Permalink
Browse files

Merge branch '3-2-sec' into 3-2-secmerge

* 3-2-sec:
  bumping version
  CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
  * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
  Avoid Rack security warning no secret provided

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
	activesupport/CHANGELOG.md
  • Loading branch information...
2 parents f64be7d + 746dbd8 commit 48810a52dfba26cef127168af447a9620d4555c3 @tenderlove tenderlove committed Jan 8, 2013
View
@@ -1 +1 @@
-3.2.10
+3.2.11
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 10
+ TINY = 11
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
@@ -1,4 +1,4 @@
-## Rails 3.2.11 (unreleased) ##
+## Rails 3.2.12 (unreleased) ##
* Bump `rack` dependency to 1.4.3, eliminate `Rack::File` headers deprecation warning.
@@ -93,11 +93,14 @@
*Daniel Fox, Grant Hutchins & Trace Wax*
+## Rails 3.2.11 ##
+
+* Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+
## Rails 3.2.10 (Jan 2, 2013) ##
* No changes.
-
## Rails 3.2.9 (Nov 12, 2012) ##
* Clear url helpers when reloading routes.
@@ -248,18 +248,14 @@ def local?
LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
end
- protected
-
# Remove nils from the params hash
def deep_munge(hash)
- keys = hash.keys.find_all { |k| hash[k] == [nil] }
- keys.each { |k| hash[k] = nil }
-
- hash.each_value do |v|
+ hash.each do |k, v|
case v
when Array
v.grep(Hash) { |x| deep_munge(x) }
v.compact!
+ hash[k] = nil if v.empty?
when Hash
deep_munge(v)
end
@@ -268,6 +264,8 @@ def deep_munge(hash)
hash
end
+ protected
+
def parse_query(qs)
deep_munge(super)
end
@@ -38,13 +38,13 @@ def parse_formatted_parameters(env)
when Proc
strategy.call(request.raw_post)
when :xml_simple, :xml_node
- data = Hash.from_xml(request.body.read) || {}
+ data = request.deep_munge(Hash.from_xml(request.body.read) || {})
request.body.rewind if request.body.respond_to?(:rewind)
data.with_indifferent_access
when :yaml
YAML.load(request.raw_post)
when :json
- data = ActiveSupport::JSON.decode(request.body)
+ data = request.deep_munge ActiveSupport::JSON.decode(request.body)
request.body.rewind if request.body.respond_to?(:rewind)
data = {:_json => data} unless data.is_a?(Hash)
data.with_indifferent_access
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 10
+ TINY = 11
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -118,6 +118,19 @@ def test_post_xml_using_an_attributted_node_named_type
end
end
+ def test_post_xml_using_a_disallowed_type_attribute
+ $stderr = StringIO.new
+ with_test_route_set do
+ post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+ assert_response 500
+
+ post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+ assert_response 500
+ end
+ ensure
+ $stderr = STDERR
+ end
+
def test_register_and_use_yaml
with_test_route_set do
with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do
@@ -30,6 +30,21 @@ def teardown
)
end
+ test "nils are stripped from collections" do
+ assert_parses(
+ {"person" => nil},
+ "{\"person\":[null]}", { 'CONTENT_TYPE' => 'application/json' }
+ )
+ assert_parses(
+ {"person" => ['foo']},
+ "{\"person\":[\"foo\",null]}", { 'CONTENT_TYPE' => 'application/json' }
+ )
+ assert_parses(
+ {"person" => nil},
+ "{\"person\":[null, null]}", { 'CONTENT_TYPE' => 'application/json' }
+ )
+ end
+
test "logs error if parsing unsuccessful" do
with_test_routing do
output = StringIO.new
@@ -30,6 +30,23 @@ def call(env)
assert_equal "<ok>bar</ok>", resp.body
end
+ def assert_parses(expected, xml)
+ with_test_routing do
+ post "/parse", xml, default_headers
+ assert_response :ok
+ assert_equal(expected, TestController.last_request_parameters)
+ end
+ end
+
+ test "nils are stripped from collections" do
+ assert_parses(
+ {"hash" => { "person" => nil} },
+ "<hash><person type=\"array\"><person nil=\"true\"/></person></hash>")
+ assert_parses(
+ {"hash" => { "person" => ['foo']} },
+ "<hash><person type=\"array\"><person>foo</person><person nil=\"true\"/></person>\n</hash>")
+ end
+
test "parses hash params" do
with_test_routing do
xml = "<person><name>David</name></person>"
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 10
+ TINY = 11
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1,4 +1,4 @@
-## Rails 3.2.11 (unreleased)
+## Rails 3.2.12 (unreleased)
* Fix undefined method `to_i` when calling `new` on a scope that uses an
Array; Fix FloatDomainError when setting integer column to NaN.
@@ -179,6 +179,9 @@
*Gabriel Sobrinho, Ricardo Henrique*
+## Rails 3.2.11 ##
+
+* Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155]
## Rails 3.2.10 (Jan 2, 2013) ##
@@ -6,7 +6,12 @@ def self.build_from_hash(engine, attributes, default_table, allow_table_name = t
if allow_table_name && value.is_a?(Hash)
table = Arel::Table.new(column, engine)
- build_from_hash(engine, value, table, false)
+
+ if value.empty?
+ '1 = 2'
+ else
+ build_from_hash(engine, value, table, false)
+ end
else
column = column.to_s
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 10
+ TINY = 11
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -1,9 +1,11 @@
require "cases/helper"
require 'models/post'
+require 'models/comment'
+require 'models/edge'
module ActiveRecord
class WhereTest < ActiveRecord::TestCase
- fixtures :posts
+ fixtures :posts, :edges
def test_where_error
assert_raises(ActiveRecord::StatementInvalid) do
@@ -21,5 +23,17 @@ def test_where_with_table_name
post = Post.first
assert_equal post, Post.where(:posts => { 'id' => post.id }).first
end
+
+ def test_where_with_table_name_and_empty_hash
+ assert_equal 0, Post.where(:posts => {}).count
+ end
+
+ def test_where_with_table_name_and_empty_array
+ assert_equal 0, Post.where(:id => []).count
+ end
+
+ def test_where_with_empty_hash_and_no_foreign_key
+ assert_equal 0, Edge.where(:sink => {}).count
+ end
end
end
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 10
+ TINY = 11
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
@@ -1,4 +1,4 @@
-## Rails 3.2.11 (unreleased)
+## Rails 3.2.12 (unreleased)
* Remove surrogate unicode character encoding from ActiveSupport::JSON.encode
The encoding scheme was broken for unicode characters outside the basic
@@ -20,11 +20,19 @@
*Daniele Sluijters*
+## Rails 3.2.11 (Jan 8, 2012) ##
+
+* Hash.from_xml raises when it encounters type="symbol" or type="yaml".
+ Use Hash.from_trusted_xml to parse this XML.
+
+ CVE-2013-0156
+
+ *Jeremy Kemper*
+
## Rails 3.2.10 (Jan 2, 2013) ##
* No changes.
-
## Rails 3.2.9 (Nov 12, 2012) ##
* Add logger.push_tags and .pop_tags to complement logger.tagged:
@@ -85,25 +85,43 @@ def to_xml(options = {})
end
end
+ class DisallowedType < StandardError #:nodoc:
+ def initialize(type)
+ super "Disallowed type attribute: #{type.inspect}"
+ end
+ end
+
+ DISALLOWED_XML_TYPES = %w(symbol yaml)
+
class << self
- def from_xml(xml)
- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)))
+ def from_xml(xml, disallowed_types = nil)
+ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types)
+ end
+
+ def from_trusted_xml(xml)
+ from_xml xml, []
end
private
- def typecast_xml_value(value)
+ def typecast_xml_value(value, disallowed_types = nil)
+ disallowed_types ||= DISALLOWED_XML_TYPES
+
case value.class.to_s
when 'Hash'
+ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
+ raise DisallowedType, value['type']
+ end
+
if value['type'] == 'array'
_, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) })
if entries.nil? || (c = value['__content__'] && c.blank?)
[]
else
case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
when "Array"
- entries.collect { |v| typecast_xml_value(v) }
+ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
when "Hash"
- [typecast_xml_value(entries)]
+ [typecast_xml_value(entries, disallowed_types)]
else
raise "can't typecast #{entries.inspect}"
end
@@ -127,14 +145,14 @@ def typecast_xml_value(value)
elsif value['type'] && value.size == 1 && !value['type'].is_a?(::Hash)
nil
else
- xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v)] }]
+ xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v, disallowed_types)] }]
# Turn { :files => { :file => #<StringIO> } into { :files => #<StringIO> } so it is compatible with
# how multipart uploaded files from HTML appear
xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
end
when 'Array'
- value.map! { |i| typecast_xml_value(i) }
+ value.map! { |i| typecast_xml_value(i, disallowed_types) }
value.length > 1 ? value : value.first
when 'String'
value
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 10
+ TINY = 11
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
Oops, something went wrong.

0 comments on commit 48810a5

Please sign in to comment.