wincent.dev

Feature request #1917: Update to Rails 3.1.2

Kind feature request
Product wincent.dev
When Created 11/15/2011, updated 11/21/2011
Status closed
Reporter Greg Hurrell
Tags no tags

Description

Release announcement here:

  • http://groups.google.com/group/rubyonrails-core/browse_thread/thread/c16ebb42fe1ed5a2

Comments

  1. Greg Hurrell 11/18/2011

    All the more reason to do this due to this vulnerability:

    There is a vulnerability in the translate helper method which may allow
    an attacker to insert arbitrary code into a page.  This vulnerability
    has been disclosed to the public, so a CVE identifier has yet to be
    assigned.
    
    Versions Affected:  3.0.0 and later, 2.3.X in combination with the
    rails_xss plugin
    Not Affected:       Pre-3.0.0 releases, without the rails_xss plugin,
    did no automatic XSS escaping, so are not considered vulnerable
    Fixed Versions:     3.0.11, 3.1.2
    
    Impact
    ------
    
    Ruby on Rails has a helper method for i18n translations. This function
    has a convention whereby translation strings with a name ending in
    'html' are considered HTML safe. There is also a mechanism for
    interpolation. It has been discovered that these 'html' strings allow
    arbitrary values to be contained in the interpolated input, and these
    values are not escaped.
    
    All users using the translate helper method with 'html safe'
    translations which use variable interpolation should either upgrade or
    use one of the workarounds immediately.
    
    Workarounds
    -----------
    
    Escape all interpolated input manually. For example:
    
     translate('some_html', :some => '<input>')
    
    should be changed to:
    
     translate('some_html', :some => h('<input>'))
    
    Patches
    -------
    
    To aid users who aren't able to upgrade immediately we have provided
    patches for the two supported release series.  They are in git-am format
    and consist of a single changeset.
    
    * 3-0-translate.patch - Patch for 3.0 series
    * 3-1-translate.patch - Patch for 3.1 series
    
    Credits
    -------
    
    Thanks to Sergey Nartimov for finding the vulnerability and submitting
    the initial patch.

    (Although I confess I don't think I'm using the helper anywhere, so I'm ok. I'll still audit the codebase, anyway, and I'll still upgrade.)
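
The behaviour the quoted advisory describes, modelled as an added Ruby example. This is constructed for this page; it is neither Rails' own `translate` implementation nor code from the original issue. It stands in a flat `TRANSLATIONS` hash for the I18n backend, a small `SafeString` class for ActiveSupport's SafeBuffer, and assumes (as the advisory's `some_html` key suggests) that trusted keys end in `_html`. `translate_vulnerable` marks the whole interpolated result safe without escaping the values, `translate_fixed` escapes each non-safe value first, and `render` does what a view does with the result. `h` is `ERB::Util.html_escape`, which is in the Ruby standard library, so nothing here needs Rails.

```ruby
require 'erb'

# Constructed stand-in for an I18n backend (not Rails data).
# Keys ending in "_html" are treated as trusted markup, per the advisory.
TRANSLATIONS = {
  'greeting_html' => 'Hello <strong>%{name}</strong>!',
  'greeting'      => 'Hello %{name}!',
}.freeze

# Minimal model of a SafeBuffer: a String tagged as already escaped.
class SafeString < String
  def html_safe?
    true
  end
end

# Escape helper in the spirit of Rails' h(); values already marked safe
# pass through so they are not double-escaped.
def h(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# %{name}-style interpolation; unknown keys raise, as I18n would complain.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Behaviour the advisory calls vulnerable (before 3.0.11 / 3.1.2): the whole
# result of an *_html key is marked safe, interpolated values included,
# although those values were never escaped.
def translate_vulnerable(key, values = {})
  text = interpolate(TRANSLATIONS.fetch(key), values)
  key.end_with?('_html') ? SafeString.new(text) : text
end

# Advisory workaround: the caller escapes each interpolated value itself,
# e.g. translate_vulnerable('greeting_html', name: h(user_input)).

# Fixed behaviour: for *_html keys, escape every interpolated value that is
# not itself marked html_safe, then mark the assembled result safe.
def translate_fixed(key, values = {})
  template = TRANSLATIONS.fetch(key)
  if key.end_with?('_html')
    SafeString.new(interpolate(template, values.transform_values { |v| h(v) }))
  else
    interpolate(template, values)
  end
end

# What the view layer does with a helper result: html_safe? strings are
# emitted verbatim, everything else is escaped on output.
def render(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value : h(value)
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(1)</script>' # constructed attacker-controlled input
  puts "vulnerable: #{render(translate_vulnerable('greeting_html', name: payload))}"
  puts "workaround: #{render(translate_vulnerable('greeting_html', name: h(payload)))}"
  puts "fixed:      #{render(translate_fixed('greeting_html', name: payload))}"
  puts "plain key:  #{render(translate_vulnerable('greeting', name: payload))}"
end
```

Running the script shows the distinction the advisory draws: only an `_html` key combined with interpolation lets the payload through, the plain `greeting` key is escaped on output either way, and the fixed helper still honours a value the caller deliberately marked safe.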

  2. Greg Hurrell 11/18/2011

    Summary changed:

    • From: Try Rails 3.1.2.rc2
    • To: Update to Rails 3.1.2
  3. Greg Hurrell 11/18/2011

    Weblog hasn't updated yet, but 3.1.2 is out on the gem servers.

  4. Greg Hurrell 11/21/2011

    Rather painful as the update included a forced-switch to the asset pipeline, but done.

  5. Greg Hurrell 11/21/2011

    Status changed:

    • From: new
    • To: closed