Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Comparing changes

Choose two branches to see what's changed or to start a new pull request. If you need to, you can also compare across forks.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also compare across forks.
base fork: rails/rails
...
head fork: rails/rails
Checking mergeability… Don't worry, you can still create the pull request.
  • 4 commits
  • 22 files changed
  • 1 commit comment
  • 3 contributors
Commits on Jan 08, 2013
@spastorino spastorino Avoid Rack security warning no secret provided
This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
4d5f950
@tenderlove tenderlove * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] …
…* dealing with empty hashes. Thanks Damien Mathieu

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
7e5cc96
@jeremy jeremy CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. 8133a81
@tenderlove tenderlove bumping version a7dd0bb
Showing with 147 additions and 32 deletions.
  1. +1 −1  RAILS_VERSION
  2. +1 −1  actionmailer/lib/action_mailer/version.rb
  3. +4 −0 actionpack/CHANGELOG.md
  4. +4 −6 actionpack/lib/action_dispatch/http/request.rb
  5. +2 −2 actionpack/lib/action_dispatch/middleware/params_parser.rb
  6. +2 −0  actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
  7. +1 −1  actionpack/lib/action_pack/version.rb
  8. +13 −0 actionpack/test/controller/webservice_test.rb
  9. +15 −0 actionpack/test/dispatch/request/json_params_parsing_test.rb
  10. +17 −0 actionpack/test/dispatch/request/xml_params_parsing_test.rb
  11. +1 −1  activemodel/lib/active_model/version.rb
  12. +4 −0 activerecord/CHANGELOG.md
  13. +6 −1 activerecord/lib/active_record/relation/predicate_builder.rb
  14. +1 −1  activerecord/lib/active_record/version.rb
  15. +15 −1 activerecord/test/cases/relation/where_test.rb
  16. +1 −1  activeresource/lib/active_resource/version.rb
  17. +9 −0 activesupport/CHANGELOG.md
  18. +25 −7 activesupport/lib/active_support/core_ext/hash/conversions.rb
  19. +1 −1  activesupport/lib/active_support/version.rb
  20. +22 −6 activesupport/test/core_ext/hash_ext_test.rb
  21. +1 −1  railties/lib/rails/version.rb
  22. +1 −1  version.rb
View
2  RAILS_VERSION
@@ -1 +1 @@
-3.1.9
+3.1.10
View
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
4 actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.10
+
+* Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+
## Rails 3.1.9
## Rails 3.1.8 (Aug 9, 2012)
View
10 actionpack/lib/action_dispatch/http/request.rb
@@ -267,18 +267,14 @@ def local?
LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
end
- protected
-
# Remove nils from the params hash
def deep_munge(hash)
- keys = hash.keys.find_all { |k| hash[k] == [nil] }
- keys.each { |k| hash[k] = nil }
-
- hash.each_value do |v|
+ hash.each do |k, v|
case v
when Array
v.grep(Hash) { |x| deep_munge(x) }
v.compact!
+ hash[k] = nil if v.empty?
when Hash
deep_munge(v)
end
@@ -287,6 +283,8 @@ def deep_munge(hash)
hash
end
+ protected
+
def parse_query(qs)
deep_munge(super)
end
View
4 actionpack/lib/action_dispatch/middleware/params_parser.rb
@@ -38,13 +38,13 @@ def parse_formatted_parameters(env)
when Proc
strategy.call(request.raw_post)
when :xml_simple, :xml_node
- data = Hash.from_xml(request.body.read) || {}
+ data = request.deep_munge(Hash.from_xml(request.body.read) || {})
request.body.rewind if request.body.respond_to?(:rewind)
data.with_indifferent_access
when :yaml
YAML.load(request.raw_post)
when :json
- data = ActiveSupport::JSON.decode(request.body)
+ data = request.deep_munge ActiveSupport::JSON.decode(request.body)
request.body.rewind if request.body.respond_to?(:rewind)
data = {:_json => data} unless data.is_a?(Hash)
data.with_indifferent_access
View
2  actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
@@ -25,6 +25,8 @@ def destroy
module Compatibility
def initialize(app, options = {})
options[:key] ||= '_session_id'
+ # FIXME Rack's secret is not being used
+ options[:secret] ||= SecureRandom.hex(30)
super
end
View
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
13 actionpack/test/controller/webservice_test.rb
@@ -118,6 +118,19 @@ def test_post_xml_using_an_attributted_node_named_type
end
end
+ def test_post_xml_using_a_disallowed_type_attribute
+ $stderr = StringIO.new
+ with_test_route_set do
+ post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+ assert_response 500
+
+ post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+ assert_response 500
+ end
+ ensure
+ $stderr = STDERR
+ end
+
def test_register_and_use_yaml
with_test_route_set do
with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do
View
15 actionpack/test/dispatch/request/json_params_parsing_test.rb
@@ -30,6 +30,21 @@ def teardown
)
end
+ test "nils are stripped from collections" do
+ assert_parses(
+ {"person" => nil},
+ "{\"person\":[null]}", { 'CONTENT_TYPE' => 'application/json' }
+ )
+ assert_parses(
+ {"person" => ['foo']},
+ "{\"person\":[\"foo\",null]}", { 'CONTENT_TYPE' => 'application/json' }
+ )
+ assert_parses(
+ {"person" => nil},
+ "{\"person\":[null, null]}", { 'CONTENT_TYPE' => 'application/json' }
+ )
+ end
+
test "logs error if parsing unsuccessful" do
with_test_routing do
begin
View
17 actionpack/test/dispatch/request/xml_params_parsing_test.rb
@@ -30,6 +30,23 @@ def call(env)
assert_equal "<ok>bar</ok>", resp.body
end
+ def assert_parses(expected, xml)
+ with_test_routing do
+ post "/parse", xml, default_headers
+ assert_response :ok
+ assert_equal(expected, TestController.last_request_parameters)
+ end
+ end
+
+ test "nils are stripped from collections" do
+ assert_parses(
+ {"hash" => { "person" => nil} },
+ "<hash><person type=\"array\"><person nil=\"true\"/></person></hash>")
+ assert_parses(
+ {"hash" => { "person" => ['foo']} },
+ "<hash><person type=\"array\"><person>foo</person><person nil=\"true\"/></person>\n</hash>")
+ end
+
test "parses hash params" do
with_test_routing do
xml = "<person><name>David</name></person>"
View
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
4 activerecord/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.10
+
+* Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155]
+
## Rails 3.1.9
* CVE-2012-5664 ensure that options are never taken from the first parameter
View
7 activerecord/lib/active_record/relation/predicate_builder.rb
@@ -6,7 +6,12 @@ def self.build_from_hash(engine, attributes, default_table, allow_table_name = t
if allow_table_name && value.is_a?(Hash)
table = Arel::Table.new(column, engine)
- build_from_hash(engine, value, table, false)
+
+ if value.empty?
+ '1 = 2'
+ else
+ build_from_hash(engine, value, table, false)
+ end
else
column = column.to_s
View
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
16 activerecord/test/cases/relation/where_test.rb
@@ -1,9 +1,11 @@
require "cases/helper"
require 'models/post'
+require 'models/comment'
+require 'models/edge'
module ActiveRecord
class WhereTest < ActiveRecord::TestCase
- fixtures :posts
+ fixtures :posts, :edges
def test_where_error
assert_raises(ActiveRecord::StatementInvalid) do
@@ -21,5 +23,17 @@ def test_where_with_table_name
post = Post.first
assert_equal post, Post.where(:posts => { 'id' => post.id }).first
end
+
+ def test_where_with_table_name_and_empty_hash
+ assert_equal 0, Post.where(:posts => {}).count
+ end
+
+ def test_where_with_table_name_and_empty_array
+ assert_equal 0, Post.where(:id => []).count
+ end
+
+ def test_where_with_empty_hash_and_no_foreign_key
+ assert_equal 0, Edge.where(:sink => {}).count
+ end
end
end
View
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
9 activesupport/CHANGELOG.md
@@ -1,3 +1,12 @@
+## Rails 3.1.10 (Jan 8, 2012) ##
+
+* Hash.from_xml raises when it encounters type="symbol" or type="yaml".
+ Use Hash.from_trusted_xml to parse this XML.
+
+ CVE-2013-0156
+
+ *Jeremy Kemper*
+
## Rails 3.1.9
## Rails 3.1.8 (Aug 9, 2012)
View
32 activesupport/lib/active_support/core_ext/hash/conversions.rb
@@ -85,15 +85,33 @@ def to_xml(options = {})
end
end
+ class DisallowedType < StandardError #:nodoc:
+ def initialize(type)
+ super "Disallowed type attribute: #{type.inspect}"
+ end
+ end
+
+ DISALLOWED_XML_TYPES = %w(symbol yaml)
+
class << self
- def from_xml(xml)
- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)))
+ def from_xml(xml, disallowed_types = nil)
+ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types)
+ end
+
+ def from_trusted_xml(xml)
+ from_xml xml, []
end
private
- def typecast_xml_value(value)
+ def typecast_xml_value(value, disallowed_types = nil)
+ disallowed_types ||= DISALLOWED_XML_TYPES
+
case value.class.to_s
when 'Hash'
+ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
+ raise DisallowedType, value['type']
+ end
+
if value['type'] == 'array'
_, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) })
if entries.nil? || (c = value['__content__'] && c.blank?)
@@ -101,9 +119,9 @@ def typecast_xml_value(value)
else
case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
when "Array"
- entries.collect { |v| typecast_xml_value(v) }
+ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
when "Hash"
- [typecast_xml_value(entries)]
+ [typecast_xml_value(entries, disallowed_types)]
else
raise "can't typecast #{entries.inspect}"
end
@@ -127,14 +145,14 @@ def typecast_xml_value(value)
elsif value['type'] && value.size == 1 && !value['type'].is_a?(::Hash)
nil
else
- xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v)] }]
+ xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v, disallowed_types)] }]
# Turn { :files => { :file => #<StringIO> } into { :files => #<StringIO> } so it is compatible with
# how multipart uploaded files from HTML appear
xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
end
when 'Array'
- value.map! { |i| typecast_xml_value(i) }
+ value.map! { |i| typecast_xml_value(i, disallowed_types) }
value.length > 1 ? value : value.first
when 'String'
value
View
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
28 activesupport/test/core_ext/hash_ext_test.rb
@@ -730,12 +730,10 @@ def test_single_record_from_xml
<replies-close-in type="integer">2592000000</replies-close-in>
<written-on type="date">2003-07-16</written-on>
<viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
- <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n should_have_underscores: true\n</content>
<author-email-address>david@loudthinking.com</author-email-address>
<parent-id></parent-id>
<ad-revenue type="decimal">1.5</ad-revenue>
<optimum-viewing-angle type="float">135</optimum-viewing-angle>
- <resident type="symbol">yes</resident>
</topic>
EOT
@@ -748,12 +746,10 @@ def test_single_record_from_xml
:replies_close_in => 2592000000,
:written_on => Date.new(2003, 7, 16),
:viewed_at => Time.utc(2003, 7, 16, 9, 28),
- :content => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
:author_email_address => "david@loudthinking.com",
:parent_id => nil,
:ad_revenue => BigDecimal("1.50"),
:optimum_viewing_angle => 135.0,
- :resident => :yes
}.stringify_keys
assert_equal expected_topic_hash, Hash.from_xml(topic_xml)["topic"]
@@ -767,7 +763,6 @@ def test_single_record_from_xml_with_nil_values
<approved type="boolean"></approved>
<written-on type="date"></written-on>
<viewed-at type="datetime"></viewed-at>
- <content type="yaml"></content>
<parent-id></parent-id>
</topic>
EOT
@@ -778,7 +773,6 @@ def test_single_record_from_xml_with_nil_values
:approved => nil,
:written_on => nil,
:viewed_at => nil,
- :content => nil,
:parent_id => nil
}.stringify_keys
@@ -1005,6 +999,28 @@ def test_type_trickles_through_when_unknown
assert_equal expected_product_hash, Hash.from_xml(product_xml)["product"]
end
+ def test_from_xml_raises_on_disallowed_type_attributes
+ assert_raise Hash::DisallowedType do
+ Hash.from_xml '<product><name type="foo">value</name></product>', %w(foo)
+ end
+ end
+
+ def test_from_xml_disallows_symbol_and_yaml_types_by_default
+ assert_raise Hash::DisallowedType do
+ Hash.from_xml '<product><name type="symbol">value</name></product>'
+ end
+
+ assert_raise Hash::DisallowedType do
+ Hash.from_xml '<product><name type="yaml">value</name></product>'
+ end
+ end
+
+ def test_from_trusted_xml_allows_symbol_and_yaml_types
+ expected = { 'product' => { 'name' => :value }}
+ assert_equal expected, Hash.from_trusted_xml('<product><name type="symbol">value</name></product>')
+ assert_equal expected, Hash.from_trusted_xml('<product><name type="yaml">:value</name></product>')
+ end
+
def test_should_use_default_value_for_unknown_key
hash_wia = HashWithIndifferentAccess.new(3)
assert_equal 3, hash_wia[:new_key]
View
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
2  version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 1
- TINY = 9
+ TINY = 10
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

Showing you all comments on commits in this comparison.

@kb
kb commented on 7e5cc96

On a mongoid model you can have something like...

field :foo, :type => Array, :default => []

On a PUT update from a form, the params from the form will come through as :foo => [], however with the introduction of this code the :foo becomes nil and overwrites the default array value from the model.

Wouldn't it be better to simply reject the key instead of setting it to nil and potentially overwriting a db value?

cc/ @tenderlove

Something went wrong with that request. Please try again.