Rails 3.1.2 has been released. This is a patch-level release containing bug fixes and an important security fix.
Possible XSS vulnerability in the translate helper method in Ruby on Rails
There is a vulnerability in the translate helper method which may allow an attacker to inject arbitrary HTML or script into a page (cross-site scripting).
- Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
- Not Affected: Pre-3.0.0 releases without the rails_xss plugin did no automatic XSS escaping, so the helper never claimed its output was safe; they are not considered vulnerable
- Fixed Versions: 3.0.11, 3.1.2
Please see the rubyonrails-security posting and the changelog item below for more details.
Fix XSS security vulnerability in the translate helper method. When using interpolation in combination with HTML-safe translations (such as keys ending in _html), the interpolated input would not get HTML escaped. GH 3664

Before:

    translate('foo_html', :something => '<script>') # => "...<script>..."

After:

    translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."
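To make the changelog item concrete, the following is an added example written for this page; it is not Rails code and not from the original post. It models the helper's old and new behaviour in plain Ruby: SafeString, TRANSLATIONS, translate_vulnerable, translate_fixed and render are constructed stand-ins for ActiveSupport::SafeBuffer, a locale file, the translate helper and the view's output step. The real fix lives in ActionView's TranslationHelper and escapes with ERB::Util.html_escape.

```ruby
# Added example (not Rails code): a minimal model of the translate helper
# showing the pre-fix behaviour beside the fixed behaviour. SafeString
# stands in for ActiveSupport::SafeBuffer; TRANSLATIONS stands in for a
# locale file. All names here are constructed for the example.

# A String that has already been escaped (or is trusted markup).
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

# Escape a value for HTML unless it has already been marked safe.
def html_escape(value)
  return value if value.is_a?(SafeString)
  SafeString.new(value.to_s.gsub(/[&<>"']/, HTML_ESCAPE))
end

# Constructed locale data: keys ending in _html are treated as trusted markup,
# mirroring the Rails convention the changelog item refers to.
TRANSLATIONS = {
  'foo_html' => '<b>%{something}</b>',
  'greeting' => 'Hello %{name}'
}.freeze

def html_key?(key)
  key.end_with?('_html')
end

# Replace %{name} placeholders with the given values; the result is a plain String.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Vulnerable behaviour (before 3.0.11 / 3.1.2): interpolate the raw values,
# then mark the whole result html_safe, so the view never escapes it.
def translate_vulnerable(key, values = {})
  text = interpolate(TRANSLATIONS.fetch(key), values)
  html_key?(key) ? text.html_safe : text
end

# Fixed behaviour: escape each interpolated value first (leaving values the
# caller already marked html_safe untouched), then mark the result html_safe.
def translate_fixed(key, values = {})
  template = TRANSLATIONS.fetch(key)
  return interpolate(template, values) unless html_key?(key)

  escaped = values.each_with_object({}) { |(k, v), h| h[k] = html_escape(v) }
  interpolate(template, escaped).html_safe
end

# What an ERB view does with the helper's return value: html_safe strings are
# written out verbatim, everything else is escaped.
def render(value)
  html_escape(value).to_s
end

if __FILE__ == $PROGRAM_NAME
  payload = { something: '<script>' }
  puts render(translate_vulnerable('foo_html', payload)) # <b><script></b>
  puts render(translate_fixed('foo_html', payload))      # <b>&lt;script&gt;</b>
end
```

The check to run against your own application is the first puts: any _html translation that interpolates request data (params, user profile fields) is the exploitable case, and the vulnerable path emits the `<script>` tag untouched because the helper vouched for the whole string. Note the caveat the fix does not remove: a value the application itself marks html_safe (or passes through raw) is still interpolated verbatim, exactly as the `'<i>ok</i>'.html_safe` case behaves here, so user input must never be marked safe before it reaches the helper.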
Upgrade sprockets dependency to ~> 2.1.0
Ensure that the format isn’t applied twice to the cache key, else it becomes impossible to target with expire_action.
Swallow the error raised when an object cannot be unmarshalled from the session.
Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.
Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.
The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is exactly 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.
Ensure users upgrading from 3.0.x to 3.1.x will properly upgrade their flash object in session (issues #3298 and #2509)
Fix problem with prepared statements and PostgreSQL when multiple schemas are used. (Juan M. Cuello)
Fix bug with PostgreSQLAdapter#indexes. When the search path has multiple schemas, spaces were not being stripped from the schema names after the first.
Preserve SELECT columns on the COUNT for finder_sql when possible. GH 3503
Reset prepared statement cache when schema changes impact statement results. GH 3335
Postgres: Do not attempt to deallocate a statement if the connection is no longer active.
Prevent QueryCache leaking database connections. GH 3243 (Mark J. Titorenko)
Fix bug where building the conditions of a nested through association could potentially modify the conditions of the through and/or source association. If you have experienced bugs with conditions appearing in the wrong queries when using nested through associations, this probably solves your problems. GH #3271
If a record is removed from a has_many :through, all of the join records relating to that record should also be removed from the through association’s target.
Fix adding multiple instances of the same record to a has_many :through. GH #3425
Fix creating records in a through association with a polymorphic source type. GH #3247
MySQL: use information_schema rather than the DESCRIBE command when looking for a primary key. GH #3440
As ever, you can see a full list of commits between the versions on GitHub.