
Upgrading Typo 4.0.0 to Rails 1.1.5/1.1.6

Posted Thu, 10 Aug 2006 06:14:00 GMT

It was recently announced that Rails 1.1.0, 1.1.1, 1.1.2, and 1.1.4 have a very serious security hole. Although the RoR blog hasn't discussed exactly what the hole is, it has been rumored to involve uploading .rb files to execute arbitrary code on the server (UPDATE: now confirmed). Typo only allows file uploads by administrators, so certain applications may be somewhat safer. (UPDATE: Arbitrary code execution was fixed in 1.1.5, but you could still crash the application. 1.1.6 has been released to fix these lingering bugs; just change 1.1.5 to 1.1.6 in the steps below.)

Scott Laird is working on releasing Typo 4.0.1 (now released), which will include Rails 1.1.5. Until then, or if you don't want to upgrade Typo, you can simply upgrade the Rails used by Typo by installing the 1.1.5 vendor/rails directory over the existing one. Here are the steps:

$ cd /tmp
$ wget http://rubyforge.org/frs/download.php/12258/rails-1.1.5.tgz
$ tar -zxf rails-1.1.5.tgz
$ cd rails/vendor
$ tar -zcf rails-1.1.5-vendor-rails.tgz rails
$ mv rails-1.1.5-vendor-rails.tgz /path/to/typo/vendor
$ cd /path/to/typo/vendor
$ tar -zxf rails-1.1.5-vendor-rails.tgz

To verify that Rails has been updated you can view the version.rb file which should now give you the following:

$ cat rails/railties/lib/rails/version.rb
module Rails
  module VERSION #:nodoc:
    MAJOR = 1
    MINOR = 1
    TINY  = 5

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
end

You'll probably want to back up the existing vendor/rails directory first, as the last step extracts the 1.1.5 files over it. Don't simply swap the whole vendor directory: you'll get a lot of missing-requirement errors (e.g. redcloth, bluecloth, rubypants, uuidtools, etc.) because rails isn't the only thing installed under vendor for Typo.
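The steps above (build the vendor/rails tarball, extract it, check version.rb, and keep a backup) can be folded into one script. The following is an added example and not part of the original post or of Typo; it assumes a tarball whose top-level entry is a "rails" directory, which is exactly what the "tar -zcf rails-1.1.5-vendor-rails.tgz rails" step produces. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: swap in a new vendor/rails
# safely. Assumes a tarball whose top-level entry is a "rails" directory,
# as built by "tar -zcf rails-1.1.5-vendor-rails.tgz rails" in the post.
# Function and variable names here are this example's own.

# Print MAJOR.MINOR.TINY from the vendored Rails version.rb, or fail.
rails_version() {
  vfile="$1/rails/railties/lib/rails/version.rb"
  if [ ! -f "$vfile" ]; then
    echo "no version.rb under $1/rails" >&2
    return 1
  fi
  major=$(sed -n 's/^ *MAJOR *= *\([0-9][0-9]*\).*/\1/p' "$vfile")
  minor=$(sed -n 's/^ *MINOR *= *\([0-9][0-9]*\).*/\1/p' "$vfile")
  tiny=$(sed -n 's/^ *TINY *= *\([0-9][0-9]*\).*/\1/p' "$vfile")
  [ -n "$major" ] && [ -n "$minor" ] && [ -n "$tiny" ] || return 1
  echo "$major.$minor.$tiny"
}

# Replace $1/rails with the rails directory inside tarball $2.
# The archive is unpacked and checked in a scratch directory first, so a
# truncated or wrong download never leaves vendor/rails half-replaced; the
# old copy is moved aside rather than overwritten, so no stale files from the
# previous release linger next to the new ones. Prints the installed version.
install_vendor_rails() {
  vendor_dir=$1
  tarball=$2
  [ -d "$vendor_dir" ] || { echo "$vendor_dir: not a directory" >&2; return 1; }
  [ -f "$tarball" ] || { echo "$tarball: not found" >&2; return 1; }

  scratch=$(mktemp -d) || return 1
  if ! tar -zxf "$tarball" -C "$scratch"; then
    echo "extraction failed; vendor/rails untouched" >&2
    rm -rf "$scratch"
    return 1
  fi
  # Refuse to install anything that does not carry a readable version.rb.
  newver=$(rails_version "$scratch") || { rm -rf "$scratch"; return 1; }

  if [ -d "$vendor_dir/rails" ]; then
    backup="$vendor_dir/rails.bak.$(date +%Y%m%d%H%M%S)"
    mv "$vendor_dir/rails" "$backup"
    echo "old vendor/rails moved to $backup" >&2
  fi
  mv "$scratch/rails" "$vendor_dir/rails"
  rm -rf "$scratch"
  echo "$newver"
}

# Usage, once rails-1.1.5-vendor-rails.tgz has been built as shown above:
#   install_vendor_rails /path/to/typo/vendor /tmp/rails-1.1.5-vendor-rails.tgz
```

Moving the old directory aside instead of extracting on top of it is a small deviation from the post's last step: extracting over the old tree keeps any file the new release deleted, and a leftover file from a vulnerable version is exactly what you are trying to get rid of. The backup directory stays under vendor/ so the version.rb check works on it too.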

