
Merge branch 'master' of github.com:svenfuchs/adva_cms

2 parents d92b586 + 0612e41 commit 1cca85fd701486d3b2214fd96be352261297f8bd @clemens clemens committed Mar 12, 2010
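--- a/engines/adva_assets/test/unit/models/asset_test.rb
+++ b/engines/adva_assets/test/unit/models/asset_test.rb
@@ -68,7 +68,7 @@ def setup
 test "appends an integer to basename to ensure a unique filename if the file exists" do
 dirname = "#{Asset.root_dir}/sites/site-#{@site.id}/assets"
 FileUtils.mkdir_p dirname
- File.cp image_fixture.path, "#{dirname}/rails.png"
+ FileUtils.copy image_fixture.path, "#{dirname}/rails.png"
 create_image_asset.path.should == "#{dirname}/rails.1.png"
 create_image_asset.path.should == "#{dirname}/rails.2.png"
 end
@@ -215,4 +215,4 @@ def setup
 test "image? returns true for an image asset" do
 create_image_asset.image?.should be_true
 end
-end
+end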
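--- a/engines/adva_cms/vendor/plugins/safemode/README.markdown
+++ b/engines/adva_cms/vendor/plugins/safemode/README.markdown
@@ -1,6 +1,6 @@
 ## Safemode
-A library for safe evaluation of Ruby code based on ParseTree/RubyParser and
+A library for safe evaluation of Ruby code based on RubyParser and
 Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.
 ### Word of warning
@@ -16,11 +16,11 @@ feedback to help make it waterproof and finally suitable for serious purposes.
 For manual evaluation of Ruby code and ERB templates see demo.rb
 You can use the ActionView template handlers by registering them, e.g., in
-a config/initializer file like so:
+a config/initializer file like this:
 # in config/intializer/safemode_tempate_handlers.rb
- ActionView::Base.register_template_handler :serb, ActionView::TemplateHandlers::SafeErb
- ActionView::Base.register_template_handler :haml, ActionView::TemplateHandlers::SafeHaml
+ ActionView::Template.register_template_handler :serb, ActionView::TemplateHandlers::SafeErb
+ ActionView::Template.register_template_handler :haml, ActionView::TemplateHandlers::SafeHaml
 If you register the ERB template handler for the file extension :erb be aware
 that this most probably will break when your application tries to render an
@@ -51,11 +51,8 @@ following blog posts until a more comprehensive writeup is available:
 Requires the gems:
-* either ParseTree or RubyParser
-* Ruby2Ruby
-
-RubyParser has the advantage of being pure Ruby and not having any further
-system dependencies while ParseTree is is a C extension that uses RubyInline.
+* RubyParser
+* Ruby2Ruby
 As of writing RubyParser alters StringIO and thus breaks usage with Rails.
 See [http://www.zenspider.com/pipermail/parsetree/2008-April/000026.html](http://www.zenspider.com/pipermail/parsetree/2008-April/000026.html)
@@ -71,4 +68,4 @@ See lib/ruby\_parser\_string\_io\_patch.diff
 This code and all of the Safemode library's code was initially written by
 Sven Fuchs to allow Haml to have a safe mode. It was then modified and
 re-structured by Peter Cooper and Sven Fuchs to extend the idea to generic
-Ruby eval situations.
+Ruby eval situations.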
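--- a/engines/adva_cms/vendor/plugins/safemode/init.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/init.rb
@@ -1,5 +1 @@
-# we only preload the jail class so that the app runs with no parse_tree/ruby2ruby
-# gems installed
-
-# require 'safemode/jail'
-# require 'action_view/conditional_template_handler' if Object.const_defined?('ActionView')
+require 'safemode'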
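Review bot: `require 'safemode'` now loads the whole library at plugin init, and the removed comment explaining why only the jail class used to be preloaded (so the app boots without the parser gems) was not replaced by anything. Since lib/safemode.rb in this same commit requires `ruby2ruby` unconditionally, the plugin now makes that gem a hard boot-time dependency, which a reader of init.rb cannot see. A one-line comment would preserve the intent of the removed note, e.g. `# loads the full library: ruby2ruby is required unconditionally, RubyParser if installed`.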
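--- a/engines/adva_cms/vendor/plugins/safemode/lib/action_view/conditional_template_handler.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/lib/action_view/conditional_template_handler.rb
@@ -1,40 +0,0 @@
-module ActionView
- class Template
- def initialize(view, path, use_full_path, locals = {})
- @view = view
- @finder = @view.finder
-
- # Clear the forward slash at the beginning if exists
- @path = use_full_path ? path.sub(/^\//, '') : path
- @view.first_render ||= @path
- @source = nil # Don't read the source until we know that it is required
- set_extension_and_file_name(use_full_path)
-
- @locals = locals || {}
- @handler = self.class.handler_class_for_template(self).new(@view)
- end
-
- def self.register_template_handler(extension, klass, options = {})
- @@template_handlers[extension.to_sym] = options.update(:class => klass)
- ActionView::TemplateFinder.update_extension_cache_for(extension.to_s)
- end
-
- def self.handler_class_for_template(template)
- if template.extension && handler = @@template_handlers[template.extension.to_sym]
- if handler.is_a? Hash
- return handler[:class] if eval_handler_conditions(template, handler)
- else
- return handler
- end
- end
- @@default_template_handlers
- end
-
- def self.eval_handler_conditions(template, handler)
- [:path, :filename].each do |type|
- return false if handler[type] and handler[type] !~ template.send(type)
- end
- true
- end
- end
-end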
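--- a/engines/adva_cms/vendor/plugins/safemode/lib/action_view/template_handlers/safe_erb.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/lib/action_view/template_handlers/safe_erb.rb
@@ -6,7 +6,7 @@ module TemplateHandlers
 class SafeErb < TemplateHandler
 include Compilable rescue nil # does not exist prior Rails 2.1
 extend SafemodeHandler
-
+
 def self.line_offset
 0
 end
@@ -16,19 +16,27 @@ def compile(template)
 # template instance
 src = template.respond_to?(:source) ? template.source : template
 filename = template.filename rescue nil
-
- code = ::ERB.new(src, nil, @view.erb_trim_mode).src
+ erb_trim_mode = '-'
+
+ # code = ::ERB.new(src, nil, @view.erb_trim_mode).src
+ code = ::ERB.new("<% __in_erb_template=true %>#{src}", nil, erb_trim_mode, '@output_buffer').src
+ # Ruby 1.9 prepends an encoding to the source. However this is
+ # useless because you can only set an encoding on the first line
+ RUBY_VERSION >= '1.9' ? src.sub(/\A#coding:.*\n/, '') : src
+
 code.gsub!('\\','\\\\\\') # backslashes would disappear in compile_template/modul_eval, so we escape them
-
- <<-CODE
+
+ code = <<-CODE
 handler = ActionView::TemplateHandlers::SafeHaml
 assigns = handler.valid_assigns(@template.assigns)
 methods = handler.delegate_methods(self)
 code = %Q(#{code});
-
+
 box = Safemode::Box.new(self, methods, #{filename.inspect}, 0)
- box.eval(code, assigns, local_assigns, &lambda{ yield })
+ box.eval(code, assigns, local_assigns, &lambda{ |*args| yield(*args) })
 CODE
+ # puts code
+ code
 end
 end
 end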
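Review bot: The added line `RUBY_VERSION >= '1.9' ? src.sub(/\A#coding:.*\n/, '') : src` has no effect: `String#sub` returns a new string that is discarded, and it runs after `code` has already been generated from `src` two lines above, so the encoding comment it means to strip still ends up inside the compiled template. Move the stripping before the `::ERB.new` call and keep its result, e.g. `src = src.sub(/\A#coding:.*\n/, '') if RUBY_VERSION >= '1.9'`, and delete the bare expression. Two smaller points in the same hunk: `erb_trim_mode = '-'` silently replaces the view's configured `@view.erb_trim_mode` with a fixed value and deserves a comment stating why, and `# puts code` is leftover debugging. The enclosing `compile` method starts before this hunk.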
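--- a/engines/adva_cms/vendor/plugins/safemode/lib/haml/safemode.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/lib/haml/safemode.rb
@@ -2,11 +2,9 @@
 module Haml
 class Buffer
-=begin
 class Jail < Safemode::Jail
 allow :push_script, :push_text, :_hamlout, :open_tag
 end
-=end
 end
 end
@@ -40,4 +38,4 @@ def precompile_for_safemode(filename, ignore_assigns = [], delegate_methods = []
 # preamble + "code = %Q(#{@precompiled});" + postamble
 end
 end
-end
+end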
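--- a/engines/adva_cms/vendor/plugins/safemode/lib/safemode.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/lib/safemode.rb
@@ -1,10 +1,17 @@
 require 'rubygems'
 require 'ruby2ruby'
-begin
+begin
 require 'ruby_parser' # try to load RubyParser and use it if present
-rescue MissingSourceFile => e
+rescue LoadError => e
 end
+# this doesn't work somehow. Maybe something changed inside
+# ParseTree or sexp_processor or so.
+# (the require itself works, but ParseTree doesn't play nice)
+# begin
+# require 'parse_tree'
+# rescue LoadError => e
+# end
 require 'safemode/core_ext'
 require 'safemode/blankslate'
@@ -41,7 +48,7 @@ def initialize(delegate = nil, delegate_methods = [], filename = nil, line = nil
 def eval(code, assigns = {}, locals = {}, &block)
 code = Parser.jail(code)
 binding = @scope.bind(assigns, locals, &block)
- result = Kernel.eval code, binding, @filename || __FILE__, @line || __LINE__
+ result = Kernel.eval(code, binding, @filename || __FILE__, @line || __LINE__)
 end
 def output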
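Review bot: `rescue LoadError => e` around `require 'ruby_parser'` still swallows a failed load and never uses `e`, but the fallback this guard existed for is gone in this commit (the ParseTree require below is commented out and Parser hard-codes RubyParser), so a missing gem now surfaces only later as an undefined-constant error inside `Safemode::Parser.parse` instead of at load time. Either require RubyParser unconditionally, or keep the guard as plain `rescue LoadError` with a comment such as `# optional only so the app boots without the gem; Safemode::Parser cannot parse anything without it`. The unused `e` binding should go in either case.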
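--- a/engines/adva_cms/vendor/plugins/safemode/lib/safemode/blankslate.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/lib/safemode/blankslate.rb
@@ -1,5 +1,3 @@
-require 'safemode/core_ext'
-
 module Safemode
 class Blankslate
 @@allow_instance_methods = ['class', 'inspect', 'methods', 'respond_to?', 'to_s', 'instance_variable_get']
@@ -31,11 +29,6 @@ def allow(*names)
 def allowed?(name)
 allowed_methods.include? name.to_s
 end
-
- # otherwise breaks, e.g. Rails::Generator::Spec
- def ancestors
- []
- end
 end
 end
 end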
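--- a/engines/adva_cms/vendor/plugins/safemode/lib/safemode/jail.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/lib/safemode/jail.rb
@@ -1,5 +1,3 @@
-require 'safemode/blankslate'
-
 module Safemode
 class Jail < Blankslate
 def initialize(source = nil)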
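--- a/engines/adva_cms/vendor/plugins/safemode/lib/safemode/parser.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/lib/safemode/parser.rb
@@ -1,6 +1,7 @@
 module Safemode
 class Parser < Ruby2Ruby
- @@parser = defined?(RubyParser) ? 'RubyParser' : 'ParseTree'
+ # @@parser = defined?(RubyParser) ? 'RubyParser' : 'ParseTree'
+ @@parser = 'RubyParser'
 class << self
 def jail(code, allowed_fcalls = [])
@@ -11,8 +12,8 @@ def jail(code, allowed_fcalls = [])
 def parse(code)
 case @@parser
- when 'ParseTree'
- ParseTree.translate(code)
+ # when 'ParseTree'
+ # ParseTree.translate(code)
 when 'RubyParser'
 RubyParser.new.parse(code)
 else
@@ -57,32 +58,42 @@ def process_vcall(exp)
 exp.clear
 "to_jail.#{name}"
 end
-
+
+ def process_iasgn(exp)
+ code = super
+ if code != '@output_buffer = ""'
+ raise_security_error(:iasgn, code)
+ else
+ code
+ end
+ end
+
 # see http://www.namikilab.tuat.ac.jp/~sasada/prog/rubynodes/nodes.html
-
- allowed = [ :call, :vcall, :evstr,
- :lvar, :dvar, :ivar, :lasgn, :masgn, :dasgn, :dasgn_curr,
- :lit, :str, :dstr, :dsym, :nil, :true, :false,
- :array, :zarray, :hash, :dot2, :dot3, :flip2, :flip3,
- :if, :case, :when, :while, :until, :iter, :for, :break, :next, :yield,
+
+ allowed = [ :call, :vcall, :evstr,
+ :lvar, :dvar, :ivar, :lasgn, :masgn, :dasgn, :dasgn_curr,
+ :lit, :str, :dstr, :dsym, :nil, :true, :false,
+ :array, :zarray, :hash, :dot2, :dot3, :flip2, :flip3,
+ :if, :case, :when, :while, :until, :iter, :for, :break, :next, :yield,
 :and, :or, :not,
+ :iasgn, # iasgn is sometimes allowed
 # not sure about self ...
 :self,
 # unnecessarily advanced?
 :argscat, :argspush, :splat, :block_pass,
 :op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
 # needed for haml
 :block ]
-
+
 disallowed = [ # :self, # self doesn't seem to be needed for vcalls?
 :const, :defn, :defs, :alias, :valias, :undef, :class, :attrset,
- :module, :sclass, :colon2, :colon3,
- :fbody, :scope, :args, :block_arg, :postexe,
- :redo, :retry, :begin, :rescue, :resbody, :ensure,
+ :module, :sclass, :colon2, :colon3,
+ :fbody, :scope, :args, :block_arg, :postexe,
+ :redo, :retry, :begin, :rescue, :resbody, :ensure,
 :defined, :super, :zsuper, :return,
- :dmethod, :bmethod, :to_ary, :svalue, :match,
- :iasgn, :attrasgn, :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
- :xstr, :dxstr,
+ :dmethod, :bmethod, :to_ary, :svalue, :match,
+ :attrasgn, :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
+ :xstr, :dxstr,
 # not sure how secure ruby regexp is, so leave it out for now
 :dregx, :dregx_once, :match2, :match3, :nth_ref, :back_ref ]
@@ -182,4 +193,4 @@ def process_if(exp)
 end
 end
 end
-end
+end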
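Review bot: `process_iasgn` decides whether an instance-variable assignment is allowed by comparing Ruby2Ruby's rendered text against `'@output_buffer = ""'`, which couples a security check to the printer's output format rather than to the parsed node: a Ruby2Ruby version that renders the empty string literal differently would make the one permitted assignment raise, and the check is only as tight as that formatting. Inspecting `exp` (target ivar name and the literal) before calling `super` would be more robust; I am hedging on the exact Sexp layout for iasgn in this RubyParser version since it is not visible here. The allowed-list comment `# iasgn is sometimes allowed` should also say where the exception is enforced, e.g. `:iasgn, # only '@output_buffer = ""' is permitted; enforced in process_iasgn`. As a style point, the if/else collapses to `raise_security_error(:iasgn, code) unless code == '@output_buffer = ""'` followed by `code`, assuming raise_security_error raises as its name suggests; the `else` branch of `parse` continues outside the second hunk.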
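--- a/engines/adva_cms/vendor/plugins/safemode/test/test_all.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/test/test_all.rb
@@ -6,8 +6,9 @@
 require File.join(File.dirname(__FILE__), 'test_safemode_eval')
 require File.join(File.dirname(__FILE__), 'test_erb_eval')
-['ParseTree', 'RubyParser'].each do |parser|
+# ['ParseTree', 'RubyParser'].each do |parser|
+['RubyParser'].each do |parser|
 Safemode::Parser.parser = parser
 puts "Running suite with Safemode::Parser using #{parser}"
 Test::Unit::AutoRunner.run
-end
+end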
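--- a/engines/adva_cms/vendor/plugins/safemode/test/test_helper.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/test/test_helper.rb
@@ -48,7 +48,7 @@ def security_error_raising_calls
 "load('/path/to/file')", "require 'something'",
 "loop{}",
 "open('/etc/passwd'){|f| f.read}",
- "p 'text'", "pretty_inspect(self)",
+ "p 'text'", "pretty_inspect",
 # "print 'text'", "puts 'text'", allowed and buffered these (see ScopeObject)
 "printf 'text'", "putc 'a'",
 "raise RuntimeError, 'should not happen'",
@@ -114,7 +114,6 @@ def to_jail
 end
 end
-=begin
 class Article::Jail < Safemode::Jail
 allow :title, :comments, :is_article?
@@ -129,4 +128,3 @@ class Article::ExtendedJail < Article::Jail
 class Comment::Jail < Safemode::Jail
 allow :article, :text
 end
-=end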
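--- a/engines/adva_cms/vendor/plugins/safemode/test/test_jail.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/test/test_jail.rb
@@ -27,7 +27,9 @@ def test_jail_instances_should_have_limited_methods
 def test_jail_classes_should_have_limited_methods
 expected = ["new", "methods", "name", "inherited", "method_added", "inspect",
- "allow", "allowed?", "allowed_methods", "init_allowed_methods"]
+ "allow", "allowed?", "allowed_methods", "init_allowed_methods",
+ "<" # < needed in Rails Object#subclasses_of
+ ]
 objects.each do |object|
 assert_equal expected.sort, reject_pretty_methods(object.to_jail.class.methods.sort)
 end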
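--- a/engines/adva_cms/vendor/plugins/safemode/test/test_safemode_parser.rb
+++ b/engines/adva_cms/vendor/plugins/safemode/test/test_safemode_parser.rb
@@ -25,7 +25,13 @@ def test_ternary_should_be_usable_for_erb
 assert_jailed "if true then\n 1\n else\n2\nend", "true ? 1 : 2"
 end
-private
+ def test_output_buffer_should_be_assignable
+ assert_nothing_raised do
+ jail('@output_buffer = ""')
+ end
+ end
+
+private
 def assert_jailed(expected, code)
 assert_equal expected.gsub(' ', ''), jail(code).gsub(' ', '')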
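Review bot: The new `test_output_buffer_should_be_assignable` only covers the positive case, while the same commit moves `:iasgn` from the parser's disallowed list to the allowed list and relies on `process_iasgn` to reject every other instance-variable assignment; nothing here pins that rejection, so a regression in `process_iasgn` would pass the suite. I would add a negative test next to it, asserting that a different ivar target and a different value for `@output_buffer` both raise. The fence uses `Safemode::SecurityError` on the assumption that this is what `raise_security_error` raises in this vendored copy; adjust if the class is named differently.
```ruby
  def test_other_ivar_assignments_should_raise
    # process_iasgn permits exactly '@output_buffer = ""'; everything else must be rejected.
    assert_raises(Safemode::SecurityError) { jail('@title = "x"') }
    assert_raises(Safemode::SecurityError) { jail('@output_buffer = "x"') }
  end
```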
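--- a/engines/adva_themes/test/unit/models/theme_file_test.rb
+++ b/engines/adva_themes/test/unit/models/theme_file_test.rb
@@ -141,8 +141,8 @@ def expect_valid_file(file, type, path)
 test "appends an integer to basename to ensure a unique filename if the file exists" do
 dirname = "#{Theme.root_dir}/sites/site-#{@site.id}/themes/#{@theme.theme_id}/images"
 FileUtils.mkdir_p dirname
- File.cp image_fixture.path, "#{dirname}/rails.png"
+ FileUtils.copy image_fixture.path, "#{dirname}/rails.png"
 uploaded_image.path.should == "#{dirname}/rails.1.png"
 uploaded_image.path.should == "#{dirname}/rails.2.png"
 end
-end
+end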
