Ruby on Rails update addresses security vulnerability
Version 3.0.6 of Ruby on Rails has been released. According to the developers, the maintenance and security update to the open source web framework addresses a vulnerability in the auto_link functionality.
This is reportedly caused when the auto_link method automatically marks input strings as "html safe", even when the input is from an unknown origin. This could be exploited by a malicious person, for example, to conduct cross-site scripting (XSS) or script insertion attacks. Ruby on Rails 3.0.x to 3.0.5 is said to be affected. Updating to version 3.0.6 corrects the issue.
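As an added illustration, not code from the article or from Rails itself, the following pure-Ruby model contrasts the pattern described above (a linking helper that marks untrusted input html-safe) with one that escapes the text before adding anchors. The Marked class, render, auto_link_unsafe, auto_link_safe and the sample string are constructed stand-ins and assumptions, not Rails' own API.

```ruby
require "erb"

# Constructed stand-in (not Rails' SafeBuffer) for a string that records
# whether it has already been vetted as HTML.
class Marked
  attr_reader :text
  def initialize(text, safe)
    @text = text
    @safe = safe
  end

  def html_safe?
    @safe
  end
end

URL_RE = %r{https?://[^\s<]+}

# What a template does with a value on output: trusted HTML is emitted
# verbatim, anything else is escaped.
def render(value)
  value.html_safe? ? value.text : ERB::Util.html_escape(value.text)
end

# Vulnerable pattern (models the behaviour the article describes): the raw
# input is linked and the whole result is marked html-safe, so any markup the
# visitor typed reaches the page unescaped.
def auto_link_unsafe(input)
  linked = input.gsub(URL_RE) { |u| %(<a href="#{u}">#{u}</a>) }
  Marked.new(linked, true)
end

# Hardened pattern: escape the untrusted text first, then add anchors, so the
# only markup that is trusted is the markup this helper generated itself.
def auto_link_safe(input)
  escaped = ERB::Util.html_escape(input)
  linked = escaped.gsub(URL_RE) { |u| %(<a href="#{u}">#{u}</a>) }
  Marked.new(linked, true)
end

# Constructed sample of visitor-supplied text: a URL plus a stray tag.
SAMPLE = "see http://example.com <i onmouseover=x>hi</i>"

if __FILE__ == $0
  puts render(auto_link_unsafe(SAMPLE)) # tag survives
  puts render(auto_link_safe(SAMPLE))   # tag is escaped, link is kept
end
```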
Other changes include ActiveRecord updates, fixes for schema support in the MySQL adapter and corrections for handling before_type_cast on timezone aware attributes. All users are advised to upgrade.
Further details about the 3.0.6 security update can be found in a post on the Ruby on Rails blog and in the change log. Users can install the latest version with the gem install rails command or update an existing installation with gem update rails. Patches for existing versions are also available. However, at the time of this posting, the project's homepage still shows version 3.0.5 as the latest update. Rails is released under the MIT licence.
See also:
- XSS Vulnerability in auto_link() Options, Ruby on Rails security advisory.
- Potential XSS Vulnerability in auto_link(), Ruby on Rails security advisory.
(crve)