
Merge branch '3-0-6' into 3-0-stable

* 3-0-6:
  bumping version to 3.0.6
  updating CHANGELOG
  updating CHANGELOG for actionpack
  do not return html safe strings from auto_link
  bumping to 3.0.6.rc2
  Support both conventions for translations for namespaced models.
  Added back the use of the Reflection module's cached sanitized_conditions in an AssociationProxy. This was recently removed and when a has_one association with conditions is eager loaded the conditions would be sanitized once for every result row, causing a database hit to fetch the columns.
  Bring back i18n_key to avoid regression
  Revert "Improve testing of cookies in functional tests:"
  bumping version to 3.0.6.rc1
  updating AR changelog
2 parents e6bc818 + 38df020 commit 3940e345aacb67cb95600acda0f01cb8b02112c0 @tenderlove tenderlove committed Apr 5, 2011
@@ -1 +1 @@
-3.0.5
+3.0.6
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
* Don't allow i18n to change the minor version, version now set to ~> 0.5.0 [Santiago Pastorino]
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1,4 +1,14 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
+
+* Fixed XSS vulnerability in `auto_link`. `auto_link` no longer marks input as
+ html safe. Please make sure that calls to auto_link() are wrapped in a
+ sanitize(), or a raw() depending on the type of input passed to auto_link().
+ For example:
+
+ <%= sanitize(auto_link(some_user_input)) %>
+
+ Thanks to Torben Schulz for reporting this. The fix can be found here:
+ 61ee3449674c591747db95f9b3472c5c3bd9e84d
* Fixes the output of `rake routes` to be correctly match to the behavior of the application, as the regular expression used to match the path is greedy and won't capture the format part by default [Prem Sichanugrist]
@@ -171,10 +171,6 @@ def assign_parameters(routes, controller_path, action, parameters = {})
end
def recycle!
- write_cookies!
- @env.delete('HTTP_COOKIE') if @cookies.blank?
- @env.delete('action_dispatch.cookies')
- @cookies = nil
@formats = nil
@env.delete_if { |k, v| k =~ /^(action_dispatch|rack)\.request/ }
@env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
@@ -301,11 +297,7 @@ def exists?; true; end
# and cookies, though. For sessions, you just do:
#
# @request.session[:key] = "value"
- # @request.cookies[:key] = "value"
- #
- # To clear the cookies for a test just clear the request's cookies hash:
- #
- # @request.cookies.clear
+ # @request.cookies["key"] = "value"
#
# == Testing named routes
#
@@ -419,7 +411,6 @@ def process(action, parameters = nil, session = nil, flash = nil, http_method =
Base.class_eval { include Testing }
@controller.process_with_new_base_test(@request, @response)
@request.session.delete('flash') if @request.session['flash'].blank?
- @request.cookies.merge!(@response.cookies)
@response
end
@@ -22,7 +22,7 @@ def flash
end
def cookies
- @request.cookies.merge(@response.cookies).with_indifferent_access
+ @request.cookies.merge(@response.cookies)
end
def redirect_to_url
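Review bot: With `with_indifferent_access` dropped on the new line, `cookies` now returns a plain Hash keyed exactly as the request and response stored the cookies, so a test that sets `"user_name"` and reads `cookies[:user_name]` gets nil (the deleted `test_cookies_hash_is_indifferent_access` further down covered precisely that case). Since that is the intent of the revert, state it on the method so test authors are not surprised: `# Request cookies merged with those set by the response, as a plain Hash (no indifferent access); use string keys as in the updated docs above.` The enclosing module starts before the hunk.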
@@ -1,6 +1,5 @@
require 'active_support/core_ext/object/blank'
require 'active_support/core_ext/hash/reverse_merge'
-require 'rack/utils'
module ActionDispatch
class TestRequest < Request
@@ -77,14 +76,10 @@ def cookies
private
def write_cookies!
unless @cookies.blank?
- @env['HTTP_COOKIE'] = @cookies.map { |name, value| escape_cookie(name, value) }.join('; ')
+ @env['HTTP_COOKIE'] = @cookies.map { |name, value| "#{name}=#{value};" }.join(' ')
end
end
- def escape_cookie(name, value)
- "#{Rack::Utils.escape(name)}=#{Rack::Utils.escape(value)}"
- end
-
def delete_nil_values!
@env.delete_if { |k, v| v.nil? }
end
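Review bot: The rewritten line in `write_cookies!` interpolates each cookie name and value into HTTP_COOKIE verbatim, so a value containing `;` or `=` is split into separate cookies when the header is parsed again (the deleted `test_cookies_are_escaped` below checked that `'1;2'` survived as `1%3B2`). Because this is ActionDispatch::TestRequest the exposure is limited to functional tests, but a test that sets such a value will exercise a cookie jar that differs from what the real Rack parser would see, which can hide a defect in the code under test. If the unescaped format is intended, say so on the method: `# NOTE: names and values are written verbatim; a value containing ';' or '=' will not round-trip through HTTP_COOKIE.` Otherwise the escaping can be kept (the same commit removes the `rack/utils` require that `Rack::Utils.escape` relied on, so it would need to come back).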
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -299,7 +299,7 @@ def simple_format(text, html_options={}, options={})
# # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
# Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>."
def auto_link(text, *args, &block)#link = :all, html = {}, &block)
- return ''.html_safe if text.blank?
+ return '' if text.blank?
options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
unless args.empty?
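Review bot: The rdoc for `auto_link`, whose header starts before the hunk, still shows only the example output and says nothing about escaping, yet after the new line (and the matching `end` without `.html_safe` in `auto_link_urls` in the next hunk) the return value is a plain String that callers must pass through `sanitize()` or `raw()`, as the CHANGELOG entry in this commit explains. Add to the method's rdoc: `# The returned string is not marked html_safe; wrap the call in +sanitize+ or +raw+ depending on whether the input is trusted.` The body of `auto_link` continues past the hunk.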
@@ -503,7 +503,7 @@ def auto_link_urls(text, html_options = {}, options = {})
end
content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
end
- end.html_safe
+ end
end
# Turns all email addresses into clickable links. If a block is given,
@@ -94,30 +94,6 @@ def delete_cookie_with_domain
cookies.delete(:user_name, :domain => :all)
head :ok
end
-
- def symbol_key
- cookies[:user_name] = "david"
- head :ok
- end
-
- def string_key
- cookies['user_name'] = "david"
- head :ok
- end
-
- def symbol_key_mock
- cookies[:user_name] = "david" if cookies[:user_name] == "andrew"
- head :ok
- end
-
- def string_key_mock
- cookies['user_name'] = "david" if cookies['user_name'] == "andrew"
- head :ok
- end
-
- def noop
- head :ok
- end
end
tests TestController
@@ -315,65 +291,6 @@ def test_deleting_cookie_with_all_domain_option
assert_cookie_header "user_name=; domain=.nextangle.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT"
end
- def test_cookies_hash_is_indifferent_access
- [:symbol_key, :string_key].each do |cookie_key|
- get cookie_key
- assert_equal "david", cookies[:user_name]
- assert_equal "david", cookies['user_name']
- end
- end
-
- def test_setting_request_cookies_is_indifferent_access
- @request.cookies.clear
- @request.cookies[:user_name] = "andrew"
- get :string_key_mock
- assert_equal "david", cookies[:user_name]
-
- @request.cookies.clear
- @request.cookies['user_name'] = "andrew"
- get :symbol_key_mock
- assert_equal "david", cookies['user_name']
- end
-
- def test_cookies_retained_across_requests
- get :symbol_key
- assert_equal "user_name=david; path=/", @response.headers["Set-Cookie"]
- assert_equal "david", cookies[:user_name]
-
- get :noop
- assert_nil @response.headers["Set-Cookie"]
- assert_equal "user_name=david", @request.env['HTTP_COOKIE']
- assert_equal "david", cookies[:user_name]
-
- get :noop
- assert_nil @response.headers["Set-Cookie"]
- assert_equal "user_name=david", @request.env['HTTP_COOKIE']
- assert_equal "david", cookies[:user_name]
- end
-
- def test_cookies_can_be_cleared
- get :symbol_key
- assert_equal "user_name=david; path=/", @response.headers["Set-Cookie"]
- assert_equal "david", cookies[:user_name]
-
- @request.cookies.clear
- get :noop
- assert_nil @response.headers["Set-Cookie"]
- assert_nil @request.env['HTTP_COOKIE']
- assert_nil cookies[:user_name]
-
- get :symbol_key
- assert_equal "user_name=david; path=/", @response.headers["Set-Cookie"]
- assert_equal "david", cookies[:user_name]
- end
-
- def test_cookies_are_escaped
- @request.cookies[:user_ids] = '1;2'
- get :noop
- assert_equal "user_ids=1%3B2", @request.env['HTTP_COOKIE']
- assert_equal "1;2", cookies[:user_ids]
- end
-
private
def assert_cookie_header(expected)
header = @response.headers["Set-Cookie"]
@@ -36,10 +36,10 @@ class TestRequestTest < ActiveSupport::TestCase
req.cookies["user_name"] = "david"
assert_equal({"user_name" => "david"}, req.cookies)
- assert_equal "user_name=david", req.env["HTTP_COOKIE"]
+ assert_equal "user_name=david;", req.env["HTTP_COOKIE"]
req.cookies["login"] = "XJ-122"
assert_equal({"user_name" => "david", "login" => "XJ-122"}, req.cookies)
- assert_equal %w(login=XJ-122 user_name=david), req.env["HTTP_COOKIE"].split(/; /).sort
+ assert_equal %w(login=XJ-122 user_name=david), req.env["HTTP_COOKIE"].split(/; ?/).sort
end
end
@@ -315,14 +315,20 @@ def generate_result(link_text, href = nil, escape = false)
end
end
- def test_auto_link_should_be_html_safe
+ def test_auto_link_should_not_be_html_safe
email_raw = 'santiago@wyeworks.com'
link_raw = 'http://www.rubyonrails.org'
- assert auto_link(nil).html_safe?
- assert auto_link('').html_safe?
- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
- assert auto_link("hello #{email_raw}").html_safe?
+ assert !auto_link(nil).html_safe?, 'should not be html safe'
+ assert !auto_link('').html_safe?, 'should not be html safe'
+ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
+ assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
+ end
+
+ def test_auto_link_email_address
+ email_raw = 'aaron@tenderlovemaking.com'
+ email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>}
+ assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe'
end
def test_auto_link
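Review bot: `test_auto_link_email_address` builds `email_result` as an anchor string but only asserts the html_safe flag on `auto_link_email_addresses(email_result)`; nothing checks what the helper returns for an already-linked address, so the test name promises more than it verifies. Either rename it to what it asserts, e.g. `def test_auto_link_email_addresses_should_not_be_html_safe`, or add an `assert_equal` on the returned markup once the intended output is settled. The four `assert !...html_safe?` lines in the test above repeat the same message; hoisting it into a local is a style improvement only.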
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
* Fix when database column name has some symbolic characters (e.g. Oracle CASE# VARCHAR2(20)) #5818 #6850 [Robert Pankowecki, Santiago Pastorino]
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
* Un-deprecate reorder method [Sebastian Martinez]
@@ -7,6 +7,14 @@
* Schemas set in set_table_name are respected by the mysql adapter. LH #5322
+* Fixed a bug when empty? was called on a grouped Relation that wasn't loaded.
+ LH #5829
+
+* Reapply extensions when using except and only. Thanks Iain Hecker.
+
+* Binary data is escaped when being inserted to SQLite3 Databases. Thanks
+ Naruse!
+
*Rails 3.0.5 (February 26, 2011)*
* Model.where(:column => 1).where(:column => 2) will always produce an AND
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
* No changes.
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
* No changes.
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1,4 +1,4 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
* No changes.
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
