Evan on 10 Aug 2006 02:52:10 -0000


Re: [PhillyOnRails] Any news on whats what with 1.1.5?

It could possibly be related to these lines:

diff -r old/rails/vendor/rails/actionpack/lib/action_controller/routing.rb

def file_kinds(kind) ((@file_kinds ||= []) << kind).uniq! || @file_kinds end

file_kinds :app
<               base[0, extended_root.length] == extended_root || base
=~ %r{rails-[\d.]+/builtin}
base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
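Review bot: in the replacement line the alternatives built by `file_kinds(:lib) * '|'` are interpolated into the regexp without grouping, so the `\A#{Regexp.escape(extended_root)}\/*` anchor applies only to the first alternative (`app`, registered on the `file_kinds :app` line above) and each later kind, `lib` included, can match anywhere in `base`, not just directly under `extended_root`. Wrap the list as `(?:#{file_kinds(:lib) * '|'})` so the anchor covers every alternative; `\/*` also admits zero slashes, so a trailing separator after the group (or `\/+` before it) would keep the root and the kind name from running together.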

But I don't know what it might be in specific (the new version is marked by the > sign).


PS. A diff of 1.1.4 and 1.1.5, minus the /doc directory and other
things unlikely to be relevant, is here:
http://blog.evanweaver.com/files/diff.txt .

On 8/9/06, Aaron Blohowiak <aaron@aaronblohowiak.com> wrote:

Security issue, not something "broken" as in stopped functioning when functioned previously.

If you live on edge, you are actually safe from this flaw.

ALWAYS TEST before you go live with a new version of rails. Though they
claim this is a drop-in, it isn't. It kills some rails apps that use certain
plugins. Hit up #rubyonrails on freenode until this gets sorted out.

Aaron Blohowiak

On Aug 9, 2006, at 2:55 PM, Mike Zornek wrote:


This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig into
the specifics. No need to arm would-be assailants.

I'm not really a fan of the fearful release note as seen above. I know some
Philly on Rails people live on edge. Anyone want to go in to detail on what
was actually broken? And how it was fixed?

~ Mike
Work: http://ClickableBliss.com
Play: http://MikeZornek.com

_______________________________________________ talk mailing list talk@phillyonrails.org http://lists.phillyonrails.org/mailman/listinfo/talk


Evan Weaver
University of Delaware