Merge branch '3-2-13' into 3-2-stable

* 3-2-13:
  bumping to 3.2.13
  fix protocol checking in sanitization [CVE-2013-1857]
  JDOM XXE Protection [CVE-2013-1856]
  fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
  stop calling to_sym when building arel nodes [CVE-2013-1854]
  Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
  bumping to rc2
  Revert "Merge pull request #8209 from senny/backport_8176"
  Freeze columns only once per Result
  Preparing for 3.2.13.rc1 release
  Update CHANGELOGs for 3.2.13 release.

Conflicts:
	actionmailer/CHANGELOG.md
	actionpack/CHANGELOG.md
	activemodel/CHANGELOG.md
	activeresource/CHANGELOG.md
	activesupport/CHANGELOG.md
	railties/CHANGELOG.md
commit afcd01bf25c0d7742d07b10dd8a465cffef4b9fe 2 parents 491d691 + a4b5582
Aaron Patterson tenderlove authored

Showing 28 changed files with 98 additions and 50 deletions. Show diff stats Hide diff stats

  1. +1 1  RAILS_VERSION
  2. +1 1  actionmailer/CHANGELOG.md
  3. +1 1  actionmailer/lib/action_mailer/version.rb
  4. +7 0 actionpack/CHANGELOG.md
  5. +5 5 actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
  6. +1 1  actionpack/lib/action_pack/version.rb
  7. +15 0 actionpack/test/template/html-scanner/sanitizer_test.rb
  8. +1 1  activemodel/CHANGELOG.md
  9. +1 1  activemodel/lib/active_model/version.rb
  10. +1 11 activerecord/CHANGELOG.md
  11. +1 1  activerecord/lib/active_record/relation.rb
  12. +1 1  activerecord/lib/active_record/relation/predicate_builder.rb
  13. +1 1  activerecord/lib/active_record/version.rb
  14. +0 6 activerecord/test/cases/calculations_test.rb
  15. +5 5 activerecord/test/cases/method_scoping_test.rb
  16. +3 3 activerecord/test/cases/relation_test.rb
  17. +1 2  activeresource/CHANGELOG.md
  18. +1 1  activeresource/lib/active_resource/version.rb
  19. +2 1  activesupport/CHANGELOG.md
  20. +1 1  activesupport/lib/active_support/version.rb
  21. +6 0 activesupport/lib/active_support/xml_mini/jdom.rb
  22. +1 0  activesupport/test/fixtures/xml/jdom_doctype.dtd
  23. +1 0  activesupport/test/fixtures/xml/jdom_entities.txt
  24. +1 0  activesupport/test/fixtures/xml/jdom_include.txt
  25. +36 3 activesupport/test/xml_mini/jdom_engine_test.rb
  26. +1 1  railties/CHANGELOG.md
  27. +1 1  railties/lib/rails/version.rb
  28. +1 1  version.rb
2  RAILS_VERSION
... ... @@ -1 +1 @@
1   -3.2.12
  1 +3.2.13
2  actionmailer/CHANGELOG.md
@@ -3,7 +3,7 @@
3 3 * No changes.
4 4
5 5
6   -## Rails 3.2.13.rc1 (Feb 17, 2013) ##
  6 +## Rails 3.2.13 ##
7 7
8 8 * No changes.
9 9
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
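--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -4,6 +4,10 @@
 Fixes GH#3512.
 
 *Juan Barreneche*
+* No changes.
+
+
+## Rails 3.2.13 ##
 
 * Fix incorrectly appended square brackets to a multiple select box
 if an explicit name has been given and it already ends with "[]".
@@ -22,6 +26,7 @@
 
 *Olek Janiszewski*
 
+<<<<<<< HEAD
 * Fix `ActionDispatch::Request#formats` when the Accept request-header is an
 empty string. Fix #7774 [Backport #8977, #9541]
 
@@ -29,6 +34,8 @@
 
 ## Rails 3.2.13.rc1 (Feb 17, 2013) ##
 
+=======
+>>>>>>> 3-2-13
 * Determine the controller#action from only the matched path when using the
 shorthand syntax. Previously the complete path was used, which led
 to problems with nesting (scopes and namespaces).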
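Review bot: Unresolved merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 3-2-13` are committed into this changelog at new lines 29, 37 and 38, so the rendered file will show them verbatim. The `3-2-13` side contributed nothing between the markers, so the resolution appears to be simply deleting the three marker lines. Separately, the `* No changes.` added at new line 7 sits directly under the *Juan Barreneche* entry of the section above the new `## Rails 3.2.13 ##` heading, which contradicts that entry; and if the CVE-2013-1855 and CVE-2013-1857 sanitizer fixes named in the merge message are not already recorded elsewhere in this file, the 3.2.13 heading is where they belong.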
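--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -66,7 +66,7 @@ class WhiteListSanitizer < Sanitizer
 
 # A regular expression of the valid characters used to separate protocols like
 # the ':' in 'http://foo.com'
-self.protocol_separator = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
+self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
 
 # Specifies a Set of HTML attributes that can have URIs.
 self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
@@ -110,8 +110,8 @@ def sanitize_css(style)
 style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
 
 # gauntlet
-if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
-style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
 return ''
 end
 
@@ -122,7 +122,7 @@ def sanitize_css(style)
 elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
 unless val.split().any? do |keyword|
 !allowed_css_keywords.include?(keyword) &&
-keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
 end
 clean << prop + ': ' + val + ';'
 end
@@ -171,7 +171,7 @@ def process_attributes_for(node, options)
 
 def contains_bad_protocols?(attr_name, value)
 uri_attributes.include?(attr_name) &&
-(value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
+(value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
 end
 end
 end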
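Review bot: The check in `contains_bad_protocols?` (new line 174) still only recognises the colon encodings it enumerates — a literal `:`, `&#58`, `&#x3a` and `%3A` — so a value such as `href="javascript&colon;alert(1)"` contains no literal colon, matches none of the alternatives, and is passed through untouched; if the consuming browser decodes HTML5 named character references in attribute values, as current parsers do, that is the same class of bypass this commit closes for `&#x3a`. Enumerating encodings will keep lagging the browsers, so decoding the attribute value (numeric and named references, then percent-decoding) before splitting on `:` would be more robust; failing that, `(&colon;)` should be added next to `(&#x0*3a)` in both `protocol_separator` and the regex on line 174. The pre-existing `(&#x70)` alternative decodes to `p` rather than `:` and looks like a typo for the `&#x3a` this commit adds — it is now redundant and deserves either removal or a comment saying why it stays. `contains_bad_protocols?`'s enclosing class continues outside the hunk.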
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
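--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -176,6 +176,7 @@ def test_should_block_script_tag
 %(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
 %(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
 %(<IMG SRC=" &#14; javascript:alert('XSS');">),
+%(<IMG SRC="javascript&#x3a;alert('XSS');">),
 %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
 define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
 assert_sanitized img_hack, "<img>"
@@ -256,6 +257,11 @@ def test_should_sanitize_div_style_expression
 assert_equal '', sanitize_css(raw)
 end
 
+def test_should_sanitize_across_newlines
+raw = %(\nwidth:\nexpression(alert('XSS'));\n)
+assert_equal '', sanitize_css(raw)
+end
+
 def test_should_sanitize_img_vbscript
 assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
 end
@@ -276,6 +282,15 @@ def test_should_sanitize_neverending_attribute
 assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
 end
 
+def test_x03a
+assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
+assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
+assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
+assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
+assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
+assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
+end
+
 protected
 def assert_sanitized(input, expected = nil)
 @sanitizer ||= HTML::WhiteListSanitizer.new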
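Review bot: `test_x03a` (new lines 285–292) varies only the case of the hex digits (`3a`/`3A`); the `/i` flag this commit adds to `protocol_separator` and to the check regex also has to cover an upper-case `X` and lower-case percent-encoding, and neither form has a case here, so a regression that dropped the flag from one of the two regexes could go unnoticed. Two more lines would pin it: `assert_sanitized %(<a href="javascript&#X3a;alert('XSS');">), "<a>"` and `assert_sanitized %(<a href="javascript%3aalert('XSS');">), "<a>"`. A name in the file's own style, such as `test_should_sanitize_hex_encoded_protocol_separator`, would also say what the test is for better than `test_x03a`.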
2  activemodel/CHANGELOG.md
@@ -3,7 +3,7 @@
3 3 * No changes.
4 4
5 5
6   -## Rails 3.2.13.rc1 (Feb 17, 2013) ##
  6 +## Rails 3.2.13 ##
7 7
8 8 * Specify type of singular association during serialization *Steve Klabnik*
9 9
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
12 activerecord/CHANGELOG.md
... ... @@ -1,4 +1,4 @@
1   -## unreleased ##
  1 +## Rails 3.2.13 (Feb 17, 2013) ##
2 2
3 3 * Reload the association target if it's stale. `@stale_state` should be nil
4 4 when a model isn't saved.
@@ -238,16 +238,6 @@
238 238
239 239 *Victor Costan*
240 240
241   -* `#pluck` can be used on a relation with `select` clause.
242   - Fixes #7551.
243   - Backport of #8176.
244   -
245   - Example:
246   -
247   - Topic.select([:approved, :id]).order(:id).pluck(:id)
248   -
249   - *Yves Senn*
250   -
251 241 * Use `nil?` instead of `blank?` to check whether dynamic finder with a bang
252 242 should raise RecordNotFound.
253 243 Fixes #7238.
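--- a/activerecord/lib/active_record/relation.rb
+++ b/activerecord/lib/active_record/relation.rb
@@ -464,7 +464,7 @@ def where_values_hash
 node.left.relation.name == table_name
 }
 
-Hash[equalities.map { |where| [where.left.name, where.right] }]
+Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access
 end
 
 def scope_for_create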
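Review bot: `where_values_hash` (new line 467) now returns a `HashWithIndifferentAccess` with string keys where it previously returned a plain `Hash` keyed by whatever `where.left.name` yielded, and nothing in the hunk records why, so a reader is likely to "simplify" the call away. A why-comment would preserve the intent: `# Indifferent access lets callers look up by string or symbol without us calling to_sym on attribute names that can originate from user input (CVE-2013-1854).` The test updates elsewhere in this commit switch their expectations to string keys, which suggests any external caller comparing the result against a symbol-keyed literal will break — worth a CHANGELOG line. `where_values_hash` starts outside the hunk.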
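--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -20,7 +20,7 @@ def self.build_from_hash(engine, attributes, default_table, allow_table_name = t
 table = Arel::Table.new(table_name, engine)
 end
 
-attribute = table[column.to_sym]
+attribute = table[column]
 
 case value
 when ActiveRecord::Relation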
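Review bot: New line 23 drops the `to_sym` without saying why, and the next maintainer is likely to put it back for consistency with symbol-keyed hashes. A why-comment would pin it: `# Do not symbolize: column names here can come straight from request parameters, and on the Ruby versions Rails 3.2 supports symbols are never garbage-collected, so an attacker could exhaust memory with unique keys (CVE-2013-1854).` The commit message names the CVE but the code does not, and the column-name path through `Arel::Table#[]` with a String is what the rest of the change (`with_indifferent_access` in relation.rb) is relying on. `build_from_hash` starts and ends outside the hunk.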
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
6 activerecord/test/cases/calculations_test.rb
@@ -493,12 +493,6 @@ def test_pluck_with_qualified_column_name
493 493 assert_equal [1,2,3,4], Topic.order(:id).pluck("topics.id")
494 494 end
495 495
496   - def test_pluck_replaces_select_clause
497   - taks_relation = Topic.select([:approved, :id]).order(:id)
498   - assert_equal [1,2,3,4], taks_relation.pluck(:id)
499   - assert_equal [false, true, true, true], taks_relation.pluck(:approved)
500   - end
501   -
502 496 def test_pluck_auto_table_name_prefix
503 497 c = Company.create!(:name => "test", :contracts => [Contract.new])
504 498 assert_equal [c.id], Company.joins(:contracts).pluck(:id)
10 activerecord/test/cases/method_scoping_test.rb
@@ -212,14 +212,14 @@ def test_scope_for_create_only_uses_equal
212 212 table = VerySpecialComment.arel_table
213 213 relation = VerySpecialComment.scoped
214 214 relation.where_values << table[:id].not_eq(1)
215   - assert_equal({:type => "VerySpecialComment"}, relation.send(:scope_for_create))
  215 + assert_equal({'type' => "VerySpecialComment"}, relation.send(:scope_for_create))
216 216 end
217 217
218 218 def test_scoped_create
219 219 new_comment = nil
220 220
221 221 VerySpecialComment.send(:with_scope, :create => { :post_id => 1 }) do
222   - assert_equal({:post_id => 1, :type => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
  222 + assert_equal({'post_id' => 1, 'type' => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
223 223 new_comment = VerySpecialComment.create :body => "Wonderful world"
224 224 end
225 225
@@ -228,7 +228,7 @@ def test_scoped_create
228 228
229 229 def test_scoped_create_with_join_and_merge
230 230 Comment.where(:body => "but Who's Buying?").joins(:post).merge(Post.where(:body => 'Peace Sells...')).with_scope do
231   - assert_equal({:body => "but Who's Buying?"}, Comment.scoped.scope_for_create)
  231 + assert_equal({'body' => "but Who's Buying?"}, Comment.scoped.scope_for_create)
232 232 end
233 233 end
234 234
@@ -441,7 +441,7 @@ def test_nested_scoped_create
441 441 comment = nil
442 442 Comment.send(:with_scope, :create => { :post_id => 1}) do
443 443 Comment.send(:with_scope, :create => { :post_id => 2}) do
444   - assert_equal({:post_id => 2}, Comment.scoped.send(:scope_for_create))
  444 + assert_equal({'post_id' => 2}, Comment.scoped.send(:scope_for_create))
445 445 comment = Comment.create :body => "Hey guys, nested scopes are broken. Please fix!"
446 446 end
447 447 end
@@ -453,7 +453,7 @@ def test_nested_exclusive_scope_for_create
453 453
454 454 Comment.send(:with_scope, :create => { :body => "Hey guys, nested scopes are broken. Please fix!" }) do
455 455 Comment.send(:with_exclusive_scope, :create => { :post_id => 1 }) do
456   - assert_equal({:post_id => 1}, Comment.scoped.send(:scope_for_create))
  456 + assert_equal({'post_id' => 1}, Comment.scoped.send(:scope_for_create))
457 457 assert_blank Comment.new.body
458 458 comment = Comment.create :body => "Hey guys"
459 459 end
6 activerecord/test/cases/relation_test.rb
@@ -71,7 +71,7 @@ def test_empty_where_values_hash
71 71 def test_has_values
72 72 relation = Relation.new Post, Post.arel_table
73 73 relation.where_values << relation.table[:id].eq(10)
74   - assert_equal({:id => 10}, relation.where_values_hash)
  74 + assert_equal({'id' => 10}, relation.where_values_hash)
75 75 end
76 76
77 77 def test_values_wrong_table
@@ -101,7 +101,7 @@ def test_scope_for_create
101 101
102 102 def test_create_with_value
103 103 relation = Relation.new Post, Post.arel_table
104   - hash = { :hello => 'world' }
  104 + hash = { 'hello' => 'world' }
105 105 relation.create_with_value = hash
106 106 assert_equal hash, relation.scope_for_create
107 107 end
@@ -110,7 +110,7 @@ def test_create_with_value_with_wheres
110 110 relation = Relation.new Post, Post.arel_table
111 111 relation.where_values << relation.table[:id].eq(10)
112 112 relation.create_with_value = {:hello => 'world'}
113   - assert_equal({:hello => 'world', :id => 10}, relation.scope_for_create)
  113 + assert_equal({'hello' => 'world', 'id' => 10}, relation.scope_for_create)
114 114 end
115 115
116 116 # FIXME: is this really wanted or expected behavior?
3  activeresource/CHANGELOG.md
@@ -3,11 +3,10 @@
3 3 * No changes.
4 4
5 5
6   -## Rails 3.2.13.rc1 (Feb 17, 2013) ##
  6 +## Rails 3.2.13 ##
7 7
8 8 * No changes.
9 9
10   -
11 10 ## Rails 3.2.12 (Feb 11, 2013) ##
12 11
13 12 * No changes.
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
3  activesupport/CHANGELOG.md
@@ -6,7 +6,8 @@
6 6 *Andrew White*
7 7
8 8
9   -## Rails 3.2.13.rc1 (Feb 17, 2013) ##
  9 +## Rails 3.2.13 (Feb 17, 2013) ##
  10 +
10 11
11 12 * Fix DateTime comparison with DateTime::Infinity object.
12 13
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
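--- a/activesupport/lib/active_support/xml_mini/jdom.rb
+++ b/activesupport/lib/active_support/xml_mini/jdom.rb
@@ -38,6 +38,12 @@ def parse(data)
 {}
 else
 @dbf = DocumentBuilderFactory.new_instance
+# secure processing of java xml
+# http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
+@dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+@dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+@dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+@dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
 xml_string_reader = StringReader.new(data)
 xml_input_source = InputSource.new(xml_string_reader)
 doc = @dbf.new_document_builder.parse(xml_input_source)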
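Review bot: The four `setFeature` calls at new lines 43–46 switch off external DTD loading and external general/parameter entities but leave XInclude and entity-reference expansion at the factory defaults, so internal entity expansion is, as far as this hunk shows, bounded only by the limit `FEATURE_SECURE_PROCESSING` imposes, and XInclude remains a separate door if anyone later enables it; `@dbf.setXIncludeAware(false)` and `@dbf.setExpandEntityReferences(false)` are the two lines the usual `DocumentBuilderFactory` hardening adds. `setFeature` also throws `ParserConfigurationException` for a feature the underlying parser does not recognise, so the Apache/SAX feature URIs hard-code an assumption that the JAXP implementation is Xerces — worth stating in the comment, since a different provider would turn every parse into an exception rather than a silently unprotected parse (which is at least fail-closed). The factory is also rebuilt and reconfigured on every call, which is where that cost lands. `parse` starts and ends outside the hunk.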
1  activesupport/test/fixtures/xml/jdom_doctype.dtd
... ... @@ -0,0 +1 @@
  1 +<!ENTITY a "external entity">
1  activesupport/test/fixtures/xml/jdom_entities.txt
... ... @@ -0,0 +1 @@
  1 +<!ENTITY a "hello">
1  activesupport/test/fixtures/xml/jdom_include.txt
... ... @@ -0,0 +1 @@
  1 +include me
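--- a/activesupport/test/xml_mini/jdom_engine_test.rb
+++ b/activesupport/test/xml_mini/jdom_engine_test.rb
@@ -3,9 +3,11 @@
 require 'active_support/xml_mini'
 require 'active_support/core_ext/hash/conversions'
 
-class JDOMEngineTest < Test::Unit::TestCase
+class JDOMEngineTest < ActiveSupport::TestCase
 include ActiveSupport
 
+FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'
+
 def setup
 @default_backend = XmlMini.backend
 XmlMini.backend = 'JDOM'
@@ -30,10 +32,41 @@ def test_file_from_xml
 assert_equal 'image/png', file.content_type
 end
 
+def test_not_allowed_to_expand_entities_to_files
+attack_xml = <<-EOT
+<!DOCTYPE member [
+<!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
+]>
+<member>x&a;</member>
+EOT
+assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+end
+
+def test_not_allowed_to_expand_parameter_entities_to_files
+attack_xml = <<-EOT
+<!DOCTYPE member [
+<!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
+%b;
+]>
+<member>x&a;</member>
+EOT
+assert_raise Java::OrgXmlSax::SAXParseException do
+assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+end
+end
+
+
+def test_not_allowed_to_load_external_doctypes
+attack_xml = <<-EOT
+<!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
+<member>x&a;</member>
+EOT
+assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+end
+
 def test_exception_thrown_on_expansion_attack
-assert_raise NativeException do
+assert_raise Java::OrgXmlSax::SAXParseException do
 attack_xml = <<-EOT
-<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE member [
 <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">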
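Review bot: In `test_not_allowed_to_expand_parameter_entities_to_files` (new lines 45–56) the `assert_equal` nested inside the `assert_raise` block can never be checked: when the parse raises it is skipped, and when it does not raise it passes just before `assert_raise` fails, so the test documents a second expectation it cannot verify. Asserting the exception alone, `assert_raise(Java::OrgXmlSax::SAXParseException) { Hash.from_xml(attack_xml) }`, says what is actually being tested; if the intent is "either blocked or raised", that needs two explicit branches rather than a nested assert. The double blank line at new lines 57–58 breaks the one-blank-line spacing the rest of the file uses. `test_exception_thrown_on_expansion_attack` continues past the end of the hunk.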
2  railties/CHANGELOG.md
@@ -3,7 +3,7 @@
3 3 * No changes.
4 4
5 5
6   -## Rails 3.2.13.rc1 (Feb 17, 2013) ##
  6 +## Rails 3.2.13 ##
7 7
8 8 * No changes.
9 9
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  version.rb
@@ -2,7 +2,7 @@ module Rails
2 2 module VERSION #:nodoc:
3 3 MAJOR = 3
4 4 MINOR = 2
5   - TINY = 12
  5 + TINY = 13
6 6 PRE = nil
7 7
8 8 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
