Rails 2.3.5 Unofficial Release Notes
Friday, November 27, 2009 at 7:56AM

Rails 2.3.5 is out but the official release notes have not yet appeared. So I thought it might be useful to share my own notes on what's new in this version. This list is only the highlights, but it should give you an overview.
An XSS vulnerability in strip_tags is fixed.
Rails 2.3.5 supports the xss_safe plugin, which gives you the XSS escaping features that will be the default in Rails 3.0.
There are a bunch of Ruby 1.9 compatibility fixes, including changes to MessageVerifier#secure_compare (which was tweaked in 2.3.4 to fix a timing vulnerability), the -c and -c options to the rails command, Time#beginning_of_day, and String#strip.
The nested attributes bits get some attention, including fixes to avoid trying to validate records that are marked for destruction and allowing fields_for on a nested attribute to accept a collection to use. The :_delete option in nested attributes has been renamed to :_destroy, and the old name is deprecated. You can also declare a maximum number of nested records: accepts_nested_attributes_for :orders, :limit => 4
The MySQL adapter is updated to allow the use of stored procedures.
Building or creating objects on a has_one association is now more consistent with the way it works on a has_many: record creation from the association is scoped if a hash is used. has_one :account, :conditions => {:enabled => true} will create an enabled account with @company.create_account or @company.build_account.
Rails is tested with newer versions of Rack (1.0.1), the MySQL adapter (2.8.1), Mocha (0.9.8), and the sqlite3-ruby adapter (1.2.5). sqlite 2 is only supported if you're using Ruby 1.8.x.
A problem that prevented the debugger from going into IRB mode has been fixed.
If you're using Rails 2.3.x, you should upgrade to this version as soon as possible, to get the security fixes that it contains. If you're using Rails 2.2, there's a separate patch available. Rails versions older than 2.2 are no longer supported with security patches, and should be retired/upgraded as soon as possible.
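The secure_compare item above is about checking a message digest without revealing, through response time, how much of it matched. A sketch of that check on Ruby 1.9 and later, as an added example rather than Rails' own source; the names constant_time_equal?, sign, verify and DEMO_SECRET are hypothetical, and the "data--digest" token layout and HMAC-SHA256 are assumptions made for the demonstration:

```ruby
require 'openssl'

# Constructed sample secret, for the demonstration only.
DEMO_SECRET = 'constructed-demo-secret'

# Compare two strings in time that depends only on their length.
# Every byte pair is XORed and the differences are OR-ed together, so
# there is no early exit at the first mismatch. Working on bytes avoids
# the Ruby 1.9 change where String#[] returns a String, not an Integer.
# Digests have a fixed length, so the length check leaks nothing useful.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff == 0
end

# Hypothetical signer: append an HMAC of the data to the data itself.
def sign(data, secret = DEMO_SECRET)
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  "#{data}--#{digest}"
end

# Hypothetical verifier: returns the data if the digest matches, else nil.
# rpartition splits on the last "--", so the data may itself contain "--".
def verify(signed, secret = DEMO_SECRET)
  data, sep, digest = signed.to_s.rpartition('--')
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  constant_time_equal?(digest, expected) ? data : nil
end

if __FILE__ == $0
  token = sign('user_id=42')
  puts verify(token).inspect                    # original data
  puts verify(token.sub('42', '43')).inspect    # tampered data is rejected
end
```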

Reader Comments (7)
Thanks!
As usual Mike, great job and the concise point driven post gives us all a clear view of what is going on in this release. Thanks!
Thanks for putting this together, Mike. I had assumed it was strictly an XSS security release.
I'm digging the improvements to accept_nested_attributes_for
> A problem that prevented the debugger from going into IRB mode has been fixed.
Yay! As a heavy user of the debugger, I'd like to thank the Rails core team for fixing this issue. The debugger has been the easiest way to help new developers plunge into an existing codebase.
Thanks for a concise summary on 2.3.5 - I'm upgrading from 2.1 and it takes some work to get everything working properly.
What about the error_messages method (ActiveRecordHelper) - it appeared to be broken in 2.3.4 and I'm curious if that has been fixed in 2.3.5?
Mike,
thanks for the update.
Also, have you (or anyone) heard a word about Rails 3? I thought there was to be a tentative release last May (?). Things are so quiet lately I'm unsure where to go for news.
The Rails 3 branch in github is active (it's the master branch) and core team keeps adding stuff to it. I haven't seen any announcement of a date, though.