This card shows how to upgrade a Rails 2 application from Rails 2.3.8 through every single patch level up to 2.3.18, and then, hopefully, Rails LTS.
2.3.8 to 2.3.9
This release has many minor changes and fixes to prepare your application for Rails 3.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.9'
- Change your environment.rb so all invocations of config.load_paths become config.autoload_paths
- If you are using rails_xss, you need to upgrade it by deleting the existing plugin directory and calling script/plugin install https://github.com/rails/rails_xss.git
- If you are using the native Rails I18n API, open all your config/locales/*.yml files and change the old placeholder style 'Delete {{count}} users?' to the new style 'Delete %{count} users?'
  - When using VIM you can use this command: :%s/{{\([^\}]*\)}}/%{\1}/cg
- Fix deprecation warnings with :overwrite_params
- Run tests
- Deploy
See the commit log for a detailed list of changes.
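The mechanical parts of the steps above (bumping RAILS_GEM_VERSION, renaming config.load_paths, converting the I18n placeholders in every locale file) as a small Ruby script. This is an added example, not code from the card or from Rails; it assumes the standard Rails 2 layout with config/environment.rb and config/locales/*.yml, and the function names are this example's own. Each transformation is a pure string function so it can be tried on sample input before being run over a real checkout.

```ruby
# Added example, not code from the card: the mechanical edits of the
# 2.3.8 -> 2.3.9 step as pure string transformations, applied over a checkout
# with the standard Rails 2 layout (config/environment.rb, config/locales/*.yml).
require 'fileutils'
require 'tmpdir'

# Rewrite the RAILS_GEM_VERSION assignment, keeping quote style and the
# usual "unless defined? RAILS_GEM_VERSION" suffix intact.
def bump_rails_gem_version(source, new_version)
  source.gsub(/^([ \t]*RAILS_GEM_VERSION[ \t]*=[ \t]*)(['"])[^'"]*\2/) do
    "#{$1}#{$2}#{new_version}#{$2}"
  end
end

# config.load_paths was renamed to config.autoload_paths in 2.3.9.
def rename_load_paths(source)
  source.gsub(/\bconfig\.load_paths\b/, 'config.autoload_paths')
end

# Old {{name}} interpolation -> new %{name}; the same substitution as the
# VIM command in the card: a placeholder is whatever sits between {{ and }}.
def convert_i18n_placeholders(source)
  source.gsub(/\{\{([^}]*)\}\}/) { "%{#{$1}}" }
end

# Apply a transformation to a file; returns true if the file was changed.
def rewrite_file(path)
  original = File.read(path)
  updated = yield(original)
  return false if updated == original
  File.write(path, updated)
  true
end

# Perform the edits for the whole application and return the changed paths.
def upgrade_to_2_3_9(root)
  changed = []
  env = File.join(root, 'config', 'environment.rb')
  if File.exist?(env)
    changed << env if rewrite_file(env) { |s| rename_load_paths(bump_rails_gem_version(s, '2.3.9')) }
  end
  Dir.glob(File.join(root, 'config', 'locales', '*.yml')).sort.each do |yml|
    changed << yml if rewrite_file(yml) { |s| convert_i18n_placeholders(s) }
  end
  changed
end

if __FILE__ == $0
  if ARGV[0]
    upgrade_to_2_3_9(ARGV[0]).each { |path| puts "rewrote #{path}" }
  else
    # No application root given: run against a constructed throw-away skeleton.
    Dir.mktmpdir do |tmp|
      FileUtils.mkdir_p(File.join(tmp, 'config', 'locales'))
      File.write(File.join(tmp, 'config', 'environment.rb'),
                 "RAILS_GEM_VERSION = '2.3.8' unless defined? RAILS_GEM_VERSION\n" \
                 "Rails::Initializer.run do |config|\n" \
                 "  config.load_paths += %W( \#{RAILS_ROOT}/lib )\n" \
                 "end\n")
      File.write(File.join(tmp, 'config', 'locales', 'en.yml'),
                 "en:\n  users:\n    delete: 'Delete {{count}} users?'\n")
      upgrade_to_2_3_9(tmp).each { |path| puts "--- #{path}\n#{File.read(path)}" }
    end
  end
end
```

Run it as ruby upgrade_2_3_9.rb /path/to/app; without an argument it demonstrates the edits on a constructed skeleton. Review the resulting diff before committing, since the placeholder conversion touches every locale file.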
2.3.9 to 2.3.10
Fixes a vulnerability in the nested attributes code.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.10'
- Run tests
- Deploy
Also see the commit log.
From 2.3.10 to 2.3.11
Fixes multiple security issues.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.11'
- Add <%= csrf_meta_tag %> into your layout's head
- Put this into a JavaScript file that is always loaded (like your application.js, or another file you add to the javascript_include_tag):
  - For Prototype:

        Ajax.Responders.register({
          onCreate: function(request) {
            var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
            if (csrf_meta_tag) {
              var header = 'X-CSRF-Token',
                  token = csrf_meta_tag.readAttribute('content');
              if (!request.options.requestHeaders) {
                request.options.requestHeaders = {};
              }
              request.options.requestHeaders[header] = token;
            }
          }
        });

  - For jQuery:

        $(document).ajaxSend(function(e, xhr, options) {
          var token = $("meta[name='csrf-token']").attr("content");
          xhr.setRequestHeader("X-CSRF-Token", token);
        });

  Both snippets add the token to every Ajax request the page makes, including requests to other origins. If your application makes cross-domain Ajax calls, restrict the header to requests against your own host so the token is not handed to third parties.
- Any invalid request will cause a reset_session. So if your application provides a "remember me" feature that does not store its information in the session, you also need to make sure users are signed out when Rails does not receive a valid token. Rails 2.3.11 calls handle_unverified_request for this, which you need to override in your ApplicationController with your own logic, like this:

      def handle_unverified_request
        super # call the default behaviour, which resets the session
        cookies.delete :remember_token
      end

- Run tests
- If you have non-GET Ajax parts that are not tested via Selenium (or alike), play around with the application to see that they still work and that you do not get signed out.
- If you want to check that you get signed out when omitting the CSRF token for a non-GET request, you could remove the csrf_meta_tag from the head and call something like this (Prototype example): new Ajax.Request('/admin/users', { method: 'POST', onComplete: function() { alert('complete'); } });
- Until Rails 2.3.12 is out, you will need to copy this initializer into your project, in order to fix a bug in Rails 2.3.11.
- Run tests
- Deploy
See the commit log for a detailed list of changes.
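To make the behaviour above concrete without booting an application, here is a stand-alone Ruby model of the check Rails 2.3.11 performs: a non-GET request passes if it carries the session's token either as the authenticity_token parameter (hidden form field) or in the X-CSRF-Token header (what the Prototype/jQuery snippets set); otherwise the session is reset and, with the override from the card, the remember-me cookie is dropped too. This is an added example, not Rails' own code; Request, Session, RequestForgeryGuard and protect are names assumed for this example (the real logic lives in ActionController::RequestForgeryProtection), and it uses a constant-time comparison where Rails 2.3 used ==.

```ruby
# Added example, not Rails' own code: a stand-alone model of the request check
# Rails 2.3.11 performs. Request, Session and RequestForgeryGuard are names
# assumed for this example; the real logic lives in
# ActionController::RequestForgeryProtection.
require 'securerandom'

# The parts of an incoming request that the check looks at.
Request = Struct.new(:http_method, :params, :headers) do
  def get?
    http_method == 'GET'
  end
end

# A session store with the reset_session semantics we care about.
class Session
  def initialize
    @data = {}
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
  end

  # reset_session: everything in the session, including the CSRF token, is gone.
  def reset!
    @data = {}
  end
end

class RequestForgeryGuard
  TOKEN_PARAM  = 'authenticity_token'
  TOKEN_HEADER = 'X-CSRF-Token'

  attr_reader :session, :cookies

  # cookies is a Hash standing in for the cookie jar (remember-me token etc.).
  def initialize(session, cookies)
    @session = session
    @cookies = cookies
  end

  # Generated once per session; rendered into forms and the csrf-token meta tag.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # 2.3.11 accepts the token as a form parameter or, for Ajax calls, in the
  # X-CSRF-Token header that the Prototype/jQuery snippets set.
  def verified_request?(request)
    return true if request.get?
    presented = request.params[TOKEN_PARAM] || request.headers[TOKEN_HEADER]
    !presented.nil? && secure_compare(form_authenticity_token, presented)
  end

  # What 2.3.11 does instead of raising InvalidAuthenticityToken: reset the
  # session. The override from the card additionally drops the remember-me
  # cookie so a login that does not live in the session is ended as well.
  def handle_unverified_request
    session.reset!
    cookies.delete(:remember_token)
  end

  # Returns :ok when the request may proceed, :rejected when it was reset.
  def protect(request)
    return :ok if verified_request?(request)
    handle_unverified_request
    :rejected
  end

  private

  # Constant-time comparison (Rails 2.3 itself used ==; this is a hardening
  # choice of the example, not Rails behaviour).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result == 0
  end
end

if __FILE__ == $0
  session = Session.new
  cookies = { remember_token: 'persistent-login-cookie' } # constructed cookie jar
  guard   = RequestForgeryGuard.new(session, cookies)
  session[:user_id] = 42
  token = guard.form_authenticity_token

  puts guard.protect(Request.new('POST', { 'authenticity_token' => token }, {})) # ok
  puts guard.protect(Request.new('POST', {}, { 'X-CSRF-Token' => token }))      # ok
  puts guard.protect(Request.new('POST', {}, {}))                               # rejected
  puts "user_id=#{session[:user_id].inspect} remember_token=#{cookies[:remember_token].inspect}"
end
```

The last call mirrors the manual check from the list (a POST with the meta tag removed): after it, both the session and the remember-me cookie are gone, and the token that was valid before the reset no longer validates.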
From 2.3.11 to 2.3.12
Fixes security issues with the rails_xss plugin.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.12'
- Upgrade the rails_xss plugin (if you are using it)
- Run tests
- Deploy
See the commit log for a detailed list of changes.
From 2.3.12 to 2.3.13
Version 2.3.13 has been yanked. Please upgrade directly to 2.3.14.
See the commit log for a detailed list of changes.
From 2.3.12 to 2.3.14
Fixes many critical vulnerabilities.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.14'
- Run tests
- Deploy
See the commit log for a detailed list of changes (the diff starts at 2.3.12 because 2.3.13 was yanked, see above).
From 2.3.14 to 2.3.15
Fixes many extremely critical vulnerabilities.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.15'
- Run tests
- Deploy
See the commit log for a detailed list of changes.
From 2.3.15 to 2.3.16
Fixes an extremely critical vulnerability.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.16'
- Run tests
- Deploy
See the commit log for a detailed list of changes.
From 2.3.16 to 2.3.17
Fixes several serious vulnerabilities.
Step-by-step upgrade instructions:
- Upgrade the json gem to at least 1.7.7, 1.6.8, or 1.5.5 (depending on which minor series you are on)
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.17'
- Run tests
- Deploy
See the commit log for a detailed list of changes.
From 2.3.17 to 2.3.18
Contains several important security fixes.
Step-by-step upgrade instructions:
- Upgrade the rails gem
- Change your environment.rb so it says RAILS_GEM_VERSION = '2.3.18'
- Run tests
- Deploy
See the commit log for a detailed list of changes.
From 2.3.18 to Rails LTS
Support for Rails 2 has ended. You should switch to Rails LTS.