[ CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack
[ CVE-2013-1856] XML Parsing Vulnerability affecting JRuby users
[ CVE-2013-1857] XSS Vulnerability in the sanitize helper of Rails
This fixes the following issues:
CHEF-4059 update Rails version to 3.2.13 for security issues
PostgreSQL 9.2.4
This version fixes the following vulnerabilities:
[ CVE-2013-1899] - makes it possible for a connection request containing a database name that begins …
Flawless - Trap exceptions and send an email to the responsible developer by using git-blame to find the right person. Python, but I'm sure someone will be along with a Ruby version soon enough.
Ruby 2.0.0-rc2 is released - The final release candidate.
2.0.0.rc.2 Released - Of rubygems, with breaking changes. Probably worth testing if you're hammering on ruby 2.0.
Postcards from the post-XSS world - A run down on what an attacker can do once they get hold of an XSS vulnerability in your code.
Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure to third parties. See CVE-2013-0256.rdoc for full details including a patch you can apply to generated RDoc documentation.
Ensured that rd parser files are generated before checking the manifest.
RDoc 4.0.0.rc.2
Minor enhancements
Added current heading and page-top links to HTML headings.
Bug fixes
Fixed an XSS exploit in darkfish.js. This could lead to cookie disclosure to third parties. See CVE-2013-0256.rdoc…
RDoc documentation generated by the rdoc bundled with ruby is vulnerable to an XSS exploit. All ruby users are recommended to update ruby to a newer version which includes the security-fixed RDoc. If you are publishing RDoc documentation generated by rdoc, you are recommended to apply a patch to the documentation or re-generate it with the security-fixed RDoc.
Impact
RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1 is vulnerable …
CHEF-2792 - XSS vulnerability in messages field on login page
CHEF-2903 - Attribute files not loaded in deterministic order
CHEF-2923 - Cookbook Upload Fails due to Syntax Error in unrelated cookbook's metadata file
CHEF-3068 - Chef resources display incorrectly in log files on windows due to splitting on :
CHEF-3376 - Chef Should Load Cookbooks In Dependency Order
CHEF-3393 - Chef Encrypted Data Bag Error due …
Yikes, it's ugly and can easily lead to XSS security holes! content_tag is your friend.
content_tag :li, :class => 'vehicle_list' do
  link_to("#{vehicle.title.upcase} Sale", show_all_styles_path(vehicle.id, vehicle.url_title))
end
Bonus points : start introducing helper methods that take blocks. Nested blocks are a natural fit when generating nested HTML.
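To show why the content_tag form is safer than hand-built strings, and what a block-taking helper for nested HTML looks like, here is an added example that is not part of the original post. It runs on plain Ruby without Rails: SafeTags is a minimal stand-in for content_tag/link_to/safe_join (a marked "safe" string type, escaping via ERB::Util.html_escape), and show_all_styles_path and the Vehicle struct are assumed stand-ins for the route helper and model in the post.

```ruby
require "erb"

# Marker for strings that are already valid markup (a toy version of Rails'
# SafeBuffer). Anything that is not a SafeBuffer is treated as untrusted text.
class SafeBuffer < String; end

# Stand-in for the Rails view helpers used in the post. Added example only,
# not Rails' own implementation.
module SafeTags
  module_function

  # Escape untrusted text; pass already-safe markup through unchanged.
  def h(text)
    return text if text.is_a?(SafeBuffer)
    SafeBuffer.new(ERB::Util.html_escape(text.to_s))
  end

  # Like content_tag: attribute values and the body are escaped. When a block
  # is given, its return value is used as the body (escaped unless it is
  # already SafeBuffer, so nested helper output is not double-escaped).
  def content_tag(name, body = nil, attrs = {})
    attr_str = attrs.map { |k, v| %( #{k}="#{h(v)}") }.join
    inner = block_given? ? h(yield) : h(body)
    SafeBuffer.new("<#{name}#{attr_str}>#{inner}</#{name}>")
  end

  def link_to(text, href)
    content_tag(:a, text, :href => href)
  end

  # Array#join returns a plain String, which content_tag would then escape as
  # text; safe_join escapes each part and returns a SafeBuffer, as in Rails.
  def safe_join(parts, sep = "")
    SafeBuffer.new(parts.map { |p| h(p) }.join(h(sep)))
  end

  # Assumed stand-in for the route helper named in the post.
  def show_all_styles_path(id, slug)
    "/styles/#{id}/#{slug}"
  end

  # The pattern the post warns about: raw string building, no escaping at all.
  def unsafe_item(vehicle)
    "<li class='vehicle_list'><a href='#{show_all_styles_path(vehicle.id, vehicle.url_title)}'>" \
      "#{vehicle.title.upcase} Sale</a></li>"
  end

  # The content_tag form from the post.
  def safe_item(vehicle)
    content_tag(:li, nil, :class => "vehicle_list") do
      link_to("#{vehicle.title.upcase} Sale", show_all_styles_path(vehicle.id, vehicle.url_title))
    end
  end

  # "Bonus points": a helper taking a block, nesting helpers for nested HTML.
  def vehicle_list(vehicles)
    content_tag(:ul, nil, :class => "vehicles") do
      safe_join(vehicles.map { |v| safe_item(v) })
    end
  end
end

# Constructed sample record: a title that would break out of the markup if
# interpolated raw (assumed model shape, not the post's).
Vehicle = Struct.new(:id, :title, :url_title)
SAMPLE = Vehicle.new(7, 'Ford "F-150" <script>alert(1)</script>', "ford-f150")

if $PROGRAM_NAME == __FILE__
  puts SafeTags.unsafe_item(SAMPLE)  # script tag lands in the page verbatim
  puts SafeTags.safe_item(SAMPLE)    # title is escaped, markup stays intact
  puts SafeTags.vehicle_list([SAMPLE])
end
```

The key detail is the SafeBuffer marker: helper output is marked safe and passes through untouched, while any plain string (the vehicle title, a join result) is escaped on its way into a tag. That is exactly why Rails needs safe_join rather than Array#join inside a block, and why string-built markup has no safe place to do the escaping at all.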
4. Giant queries loading everything into memory
You need to fix some data so you'll …
…OOP to Rails Controllers - An experiment from one of the Rails core contributors that fills me with trepidation.
How to Securely Bootstrap JSON in a Rails View - Escaping, user-supplied content, and XSS concerns when you're consuming JSON directly.
Amon - Server monitoring, logging, and error tracking all in one package.
…of the security issues of web applications. In addition to the usual SQL injections / XSS issues / etc, use of the telephone has unique security issues associated with it.
One issue is that confidential information is only confidential until you repeat it into a telephone. Even assuming that the phone call isn't intercepted (which is, ahem, problematic), there are very common user errors and use cases which will cause that information to be disclosed to third parties. For example: …
It's a couple of days late but here are the main headlines from the last week of Ruby news. We have a couple of Rails releases, some event news, and the usual gaggle of great articles and jobs.
Headlines
Rails 3.1.3 Released (Very Quickly After 3.1.2)
This release mainly contains fixes for regressions that popped up in 3.1.2, including a downgrade to Sprockets. 3.1.2 itself was primarily a bug and security fix release and cleared up an XSS vulnerability in the translate helper.
Possible XSS vulnerability in the translate helper method in Ruby on Rails
There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.
Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
Fixed Versions: 3.0.11, 3.1.2
Please see the rubyonrails-security …