CNK's Blog

Upgrading from Rails 2.3.5 Part 2

csrf_meta_tags

Carrying on from part 1, once I had everything in place to run my tests, almost all of my functional tests failed complaining “no method csrf_meta_tags”. Ahh right, I am not running the stock Rails 2.3.5 gem in production. In February of 2011 the Rails team put out a patch for an XSS vulnerability. I was concerned that some of the changes between Rails 2.3.5 and 2.3.10 might interfere with my connection to my Oracle 8i database. I was already having to do some monkey patching of the activerecord-oracle_enhanced-adapter so I could continue to use it. So instead of upgrading my gems to Rails 2.3.11, I applied the patch and then added <%= csrf_meta_tags %> to all of my layouts. Since the point of what I am doing is to upgrade my gems, for now I just commented out the offending line in each of my layouts.

SSL

OK, now that I can actually run some functional tests, there are a couple of other things that are not working properly. On my production (and usual development) machines, I have SSL configured and my application uses the ssl-requirement plugin to require that my login pages are only accessible under SSL. I don’t want to set up SSL on this temporary location, so for now I tweaked the plugin to claim that all protocols are ‘secure’. Also, during a security audit, I was asked to only pass my user cookie over https to prevent session hijacking. Since I disabled SSL, I can never log in; so I had to temporarily disable the secure cookie requirement too. Interestingly, a recent Railscast discussed session hijacking and provided example code basically like what I have.

Mime-type checking

The next set of failures in my functional tests are in tests that check to see that I can only upload specific file types into the image and documents sections of my CMS. By default my attachment processing code, which uses attachment_fu, was using the content type provided during file upload - which largely uses the file extension to determine file type. To beef that up, I have extended attachment_fu to use the shared-mime-info ruby gem. It works fine on my production RHEL5 machine and as far as I can tell I have the same rpm + gem combination on this test box. But it isn’t working. All of my file uploads (in tests and from the browser) are getting back nil for the mime-type. Looking at the code, that implies that the library thinks it should be able to determine the file type but can’t. This may be that I am not loading the library correctly in my Gemfile:

    gem "shared-mime-info", :require => "shared-mime-info"

But I have already had trouble getting this to work on my colleague’s Leopard Mac so there is already a workaround in place for that. Again, for now I am going to make this workaround trigger all the time and see what else I need to change to get this app on a supported version of Rails.
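The difference between trusting the client-supplied content type and checking the file's own bytes, including the nil case described above, as an added example (not the blog's attachment_fu extension and not the shared-mime-info API). The signature table, the section allowlist and the names `sniff_mime` and `check_upload` are assumptions made for illustration; a nil detection is rejected rather than falling back to the extension.

```ruby
# Added example: content-based upload check. MAGIC and ALLOWED are
# illustrative assumptions, not a complete MIME database.
MAGIC = [
  ["image/png",       "\x89PNG\r\n\x1A\n".b],
  ["image/jpeg",      "\xFF\xD8\xFF".b],
  ["image/gif",       "GIF87a".b],
  ["image/gif",       "GIF89a".b],
  ["application/pdf", "%PDF-".b],
].freeze

# Which detected types each CMS section accepts (hypothetical sections).
ALLOWED = {
  :image    => %w[image/png image/jpeg image/gif],
  :document => %w[application/pdf],
}.freeze

# Return the MIME type implied by the leading bytes, or nil when unknown.
def sniff_mime(data)
  head = data.to_s.b[0, 16] || ""
  hit = MAGIC.find { |_, sig| head.start_with?(sig) }
  hit && hit.first
end

# Decide whether an upload may be stored in the given section.
# claimed_type is the browser-supplied Content-Type, which the client controls.
def check_upload(section, claimed_type, data)
  detected = sniff_mime(data)
  # Fail closed: an undetectable type is a rejection, not a reason to
  # trust the extension or the claimed type.
  return [:reject, "unrecognised content"] if detected.nil?
  unless ALLOWED.fetch(section, []).include?(detected)
    return [:reject, "#{detected} not allowed in #{section}"]
  end
  if claimed_type != detected
    return [:reject, "claimed #{claimed_type} but content is #{detected}"]
  end
  [:accept, detected]
end

# Constructed sample uploads (leading bytes only).
PNG_BYTES  = "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b
HTML_BYTES = "<html><body>not an image</body></html>".b
PDF_BYTES  = "%PDF-1.4\n".b

p check_upload(:image, "image/png", PNG_BYTES)
p check_upload(:image, "image/png", HTML_BYTES)
```

The strict equality between claimed and detected type will reject browsers that send aliases for the same format, so a real allowlist would need to normalise those first.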

“Real” errors

So after ignoring/working around the issues above, are all my tests and cucumber features passing? Yes! I am getting one warning when I run my cucumber features. I am being told that I need to update one of my steps that is reusing other existing steps. I have been using the original syntax that uses ‘When/Given/Then’. The warning tells me to use ‘step’ instead. I made that change and then moved on.

Rails 2.3.14 on Ruby 1.8.7

So, what happens when I update to the last of the 2.3.x releases - 2.3.14 at this time. I created a new rvm gemset, updated the rails line in my Gemfile, removed my Gemfile.lock, and did a clean bundle install. When I first tried to run my app, I got complaints that I did not have Rails 2.3.5 installed - which was coming from my config/environment.rb file:

     # Specifies gem version of Rails to use when vendor/rails is not present
     RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION

So now let’s run our tests again. They pass, but this time with some additional deprecation warnings. The first set were complaints about the preferred location of the tasks directory inside my plugins. Errors like:

    DEPRECATION WARNING: Rake tasks in vendor/plugins/aftfilr/tasks are deprecated. Use lib/tasks instead.
    (called from /home/cnk/.rvm/gems/ruby-1.8.7-p352@rails2.3.14/gems/rails-2.3.14/lib/tasks/rails.rb:10)

None of the directories that rake was complaining about actually contained any tasks so the simplest option would seem to be to remove the offending directories. Or it would be if they were in code I had written. But all of those plugins were code I was including using git submodules and pointing directly to the upstream repositories. I suspect that none of those plugins have been updated in a very long time. Perhaps the best/easiest option is to just include those plugins directly in my code. Which plugins do I need to alter: aftfilr, aftimagr, authorization, and mimetype_fu. Of the 4, the only one that has had any updates is mimetype_fu. Mimetype_fu is used when I have to work around the lack of shared-mime-info code on the Mac (or on this test box). For now I think I’ll just include this in my code as is.

    NOTE: Gem.source_index is deprecated, use Specification. It will be removed on or after 2011-11-01.
    Gem.source_index called from
    /home/cnk/.rvm/gems/ruby-1.8.7-p352@rails2.3.14/gems/rails-2.3.14/lib/rails/gem_dependency.rb:21.

    DEPRECATION WARNING: Kernel#returning has been deprecated in favor of Object#tap.
    (called from enable_activerecord at /home/cnk/rails/empcms2.3.5/vendor/plugins/will_paginate/lib/will_paginate.rb:39)

    DEPRECATION WARNING: Kernel#returning has been deprecated in favor of Object#tap.
    (called from generate_img_css_classes at /home/cnk/rails/empcms2.3.5/lib/aftimagr.rb:22)