Hi everyone,
Rails 3.1.2 has been released. This is a patch-level release containing
bug fixes and an important security fix.
## Possible XSS vulnerability in the translate helper method in Ruby on Rails ##
There is a vulnerability in the translate helper method which may allow
an attacker to insert arbitrary code into a page.
Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
Fixed Versions: 3.0.11, 3.1.2
Please see [the rubyonrails-security posting](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5)
and the changelog item below for more details.
## CHANGES ##
Action Mailer:
* No changes
Action Pack:
* Fix XSS security vulnerability in the `translate` helper method. When using interpolation
  in combination with HTML-safe translations, the interpolated input would not get HTML
  escaped. *GH 3664*

  Before:

      translate('foo_html', :something => '<script>') # => "...<script>..."

  After:

      translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."

  *Sergey Nartimov*
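The behaviour described in that entry, shown as an added example rather than Rails' own code: a stand-alone Ruby sketch of a `translate` helper over a constructed translation table, with the pre-3.1.2 behaviour (raw interpolation into a trusted `_html` template) beside the corrected one (every interpolated value that is not already marked HTML-safe is escaped first). `TRANSLATIONS`, `SafeString`, `translate_vulnerable` and `translate_fixed` are names assumed here, and `ERB::Util.html_escape` from the standard library stands in for Rails' escaping.

```ruby
require 'erb'

# Constructed translation table standing in for an I18n backend.
# As in Rails, a key ending in "_html" marks the template itself as trusted HTML.
TRANSLATIONS = {
  'foo_html' => 'Hello <b>%{something}</b>',
  'foo'      => 'Hello %{something}',
}.freeze

# Minimal stand-in for Rails' SafeBuffer: a String that reports itself as trusted HTML.
class SafeString < String
  def html_safe?
    true
  end
end

# Rails treats keys ending in "_html" or ".html" as HTML-safe translations.
def html_safe_key?(key)
  key = key.to_s
  key.end_with?('_html') || key.end_with?('.html')
end

# Pre-3.1.2 behaviour: the interpolated values go into the trusted template
# unescaped, and the whole result is then marked safe, so "<script>" survives.
def translate_vulnerable(key, values = {})
  text = TRANSLATIONS.fetch(key.to_s)
  result = text % values
  html_safe_key?(key) ? SafeString.new(result) : result
end

# Fixed behaviour: before an HTML-safe template is filled in, every value that is
# not itself html_safe? is HTML-escaped. Values already marked safe pass through,
# so callers can still interpolate deliberately built markup.
def translate_fixed(key, values = {})
  text = TRANSLATIONS.fetch(key.to_s)
  return text % values unless html_safe_key?(key) # untrusted result; escaped on output by the view

  escaped = values.each_with_object({}) do |(name, value), acc|
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    acc[name] = safe ? value : ERB::Util.html_escape(value)
  end
  SafeString.new(text % escaped)
end

if __FILE__ == $PROGRAM_NAME
  puts translate_vulnerable('foo_html', something: '<script>') # Hello <b><script></b>
  puts translate_fixed('foo_html', something: '<script>')      # Hello <b>&lt;script&gt;</b>
end
```

The escaping happens per value, before interpolation, which is the point of the fix: marking the finished string safe is only sound if every piece that went into it was either trusted markup or already escaped.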
* Upgrade sprockets dependency to ~> 2.1.0
* Ensure that the format isn't applied twice to the cache key, else it
  becomes impossible to target with expire_action.
  *Christopher Meiklejohn*
* Swallow error when can't unmarshall object from session.
*Bruno Zanchet*
* Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised
  while attempting to convert a template from one encoding to another.
  Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.
  The workaround is to load all conversions into memory ahead of time, and will
  only happen if the ruby version is *exactly* 1.9.3p0. The hope is obviously that
  the underlying problem will be resolved in the next patchlevel release of 1.9.3.
  *Jon Leighton*
* Ensure users upgrading from 3.0.x to 3.1.x will properly upgrade
their flash object in session (issues #3298 and #2509)
Active Model:
* No changes
Active Record:
* Fix problem with prepared statements and PostgreSQL when multiple schemas are used. *GH #3232*
  *Juan M. Cuello*
* Fix bug with PostgreSQLAdapter#indexes. When the search path has multiple schemas,
  spaces were not being stripped from the schema names after the first.
  *Sean Kirby*
* Preserve SELECT columns on the COUNT for finder_sql when possible.
*GH 3503*
*Justin Mazzi*
* Reset prepared statement cache when schema changes impact statement
results. *GH 3335*
*Aaron Patterson*
* Postgres: Do not attempt to deallocate a statement if the connection
is no longer active.
*Ian Leitch*
* Prevent QueryCache leaking database connections. *GH 3243*
*Mark J. Titorenko*
* Fix bug where building the conditions of a nested through association could
  potentially modify the conditions of the through and/or source association. If
  you have experienced bugs with conditions appearing in the wrong queries when
  using nested through associations, this probably solves your problems. *GH #3271*
  *Jon Leighton*
* If a record is removed from a has_many :through, all of the join records relating
  to that record should also be removed from the through association's target.
  *Jon Leighton*
* Fix adding multiple instances of the same record to a
has_many :through. *GH #3425*
*Jon Leighton*
* Fix creating records in a through association with a polymorphic
source type. *GH #3247*
*Jon Leighton*
* MySQL: use information_schema rather than the describe command when we
  look for a primary key. *GH #3440*
  *Kenny J*
Active Resource:
* No changes
Active Support:
* No changes
Railties:
* Engines: don't blow up if db/seeds.rb is missing.
*Jeremy Kemper*
* `rails new foo --skip-test-unit` should not add the `:test` task to
the rake default task.
*GH 2564*
*José Valim*
As ever, you can see a full list of commits between the versions on
Github:
* https://github.com/rails/rails/compare/v3.1.1...v3.1.2
--
http://jonathanleighton.com/