Spree Commerce

Spree 0.50.2 Released

Posted on April 25, 2011 by Sean Schofield

Spree 0.50.2 has just been released. It's a minor patch release to address a performance issue with a previous version of Rails.

You can also use the Github compare tool to see a complete list of changes for the 0.50.2 release.

Security Fix: Content Controller & Search Logic

Posted on April 19, 2011 by John Dyer and Sean Schofield

The Spree team was recently alerted to two potential security vulnerabilities.

The first potential exploit, reported by John Hartzler, would allow a user to request a specially crafted URL and expose arbitrary files on the server. All prior versions of Spree are affected by this issue but it has since been patched in the edge code as well as the brand new Spree 0.50.1 release.

If you are not able to upgrade immediately there is a simple “hot fix” you can code into your site which should work with all prior versions of Spree. You need to create a file named `config/initializers/security_hotfix.rb` in your application and make sure it contains the following code:

```ruby
# Reopens ContentController so that #show is replaced on every prior Spree version
ContentController.class_eval do
  def show
    render :template => params[:path]
  end
end
```
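
To make the security point of this fix concrete, here is a stand-alone illustration (added here, not Spree's own code) of the check a controller should make before rendering a template name taken from the URL: accept only plain template names, resolve them under the content view directory, and refuse anything that does not resolve to a file inside it. The module name, the throwaway view directory and the sample requests are all constructed for the example.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Added example, not Spree's own code. Guards a template name that arrived in
# params[:path] before it is handed to render.
module ContentTemplateGuard
  # Path segments of word characters and dashes separated by single slashes.
  # Rejects "..", absolute paths, NUL bytes and glob metacharacters before any
  # filesystem access happens.
  NAME_PATTERN = %r{\A[\w\-]+(?:/[\w\-]+)*\z}

  # Returns the relative template name to render, or nil if it must be refused.
  def self.safe_template(views_root, requested)
    return nil unless requested.is_a?(String) && NAME_PATTERN.match?(requested)
    root = Pathname.new(views_root).expand_path
    candidate = root.join(requested).expand_path
    # Defence in depth: even if the pattern is loosened later, never leave root.
    return nil unless candidate.to_s.start_with?(root.to_s + File::SEPARATOR)
    # Rails chooses the format and handler, so any extension of that basename counts.
    return nil if Dir.glob("#{candidate}.*").empty?
    requested
  end
end

# Constructed fixture: a throwaway view directory holding one content page and
# one file outside the content directory that must never be reachable.
def demo_content_guard
  Dir.mktmpdir("spree_views") do |dir|
    content_dir = File.join(dir, "content")
    FileUtils.mkdir_p(content_dir)
    File.write(File.join(content_dir, "about.html.erb"), "<h1>About</h1>")
    File.write(File.join(dir, "secret.yml"), "password: placeholder")
    [
      ContentTemplateGuard.safe_template(content_dir, "about"),      # allowed
      ContentTemplateGuard.safe_template(content_dir, "../secret"),  # traversal
      ContentTemplateGuard.safe_template(content_dir, "/secret"),    # absolute
      ContentTemplateGuard.safe_template(content_dir, "missing"),    # no file
    ]
  end
end
```

Only the first request yields a template name; the other three return nil and the controller can answer with a 404 instead of rendering.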

The second issue, reported by joernchen of Phenoelit, is a bug in the rd_searchlogic gem which would allow malicious users to execute arbitrary remote commands. The rd_searchlogic gem was forked from the original searchlogic since the original still does not support Rails 3. The forked gem is the most vulnerable, but the original searchlogic gem also contains a variation of this exploit.

This affects both the 0.30.x and the 0.40.x versions of Spree. Upgrading your installation of Spree to 0.50.x is an easy solution to this problem (since we no longer use searchlogic). If you are unable to upgrade at this time and are not using the search functionality provided by the REST API, then you can drop the following code into a new file titled `config/initializers/searchlogic_hotfix.rb`:

```ruby
# Reopens the API base controller so the search action never reaches searchlogic
Api::BaseController.class_eval do
  protected

  def search
    return nil
  end
end
```

Both of these fixes will require a restart of your production server to take effect.

Spree 0.50.1 Released

Posted on April 19, 2011 by Sean Schofield

Spree 0.50.1 has just been released. It's a minor patch release to address a handful of small issues. It also contains an important security fix (see the recent security announcement for more details).

You can also use the Github compare tool to see a complete list of changes for the 0.50.1 release.

New Extension Versioning Mechanism

Posted on March 28, 2011 by Sean Schofield

We’re pleased to announce a new mechanism for versioning Spree extensions that simplifies determining which version of an extension to use for a particular version of Spree. Once you’ve established that an extension you’re interested in works with the Spree version you’re using, there is still the challenge of figuring out how to "install" the right version of the extension in your application. We spent some time thinking through that challenge as well as looking at similar projects that support extensions, such as Drupal.

Ultimately we wanted something that was simple to implement and understand. Just as important, the solution needed to be simple to maintain or people wouldn’t bother keeping it up to date. We didn’t want to require an extension author to have multiple branches or tags in their Github repository if the same branch or tag effectively worked on multiple versions of Spree. Our solution was to introduce a concept known as the Versionfile.

The basic concept is that you add a file with the name Versionfile to the root of your extension source code. The file is a simple Ruby hash which maps versions of Spree to a "point in time release" of the source code. If you have published your extension as a gem then this will map to the exact gem version you pushed to Rubygems. What’s even cooler is that you don’t need to actually release your code as a gem to share it with the world. Just identify an exact point in "git history" as the release point.

The extension registry now reads these files directly from Github and parses them for version information. This process allows for automatic updating of all extensions based on the Versionfile. We’ve also done away with the confusing "voting system" that we used to indicate whether or not an extension was working with a particular version. The biggest problem with community voting was that even if it were determined that an extension was compatible with a particular version of Spree, there was no easy way to identify which version of the extension to use or how to get the source.

We’ll be going through some of the old extensions and adding this information. We encourage extension authors to do the same. For more information please also see the new documentation on Versionfile.