Comparing changes
base fork: rails/rails
...
head fork: rails/rails
  • 19 commits
  • 26 files changed
  • 4 commit comments
  • 9 contributors
Commits on Dec 04, 2013
@kratob: repair a test broken by the number_to_currency XSS fix (9e625d6)
@rafaelfranca: Merge pull request #13162 from makandra/3-2-stable (9c60e3d)
    Repair a test broken by the number_to_currency XSS fix
@rafaelfranca: Fix documentation of number_to_currency helper (c82025f)
    Now users have to explicitly mark the unit as safe if they trust it.

    Closes #13161
Commits on Dec 05, 2013
@carlosantoniodasilva: Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option (31a485f)
    Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.

    Conflicts:
    	actionpack/CHANGELOG.md
Commits on Dec 14, 2013
@tyre: Update Session Store Documentation (1805682)
    session_id doesn't need to be a text column, just string (VARCHAR)
@rafaelfranca: Merge pull request #13315 from tyre/patch-1 (3a429e6)
    Update Session Store Documentation
Commits on Jan 06, 2014
@simi: Fix force_ssl.rb documentation. Close tt tag. (c13eb1c)
    [ci skip]
@dmathieu: Merge pull request #13613 from simi/patch-1 (5a84d3e)
    Fix force_ssl.rb documentation. Close tt tag.
Commits on Feb 18, 2014
@rafaelfranca: Merge branch '3-2-17' into 3-2-stable (a3bda38)
    Conflicts:
    	actionpack/CHANGELOG.md
Commits on May 06, 2014
@rafaelfranca: Merge branch '3-2-sec' into 3-2-stable (bbec7d7)
    Conflicts:
    	actionpack/CHANGELOG.md
Commits on May 09, 2014
@tenderlove: use fnmatch to test for case insensitive file systems (03e016f)
Commits on May 10, 2014
@tenderlove: feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053 (c40df47)
Commits on May 18, 2014
@tenderlove: Feature detect based on Ruby version. (6a05129)
    I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
    returns the wrong value on Ruby less than 2.2.0.  Checking for a
    case-insensitive FS seems too hard, so just check Ruby version.
Commits on Jun 18, 2014
@vishalzambre: File.exists? is a deprecated name, use File.exist? (fca3cc2)
@guilleiguaran: Merge pull request #15794 from vishalzambre/patch-1 (6d800a9)
    File.exists? is a deprecated name, use File.exist?
@guilleiguaran: Revert "Merge pull request #15794 from vishalzambre/patch-1" (bc90ea6)
    This reverts commit 6d800a9, reversing
    changes made to 6a05129.

    We don't apply non-security fixes to 3-2-stable branch!!!
Commits on Jun 26, 2014
@rafaelfranca: Make sure Active Support configurations are applied correctly (297bff7)
    Before this patch configuration set using config.active_support
    would not be set.

    Closes #15364
Commits on Jul 02, 2014
@rafaelfranca: Check against bit string values using multiline regexp (1f2192e)
    Fix CVE-2014-3482.
@rafaelfranca: Preparing for 3.2.19 release (53c845c)
Showing with 127 additions and 26 deletions.
  1. +1 −1  RAILS_VERSION
  2. +5 −0 actionmailer/CHANGELOG.md
  3. +1 −1  actionmailer/lib/action_mailer/version.rb
  4. +10 −0 actionpack/CHANGELOG.md
  5. +1 −1  actionpack/lib/action_controller/metal/force_ssl.rb
  6. +1 −1  actionpack/lib/action_pack/version.rb
  7. +4 −4 actionpack/lib/action_view/helpers/number_helper.rb
  8. +9 −1 actionpack/lib/action_view/helpers/translation_helper.rb
  9. +21 −7 actionpack/lib/action_view/template/resolver.rb
  10. +6 −0 actionpack/test/template/translation_helper_test.rb
  11. +5 −0 activemodel/CHANGELOG.md
  12. +1 −1  activemodel/lib/active_model/version.rb
  13. +9 −0 activerecord/CHANGELOG.md
  14. +3 −3 activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
  15. +1 −1  activerecord/lib/active_record/session_store.rb
  16. +1 −1  activerecord/lib/active_record/version.rb
  17. +5 −0 activerecord/test/cases/adapters/postgresql/quoting_test.rb
  18. +5 −0 activeresource/CHANGELOG.md
  19. +1 −1  activeresource/lib/active_resource/version.rb
  20. +10 −0 activesupport/CHANGELOG.md
  21. +7 −0 activesupport/lib/active_support/railtie.rb
  22. +1 −1  activesupport/lib/active_support/version.rb
  23. +5 −0 railties/CHANGELOG.md
  24. +1 −1  railties/lib/rails/version.rb
  25. +12 −0 railties/test/application/configuration_test.rb
  26. +1 −1  version.rb
File: RAILS_VERSION (2 changed lines)
@@ -1 +1 @@
-3.2.18
+3.2.19
File: actionmailer/CHANGELOG.md (5 changed lines)
@@ -1,3 +1,8 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
File: actionmailer/lib/action_mailer/version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
File: actionpack/CHANGELOG.md (10 changed lines)
@@ -1,3 +1,13 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
+ `options[:raise]`.
+
+ This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
+
+ *Shota Fukumori (sora_h)*
+
+
## Rails 3.2.18 (May 6, 2014) ##
* Only accept actions without File::SEPARATOR in the name.
File: actionpack/lib/action_controller/metal/force_ssl.rb (2 changed lines)
@@ -22,7 +22,7 @@ module ClassMethods
#
# ==== Options
# * <tt>only</tt> - The callback should be run only for this action
- # * <tt>except<tt> - The callback should be run for all actions except this action
+ # * <tt>except</tt> - The callback should be run for all actions except this action
def force_ssl(options = {})
host = options.delete(:host)
before_filter(options) do
File: actionpack/lib/action_pack/version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
File: actionpack/lib/action_view/helpers/number_helper.rb (8 changed lines)
@@ -129,10 +129,10 @@ def number_to_phone(number, options = {})
#
# number_to_currency(-1234567890.50, :negative_format => "(%u%n)")
# # => ($1,234,567,890.50)
- # number_to_currency(1234567890.50, :unit => "&pound;", :separator => ",", :delimiter => "")
- # # => &pound;1234567890,50
- # number_to_currency(1234567890.50, :unit => "&pound;", :separator => ",", :delimiter => "", :format => "%n %u")
- # # => 1234567890,50 &pound;
+ # number_to_currency(1234567890.50, :unit => "R$", :separator => ",", :delimiter => "")
+ # # => R$1234567890,50
+ # number_to_currency(1234567890.50, :unit => "R$", :separator => ",", :delimiter => "", :format => "%n %u")
+ # # => 1234567890,50 R$
def number_to_currency(number, options = {})
return unless number
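Review bot: swapping `&pound;` for `R$` in the examples leaves the reason undocumented; the description of the `:unit` option above this hunk should say that the unit is now HTML-escaped (the number_to_currency XSS fix that commit c82025f refers to) and that a caller who trusts the unit must mark it html_safe, otherwise the diff reads as an arbitrary example change rather than a behaviour change.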
File: actionpack/lib/action_view/helpers/translation_helper.rb (10 changed lines)
@@ -36,7 +36,13 @@ module TranslationHelper
def translate(key, options = {})
# If the user has specified rescue_format then pass it all through, otherwise use
# raise and do the work ourselves
- options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
+ if options.key?(:raise) || options.key?(:rescue_format)
+ raise_error = options[:raise] || options[:rescue_format]
+ else
+ raise_error = false
+ options[:raise] = true
+ end
+
if html_safe_translation_key?(key)
html_safe_options = options.dup
options.except(*I18n::RESERVED_KEYS).each do |name, value|
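Review bot: `raise_error = options[:raise] || options[:rescue_format]` ties the re-raise decision to `:rescue_format` as well, so `:rescue_format => :html, :raise => false` leaves `raise_error` truthy and any MissingTranslationData that escapes I18n is re-raised instead of becoming the `translation_missing` span. The comment above says `:rescue_format` is passed through for I18n to handle, so `raise_error = options[:raise]` matches the stated intent; a one-line comment that the local exists so the rescue clause does not re-raise when the helper itself forced `:raise` would help the next reader.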
@@ -51,6 +57,8 @@ def translate(key, options = {})
I18n.translate(scope_key_by_partial(key), options)
end
rescue I18n::MissingTranslationData => e
+ raise e if raise_error
+
keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
end
File: actionpack/lib/action_view/template/resolver.rb (28 changed lines)
@@ -120,13 +120,7 @@ def find_templates(name, prefix, partial, details)
def query(path, details, formats)
query = build_query(path, details)
- # deals with case-insensitive file systems.
- sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
-
- template_paths = Dir[query].reject { |filename|
- File.directory?(filename) ||
- !sanitizer[File.dirname(filename)].include?(filename)
- }
+ template_paths = find_template_paths query
template_paths.map { |template|
handler, format = extract_handler_and_format(template, formats)
@@ -139,6 +133,26 @@ def query(path, details, formats)
}
end
+ if RUBY_VERSION >= '2.2.0'
+ def find_template_paths(query)
+ Dir[query].reject { |filename|
+ File.directory?(filename) ||
+ # deals with case-insensitive file systems.
+ !File.fnmatch(query, filename, File::FNM_EXTGLOB)
+ }
+ end
+ else
+ def find_template_paths(query)
+ # deals with case-insensitive file systems.
+ sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
+
+ Dir[query].reject { |filename|
+ File.directory?(filename) ||
+ !sanitizer[File.dirname(filename)].include?(filename)
+ }
+ end
+ end
+
# Helper for building query glob string based on resolver's pattern.
def build_query(path, details)
query = @pattern.dup
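Review bot: `RUBY_VERSION >= '2.2.0'` is a string comparison, which orders correctly only while every component stays single-digit; `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.2.0')` is the robust form. The reason a version check replaced feature detection (commit 6a05129: `File::FNM_EXTGLOB` exists on 2.1 but Dir.glob returns the wrong value before 2.2.0) lives only in the commit message and belongs in a comment above the `if`, and the `deals with case-insensitive file systems` comment should spell out the mechanism: `Dir[query]` returns whatever the filesystem matched, while `File.fnmatch` is case-sensitive by default, so a file whose name differs from the query only in case is rejected (FNM_EXTGLOB is what lets fnmatch understand the brace groups in the glob).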
File: actionpack/test/template/translation_helper_test.rb (6 changed lines)
@@ -52,6 +52,12 @@ def test_returns_missing_translation_message_using_nil_as_rescue_format
assert_equal false, translate(:"translations.missing", :rescue_format => nil).html_safe?
end
+ def test_raises_missing_translation_message_with_raise_option
+ assert_raise(I18n::MissingTranslationData) do
+ translate(:"translations.missing", :raise => true)
+ end
+ end
+
def test_i18n_translate_defaults_to_nil_rescue_format
expected = 'translation missing: en.translations.missing'
assert_equal expected, I18n.translate(:"translations.missing")
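Review bot: the new test covers `:raise => true` only; since the helper now derives its decision from both `:raise` and `:rescue_format`, add a case for `:raise => false` (expect the `translation_missing` span) and one combining `:rescue_format => :html` with `:raise => true`, so the interaction is pinned down by a test rather than implied by the implementation.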
File: activemodel/CHANGELOG.md (5 changed lines)
@@ -1,3 +1,8 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
File: activemodel/lib/active_model/version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
File: activerecord/CHANGELOG.md (9 changed lines)
@@ -1,3 +1,12 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* Fix SQL Injection Vulnerability in 'bitstring' quoting.
+
+ Fixes CVE-2014-3482.
+
+ *Rafael Mendonça França*
+
+
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
File: activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb (6 changed lines)
@@ -442,8 +442,8 @@ def quote(value, column = nil) #:nodoc:
when 'xml' then "xml '#{quote_string(value)}'"
when /^bit/
case value
- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
+ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
+ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
end
else
super
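Review bot: `\Z` also matches just before a final newline, so a value of `"01\n"` still satisfies `/\A[01]*\Z/` and is emitted as `B'01\n'`; `\z` is the strict end-of-string anchor and is the one to use for text that is interpolated into SQL unchanged. The `case` still has no `else`, so a value matching neither notation quotes to nil (which is exactly what the new quoting test asserts); a comment stating that the nil is intentional would stop someone adding a catch-all branch later.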
@@ -1160,7 +1160,7 @@ def translate_exception(exception, message)
FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
def exec_no_cache(sql, binds)
- @connection.async_exec(sql)
+ @connection.async_exec(sql, [])
end
def exec_cache(sql, binds)
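Review bot: the empty bind array is a behaviour change, not just a different libpq entry point: pg uses PQexecParams when params are given, and PQexecParams accepts a single statement, so callers that sent several semicolon-separated statements through exec_no_cache now fail with the "cannot insert multiple commands into a prepared statement" error raised in the commit comments below. Put the reason (limiting what a quoting bug can reach in one call) in a comment on this line and record the restriction in activerecord/CHANGELOG.md, which currently mentions only the regexp fix.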
File: activerecord/lib/active_record/session_store.rb (2 changed lines)
@@ -9,7 +9,7 @@ module ActiveRecord
#
# The default assumes a +sessions+ tables with columns:
# +id+ (numeric primary key),
- # +session_id+ (text, or longtext if your session data exceeds 65K), and
+ # +session_id+ (string, :limit => 255), and
# +data+ (text or longtext; careful if your session data exceeds 65KB).
#
# The +session_id+ column should always be indexed for speedy lookups.
File: activerecord/lib/active_record/version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
File: activerecord/test/cases/adapters/postgresql/quoting_test.rb (5 changed lines)
@@ -19,6 +19,11 @@ def test_type_cast_false
assert_equal 'f', @conn.type_cast(false, nil)
assert_equal 'f', @conn.type_cast(false, c)
end
+
+ def test_quote_bit_string
+ c = PostgreSQLColumn.new(nil, 1, 'bit')
+ assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
+ end
end
end
end
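Review bot: `assert_equal nil, ...` should be `assert_nil`, and the test pins only the rejected value. Add the accepted forms (`'01'` expected as `B'01'`, `'0A'` as `X'0A'`) and a value with a trailing newline, so the test documents what the chosen anchors accept as well as what they refuse.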
File: activeresource/CHANGELOG.md (5 changed lines)
@@ -1,3 +1,8 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
File: activeresource/lib/active_resource/version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
File: activesupport/CHANGELOG.md (10 changed lines)
@@ -1,3 +1,13 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* Make sure Active Support configurations are applied correctly.
+
+ Before this change configuration set using `config.active_support`
+ would not be set.
+
+ *Rafael Mendonça França*
+
+
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
File: activesupport/lib/active_support/railtie.rb (7 changed lines)
@@ -55,5 +55,12 @@ class Railtie < Rails::Railtie
Time.zone_default = zone_default
end
+
+ initializer "active_support.set_configs" do |app|
+ app.config.active_support.each do |k, v|
+ k = "#{k}="
+ ActiveSupport.send(k, v) if ActiveSupport.respond_to? k
+ end
+ end
end
end
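Review bot: `ActiveSupport.send(k, v)` will invoke private writers while `respond_to? k` (without the second argument) only reports public ones, so the guard and the call disagree; `public_send` keeps them consistent. Unknown keys are dropped silently by the `if`, which is fine for forward compatibility but worth a comment, since a misspelled `config.active_support.foo = ...` produces no error at all.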
File: activesupport/lib/active_support/version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
File: railties/CHANGELOG.md (5 changed lines)
@@ -1,3 +1,8 @@
+## Rails 3.2.19 (Jul 2, 2014) ##
+
+* No changes.
+
+
## Rails 3.2.18 (May 6, 2014) ##
* No changes.
File: railties/lib/rails/version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
File: railties/test/application/configuration_test.rb (12 changed lines)
@@ -454,6 +454,18 @@ def index
assert ActionView::Resolver.caching?
end
+ test "configure Active Support using config.active_support" do
+ add_to_config <<-RUBY
+ config.active_support.escape_html_entities_in_json = true
+ RUBY
+
+ require 'active_support/json'
+ require "#{app_path}/config/environment"
+
+ assert ActiveSupport.escape_html_entities_in_json
+ assert ActiveSupport::JSON::Encoding.escape_html_entities_in_json
+ end
+
test "config.action_dispatch.show_exceptions is sent in env" do
make_basic_app do |app|
app.config.action_dispatch.show_exceptions = true
File: version.rb (2 changed lines)
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 18
+ TINY = 19
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

Comments on commits in this comparison

@jmehnle

What's the significance of this change in addressing the security vulnerability? My team noticed that this causes PostgreSQL to fail with a "cannot insert multiple commands into a prepared statement" error message if multiple SQL statements are passed in a single query. Is passing the explicit empty array even in the absence of any actual bind parameters intended to force the pg gem to call PQexecParams instead of PQexec? We're going to change our own app, but this breaks compatibility with any Rails app issuing multiple SQL statements in a single query, for no apparent benefit.

CC: @agaridata/engineering @vidurapparao @zmt

@rafaelfranca

Yes, it is to force the pg gem to use PQexecParams and avoid future security issues like this one.

@jmehnle

I'm probably missing something — how does this make a difference if the array of params passed is empty?
In any case, should this incompatibility with multiple statements per query be documented somewhere?

@rafaelfranca

It makes a difference because it would not be possible to execute multiple statements in the same call to exec_no_cache. This way vulnerabilities like the one fixed in this commit will not be so destructive. Attackers cannot use a vulnerability in the quote code to execute a DESTROY query in a find call, for example.

In any case, should this incompatibility with multiple statements per query be documented somewhere?

As far as I know it was never documented that you can execute multiple statements per query. But I'm :+1: to document that it is not possible.
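The quoting bug this thread refers to, as an added Ruby example that is not part of the diff or of Rails: it reimplements the bit-string branch of `quote` with the pre-3.2.19 anchors and the 3.2.19 anchors and runs both over the value from the new quoting test. The third, `STRICT` variant with `\z` is an assumption added here for comparison, not something on the page.

```ruby
# Added example, not Rails code: the bit-string branch of PostgreSQLAdapter#quote
# from the 3.2.19 diff, written three times so the anchors can be compared offline.
#   OLD    - the pre-3.2.19 patterns; in Ruby ^ and $ match at line boundaries
#   FIXED  - the patterns from the CVE-2014-3482 commit (\A and \Z)
#   STRICT - assumed variant with \z in place of \Z (\Z also matches before a
#            final newline, \z only at the true end of the string)
OLD    = { bit: /^[01]*$/,    hex: /^[0-9A-F]*$/i }
FIXED  = { bit: /\A[01]*\Z/,  hex: /\A[0-9A-F]*\Z/i }
STRICT = { bit: /\A[01]*\z/,  hex: /\A[0-9A-F]*\z/i }

# The value from the 3.2.19 quoting test; only its middle line is pure bits,
# which is all a line-anchored ^...$ needs in order to report a match.
TEST_PAYLOAD = "'); SELECT * FORM users; /*\n01\n*/--"

# Returns the literal the adapter interpolates for a bit column, or nil when the
# value matches neither notation (the case has no else branch, as in the diff).
def quote_bit_value(value, patterns)
  case value
  when patterns[:bit] then "B'#{value}'"   # bit-string notation
  when patterns[:hex] then "X'#{value}'"   # hexadecimal notation
  end
end

# Quotes one value under all three anchor sets for a side-by-side comparison.
def compare_anchors(value)
  { old:    quote_bit_value(value, OLD),
    fixed:  quote_bit_value(value, FIXED),
    strict: quote_bit_value(value, STRICT) }
end

if __FILE__ == $0
  ["01", "0A", "01\n", TEST_PAYLOAD].each do |value|
    puts "#{value.inspect}:"
    compare_anchors(value).each { |name, lit| puts "  #{name}: #{lit.inspect}" }
  end
end
```

Under `OLD` the whole multi-line payload is wrapped in `B'...'` and handed to the query text unchanged, which is why a single `PQexec` call with several statements was worth closing off as well.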
