From 0f3b7d1a319383f743f9938e1eed00f0fba7a367 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Thu, 17 Apr 2014 16:50:39 -0300
Subject: [PATCH 01/13] Only accept actions without File::SEPARATOR in the name. This will avoid directory traversal in implicit render. Fixes: CVE-2014-0130
---
 actionpack/lib/abstract_controller/base.rb | 28 +++++++++++++++++--
 .../new_base/render_implicit_action_test.rb | 17 ++++++++++-
 2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/actionpack/lib/abstract_controller/base.rb b/actionpack/lib/abstract_controller/base.rb
index fd6a46fbec..2541125ec6 100644
--- a/actionpack/lib/abstract_controller/base.rb
+++ b/actionpack/lib/abstract_controller/base.rb
@@ -112,7 +112,7 @@ module AbstractController
 def process(action, *args)
 @_action_name = action_name = action.to_s
- unless action_name = method_for_action(action_name)
+ unless action_name = _find_action_name(action_name)
 raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
 end
@@ -138,7 +138,7 @@ module AbstractController
 # available action consider actions that are also available
 # through other means, for example, implicit render ones.
 def available_action?(action_name)
- method_for_action(action_name).present?
+ _find_action_name(action_name).present?
 end
 private
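Review bot: Neither call site records why the separator check is routed through `_find_action_name` instead of being put into `method_for_action`, which the surrounding comments present as the hook other modules override (presumably the implicit-render one the commit message refers to); a later refactor that calls `method_for_action` directly from `process` or `available_action?` would silently bypass the check. A one-line comment above the `unless` in `process`, `# _find_action_name validates the name before the overridable method_for_action sees it`, would pin that design decision. The body of `process` continues past the hunk.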
@@ -181,6 +181,23 @@ module AbstractController
 action_missing(@_action_name, *args)
 end
+ # Takes an action name and returns the name of the method that will
+ # handle the action.
+ #
+ # It checks if the action name is valid and returns false otherwise.
+ #
+ # See method_for_action for more information.
+ #
+ # ==== Parameters
+ # * action_name - An action name to find a method name for
+ #
+ # ==== Returns
+ # * string - The name of the method that handles the action
+ # * false - No valid method name could be found. Raise ActionNotFound.
+ def _find_action_name(action_name)
+ _valid_action_name?(action_name) && method_for_action(action_name)
+ end
+
 # Takes an action name and returns the name of the method that will
 # handle the action. In normal cases, this method returns the same
 # name as it receives. By default, if #method_for_action receives
@@ -203,11 +220,16 @@ module AbstractController
 #
 # ==== Returns
 # * string - The name of the method that handles the action
- # * nil - No method name could be found. Raise ActionNotFound.
+ # * nil - No method name could be found.
 def method_for_action(action_name)
 if action_method?(action_name) then action_name
 elsif respond_to?(:action_missing, true) then "_handle_action_missing"
 end
 end
+
+ # Checks if the action name is valid and returns false otherwise.
+ def _valid_action_name?(action_name)
+ action_name.to_s !~ Regexp.new(File::SEPARATOR)
+ end
 end
 end
diff --git a/actionpack/test/controller/new_base/render_implicit_action_test.rb b/actionpack/test/controller/new_base/render_implicit_action_test.rb
index 1e2191d417..5b4885f7e0 100644
--- a/actionpack/test/controller/new_base/render_implicit_action_test.rb
+++ b/actionpack/test/controller/new_base/render_implicit_action_test.rb
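Review bot: `_valid_action_name?` rejects only `File::SEPARATOR`, so on a Ruby where `File::ALT_SEPARATOR` is set (Windows, where it is `"\\"`) an action name containing a backslash passes the guard; whether the resolver's glob then treats that backslash as a directory separator is platform-dependent, but a name containing either separator has no legitimate use as an action, so there is no reason to let it through. Rejecting both, `seps = [File::SEPARATOR, File::ALT_SEPARATOR].compact` followed by `seps.none? { |sep| action_name.to_s.include?(sep) }`, closes that gap and also drops the `Regexp.new` that is compiled on every request. The comment above the method should say what "valid" means here: `# An action name may not contain a path separator: implicit render uses it as a template path.`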
@@ -6,7 +6,7 @@ module RenderImplicitAction
 "render_implicit_action/simple/hello_world.html.erb" => "Hello world!",
 "render_implicit_action/simple/hyphen-ated.html.erb" => "Hello hyphen-ated!",
 "render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
- )]
+ ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]
 def hello_world() end
 end
@@ -33,10 +33,25 @@ module RenderImplicitAction
 assert_status 200
 end
+ test "render does not traverse the file system" do
+ assert_raises(AbstractController::ActionNotFound) do
+ action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
+ SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
+ end
+ end
+
 test "available_action? returns true for implicit actions" do
 assert SimpleController.new.available_action?(:hello_world)
 assert SimpleController.new.available_action?(:"hyphen-ated")
 assert SimpleController.new.available_action?(:not_implemented)
 end
+
+ test "available_action? does not allow File::SEPARATOR on the name" do
+ action_name = %w(evil .. .. path).join(File::SEPARATOR)
+ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+
+ action_name = %w(evil path).join(File::SEPARATOR)
+ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+ end
 end
 end
From 4e8f1d258854d0d6a6bff5955ef1aeb4fbb1dc00 Mon Sep 17 00:00:00 2001
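Review bot: The `ActionView::FileSystemResolver` appended to `view_paths` in the first hunk appears to exist only so the traversal test has a real directory to escape into via `../../fixtures/shared`, but nothing says so, and it now applies to every test in `SimpleController`, which previously rendered only from the in-memory `FixtureResolver`. A comment on that line, `# real on-disk resolver so the traversal test below has something to reach through ..`, would record the intent and warn anyone adding templates to that directory. The head of the `SimpleController` class (and its `view_paths` assignment) starts before the hunk.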
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Mon, 5 May 2014 13:17:18 -0300 Subject: [PATCH 02/13] Preparing for 3.2.18 release --- RAILS_VERSION | 2 +- actionmailer/CHANGELOG.md | 15 +++++++++++++++ actionmailer/lib/action_mailer/version.rb | 2 +- actionpack/CHANGELOG.md | 14 ++++++++++++++ actionpack/lib/action_pack/version.rb | 2 +- activemodel/CHANGELOG.md | 15 +++++++++++++++ activemodel/lib/active_model/version.rb | 2 +- activerecord/CHANGELOG.md | 15 +++++++++++++++ activerecord/lib/active_record/version.rb | 2 +- activeresource/CHANGELOG.md | 16 ++++++++++++++++ activeresource/lib/active_resource/version.rb | 2 +- activesupport/CHANGELOG.md | 15 +++++++++++++++ activesupport/lib/active_support/version.rb | 2 +- railties/CHANGELOG.md | 16 ++++++++++++++++ railties/lib/rails/version.rb | 2 +- version.rb | 2 +- 16 files changed, 115 insertions(+), 9 deletions(-) diff --git a/RAILS_VERSION b/RAILS_VERSION index ff8001a0f1..f05489d385 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.17 +3.2.18 diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index b8c375306e..94d3f54bea 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index e33d01ac4c..8212a9b108 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb @@ -2,7 +2,7 @@ module ActionMailer module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 6269123de3..1264e859b3 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
@@ -1,3 +1,16 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* Only accept actions without File::SEPARATOR in the name. + + This will avoid directory traversal in implicit render. + + Fixes: CVE-2014-0130 + + *Rafael Mendonça França* + + +## Rails 3.2.17 (Feb 18, 2014) ## + * Use the reference for the mime type to get the format Fixes: CVE-2014-0082 @@ -6,6 +19,7 @@ Fixes: CVE-2014-0081 + ## Rails 3.2.16 (Dec 12, 2013) ## * Deep Munge the parameters for GET and POST Fixes CVE-2013-6417 diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 4d278814c8..ac6d3343b9 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,7 +2,7 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index 7db08549d9..fb4bfda149 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index 08d437cbc2..e675c7454c 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -2,7 +2,7 @@ module ActiveModel module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 878e5eeebc..6ac368f379 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md 
@@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * When calling the method .find_or_initialize_by_* from a collection_proxy diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index cced9eae8f..3dd782af9f 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -2,7 +2,7 @@ module ActiveRecord module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md index c1f0fa3403..4a555cf6b8 100644 --- a/activeresource/CHANGELOG.md +++ b/activeresource/CHANGELOG.md @@ -1,7 +1,23 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. + ## Rails 3.2.14 (Jul 22, 2013) ## * Fixes an issue that ActiveResource models ignores ActiveResource::Base.include_root_in_json. diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index ea9b7a51e9..dee96b8fd8 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -2,7 +2,7 @@ module ActiveResource module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 29f7db53eb..e22aded195 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md 
@@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * Fix ActiveSupport::Cache::FileStore#cleanup to no longer rely on missing each_key method. diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index 95faab1dd6..10c9fca86c 100644 --- a/activesupport/lib/active_support/version.rb +++ b/activesupport/lib/active_support/version.rb @@ -2,7 +2,7 @@ module ActiveSupport module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 3e075a8f9f..ce832d12ee 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,7 +1,23 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. + ## Rails 3.2.14 (Jul 22, 2013) ## * Fix bugs that crashed `rake test:benchmark`, `rails profiler` and diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index 38890e162d..ec2f5467f0 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/version.rb b/version.rb index 38890e162d..ec2f5467f0 100644 --- a/version.rb +++ b/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') From 50d6b4549d56ac3a82f2096bd479a7b2305b0bf3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 6 May 2014 11:41:30 -0300 Subject: [PATCH 03/13] Fix broken tests of the previous release --- Gemfile | 2 +- actionpack/test/template/number_helper_i18n_test.rb | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile b/Gemfile index 8c5cbb2ab1..633444212b 100644 --- a/Gemfile +++ b/Gemfile @@ -22,7 +22,7 @@ end gem 'uglifier', '>= 1.0.3', :require => false gem 'rake', '>= 0.8.7' -gem 'mocha', '>= 0.13.0', :require => false +gem 'mocha', '~> 0.14', :require => false group :doc do # The current sdoc cannot generate GitHub links due diff --git a/actionpack/test/template/number_helper_i18n_test.rb b/actionpack/test/template/number_helper_i18n_test.rb index d6e9de9555..5a3250e949 100644 --- a/actionpack/test/template/number_helper_i18n_test.rb +++ b/actionpack/test/template/number_helper_i18n_test.rb @@ -7,7 +7,7 @@ class NumberHelperTest < ActionView::TestCase I18n.backend.store_translations 'ts', :number => { :format => { :precision => 3, :delimiter => ',', :separator => '.', :significant => false, :strip_insignificant_zeros => false }, - :currency => { :format => { :unit => '&$', :format => '%u - %n', :negative_format => '(%u - %n)', :precision => 2 } }, + :currency => { :format => { :unit => '$$$', :format => '%u - %n', :negative_format => '(%u - %n)', :precision => 2 } }, :human => { :format => { :precision => 2, 
@@ -42,9 +42,9 @@ class NumberHelperTest < ActionView::TestCase end def test_number_to_i18n_currency - assert_equal("&$ - 10.00", number_to_currency(10, :locale => 'ts')) - assert_equal("(&$ - 10.00)", number_to_currency(-10, :locale => 'ts')) - assert_equal("-10.00 - &$", number_to_currency(-10, :locale => 'ts', :format => "%n - %u")) + assert_equal("$$$ - 10.00", number_to_currency(10, :locale => 'ts')) + assert_equal("($$$ - 10.00)", number_to_currency(-10, :locale => 'ts')) + assert_equal("-10.00 - $$$", number_to_currency(-10, :locale => 'ts', :format => "%n - %u")) end def test_number_to_currency_with_clean_i18n_settings @@ -53,7 +53,7 @@ class NumberHelperTest < ActionView::TestCase assert_equal("-$10.00", number_to_currency(-10)) end end - + def test_number_to_currency_without_currency_negative_format clean_i18n do I18n.backend.store_translations 'ts', :number => { :currency => { :format => { :unit => '@', :format => '%n %u' } } } From 03e016f22aaebf09dc11a44f46598b4357b30de3 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Fri, 9 May 2014 14:45:43 -0700 Subject: [PATCH 04/13] use fnmatch to test for case insensitive file systems this is due to: https://bugs.ruby-lang.org/issues/5994 --- actionpack/lib/action_view/template/resolver.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb index f855ea257c..51dd07a02f 100644 --- a/actionpack/lib/action_view/template/resolver.rb +++ b/actionpack/lib/action_view/template/resolver.rb 
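Review bot: Replacing the fixture unit `&$` with `$$$` makes the three currency assertions pass, but it also removes the only unit in this test that contains an HTML-special character, so nothing here pins how `number_to_currency` treats such a unit now (presumably it is escaped, which is what broke the old expectations — the commit message only says the tests were broken). Keeping one assertion with the old `&$` unit and whatever the helper now emits for it would turn the behaviour change into a tested contract instead of hiding it. `test_number_to_currency_with_clean_i18n_settings` starts before this hunk and `test_number_to_currency_without_currency_negative_format` continues past it.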
@@ -120,12 +120,10 @@ module ActionView
 def query(path, details, formats)
 query = build_query(path, details)
- # deals with case-insensitive file systems.
- sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
-
 template_paths = Dir[query].reject { |filename|
 File.directory?(filename) ||
- !sanitizer[File.dirname(filename)].include?(filename)
+ # deals with case-insensitive file systems.
+ !File.fnmatch(query, filename, File::FNM_EXTGLOB)
 }
 template_paths.map { |template|
From c40df470556646a90a9070a077f19f8e520304f4 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Sat, 10 May 2014 11:52:13 -0700
Subject: [PATCH 05/13] feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053
---
 .../lib/action_view/template/resolver.rb | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 51dd07a02f..27d11ab6fb 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -120,11 +120,7 @@ module ActionView
 def query(path, details, formats)
 query = build_query(path, details)
- template_paths = Dir[query].reject { |filename|
- File.directory?(filename) ||
- # deals with case-insensitive file systems.
- !File.fnmatch(query, filename, File::FNM_EXTGLOB)
- }
+ template_paths = find_template_paths query
 template_paths.map { |template|
 handler, format = extract_handler_and_format(template, formats)
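Review bot: The replacement check keeps only `# deals with case-insensitive file systems.`, which no longer explains the mechanism now that the parent-directory listing is gone: `File.fnmatch` is case-sensitive unless `FNM_CASEFOLD` is passed, so a path that `Dir[query]` matched only by case-folding fails the re-match and is rejected, and `FNM_EXTGLOB` is what keeps the `{a,b}` alternatives of the query pattern working. Expanding the comment to `# Dir[] case-folds on case-insensitive file systems; re-match case-sensitively (FNM_EXTGLOB keeps the {} alternatives) so a differently-cased file is never served` and citing the Ruby bug the commit message links would make the line self-explanatory. The rest of `query` continues past the hunk.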
@@ -137,6 +133,26 @@ module ActionView
 }
 end
+ if File.const_defined? :FNM_EXTGLOB
+ def find_template_paths(query)
+ Dir[query].reject { |filename|
+ File.directory?(filename) ||
+ # deals with case-insensitive file systems.
+ !File.fnmatch(query, filename, File::FNM_EXTGLOB)
+ }
+ end
+ else
+ def find_template_paths(query)
+ # deals with case-insensitive file systems.
+ sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
+
+ Dir[query].reject { |filename|
+ File.directory?(filename) ||
+ !sanitizer[File.dirname(filename)].include?(filename)
+ }
+ end
+ end
+
 # Helper for building query glob string based on resolver's pattern.
 def build_query(path, details)
 query = @pattern.dup
From 6a051299f98ee43864326c6c0a4f7d169d22b3f8 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Sun, 18 May 2014 12:00:03 -0700
Subject: [PATCH 06/13] Feature detect based on Ruby version. I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob returns the wrong value on Ruby less than 2.2.0. Checking for a case-insensitive FS seems too hard, so just check Ruby version Checking for a case-insensitive FS seems too hard, so just check Ruby version.
---
 actionpack/lib/action_view/template/resolver.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 27d11ab6fb..47ea8a3c9b 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -133,7 +133,7 @@ module ActionView
 }
 end
- if File.const_defined? :FNM_EXTGLOB
+ if RUBY_VERSION >= '2.2.0'
 def find_template_paths(query)
 Dir[query].reject { |filename|
 File.directory?(filename) ||
From fca3cc23fa02d7ed0117260e6209572ef001cc04 Mon Sep 17 00:00:00 2001
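Review bot: The two `find_template_paths` definitions are selected at load time, but a reader has to diff them to see that both reject directories and differ only in how they detect a case-folded glob hit; a comment above the `if`, `# Two implementations of the case-insensitive-FS guard: re-match with fnmatch where FNM_EXTGLOB exists, otherwise compare against a listing of the parent directory`, would say so once. Both branches still carry the bare `# deals with case-insensitive file systems.`, which names the goal but not why a directory listing or a case-sensitive re-match achieves it. The fallback branch also rebuilds the `sanitizer` listing on every call, exactly as the code it was moved from did.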
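Review bot: `RUBY_VERSION >= '2.2.0'` is a String comparison, so it orders versions lexicographically and would classify a hypothetical `'2.10.0'` as older than `'2.2.0'`; it happens to hold for every Ruby released so far, but it is fragile for what is meant to be a version check. `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.2.0')` compares numerically, assuming RubyGems is loaded by the time this file is (under Bundler, which the Gemfile in this series implies, it is). The commit message's reasoning — `FNM_EXTGLOB` exists on 2.1 but `Dir.glob` returns the wrong case below 2.2 — belongs next to the `if` as a comment, since the constant check it replaces was self-explanatory and this one is not.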
From: Vishal Zambre Date: Wed, 18 Jun 2014 10:51:27 +0530 Subject: [PATCH 07/13] File.exists? is a deprecated name, use File.exist? File.exists? is a deprecated name, use File.exist? --- activesupport/lib/active_support/file_update_checker.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/activesupport/lib/active_support/file_update_checker.rb b/activesupport/lib/active_support/file_update_checker.rb index a4ad2da137..2e0e873fda 100644 --- a/activesupport/lib/active_support/file_update_checker.rb +++ b/activesupport/lib/active_support/file_update_checker.rb @@ -95,7 +95,7 @@ module ActiveSupport def updated_at #:nodoc: @updated_at || begin all = [] - all.concat @files.select { |f| File.exists?(f) } + all.concat @files.select { |f| File.exist?(f) } all.concat Dir[@glob] if @glob all.map { |path| File.mtime(path) }.max || Time.at(0) end From bc90ea63e9937d2eee3da7dce022bf4bed10e49a Mon Sep 17 00:00:00 2001 From: Guillermo Iguaran Date: Wed, 18 Jun 2014 00:37:46 -0500 Subject: [PATCH 08/13] Revert "Merge pull request #15794 from vishalzambre/patch-1" This reverts commit 6d800a909e24465ca6f3fa5206222fa7d78967f6, reversing changes made to 6a051299f98ee43864326c6c0a4f7d169d22b3f8. We don't apply non-security fixes to 3-2-stable branch!!! --- activesupport/lib/active_support/file_update_checker.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/activesupport/lib/active_support/file_update_checker.rb b/activesupport/lib/active_support/file_update_checker.rb index 2e0e873fda..a4ad2da137 100644 --- a/activesupport/lib/active_support/file_update_checker.rb +++ b/activesupport/lib/active_support/file_update_checker.rb @@ -95,7 +95,7 @@ module ActiveSupport def updated_at #:nodoc: @updated_at || begin all = [] - all.concat @files.select { |f| File.exist?(f) } + all.concat @files.select { |f| File.exists?(f) } all.concat Dir[@glob] if @glob all.map { |path| File.mtime(path) }.max || Time.at(0) end 
From 297bff7f8f01fbda2a6bacaed4afb3d060292b9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Thu, 26 Jun 2014 18:37:48 -0300
Subject: [PATCH 09/13] Make sure Active Support configurations are applied correctly Before this patch configuration set using config.active_support would not be set. Closes #15364
---
 activesupport/lib/active_support/railtie.rb | 7 +++++++
 railties/test/application/configuration_test.rb | 12 ++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/activesupport/lib/active_support/railtie.rb b/activesupport/lib/active_support/railtie.rb
index 1638512af0..65851a0937 100644
--- a/activesupport/lib/active_support/railtie.rb
+++ b/activesupport/lib/active_support/railtie.rb
@@ -55,5 +55,12 @@ module ActiveSupport
 Time.zone_default = zone_default
 end
+
+ initializer "active_support.set_configs" do |app|
+ app.config.active_support.each do |k, v|
+ k = "#{k}="
+ ActiveSupport.send(k, v) if ActiveSupport.respond_to? k
+ end
+ end
 end
 end
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index eb16713455..626dd64ea6 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -454,6 +454,18 @@ module ApplicationTests
 assert ActionView::Resolver.caching?
 end
+ test "configure Active Support using config.active_support" do
+ add_to_config <<-RUBY
+ config.active_support.escape_html_entities_in_json = true
+ RUBY
+
+ require 'active_support/json'
+ require "#{app_path}/config/environment"
+
+ assert ActiveSupport.escape_html_entities_in_json
+ assert ActiveSupport::JSON::Encoding.escape_html_entities_in_json
+ end
+
 test "config.action_dispatch.show_exceptions is sent in env" do
 make_basic_app do |app|
 app.config.action_dispatch.show_exceptions = true
From 3622858ed514493f730649d87428e12de1501ed8 Mon Sep 17 00:00:00 2001
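Review bot: Reassigning the block parameter `k` to the setter name (`k = "#{k}="`) makes the next line read as if it were probing the config key itself; `setter = "#{k}="` followed by `ActiveSupport.send(setter, v) if ActiveSupport.respond_to?(setter)` keeps key and method name distinct. Keys without a matching writer are silently skipped, which is presumably intended for options the earlier initializers in this railtie already consume (the hunk shows `Time.zone_default` being set just above), but a comment, `# only options with a matching ActiveSupport writer; the rest are handled by the initializers above`, would stop a reader from taking the silence for a bug. Since `respond_to?` is called without the second argument, only public writers qualify, so `send` cannot reach a private method here.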
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Thu, 26 Jun 2014 22:10:32 -0300
Subject: [PATCH 10/13] Use a version of execjs compatible with Ruby 1.8
---
 Gemfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Gemfile b/Gemfile
index 633444212b..5ece0b8d29 100644
--- a/Gemfile
+++ b/Gemfile
@@ -21,6 +21,9 @@ end
 # it being automatically loaded by sprockets
 gem 'uglifier', '>= 1.0.3', :require => false
+# execjs >= 2.1.0 doesn't work with Ruby 1.8
+gem 'execjs', '< 2.1.0'
+
 gem 'rake', '>= 0.8.7'
 gem 'mocha', '~> 0.14', :require => false
From 1f2192e46d78ee0ba2b06373f2c24caf8440ff5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Thu, 5 Jun 2014 12:34:07 -0300
Subject: [PATCH 11/13] Check against bit string values using multiline regexp Fix CVE-2014-3482.
---
 .../active_record/connection_adapters/postgresql_adapter.rb | 6 +++---
 activerecord/test/cases/adapters/postgresql/quoting_test.rb | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
index e98337e7d5..3cd65d0bf5 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
@@ -442,8 +442,8 @@ module ActiveRecord
 when 'xml' then "xml '#{quote_string(value)}'"
 when /^bit/
 case value
- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
+ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
+ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
 end
 else
 super
@@ -1160,7 +1160,7 @@ module ActiveRecord
 FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
 def exec_no_cache(sql, binds)
- @connection.async_exec(sql)
+ @connection.async_exec(sql, [])
 end
 def exec_cache(sql, binds)
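Review bot: `\Z` still matches before a single trailing newline, so `"01\n"` satisfies `/\A[01]*\Z/` and is interpolated as `B'01\n'`; the newline stays inside the quotes because `'` is outside both character classes, so this is not an injection, but the strict end-of-string anchor is `\z` and there is no reason to admit the newline: `when /\A[01]*\z/ then "B'#{value}'"` and `when /\A[0-9A-F]*\z/i then "X'#{value}'"`. A comment on the inner `case`, `# value is interpolated unquoted: the whole-string anchors are the only thing keeping it a bit/hex literal`, would protect the fix from being "simplified" back to `^`/`$`. The enclosing `quote` method starts and ends outside the hunk.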
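Review bot: Passing an empty params array to `async_exec` is mentioned neither in the commit message nor in the code, yet it is the part of the fix that changes the wire protocol: with a params argument libpq uses the extended query protocol, which accepts exactly one statement per call, so a smuggled `; SELECT ...` is rejected by the server even if quoting is bypassed elsewhere. That deserves a comment on the line, `# [] forces the extended protocol: one statement per call, so stacked queries are refused server-side`. Any other call site that still invokes `async_exec(sql)` without params does not get this protection; only this one is touched here, and `exec_cache` directly below is cut off by the hunk.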
diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb index 172055f15c..cfdf16d48d 100644 --- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb +++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb @@ -19,6 +19,11 @@ module ActiveRecord assert_equal 'f', @conn.type_cast(false, nil) assert_equal 'f', @conn.type_cast(false, c) end + + def test_quote_bit_string + c = PostgreSQLColumn.new(nil, 1, 'bit') + assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c) + end end end end From 53c845cb185036c71cc9793c4eb6bf4dc989307b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Wed, 2 Jul 2014 12:55:09 -0300 Subject: [PATCH 12/13] Preparing for 3.2.19 release --- RAILS_VERSION | 2 +- actionmailer/CHANGELOG.md | 5 +++++ actionmailer/lib/action_mailer/version.rb | 2 +- actionpack/CHANGELOG.md | 2 ++ actionpack/lib/action_pack/version.rb | 2 +- activemodel/CHANGELOG.md | 5 +++++ activemodel/lib/active_model/version.rb | 2 +- activerecord/CHANGELOG.md | 9 +++++++++ activerecord/lib/active_record/version.rb | 2 +- activeresource/CHANGELOG.md | 5 +++++ activeresource/lib/active_resource/version.rb | 2 +- activesupport/CHANGELOG.md | 10 ++++++++++ activesupport/lib/active_support/version.rb | 2 +- railties/CHANGELOG.md | 5 +++++ railties/lib/rails/version.rb | 2 +- version.rb | 2 +- 16 files changed, 50 insertions(+), 9 deletions(-) diff --git a/RAILS_VERSION b/RAILS_VERSION index f05489d385..100838dc41 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.18 +3.2.19 diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index 94d3f54bea..d7ed55ef4c 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. 
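Review bot: `test_quote_bit_string` only asserts that the stacked-query payload yields `nil`; nothing in the file pins that ordinary values still quote as bit or hex literals, so a regression that made the `case` return `nil` for every value would pass. If `quote` reaches the bit branch for a `'bit'` column as the existing assertion implies, `assert_equal "B'01'", @conn.quote('01', c)` and `assert_equal "X'0F'", @conn.quote('0F', c)` would anchor both arms, and a value consisting of digits plus a trailing newline (`"01\n"`) would document whichever behaviour the anchors are meant to have. `assert_nil` also reads better than `assert_equal nil` for the existing assertion.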
diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index 8212a9b108..f769dcacfd 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb @@ -2,7 +2,7 @@ module ActionMailer module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 643e926312..15fc0af20e 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,5 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + * Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with `options[:raise]`. diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index ac6d3343b9..3dc00b99fe 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,7 +2,7 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index fb4bfda149..4f2e4e1959 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index e675c7454c..3137205802 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -2,7 +2,7 @@ module ActiveModel module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 6ac368f379..0334f4454e 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md 
@@ -1,3 +1,12 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* Fix SQL Injection Vulnerability in 'bitstring' quoting. + + Fixes CVE-2014-3482. + + *Rafael Mendonça França* + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 3dd782af9f..cc73a14f7c 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -2,7 +2,7 @@ module ActiveRecord module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md index 4a555cf6b8..64509399e8 100644 --- a/activeresource/CHANGELOG.md +++ b/activeresource/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index dee96b8fd8..5e8910f386 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -2,7 +2,7 @@ module ActiveResource module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index e22aded195..6123be4ab4 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,3 +1,13 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* Make sure Active Support configurations are applied correctly. + + Before this change configuration set using `config.active_support` + would not be set. + + *Rafael Mendonça França* + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index 10c9fca86c..6fdf950bc0 100644 --- a/activesupport/lib/active_support/version.rb 
+++ b/activesupport/lib/active_support/version.rb @@ -2,7 +2,7 @@ module ActiveSupport module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index ce832d12ee..0ff661cc9f 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index ec2f5467f0..ef640c9dab 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/version.rb b/version.rb index ec2f5467f0..ef640c9dab 100644 --- a/version.rb +++ b/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') From 11fd052aa815ae0255ea5b2463e88138fb3fec61 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Wed, 9 Jul 2014 21:49:37 -0300 Subject: [PATCH 13/13] Regenerate sid when sbdy tries to fixate the session Fixed broken test. Thanks Stephen Richards for reporting. --- .../middleware/session/cache_store.rb | 6 +++--- .../test/dispatch/session/cache_store_test.rb | 17 ++++++++--------- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/actionpack/lib/action_dispatch/middleware/session/cache_store.rb b/actionpack/lib/action_dispatch/middleware/session/cache_store.rb index 1db6194271..625050dc4b 100644 --- a/actionpack/lib/action_dispatch/middleware/session/cache_store.rb +++ b/actionpack/lib/action_dispatch/middleware/session/cache_store.rb 
@@ -16,9 +16,9 @@ module ActionDispatch
 # Get a session from the cache.
 def get_session(env, sid)
- sid ||= generate_sid
- session = @cache.read(cache_key(sid))
- session ||= {}
+ unless sid and session = @cache.read(cache_key(sid))
+ sid, session = generate_sid, {}
+ end
 [sid, session]
 end
diff --git a/actionpack/test/dispatch/session/cache_store_test.rb b/actionpack/test/dispatch/session/cache_store_test.rb
index 73e056de23..0d88d1d29e 100644
--- a/actionpack/test/dispatch/session/cache_store_test.rb
+++ b/actionpack/test/dispatch/session/cache_store_test.rb
@@ -149,16 +149,15 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
 def test_prevents_session_fixation
 with_test_route_set do
- get '/get_session_value'
- assert_response :success
- assert_equal 'foo: nil', response.body
- session_id = cookies['_session_id']
+ assert_equal nil, @cache.read('_session_id:0xhax')
- reset!
+ cookies['_session_id'] = '0xhax'
+ get '/set_session_value'
- get '/set_session_value', :_session_id => session_id
 assert_response :success
- assert_not_equal session_id, cookies['_session_id']
+ assert_not_equal '0xhax', cookies['_session_id']
+ assert_equal nil, @cache.read('_session_id:0xhax')
+ assert_equal({'foo' => 'bar'}, @cache.read("_session_id:#{cookies['_session_id']}"))
 end
 end
@@ -170,8 +169,8 @@ class CacheStoreTest < ActionDispatch::IntegrationTest
 end
 @app = self.class.build_app(set) do |middleware|
- cache = ActiveSupport::Cache::MemoryStore.new
- middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => cache
+ @cache = ActiveSupport::Cache::MemoryStore.new
+ middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => @cache
 middleware.delete "ActionDispatch::ShowExceptions"
 end
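Review bot: The new `get_session` discards a `sid` that is not in the cache and mints a fresh one instead of adopting whatever the client presented, which is the whole fixation defence, but nothing in the code says so; a comment above the `unless`, `# an id with no cache entry was never issued by us: discard it rather than let the client choose its own`, would keep the next edit from reinstating `sid ||= generate_sid`. Style-wise, `unless` combined with `and` and an inline assignment is the form the style guide flags; `session = sid && @cache.read(cache_key(sid))` then `sid, session = generate_sid, {} unless session` and `[sid, session]` says the same thing without the precedence trap. A known id whose entry expired from the cache is also replaced, which is fine but worth the same comment noting it.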