This card shows how to upgrade a Rails 2 application from Rails 2.3.8 through every single patch level up to 2.3.18, and then, hopefully, to Rails LTS.
Rails 2.3.9

This release has many minor changes and fixes to prepare your application for Rails 3.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.9'
- Change your environment.rb so all invocations of config.load_paths become config.autoload_paths
- Run script/plugin install https://github.com/rails/rails_xss.git
- Go through your config/locales/*.yml files and change the old placeholder style 'Delete {{count}} users?' to the new style 'Delete %{count} users?'
  - When using VIM you can use this command: :%s/{{\([^\}]*\)}}/%{\1}/cg

See the commit log for a detailed list of changes.
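The placeholder migration above can also be done for all locale files at once. The following script is an added example (not code from the card): it performs the same substitution as the VIM command, parses each converted file as YAML before writing it back so a broken rewrite is never saved, and returns the files it changed.

```ruby
# Added example, not code from the card: migrate {{name}} placeholders to
# %{name} in every config/locales/*.yml file, the way the VIM command does.
require 'yaml'

OLD_PLACEHOLDER = /\{\{([^}]*)\}\}/   # matches {{count}}, {{model}}, ...

# Rewrite every old-style {{name}} as %{name}; new-style %{name} is untouched.
def convert_placeholders(text)
  text.gsub(OLD_PLACEHOLDER) { "%{#{$1}}" }
end

# Convert all *.yml files in dir in place and return the paths that changed.
# The YAML parse is a sanity check: if the rewritten file does not parse,
# safe_load raises and nothing is written.
def convert_locale_files(dir)
  Dir.glob(File.join(dir, '*.yml')).sort.select do |path|
    original = File.read(path)
    converted = convert_placeholders(original)
    next false if converted == original
    YAML.safe_load(converted)
    File.write(path, converted)
    true
  end
end

if __FILE__ == $0
  # Constructed sample locale files, only to show the script running offline.
  require 'tmpdir'
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'en.yml'),
               "en:\n  confirm: \"Delete {{count}} users?\"\n")
    File.write(File.join(dir, 'de.yml'),
               "de:\n  confirm: \"%{count} Benutzer loeschen?\"\n")
    puts convert_locale_files(dir).map { |p| File.basename(p) }.inspect
  end
end
```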
Rails 2.3.10

Fixes a vulnerability in the nested attributes code.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.10'

Also see the commit log.
Rails 2.3.11

Fixes multiple security issues.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.11'
- Add <%= csrf_meta_tag %> into your layout's head
- Put this into a JavaScript file that is always loaded (like your application.js or another file you add to the javascript_include_tag):
- Any invalid request will cause a reset_session. So if your application provides any "remember me" feature that does not store its information in the session, you also need to take care that users are signed out when Rails does not receive a valid token. Rails 2.3.11 calls handle_unverified_request for this, which you need to overwrite with your logic, like this:

    def handle_unverified_request
      super # call the default behaviour which resets the session
      cookies.delete :remember_token
    end

- Run tests
- If you have non-GET Ajax parts that are not tested via Selenium (or similar), toy around with the application to see if they still work and that you do not get signed out.
- If you want to check that you get signed out when omitting the CSRF token for a non-GET request, you could remove the csrf_meta_tag from the head and call something like this (Prototype example here):

    new Ajax.Request('/admin/users', { method: 'POST', onComplete: function() { alert('complete'); } });

- Until Rails 2.3.12 is out, you will need to copy this initializer into your project, in order to fix a bug in Rails 2.3.11.
- Run tests
- Deploy

See the commit log for a detailed list of changes.
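To see why the handle_unverified_request override above matters, here is an added example (not code from the card or from Rails itself) that models the 2.3.11 check in plain Ruby: a non-GET request without a valid token only resets the session by default, so a "remember me" cookie living outside the session keeps the user signed in unless the override also deletes it. FakeController, PatchedController and the token value are assumed names and constructed data.

```ruby
# Added example (not from the card or from Rails): a stand-alone model of how
# Rails 2.3.11+ treats a non-GET request without a valid token, showing why a
# "remember me" cookie outside the session needs the override from the card.
# FakeController and PatchedController are assumed names for illustration.
class FakeController
  attr_reader :session, :cookies

  def initialize(session, cookies)
    @session = session    # what reset_session throws away
    @cookies = cookies    # survives reset_session unless deleted explicitly
  end

  # GET is never checked; anything else must carry the session token as the
  # authenticity_token param or in the X-CSRF-Token header (csrf_meta_tag + JS).
  def verified_request?(method, params, headers)
    return true if method == 'GET'
    expected = session['_csrf_token']
    !expected.nil? && [params['authenticity_token'], headers['X-CSRF-Token']].include?(expected)
  end

  # Runs the CSRF check, then reports whether the user is still signed in.
  def process(method, params = {}, headers = {})
    handle_unverified_request unless verified_request?(method, params, headers)
    signed_in?
  end

  def handle_unverified_request
    @session = {}         # default behaviour: reset_session only
  end

  def signed_in?
    !session['user_id'].nil? || !cookies['remember_token'].nil?
  end
end

# The override recommended in the card: also drop the remember-me cookie.
class PatchedController < FakeController
  def handle_unverified_request
    super
    cookies.delete('remember_token')
  end
end

# POST from a signed-in user who also has a remember-me cookie, with or
# without the token; 'tok123' is a constructed session token.
def signed_in_after_post?(klass, with_token)
  token = 'tok123'
  ctrl = klass.new({ 'user_id' => 1, '_csrf_token' => token }, { 'remember_token' => 'r' })
  ctrl.process('POST', {}, with_token ? { 'X-CSRF-Token' => token } : {})
end
```

With the default behaviour the token-less POST leaves the user signed in through the cookie; with the override the user is signed out, which is exactly what the manual Ajax.Request check above should show.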
Rails 2.3.12

Fixes security issues with the rails_xss plugin.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.12'
- Upgrade the rails_xss plugin (if you are using that)

See the commit log for a detailed list of changes.
Rails 2.3.13

Version 2.3.13 has been yanked. Please upgrade directly to 2.3.14.

See the commit log for a detailed list of changes.
Rails 2.3.14

Fixes many critical vulnerabilities.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.14'
- Run tests
- Deploy
See the commit log for a detailed list of changes (the diff starts with 2.3.12 because 2.3.13 was yanked, see above).
Rails 2.3.15

Fixes many extremely critical vulnerabilities.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.15'

See the commit log for a detailed list of changes.
Rails 2.3.16

Fixes an extremely critical vulnerability.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.16'

See the commit log for a detailed list of changes.
Rails 2.3.17

Fixes several serious vulnerabilities.

Step-by-step upgrade instructions:

- Upgrade json gem to at least 1.7.7, 1.6.8, or 1.5.5
- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.17'

See the commit log for a detailed list of changes.
Rails 2.3.18

Contains several important security fixes.

Step-by-step upgrade instructions:

- Upgrade rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.18'

See the commit log for a detailed list of changes.
Support for Rails 2 has ended. You should switch to Rails LTS.