Articles

Double Shot #533

Time to update Rails in your production applications. (Update: Looks like Rails 2.3.4 may not be compatible with Ruby 1.9. Proceed with caution).

Rails form helper security vulnerability

A vulnerability has been found in the Rails form helpers that allows an attacker to inject arbitrary HTML into pages. This opens up an unpatched Rails app to potential cross-site scripting (XSS) attacks, which could result in stolen session cookies and other such scenarios.

UUID over the wire

Need to use Active Resource on a remote object that has a UUID?

Last time I checked, Active Resource still overwrites the id with a to_i version of the uuid... this makes "123ABCDE456" turn into 123... not what we want.

But Hyperactive Resource (HyRes) works just fine.

UUID created by the remote system
Does the remote API create the UUID for you? If so - you're laughing.

Ruby on Rails 2.3.4: Security Fixes

We’ve released Ruby on Rails 2.3.4. This release fixes bugs and introduces a few minor features. Due to the inclusion of two security fixes, all users of the 2.3 series are recommended to upgrade as soon as possible.

Security Fixes

2.3.4 contains fixes for two security issues which were reported to us. For more details see the security announcements:

Timing Weakness in Ruby on Rails

There is a weakness in the code Ruby on Rails uses to verify message digests in the cookie store. Because it uses a non-constant-time algorithm to verify the signatures, an attacker may be able to determine when a forged signature is partially correct. By repeating this process they may be able to successfully forge a digest.
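As an added example (not code from the announcement or from Rails itself), here is the comparison the advisory describes: a naive check that stops at the first mismatching byte beside a constant-time one, applied to a cookie laid out as data--digest. The secret, the cookie layout and the SHA-1 HMAC are assumptions made for the demo.

```ruby
require 'openssl'
require 'base64'

# Constructed demo secret; in a real app this is the server-side cookie secret.
SECRET = 'constructed-demo-secret'.freeze

def sign(data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), SECRET, data)
end

# Cookie layout assumed here (data--digest), with the payload base64-encoded.
def make_cookie(payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{sign(data)}"
end

# Naive check: stops at the first mismatching byte, so the time it takes tells
# the attacker how long the correct prefix of the guess is. The second return
# value counts the bytes examined so the leak is visible without a stopwatch.
def verify_naive(data, digest)
  expected = sign(data)
  compared = 0
  expected.each_byte.with_index do |b, i|
    compared += 1
    return [false, compared] if digest.getbyte(i) != b
  end
  [digest.bytesize == expected.bytesize, compared]
end

# Constant-time check: reject on length first, then XOR every byte and OR the
# differences together, so the work done does not depend on where the first
# mismatch is.
def verify_constant_time(data, digest)
  expected = sign(data)
  return false unless digest.bytesize == expected.bytesize
  diff = 0
  expected.each_byte.with_index { |b, i| diff |= b ^ digest.getbyte(i) }
  diff.zero?
end

# Returns the decoded payload, or nil if the cookie's digest does not verify.
def read_cookie(cookie)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest && verify_constant_time(data, digest)
  Base64.strict_decode64(data)
end
```

The byte count returned by verify_naive is what a remote attacker would have to infer from response times; the constant-time version gives them nothing to measure.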

XSS Vulnerability in Ruby on Rails

There is a vulnerability in the escaping code for the form helpers in Ruby on Rails. Attackers who can inject deliberately malformed Unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.

Circle of death

debt circle

Rails Magazine Issue #4 - Free Download

A new edition of Rails Magazine (#4 – “The Future of Rails”) is now available as a free PDF (32 pages) at http://railsmagazine.com/issues/4

Inside:

Exclusive coverage of Ruby Kaigi 2009, possibly the largest Ruby conference in the world.

Technical articles:
- Background Processing with delayed_job
- Generating PDF with ODF templates
- Oracle Tips and Tricks
- Feel the Radiance with Radiant CMS

OT: Windy City Rails

I’ll be at Windy City Rails on the 12th. I’d love to meet up w/ other Chicago Rubyists / readers of this blog at breakfast. Drop me an e-mail at f.mischa@gmail.com

Einstein's Riddle | Rails Fire