Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

We’re showing branches in this repository, but you can also compare across forks.

base fork: rails/rails
...
head fork: rails/rails
  • 7 commits
  • 34 files changed
  • 2 commit comments
  • 3 contributors
Commits on Aug 04, 2012
Andrew White pixeltrix Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
f07c708
Commits on Aug 08, 2012
Santiago Pastorino spastorino html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
780a718
Rafael Mendonça França rafaelfranca Fix tests about single quote escaping 9ef905f
Commits on Aug 09, 2012
Santiago Pastorino spastorino escape select_tag :prompt values
CVE-2012-3463
c979587
Santiago Pastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
1151959
Santiago Pastorino spastorino Add CHANGELOG entries 6eda26a
Santiago Pastorino spastorino Bump to 3.0.17 77977f3
Showing with 142 additions and 58 deletions.
  1. +1 −1  Gemfile
  2. +1 −1  RAILS_VERSION
  3. +4 −0 actionmailer/CHANGELOG
  4. +1 −1  actionmailer/lib/action_mailer/version.rb
  5. +15 −0 actionpack/CHANGELOG
  6. +1 −1  actionpack/lib/action_pack/version.rb
  7. +2 −2 actionpack/lib/action_view/helpers/form_tag_helper.rb
  8. +1 −1  actionpack/lib/action_view/helpers/sanitize_helper.rb
  9. +2 −2 actionpack/test/controller/render_test.rb
  10. +17 −6 actionpack/test/template/asset_tag_helper_test.rb
  11. +5 −5 actionpack/test/template/erb_util_test.rb
  12. +3 −3 actionpack/test/template/form_options_helper_test.rb
  13. +7 −1 actionpack/test/template/form_tag_helper_test.rb
  14. +5 −5 actionpack/test/template/javascript_helper_test.rb
  15. +2 −2 actionpack/test/template/sanitize_helper_test.rb
  16. +1 −1  actionpack/test/template/template_test.rb
  17. +1 −1  actionpack/test/template/text_helper_test.rb
  18. +5 −5 actionpack/test/template/url_helper_test.rb
  19. +4 −0 activemodel/CHANGELOG
  20. +1 −1  activemodel/lib/active_model/version.rb
  21. +4 −0 activerecord/CHANGELOG
  22. +20 −9 activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
  23. +1 −1  activerecord/lib/active_record/version.rb
  24. +1 −1  activerecord/test/schema/mysql2_specific_schema.rb
  25. +1 −1  activerecord/test/schema/mysql_specific_schema.rb
  26. +4 −0 activeresource/CHANGELOG
  27. +1 −1  activeresource/lib/active_resource/version.rb
  28. +4 −0 activesupport/CHANGELOG
  29. +3 −3 activesupport/lib/active_support/core_ext/string/output_safety.rb
  30. +1 −1  activesupport/lib/active_support/version.rb
  31. +17 −0 activesupport/test/core_ext/string_ext_test.rb
  32. +4 −0 railties/CHANGELOG
  33. +1 −1  railties/lib/rails/version.rb
  34. +1 −1  version.rb
2  Gemfile
View
@@ -41,7 +41,7 @@ platforms :ruby do
group :db do
gem "pg", ">= 0.9.0"
gem "mysql", ">= 2.8.1"
- gem "mysql2", "~> 0.2.17"
+ gem "mysql2", :git => "git://github.com/brianmario/mysql2.git", :branch => "0.2.x"
end
end
2  RAILS_VERSION
View
@@ -1 +1 @@
-3.0.16
+3.0.17
4 actionmailer/CHANGELOG
View
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  actionmailer/lib/action_mailer/version.rb
View
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
15 actionpack/CHANGELOG
View
@@ -1,3 +1,18 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+ helper doesn't correctly handle malformed html. As a result an attacker can
+ execute arbitrary javascript through the use of specially crafted malformed
+ html.
+
+ *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
+* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+ Vulnerable code will look something like this:
+ select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+ *Santiago Pastorino*
+
## Rails 3.0.16 (Jul 26, 2012)
* Do not convert digest auth strings to symbols. CVE-2012-3424
2  actionpack/lib/action_pack/version.rb
View
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 actionpack/lib/action_view/helpers/form_tag_helper.rb
View
@@ -100,9 +100,9 @@ def select_tag(name, option_tags = nil, options = {})
html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
if blank = options.delete(:include_blank)
if blank.kind_of?(String)
- option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
+ option_tags = content_tag(:option, blank, :value => '').safe_concat(option_tags)
else
- option_tags = "<option value=\"\"></option>".html_safe + option_tags
+ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
end
end
content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
2  actionpack/lib/action_view/helpers/sanitize_helper.rb
View
@@ -81,7 +81,7 @@ def sanitize_css(style)
# strip_tags("<div id='top-bar'>Welcome to my website!</div>")
# # => Welcome to my website!
def strip_tags(html)
- self.class.full_sanitizer.sanitize(html).try(:html_safe)
+ self.class.full_sanitizer.sanitize(html)
end
# Strips all link tags from +text+ leaving just the link text.
4 actionpack/test/controller/render_test.rb
View
@@ -149,7 +149,7 @@ def render_text_hello_world
# :ported:
def render_text_hello_world_with_layout
- @variable_for_layout = ", I'm here!"
+ @variable_for_layout = ", I am here!"
render :text => "hello world", :layout => true
end
@@ -776,7 +776,7 @@ def test_render_text
# :ported:
def test_do_with_render_text_and_layout
get :render_text_hello_world_with_layout
- assert_equal "<html>hello world, I'm here!</html>", @response.body
+ assert_equal "<html>hello world, I am here!</html>", @response.body
end
# :ported:
23 actionpack/test/template/asset_tag_helper_test.rb
View
@@ -159,8 +159,9 @@ def url_for(*args)
%(image_tag("slash..png")) => %(<img alt="Slash." src="/images/slash..png" />),
%(image_tag(".pdf.png")) => %(<img alt=".pdf" src="/images/.pdf.png" />),
%(image_tag("http://www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="http://www.rubyonrails.com/images/rails.png" />),
- %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
- %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
+ %(image_tag("//www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="//www.rubyonrails.com/images/rails.png" />),
+ %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
+ %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
%(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />)
}
@@ -1007,8 +1008,8 @@ def test_should_compute_proper_path
assert_dom_equal(%(/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
assert_dom_equal(%(/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
assert_dom_equal(%(/collaboration/hieraki/images/xml.png), image_path("xml.png"))
- assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse.png'" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
- assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse2.png'" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+ assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse.png&#x27;" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+ assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse2.png&#x27;" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
end
def test_should_ignore_relative_root_path_on_complete_url
@@ -1021,8 +1022,18 @@ def test_should_compute_proper_path_with_asset_host
assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
- assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
- assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse2.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+ assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+ assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+ end
+
+ def test_should_compute_proper_path_with_asset_host_and_default_protocol
+ @controller.config.asset_host = "assets.example.com"
+ @controller.config.default_asset_host_protocol = :request
+ assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
+ assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
+ assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
+ assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+ assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
end
def test_should_ignore_asset_host_on_complete_url
10 actionpack/test/template/erb_util_test.rb
View
@@ -7,11 +7,11 @@ class ErbUtilTest < Test::Unit::TestCase
define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
assert_equal expected, html_escape(given)
end
+ end
- unless given == '"'
- define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
- assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
- end
+ ERB::Util::JSON_ESCAPE.each do |given, expected|
+ define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+ assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
end
end
@@ -39,7 +39,7 @@ def test_html_escape_passes_html_escpe_unmodified
def test_rest_in_ascii
(0..127).to_a.map {|int| int.chr }.each do |chr|
- next if %w(& " < >).include?(chr)
+ next if %w(& " < > ').include?(chr)
assert_equal chr, html_escape(chr)
end
end
6 actionpack/test/template/form_options_helper_test.rb
View
@@ -887,7 +887,7 @@ def test_time_zone_select_with_default_time_zone_and_value
def test_options_for_select_with_element_attributes
assert_dom_equal(
- "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+ "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert(&#x27;Hello World&#x27;);\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
)
end
@@ -923,13 +923,13 @@ def test_option_html_attributes_with_single_element_hash
def test_option_html_attributes_with_multiple_element_hash
output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy', 'onclick' => "alert('Hello World');" } ])
assert output.include?(" class=\"fancy\"")
- assert output.include?(" onclick=\"alert('Hello World');\"")
+ assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
end
def test_option_html_attributes_with_multiple_hashes
output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy' }, { 'onclick' => "alert('Hello World');" } ])
assert output.include?(" class=\"fancy\"")
- assert output.include?(" onclick=\"alert('Hello World');\"")
+ assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
end
def test_option_html_attributes_with_special_characters
8 actionpack/test/template/form_tag_helper_test.rb
View
@@ -195,6 +195,12 @@ def test_select_tag_with_include_blank
assert_dom_equal expected, actual
end
+ def test_select_tag_escapes_prompt
+ actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
+ expected = %(<select id="places" name="places"><option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option><option>Home</option><option>Work</option><option>Pub</option></select>)
+ assert_dom_equal expected, actual
+ end
+
def test_select_tag_with_include_blank_with_string
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :include_blank => "string"
expected = %(<select id="places" name="places"><option value="">string</option><option>Home</option><option>Work</option><option>Pub</option></select>)
@@ -361,7 +367,7 @@ def test_stringify_symbol_keys
def test_submit_tag
assert_dom_equal(
- %(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
+ %(<input name='commit' data-disable-with="Saving..." onclick="alert(&#x27;hello!&#x27;)" type="submit" value="Save" />),
submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
)
end
10 actionpack/test/template/javascript_helper_test.rb
View
@@ -41,7 +41,7 @@ def test_escape_javascript_with_safebuffer
end
def test_button_to_function
- assert_dom_equal %(<input type="button" onclick="alert('Hello world!');" value="Greeting" />),
+ assert_dom_equal %(<input type="button" onclick="alert(&#x27;Hello world!&#x27;);" value="Greeting" />),
button_to_function("Greeting", "alert('Hello world!')")
end
@@ -60,7 +60,7 @@ def test_button_to_function_with_rjs_block_and_options
end
def test_button_to_function_with_onclick
- assert_dom_equal "<input onclick=\"alert('Goodbye World :('); alert('Hello world!');\" type=\"button\" value=\"Greeting\" />",
+ assert_dom_equal "<input onclick=\"alert(&#x27;Goodbye World :(&#x27;); alert(&#x27;Hello world!&#x27;);\" type=\"button\" value=\"Greeting\" />",
button_to_function("Greeting", "alert('Hello world!')", :onclick => "alert('Goodbye World :(')")
end
@@ -70,12 +70,12 @@ def test_button_to_function_without_function
end
def test_link_to_function
- assert_dom_equal %(<a href="#" onclick="alert('Hello world!'); return false;">Greeting</a>),
+ assert_dom_equal %(<a href="#" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
link_to_function("Greeting", "alert('Hello world!')")
end
def test_link_to_function_with_existing_onclick
- assert_dom_equal %(<a href="#" onclick="confirm('Sanity!'); alert('Hello world!'); return false;">Greeting</a>),
+ assert_dom_equal %(<a href="#" onclick="confirm(&#x27;Sanity!&#x27;); alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
link_to_function("Greeting", "alert('Hello world!')", :onclick => "confirm('Sanity!')")
end
@@ -94,7 +94,7 @@ def test_link_to_function_with_rjs_block_and_options
end
def test_link_to_function_with_href
- assert_dom_equal %(<a href="http://example.com/" onclick="alert('Hello world!'); return false;">Greeting</a>),
+ assert_dom_equal %(<a href="http://example.com/" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
link_to_function("Greeting", "alert('Hello world!')", :href => 'http://example.com/')
end
4 actionpack/test/template/sanitize_helper_test.rb
View
@@ -42,9 +42,9 @@ def test_strip_tags
[nil, '', ' '].each do |blank|
stripped = strip_tags(blank)
assert_equal blank, stripped
- assert stripped.html_safe? unless blank.nil?
end
- assert strip_tags("<script>").html_safe?
+ assert_equal "", strip_tags("<script>")
+ assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
end
def test_sanitize_is_marked_safe
2  actionpack/test/template/template_test.rb
View
@@ -50,7 +50,7 @@ def test_basic_template
def test_locals
@template = new_template("<%= my_local %>")
- assert_equal "I'm a local", render(:my_local => "I'm a local")
+ assert_equal "I am a local", render(:my_local => "I am a local")
end
def test_restores_buffer
2  actionpack/test/template/text_helper_test.rb
View
@@ -305,7 +305,7 @@ def test_auto_link_parsing
http://en.wikipedia.org/wiki/Wikipedia:Today%27s_featured_picture_%28animation%29/January_20%2C_2007
http://www.mail-archive.com/rails@lists.rubyonrails.org/
http://www.amazon.com/Testing-Equal-Sign-In-Path/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1198861734&sr=8-1
- http://en.wikipedia.org/wiki/Texas_hold'em
+ http://en.wikipedia.org/wiki/Texas_hold
https://www.google.com/doku.php?id=gps:resource:scs:start
http://connect.oraclecorp.com/search?search[q]=green+france&search[type]=Group
http://of.openfoundry.org/projects/492/download#4th.Release.3
10 actionpack/test/template/url_helper_test.rb
View
@@ -188,7 +188,7 @@ def test_link_with_nil_html_options
def test_link_tag_with_custom_onclick
link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
- expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
+ expected = %{<a href="http://www.example.com" onclick="alert(&#x27;yay!&#x27;)">Hello</a>}
assert_dom_equal expected, link
end
@@ -198,12 +198,12 @@ def test_link_tag_with_javascript_confirm
link_to("Hello", "http://www.example.com", :confirm => "Are you sure?")
)
assert_dom_equal(
- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
- link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
+ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
+ link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
)
assert_dom_equal(
- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
- link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
+ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
+ link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
)
end
4 activemodel/CHANGELOG
View
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  activemodel/lib/active_model/version.rb
View
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 activerecord/CHANGELOG
View
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* Fix type_to_sql with text and limit on mysql/mysql2 (GH #7252)
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
29 activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
View
@@ -522,15 +522,26 @@ def rename_column(table_name, column_name, new_column_name) #:nodoc:
# Maps logical Rails types to MySQL-specific data types.
def type_to_sql(type, limit = nil, precision = nil, scale = nil)
- return super unless type.to_s == 'integer'
-
- case limit
- when 1; 'tinyint'
- when 2; 'smallint'
- when 3; 'mediumint'
- when nil, 4, 11; 'int(11)' # compatibility with MySQL default
- when 5..8; 'bigint'
- else raise(ActiveRecordError, "No integer type has byte size #{limit}")
+ case type.to_s
+ when 'integer'
+ case limit
+ when 1; 'tinyint'
+ when 2; 'smallint'
+ when 3; 'mediumint'
+ when nil, 4, 11; 'int(11)' # compatibility with MySQL default
+ when 5..8; 'bigint'
+ else raise(ActiveRecordError, "No integer type has byte size #{limit}")
+ end
+ when 'text'
+ case limit
+ when 0..0xff; 'tinytext'
+ when nil, 0x100..0xffff; 'text'
+ when 0x10000..0xffffff; 'mediumtext'
+ when 0x1000000..0xffffffff; 'longtext'
+ else raise(ActiveRecordError, "No text type has character length #{limit}")
+ end
+ else
+ super
end
end
2  activerecord/lib/active_record/version.rb
View
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  activerecord/test/schema/mysql2_specific_schema.rb
View
@@ -1,5 +1,5 @@
ActiveRecord::Schema.define do
- create_table :binary_fields, :force => true, :options => 'CHARACTER SET latin1' do |t|
+ create_table :binary_fields, :force => true do |t|
t.binary :tiny_blob, :limit => 255
t.binary :normal_blob, :limit => 65535
t.binary :medium_blob, :limit => 16777215
2  activerecord/test/schema/mysql_specific_schema.rb
View
@@ -1,5 +1,5 @@
ActiveRecord::Schema.define do
- create_table :binary_fields, :force => true, :options => 'CHARACTER SET latin1' do |t|
+ create_table :binary_fields, :force => true do |t|
t.binary :tiny_blob, :limit => 255
t.binary :normal_blob, :limit => 65535
t.binary :medium_blob, :limit => 16777215
4 activeresource/CHANGELOG
View
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  activeresource/lib/active_resource/version.rb
View
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 activesupport/CHANGELOG
View
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
6 activesupport/lib/active_support/core_ext/string/output_safety.rb
View
@@ -3,13 +3,13 @@
class ERB
module Util
- HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }
+ HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
#
- # In your ERb templates, use this method to escape any unsafe content. For example:
+ # In your ERB templates, use this method to escape any unsafe content. For example:
# <%=h @person.name %>
#
# ==== Example:
@@ -20,7 +20,7 @@ def html_escape(s)
if s.html_safe?
s
else
- s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
+ s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
end
end
2  activesupport/lib/active_support/version.rb
View
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
17 activesupport/test/core_ext/string_ext_test.rb
View
@@ -527,6 +527,23 @@ def to_s
assert string.html_safe?
assert !string.to_param.html_safe?
end
+
+ test "ERB::Util.html_escape should escape unsafe characters" do
+ string = '<>&"\''
+ expected = '&lt;&gt;&amp;&quot;&#x27;'
+ assert_equal expected, ERB::Util.html_escape(string)
+ end
+
+ test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
+ string = [192, 60].pack('CC')
+ expected = 192.chr + "&lt;"
+ assert_equal expected, ERB::Util.html_escape(string)
+ end
+
+ test "ERB::Util.html_escape should not escape safe strings" do
+ string = "<b>hello</b>".html_safe
+ assert_equal string, ERB::Util.html_escape(string)
+ end
end
class StringExcludeTest < ActiveSupport::TestCase
4 railties/CHANGELOG
View
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  railties/lib/rails/version.rb
View
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  version.rb
View
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

Showing you all comments on commits in this comparison.

Joseph Shraibman

Was this necessary to fix CVE-2013-0333? All of a sudden strings with single quotes stuck into input boxes are being doubly escaped, like so:

<input id="regime_name" name="regime[name]" size="30" type="text" value="with an &amp;mpersand and a &amp;#x27;quote&amp;#x27;" />
Joseph Shraibman

Existing unit tests fail. When I run rails/actionpack/test/template/form_helper_test.rb I get:


  1) Failure:
test_default_form_builder_no_instance_variable(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

  2) Failure:
test_default_form_builder_with_active_record_helpers(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

  3) Failure:
test_default_form_builder_without_object(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

96 tests, 134 assertions, 3 failures, 0 errors, 0 skips
Something went wrong with that request. Please try again.