The release of Rails 2.3.11 and 3.0.4 included a critical security fix
for a CSRF protection bypass vulnerability. It's great that this was
caught and, other than a couple things which I'll explain in a moment,
I think it's being handled very well.
This release, however, highlights a flaw in the release process with
regard to security fixes, one which I think it fairly easy to fix. The
release that seemed like merely a security fix to many also possibly
includes some bugs. This could prevent those on 3.0.3 (or earlier)
from upgrading to 3.0.4:
Other issues arise, however, if you're on a version well before the
latest release. We have an application on Rails 2.3.5 still and we
were tasked with figuring out how to apply this security fix to the
application without the pain of upgrading to 2.3.11. Other than this
security fix, we don't have a reason to upgrade just yet.
"Just apply the patch," you might say. While this patch is handy, it
assumes a vendored rails that you are comfortable with modifying in
this. For example, suppose you need to upgrade from 2.3.5 to 2.3.7 and
you re-vendor. Make sure you apply that patch again! And suppose you
avoid vendoring rails as I, and likely many others, am in the practice
of doing, how are you to apply this patch? It's obvious, right? Just
monkey-patch the appropriate methods in rails.
Except, since the code to monkey-patch isn't provided in a centralized
way (like, oh, say the REXML vulnerability in 2008:
), the labor of this task has been multiplied to everyone in a similar
situation to the one I find myself in.
So, I submit this code to you. The tests work on Rails 2.3.5 - 2.3.10:
I'd encourage anyone who's using rails 3 and is in a similar situation
to provide the same.