Security: Update to Rails 2.3.14

2011-08-19 01:54:58 -05:00 · 2011-08-19 01:54:58 -05:00 · 4b2448b09a
parent 3c650f2cf6
commit 4b2448b09a
26 changed files with 106 additions and 33 deletions
--- a/vendor/rails/actionmailer/Rakefile
+++ b/vendor/rails/actionmailer/Rakefile
@ -54,7 +54,7 @@ spec = Gem::Specification.new do |s|
  s.rubyforge_project = "actionmailer"
  s.homepage = "http://www.rubyonrails.org"

-  s.add_dependency('actionpack', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('actionpack', '= 2.3.14' + PKG_BUILD)

  s.requirements << 'none'
  s.require_path = 'lib'
--- a/vendor/rails/actionmailer/lib/action_mailer/version.rb
+++ b/vendor/rails/actionmailer/lib/action_mailer/version.rb
@ -2,7 +2,7 @@ module ActionMailer
  module VERSION #:nodoc:
    MAJOR = 2
    MINOR = 3
-    TINY  = 12
+    TINY  = 14

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/vendor/rails/actionpack/CHANGELOG
+++ b/vendor/rails/actionpack/CHANGELOG
@ -1935,7 +1935,7 @@ superclass' view_paths.  [Rick Olson]

 * Update documentation for erb trim syntax. #5651 [matt@mattmargolis.net]

-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]

 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]

@ -2532,7 +2532,7 @@ superclass' view_paths.  [Rick Olson]

 * Provide support for decimal columns to form helpers. Closes #5672. [Dave Thomas]

-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]

 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]

--- a/vendor/rails/actionpack/Rakefile
+++ b/vendor/rails/actionpack/Rakefile
@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|

  s.requirements << 'none'

-  s.add_dependency('activesupport', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
  s.add_dependency('rack', '~> 1.1.0')

  s.require_path = 'lib'
--- a/vendor/rails/actionpack/lib/action_controller/response.rb
+++ b/vendor/rails/actionpack/lib/action_controller/response.rb
@ -64,12 +64,13 @@ module ActionController # :nodoc:
    # the character set information will also be included in the content type
    # information.
    def content_type=(mime_type)
-      self.headers["Content-Type"] =
+      new_content_type =
        if mime_type =~ /charset/ || (c = charset).nil?
          mime_type.to_s
        else
          "#{mime_type}; charset=#{c}"
        end
+      self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
    end

    # Returns the response's content MIME type, or nil if content type has been set.
--- a/vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@ -162,7 +162,7 @@ module HTML #:nodoc:
          end
          
          closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
          name.downcase!
  
          unless closing
--- a/vendor/rails/actionpack/lib/action_pack/version.rb
+++ b/vendor/rails/actionpack/lib/action_pack/version.rb
@ -2,7 +2,7 @@ module ActionPack #:nodoc:
  module VERSION #:nodoc:
    MAJOR = 2
    MINOR = 3
-    TINY  = 12
+    TINY  = 14

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/vendor/rails/actionpack/lib/action_view/template_handlers/erb.rb
+++ b/vendor/rails/actionpack/lib/action_view/template_handlers/erb.rb
@ -15,7 +15,6 @@ module ActionView
        erb = "#{magic}<% __in_erb_template=true %>#{template.source}"

        if erb.respond_to?(:force_encoding)
-          erb.force_encoding(template.source.encoding)
 #          erb.force_encoding(template.source.encoding)
          erb.force_encoding('UTF-8')
        end
--- a/vendor/rails/actionpack/test/controller/content_type_test.rb
+++ b/vendor/rails/actionpack/test/controller/content_type_test.rb
@ -46,6 +46,11 @@ class ContentTypeController < ActionController::Base
      format.rss  { render :text   => "hello world!", :content_type => Mime::XML }
    end
  end
+  
+  def render_content_type_from_user_input
+    response.content_type= params[:hello]
+    render :text=>"hello"
+  end

  def rescue_action(e) raise end
 end
@ -129,6 +134,11 @@ class ContentTypeTest < ActionController::TestCase
    assert_equal Mime::HTML, @response.content_type
    assert_equal "utf-8", @response.charset
  end
+  
+  def test_user_supplied_value
+    get :render_content_type_from_user_input, :hello=>"hello/world\r\nAttack: true"
+    assert_equal "hello/world%0D%0AAttack: true", @response.content_type
+  end
 end

 class AcceptBasedContentTypeTest < ActionController::TestCase
--- a/vendor/rails/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/vendor/rails/actionpack/test/controller/html-scanner/sanitizer_test.rb
@ -5,6 +5,13 @@ class SanitizerTest < ActionController::TestCase
    @sanitizer = nil # used by assert_sanitizer
  end

+  def test_strip_tags_with_quote
+    sanitizer = HTML::FullSanitizer.new
+    string    = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+    assert_equal ' hi', sanitizer.sanitize(string)
+  end
+
  def test_strip_tags
    sanitizer = HTML::FullSanitizer.new
    assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
--- a/vendor/rails/activerecord/Rakefile
+++ b/vendor/rails/activerecord/Rakefile
@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
    s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
  end

-  s.add_dependency('activesupport', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)

  s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
  s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"
--- a/vendor/rails/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+++ b/vendor/rails/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@ -238,7 +238,7 @@ module ActiveRecord
      end

      def quote_column_name(name) #:nodoc:
-        @quoted_column_names[name] ||= "`#{name}`"
+        @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
      end

      def quote_table_name(name) #:nodoc:
--- a/vendor/rails/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
+++ b/vendor/rails/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
@ -162,7 +162,7 @@ module ActiveRecord
      end

      def quote_column_name(name) #:nodoc:
-        %Q("#{name}")
+        %Q("#{name.to_s.gsub('"', '""')}")
      end


--- a/vendor/rails/activerecord/lib/active_record/validations.rb
+++ b/vendor/rails/activerecord/lib/active_record/validations.rb
@ -333,7 +333,6 @@ module ActiveRecord
    end

    def generate_message(attribute, message = :invalid, options = {})
-      ActiveSupport::Deprecation.warn("ActiveRecord::Errors#generate_message has been deprecated. Please use ActiveRecord::Error.new().to_s.")
      Error.new(@base, attribute, message, options).to_s
    end
  end
--- a/vendor/rails/activerecord/lib/active_record/version.rb
+++ b/vendor/rails/activerecord/lib/active_record/version.rb
@ -2,7 +2,7 @@ module ActiveRecord
  module VERSION #:nodoc:
    MAJOR = 2
    MINOR = 3
-    TINY  = 12
+    TINY  = 14

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/vendor/rails/activerecord/test/cases/base_test.rb
+++ b/vendor/rails/activerecord/test/cases/base_test.rb
@ -79,6 +79,23 @@ end
 class BasicsTest < ActiveRecord::TestCase
  fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts

+  def test_column_names_are_escaped
+    conn      = ActiveRecord::Base.connection
+    classname = conn.class.name[/[^:]*$/]
+    badchar   = {
+      'SQLite3Adapter'    => '"',
+      'MysqlAdapter'      => '`',
+      'Mysql2Adapter'     => '`',
+      'PostgreSQLAdapter' => '"',
+      'OracleAdapter'     => '"',
+    }.fetch(classname) {
+      raise "need a bad char for #{classname}"
+    }
+
+    quoted = conn.quote_column_name "foo#{badchar}bar"
+    assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
+  end
+
  def test_table_exists
    assert !NonExistentTable.table_exists?
    assert Topic.table_exists?
--- a/vendor/rails/activeresource/Rakefile
+++ b/vendor/rails/activeresource/Rakefile
@ -1,9 +1,9 @@
 require 'rubygems'
 require 'rake'
 require 'rake/testtask'
-require 'rake/rdoctask'
+require 'rdoc/task'
 require 'rake/packagetask'
-require 'rake/gempackagetask'
+require 'rubygems/package_task'

 require File.join(File.dirname(__FILE__), 'lib', 'active_resource', 'version')

@ -38,7 +38,7 @@ Rake::TestTask.new { |t|

 # Generate the RDoc documentation

-Rake::RDocTask.new { |rdoc|
+RDoc::Task.new { |rdoc|
  rdoc.rdoc_dir = 'doc'
  rdoc.title    = "Active Resource -- Object-oriented REST services"
  rdoc.options << '--line-numbers' << '--inline-source' << '-A cattr_accessor=object'
@ -66,12 +66,10 @@ spec = Gem::Specification.new do |s|
    s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
  end
  
-  s.add_dependency('activesupport', '= 2.3.11' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)

  s.require_path = 'lib'
-  s.autorequire = 'active_resource'

-  s.has_rdoc = true
  s.extra_rdoc_files = %w( README )
  s.rdoc_options.concat ['--main',  'README']
  
@ -81,7 +79,7 @@ spec = Gem::Specification.new do |s|
  s.rubyforge_project = "activeresource"
 end
  
-Rake::GemPackageTask.new(spec) do |p|
+Gem::PackageTask.new(spec) do |p|
  p.gem_spec = spec
  p.need_tar = true
  p.need_zip = true
--- a/vendor/rails/activeresource/lib/active_resource/version.rb
+++ b/vendor/rails/activeresource/lib/active_resource/version.rb
@ -2,7 +2,7 @@ module ActiveResource
  module VERSION #:nodoc:
    MAJOR = 2
    MINOR = 3
-    TINY  = 11
+    TINY  = 14

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/vendor/rails/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/vendor/rails/activesupport/lib/active_support/core_ext/string/output_safety.rb
@ -19,7 +19,7 @@ class ERB
      if s.html_safe?
        s
      else
-        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
      end
    end

--- a/vendor/rails/activesupport/lib/active_support/ordered_hash.rb
+++ b/vendor/rails/activesupport/lib/active_support/ordered_hash.rb
@ -130,14 +130,18 @@ module ActiveSupport
      end

      def merge!(other_hash)
-        other_hash.each {|k,v| self[k] = v }
+        if block_given?
+          other_hash.each { |k, v| self[k] = key?(k) ? yield(k, self[k], v) : v }
+        else
+          other_hash.each { |k, v| self[k] = v }
+        end
        self
      end

      alias_method :update, :merge!

-      def merge(other_hash)
-        dup.merge!(other_hash)
+      def merge(other_hash, &block)
+        dup.merge!(other_hash, &block)
      end

      # When replacing with another hash, the initial order of our keys must come from the other hash -ordered or not.
--- a/vendor/rails/activesupport/lib/active_support/version.rb
+++ b/vendor/rails/activesupport/lib/active_support/version.rb
@ -2,7 +2,7 @@ module ActiveSupport
  module VERSION #:nodoc:
    MAJOR = 2
    MINOR = 3
-    TINY  = 12
+    TINY  = 14

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/vendor/rails/activesupport/test/core_ext/string_ext_test.rb
+++ b/vendor/rails/activesupport/test/core_ext/string_ext_test.rb
@ -2,10 +2,17 @@
 require 'date'
 require 'abstract_unit'
 require 'inflector_test_cases'
+require 'active_support/core_ext/string/output_safety'

 class StringInflectionsTest < Test::Unit::TestCase
  include InflectorTestCases

+  def test_erb_escape
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
  def test_pluralize
    SingularToPlural.each do |singular, plural|
      assert_equal(plural, singular.pluralize)
--- a/vendor/rails/activesupport/test/ordered_hash_test.rb
+++ b/vendor/rails/activesupport/test/ordered_hash_test.rb
@ -147,6 +147,32 @@ class OrderedHashTest < Test::Unit::TestCase
    assert_equal @ordered_hash.keys, merged.keys
  end

+  def test_merge_with_block
+    hash = ActiveSupport::OrderedHash.new
+    hash[:a] = 0
+    hash[:b] = 0
+    merged = hash.merge(:b => 2, :c => 7) do |key, old_value, new_value|
+      new_value + 1
+    end
+
+    assert_equal 0, merged[:a]
+    assert_equal 3, merged[:b]
+    assert_equal 7, merged[:c]
+  end
+
+  def test_merge_bang_with_block
+    hash = ActiveSupport::OrderedHash.new
+    hash[:a] = 0
+    hash[:b] = 0
+    hash.merge!(:a => 1, :c => 7) do |key, old_value, new_value|
+      new_value + 3
+    end
+
+    assert_equal 4, hash[:a]
+    assert_equal 0, hash[:b]
+    assert_equal 7, hash[:c]
+  end
+
  def test_shift
    pair = @ordered_hash.shift
    assert_equal [@keys.first, @values.first], pair
--- a/vendor/rails/railties/Rakefile
+++ b/vendor/rails/railties/Rakefile
@ -313,11 +313,11 @@ spec = Gem::Specification.new do |s|
  EOF

  s.add_dependency('rake', '>= 0.8.3')
-  s.add_dependency('activesupport',    '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('activerecord',     '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('actionpack',       '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('actionmailer',     '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('activeresource',   '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport',    '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('activerecord',     '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('actionpack',       '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('actionmailer',     '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('activeresource',   '= 2.3.14' + PKG_BUILD)

  s.rdoc_options << '--exclude' << '.'

--- a/vendor/rails/railties/lib/rails/version.rb
+++ b/vendor/rails/railties/lib/rails/version.rb
@ -2,7 +2,7 @@ module Rails
  module VERSION #:nodoc:
    MAJOR = 2
    MINOR = 3
-    TINY  = 12
+    TINY  = 14

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/vendor/rails/railties/lib/tasks/documentation.rake
+++ b/vendor/rails/railties/lib/tasks/documentation.rake
@ -1,3 +1,5 @@
+begin
+  require 'rdoc/task'
 namespace :doc do
  desc "Generate documentation for the application. Set custom template with TEMPLATE=/path/to/rdoc/template.rb or title with TITLE=\"Custom Title\""
  RDoc::Task.new("app") { |rdoc|
@ -86,3 +88,6 @@ namespace :doc do
    end
  end
 end
+rescue LoadError
+  $stderr.puts 'Please install RDoc 2.4.2+ to generate documentation.'
+end