[ANN] Rails 1.2.5: Security and maintenance release

This release closes a JSON XSS vulnerability, fixes a couple of minor
regressions introduced in 1.2.4, and backports a handful of features
and fixes from the 2.0 preview release.

All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5,
though it isn’t strictly necessary if you aren’t working with JSON.
For more information the JSON vulnerability, see CVE-2007-3227.

Summary of changes:

  • acts_as_list: fixed an edge case where removing an item from the
    list then destroying the item leads to incorrect item positioning
  • deprecated calling .create on has_many associations with an unsaved
    owner (like post = Post.new; post.comments.create)
  • backport array and hash query parameters
  • fix in place editor’s setter action with non-string fields
  • updated config/boot.rb to correctly recognize RAILS_GEM_VERSION

To upgrade, gem install rails, set RAILS_GEM_VERSION to ‘1.2.5’ in
config/environment.rb, and rake rails:update:configs.

Thank you. Installed. I love how hassle-free that is.

It seems like the default page on the installation should have the
version on it. Maybe that’s just me.


Oh. It’s there, under the environment. Got it.