Feb 13 2013 | 3 Comments | By dudekpj, in Configuration

Critical Rails Security Issue

In January 2013, a colleague told me about a severely critical security hole affecting nearly all Ruby on Rails versions. Although I had read about the issue a couple of weeks earlier, I didn’t think I needed to worry immediately about upgrading to the patched versions, because all the Rails applications I was working on were still in development mode, running on local workstations under localhost. But then my colleague sent me a link to the following article (if you develop Rails applications, please read it):

www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/

Hopefully you noticed from the article that even development applications running under localhost are vulnerable to this hole. Although localhost-only applications are probably less likely to be attacked than larger, more popular Rails applications, or even applications currently available over the web, a localhost Rails app can still be hit, because it is reachable from your browser, and a browser can be induced to send it malicious requests. Thankfully, the Rails community has released patched versions, which you can find here:

weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/

To patch, update your Gemfile to use one of the Rails versions specified in the above link. If your applications are well tested, you should easily be able to find and fix anything the new version broke; if not, be sure to perform vigorous manual checks.
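As an added example (not code from the original post), here is a small Ruby script that verifies the patch step above actually took effect: after pinning the Gemfile line, for example `gem 'rails', '3.2.12'`, and running `bundle update rails`, it reads Gemfile.lock and reports whether the resolved Rails version is at or above the patched releases named in the linked announcement (3.2.12, 3.1.11 and 2.3.17). The lockfile text inside it is a constructed sample, and the function and constant names are my own.

```ruby
# Added example, not code from the original post: report whether a project's
# Gemfile.lock has resolved Rails to one of the patched releases named in the
# advisory the post links to (3.2.12, 3.1.11, 2.3.17).
require 'rubygems'

# Lowest patched release per Rails series, taken from the linked advisory.
PATCHED_MINIMUM = {
  '3.2' => Gem::Version.new('3.2.12'),
  '3.1' => Gem::Version.new('3.1.11'),
  '2.3' => Gem::Version.new('2.3.17'),
}.freeze

# Bundler writes each resolved gem under "specs:" indented by four spaces,
# e.g. "    rails (3.2.11)". A gem's own dependencies are indented six spaces
# and the DEPENDENCIES section uses two, so anchoring on four spaces picks
# the resolved version only. Returns nil when rails is not in the lockfile.
def locked_rails_version(lockfile_text)
  match = lockfile_text.match(/^ {4}rails \(([^)]+)\)$/)
  match && Gem::Version.new(match[1])
end

# Compare a version against the patched minimum for its series.
# Returns :patched, :vulnerable, or :unknown_series for a series the
# advisory did not cover.
def rails_patch_status(version)
  series = version.segments[0, 2].join('.')
  minimum = PATCHED_MINIMUM[series]
  return :unknown_series unless minimum
  version >= minimum ? :patched : :vulnerable
end

# Status for a whole lockfile text (:no_rails if rails is absent).
def check_lockfile(lockfile_text)
  version = locked_rails_version(lockfile_text)
  version ? rails_patch_status(version) : :no_rails
end

# Constructed sample lockfile for an app still on a pre-patch release;
# not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.11)
        actionmailer (= 3.2.11)
        actionpack (= 3.2.11)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.11)
LOCK

# Usage: ruby check_rails_lock.rb [path/to/Gemfile.lock]
if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "rails #{locked_rails_version(text)}: #{check_lockfile(text)}"
end
```

Checking Gemfile.lock rather than the Gemfile is deliberate: the Gemfile states what you asked for, but the lockfile states what Bundler actually resolved, and that is what runs in every environment that does `bundle install`.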

How do I feel about this security issue in Rails?

As a recent fan-boy of the framework, I’ll admit it’s a bit of a disappointment. But the security issue hasn’t come anywhere near dissuading me from continuing to learn more about Rails and to keep developing in it. All web frameworks have needed security patches, although maybe not all as severe as this one. And all applications, regardless of framework, very likely have home-grown security holes of their own. There’s no way to be completely safe while hosting your app for a global community of very intelligent, potentially dangerous hackers. Framework developers must always be diligent in their attempts to find holes in their systems before the hackers do, and patch them expediently.

I believe the Rails community responded well to this most recent security patch, and I expect the framework to continue to improve and maintain its popularity far into the future.

Tagged Hackers, Rails Security Patch, Vulnerabilities

3 thoughts on “Critical Rails Security Issue”

  1. Kamil says:
    February 16, 2013 at 6:11 am

    All nice and dandy, but please update your post – Rails 3.2.12 is already out with another security fix.

    • dudekpj says:
      February 16, 2013 at 10:11 am

      Thanks for the heads up. I updated the link to the patches to the following: Most recent Rails security patches

  2. gregors says:
    February 17, 2013 at 10:51 am

    In other news, other software that has had updates recently due to security bugs: Windows (57 security fixes), Java (critical update), Adobe PDF reader (zero-day exploit), WordPress (security flaw), Jenkins (security flaw)… and the list goes on.
