Rails 1.2.5: Security and maintenance release

Posted by michael October 12, 2007 @ 04:44 PM

This release closes a JSON XSS vulnerability, fixes a couple of minor regressions introduced in 1.2.4, and backports a handful of features and fixes from the 2.0 preview release.

All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn’t strictly necessary if you aren’t working with JSON. For more information on the JSON vulnerability, see CVE-2007-3227.
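
The announcement does not describe the defect behind CVE-2007-3227 or the patch, so the following is an added illustration, not code from Rails or from this post. It shows the generic hazard of inlining JSON into an HTML `<script>` block, where a string value containing `</script>` ends the script element early, and the standard mitigation of rewriting `<`, `>` and `&` as JSON `\uXXXX` escapes, which any JSON parser decodes back to the original characters. The helper names (`html_safe_json`, `breaks_out_of_script?`, `inline_script_tag`) and the sample record are assumptions made for the example.

```ruby
require 'json'

# Characters that are harmless inside a JSON string but dangerous once the
# document is inlined in HTML: "</" closes a <script> element regardless of
# JSON quoting, "&" starts an entity inside attributes, and U+2028/U+2029 were
# line terminators in JavaScript string literals before ES2019.
HTML_JSON_ESCAPES = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Encode +value+ (a Hash or Array) as JSON, then rewrite the HTML-significant
# characters as \uXXXX escapes. A JSON parser decodes them back, so the data is
# unchanged; only the textual form becomes safe to inline in a <script> block.
# Added example of the general technique; hypothetical name, not Rails' API.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |ch| HTML_JSON_ESCAPES[ch] }
end

# Defender's check on an encoded document: the HTML parser ends a <script>
# element at the first "</", so any occurrence means the JSON cannot be
# inlined verbatim.
def breaks_out_of_script?(json_text)
  json_text.include?('</')
end

# Wrap the encoded JSON in the kind of inline assignment templates emit,
# refusing any output that would terminate the script element.
def inline_script_tag(var_name, value)
  json = html_safe_json(value)
  raise ArgumentError, 'encoded JSON still contains "</"' if breaks_out_of_script?(json)
  "<script>var #{var_name} = #{json};</script>"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample record: a user-controlled display name.
  record = { 'name' => '</script><b>hi</b> & bye' }
  puts JSON.generate(record)      # plain JSON: still contains "</"
  puts html_safe_json(record)     # escaped form: safe to inline
  puts inline_script_tag('user', record)
end
```

The escaping is applied after serialisation rather than to the input values, so it cannot be bypassed by nesting and it leaves the decoded data byte-for-byte identical.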

Summary of changes:
  • acts_as_list: fixed an edge case where removing an item from the list then destroying the item leads to incorrect item positioning
  • deprecated calling .create on has_many associations with an unsaved owner (like post = Post.new; post.comments.create)
  • backport array and hash query parameters
  • fix in place editor’s setter action with non-string fields
  • updated config/boot.rb to correctly recognize RAILS_GEM_VERSION

To upgrade, `gem install rails`, set RAILS_GEM_VERSION to ‘1.2.5’ in config/environment.rb, and `rake rails:update:configs`.

Posted in Releases | 26 comments

Comments

  1. Justin on 12 Oct 18:12:

    Has anyone yet successfully updated their gem? I keep getting:

    ERROR: While executing gem ... (OpenURI::HTTPError) 404 Not Found

  2. Jim H on 12 Oct 18:15:

    Doesn’t appear to have propagated to all the rubyforge mirrors as of yet… anyone have any idea how long that normally takes?

  3. Dave Woodward on 12 Oct 18:28:

    I tried this:

    $ sudo gem install rails --source http://gems.rubyonrails.org
    Install required dependency activesupport? [Yn]
    ERROR: While executing gem … (Gem::GemNotFoundException)
    Could not find activesupport (= 1.4.3.7843) in any repository

    So far I’ve found that 1.2.4 isn’t actually a “drop-in replacement” and now this gem doesn’t work.

    What’s wrong guys… has it been so long that you forgot how to do a release?

  4. Peter Theill on 12 Oct 18:50:

    I’m getting the GemNotFound version error as well .. I saw some very recent commits by david with regards to versioning .. maybe they missed to update the version numbers and we’ll be able to install soon when the next build is done.

  5. Dave Woodward on 12 Oct 19:13:

    Got it! thanks Jeremy (guess it’s been so long I did forget how to use gem).

  6. Jeremy Kemper on 12 Oct 19:18:

    Dave, ha ha. Please wait for the RubyGems repository to propagate the updated gems out to the mirrors.

    In the meantime, `gem install rails --version '= 1.2.5' --source http://gems.rubyonrails.org/`

    And you can `gem help` if it’s been so long you forgot how to use gems ;)

  7. G$ on 13 Oct 00:05:

    A thought… How about the rails team waits for the propagation to the mirrors to complete before posting a release announcement to the blog?

    Think of all the wasted effort and annoyance this would save. No?

  8. Jeremy Kemper on 13 Oct 00:42:

    Too true. We’ll release at night instead of at the beginning of the day, too ;)

  9. Justin Lynn on 13 Oct 03:57:

    Thanks for getting the JSON fix out there so quickly and backporting some neat new features as well. Keep up the great work :) I really look forward to the 2.0 release.

  10. cch@karensoft.com.my on 13 Oct 10:50:

    Hi

    Except for an error message on clicking the About Your App’s Environment, it looks OK

    “Routing Error, no route found to match /rails/info/properties with (:method :Get)”

    Details at http://cch4rails.blogspot.com

  11. Lee on 13 Oct 15:05:

    Aha. I was wondering what 1.2.5 was when it installed yesterday morning instead of the 2.0PR. I must have gotten it not long after the gem went live.

    Thanks for the info.

  12. James on 13 Oct 17:49:

    Does the “backport array and hash query parameters” provide any new features? Could someone elaborate on this? Thanks.

  13. Jeremy Kemper on 13 Oct 19:14:

    James, it means you can, for example, do search_url(:terms => %w(apple orange pear)) to get /search?terms[]=apple&terms[]=orange&terms[]=pear
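
To make the `search_url` example above concrete, here is an added Ruby sketch (not the Rails implementation and not part of the comment thread) of both directions: serialising arrays and hashes into the bracketed `key[]=` / `key[sub]=` form, and the inverse parse a server performs to rebuild them, with a check that one parameter name cannot arrive as both a scalar and an array. The function names (`to_query`, `parse_nested_query`, `search_url`) are assumptions; brackets are left unescaped for readability, matching the URL in the comment, while keys and values are percent-encoded.

```ruby
require 'cgi'

# Serialise one key/value pair into the bracket convention. Arrays repeat the
# key with "[]" appended; hashes nest their keys in brackets; leaves are
# percent-encoded so "&" or "=" in a value cannot split the query string.
def to_query_param(key, value)
  case value
  when Array then value.map { |v| to_query_param("#{key}[]", v) }.join('&')
  when Hash  then value.map { |k, v| to_query_param("#{key}[#{CGI.escape(k.to_s)}]", v) }.join('&')
  else "#{key}=#{CGI.escape(value.to_s)}"
  end
end

# Turn a params hash into a query string (added example, not Rails' to_query).
def to_query(params)
  params.map { |k, v| to_query_param(CGI.escape(k.to_s), v) }.join('&')
end

# Hypothetical route helper, mirroring the search_url call in the comment.
def search_url(params)
  "/search?#{to_query(params)}"
end

# Inverse: rebuild nested arrays/hashes from "a[b][]=v" style pairs.
# Raises when the same name is used with conflicting shapes, which is the
# kind of ambiguity a server should reject rather than silently resolve.
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    name, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    assign_param(params, name, value)
  end
  params
end

def assign_param(params, name, value)
  name =~ /\A([^\[]+)(.*)\z/
  key, rest = $1, $2
  return params if key.nil? || key.empty?
  if rest.empty?
    raise ArgumentError, "#{key}: scalar after array/hash" if params[key].is_a?(Array) || params[key].is_a?(Hash)
    params[key] = value
  elsif rest == '[]'
    params[key] ||= []
    raise ArgumentError, "#{key}: array after scalar/hash" unless params[key].is_a?(Array)
    params[key] << value
  elsif rest =~ /\A\[([^\[\]]+)\](.*)\z/
    child, tail = $1, $2
    params[key] ||= {}
    raise ArgumentError, "#{key}: hash after scalar/array" unless params[key].is_a?(Hash)
    assign_param(params[key], child + tail, value)
  end
  params
end

if $PROGRAM_NAME == __FILE__
  url = search_url(:terms => %w(apple orange pear))
  puts url                                   # /search?terms[]=apple&terms[]=orange&terms[]=pear
  p parse_nested_query(url.sub('/search?', ''))
end
```

The round trip is lossy in one respect worth knowing: every leaf comes back as a string (`2` becomes `'2'`), so type checks belong in the controller, not in the parser.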

  14. Martin Labuschin on 15 Oct 11:51:

    Thanks!

    Successfully upgraded without any problems.

  15. TedC on 15 Oct 15:20:

    Ain’t working. Installed over 50 times and all was well, after 1.2.5, base install is getting the properties issue and 404 errors when I create new projects. Other suggested workarounds aren’t working. Suggestions?

  16. Steve Koppelman on 16 Oct 16:51:

    Any reason the homepage still says 1.2.4 is the current release and the linked 1.2.4 announcement hasn’t been updated to inform everyone to go to 1.2.5?

  17. Jeremy Kemper on 16 Oct 18:51:

    Steve, good point! Fixed.

  18. Dom on 16 Oct 19:28:

    After upgrading to 1.2.5 and the 1.25.7919 2.0pr, non-generated public methods on my AR objects are getting NoMethodError, yet o.public_methods includes them. This means all business logic implemented as methods on AR objects is broken. Anybody else seeing this issue? Ruby 1.8.6, rubygems 0.9.4, mongrel 1.01 all on FreeBSD 6.1.

  19. Dom on 16 Oct 21:50:

    Um, never mind, sort of. There is a bug if a model method starts with ‘active’ where the method is not accessible. I just happened to have methods named active_from and active_until. Think the problem has been around longer than this release.

    Sorry.

  20. TedC on 18 Oct 04:56:

    Issue with relative path in Windows. Note to self… “When on Windows…always launch server as ruby script\server”. So it was a brain, not a patch issue.

  21. MarcelloDL on 18 Oct 09:58:

    As of today, upgrading from 1.2.3 works fine (restarted web- and db- servers just in case).

    I think some comments here could have been less harsh, I guess problems don’t get fixed any faster if you’re being rude.

    Keep up the good work.

  22. Ric on 19 Oct 19:26:

    The following installation procedure works for me on my OS X Tiger (10.4.10) on MacBook Pro:

    Password:
    Bulk updating Gem source index for: http://gems.rubyonrails.org/
    Install required dependency activesupport? [Yn] Y
    Install required dependency activerecord? [Yn] Y
    Install required dependency actionpack? [Yn] Y
    Install required dependency actionmailer? [Yn] Y
    Install required dependency actionwebservice? [Yn] Y
    Successfully installed rails-1.2.5
    Successfully installed activesupport-1.4.4
    Successfully installed activerecord-1.15.5
    Successfully installed actionpack-1.13.5
    Successfully installed actionmailer-1.3.5
    Successfully installed actionwebservice-1.2.5
    Installing ri documentation for activesupport-1.4.4…
    Installing ri documentation for activerecord-1.15.5…
    Installing ri documentation for actionpack-1.13.5…
    Installing ri documentation for actionmailer-1.3.5…
    Installing ri documentation for actionwebservice-1.2.5…
    Installing RDoc documentation for activesupport-1.4.4…
    Installing RDoc documentation for activerecord-1.15.5…
    Installing RDoc documentation for actionpack-1.13.5…
    Installing RDoc documentation for actionmailer-1.3.5…
    Installing RDoc documentation for actionwebservice-1.2.5…

    gem install rails -v1.2.5 --source http://gems.rubyonrails.org/

    [/Users/Ric]

  23. Fat Lotus on 23 Oct 00:43:

    Successfully installed on Ubuntu Linux and Mac OS X. No problems. Keep up the good work!

    On a completely unrelated note: Why does *.rubyonrails.org => the blog? There has to be a story behind that!

  24. atMyBrothersPC on 31 Oct 06:05:

    fyi, this page does not display correctly under IE7 (upper left is all jumbled)

  25. FreshWeb on 01 Nov 09:52:

    I can confirm the IE7 display problem – posted from IE7!

  26. Yottameter on 03 Nov 08:50:

    What does api.rubyonrails.org represent with regard to version? If it is 1.2.5, shouldn’t ActionController::HttpAuthentication be up there?