Rails update fixes security issue
Wednesday, 06 April 2011

Rails 3.0.6, released today, contains an important security fix. If you can't upgrade there is also a security patch to fix the issue.

Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability in the auto_link method: it marks its output as "html safe" even when the input comes from an unknown origin, so the view emits that input without escaping it. Users are therefore being urged to update to Rails 3.0.6, which can be downloaded from GitHub. After this upgrade, content passed to auto_link is automatically escaped for you.

In the event that upgrading Rails 3 isn't something you want to do, there is also a security patch that has the same effect.

If you want neither to upgrade Rails nor to apply the patch, the advice from the Rails blog is to change calls to auto_link as follows:

<%= sanitize(auto_link(params[:content])) %>

If you trust the input, then this is the change to make:

<%= raw(auto_link(params[:content])) %>
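To make the difference concrete, here is an added example (constructed for this article, not Rails' own code or the fix itself) that imitates the defect in plain Ruby: a stand-in auto_link that links URLs in raw input and flags the result as html_safe, beside a version that escapes the untrusted text before adding the anchors, which is the behaviour the fix gives you. The SafeBuffer class, URL pattern and render helper are simplified assumptions standing in for ActiveSupport::SafeBuffer and ERB's <%= %>.

```ruby
require "cgi"

# Constructed stand-in for ActiveSupport::SafeBuffer: a string flagged
# html_safe is emitted by <%= %> without any further escaping.
class SafeBuffer < String
  def html_safe?
    true
  end
end

# Assumed, deliberately simple URL matcher (Rails' real one is more involved).
URL_RE = %r{https?://[^\s<>"']+}

# Imitates the pre-3.0.6 behaviour: links URLs inside the raw input and then
# marks the whole result html_safe, so any markup in the input ships verbatim.
def auto_link_vulnerable(text)
  linked = text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
  SafeBuffer.new(linked)
end

# Imitates the post-fix behaviour (an assumption about its shape): escape the
# untrusted text first, then add the anchors, then mark the result safe.
def auto_link_fixed(text)
  escaped = CGI.escapeHTML(text)
  linked = escaped.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
  SafeBuffer.new(linked)
end

# Stand-in for ERB's <%= %>: escape unless the value is already html_safe.
def render(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Constructed untrusted input: a URL followed by an injected script tag.
UNTRUSTED = "see http://example.com <script>alert(1)</script>"

# Returns what each variant would put on the page for the same input.
def demo
  {
    vulnerable: render(auto_link_vulnerable(UNTRUSTED)),
    fixed:      render(auto_link_fixed(UNTRUSTED))
  }
end

if __FILE__ == $0
  demo.each { |variant, html| puts "#{variant}: #{html}" }
end
```

The vulnerable variant keeps the script tag intact in the rendered HTML; the fixed variant still produces a working anchor for the URL but leaves the injected tag as escaped text.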

A list of other important changes is available on the Rails blog.

Further reading:

Rails 3.0 Released

Faster Rails with 3.0.3
