Instiki 0.19.5 (SECURITY!)

Update Rails to 2.3.15.
commit b79c399b4e55c679bd0575f12c622af996f1a2cb 1 parent 94eacd8
@distler distler authored
Showing with 126 additions and 41 deletions.
  1. +13 −0 CHANGELOG
  2. +2 −1  Gemfile
  3. +2 −2 app/controllers/application_controller.rb
  4. +1 −1  vendor/rails/actionmailer/Rakefile
  5. +1 −1  vendor/rails/actionmailer/lib/action_mailer/version.rb
  6. +2 −2 vendor/rails/actionpack/Rakefile
  7. +1 −1  vendor/rails/actionpack/lib/action_controller.rb
  8. +1 −1  vendor/rails/actionpack/lib/action_controller/request.rb
  9. +1 −1  vendor/rails/actionpack/lib/action_pack/version.rb
  10. +3 −0  vendor/rails/actionpack/test/controller/request_test.rb
  11. +13 −0 vendor/rails/actionpack/test/controller/webservice_test.rb
  12. +1 −1  vendor/rails/activerecord/Rakefile
  13. +5 −1 vendor/rails/activerecord/lib/active_record/base.rb
  14. +5 −5 vendor/rails/activerecord/lib/active_record/validations.rb
  15. +1 −1  vendor/rails/activerecord/lib/active_record/version.rb
  16. +12 −0 vendor/rails/activerecord/test/cases/finder_test.rb
  17. +1 −1  vendor/rails/activeresource/Rakefile
  18. +1 −1  vendor/rails/activeresource/lib/active_resource/version.rb
  19. +6 −0 vendor/rails/activesupport/CHANGELOG
  20. +24 −7 vendor/rails/activesupport/lib/active_support/core_ext/hash/conversions.rb
  21. +1 −1  vendor/rails/activesupport/lib/active_support/version.rb
  22. +23 −7 vendor/rails/activesupport/test/core_ext/hash_ext_test.rb
  23. +5 −5 vendor/rails/railties/Rakefile
  24. +1 −1  vendor/rails/railties/lib/rails/version.rb
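--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,19 @@ N.B.: You *must* run
 after installing the new software, to enjoy the benefits of this new version.
 ------------------------------------------------------------------------------
+* 0.19.5
+
+New Features:
+* MathJax 2.0
+* Rails 2.3.15
+* Support for embedding Wolfram CDF files
+* Extended support for HTML5 audio and video
+* Maruku and file_signature unbundled
+
+Bugs Fixed:
+* Fixed CVE-2013-0155 and CVE-2013-0156
+* Stylesheet fixes
+------------------------------------------------------------------------------
 * 0.19.4
 New Feautures: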
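--- a/Gemfile
+++ b/Gemfile
@@ -1,7 +1,7 @@
 source "http://rubygems.org"
 gem "sqlite3", :require => "sqlite3"
 gem "itextomml", ">=1.4.10"
-gem "rack", ">=1.1.0"
+gem "rack", ">=1.1.3"
 gem "mongrel", ">=1.2.0.pre2"
 gem "rubyzip"
 gem "RedCloth", ">=4.0.0"
@@ -12,3 +12,4 @@ gem "rdoc"
 gem "json"
 gem "file_signature", :git => 'http://github.com/distler/file_signature.git'
 gem "maruku", :git => 'http://github.com/distler/maruku.git', :branch => 'nokogiri'
+gem "rake"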
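--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -288,7 +288,7 @@ module VERSION #:nodoc:
 MINOR = 19
 TINY = 5
 SUFFIX = '(MML+)'
- PRERELEASE = '.5pre'
+ PRERELEASE = false
 if PRERELEASE
 STRING = [MAJOR, MINOR].join('.') + PRERELEASE + SUFFIX
 else
@@ -314,4 +314,4 @@ def set_content_type!(controller, extension)
 end
 end
 end
-end
+end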
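--- a/vendor/rails/actionmailer/Rakefile
+++ b/vendor/rails/actionmailer/Rakefile
@@ -54,7 +54,7 @@ spec = Gem::Specification.new do |s|
 s.rubyforge_project = "actionmailer"
 s.homepage = "http://www.rubyonrails.org"
- s.add_dependency('actionpack', '= 2.3.14' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.15' + PKG_BUILD)
 s.requirements << 'none'
 s.require_path = 'lib'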
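--- a/vendor/rails/actionmailer/lib/action_mailer/version.rb
+++ b/vendor/rails/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 14
+ TINY = 15
 STRING = [MAJOR, MINOR, TINY].join('.')
 end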
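--- a/vendor/rails/actionpack/Rakefile
+++ b/vendor/rails/actionpack/Rakefile
@@ -78,8 +78,8 @@ spec = Gem::Specification.new do |s|
 s.requirements << 'none'
- s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
- s.add_dependency('rack', '~> 1.1.0')
+ s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('rack', '~> 1.1.3')
 s.require_path = 'lib'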
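--- a/vendor/rails/actionpack/lib/action_controller.rb
+++ b/vendor/rails/actionpack/lib/action_controller.rb
@@ -31,7 +31,7 @@
 end
 end
-gem 'rack', '>= 1.1.0'
+gem 'rack', '>= 1.1.3'
 require 'rack'
 require 'action_controller/cgi_ext'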
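--- a/vendor/rails/actionpack/lib/action_controller/request.rb
+++ b/vendor/rails/actionpack/lib/action_controller/request.rb
@@ -225,7 +225,7 @@ def remote_ip
 not_trusted_addrs = remote_addr_list.reject {|addr| addr =~ TRUSTED_PROXIES}
 return not_trusted_addrs.first unless not_trusted_addrs.empty?
 end
- remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
+ remote_ips = @env['HTTP_X_FORWARDED_FOR'].present? && @env['HTTP_X_FORWARDED_FOR'].split(',')
 if @env.include? 'HTTP_CLIENT_IP'
 if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])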
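Review bot: The spoofing check on the last line of the hunk compares `HTTP_CLIENT_IP` against the raw `split(',')` entries, so a proxy that emits `X-Forwarded-For: 1.2.3.4, 5.6.7.8` leaves a leading space on every entry after the first and a legitimate `Client-IP: 5.6.7.8` fails `include?` and trips the spoofing error. Stripping at the split makes the comparison exact: `remote_ips = @env['HTTP_X_FORWARDED_FOR'].present? && @env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)`. The switch to `.present?` also means a blank header is now treated like an absent one (the new request_test pins this), which deserves a one-line comment such as `# blank X-Forwarded-For is treated as absent` so it is not "fixed" back. `remote_ip` begins and ends outside this hunk, so whether later code strips these entries before use cannot be confirmed here.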
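--- a/vendor/rails/actionpack/lib/action_pack/version.rb
+++ b/vendor/rails/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 14
+ TINY = 15
 STRING = [MAJOR, MINOR, TINY].join('.')
 end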
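--- a/vendor/rails/actionpack/test/controller/request_test.rb
+++ b/vendor/rails/actionpack/test/controller/request_test.rb
@@ -20,6 +20,9 @@ def test_remote_ip
 'HTTP_X_FORWARDED_FOR' => '3.4.5.6'
 assert_equal '1.2.3.4', request.remote_ip
+ request = stub_request 'HTTP_X_FORWARDED_FOR' => ''
+ assert_nil request.remote_ip
+
 request = stub_request 'REMOTE_ADDR' => '127.0.0.1',
 'HTTP_X_FORWARDED_FOR' => '3.4.5.6'
 assert_equal '3.4.5.6', request.remote_ip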
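--- a/vendor/rails/actionpack/test/controller/webservice_test.rb
+++ b/vendor/rails/actionpack/test/controller/webservice_test.rb
@@ -121,6 +121,19 @@ def test_post_xml_using_an_attributted_node_named_type
 end
 end
+ def test_post_xml_using_a_disallowed_type_attribute
+ $stderr = StringIO.new
+ with_test_route_set do
+ post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+ assert_response 500
+
+ post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+ assert_response 500
+ end
+ ensure
+ $stderr = STDERR
+ end
+
 def test_register_and_use_yaml
 with_test_route_set do
 ActionController::Base.param_parsers[Mime::YAML] = Proc.new { |d| YAML.load(d) }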
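Review bot: `assert_response 500` in the new `test_post_xml_using_a_disallowed_type_attribute` accepts any server error, so the test still passes if the request fails for an unrelated reason instead of because the XML parser raised `Hash::DisallowedType`, and redirecting `$stderr` into a throwaway `StringIO` discards the only evidence of which error actually occurred. Keeping a handle on the stream and asserting on it after each post, e.g. `assert_match(/Disallowed type/, $stderr.string)`, would pin the cause, assuming the 500 handler writes the exception message there; if it does not, a direct `assert_raise(Hash::DisallowedType) { Hash.from_xml('<foo type="yaml">value</foo>') }` gives the same guarantee without the stderr dance.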
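--- a/vendor/rails/activerecord/Rakefile
+++ b/vendor/rails/activerecord/Rakefile
@@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
 s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
 end
- s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
 s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
 s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"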
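--- a/vendor/rails/activerecord/lib/active_record/base.rb
+++ b/vendor/rails/activerecord/lib/active_record/base.rb
@@ -1897,7 +1897,11 @@ def method_missing(method_id, *arguments, &block)
 # end
 self.class_eval <<-EOS, __FILE__, __LINE__ + 1
 def self.#{method_id}(*args)
- options = args.extract_options!
+ options = if args.length > #{attribute_names.size}
+ args.extract_options!
+ else
+ {}
+ end
 attributes = construct_attributes_from_arguments(
 [:#{attribute_names.join(',:')}],
 args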
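Review bot: The new `if args.length > #{attribute_names.size}` branch deliberately stops treating a trailing Hash as finder options when it occupies an attribute position (`find_by_id(:limit => 1)`), but nothing in the generated method says why, and the next maintainer may well "simplify" it back to a bare `args.extract_options!`. A comment above the branch such as `# A Hash in an attribute position is a value, never finder options: only extract options when more args than attributes were given, so caller-supplied params cannot inject :limit/:order/etc.` would preserve the intent. Because the Hash then flows into `construct_attributes_from_arguments`, its rejection depends on the adapter raising `StatementInvalid` (which is what the new finder_test expects) rather than on an explicit argument check; an `ArgumentError` up front would be more direct but would change that test. The enclosing `method_missing` starts and ends outside this hunk.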
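--- a/vendor/rails/activerecord/lib/active_record/validations.rb
+++ b/vendor/rails/activerecord/lib/active_record/validations.rb
@@ -602,14 +602,14 @@ def validates_presence_of(*attr_names)
 # Validates that the specified attribute matches the length restrictions supplied. Only one option can be used at a time:
 #
 # class Person < ActiveRecord::Base
- # validates_length_of :first_name, :maximum=>30
- # validates_length_of :last_name, :maximum=>30, :message=>"less than %{count} if you don't mind"
+ # validates_length_of :first_name, :maximum => 30
+ # validates_length_of :last_name, :maximum => 30, :message => "less than %{count} if you don't mind"
 # validates_length_of :fax, :in => 7..32, :allow_nil => true
 # validates_length_of :phone, :in => 7..32, :allow_blank => true
 # validates_length_of :user_name, :within => 6..20, :too_long => "pick a shorter name", :too_short => "pick a longer name"
- # validates_length_of :fav_bra_size, :minimum => 1, :too_short => "please enter at least %{count} character"
- # validates_length_of :smurf_leader, :is => 4, :message => "papa is spelled with %{count} characters... don't play me."
- # validates_length_of :essay, :minimum => 100, :too_short => "Your essay must be at least %{count} words."), :tokenizer => lambda {|str| str.scan(/\w+/) }
+ # validates_length_of :zip_code, :minimum => 5, :too_short => "please enter at least %{count} characters"
+ # validates_length_of :smurf_leader, :is => 4, :message => "papa is spelled with %{count} characters... don't play me"
+ # validates_length_of :essay, :minimum => 100, :too_short => "Your essay must be at least %{count} words"), :tokenizer => lambda {|str| str.scan(/\w+/) }
 # end
 #
 # Configuration options: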
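Review bot: The rewritten `:essay` example on the last changed line still carries the unbalanced `)` after the `:too_short` string, so anyone pasting the documented call gets a syntax error; the form that parses is `# validates_length_of :essay, :minimum => 100, :too_short => "Your essay must be at least %{count} words", :tokenizer => lambda {|str| str.scan(/\w+/) }`. Since this hunk only edits documentation, that stray paren is the one thing in it worth fixing while the line is being touched.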
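--- a/vendor/rails/activerecord/lib/active_record/version.rb
+++ b/vendor/rails/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 14
+ TINY = 15
 STRING = [MAJOR, MINOR, TINY].join('.')
 end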
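--- a/vendor/rails/activerecord/test/cases/finder_test.rb
+++ b/vendor/rails/activerecord/test/cases/finder_test.rb
@@ -66,6 +66,18 @@ def test_find_or_create_by
 class FinderTest < ActiveRecord::TestCase
 fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers
+ def test_find_by_id_with_hash
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.find_by_id(:limit => 1)
+ end
+ end
+
+ def test_find_by_title_and_id_with_hash
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.find_by_title_and_id('foo', :limit => 1)
+ end
+ end
+
 def test_find
 assert_equal(topics(:first).title, Topic.find(1).title)
 end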
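--- a/vendor/rails/activeresource/Rakefile
+++ b/vendor/rails/activeresource/Rakefile
@@ -66,7 +66,7 @@ spec = Gem::Specification.new do |s|
 s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
 end
- s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
 s.require_path = 'lib'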
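--- a/vendor/rails/activeresource/lib/active_resource/version.rb
+++ b/vendor/rails/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 14
+ TINY = 15
 STRING = [MAJOR, MINOR, TINY].join('.')
 end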
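--- a/vendor/rails/activesupport/CHANGELOG
+++ b/vendor/rails/activesupport/CHANGELOG
@@ -1,5 +1,11 @@
+## Rails 2.3.15 (Jan 8, 2012) ##
+
+* Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XML. CVE-2013-0156 [Jeremy Kemper]
+
+
 *2.3.11 (February 9, 2011)*
+
 *2.3.10 (October 15, 2010)*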
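--- a/vendor/rails/activesupport/lib/active_support/core_ext/hash/conversions.rb
+++ b/vendor/rails/activesupport/lib/active_support/core_ext/hash/conversions.rb
@@ -26,6 +26,13 @@ def content_type
 end
 end
+ DISALLOWED_XML_TYPES = %w(symbol yaml)
+ class DisallowedType < StandardError #:nodoc:
+ def initialize(type)
+ super "Disallowed type attribute: #{type.inspect}"
+ end
+ end
+
 XML_TYPE_NAMES = {
 "Symbol" => "symbol",
 "Fixnum" => "integer",
@@ -160,14 +167,24 @@ def rename_key(key, options = {})
 end
 module ClassMethods
- def from_xml(xml)
- typecast_xml_value(unrename_keys(XmlMini.parse(xml)))
+ def from_xml(xml, disallowed_types = nil)
+ typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types)
+ end
+
+ def from_trusted_xml(xml)
+ from_xml xml, []
 end
 private
- def typecast_xml_value(value)
+ def typecast_xml_value(value, disallowed_types = nil)
+ disallowed_types ||= DISALLOWED_XML_TYPES
+
 case value.class.to_s
 when 'Hash'
+ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
+ raise DisallowedType, value['type']
+ end
+
 if value['type'] == 'array'
 child_key, entries = value.detect { |k,v| k != 'type' } # child_key is throwaway
 if entries.nil? || (c = value['__content__'] && c.blank?)
@@ -175,9 +192,9 @@ def typecast_xml_value(value)
 else
 case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
 when "Array"
- entries.collect { |v| typecast_xml_value(v) }
+ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
 when "Hash"
- [typecast_xml_value(entries)]
+ [typecast_xml_value(entries, disallowed_types)]
 else
 raise "can't typecast #{entries.inspect}"
 end
@@ -205,7 +222,7 @@ def typecast_xml_value(value)
 nil
 else
 xml_value = value.inject({}) do |h,(k,v)|
- h[k] = typecast_xml_value(v)
+ h[k] = typecast_xml_value(v, disallowed_types)
 h
 end
@@ -214,7 +231,7 @@ def typecast_xml_value(value)
 xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
 end
 when 'Array'
- value.map! { |i| typecast_xml_value(i) }
+ value.map! { |i| typecast_xml_value(i, disallowed_types) }
 case value.length
 when 0 then nil
 when 1 then value.first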
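Review bot: `DISALLOWED_XML_TYPES = %w(symbol yaml)` in the first hunk is a mutable constant that `typecast_xml_value` falls back to whenever no list is passed, so any caller or monkey-patch that does `DISALLOWED_XML_TYPES.delete('yaml')` silently re-opens the hole for every `from_xml` call in the process; `DISALLOWED_XML_TYPES = %w(symbol yaml).freeze` closes that. `from_trusted_xml` carries no warning that passing `[]` re-enables the `symbol` and `yaml` coercions the default denylist exists to block (the activesupport CHANGELOG hunk ties this to CVE-2013-0156), so add above it `# Re-enables yaml/symbol typecasting, which deserializes arbitrary objects. Only call this on XML the application itself produced, never on request bodies.`. The denylist check is a string comparison on the `type` attribute at each Hash level; the branch that actually performs the yaml load is outside this hunk, so whether it has any guard of its own cannot be seen here.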
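--- a/vendor/rails/activesupport/lib/active_support/version.rb
+++ b/vendor/rails/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 14
+ TINY = 15
 STRING = [MAJOR, MINOR, TINY].join('.')
 end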
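--- a/vendor/rails/activesupport/test/core_ext/hash_ext_test.rb
+++ b/vendor/rails/activesupport/test/core_ext/hash_ext_test.rb
@@ -575,12 +575,10 @@ def test_single_record_from_xml
 <replies-close-in type="integer">2592000000</replies-close-in>
 <written-on type="date">2003-07-16</written-on>
 <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
- <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n should_have_underscores: true\n</content>
 <author-email-address>david@loudthinking.com</author-email-address>
 <parent-id></parent-id>
 <ad-revenue type="decimal">1.5</ad-revenue>
 <optimum-viewing-angle type="float">135</optimum-viewing-angle>
- <resident type="symbol">yes</resident>
 </topic>
 EOT
@@ -593,12 +591,10 @@ def test_single_record_from_xml
 :replies_close_in => 2592000000,
 :written_on => Date.new(2003, 7, 16),
 :viewed_at => Time.utc(2003, 7, 16, 9, 28),
- :content => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
 :author_email_address => "david@loudthinking.com",
 :parent_id => nil,
 :ad_revenue => BigDecimal("1.50"),
 :optimum_viewing_angle => 135.0,
- :resident => :yes
 }.stringify_keys
 assert_equal expected_topic_hash, Hash.from_xml(topic_xml)["topic"]
@@ -612,7 +608,6 @@ def test_single_record_from_xml_with_nil_values
 <approved type="boolean"></approved>
 <written-on type="date"></written-on>
 <viewed-at type="datetime"></viewed-at>
- <content type="yaml"></content>
 <parent-id></parent-id>
 </topic>
 EOT
@@ -623,7 +618,6 @@ def test_single_record_from_xml_with_nil_values
 :approved => nil,
 :written_on => nil,
 :viewed_at => nil,
- :content => nil,
 :parent_id => nil
 }.stringify_keys
@@ -833,6 +827,28 @@ def test_type_trickles_through_when_unknown
 assert_equal expected_product_hash, Hash.from_xml(product_xml)["product"]
 end
+ def test_from_xml_raises_on_disallowed_type_attributes
+ assert_raise Hash::DisallowedType do
+ Hash.from_xml '<product><name type="foo">value</name></product>', %w(foo)
+ end
+ end
+
+ def test_from_xml_disallows_symbol_and_yaml_types_by_default
+ assert_raise Hash::DisallowedType do
+ Hash.from_xml '<product><name type="symbol">value</name></product>'
+ end
+
+ assert_raise Hash::DisallowedType do
+ Hash.from_xml '<product><name type="yaml">value</name></product>'
+ end
+ end
+
+ def test_from_trusted_xml_allows_symbol_and_yaml_types
+ expected = { 'product' => { 'name' => :value }}
+ assert_equal expected, Hash.from_trusted_xml('<product><name type="symbol">value</name></product>')
+ assert_equal expected, Hash.from_trusted_xml('<product><name type="yaml">:value</name></product>')
+ end
+
 def test_should_use_default_value_for_unknown_key
 hash_wia = HashWithIndifferentAccess.new(3)
 assert_equal 3, hash_wia[:new_key]
@@ -867,7 +883,7 @@ def test_kernel_method_names_to_xml
 def test_empty_string_works_for_typecast_xml_value
 assert_nothing_raised do
- Hash.__send__(:typecast_xml_value, "")
+ Hash.__send__(:typecast_xml_value, "", [])
 end
 end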
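Review bot: The new `test_from_trusted_xml_allows_symbol_and_yaml_types` only exercises a scalar yaml value (`:value`), while the assertions this commit removes from `test_single_record_from_xml` covered a nested yaml document with an integer key and an array; moving that `<content type="yaml">` fixture and its expected hash into a `from_trusted_xml`-based test would keep that coverage instead of dropping it. The new tests also prove that disallowed types raise only at the top-level element; one case with the attribute on a nested element, e.g. `Hash.from_xml '<product><meta><name type="yaml">v</name></meta></product>'` under `assert_raise Hash::DisallowedType`, would pin the recursion that the conversions.rb change threads `disallowed_types` through. Finally, `test_empty_string_works_for_typecast_xml_value` now passes `[]` explicitly, so the default-`nil` path of `typecast_xml_value` is no longer covered by it; a second call `Hash.__send__(:typecast_xml_value, "")` inside the same `assert_nothing_raised` restores that.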
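--- a/vendor/rails/railties/Rakefile
+++ b/vendor/rails/railties/Rakefile
@@ -313,11 +313,11 @@ spec = Gem::Specification.new do |s|
 EOF
 s.add_dependency('rake', '>= 0.8.3')
- s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
- s.add_dependency('activerecord', '= 2.3.14' + PKG_BUILD)
- s.add_dependency('actionpack', '= 2.3.14' + PKG_BUILD)
- s.add_dependency('actionmailer', '= 2.3.14' + PKG_BUILD)
- s.add_dependency('activeresource', '= 2.3.14' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('activerecord', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('actionmailer', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('activeresource', '= 2.3.15' + PKG_BUILD)
 s.rdoc_options << '--exclude' << '.'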
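--- a/vendor/rails/railties/lib/rails/version.rb
+++ b/vendor/rails/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 14
+ TINY = 15
 STRING = [MAJOR, MINOR, TINY].join('.')
 end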