Merge branch '3-2-sec' into 3-2-stable

Conflicts: actionpack/CHANGELOG.md
2026-01-08 22:27:59 -05:00 · 2014-05-06 13:31:07 -03:00
parent a3bda38467 50d6b4549d
commit bbec7d72be
19 changed files with 155 additions and 14 deletions
--- a/2
+++ b/2
@@ -22,7 +22,7 @@ end
 gem 'uglifier', '>= 1.0.3', :require => false

 gem 'rake', '>= 0.8.7'
-gem 'mocha', '>= 0.13.0', :require => false
+gem 'mocha', '~> 0.14', :require => false

 group :doc do
  # The current sdoc cannot generate GitHub links due
--- a/2
+++ b/2
@@ -1 +1 @@
-3.2.17
+3.2.18
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##

 *   No changes.
--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -5,6 +5,18 @@

    *Shota Fukumori (sora_h)*

+
+## Rails 3.2.18 (May 6, 2014) ##
+
+*   Only accept actions without File::SEPARATOR in the name.
+
+    This will avoid directory traversal in implicit render.
+
+    Fixes: CVE-2014-0130
+
+    *Rafael Mendonça França*
+
+
 ## Rails 3.2.17 (Feb 18, 2014) ##

 *   Use the reference for the mime type to get the format
--- a/actionpack/lib/abstract_controller/base.rb
+++ b/actionpack/lib/abstract_controller/base.rb
@@ -112,7 +112,7 @@ module AbstractController
    def process(action, *args)
      @_action_name = action_name = action.to_s

-      unless action_name = method_for_action(action_name)
+      unless action_name = _find_action_name(action_name)
        raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
      end

@@ -138,7 +138,7 @@ module AbstractController
    # available action consider actions that are also available
    # through other means, for example, implicit render ones.
    def available_action?(action_name)
-      method_for_action(action_name).present?
+      _find_action_name(action_name).present?
    end

    private
@@ -181,6 +181,23 @@ module AbstractController
        action_missing(@_action_name, *args)
      end

+      # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found. Raise ActionNotFound.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
      # Takes an action name and returns the name of the method that will
      # handle the action. In normal cases, this method returns the same
      # name as it receives. By default, if #method_for_action receives
@@ -203,11 +220,16 @@ module AbstractController
      #
      # ==== Returns
      # * <tt>string</tt> - The name of the method that handles the action
-      # * <tt>nil</tt>    - No method name could be found. Raise ActionNotFound.
+      # * <tt>nil</tt>    - No method name could be found.
      def method_for_action(action_name)
        if action_method?(action_name) then action_name
        elsif respond_to?(:action_missing, true) then "_handle_action_missing"
        end
      end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+      end
  end
 end
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--- a/actionpack/test/controller/new_base/render_implicit_action_test.rb
+++ b/actionpack/test/controller/new_base/render_implicit_action_test.rb
@@ -6,7 +6,7 @@ module RenderImplicitAction
      "render_implicit_action/simple/hello_world.html.erb"     => "Hello world!",
      "render_implicit_action/simple/hyphen-ated.html.erb"     => "Hello hyphen-ated!",
      "render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
-    )]
+    ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]

    def hello_world() end
  end
@@ -33,10 +33,25 @@ module RenderImplicitAction
      assert_status 200
    end

+    test "render does not traverse the file system" do
+      assert_raises(AbstractController::ActionNotFound) do
+        action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
+        SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
+      end
+    end
+
    test "available_action? returns true for implicit actions" do
      assert SimpleController.new.available_action?(:hello_world)
      assert SimpleController.new.available_action?(:"hyphen-ated")
      assert SimpleController.new.available_action?(:not_implemented)
    end
+
+    test "available_action? does not allow File::SEPARATOR on the name" do
+      action_name = %w(evil .. .. path).join(File::SEPARATOR)
+      assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+
+      action_name = %w(evil path).join(File::SEPARATOR)
+      assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+    end
  end
 end
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##

 *   No changes.
--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##

 *   When calling the method .find_or_initialize_by_* from a collection_proxy
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--- a/activeresource/CHANGELOG.md
+++ b/activeresource/CHANGELOG.md
@@ -1,7 +1,23 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##

 * No changes.

+
 ## Rails 3.2.14 (Jul 22, 2013) ##

 *   Fixes an issue that ActiveResource models ignores ActiveResource::Base.include_root_in_json.
--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##

 *   Fix ActiveSupport::Cache::FileStore#cleanup to no longer rely on missing each_key method.
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,7 +1,23 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
 ## Rails 3.2.15 (Oct 16, 2013) ##

 * No changes.

+
 ## Rails 3.2.14 (Jul 22, 2013) ##

 *   Fix bugs that crashed `rake test:benchmark`, `rails profiler` and
--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--- a/version.rb
+++ b/version.rb
@@ -2,7 +2,7 @@ module Rails
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 2
-    TINY  = 17
+    TINY  = 18
    PRE   = nil

    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1 +1 @@
 .2.17
 .2.18