Merge branch '3-0-10' into 3-0-stable

* 3-0-10: bumping rails to 3.0.10 properly subsituting bad utf8 characters Tags with invalid names should also be stripped in order to prevent XSS attacks. Thanks Sascha Depold for the report. prevent sql injection attacks by escaping quotes in column names Properly escape glob characters. bumping to 3.0.10.rc1 more changelog updates updating CHANGELOGs
rails · Aug 16, 2011 · 0b37704 · 0b37704
2 parents 4c8a211 + 4f15f39
commit 0b37704
Show file tree

Hide file tree

Showing 25 changed files with 106 additions and 18 deletions.
diff --git a/RAILS_VERSION b/RAILS_VERSION
@@ -1 +1 @@
-3.0.9
+3.0.10
diff --git a/actionmailer/CHANGELOG b/actionmailer/CHANGELOG
@@ -1,4 +1,8 @@
-*Rails 3.0.8 (unreleased)*
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
 
 * Mail dependency increased to 2.2.19
 

diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
@@ -3,7 +3,15 @@
 * Fixes an issue where cache sweepers with only after filters would have no
 controller object, it would raise undefined method controller_name for nil [jeroenj]
 
-*Rails 3.0.9 (unreleased)*
+* Ensure status codes are logged when exceptions are raised.
+
+* Subclasses of OutputBuffer are respected.
+
+* Fixed ActionView::FormOptionsHelper#select with :multiple => false
+
+* Avoid extra call to Cache#read in case of a fragment cache hit
+
+*Rails 3.0.9 (June 16, 2011)*
 
 * json_escape will now return a SafeBuffer string if it receives SafeBuffer string [tenderlove]
 

diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -156,7 +156,7 @@ def parse(parent, line, pos, content, strict=true)
           end
 
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
           name.downcase!
 
           unless closing

diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
@@ -63,7 +63,7 @@ def build_path(name, prefix, partial, details)
     end
 
     def query(path, exts, formats)
-      query = File.join(@path, path)
+      query = escape_entry File.join(@path, path)
 
       exts.each do |ext|
         query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
@@ -88,6 +88,10 @@ def query(path, exts, formats)
       templates
     end
 
+    def escape_entry(entry)
+      entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
+    end
+
     # Extract handler and formats from path. If a format cannot be a found neither
     # from the path, or the handler, we should return the array of formats given
     # to the resolver.

diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
@@ -396,6 +396,14 @@ def render_with_explicit_template
     render :template => "test/hello_world"
   end
 
+  def render_with_explicit_unescaped_template
+    render :template => "test/h*llo_world"
+  end
+
+  def render_with_explicit_escaped_template
+    render :template => "test/hello_w*rld"
+  end
+
   def render_with_explicit_string_template
     render "test/hello_world"
   end
@@ -1057,6 +1065,12 @@ def test_render_with_explicit_template
     assert_response :success
   end
 
+  def test_render_with_explicit_unescaped_template
+    assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
+    get :render_with_explicit_escaped_template
+    assert_equal "Hello w*rld!", @response.body
+  end
+
   def test_render_with_explicit_string_template
     get :render_with_explicit_string_template
     assert_equal "<html>Hello world!</html>", @response.body

diff --git a/actionpack/test/fixtures/test/hello_w*rld.erb b/actionpack/test/fixtures/test/hello_w*rld.erb
@@ -0,0 +1 @@
+Hello w*rld!
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -5,6 +5,13 @@ def setup
     @sanitizer = nil # used by assert_sanitizer
   end
 
+  def test_strip_tags_with_quote
+    sanitizer = HTML::FullSanitizer.new
+    string    = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+    assert_equal ' hi', sanitizer.sanitize(string)
+  end
+
   def test_strip_tags
     sanitizer = HTML::FullSanitizer.new
     assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))

diff --git a/activemodel/CHANGELOG b/activemodel/CHANGELOG
@@ -1,3 +1,9 @@
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
+
 *Rails 3.0.7 (April 18, 2011)*
 
 *No changes.

diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
@@ -4,6 +4,18 @@
 
 * schema.rb is written as UTF-8 by default.
 
+* Ensuring an established connection when running `rake db:schema:dump`
+
+* Association conditions will not clobber join conditions.
+
+* Destroying a record will destroy the HABTM record before destroying itself.
+GH #402.
+
+* Make `ActiveRecord::Batches#find_each` to not return `self`.
+
+* Update `table_exists?` in PG to to always use current search_path or schema
+if explictly set.
+
 *Rails 3.0.9 (June 16, 2011)*
 
 *Rails 3.0.8 (June 7, 2011)*

diff --git a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -199,7 +199,7 @@ def quote(value, column = nil)
       end
 
       def quote_column_name(name) #:nodoc:
-        @quoted_column_names[name] ||= "`#{name}`"
+        @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
       end
 
       def quote_table_name(name) #:nodoc:

diff --git a/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb b/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
@@ -115,7 +115,7 @@ def quote_string(s) #:nodoc:
       end
 
       def quote_column_name(name) #:nodoc:
-        %Q("#{name}")
+        %Q("#{name.to_s.gsub('"', '""')}")
       end
 
       # Quote date/time values for use in SQL input. Includes microseconds

diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/activerecord/test/cases/base_test.rb b/activerecord/test/cases/base_test.rb
@@ -50,6 +50,23 @@ class Boolean < ActiveRecord::Base; end
 class BasicsTest < ActiveRecord::TestCase
   fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
 
+ def test_column_names_are_escaped
+   conn      = ActiveRecord::Base.connection
+   classname = conn.class.name[/[^:]*$/]
+   badchar   = {
+     'SQLite3Adapter'    => '"',
+     'MysqlAdapter'      => '`',
+     'Mysql2Adapter'     => '`',
+     'PostgreSQLAdapter' => '"',
+     'OracleAdapter'     => '"',
+   }.fetch(classname) {
+     raise "need a bad char for #{classname}"
+   }
+
+   quoted = conn.quote_column_name "foo#{badchar}bar"
+   assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
+ end
+
   unless current_adapter?(:PostgreSQLAdapter,:OracleAdapter,:SQLServerAdapter)
     def test_limit_with_comma
       assert_nothing_raised do

diff --git a/activeresource/CHANGELOG b/activeresource/CHANGELOG
@@ -1,4 +1,8 @@
-*Rails 3.0.8 (unreleased)*
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
 
 *No changes.
 

diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -20,7 +20,7 @@ def html_escape(s)
       if s.html_safe?
         s
       else
-        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
       end
     end
 

diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
@@ -7,10 +7,17 @@
 require 'active_support/time'
 require 'active_support/core_ext/kernel/reporting'
 require 'active_support/core_ext/string/strip'
+require 'active_support/core_ext/string/output_safety'
 
 class StringInflectionsTest < Test::Unit::TestCase
   include InflectorTestCases
 
+  def test_erb_escape
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
   def test_strip_heredoc_on_an_empty_string
     assert_equal '', ''.strip_heredoc
   end

diff --git a/railties/CHANGELOG b/railties/CHANGELOG
@@ -1,4 +1,8 @@
-*Rails 3.0.8 (unreleased)*
+*Rails 3.0.10 (unreleased)*
+
+*Rails 3.0.9 (June 16, 2011)*
+
+*Rails 3.0.8 (June 7, 2011)*
 
 * Fix Rake 0.9.0 support.
 

diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

diff --git a/version.rb b/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 9
+    TINY  = 10
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')