New to Rails 3? Check out the Ruby on Rails 3 Tutorial book and screencast.

A book and screencast series showing you how to develop and deploy industrial-strength Rails apps in a direct, step by step way. The screencast series includes 12 lessons over more than 15 hours! Get the best "over the shoulder" experience of following what a top Rails 3 developer does when building an app today. Click here to learn more.

Rails 3.0.1 and Rails 2.3.10 Released To Counter Nested Attributes Vulnerability

By Peter Cooper — October 15th, 2010 — No Comments - Leave One Now!

In News

Michael Koziarski (a.k.a. nzkoz) has announced the simultaneous release of Rails 3.0.1 and 2.3.10. Don't get too excited - they're only very minor security releases intended to resolve a nasty bug that surfaced in 2.3.9 and 3.0.0. Upgrade if possible but if you're unsure, read on for some pointers.

The bug in question surrounds nested attributes that are accepted through the accepts_nested_attributes_for method. If you're not using this method, you're probably OK, though I have a big fat disclaimer over that (if you don't upgrade and your app gets fried, don't blame me ;-)).

If you're using 2.3.9 or 3.0.0 and are truly unable to upgrade at this point but are using nested attributes, Michael has included patches on this post. You might also appreciate the discussion on Hacker News if you want more info and insight.

Post to Twitter Tweet This Post

Vaguely Related Posts (Usually)

Leave a Reply

Previous Post: The iPhone Helpers Plugin for Rails 3.x
Next Post: 14 Bare Minimum Security Checks Before Releasing a Rails App