On June 9th, 2009 a vulnerability was disclosed that causes Ruby to crash when an very large (we’re talking astronomical proportions) decimals are converted to strings.  This is a serious issue, but we feel that the exposure surface to most Rails sites may not be as large as initially thought.

Rails seems to convert decminals into big decimals when fetched from the database, and possibily a few other instances.  Since values in the database can very easily be user input, any Rails application that has decimals of any kind either stored in the database or at any time retrieved from the user is potentially at risk.  We can’t say for certain that if you don’t use decimals or big decimals you’re not at risk, but it does appear to be that way.

Our Recommendation

If your Rails app in any way uses decimals (either stored in the database or requested from the user), we recommend you update Ruby ASAP.  If you do not use this, we still recommend you upgrade, but its not as critical.

In either case, you can patch the issue by installing the gem by running:

gem sources -a http://gems.github.com
sudo gem install NZKoz-bigdecimal-segfault-fix

Then add the lines:

gem 'NZKoz-bigdecimal-segfault-fix'
require 'bigdecimal-segfault-fix'

to your application (for Rails, put this in config/environment.rb).  Once you install this, you’ll need to restart your Rails application.

The best long term solution though is to upgrade Ruby.  Here’s how to proceed:

• If you’re on shared hosting we will be automatically updating Ruby over the next few days.  If you use Mongrel, your application will need to be restarted, so we recommend you do this within the next 72 hours.  If you’re using your own install of  Ruby in your account, in which case you’ll have to upgrade it yourself.  If you don’t know how, we can do this for you as part of managed shared hosting or on a one-time-fee basis.
• If you have a managed server or VDS we’ll be glad to do that, just open a ticket and we’ll get that scheduled.
• If you have an unmanaged server or VDS and would like us to perform this for you, we can do it on a one-time-fee basis.  Just open a ticket and we’ll start the process for you.

If you have any questions about this, please let us know and we’ll be glad to assist you.

PassengerAppRoot /home/user/rails_apps/yourapp

Replace “user” with your username and “rails_apps/yourapp”  with the path to your Rails application. 

On the servers we have deployed the upgrade to we have added this to any existing .htaccess file or created a new one with that line in it.  However, if you use Subversion or Git repository, you’ll need to add this change to it so that the next time you do an update this change will be preserved. 

You have not made this change already, please do so as soon as you can.  This will ensure upgrades on the rest of our shared hosting cluster will go smoothly.

On the off chance that your Rails application isn’t functioning correctly, make sure the above line is in your .htaccess file in the public folder of your Rails application.

I normally do most of my Rails development in Linux, but I do have a Windows development environment setup as well, because most of my non-development time is spent in Windows and I like being able to quickly work on a Rails project without having to switch to my Linux machine.

The problem though with Rails development on Windows is two-fold:

1. Ruby and Rails do not cooperate with Windows as well as they should sometimes
2. Microsoft doesn’t cooperate with UNIX well at all

So rather than try and lay blame as to who’s fault this is, I’ve developed a workaround work flow that works quite nicely.

Software I Use

To make Rails development easier in Windows, I use:

• The E – TextEditor
• Cygwin (installed at first by e, but customized later on by me)
• puttycyg (because Windows console windows suck)

Installing the Environment

I recommend removing Ruby for Windows (the one-click installer variety) before you get started.  It will make things a lot easier for you down the road, and unless you’re doing Ruby for Windows applications development, you won’t need it.  I also recommend uninstalling Cygwin as well if you have installed it previously, because the e will automatically setup Cygwin for you with some pretty good defaults.

Download a trial of the E – TextEditor and install it.  When you first run it, it will want to install Cygwin.  Let it do so.  Pick Manual if you want to customize the software.  You can choose Automatic though and be just  fine, because you can always rerun the Cygwin setup (by going to the Cygwin website and downloading their installer) and add or update features later.  If you choose the manual method, it would be a good idea to include Subversion, Git, and perhaps other languages like Python and a C compiler to enable you to use other UNIX software inside your Cygwin installation.

Once you’ve done this, you’re almost ready to go.  If you like the Windows console, then you can stop here – but I don’t.  That’s where puttycyg comes in.   It’s basically a modified PuTTY version that works with Cygwin.  Using this program you can connect to your Cygwin instance, but having all the options of display and scrollback that come with PuTTY.  Let’s face it, being limited to 2 fonts in the Windows console really isn’t fun.  I’m still amazed Microsoft hasn’t fixed this.

Once you’ve done this, you can pretty much proceed with development of Rails application using the same commands you would on a Linux or Mac machine (well, at least with 99% compatibility).  You can even access your Windows drives with the /cygdrive/c (replace c with the drive you want to use) path in Cygwin.

Conclusion

While this isn’t the most ideal setup, it works well for most things, and enables you to use Capistrano deployments much more easily than you can in Windows.  Git’s native Windows version has a long way to go, and thus the Cygwin near-native UNIX version of Git makes using Git under Windows a far more productive task.

In this guide I’m using the E – TextEditor.  You could replace this with any other editor that you like and achieve similiar results.  You can even use Vim or Emacs inside Cygwin.  Either way, I still recommend using Cygwin, because the native Windows Ruby interpreter and Rails support for Windows will cause you problems down the road.

Many have asked our policy on RAM usage and how we enforce the limits.  All of the RAM limits on shared hosting are soft, with a high hard limit to prevent a runaway process with a memory leak to cause problems for other accounts.  If your Rails application goes over your limit by 5 or 10% we do not typically mind.  Since we don’t oversell, the limits are there to help keep resources free for all users on shared hosting plans.  If you start to use too much RAM over the buffer zone we allow for all accounts, we will notify you with options on how to proceed.

These new limits will take effect both on new and existing accounts.

We are passing this along to our customers and all cPanel users in general though so that they can be aware of this and avoid this sort of scam.  OCS staff would never e-mail you and ask for information in this way.

If you are an OCS customer and receive an e-mail asking for login details that you’re not sure about, please contact us securely.  If you’re not an OCS customer, please contact your hosting company or cPanel for details.

We have added a new page on our managed hosting service.  Back by popular demand, this service frees you from the headaches of server management and lets you focus on your business.  We have also introduced a managed shared hosting plan which provides support above the standard level of already comprehensive support offered by our shared hosting service.

We are in the process with working out promotions with 3rd party vendors that we’ll be able to offer you for free or at a reduced cost.  I’ll be providing more details on that in our next post.

If you haven’t yet signed up for our low-volume mailing list, please take a moment to do so.  Each e-mail will be loaded with information you can use, including tips and tricks on how to get the most out of your website.

We are always adding new information and articles to our wiki, so check back often for the latest updates.

This new blog is an attempt to change that.  We’ll be posting here on a regular basis, sometimes daily.  You’ll hear mainly from me, but also from the rest of our staff, sharing news that affects both OCS customers and thoughts and ideas on current Internet technology topics of interest.

Our old posts have been archived and can be found at the old OCS Solutions Blog, but we will phase them out eventually.

Please feel free to comment on any post you see here and share your thoughs with us as well.  We love hearing from you!