github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-06 21:34:08 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/3-2-stable' into 3-2-github

Browse Source
This commit is contained in:
Charlie Somerville
2014-09-15 14:04:33 +10:00
parent 9cbc2c3550 11fd052aa8
commit 7684d715ef
26 changed files with 258 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Gemfile
View File

@@ -21,8 +21,11 @@ end
# it being automatically loaded by sprockets
gem 'uglifier', '>= 1.0.3', :require => false
# execjs >= 2.1.0 doesn't work with Ruby 1.8
gem 'execjs', '< 2.1.0'
gem 'rake', '>= 0.8.7'
gem 'mocha', '>= 0.13.0', :require => false
gem 'mocha', '~> 0.14', :require => false
group :doc do
# The current sdoc cannot generate GitHub links due

2
RAILS_VERSION
View File

@@ -1 +1 @@
3.2.17
3.2.19

20
actionmailer/CHANGELOG.md
View File

@@ -1,3 +1,23 @@
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
## Rails 3.2.17 (Feb 18, 2014) ##
* No changes.
## Rails 3.2.16 (Dec 3, 2013) ##
* No changes.
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.

2
actionmailer/lib/action_mailer/version.rb
View File

@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

14
actionpack/CHANGELOG.md
View File

@@ -1,3 +1,5 @@
## Rails 3.2.19 (Jul 2, 2014) ##
* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
`options[:raise]`.
@@ -5,6 +7,18 @@
*Shota Fukumori (sora_h)*
## Rails 3.2.18 (May 6, 2014) ##
* Only accept actions without File::SEPARATOR in the name.
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
*Rafael Mendonça França*
## Rails 3.2.17 (Feb 18, 2014) ##
* Use the reference for the mime type to get the format

28
actionpack/lib/abstract_controller/base.rb
View File

@@ -112,7 +112,7 @@ module AbstractController
def process(action, *args)
@_action_name = action_name = action.to_s
unless action_name = method_for_action(action_name)
unless action_name = _find_action_name(action_name)
raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
end
@@ -138,7 +138,7 @@ module AbstractController
# available action consider actions that are also available
# through other means, for example, implicit render ones.
def available_action?(action_name)
method_for_action(action_name).present?
_find_action_name(action_name).present?
end
private
@@ -181,6 +181,23 @@ module AbstractController
action_missing(@_action_name, *args)
end
# Takes an action name and returns the name of the method that will
# handle the action.
#
# It checks if the action name is valid and returns false otherwise.
#
# See method_for_action for more information.
#
# ==== Parameters
# * <tt>action_name</tt> - An action name to find a method name for
#
# ==== Returns
# * <tt>string</tt> - The name of the method that handles the action
# * false - No valid method name could be found. Raise ActionNotFound.
def _find_action_name(action_name)
_valid_action_name?(action_name) && method_for_action(action_name)
end
# Takes an action name and returns the name of the method that will
# handle the action. In normal cases, this method returns the same
# name as it receives. By default, if #method_for_action receives
@@ -203,11 +220,16 @@ module AbstractController
#
# ==== Returns
# * <tt>string</tt> - The name of the method that handles the action
# * <tt>nil</tt> - No method name could be found. Raise ActionNotFound.
# * <tt>nil</tt> - No method name could be found.
def method_for_action(action_name)
if action_method?(action_name) then action_name
elsif respond_to?(:action_missing, true) then "_handle_action_missing"
end
end
# Checks if the action name is valid and returns false otherwise.
def _valid_action_name?(action_name)
action_name.to_s !~ Regexp.new(File::SEPARATOR)
end
end
end

6
actionpack/lib/action_dispatch/middleware/session/cache_store.rb
View File

@@ -16,9 +16,9 @@ module ActionDispatch
# Get a session from the cache.
def get_session(env, sid)
sid ||= generate_sid
session = @cache.read(cache_key(sid))
session ||= {}
unless sid and session = @cache.read(cache_key(sid))
sid, session = generate_sid, {}
end
[sid, session]
end

2
actionpack/lib/action_pack/version.rb
View File

@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

28
actionpack/lib/action_view/template/resolver.rb
View File

@@ -120,13 +120,7 @@ module ActionView
def query(path, details, formats)
query = build_query(path, details)
# deals with case-insensitive file systems.
sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
template_paths = Dir[query].reject { |filename|
File.directory?(filename) ||
!sanitizer[File.dirname(filename)].include?(filename)
}
template_paths = find_template_paths query
template_paths.map { |template|
handler, format = extract_handler_and_format(template, formats)
@@ -139,6 +133,26 @@ module ActionView
}
end
if RUBY_VERSION >= '2.2.0'
def find_template_paths(query)
Dir[query].reject { |filename|
File.directory?(filename) ||
# deals with case-insensitive file systems.
!File.fnmatch(query, filename, File::FNM_EXTGLOB)
}
end
else
def find_template_paths(query)
# deals with case-insensitive file systems.
sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
Dir[query].reject { |filename|
File.directory?(filename) ||
!sanitizer[File.dirname(filename)].include?(filename)
}
end
end
# Helper for building query glob string based on resolver's pattern.
def build_query(path, details)
query = @pattern.dup

17
actionpack/test/controller/new_base/render_implicit_action_test.rb
View File

@@ -6,7 +6,7 @@ module RenderImplicitAction
"render_implicit_action/simple/hello_world.html.erb" => "Hello world!",
"render_implicit_action/simple/hyphen-ated.html.erb" => "Hello hyphen-ated!",
"render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
)]
), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]
def hello_world() end
end
@@ -33,10 +33,25 @@ module RenderImplicitAction
assert_status 200
end
test "render does not traverse the file system" do
assert_raises(AbstractController::ActionNotFound) do
action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
end
end
test "available_action? returns true for implicit actions" do
assert SimpleController.new.available_action?(:hello_world)
assert SimpleController.new.available_action?(:"hyphen-ated")
assert SimpleController.new.available_action?(:not_implemented)
end
test "available_action? does not allow File::SEPARATOR on the name" do
action_name = %w(evil .. .. path).join(File::SEPARATOR)
assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
action_name = %w(evil path).join(File::SEPARATOR)
assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
end
end
end

17
actionpack/test/dispatch/session/cache_store_test.rb
View File

@@ -149,16 +149,15 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
def test_prevents_session_fixation
with_test_route_set do
get '/get_session_value'
assert_response :success
assert_equal 'foo: nil', response.body
session_id = cookies['_session_id']
assert_equal nil, @cache.read('_session_id:0xhax')
reset!
cookies['_session_id'] = '0xhax'
get '/set_session_value'
get '/set_session_value', :_session_id => session_id
assert_response :success
assert_not_equal session_id, cookies['_session_id']
assert_not_equal '0xhax', cookies['_session_id']
assert_equal nil, @cache.read('_session_id:0xhax')
assert_equal({'foo' => 'bar'}, @cache.read("_session_id:#{cookies['_session_id']}"))
end
end
@@ -170,8 +169,8 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
end
@app = self.class.build_app(set) do |middleware|
cache = ActiveSupport::Cache::MemoryStore.new
middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => cache
@cache = ActiveSupport::Cache::MemoryStore.new
middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => @cache
middleware.delete "ActionDispatch::ShowExceptions"
end

20
activemodel/CHANGELOG.md
View File

@@ -1,3 +1,23 @@
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
## Rails 3.2.17 (Feb 18, 2014) ##
* No changes.
## Rails 3.2.16 (Dec 3, 2013) ##
* No changes.
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.

2
activemodel/lib/active_model/version.rb
View File

@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

24
activerecord/CHANGELOG.md
View File

@@ -1,3 +1,27 @@
## Rails 3.2.19 (Jul 2, 2014) ##
* Fix SQL Injection Vulnerability in 'bitstring' quoting.
Fixes CVE-2014-3482.
*Rafael Mendonça França*
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
## Rails 3.2.17 (Feb 18, 2014) ##
* No changes.
## Rails 3.2.16 (Dec 3, 2013) ##
* No changes.
## Rails 3.2.15 (Oct 16, 2013) ##
* When calling the method .find_or_initialize_by_* from a collection_proxy

6
activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
View File

@@ -442,8 +442,8 @@ module ActiveRecord
when 'xml' then "xml '#{quote_string(value)}'"
when /^bit/
case value
when /^[01]*$/ then "B'#{value}'" # Bit-string notation
when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
end
else
super
@@ -1160,7 +1160,7 @@ module ActiveRecord
FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
def exec_no_cache(sql, binds)
@connection.async_exec(sql)
@connection.async_exec(sql, [])
end
def exec_cache(sql, binds)

2
activerecord/lib/active_record/version.rb
View File

@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

5
activerecord/test/cases/adapters/postgresql/quoting_test.rb
View File

@@ -19,6 +19,11 @@ module ActiveRecord
assert_equal 'f', @conn.type_cast(false, nil)
assert_equal 'f', @conn.type_cast(false, c)
end
def test_quote_bit_string
c = PostgreSQLColumn.new(nil, 1, 'bit')
assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
end
end
end
end

21
activeresource/CHANGELOG.md
View File

@@ -1,7 +1,28 @@
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
## Rails 3.2.17 (Feb 18, 2014) ##
* No changes.
## Rails 3.2.16 (Dec 3, 2013) ##
* No changes.
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
## Rails 3.2.14 (Jul 22, 2013) ##
* Fixes an issue that ActiveResource models ignores ActiveResource::Base.include_root_in_json.

2
activeresource/lib/active_resource/version.rb
View File

@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

25
activesupport/CHANGELOG.md
View File

@@ -1,3 +1,28 @@
## Rails 3.2.19 (Jul 2, 2014) ##
* Make sure Active Support configurations are applied correctly.
Before this change configuration set using `config.active_support`
would not be set.
*Rafael Mendonça França*
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
## Rails 3.2.17 (Feb 18, 2014) ##
* No changes.
## Rails 3.2.16 (Dec 3, 2013) ##
* No changes.
## Rails 3.2.15 (Oct 16, 2013) ##
* Fix ActiveSupport::Cache::FileStore#cleanup to no longer rely on missing each_key method.

7
activesupport/lib/active_support/railtie.rb
View File

@@ -55,5 +55,12 @@ module ActiveSupport
Time.zone_default = zone_default
end
initializer "active_support.set_configs" do |app|
app.config.active_support.each do |k, v|
k = "#{k}="
ActiveSupport.send(k, v) if ActiveSupport.respond_to? k
end
end
end
end

2
activesupport/lib/active_support/version.rb
View File

@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

21
railties/CHANGELOG.md
View File

@@ -1,7 +1,28 @@
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
## Rails 3.2.17 (Feb 18, 2014) ##
* No changes.
## Rails 3.2.16 (Dec 3, 2013) ##
* No changes.
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
## Rails 3.2.14 (Jul 22, 2013) ##
* Fix bugs that crashed `rake test:benchmark`, `rails profiler` and

2
railties/lib/rails/version.rb
View File

@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

12
railties/test/application/configuration_test.rb
View File

@@ -454,6 +454,18 @@ module ApplicationTests
assert ActionView::Resolver.caching?
end
test "configure Active Support using config.active_support" do
add_to_config <<-RUBY
config.active_support.escape_html_entities_in_json = true
RUBY
require 'active_support/json'
require "#{app_path}/config/environment"
assert ActiveSupport.escape_html_entities_in_json
assert ActiveSupport::JSON::Encoding.escape_html_entities_in_json
end
test "config.action_dispatch.show_exceptions is sent in env" do
make_basic_app do |app|
app.config.action_dispatch.show_exceptions = true

2
version.rb
View File

@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 17
TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')