[ANN] Rails 3.2.2 has been released!

Rails 3.2.2 has been released. This release contains various bug fixes and two important security fixes. All users are recommended to upgrade as soon as possible.

CHANGES

For information regarding the possible vulnerabilities, please see the announcements here and here.

Some highlights from this release are:

  • Log files are always flushed

  • Failing tests will exit with nonzero status code

  • Elimination of calls to deprecated methods

  • Query cache instrumentation includes bindings in the payload

  • Hidden checkbox values are not set if the value is nil

  • Various Ruby 2.0 compatibility fixes

For a comprehensive list, see the commits on github.

[ANN] Rails 3.1.4 has been released!

Rails 3.1.4 has been released. This release contains various bug fixes and two important security fixes. All users are recommended to upgrade as soon as possible.

CHANGES

For information regarding the possible vulnerabilities, please see the announcements here and here.

Some highlights from this release are:

  • therubyrhino is added to the Gemfile for JRuby users

  • Routing cache improvements

  • Assets group may be skipped with the --skip-sprockets flag

  • Various Ruby 2.0 compatibility fixes

For a comprehensive list, see the commits on github.

[ANN] Rails 3.0.12 has been released!

Rails 3.0.12 has been released. This release contains various bug fixes and two important security fixes. All users are recommended to upgrade as soon as possible.

CHANGES

For information regarding the possible vulnerabilities, please see the announcements here and here.

Some highlights from this release are:

  • require and load will return the value from the superclass

  • ActiveModel confirmation validation fixes

  • Increasing rack dependency

For a comprehensive list, see the commits on github.

Rails 3.1.0 has been released!

Hi everybody!

It’s been 3 months since RailsConf, so I think it’s time we released Rails 3.1.0. So, here it is! I’ve released Rails 3.1.0!

CHANGES

For a much more attractive and easy to read list of changes, please check out the awesome Rails 3.1.0 Release Notes on the Rails Guides site. For a less attractive list of changes, please continue to read!

Here are some highlights of the major changes in Rails 3.1.0:

ActionPack

  • ActionPack has been updated to include the new asset pipeline. Please see the rails guides on the asset pipeline.

  • Streaming response support has been added. This feature allows you to stream templates to the user before processing has actually finished. See the Rails Guides, or documentation in ActionController::Metal::Streaming for more information. Middleware have been refactored to support this feature.

  • RJS has been extracted to a gem.

ActiveModel

  • attr_accessible and friends now accept :as as an option to specify a role

  • Added ActiveModel::SecurePassword to encapsulate dead-simple password usage with BCrypt encryption and salting.

ActiveRecord

  • Prepared statement caches have been integrated. ActiveRecord::Base#create and simple finders will use a prepared statement and cache for more performant inserts and selects.

  • Associations have been refactored for greater simplicity and maintainability.

  • default_scope can take any object that responds to call.

  • PostgreSQL adapter only supports PostgreSQL version 8.2 and higher.

  • Migrations use instance methods rather than class methods. Rather than defining a self.up method, you should define an instance method up.

  • Migrations are reversible. When a new migration is generated, the migration will contain one method called change. Database changes made in this method will automatically know how to reverse themselves. For more information, see the documentation for ActiveRecord::Migration and ActiveRecord::Migration::CommandRecorder.

  • When a model is generated, add_index is added by default for belongs_to or references columns.

ActiveResource

  • The default format has been changed to JSON for all requests. If you want to continue to use XML you will need to set self.format = :xml in the class.

ActiveSupport

  • ActiveSupport::BufferedLogger sets the log encoding to BINARY, but still uses text mode to output portable newlines.

  • Add Object#in? to test if an object is included in another object.

  • ActiveSupport::Dependencies::ClassCache class has been introduced for holding references to reloadable classes.

  • Added weeks_ago and prev_week to Date/DateTime/Time.

  • JSON decoding now uses the multi_json gem, which also vendors a json engine called OkJson. The yaml backend has been removed in favor of OkJson as the default engine for 1.8.x, while the built-in 1.9.x json implementation will be used by default.

Railties

  • The default database schema file is written as UTF-8.

  • Rack::Sendfile middleware is used only if x_sendfile_header is present.

  • Add alias r for rails runner.

  • jQuery is the new default JavaScript library.

  • Added config.force_ssl configuration, which loads Rack::SSL middleware and forces all requests to be served over HTTPS

For more info

For a more detailed list of changes, please see each of the CHANGELOG files checked in to the Rails repository on github.

For an even more detailed list of changes, please see the commit list between Rails 3.0.10 and 3.1.0.

The End

I am personally very proud of this release. I want to say thank you to the people testing our release candidates, the people submitting patches and sending in bug reports. I think that Rails 3.1.0 is the best release of Rails to date, and we could not have done it without you.

Please continue to create amazing things with this framework!

SHA-1

  • b68f74ced662145a4139409edf3c51db1159ead8 actionmailer-3.1.0.gem
  • 136474f270677ae75ad0f9599d26e89cf1d4bc7b actionpack-3.1.0.gem
  • e6b68453c08bb0da52ed1d422ba2f87a5e3aa794 activemodel-3.1.0.gem
  • dfbae15c0d395304812c22fbf18aa9daadbe20b4 activerecord-3.1.0.gem
  • 3f1f547e500d1ffc1f7c3ee4ab9eb1526157a870 activeresource-3.1.0.gem
  • f21627c2f429abfa8685d2147fadab6704c13869 activesupport-3.1.0.gem
  • 21c6592189fb358a066846754a8f7ce7a238fca6 rails-3.1.0.gem
  • 79cfa1eca232de9a45453829287e4438089b7955 railties-3.1.0.gem

<3 <3 <3

[ANN] Rails 3.1.0.rc6

Hi everyone,

Rails 3.1.0.rc6 has been released. This release contains critical security fixes.

CHANGES

You can find an exhaustive list of changes on github, along with the closed issues marked for v3.1.0.

You can also see issues we haven’t closed.

A comprehensive CHANGELOG will be announced when 3.1.0 final is released. Barring any show stopping bugs, Rails 3.1.0 will be released on August 30th.

4 Security Fixes

Please follow the links to see specific information about each vulnerability, along with individual patches for fixing them.

Please note that these security fixes do not have CVE identifiers. We requested identifiers on August 5th, and have yet to receive a response. When we get identifiers, we’ll update the notices with those values.

Also remember to subscribe to the Ruby on Rails Security mailing list.

Why was this release delayed?

You may have noticed this release was originally slated to be released on August 8th. We decided to delay the release in order to obtain CVE identifiers. Unfortunately, identifiers still have not been issued. We felt that getting the security fixes to our users was more important than obtaining CVE values.

That is why our release is late, and contains no CVE identifiers.

THE END

Thanks! <3

[ANN] Rails 3.0.10

Hi everyone,

Rails 3.0.10 has been released. This release contains critical security fixes.

CHANGES

You can find an exhaustive list of changes on github. Here are some notable excerpts:

4 Security Fixes

Please follow the links to see specific information about each vulnerability, along with individual patches for fixing them.

Please note that these security fixes do not have CVE identifiers. We requested identifiers on August 5th, and have yet to receive a response. When we get identifiers, we’ll update the notices with those values.

Also remember to subscribe to the Ruby on Rails Security mailing list.

ActionPack:

  • Fixes an issue where cache sweepers with only after filters would have no controller object; it would raise undefined method controller_name for nil [jeroenj]
  • Ensure status codes are logged when exceptions are raised.
  • Subclasses of OutputBuffer are respected.
  • Fixed ActionView::FormOptionsHelper#select with :multiple => false
  • Avoid extra call to Cache#read in case of a fragment cache hit

ActiveRecord:

  • Magic encoding comment added to schema.rb files
  • schema.rb is written as UTF-8 by default.
  • Ensuring an established connection when running rake db:schema:dump
  • Association conditions will not clobber join conditions.
  • Destroying a record will destroy the HABTM record before destroying itself. GH #402.
  • Make ActiveRecord::Batches#find_each not return self.
  • Update table_exists? in PG to always use the current search_path, or the schema if explicitly set.

Why was this release delayed?

You may have noticed this release was originally slated to be released on August 8th. We decided to delay the release in order to obtain CVE identifiers. Unfortunately, identifiers still have not been issued. We felt that getting the security fixes to our users was more important than obtaining CVE values.

That is why our release is late, and contains no CVE identifiers.

THE END

Thanks! <3

[ANN] Rails 2.3.14

Hi everyone,

Rails 2.3.14 has been released. This release contains critical security fixes.

CHANGES

You can find an exhaustive list of changes on github. Here are some notable excerpts:

4 Security Fixes

Please follow the links to see specific information about each vulnerability, along with individual patches for fixing them.

Also remember to subscribe to the Ruby on Rails Security mailing list.

2 Bug Fixes

  • Rescue from RDoc task errors
  • OrderedHash can merge with blocks

THE END

Thanks! <3

[ANN] Rails 3.0.10.rc1 has been released!

Hi everyone,

Rails 3.0.10.rc1 has been released. As usual, please try out this release candidate and report any issues to the ruby on rails core mailing list. If no issues are found, we’ll release 3.0.10 on August 8th (around 5pm PDT).

If you do find issues, please send them to the rails core mailing list. If the release candidate is found to not be backwards compatible with the previous release, we’ll do another release candidate and postpone the final release date.

Remember that this is your chance to veto / postpone the rails release. Please take this opportunity to test!

CHANGES

You can find an exhaustive list of changes on github. Here are some notable excerpts:

From ActionPack:

  • Fixes an issue where cache sweepers with only after filters would have no controller object; it would raise undefined method controller_name for nil [jeroenj]

  • Ensure status codes are logged when exceptions are raised.

  • Subclasses of OutputBuffer are respected.

  • Fixed ActionView::FormOptionsHelper#select with :multiple => false

  • Avoid extra call to Cache#read in case of a fragment cache hit

From ActiveRecord:

  • Magic encoding comment added to schema.rb files

  • schema.rb is written as UTF-8 by default.

  • Ensuring an established connection when running rake db:schema:dump

  • Association conditions will not clobber join conditions.

  • Destroying a record will destroy the HABTM record before destroying itself. GH #402.

  • Make ActiveRecord::Batches#find_each not return self.

  • Update table_exists? in PG to always use the current search_path, or the schema if explicitly set.

THE END

Thanks!

-Aaron <3

[ANN] Rails 3.0.9 has been released!

Hi everybody!

Rails 3.0.9 has been released! Since I am at Nordic Ruby, I will deem this Nordic Ruby Edition. 😉

The main boogs fixed in this release are problems dealing with modifications of SafeBuffers.

gem install rails or update your Gemfile and bundle update while it’s hot!

CHANGES

The major changes in this release of Rails are bug fixes surrounding modifications to SafeBuffer strings. We had places that were modifying SafeBuffers and those places raised exceptions after the security fixes in the 3.0.8 release.

We’ve since updated those code paths, and now we have this nice release for you today!

Please check the CHANGELOG files in each section on github for more details.

For an exhaustive list of the commits in this release, please see github.

Gem checksums

SHA-1:

  • fb8f3c0b6c866dbad05ec33baf2af7e851f9d745 actionmailer-3.0.9.gem
  • 9bc2c05463962320d0497bb2e30f4ffa66ed4f79 actionpack-3.0.9.gem
  • 2c1004747a22f756722cf95605398bf9ba6244ed activemodel-3.0.9.gem
  • 285759d41c79460a3f49d26d8a0b3f8c9279e868 activerecord-3.0.9.gem
  • 28f2b296525caeca1341467b5f1bbb90de88aaa7 activesupport-3.0.9.gem
  • 09d52fdcbeefba31dd267d3d7484332ec30f7539 rails-3.0.9.gem
  • 8b46dbeddb56e2e4b4ebfb5312fe81eb865a47e7 railties-3.0.9.gem

Please enjoy this release of Rails!

<3 <3 <3

[ANN] Rails 3.1.0.rc4 has been released!

I’ve pushed a 3.1.0.rc4. Please test your application against this release candidate and report any regressions to the rails core mailing list. I would like to hear your feedback, good or bad. Especially if it’s good. <3 <3

In two weeks, if there are no show stopping issues I will release the final version. If we do find regressions, I will publish another release candidate and we’ll put another two weeks on the clock.

However, I will not wait two weeks between release candidates. I want to get the final done as quickly as possible, so I’ll try to release RCs as quickly as possible.

CHANGES

Here are some of the major changes to the RC branch:

  • escape_javascript safebuffer fixes
  • json_escape safebuffer fixes
  • RDoc / ruby-debug conflict fixes.
  • arel_table is cached unless the table_name changes

For an exhaustive list, please check out the commits on github.

<3 <3 <3

[ANN] Rails 3.0.9.rc3 has been released!

I’ve pushed an rc3. Yes, we skipped one. I screwed up the rc2, so I yanked it, and we’re going straight to rc3. Good thing it’s just a release candidate, right? 😉

As usual, please test this against your application and report any regressions to the rails core mailing list. I would like to hear your feedback, good or bad.

I will release the final in 72 hours if there are no reported regressions. If there are reported regressions, I will release another RC and the clock will start over.

CHANGES

Here are some of the major changes since 3.0.9.rc1:

  • escape_javascript safebuffer fixes
  • json_escape safebuffer fixes
  • RDoc / ruby-debug conflict fixes.

For an exhaustive list, please check out the commits on github.

<3 <3 <3

[ANN] Rails 3.1.0.rc3 has been released!

Hey folks. Sorry for the multiple releases in such a short time span, but the security fixes released yesterday seem to have broken people’s applications. Even though this is a release candidate, I am not happy about breaking stuff.

I’ve pushed a 3.1.0.rc3. Please test your application against this release candidate and report any regressions to the rails core mailing list. I would like to hear your feedback, good or bad. Especially if it’s good. <3 <3

In two weeks, if there are no show stopping issues I will release the final version. If we do find regressions, I will publish another release candidate and we’ll put another two weeks on the clock.

However, I will not wait two weeks between release candidates. I want to get the final done as quickly as possible, so I’ll try to release RCs as quickly as possible.

CHANGES

Here are some of the major changes to the RC branch:

  • mailto SafeBuffer fixes
  • escape_javascript SafeBuffer fixes
  • Multiple sources in sprocket helpers

For an exhaustive list, please check out the commits on github.

Thanks for your patience everyone!

<3 <3 <3

[ANN] Rails 3.0.9.rc1 has been released!

Hey folks. Sorry for the multiple releases in such a short time span, but the security fixes released yesterday seem to have broken people’s applications. I am not happy about that.

I’ve pushed a 3.0.9.rc1. Please test your application against this release candidate and report any regressions to the rails core mailing list. I would like to hear your feedback, good or bad.

I will release the final in 72 hours if there are no reported regressions. If there are reported regressions, I will release another RC and the clock will start over.

CHANGES

Here are some of the major changes:

  • MemCacheStore works with Ruby 1.9 and -Ku
  • mailto SafeBuffer fixes
  • escape_javascript SafeBuffer fixes

For an exhaustive list, please check out the commits on github.

Thanks for your patience everyone!

<3 <3 <3

[ANN] Rails 3.1.0.rc2 has been released!

Security Issues!

This release contains fixes for possible XSS problems in your rails application. It is unlikely that your application is vulnerable, but you should take precautions by updating your application.

For more information about the XSS issue that was fixed in this release, please read this blog post.

WELCOME!

Hi everyone! I’ve released Rails version 3.1.0.rc2!

Please download our latest release candidate and give it a whirl!

Two weeks from today, we’ll either release another rc, or release 3.1.0 final (depending on the reported issues).

CHANGES

  • Fixing Rake 0.9.x integration
  • Fixing rubygems deprecation warnings
  • Sprockets was updated

MORE IMPORTANT CHANGES

  • Much whitespace was removed
  • Many typos were fixed
  • Queen’s English was changed to American English
  • Many grammar errors removed

For an exhaustive list of changes, see the log on github.

[ANN] Rails 3.0.8 has been released!

Security Issues!

This release contains fixes for possible XSS problems in your rails application. It is unlikely that your application is vulnerable, but you should take precautions by updating your application.

For more information about the XSS issue that was fixed in this release, please read this blog post.

WELCOME!

Hi everyone! I’ve released Rails version 3.0.8!

I know I told you I would release Rails 3.0.8 on June 2nd. I may put many hearts in my emails, but I’m quite serious about sticking to announced deadlines. The reason this release was delayed is due to the above security issue. I needed to coordinate three different versions to be released simultaneously, and that delayed this release.

Sorry about that! Barring “perfect storm” issues like this, I will keep you up to date on release dates as I know them. 🙂

CHANGES

The big changes in this release are:

  • Fixing Rake 0.9.x integration
  • Fixing rubygems deprecation warnings
  • Refactoring YAML support to work well with Psych and Syck
  • Joins on polymorphic has_one associations are fixed

For an exhaustive log of changes, please see the commit list on github, or the CHANGELOG for each project.

[ANN] Rails 2.3.12 has been released!

Hi everyone! I’ve released rails version 2.3.12.

Security issues!

There are security issues in the rails_xss plugin, and we’ve fixed them with this release. Please make sure to upgrade your rails_xss plugin.

Please see here for more details about the security issue.

CHANGES

The main changes in this release are fixing compatibility issues with Rubygems 1.8.5.

You can view the complete list of changes here.

SUPPORT!

I want to briefly mention provided support for the 2.3.x series. This branch is in security-maintenance mode. We will release it when there are problems like “the sky is falling”, or major security issues. It’s time for us to focus on pushing Rails forward!

Potential XSS Vulnerability in Ruby on Rails Applications

The XSS prevention support in recent versions of Ruby on Rails allows some string operations which, when combined with user supplied data, may leave an ‘unsafe string’ incorrectly considered safe. It is unlikely that applications call these methods, however we are shipping new versions today which prevent their use to ensure they’re not called unintentionally.

How the XSS Prevention Works

When strings are rendered to the client, if the string is not marked as “html safe”, the string will be automatically escaped and marked as “html safe”. Some helper methods automatically return strings already marked as safe.

For example:

<%= link_to('hello world', @user) %>

The link_to method will return a string marked as html safe. Since link_to returns an “html safe” string (also known as a safe buffer), the text will be output directly, meaning the user sees a link tag rather than escaped HTML.

The Problem

Safe buffers are allowed to be mutated in place via methods like sub!. These methods can add unsafe strings to a safe buffer, and the safe buffer will continue to be marked safe.

An example problem would be something like this:

<%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %>

In the above example, an untrusted string (params[:xss]) is added to the safe buffer returned by link_to, and the untrusted content is successfully sent to the client without being escaped. To prevent this from happening sub! and other similar methods will now raise an exception when they are called on a safe buffer.

In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example:

<%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>

The new versions will now ensure that all strings returned by these methods on safe buffers are marked unsafe.

Affected versions

This problem affects all versions of rails: 3.1.0.rc1, 3.0.7, and 2.3.11.

The Solution

Any methods that mutate the safe buffer without escaping input will now raise an exception.

If you need to modify a safe buffer, cast it to a Ruby string first by calling the to_str method:

<%= link_to('hello world', @user).to_str.sub!(/hello/, params[:xss]) %>
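The behaviour the advisory describes, modelled as an added Ruby example that is not part of the advisory or of Rails itself. `LegacySafeBuffer`, `MiniSafeBuffer`, `render_to_client` and the `link_to` stand-in are this example's own names, the untrusted text is a constructed stand-in for params[:xss], and the exception type raised on in-place mutation is this example's choice. It runs the pre-fix hole (sub! keeps the "safe" flag, so raw markup reaches the output), the post-fix behaviour (sub! is refused, sub hands back a plain String that the view escapes whole), the to_str cast the advisory recommends, and an appending path that escapes untrusted input instead of trusting it.

```ruby
require "cgi"

# Constructed stand-in for params[:xss]: attacker-controlled text containing markup.
UNTRUSTED = "<b>injected</b>"

# Pre-fix model: a String subclass that is "html safe" but does nothing to
# stop in-place mutation. This is the hole the advisory describes.
class LegacySafeBuffer < String
  def html_safe?
    true
  end
end

# Post-fix model (this example's own, modelled on the described fix):
# mutating methods raise, copying methods hand back a plain String, and
# appending escapes anything that is not itself marked safe.
class MiniSafeBuffer < String
  def html_safe?
    true
  end

  %w[sub! gsub!].each do |name|
    define_method(name) do |*_args|
      raise TypeError, "#{name} is not allowed on a safe buffer; call to_str first"
    end
  end

  # String#to_str on a subclass returns a plain String copy, so the result
  # here is no longer html safe and will be escaped when rendered.
  %w[sub gsub].each do |name|
    define_method(name) { |*args, &blk| to_str.send(name, *args, &blk) }
  end

  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value.to_str : CGI.escapeHTML(value.to_s))
  end
end

# The view layer: output safe buffers verbatim, escape everything else.
def render_to_client(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_str
  else
    CGI.escapeHTML(value.to_s)
  end
end

# Stand-in for the link_to helper: escapes its parts, then marks the result safe.
def link_to(text, href)
  MiniSafeBuffer.new(%(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>))
end

# 1. Pre-fix: sub! keeps the safe flag, so raw markup reaches the client.
def legacy_output
  buf = LegacySafeBuffer.new(link_to("hello world", "/users/1"))
  buf.sub!(/hello/, UNTRUSTED)
  render_to_client(buf)
end

# 2. Post-fix, in-place: the mutation is refused outright.
def fixed_in_place
  link_to("hello world", "/users/1").sub!(/hello/, UNTRUSTED)
rescue TypeError => e
  e.message
end

# 3. Post-fix, copying: sub returns a plain String, which the view escapes whole.
def fixed_copy
  render_to_client(link_to("hello world", "/users/1").sub(/hello/, UNTRUSTED))
end

# 4. The advisory's recommended cast: opt out explicitly, then auto-escaping applies.
def explicit_cast
  render_to_client(link_to("hello world", "/users/1").to_str.sub!(/hello/, UNTRUSTED))
end

# 5. Appending untrusted text through << escapes it and keeps the buffer safe.
def safe_append
  render_to_client(link_to("hello world", "/users/1") << UNTRUSTED)
end

if $PROGRAM_NAME == __FILE__
  puts "pre-fix:       #{legacy_output}"
  puts "post-fix sub!: #{fixed_in_place}"
  puts "post-fix sub:  #{fixed_copy}"
  puts "to_str cast:   #{explicit_cast}"
  puts "<< append:     #{safe_append}"
end
```

Note that the to_str cast does not make the substitution safe; it makes the result a plain String again, so the whole link is escaped on output. A helper that needs to splice user data into markup should escape that data before building the safe buffer, as the `<<` override here does.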

Upgrading

This problem is fixed in Rails 3.1.0.rc2, 3.0.8, and 2.3.12 (with rails_xss). If for some reason you cannot upgrade your Rails installation, please apply these patches:

Thanks

Thanks to Bruno Michel of LinuxFr.org and Brett Valantine who each independently reported the issue to us.

[ANN] Rails 3.0.8.rc3 (third time is the charm!)

Hey everybody! I’ve pushed Rails 3.0.8.rc3.

Hopefully this release candidate takes care of all the outstanding issues remaining. To see what has changed between 3.0.8.rc2 and 3.0.8.rc3, check out this link on github.

If no regressions are found, I will release the final version 72 hours from now (Thursday, June 2nd around 1pm). Please let us know if this release candidate causes any regressions from the 3.0.7 version.

I’m still getting over my cold, so I promise that next release I will return to my normal level of excitement! 😉

[ANN] Rails 3.0.8.rc2

Hey folks! I’ve pushed 3.0.8.rc2.

I want to give a big thanks to Philip Arndt and Robert Pankowecki for reporting regressions in 3.0.8.rc1! We’ve fixed the regressions, so I pushed an rc2.

To see the diffs for this rc, check out the commit list on github.

Since we’ve released a new release candidate, I’ll target the final release for June 1. If you find regressions between v3.0.7 and v3.0.8.rc2, please let me know and we’ll do another rc!

Thanks everyone!

$ curl 'http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/383777' | ruby -n -e'print $_.gsub(/rc1/, "rc2")'

[ANN] Rails 3.0.8.rc1

ZOMG HI EVERYBODY!!!! HAPPY WEDNESDAY (UTC-7).

I am EXCITED, PLEASED, and even MORE EXCITED to announce the release of the
Rails 3.0.8 release candidate NUMBER ONE!

OMG RELEASE CANDIDATE. WHAT DOES IT MEAN?

This is a release candidate! It means that we (the rails core team) are asking
you (our lovely users) to test out the code that we’d like to release!

This is your chance to VETO our release of Rails 3.0.8 final!

VETO?? WHY WOULD I DO THAT?

Well you see, dear public, let me explain. In order to bring you this latest
and greatest release of rails, we’ve made bug fixes and changed codes.
Unfortunately, that means that we may have inadvertently broken your
application. We don’t want to break your application, we want to fix bugs!

This is your chance to try out the release candidate and let us know if we’ve
broken your application!

HOW DO I TEST YOUR WONDERFUL AND AMAZING RELEASE CANDIDATE?

Very simple! If you’re using bundler, just update your Gemfile to point at
rails version ‘3.0.8.rc1’. Then do a bundle update, and you’re off to the
races! Make sure your application behaves normally, all your tests pass, etc.

I think I’ve found a boog! How do I veto???

It’s easy, breezy, beautiful, to veto! Just reply to this on the rails-core
mailing list, and let us know what went wrong! We’ll fix the problem and cut
another release candidate.

Make sure to check that your failure does not occur on Rails 3.0.7, but does
occur on the release candidate. If the failure is also on 3.0.7, we still want
to know! It just won’t block our release.

TELL ME THE CHANGES YOU’VE MADE!

Ok, just calm down. For now, go check out this link on github.

Or go check out the CHANGELOG files in each project. When we release the final,
I’ll add the changelog to the announce email.

WHEN WILL THE FINAL RELEASE BE??? TELL ME NOW!!!

Typically we release the final version 72 hours after the release candidate.
But this weekend is a holiday, so I don’t feel like doing a release this
weekend. Instead, I will target the final to be released on May 31st.

If we find show stopping bugs, we’ll release another RC and the 72-hour counter
will reset!

WHY AREN’T YOU RELEASING ON THE WEEKEND? COMMON, BRO.

What?!?! Why aren’t you releasing on the weekend??? I’m going to be making
sausage. 😛

Thanks everybody!!!!

<3 <3 <3 <3 <3 <3