Hi everybody! Rails 3.0.6 has been released!
Let's get the serious business out of the way first:
## Rails 3.0.6 contains an important security fix! Please upgrade!
Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The
vulnerability manifests itself via the `auto_link` method. The `auto_link`
method will automatically mark input strings as "html safe" even if the input
is from an unknown origin. For example, in

```erb
<%= auto_link(params[:content]) %>
```

the user-supplied `params[:content]` is rendered without being escaped.
### How can I protect myself?
* Upgrade to Rails 3.0.6, then content passed to `auto_link` will be
automatically escaped for you.
* If you cannot upgrade Rails, then apply the patch found [here](https://github.com/rails/rails/commit/61ee3449674c591747db95f9b3472c5c3bd9e84d).
Then `auto_link` content will be escaped for you.
* If you cannot upgrade Rails, or apply the patch, then change your calls to
`auto_link` to call `sanitize` like so:

```erb
<%= sanitize(auto_link(params[:content])) %>
```

If you trust the input, then change to this:

```erb
<%= raw(auto_link(params[:content])) %>
```
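As an added illustration (this is not Rails' own code, which lives in ActionPack's text helper), here is a self-contained Ruby model of the behaviour described above: a constructed `SafeString` class plays the role of Rails' html-safe buffer, `auto_link_unpatched` marks the raw input safe the way the pre-3.0.6 helper did, and `auto_link_patched` escapes the untrusted text before marking the result safe, as 3.0.6 does. The URL matcher, the `render` helper and the sample input are all simplified stand-ins constructed for the demo.

```ruby
require "erb"

# A string that remembers it has been marked as safe HTML. Constructed stand-in
# for Rails' SafeBuffer, used only for this illustration.
class SafeString < String
end

# Deliberately small URL matcher for the demo; the real auto_link is far richer.
URL_RE = %r{https?://[^\s<"']+}

# Build an anchor whose href and text are escaped for their HTML contexts, so a
# "&" in a query string is emitted as "&amp;" rather than raw.
def link_for(url)
  safe = ERB::Util.html_escape(url)
  %(<a href="#{safe}">#{safe}</a>)
end

# Model of the pre-3.0.6 behaviour: links are wrapped around the raw input and
# the whole result is marked safe, so any markup the caller passed in reaches
# the page untouched.
def auto_link_unpatched(text)
  linked = text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
  SafeString.new(linked)
end

# Model of the 3.0.6 behaviour: every non-URL segment is escaped and URLs are
# linked with escaped attributes, so only the anchors we generated survive as
# markup when the result is marked safe.
def auto_link_patched(text)
  parts = text.split(/(#{URL_RE})/)
  linked = parts.map do |part|
    part.match?(/\A#{URL_RE}\z/) ? link_for(part) : ERB::Util.html_escape(part)
  end
  SafeString.new(linked.join)
end

# What an ERB view does with a value: emit it as-is only if it has been marked
# safe, otherwise escape it.
def render(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value)
end

if __FILE__ == $0
  # Constructed sample: untrusted text carrying markup and a URL with a query.
  untrusted = "see <b>injected</b> at http://example.com/?a=1&b=2"
  puts "unpatched: #{render(auto_link_unpatched(untrusted))}"
  puts "patched:   #{render(auto_link_patched(untrusted))}"
end
```

Running it shows the difference the upgrade makes: the unpatched model lets the `<b>` from the input through to the page, while the patched model emits it as `&lt;b&gt;` and still produces a working link. The `raw` workaround in the post corresponds to wrapping the result in `SafeString` yourself, which is why it is only appropriate when the input is trusted.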
Thanks go to Torben Schulz for reporting this issue!
## SERIOUS BUSINESS COMPLETE ##
After two release candidates, we are so excited to announce the release of
Rails version 3.0.6! I want to thank everyone that tried out the release
candidates and reported their feedback! I hope that we can continue soliciting
feedback from the public before releasing final versions.
## LOL CHANGES!!!!
For changes in a particular package, please view the CHANGELOG in each
particular project on [github](https://github.com/rails/rails/tree/3-0-6). Even better, you can check the
Changes of note are:
* The above security fix in ActionPack
* Un-deprecating the `reorder` method in ActiveRecord
* A backport of "cheaper attributes reads" in ActiveRecord
* Correctly handling `before_type_cast` on timezone aware attributes
* Escaping binary data in sqlite3 inserts
* Fixing schema support for the mysql adapter
This change list IS NOT exhaustive. They are just some of my favorites! For
the complete list *please* see the CHANGELOG files or view the diff on github.
## GEM CHECKSUMS
If you totally want to make sure that you've got the right gems, here are my
shasums before I pushed the gems!
```
$ shasum *
```
## IN CLOSING
Thank you for waiting for me to finish vacation before I released this! I hope
that everyone enjoys this bugfix release of Rails. Next time I'll try not to
vacation so much!
<3 <3 <3 <3 <3