  • 14 commits
  • 26 files changed
  • 0 comments
  • 5 contributors
May 29, 2012
James Mead Exceptions like Interrupt should not be rescued in tests.
This is a back-port of rails/rails#6525. See the commit notes there for
details.
4cd3285
Rafael Mendonça França Merge pull request #6532 from freerange/3-1-stable-minitest-passthrough-exceptions

Exceptions like Interrupt should not be rescued in tests.
2f42815
May 31, 2012
Aaron Patterson Merge branch '3-1-stable-sec' into 3-1-stable
* 3-1-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
aa6e56b
Aaron Patterson Merge branch '3-1-rel' into 3-1-stable
* 3-1-rel:
  bumping to 3.1.5
  updating the CHANGELOG
  bumping to 3.1.5.rc1
a1a71ab
Jun 08, 2012
Ernie Miller Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.1.5 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
8355abf
Jun 10, 2012
Aaron Patterson Array parameters should not contain nil values. f4174ad
Jun 11, 2012
Toshinori Kajihara Fix GH #3163. Should quote database on mysql/mysql2.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
023eaf8
Toshinori Kajihara Change the string to use in test case.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
	activerecord/test/cases/adapters/mysql2/schema_test.rb
8e6ed58
Rafael Mendonça França Mysql and Mysql2 adapters accepts only two arguments in the tables 3e2c00a
Aaron Patterson Merge branch '3-1-stable-sec' into 3-1-stable-rel
* 3-1-stable-sec:
  Array parameters should not contain nil values.
  Additional fix for CVE-2012-2661
64e30e8
Aaron Patterson adding version number to changelogs 75d039f
Aaron Patterson updating changelogs with security fixes bee42f3
Aaron Patterson bumping version numbers 4e7d571
Jun 12, 2012
Aaron Patterson updating changelogs 63dce16

Showing 26 changed files with 135 additions and 18 deletions.

  1. 2  RAILS_VERSION
  2. 4  actionmailer/CHANGELOG.md
  3. 2  actionmailer/lib/action_mailer/version.rb
  4. 6  actionpack/CHANGELOG.md
  5. 6  actionpack/lib/action_dispatch/http/request.rb
  6. 2  actionpack/lib/action_pack/version.rb
  7. 4  actionpack/test/dispatch/request/query_string_parsing_test.rb
  8. 4  activemodel/CHANGELOG.md
  9. 2  activemodel/lib/active_model/version.rb
  10. 8  activerecord/CHANGELOG.md
  11. 4  activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
  12. 5  activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
  13. 6  activerecord/lib/active_record/relation/predicate_builder.rb
  14. 2  activerecord/lib/active_record/version.rb
  15. 10  activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
  16. 11  activerecord/test/cases/adapters/mysql2/schema_test.rb
  17. 6  activerecord/test/cases/relation/where_test.rb
  18. 4  activeresource/CHANGELOG.md
  19. 2  activeresource/lib/active_resource/version.rb
  20. 4  activesupport/CHANGELOG.md
  21. 5  activesupport/lib/active_support/testing/setup_and_teardown.rb
  22. 2  activesupport/lib/active_support/version.rb
  23. 44  activesupport/test/test_case_test.rb
  24. 4  railties/CHANGELOG.md
  25. 2  railties/lib/rails/version.rb
  26. 2  version.rb
2  RAILS_VERSION
... ...
@@ -1 +1 @@
1  
-3.1.5
  1
+3.1.6
4  actionmailer/CHANGELOG.md
... ...
@@ -1,3 +1,7 @@
  1
+## Rails 3.1.6 (Jun 12, 2012)
  2
+
  3
+*   No changes.
  4
+
1 5
 ## Rails 3.1.5 (May 31, 2012) ##
2 6
 
3 7
 *   Increase minimum version of mail.
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
6  actionpack/CHANGELOG.md
... ...
@@ -1,3 +1,9 @@
  1
+## Rails 3.1.6 (Jun 12, 2012)
  2
+
  3
+*   nil is removed from array parameter values
  4
+
  5
+    CVE-2012-2694
  6
+
1 7
 ## Rails 3.1.5 (May 31, 2012) ##
2 8
 
3 9
 *   Detect optional glob params when adding non-greedy regexp - closes #4817.
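Review bot: The new heading at line 1 drops the trailing `##` that the existing `## Rails 3.1.5 (May 31, 2012) ##` heading uses, and the entry at line 3 does not say why nil is removed. Match the heading style and add a sentence on the effect for applications, namely that array parameter values reaching application code no longer contain nil, so the CVE-2012-2694 reference can be understood without opening the commit.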
6  actionpack/lib/action_dispatch/http/request.rb
@@ -271,17 +271,19 @@ def local?
271 271
 
272 272
     # Remove nils from the params hash
273 273
     def deep_munge(hash)
  274
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
  275
+      keys.each { |k| hash[k] = nil }
  276
+
274 277
       hash.each_value do |v|
275 278
         case v
276 279
         when Array
277 280
           v.grep(Hash) { |x| deep_munge(x) }
  281
+          v.compact!
278 282
         when Hash
279 283
           deep_munge(v)
280 284
         end
281 285
       end
282 286
 
283  
-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
284  
-      keys.each { |k| hash[k] = nil }
285 287
       hash
286 288
     end
287 289
 
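Review bot: An array made up of several nils is handled differently from `[nil]`: the `hash[k] == [nil]` check now at lines 274-275 matches only a single-element array, so `[nil, nil]` falls through to `v.compact!` at line 281 and becomes `[]` rather than `nil`. State in the comment above `deep_munge` which result is intended, and if an empty array is not wanted, set the value to nil when the compacted array is empty. The existing comment "Remove nils from the params hash" should also mention that arrays are now compacted in place.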
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4  actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -89,6 +89,10 @@ def teardown
89 89
     assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
90 90
   end
91 91
 
  92
+  def test_array_parses_without_nil
  93
+    assert_parses({"action" => ['1']}, "action[]=1&action[]")
  94
+  end
  95
+
92 96
   test "query string with empty key" do
93 97
     assert_parses(
94 98
       { "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },
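Review bot: The new test at lines 92-94 covers only a value followed by a bare `action[]`; it does not pin down what a query string made up only of bare keys, such as `action[]&action[]`, parses to. Add that case, and one with a nil inside a nested array, so the result of the `compact!` change is fixed by tests. The neighbouring test uses the `test "..." do` form, so the new one could follow it.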
4  activemodel/CHANGELOG.md
... ...
@@ -1,3 +1,7 @@
  1
+## Rails 3.1.6 (Jun 12, 2012)
  2
+
  3
+*   No changes.
  4
+
1 5
 ## Rails 3.1.5 (May 31, 2012) ##
2 6
 
3 7
 *   No changes.
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
8  activerecord/CHANGELOG.md
... ...
@@ -1,3 +1,11 @@
  1
+## Rails 3.1.6 (Jun 12, 2012)
  2
+
  3
+*   protect against the nesting of hashes changing the
  4
+    table context in the next call to build_from_hash. This fix
  5
+    covers this case as well.
  6
+
  7
+    CVE-2012-2695
  8
+
1 9
 ## Rails 3.1.5 (May 31, 2012) ##
2 10
 
3 11
 *   Fix type_to_sql with text and limit on mysql/mysql2. Fix GH #3931.
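Review bot: The entry at lines 3-5 is lifted from the middle of the commit message, so it starts in lower case and ends with "This fix covers this case as well" without saying which earlier fix or case is meant. Reword it to stand alone, for example by naming the CVE-2012-2661 fix in 3.1.5 that it extends. The heading at line 1 also lacks the trailing `##` used by the 3.1.5 heading below it.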
4  activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
@@ -423,7 +423,9 @@ def collation
423 423
       end
424 424
 
425 425
       def tables(name = nil, database = nil) #:nodoc:
426  
-        sql = ["SHOW TABLES", database].compact.join(' IN ')
  426
+        sql = "SHOW TABLES "
  427
+        sql << "IN #{quote_table_name(database)} " if database
  428
+
427 429
         execute(sql, 'SCHEMA').collect do |field|
428 430
           field.first
429 431
         end
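Review bot: The `name` argument of `tables(name = nil, database = nil)` is still unused after the change at lines 426-428, and the statement now always ends in a trailing space (`"SHOW TABLES "`, plus another after the quoted database). Appending `" IN #{quote_table_name(database)}"` to `"SHOW TABLES"` keeps the logged SQL clean. A short comment that `database` is quoted as an identifier would document why the plain join was replaced.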
5  activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -630,7 +630,10 @@ def collation
630 630
       end
631 631
 
632 632
       def tables(name = nil, database = nil) #:nodoc:
633  
-        result = execute(["SHOW TABLES", database].compact.join(' IN '), 'SCHEMA')
  633
+        sql = "SHOW TABLES "
  634
+        sql << "IN #{quote_table_name(database)} " if database
  635
+
  636
+        result = execute(sql, 'SCHEMA')
634 637
         tables = result.collect { |field| field[0] }
635 638
         result.free
636 639
         tables
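Review bot: Lines 633-634 repeat the statement-building code added to mysql2_adapter.rb word for word. Consider moving it into one helper shared by both adapters so that a later quoting fix cannot be applied to one and missed in the other.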
6  activerecord/lib/active_record/relation/predicate_builder.rb
... ...
@@ -1,16 +1,16 @@
1 1
 module ActiveRecord
2 2
   class PredicateBuilder # :nodoc:
3  
-    def self.build_from_hash(engine, attributes, default_table, check_column = true)
  3
+    def self.build_from_hash(engine, attributes, default_table, allow_table_name = true)
4 4
       predicates = attributes.map do |column, value|
5 5
         table = default_table
6 6
 
7  
-        if value.is_a?(Hash)
  7
+        if allow_table_name && value.is_a?(Hash)
8 8
           table = Arel::Table.new(column, engine)
9 9
           build_from_hash(engine, value, table, false)
10 10
         else
11 11
           column = column.to_s
12 12
 
13  
-          if check_column && column.include?('.')
  13
+          if allow_table_name && column.include?('.')
14 14
             table_name, column = column.split('.', 2)
15 15
             table = Arel::Table.new(table_name, engine)
16 16
           end
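Review bot: With `allow_table_name` false, a Hash value no longer enters the branch at line 7 and instead falls into the `else` branch, where it is handled as an ordinary column value by code below this hunk. The hunk does not show that path rejecting a Hash, and the new test in where_test.rb only expects `ActiveRecord::StatementInvalid`. Consider raising an explicit error for a nested Hash here. The bare `false` at the recursive call on line 9 is also hard to read; a comment on the parameter would help, since the `:nodoc:` class gives no hint of what it controls.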
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
10  activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
@@ -52,6 +52,16 @@ def test_exec_insert_string
52 52
         assert_equal str, value
53 53
       end
54 54
 
  55
+      def test_tables_quoting
  56
+        begin
  57
+          @conn.tables(nil, "foo-bar")
  58
+          flunk
  59
+        rescue => e
  60
+          # assertion for *quoted* database properly
  61
+          assert_match(/database 'foo-bar'/, e.inspect)
  62
+        end
  63
+      end
  64
+
55 65
       private
56 66
       def insert(ctx, data)
57 67
         binds   = data.map { |name, value|
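Review bot: The assertion at line 61 checks the server's error text (`database 'foo-bar'`), not the SQL that was sent, so the test depends on a database named foo-bar not existing and on the wording of the MySQL error message. The bare `rescue => e` at line 59 also accepts any StandardError. Asserting on the generated statement, or at least rescuing the specific exception class, would tie the test to the quoting behaviour it is named for.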
11  activerecord/test/cases/adapters/mysql2/schema_test.rb
@@ -35,6 +35,17 @@ def test_table_exists?
35 35
       def test_table_exists_wrong_schema
36 36
         assert(!@connection.table_exists?("#{@db_name}.zomg"), "table should not exist")
37 37
       end
  38
+
  39
+      def test_tables_quoting
  40
+        begin
  41
+          @connection.tables(nil, "foo-bar")
  42
+          flunk
  43
+        rescue => e
  44
+          # assertion for *quoted* database properly
  45
+          assert_match(/database 'foo-bar'/, e.inspect)
  46
+        end
  47
+      end
  48
+
38 49
     end
39 50
   end
40 51
 end
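Review bot: The `begin`/`flunk`/`rescue` sequence at lines 40-46 can be written as an `assert_raises` call with the expected exception class around `@connection.tables(nil, "foo-bar")`, followed by the `assert_match` on the returned exception. That names the expected failure and removes the need for `flunk`. The body is also a copy of the test added to mysql_adapter_test.rb, so the two will need to be kept in step.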
6  activerecord/test/cases/relation/where_test.rb
@@ -11,6 +11,12 @@ def test_where_error
11 11
       end
12 12
     end
13 13
 
  14
+    def test_where_error_with_hash
  15
+      assert_raises(ActiveRecord::StatementInvalid) do
  16
+        Post.where(:id => { :posts => {:author_id => 10} }).first
  17
+      end
  18
+    end
  19
+
14 20
     def test_where_with_table_name
15 21
       post = Post.first
16 22
       assert_equal post, Post.where(:posts => { 'id' => post.id }).first
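Review bot: The test at lines 14-18 does not say why `ActiveRecord::StatementInvalid` is the expected outcome. A one-line comment that the inner `:posts` key must not be taken as a table name, so the query fails instead of selecting on `posts.author_id`, would make the intent clear. Asserting on the generated SQL would also avoid depending on the database to reject the statement.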
4  activeresource/CHANGELOG.md
... ...
@@ -1,3 +1,7 @@
  1
+## Rails 3.1.6 (Jun 12, 2012)
  2
+
  3
+*   No changes.
  4
+
1 5
 ## Rails 3.1.5 (May 31, 2012) ##
2 6
 
3 7
 *   No changes
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
4  activesupport/CHANGELOG.md
... ...
@@ -1,3 +1,7 @@
  1
+## Rails 3.1.6 (Jun 12, 2012)
  2
+
  3
+*   No changes.
  4
+
1 5
 ## Rails 3.1.5 (May 31, 2012) ##
2 6
 
3 7
 *   call binmode on the tempfile for Ruby 1.8 compatibility
5  activesupport/lib/active_support/testing/setup_and_teardown.rb
@@ -28,17 +28,22 @@ def teardown(*args, &block)
28 28
       end
29 29
 
30 30
       module ForMiniTest
  31
+        PASSTHROUGH_EXCEPTIONS = MiniTest::Unit::TestCase::PASSTHROUGH_EXCEPTIONS rescue [NoMemoryError, SignalException, Interrupt, SystemExit]
31 32
         def run(runner)
32 33
           result = '.'
33 34
           begin
34 35
             run_callbacks :setup do
35 36
               result = super
36 37
             end
  38
+          rescue *PASSTHROUGH_EXCEPTIONS => e
  39
+            raise e
37 40
           rescue Exception => e
38 41
             result = runner.puke(self.class, method_name, e)
39 42
           ensure
40 43
             begin
41 44
               run_callbacks :teardown
  45
+            rescue *PASSTHROUGH_EXCEPTIONS => e
  46
+              raise e
42 47
             rescue Exception => e
43 48
               result = runner.puke(self.class, method_name, e)
44 49
             end
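Review bot: The modifier `rescue` on the constant assignment at line 31 swallows any StandardError raised while resolving `MiniTest::Unit::TestCase::PASSTHROUGH_EXCEPTIONS`, not only the missing-constant case. An explicit `defined?` check with the literal list as the fallback states the intent. In the two new clauses at lines 38-39 and 45-46, `rescue *PASSTHROUGH_EXCEPTIONS` followed by a bare `raise` is enough; the `=> e` binding is not needed. A comment on why these exceptions must bypass `runner.puke` would help the next reader.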
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
44  activesupport/test/test_case_test.rb
@@ -19,7 +19,7 @@ def options
19 19
     end
20 20
 
21 21
     if defined?(MiniTest::Assertions) && TestCase < MiniTest::Assertions
22  
-      def test_callback_with_exception
  22
+      def test_standard_error_raised_within_setup_callback_is_puked
23 23
         tc = Class.new(TestCase) do
24 24
           setup :bad_callback
25 25
           def bad_callback; raise 'oh noes' end
@@ -38,7 +38,7 @@ def test_true; assert true end
38 38
         assert_equal 'oh noes', exception.message
39 39
       end
40 40
 
41  
-      def test_teardown_callback_with_exception
  41
+      def test_standard_error_raised_within_teardown_callback_is_puked
42 42
         tc = Class.new(TestCase) do
43 43
           teardown :bad_callback
44 44
           def bad_callback; raise 'oh noes' end
@@ -56,6 +56,46 @@ def test_true; assert true end
56 56
         assert_equal test_name, name
57 57
         assert_equal 'oh noes', exception.message
58 58
       end
  59
+
  60
+      def test_passthrough_exception_raised_within_test_method_is_not_rescued
  61
+        tc = Class.new(TestCase) do
  62
+          def test_which_raises_interrupt; raise Interrupt; end
  63
+        end
  64
+
  65
+        test_name = 'test_which_raises_interrupt'
  66
+        fr = FakeRunner.new
  67
+
  68
+        test = tc.new test_name
  69
+        assert_raises(Interrupt) { test.run fr }
  70
+      end
  71
+
  72
+      def test_passthrough_exception_raised_within_setup_callback_is_not_rescued
  73
+        tc = Class.new(TestCase) do
  74
+          setup :callback_which_raises_interrupt
  75
+          def callback_which_raises_interrupt; raise Interrupt; end
  76
+          def test_true; assert true end
  77
+        end
  78
+
  79
+        test_name = 'test_true'
  80
+        fr = FakeRunner.new
  81
+
  82
+        test = tc.new test_name
  83
+        assert_raises(Interrupt) { test.run fr }
  84
+      end
  85
+
  86
+      def test_passthrough_exception_raised_within_teardown_callback_is_not_rescued
  87
+        tc = Class.new(TestCase) do
  88
+          teardown :callback_which_raises_interrupt
  89
+          def callback_which_raises_interrupt; raise Interrupt; end
  90
+          def test_true; assert true end
  91
+        end
  92
+
  93
+        test_name = 'test_true'
  94
+        fr = FakeRunner.new
  95
+
  96
+        test = tc.new test_name
  97
+        assert_raises(Interrupt) { test.run fr }
  98
+      end
59 99
     end
60 100
   end
61 101
 end
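Review bot: All three new tests (lines 60-98) raise only `Interrupt`, while the fallback list in setup_and_teardown.rb also names NoMemoryError, SignalException and SystemExit. At least one further class from that list should be exercised so the tests cover the splat rescue rather than a single exception. The three bodies differ only in where the exception is raised, so a small helper that builds the test class and runs it against `FakeRunner` would cut the repetition.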
4  railties/CHANGELOG.md
... ...
@@ -1,3 +1,7 @@
  1
+## Rails 3.1.6 (Jun 12, 2012)
  2
+
  3
+*   No changes.
  4
+
1 5
 ## Rails 3.1.5 (May 31, 2012) ##
2 6
 
3 7
 *   No changes.
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
2  version.rb
@@ -2,7 +2,7 @@ module Rails
2 2
   module VERSION #:nodoc:
3 3
     MAJOR = 3
4 4
     MINOR = 1
5  
-    TINY  = 5
  5
+    TINY  = 6
6 6
     PRE   = nil
7 7
 
8 8
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
