Merge branch '3-0-10' into 3-0-stable

* 3-0-10:
  bumping rails to 3.0.10
  properly substituting bad utf8 characters
  Tags with invalid names should also be stripped in order to prevent XSS attacks.  Thanks Sascha Depold for the report.
  prevent sql injection attacks by escaping quotes in column names
  Properly escape glob characters.
  bumping to 3.0.10.rc1
  more changelog updates
  updating CHANGELOGs
commit 0b377044fa17b72bc9394a4161c22f1b4686a7b8 2 parents 4c8a211 + 4f15f39
@tenderlove tenderlove authored
Showing with 106 additions and 18 deletions.
  1. +1 −1  RAILS_VERSION
  2. +5 −1 actionmailer/CHANGELOG
  3. +1 −1  actionmailer/lib/action_mailer/version.rb
  4. +9 −1 actionpack/CHANGELOG
  5. +1 −1  actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
  6. +1 −1  actionpack/lib/action_pack/version.rb
  7. +5 −1 actionpack/lib/action_view/template/resolver.rb
  8. +14 −0 actionpack/test/controller/render_test.rb
  9. +1 −0  actionpack/test/fixtures/test/hello_w*rld.erb
  10. +7 −0 actionpack/test/template/html-scanner/sanitizer_test.rb
  11. +6 −0 activemodel/CHANGELOG
  12. +1 −1  activemodel/lib/active_model/version.rb
  13. +12 −0 activerecord/CHANGELOG
  14. +1 −1  activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
  15. +1 −1  activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
  16. +1 −1  activerecord/lib/active_record/version.rb
  17. +17 −0 activerecord/test/cases/base_test.rb
  18. +5 −1 activeresource/CHANGELOG
  19. +1 −1  activeresource/lib/active_resource/version.rb
  20. +1 −1  activesupport/lib/active_support/core_ext/string/output_safety.rb
  21. +1 −1  activesupport/lib/active_support/version.rb
  22. +7 −0 activesupport/test/core_ext/string_ext_test.rb
  23. +5 −1 railties/CHANGELOG
  24. +1 −1  railties/lib/rails/version.rb
  25. +1 −1  version.rb
2  RAILS_VERSION
@@ -1 +1 @@
-3.0.9
+3.0.10
6 actionmailer/CHANGELOG
@@ -1,4 +1,8 @@
-*Rails 3.0.8 (unreleased)*
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
* Mail dependency increased to 2.2.19
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
10 actionpack/CHANGELOG
@@ -3,7 +3,15 @@
* Fixes an issue where cache sweepers with only after filters would have no
controller object, it would raise undefined method controller_name for nil [jeroenj]
-*Rails 3.0.9 (unreleased)*
+* Ensure status codes are logged when exceptions are raised.
+
+* Subclasses of OutputBuffer are respected.
+
+* Fixed ActionView::FormOptionsHelper#select with :multiple => false
+
+* Avoid extra call to Cache#read in case of a fragment cache hit
+
+*Rails 3.0.9 (June 16, 2011)*
* json_escape will now return a SafeBuffer string if it receives SafeBuffer string [tenderlove]
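--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -156,7 +156,7 @@ def parse(parent, line, pos, content, strict=true)
 end
 closing = ( scanner.scan(/\//) ? :close : nil )
-return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
 name.downcase!
 unless closing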
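Review bot: The widened tag-name pattern on the added line, `/[^\s!>\/]+/`, needs an inline comment, because the old `[\w:-]+` reads as the more "correct" expression and is an obvious cleanup target that would reopen the gap this commit closes. Suggest placing above it: `# Deliberately permissive: any run that is not whitespace, "!", ">" or "/" counts as a tag name, so an opener with a bogus name is still parsed as a tag (and stripped by the sanitizers) instead of being emitted as text.` The new class also admits `<` and quote characters as the first character of a name, so what happens to an unterminated opener such as `<<` now depends on the fallback later in parse, which is outside this hunk on both sides. parse's body starts before and ends after the hunk.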
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
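--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -63,7 +63,7 @@ def build_path(name, prefix, partial, details)
 end
 def query(path, exts, formats)
-query = File.join(@path, path)
+query = escape_entry File.join(@path, path)
 exts.each do |ext|
 query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
@@ -88,6 +88,10 @@ def query(path, exts, formats)
 templates
 end
+def escape_entry(entry)
+entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
+end
+
 # Extract handler and formats from path. If a format cannot be a found neither
 # from the path, or the handler, we should return the array of formats given
 # to the resolver.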
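Review bot: `escape_entry` is added without documentation, and its position on the changed `query =` line is the part that matters: the joined path is escaped before the `{.ext,}` alternations are appended on the following lines, so those braces stay glob syntax while any `*`, `?`, `[`, `]`, `{` or `}` coming from the template name is matched literally. A comment on the method, `# Escape glob metacharacters in a filesystem path so Dir[] looks the name up literally; must run before the extension/format alternations are appended in #query.`, would keep a later refactor from moving the call after the `<<` chain. The class does not include the backslash, which Dir.glob on POSIX also treats as an escape character, so a path containing a literal `\` (presumably rare here) is still interpreted rather than matched; whether that matters depends on the platforms supported. Whether a `private` marker precedes the new method is not visible in the hunk; if none does, the helper becomes part of the resolver's public surface.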
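--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -396,6 +396,14 @@ def render_with_explicit_template
 render :template => "test/hello_world"
 end
+def render_with_explicit_unescaped_template
+render :template => "test/h*llo_world"
+end
+
+def render_with_explicit_escaped_template
+render :template => "test/hello_w*rld"
+end
+
 def render_with_explicit_string_template
 render "test/hello_world"
 end
@@ -1057,6 +1065,12 @@ def test_render_with_explicit_template
 assert_response :success
 end
+def test_render_with_explicit_unescaped_template
+assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
+get :render_with_explicit_escaped_template
+assert_equal "Hello w*rld!", @response.body
+end
+
 def test_render_with_explicit_string_template
 get :render_with_explicit_string_template
 assert_equal "<html>Hello world!</html>", @response.body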
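Review bot: `test_render_with_explicit_unescaped_template` in the second hunk asserts two different things — that the `*` in `test/h*llo_world` no longer acts as a wildcard, and that the literal file `test/hello_w*rld` is still found — so a failure on the second `get` is reported under a name that describes only the first. Splitting it into two test methods, mirroring the two controller actions added in the first hunk, lets a red run name the broken case directly. The enclosing controller and test classes start before and end after their hunks.

```ruby
def test_render_with_explicit_unescaped_template
  assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
end

def test_render_with_explicit_escaped_template
  get :render_with_explicit_escaped_template
  assert_equal "Hello w*rld!", @response.body
end
```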
1  actionpack/test/fixtures/test/hello_w*rld.erb
@@ -0,0 +1 @@
+Hello w*rld!
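--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -5,6 +5,13 @@ def setup
 @sanitizer = nil # used by assert_sanitizer
 end
+def test_strip_tags_with_quote
+sanitizer = HTML::FullSanitizer.new
+string = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+assert_equal ' hi', sanitizer.sanitize(string)
+end
+
 def test_strip_tags
 sanitizer = HTML::FullSanitizer.new
 assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))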
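Review bot: The fixture string in `test_strip_tags_with_quote` is doing subtle work — the `<"` opener only becomes a stripped tag because node.rb's tag-name pattern was widened in this same commit — and nothing in the test says so. A comment above the assignment, `# An opener whose "name" is a quote must still be parsed as a tag and stripped, not passed through as text`, records the invariant. Since the parser change accepts any non-whitespace, non-`!>/` run as a name, a second assertion with a different non-word lead character in the same `assert_equal ' hi'` shape would pin the general rule rather than this one character. The test_strip_tags case on the line below, `<<<bad html`, still expects pass-through for an unterminated opener and should be watched alongside the new case.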
6 activemodel/CHANGELOG
@@ -1,3 +1,9 @@
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
+
*Rails 3.0.7 (April 18, 2011)*
*No changes.
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
12 activerecord/CHANGELOG
@@ -4,6 +4,18 @@
* schema.rb is written as UTF-8 by default.
+* Ensuring an established connection when running `rake db:schema:dump`
+
+* Association conditions will not clobber join conditions.
+
+* Destroying a record will destroy the HABTM record before destroying itself.
+GH #402.
+
+* Make `ActiveRecord::Batches#find_each` to not return `self`.
+
+* Update `table_exists?` in PG to to always use current search_path or schema
+if explictly set.
+
*Rails 3.0.9 (June 16, 2011)*
*Rails 3.0.8 (June 7, 2011)*
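--- a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -199,7 +199,7 @@ def quote(value, column = nil)
 end
 def quote_column_name(name) #:nodoc:
-@quoted_column_names[name] ||= "`#{name}`"
+@quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
 end
 def quote_table_name(name) #:nodoc: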
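Review bot: The escaping on the changed line is undocumented and easy to mistake for cosmetic, so it is worth a comment: `# Double any backtick so an identifier can never terminate its own quoting (MySQL reads a doubled backtick inside a quoted identifier as a literal one).` The same applies to the `"` → `""` substitution in quote_column_name of activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb in this commit. The memo hash is still keyed by the raw `name`, so a Symbol and its equal String each get their own entry; harmless, but if normalization is intended the key should be `name.to_s` as well. quote_table_name starts on the last line of the hunk with its body outside it; if it builds on quote_column_name it inherits the fix, which a dotted `schema.table` case in test_column_names_are_escaped would confirm.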
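--- a/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
@@ -115,7 +115,7 @@ def quote_string(s) #:nodoc:
 end
 def quote_column_name(name) #:nodoc:
-%Q("#{name}")
+%Q("#{name.to_s.gsub('"', '""')}")
 end
 # Quote date/time values for use in SQL input. Includes microseconds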
# Quote date/time values for use in SQL input. Includes microseconds
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
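--- a/activerecord/test/cases/base_test.rb
+++ b/activerecord/test/cases/base_test.rb
@@ -50,6 +50,23 @@ class Boolean < ActiveRecord::Base; end
 class BasicsTest < ActiveRecord::TestCase
 fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
+def test_column_names_are_escaped
+conn = ActiveRecord::Base.connection
+classname = conn.class.name[/[^:]*$/]
+badchar = {
+'SQLite3Adapter' => '"',
+'MysqlAdapter' => '`',
+'Mysql2Adapter' => '`',
+'PostgreSQLAdapter' => '"',
+'OracleAdapter' => '"',
+}.fetch(classname) {
+raise "need a bad char for #{classname}"
+}
+
+quoted = conn.quote_column_name "foo#{badchar}bar"
+assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
+end
+
 unless current_adapter?(:PostgreSQLAdapter,:OracleAdapter,:SQLServerAdapter)
 def test_limit_with_comma
 assert_nothing_raised do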
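Review bot: The `badchar` table in `test_column_names_are_escaped` has no entry for SQLServerAdapter, although that adapter is named in the `current_adapter?` call directly below the new method, so on that adapter the `fetch` block raises `need a bad char` and the test errors instead of asserting or skipping. Fail-loud is a defensible default, but it should be deliberate: either add that adapter's identifier delimiter to the table or skip with the file's existing `unless current_adapter?(...)` pattern. The single expected value only exercises the delimiter in the middle of the name; a second assertion with it as the first or last character would pin the edges as well. BasicsTest starts inside the hunk and continues past it.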
6 activeresource/CHANGELOG
@@ -1,4 +1,8 @@
-*Rails 3.0.8 (unreleased)*
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
*No changes.
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
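--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -20,7 +20,7 @@ def html_escape(s)
 if s.html_safe?
 s
 else
-s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
 end
 end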
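Review bot: The added line replaces one character-class `gsub` with four single-character substitutions and drops the `HTML_ESCAPE` lookup, and nothing on the line says why, so it reads as a loss of clarity that a later tidy-up would revert. Judging by the regression test added in activesupport/test/core_ext/string_ext_test.rb (a bare 0xC0 byte followed by `<` must still yield `&lt;`), the class form was not escaping a `<` that followed a malformed multibyte lead byte; a comment above the line, `# Four literal substitutions on purpose: a character-class match can skip a "<" that follows a malformed multibyte lead byte (see test_erb_escape). "&" is replaced first so the entities added afterwards are not re-escaped.`, records both the reason and the ordering constraint. If `HTML_ESCAPE` is no longer referenced elsewhere in the file it is now dead, but that is outside the hunk. html_escape's signature and its `html_safe?` branch are inside the hunk; the enclosing module is not.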
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
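--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -7,10 +7,17 @@
 require 'active_support/time'
 require 'active_support/core_ext/kernel/reporting'
 require 'active_support/core_ext/string/strip'
+require 'active_support/core_ext/string/output_safety'
 class StringInflectionsTest < Test::Unit::TestCase
 include InflectorTestCases
+def test_erb_escape
+string = [192, 60].pack('CC')
+expected = 192.chr + "&lt;"
+assert_equal expected, ERB::Util.html_escape(string)
+end
+
 def test_strip_heredoc_on_an_empty_string
 assert_equal '', ''.strip_heredoc
 end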
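Review bot: `test_erb_escape` gives no hint why the bytes 192 and 60 were chosen, and the commit message's "bad utf8 characters" is the only clue; a comment on the first line of the method, `# 0xC0 looks like a UTF-8 multibyte lead byte but has no continuation byte; the "<" after it must still be escaped rather than swallowed as part of a character`, together with a name such as `test_html_escape_with_invalid_utf8_lead_byte`, would make the regression legible. The method also lands in StringInflectionsTest, where it has nothing to do with inflections; if the file has a more general String test class further down (the file continues past this hunk) that is the better home. The `require` on the first added line is what brings `ERB::Util.html_escape` into scope for the test and belongs with it.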
6 railties/CHANGELOG
@@ -1,4 +1,8 @@
-*Rails 3.0.8 (unreleased)*
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
* Fix Rake 0.9.0 support.
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')