Comments
-
Greg Hurrell
All the more reason to do this due to this vulnerability:
There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page. This vulnerability has been disclosed to the public so no CVE identifier has yet been assigned.

Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
Fixed Versions: 3.0.11, 3.1.2

Impact
------
Ruby on Rails has a helper method for i18n translations. This function has a convention whereby translation strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped.

All users using the translate helper method with 'html safe' translations which use variable interpolation should either upgrade or use one of the workarounds immediately.

Workarounds
-----------
Escape all interpolated input manually. For example:

translate('some_html', :some => '<input>')

should be changed to:

translate('some_html', :some => h('<input>'))

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 3-0-translate.patch - Patch for 3.0 series
* 3-1-translate.patch - Patch for 3.1 series

Credits
-------
Thanks to Sergey Nartimov for finding the vulnerability and submitting the initial patch.
(Although I confess I don't think I'm using the helper anywhere, so I'm ok. I'll still audit the codebase, anyway, and I'll still upgrade.)
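Added example, not from the issue or from Rails: a minimal stand-in for the translate helper's "key ends in html means HTML-safe" convention, showing the unescaped interpolation the advisory describes next to the h()-style workaround applied to every interpolated value. The translation table, the %{name} placeholder syntax and the function names are assumptions made for the demo.

```ruby
require 'erb'

# Constructed translation table; keys ending in "html" are, by convention,
# treated as already HTML-safe and are not escaped on output.
TRANSLATIONS = {
  'greeting'  => 'Hello %{name}',
  'some_html' => '<strong>%{some}</strong>',
}.freeze

# Substitutes %{key} placeholders with the matching option values.
def interpolate(template, options)
  template.gsub(/%\{(\w+)\}/) { options.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Behaviour the advisory describes: for an "html" key the caller-supplied
# values are interpolated verbatim, so '<input>' lands in the page unescaped.
def translate_vulnerable(key, options = {})
  interpolate(TRANSLATIONS.fetch(key), options)
end

# The advisory's workaround, applied systematically: escape each interpolated
# value (what h() does in a Rails view) before it reaches an html-safe string.
# Non-html keys are left alone here; in a real app the framework escapes those
# whole strings at render time. This is a model, not the actual Rails patch.
def translate_safe(key, options = {})
  if key.end_with?('html')
    options = options.transform_values { |v| ERB::Util.html_escape(v) }
  end
  interpolate(TRANSLATIONS.fetch(key), options)
end
```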
-
Greg Hurrell
Summary changed:
- From: Try Rails 3.1.2.rc2
- To: Update to Rails 3.1.2
-
Greg Hurrell
Weblog hasn't updated yet, but 3.1.2 is out on the gem servers.
-
Greg Hurrell
Rather painful as the update included a forced-switch to the asset pipeline, but done.
-
Greg Hurrell
Status changed:
- From: new
- To: closed