Hobo 1.0.3 released
Posted by Bryan Larsen | February 25, 2011 One Response comments

This is a security release. All applications that use the reset password functionality or are on versions of Rails prior to version 2.3.4 should upgrade.

To patch the reset password vulnerability, two changes have been made.

First of all, the lifecycle key hash mechanism has been changed. Existing lifecycle keys will become invalid after you upgrade. Lifecycle keys are typically short lived, so this is unlikely to be a problem for most applications.

Secondly, lifecycle keys are now cleared on every transition to avoid replay vulnerabilities. This new behaviour may be avoided by added the :keep_key => true option to a transition.

More information about the vulnerability can be viewed on the bug report.

Other changes:

The text input tag (<textarea>) has a security hole with versions of Rails prior to 2.3.4. This release makes using textarea safe on old versions of Rails, although it is highly recommended that you upgrade to Rails 2.3.11 because of other security vulnerabilities.

The “include” automatic scope has been aliased to “includes” to increase future compatibility with Rails 3. Future versions of Hobo will remove support for “include”.

This release increases compatibility with Ruby v1.9.2.

Hobo 1.0.2 introduced a major problem with chained scopes. This has been fixed.

All code changes may viewed on the github log

Reader Comments Add your comment »

Comment Number:
1
Written by:
Betelgeuse
Posted on:
February 25, 2011 at 9:58 pm

The github log links is producing weird results:

Showing 2,288 commits by 11 authors.


Write a Comment

Please do not use blog comments for support or reporting bugs.

Please use the hobousers google group for help and support.

Comments are formatted using markdown. To include code, either quote it in `backticks` or indent a code-block by 4 spaces.