Rails 3.1.2

Hi everyone,

Rails 3.1.2 has been released. This is a patch-level release containing bug fixes and an important security fix.

## Possible XSS vulnerability in the translate helper method in Ruby on Rails ##

There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.

* Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
* Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
* Fixed Versions: 3.0.11, 3.1.2

Please see [the rubyonrails-security posting](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5) and the changelog item below, for more details.
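A self-contained Ruby model of the defect and of its fix, added here as an illustration rather than code taken from Rails: `SafeString` stands in for `ActiveSupport::SafeBuffer`, and the `TRANSLATIONS` table, the `greeting`/`greeting_html` keys and the `translate_before`/`translate_after`/`render_in_view` functions are all constructed for this example. It shows why a translation key ending in `_html` was dangerous: the whole interpolated string was marked HTML-safe, so an untrusted interpolation value passed straight through to the page. The fix escapes each interpolated value (unless it is already html_safe) before the result is marked safe, which is what the before/after in the changelog entry below describes.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer: a String the view may emit as-is
# because it has already been escaped (or its author vouches for the markup).
class SafeString < String
end

def html_safe?(value)
  value.is_a?(SafeString)
end

# Escape unless the value is already marked safe (mirrors view-layer output escaping).
def escape(value)
  html_safe?(value) ? value : ERB::Util.html_escape(value.to_s)
end

# Constructed translation table (an assumption for this example, not a Rails locale file).
TRANSLATIONS = {
  greeting_html: 'Welcome back, <strong>%{name}</strong>!',
  greeting:      'Welcome back, %{name}!',
}.freeze

# Behaviour before the fix: interpolate the raw values, then mark the whole
# result safe because the key ends in _html. Nothing escapes the untrusted value.
def translate_before(key, values = {})
  template = TRANSLATIONS.fetch(key)
  result = template % values
  key.to_s.end_with?('_html') ? SafeString.new(result) : result
end

# Behaviour after the fix: for _html keys, escape every interpolated value that
# is not already html_safe *before* interpolating, then mark the result safe.
# Non-_html keys are returned unsafe and get escaped by the view on output.
def translate_after(key, values = {})
  template = TRANSLATIONS.fetch(key)
  if key.to_s.end_with?('_html')
    safe_values = values.each_with_object({}) { |(k, v), h| h[k] = escape(v) }
    SafeString.new(template % safe_values)
  else
    template % values
  end
end

# Models an auto-escaping view (Rails 3 / rails_xss): unsafe strings are escaped
# when written to the response, safe strings are written verbatim.
def render_in_view(value)
  escape(value).to_s
end

if __FILE__ == $0
  untrusted = '<script>alert(1)</script>'   # constructed attacker-controlled input
  puts render_in_view(translate_before(:greeting_html, name: untrusted)) # script lands in the page
  puts render_in_view(translate_after(:greeting_html, name: untrusted))  # script is escaped
  puts render_in_view(translate_after(:greeting, name: untrusted))       # plain key: view escapes it
end
```

Run it with `ruby translate_xss.rb` (any file name). The third output line is the reason the advisory scopes the problem to `_html` keys and to auto-escaping setups: a plain key returns an unsafe string that the view escapes on output, so it was never affected. After the fix, markup that you built yourself can still be interpolated into an `_html` translation by passing it as a `SafeString`, which is the same opt-in that `html_safe` provides in Rails.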

## CHANGES ##

Action Mailer:

* No changes

Action Pack:

* Fix XSS security vulnerability in the `translate` helper method. When using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped. *GH 3664*

    Before:

        translate('foo_html', :something => '<script>') # => "...<script>..."

    After:

        translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."

    *Sergey Nartimov*

* Upgrade sprockets dependency to ~> 2.1.0

* Ensure that the format isn't applied twice to the cache key, else it becomes impossible to target with expire_action.

    *Christopher Meiklejohn*

* Swallow the error raised when an object can't be unmarshalled from the session.

    *Bruno Zanchet*

* Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.

    Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.

    The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is *exactly* 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.

    *Jon Leighton*

* Ensure users upgrading from 3.0.x to 3.1.x will properly upgrade their flash object in session (issues #3298 and #2509)

Active Model:

* No changes

Active Record:

* Fix problem with prepared statements and PostgreSQL when multiple schemas are used. *GH #3232*

    *Juan M. Cuello*

* Fix bug with PostgreSQLAdapter#indexes. When the search path has multiple schemas, spaces were not being stripped from the schema names after the first.

    *Sean Kirby*

* Preserve SELECT columns on the COUNT for finder_sql when possible. *GH 3503*

    *Justin Mazzi*

* Reset prepared statement cache when schema changes impact statement results. *GH 3335*

    *Aaron Patterson*

* Postgres: Do not attempt to deallocate a statement if the connection is no longer active.

    *Ian Leitch*

* Prevent QueryCache leaking database connections. *GH 3243*

    *Mark J. Titorenko*

* Fix bug where building the conditions of a nested through association could potentially modify the conditions of the through and/or source association. If you have experienced bugs with conditions appearing in the wrong queries when using nested through associations, this probably solves your problems. *GH #3271*

    *Jon Leighton*

* If a record is removed from a has_many :through, all of the join records relating to that record should also be removed from the through association's target.

    *Jon Leighton*

* Fix adding multiple instances of the same record to a has_many :through. *GH #3425*

    *Jon Leighton*

* Fix creating records in a through association with a polymorphic source type. *GH #3247*

    *Jon Leighton*

* MySQL: use the information_schema rather than the describe command when looking for a primary key. *GH #3440*

    *Kenny J*

Active Resource:

* No changes

Active Support:

* No changes

Railties:

* Engines: don't blow up if db/seeds.rb is missing.

    *Jeremy Kemper*

* `rails new foo --skip-test-unit` should not add the `:test` task to the rake default task. *GH 2564*

    *José Valim*

As ever, you can see a full list of commits between the versions on Github:

  * Comparing v3.1.1...v3.1.2 · rails/rails · GitHub