Hi everybody! Rails 3.0.6 has been released!
Let’s get the serious business out of the way first:
Rails 3.0.6 contains an important security fix! Please upgrade!
Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The vulnerability manifests itself via the auto_link method. The method will automatically mark input strings as “html safe” even if the input is from an unknown origin.
<%= auto_link(params[:content]) %>
renders the value of params[:content] without escaping it.
How can I protect myself?
Upgrade to Rails 3.0.6; content passed to auto_link will then be automatically escaped for you.
If you cannot upgrade Rails, then apply the patch; content passed to auto_link will then be escaped for you.
If you cannot upgrade Rails, or apply the patch, then change your calls to auto_link to call sanitize like so:
<%= sanitize(auto_link(params[:content])) %>
If you trust the input, then change to this:
<%= raw(auto_link(params[:content])) %>
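As an added illustration (not code from Rails or from this post), here is a pure-Ruby stand-in for auto_link that contrasts the pre-3.0.6 behaviour with the 3.0.6 behaviour; it needs no Rails, uses CGI.escapeHTML in place of the sanitize helper, and the input string is constructed.

```ruby
require 'cgi'

# Constructed stand-in for the auto_link helper: bare http(s) URLs are turned
# into anchor tags. The capture group makes String#split hand back URL and
# non-URL segments alternately (odd indices are URLs).
URL_RE = %r{(https?://[^\s<]+)}

# Builds the anchor tag; the URL is escaped so quotes cannot break out of href.
def link_tag(url)
  e = CGI.escapeHTML(url)
  %(<a href="#{e}">#{e}</a>)
end

# Models 3.0.x before 3.0.6: only the URLs are touched, the rest of the input
# passes through verbatim, and the whole result was marked html_safe, so the
# view prints any markup the caller supplied unescaped.
def auto_link_vulnerable(text)
  text.gsub(URL_RE) { |url| link_tag(url) }
end

# Models 3.0.6: the non-URL text is escaped before the links are added, so the
# only real markup in the output is the anchor tags the helper built.
# (Rails 3.0.6 runs the input through the sanitize helper; CGI.escapeHTML is
# used here so the example needs nothing beyond the Ruby standard library.)
def auto_link_fixed(text)
  text.split(URL_RE).each_with_index.map do |seg, i|
    i.odd? ? link_tag(seg) : CGI.escapeHTML(seg)
  end.join
end

# Constructed sample of the kind of value params[:content] might carry.
UNTRUSTED = 'See http://example.com/?q=1 <script>alert(1)</script>'

if __FILE__ == $PROGRAM_NAME
  puts "before 3.0.6: #{auto_link_vulnerable(UNTRUSTED)}"
  puts "3.0.6:        #{auto_link_fixed(UNTRUSTED)}"
end
```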
Thanks go to Torben Schulz for reporting this issue!
SERIOUS BUSINESS COMPLETE
After two release candidates, we we we so excited to announce the Rails version 3.0.6! I want to thank everyone that tried out the candidates and reported their feedback! I hope that we can continue getting feedback from the public before releasing final versions.
Changes of note are:
The above security fix in ActionPack
reorder method in ActiveRecord
A backport of “cheaper attributes reads” in ActiveRecord
before_type_cast on timezone aware attributes
Escaping binary data in sqlite3 inserts
Fixing schema support for the mysql adapter
This change list IS NOT exhaustive. These are just some of my favorites! For the complete list please see the CHANGELOG files or view the diff on
If you totally want to make sure that you’ve got the right gems, here are the shasums from before I pushed the gems!
$ shasum *
Thank you for waiting for me to finish vacation before I released this! I hope that everyone enjoys this bugfix release of Rails. Next time I’ll try
vacation so much!
<3 <3 <3 <3 <3