config/initializers/readonly_records.rb db/migrate/20081219130711_unescape_comment_fields.rb spec/controllers/mephisto_controller_spec.rb spec/models/readonly_spec.rb spec/models/user_spec.rb @@ -43,7 +43,10 @@ class AccountController < ApplicationController def activate self.current_user = site.user_by_token(params[:id]) if logged_in? - current_user.reset_token! + # TODO - See security comments on AuthenticatedSystem#login_from_cookie. + ActiveRecord::Base.with_writable_records do + current_user.reset_token! + end else flash[:error] = "Invalid token. Try resending your forgotten password request." end app/controllers/account_controller.rb @@ -138,7 +138,7 @@ class Admin::ArticlesController < Admin::BaseController with_site_timezone do date = Time.parse_from_attributes(params[:article], :published_at, :local) next unless date - params[:article].delete_if { |k, v| k.to_s =~ /^#{:published_at}/ } + params[:article].delete_if { |k, v| k.to_s =~ /\A#{:published_at}/ } params[:article][:published_at] = local_to_utc(date) end end app/controllers/admin/articles_controller.rb @@ -3,6 +3,7 @@ class Admin::AssetsController < Admin::BaseController skip_before_filter :login_required before_filter :find_asset, :except => [:index, :new, :create, :latest, :search, :upload, :clear_bucket] before_filter :login_required + before_filter :protect_action, :except => [:index, :new, :latest, :search] def index search_assets 24 app/controllers/admin/assets_controller.rb @@ -22,7 +22,7 @@ class Admin::BaseController < ApplicationController end def find_and_sort_templates - @layouts, @templates = site.templates.partition { |t| t.dirname.to_s =~ /layouts$/ } + @layouts, @templates = site.templates.partition { |t| t.dirname.to_s =~ /layouts\z/ } end def self.clear_empty_templates_for(model, *attributes) app/controllers/admin/base_controller.rb @@ -7,7 +7,7 @@ class Admin::DesignController < Admin::BaseController return end - if params[:filename] =~ /\.(css|js)$/i + if params[:filename] =~ /\.(css|js)\z/i @resource = @theme.resources.write params[:filename], params[:data] redirect_to url_for_theme(:controller => 'resources', :action => 'edit', :filename => @resource.basename.to_s) else app/controllers/admin/design_controller.rb @@ -3,6 +3,7 @@ class ApplicationController < ActionController::Base include Mephisto::CachingMethods before_filter :set_cache_root + around_filter :get_requests_are_readonly helper_method :site attr_reader :site @@ -14,6 +15,7 @@ class ApplicationController < ActionController::Base end filter_parameter_logging "password" + filter_parameter_logging "token" protected helper_method :admin? @@ -95,6 +97,21 @@ class ApplicationController < ActionController::Base end end + # Much of a web browser's built-in protection against CSRF attacks + # assumes that all GET requests are "safe". Since we don't want to + # rely on getting this 100% right in every controller and plugin, let's + # just enforce this policy globally. You can override this using + # <code>skip_filter :get_requests_are_readonly</code>. + def get_requests_are_readonly + if request.method == :get + ActiveRecord::Base.with_readonly_records do + yield + end + else + yield + end + end + def with_site_timezone old_tz = ENV['TZ'] ENV['TZ'] = site.timezone.name app/controllers/application.rb @@ -6,7 +6,7 @@ class FeedController < ApplicationController def feed sections = params[:sections].clone last = sections.last - sections.delete(last) if last =~ /\.xml$/ + sections.delete(last) if last =~ /\.xml\z/ @section_path = sections.blank? ? '' : sections.join('/') case last when 'all_comments.xml' app/controllers/feed_controller.rb @@ -47,7 +47,19 @@ class MephistoController < ApplicationController redirect_to site.permalink_for(@article) and return end - @comment = @article.comments.build(params[:comment].merge(:user_id => session[:user], :author_ip => request.remote_ip, :user_agent => request.user_agent, :referrer => request.referer)) + # Since this input is utterly untrustworthy (no authenticity_token, + # session, or anything else required), build the record manually. + comment_data = { + :user_id => session[:user], + :author_ip => request.remote_ip, + :user_agent => request.user_agent, + :referrer => request.referer, + :author => params[:comment][:author], + :author_email => params[:comment][:author_email], + :author_url => params[:comment][:author_url], + :body => params[:comment][:body] + } + @comment = @article.comments.build(comment_data) @comment.check_approval site, request if @comment.valid? @comment.save! redirect_to dispatch_path(:path => (site.permalink_for(@article)[1..-1].split('/') << 'comments' << @comment.id.to_s), :anchor => @comment.dom_id) app/controllers/mephisto_controller.rb @@ -2,16 +2,25 @@ class CommentDrop < BaseDrop include Mephisto::Liquid::UrlMethods timezone_dates :published_at, :created_at - liquid_attributes.push(*[:author, :author_email, :author_ip, :title]) + liquid_attributes.push(:title) # Not sure who uses this. def initialize(source) super - @liquid.update 'is_approved' => @source.approved?, 'body' => ActionView::Base.white_list_sanitizer.sanitize(@source.body_html) + @liquid.update('is_approved' => @source.approved?, + 'body' => ActionView::Base.white_list_sanitizer.sanitize(@source.body_html)) + + # We used to escape these fields when we saved them to the database. + # Now we've unescaped everything in the database, but we still need to + # preserve backwards compatibility with old themes, which expect these + # values to be escaped. So we escape these fields manually here. + [:author, :author_email, :author_ip].each do |a| + @liquid.update(a.to_s => CGI.escapeHTML(@source.send(a) || '')) + end end - + def author_url return nil if source.author_url.blank? - @source.author_url =~ /^https?:\/\// ? @source.author_url : "http://" + @source.author_url + CGI.escapeHTML(@source.author_url =~ /\Ahttps?:\/\// ? @source.author_url : "http://" + @source.author_url) end def url @@ -23,7 +32,7 @@ class CommentDrop < BaseDrop end def author_link - @source.author_url.blank? ? "#{@source.author}" : %Q{<a href="#{author_url}">#{@source.author}</a>} + @source.author_url.blank? ? "#{@liquid['author']}" : %Q{<a href="#{author_url}">#{@liquid['author']}</a>} end def presentation_class app/drops/comment_drop.rb @@ -28,7 +28,7 @@ module CoreFilters def parse_date(date) return Time.now.utc if date.blank? - date = "#{date}-1" if date.to_s =~ /^\d{4}-\d{1,2}$/ unless [Time, Date].include?(date.class) + date = "#{date}-1" if date.to_s =~ /\A\d{4}-\d{1,2}\z/ unless [Time, Date].include?(date.class) date = date.to_time end app/filters/core_filters.rb @@ -3,7 +3,7 @@ module ApplicationHelper def author_link_for(comment) return h(comment.author) if comment.author_url.blank? - link_to h(comment.author), "#{'http://' unless comment.author_url =~ /^https?:\/\//}#{comment.author_url}" + link_to h(comment.author), "#{'http://' unless comment.author_url =~ /\Ahttps?:\/\//}#{comment.author_url}" end def avatar_for(user, options = {}) app/helpers/application_helper.rb @@ -14,11 +14,11 @@ class Asset < ActiveRecord::Base class << self def movie?(content_type) - content_type.to_s =~ /^video/ || extra_content_types[:movie].include?(content_type) + content_type.to_s =~ /\Avideo/ || extra_content_types[:movie].include?(content_type) end def audio?(content_type) - content_type.to_s =~ /^audio/ || extra_content_types[:audio].include?(content_type) + content_type.to_s =~ /\Aaudio/ || extra_content_types[:audio].include?(content_type) end def other?(content_type) @@ -72,7 +72,7 @@ class Asset < ActiveRecord::Base def public_filename_with_host(thumbnail = nil) returning public_filename_without_host(thumbnail) do |s| - s.gsub! /^\/assets\/[^\/]+\//, "/assets/#{$1}" if Site.multi_sites_enabled + s.gsub! /\A\/assets\/[^\/]+\//, "/assets/#{$1}" if Site.multi_sites_enabled end end alias_method_chain :public_filename, :host app/models/asset.rb @@ -7,14 +7,13 @@ class Comment < Content before_validation :clean_up_author_url after_validation_on_create :snag_article_attributes before_create :check_comment_expiration - before_create :sanitize_attributes before_save :update_counter_cache before_destroy :decrement_counter_cache belongs_to :article has_one :event, :dependent => :destroy before_create :check_if_previewing - attr_accessible :article, :article_id, :user_id, :user, :excerpt, :body, :author, :author_url, :author_email, :author_ip, :updater_id, :updater, :comment_age, :user_agent, :referrer, :preview + attr_accessible :article, :article_id, :user_id, :user, :excerpt, :body, :author, :author_url, :author_email, :author_ip, :user_agent, :referrer, :preview attr_accessor :preview class Previewing < StandardError; end @@ -78,12 +77,6 @@ class Comment < Content end protected - def sanitize_attributes - [:author, :author_url, :author_email, :author_ip, :user_agent, :referrer].each do |a| - self.send("#{a}=", CGI::escapeHTML(self.send(a).to_s)) - end - end - def snag_article_attributes self.filter ||= article.site.filter [:site, :title, :published_at, :permalink].each { |a| self.send("#{a}=", article.send(a)) } app/models/comment.rb @@ -20,8 +20,8 @@ class Resources < Attachments def [](filename) path = case filename - when /\.js$/i then 'javascripts' - when /\.css$/i then 'stylesheets' + when /\.js\z/i then 'javascripts' + when /\.css\z/i then 'stylesheets' else 'images' end app/models/resources.rb @@ -260,8 +260,8 @@ class Site < ActiveRecord::Base end def check_permalink_style - permalink_style.sub! /^\//, '' - permalink_style.sub! /\/$/, '' + permalink_style.sub! /\A\//, '' + permalink_style.sub! /\/\z/, '' pieces = permalink_style.split('/') errors.add :permalink_style, 'cannot have blank paths' if pieces.any?(&:blank?) pieces.each do |p| app/models/site.rb @@ -7,8 +7,8 @@ class Templates < Attachments end def [](template_name) - template_name = File.basename(template_name.to_s).sub /#{theme.extension}$/, '' - theme.path + "#{template_name =~ /layout$/ ? 'layouts' : 'templates'}/#{template_name}#{theme.extension}" + template_name = File.basename(template_name.to_s).sub /#{theme.extension}\z/, '' + theme.path + "#{template_name =~ /layout\z/ ? 'layouts' : 'templates'}/#{template_name}#{theme.extension}" end def collect_templates(template_type, *custom_templates) app/models/templates.rb @@ -9,7 +9,7 @@ class Theme dest = options[:to].is_a?(Pathname) ? options[:to] : Pathname.new(options[:to] || '.') basename = dest.basename.to_s if dest.exist? || basename == 'current' - basename = basename =~ /(.*)_(\d+)$/ ? $1 : basename + basename = basename =~ /(.*)_(\d+)\z/ ? $1 : basename number = $2 ? $2.to_i + 1 : 2 dirname = dest.dirname dest = dirname + "#{basename}_#{number}" @@ -27,7 +27,7 @@ class Theme dir_path = Pathname.new(dest + dir) FileUtils.mkdir_p dir_path unless dir_path.exist? z.dir.entries(dir).each do |entry| - next unless entry =~ /(\.\w+)$/ && allowed_extensions.include?($1) + next unless entry =~ /(\.\w+)\z/ && allowed_extensions.include?($1) z.file.open(File.join(dir, entry)) { |zf| File.open(dir_path + entry, 'wb') { |f| f << zf.read } } end end @@ -47,7 +47,7 @@ class Theme @base_path = base @path = Pathname.new(@base_path) end - layout = (@path + "layouts").children(false).select {|v| v.to_s =~ /^layout/}[0] if (@path + "layouts").directory? + layout = (@path + "layouts").children(false).select {|v| v.to_s =~ /\Alayout/}[0] if (@path + "layouts").directory? @extension = layout.extname if layout end app/models/theme.rb @@ -32,6 +32,7 @@ class User < ActiveRecord::Base # Authenticates a user by their login name and unencrypted password. Returns the user or nil. def self.authenticate_for(site, login, password) + return nil if site.nil? || login.nil? || login.blank? || password.nil? || password.blank? u = find(:first, @@membership_options.merge( :conditions => ['users.login = ? and (memberships.site_id = ? or users.admin = ?)', login, site.id, true])) u && u.authenticated?(password) ? u : nil @@ -55,6 +56,7 @@ class User < ActiveRecord::Base end def self.find_by_token(site, token) + return nil if site.nil? || token.nil? || token.blank? find(:first, @@membership_options.merge(:conditions => ['token = ? and token_expires_at > ? and (memberships.site_id = ? or users.admin = ?)', token, Time.now.utc, site.id, true])) end app/models/user.rb @@ -66,8 +66,13 @@ Rails::Initializer.run do |config| config.active_record.observers = [:article_observer, :comment_observer] end - # Allow table tags in untrusted HTML. + # Allow table tags in untrusted HTML, but block img tags to prevent + # SRC attributes from being used in CSRF attacks. config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td'] + config.after_initialize do + ActionView::Base.sanitized_allowed_tags.delete 'img' + ActionView::Base.sanitized_allowed_attributes.delete 'src' + end # We're slowly moving the contents of vendor and vender/plugins into # vendor/gems by adding config.gem declarations. config/environment.rb @@ -1,5 +1,5 @@ # This file is auto-generated from the current state of the database. Instead of editing this file, -# please use the migrations feature of ActiveRecord to incrementally modify your database, and +# please use the migrations feature of Active Record to incrementally modify your database, and # then regenerate this schema definition. # # Note that this schema.rb definition is the authoritative source for your database schema. If you need @@ -9,7 +9,7 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 76) do +ActiveRecord::Schema.define(:version => 20081219130711) do create_table "assets", :force => true do |t| t.string "content_type" @@ -110,8 +110,8 @@ ActiveRecord::Schema.define(:version => 76) do t.integer "assets_count", :default => 0 end - add_index "contents", ["published_at"], :name => "idx_articles_published" add_index "contents", ["article_id", "approved", "type"], :name => "idx_comments" + add_index "contents", ["published_at"], :name => "idx_articles_published" create_table "events", :force => true do |t| t.string "mode" db/schema.rb @@ -74,7 +74,17 @@ module AuthenticatedSystem def login_from_cookie return unless cookies[:token] && !logged_in? self.current_user = site.user_by_token(cookies[:token]) - cookies[:token] = { :value => self.current_user.reset_token! , :expires => self.current_user.token_expires_at } if logged_in? + # TODO - We allow the token to be changed on GET requests and we log + # the user in. I haven't fully analyzed the consequences of allowing + # session and token updates on hostile GET requests triggered by CSRF + # attacks. If this helps out in some kind of attack, it would affect + # almost every single web application in existence. + ActiveRecord::Base.with_writable_records do + cookies[:token] = { + :value => self.current_user.reset_token!, + :expires => self.current_user.token_expires_at + } if logged_in? + end true end lib/authenticated_system.rb @@ -1,6 +1,6 @@ module Format # yes this is valid ruby, even if textmate's highlighter can't grok it - DOMAIN = /^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)+((a[cdefgilmnoqrstuwxz]|aero|arpa)|(b[abdefghijmnorstvwyz]|biz)|(c[acdfghiklmnorsuvxyz]|cat|com|coop)|d[ejkmoz]|(e[ceghrstu]|edu)|f[ijkmor]|(g[abdefghilmnpqrstuwy]|gov)|(h[kmnrtu]#{RAILS_ENV=='test'?'|host':''})|(i[delmnoqrst]|info|int)|(j[emop]|jobs)|k[eghimnprwyz]|l[abcikrstuvy]|(m[acdghklmnopqrstuvwxyz]|mil|mobi|museum)|(n[acefgilopruz]|name|net)|(om|org)|(p[aefghklmnrstwy]|pro)|qa|r[eouw]|s[abcdeghijklmnortvyz]|(t[cdfghjklmnoprtvwz]|travel)|u[agkmsyz]|v[aceginu]|w[fs]|y[etu]|z[amw])$/ unless const_defined?(:DOMAIN) - STRING = /^[a-z0-9-]+$/ + DOMAIN = /\A([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)+((a[cdefgilmnoqrstuwxz]|aero|arpa)|(b[abdefghijmnorstvwyz]|biz)|(c[acdfghiklmnorsuvxyz]|cat|com|coop)|d[ejkmoz]|(e[ceghrstu]|edu)|f[ijkmor]|(g[abdefghilmnpqrstuwy]|gov)|(h[kmnrtu]#{RAILS_ENV=='test'?'|host':''})|(i[delmnoqrst]|info|int)|(j[emop]|jobs)|k[eghimnprwyz]|l[abcikrstuvy]|(m[acdghklmnopqrstuvwxyz]|mil|mobi|museum)|(n[acefgilopruz]|name|net)|(om|org)|(p[aefghklmnrstwy]|pro)|qa|r[eouw]|s[abcdeghijklmnortvyz]|(t[cdfghjklmnoprtvwz]|travel)|u[agkmsyz]|v[aceginu]|w[fs]|y[etu]|z[amw])\z/ unless const_defined?(:DOMAIN) + STRING = /\A[a-z0-9-]+\z/ EMAIL = /(\A(\s*)\Z)|(\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z)/i end \ No newline at end of file lib/format.rb @@ -1,7 +1,7 @@ # Object model of a plugin in plugins/vendor. May or may not have an internal Mephisto::Plugins::Plugin (an AR). module Mephisto class DirectoryPlugin - @@filter = /^mephisto_(\w+)$/ + @@filter = /\Amephisto_(\w+)\z/ attr_accessor :plugin, :path def self.scan lib/mephisto/directory_plugin.rb @@ -1,7 +1,7 @@ module Mephisto class Dispatcher PERMALINK_OPTIONS = { :year => '\d{4}', :month => '\d{1,2}', :day => '\d{1,2}', :permalink => '[\w\-]+', :id => '\d+' } - PERMALINK_VAR = /^:([a-z]+)$/ + PERMALINK_VAR = /\A:([a-z]+)\z/ def self.run(site, path) # check for any bad urls like /foo//bar @@ -80,7 +80,7 @@ module Mephisto result.first[var] = match[i+1] end result << match[variables.size + 2] # comments | comments.xml | changes.xml - result.last.gsub!(/\/(.*)$/, '') if result.last + result.last.gsub!(/\/(.*)\z/, '') if result.last result << match[variables.size + 4] # comment id end end lib/mephisto/dispatcher.rb @@ -29,7 +29,7 @@ module Mephisto end def mephisto_plugin? - name =~ /^mephisto_(\w+)$/ + name =~ /\Amephisto_(\w+)\z/ end def configurable? @@ -37,7 +37,7 @@ module Mephisto end def mephisto_name - name.sub /^mephisto_/, '' + name.sub /\Amephisto_/, '' end alias :conf_name :mephisto_name end lib/mephisto/plugin.rb @@ -87,7 +87,7 @@ module Mephisto end protected - @@sanitize_path_regex = /^(\/)|(https?:\/\/)/ + @@sanitize_path_regex = /\A(\/)|(https?:\/\/)/ def self.sanitize_path(path) path =~ @@sanitize_path_regex ? path : "/#{path.split("://").last}" end lib/mephisto/routing.rb @@ -2,7 +2,7 @@ module XMLRPC module Convert def self.dateTime(str) case str - when /^(-?\d\d\d\d)-?(\d\d)-?(\d\d)T(\d\d):(\d\d):(\d\d)(?:Z|([+-])(\d\d):?(\d\d))?$/ + when /\A(-?\d\d\d\d)-?(\d\d)-?(\d\d)T(\d\d):(\d\d):(\d\d)(?:Z|([+-])(\d\d):?(\d\d))?\z/ a = [$1, $2, $3, $4, $5, $6].collect{|i| i.to_i} if $7 ofs = $8.to_i*3600 + $9.to_i*60 @@ -16,7 +16,7 @@ module XMLRPC a = [ utc.year, utc.month, utc.day, utc.hour, utc.min, utc.sec ] end XMLRPC::DateTime.new(*a) - when /^(-?\d\d)-?(\d\d)-?(\d\d)T(\d\d):(\d\d):(\d\d)(Z|([+-]\d\d):(\d\d))?$/ + when /\A(-?\d\d)-?(\d\d)-?(\d\d)T(\d\d):(\d\d):(\d\d)(Z|([+-]\d\d):(\d\d))?\z/ a = [$1, $2, $3, $4, $5, $6].collect{|i| i.to_i} if a[0] < 70 a[0] += 2000 lib/xmlrpc_patch.rb @@ -13,7 +13,7 @@ Site.blueprint do title { Sham.title } host { Sham.host } filter { 'textile_filter' } - approve_comments { false } + approve_comments { true } comment_age { 30 } timezone { TZInfo::Timezone.new("America/New_York") } articles_per_page { 15 } spec/blueprints.rb @@ -5,7 +5,7 @@ class CommentDropTest < Test::Unit::TestCase def setup @comment = contents(:welcome_comment).to_liquid - @mock_comment = [:published_at, :created_at, :author, :author_email, :author_ip, :title, :approved?].inject({:body_html => 'foo'}) { |h, i| h.update i => true } + @mock_comment = [:published_at, :created_at, :title, :approved?].inject({:body_html => 'foo', :author => 'Bob', :author_email => 'bob@example.com', :author_ip => '127.0.0.1' }) { |h, i| h.update i => true } end def test_should_convert_comment_to_drop @@ -36,10 +36,14 @@ class CommentDropTest < Test::Unit::TestCase assert_equal %Q{<a href="https://abc">rico</a>}, @comment.author_link @comment.source.author = 'rico' @comment.source.author_url = 'https://abc' - @comment.source.send(:sanitize_attributes) - assert_equal %Q{<a href="http://https://abc">rico</a>}, @comment.author_link + assert_equal %Q{<a href="http://https://abc">rico</a>}, @comment.source.to_liquid.author_link end + def test_should_not_be_fooled_by_newlines_in_author_url + @comment.source.author_url = "javascript:alert('Oops')\nhttp://" + assert_equal "http://javascript:alert('Oops')\nhttp://", @comment.author_url + end + def test_should_show_filtered_text comment = contents(:welcome).comments.create :body => '*test* comment', :author => 'bob', :author_ip => '127.0.0.1' assert_valid comment @@ -48,6 +52,15 @@ class CommentDropTest < Test::Unit::TestCase assert_equal 'test comment', liquid.before_method(:body) end + def test_should_not_allow_img_tags + # img tags can be used in CSRF attacks against actions that + # accidentally allow GET requests to perform destructive actions. + comment = contents(:welcome_comment) + comment.body = 'a<img src="/admin/site/destroy/1" />b' + comment.save! + assert_equal 'ab', comment.to_liquid.before_method(:body) + end + def test_comment_url t = Time.now.utc - 3.days assert_equal "/#{t.year}/#{t.month}/#{t.day}/welcome-to-mephisto", @comment.url @@ -74,4 +87,4 @@ class CommentDropTest < Test::Unit::TestCase def stub.id() 55; end end end -end \ No newline at end of file +end test/unit/comment_drop_test.rb @@ -27,9 +27,15 @@ class FlickrMacro < FilteredColumn::Macros::Base if(caption.blank?) captioncode = "" else - captioncode = "#{caption}" + captioncode = "#{h caption}" end - "<div style=\"#{style}\" class=\"flickrplugin\"><a href=\"#{imagelink}\"><img src=\"#{imageurl}\" width=\"#{width}\" height=\"#{height}\" alt=\"#{alt}\" title=\"#{title}\"/></a>#{captioncode}</div>" + "<div style=\"#{h style}\" class=\"flickrplugin\"><a href=\"#{h imagelink}\"><img src=\"#{h imageurl}\" width=\"#{h width}\" height=\"#{h height}\" alt=\"#{h alt}\" title=\"#{h title}\"/></a>#{captioncode}</div>" end -end \ No newline at end of file + + private + + def h str + CGI.escapeHTML(str) + end +end vendor/plugins/filtered_column_flickr_macro/lib/flickr_macro.rb @@ -2,4 +2,3 @@ $:.unshift(File.dirname(__FILE__) + '/../lib') require 'test/unit' require File.expand_path(File.join(File.dirname(__FILE__), '../../../../config/environment.rb')) -require 'breakpoint' \ No newline at end of file vendor/plugins/filtered_column_flickr_macro/test/abstract_unit.rb 0c628dc7e2ff8b7529f43e4090d37adc8e86ba54 24bfceaae2b1edf7c2f92fb9a7716a523ba7f417 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/f2712773d0f8beed1be8ec97fcd39a27f6ff4159 f2712773d0f8beed1be8ec97fcd39a27f6ff4159

2008-12-20T08:04:57-08:00

Merge branch 'master' into new-plugins Conflicts: lib/mephisto/plugin.rb 1e506c6f381b3ba951c3c9b76de90aeccf33aad0 Eric Kidd git@randomhacks.net