Hi everybody! Rails 3.0.6 has been released!
Let’s get the serious business out of the way first:
Rails 3.0.6 contains an important security fix! Please upgrade!
Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The
vulnerability manifests itself via the
auto_link method. The
method will automatically mark input strings as “html safe” even if the input
is from an unknown origin.
<%= auto_link(params[:content]) %>
rendered without being escaped.
How can I protect myself?
Upgrade to Rails 3.0.6, then content passed to
auto_link will be
automatically escaped for you.
If you cannot upgrade Rails, then apply the patch found here.
auto_link content will be escaped for you.
If you cannot upgrade Rails, or apply the patch, then change your calls to
auto_link to call sanitize like so:
<%= sanitize(auto_link(params[:content])) %>
If you trust the input, then change to this
<%= raw(auto_link(params[:content])) %>
Thanks go to Torben Schulz for reporting this issue!
SERIOUS BUSINESS COMPLETE
After two release candidates, we we we so excited to announce the release of
Rails version 3.0.6! I want to thank everyone that tried out the release
candidates and reported their feedback! I hope that we can continue soliciting
feedback from the public before releasing final versions.
For changes in a particular package, please view the CHANGELOG in each
particular project on github. Even better, you can check the
Changes of note are:
The above security fix in ActionPack
reorder method in ActiveRecord
A backport of “cheaper attributes reads” in ActiveRecord
before_type_cast on timezone aware attributes
Escaping binary data in sqlite3 inserts
Fixing schema support for the mysql adapter
This change list IS NOT exhaustive. They are just some of my favorites! For
the complete list please see the CHANGELOG files or view the diff on github.
If you totally want to make sure that you’ve got the right gems, here are my
shasums before I pushed the gems!
- fc7b0503bdf99d1ec08dc0dcee3677ca1dd29f0f actionmailer-3.0.6.gem
- e8fbefd5b0a46408dd557331700ea514a4c199ab actionpack-3.0.6.gem
- 8509520744ecd8e6712158311a16ba4782b454e2 activemodel-3.0.6.gem
- 3b392e811ba342a5bf430d89cf4f060d119aba64 activerecord-3.0.6.gem
- 9eea440bdf885e857ebfb5ff8e31119f76a18a4e activeresource-3.0.6.gem
- 175ba6286f7802edeeaab30f900d87a38f516728 activesupport-3.0.6.gem
- ebeea3c1f03db3309ea9a6640e1767ab144ff567 rails-3.0.6.gem
- 61e24f94ea87fc58175b2067f7f6a3a8c468bfe0 railties-3.0.6.gem
Thank you for waiting for me to finish vacation before I released this! I hope
that everyone enjoys this bugfix release of Rails. Next time I’ll try not to
vacation so much! ;-)
<3 <3 <3 <3 <3