bump 2.3.14.github40

CVE-2014-0081

RAILS_VERSION

@@ -1 +1 @@
-2.3.14.github36
+2.3.14.github40

actionpack/lib/action_controller/benchmarking.rb

@@ -87,7 +87,6 @@ module ActionController #:nodoc:
           log_message << " [#{complete_request_uri rescue "unknown"}]"
 
           logger.info(log_message)
-          response.headers["X-Runtime"] = "%.0f" % ms
         else
           perform_action_without_benchmark
         end

actionpack/lib/action_controller/session/cookie_store.rb

@@ -37,7 +37,7 @@ module ActionController
     # Note that changing digest or secret invalidates all existing sessions!
     class CookieStore
       include AbstractStore::SessionUtils
-      
+
       # Cookies can typically store 4096 bytes.
       MAX = 4096
       SECRET_MIN_LENGTH = 30 # characters
@@ -95,14 +95,21 @@ module ActionController
 
       def call(env)
         prepare!(env)
-        
+
         status, headers, body = @app.call(env)
 
         session_data = env[ENV_SESSION_KEY]
         options = env[ENV_SESSION_OPTIONS_KEY]
         request = ActionController::Request.new(env)
-        
+
         if !(options[:secure] && !request.ssl?) && (!session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after])
+
+          # Backport standard Rack::Session::Cookie behavior
+          # Skip writing session if env['rack.session.options'][:skip] is set
+          if options[:skip]
+            return [status, headers, body]
+          end
+
           session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?
 
           persistent_session_id!(session_data)
@@ -122,7 +129,7 @@ module ActionController
       end
 
       private
-      
+
         def prepare!(env)
           env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
           env[ENV_SESSION_OPTIONS_KEY] = AbstractStore::OptionsHash.new(self, env, @default_options)
@@ -133,7 +140,7 @@ module ActionController
           data = persistent_session_id!(data)
           [data[:session_id], data]
         end
-        
+
         def extract_session_id(env)
           if data = unpacked_cookie_data(env)
             persistent_session_id!(data) unless data.empty?

actionpack/lib/action_view/helpers/number_helper.rb

@@ -73,6 +73,8 @@ module ActionView
       def number_to_currency(number, options = {})
         options.symbolize_keys!
 
+        options[:format]    = ERB::Util.html_escape(options[:format]) if options[:format]
+
         defaults  = I18n.translate(:'number.format', :locale => options[:locale], :raise => true) rescue {}
         currency  = I18n.translate(:'number.currency.format', :locale => options[:locale], :raise => true) rescue {}
         defaults  = defaults.merge(currency)

actionpack/test/template/number_helper_test.rb

@@ -3,6 +3,12 @@ require 'abstract_unit'
 class NumberHelperTest < ActionView::TestCase
   tests ActionView::Helpers::NumberHelper
 
+  def test_number_helpers_escape_delimiter_and_separator
+    assert_equal "$1&lt;script&gt;&lt;/script&gt;01", number_to_currency(1.01, :separator => "<script></script>")
+    assert_equal "$1&lt;script&gt;&lt;/script&gt;000.00", number_to_currency(1000, :delimiter => "<script></script>")
+    assert_equal "&lt;script&gt;1,000.00$&lt;/script&gt;", number_to_currency(1000, :format => "<script>%n%u</script>")
+  end
+
   def test_number_to_phone
     assert_equal("555-1234", number_to_phone(5551234))
     assert_equal("800-555-1212", number_to_phone(8005551212))