Ruby-based web development framework Rails 3.1.2 released

jopen, 13 years ago
     <p>Rails 3.1.2 has been officially released. This version contains a number of bug fixes and security fixes; the XSS vulnerability in the Ruby on Rails translate helper method has been fixed.</p>    <p>Rails 3.1.2 has been released. This is a patch-level release containing bug fixes and an important security fix.</p>    <h2>Possible XSS vulnerability in the translate helper method in Ruby on Rails</h2>    <p>There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.</p>    <ul>     <li><strong>Versions Affected</strong>: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin</li>     <li><strong>Not Affected</strong>: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable</li>     <li><strong>Fixed Versions</strong>: 3.0.11, 3.1.2</li>    </ul>    <p>Please see <a href="/misc/goto?guid=4958199990914514327">the rubyonrails-security posting</a> and the changelog item below, for more details.</p>    <h2>Changes</h2>    <p>Action Mailer:</p>    <ul>     <li>No changes</li>    </ul>    <p>Action Pack:</p>    <ul>     <li> <p>Fix XSS security vulnerability in the <code>translate</code> helper method. When using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped. 
<em>GH 3664</em></p> <p>Before:</p> <pre><code>translate('foo_html', :something =&gt; '&lt;script&gt;') # =&gt; "...&lt;script&gt;..."</code></pre> <p>After:</p> <pre><code>translate('foo_html', :something =&gt; '&lt;script&gt;') # =&gt; "...&amp;lt;script&amp;gt;..."</code></pre> <p><em>Sergey Nartimov</em></p> </li>     <li> <p>Upgrade sprockets dependency to ~&gt; 2.1.0</p> </li>     <li> <p>Ensure that the format isn't applied twice to the cache key, else it becomes impossible to target with expire_action.</p> <p><em>Christopher Meiklejohn</em></p> </li>     <li> <p>Swallow error when can't unmarshall object from session.</p> <p><em>Bruno Zanchet</em></p> </li>     <li> <p>Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.</p> <p>Please see <a href="/misc/goto?guid=4958199991671541027">http://redmine.ruby-lang.org/issues/5564</a> for details of the bug.</p> <p>The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is <em>exactly</em> 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.</p> <p><em>Jon Leighton</em></p> </li>     <li> <p>Ensure users upgrading from 3.0.x to 3.1.x will properly upgrade their flash object in session (issues #3298 and #2509)</p> </li>    </ul>    <p>Active Model:</p>    <ul>     <li>No changes</li>    </ul>    <p>Active Record:</p>    <ul>     <li> <p>Fix problem with prepared statements and PostgreSQL when multiple schemas are used. <em>GH #3232</em></p> <p><em>Juan M. Cuello</em></p> </li>     <li> <p>Fix bug with PostgreSQLAdapter#indexes. When the search path has multiple schemas, spaces were not being stripped from the schema names after the first.</p> <p><em>Sean Kirby</em></p> </li>     <li> <p>Preserve SELECT columns on the COUNT for finder_sql when possible. 
<em>GH 3503</em></p> <p><em>Justin Mazzi</em></p> </li>     <li> <p>Reset prepared statement cache when schema changes impact statement results. <em>GH 3335</em></p> <p><em>Aaron Patterson</em></p> </li>     <li> <p>Postgres: Do not attempt to deallocate a statement if the connection is no longer active.</p> <p><em>Ian Leitch</em></p> </li>     <li> <p>Prevent QueryCache leaking database connections. <em>GH 3243</em></p> <p><em>Mark J. Titorenko</em></p> </li>     <li> <p>Fix bug where building the conditions of a nested through association could potentially modify the conditions of the through and/or source association. If you have experienced bugs with conditions appearing in the wrong queries when using nested through associations, this probably solves your problems. <em>GH #3271</em></p> <p><em>Jon Leighton</em></p> </li>     <li> <p>If a record is removed from a has_many :through, all of the join records relating to that record should also be removed from the through association's target.</p> <p><em>Jon Leighton</em></p> </li>     <li> <p>Fix adding multiple instances of the same record to a has_many :through. <em>GH #3425</em></p> <p><em>Jon Leighton</em></p> </li>     <li> <p>Fix creating records in a through association with a polymorphic source type. <em>GH #3247</em></p> <p><em>Jon Leighton</em></p> </li>     <li> <p>MySQL: use the information_schema rather than the describe command when we look for a primary key. 
<em>GH #3440</em></p> <p><em>Kenny J</em></p> </li>    </ul>    <p>Active Resource:</p>    <ul>     <li>No changes</li>    </ul>    <p>Active Support:</p>    <ul>     <li>No changes</li>    </ul>    <p>Railties:</p>    <ul>     <li> <p>Engines: don't blow up if db/seeds.rb is missing.</p> <p><em>Jeremy Kemper</em></p> </li>     <li> <p><code>rails new foo --skip-test-unit</code> should not add the <code>:test</code> task to the rake default task. <em>GH 2564</em></p> <p><em>José Valim</em></p> </li>    </ul>    <p>As ever, you can <a href="/misc/goto?guid=4958199992410004009">see a full list of commits between the versions</a> on Github.</p>    <p><img title="rails.png" border="0" alt="rails.png" src="https://simg.open-open.com/show/8e7886c2d44de9794b9b02b7742231a0.png" width="87" height="111" /></p>    <div id="p_fullcontent" class="detail">     <p><strong>Ruby on Rails</strong> is a complete framework for developing database-driven web applications. Rails is based on the MVC (Model-View-Controller) design pattern. From Ajax in the view, to request handling and responses in the controller, to the model that wraps the database, Rails gives you a pure-Ruby development environment. To publish a site, all you need is a database and a web server.</p>     <p>Ruby on Rails is a software package for writing web applications. It is built on the Ruby programming language and gives developers powerful framework support. You can write first-class web software with far less code and in far less time than before. Well-known community sites such as 43things.com, odeo.com and basecamphq.com are written in Ruby on Rails.</p>     <p>The guiding principle of Ruby on Rails is "Don't Repeat Yourself" (DRY), meaning the code you write contains no duplication. In the past, database access code was usually similar yet had to be repeated in many places, which was costly both to write and to maintain. Instead, Ruby on Rails provides most of that support for you, so a few short lines of code deliver powerful functionality. Rails also provides code generators that let you build a powerful admin application without writing a single line of code.</p>     <p>Ruby on Rails uses reflection and runtime extension to reduce reliance on configuration files, a direction quite different from Java and C#. This spares you a great deal of configuration and deployment trouble, while performance is fully adequate for the needs of a typical website.</p>     <p>Rails supports a wide range of web servers and databases. For servers we recommend Apache, lighttpd or nginx proxying to Mongrel (or FastCGI). For databases you can use MySQL, PostgreSQL, SQLite, Oracle, SQL Server, DB2 or any other system we support. Rails runs on all major operating systems, though we recommend developing on a 'nix-based system.</p>    </div>
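<p>To make the Action Pack changelog item about the <code>translate</code> helper concrete, here is an added example that is not part of the Rails release notes or of the Rails code base. It is a minimal stand-in for the helper plus the view's output escaping, driven by a constructed translation table. <code>translate_before</code> mimics the pre-3.1.2 behaviour (the whole <code>*_html</code> result is marked HTML-safe after the raw values were interpolated), while <code>translate_after</code> mimics the fixed behaviour (values are escaped before they enter the HTML-safe template). <code>SafeString</code>, <code>render_in_view</code>, the function names and the translation keys are all assumptions of this example, not Rails APIs.</p>

```ruby
# Added example: a toy model of the Rails 3.1.2 translate-helper fix.
# Not Rails code; SafeString, TRANSLATIONS and render_in_view are constructed here.
require 'cgi'

# Minimal stand-in for ActiveSupport::SafeBuffer: a String the view will not escape again.
class SafeString < String
  def html_safe?
    true
  end
end

# Constructed translation table. Keys ending in "_html" are treated as
# HTML-safe markup, following the Rails naming convention.
TRANSLATIONS = {
  'greeting_html' => 'Hello, <b>%{name}</b>!',
  'greeting'      => 'Hello, %{name}!'
}.freeze

# Replace %{placeholder} tokens with the supplied values (symbol keys).
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Before 3.1.2 (vulnerable): raw values are interpolated into the template and
# the *_html result is then marked safe, so user input reaches the page unescaped.
def translate_before(key, values = {})
  text = interpolate(TRANSLATIONS.fetch(key), values)
  key.end_with?('_html') ? SafeString.new(text) : text
end

# After 3.1.2 (fixed): for *_html keys every interpolated value is HTML-escaped
# first; only the translator-authored markup in the template stays raw.
def translate_after(key, values = {})
  template = TRANSLATIONS.fetch(key)
  return interpolate(template, values) unless key.end_with?('_html')

  escaped = values.each_with_object({}) { |(k, v), h| h[k] = CGI.escapeHTML(v.to_s) }
  SafeString.new(interpolate(template, escaped))
end

# What ERB's <%= %> does in a Rails 3 view: escape anything not marked html_safe.
def render_in_view(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    CGI.escapeHTML(value.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  input = '<script>'   # constructed untrusted value, as in the changelog entry
  puts "before: #{render_in_view(translate_before('greeting_html', name: input))}"
  puts "after:  #{render_in_view(translate_after('greeting_html', name: input))}"
  puts "plain:  #{render_in_view(translate_after('greeting', name: input))}"
end
```

<p>The non-<code>_html</code> key is unaffected by the fix in either version, because its result is never marked safe and the view escapes it on output; the bug was specific to the combination of an HTML-safe translation and interpolated values, which is exactly the case the escaping in <code>translate_after</code> covers.</p>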