Merge remote-tracking branch 'upstream/3-2-stable' into 3-2-github

actionpack/CHANGELOG.md

@@ -1,3 +1,5 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
 *   Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
     `options[:raise]`.
 
@@ -5,6 +7,18 @@
 
     *Shota Fukumori (sora_h)*
 
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+*   Only accept actions without File::SEPARATOR in the name.
+
+    This will avoid directory traversal in implicit render.
+
+    Fixes: CVE-2014-0130
+
+    *Rafael Mendonça França*
+
+
 ## Rails 3.2.17 (Feb 18, 2014) ##
 
 *   Use the reference for the mime type to get the format

actionpack/lib/abstract_controller/base.rb

@@ -112,7 +112,7 @@ module AbstractController
     def process(action, *args)
       @_action_name = action_name = action.to_s
 
-      unless action_name = method_for_action(action_name)
+      unless action_name = _find_action_name(action_name)
         raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
       end
 
@@ -138,7 +138,7 @@ module AbstractController
     # available action consider actions that are also available
     # through other means, for example, implicit render ones.
     def available_action?(action_name)
-      method_for_action(action_name).present?
+      _find_action_name(action_name).present?
     end
 
     private
@@ -181,6 +181,23 @@ module AbstractController
         action_missing(@_action_name, *args)
       end
 
+      # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found. Raise ActionNotFound.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
       # Takes an action name and returns the name of the method that will
       # handle the action. In normal cases, this method returns the same
       # name as it receives. By default, if #method_for_action receives
@@ -203,11 +220,16 @@ module AbstractController
       #
       # ==== Returns
       # * <tt>string</tt> - The name of the method that handles the action
-      # * <tt>nil</tt>    - No method name could be found. Raise ActionNotFound.
+      # * <tt>nil</tt>    - No method name could be found.
       def method_for_action(action_name)
         if action_method?(action_name) then action_name
         elsif respond_to?(:action_missing, true) then "_handle_action_missing"
         end
       end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+      end
   end
 end

actionpack/lib/action_dispatch/middleware/session/cache_store.rb

@@ -16,9 +16,9 @@ module ActionDispatch
 
       # Get a session from the cache.
       def get_session(env, sid)
-        sid ||= generate_sid
-        session = @cache.read(cache_key(sid))
-        session ||= {}
+        unless sid and session = @cache.read(cache_key(sid))
+          sid, session = generate_sid, {}
+        end
         [sid, session]
       end
 

actionpack/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 19
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

actionpack/lib/action_view/template/resolver.rb

@@ -120,13 +120,7 @@ module ActionView
     def query(path, details, formats)
       query = build_query(path, details)
 
-      # deals with case-insensitive file systems.
-      sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
-
-      template_paths = Dir[query].reject { |filename|
-        File.directory?(filename) ||
-          !sanitizer[File.dirname(filename)].include?(filename)
-      }
+      template_paths = find_template_paths query
 
       template_paths.map { |template|
         handler, format = extract_handler_and_format(template, formats)
@@ -139,6 +133,26 @@ module ActionView
       }
     end
 
+    if RUBY_VERSION >= '2.2.0'
+      def find_template_paths(query)
+        Dir[query].reject { |filename|
+          File.directory?(filename) ||
+            # deals with case-insensitive file systems.
+            !File.fnmatch(query, filename, File::FNM_EXTGLOB)
+        }
+      end
+    else
+      def find_template_paths(query)
+        # deals with case-insensitive file systems.
+        sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
+
+        Dir[query].reject { |filename|
+          File.directory?(filename) ||
+            !sanitizer[File.dirname(filename)].include?(filename)
+        }
+      end
+    end
+
     # Helper for building query glob string based on resolver's pattern.
     def build_query(path, details)
       query = @pattern.dup

actionpack/test/controller/new_base/render_implicit_action_test.rb

@@ -6,7 +6,7 @@ module RenderImplicitAction
       "render_implicit_action/simple/hello_world.html.erb"     => "Hello world!",
       "render_implicit_action/simple/hyphen-ated.html.erb"     => "Hello hyphen-ated!",
       "render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
-    )]
+    ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]
 
     def hello_world() end
   end
@@ -33,10 +33,25 @@ module RenderImplicitAction
       assert_status 200
     end
 
+    test "render does not traverse the file system" do
+      assert_raises(AbstractController::ActionNotFound) do
+        action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
+        SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
+      end
+    end
+
     test "available_action? returns true for implicit actions" do
       assert SimpleController.new.available_action?(:hello_world)
       assert SimpleController.new.available_action?(:"hyphen-ated")
       assert SimpleController.new.available_action?(:not_implemented)
     end
+
+    test "available_action? does not allow File::SEPARATOR on the name" do
+      action_name = %w(evil .. .. path).join(File::SEPARATOR)
+      assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+
+      action_name = %w(evil path).join(File::SEPARATOR)
+      assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+    end
   end
 end

actionpack/test/dispatch/session/cache_store_test.rb

@@ -149,16 +149,15 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
 
   def test_prevents_session_fixation
     with_test_route_set do
-      get '/get_session_value'
-      assert_response :success
-      assert_equal 'foo: nil', response.body
-      session_id = cookies['_session_id']
+      assert_equal nil, @cache.read('_session_id:0xhax')
 
-      reset!
+      cookies['_session_id'] = '0xhax'
+      get '/set_session_value'
 
-      get '/set_session_value', :_session_id => session_id
       assert_response :success
-      assert_not_equal session_id, cookies['_session_id']
+      assert_not_equal '0xhax', cookies['_session_id']
+      assert_equal nil, @cache.read('_session_id:0xhax')
+      assert_equal({'foo' => 'bar'}, @cache.read("_session_id:#{cookies['_session_id']}"))
     end
   end
 
@@ -170,8 +169,8 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
         end
 
         @app = self.class.build_app(set) do |middleware|
-          cache = ActiveSupport::Cache::MemoryStore.new
-          middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => cache
+          @cache = ActiveSupport::Cache::MemoryStore.new
+          middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => @cache
           middleware.delete "ActionDispatch::ShowExceptions"
         end