Earlier this month, Rails 3.0.6 was released. If you haven’t made the jump, it’s about time. 😉
First off, version 3.0.6 has some important security fixes, which always seems to be the case these days. The security issue in the previous 3.0.x versions was as follows:
Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The vulnerability manifests itself via the auto_link method. The auto_link method will automatically mark input strings as “html safe” even if the input is from an unknown origin.
For example:

```erb
<%= auto_link(params[:content]) %>
```
So, how do you protect yourself?
- Upgrade to Rails 3.0.6! Then, when content is passed to “auto_link”, it will be escaped for you automatically.
- If you can’t upgrade, use this patch.
- If you can’t use the patch, change your “auto_link” calls to sanitize like this:

```erb
<%= sanitize(auto_link(params[:content])) %>
```

If you trust the input, then change it to:

```erb
<%= raw(auto_link(params[:content])) %>
```
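To make the difference between the old and the new behaviour concrete, here is an added example (not Rails code, and not from the original post) that models the pieces involved in plain Ruby: a `SafeString` stand-in for Rails' html-safe buffer, a `render_erb_value` stand-in for what `<%= %>` does in Rails 3, a `raw` stand-in, and two simplified `auto_link` variants. `auto_link_pre_3_0_6` marks its output safe without escaping the input, as the vulnerable releases did; `auto_link_fixed` escapes untrusted input before linkifying. The URL pattern, the helper names and the sample `params[:content]` value are all assumptions made for this illustration.

```ruby
require "cgi"

# Stand-in for Rails' html-safe string buffer: a String the view layer treats
# as already escaped. Simplified model for this example, not the Rails class.
class SafeString < String; end

def html_safe?(value)
  value.is_a?(SafeString)
end

# Model of what Rails 3's <%= %> does: escape unless the value is marked safe.
def render_erb_value(value)
  html_safe?(value) ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Model of raw(): mark a string as safe without escaping (trusted input only).
def raw(value)
  SafeString.new(value.to_s)
end

# Assumed, deliberately simple URL matcher for the illustration.
URL_PATTERN = %r{https?://[^\s<>"']+}

# Wrap each URL in an anchor tag; the anchor markup is the helper's own output.
def linkify(text)
  text.gsub(URL_PATTERN) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Model of the pre-3.0.6 behaviour: the whole result is marked safe even
# though the untrusted input inside it was never escaped.
def auto_link_pre_3_0_6(text)
  SafeString.new(linkify(text.to_s))
end

# Model of the 3.0.6 behaviour: escape untrusted input first, then linkify,
# so only the anchor tags the helper itself produced reach the page unescaped.
def auto_link_fixed(text)
  escaped = html_safe?(text) ? text.to_s : CGI.escapeHTML(text.to_s)
  SafeString.new(linkify(escaped))
end

# Regression check a view test could run: did a raw <script tag survive rendering?
def markup_leaks?(rendered)
  rendered.include?("<script")
end

# Constructed sample of attacker-controlled params[:content] for the demo.
UNTRUSTED = %(<script>alert(1)</script> visit http://example.com/a?b=1)

if __FILE__ == $PROGRAM_NAME
  puts "pre-3.0.6: " + render_erb_value(auto_link_pre_3_0_6(UNTRUSTED))
  puts "fixed:     " + render_erb_value(auto_link_fixed(UNTRUSTED))
end
```

Running the file prints the two renderings side by side: the pre-3.0.6 model passes the script tag through verbatim, while the fixed model emits `&lt;script&gt;...` but still produces a working anchor for the URL. The `markup_leaks?` check is the kind of assertion worth keeping in a view test after the upgrade, so a future helper that marks unescaped input as safe is caught before it ships.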
Be sure to make your changes (for security’s sake), and if you have any questions or problems, you can try the Rails Hotline.
Yes, the Rails Hotline.
The Rails Hotline is a free helpline that is staffed with Ruby and Rails developers. Because they are volunteers, don’t expect this to be a fully 24-hour staffed hotline. These are volunteers, people! When you visit the site, it displays the volunteer status, so you know if any experts are “in”.
Remember it’s totally free, and if you’re interested in joining the volunteer team at the Rails Hotline, go ahead and apply!
The Rails Hotline is (877) 817-4190, but I would visit their website first and see if someone’s available.
Bookmark it, too!