In association with heise online

06 April 2011, 10:27

Ruby on Rails update addresses security vulnerability

Version 3.0.6 of Ruby on Rails has been released. According to the developers, the maintenance and security update to the open source web framework addresses a vulnerability in the auto_link functionality.

This is reportedly caused by the auto_link method automatically marking input strings as "html safe", even when the input comes from an unknown, untrusted origin. A malicious person could exploit this, for example, to conduct cross-site scripting (XSS) or script insertion attacks. Ruby on Rails 3.0.x up to 3.0.5 is said to be affected. Updating to version 3.0.6 corrects the issue.
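As an added illustration (not code from the article or from Rails itself), the following minimal stand-in for an auto_link-style helper contrasts the trusting behaviour described above with a variant that escapes its input before marking the result as safe; the SafeString class, helper names and sample input are assumptions made for this example.

```ruby
require "cgi"

# Hypothetical marker for "already escaped" output, standing in for the
# framework's safe-buffer type; the name is an assumption, not Rails API.
class SafeString < String
  def html_safe?
    true
  end
end

URL_RE = %r{https?://[^\s<>"']+}

# Trusting variant: wraps URLs in anchors but never escapes the surrounding
# text, then declares the whole result safe, so a template renders any
# markup the caller passed in verbatim.
def auto_link_unsafe(text)
  linked = text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
  SafeString.new(linked)
end

# Escaping variant: every text segment and every URL is HTML-escaped before
# being placed into markup, so only the anchors generated here are
# interpreted as HTML.
def auto_link_safe(text)
  out = String.new
  last = 0
  text.scan(URL_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])
    url = CGI.escapeHTML(m[0])
    out << %(<a href="#{url}">#{url}</a>)
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..-1])
  SafeString.new(out)
end

# Constructed untrusted input: a URL followed by markup the author never
# intended to be rendered as HTML.
UNTRUSTED = "see http://example.com <b>bold</b>"

if __FILE__ == $0
  puts auto_link_unsafe(UNTRUSTED)
  puts auto_link_safe(UNTRUSTED)
end
```

Rendering the first result in a view shows the injected bold tag as markup; the second renders it as literal text while the generated anchor still works.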

Other changes include ActiveRecord updates, fixes for schema support in the MySQL adapter and corrections for handling before_type_cast on timezone aware attributes. All users are advised to upgrade.

Further details about the 3.0.6 security update can be found in a post on the Ruby on Rails blog and in the change log. Users can install the latest version with gem install rails or upgrade an existing installation with gem update rails. Patches for existing versions are also available. However, at the time of this posting, the project's homepage still shows version 3.0.5 as the latest update. Rails is released under the MIT licence.

(crve)

Permalink: http://h-online.com/-1222608