Dev411 Blog

I finally got around to upgrading from Typo 4.0.0 r1188 to Typo 4.1.1 and it was pretty smooth. I had held off for a while because Typo was changing a lot under the covers with some much needed refactoring and I have a few hacks I didn't feel like modifying with every minor update.

A couple of people have blogged about their use of the "elite hacking tool diff -r" to identify the problem solved by the Rails 1.1.5 Mandatory Mystery Patch. The problem is that Rails accepted LOAD_PATH as a HTTP request header with any file upload so a hacker could upload ruby controllers and then execute them by accessing the newly exposed URIs. This is discussed by Kristian Köhntopp and Evan Weaver.

People are reporting a Rails 1.1.5 routing vulerability where accessing certain URIs will crash Rails. The problem has been reported on Mongrel, WeBrick and FastCGI. Piers Cawley is working on an explicit routes fix for Typo and discusses the issue on his blog. This has not been mentioned on the RoR blog yet. Good thing for public forums.

It was recently announced that Rails 1.1.0, 1.1.1, 1.1.2, and 1.1.4. have a very serious security hole. Although the RoR blog hasn't discussed exactly what the hole is, it has been rumored to involve uploading of .rb files to execute arbitrary code on the server (UPDATE: now confirmed). Typo only allows file uploads by administrators so certain applications may be somewhat safer. (UPDATE: Running arbitrary code was fixed in 1.1.5 however you could still crash it. 1.1.6 has been released to fix these lingering bugs. Just change 1.1.5 to 1.1.6 below).

Two weeks ago, Scott Laird posted a Mongrel patch to the Typo list to make it work with non-root URIs. I'm particularly interested in this because Mongrel is getting more mindshare and my blog uses a non-root URI. The patch has been submitted to Zed Shaw for inclusion but, until it's in, here are some links since I don't think this is easy to find:

• archived email
• mongrel.diff patch

UPDATE: This is now included in Mongrel 0.3.13.4 pre-release.

The future of Prototype (the JavaScript AJAX library), both as a stand-alone library and as a part of Rails, is being discussed by the community on the rails-spinoffs list. The primary concerns appear to be:

I've been using MediaWiki for a while and wanted its ability to auto-generate Table of contents for pages with multiple articles such as the homepage and the category pages. Typo is a Ruby on Rails app so you'll need to be somewhat familiar with it to make enhancments. I have this running on Typo 4.1.1, 4.0.0 r1188 and 2.6.0.

I came up with the following but it's still in the early stages:

IMO, one of the major limitations of Ruby on Rails compared to other frameworks is its ORM, ActiveRecord. ActiveRecord is a fairly early ORM (object-relational mapper) that has made some questionable design decisions and doesn't support some very basic relational database concepts. These issues have been discussed on Joel on Software and elsewhere. Here are some limitations I wish were fixed: