Happy Friday Everyone!
This is Vipul, bringing you the latest changes in the Rails codebase.
[CVE-2023-28362] Possible XSS via User Supplied Values to redirect_to
If you haven’t already, it’s time to upgrade your Rails application to the latest version!
Rails versions 7.0.5.1 and 6.1.7.4 have been released with a security fix for a possible XSS vulnerability in redirect_to when using user-supplied values.
It fixes the redirect_to method in Rails, which allowed user-provided values to contain characters that are not legal in an HTTP header value.
This vulnerability has been assigned the CVE identifier CVE-2023-28362.
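The class of check the fix concerns is a header-value validation on the redirect target: any byte that may not appear in an HTTP header field value has to be rejected before the Location header is written. The following is an added illustration of such a check, not the Rails patch itself; the names UnsafeRedirectError, HEADER_VALUE_CHARS and ensure_header_safe_location are this example’s own, and the character set follows the field-value grammar of RFC 7230 section 3.2 (visible ASCII, space, horizontal tab and obs-text), so CR, LF, NUL and other control bytes are refused.

```ruby
# Added illustration, not the Rails fix: reject redirect targets that carry
# characters an HTTP header field value may not contain. Names below are
# this example's own, not Action Controller's.
class UnsafeRedirectError < ArgumentError; end

# Bytes permitted in an HTTP header field value (RFC 7230 section 3.2):
# horizontal tab, visible ASCII including space, and obs-text (0x80-0xFF).
# Everything else (CR, LF, NUL, other controls) is illegal in a Location header.
HEADER_VALUE_CHARS = /\A[\t\x20-\x7E\x80-\xFF]*\z/n

# Returns the location unchanged when it is header-safe; raises otherwise.
def ensure_header_safe_location(location)
  raw = location.to_s.b # validate the raw bytes, independent of string encoding
  unless HEADER_VALUE_CHARS.match?(raw)
    raise UnsafeRedirectError,
          "redirect location contains a character that is illegal in an HTTP header value"
  end
  location
end

# Convenience predicate for callers that prefer a boolean over an exception.
def header_safe_location?(location)
  ensure_header_safe_location(location)
  true
rescue UnsafeRedirectError
  false
end
```

Note what this check does and does not cover: it guarantees the value can be emitted as a single well-formed header, nothing more. Whether the destination host is one you trust is a separate question (Rails handles that with allow_other_host and raise_on_open_redirects), and a percent-encoded sequence such as %0D passes here because it is ordinary visible ASCII.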
Rails 7.0.6 has been released!
Rails 7.0.6 has also been released. This release contains many bug fixes backported over the last few months since the 7.0.4 release.
The new method config.autoload_lib(ignore:) provides a simple way to autoload from lib:
config.autoload_lib(ignore: %w(assets tasks))
The lib directory has subdirectories that should not be autoloaded or eager loaded. This new method lets you name the subdirectories to ignore, and the rest of lib is autoloaded as needed.
Read more about this new feature in the autoloading guide.
config.autoload_lib_once(ignore:) is similar to config.autoload_lib introduced above, except that it adds lib to config.autoload_once_paths. With config.autoload_lib_once, classes and modules in lib can be autoloaded, even from application initializers, but won’t be reloaded.
Bounce emails can now be sent with deliver_now
This change adds bounce_now_with to Action Mailbox.
This is useful when you want to send the bounce email immediately, instead of going through the mailer queue:
# Enqueues the bounce email (UnknownSenderMailer is an illustrative mailer name)
bounce_with UnknownSenderMailer.unknown(inbound_email)
# Delivers the email immediately
bounce_now_with UnknownSenderMailer.unknown(inbound_email)
DATABASE option for railties:install:migrations
This change adds a new DATABASE option to railties:install:migrations.
This lets us specify which database the migrations should be copied to when running rails railties:install:migrations in engines:
$ rails railties:install:migrations DATABASE=animals
Active Record encryption support for decrypting data previously encrypted non-deterministically
This change adds support for decrypting data that was encrypted non-deterministically with a SHA-1 hash digest.
It adds a new Active Record encryption option for this purpose:
Rails.application.config.active_record.encryption.support_sha1_for_non_deterministic_encryption = true
It addresses a problem when upgrading from 7.0 to 7.1, where SHA-1 was being used as the digest class for encryption keys instead of the global one.
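To see why such an option is needed, it helps to model the failure mode in a few lines. The example below is added here and is not Active Record Encryption’s own code; it uses a simplified stand-in for the real scheme (PBKDF2-HMAC key derivation with a constructed salt and iteration count, then AES-256-GCM with a random IV per call), so only the shape of the problem carries over: a key derived with SHA-1 and a key derived with SHA-256 from the same secret differ, a record written under the old digest cannot be opened with the new key, and a fallback that tries the SHA-1-derived key only when explicitly enabled restores access without changing the default.

```ruby
require "openssl"

# Added example, not Active Record's code: a toy model of why a SHA-1 fallback
# for non-deterministically encrypted data exists after a digest change.
KEY_LENGTH = 32                                  # AES-256 key size in bytes
ITERATIONS = 2**16                               # constructed value for this example
SALT = "constructed-key-derivation-salt".b       # constructed value for this example

# Derive the data-encryption key from the master secret with PBKDF2-HMAC.
# The digest name ("sha1" or "sha256") is what changes between the two setups.
def derive_key(secret, digest)
  OpenSSL::KDF.pbkdf2_hmac(secret, salt: SALT, iterations: ITERATIONS,
                           length: KEY_LENGTH, hash: digest)
end

# Non-deterministic encryption: fresh random IV on every call, AES-256-GCM.
def encrypt(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Returns the plaintext, or nil when the key does not match (GCM tag check fails).
def decrypt(payload, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = payload[:iv]
  cipher.auth_tag = payload[:tag]
  cipher.auth_data = ""
  cipher.update(payload[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Try the current digest first; fall back to a SHA-1-derived key only when the
# caller has opted in. Returns [plaintext, digest_used], or nil if nothing fits.
def decrypt_with_fallback(payload, secret, support_sha1: false)
  digests = ["sha256"]
  digests << "sha1" if support_sha1
  digests.each do |digest|
    plaintext = decrypt(payload, derive_key(secret, digest))
    return [plaintext, digest] if plaintext
  end
  nil
end
```

The fallback order matters: the current digest is tried first so that records written after the upgrade never pay for the legacy path, and the legacy key is only ever derived when the option is on, which keeps the default behaviour of a fresh 7.1 application unchanged.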
Add :report behavior to ActiveSupport::Deprecation
This change adds a :report behavior for ActiveSupport::Deprecation.
Setting config.active_support.deprecation = :report uses the error reporter to report deprecation warnings to Rails.error.
This is useful for reporting deprecations that happen in production to bug trackers, instead of having them logged silently.
You can view the complete list of changes here.
We had 25 contributors to the Rails codebase this past week!
Happy Friday again! Until next time :-)
Subscribe to get these updates mailed to you.