Evan on 10 Aug 2006 02:52:10 -0000



Re: [PhillyOnRails] Any news on whats what with 1.1.5?


It could possibly be related to these lines:

diff -r old/rails/vendor/rails/actionpack/lib/action_controller/routing.rb
new/rails/vendor/rails/actionpack/lib/action_controller/routing.rb
221c221,225
<
---

def file_kinds(kind) ((@file_kinds ||= []) << kind).uniq! || @file_kinds end
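Review bot: the one-line `def file_kinds(kind) ((@file_kinds ||= []) << kind).uniq! || @file_kinds end` works only because `uniq!` returns nil when the array was already unique, which the trailing `|| @file_kinds` compensates for; that is easy to misread in review. A multi-line body with a one-line comment stating that the method both registers a kind and returns the full list would make the intent obvious, and nothing in the hunk documents what a "kind" is or where the registered list is consumed.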

230a235
file_kinds :app
271c276
<               base[0, extended_root.length] == extended_root || base
=~ %r{rails-[\d.]+/builtin}
---
base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
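Review bot: in the new line 276 the alternation `#{file_kinds(:lib) * '|'}` is interpolated without a surrounding group, so `\A#{Regexp.escape(extended_root)}\/*` binds only to the first registered kind; every later alternative is matched anywhere in `base`, unanchored. Wrapping it as `(?:#{file_kinds(:lib).map { |k| Regexp.escape(k.to_s) } * '|'})` makes the root prefix apply to all kinds and escapes the kind names the same way `extended_root` already is. A short comment on why the plain prefix comparison `base[0, extended_root.length] == extended_root` was replaced by the regex would also help, since the `|| base =~ %r{rails-[\d.]+/builtin}` fallback is unchanged.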

But I don't know what it might be in specific (the new version is marked by the > sign).

Evan

PS. A diff of 1.1.4 and 1.1.5, minus the /doc directory and other
things unlikely to be relevant, is here:
http://blog.evanweaver.com/files/diff.txt .

On 8/9/06, Aaron Blohowiak <aaron@aaronblohowiak.com> wrote:

Security issue, not something "broken" as in stopped functioning when functioned previously.

If you live on edge, you are actually safe from this flaw.

ALWAYS TEST before you go live with a new version of rails. Though they
claim this is a drop-in, it isn't. It kills some rails apps that use certain
plugins. Hit up #rubyonrails on freenode until this gets sorted out.


Aaron Blohowiak


On Aug 9, 2006, at 2:55 PM, Mike Zornek wrote:

http://weblog.rubyonrails.com/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits


This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig into
the specifics. No need to arm would-be assailants.

I'm not really a fan of the fearful release note as seen above. I know some
Philly on Rails people live on edge. Anyone want to go in to detail on what
was actually broken? And how it was fixed?

~ Mike
--
Work: http://ClickableBliss.com
Play: http://MikeZornek.com


_______________________________________________ talk mailing list talk@phillyonrails.org http://lists.phillyonrails.org/mailman/listinfo/talk


--
Evan Weaver
University of Delaware