Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Comparing changes

Choose two branches to see what's changed or to start a new pull request. If you need to, you can also compare across forks.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also compare across forks.
base fork: rails/rails
...
head fork: rails/rails
Checking mergeability… Don't worry, you can still create the pull request.
  • 3 commits
  • 20 files changed
  • 0 commit comments
  • 1 contributor
Commits on May 05, 2014
@rafaelfranca rafaelfranca Only accept actions without File::SEPARATOR in the name.
This will avoid directory traversal in implicit render.

Fixes: CVE-2014-0130
0f3b7d1
Commits on May 06, 2014
@rafaelfranca rafaelfranca Preparing for 3.2.18 release 4e8f1d2
@rafaelfranca rafaelfranca Fix broken tests of the previous release 50d6b45
View
2  Gemfile
@@ -22,7 +22,7 @@ end
gem 'uglifier', '>= 1.0.3', :require => false
gem 'rake', '>= 0.8.7'
-gem 'mocha', '>= 0.13.0', :require => false
+gem 'mocha', '~> 0.14', :require => false
group :doc do
# The current sdoc cannot generate GitHub links due
View
2  RAILS_VERSION
@@ -1 +1 @@
-3.2.17
+3.2.18
View
15 actionmailer/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
View
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
14 actionpack/CHANGELOG.md
@@ -1,3 +1,16 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* Only accept actions without File::SEPARATOR in the name.
+
+ This will avoid directory traversal in implicit render.
+
+ Fixes: CVE-2014-0130
+
+ *Rafael Mendonça França*
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
* Use the reference for the mime type to get the format
Fixes: CVE-2014-0082
@@ -6,6 +19,7 @@
Fixes: CVE-2014-0081
+
## Rails 3.2.16 (Dec 12, 2013) ##
* Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
View
28 actionpack/lib/abstract_controller/base.rb
@@ -112,7 +112,7 @@ def method_added(name)
def process(action, *args)
@_action_name = action_name = action.to_s
- unless action_name = method_for_action(action_name)
+ unless action_name = _find_action_name(action_name)
raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
end
@@ -138,7 +138,7 @@ def action_methods
# available action consider actions that are also available
# through other means, for example, implicit render ones.
def available_action?(action_name)
- method_for_action(action_name).present?
+ _find_action_name(action_name).present?
end
private
@@ -182,6 +182,23 @@ def _handle_action_missing(*args)
end
# Takes an action name and returns the name of the method that will
+ # handle the action.
+ #
+ # It checks if the action name is valid and returns false otherwise.
+ #
+ # See method_for_action for more information.
+ #
+ # ==== Parameters
+ # * <tt>action_name</tt> - An action name to find a method name for
+ #
+ # ==== Returns
+ # * <tt>string</tt> - The name of the method that handles the action
+ # * false - No valid method name could be found. Raise ActionNotFound.
+ def _find_action_name(action_name)
+ _valid_action_name?(action_name) && method_for_action(action_name)
+ end
+
+ # Takes an action name and returns the name of the method that will
# handle the action. In normal cases, this method returns the same
# name as it receives. By default, if #method_for_action receives
# a name that is not an action, it will look for an #action_missing
@@ -203,11 +220,16 @@ def _handle_action_missing(*args)
#
# ==== Returns
# * <tt>string</tt> - The name of the method that handles the action
- # * <tt>nil</tt> - No method name could be found. Raise ActionNotFound.
+ # * <tt>nil</tt> - No method name could be found.
def method_for_action(action_name)
if action_method?(action_name) then action_name
elsif respond_to?(:action_missing, true) then "_handle_action_missing"
end
end
+
+ # Checks if the action name is valid and returns false otherwise.
+ def _valid_action_name?(action_name)
+ action_name.to_s !~ Regexp.new(File::SEPARATOR)
+ end
end
end
View
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
17 actionpack/test/controller/new_base/render_implicit_action_test.rb
@@ -6,7 +6,7 @@ class SimpleController < ::ApplicationController
"render_implicit_action/simple/hello_world.html.erb" => "Hello world!",
"render_implicit_action/simple/hyphen-ated.html.erb" => "Hello hyphen-ated!",
"render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
- )]
+ ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]
def hello_world() end
end
@@ -33,10 +33,25 @@ class RenderImplicitActionTest < Rack::TestCase
assert_status 200
end
+ test "render does not traverse the file system" do
+ assert_raises(AbstractController::ActionNotFound) do
+ action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
+ SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
+ end
+ end
+
test "available_action? returns true for implicit actions" do
assert SimpleController.new.available_action?(:hello_world)
assert SimpleController.new.available_action?(:"hyphen-ated")
assert SimpleController.new.available_action?(:not_implemented)
end
+
+ test "available_action? does not allow File::SEPARATOR on the name" do
+ action_name = %w(evil .. .. path).join(File::SEPARATOR)
+ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+
+ action_name = %w(evil path).join(File::SEPARATOR)
+ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
+ end
end
end
View
10 actionpack/test/template/number_helper_i18n_test.rb
@@ -7,7 +7,7 @@ def setup
I18n.backend.store_translations 'ts',
:number => {
:format => { :precision => 3, :delimiter => ',', :separator => '.', :significant => false, :strip_insignificant_zeros => false },
- :currency => { :format => { :unit => '&$', :format => '%u - %n', :negative_format => '(%u - %n)', :precision => 2 } },
+ :currency => { :format => { :unit => '$$$', :format => '%u - %n', :negative_format => '(%u - %n)', :precision => 2 } },
:human => {
:format => {
:precision => 2,
@@ -42,9 +42,9 @@ def setup
end
def test_number_to_i18n_currency
- assert_equal("&$ - 10.00", number_to_currency(10, :locale => 'ts'))
- assert_equal("(&$ - 10.00)", number_to_currency(-10, :locale => 'ts'))
- assert_equal("-10.00 - &$", number_to_currency(-10, :locale => 'ts', :format => "%n - %u"))
+ assert_equal("$$$ - 10.00", number_to_currency(10, :locale => 'ts'))
+ assert_equal("($$$ - 10.00)", number_to_currency(-10, :locale => 'ts'))
+ assert_equal("-10.00 - $$$", number_to_currency(-10, :locale => 'ts', :format => "%n - %u"))
end
def test_number_to_currency_with_clean_i18n_settings
@@ -53,7 +53,7 @@ def test_number_to_currency_with_clean_i18n_settings
assert_equal("-$10.00", number_to_currency(-10))
end
end
-
+
def test_number_to_currency_without_currency_negative_format
clean_i18n do
I18n.backend.store_translations 'ts', :number => { :currency => { :format => { :unit => '@', :format => '%n %u' } } }
View
15 activemodel/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
View
2  activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
15 activerecord/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* When calling the method .find_or_initialize_by_* from a collection_proxy
View
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
16 activeresource/CHANGELOG.md
@@ -1,7 +1,23 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
+
## Rails 3.2.14 (Jul 22, 2013) ##
* Fixes an issue that ActiveResource models ignores ActiveResource::Base.include_root_in_json.
View
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
15 activesupport/CHANGELOG.md
@@ -1,3 +1,18 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* Fix ActiveSupport::Cache::FileStore#cleanup to no longer rely on missing each_key method.
View
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
16 railties/CHANGELOG.md
@@ -1,7 +1,23 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
+* No changes.
+
+
+## Rails 3.2.16 (Dec 3, 2013) ##
+
+* No changes.
+
+
## Rails 3.2.15 (Oct 16, 2013) ##
* No changes.
+
## Rails 3.2.14 (Jul 22, 2013) ##
* Fix bugs that crashed `rake test:benchmark`, `rails profiler` and
View
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
View
2  version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 17
+ TINY = 18
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

No commit comments for this range

Something went wrong with that request. Please try again.