The Ruby on Rails developers have published Rails 3.2.3 which includes the mass assignment change that appeared in the wake of March's GitHub incident. In that incident, a developer named Egor Homakov used a well-known vulnerability in the default configuration of Rails applications to manipulate GitHub projects.

The problem was that, for ease of development, Rails had allowed any field in a database record to be set in a mass assignment action and then left it to the developer to lock down the application. The change in Rails 3.2.3 now forces developers to whitelist fields for mass assignment by flipping the config.active_record.whitelist_attributes property to true by default. This change only affects new applications and developers should check their existing Rails applications for mass assignment vulnerabilities or to set the config.active_record.whitelist_attributes property to true in their applications. The Rails security guide gives advice on the process.

The 3.2.3 release also sees the addition of an option to change to how authenticity_tokens are handled when doing remote forms, and an update to rack-cache (to fix a cookie leak) and mail to address security vulnerabilities. Other changes include a find_or_create_by_{attribute} dynamic method added, attribute_present fixed to return false for empty strings, a number of corrected regressions and other bug fixes – details of which can be found in the announcement and in the comparison between 3.2.2 and 3.2.3. Rails can be updated using "gem install rails" at the command line. Further details on installing Rails can be found at the Ruby on Rails download page. Rails is published under the MIT licence.

(djwm)