
Merge branch '2-3-sec' into 2-3-stable

* 2-3-sec:
  bumping to 2.3.17
  fix serialization vulnerability
  fixing attr_protected CVE-2013-0276
2 parents ae61bf4 + 02d553d commit 1737f9480316418969e8091e47d9aa7abd4f2ff5 @tenderlove tenderlove committed Feb 11, 2013
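--- a/actionmailer/Rakefile
+++ b/actionmailer/Rakefile
@@ -54,7 +54,7 @@ spec = Gem::Specification.new do |s|
 s.rubyforge_project = "actionmailer"
 s.homepage = "http://www.rubyonrails.org"
- s.add_dependency('actionpack', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.17' + PKG_BUILD)
 s.requirements << 'none'
 s.require_path = 'lib'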
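--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'actionmailer'
- s.version = '2.3.16'
+ s.version = '2.3.17'
 s.summary = 'Service layer for easy email delivery and testing.'
 s.description = 'Makes it trivial to test and deliver emails sent from a single service layer.'
@@ -10,5 +10,5 @@ Gem::Specification.new do |s|
 s.require_path = 'lib'
- s.add_dependency 'actionpack', '= 2.3.16'
+ s.add_dependency 'actionpack', '= 2.3.17'
 end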
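--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 16
+ TINY = 17
 STRING = [MAJOR, MINOR, TINY].join('.')
 end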
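--- a/actionpack/Rakefile
+++ b/actionpack/Rakefile
@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
 s.requirements << 'none'
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
 s.add_dependency('rack', '~> 1.1.0')
 s.require_path = 'lib'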
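--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'actionpack'
- s.version = '2.3.16'
+ s.version = '2.3.17'
 s.summary = 'Web-flow and rendering framework putting the VC in MVC.'
 s.description = 'Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn\'t require a browser.'
@@ -10,6 +10,6 @@ Gem::Specification.new do |s|
 s.require_path = 'lib'
- s.add_dependency 'activesupport', '= 2.3.16'
+ s.add_dependency 'activesupport', '= 2.3.17'
 s.add_dependency 'rack', '~> 1.1.0'
 end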
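--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 16
+ TINY = 17
 STRING = [MAJOR, MINOR, TINY].join('.')
 end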
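--- a/activerecord/Rakefile
+++ b/activerecord/Rakefile
@@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
 s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
 end
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
 s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
 s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"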
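--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'activerecord'
- s.version = '2.3.16'
+ s.version = '2.3.17'
 s.summary = 'Implements the ActiveRecord pattern for ORM.'
 s.description = 'Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.'
@@ -13,5 +13,5 @@ Gem::Specification.new do |s|
 s.rdoc_options = ['--main', 'README']
 s.extra_rdoc_files = ['README']
- s.add_dependency 'activesupport', '= 2.3.16'
+ s.add_dependency 'activesupport', '= 2.3.17'
 end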
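--- a/activerecord/lib/active_record/attribute_methods.rb
+++ b/activerecord/lib/active_record/attribute_methods.rb
@@ -80,7 +80,9 @@ def define_attribute_methods
 end
 unless instance_method_already_implemented?("#{name}=")
- if create_time_zone_conversion_attribute?(name, column)
+ if self.serialized_attributes[name]
+ define_write_method_for_serialized_attribute(name)
+ elsif create_time_zone_conversion_attribute?(name, column)
 define_write_method_for_time_zone_conversion(name)
 else
 define_write_method(name.to_sym)
@@ -130,7 +132,7 @@ def cache_attribute?(attr_name)
 # Suffixes a, ?, c become regexp /(a|\?|c)$/
 def rebuild_attribute_method_regexp
 suffixes = attribute_method_suffixes.map { |s| Regexp.escape(s) }
- @@attribute_method_regexp = /(#{suffixes.join('|')})$/.freeze
+ @@attribute_method_regexp = /(#{suffixes.join('|')})\z/.freeze
 end
 # Default to =, ?, _before_type_cast
@@ -184,6 +186,19 @@ def define_question_method(attr_name)
 def define_write_method(attr_name)
 evaluate_attribute_method attr_name, "def #{attr_name}=(new_value);write_attribute('#{attr_name}', new_value);end", "#{attr_name}="
 end
+
+ # Defined for all serialized attributes. Disallows assigning already serialized YAML.
+ def define_write_method_for_serialized_attribute(attr_name)
+ method_body = <<-EOV
+ def #{attr_name}=(value)
+ if value.is_a?(String) and value =~ /^---/
+ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+ end
+ write_attribute(:#{attr_name}, value)
+ end
+ EOV
+ evaluate_attribute_method attr_name, method_body, "#{attr_name}="
+ end
 # Defined for all +datetime+ and +timestamp+ attributes when +time_zone_aware_attributes+ are enabled.
 # This enhanced write method will automatically convert the time passed to it to the zone stored in Time.zone.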
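Review bot: The guard in the generated writer, `if value.is_a?(String) and value =~ /^---/`, anchors with `^`, which in Ruby matches at the start of any line, while the hunk above changes the attribute-method regexp from `$` to `\z` precisely to move away from line anchors; a reader will take `^` here for the same oversight. If "starts with" is the intent, `\A---` is the precise form; if rejecting a document marker on any line is deliberate (the broader, more conservative match), the method comment should say so, e.g. `# Rejects any String containing a line that begins with "---" (a YAML document marker); other values pass through to write_attribute unchanged.`. Independently of the anchor, `&&` is the conventional operator in this position rather than `and`. The enclosing `define_attribute_methods` body in the first hunk starts outside the diff.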
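--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -2998,11 +2998,11 @@ def convert_number_column_value(value)
 def remove_attributes_protected_from_mass_assignment(attributes)
 safe_attributes =
 if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
- attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+ attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
 elsif self.class.protected_attributes.nil?
- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/m, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
 elsif self.class.accessible_attributes.nil?
- attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+ attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/m,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
 else
 raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
 end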
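Review bot: The new side repeats `key.gsub(/\(.+/m, "")` six times across the three branches, so the anchoring fix in this commit had to be applied in six places and any later adjustment must again be kept in lockstep; normalising the key in one private helper leaves a single expression to review. Nothing in the regex itself explains the `/m` flag, and it is the whole point of the change — `.` must be allowed to cross a newline so that a key containing a newline after `(` is still stripped before it is compared with the protection lists — so the helper's comment should state that. `remove_attributes_protected_from_mass_assignment` continues past the end of the hunk, and I cannot see from the diff whether such a helper already exists elsewhere in base.rb.
```ruby
# Strips a multiparameter suffix such as "(1i)" from an attribute key before the
# protection lists are consulted. The /m flag lets "." cross newlines, so a key
# with a newline after "(" is still normalised instead of being compared raw.
def multiparameter_base_name(key)
  key.gsub(/\(.+/m, "")
end

def remove_attributes_protected_from_mass_assignment(attributes)
  safe_attributes =
    if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
      attributes.reject { |key, value| attributes_protected_by_default.include?(multiparameter_base_name(key)) }
    elsif self.class.protected_attributes.nil?
      attributes.reject { |key, value| !self.class.accessible_attributes.include?(multiparameter_base_name(key)) || attributes_protected_by_default.include?(multiparameter_base_name(key)) }
    elsif self.class.accessible_attributes.nil?
      attributes.reject { |key, value| self.class.protected_attributes.include?(multiparameter_base_name(key)) || attributes_protected_by_default.include?(multiparameter_base_name(key)) }
    else
      raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
    end
  # … unchanged: rest of remove_attributes_protected_from_mass_assignment …
```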
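--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 16
+ TINY = 17
 STRING = [MAJOR, MINOR, TINY].join('.')
 end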
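--- a/activerecord/test/cases/base_test.rb
+++ b/activerecord/test/cases/base_test.rb
@@ -1499,6 +1499,12 @@ def test_nil_serialized_attribute_with_class_constraint
 assert_nil topic.content
 end
+ def test_should_raise_exception_on_assigning_already_serialized_content
+ topic = Topic.new
+ serialized_content = %w[foo bar].to_yaml
+ assert_raise(ActiveRecord::ActiveRecordError) { topic.content = serialized_content }
+ end
+
 def test_should_raise_exception_on_serialized_attribute_with_type_mismatch
 myobj = MyObject.new('value1', 'value2')
 topic = Topic.new(:content => myobj)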
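Review bot: The new test pins only the rejecting path — assigning `%w[foo bar].to_yaml` to the serialized `content` attribute must raise — and nothing asserts that an ordinary string without the YAML document marker is still accepted, so a guard that over-rejects would pass this suite unnoticed. A companion test such as `assert_nothing_raised { Topic.new.content = "plain text" }` would pin the accepting side. A one-line comment on the new test naming the property would also help a later reader, e.g. `# raw YAML text must not be accepted as the value of a serialized attribute`.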
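--- a/activeresource/Rakefile
+++ b/activeresource/Rakefile
@@ -66,7 +66,7 @@ spec = Gem::Specification.new do |s|
 s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
 end
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
 s.require_path = 'lib'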
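--- a/activeresource/activeresource.gemspec
+++ b/activeresource/activeresource.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'activeresource'
- s.version = '2.3.16'
+ s.version = '2.3.17'
 s.summary = 'Think Active Record for web resources.'
 s.description = 'Wraps web resources in model classes that can be manipulated through XML over REST.'
@@ -13,5 +13,5 @@ Gem::Specification.new do |s|
 s.rdoc_options = ['--main', 'README']
 s.extra_rdoc_files = ['README']
- s.add_dependency 'activesupport', '= 2.3.16'
+ s.add_dependency 'activesupport', '= 2.3.17'
 end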
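--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 16
+ TINY = 17
 STRING = [MAJOR, MINOR, TINY].join('.')
 end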
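--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'activesupport'
- s.version = '2.3.16'
+ s.version = '2.3.17'
 s.summary = 'Support and utility classes used by the Rails framework.'
 s.description = 'Utility library which carries commonly used classes and goodies from the Rails framework'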
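--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 16
+ TINY = 17
 STRING = [MAJOR, MINOR, TINY].join('.')
 end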
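--- a/railties/Rakefile
+++ b/railties/Rakefile
@@ -313,11 +313,11 @@ spec = Gem::Specification.new do |s|
 EOF
 s.add_dependency('rake', '>= 0.8.3')
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('activerecord', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('actionpack', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('actionmailer', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('activeresource', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('activerecord', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('actionmailer', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('activeresource', '= 2.3.17' + PKG_BUILD)
 s.rdoc_options << '--exclude' << '.'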
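--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
 module VERSION #:nodoc:
 MAJOR = 2
 MINOR = 3
- TINY = 16
+ TINY = 17
 STRING = [MAJOR, MINOR, TINY].join('.')
 end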
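--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'rails'
- s.version = '2.3.16'
+ s.version = '2.3.17'
 s.summary = 'Web-application framework with template engine, control-flow layer, and ORM.'
 s.description = "Rails is a framework for building web-application using CGI, FCGI, mod_ruby, or WEBrick\non top of either MySQL, PostgreSQL, SQLite, DB2, SQL Server, or Oracle with eRuby- or Builder-based templates."
@@ -14,9 +14,9 @@ Gem::Specification.new do |s|
 s.rdoc_options = ['--exclude', '.']
 s.add_dependency 'rake', '>= 0.8.3'
- s.add_dependency 'activesupport', '= 2.3.16'
- s.add_dependency 'activerecord', '= 2.3.16'
- s.add_dependency 'actionpack', '= 2.3.16'
- s.add_dependency 'actionmailer', '= 2.3.16'
- s.add_dependency 'activeresource', '= 2.3.16'
+ s.add_dependency 'activesupport', '= 2.3.17'
+ s.add_dependency 'activerecord', '= 2.3.17'
+ s.add_dependency 'actionpack', '= 2.3.17'
+ s.add_dependency 'actionmailer', '= 2.3.17'
+ s.add_dependency 'activeresource', '= 2.3.17'
 end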

1 comment on commit 1737f94

@clifff

To be super clear, the "fix serialization vulnerability" you mention in the commit is CVE-2013-0277, correct?
