You are viewing an historical archive of past issues. Please report new issues to the appropriate project issue tracker on GitHub.

Feature request #1917: Update to Rails 3.1.2

Kind feature request
Product wincent.dev
When Created , updated
Status closed
Reporter Greg Hurrell
Tags no tags

Description

Release announcement here:

Comments

  1. Greg Hurrell

    All the more reason to do this due to this vulnerability: 

    There is a vulnerability in the translate helper method which may allow
an attacker to insert arbitrary code into a page.  This vulnerability
has been disclosed to the public so no a CVE identifier has yet to be
assigned.

Versions Affected:  3.0.0 and later, 2.3.X in combination with the
rails_xss plugin
Not Affected:       Pre-3.0.0 releases, without the rails_xss plugin,
did no automatic XSS escaping, so are not considered vulnerable
Fixed Versions:     3.0.11, 3.1.2

Impact
------

Ruby on Rails has a helper method for i18n translations. This function
has a convention whereby translations strings with a name ending in
'html' are considered HTML safe. There is also a mechanism for
interpolation. It has been discovered that these 'html' strings allow
arbitrary values to be contained in the interpolated input, and these
values are not escaped.

All users using the translate helper method with 'html safe'
translations which use variable interpolation should either upgrade or
use one of the workarounds immediately.

Workarounds
-----------

Escape all interpolated input manually. For example:

 translate('some_html', :some => '<input>')

should be changed to:

 translate('some_html', :some => h('<input>'))

Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series.  They are in git-am format
and consist of a single changeset.

* 3-0-translate.patch - Patch for 3.0 series
* 3-1-translate.patch - Patch for 3.1 series

Credits
-------

Thanks to Sergey Nartimov for finding the vulnerability and submitting
the initial patch.

    (Although I confess I don't think I'm using the helper anywhere, so I'm ok. I'll still audit the codebase, anyway, and I'll still upgrade.)

  2. Greg Hurrell

    Summary changed:

    • From: Try Rails 3.1.2.rc2
    • To: Update to Rails 3.1.2
  3. Greg Hurrell

    Weblog hasn't updated yet, but 3.1.2 is out on the gem servers.

  4. Greg Hurrell

    Rather painful as the update included a forced-switch to the asset pipeline, but done.

  5. Greg Hurrell

    Status changed:

    • From: new
    • To: closed
Add a comment

Comments are now closed for this issue.

Menu