Methods that return nil should not be considered YAML #8853

Merged
merged 1 commit into from

4 participants

@zmoazeni

This is a direct port of @jaw6's pull request
#492. His cleanly applied to Rails
v3.1 and v3.2, and this cleanly applies to v3.0.

With yesterday's security patches
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
there is now an issue with Rails v3.0 serving XML to any of the latest
versions of ActiveResource.

Without this, Rails v3.0 can serve XML to ActiveResource consumers that
will see Hash::DisallowedType: Disallowed type attribute: "yaml"

@carlosantoniodasilva

It should get a changelog entry, can you please add one? Thanks.

@zmoazeni

@carlosantoniodasilva would you want it as a note in a v3.0.20 release in the CHANGELOGs?

@carlosantoniodasilva

@zmoazeni yes, you can follow PR #8846 that was merged to 3-1, but add (unreleased) after the version. I'll change there as well. Thanks.

@zmoazeni

@carlosantoniodasilva Just updated the commit. I only updated the CHANGELOG of activemodel. Let me know if you need anything else!

@carlosantoniodasilva

Seems fine, I'll just ask you to elaborate the changelog a little bit more with what's actually being fixed (ie the pull request title with minor tweaks seems to describe it better I think). Wdyt?

@zmoazeni

Actually I changed the wrong CHANGELOG. Fixing.

@zmoazeni zmoazeni Methods that return nil should not be considered YAML
477f0e7
@zmoazeni

@carlosantoniodasilva Alrighty. Updated again.

@carlosantoniodasilva carlosantoniodasilva merged commit 583e5fd into from
@carlosantoniodasilva

Great, thank you.

@saten

What if I am consuming an active resource api exposed by a rails 2.3.15 application, let's say reading a model which has a serialized attribute?

This commit can be ported in lib/active_record/serializers/xml_serializer.rb to fix the problem with nil values, but I've no idea how to work around the serialized field issue.

Any ideas?

@grosser

FYI monkey-patch:

```ruby
if Rails.version == "3.0.19"
  ActiveModel::Serializers::Xml::Serializer::Attribute.class_eval do
    def compute_type_with_nil
      return if value.nil?
      compute_type_without_nil
    end
    alias_method_chain :compute_type, :nil
  end
else
  raise "remove this #{__FILE__}"
end
```
@masylum masylum referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
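
The behaviour discussed in this thread, as an added stand-alone example (not code from this pull request or from Rails): it reproduces the type lookup before and after the nil guard and feeds the result to a consumer that rejects `type="yaml"`. `TYPE_NAMES` is a reduced constructed table, and `serialize`, `consume` and `DisallowedType` are hypothetical simplified stand-ins.

```ruby
require "cgi"

# Constructed stand-ins (assumptions): reduced type table, yaml-rejecting consumer.
TYPE_NAMES = { "Integer" => :integer, "Float" => :float,
               "TrueClass" => :boolean, "FalseClass" => :boolean }.freeze
DISALLOWED_TYPES = %w[yaml].freeze
class DisallowedType < StandardError; end

# Type lookup as in the unchanged lines of the xml.rb hunk: unknown => :yaml.
def compute_type_before(value)
  type = TYPE_NAMES[value.class.name]
  type ||= :string if value.respond_to?(:to_str)
  type || :yaml
end

# Same lookup with the guard this PR adds: nil gets no type at all.
def compute_type_after(value)
  return if value.nil?
  compute_type_before(value)
end

# Simplified element writer: type is omitted when absent or :string,
# and nil="true" is added for nil values.
def serialize(name, value, type)
  attrs = {}
  attrs["type"] = type.to_s if type && type != :string
  attrs["nil"] = "true" if value.nil?
  attr_text = attrs.map { |k, v| %( #{k}="#{v}") }.join
  "<#{name}#{attr_text}>#{CGI.escapeHTML(value.to_s)}</#{name}>"
end

# Simplified consumer: refuses a disallowed type attribute before reading the body.
def consume(xml)
  type = xml[/\A<\w+[^>]*\stype="([^"]*)"/, 1]
  raise DisallowedType, %(Disallowed type attribute: "#{type}") if DISALLOWED_TYPES.include?(type)
  xml.include?('nil="true"') ? nil : CGI.unescapeHTML(xml[/>([^<]*)</, 1])
end

if __FILE__ == $PROGRAM_NAME
  [compute_type_before(nil), compute_type_after(nil)].each do |type|
    xml = serialize("pseudonyms", nil, type)
    begin
      puts "#{xml} -> #{consume(xml).inspect}"
    rescue DisallowedType => e
      puts "#{xml} -> rejected: #{e.message}"
    end
  end
end
```

A non-nil value of an unlisted class, such as a Hash, still resolves to `:yaml` in `compute_type_after`, which is the serialized-attribute case raised above.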
Commits on Jan 9, 2013
  1. @zmoazeni

    Methods that return nil should not be considered YAML

    zmoazeni authored
4 activemodel/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 3.0.20 (unreleased)
+
+* Fix XML serialization of methods that return nil to not be considered as YAML (GH #8853 and GH #492)
+
## Rails 3.0.18
## Rails 3.0.17 (Aug 9, 2012)
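Review bot: the entry added under `## Rails 3.0.20 (unreleased)` describes the serializer change but not the symptom users will search for. Consider naming the `Hash::DisallowedType: Disallowed type attribute: "yaml"` error from the PR description, so that anyone who hits it in an ActiveResource consumer can find this fix from the CHANGELOG.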
1  activemodel/lib/active_model/serializers/xml.rb
@@ -33,6 +33,7 @@ def decorations
protected
def compute_type
+ return if value.nil?
type = ActiveSupport::XmlMini::TYPE_NAMES[value.class.name]
type ||= :string if value.respond_to?(:to_str)
type ||= :yaml
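Review bot: the `return if value.nil?` guard at the top of `compute_type` covers nil only; a non-nil value whose class is not in `ActiveSupport::XmlMini::TYPE_NAMES` and which does not respond to `to_str` still reaches `type ||= :yaml`, so `type="yaml"` can still be emitted for those values. A short comment above the guard saying why nil must not be typed, and a sentence in the description that non-nil yaml values are out of scope, would make the limit of this fix explicit.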
4 activemodel/test/cases/serializeration/xml_serialization_test.rb
@@ -86,6 +86,10 @@ def setup
assert_match %r{<name>aaron stack</name>}, @contact.to_xml
end
+ test "should serialize nil" do
+ assert_match %r{<pseudonyms nil=\"true\"></pseudonyms>}, @contact.to_xml(:methods => :pseudonyms)
+ end
+
test "should serialize integer" do
assert_match %r{<age type="integer">25</age>}, @contact.to_xml
end
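Review bot: in the new `should serialize nil` test the `\"` escapes inside `%r{...}` are unnecessary and differ from the neighbouring `%r{<age type="integer">25</age>}`; plain double quotes would match the style of the rest of the file.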
4 activemodel/test/models/contact.rb
@@ -16,6 +16,10 @@ def initialize(options = {})
options.each { |name, value| send("#{name}=", value) }
end
+ def pseudonyms
+ nil
+ end
+
def persisted?
id
end
5 activerecord/test/cases/xml_serialization_test.rb
@@ -143,10 +143,7 @@ def test_should_serialize_boolean
end
def test_should_serialize_yaml
- assert %r{<preferences(.*)></preferences>}.match(@xml)
- attributes = $1
- assert_match %r{type="yaml"}, attributes
- assert_match %r{nil="true"}, attributes
+ assert_match %r{<preferences nil=\"true\"></preferences>}, @xml
end
end
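Review bot: `test_should_serialize_yaml` now asserts only `<preferences nil="true"></preferences>`, so the name no longer describes what it checks and the removed `assert_match %r{type="yaml"}` leaves the yaml output path without an assertion in this test. Consider renaming it to say it covers a nil attribute and adding a separate case with a non-nil value that still expects `type="yaml"`.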