Merge branch '4-0-3' into 4-0-stable

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md

RAILS_VERSION

@@ -1 +1 @@
-4.0.2
+4.0.3

actionmailer/lib/action_mailer/version.rb

@@ -1,7 +1,7 @@
 module ActionMailer
   # Returns the version of the currently loaded ActionMailer as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.2"
+    Gem::Version.new "4.0.3"
   end
 
   module VERSION #:nodoc:

actionpack/CHANGELOG.md

@@ -166,7 +166,15 @@
 
     *Brendon Murphy*, *Doug Cole*
 
-## Rails 4.0.2 ##
+
+## Rails 4.0.3 (February 18, 2014) ##
+
+*   Escape format, negative_format and units options of number helpers
+
+    Fixes: CVE-2014-0081
+
+
+## Rails 4.0.2 (December 02, 2013) ##
 
 *   Ensure simple_format escapes its html attributes. This fixes CVE-2013-6416
 

actionpack/lib/action_pack/version.rb

@@ -1,7 +1,7 @@
 module ActionPack
   # Returns the version of the currently loaded ActionPack as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.2"
+    Gem::Version.new "4.0.3"
   end
 
   module VERSION #:nodoc:

actionpack/lib/action_view/helpers/number_helper.rb

@@ -106,7 +106,7 @@ def number_to_phone(number, options = {})
       #   # => 1234567890,50 R$
       def number_to_currency(number, options = {})
         return unless number
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
 
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_currency(number, options)
@@ -151,7 +151,7 @@ def number_to_currency(number, options = {})
       #   number_to_percentage("98a", raise: true)                         # => InvalidNumberError
       def number_to_percentage(number, options = {})
         return unless number
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
 
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_percentage(number, options)
@@ -188,7 +188,7 @@ def number_to_percentage(number, options = {})
       #
       #  number_with_delimiter("112a", raise: true)              # => raise InvalidNumberError
       def number_with_delimiter(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
 
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_delimited(number, options)
@@ -237,7 +237,7 @@ def number_with_delimiter(number, options = {})
       #   number_with_precision(1111.2345, precision: 2, separator: ',', delimiter: '.')
       #   # => 1.111,23
       def number_with_precision(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
 
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_rounded(number, options)
@@ -293,7 +293,7 @@ def number_with_precision(number, options = {})
       #   number_to_human_size(1234567890123, precision: 5)        # => "1.1229 TB"
       #   number_to_human_size(524288000, precision: 5)            # => "500 MB"
       def number_to_human_size(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
 
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_human_size(number, options)
@@ -399,7 +399,7 @@ def number_to_human_size(number, options = {})
       #  number_to_human(0.34, units: :distance)                # => "34 centimeters"
       #
       def number_to_human(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
 
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_human(number, options)
@@ -408,13 +408,22 @@ def number_to_human(number, options = {})
 
       private
 
-      def escape_unsafe_delimiters_and_separators(options)
-        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
-        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
-        options[:unit]      = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+      def escape_unsafe_options(options)
+        options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
+        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+        options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
+        options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+        options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+        options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
         options
       end
 
+      def escape_units(units)
+        Hash[units.map do |k, v|
+          [k, ERB::Util.html_escape(v)]
+        end]
+      end
+
       def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
         valid_float = valid_float?(number)
         raise InvalidNumberError, number if raise_on_invalid && !valid_float

actionpack/test/template/number_helper_test.rb

@@ -8,6 +8,8 @@ def test_number_to_phone
     assert_equal "555-1234", number_to_phone(5551234)
     assert_equal "(800) 555-1212 x 123", number_to_phone(8005551212, area_code: true, extension: 123)
     assert_equal "+18005551212", number_to_phone(8005551212, country_code: 1, delimiter: "")
+    assert_equal "+&lt;script&gt;&lt;/script&gt;8005551212", number_to_phone(8005551212, country_code: "<script></script>", delimiter: "")
+    assert_equal "8005551212 x &lt;script&gt;&lt;/script&gt;", number_to_phone(8005551212, extension: "<script></script>", delimiter: "")
   end
 
   def test_number_to_currency
@@ -16,11 +18,17 @@ def test_number_to_currency
     assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0)
     assert_equal "1,234,567,890.50 - K&#269;", number_to_currency("-1234567890.50", unit: raw("K&#269;"), format: "%n %u", negative_format: "%n - %u")
     assert_equal "&amp;pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "&pound;")
+    assert_equal "&lt;b&gt;1,234,567,890.50&lt;/b&gt; $", number_to_currency("1234567890.50", format: "<b>%n</b> %u")
+    assert_equal "&lt;b&gt;1,234,567,890.50&lt;/b&gt; $", number_to_currency("-1234567890.50", negative_format: "<b>%n</b> %u")
+    assert_equal "&lt;b&gt;1,234,567,890.50&lt;/b&gt; $", number_to_currency("-1234567890.50", 'negative_format' => "<b>%n</b> %u")
   end
 
   def test_number_to_percentage
     assert_equal nil, number_to_percentage(nil)
     assert_equal "100.000%", number_to_percentage(100)
+    assert_equal "100.000 %", number_to_percentage(100, format: '%n %')
+    assert_equal "&lt;b&gt;100.000&lt;/b&gt; %", number_to_percentage(100, format: '<b>%n</b> %')
+    assert_equal "<b>100.000</b> %", number_to_percentage(100, format: raw('<b>%n</b> %'))
     assert_equal "100%", number_to_percentage(100, precision: 0)
     assert_equal "123.4%", number_to_percentage(123.400, precision: 3, strip_insignificant_zeros: true)
     assert_equal "1.000,000%", number_to_percentage(1000, delimiter: ".", separator: ",")
@@ -52,6 +60,31 @@ def test_number_to_human
     assert_equal "489.0 Thousand", number_to_human(489000, precision: 4, strip_insignificant_zeros: false)
   end
 
+  def test_number_to_human_escape_units
+    volume = { unit: "<b>ml</b>", thousand: "<b>lt</b>", million: "<b>m3</b>", trillion: "<b>km3</b>", quadrillion: "<b>Pl</b>" }
+    assert_equal '123 &lt;b&gt;lt&lt;/b&gt;', number_to_human(123456, :units => volume)
+    assert_equal '12 &lt;b&gt;ml&lt;/b&gt;', number_to_human(12, :units => volume)
+    assert_equal '1.23 &lt;b&gt;m3&lt;/b&gt;', number_to_human(1234567, :units => volume)
+    assert_equal '1.23 &lt;b&gt;km3&lt;/b&gt;', number_to_human(1_234_567_000_000, :units => volume)
+    assert_equal '1.23 &lt;b&gt;Pl&lt;/b&gt;', number_to_human(1_234_567_000_000_000, :units => volume)
+
+    #Including fractionals
+    distance = { mili: "<b>mm</b>", centi: "<b>cm</b>", deci: "<b>dm</b>", unit: "<b>m</b>",
+                 ten: "<b>dam</b>", hundred: "<b>hm</b>", thousand: "<b>km</b>",
+                 micro: "<b>um</b>", nano: "<b>nm</b>", pico: "<b>pm</b>", femto: "<b>fm</b>"}
+    assert_equal '1.23 &lt;b&gt;mm&lt;/b&gt;', number_to_human(0.00123, :units => distance)
+    assert_equal '1.23 &lt;b&gt;cm&lt;/b&gt;', number_to_human(0.0123, :units => distance)
+    assert_equal '1.23 &lt;b&gt;dm&lt;/b&gt;', number_to_human(0.123, :units => distance)
+    assert_equal '1.23 &lt;b&gt;m&lt;/b&gt;', number_to_human(1.23, :units => distance)
+    assert_equal '1.23 &lt;b&gt;dam&lt;/b&gt;', number_to_human(12.3, :units => distance)
+    assert_equal '1.23 &lt;b&gt;hm&lt;/b&gt;', number_to_human(123, :units => distance)
+    assert_equal '1.23 &lt;b&gt;km&lt;/b&gt;', number_to_human(1230, :units => distance)
+    assert_equal '1.23 &lt;b&gt;um&lt;/b&gt;', number_to_human(0.00000123, :units => distance)
+    assert_equal '1.23 &lt;b&gt;nm&lt;/b&gt;', number_to_human(0.00000000123, :units => distance)
+    assert_equal '1.23 &lt;b&gt;pm&lt;/b&gt;', number_to_human(0.00000000000123, :units => distance)
+    assert_equal '1.23 &lt;b&gt;fm&lt;/b&gt;', number_to_human(0.00000000000000123, :units => distance)
+  end
+
   def test_number_helpers_escape_delimiter_and_separator
     assert_equal "111&lt;script&gt;&lt;/script&gt;111&lt;script&gt;&lt;/script&gt;1111", number_to_phone(1111111111, delimiter: "<script></script>")
 
@@ -73,6 +106,12 @@ def test_number_helpers_escape_delimiter_and_separator
     assert_equal "100&lt;script&gt;&lt;/script&gt;000 Quadrillion", number_to_human(10**20, delimiter: "<script></script>")
   end
 
+  def test_number_to_human_with_custom_translation_scope
+    I18n.backend.store_translations 'ts',
+      :custom_units_for_number_to_human => {:mili => "mm", :centi => "cm", :deci => "dm", :unit => "m", :ten => "dam", :hundred => "hm", :thousand => "km"}
+    assert_equal "1.01 cm", number_to_human(0.0101, :locale => 'ts', :units => :custom_units_for_number_to_human)
+  end
+
   def test_number_helpers_outputs_are_html_safe
     assert number_to_human(1).html_safe?
     assert !number_to_human("<script></script>").html_safe?

activemodel/lib/active_model/version.rb

@@ -1,7 +1,7 @@
 module ActiveModel
   # Returns the version of the currently loaded ActiveModel as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.2"
+    Gem::Version.new "4.0.3"
   end
 
   module VERSION #:nodoc:

activerecord/CHANGELOG.md

@@ -389,6 +389,18 @@
     *Eric Hankins*
 
 
+## Rails 4.0.3 (February 18, 2014) ##
+
+*   Correctly escape PostgreSQL arrays.
+
+    Fixes: CVE-2014-0080
+
+
+## Rails 4.0.2 (December 02, 2013) ##
+
+*No changes*
+
+
 ## Rails 4.0.1 (November 01, 2013) ##
 
 *   `NullRelation#pluck` takes a list of columns

activerecord/lib/active_record/connection_adapters/postgresql/cast.rb

@@ -142,12 +142,16 @@ def escape_hstore(value)
             end
           end
 
+          ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays
+
           def quote_and_escape(value)
             case value
             when "NULL", Numeric
               value
             else
-              "\"#{value.gsub(/"/,"\\\"")}\""
+              value = value.gsub(/\\/, ARRAY_ESCAPE)
+              value.gsub!(/"/,"\\\"")
+              "\"#{value}\""
             end
           end
       end

activerecord/lib/active_record/version.rb

@@ -1,7 +1,7 @@
 module ActiveRecord
   # Returns the version of the currently loaded ActiveRecord as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.2"
+    Gem::Version.new "4.0.3"
   end
 
   module VERSION #:nodoc:

activerecord/test/cases/adapters/postgresql/datatype_test.rb

@@ -184,6 +184,14 @@ def test_data_type_of_array_types
     assert_equal :text, @first_array.column_for_attribute(:nicknames).type
   end
 
+  def test_array_escaping
+    unknown = %(foo\\",bar,baz,\\)
+    nicknames = ["hello_#{unknown}"]
+    ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
+    ar.reload
+    assert_equal nicknames, ar.nicknames
+  end
+
   def test_data_type_of_range_types
     skip "PostgreSQL 9.2 required for range datatypes" unless @connection.supports_ranges?
     assert_equal :daterange, @first_range.column_for_attribute(:date_range).type

activesupport/lib/active_support/version.rb

@@ -1,7 +1,7 @@
 module ActiveSupport
   # Returns the version of the currently loaded ActiveSupport as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.2"
+    Gem::Version.new "4.0.3"
   end
 
   module VERSION #:nodoc:

railties/lib/rails/version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 0
-    TINY  = 2
+    TINY  = 3
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 0
-    TINY  = 2
+    TINY  = 3
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")