Comparing changes
base fork: rails/rails
head fork: rails/rails
  • 14 commits
  • 26 files changed
  • 0 commit comments
  • 5 contributors
Commits on May 29, 2012
@floehopper floehopper Exceptions like Interrupt should not be rescued in tests.
This is a back-port of rails/rails#6525. See the commit notes there for
details.
4cd3285
@rafaelfranca rafaelfranca Merge pull request #6532 from freerange/3-1-stable-minitest-passthrough-exceptions

Exceptions like Interrupt should not be rescued in tests.
2f42815
Commits on May 31, 2012
@tenderlove tenderlove Merge branch '3-1-stable-sec' into 3-1-stable
* 3-1-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
aa6e56b
@tenderlove tenderlove Merge branch '3-1-rel' into 3-1-stable
* 3-1-rel:
  bumping to 3.1.5
  updating the CHANGELOG
  bumping to 3.1.5.rc1
a1a71ab
Commits on Jun 08, 2012
@ernie ernie Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.1.5 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
8355abf
Commits on Jun 11, 2012
@tenderlove tenderlove Array parameters should not contain nil values. f4174ad
@kennyj kennyj Fix GH #3163. Should quote database on mysql/mysql2.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
023eaf8
@kennyj kennyj Change the string to use in test case.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
	activerecord/test/cases/adapters/mysql2/schema_test.rb
8e6ed58
@rafaelfranca rafaelfranca Mysql and Mysql2 adapters accept only two arguments in the tables 3e2c00a
@tenderlove tenderlove Merge branch '3-1-stable-sec' into 3-1-stable-rel
* 3-1-stable-sec:
  Array parameters should not contain nil values.
  Additional fix for CVE-2012-2661
64e30e8
@tenderlove tenderlove adding version number to changelogs 75d039f
@tenderlove tenderlove updating changelogs with security fixes bee42f3
@tenderlove tenderlove bumping version numbers 4e7d571
Commits on Jun 12, 2012
@tenderlove tenderlove updating changelogs 63dce16
Showing with 135 additions and 18 deletions.
  1. +1 −1  RAILS_VERSION
  2. +4 −0 actionmailer/CHANGELOG.md
  3. +1 −1  actionmailer/lib/action_mailer/version.rb
  4. +6 −0 actionpack/CHANGELOG.md
  5. +4 −2 actionpack/lib/action_dispatch/http/request.rb
  6. +1 −1  actionpack/lib/action_pack/version.rb
  7. +4 −0 actionpack/test/dispatch/request/query_string_parsing_test.rb
  8. +4 −0 activemodel/CHANGELOG.md
  9. +1 −1  activemodel/lib/active_model/version.rb
  10. +8 −0 activerecord/CHANGELOG.md
  11. +3 −1 activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
  12. +4 −1 activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
  13. +3 −3 activerecord/lib/active_record/relation/predicate_builder.rb
  14. +1 −1  activerecord/lib/active_record/version.rb
  15. +10 −0 activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
  16. +11 −0 activerecord/test/cases/adapters/mysql2/schema_test.rb
  17. +6 −0 activerecord/test/cases/relation/where_test.rb
  18. +4 −0 activeresource/CHANGELOG.md
  19. +1 −1  activeresource/lib/active_resource/version.rb
  20. +4 −0 activesupport/CHANGELOG.md
  21. +5 −0 activesupport/lib/active_support/testing/setup_and_teardown.rb
  22. +1 −1  activesupport/lib/active_support/version.rb
  23. +42 −2 activesupport/test/test_case_test.rb
  24. +4 −0 railties/CHANGELOG.md
  25. +1 −1  railties/lib/rails/version.rb
  26. +1 −1  version.rb
2  RAILS_VERSION
@@ -1 +1 @@
-3.1.5
+3.1.6
4 actionmailer/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.6 (Jun 12, 2012)
+
+* No changes.
+
## Rails 3.1.5 (May 31, 2012) ##
* Increase minimum version of mail.
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
6 actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
+## Rails 3.1.6 (Jun 12, 2012)
+
+* nil is removed from array parameter values
+
+ CVE-2012-2694
+
## Rails 3.1.5 (May 31, 2012) ##
* Detect optional glob params when adding non-greedy regexp - closes #4817.
6 actionpack/lib/action_dispatch/http/request.rb
@@ -271,17 +271,19 @@ def local?
# Remove nils from the params hash
def deep_munge(hash)
+ keys = hash.keys.find_all { |k| hash[k] == [nil] }
+ keys.each { |k| hash[k] = nil }
+
hash.each_value do |v|
case v
when Array
v.grep(Hash) { |x| deep_munge(x) }
+ v.compact!
when Hash
deep_munge(v)
end
end
- keys = hash.keys.find_all { |k| hash[k] == [nil] }
- keys.each { |k| hash[k] = nil }
hash
end
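Review bot: `[nil]` and `[nil, nil]` now end up different: the `keys.find_all { |k| hash[k] == [nil] }` check only matches a single-element array, so `a[]` becomes `nil` while `a[]&a[]` falls through to `v.compact!` and becomes `[]`. If the intent is that an array holding only nils collapses to nil, the test should be `hash[k].is_a?(Array) && !hash[k].empty? && hash[k].all? { |x| x.nil? }`; if `[]` is the intended result, the single-element special case is now redundant and could go. Moving that check ahead of the `each_value` loop is correct either way, since `compact!` would otherwise have turned `[nil]` into `[]` before the comparison ran. One more observation: `v.compact!` only strips nils at the top level of the array and `v.grep(Hash)` only recurses into Hash elements, so a directly nested array (`[[nil]]`) would keep its inner nil. Rack's nested query syntax does not produce arrays of arrays, so this is not reachable from a query string, but a comment stating that assumption is worth adding.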
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -89,6 +89,10 @@ def teardown
assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
end
+ def test_array_parses_without_nil
+ assert_parses({"action" => ['1']}, "action[]=1&action[]")
+ end
+
test "query string with empty key" do
assert_parses(
{ "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },
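Review bot: Only the trailing-nil case is covered by `test_array_parses_without_nil`. Add a case with the nil in the middle (`action[]=1&action[]&action[]=2` should parse to `["1", "2"]`) and one for a nil-only array (`action[]&action[]`), so that the pre-existing `[nil]` special case and the new `compact!` path are each pinned down by their own assertion instead of one input that both would pass.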
4 activemodel/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.6 (Jun 12, 2012)
+
+* No changes.
+
## Rails 3.1.5 (May 31, 2012) ##
* No changes.
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
8 activerecord/CHANGELOG.md
@@ -1,3 +1,11 @@
+## Rails 3.1.6 (Jun 12, 2012)
+
+* protect against the nesting of hashes changing the
+ table context in the next call to build_from_hash. This fix
+ covers this case as well.
+
+ CVE-2012-2695
+
## Rails 3.1.5 (May 31, 2012) ##
* Fix type_to_sql with text and limit on mysql/mysql2. Fix GH #3931.
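Review bot: The entry's closing sentence, "This fix covers this case as well", is lifted from the commit message and has nothing to refer to in the changelog; the 3.1.5 PredicateBuilder change for CVE-2012-2661 that this builds on is never mentioned. Either name that earlier fix in the entry or drop the sentence. Separately, the `tables(name, database)` quoting change in the mysql and mysql2 adapters (GH #3163, part of this same range) has no entry here at all.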
4 activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
@@ -423,7 +423,9 @@ def collation
end
def tables(name = nil, database = nil) #:nodoc:
- sql = ["SHOW TABLES", database].compact.join(' IN ')
+ sql = "SHOW TABLES "
+ sql << "IN #{quote_table_name(database)} " if database
+
execute(sql, 'SCHEMA').collect do |field|
field.first
end
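Review bot: The same two-line SQL assembly is added here and again in mysql_adapter.rb. Both adapters already share abstract_mysql_adapter.rb (it appears in the conflict list for this commit), so the `SHOW TABLES IN #{quote_table_name(database)}` construction belongs there once rather than in two copies that can drift apart. Also, `quote_table_name` is being applied to a schema name; that is fine because MySQL backtick-quotes every identifier the same way, but a short comment saying so will stop a later reader from "fixing" it.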
5 activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -630,7 +630,10 @@ def collation
end
def tables(name = nil, database = nil) #:nodoc:
- result = execute(["SHOW TABLES", database].compact.join(' IN '), 'SCHEMA')
+ sql = "SHOW TABLES "
+ sql << "IN #{quote_table_name(database)} " if database
+
+ result = execute(sql, 'SCHEMA')
tables = result.collect { |field| field[0] }
result.free
tables
6 activerecord/lib/active_record/relation/predicate_builder.rb
@@ -1,16 +1,16 @@
module ActiveRecord
class PredicateBuilder # :nodoc:
- def self.build_from_hash(engine, attributes, default_table, check_column = true)
+ def self.build_from_hash(engine, attributes, default_table, allow_table_name = true)
predicates = attributes.map do |column, value|
table = default_table
- if value.is_a?(Hash)
+ if allow_table_name && value.is_a?(Hash)
table = Arel::Table.new(column, engine)
build_from_hash(engine, value, table, false)
else
column = column.to_s
- if check_column && column.include?('.')
+ if allow_table_name && column.include?('.')
table_name, column = column.split('.', 2)
table = Arel::Table.new(table_name, engine)
end
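Review bot: When `allow_table_name` is false and `value` is still a Hash, the `if allow_table_name && value.is_a?(Hash)` test no longer matches and control falls into the `else` branch, where the Hash is handed on as an ordinary comparison value; the patch then relies on the database rejecting whatever SQL that produces (the new `where_test` expects `ActiveRecord::StatementInvalid`). Failing closed in Ruby is safer and adapter-independent: raise `ArgumentError` when `!allow_table_name && value.is_a?(Hash)` before reaching `else`, so a nested table-name hash never gets as far as query generation. The `check_column` to `allow_table_name` rename is welcome; the recursive call already passes `false`, and the new name finally describes what the flag controls.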
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
10 activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
@@ -52,6 +52,16 @@ def test_exec_insert_string
assert_equal str, value
end
+ def test_tables_quoting
+ begin
+ @conn.tables(nil, "foo-bar")
+ flunk
+ rescue => e
+ # assertion for *quoted* database properly
+ assert_match(/database 'foo-bar'/, e.inspect)
+ end
+ end
+
private
def insert(ctx, data)
binds = data.map { |name, value|
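Review bot: `flunk` with no message inside a bare `rescue => e` makes failures hard to read. If `tables` returns normally the report only says the test flunked, and under Test::Unit on 1.8 the `flunk` itself (an `AssertionFailedError`, which is a `StandardError`) is caught by that same `rescue`, so the test then fails on `assert_match` with an unrelated message. Prefer wrapping the call in `assert_raises` with the expected exception class and matching on the returned exception's message. Matching the server's literal `database 'foo-bar'` text is also brittle across MySQL versions and locales, though it does make the point: unquoted, `foo-bar` would produce a syntax error rather than an unknown-database error.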
11 activerecord/test/cases/adapters/mysql2/schema_test.rb
@@ -35,6 +35,17 @@ def test_table_exists?
def test_table_exists_wrong_schema
assert(!@connection.table_exists?("#{@db_name}.zomg"), "table should not exist")
end
+
+ def test_tables_quoting
+ begin
+ @connection.tables(nil, "foo-bar")
+ flunk
+ rescue => e
+ # assertion for *quoted* database properly
+ assert_match(/database 'foo-bar'/, e.inspect)
+ end
+ end
+
end
end
end
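Review bot: This `test_tables_quoting` is a verbatim copy of the one added to mysql_adapter_test.rb, including the unmessaged `flunk` and the match on the server's error text. Prefer `assert_raises` with the expected exception class and `assert_match` on that exception's message over `flunk` inside a bare `rescue`, and consider a shared test module for the two MySQL adapters so their coverage cannot diverge.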
6 activerecord/test/cases/relation/where_test.rb
@@ -11,6 +11,12 @@ def test_where_error
end
end
+ def test_where_error_with_hash
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.where(:id => { :posts => {:author_id => 10} }).first
+ end
+ end
+
def test_where_with_table_name
post = Post.first
assert_equal post, Post.where(:posts => { 'id' => post.id }).first
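Review bot: Asserting only that the database raises `ActiveRecord::StatementInvalid` leaves the actual security property untested, namely that `:posts => {:author_id => 10}` nested under `:id` does not switch the table context. An adapter-independent check is to call `.to_sql` on the same relation and assert that `author_id` does not appear as a column reference in the generated SQL, in addition to (or instead of) depending on the server to reject the statement.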
4 activeresource/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.6 (Jun 12, 2012)
+
+* No changes.
+
## Rails 3.1.5 (May 31, 2012) ##
* No changes
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4 activesupport/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.6 (Jun 12, 2012)
+
+* No changes.
+
## Rails 3.1.5 (May 31, 2012) ##
* call binmode on the tempfile for Ruby 1.8 compatibility
5 activesupport/lib/active_support/testing/setup_and_teardown.rb
@@ -28,17 +28,22 @@ def teardown(*args, &block)
end
module ForMiniTest
+ PASSTHROUGH_EXCEPTIONS = MiniTest::Unit::TestCase::PASSTHROUGH_EXCEPTIONS rescue [NoMemoryError, SignalException, Interrupt, SystemExit]
def run(runner)
result = '.'
begin
run_callbacks :setup do
result = super
end
+ rescue *PASSTHROUGH_EXCEPTIONS => e
+ raise e
rescue Exception => e
result = runner.puke(self.class, method_name, e)
ensure
begin
run_callbacks :teardown
+ rescue *PASSTHROUGH_EXCEPTIONS => e
+ raise e
rescue Exception => e
result = runner.puke(self.class, method_name, e)
end
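Review bot: The modifier `rescue` on the `PASSTHROUGH_EXCEPTIONS` line catches any `StandardError`, not just the `NameError` raised when an older MiniTest lacks that constant, so an unrelated failure while loading would be silently replaced by the fallback list. `defined?(MiniTest::Unit::TestCase::PASSTHROUGH_EXCEPTIONS) ? MiniTest::Unit::TestCase::PASSTHROUGH_EXCEPTIONS : [NoMemoryError, SignalException, Interrupt, SystemExit]` states the intent and cannot mask anything; the hard-coded fallback also needs a comment that it must be kept in step with MiniTest's own list. In the two new `rescue *PASSTHROUGH_EXCEPTIONS => e` clauses a bare `raise` re-raises the current exception without the `=> e` binding. The ordering is right: both passthrough clauses sit before `rescue Exception`, which is what makes them take effect.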
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
44 activesupport/test/test_case_test.rb
@@ -19,7 +19,7 @@ def options
end
if defined?(MiniTest::Assertions) && TestCase < MiniTest::Assertions
- def test_callback_with_exception
+ def test_standard_error_raised_within_setup_callback_is_puked
tc = Class.new(TestCase) do
setup :bad_callback
def bad_callback; raise 'oh noes' end
@@ -38,7 +38,7 @@ def test_true; assert true end
assert_equal 'oh noes', exception.message
end
- def test_teardown_callback_with_exception
+ def test_standard_error_raised_within_teardown_callback_is_puked
tc = Class.new(TestCase) do
teardown :bad_callback
def bad_callback; raise 'oh noes' end
@@ -56,6 +56,46 @@ def test_true; assert true end
assert_equal test_name, name
assert_equal 'oh noes', exception.message
end
+
+ def test_passthrough_exception_raised_within_test_method_is_not_rescued
+ tc = Class.new(TestCase) do
+ def test_which_raises_interrupt; raise Interrupt; end
+ end
+
+ test_name = 'test_which_raises_interrupt'
+ fr = FakeRunner.new
+
+ test = tc.new test_name
+ assert_raises(Interrupt) { test.run fr }
+ end
+
+ def test_passthrough_exception_raised_within_setup_callback_is_not_rescued
+ tc = Class.new(TestCase) do
+ setup :callback_which_raises_interrupt
+ def callback_which_raises_interrupt; raise Interrupt; end
+ def test_true; assert true end
+ end
+
+ test_name = 'test_true'
+ fr = FakeRunner.new
+
+ test = tc.new test_name
+ assert_raises(Interrupt) { test.run fr }
+ end
+
+ def test_passthrough_exception_raised_within_teardown_callback_is_not_rescued
+ tc = Class.new(TestCase) do
+ teardown :callback_which_raises_interrupt
+ def callback_which_raises_interrupt; raise Interrupt; end
+ def test_true; assert true end
+ end
+
+ test_name = 'test_true'
+ fr = FakeRunner.new
+
+ test = tc.new test_name
+ assert_raises(Interrupt) { test.run fr }
+ end
end
end
end
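Review bot: All three new tests raise only `Interrupt`, so `SystemExit` and `NoMemoryError` in the fallback list are never exercised; `SystemExit` is the one most likely to occur in practice (a stray `exit` in a test or callback), so add at least that case. The three bodies differ only in where `raise Interrupt` happens (test method, setup callback, teardown callback); a small helper that takes the hook name and the expected exception class would remove the repetition and make adding the `SystemExit` variants a one-liner each.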
4 railties/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.6 (Jun 12, 2012)
+
+* No changes.
+
## Rails 3.1.5 (May 31, 2012) ##
* No changes.
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

No commit comments for this range