Merge branch '4-0-sec' into 4-0-stable

* 4-0-sec:
  bumping version for relesase
  correctly escape backslashes in request path globs

RAILS_VERSION

@@ -1 +1 @@
-4.0.11
+4.0.12

actionmailer/lib/action_mailer/version.rb

@@ -1,7 +1,7 @@
 module ActionMailer
   # Returns the version of the currently loaded ActionMailer as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.11"
+    Gem::Version.new "4.0.12"
   end
 
   module VERSION #:nodoc:

actionpack/lib/action_dispatch/middleware/static.rb

@@ -19,7 +19,7 @@ def match?(path)
       paths = "#{full_path}#{ext}"
 
       matches = Dir[paths]
-      match = matches.detect { |m| File.file?(m) }
+      match = matches.detect { |m| File.file?(m) && File.readable?(m) }
       if match
         match.sub!(@compiled_root, '')
         ::Rack::Utils.escape(match)
@@ -42,7 +42,7 @@ def unescape_path(path)
     end
 
     def escape_glob_chars(path)
-      path.gsub(/[*?{}\[\]]/, "\\\\\\&")
+      path.gsub(/[*?{}\[\]\\]/, "\\\\\\&")
     end
 
     private

actionpack/lib/action_pack/version.rb

@@ -1,7 +1,7 @@
 module ActionPack
   # Returns the version of the currently loaded ActionPack as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.11"
+    Gem::Version.new "4.0.12"
   end
 
   module VERSION #:nodoc:

actionpack/test/dispatch/static_test.rb

@@ -1,5 +1,6 @@
 # encoding: utf-8
 require 'abstract_unit'
+require 'fileutils'
 require 'rbconfig'
 
 module StaticTests
@@ -157,6 +158,46 @@ def public_path
 
   include StaticTests
 
+  def test_custom_handler_called_when_file_is_not_readable
+    filename = 'unreadable.html.erb'
+    target = File.join(@root, filename)
+    FileUtils.touch target
+    File.chmod 0200, target
+    assert File.exist? target
+    assert !File.readable?(target)
+    path = "/#{filename}"
+    env = {
+      "REQUEST_METHOD"=>"GET",
+      "REQUEST_PATH"=> path,
+      "PATH_INFO"=> path,
+      "REQUEST_URI"=> path,
+      "HTTP_VERSION"=>"HTTP/1.1",
+      "SERVER_NAME"=>"localhost",
+      "SERVER_PORT"=>"8080",
+      "QUERY_STRING"=>""
+    }
+    assert_equal(DummyApp.call(nil), @app.call(env))
+  ensure
+    File.unlink target
+  end
+
+  def test_custom_handler_called_when_file_is_outside_root_backslash
+    filename = 'shared.html.erb'
+    assert File.exist?(File.join(@root, '..', filename))
+    path = "/%5C..%2F#{filename}"
+    env = {
+      "REQUEST_METHOD"=>"GET",
+      "REQUEST_PATH"=> path,
+      "PATH_INFO"=> path,
+      "REQUEST_URI"=> path,
+      "HTTP_VERSION"=>"HTTP/1.1",
+      "SERVER_NAME"=>"localhost",
+      "SERVER_PORT"=>"8080",
+      "QUERY_STRING"=>""
+    }
+    assert_equal(DummyApp.call(nil), @app.call(env))
+  end
+
   def test_custom_handler_called_when_file_is_outside_root
     filename = 'shared.html.erb'
     assert File.exist?(File.join(@root, '..', filename))

activemodel/lib/active_model/version.rb

@@ -1,7 +1,7 @@
 module ActiveModel
   # Returns the version of the currently loaded ActiveModel as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.11"
+    Gem::Version.new "4.0.12"
   end
 
   module VERSION #:nodoc:

activerecord/lib/active_record/version.rb

@@ -1,7 +1,7 @@
 module ActiveRecord
   # Returns the version of the currently loaded ActiveRecord as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.11"
+    Gem::Version.new "4.0.12"
   end
 
   module VERSION #:nodoc:

activesupport/lib/active_support/version.rb

@@ -1,7 +1,7 @@
 module ActiveSupport
   # Returns the version of the currently loaded ActiveSupport as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.11"
+    Gem::Version.new "4.0.12"
   end
 
   module VERSION #:nodoc:

railties/lib/rails/version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 0
-    TINY  = 11
+    TINY  = 12
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 0
-    TINY  = 11
+    TINY  = 12
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")