You are viewing an historical archive of past issues. Please report new issues to the appropriate project issue tracker on GitHub.

Feature request #1824: Update to Rails 3.0.9, and Rails 3.1.0.rc4

Kind feature request
Product wincent.dev
When Created 2011-05-31T16:35:11Z, updated 2011-09-02T06:42:33Z
Status closed
Reporter Greg Hurrell
Tags no tags

Description

Unless 3.1.0 goes final first...

Comments

  1. Greg Hurrell 2011-05-31T16:35:25Z

    Status changed:

    • From: new
    • To: open
  2. Greg Hurrell 2011-05-31T18:38:11Z

    rc3 is a lemon, so wait for rc4 instead:

    • https://github.com/rails/rails/commit/ce23c6e47f184616c8cc9b779c1670e1417adfd0
  3. Greg Hurrell 2011-05-31T18:38:18Z

    Summary changed:

    • From: Trial Rails 3.0.8.rc3
    • To: Trial Rails 3.0.8.rc4
  4. Greg Hurrell 2011-06-08T03:55:52Z

    Summary changed:

    • From: Trial Rails 3.0.8.rc4
    • To: Update to Rails 3.0.8, and Rails 3.1.0.rc2
  5. Greg Hurrell 2011-06-08T03:56:35Z

    3.0.8 final is now out, with a security fix. 3.1.0.rc2 is also out, containing the same fix.

    # Potential XSS Vulnerability in Ruby on Rails Applications
    
    The XSS prevention support in recent versions of Ruby on Rails allows some string operations which, when combined with user supplied data, may leave an 'unsafe string' incorrectly considered safe. It is unlikely that applications call these methods; however, we are shipping new versions today which prevent their use to ensure they're not called unintentionally.
    
    ## How the XSS Prevention Works
    
    When strings are rendered to the client, if the string is not marked as "html safe", the string will be automatically escaped and marked as "html safe". Some helper methods automatically return strings already marked as safe.
    
    For example:
    
       <%= link_to('hello world', @user) %>
    
    The `link_to` method will return a string marked as html safe.  Since `link_to` returns an "html safe" string (also known as a safe buffer), the text will be output directly, meaning the user sees a link tag rather than escaped HTML.
    
    ## The Problem
    
    Safe buffers are allowed to be mutated in place via methods like `sub!`.  These methods can add unsafe strings to a safe buffer, and the safe buffer will continue to be marked safe.
    
    An example problem would be something like this:
    
       <%= link_to('hello world', @user).sub!(/hello/, params[:xss])  %>
    
    In the above example, an untrusted string (`params[:xss]`) is added to the safe buffer returned by `link_to`, and the untrusted content is successfully sent to the client without being escaped.  To prevent this from happening `sub!` and other similar methods will now raise an exception when they are called on a safe buffer.
    
    In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe.  For example:
    
       <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>
    
    The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe.
    
    ## Affected versions
    
    This problem affects all versions of rails: 3.1.0.rc1, 3.0.7, and 2.3.11.
    
    ## The Solution
    
    Any methods that mutate the safe buffer without escaping input will now raise
    an exception.
    
    If you need to modify a safe buffer, cast it to a Ruby string first by calling
    the `to_str` method:
    
       <%= link_to('hello world', @user).to_str.sub!(/hello/, params[:xss]) %>
    
    ## Upgrading
    
    This problem is fixed in Rails 3.1.0.rc2, 3.0.8, and 2.3.12 (with rails_xss) (which will be
    released in the next hour).  If for some reason you cannot upgrade your Rails
    installation, please apply these patches (also find them attached):
    
     * [For 3.1.0.rc1](https://gist.github.com/89d6266cc7875614c5a5)
     * [For 3.0.7](https://gist.github.com/b2ceb626fc2bcdfe497f)
     * [For 2.3.11, specifically the rails_xss plugin](https://gist.github.com/392235903426322e0414)
    
    ## Thanks
    
    Thanks to Bruno Michel of LinuxFr.org and Brett Valantine who each independently reported the issue to us.
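A worked illustration of the safe-buffer semantics described in the advisory quoted above, added here and not part of the issue, of the advisory, or of Rails: `ToySafeBuffer`, `render`, `link_to` and the `UNTRUSTED` input are constructed stand-ins (not `ActiveSupport::SafeBuffer` or the real helpers) that reproduce the pre-fix copying `sub` that wrongly stays safe, the post-fix `sub!` that raises, and the `to_str` route the advisory recommends.

```ruby
require 'cgi'

# Toy model of a Rails "safe buffer", constructed for this illustration; it is
# not ActiveSupport::SafeBuffer. fixed: false reproduces the pre-advisory
# behaviour, fixed: true the behaviour the advisory describes after the fix.
class ToySafeBuffer
  attr_reader :value
  def initialize(value, fixed: true)
    @value, @fixed = value.dup, fixed
  end
  def html_safe?; true; end
  def to_str; @value.dup; end  # plain (unsafe) String: the advisory's escape hatch
  # In-place mutation: pre-fix it silently keeps the buffer "safe";
  # post-fix it raises, as the advisory says sub! and similar methods now do.
  def sub!(pattern, replacement)
    raise "cannot modify a safe buffer in place" if @fixed
    @value.sub!(pattern, replacement)
    self
  end
  # Copying version: pre-fix the copy was wrongly marked safe;
  # post-fix it is a plain String, so the renderer escapes it.
  def sub(pattern, replacement)
    out = @value.sub(pattern, replacement)
    @fixed ? out : ToySafeBuffer.new(out, fixed: false)
  end
end

# Rendering rule from the advisory: anything not html-safe is escaped on output.
def render(str)
  str.is_a?(ToySafeBuffer) ? str.value : CGI.escapeHTML(str)
end

# Stand-in for the link_to helper: escapes its inputs, returns a safe buffer.
def link_to(text, href, fixed: true)
  ToySafeBuffer.new(%(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>), fixed: fixed)
end

UNTRUSTED = '<script>untrusted()</script>'  # constructed stand-in for params[:xss]

def vulnerable_output  # pre-fix: the copy stays "safe", so markup reaches the client raw
  render(link_to('hello world', '/users/1', fixed: false).sub(/hello/, UNTRUSTED))
end

def fixed_output       # advisory's recommended route: to_str, then mutate, then escape
  render(link_to('hello world', '/users/1').to_str.sub!(/hello/, UNTRUSTED))
end

def in_place_raises?   # post-fix: sub! directly on a safe buffer raises
  link_to('hello world', '/users/1').sub!(/hello/, UNTRUSTED)
  false
rescue RuntimeError
  true
end
```

Post-fix, the non-bang `sub` also returns a plain String, so `render(link_to(...).sub(...))` is escaped the same way as `fixed_output`.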
  6. Greg Hurrell 2011-06-09T03:50:12Z

    Summary changed:

    • From: Update to Rails 3.0.8, and Rails 3.1.0.rc2
    • To: Update to Rails 3.0.8, and Rails 3.1.0.rc3
  7. Greg Hurrell 2011-06-09T03:52:02Z

    Summary changed:

    • From: Update to Rails 3.0.8, and Rails 3.1.0.rc3
    • To: Update to Rails 3.0.9.rc1, and Rails 3.1.0.rc3
  8. Greg Hurrell 2011-06-09T03:52:09Z

    • Rails 3.1.0.rc3 announcement: http://weblog.rubyonrails.org/2011/6/8/ann-rails-3-1-0-rc3-has-been-released
    • Rails 3.1.0.rc2 announcement: http://weblog.rubyonrails.org/2011/6/8/ann-rails-3-1-0-rc2-has-been-released
    • Rails 3.0.9.rc1 announcement: http://weblog.rubyonrails.org/2011/6/8/ann-rails-3-0-9-rc1-has-been-released
    • Rails 3.0.8 announcement: http://weblog.rubyonrails.org/2011/6/8/ann-rails-3-0-8-has-been-released
  9. Greg Hurrell 2011-06-10T08:23:51Z

    Tried 'em out, but time to try out some more:

    • Rails 3.1.0.rc4 release announcement: http://weblog.rubyonrails.org/2011/6/9/ann-rails-3-1-0-rc4-has-been-released
    • Rails 3.0.9.rc3 release announcement: http://weblog.rubyonrails.org/2011/6/9/ann-rails-3-0-9-rc3-has-been-released
  10. Greg Hurrell 2011-06-10T08:24:05Z

    Summary changed:

    • From: Update to Rails 3.0.9.rc1, and Rails 3.1.0.rc3
    • To: Update to Rails 3.0.9.rc3, and Rails 3.1.0.rc4
  11. Greg Hurrell 2011-06-13T16:53:16Z

    Summary changed:

    • From: Update to Rails 3.0.9.rc3, and Rails 3.1.0.rc4
    • To: Update to Rails 3.0.9.rc5, and Rails 3.1.0.rc4
  12. Greg Hurrell 2011-06-16T16:25:12Z

    Summary changed:

    • From: Update to Rails 3.0.9.rc5, and Rails 3.1.0.rc4
    • To: Update to Rails 3.0.9, and Rails 3.1.0.rc4
  13. Greg Hurrell 2011-06-16T16:25:15Z

    http://weblog.rubyonrails.org/2011/6/16/ann-rails-3-0-9-has-been-released

  14. Greg Hurrell 2011-09-02T06:42:21Z

    Superseded by ticket #1861.

  15. Greg Hurrell 2011-09-02T06:42:33Z

    Status changed:

    • From: open
    • To: closed