Comparing changes

base fork: rails/rails
...
head fork: rails/rails
  • 7 commits
  • 34 files changed
  • 2 commit comments
  • 3 contributors
Commits on Aug 04, 2012
@pixeltrix pixeltrix Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
f07c708
Commits on Aug 08, 2012
@spastorino spastorino html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
780a718
@rafaelfranca rafaelfranca Fix tests about single quote escaping 9ef905f
Commits on Aug 09, 2012
@spastorino spastorino escape select_tag :prompt values
CVE-2012-3463
c979587
@spastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
1151959
@spastorino spastorino Add CHANGELOG entries 6eda26a
@spastorino spastorino Bump to 3.0.17 77977f3
Showing with 142 additions and 58 deletions.
  1. +1 −1  Gemfile
  2. +1 −1  RAILS_VERSION
  3. +4 −0 actionmailer/CHANGELOG
  4. +1 −1  actionmailer/lib/action_mailer/version.rb
  5. +15 −0 actionpack/CHANGELOG
  6. +1 −1  actionpack/lib/action_pack/version.rb
  7. +2 −2 actionpack/lib/action_view/helpers/form_tag_helper.rb
  8. +1 −1  actionpack/lib/action_view/helpers/sanitize_helper.rb
  9. +2 −2 actionpack/test/controller/render_test.rb
  10. +17 −6 actionpack/test/template/asset_tag_helper_test.rb
  11. +5 −5 actionpack/test/template/erb_util_test.rb
  12. +3 −3 actionpack/test/template/form_options_helper_test.rb
  13. +7 −1 actionpack/test/template/form_tag_helper_test.rb
  14. +5 −5 actionpack/test/template/javascript_helper_test.rb
  15. +2 −2 actionpack/test/template/sanitize_helper_test.rb
  16. +1 −1  actionpack/test/template/template_test.rb
  17. +1 −1  actionpack/test/template/text_helper_test.rb
  18. +5 −5 actionpack/test/template/url_helper_test.rb
  19. +4 −0 activemodel/CHANGELOG
  20. +1 −1  activemodel/lib/active_model/version.rb
  21. +4 −0 activerecord/CHANGELOG
  22. +20 −9 activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
  23. +1 −1  activerecord/lib/active_record/version.rb
  24. +1 −1  activerecord/test/schema/mysql2_specific_schema.rb
  25. +1 −1  activerecord/test/schema/mysql_specific_schema.rb
  26. +4 −0 activeresource/CHANGELOG
  27. +1 −1  activeresource/lib/active_resource/version.rb
  28. +4 −0 activesupport/CHANGELOG
  29. +3 −3 activesupport/lib/active_support/core_ext/string/output_safety.rb
  30. +1 −1  activesupport/lib/active_support/version.rb
  31. +17 −0 activesupport/test/core_ext/string_ext_test.rb
  32. +4 −0 railties/CHANGELOG
  33. +1 −1  railties/lib/rails/version.rb
  34. +1 −1  version.rb
2  Gemfile
@@ -41,7 +41,7 @@ platforms :ruby do
group :db do
gem "pg", ">= 0.9.0"
gem "mysql", ">= 2.8.1"
- gem "mysql2", "~> 0.2.17"
+ gem "mysql2", :git => "git://github.com/brianmario/mysql2.git", :branch => "0.2.x"
end
end
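Review bot: pinning a dependency to a moving git branch fetched over unauthenticated `git://` is a reproducibility and supply-chain problem: `gem "mysql2", :git => "git://github.com/brianmario/mysql2.git", :branch => "0.2.x"` replaces the released constraint `"~> 0.2.17"` with whatever the `0.2.x` branch head happens to be at install time, and the transport offers no integrity guarantee. If a released gem cannot be used yet, pin a `:ref` (or `:tag`) and use an `https://` URL, and say in the commit message why the released version is insufficient.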
2  RAILS_VERSION
@@ -1 +1 @@
-3.0.16
+3.0.17
4 actionmailer/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
15 actionpack/CHANGELOG
@@ -1,3 +1,18 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+ helper doesn't correctly handle malformed html. As a result an attacker can
+ execute arbitrary javascript through the use of specially crafted malformed
+ html.
+
+ *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
+* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+ Vulnerable code will look something like this:
+ select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+ *Santiago Pastorino*
+
## Rails 3.0.16 (Jul 26, 2012)
* Do not convert digest auth strings to symbols. CVE-2012-3424
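Review bot: both new security entries omit their CVE identifiers, while the 3.0.16 entry directly below cites CVE-2012-3424; the commits in this comparison name CVE-2012-3465 for `strip_tags` and CVE-2012-3463 for the `select_tag` `:prompt` escaping, so add them to the respective bullets. The release also changes `ERB::Util.html_escape` to escape `'` as `&#x27;` (activesupport/lib/active_support/core_ext/string/output_safety.rb), which alters the output of every escaped string and every helper built on it, yet no CHANGELOG in this diff mentions it; that needs an entry of its own, otherwise users whose view tests start failing on `&#x27;` have nothing to find in the release notes.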
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -100,9 +100,9 @@ def select_tag(name, option_tags = nil, options = {})
html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
if blank = options.delete(:include_blank)
if blank.kind_of?(String)
- option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
+ option_tags = content_tag(:option, blank, :value => '').safe_concat(option_tags)
else
- option_tags = "<option value=\"\"></option>".html_safe + option_tags
+ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
end
end
content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
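Review bot: nothing in this hunk reads `:prompt`, although the commit title is "escape select_tag :prompt values" and the new test in form_tag_helper_test.rb passes `:prompt => "<script>alert(1337)</script>"`; the only branch modified is `options.delete(:include_blank)`. Either `:prompt` is mapped onto `:include_blank` somewhere above line 100, or `:prompt` is still emitted unescaped by another path. Please confirm which, and in the former case a one-line comment at this branch would spare the next reader the same question. The replacement itself is right: `content_tag(:option, blank, :value => '')` runs `blank` through `html_escape` unless it is already `html_safe`, instead of interpolating it into a string literal that is then blessed with `.html_safe`.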
2  actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -81,7 +81,7 @@ def sanitize_css(style)
# strip_tags("<div id='top-bar'>Welcome to my website!</div>")
# # => Welcome to my website!
def strip_tags(html)
- self.class.full_sanitizer.sanitize(html).try(:html_safe)
+ self.class.full_sanitizer.sanitize(html)
end
# Strips all link tags from +text+ leaving just the link text.
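Review bot: the doc comment above `strip_tags` should state that the result is no longer marked `html_safe` and is expected to be escaped on output. Dropping `.try(:html_safe)` is the right fix (a full sanitizer that has to tolerate malformed markup cannot guarantee its output is safe to emit raw, which is exactly the CVE-2012-3465 case named in the commit), but it is a visible API change: any template doing `<%= strip_tags(x) %>` now renders entities where it previously rendered characters, and anyone who adds `raw(...)` to get the old look reintroduces the hole. Spell that out here and in the CHANGELOG entry.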
4 actionpack/test/controller/render_test.rb
@@ -149,7 +149,7 @@ def render_text_hello_world
# :ported:
def render_text_hello_world_with_layout
- @variable_for_layout = ", I'm here!"
+ @variable_for_layout = ", I am here!"
render :text => "hello world", :layout => true
end
@@ -776,7 +776,7 @@ def test_render_text
# :ported:
def test_do_with_render_text_and_layout
get :render_text_hello_world_with_layout
- assert_equal "<html>hello world, I'm here!</html>", @response.body
+ assert_equal "<html>hello world, I am here!</html>", @response.body
end
# :ported:
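Review bot: changing the fixture from `I'm here!` to `I am here!` hides the behaviour change instead of documenting it. If `@variable_for_layout` is emitted through `<%= %>`, the apostrophe now renders as `&#x27;`; keep the original value and change the expectation to `"<html>hello world, I&#x27;m here!</html>"` so the suite pins how a layout renders an apostrophe after this release (and fails loudly if the escaping is ever reverted). The same applies to the `I'm` edit in the first hunk of this file, to `I'm a local` in template_test.rb and to `You can't possibly be sure` in url_helper_test.rb.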
23 actionpack/test/template/asset_tag_helper_test.rb
@@ -159,8 +159,9 @@ def url_for(*args)
%(image_tag("slash..png")) => %(<img alt="Slash." src="/images/slash..png" />),
%(image_tag(".pdf.png")) => %(<img alt=".pdf" src="/images/.pdf.png" />),
%(image_tag("http://www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="http://www.rubyonrails.com/images/rails.png" />),
- %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
- %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
+ %(image_tag("//www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="//www.rubyonrails.com/images/rails.png" />),
+ %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
+ %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
%(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />)
}
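Review bot: the new `image_tag("//www.rubyonrails.com/images/rails.png")` case is unrelated to single-quote escaping and is not mentioned in any commit message in this comparison; if it backports a protocol-relative URL change it needs its own commit and CHANGELOG line, otherwise it should be split out so the security release stays minimal. The `onmouseover`/`onmouseout` expectations moving to `&#x27;` are correct: browsers decode the entity back to `'` inside the attribute, so the inline handler is unchanged at runtime while the markup can no longer be broken out of with a raw quote.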
@@ -1007,8 +1008,8 @@ def test_should_compute_proper_path
assert_dom_equal(%(/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
assert_dom_equal(%(/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
assert_dom_equal(%(/collaboration/hieraki/images/xml.png), image_path("xml.png"))
- assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse.png'" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
- assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse2.png'" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+ assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse.png&#x27;" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+ assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse2.png&#x27;" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
end
def test_should_ignore_relative_root_path_on_complete_url
@@ -1021,8 +1022,18 @@ def test_should_compute_proper_path_with_asset_host
assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
- assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
- assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse2.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+ assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+ assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+ end
+
+ def test_should_compute_proper_path_with_asset_host_and_default_protocol
+ @controller.config.asset_host = "assets.example.com"
+ @controller.config.default_asset_host_protocol = :request
+ assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
+ assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
+ assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
+ assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+ assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
end
def test_should_ignore_asset_host_on_complete_url
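Review bot: `test_should_compute_proper_path_with_asset_host_and_default_protocol` depends on `@controller.config.default_asset_host_protocol`, yet the only non-test actionpack files in this comparison are form_tag_helper.rb, sanitize_helper.rb and version.rb, so that setting must already exist on 3.0.16; confirm it before merging, because a test that relies on a backport not included here would fail only on the release branch. The test is also unrelated to the CVE fixes and belongs in its own commit.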
10 actionpack/test/template/erb_util_test.rb
@@ -7,11 +7,11 @@ class ErbUtilTest < Test::Unit::TestCase
define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
assert_equal expected, html_escape(given)
end
+ end
- unless given == '"'
- define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
- assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
- end
+ ERB::Util::JSON_ESCAPE.each do |given, expected|
+ define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+ assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
end
end
@@ -39,7 +39,7 @@ def test_html_escape_passes_html_escpe_unmodified
def test_rest_in_ascii
(0..127).to_a.map {|int| int.chr }.each do |chr|
- next if %w(& " < >).include?(chr)
+ next if %w(& " < > ').include?(chr)
assert_equal chr, html_escape(chr)
end
end
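Review bot: `test_rest_in_ascii` now skips `'` along with `& " < >`, so it proves every other ASCII character passes `html_escape` unchanged, but nothing in this file asserts the five skipped characters against literal expectations; the generated `test_html_escape_*` methods above iterate over `HTML_ESCAPE` itself, so a wrong entry in that hash would pass. The literal check does exist in activesupport/test/core_ext/string_ext_test.rb; a short comment pointing there would help. While here, the method name in the hunk header, `test_html_escape_passes_html_escpe_unmodified`, has a typo (`escpe`).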
6 actionpack/test/template/form_options_helper_test.rb
@@ -887,7 +887,7 @@ def test_time_zone_select_with_default_time_zone_and_value
def test_options_for_select_with_element_attributes
assert_dom_equal(
- "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+ "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert(&#x27;Hello World&#x27;);\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
)
end
@@ -923,13 +923,13 @@ def test_option_html_attributes_with_single_element_hash
def test_option_html_attributes_with_multiple_element_hash
output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy', 'onclick' => "alert('Hello World');" } ])
assert output.include?(" class=\"fancy\"")
- assert output.include?(" onclick=\"alert('Hello World');\"")
+ assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
end
def test_option_html_attributes_with_multiple_hashes
output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy' }, { 'onclick' => "alert('Hello World');" } ])
assert output.include?(" class=\"fancy\"")
- assert output.include?(" onclick=\"alert('Hello World');\"")
+ assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
end
def test_option_html_attributes_with_special_characters
8 actionpack/test/template/form_tag_helper_test.rb
@@ -195,6 +195,12 @@ def test_select_tag_with_include_blank
assert_dom_equal expected, actual
end
+ def test_select_tag_escapes_prompt
+ actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
+ expected = %(<select id="places" name="places"><option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option><option>Home</option><option>Work</option><option>Pub</option></select>)
+ assert_dom_equal expected, actual
+ end
+
def test_select_tag_with_include_blank_with_string
actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :include_blank => "string"
expected = %(<select id="places" name="places"><option value="">string</option><option>Home</option><option>Work</option><option>Pub</option></select>)
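Review bot: the branch actually modified in form_tag_helper.rb is the `:include_blank` string branch, but the new test only exercises `:prompt`. Add a sibling test with `:include_blank => "<script>alert(1337)</script>"` expecting `<option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option>` ahead of the options, so the changed code path has a regression test of its own. Keeping `.html_safe` on the pre-built option string, as done here, is correct since that is how callers hand in already-rendered options.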
@@ -361,7 +367,7 @@ def test_stringify_symbol_keys
def test_submit_tag
assert_dom_equal(
- %(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
+ %(<input name='commit' data-disable-with="Saving..." onclick="alert(&#x27;hello!&#x27;)" type="submit" value="Save" />),
submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
)
end
10 actionpack/test/template/javascript_helper_test.rb
@@ -41,7 +41,7 @@ def test_escape_javascript_with_safebuffer
end
def test_button_to_function
- assert_dom_equal %(<input type="button" onclick="alert('Hello world!');" value="Greeting" />),
+ assert_dom_equal %(<input type="button" onclick="alert(&#x27;Hello world!&#x27;);" value="Greeting" />),
button_to_function("Greeting", "alert('Hello world!')")
end
@@ -60,7 +60,7 @@ def test_button_to_function_with_rjs_block_and_options
end
def test_button_to_function_with_onclick
- assert_dom_equal "<input onclick=\"alert('Goodbye World :('); alert('Hello world!');\" type=\"button\" value=\"Greeting\" />",
+ assert_dom_equal "<input onclick=\"alert(&#x27;Goodbye World :(&#x27;); alert(&#x27;Hello world!&#x27;);\" type=\"button\" value=\"Greeting\" />",
button_to_function("Greeting", "alert('Hello world!')", :onclick => "alert('Goodbye World :(')")
end
@@ -70,12 +70,12 @@ def test_button_to_function_without_function
end
def test_link_to_function
- assert_dom_equal %(<a href="#" onclick="alert('Hello world!'); return false;">Greeting</a>),
+ assert_dom_equal %(<a href="#" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
link_to_function("Greeting", "alert('Hello world!')")
end
def test_link_to_function_with_existing_onclick
- assert_dom_equal %(<a href="#" onclick="confirm('Sanity!'); alert('Hello world!'); return false;">Greeting</a>),
+ assert_dom_equal %(<a href="#" onclick="confirm(&#x27;Sanity!&#x27;); alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
link_to_function("Greeting", "alert('Hello world!')", :onclick => "confirm('Sanity!')")
end
@@ -94,7 +94,7 @@ def test_link_to_function_with_rjs_block_and_options
end
def test_link_to_function_with_href
- assert_dom_equal %(<a href="http://example.com/" onclick="alert('Hello world!'); return false;">Greeting</a>),
+ assert_dom_equal %(<a href="http://example.com/" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
link_to_function("Greeting", "alert('Hello world!')", :href => 'http://example.com/')
end
4 actionpack/test/template/sanitize_helper_test.rb
@@ -42,9 +42,9 @@ def test_strip_tags
[nil, '', ' '].each do |blank|
stripped = strip_tags(blank)
assert_equal blank, stripped
- assert stripped.html_safe? unless blank.nil?
end
- assert strip_tags("<script>").html_safe?
+ assert_equal "", strip_tags("<script>")
+ assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
end
def test_sanitize_is_marked_safe
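Review bot: the new assertion documents the contract (the output for `"something <img onerror=alert(1337)"` still contains the raw `<img onerror=alert(1337)` fragment and only becomes inert after `ERB::Util.html_escape`) but not the change itself. Add `assert !strip_tags("<script>").html_safe?` as the direct inverse of the removed `assert strip_tags("<script>").html_safe?`, so the test fails the moment someone re-adds `.try(:html_safe)` to `strip_tags`. The removed `assert stripped.html_safe? unless blank.nil?` inside the loop could likewise become a negative assertion rather than being dropped.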
2  actionpack/test/template/template_test.rb
@@ -50,7 +50,7 @@ def test_basic_template
def test_locals
@template = new_template("<%= my_local %>")
- assert_equal "I'm a local", render(:my_local => "I'm a local")
+ assert_equal "I am a local", render(:my_local => "I am a local")
end
def test_restores_buffer
2  actionpack/test/template/text_helper_test.rb
@@ -305,7 +305,7 @@ def test_auto_link_parsing
http://en.wikipedia.org/wiki/Wikipedia:Today%27s_featured_picture_%28animation%29/January_20%2C_2007
http://www.mail-archive.com/rails@lists.rubyonrails.org/
http://www.amazon.com/Testing-Equal-Sign-In-Path/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1198861734&sr=8-1
- http://en.wikipedia.org/wiki/Texas_hold'em
+ http://en.wikipedia.org/wiki/Texas_hold
https://www.google.com/doku.php?id=gps:resource:scs:start
http://connect.oraclecorp.com/search?search[q]=green+france&search[type]=Group
http://of.openfoundry.org/projects/492/download#4th.Release.3
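Review bot: trimming `'em` from the `Texas_hold'em` URL removes the only case in this list that checks `auto_link` on a URL containing an apostrophe, which is precisely the character whose escaping this release changes. The interesting question is whether `auto_link` still finds the URL boundary and what the generated `href` looks like once `'` becomes `&#x27;`; keep the URL and adjust the expected output (or add a dedicated assertion) rather than deleting the character.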
10 actionpack/test/template/url_helper_test.rb
@@ -188,7 +188,7 @@ def test_link_with_nil_html_options
def test_link_tag_with_custom_onclick
link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
- expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
+ expected = %{<a href="http://www.example.com" onclick="alert(&#x27;yay!&#x27;)">Hello</a>}
assert_dom_equal expected, link
end
@@ -198,12 +198,12 @@ def test_link_tag_with_javascript_confirm
link_to("Hello", "http://www.example.com", :confirm => "Are you sure?")
)
assert_dom_equal(
- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
- link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
+ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
+ link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
)
assert_dom_equal(
- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
- link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
+ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
+ link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
)
end
4 activemodel/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 activerecord/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* Fix type_to_sql with text and limit on mysql/mysql2 (GH #7252)
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
29 activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -522,15 +522,26 @@ def rename_column(table_name, column_name, new_column_name) #:nodoc:
# Maps logical Rails types to MySQL-specific data types.
def type_to_sql(type, limit = nil, precision = nil, scale = nil)
- return super unless type.to_s == 'integer'
-
- case limit
- when 1; 'tinyint'
- when 2; 'smallint'
- when 3; 'mediumint'
- when nil, 4, 11; 'int(11)' # compatibility with MySQL default
- when 5..8; 'bigint'
- else raise(ActiveRecordError, "No integer type has byte size #{limit}")
+ case type.to_s
+ when 'integer'
+ case limit
+ when 1; 'tinyint'
+ when 2; 'smallint'
+ when 3; 'mediumint'
+ when nil, 4, 11; 'int(11)' # compatibility with MySQL default
+ when 5..8; 'bigint'
+ else raise(ActiveRecordError, "No integer type has byte size #{limit}")
+ end
+ when 'text'
+ case limit
+ when 0..0xff; 'tinytext'
+ when nil, 0x100..0xffff; 'text'
+ when 0x10000..0xffffff; 'mediumtext'
+ when 0x1000000..0xffffffff; 'longtext'
+ else raise(ActiveRecordError, "No text type has character length #{limit}")
+ end
+ else
+ super
end
end
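Review bot: the ranges `0..0xff`, `0x100..0xffff`, `0x10000..0xffffff` and `0x1000000..0xffffffff` are the byte capacities of TINYTEXT, TEXT, MEDIUMTEXT and LONGTEXT, yet the error message reads "No text type has character length #{limit}" and the commit message describes `limit` as a character count whose meaning depends on the column encoding. Pick one unit and name it in both the message and the method comment; as written, a UTF-8 column declared with `:limit => 65535` becomes `text` and holds fewer than 65535 characters. `0` landing in the tinytext range is also questionable: a zero limit is more likely a caller error than a request for TINYTEXT, and the `integer` branch above raises for it rather than mapping it.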
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  activerecord/test/schema/mysql2_specific_schema.rb
@@ -1,5 +1,5 @@
ActiveRecord::Schema.define do
- create_table :binary_fields, :force => true, :options => 'CHARACTER SET latin1' do |t|
+ create_table :binary_fields, :force => true do |t|
t.binary :tiny_blob, :limit => 255
t.binary :normal_blob, :limit => 65535
t.binary :medium_blob, :limit => 16777215
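Review bot: a `t.text` column with a limit at one of the new `type_to_sql` boundaries (for example 65535 next to 65536) would turn the #7252 fix into something this schema actually checks; at present the table only has `t.binary` columns, for which the charset is irrelevant because BLOB sizes are bytes. Dropping `:options => 'CHARACTER SET latin1'` is presumably safe for that reason, but the commit message should say the override is no longer needed now that the adapter chooses the text type itself, since the same change is made in mysql_specific_schema.rb without explanation.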
2  activerecord/test/schema/mysql_specific_schema.rb
@@ -1,5 +1,5 @@
ActiveRecord::Schema.define do
- create_table :binary_fields, :force => true, :options => 'CHARACTER SET latin1' do |t|
+ create_table :binary_fields, :force => true do |t|
t.binary :tiny_blob, :limit => 255
t.binary :normal_blob, :limit => 65535
t.binary :medium_blob, :limit => 16777215
4 activeresource/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 activesupport/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
6 activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,13 +3,13 @@
class ERB
module Util
- HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }
+ HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
#
- # In your ERb templates, use this method to escape any unsafe content. For example:
+ # In your ERB templates, use this method to escape any unsafe content. For example:
# <%=h @person.name %>
#
# ==== Example:
@@ -20,7 +20,7 @@ def html_escape(s)
if s.html_safe?
s
else
- s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
+ s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
end
end
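Review bot: `.to_s` is gone from the escaping line (`s.gsub(...)` where the old code had `s.to_s.gsub(...)`). Unless a `s = s.to_s` precedes this `if` outside the hunk, `html_escape(nil)` and `h(42)` go from returning an escaped string to raising NoMethodError, because `html_safe?` is defined on Object but `gsub` is not; either restore `.to_s` or extend the diff context to show the preceding line. The `/n` flag on an all-ASCII pattern keeps the regexp compatible with UTF-8 and binary strings alike, which is what the invalid-UTF-8 test in string_ext_test.rb relies on; note that a string tagged UTF-8 that contains an invalid byte will still make `gsub` raise ArgumentError, so that failure mode remains uncovered.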
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
17 activesupport/test/core_ext/string_ext_test.rb
@@ -527,6 +527,23 @@ def to_s
assert string.html_safe?
assert !string.to_param.html_safe?
end
+
+ test "ERB::Util.html_escape should escape unsafe characters" do
+ string = '<>&"\''
+ expected = '&lt;&gt;&amp;&quot;&#x27;'
+ assert_equal expected, ERB::Util.html_escape(string)
+ end
+
+ test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
+ string = [192, 60].pack('CC')
+ expected = 192.chr + "&lt;"
+ assert_equal expected, ERB::Util.html_escape(string)
+ end
+
+ test "ERB::Util.html_escape should not escape safe strings" do
+ string = "<b>hello</b>".html_safe
+ assert_equal string, ERB::Util.html_escape(string)
+ end
end
class StringExcludeTest < ActiveSupport::TestCase
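Review bot: the "invalid UTF-8 strings" test builds its input with `[192, 60].pack('CC')`, which yields an ASCII-8BIT string rather than a UTF-8 string containing an invalid byte, so it exercises the binary path and not the failure mode its name suggests. Add a second input with `.force_encoding('UTF-8')` and decide what `html_escape` should do for it (today `gsub` raises ArgumentError), or rename the test to match what it checks. `expected = 192.chr + "&lt;"` is fine because `Integer#chr` without an argument also returns ASCII-8BIT.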
4 railties/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 3.0.17 (Aug 9, 2012)
+
+* No changes.
+
## Rails 3.0.16 (Jul 26, 2012)
* No changes.
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 0
- TINY = 16
+ TINY = 17
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

Showing you all comments on commits in this comparison.

@jshraibman-mdsol

Was this necessary to fix CVE-2013-0333? All of a sudden strings with single quotes stuck into input boxes are being doubly escaped, like so:

<input id="regime_name" name="regime[name]" size="30" type="text" value="with an &amp;mpersand and a &amp;#x27;quote&amp;#x27;" />
@jshraibman-mdsol

Existing unit tests fail. When I run rails/actionpack/test/template/form_helper_test.rb I get:


  1) Failure:
test_default_form_builder_no_instance_variable(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

  2) Failure:
test_default_form_builder_with_active_record_helpers(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

  3) Failure:
test_default_form_builder_without_object(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

96 tests, 134 assertions, 3 failures, 0 errors, 0 skips