Rails 3.0 security update

Oct 20, 2010 • posted by Michael Hartl

The Rails core team recently announced a security update to Rails 3.0: Rails 3.0.0 has a vulnerability that has been fixed in Rails 3.0.1. Even though the Rails Tutorial sample application source code doesn't use the method (called accepts_nested_attributes_for) that has the vulnerability, the book and the Rails installation screencasts have been updated to reflect this change, just to be safe.

If you purchased the Rails Tutorial PDF or screencasts, you might want to revisit your download links for the latest versions of the book and the Rails installation files (the other screencasts are unaffected). You don't really have to, though, because it's easy to update your application: First, run

$ gem uninstall rails -v 3.0.0
$ gem install   rails -v 3.0.1

at the command line. Then edit the Gemfile, changing the version on the `rails` line from '3.0.0' to '3.0.1'. Finally, run

$ bundle install

at the command line, and you should be good to go.
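The three steps above are done by hand, so it is easy to update the installed gem and forget the Gemfile pin, or the other way round. The script below is an added example (not code from the post or from the Rails Tutorial) that checks which Rails version a project's Gemfile and Gemfile.lock name, flags anything older than the fixed 3.0.1 release, and rewrites the Gemfile pin; the Gemfile and Gemfile.lock it writes are constructed sample input, and the function names (`gemfile_rails_version`, `needs_rails_update`, `bump_rails_pin`, and so on) are this example's own. It does not run `gem install` or `bundle install` for you; those still have to be run as described above so that Gemfile.lock is regenerated against the new version.

```shell
#!/bin/sh
# Added example, not from the original post: detect a Rails pin older than
# the fixed 3.0.1 release and rewrite the Gemfile pin. All sample files are
# constructed here for the demonstration.

FIXED_RAILS="3.0.1"

# Write a constructed Gemfile and Gemfile.lock into directory $1.
write_sample_project() {
  cat > "$1/Gemfile" <<'EOF'
source 'http://rubygems.org'

gem 'rails', '3.0.0'
gem 'sqlite3-ruby', :require => 'sqlite3'
EOF
  cat > "$1/Gemfile.lock" <<'EOF'
GEM
  remote: http://rubygems.org/
  specs:
    rails (3.0.0)
      actionmailer (= 3.0.0)
      railties (= 3.0.0)
    railties (3.0.0)

DEPENDENCIES
  rails (= 3.0.0)
EOF
}

# Print the version pinned for the rails gem in Gemfile $1.
# Matches lines such as: gem 'rails', '3.0.0'   or   gem "rails", "3.0.0"
gemfile_rails_version() {
  sed -n "s/^[[:space:]]*gem[[:space:]]*['\"]rails['\"][[:space:]]*,[[:space:]]*['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print the rails version resolved in Gemfile.lock $1: the 4-space-indented
# "    rails (x.y.z)" line in the specs: section, not the "railties" or
# DEPENDENCIES lines.
lockfile_rails_version() {
  sed -n 's/^    rails (\([0-9.]*\))$/\1/p' "$1" | head -n 1
}

# True (status 0) if dotted version $1 is strictly older than $2.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# True (status 0) if Gemfile $1 pins a rails version older than FIXED_RAILS.
needs_rails_update() {
  v=$(gemfile_rails_version "$1")
  [ -n "$v" ] && version_lt "$v" "$FIXED_RAILS"
}

# Rewrite the rails pin in Gemfile $1 to FIXED_RAILS, in place.
bump_rails_pin() {
  sed "s/^\([[:space:]]*gem[[:space:]]*['\"]rails['\"][[:space:]]*,[[:space:]]*['\"]\)[0-9.]*\(['\"]\)/\1${FIXED_RAILS}\2/" "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# Demonstration on the constructed project in a scratch directory.
SCRATCH=$(mktemp -d)
write_sample_project "$SCRATCH"
echo "Gemfile.lock resolved rails $(lockfile_rails_version "$SCRATCH/Gemfile.lock")"
if needs_rails_update "$SCRATCH/Gemfile"; then
  echo "Gemfile pins rails $(gemfile_rails_version "$SCRATCH/Gemfile"); rewriting pin to $FIXED_RAILS"
  bump_rails_pin "$SCRATCH/Gemfile"
fi
echo "Gemfile now pins rails $(gemfile_rails_version "$SCRATCH/Gemfile")"
echo "Next: gem install rails -v $FIXED_RAILS && bundle install"
rm -rf "$SCRATCH"
```

Run it from a shell; on a real project, point the functions at the project's own Gemfile and Gemfile.lock instead of the scratch copy. Checking Gemfile.lock as well as the Gemfile matters because the lock file records what `bundle install` actually resolved: a Gemfile already edited to 3.0.1 with a lock file still saying 3.0.0 means the final `bundle install` step has not been run yet.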

Michael Hartl

I’m Michael Hartl—author, educator, and entrepreneur. I’m probably best known as the creator of the Ruby on Rails Tutorial, a book and screencast series that together constitute one of the leading introductions to web development. Once called his “favorite book” by Wikipedia founder Jimmy Wales, the Ruby on Rails Tutorial currently has over 150 5-star reviews at Amazon. I’m also (in)famous for creating Tau Day and The Tau Manifesto, which have inspired an international movement dedicated to the proposition that “pi is wrong.” (For example, as a result of The Tau Manifesto, MIT releases their admissions decisions each year at “Tau Time” (6:28 p.m.), and typing tau/2 at Google yields 3.14159…) Finally, I’m a founder of Softcover, a publishing system and sales platform for technical authors, which among other things powers both The Tau Manifesto and the Ruby on Rails Tutorial.

I’m a graduate of Harvard College and have a Ph.D. in Physics from Caltech, where I studied black hole dynamics and was an award-winning instructor in theoretical and computational physics. I’m also an alumnus of Y Combinator, the entrepreneur program that has produced companies such as Dropbox and Airbnb. (Alas, my own Y Combinator startup was neither Dropbox nor Airbnb.)