[DRE-commits] [rails] 02/03: Imported Upstream version 4.1.5

Antonio Terceiro terceiro at moszumanska.debian.org
Mon Aug 18 18:27:06 UTC 2014



terceiro pushed a commit to branch master
in repository rails.

commit 753cb00da235822efdc594ed9bab2e9af1ab0a96
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Mon Aug 18 15:15:54 2014 -0300

    Imported Upstream version 4.1.5
---
 RAILS_VERSION                                      |  2 +-
 actionmailer/CHANGELOG.md                          |  5 ++++
 actionmailer/lib/action_mailer/gem_version.rb      |  2 +-
 actionpack/lib/action_pack/gem_version.rb          |  2 +-
 actionview/CHANGELOG.md                            |  5 ++++
 actionview/lib/action_view/gem_version.rb          |  2 +-
 activemodel/CHANGELOG.md                           |  5 ++++
 .../forbidden_attributes_protection.rb             |  1 +
 activemodel/lib/active_model/gem_version.rb        |  2 +-
 activerecord/CHANGELOG.md                          |  5 ++++
 activerecord/lib/active_record/gem_version.rb      |  2 +-
 .../lib/active_record/relation/query_methods.rb    | 16 ++++++++++--
 .../cases/forbidden_attributes_protection_test.rb  | 30 ++++++++++++++++++++++
 activesupport/CHANGELOG.md                         |  5 ++++
 activesupport/lib/active_support/gem_version.rb    |  2 +-
 guides/CHANGELOG.md                                |  5 ++++
 railties/CHANGELOG.md                              |  9 +++++++
 railties/lib/rails/gem_version.rb                  |  2 +-
 version.rb                                         |  2 +-
 19 files changed, 93 insertions(+), 11 deletions(-)

diff --git a/RAILS_VERSION b/RAILS_VERSION
index a95f288..b1cbc1f 100644
--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-4.1.4
+4.1.5
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
index c14e911..6863a5b 100644
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+*   No changes.
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   No changes.
diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb
index abd294f..5d776ea 100644
--- a/actionmailer/lib/action_mailer/gem_version.rb
+++ b/actionmailer/lib/action_mailer/gem_version.rb
@@ -7,7 +7,7 @@ module ActionMailer
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
index 8a9bb8a..512881a 100644
--- a/actionpack/lib/action_pack/gem_version.rb
+++ b/actionpack/lib/action_pack/gem_version.rb
@@ -7,7 +7,7 @@ module ActionPack
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 2881f94..bb945dc 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+*   No changes.
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   No changes.
diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb
index 34f86db..a7a1b47 100644
--- a/actionview/lib/action_view/gem_version.rb
+++ b/actionview/lib/action_view/gem_version.rb
@@ -7,7 +7,7 @@ module ActionView
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index cc5916d..b6bd757 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+*   No changes.
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   No changes.
diff --git a/activemodel/lib/active_model/forbidden_attributes_protection.rb b/activemodel/lib/active_model/forbidden_attributes_protection.rb
index 7468f95..b4fa378 100644
--- a/activemodel/lib/active_model/forbidden_attributes_protection.rb
+++ b/activemodel/lib/active_model/forbidden_attributes_protection.rb
@@ -23,5 +23,6 @@ module ActiveModel
           attributes
         end
       end
+      alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
   end
 end
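Review bot: The alias added at the end of the hunk has no comment saying why `sanitize_for_mass_assignment` needs a second name, and both the module header and the aliased method's body lie outside the hunk. The other hunks of this commit make `ActiveRecord::QueryMethods` include this module and call `sanitize_forbidden_attributes` from the `where` and `create_with` paths, so the motive is only discoverable by reading that file. I would add above the alias: `# Name used by ActiveRecord::QueryMethods (where/create_with), which reuses the permitted? check for query and create attributes.`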
diff --git a/activemodel/lib/active_model/gem_version.rb b/activemodel/lib/active_model/gem_version.rb
index 7ca78dd..7db445f 100644
--- a/activemodel/lib/active_model/gem_version.rb
+++ b/activemodel/lib/active_model/gem_version.rb
@@ -7,7 +7,7 @@ module ActiveModel
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index eef5f9f..6e5ec40 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+*   No changes.
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   Fix regression added from the latest security fix.
diff --git a/activerecord/lib/active_record/gem_version.rb b/activerecord/lib/active_record/gem_version.rb
index 9792eaf..9e527f6 100644
--- a/activerecord/lib/active_record/gem_version.rb
+++ b/activerecord/lib/active_record/gem_version.rb
@@ -7,7 +7,7 @@ module ActiveRecord
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb
index 72d3917..acf2f35 100644
--- a/activerecord/lib/active_record/relation/query_methods.rb
+++ b/activerecord/lib/active_record/relation/query_methods.rb
@@ -1,9 +1,12 @@
 require 'active_support/core_ext/array/wrap'
+require 'active_model/forbidden_attributes_protection'
 
 module ActiveRecord
   module QueryMethods
     extend ActiveSupport::Concern
 
+    include ActiveModel::ForbiddenAttributesProtection
+
     # WhereChain objects act as placeholder for queries in which #where does not have any parameter.
     # In this case, #where must be chained with #not to return a new relation.
     class WhereChain
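Review bot: The `include ActiveModel::ForbiddenAttributesProtection` line is added without a note on what it provides; its only use is further down the file, where `sanitize_forbidden_attributes` is called, so a reader of this hunk alone could take it for dead wiring. A short comment above it, `# Provides sanitize_forbidden_attributes so where/create_with can reject unpermitted params (CVE-2014-3514).`, would tie the include and the new `require` on the first line to the fix they support.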
@@ -561,7 +564,10 @@ module ActiveRecord
       if opts == :chain
         WhereChain.new(self)
       else
-        references!(PredicateBuilder.references(opts)) if Hash === opts
+        if Hash === opts
+          opts = sanitize_forbidden_attributes(opts)
+          references!(PredicateBuilder.references(opts))
+        end
 
         self.where_values += build_where(opts, rest)
         self
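Review bot: The permitted? check introduced inside `if Hash === opts` covers only the hash form of `where`; string and array conditions still pass to `build_where` unchecked, which is presumably intended because they carry no attribute-name/value pairs, but nothing in the hunk states that. I would add above the new `if`: `# Hash conditions may come straight from request params: raise ForbiddenAttributesError on unpermitted ones before they become predicates (CVE-2014-3514).` The enclosing method begins before and ends after the hunk, so its signature and the `:chain` contract are not visible here.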
@@ -711,7 +717,13 @@ module ActiveRecord
     end
 
     def create_with!(value) # :nodoc:
-      self.create_with_value = value ? create_with_value.merge(value) : {}
+      if value
+        value = sanitize_forbidden_attributes(value)
+        self.create_with_value = create_with_value.merge(value)
+      else
+        self.create_with_value = {}
+      end
+
       self
     end
 
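Review bot: `create_with!` now runs `value` through `sanitize_forbidden_attributes` before merging, but the method is `:nodoc:` and the hunk adds no comment, so the new branch reads like a refactor of the old ternary rather than a security check. A one-line comment above `if value`, `# Reject unpermitted params objects before they become create attributes (CVE-2014-3514).`, would record the intent. The rewrite also changes the shape from a single ternary assignment to an if/else; if the reviewers prefer the shorter form, `self.create_with_value = value ? create_with_value.merge(sanitize_forbidden_attributes(value)) : {}` keeps the same behavior in one line.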
diff --git a/activerecord/test/cases/forbidden_attributes_protection_test.rb b/activerecord/test/cases/forbidden_attributes_protection_test.rb
index 981a75f..f4e7646 100644
--- a/activerecord/test/cases/forbidden_attributes_protection_test.rb
+++ b/activerecord/test/cases/forbidden_attributes_protection_test.rb
@@ -66,4 +66,34 @@ class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
     person = Person.new
     assert_nil person.assign_attributes(ProtectedParams.new({}))
   end
+
+  def test_create_with_checks_permitted
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Person.create_with(params).create!
+    end
+  end
+
+  def test_create_with_works_with_params_values
+    params = ProtectedParams.new(first_name: 'Guille')
+
+    person = Person.create_with(first_name: params[:first_name]).create!
+    assert_equal 'Guille', person.first_name
+  end
+
+  def test_where_checks_permitted
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Person.where(params).create!
+    end
+  end
+
+  def test_where_works_with_params_values
+    params = ProtectedParams.new(first_name: 'Guille')
+
+    person = Person.where(first_name: params[:first_name]).create!
+    assert_equal 'Guille', person.first_name
+  end
 end
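Review bot: The four new tests cover the raise path for an unpermitted `ProtectedParams` and the plain-value path, but none shows that a params object which has been marked permitted is accepted by `where` and `create_with`, so a regression that rejected every params object would still pass. If the `ProtectedParams` fixture, defined outside the hunk, can be marked permitted, I would add a test asserting that `Person.where(permitted_params).create!` and `Person.create_with(permitted_params).create!` succeed. The `ForbiddenAttributesProtectionTest` class starts outside the hunk.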
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index b9fe524..5c95aab 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+*   No changes.
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   No changes.
diff --git a/activesupport/lib/active_support/gem_version.rb b/activesupport/lib/active_support/gem_version.rb
index ffeb9f7..fbd1429 100644
--- a/activesupport/lib/active_support/gem_version.rb
+++ b/activesupport/lib/active_support/gem_version.rb
@@ -7,7 +7,7 @@ module ActiveSupport
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/guides/CHANGELOG.md b/guides/CHANGELOG.md
index bd90aea..dca9999 100644
--- a/guides/CHANGELOG.md
+++ b/guides/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+*   No changes.
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   No changes.
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index ef7bed5..2612d67 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,12 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+*   Check attributes passed to `create_with` and `where`.
+
+    Fixes CVE-2014-3514.
+
+    *Rafael Mendonça França*
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   No changes.
diff --git a/railties/lib/rails/gem_version.rb b/railties/lib/rails/gem_version.rb
index 255e08c..5c8b1f8 100644
--- a/railties/lib/rails/gem_version.rb
+++ b/railties/lib/rails/gem_version.rb
@@ -7,7 +7,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/version.rb b/version.rb
index 255e08c..5c8b1f8 100644
--- a/version.rb
+++ b/version.rb
@@ -7,7 +7,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
