[DRE-commits] [rails-3.2] 01/03: Imported Upstream version 3.2.18

Antonio Terceiro terceiro at moszumanska.debian.org
Sat May 10 18:14:39 UTC 2014



terceiro pushed a commit to branch master
in repository rails-3.2.

commit 6220c53166ed1cafeb33d5d06b64529da73f444e
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Sat May 10 15:09:47 2014 -0300

    Imported Upstream version 3.2.18
---
 Gemfile                                            |  2 +-
 RAILS_VERSION                                      |  2 +-
 actionmailer/CHANGELOG.md                          | 15 ++++++++++++
 actionmailer/lib/action_mailer/version.rb          |  2 +-
 actionpack/CHANGELOG.md                            | 14 +++++++++++
 actionpack/lib/abstract_controller/base.rb         | 28 +++++++++++++++++++---
 actionpack/lib/action_pack/version.rb              |  2 +-
 .../new_base/render_implicit_action_test.rb        | 17 ++++++++++++-
 .../test/template/number_helper_i18n_test.rb       | 10 ++++----
 activemodel/CHANGELOG.md                           | 15 ++++++++++++
 activemodel/lib/active_model/version.rb            |  2 +-
 activerecord/CHANGELOG.md                          | 15 ++++++++++++
 activerecord/lib/active_record/version.rb          |  2 +-
 activeresource/CHANGELOG.md                        | 16 +++++++++++++
 activeresource/lib/active_resource/version.rb      |  2 +-
 activesupport/CHANGELOG.md                         | 15 ++++++++++++
 activesupport/lib/active_support/version.rb        |  2 +-
 railties/CHANGELOG.md                              | 16 +++++++++++++
 railties/lib/rails/version.rb                      |  2 +-
 version.rb                                         |  2 +-
 20 files changed, 162 insertions(+), 19 deletions(-)

diff --git a/Gemfile b/Gemfile
index 8c5cbb2..6334442 100644
--- a/Gemfile
+++ b/Gemfile
@@ -22,7 +22,7 @@ end
 gem 'uglifier', '>= 1.0.3', :require => false
 
 gem 'rake', '>= 0.8.7'
-gem 'mocha', '>= 0.13.0', :require => false
+gem 'mocha', '~> 0.14', :require => false
 
 group :doc do
   # The current sdoc cannot generate GitHub links due
diff --git a/RAILS_VERSION b/RAILS_VERSION
index ff8001a..f05489d 100644
--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-3.2.17
+3.2.18
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
index b8c3753..94d3f54 100644
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##
 
 *   No changes.
diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb
index e33d01a..8212a9b 100644
--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 6269123..1264e85 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,16 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+*   Only accept actions without File::SEPARATOR in the name.
+
+    This will avoid directory traversal in implicit render.
+
+    Fixes: CVE-2014-0130
+
+    *Rafael Mendonça França*
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
 *   Use the reference for the mime type to get the format
 
     Fixes: CVE-2014-0082
@@ -6,6 +19,7 @@
 
     Fixes: CVE-2014-0081
 
+
 ## Rails 3.2.16 (Dec 12, 2013) ##
 
 *   Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
diff --git a/actionpack/lib/abstract_controller/base.rb b/actionpack/lib/abstract_controller/base.rb
index fd6a46f..2541125 100644
--- a/actionpack/lib/abstract_controller/base.rb
+++ b/actionpack/lib/abstract_controller/base.rb
@@ -112,7 +112,7 @@ module AbstractController
     def process(action, *args)
       @_action_name = action_name = action.to_s
 
-      unless action_name = method_for_action(action_name)
+      unless action_name = _find_action_name(action_name)
         raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
       end
 
@@ -138,7 +138,7 @@ module AbstractController
     # available action consider actions that are also available
     # through other means, for example, implicit render ones.
     def available_action?(action_name)
-      method_for_action(action_name).present?
+      _find_action_name(action_name).present?
     end
 
     private
@@ -182,6 +182,23 @@ module AbstractController
       end
 
       # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found. Raise ActionNotFound.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
+      # Takes an action name and returns the name of the method that will
       # handle the action. In normal cases, this method returns the same
       # name as it receives. By default, if #method_for_action receives
       # a name that is not an action, it will look for an #action_missing
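Review bot: The `==== Returns` list on `_find_action_name` names only `false`, but the method also returns `nil` when `_valid_action_name?` passes and `method_for_action` finds no handler, and the "Raise ActionNotFound" remark was deliberately dropped from `method_for_action`'s own docs in the next hunk, so keeping it here is inconsistent. Suggest replacing the last bullet with two: `# * <tt>false</tt>   - The action name contains File::SEPARATOR and is rejected.` and `# * <tt>nil</tt>     - The name is acceptable but no method handles it.`, leaving the raise to `process`, where it actually happens. Both callers use the value only for truthiness (`unless` in `process`, `.present?` in `available_action?`), so this is documentation only.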
@@ -203,11 +220,16 @@ module AbstractController
       #
       # ==== Returns
       # * <tt>string</tt> - The name of the method that handles the action
-      # * <tt>nil</tt>    - No method name could be found. Raise ActionNotFound.
+      # * <tt>nil</tt>    - No method name could be found.
       def method_for_action(action_name)
         if action_method?(action_name) then action_name
         elsif respond_to?(:action_missing, true) then "_handle_action_missing"
         end
       end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+      end
   end
 end
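Review bot: `_valid_action_name?` only rejects `File::SEPARATOR`; where `File::ALT_SEPARATOR` is set (Windows, a backslash) a name containing that character still passes, so the new guard is platform-dependent, and the test added in render_implicit_action_test.rb likewise exercises only `File::SEPARATOR`. It also builds a fresh `Regexp` on each call for what is a literal substring test. A plain `include?` check covering both separators keeps the method boolean and allocation-free: `name = action_name.to_s`, `return false if name.include?(File::SEPARATOR)`, `!(File::ALT_SEPARATOR && name.include?(File::ALT_SEPARATOR))`. The comment above the method could also say what "valid" means, e.g. `# An action name is valid when it contains no path separator, so implicit render cannot resolve a template outside the view paths.`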
diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 4d27881..ac6d334 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/actionpack/test/controller/new_base/render_implicit_action_test.rb b/actionpack/test/controller/new_base/render_implicit_action_test.rb
index 1e2191d..5b4885f 100644
--- a/actionpack/test/controller/new_base/render_implicit_action_test.rb
+++ b/actionpack/test/controller/new_base/render_implicit_action_test.rb
@@ -6,7 +6,7 @@ module RenderImplicitAction
       "render_implicit_action/simple/hello_world.html.erb"     => "Hello world!",
       "render_implicit_action/simple/hyphen-ated.html.erb"     => "Hello hyphen-ated!",
       "render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
-    )]
+    ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]
 
     def hello_world() end
   end
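Review bot: The added `ActionView::FileSystemResolver` carries no comment saying why a real filesystem resolver joins the in-memory fixtures; it presumably exists so the traversal test added later in this file resolves against real templates under `test/controller`, which is not obvious from the line itself. A short comment above it would help, e.g. `# Real resolver so the traversal test below exercises filesystem lookup, not only the in-memory fixtures.` The assignment this array belongs to starts before the hunk.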
@@ -33,10 +33,25 @@ module RenderImplicitAction
       assert_status 200
     end
 
+    test "render does not traverse the file system" do
+      assert_raises(AbstractController::ActionNotFound) do
+        action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
+        SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
+      end
+    end
+
     test "available_action? returns true for implicit actions" do
       assert SimpleController.new.available_action?(:hello_world)
       assert SimpleController.new.available_action?(:"hyphen-ated")
       assert SimpleController.new.available_action?(:not_implemented)
     end
+
+    test "available_action? does not allow File::SEPARATOR on the name" do
+      action_name = %w(evil .. .. path).join(File::SEPARATOR)
+      assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+
+      action_name = %w(evil path).join(File::SEPARATOR)
+      assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+    end
   end
 end
diff --git a/actionpack/test/template/number_helper_i18n_test.rb b/actionpack/test/template/number_helper_i18n_test.rb
index d6e9de9..5a3250e 100644
--- a/actionpack/test/template/number_helper_i18n_test.rb
+++ b/actionpack/test/template/number_helper_i18n_test.rb
@@ -7,7 +7,7 @@ class NumberHelperTest < ActionView::TestCase
     I18n.backend.store_translations 'ts',
       :number => {
         :format => { :precision => 3, :delimiter => ',', :separator => '.', :significant => false, :strip_insignificant_zeros => false },
-        :currency => { :format => { :unit => '&$', :format => '%u - %n', :negative_format => '(%u - %n)', :precision => 2 } },
+        :currency => { :format => { :unit => '$$$', :format => '%u - %n', :negative_format => '(%u - %n)', :precision => 2 } },
         :human => {
           :format => {
             :precision => 2,
@@ -42,9 +42,9 @@ class NumberHelperTest < ActionView::TestCase
   end
 
   def test_number_to_i18n_currency
-    assert_equal("&$ - 10.00", number_to_currency(10, :locale => 'ts'))
-    assert_equal("(&$ - 10.00)", number_to_currency(-10, :locale => 'ts'))
-    assert_equal("-10.00 - &$", number_to_currency(-10, :locale => 'ts', :format => "%n - %u"))
+    assert_equal("$$$ - 10.00", number_to_currency(10, :locale => 'ts'))
+    assert_equal("($$$ - 10.00)", number_to_currency(-10, :locale => 'ts'))
+    assert_equal("-10.00 - $$$", number_to_currency(-10, :locale => 'ts', :format => "%n - %u"))
   end
 
   def test_number_to_currency_with_clean_i18n_settings
@@ -53,7 +53,7 @@ class NumberHelperTest < ActionView::TestCase
       assert_equal("-$10.00", number_to_currency(-10))
     end
   end
-  
+
   def test_number_to_currency_without_currency_negative_format
     clean_i18n do
       I18n.backend.store_translations 'ts', :number => { :currency => { :format => { :unit => '@', :format => '%n %u' } } }
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index 7db0854..fb4bfda 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##
 
 *   No changes.
diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb
index 08d437c..e675c74 100644
--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index 878e5ee..6ac368f 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##
 
 *   When calling the method .find_or_initialize_by_* from a collection_proxy
diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
index cced9ea..3dd782a 100644
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md
index c1f0fa3..4a555cf 100644
--- a/activeresource/CHANGELOG.md
+++ b/activeresource/CHANGELOG.md
@@ -1,7 +1,23 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##
 
 * No changes.
 
+
 ## Rails 3.2.14 (Jul 22, 2013) ##
 
 *   Fixes an issue that ActiveResource models ignores ActiveResource::Base.include_root_in_json.
diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb
index ea9b7a5..dee96b8 100644
--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 29f7db5..e22aded 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##
 
 *   Fix ActiveSupport::Cache::FileStore#cleanup to no longer rely on missing each_key method.
diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index 95faab1..10c9fca 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 3e075a8..ce832d1 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,7 +1,23 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##
 
 * No changes.
 
+
 ## Rails 3.2.14 (Jul 22, 2013) ##
 
 *   Fix bugs that crashed `rake test:benchmark`, `rails profiler` and
diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb
index 38890e1..ec2f546 100644
--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/version.rb b/version.rb
index 38890e1..ec2f546 100644
--- a/version.rb
+++ b/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')



