Monday, May 23, 2011

Rails 3.0.1 and Rails 2.3.10 Released To Counter Nested Attributes Vulnerability

Michael Koziarski (a.k.a. nzkoz) has announced the simultaneous release of Rails 3.0.1 and 2.3.10. Don't get too excited - they're only very minor security releases intended to resolve a nasty bug that surfaced in 2.3.9 and 3.0.0. Upgrade if possible but if you're unsure, read on for some pointers.

The bug in question surrounds nested attributes that are accepted through the accepts_nested_attributes_for method. If you're not using this method, you're probably OK, though I have a big fat disclaimer over that (if you don't upgrade and your app gets fried, don't blame me ;-)).

If you're using 2.3.9 or 3.0.0 and are truly unable to upgrade at this point but are using nested attributes, Michael has included patches on this post. You might also appreciate the discussion on Hacker News if you want more info and insight.
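To check whether an app meets both conditions above (an affected release plus use of accepts_nested_attributes_for), here is a small triage script. It is an added example, not code from the Rails project or from Michael's post; the sample lockfile and models are constructed, and the function names and result labels are my own.

```ruby
# Added example (not Rails project code): triage an app against the advisory.
AFFECTED_VERSIONS = %w[2.3.9 3.0.0].freeze # the releases the post names

# Rails 3 pins its version in Gemfile.lock; Rails 2.3 apps set
# RAILS_GEM_VERSION in config/environment.rb. Returns nil if neither matches.
def rails_version(gemfile_lock: nil, environment_rb: nil)
  if gemfile_lock && (m = gemfile_lock.match(/^ {4}rails \(([^)]+)\)$/))
    return m[1]
  end
  if environment_rb &&
     (m = environment_rb.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([^'"]+)['"]/))
    return m[1]
  end
  nil
end

# sources: { path => file text }. Returns [path, line_number] for every
# uncommented accepts_nested_attributes_for call.
def nested_attribute_uses(sources)
  sources.flat_map do |path, text|
    text.each_line.with_index(1)
        .select { |line, _| line =~ /^\s*accepts_nested_attributes_for\b/ }
        .map { |_, number| [path, number] }
  end
end

# Labels are hypothetical; :probably_ok mirrors the post's own hedge.
def triage(version, uses)
  return :version_unknown if version.nil?
  return :version_not_listed unless AFFECTED_VERSIONS.include?(version)
  uses.empty? ? :probably_ok : :upgrade_or_patch
end

# Constructed sample input, standing in for files read from an app checkout.
SAMPLE_LOCK = "GEM\n  specs:\n    rails (3.0.0)\n      railties (= 3.0.0)\n"
SAMPLE_MODELS = {
  "app/models/order.rb" =>
    "class Order < ActiveRecord::Base\n  has_many :items\n" \
    "  accepts_nested_attributes_for :items\nend\n",
  "app/models/item.rb" =>
    "class Item < ActiveRecord::Base\n  # accepts_nested_attributes_for :tags\nend\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  version = rails_version(gemfile_lock: SAMPLE_LOCK)
  uses = nested_attribute_uses(SAMPLE_MODELS)
  puts "rails #{version}: #{triage(version, uses)}"
  uses.each { |path, number| puts "  #{path}:#{number}" }
end
```

For a real app, pass the contents of Gemfile.lock or config/environment.rb and a hash built from the files under app/models.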
