Updated to latest rails + a patch of our own (in url_helper, ticket #294)
js (author)
Sun Jun 01 11:14:03 -0700 2008
commit  5e076bdf115789a0ab279f3b0ba9e4214020d669
tree    216914ee5141a90f4b691d8316d3d30c0964dda8
parent  5b6844692e9d34478e00a9e7800a594e6050afc4
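--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -11,12 +11,12 @@ describe UsersHelper do
       Need to investigate if this is a Rails bug and
       either fix it there or let go of obfuscation.
     }
- pending(message) do
+ #pending(message) do
       email = "aAT@NOSPAM@bDOTcom"
       encoded = (0...email.length).inject("") do |result, index|
         result << sprintf("%%%x",email[index])
       end
       helper.encoded_mail_to("a@b.com").should match(/#{encoded}/)
- end
+ #end
   end
 end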
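Review bot: Commenting out `pending(message) do` and its matching `end` (the `#pending` / `#end` lines) leaves dead code and an unused `message` local in the example; if the example now passes against the patched helper, delete the wrapper and the message string outright, and if it does not, keep `pending` so the suite keeps recording it as unfinished. The expectation also depends on `email[index]` being an Integer for `sprintf("%%%x", …)`, which holds on the Ruby this file targets but not where `String#[]` returns a one-character String; building the expected value with `encoded = ""; email.each_byte { |byte| encoded << sprintf("%%%x", byte) }` removes that dependency. The `it` example and the `message` string literal both begin above the hunk.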
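--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -444,7 +444,7 @@ module ActionView
         email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
 
         if encode == "javascript"
- "document.write('#{content_tag("a", name || email_address, html_options.merge({ "href" => "mailto:"+email_address+extras }))}');".each_byte do |c|
+ "document.write('#{content_tag("a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:"+email_address_obfuscated+extras }))}');".each_byte do |c|
             string << sprintf("%%%x", c)
           end
           "<script type=\"#{Mime::JS}\">eval(unescape('#{string}'))</script>"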
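Review bot: The replacement line puts the obfuscated address into the `href` too (`"mailto:"+email_address_obfuscated+extras`), so the javascript-encoded link now targets `mailto:me(at)domain(dot)com`, which is not a deliverable address; the hex branch exercised by the UrlHelperTest assertions further down keeps the real address in the href and obfuscates only the visible text, and this branch should do the same: keep `html_options.merge({ "href" => "mailto:"+email_address+extras })` and change only the display part to `name || email_address_obfuscated`. The hex-escaped expectation this commit adds to UrlHelperTest encodes the obfuscated href and would need to be regenerated from the real address once that is corrected. Separately, and not addressed by this commit, `name` and the html_options values are interpolated into the `document.write('…')` JavaScript string literal with no escaping, so a single quote or a closing script tag in caller-supplied text terminates the literal early; until that is escaped, a comment on the branch such as `# NOTE: name/html_options are inserted into a JS string literal unescaped; only pass trusted values` should warn callers. The enclosing `mail_to` method begins and ends outside the hunk.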
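--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -283,7 +283,7 @@ class UrlHelperTest < ActionView::TestCase
     assert_dom_equal "<a href=\"&#109;&#97;&#105;&#108;&#116;&#111;&#58;%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">&#109;&#101;&#40;&#97;&#116;&#41;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)")
     assert_dom_equal "<a href=\"&#109;&#97;&#105;&#108;&#116;&#111;&#58;%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">My email</a>", mail_to("me@domain.com", "My email", :encode => "hex", :replace_at => "(at)")
     assert_dom_equal "<a href=\"&#109;&#97;&#105;&#108;&#116;&#111;&#58;%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">&#109;&#101;&#40;&#97;&#116;&#41;&#100;&#111;&#109;&#97;&#105;&#110;&#40;&#100;&#111;&#116;&#41;&#99;&#111;&#109;</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
- assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
+ assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%28%61%74%29%64%6f%6d%61%69%6e%28%64%6f%74%29%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
   end
   
   def protect_against_forgery?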
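--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,3 +1,8 @@
+*Edge*
+
+* Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess]
+
+
 *2.1.0 (May 31st, 2008)*
 
 * Add ActiveRecord::Base.sti_name that checks ActiveRecord::Base#store_full_sti_class? and returns either the full or demodulized name. [rick]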
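--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -336,10 +336,11 @@ module ActiveRecord
 
       def add_limit_offset!(sql, options) #:nodoc:
         if limit = options[:limit]
+ limit = sanitize_limit(limit)
           unless offset = options[:offset]
             sql << " LIMIT #{limit}"
           else
- sql << " LIMIT #{offset}, #{limit}"
+ sql << " LIMIT #{offset.to_i}, #{limit}"
           end
         end
       end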
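Review bot: `offset.to_i` closes the interpolation hole but does so silently: a non-numeric offset becomes 0 and the query runs with the wrong window instead of failing, so a caller passing bad input never finds out; if raising is acceptable at this layer, `Integer(offset)` keeps Integers and plain numeric strings while rejecting malformed ones with `ArgumentError`. `sanitize_limit` is not defined in this hunk, so presumably it arrives elsewhere in the commit; the adapter test below expects `"1, 7 procedure help()"` to come out as `1,7`, i.e. a comma-separated pair is still accepted, which deserves a comment at the call site so the behaviour is not later "fixed" into rejecting commas. A why-comment on the added line would also help the next reader: `# limit/offset are interpolated straight into SQL; coerce them so only digits (and a comma pair for limit) reach the query`. The enclosing `add_limit_offset!` method is fully inside the hunk, but its class begins outside it.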
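--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -118,7 +118,7 @@ class AdapterTest < ActiveRecord::TestCase
     sql_inject = "1, 7 procedure help()"
     if current_adapter?(:MysqlAdapter)
       assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
- assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
+ assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=> '1 ; DROP TABLE USERS', :offset=>7)
     else
       assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
       assert_equal " LIMIT 1,7 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)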
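Review bot: The changed assertion still passes `:offset=>7` as an Integer, so the `offset.to_i` coercion this commit adds to add_limit_offset! is never exercised with a string carrying extra text; a companion assertion using an offset value built like the existing `sql_inject` (constructed), e.g. `assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>'1 ; DROP TABLE USERS', :offset=>"7 procedure help()")`, would pin the new behaviour. Swapping `sql_inject` for an inline string only on this line also drops the comma-pair limit case from the MySQL offset path while the `else` branch keeps it, so the two branches no longer check the same inputs; keeping `sql_inject` and adding the new string as a second assertion keeps them parallel. The enclosing test method begins above the hunk.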
