Friday, October 12, 2007

Rails 1.2.5: Security and maintenance release

Posted by michael

This release closes a JSON XSS vulnerability, fixes a couple of minor regressions introduced in 1.2.4, and backports a handful of features and fixes from the 2.0 preview release.

All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn’t strictly necessary if you aren’t working with JSON. For more information the JSON vulnerability, see CVE-2007-3227.

Summary of changes:

  • acts_as_list: fixed an edge case where removing an item from the list then destroying the item leads to incorrect item positioning
  • deprecated calling .create on has_many associations with an unsaved owner (like post =; post.comments.create)
  • backport array and hash query parameters
  • fix in place editor’s setter action with non-string fields
  • updated config/boot.rb to correctly recognize RAILS_GEM_VERSION

To upgrade, `gem install rails`, set RAILS_GEM_VERSION to ‘1.2.5’ in config/environment.rb, and `rake rails:update:configs`.