Webroar has a dependency on an old, less secure version of Rails, 2.3.2
Reported by Glenn Rempe | November 28th, 2009 @ 11:15 PM
The webroar gem has a runtime dependency on Rails = 2.3.2, which is an outdated release.
Rails 2.3.4 includes security fixes and should be allowed to be used.
http://weblog.rubyonrails.org/2009/9/4/ruby-on-rails-2-3-4
Does webroar include a hard dependency on a specific version of Rails? If so, it should not, and the application being hosted should determine the version of Rails it wants to use.
Different applications running under webroar should be able to run under different versions of Rails at the same time.
Webroar should be able to be installed, and run, with any modern Rack-aware version of Rails and should specify a '>=' dependency on Rails and not an '='.
Comments and changes to this ticket
Aditya Babbar November 29th, 2009 @ 12:04 AM
- Assigned user set to Aditya Babbar
- State changed from new to open
A couple of comments:
- WebROaR can run all versions of Rails applications and doesn't force the deployed application to use any particular version of Rails.
- The specific dependency on Rails 2.3.2 is only for the Admin Panel. Unfortunately, as of now the Admin Panel + Rails 2.3.4 + Ruby 1.9 combination doesn't work. This issue is very much on our radar and we will be resolving it soon. Since the Admin Panel is only meant to be used by the server administrator (and we recommend keeping it off when not in use to save memory), the security risk due to that XSS vulnerability is low at this point.
Dharmarth Shah December 7th, 2009 @ 07:27 PM
- Assigned user changed from Aditya Babbar to Dharmarth Shah
- State changed from open to resolved
- Tag changed from bug, dependency, install to dependency, rails
The Rails dependency has been changed to '>= 2.3.5'.
Please find the change in the latest version, v0.2.5.
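The constraint change recorded in this ticket, from '= 2.3.2' to '>= 2.3.5', can be checked against concrete Rails versions with RubyGems' own Gem::Requirement and Gem::Dependency classes. The Ruby script below is an added example and is not WebROaR's own gemspec code; the version list is constructed for illustration, and the script also covers the pessimistic '~> 2.3.5' form, which the ticket does not discuss, to show the difference between a hard pin, an open floor, and a floor with an upper bound.

```ruby
require 'rubygems'

# Constructed sample: the Rails releases named in the ticket plus a later
# major version, so each constraint's effect is visible.
CANDIDATE_RAILS_VERSIONS = %w[2.3.2 2.3.4 2.3.5 2.3.8 3.0.0].freeze

# Return the subset of candidate versions that satisfy a RubyGems
# requirement string such as '= 2.3.2' or '>= 2.3.5'.
def allowed_versions(requirement, candidates = CANDIDATE_RAILS_VERSIONS)
  req = Gem::Requirement.new(requirement)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# A dependency is "pinned" when every clause is an exact-match (=) clause:
# no newer release, security releases included, can ever be selected.
def pinned?(requirement)
  Gem::Requirement.new(requirement).requirements.all? { |op, _| op == '=' }
end

# A dependency is "unbounded" when no clause caps the version. An open
# floor like '>= 2.3.5' fixes the pin but may later pull in an
# incompatible major release; '~> 2.3.5' keeps the floor and adds a cap.
def unbounded?(requirement)
  Gem::Requirement.new(requirement).requirements.none? { |op, _| %w[< <= ~> =].include?(op) }
end

# Given a gem's dependency list (Gem::Dependency objects, as returned by
# Gem::Specification#dependencies), name the runtime dependencies that are
# hard-pinned and therefore cannot pick up security releases.
def pinned_runtime_deps(dependencies)
  dependencies
    .select { |d| d.type == :runtime && pinned?(d.requirement.to_s) }
    .map(&:name)
end

if $PROGRAM_NAME == __FILE__
  ['= 2.3.2', '>= 2.3.5', '~> 2.3.5'].each do |req|
    puts format('%-10s allows %-24s pinned=%-5s unbounded=%s',
                req, allowed_versions(req).join(', '), pinned?(req), unbounded?(req))
  end
  # Constructed stand-ins for the old and new dependency declarations
  # (the real WebROaR gemspec is not reproduced here).
  old_deps = [Gem::Dependency.new('rails', '= 2.3.2', :runtime)]
  new_deps = [Gem::Dependency.new('rails', '>= 2.3.5', :runtime)]
  puts "old pinned runtime deps: #{pinned_runtime_deps(old_deps).inspect}"
  puts "new pinned runtime deps: #{pinned_runtime_deps(new_deps).inspect}"
end
```

To run the same check against an installed gem rather than the constructed list, pass `Gem::Specification.find_by_name('webroar').dependencies` to `pinned_runtime_deps`; the helper only looks at the requirement operators, so it works for any gem.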
Source Code Location
Repository is at http://github.com/webroar/webroar
Check out the development master:
git clone git://github.com/webroar/webroar.git
Creating a bug report
When creating a bug report, be sure to include as much relevant information as possible.
Security vulnerabilities should be reported via an email to security@webroar.in; do not use Lighthouse for reporting security vulnerabilities. All content in Lighthouse is publicly available as soon as it is posted.