Commits on Oct 2, 2009
Commits on Dec 21, 2008
  1. Add declarative untaint_result helper

    emk committed Dec 21, 2008
    This can be used to automatically untaint the return value of a specific
    function without having to wrap it manually.
  2. Add unit tests for h and html_escape

    emk committed Dec 21, 2008
  3. Standardize file names

    emk committed Dec 21, 2008
  4. Convert to ActiveSupport::Test case and clean up tests

    emk committed Dec 21, 2008
    We've dropped the ERB-specific tests in favor of ones focusing on
    ActionView::Template, converted everything to use the shiny new
    ActiveSupport::Test API, and generally tried to clean up a bit.
  5. Untaint translations to work around Rails bugs

    emk committed Dec 21, 2008
    The classes in ActionView::Helpers have a nasty habit of loading
    translations and dropping the results straight into HTML without calling
    h(...).
    
    Since the various translation files aren't under user control, this
    can't easily be used as an attack method.  So I'm going to go ahead and
    untaint all our translations up front, even though we really ought to
    leave them all tainted.
    
    This allows us to get rid of several ActionView::Helpers-related
    patches, but I left the corresponding test cases.
  6. Add test cases for records read from the database

    emk committed Dec 21, 2008
    This patch also removes our Rails 1.* support, which probably doesn't
    work anymore.
Commits on Dec 20, 2008
  1. Only apply safe_erb to ActionView::Renderable

    emk committed Dec 20, 2008
    We were applying safe_erb to all ERB invocations that weren't on our
    whitelisted set of file extensions.  But this broke script/generate.
    So after a bit of tweaking, this patch limits safe_erb to all instances
    of ActionView::Renderable that aren't on our whitelist.
    
    I've done a fair bit of testing, using both automated tests and manual
    tests.  So far, safe_erb seems to be working.
    
    This code is fairly fragile, because the internals of ActionView are
    pretty weird, especially when view caching is turned on.  It's fairly
    hard to write a unit test which proves that safe_erb is actually
    working when config.action_controller.perform_caching is true.
  2. Untaint RAILS_ROOT

    emk committed Dec 20, 2008
    Thanks to court3nay for catching this:
    
      ActionView::TemplateError (attempted to output tainted string:
      /Users/courtenay/dev/oss/mephisto) on line #10 of
      .../actionpack-2.2.2/lib/action_controller/templates/rescues/_trace.erb:
    
      10: <p><code>RAILS_ROOT: <%= defined?(RAILS_ROOT) ?
    
    This needs to be fixed in upstream Rails by adding an h(...) there, but
    for now, we're just going to go ahead and untaint RAILS_ROOT because it
    isn't under the control of remote users.
Commits on Dec 17, 2008
  1. Fix per-database monkey-patching code

    emk committed Dec 17, 2008
    This only worked if you were using SQLite3.
  2. Fix file list in gem

    emk committed Dec 17, 2008
    Maybe this will help github to build the gem.
  3. Ignore pkg/ directory

    emk committed Dec 17, 2008
  4. Fix hyphenation in description

    emk committed Dec 17, 2008
    This is just a trivial change to trigger an initial gem build
    at github.
  5. Add gemspec file

    emk committed Dec 17, 2008
    This gemspec file (and the new tasks in the Rakefile) were generated
    using the gemhub library.
  6. Move init.rb into Rails directory

    emk committed Dec 17, 2008
    This will eventually allow us to use this plugin as a gem.
  7. Ignore Emacs backup files

    emk committed Dec 17, 2008
  8. Taint data returned from SQLite3 database

    emk committed Dec 17, 2008
    This is based on a patch by Koji Shimada.
    
      http://rubyforge.org/tracker/index.php?func=detail&aid=20325&group_id=254&atid=1045
    
    Ideally, this code would eventually move into SQLite3 itself.
Commits on Dec 16, 2008
  1. Automatically ignore .text.plain.erb templates

    emk committed Dec 16, 2008
    This helps make ActionMailer work out-of-the-box.  We'll probably want
    to generalize this code quite a bit to cover other non-HTML, non-XML
    templates.
Commits on Dec 13, 2008
  1. Temporarily work around various Rails helpers

    emk committed Dec 13, 2008
    These two Rails helpers cause Mephisto to fail massively under SafeERB.
    I'm not quite sure what's going wrong internally, because both of these
    helpers should be escaping their HTML.  I've read the source code, and
    I don't see where these helpers are picking up any kind of legitimate
    taint.
    
    Pending further investigation, I'm going to (perhaps unsafely) mark the
    return values of these two helpers as trusted.
  2. Make SafeERB taint checks default to on, not off

    emk committed Dec 13, 2008
    SafeERB wasn't working reliably with modern versions of Rails, because
    it appears that not all templates were getting rendered via 'render'.
    After thinking about this problem for a while, I decided to flip around
    the defaults in SafeERB: Instead of only checking for tainting problems
    in a few places, SafeERB now checks everywhere, and must be explicitly
    disabled when not needed.  This makes SafeERB more "intrusive", but it
    also means that security problems are less likely to slip through
    unnoticed.
    
    This will generally cause problems with ActionMailer and *.erb.txt
    files.  For now, you can insert explicit ERB.without_checking_tainted
    blocks manually.  In the longer run, we probably need to do something
    fancier.
  3. Make ERB.check_tainted thread-safe

    emk committed Dec 13, 2008
Commits on Aug 21, 2008
  1. extracted ERB-specific code into an external file

    Matthew Bass committed Aug 21, 2008
  2. removed environment.rb dependency from tests

    Matthew Bass committed Aug 21, 2008
  3. culled empty files

    Matthew Bass committed Aug 21, 2008
Commits on Aug 20, 2008
  1. initial commit

    Matthew Bass committed Aug 20, 2008