Ruby on Rails 5.1.2 released

New version of Ruby on Rails framework has been released, bringing some new features
27 June 2017   2359
Ruby

A dynamic, open source programming language, focused on simplicity and productivity
 

Ruby on Rails

Ruby on Rails (RoR) - a framework written in the Ruby programming language

Good news for RoR fans. New 5.1.2 version has been released.

Changelogs

List of changes for every gem:

  •  Action Pack:
    • driven_by now registers poltergeist and capybara-webkit
      If driver poltergeist or capybara-webkit is set for System Tests, driven_by will register the driver and set additional options passed via :options param.
  • Action View:
    • Fixed issues with scopes and engine on current_page? method.
    • Generate field ids in collection_check_boxes and collection_radio_buttons. This makes sure that the labels are linked up with the fields.
  • Active Model:
    • Fixed regression in numericality validator when comparing Decimal and Float input values with more scale than the schema.
  • Active Record:
    • Restore previous behavior of collection proxies: their values can have methods stubbed, and they respect extension modules applied by a default scope.
    • Loading model schema from database is now thread-safe.
  • Active Support:
    • Cache: Restore the options = nil argument for LocalStore#clear that was removed in 5.1.0. Restores compatibility with backends that take an options argument and use the local cache strategy.

Fix implicit coercion calculations with scalars and durations
Previously calculations where the scalar is first would be converted to a duration of seconds but this causes issues with dates being converted to times, e.g:

Time.zone = "Beijing"           # => Asia/Shanghai
date = Date.civil(2017, 5, 20)  # => Mon, 20 May 2017
2 * 1.day                       # => 172800 seconds
date + 2 * 1.day                # => Mon, 22 May 2017 00:00:00 CST +08:00

Now the ActiveSupport::Duration::Scalar calculation methods will try to maintain the part structure of the duration where possible, e.g:
 

Time.zone = "Beijing"           # => Asia/Shanghai
date = Date.civil(2017, 5, 20)  # => Mon, 20 May 2017
2 * 1.day                       # => 2 days
date + 2 * 1.day                # => Mon, 22 May 2017
  • Railties:
    • Add Windows support to rails secrets:edit.

View all changes list at GitHub.

SHA-256

Feel free to use this checksum in order to check version of your gem:

$ shasum -a 256 *-5.1.2.gem
27943a2642cd94478a88d4e239bb1467476d2acd10f0f588b220e05367163524  actioncable-5.1.2.gem
e62c4e1b09565e8188d405eac974db1cf31b552064fa9e15fac686556837909f  actionmailer-5.1.2.gem
b63833831efcfc5fce72deb5bfc14feb7bbe87dd065d8de5904db6dfbc115bca  actionpack-5.1.2.gem
82efdca96308476cb644d65bc9842167099ed1210ce3c8b626be9ebdcc8c311e  actionview-5.1.2.gem
d6f762971dfaa312d5f9262eb65eef1c16080cde4790e0e3fd29a0c9651659c4  activejob-5.1.2.gem
e5d8ae2826f733220dd29792bda5c57d7aa5f6bca036abc1a5fcd4632628f1ce  activemodel-5.1.2.gem
a3757003b09ac6926d18b32106927d341f906fdf71aa8fa2e3a8e8e0716548ce  activerecord-5.1.2.gem
0ecf4132689fc06c888c8a1d6678dc22ab972ff5abe797c4fc685582c9ce9d17  activesupport-5.1.2.gem
4ee8ea1a2760cafbd70fbc878fd0c4ad2fec105082719c818934b39fd4ff0e9b  rails-5.1.2.gem
db82fbd1dd000b9f5558bfa20c341ccf74ea43716f96e3839be5c219fffe78fc  railties-5.1.2.gem

 

Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package management system are now fixed and three in Rails framework
14 March 2019   620

There are corrective versions of the Ruby 2.6.2 and 2.5.4 programming language, which eliminate six vulnerabilities in the RubyGems package management system:

  • CVE-2019-8324: the ability to execute code when installing an untested package (an attacker can place the code on the gemspec and this code will be executed via a call to eval to ensure_loadable_spec at the verification stage before installation);
  • CVE-2019-8320: the ability to delete directories through manipulations with symbolic links when unpacking tar files;
  • CVE-2019-8321: the ability to substitute escape sequences through the handler Gem :: UserInteraction # verbose;
  • CVE-2019-8322: the ability to substitute escape sequences through the command "gem owner";
  • CVE-2019-8323: Ability to substitute escape sequences in the API handler (Gem :: GemcutterUtilities # with_response);
  • CVE-2019-8325: The ability to substitute escape sequences through error handlers (Gem :: CommandManager # run calls alert_error without escaping characters).

In addition, an update was provided to the Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2 framework. and 6.0.0.beta3 with the elimination of three vulnerabilities:

  • CVE-2019-5420 - potentially allows you to remotely execute your code on the server, when Rails is running in Development Mode. If there is information about the attacked application, you can predict the automatically generated mode token for developers, knowledge of which allows you to achieve the execution of your code;
  • CVE-2019-5418 is a vulnerability in the Action View that allows you to get the contents of arbitrary files from the server's file system by sending a specially crafted HTTP Accept header if the code in the "render file:" handler is present.
  • CVE-2019-5419 - DoS-vulnerability in Action View (MODULE / COMPONENT), allowing to achieve 100% load on the CPU through manipulations with the contents of the HTTP-header Accept;