diff --git a/Gemfile b/Gemfile
index 984f7ac37a..dac4f6a2a0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -21,8 +21,11 @@ end
# it being automatically loaded by sprockets
gem 'uglifier', '>= 1.0.3', :require => false
+# execjs >= 2.1.0 doesn't work with Ruby 1.8
+gem 'execjs', '< 2.1.0'
+
gem 'rake', '>= 0.8.7'
-gem 'mocha', '>= 0.13.0', :require => false
+gem 'mocha', '~> 0.14', :require => false
group :doc do
# The current sdoc cannot generate GitHub links due
diff --git a/RAILS_VERSION b/RAILS_VERSION
index ff8001a0f1..100838dc41 100644
--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-3.2.17
+3.2.19
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
index b8c375306e..d7ed55ef4c 100644
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,3 +1,23 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb
index e33d01ac4c..f769dcacfd 100644
--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index a5dbfbd12d..15fc0af20e 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,5 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
`options[:raise]`.
@@ -5,6 +7,18 @@
*Shota Fukumori (sora_h)*
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+* Only accept actions without File::SEPARATOR in the name.
+
+ This will avoid directory traversal in implicit render.
+
+ Fixes: CVE-2014-0130
+
+ *Rafael Mendonça França*
+
+
## Rails 3.2.17 (Feb 18, 2014) ##
* Use the reference for the mime type to get the format
diff --git a/actionpack/lib/abstract_controller/base.rb b/actionpack/lib/abstract_controller/base.rb
index fd6a46fbec..2541125ec6 100644
--- a/actionpack/lib/abstract_controller/base.rb
+++ b/actionpack/lib/abstract_controller/base.rb
@@ -112,7 +112,7 @@ module AbstractController
def process(action, *args)
@_action_name = action_name = action.to_s
- unless action_name = method_for_action(action_name)
+ unless action_name = _find_action_name(action_name)
raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
end
@@ -138,7 +138,7 @@ module AbstractController
# available action consider actions that are also available
# through other means, for example, implicit render ones.
def available_action?(action_name)
- method_for_action(action_name).present?
+ _find_action_name(action_name).present?
end
private
@@ -181,6 +181,23 @@ module AbstractController
action_missing(@_action_name, *args)
end
+ # Takes an action name and returns the name of the method that will
+ # handle the action.
+ #
+ # It checks if the action name is valid and returns false otherwise.
+ #
+ # See method_for_action for more information.
+ #
+ # ==== Parameters
+ # * action_name - An action name to find a method name for
+ #
+ # ==== Returns
+ # * string - The name of the method that handles the action
+ # * false - No valid method name could be found. Raise ActionNotFound.
+ def _find_action_name(action_name)
+ _valid_action_name?(action_name) && method_for_action(action_name)
+ end
+
# Takes an action name and returns the name of the method that will
# handle the action. In normal cases, this method returns the same
# name as it receives. By default, if #method_for_action receives
@@ -203,11 +220,16 @@ module AbstractController
#
# ==== Returns
# * string - The name of the method that handles the action
- # * nil - No method name could be found. Raise ActionNotFound.
+ # * nil - No method name could be found.
def method_for_action(action_name)
if action_method?(action_name) then action_name
elsif respond_to?(:action_missing, true) then "_handle_action_missing"
end
end
+
+ # Checks if the action name is valid and returns false otherwise.
+ def _valid_action_name?(action_name)
+ action_name.to_s !~ Regexp.new(File::SEPARATOR)
+ end
end
end
diff --git a/actionpack/lib/action_dispatch/middleware/session/cache_store.rb b/actionpack/lib/action_dispatch/middleware/session/cache_store.rb
index 1db6194271..625050dc4b 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cache_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cache_store.rb
@@ -16,9 +16,9 @@ module ActionDispatch
# Get a session from the cache.
def get_session(env, sid)
- sid ||= generate_sid
- session = @cache.read(cache_key(sid))
- session ||= {}
+ unless sid and session = @cache.read(cache_key(sid))
+ sid, session = generate_sid, {}
+ end
[sid, session]
end
diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 4d278814c8..3dc00b99fe 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index f855ea257c..47ea8a3c9b 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -120,13 +120,7 @@ module ActionView
def query(path, details, formats)
query = build_query(path, details)
- # deals with case-insensitive file systems.
- sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
-
- template_paths = Dir[query].reject { |filename|
- File.directory?(filename) ||
- !sanitizer[File.dirname(filename)].include?(filename)
- }
+ template_paths = find_template_paths query
template_paths.map { |template|
handler, format = extract_handler_and_format(template, formats)
@@ -139,6 +133,26 @@ module ActionView
}
end
+ if RUBY_VERSION >= '2.2.0'
+ def find_template_paths(query)
+ Dir[query].reject { |filename|
+ File.directory?(filename) ||
+ # deals with case-insensitive file systems.
+ !File.fnmatch(query, filename, File::FNM_EXTGLOB)
+ }
+ end
+ else
+ def find_template_paths(query)
+ # deals with case-insensitive file systems.
+ sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
+
+ Dir[query].reject { |filename|
+ File.directory?(filename) ||
+ !sanitizer[File.dirname(filename)].include?(filename)
+ }
+ end
+ end
+
# Helper for building query glob string based on resolver's pattern.
def build_query(path, details)
query = @pattern.dup
diff --git a/actionpack/test/controller/new_base/render_implicit_action_test.rb b/actionpack/test/controller/new_base/render_implicit_action_test.rb
index 1e2191d417..5b4885f7e0 100644
--- a/actionpack/test/controller/new_base/render_implicit_action_test.rb
+++ b/actionpack/test/controller/new_base/render_implicit_action_test.rb
@@ -6,7 +6,7 @@ module RenderImplicitAction
"render_implicit_action/simple/hello_world.html.erb" => "Hello world!",
"render_implicit_action/simple/hyphen-ated.html.erb" => "Hello hyphen-ated!",
"render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
- )]
+ ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]
def hello_world() end
end
@@ -33,10 +33,25 @@ module RenderImplicitAction
assert_status 200
end
+ test "render does not traverse the file system" do
+ assert_raises(AbstractController::ActionNotFound) do
+ action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
+ SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
+ end
+ end
+
test "available_action? returns true for implicit actions" do
assert SimpleController.new.available_action?(:hello_world)
assert SimpleController.new.available_action?(:"hyphen-ated")
assert SimpleController.new.available_action?(:not_implemented)
end
+
+ test "available_action? does not allow File::SEPARATOR on the name" do
+ action_name = %w(evil .. .. path).join(File::SEPARATOR)
+ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+
+ action_name = %w(evil path).join(File::SEPARATOR)
+ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+ end
end
end
diff --git a/actionpack/test/dispatch/session/cache_store_test.rb b/actionpack/test/dispatch/session/cache_store_test.rb
index 73e056de23..0d88d1d29e 100644
--- a/actionpack/test/dispatch/session/cache_store_test.rb
+++ b/actionpack/test/dispatch/session/cache_store_test.rb
@@ -149,16 +149,15 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
def test_prevents_session_fixation
with_test_route_set do
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: nil', response.body
- session_id = cookies['_session_id']
+ assert_equal nil, @cache.read('_session_id:0xhax')
- reset!
+ cookies['_session_id'] = '0xhax'
+ get '/set_session_value'
- get '/set_session_value', :_session_id => session_id
assert_response :success
- assert_not_equal session_id, cookies['_session_id']
+ assert_not_equal '0xhax', cookies['_session_id']
+ assert_equal nil, @cache.read('_session_id:0xhax')
+ assert_equal({'foo' => 'bar'}, @cache.read("_session_id:#{cookies['_session_id']}"))
end
end
@@ -170,8 +169,8 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
end
@app = self.class.build_app(set) do |middleware|
- cache = ActiveSupport::Cache::MemoryStore.new
- middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => cache
+ @cache = ActiveSupport::Cache::MemoryStore.new
+ middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => @cache
middleware.delete "ActionDispatch::ShowExceptions"
end
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index 7db08549d9..4f2e4e1959 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,23 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb
index 08d437cbc2..3137205802 100644
--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index 878e5eeebc..0334f4454e 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,27 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* Fix SQL Injection Vulnerability in 'bitstring' quoting.
+
+ Fixes CVE-2014-3482.
+
+ *Rafael Mendonça França*
+
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* When calling the method .find_or_initialize_by_* from a collection_proxy
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
index e98337e7d5..3cd65d0bf5 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
@@ -442,8 +442,8 @@ module ActiveRecord
when 'xml' then "xml '#{quote_string(value)}'"
when /^bit/
case value
- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
+ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
+ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
end
else
super
@@ -1160,7 +1160,7 @@ module ActiveRecord
FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
def exec_no_cache(sql, binds)
- @connection.async_exec(sql)
+ @connection.async_exec(sql, [])
end
def exec_cache(sql, binds)
diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
index cced9eae8f..cc73a14f7c 100644
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
index 172055f15c..cfdf16d48d 100644
--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
@@ -19,6 +19,11 @@ module ActiveRecord
assert_equal 'f', @conn.type_cast(false, nil)
assert_equal 'f', @conn.type_cast(false, c)
end
+
+ def test_quote_bit_string
+ c = PostgreSQLColumn.new(nil, 1, 'bit')
+ assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
+ end
end
end
end
diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md
index c1f0fa3403..64509399e8 100644
--- a/activeresource/CHANGELOG.md
+++ b/activeresource/CHANGELOG.md
@@ -1,7 +1,28 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
+
## Rails 3.2.14 (Jul 22, 2013) ##
* Fixes an issue that ActiveResource models ignores ActiveResource::Base.include_root_in_json.
diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb
index ea9b7a51e9..5e8910f386 100644
--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 29f7db53eb..6123be4ab4 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,28 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* Make sure Active Support configurations are applied correctly.
+
+ Before this change configuration set using `config.active_support`
+ would not be set.
+
+ *Rafael Mendonça França*
+
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* Fix ActiveSupport::Cache::FileStore#cleanup to no longer rely on missing each_key method.
diff --git a/activesupport/lib/active_support/railtie.rb b/activesupport/lib/active_support/railtie.rb
index 1638512af0..65851a0937 100644
--- a/activesupport/lib/active_support/railtie.rb
+++ b/activesupport/lib/active_support/railtie.rb
@@ -55,5 +55,12 @@ module ActiveSupport
Time.zone_default = zone_default
end
+
+ initializer "active_support.set_configs" do |app|
+ app.config.active_support.each do |k, v|
+ k = "#{k}="
+ ActiveSupport.send(k, v) if ActiveSupport.respond_to? k
+ end
+ end
end
end
diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index 95faab1dd6..6fdf950bc0 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 3e075a8f9f..0ff661cc9f 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,7 +1,28 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
+
## Rails 3.2.14 (Jul 22, 2013) ##
* Fix bugs that crashed `rake test:benchmark`, `rails profiler` and
diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb
index 38890e162d..ef640c9dab 100644
--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index eb16713455..626dd64ea6 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -454,6 +454,18 @@ module ApplicationTests
assert ActionView::Resolver.caching?
end
+ test "configure Active Support using config.active_support" do
+ add_to_config <<-RUBY
+ config.active_support.escape_html_entities_in_json = true
+ RUBY
+
+ require 'active_support/json'
+ require "#{app_path}/config/environment"
+
+ assert ActiveSupport.escape_html_entities_in_json
+ assert ActiveSupport::JSON::Encoding.escape_html_entities_in_json
+ end
+
test "config.action_dispatch.show_exceptions is sent in env" do
make_basic_app do |app|
app.config.action_dispatch.show_exceptions = true
diff --git a/version.rb b/version.rb
index 38890e162d..ef640c9dab 100644
--- a/version.rb
+++ b/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')