What are the new Rails critical security fixes? - ruby-on-rails

I got these updates from rails:
I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely critical security fixes so please update IMMEDIATELY.
link
As it says, it's critical. I just updated my application from rails 3.1 to 3.11 and did bundle update rails. My questions are:
What was the actual loophole in rails that has now been fixed?
As a learner I'm eager to understand what the problem was and how it has been fixed. I couldn't find anything about this.
Is it really a big loophole, and is there any problem for all Rails applications that haven't been updated?

Here's an explanation of the hack: http://charlie.bz/blog/rails-3.2.10-remote-code-execution
And the original post by tenderlove: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
Basically, anyone can inject XML and instantiate any kind of Ruby object using YAML ... it's complicated, but works on all apps (except the patched one of course, and Rails 1.X) and can even execute system commands ...
Anyone having Rails apps around should already have upgraded ... if not, do it NOW!
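Added example, not code from the answer above or from Rails itself: the check a defender wants after this advisory, written in plain Ruby against Psych's safe_load rather than the Rails XML parameter parser. The Note class, the two documents and load_untrusted are constructed for this illustration.

```ruby
require 'yaml'

# Hypothetical application class, used only for this example.
class Note
  attr_accessor :body
end

# Constructed sample: untrusted YAML naming a Ruby class through a
# !ruby/object tag. On Psych < 4, YAML.load instantiates whatever class the
# tag names, which is the primitive the answer above describes.
TAGGED_DOC = "--- !ruby/object:Note\nbody: hello\n"
# Constructed sample: the plain data a YAML-typed parameter should carry.
PLAIN_DOC = "---\nbody: hello\n"

# Safe by default: every class tag is refused unless explicitly allowlisted.
# Returns the parsed value, or :rejected when a tag named a class that was
# not permitted.
def load_untrusted(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
rescue Psych::DisallowedClass
  :rejected
end

# Plain data still parses; the tagged document is rejected; with an explicit
# allowlist, only the named class can be built (and nothing else).
if __FILE__ == $PROGRAM_NAME
  p load_untrusted(PLAIN_DOC)
  p load_untrusted(TAGGED_DOC)
  p load_untrusted(TAGGED_DOC, permitted: [Note]).body
end
```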

Related

How to update rails 3.0.3 to 3.1?

How do I update to Rails 3.1?
I am using windows xp with ruby console.
And is there a smart way to update a rails app from 3.0.3 to 3.1 or do I need to rewrite it all?
This question has a lot of useful information which might help you out: Upgrading from Rails 3 to Rails 3.1
It doesn't answer specifically for Windows, but there's a lot of advice and insight that you'll find useful for the upgrade.
The only advice I can offer on top of reading the answers in the above question is to have a bit of patience and not expect it to work straight away. There's a lot of changes in the way 3.1 works so expect to spend some time fixing it up.
Good luck!
I created one vanilla 3.0 site, added it to Git, then created a vanilla 3.1 site and copied it over the 3.0 site, deleting existing files first. A diff then showed me exactly what changed.
I would strongly recommend this and the following two railscasts in the series.

Is it okay to use Rails 3.1 for a new project? Is it hard to convert over?

I have just started using 3.0.7. I am about 2 weeks of development in.
I was wondering if I should keep building for 3.0.7 or switch to 3.1 before I have too much code to port over? I like most of the new features (my only fear is not having good error messages when I use coffeescript), so I'd like to code towards the latest and greatest if it's relatively safe.
The javascript standards look interesting, and the attr_accessible fix sounds like it's very much appreciated.
Is Rails 3.1 compatible with all the gems out there though?
Also, if I go the 3.1 route, is it hard or easy to migrate my project towards it? How might one go about that?
I guess this is a lot of mini yet related questions. I'd really appreciate some answers. Thank you.
I think if you want to ride on Rails 3.1 you should do it :). As for me I have some projects on Rails 2.3.5, 3.0.5 and would like to port them to Rails 3.1 but there is too much code there :). So don't be afraid and go to the fresh stuff (unless your code overflows :) ).
Rails 3.1 is pretty stable for now (I didn't have many problems with installing and using it).
If you're only two weeks into a project then it makes sense to stay on the edge and move to 3.1.
The way I'd do it is clone my project to a new dir (you're using git / similar version control, right?), change the Rails version in my Gemspec, run tests and play around to see what got broken (if anything). Based on the results you can figure out whether the effort is too great.
Regarding gem compatibility, hardly anything is compatible with all gems out there. Since you're two weeks in, you probably know which gems you use. Test like I suggested and you'll have an idea whether it's compatible with what you need. If you're using popular gems, then they'll most likely be updated to work with 3.1 soon enough.

Turn on html_safe for the entire app in Rails 3

Rails 3 turns off the html_safe option by default. I want to revert this thing. I have a Rails 2.3.8 app getting converted to Rails 3. Almost every page breaks because of the Rails 3 default html_safe setting. Is there any way I can revert this to where it was in previous versions of Rails? Please help.
No, there isn't and even if there is, you shouldn't.
It's a good habit to test (and update) your app using the rails_xss plugin in Rails 2.3.x before actually starting the conversion to Rails 3.
Also, you should have a valid test suite in place so that every error will be spotted by the test suite and you can easily fix it.
Don't try to upgrade unless you have completed these two simple steps. There are also a few other suggestions.
As a side note: current versions of Rails 3 also HTML-escape non-HTML templates, which is a bug. See: https://rails.lighthouseapp.com/projects/8994/tickets/4858
I'm posting this here because I found this question while investigating the bug mentioned above, but didn't find that ticket or anything about this bug on the interwebs. (Bad google skills?) Hope it saves someone time.
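Added illustration, not code from the answers above and not Rails' own ActiveSupport::SafeBuffer: a plain-Ruby model of why escaping by default and marking individual trusted fragments is safer than the global revert the question asks for. SafeFragment, mark_safe, render and render_unescaped are hypothetical names; the sample strings are constructed.

```ruby
require 'erb'

# Hypothetical stand-in for Rails' SafeBuffer: a String the developer has
# explicitly vouched for. Anything that is not a SafeFragment is treated as
# untrusted text.
class SafeFragment < String; end

def mark_safe(str)
  SafeFragment.new(str)
end

# Rails 3 behaviour modelled here: escape unless the fragment was marked safe.
def render(value)
  value.is_a?(SafeFragment) ? value.to_s : ERB::Util.html_escape(value)
end

# The global revert the question asks for: nothing is ever escaped, so any
# user-supplied value reaches the browser verbatim.
def render_unescaped(value)
  value.to_s
end

# Constructed sample: a user-supplied comment containing markup.
USER_COMMENT = "<script>alert(1)</script>"
# Constructed sample: markup generated by the application itself.
APP_MARKUP = mark_safe("<b>Welcome</b>")

# Builds one page with the given renderer so the two policies can be compared.
def page(renderer)
  "#{renderer.call(APP_MARKUP)} #{renderer.call(USER_COMMENT)}"
end

if __FILE__ == $PROGRAM_NAME
  puts page(method(:render))           # app markup kept, comment escaped
  puts page(method(:render_unescaped)) # comment emitted as live markup
end
```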

Rails 3 beta 3 -- is it time to start using this for new projects?

Is it time to start new projects in Rails 3? I'm nervous about using beta versions but at the same time I really like what they are doing and don't want to deal with legacy 2.3.5 issues with these apps.
Is it better to wait these things out, or buckle-up, deal with early adopter issues and get a head start on the future. Thanks for any light you can shed.
I'd say no, rails v3.beta3 still has some serious issues that cause it to crash (unexpectedly). As noted from the Riding Rails blog:
Note that Ruby 1.8.7 p248 and p249 have marshaling bugs that crash both Rails 2.3.x and Rails 3.0.0. Ruby 1.9.1 outright segfaults on Rails 3.0.0, so if you want to use Rails 3 with 1.9.x, jump on 1.9.2 trunk for smooth sailing.
Also of note:
Known regressions: Rails crashes unless configuration.action_controller.session is set, config.thread_safe does not work, Unable to run a RJS partial from an HTML template, Backtrace silencers often remove application lines from test failure backtraces, Active Record double escapes error_messages_for
I am doing all of my new development work on Rails 3. I have found a couple of issues in general stability, but they are really in the fringe/edge cases - I have a system running on Heroku that is quite stable. The core platform itself is quite stable and the various APIs should not significantly change heading to release.
You need to ask yourself what you've got to lose, but one thing is clear: Rails 2.x is history.

How can I make my Ruby on Rails 2.3.4 application "Rails 3-ready"

I'm developing an application with Ruby on Rails that I want to maintain for at least a few years, so I'm concerned about the next version coming up soon.
Going from Rails 1 to Rails 2 was such a big pain that I didn't bother and froze my gems and let the application die, alone, in the dark.
On this project I don't want to do that. First because this new version looks awesome, but also because this application may turn into a real product.
How can I prepare my application so that it will be upgradable with as few changes as possible?
How time consuming do you think switching version will be?
And what about my server? Deployment?
I'm already looking at deprecation notices... what else can I do?
The best thing you could do would be to follow development of Rails 3 via blogs and the Github repository and keep up a copy of your app along with it.
The official Ruby on Rails blog is updated with "What's new in Edge" posts every once in a while. There are other blogs that often write about new things in edge as well. Larger features are often highlighted in these blogs, so you know about all the cool new features you can play with.
I'm not sure how close Rails 3 is to release (last I heard the core team was talking about a release at RailsConf 2009 in May), but you can always freeze the edge version of Rails into your application and just see what breaks. If you are using git, or another DVCS, you might make a branch specifically for Rails 3 and periodically update Rails to the latest edge code. Just be aware that edge Rails is a moving target so things in your app may break or fix themselves as you are pulling in newer Rails code.
Update:
Jeremy McAnally has a ton of info on upgrading from Rails 2 to Rails 3 on his blog.
http://omgbloglol.com/
I don't think there is going to be a major problem. Going off what was said in that initial report, the Rails team realized that they can't do a major rewrite like they did from 1 to 2.
They even say:
I’m sure there’ll be some parts of Rails 3 that are incompatible, but we’ll try to keep them to a minimum and make it really easy to convert a Rails 2.x application to Rails 3.
I would be more concerned going from Merb to Rails 3.
The single most important thing you can do to make it easy to migrate to a new version of rails is to have a comprehensive test suite. Without a good test suite, I would never have the confidence that the new version of rails hasn't broken something in my app. On the current Rails app I'm working on, we started on Rails 2.1.1 back in October of 2008. Since then, we've migrated to Rails 2.1.2, 2.2.2, 2.3.2, 2.3.3 and now 2.3.4. I did the migrations to 2.3.2, 2.3.3 and 2.3.4...and for the 2.3.2 and 2.3.3 upgrades, we had some failing tests that alerted us to problems we would not have discovered without having such a good test suite. The failing tests actually alerted us to a regressive bug in rails that there was a patch for on the Rails lighthouse but that was not included in the release (since it was discovered, right after the release).
Once you've got that test suite in place, just stay current with each rails release (waiting a couple weeks to upgrade is fine, just don't skip any of the releases).
Yehuda Katz (a member of the Rails core team) has stated that there will most likely be a transitional release, containing deprecation warnings and such.
So as long as you have a good test suite to expose the inevitable upgrade problems, and stay current with the Rails release, the migration to Rails 3 should not be too difficult.
As simple as:
One
Two
Three
Great screencasts from Ryan Bates.
For preparing your application, the best way is what Jared said: follow Rails 3 development.
As for how time consuming it will be, I think it depends on how closely you've followed Rails 3 development before its release.
And for the deployment, it shouldn't cause too many problems. Rails 3 will be using Rack, so you can start it with Mongrel, Passenger or any server/gateway; it shouldn't give you any problem.
There are some major changes in Rails 3, I posted about my experience upgrading my app to Rails 3 here: http://rails3.community-tracker.com/permalinks/5/notes-from-the-field-upgrading-to-rails-3
A good start in preparing would be to migrate over to using bundler. And doing a very deep review of strings that will go through the new XSS protection scheme.
There are going to be some automated compatibility checkers. Also, keep an eye on http://www.railsplugins.org/ so that you know if the libraries you depend on are going to be upgraded. The Rails Core team seems to be giving a lot of advance notice to the community this time around, so any lib that is actively maintained should be good to go.
Just do one thing: take a backup of your old version project first, and then in the terminal (command prompt) write
rails new path/of/the/project
For example, if my 2.3.* project is at home/rails_projects/myproject then
rails new home/rails_projects/myproject
or
cd home/rails_projects
rails new myproject
It will ask about any modifications made to /config or other files; answer as appropriate.
