Rails 1.1.3: Security fix and minor fixes

Posted by David June 27, 2006 @ 08:07 PM

We’ve found and fixed a security issue with routing that could cause excess CPU usage in Rails processes when triggered by certain URLs. We strongly encourage anyone running 1.1.x to upgrade to the latest version. It’s fully backwards compatible and should serve as a small drop-in fix.

If you’re running the latest Edge Rails, though, there’s no need to update. We’ve rewritten the routes functionality on edge and the new version doesn’t have this problem.

To upgrade, you can, as always, just do: gem install rails --include-dependencies

Note: This release doesn’t include any of the new CRUD/resource-based features. All of the new features we’ve been working on over the last couple of months will become available in 1.2.0, which is scheduled for “soonish”. This 1.1.3 release is purely to address the security issue and a few other minor fixes that were already available on the STABLE branch.

Posted in Releases | 27 comments

Comments

  1. Joe on 27 Jun 20:36:

    What are the “certain URLs”?

  2. Jon Maddox on 27 Jun 20:36:

    What happened to DRY David?

  3. Abdur-Rahman Advany on 27 Jun 21:00:

    You are repeating the same thing twice :)

  4. Jacob Atzen on 27 Jun 21:08:

    It seems activesupport 1.3.1 is missing from the repository:

    $ gem update -y
    Upgrading installed gems...
    Attempting remote upgrade of actionmailer
    Attempting remote installation of 'actionmailer'
    ERROR:  While executing gem ... (Gem::GemNotFoundException)
        Could not find activesupport (= 1.3.1) in the repository

  5. Adam Sanderson on 27 Jun 21:09:

    heh, yeah WET post here ;) Thanks for the security update.

  6. Sebastian on 27 Jun 21:14:

    No tag release for this?

  7. Phil on 27 Jun 21:20:

    Maybe he is going to refactor his post?

  8. Jomdom on 27 Jun 21:25:

    I’d like to know what the certain URLs are as well.

  9. Pat on 27 Jun 21:42:

    Do we need to change the RAILS_GEM_VERSION value in environment.rb, or does that just mean the minimum gem version, so all apps will use 1.1.3?

  10. joojoobeans on 27 Jun 22:01:

    “What happened to DRY David?”

    What are you talking about?

  11. gecko on 27 Jun 22:21:

    Got the activesupport 1.3.1 error too. Looks like it’s on the server (http://gems.rubyforge.org/gems/activesupport-1.3.1.gem) but gem list --remote doesn’t pick it up.

  12. ajaya agrawalla on 27 Jun 22:40:

    $ gem install rails --include-dependencies --install-dir vendor
    Attempting local installation of 'rails'
    Local gem file not found: rails*.gem
    Attempting remote installation of 'rails'
    Updating Gem source index for: http://gems.rubyforge.org
    ERROR:  While executing gem ... (Gem::GemNotFoundException)
        Could not find activesupport (= 1.3.1) in the repository

  13. HybridIndie on 27 Jun 22:43:

    Just download and install the gem manually from rubyforge.

    gem install --local activesupport-1.3.1

  14. Curtis on 27 Jun 22:44:

    It typically takes a while for the gems to propagate across servers. ;)

  15. Stephen Waits on 27 Jun 23:38:

    Pat: You need to update it.
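
The upgrade instruction above installs the new gem, but as Stephen’s reply notes, a Rails 1.1 app keeps loading whatever version its config/environment.rb pins in RAILS_GEM_VERSION. The following is an added example, not code from the original post or from Rails itself, that audits that pin against the minimum patched release named in the announcement. The sample environment.rb fragments are constructed, and the :patched / :vulnerable / :unpinned labels are this example’s own convention.

```ruby
# Added example (not from the original post or from Rails): check the Rails
# version an app pins in config/environment.rb against the minimum patched
# release named in the announcement (1.1.3). An app left at an older pin keeps
# loading the old gem even after `gem install rails`.
require 'rubygems'

MIN_PATCHED_RAILS = Gem::Version.new('1.1.3')

# Constructed sample environment.rb fragments, modelled on the Rails 1.1
# generator output; they are not real project files.
SAMPLE_ENV_OLD = <<-RUBY
# Be sure to restart your web server when you modify this file.
RAILS_GEM_VERSION = '1.1.2' unless defined? RAILS_GEM_VERSION
require File.join(File.dirname(__FILE__), 'boot')
RUBY

SAMPLE_ENV_NEW = SAMPLE_ENV_OLD.sub("'1.1.2'", "'1.1.3'")

# Returns the pinned version as a Gem::Version, or nil when the file has no pin.
# Only an uncommented assignment at the start of a line counts, so a
# "# RAILS_GEM_VERSION = ..." comment does not register as a pin.
def pinned_rails_version(environment_rb)
  m = environment_rb.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([^'"]+)['"]/)
  m && Gem::Version.new(m[1])
end

# :patched    -> the pin is at or above the minimum patched release
# :vulnerable -> the pin is below it; installing the gem did not fix this app
# :unpinned   -> no pin, so the app loads the newest installed rails gem and
#                the host's `gem list rails` output decides instead
def rails_pin_status(environment_rb, minimum = MIN_PATCHED_RAILS)
  version = pinned_rails_version(environment_rb)
  return :unpinned if version.nil?
  version < minimum ? :vulnerable : :patched
end

if __FILE__ == $0
  { 'old app' => SAMPLE_ENV_OLD, 'upgraded app' => SAMPLE_ENV_NEW }.each do |name, src|
    puts "#{name}: #{rails_pin_status(src)}"
  end
end
```

Run it over each app’s config/environment.rb (for example by reading the file into a string and passing it to rails_pin_status); a :vulnerable result means the pin must be raised to 1.1.3 before the upgraded gem is actually used.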

  16. Jon Maddox on 28 Jun 04:46:

    joojoobeans:

    The original post was repeated, as if he wrote it in one app and pasted it into the field to post, but pasted it twice.

    So my comment is a bit off since he updated the post.

  17. Chris on 28 Jun 05:03:

    I get the error:

    ERROR:  While executing gem ... (Errno::EACCES)
        Permission denied - /usr/local/lib/ruby/gems/1.8/cache/activerecord-1.14.3.gem

  18. Jeroen on 28 Jun 08:02:

    Can anybody provide more information on these new CRUD/resource-based features?

  19. joost on 28 Jun 09:31:

    This update seems to have broken my application. Routing to controllers inside directories doesn’t work any longer.

    e.g. /article/read/723 works fine; /edit/article/edit/723 does not work.

  20. dopey on 28 Jun 14:34:

    Does anyone know what CRUD/resource-based is?

  21. Thijs on 28 Jun 14:41:

    Same here, no routes to controllers inside directories.

  22. DHH on 28 Jun 20:12:

    We’ve found a few bugs, which have already been fixed in stable. Seems like we’ll be pushing out 1.1.4 today. Sorry about this, guys. Certainly looks a tad sloppy.

  23. matte on 28 Jun 22:35:

    No worries, with the RAILS_GEM_VERSION option it isn’t a problem to switch from one Rails version to another!

    Good work for the new rails version!

  24. Kevin.Li on 29 Jun 06:25:

    This update seems to have broken my application too; ActiveRecord doesn’t work now. I use a PostgreSQL database with the postgres-pr driver, but I get the error: uninitialized constant PGconn ... when I visit http://localhost:3000

  25. Alan Francis on 29 Jun 10:43:

    If you upgraded to RubyGems 0.9.0 you may be experiencing some gem update problems.

    Delete the source_cache file to resolve it.

  26. Johnpg on 29 Jun 20:35:

    Darn I got bit by the “controllers inside directories” bug too. I knew I should have saved my frozen gems. :-) Looking forward to 1.1.4.

  27. eric on 24 Jul 21:42:

    Is anyone else seeing the postgres “error: uninitialized constant PGconn ... when I visit http://localhost:3000” issue? I am as well, but have no idea what the problem is.