Merge branch '3-0-6' into 3-0-stable

* 3-0-6: bumping version to 3.0.6 updating CHANGELOG updating CHANGELOG for actionpack do not return html safe strings from auto_link bumping to 3.0.6.rc2 Support both conventions for translations for namespaced models. Added back the use of the Reflection module's cached sanitized_conditions in an AssociationProxy. This was recently removed and when a has_one association with conditions is eager loaded the conditions would be sanitized once for every result row, causing a database hit to fetch the columns. Bring back i18n_key to avoid regression Revert "Improve testing of cookies in functional tests:" bumping version to 3.0.6.rc1 updating AR changelog
CvX · Apr 5, 2011 · 3940e34 · 3940e34
2 parents e6bc818 + 38df020
commit 3940e34
Show file tree

Hide file tree

Showing 23 changed files with 52 additions and 125 deletions.
diff --git a/RAILS_VERSION b/RAILS_VERSION
@@ -1 +1 @@
-3.0.5
+3.0.6
diff --git a/actionmailer/CHANGELOG b/actionmailer/CHANGELOG
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
 
 * Don't allow i18n to change the minor version, version now set to ~> 0.5.0 [Santiago Pastorino]
 

diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
@@ -1,4 +1,14 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
+
+* Fixed XSS vulnerability in `auto_link`.  `auto_link` no longer marks input as
+  html safe.  Please make sure that calls to auto_link() are wrapped in a
+  sanitize(), or a raw() depending on the type of input passed to auto_link().
+  For example:
+
+    <%= sanitize(auto_link(some_user_input)) %>
+
+  Thanks to Torben Schulz for reporting this.  The fix can be found here:
+  61ee3449674c591747db95f9b3472c5c3bd9e84d
 
 * Fixes the output of `rake routes` to be correctly match to the behavior of the application, as the regular expression used to match the path is greedy and won't capture the format part by default [Prem Sichanugrist]
 

diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
@@ -171,10 +171,6 @@ def assign_parameters(routes, controller_path, action, parameters = {})
     end
 
     def recycle!
-      write_cookies!
-      @env.delete('HTTP_COOKIE') if @cookies.blank?
-      @env.delete('action_dispatch.cookies')
-      @cookies = nil
       @formats = nil
       @env.delete_if { |k, v| k =~ /^(action_dispatch|rack)\.request/ }
       @env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
@@ -301,11 +297,7 @@ def exists?; true; end
   # and cookies, though. For sessions, you just do:
   #
   #   @request.session[:key] = "value"
-  #   @request.cookies[:key] = "value"
+  #   @request.cookies["key"] = "value"
-  #
-  # To clear the cookies for a test just clear the request's cookies hash:
-  #
-  #   @request.cookies.clear
   #
   # == Testing named routes
   #
@@ -419,7 +411,6 @@ def process(action, parameters = nil, session = nil, flash = nil, http_method =
         Base.class_eval { include Testing }
         @controller.process_with_new_base_test(@request, @response)
         @request.session.delete('flash') if @request.session['flash'].blank?
-        @request.cookies.merge!(@response.cookies)
         @response
       end
 

diff --git a/actionpack/lib/action_dispatch/testing/test_process.rb b/actionpack/lib/action_dispatch/testing/test_process.rb
@@ -22,7 +22,7 @@ def flash
     end
 
     def cookies
-      @request.cookies.merge(@response.cookies).with_indifferent_access
+      @request.cookies.merge(@response.cookies)
     end
 
     def redirect_to_url

diff --git a/actionpack/lib/action_dispatch/testing/test_request.rb b/actionpack/lib/action_dispatch/testing/test_request.rb
@@ -1,6 +1,5 @@
 require 'active_support/core_ext/object/blank'
 require 'active_support/core_ext/hash/reverse_merge'
-require 'rack/utils'
 
 module ActionDispatch
   class TestRequest < Request
@@ -77,14 +76,10 @@ def cookies
     private
       def write_cookies!
         unless @cookies.blank?
-          @env['HTTP_COOKIE'] = @cookies.map { |name, value| escape_cookie(name, value) }.join('; ')
+          @env['HTTP_COOKIE'] = @cookies.map { |name, value| "#{name}=#{value};" }.join(' ')
         end
       end
 
-      def escape_cookie(name, value)
-        "#{Rack::Utils.escape(name)}=#{Rack::Utils.escape(value)}"
-      end
-
       def delete_nil_values!
         @env.delete_if { |k, v| v.nil? }
       end

diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -299,7 +299,7 @@ def simple_format(text, html_options={}, options={})
       #   # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
       #         Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>."
       def auto_link(text, *args, &block)#link = :all, html = {}, &block)
-        return ''.html_safe if text.blank?
+        return '' if text.blank?
 
         options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
         unless args.empty?
@@ -503,7 +503,7 @@ def auto_link_urls(text, html_options = {}, options = {})
               end
               content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
             end
-          end.html_safe
+          end
         end
 
         # Turns all email addresses into clickable links.  If a block is given,

diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
@@ -94,30 +94,6 @@ def delete_cookie_with_domain
       cookies.delete(:user_name, :domain => :all)
       head :ok
     end
-
-    def symbol_key
-      cookies[:user_name] = "david"
-      head :ok
-    end
-
-    def string_key
-      cookies['user_name'] = "david"
-      head :ok
-    end
-
-    def symbol_key_mock
-      cookies[:user_name] = "david" if cookies[:user_name] == "andrew"
-      head :ok
-    end
-
-    def string_key_mock
-      cookies['user_name'] = "david" if cookies['user_name'] == "andrew"
-      head :ok
-    end
-
-    def noop
-      head :ok
-    end
   end
 
   tests TestController
@@ -315,65 +291,6 @@ def test_deleting_cookie_with_all_domain_option
     assert_cookie_header "user_name=; domain=.nextangle.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT"
   end
 
-  def test_cookies_hash_is_indifferent_access
-    [:symbol_key, :string_key].each do |cookie_key|
-      get cookie_key
-      assert_equal "david", cookies[:user_name]
-      assert_equal "david", cookies['user_name']
-    end
-  end
-
-  def test_setting_request_cookies_is_indifferent_access
-    @request.cookies.clear
-    @request.cookies[:user_name] = "andrew"
-    get :string_key_mock
-    assert_equal "david", cookies[:user_name]
-
-    @request.cookies.clear
-    @request.cookies['user_name'] = "andrew"
-    get :symbol_key_mock
-    assert_equal "david", cookies['user_name']
-  end
-
-  def test_cookies_retained_across_requests
-    get :symbol_key
-    assert_equal "user_name=david; path=/", @response.headers["Set-Cookie"]
-    assert_equal "david", cookies[:user_name]
-
-    get :noop
-    assert_nil @response.headers["Set-Cookie"]
-    assert_equal "user_name=david", @request.env['HTTP_COOKIE']
-    assert_equal "david", cookies[:user_name]
-
-    get :noop
-    assert_nil @response.headers["Set-Cookie"]
-    assert_equal "user_name=david", @request.env['HTTP_COOKIE']
-    assert_equal "david", cookies[:user_name]
-  end
-
-  def test_cookies_can_be_cleared
-    get :symbol_key
-    assert_equal "user_name=david; path=/", @response.headers["Set-Cookie"]
-    assert_equal "david", cookies[:user_name]
-
-    @request.cookies.clear
-    get :noop
-    assert_nil @response.headers["Set-Cookie"]
-    assert_nil @request.env['HTTP_COOKIE']
-    assert_nil cookies[:user_name]
-
-    get :symbol_key
-    assert_equal "user_name=david; path=/", @response.headers["Set-Cookie"]
-    assert_equal "david", cookies[:user_name]
-  end
-
-  def test_cookies_are_escaped
-    @request.cookies[:user_ids] = '1;2'
-    get :noop
-    assert_equal "user_ids=1%3B2", @request.env['HTTP_COOKIE']
-    assert_equal "1;2", cookies[:user_ids]
-  end
-
   private
     def assert_cookie_header(expected)
       header = @response.headers["Set-Cookie"]

diff --git a/actionpack/test/dispatch/test_request_test.rb b/actionpack/test/dispatch/test_request_test.rb
@@ -36,10 +36,10 @@ class TestRequestTest < ActiveSupport::TestCase
 
     req.cookies["user_name"] = "david"
     assert_equal({"user_name" => "david"}, req.cookies)
-    assert_equal "user_name=david", req.env["HTTP_COOKIE"]
+    assert_equal "user_name=david;", req.env["HTTP_COOKIE"]
 
     req.cookies["login"] = "XJ-122"
     assert_equal({"user_name" => "david", "login" => "XJ-122"}, req.cookies)
-    assert_equal %w(login=XJ-122 user_name=david), req.env["HTTP_COOKIE"].split(/; /).sort
+    assert_equal %w(login=XJ-122 user_name=david), req.env["HTTP_COOKIE"].split(/; ?/).sort
   end
 end
diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
@@ -315,14 +315,20 @@ def generate_result(link_text, href = nil, escape = false)
     end
   end
 
-  def test_auto_link_should_be_html_safe
+  def test_auto_link_should_not_be_html_safe
     email_raw    = 'santiago@wyeworks.com'
     link_raw     = 'http://www.rubyonrails.org'
 
-    assert auto_link(nil).html_safe?
+    assert !auto_link(nil).html_safe?, 'should not be html safe'
-    assert auto_link('').html_safe?
+    assert !auto_link('').html_safe?, 'should not be html safe'
-    assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
+    assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
-    assert auto_link("hello #{email_raw}").html_safe?
+    assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
+  end
+
+  def test_auto_link_email_address
+    email_raw    = 'aaron@tenderlovemaking.com'
+    email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>}
+    assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe'
   end
 
   def test_auto_link

diff --git a/activemodel/CHANGELOG b/activemodel/CHANGELOG
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
 
 * Fix when database column name has some symbolic characters (e.g. Oracle CASE# VARCHAR2(20)) #5818 #6850 [Robert Pankowecki, Santiago Pastorino]
 

diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
 
 * Un-deprecate reorder method [Sebastian Martinez]
 
@@ -7,6 +7,14 @@
 
 * Schemas set in set_table_name are respected by the mysql adapter. LH #5322
 
+* Fixed a bug when empty? was called on a grouped Relation that wasn't loaded.
+  LH #5829
+
+* Reapply extensions when using except and only. Thanks Iain Hecker.
+
+* Binary data is escaped when being inserted to SQLite3 Databases. Thanks
+  Naruse!
+
 *Rails 3.0.5 (February 26, 2011)*
 
 * Model.where(:column => 1).where(:column => 2) will always produce an AND

diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/activeresource/CHANGELOG b/activeresource/CHANGELOG
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
 
 * No changes.
 

diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/activesupport/CHANGELOG b/activesupport/CHANGELOG
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
 
 * No changes.
 

diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/railties/CHANGELOG b/railties/CHANGELOG
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
 
 * No changes.
 

diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/version.rb b/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')