Apr 6, 2011 15:54 GMT

The Ruby on Rails development team has released an update for the web application framework which addresses a cross-site scripting (XSS) vulnerability.

The new Rails 3.0.6 version contains multiple bug fixes and changes in addition to the security patch and comes after two release candidates.

The XSS vulnerability affects all previous 3.0.x versions and is located in the auto_link method. Researcher Torben Schulz is credited with its discovery.

"The auto_link method will automatically mark input strings as 'html safe' even if the input is from an unknown origin.

"If the 'content' parameter contains malicious javascript, that script will be rendered without being escaped," the development team explains.

Cross-site scripting vulnerabilities are among the most common types of web application flaws. They result from insufficient validation or escaping of user input and allow attacker-controlled code to be injected into pages and executed in visitors' browsers.

All users are advised to upgrade to the new version as soon as possible. Those who cannot upgrade for various reasons can apply the patch manually.

The development team even offers a solution for those users who can neither upgrade nor apply the patch. It involves adding "sanitize" to their auto_link calls.
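The behaviour the advisory describes, and why sanitizing or escaping input before it reaches auto_link closes the hole, can be illustrated without Rails itself. The following Ruby example is added here and is not code from Rails or from the advisory: it models Rails' html_safe marking with a tiny SafeString class, implements a toy auto_link that reproduces the unsafe behaviour (output marked html safe without escaping), and places an escaped variant beside it. The names auto_link_unsafe, auto_link_escaped, render and script_injected?, the URL regex and the sample comment are all constructed for the example; the escape-before-linking approach shown is one illustration of the principle, not the exact change Rails 3.0.6 ships.

```ruby
# Added illustration, not Rails code: a minimal model of Rails' html_safe
# marking, a toy auto_link with the pre-3.0.6 behaviour, and an escaped
# variant next to it. All names here are constructed for the example.
require 'erb'

# Plain strings are untrusted: a template escapes them on output.
class String
  def html_safe?
    false
  end

  # Marks a string as trusted markup, like ActiveSupport's String#html_safe.
  def html_safe
    SafeString.new(self)
  end
end

# Stand-in for ActiveSupport::SafeBuffer: the template layer emits it verbatim.
class SafeString < String
  def html_safe?
    true
  end
end

# Deliberately simple URL matcher (captured so String#split keeps the URLs).
URL_RE = %r{(https?://[^\s<>"']+)}

# Toy equivalent of the vulnerable behaviour: wrap URLs in anchors and mark
# the whole result html_safe, even though the text came from an unknown origin.
def auto_link_unsafe(text)
  text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }.html_safe
end

# Hardened variant: every chunk, URL or not, is escaped before any markup is
# built, so the only tags in the result are the anchors written here.
def auto_link_escaped(text)
  text.split(URL_RE).map do |chunk|
    escaped = ERB::Util.html_escape(chunk)
    if chunk.match?(%r{\Ahttps?://})
      %(<a href="#{escaped}">#{escaped}</a>)
    else
      escaped
    end
  end.join.html_safe
end

# Mirrors what a Rails 3 ERB template does with <%= value %>: escape the value
# unless it has been marked html_safe.
def render(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

# Defender's check: a raw "<script" in output built from user-supplied text
# means the escaping step was skipped somewhere.
def script_injected?(html)
  html.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a legitimate URL followed by an injected script tag.
  comment = 'See http://example.com/page <script>alert(1)</script>'
  puts render(auto_link_unsafe(comment))   # script tag survives
  puts render(auto_link_escaped(comment))  # script tag is escaped
end
```

The point the advisory makes is visible in the two functions: both return a value the template trusts, but only the escaped variant has earned that trust by neutralising the untrusted text before wrapping it in markup.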

Other important changes in this release include restoring the formerly deprecated "reorder" method in ActiveRecord, backporting "cheaper attributes reads" and correcting the way "before_type_cast" is handled on timezone-aware attributes.

The escaping of binary data inserted into sqlite3 has also been improved, as has schema support for the MySQL adapter. More changes can be viewed in the changelogs or by doing a compare in the git repository.

Ruby on Rails is the most popular open source web application development framework for Ruby, a powerful object-oriented programming language similar to Perl and Python.

The latest version for Ruby on Rails can be downloaded from here.