[DRE-commits] [rails] 02/03: Imported Upstream version 4.1.5
Antonio Terceiro
terceiro at moszumanska.debian.org
Mon Aug 18 18:27:06 UTC 2014
terceiro pushed a commit to branch master
in repository rails.
commit 753cb00da235822efdc594ed9bab2e9af1ab0a96
Author: Antonio Terceiro <terceiro at debian.org>
Date: Mon Aug 18 15:15:54 2014 -0300
Imported Upstream version 4.1.5
---
RAILS_VERSION | 2 +-
actionmailer/CHANGELOG.md | 5 ++++
actionmailer/lib/action_mailer/gem_version.rb | 2 +-
actionpack/lib/action_pack/gem_version.rb | 2 +-
actionview/CHANGELOG.md | 5 ++++
actionview/lib/action_view/gem_version.rb | 2 +-
activemodel/CHANGELOG.md | 5 ++++
.../forbidden_attributes_protection.rb | 1 +
activemodel/lib/active_model/gem_version.rb | 2 +-
activerecord/CHANGELOG.md | 5 ++++
activerecord/lib/active_record/gem_version.rb | 2 +-
.../lib/active_record/relation/query_methods.rb | 16 ++++++++++--
.../cases/forbidden_attributes_protection_test.rb | 30 ++++++++++++++++++++++
activesupport/CHANGELOG.md | 5 ++++
activesupport/lib/active_support/gem_version.rb | 2 +-
guides/CHANGELOG.md | 5 ++++
railties/CHANGELOG.md | 9 +++++++
railties/lib/rails/gem_version.rb | 2 +-
version.rb | 2 +-
19 files changed, 93 insertions(+), 11 deletions(-)
diff --git a/RAILS_VERSION b/RAILS_VERSION
index a95f288..b1cbc1f 100644
--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-4.1.4
+4.1.5
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
index c14e911..6863a5b 100644
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb
index abd294f..5d776ea 100644
--- a/actionmailer/lib/action_mailer/gem_version.rb
+++ b/actionmailer/lib/action_mailer/gem_version.rb
@@ -7,7 +7,7 @@ module ActionMailer
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
index 8a9bb8a..512881a 100644
--- a/actionpack/lib/action_pack/gem_version.rb
+++ b/actionpack/lib/action_pack/gem_version.rb
@@ -7,7 +7,7 @@ module ActionPack
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 2881f94..bb945dc 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb
index 34f86db..a7a1b47 100644
--- a/actionview/lib/action_view/gem_version.rb
+++ b/actionview/lib/action_view/gem_version.rb
@@ -7,7 +7,7 @@ module ActionView
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index cc5916d..b6bd757 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
diff --git a/activemodel/lib/active_model/forbidden_attributes_protection.rb b/activemodel/lib/active_model/forbidden_attributes_protection.rb
index 7468f95..b4fa378 100644
--- a/activemodel/lib/active_model/forbidden_attributes_protection.rb
+++ b/activemodel/lib/active_model/forbidden_attributes_protection.rb
@@ -23,5 +23,6 @@ module ActiveModel
attributes
end
end
+ alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
end
end
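Review bot: The alias added on line 120 carries no comment saying why a second name for `sanitize_for_mass_assignment` now exists; reading this module alone, nothing shows that ActiveRecord's `where!` and `create_with!` call it under this name. I'd put `# Entry point used by ActiveRecord::Relation (where/create_with) so the permitted? check also guards query building, not only mass assignment.` directly above the alias. Note that `alias` keeps the visibility of the aliased method, so if `sanitize_for_mass_assignment` sits under a `protected`/`private` marker (that marker is outside this hunk) the new name must likewise be called without an explicit receiver, which the comment should say. The enclosing module begins before this hunk.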
diff --git a/activemodel/lib/active_model/gem_version.rb b/activemodel/lib/active_model/gem_version.rb
index 7ca78dd..7db445f 100644
--- a/activemodel/lib/active_model/gem_version.rb
+++ b/activemodel/lib/active_model/gem_version.rb
@@ -7,7 +7,7 @@ module ActiveModel
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index eef5f9f..6e5ec40 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* Fix regression added from the latest security fix.
diff --git a/activerecord/lib/active_record/gem_version.rb b/activerecord/lib/active_record/gem_version.rb
index 9792eaf..9e527f6 100644
--- a/activerecord/lib/active_record/gem_version.rb
+++ b/activerecord/lib/active_record/gem_version.rb
@@ -7,7 +7,7 @@ module ActiveRecord
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb
index 72d3917..acf2f35 100644
--- a/activerecord/lib/active_record/relation/query_methods.rb
+++ b/activerecord/lib/active_record/relation/query_methods.rb
@@ -1,9 +1,12 @@
require 'active_support/core_ext/array/wrap'
+require 'active_model/forbidden_attributes_protection'
module ActiveRecord
module QueryMethods
extend ActiveSupport::Concern
+ include ActiveModel::ForbiddenAttributesProtection
+
# WhereChain objects act as placeholder for queries in which #where does not have any parameter.
# In this case, #where must be chained with #not to return a new relation.
class WhereChain
@@ -561,7 +564,10 @@ module ActiveRecord
if opts == :chain
WhereChain.new(self)
else
- references!(PredicateBuilder.references(opts)) if Hash === opts
+ if Hash === opts
+ opts = sanitize_forbidden_attributes(opts)
+ references!(PredicateBuilder.references(opts))
+ end
self.where_values += build_where(opts, rest)
self
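Review bot: The new `sanitize_forbidden_attributes(opts)` call on line 180 runs only inside the `Hash === opts` branch, so the check depends on the params object being a Hash subclass rather than on it responding to `permitted?`; an unpermitted params object that is not a Hash would reach `build_where` on line 183 unchecked. Assuming the sanitizer returns anything it has nothing to reject unchanged (the pass-through tests in forbidden_attributes_protection_test.rb suggest so), it can be hoisted above the class test: make `opts = sanitize_forbidden_attributes(opts)` the first statement of the `else` branch and keep `references!(PredicateBuilder.references(opts)) if Hash === opts` as a one-liner after it. That keeps the CVE-2014-3514 fix effective independent of the parameters class. `where!` starts before this hunk.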
@@ -711,7 +717,13 @@ module ActiveRecord
end
def create_with!(value) # :nodoc:
- self.create_with_value = value ? create_with_value.merge(value) : {}
+ if value
+ value = sanitize_forbidden_attributes(value)
+ self.create_with_value = create_with_value.merge(value)
+ else
+ self.create_with_value = {}
+ end
+
self
end
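Review bot: The rewritten `create_with!` gives no hint that line 190 is where the CVE-2014-3514 check happens; the method is `:nodoc:`, so a why-comment is the only thing that will stop a later maintainer from collapsing the conditional back into the old ternary and dropping the call. I'd add `# Reject unpermitted params objects before they are merged into create_with_value` above line 190. The blank line added on line 195 before `self` is stray and can be removed. The enclosing module continues outside the hunk.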
diff --git a/activerecord/test/cases/forbidden_attributes_protection_test.rb b/activerecord/test/cases/forbidden_attributes_protection_test.rb
index 981a75f..f4e7646 100644
--- a/activerecord/test/cases/forbidden_attributes_protection_test.rb
+++ b/activerecord/test/cases/forbidden_attributes_protection_test.rb
@@ -66,4 +66,34 @@ class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
person = Person.new
assert_nil person.assign_attributes(ProtectedParams.new({}))
end
+
+ def test_create_with_checks_permitted
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Person.create_with(params).create!
+ end
+ end
+
+ def test_create_with_works_with_params_values
+ params = ProtectedParams.new(first_name: 'Guille')
+
+ person = Person.create_with(first_name: params[:first_name]).create!
+ assert_equal 'Guille', person.first_name
+ end
+
+ def test_where_checks_permitted
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Person.where(params).create!
+ end
+ end
+
+ def test_where_works_with_params_values
+ params = ProtectedParams.new(first_name: 'Guille')
+
+ person = Person.where(first_name: params[:first_name]).create!
+ assert_equal 'Guille', person.first_name
+ end
end
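Review bot: The four new tests cover an unpermitted params object (raises) and plain values (passes), but none asserts that a permitted params object is accepted by `where` and `create_with`, which is the sanitizer's positive path and the one most likely to regress into rejecting every ProtectedParams. If ProtectedParams provides a way to mark itself permitted (its definition sits above this hunk), add a `test_where_accepts_permitted_params` that builds the params, marks them permitted, and asserts `Person.where(params).create!.first_name` equals `'Guille'`, plus the same shape for `create_with`. The enclosing test class starts before this hunk.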
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index b9fe524..5c95aab 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
diff --git a/activesupport/lib/active_support/gem_version.rb b/activesupport/lib/active_support/gem_version.rb
index ffeb9f7..fbd1429 100644
--- a/activesupport/lib/active_support/gem_version.rb
+++ b/activesupport/lib/active_support/gem_version.rb
@@ -7,7 +7,7 @@ module ActiveSupport
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/guides/CHANGELOG.md b/guides/CHANGELOG.md
index bd90aea..dca9999 100644
--- a/guides/CHANGELOG.md
+++ b/guides/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index ef7bed5..2612d67 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,12 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* Check attributes passed to `create_with` and `where`.
+
+ Fixes CVE-2014-3514.
+
+ *Rafael Mendonça França*
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
diff --git a/railties/lib/rails/gem_version.rb b/railties/lib/rails/gem_version.rb
index 255e08c..5c8b1f8 100644
--- a/railties/lib/rails/gem_version.rb
+++ b/railties/lib/rails/gem_version.rb
@@ -7,7 +7,7 @@ module Rails
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/version.rb b/version.rb
index 255e08c..5c8b1f8 100644
--- a/version.rb
+++ b/version.rb
@@ -7,7 +7,7 @@ module Rails
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")