Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Comparing changes

Choose two branches to see what's changed or to start a new pull request. If you need to, you can also compare across forks.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also compare across forks.
base fork: rails/rails
...
head fork: rails/rails
Checking mergeability… Don't worry, you can still create the pull request.
  • 9 commits
  • 26 files changed
  • 5 commit comments
  • 5 contributors
Commits on Mar 05, 2013
@spastorino spastorino Freeze columns only once per Result
Conflicts:
	activerecord/lib/active_record/result.rb
b544524
@tenderlove tenderlove Revert "Merge pull request #8209 from senny/backport_8176"
This reverts commit 7240202, reversing
changes made to e4e2bcc.

Conflicts:
	activerecord/CHANGELOG.md
	activerecord/lib/active_record/relation/calculations.rb
	activerecord/test/cases/calculations_test.rb
1b699fc
Commits on Mar 06, 2013
@tenderlove tenderlove bumping to rc2 ccf256d
Commits on Mar 12, 2013
@carlosantoniodasilva carlosantoniodasilva Merge pull request #9616 from exviva/multiple_select_name_double_squa…
…re_brackets

Fix incorrectly appended square brackets to a multiple select box

Before:

    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][][]" ...>

After:

    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][]" ...>

Conflicts:
	actionpack/CHANGELOG.md
	actionpack/lib/action_view/helpers/tags/base.rb
	actionpack/test/template/form_options_helper_test.rb
4886991
Commits on Mar 16, 2013
@tenderlove tenderlove stop calling to_sym when building arel nodes [CVE-2013-1854] f980289
@charliesome charliesome fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] ff3b9ca
@benmmurphy benmmurphy JDOM XXE Protection [CVE-2013-1856]
Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
c0d0663
@tenderlove tenderlove fix protocol checking in sanitization [CVE-2013-1857]
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
99123ad
Commits on Mar 18, 2013
@tenderlove tenderlove bumping to 3.2.13 a4b5582
Showing with 119 additions and 52 deletions.
  1. +1 −1  RAILS_VERSION
  2. +1 −1  actionmailer/lib/action_mailer/version.rb
  3. +17 −0 actionpack/CHANGELOG.md
  4. +5 −5 actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
  5. +1 −1  actionpack/lib/action_pack/version.rb
  6. +1 −1  actionpack/lib/action_view/helpers/form_helper.rb
  7. +8 −0 actionpack/test/template/form_options_helper_test.rb
  8. +15 −0 actionpack/test/template/html-scanner/sanitizer_test.rb
  9. +1 −1  activemodel/lib/active_model/version.rb
  10. +0 −15 activerecord/CHANGELOG.md
  11. +1 −1  activerecord/lib/active_record/relation.rb
  12. +1 −1  activerecord/lib/active_record/relation/predicate_builder.rb
  13. +9 −3 activerecord/lib/active_record/result.rb
  14. +1 −1  activerecord/lib/active_record/version.rb
  15. +0 −6 activerecord/test/cases/calculations_test.rb
  16. +5 −5 activerecord/test/cases/method_scoping_test.rb
  17. +3 −3 activerecord/test/cases/relation_test.rb
  18. +1 −1  activeresource/lib/active_resource/version.rb
  19. +1 −1  activesupport/lib/active_support/version.rb
  20. +6 −0 activesupport/lib/active_support/xml_mini/jdom.rb
  21. +1 −0  activesupport/test/fixtures/xml/jdom_doctype.dtd
  22. +1 −0  activesupport/test/fixtures/xml/jdom_entities.txt
  23. +1 −0  activesupport/test/fixtures/xml/jdom_include.txt
  24. +36 −3 activesupport/test/xml_mini/jdom_engine_test.rb
  25. +1 −1  railties/lib/rails/version.rb
  26. +1 −1  version.rb
View
2  RAILS_VERSION
@@ -1 +1 @@
-3.2.13.rc1
+3.2.13
View
2  actionmailer/lib/action_mailer/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
View
17 actionpack/CHANGELOG.md
@@ -5,6 +5,23 @@
## Rails 3.2.13 (Feb 17, 2013) ##
+* Fix incorrectly appended square brackets to a multiple select box
+ if an explicit name has been given and it already ends with "[]".
+
+ Before:
+
+ select(:category, [], {}, multiple: true, name: "post[category][]")
+ # => <select name="post[category][][]" ...>
+
+ After:
+
+ select(:category, [], {}, multiple: true, name: "post[category][]")
+ # => <select name="post[category][]" ...>
+
+ Backport #9616.
+
+ *Olek Janiszewski*
+
* Determine the controller#action from only the matched path when using the
shorthand syntax. Previously the complete path was used, which led
to problems with nesting (scopes and namespaces).
View
10 actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -66,7 +66,7 @@ class WhiteListSanitizer < Sanitizer
# A regular expression of the valid characters used to separate protocols like
# the ':' in 'http://foo.com'
- self.protocol_separator = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
+ self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
# Specifies a Set of HTML attributes that can have URIs.
self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
@@ -110,8 +110,8 @@ def sanitize_css(style)
style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
# gauntlet
- if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+ if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
return ''
end
@@ -122,7 +122,7 @@ def sanitize_css(style)
elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
unless val.split().any? do |keyword|
!allowed_css_keywords.include?(keyword) &&
- keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+ keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
end
clean << prop + ': ' + val + ';'
end
@@ -171,7 +171,7 @@ def process_attributes_for(node, options)
def contains_bad_protocols?(attr_name, value)
uri_attributes.include?(attr_name) &&
- (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
+ (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end
end
end
View
2  actionpack/lib/action_pack/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
View
2  actionpack/lib/action_view/helpers/form_helper.rb
@@ -1207,7 +1207,7 @@ def add_default_name_and_id(options)
options["id"] = options.fetch("id"){ tag_id }
end
- options["name"] += "[]" if options["multiple"]
+ options["name"] += "[]" if options["multiple"] && !options["name"].ends_with?("[]")
options["id"] = [options.delete('namespace'), options["id"]].compact.join("_").presence
end
View
8 actionpack/test/template/form_options_helper_test.rb
@@ -515,6 +515,14 @@ def test_select_with_multiple_to_add_hidden_input
)
end
+ def test_select_with_multiple_and_with_explicit_name_ending_with_brackets
+ output_buffer = select(:post, :category, "", {}, :multiple => true, :name => 'post[category][]')
+ assert_dom_equal(
+ "<input type=\"hidden\" name=\"post[category][]\" value=\"\"/><select multiple=\"multiple\" id=\"post_category\" name=\"post[category][]\"></select>",
+ output_buffer
+ )
+ end
+
def test_select_with_multiple_and_disabled_to_add_disabled_hidden_input
output_buffer = select(:post, :category, "", {}, :multiple => true, :disabled => true)
assert_dom_equal(
View
15 actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -176,6 +176,7 @@ def test_should_block_script_tag
%(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
%(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
%(<IMG SRC=" &#14; javascript:alert('XSS');">),
+ %(<IMG SRC="javascript&#x3a;alert('XSS');">),
%(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
assert_sanitized img_hack, "<img>"
@@ -256,6 +257,11 @@ def test_should_sanitize_div_style_expression
assert_equal '', sanitize_css(raw)
end
+ def test_should_sanitize_across_newlines
+ raw = %(\nwidth:\nexpression(alert('XSS'));\n)
+ assert_equal '', sanitize_css(raw)
+ end
+
def test_should_sanitize_img_vbscript
assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
end
@@ -276,6 +282,15 @@ def test_should_sanitize_neverending_attribute
assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
end
+ def test_x03a
+ assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
+ assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
+ end
+
protected
def assert_sanitized(input, expected = nil)
@sanitizer ||= HTML::WhiteListSanitizer.new
View
2  activemodel/lib/active_model/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
View
15 activerecord/CHANGELOG.md
@@ -1,8 +1,3 @@
-## unreleased ##
-
-* No changes.
-
-
## Rails 3.2.13 (Feb 17, 2013) ##
* Reverted 921a296a3390192a71abeec6d9a035cc6d1865c8, 'Quote numeric values
@@ -228,16 +223,6 @@
*Victor Costan*
-* `#pluck` can be used on a relation with `select` clause.
- Fixes #7551.
- Backport of #8176.
-
- Example:
-
- Topic.select([:approved, :id]).order(:id).pluck(:id)
-
- *Yves Senn*
-
* Use `nil?` instead of `blank?` to check whether dynamic finder with a bang
should raise RecordNotFound.
Fixes #7238.
View
2  activerecord/lib/active_record/relation.rb
@@ -464,7 +464,7 @@ def where_values_hash
node.left.relation.name == table_name
}
- Hash[equalities.map { |where| [where.left.name, where.right] }]
+ Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access
end
def scope_for_create
View
2  activerecord/lib/active_record/relation/predicate_builder.rb
@@ -20,7 +20,7 @@ def self.build_from_hash(engine, attributes, default_table, allow_table_name = t
table = Arel::Table.new(table_name, engine)
end
- attribute = table[column.to_sym]
+ attribute = table[column]
case value
when ActiveRecord::Relation
View
12 activerecord/lib/active_record/result.rb
@@ -26,9 +26,15 @@ def to_hash
private
def hash_rows
- @hash_rows ||= @rows.map { |row|
- Hash[@columns.zip(row)]
- }
+ @hash_rows ||=
+ begin
+ # We freeze the strings to prevent them getting duped when
+ # used as keys in ActiveRecord::Model's @attributes hash
+ columns = @columns.map { |c| c.dup.freeze }
+ @rows.map { |row|
+ Hash[columns.zip(row)]
+ }
+ end
end
end
end
View
2  activerecord/lib/active_record/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
View
6 activerecord/test/cases/calculations_test.rb
@@ -493,12 +493,6 @@ def test_pluck_with_qualified_column_name
assert_equal [1,2,3,4], Topic.order(:id).pluck("topics.id")
end
- def test_pluck_replaces_select_clause
- taks_relation = Topic.select([:approved, :id]).order(:id)
- assert_equal [1,2,3,4], taks_relation.pluck(:id)
- assert_equal [false, true, true, true], taks_relation.pluck(:approved)
- end
-
def test_pluck_auto_table_name_prefix
c = Company.create!(:name => "test", :contracts => [Contract.new])
assert_equal [c.id], Company.joins(:contracts).pluck(:id)
View
10 activerecord/test/cases/method_scoping_test.rb
@@ -212,14 +212,14 @@ def test_scope_for_create_only_uses_equal
table = VerySpecialComment.arel_table
relation = VerySpecialComment.scoped
relation.where_values << table[:id].not_eq(1)
- assert_equal({:type => "VerySpecialComment"}, relation.send(:scope_for_create))
+ assert_equal({'type' => "VerySpecialComment"}, relation.send(:scope_for_create))
end
def test_scoped_create
new_comment = nil
VerySpecialComment.send(:with_scope, :create => { :post_id => 1 }) do
- assert_equal({:post_id => 1, :type => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
+ assert_equal({'post_id' => 1, 'type' => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
new_comment = VerySpecialComment.create :body => "Wonderful world"
end
@@ -228,7 +228,7 @@ def test_scoped_create
def test_scoped_create_with_join_and_merge
Comment.where(:body => "but Who's Buying?").joins(:post).merge(Post.where(:body => 'Peace Sells...')).with_scope do
- assert_equal({:body => "but Who's Buying?"}, Comment.scoped.scope_for_create)
+ assert_equal({'body' => "but Who's Buying?"}, Comment.scoped.scope_for_create)
end
end
@@ -441,7 +441,7 @@ def test_nested_scoped_create
comment = nil
Comment.send(:with_scope, :create => { :post_id => 1}) do
Comment.send(:with_scope, :create => { :post_id => 2}) do
- assert_equal({:post_id => 2}, Comment.scoped.send(:scope_for_create))
+ assert_equal({'post_id' => 2}, Comment.scoped.send(:scope_for_create))
comment = Comment.create :body => "Hey guys, nested scopes are broken. Please fix!"
end
end
@@ -453,7 +453,7 @@ def test_nested_exclusive_scope_for_create
Comment.send(:with_scope, :create => { :body => "Hey guys, nested scopes are broken. Please fix!" }) do
Comment.send(:with_exclusive_scope, :create => { :post_id => 1 }) do
- assert_equal({:post_id => 1}, Comment.scoped.send(:scope_for_create))
+ assert_equal({'post_id' => 1}, Comment.scoped.send(:scope_for_create))
assert_blank Comment.new.body
comment = Comment.create :body => "Hey guys"
end
View
6 activerecord/test/cases/relation_test.rb
@@ -71,7 +71,7 @@ def test_empty_where_values_hash
def test_has_values
relation = Relation.new Post, Post.arel_table
relation.where_values << relation.table[:id].eq(10)
- assert_equal({:id => 10}, relation.where_values_hash)
+ assert_equal({'id' => 10}, relation.where_values_hash)
end
def test_values_wrong_table
@@ -101,7 +101,7 @@ def test_scope_for_create
def test_create_with_value
relation = Relation.new Post, Post.arel_table
- hash = { :hello => 'world' }
+ hash = { 'hello' => 'world' }
relation.create_with_value = hash
assert_equal hash, relation.scope_for_create
end
@@ -110,7 +110,7 @@ def test_create_with_value_with_wheres
relation = Relation.new Post, Post.arel_table
relation.where_values << relation.table[:id].eq(10)
relation.create_with_value = {:hello => 'world'}
- assert_equal({:hello => 'world', :id => 10}, relation.scope_for_create)
+ assert_equal({'hello' => 'world', 'id' => 10}, relation.scope_for_create)
end
# FIXME: is this really wanted or expected behavior?
View
2  activeresource/lib/active_resource/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
View
2  activesupport/lib/active_support/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
View
6 activesupport/lib/active_support/xml_mini/jdom.rb
@@ -38,6 +38,12 @@ def parse(data)
{}
else
@dbf = DocumentBuilderFactory.new_instance
+ # secure processing of java xml
+ # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
+ @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+ @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+ @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+ @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
xml_string_reader = StringReader.new(data)
xml_input_source = InputSource.new(xml_string_reader)
doc = @dbf.new_document_builder.parse(xml_input_source)
View
1  activesupport/test/fixtures/xml/jdom_doctype.dtd
@@ -0,0 +1 @@
+<!ENTITY a "external entity">
View
1  activesupport/test/fixtures/xml/jdom_entities.txt
@@ -0,0 +1 @@
+<!ENTITY a "hello">
View
1  activesupport/test/fixtures/xml/jdom_include.txt
@@ -0,0 +1 @@
+include me
View
39 activesupport/test/xml_mini/jdom_engine_test.rb
@@ -3,9 +3,11 @@
require 'active_support/xml_mini'
require 'active_support/core_ext/hash/conversions'
- class JDOMEngineTest < Test::Unit::TestCase
+ class JDOMEngineTest < ActiveSupport::TestCase
include ActiveSupport
+ FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'
+
def setup
@default_backend = XmlMini.backend
XmlMini.backend = 'JDOM'
@@ -30,10 +32,41 @@ def test_file_from_xml
assert_equal 'image/png', file.content_type
end
+ def test_not_allowed_to_expand_entities_to_files
+ attack_xml = <<-EOT
+ <!DOCTYPE member [
+ <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
+ ]>
+ <member>x&a;</member>
+ EOT
+ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+ end
+
+ def test_not_allowed_to_expand_parameter_entities_to_files
+ attack_xml = <<-EOT
+ <!DOCTYPE member [
+ <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
+ %b;
+ ]>
+ <member>x&a;</member>
+ EOT
+ assert_raise Java::OrgXmlSax::SAXParseException do
+ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+ end
+ end
+
+
+ def test_not_allowed_to_load_external_doctypes
+ attack_xml = <<-EOT
+ <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
+ <member>x&a;</member>
+ EOT
+ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+ end
+
def test_exception_thrown_on_expansion_attack
- assert_raise NativeException do
+ assert_raise Java::OrgXmlSax::SAXParseException do
attack_xml = <<-EOT
- <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
View
2  railties/lib/rails/version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
View
2  version.rb
@@ -3,7 +3,7 @@ module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
TINY = 13
- PRE = "rc1"
+ PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end

Showing you all comments on commits in this comparison.

@rsanheim

Also, a possible regression related to this commit: #9813

@cthiel

This is probably causing tors/jquery-fileupload-rails#36

@exviva

@cthiel this commit actually makes the conditional more restrictive. I think 175ba04 introduced the bug (see #9616).

@cthiel

@exviva you could be right! Thanks for the pointer.

Something went wrong with that request. Please try again.