Prepare for the 3.0.1 release

Revert 0c0b0aa0f2 which introduced a security vulnerability.
This addresses CVE-2010-3933
2026-01-13 16:48:06 -05:00 · 2010-10-15 09:13:00 +13:00 · 2010-10-13 14:28:06 +13:00
18 changed files with 59 additions and 34 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-3.0.0
+3.0.1
--- a/actionmailer/CHANGELOG
+++ b/actionmailer/CHANGELOG
@@ -1,3 +1,7 @@
+*Rails 3.0.1 (October 15, 2010)*
+
+* No Changes, just a version bump.
+
 *Rails 3.0.0 (August 29, 2010)*

 * subject is automatically looked up on I18n using mailer_name and action_name as scope as in t(".subject") [JK]
--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
+    TINY  = 1

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,3 +1,7 @@
+*Rails 3.0.1 (October 15, 2010)*
+
+* No Changes, just a version bump.
+
 *Rails 3.0.0 (August 29, 2010)*

 * Symbols and strings in routes should yield the same behavior. Note this may break existing apps that were using symbols with the new routes API [José Valim]
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
+    TINY  = 1

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/activemodel/CHANGELOG
+++ b/activemodel/CHANGELOG
@@ -1,3 +1,7 @@
+*Rails 3.0.1 (October 15, 2010)*
+
+* No Changes, just a version bump.
+
 *Rails 3.0.0 (August 29, 2010)*

 * Added ActiveModel::MassAssignmentSecurity [Eric Chapweske, Josh Kalderimis]
--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
+    TINY  = 1

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,3 +1,7 @@
+*Rails 3.0.1 (October 15, 2010)*
+
+* Introduce a fix for CVE-2010-3993
+
 *Rails 3.0.0 (August 29, 2010)*

 * Changed update_attribute to not run callbacks and update the record directly in the database [Neeraj Singh]
--- a/activerecord/lib/active_record/nested_attributes.rb
+++ b/activerecord/lib/active_record/nested_attributes.rb
@@ -296,9 +296,7 @@ module ActiveRecord
        assign_to_or_mark_for_destruction(record, attributes, options[:allow_destroy])

      elsif attributes['id']
-        existing_record = self.class.reflect_on_association(association_name).klass.find(attributes['id'])
-        assign_to_or_mark_for_destruction(existing_record, attributes, options[:allow_destroy])
-        self.send(association_name.to_s+'=', existing_record)
+        raise_nested_attributes_record_not_found(association_name, attributes['id'])

      elsif !reject_new_record?(association_name, attributes)
        method = "build_#{association_name}"
@@ -369,15 +367,12 @@ module ActiveRecord
            association.build(attributes.except(*UNASSIGNABLE_KEYS))
          end

-        elsif existing_records.count == 0 #Existing record but not yet associated
-          existing_record = self.class.reflect_on_association(association_name).klass.find(attributes['id'])
-          association.send(:add_record_to_target_with_callbacks, existing_record) unless association.loaded?
-          assign_to_or_mark_for_destruction(existing_record, attributes, options[:allow_destroy])
-
        elsif existing_record = existing_records.detect { |record| record.id.to_s == attributes['id'].to_s }
          association.send(:add_record_to_target_with_callbacks, existing_record) unless association.loaded?
          assign_to_or_mark_for_destruction(existing_record, attributes, options[:allow_destroy])

+        else
+          raise_nested_attributes_record_not_found(association_name, attributes['id'])
        end
      end
    end
@@ -397,7 +392,7 @@ module ActiveRecord
      ConnectionAdapters::Column.value_to_boolean(hash['_destroy'])
    end

-    # Determines if a new record should be built by checking for
+    # Determines if a new record should be build by checking for
    # has_destroy_flag? or if a <tt>:reject_if</tt> proc exists for this
    # association and evaluates to +true+.
    def reject_new_record?(association_name, attributes)
@@ -413,5 +408,9 @@ module ActiveRecord
      end
    end

+    def raise_nested_attributes_record_not_found(association_name, record_id)
+      reflection = self.class.reflect_on_association(association_name)
+      raise RecordNotFound, "Couldn't find #{reflection.klass.name} with ID=#{record_id} for #{self.class.name} with ID=#{id}"
+    end
  end
 end
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
+    TINY  = 1

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/activerecord/test/cases/nested_attributes_test.rb
+++ b/activerecord/test/cases/nested_attributes_test.rb
@@ -178,6 +178,12 @@ class TestNestedAttributesOnAHasOneAssociation < ActiveRecord::TestCase
    assert_equal 'Davy Jones Gold Dagger', @pirate.ship.name
  end

+  def test_should_raise_RecordNotFound_if_an_id_is_given_but_doesnt_return_a_record
+    assert_raise_with_message ActiveRecord::RecordNotFound, "Couldn't find Ship with ID=1234567890 for Pirate with ID=#{@pirate.id}" do
+      @pirate.ship_attributes = { :id => 1234567890 }
+    end
+  end
+
  def test_should_take_a_hash_with_string_keys_and_update_the_associated_model
    @pirate.reload.ship_attributes = { 'id' => @ship.id, 'name' => 'Davy Jones Gold Dagger' }

@@ -349,13 +355,10 @@ class TestNestedAttributesOnABelongsToAssociation < ActiveRecord::TestCase
    assert_equal 'Arr', @ship.pirate.catchphrase
  end

-  def test_should_associate_with_record_if_parent_record_is_not_saved
-    @ship.destroy
-    @pirate = Pirate.create(:catchphrase => 'Arr')
-    @ship = Ship.new(:name => 'Nights Dirty Lightning', :pirate_attributes => { :id => @pirate.id, :catchphrase => @pirate.catchphrase})
-
-    assert_equal @ship.name, 'Nights Dirty Lightning'
-    assert_equal @pirate, @ship.pirate
+  def test_should_raise_RecordNotFound_if_an_id_is_given_but_doesnt_return_a_record
+    assert_raise_with_message ActiveRecord::RecordNotFound, "Couldn't find Pirate with ID=1234567890 for Ship with ID=#{@ship.id}" do
+      @ship.pirate_attributes = { :id => 1234567890 }
+    end
  end

  def test_should_take_a_hash_with_string_keys_and_update_the_associated_model
@@ -486,11 +489,6 @@ module NestedAttributesOnACollectionAssociationTests
    assert_equal ['Grace OMalley', 'Privateers Greed'], [@child_1.reload.name, @child_2.reload.name]
  end

-  def test_should_assign_existing_children_if_parent_is_new
-    @pirate = Pirate.new({:catchphrase => "Don' botharr talkin' like one, savvy?"}.merge(@alternate_params))
-    assert_equal ['Grace OMalley', 'Privateers Greed'], [@pirate.send(@association_name)[0].name, @pirate.send(@association_name)[1].name]
-  end
-
  def test_should_also_work_with_a_HashWithIndifferentAccess
    @pirate.send(association_setter, HashWithIndifferentAccess.new('foo' => HashWithIndifferentAccess.new(:id => @child_1.id, :name => 'Grace OMalley')))
    @pirate.save
@@ -554,8 +552,8 @@ module NestedAttributesOnACollectionAssociationTests
    assert_equal ['Grace OMalley', 'Privateers Greed'], [@child_1.name, @child_2.name]
  end

-  def test_should_not_raise_RecordNotFound_if_an_id_is_given_but_doesnt_return_a_record
-    assert_nothing_raised ActiveRecord::RecordNotFound do
+  def test_should_raise_RecordNotFound_if_an_id_is_given_but_doesnt_return_a_record
+    assert_raise_with_message ActiveRecord::RecordNotFound, "Couldn't find #{@child_1.class.name} with ID=1234567890 for Pirate with ID=#{@pirate.id}" do
      @pirate.attributes = { association_getter => [{ :id => 1234567890 }] }
    end
  end
--- a/activeresource/CHANGELOG
+++ b/activeresource/CHANGELOG
@@ -1,3 +1,7 @@
+*Rails 3.0.1 (October 15, 2010)*
+
+* No Changes, just a version bump.
+
 *Rails 3.0.0 (August 29, 2010)*

 * JSON: set Base.include_root_in_json = true to include a root value in the JSON: {"post": {"title": ...}}. Mirrors the Active Record option.  [Santiago Pastorino]
--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
+    TINY  = 1

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/activesupport/CHANGELOG
+++ b/activesupport/CHANGELOG
@@ -1,3 +1,7 @@
+*Rails 3.0.1 (October 15, 2010)*
+
+* No Changes, just a version bump.
+
 *Rails 3.0.0 (August 29, 2010)*

 * Implemented String#strip_heredoc. [fxn]
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
+    TINY  = 1

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/railties/CHANGELOG
+++ b/railties/CHANGELOG
@@ -1,3 +1,7 @@
+*Rails 3.0.1 (October 15, 2010)*
+
+* No Changes, just a version bump.
+
 *Rails 3.0.0 (August 29, 2010)*

 * Application generation: --skip-testunit and --skip-activerecord become --skip-test-unit
--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
+    TINY  = 1

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/version.rb
+++ b/version.rb
@@ -2,9 +2,9 @@ module Rails
  module VERSION #:nodoc:
    MAJOR = 3
    MINOR = 0
-    TINY  = 0
-    BUILD = "rc2"
+    TINY  = 1
+    BUILD = nil

-    STRING = [MAJOR, MINOR, TINY, BUILD].join('.')
+    STRING = [MAJOR, MINOR, TINY, BUILD].compact.join('.')
  end
 end
Author	SHA1	Message	Date
Michael Koziarski	bac6ba99b1	Prepare for the 3.0.1 release	2010-10-15 09:13:00 +13:00
Michael Koziarski	2d96bccb1e	Revert `0c0b0aa0f2` which introduced a security vulnerability. This addresses CVE-2010-3933	2010-10-13 14:28:06 +13:00
@@ -1 +1 @@
 .0.0
 .0.1