  • 7 commits
  • 34 files changed
  • 2 comments
  • 3 contributors
Aug 04, 2012
Andrew White Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
f07c708
Aug 07, 2012
Santiago Pastorino html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
780a718
Rafael Mendonça França Fix tests about single quote escaping 9ef905f
Aug 09, 2012
Santiago Pastorino escape select_tag :prompt values
CVE-2012-3463
c979587
Santiago Pastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
1151959
Santiago Pastorino Add CHANGELOG entries 6eda26a
Santiago Pastorino Bump to 3.0.17 77977f3

Showing 34 changed files with 142 additions and 58 deletions.

  1. 2  Gemfile
  2. 2  RAILS_VERSION
  3. 4  actionmailer/CHANGELOG
  4. 2  actionmailer/lib/action_mailer/version.rb
  5. 15  actionpack/CHANGELOG
  6. 2  actionpack/lib/action_pack/version.rb
  7. 4  actionpack/lib/action_view/helpers/form_tag_helper.rb
  8. 2  actionpack/lib/action_view/helpers/sanitize_helper.rb
  9. 4  actionpack/test/controller/render_test.rb
  10. 23  actionpack/test/template/asset_tag_helper_test.rb
  11. 10  actionpack/test/template/erb_util_test.rb
  12. 6  actionpack/test/template/form_options_helper_test.rb
  13. 8  actionpack/test/template/form_tag_helper_test.rb
  14. 10  actionpack/test/template/javascript_helper_test.rb
  15. 4  actionpack/test/template/sanitize_helper_test.rb
  16. 2  actionpack/test/template/template_test.rb
  17. 2  actionpack/test/template/text_helper_test.rb
  18. 10  actionpack/test/template/url_helper_test.rb
  19. 4  activemodel/CHANGELOG
  20. 2  activemodel/lib/active_model/version.rb
  21. 4  activerecord/CHANGELOG
  22. 29  activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
  23. 2  activerecord/lib/active_record/version.rb
  24. 2  activerecord/test/schema/mysql2_specific_schema.rb
  25. 2  activerecord/test/schema/mysql_specific_schema.rb
  26. 4  activeresource/CHANGELOG
  27. 2  activeresource/lib/active_resource/version.rb
  28. 4  activesupport/CHANGELOG
  29. 6  activesupport/lib/active_support/core_ext/string/output_safety.rb
  30. 2  activesupport/lib/active_support/version.rb
  31. 17  activesupport/test/core_ext/string_ext_test.rb
  32. 4  railties/CHANGELOG
  33. 2  railties/lib/rails/version.rb
  34. 2  version.rb
2  Gemfile
@@ -41,7 +41,7 @@ platforms :ruby do
41 41
   group :db do
42 42
     gem "pg", ">= 0.9.0"
43 43
     gem "mysql", ">= 2.8.1"
44  
-    gem "mysql2", "~> 0.2.17"
  44
+    gem "mysql2", :git => "git://github.com/brianmario/mysql2.git", :branch => "0.2.x"
45 45
   end
46 46
 end
47 47
 
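Review bot: pinning mysql2 to a moving branch over the unauthenticated git:// protocol replaces a versioned gem with an unpinned, unverifiable source, which is a supply-chain regression in a security release. If the 0.2.x branch is needed for fixes not yet in a released gem, pin `:ref` to a specific commit and use an https URL, and say in the commit message why `"~> 0.2.17"` no longer suffices.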
2  RAILS_VERSION
@@ -1 +1 @@
1  
-3.0.16
  1
+3.0.17
4  actionmailer/CHANGELOG
@@ -1,3 +1,7 @@
  1
+## Rails 3.0.17 (Aug 9, 2012)
  2
+
  3
+* No changes.
  4
+
1 5
 ## Rails 3.0.16 (Jul 26, 2012)
2 6
 
3 7
 *   No changes.
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
15  actionpack/CHANGELOG
@@ -1,3 +1,18 @@
  1
+## Rails 3.0.17 (Aug 9, 2012)
  2
+
  3
+* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
  4
+  helper doesn't correctly handle malformed html.  As a result an attacker can
  5
+  execute arbitrary javascript through the use of specially crafted malformed
  6
+  html.
  7
+
  8
+  *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
  9
+
  10
+* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.  If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
  11
+  Vulnerable code will look something like this:
  12
+    select_tag("name", options, :prompt => UNTRUSTED_INPUT)
  13
+
  14
+  *Santiago Pastorino*
  15
+
1 16
 ## Rails 3.0.16 (Jul 26, 2012)
2 17
 
3 18
 * Do not convert digest auth strings to symbols. CVE-2012-3424
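Review bot: both new entries omit the CVE identifiers that the commit messages carry (CVE-2012-3465 for strip_tags, CVE-2012-3463 for select_tag), while the 3.0.16 entry just below cites CVE-2012-3424; add them so the CHANGELOG is searchable by advisory. The strip_tags entry should also state the user-visible effect of the fix: the return value is no longer marked html_safe, so templates that relied on it being emitted unescaped will now see escaped output.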
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4  actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -100,9 +100,9 @@ def select_tag(name, option_tags = nil, options = {})
100 100
         html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
101 101
         if blank = options.delete(:include_blank)
102 102
           if blank.kind_of?(String)
103  
-            option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
  103
+            option_tags = content_tag(:option, blank, :value => '').safe_concat(option_tags)
104 104
           else
105  
-            option_tags = "<option value=\"\"></option>".html_safe + option_tags
  105
+            option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
106 106
           end
107 107
         end
108 108
         content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
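Review bot: only the `:include_blank` path is visible in this hunk, while the commit message and the new `test_select_tag_escapes_prompt` in form_tag_helper_test.rb exercise `:prompt`; confirm that `:prompt` reaches this same code on this branch (or add a test for a string `:include_blank`) so both options are covered by the escaped path. The escaping now comes from `content_tag`, which leaves a value alone when it is already html_safe, so callers passing an html_safe string keep their markup; that is the intended contract but worth a sentence in the docs above the method.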
2  actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -81,7 +81,7 @@ def sanitize_css(style)
81 81
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
82 82
       #   # => Welcome to my website!
83 83
       def strip_tags(html)
84  
-        self.class.full_sanitizer.sanitize(html).try(:html_safe)
  84
+        self.class.full_sanitizer.sanitize(html)
85 85
       end
86 86
 
87 87
       # Strips all link tags from +text+ leaving just the link text.
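Review bot: dropping `.try(:html_safe)` means the result is escaped by ERB on output, which is what closes the hole: the sanitizer still passes malformed fragments such as `<img onerror=...` through as text, as the new assertion in sanitize_helper_test.rb shows. Update the doc comment above accordingly, since callers who wrap `strip_tags` in `raw` or `html_safe` reintroduce the problem and should be told not to.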
4  actionpack/test/controller/render_test.rb
@@ -149,7 +149,7 @@ def render_text_hello_world
149 149
 
150 150
   # :ported:
151 151
   def render_text_hello_world_with_layout
152  
-    @variable_for_layout = ", I'm here!"
  152
+    @variable_for_layout = ", I am here!"
153 153
     render :text => "hello world", :layout => true
154 154
   end
155 155
 
@@ -776,7 +776,7 @@ def test_render_text
776 776
   # :ported:
777 777
   def test_do_with_render_text_and_layout
778 778
     get :render_text_hello_world_with_layout
779  
-    assert_equal "<html>hello world, I'm here!</html>", @response.body
  779
+    assert_equal "<html>hello world, I am here!</html>", @response.body
780 780
   end
781 781
 
782 782
   # :ported:
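Review bot: rewriting the fixture from "I'm here!" to "I am here!" removes the only apostrophe from this test instead of asserting on the new behaviour. Keep the original string and set the expected output to whatever the layout path now produces (`&#x27;` if the variable is escaped by `<%= %>`, a raw `'` if it is not), so the test documents how quotes in `render :text` with a layout are handled.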
23  actionpack/test/template/asset_tag_helper_test.rb
@@ -159,8 +159,9 @@ def url_for(*args)
159 159
     %(image_tag("slash..png")) => %(<img alt="Slash." src="/images/slash..png" />),
160 160
     %(image_tag(".pdf.png")) => %(<img alt=".pdf" src="/images/.pdf.png" />),
161 161
     %(image_tag("http://www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="http://www.rubyonrails.com/images/rails.png" />),
162  
-    %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
163  
-    %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
  162
+    %(image_tag("//www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="//www.rubyonrails.com/images/rails.png" />),
  163
+    %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
  164
+    %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
164 165
     %(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />)
165 166
   }
166 167
 
@@ -1007,8 +1008,8 @@ def test_should_compute_proper_path
1007 1008
     assert_dom_equal(%(/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
1008 1009
     assert_dom_equal(%(/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
1009 1010
     assert_dom_equal(%(/collaboration/hieraki/images/xml.png), image_path("xml.png"))
1010  
-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse.png'" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
1011  
-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse2.png'" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
  1011
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse.png&#x27;" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
  1012
+    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse2.png&#x27;" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
1012 1013
   end
1013 1014
 
1014 1015
   def test_should_ignore_relative_root_path_on_complete_url
@@ -1021,8 +1022,18 @@ def test_should_compute_proper_path_with_asset_host
1021 1022
     assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
1022 1023
     assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
1023 1024
     assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
1024  
-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
1025  
-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse2.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
  1025
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
  1026
+    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
  1027
+  end
  1028
+
  1029
+  def test_should_compute_proper_path_with_asset_host_and_default_protocol
  1030
+    @controller.config.asset_host = "assets.example.com"
  1031
+    @controller.config.default_asset_host_protocol = :request
  1032
+    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
  1033
+    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
  1034
+    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
  1035
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
  1036
+    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
1026 1037
   end
1027 1038
 
1028 1039
   def test_should_ignore_asset_host_on_complete_url
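Review bot: `test_should_compute_proper_path_with_asset_host_and_default_protocol` (the `gopher://` cases) and the protocol-relative `//www.rubyonrails.com` case are unrelated to single-quote escaping and appear to have come in with the conflict resolution noted in the commit message (asset_tag_helper_test.rb is listed under Conflicts). They depend on `config.default_asset_host_protocol`, which must exist on this branch for the test to pass; if it does not, drop them from the backport rather than carrying later-branch behaviour into a 3.0 security release.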
10  actionpack/test/template/erb_util_test.rb
@@ -7,11 +7,11 @@ class ErbUtilTest < Test::Unit::TestCase
7 7
     define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
8 8
       assert_equal expected, html_escape(given)
9 9
     end
  10
+  end
10 11
 
11  
-    unless given == '"'
12  
-      define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
13  
-        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
14  
-      end
  12
+  ERB::Util::JSON_ESCAPE.each do |given, expected|
  13
+    define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
  14
+      assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
15 15
     end
16 16
   end
17 17
 
@@ -39,7 +39,7 @@ def test_html_escape_passes_html_escpe_unmodified
39 39
 
40 40
   def test_rest_in_ascii
41 41
     (0..127).to_a.map {|int| int.chr }.each do |chr|
42  
-      next if %w(& " < >).include?(chr)
  42
+      next if %w(& " < > ').include?(chr)
43 43
       assert_equal chr, html_escape(chr)
44 44
     end
45 45
   end
6  actionpack/test/template/form_options_helper_test.rb
@@ -887,7 +887,7 @@ def test_time_zone_select_with_default_time_zone_and_value
887 887
 
888 888
   def test_options_for_select_with_element_attributes
889 889
     assert_dom_equal(
890  
-      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
  890
+      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert(&#x27;Hello World&#x27;);\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
891 891
       options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
892 892
     )
893 893
   end
@@ -923,13 +923,13 @@ def test_option_html_attributes_with_single_element_hash
923 923
   def test_option_html_attributes_with_multiple_element_hash
924 924
     output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy', 'onclick' => "alert('Hello World');" } ])
925 925
     assert output.include?(" class=\"fancy\"")
926  
-    assert output.include?(" onclick=\"alert('Hello World');\"")
  926
+    assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
927 927
   end
928 928
 
929 929
   def test_option_html_attributes_with_multiple_hashes
930 930
     output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy' }, { 'onclick' => "alert('Hello World');" } ])
931 931
     assert output.include?(" class=\"fancy\"")
932  
-    assert output.include?(" onclick=\"alert('Hello World');\"")
  932
+    assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
933 933
   end
934 934
 
935 935
   def test_option_html_attributes_with_special_characters
8  actionpack/test/template/form_tag_helper_test.rb
@@ -195,6 +195,12 @@ def test_select_tag_with_include_blank
195 195
     assert_dom_equal expected, actual
196 196
   end
197 197
 
  198
+  def test_select_tag_escapes_prompt
  199
+    actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
  200
+    expected = %(<select id="places" name="places"><option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option><option>Home</option><option>Work</option><option>Pub</option></select>)
  201
+    assert_dom_equal expected, actual
  202
+  end
  203
+
198 204
   def test_select_tag_with_include_blank_with_string
199 205
     actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :include_blank => "string"
200 206
     expected = %(<select id="places" name="places"><option value="">string</option><option>Home</option><option>Work</option><option>Pub</option></select>)
@@ -361,7 +367,7 @@ def test_stringify_symbol_keys
361 367
 
362 368
   def test_submit_tag
363 369
     assert_dom_equal(
364  
-      %(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
  370
+      %(<input name='commit' data-disable-with="Saving..." onclick="alert(&#x27;hello!&#x27;)" type="submit" value="Save" />),
365 371
       submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
366 372
     )
367 373
   end
10  actionpack/test/template/javascript_helper_test.rb
@@ -41,7 +41,7 @@ def test_escape_javascript_with_safebuffer
41 41
   end
42 42
 
43 43
   def test_button_to_function
44  
-    assert_dom_equal %(<input type="button" onclick="alert('Hello world!');" value="Greeting" />),
  44
+    assert_dom_equal %(<input type="button" onclick="alert(&#x27;Hello world!&#x27;);" value="Greeting" />),
45 45
       button_to_function("Greeting", "alert('Hello world!')")
46 46
   end
47 47
 
@@ -60,7 +60,7 @@ def test_button_to_function_with_rjs_block_and_options
60 60
   end
61 61
 
62 62
   def test_button_to_function_with_onclick
63  
-    assert_dom_equal "<input onclick=\"alert('Goodbye World :('); alert('Hello world!');\" type=\"button\" value=\"Greeting\" />",
  63
+    assert_dom_equal "<input onclick=\"alert(&#x27;Goodbye World :(&#x27;); alert(&#x27;Hello world!&#x27;);\" type=\"button\" value=\"Greeting\" />",
64 64
       button_to_function("Greeting", "alert('Hello world!')", :onclick => "alert('Goodbye World :(')")
65 65
   end
66 66
 
@@ -70,12 +70,12 @@ def test_button_to_function_without_function
70 70
   end
71 71
 
72 72
   def test_link_to_function
73  
-    assert_dom_equal %(<a href="#" onclick="alert('Hello world!'); return false;">Greeting</a>),
  73
+    assert_dom_equal %(<a href="#" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
74 74
       link_to_function("Greeting", "alert('Hello world!')")
75 75
   end
76 76
 
77 77
   def test_link_to_function_with_existing_onclick
78  
-    assert_dom_equal %(<a href="#" onclick="confirm('Sanity!'); alert('Hello world!'); return false;">Greeting</a>),
  78
+    assert_dom_equal %(<a href="#" onclick="confirm(&#x27;Sanity!&#x27;); alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
79 79
       link_to_function("Greeting", "alert('Hello world!')", :onclick => "confirm('Sanity!')")
80 80
   end
81 81
 
@@ -94,7 +94,7 @@ def test_link_to_function_with_rjs_block_and_options
94 94
   end
95 95
 
96 96
   def test_link_to_function_with_href
97  
-    assert_dom_equal %(<a href="http://example.com/" onclick="alert('Hello world!'); return false;">Greeting</a>),
  97
+    assert_dom_equal %(<a href="http://example.com/" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
98 98
       link_to_function("Greeting", "alert('Hello world!')", :href => 'http://example.com/')
99 99
   end
100 100
 
4  actionpack/test/template/sanitize_helper_test.rb
@@ -42,9 +42,9 @@ def test_strip_tags
42 42
     [nil, '', '   '].each do |blank|
43 43
       stripped = strip_tags(blank)
44 44
       assert_equal blank, stripped
45  
-      assert stripped.html_safe? unless blank.nil?
46 45
     end
47  
-    assert strip_tags("<script>").html_safe?
  46
+    assert_equal "", strip_tags("<script>")
  47
+    assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
48 48
   end
49 49
 
50 50
   def test_sanitize_is_marked_safe
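Review bot: the removed `assert stripped.html_safe?` is not replaced by a negative assertion, so the regression being fixed is only checked indirectly through `ERB::Util.html_escape`. Add `assert !strip_tags("<script>").html_safe?` (and the same for the malformed `<img` input) so a future change that re-marks the result as safe fails this test directly.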
2  actionpack/test/template/template_test.rb
@@ -50,7 +50,7 @@ def test_basic_template
50 50
 
51 51
   def test_locals
52 52
     @template = new_template("<%= my_local %>")
53  
-    assert_equal "I'm a local", render(:my_local => "I'm a local")
  53
+    assert_equal "I am a local", render(:my_local => "I am a local")
54 54
   end
55 55
 
56 56
   def test_restores_buffer
2  actionpack/test/template/text_helper_test.rb
@@ -305,7 +305,7 @@ def test_auto_link_parsing
305 305
       http://en.wikipedia.org/wiki/Wikipedia:Today%27s_featured_picture_%28animation%29/January_20%2C_2007
306 306
       http://www.mail-archive.com/rails@lists.rubyonrails.org/
307 307
       http://www.amazon.com/Testing-Equal-Sign-In-Path/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1198861734&sr=8-1
308  
-      http://en.wikipedia.org/wiki/Texas_hold'em
  308
+      http://en.wikipedia.org/wiki/Texas_hold
309 309
       https://www.google.com/doku.php?id=gps:resource:scs:start
310 310
       http://connect.oraclecorp.com/search?search[q]=green+france&search[type]=Group
311 311
       http://of.openfoundry.org/projects/492/download#4th.Release.3
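Review bot: removing the `'em` suffix from the Texas_hold'em URL drops the only auto_link case with an apostrophe in a URL. Since html_escape now emits `&#x27;` for it, keep the URL and update the expected `href` and link text to the escaped form so auto_link's handling of quotes in URLs stays covered.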
10  actionpack/test/template/url_helper_test.rb
@@ -188,7 +188,7 @@ def test_link_with_nil_html_options
188 188
 
189 189
   def test_link_tag_with_custom_onclick
190 190
     link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
191  
-    expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
  191
+    expected = %{<a href="http://www.example.com" onclick="alert(&#x27;yay!&#x27;)">Hello</a>}
192 192
     assert_dom_equal expected, link
193 193
   end
194 194
 
@@ -198,12 +198,12 @@ def test_link_tag_with_javascript_confirm
198 198
       link_to("Hello", "http://www.example.com", :confirm => "Are you sure?")
199 199
     )
200 200
     assert_dom_equal(
201  
-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
202  
-      link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
  201
+      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
  202
+      link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
203 203
     )
204 204
     assert_dom_equal(
205  
-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
206  
-      link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
  205
+      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
  206
+      link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
207 207
     )
208 208
   end
209 209
 
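Review bot: changing the fixture from "can't" to "cant" sidesteps the new escaping rather than testing it; the `data-confirm` attribute is exactly where an unescaped quote matters. Keep the apostrophe and expect `You can&#x27;t possibly be sure, can you?` in the attribute, as the onclick test in the preceding hunk does.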
4  activemodel/CHANGELOG
@@ -1,3 +1,7 @@
  1
+## Rails 3.0.17 (Aug 9, 2012)
  2
+
  3
+* No changes.
  4
+
1 5
 ## Rails 3.0.16 (Jul 26, 2012)
2 6
 
3 7
 *   No changes.
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4  activerecord/CHANGELOG
@@ -1,3 +1,7 @@
  1
+## Rails 3.0.17 (Aug 9, 2012)
  2
+
  3
+* Fix type_to_sql with text and limit on mysql/mysql2 (GH #7252)
  4
+
1 5
 ## Rails 3.0.16 (Jul 26, 2012)
2 6
 
3 7
 *   No changes.
29  activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -522,15 +522,26 @@ def rename_column(table_name, column_name, new_column_name) #:nodoc:
522 522
 
523 523
       # Maps logical Rails types to MySQL-specific data types.
524 524
       def type_to_sql(type, limit = nil, precision = nil, scale = nil)
525  
-        return super unless type.to_s == 'integer'
526  
-
527  
-        case limit
528  
-        when 1; 'tinyint'
529  
-        when 2; 'smallint'
530  
-        when 3; 'mediumint'
531  
-        when nil, 4, 11; 'int(11)'  # compatibility with MySQL default
532  
-        when 5..8; 'bigint'
533  
-        else raise(ActiveRecordError, "No integer type has byte size #{limit}")
  525
+        case type.to_s
  526
+        when 'integer'
  527
+          case limit
  528
+          when 1; 'tinyint'
  529
+          when 2; 'smallint'
  530
+          when 3; 'mediumint'
  531
+          when nil, 4, 11; 'int(11)'  # compatibility with MySQL default
  532
+          when 5..8; 'bigint'
  533
+          else raise(ActiveRecordError, "No integer type has byte size #{limit}")
  534
+          end
  535
+        when 'text'
  536
+          case limit
  537
+          when 0..0xff;               'tinytext'
  538
+          when nil, 0x100..0xffff;    'text'
  539
+          when 0x10000..0xffffff;     'mediumtext'
  540
+          when 0x1000000..0xffffffff; 'longtext'
  541
+          else raise(ActiveRecordError, "No text type has character length #{limit}")
  542
+          end
  543
+        else
  544
+          super
534 545
         end
535 546
       end
536 547
 
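Review bot: the text ranges are MySQL's byte capacities (TINYTEXT 255, TEXT 65535, MEDIUMTEXT 16777215, LONGTEXT 4294967295) but the error message says "character length", and the previous TEXT(n) form let MySQL choose the smallest type that holds n characters in the column's encoding. With utf8 a TEXT column holds only 21845 three-byte characters, so a migration with `:limit => 65535` now gets a smaller column than it did before this change. Either document that `limit` is a byte count for text columns, or preserve the character semantics by scaling by the encoding's maximum bytes per character. Also, `when 0..0xff` accepts a limit of 0, which should probably fall through to the error like any other unusable limit.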
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  activerecord/test/schema/mysql2_specific_schema.rb
@@ -1,5 +1,5 @@
1 1
 ActiveRecord::Schema.define do
2  
-  create_table :binary_fields, :force => true, :options => 'CHARACTER SET latin1' do |t|
  2
+  create_table :binary_fields, :force => true do |t|
3 3
     t.binary :tiny_blob,   :limit => 255
4 4
     t.binary :normal_blob, :limit => 65535
5 5
     t.binary :medium_blob, :limit => 16777215
2  activerecord/test/schema/mysql_specific_schema.rb
@@ -1,5 +1,5 @@
1 1
 ActiveRecord::Schema.define do
2  
-  create_table :binary_fields, :force => true, :options => 'CHARACTER SET latin1' do |t|
  2
+  create_table :binary_fields, :force => true do |t|
3 3
     t.binary :tiny_blob,   :limit => 255
4 4
     t.binary :normal_blob, :limit => 65535
5 5
     t.binary :medium_blob, :limit => 16777215
4  activeresource/CHANGELOG
@@ -1,3 +1,7 @@
  1
+## Rails 3.0.17 (Aug 9, 2012)
  2
+
  3
+* No changes.
  4
+
1 5
 ## Rails 3.0.16 (Jul 26, 2012)
2 6
 
3 7
 *   No changes.
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4  activesupport/CHANGELOG
@@ -1,3 +1,7 @@
  1
+## Rails 3.0.17 (Aug 9, 2012)
  2
+
  3
+* No changes.
  4
+
1 5
 ## Rails 3.0.16 (Jul 26, 2012)
2 6
 
3 7
 *   No changes.
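Review bot: "No changes." is wrong for this release: activesupport/lib/active_support/core_ext/string/output_safety.rb changes `ERB::Util.html_escape` to also escape `'` as `&#x27;`. Every template and helper in an application sees that, and it breaks tests that assert on raw apostrophes (several in this same comparison had to be adjusted), so it needs an entry here.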
6  activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,13 +3,13 @@
3 3
 
4 4
 class ERB
5 5
   module Util
6  
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
  6
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
7 7
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
8 8
 
9 9
     # A utility method for escaping HTML tag characters.
10 10
     # This method is also aliased as <tt>h</tt>.
11 11
     #
12  
-    # In your ERb templates, use this method to escape any unsafe content. For example:
  12
+    # In your ERB templates, use this method to escape any unsafe content. For example:
13 13
     #   <%=h @person.name %>
14 14
     #
15 15
     # ==== Example:
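Review bot: the single quote is escaped as `&#x27;` rather than `&apos;` because `&apos;` is not defined in HTML 4 and older browsers do not decode it; add a comment beside the table saying so, since the choice is easy to "correct" back to `&apos;` later. JSON_ESCAPE is deliberately left without `'` (the erb_util_test.rb change splits the two loops for exactly that reason), which also deserves a comment.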
@@ -20,7 +20,7 @@ def html_escape(s)
20 20
       if s.html_safe?
21 21
         s
22 22
       else
23  
-        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
  23
+        s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
24 24
       end
25 25
     end
26 26
 
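Review bot: the `.to_s` on `s` is dropped here; unless an `s = s.to_s` precedes this hunk (not visible in the context shown), `html_escape(nil)` and `html_escape(42)` will now raise NoMethodError on `gsub` where they previously returned `""` and `"42"`. The single pass over the character class with the `/n` flag is otherwise the right replacement for the chained gsubs: it removes the ordering dependency (where `&` had to be escaped first) and keeps invalid byte sequences intact, which the new `[192, 60].pack('CC')` case in string_ext_test.rb checks.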
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
17  activesupport/test/core_ext/string_ext_test.rb
@@ -527,6 +527,23 @@ def to_s
527 527
     assert string.html_safe?
528 528
     assert !string.to_param.html_safe?
529 529
   end
  530
+
  531
+  test "ERB::Util.html_escape should escape unsafe characters" do
  532
+    string = '<>&"\''
  533
+    expected = '&lt;&gt;&amp;&quot;&#x27;'
  534
+    assert_equal expected, ERB::Util.html_escape(string)
  535
+  end
  536
+
  537
+  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
  538
+    string = [192, 60].pack('CC')
  539
+    expected = 192.chr + "&lt;"
  540
+    assert_equal expected, ERB::Util.html_escape(string)
  541
+  end
  542
+
  543
+  test "ERB::Util.html_escape should not escape safe strings" do
  544
+    string = "<b>hello</b>".html_safe
  545
+    assert_equal string, ERB::Util.html_escape(string)
  546
+  end
530 547
 end
531 548
 
532 549
 class StringExcludeTest < ActiveSupport::TestCase
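Review bot: add a case for non-String input (`ERB::Util.html_escape(nil)` and an Integer) alongside these three, since the output_safety.rb hunk changed `s.to_s.gsub` to `s.gsub`; such a test would settle whether that path still returns a string on this branch.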
4  railties/CHANGELOG
@@ -1,3 +1,7 @@
  1
+## Rails 3.0.17 (Aug 9, 2012)
  2
+
  3
+* No changes.
  4
+
1 5
 ## Rails 3.0.16 (Jul 26, 2012)
2 6
 
3 7
 *   No changes.
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  version.rb
@@ -2,7 +2,7 @@ module Rails
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 0
5  
-    TINY  = 16
  5
+    TINY  = 17
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

Showing you all comments on commits in this comparison.

Joseph Shraibman

Was this necessary to fix CVE-2013-0333? All of a sudden strings with single quotes stuck into input boxes are being doubly escaped, like so:

<input id="regime_name" name="regime[name]" size="30" type="text" value="with an &amp;mpersand and a &amp;#x27;quote&amp;#x27;" />
Joseph Shraibman

Existing unit tests fail. When I run rails/actionpack/test/template/form_helper_test.rb I get:


  1) Failure:
test_default_form_builder_no_instance_variable(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

  2) Failure:
test_default_form_builder_with_active_record_helpers(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

  3) Failure:
test_default_form_builder_without_object(FormHelperTest) [/Users/jshraibman/work/rails/actionpack/lib/action_controller/test_case.rb:119]:
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can't be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div></form>"> expected but was
<"<form action=\"http://www.example.com\" method=\"post\"><div class=\"formError\">can&#x27;t be empty</div><div class=\"errorExplanation\" id=\"errorExplanation\"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#x27;t be empty</li></ul></div></form>">.

96 tests, 134 assertions, 3 failures, 0 errors, 0 skips