Merge pull request #67 from github/2-3-github+cve-2014-0130

CVE-2014-0130 protection

RAILS_VERSION

@@ -1 +1 @@
-2.3.14.github40
+2.3.14.github43

actionpack/lib/action_controller/base.rb

@@ -1320,7 +1320,14 @@ module ActionController #:nodoc:
         render
       end
 
+      CVE_2014_0310 = Class.new(StandardError)
+
       def perform_action
+        # CVE-2014-0130 protection
+        if action_name.include? "/"
+          raise CVE_2014_0310
+        end
+
         if action_methods.include?(action_name)
           send(action_name)
           default_render unless performed?

activerecord/lib/active_record/connection_adapters/abstract_adapter.rb

@@ -195,7 +195,9 @@ module ActiveRecord
       def log_info(sql, name, ms)
         if @logger && @logger.debug?
           name = '%s (%.1fms)' % [name || 'SQL', ms]
-          sql.force_encoding 'binary' if sql.respond_to?(:force_encoding)
+          if sql.respond_to?(:force_encoding)
+            sql = sql.dup.force_encoding 'binary'
+          end
           @logger.debug(format_log_entry(name, sql.squeeze(' ')))
         end
       end
@@ -212,13 +214,7 @@ module ActiveRecord
             log_info(sql, name, 0)
             nil
           end
-        rescue SystemExit, SignalException, NoMemoryError => e
+        rescue => e
-          # Don't re-wrap these exceptions. They are probably not being caused by invalid
-          # sql, but rather some external stimulus beyond the responsibilty of this code.
-          # Additionaly, wrapping these exceptions with StatementInvalid would lead to
-          #  meaningful loss of data, such as losing SystemExit#status.
-          raise e
-        rescue Exception => e
           # Log message and raise exception.
           # Set last_verification to 0, so that connection gets verified
           # upon reentering the request loop

activesupport/lib/active_support/core_ext/kernel.rb

@@ -1,5 +1,4 @@
 require 'active_support/core_ext/kernel/daemonizing'
 require 'active_support/core_ext/kernel/reporting'
-require 'active_support/core_ext/kernel/agnostics'
 require 'active_support/core_ext/kernel/requires'
 require 'active_support/core_ext/kernel/debugger'

activesupport/lib/active_support/core_ext/kernel/agnostics.rb

@@ -1,11 +0,0 @@
-class Object
-  # Makes backticks behave (somewhat more) similarly on all platforms.
-  # On win32 `nonexistent_command` raises Errno::ENOENT; on Unix, the
-  # spawned shell prints a message to stderr and sets $?.  We emulate
-  # Unix on the former but not the latter.
-  def `(command) #:nodoc:
-    super
-  rescue Errno::ENOENT => e
-    STDERR.puts "#$0: #{e}"
-  end
-end

activesupport/lib/active_support/memoizable.rb

@@ -1,3 +1,6 @@
+require 'active_support/core_ext/kernel/singleton_class'
+require 'active_support/core_ext/module/aliasing'
+
 module ActiveSupport
   module Memoizable
     def self.memoized_ivar_for(symbol)
@@ -41,10 +44,10 @@ module ActiveSupport
         end
       end
 
-      def flush_cache(*syms, &block)
+      def flush_cache(*syms)
         syms.each do |sym|
           (methods + private_methods + protected_methods).each do |m|
-            if m.to_s =~ /^_unmemoized_(#{sym})/
+            if m.to_s =~ /^_unmemoized_(#{sym.to_s.gsub(/\?\Z/, '\?')})/
               ivar = ActiveSupport::Memoizable.memoized_ivar_for($1)
               instance_variable_get(ivar).clear if instance_variable_defined?(ivar)
             end
@@ -69,7 +72,7 @@ module ActiveSupport
           if instance_method(:#{symbol}).arity == 0                                # if instance_method(:mime_type).arity == 0
             def #{symbol}(reload = false)                                          #   def mime_type(reload = false)
               if reload || !defined?(#{memoized_ivar}) || #{memoized_ivar}.empty?  #     if reload || !defined?(@_memoized_mime_type) || @_memoized_mime_type.empty?
-                #{memoized_ivar} = [#{original_method}.freeze]                     #       @_memoized_mime_type = [_unmemoized_mime_type.freeze]
+                #{memoized_ivar} = [#{original_method}]                            #       @_memoized_mime_type = [_unmemoized_mime_type]
               end                                                                  #     end
               #{memoized_ivar}[0]                                                  #     @_memoized_mime_type[0]
             end                                                                    #   end
@@ -82,7 +85,7 @@ module ActiveSupport
                 if !reload && #{memoized_ivar}.has_key?(args)                      #       if !reload && @_memoized_mime_type.has_key?(args)
                   #{memoized_ivar}[args]                                           #         @_memoized_mime_type[args]
                 elsif #{memoized_ivar}                                             #       elsif @_memoized_mime_type
-                  #{memoized_ivar}[args] = #{original_method}(*args).freeze        #         @_memoized_mime_type[args] = _unmemoized_mime_type(*args).freeze
+                  #{memoized_ivar}[args] = #{original_method}(*args)               #         @_memoized_mime_type[args] = _unmemoized_mime_type(*args)
                 end                                                                #       end
               else                                                                 #     else
                 #{original_method}(*args)                                          #       _unmemoized_mime_type(*args)

activesupport/test/flush_cache_on_private_memoization_test.rb

@@ -1,3 +1,4 @@
+require 'abstract_unit'
 require 'active_support'
 require 'test/unit'
 

activesupport/test/memoizable_test.rb

@@ -4,12 +4,13 @@ class MemoizableTest < Test::Unit::TestCase
   class Person
     extend ActiveSupport::Memoizable
 
-    attr_reader :name_calls, :age_calls, :is_developer_calls
+    attr_reader :name_calls, :age_calls, :is_developer_calls, :name_query_calls
 
     def initialize
       @name_calls = 0
       @age_calls = 0
       @is_developer_calls = 0
+      @name_query_calls = 0
     end
 
     def name
@@ -18,6 +19,7 @@ class MemoizableTest < Test::Unit::TestCase
     end
 
     def name?
+      @name_query_calls += 1
       true
     end
     memoize :name?
@@ -123,6 +125,13 @@ class MemoizableTest < Test::Unit::TestCase
     end
   end
 
+  def test_memoization_flush_with_punctuation
+    assert_equal true, @person.name?
+    @person.flush_cache(:name?)
+    3.times { assert_equal true, @person.name? }
+    assert_equal 2, @person.name_query_calls
+  end
+
   def test_memoization_with_nil_value
     assert_equal nil, @person.age
     assert_equal 1, @person.age_calls
@@ -131,13 +140,7 @@ class MemoizableTest < Test::Unit::TestCase
     assert_equal 1, @person.age_calls
   end
 
-  def test_memorized_results_are_immutable
-    assert_equal "Josh", @person.name
-    assert_raise(ActiveSupport::FrozenObjectError) { @person.name.gsub!("Josh", "Gosh") }
-  end
-
   def test_reloadable
-    counter = @calculator.counter
     assert_equal 1, @calculator.counter
     assert_equal 2, @calculator.counter(:reload)
     assert_equal 2, @calculator.counter