Wednesday, October 10, 2007

Rails 1.2.4 Maintenance release, security

The release of Ruby on Rails 1.2.4 addresses some potential security issues. All users of earlier versions are advised to upgrade to 1.2.4.

The following issues have been addressed:

  • URL-based sessions are no longer enabled by default, because they allowed users to supply their session_id in the URL as well as in a cookie. A malicious user could exploit this to obtain an authenticated session.
    Use config.action_controller.session_options[:cookie_session_id_only] = false to re-enable it.
  • Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json.
  • Potential information disclosure or DoS with Hash#from_xml: maliciously crafted requests to a Rails application could cause the XML parser to read files from the server's disk or from the network. 1.2.4 removes this functionality entirely.
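Two defensive checks matching the second and third items above, added here as an example that is not part of the original release notes or of Rails itself; the helper names are hypothetical, and the JSON guard uses Ruby's stdlib json rather than to_json.

```ruby
require 'json'

# Guard for the Hash#from_xml issue: before handing request XML to a parser,
# refuse any document that declares a DOCTYPE or ENTITY. Entity declarations
# are what let a crafted request make the parser read files or URLs, and a
# plain API payload has no legitimate need for them. (Hypothetical helper.)
class UnsafeXml < StandardError; end

def reject_entity_declarations(xml)
  if xml =~ /<!(DOCTYPE|ENTITY)\b/i
    raise UnsafeXml, 'DOCTYPE/ENTITY declarations are not accepted'
  end
  xml
end

# Guard for the to_json issue: JSON written straight into a <script> block
# must not contain characters that close the block or open a tag. Escaping
# them as \uXXXX sequences keeps the JSON identical to a JSON parser while
# the browser's HTML parser never sees markup. (Hypothetical helper.)
HTML_UNSAFE = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029' # line separators break JS literals
}.freeze

def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |c| HTML_UNSAFE[c] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  puts reject_entity_declarations('<user><name>bob</name></user>')
  puts html_safe_json('name' => '</script><b>x</b>')
end
```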
