Rails 3.0 security update

Oct 20, 2010 • posted by Michael Hartl

The Rails core team recently announced a security update to Rails 3.0: Rails 3.0.0 has a vulnerability that has been fixed in Rails 3.0.1. Even though the Rails Tutorial sample application's source code doesn't use the vulnerable method (accepts_nested_attributes_for), the book and the Rails installation screencasts have been updated to reflect this change, just to be safe.

If you purchased the Rails Tutorial PDF or screencasts, you might want to revisit your download links for the latest versions of the book and the Rails installation files (the other screencasts are unaffected). You don't really have to, though, because it's easy to update your application: First, run

$ gem uninstall rails -v 3.0.0
$ gem install   rails -v 3.0.1

at the command line. Then edit the Gemfile, changing '3.0.0' to '3.0.1'. Finally, run

$ bundle install

at the command line, and you should be good to go.
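As an added example (not code from the original post), the POSIX sh script below automates the Gemfile step above and adds the check you want afterwards: it reads the version Bundler actually resolved from Gemfile.lock, since editing the Gemfile alone changes nothing until bundle install regenerates the lock. It assumes the Gemfile pins Rails with a line of the form gem 'rails', '3.0.0', as the Rails Tutorial does; the function names and the sample Gemfile contents are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pin a Rails app's Gemfile to the
# fixed release and verify what Bundler resolved. Assumes a pin of the form
#   gem 'rails', '3.0.0'
# (the form used in the Rails Tutorial). "bundle install" is still run by you.

FIXED_RAILS="3.0.1"   # release containing the fix, per the post

# version_lt A B: exit 0 if dotted version A is older than B (3.0.0 < 3.0.1)
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1   # equal versions are not "older"
  }'
}

# gemfile_rails_version GEMFILE: print the version pinned for rails (empty if none)
gemfile_rails_version() {
  sed -n "s/^[[:space:]]*gem[[:space:]]*['\"]rails['\"],[[:space:]]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# lockfile_rails_version GEMFILE_LOCK: print the rails version Bundler resolved
# (the "rails (x.y.z)" line under specs, not the "rails (= x.y.z)" dependency line)
lockfile_rails_version() {
  sed -n "s/^[[:space:]]*rails (\([0-9][0-9.]*\))[[:space:]]*$/\1/p" "$1" | head -n 1
}

# pin_rails GEMFILE: rewrite the rails pin to $FIXED_RAILS in place.
# Exit 0 if the Gemfile now pins $FIXED_RAILS, 1 if no rails pin was found.
pin_rails() {
  gemfile=$1
  current=$(gemfile_rails_version "$gemfile")
  [ -n "$current" ] || return 1
  # rewrite only the rails line, keeping the file's own quoting style
  sed "s/^\([[:space:]]*gem[[:space:]]*['\"]rails['\"],[[:space:]]*['\"]\)[0-9][0-9.]*\(['\"]\)/\1${FIXED_RAILS}\2/" "$gemfile" > "$gemfile.tmp" \
    && mv "$gemfile.tmp" "$gemfile"
  [ "$(gemfile_rails_version "$gemfile")" = "$FIXED_RAILS" ]
}

# check_app APPDIR: after "bundle install", confirm the lockfile resolved a fixed
# release. Exit 0 = fixed, 1 = still on an older release, 2 = no usable lockfile.
check_app() {
  lock="$1/Gemfile.lock"
  [ -f "$lock" ] || return 2
  resolved=$(lockfile_rails_version "$lock")
  [ -n "$resolved" ] || return 2
  if version_lt "$resolved" "$FIXED_RAILS"; then
    echo "rails $resolved in $lock is older than $FIXED_RAILS; run bundle install" >&2
    return 1
  fi
  echo "rails $resolved in $lock: fixed release"
  return 0
}

# Usage: sh rails_update_check.sh path/to/app
if [ -n "${1:-}" ]; then
  pin_rails "$1/Gemfile" && echo "Gemfile now pins rails $FIXED_RAILS; run bundle install"
  check_app "$1"
fi
```

Run it once before bundle install (it rewrites the pin and reports that the lock is still on the old release) and once after (it should report the fixed release). Because the lockfile check compares versions rather than matching the string 3.0.1, it also accepts any later 3.0.x release your bundle may resolve to.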