There have been a number of issues with Rails popping up yesterday and today. First there was the announcement that Rails 1.1.4 had a security issue. Discussions emerged on why the core team did not disclose the details of the vulnerability. Evan Weaver had a quick look at the diff between 1.1.4 and 1.1.5 and described the problem:
It looks like, for example, that if your Rails installation is in /www/rails/, passing a string such as /www/rails/../../tmp/ would pass the old validation, and if you had managed to upload a file such as hax_controller.rb to /tmp/, a route request to /hax/ would force Rails to run your arbitrary code.
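To make the bug class concrete, here is an added illustration (my own code, not the Rails 1.1.4 or 1.1.5 source) of the check Evan describes: an allow-list test done as a plain string-prefix comparison, beside a version that canonicalises the path first. The install directory /www/rails/, the attacker path and the function names are assumptions for the example.

```ruby
# Added example: prefix-test path validation versus canonicalised validation.
# Not Rails code; RAILS_ROOT, the helper names and the sample paths are assumed.

RAILS_ROOT = "/www/rails/".freeze   # assumed installation directory

# Vulnerable pattern. "/www/rails/../../tmp/hax_controller.rb" literally
# begins with "/www/rails/", so a prefix test accepts it even though the
# file it names lives in /tmp (where an attacker could have uploaded it).
def prefix_check_allows?(path, root = RAILS_ROOT)
  path.start_with?(root)
end

# Hardened pattern. Canonicalise both sides first (resolving "..", "." and
# duplicate slashes), then require the candidate to sit strictly inside the
# root. The trailing separator keeps "/www/rails2/..." from matching "/www/rails".
def canonical_check_allows?(path, root = RAILS_ROOT)
  canonical_root = File.expand_path(root)
  canonical_path = File.expand_path(path)
  canonical_path.start_with?(canonical_root + File::SEPARATOR)
end

# Mapping a route segment such as "hax" to a controller file. Besides the
# canonical check, refuse anything that is not a plain identifier, so a
# segment like "../hax" never reaches the filesystem layer at all.
def controller_file_for(segment, root = RAILS_ROOT)
  return nil unless segment =~ /\A[a-z][a-z0-9_]*\z/
  candidate = File.join(root, "app", "controllers", "#{segment}_controller.rb")
  canonical_check_allows?(candidate, root) ? File.expand_path(candidate) : nil
end

if __FILE__ == $0
  attacker_path = "/www/rails/../../tmp/hax_controller.rb"   # constructed input
  puts "prefix check   : #{prefix_check_allows?(attacker_path)}"    # true
  puts "canonical check: #{canonical_check_allows?(attacker_path)}" # false
  p controller_file_for("posts")   # "/www/rails/app/controllers/posts_controller.rb"
  p controller_file_for("../hax")  # nil
end
```

The point of the second function is that validation happens on the path the filesystem will actually open, not on the string the request supplied; the identifier regex in `controller_file_for` is the cheaper first line of defence, and the canonical check is what catches anything that slips past it.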
Nice. I updated a sample app to 1.1.5 and thought I was safe until I read this discussion over at Ruby Forum:
One more for 1.1.5: Two subsequent calls:
http://127.0.0.1:3000/builder/blankslate
http://127.0.0.1:3000/active_support/dependencies
…put the server into a “SystemStackError (stack level too deep)” error constantly for all further requests.
Nice. I guess this is part of life for early adopters of new frameworks. Hopefully the community will be able to resolve these issues quickly.