Security: Update to Rails 2.3.14

vendor/rails/actionmailer/Rakefile

@@ -54,7 +54,7 @@ spec = Gem::Specification.new do |s|
   s.rubyforge_project = "actionmailer"
   s.homepage = "http://www.rubyonrails.org"
 
-  s.add_dependency('actionpack', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('actionpack', '= 2.3.14' + PKG_BUILD)
 
   s.requirements << 'none'
   s.require_path = 'lib'

vendor/rails/actionmailer/lib/action_mailer/version.rb

@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 12
+    TINY  = 14
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

vendor/rails/actionpack/CHANGELOG

@@ -1935,7 +1935,7 @@ superclass' view_paths.  [Rick Olson]
 
 * Update documentation for erb trim syntax. #5651 [matt@mattmargolis.net]
 
-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]
 
 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]
 
@@ -2532,7 +2532,7 @@ superclass' view_paths.  [Rick Olson]
 
 * Provide support for decimal columns to form helpers. Closes #5672. [Dave Thomas]
 
-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]
 
 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]
 

vendor/rails/actionpack/Rakefile

@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
 
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
   s.add_dependency('rack', '~> 1.1.0')
 
   s.require_path = 'lib'

vendor/rails/actionpack/lib/action_controller/response.rb

@@ -64,12 +64,13 @@ module ActionController # :nodoc:
     # the character set information will also be included in the content type
     # information.
     def content_type=(mime_type)
-      self.headers["Content-Type"] =
+      new_content_type =
         if mime_type =~ /charset/ || (c = charset).nil?
           mime_type.to_s
         else
           "#{mime_type}; charset=#{c}"
         end
+      self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
     end
 
     # Returns the response's content MIME type, or nil if content type has been set.

vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb

@@ -162,7 +162,7 @@ module HTML #:nodoc:
           end
           
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
           name.downcase!
   
           unless closing

vendor/rails/actionpack/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 12
+    TINY  = 14
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

vendor/rails/actionpack/lib/action_view/template_handlers/erb.rb

@@ -15,7 +15,6 @@ module ActionView
         erb = "#{magic}<% __in_erb_template=true %>#{template.source}"
 
         if erb.respond_to?(:force_encoding)
-          erb.force_encoding(template.source.encoding)
 #          erb.force_encoding(template.source.encoding)
           erb.force_encoding('UTF-8')
         end

vendor/rails/actionpack/test/controller/content_type_test.rb

@@ -46,6 +46,11 @@ class ContentTypeController < ActionController::Base
       format.rss  { render :text   => "hello world!", :content_type => Mime::XML }
     end
   end
+  
+  def render_content_type_from_user_input
+    response.content_type= params[:hello]
+    render :text=>"hello"
+  end
 
   def rescue_action(e) raise end
 end
@@ -129,6 +134,11 @@ class ContentTypeTest < ActionController::TestCase
     assert_equal Mime::HTML, @response.content_type
     assert_equal "utf-8", @response.charset
   end
+  
+  def test_user_supplied_value
+    get :render_content_type_from_user_input, :hello=>"hello/world\r\nAttack: true"
+    assert_equal "hello/world%0D%0AAttack: true", @response.content_type
+  end
 end
 
 class AcceptBasedContentTypeTest < ActionController::TestCase

vendor/rails/actionpack/test/controller/html-scanner/sanitizer_test.rb

@@ -5,6 +5,13 @@ class SanitizerTest < ActionController::TestCase
     @sanitizer = nil # used by assert_sanitizer
   end
 
+  def test_strip_tags_with_quote
+    sanitizer = HTML::FullSanitizer.new
+    string    = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+    assert_equal ' hi', sanitizer.sanitize(string)
+  end
+
   def test_strip_tags
     sanitizer = HTML::FullSanitizer.new
     assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))

vendor/rails/activerecord/Rakefile

@@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
     s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
   end
 
-  s.add_dependency('activesupport', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
 
   s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
   s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"

vendor/rails/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb

@@ -238,7 +238,7 @@ module ActiveRecord
       end
 
       def quote_column_name(name) #:nodoc:
-        @quoted_column_names[name] ||= "`#{name}`"
+        @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
       end
 
       def quote_table_name(name) #:nodoc:

vendor/rails/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb

@@ -162,7 +162,7 @@ module ActiveRecord
       end
 
       def quote_column_name(name) #:nodoc:
-        %Q("#{name}")
+        %Q("#{name.to_s.gsub('"', '""')}")
       end
 
 

vendor/rails/activerecord/lib/active_record/validations.rb

@@ -333,7 +333,6 @@ module ActiveRecord
     end
 
     def generate_message(attribute, message = :invalid, options = {})
-      ActiveSupport::Deprecation.warn("ActiveRecord::Errors#generate_message has been deprecated. Please use ActiveRecord::Error.new().to_s.")
       Error.new(@base, attribute, message, options).to_s
     end
   end

vendor/rails/activerecord/lib/active_record/version.rb

@@ -2,7 +2,7 @@ module ActiveRecord
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 12
+    TINY  = 14
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

vendor/rails/activerecord/test/cases/base_test.rb

@@ -79,6 +79,23 @@ end
 class BasicsTest < ActiveRecord::TestCase
   fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
 
+  def test_column_names_are_escaped
+    conn      = ActiveRecord::Base.connection
+    classname = conn.class.name[/[^:]*$/]
+    badchar   = {
+      'SQLite3Adapter'    => '"',
+      'MysqlAdapter'      => '`',
+      'Mysql2Adapter'     => '`',
+      'PostgreSQLAdapter' => '"',
+      'OracleAdapter'     => '"',
+    }.fetch(classname) {
+      raise "need a bad char for #{classname}"
+    }
+
+    quoted = conn.quote_column_name "foo#{badchar}bar"
+    assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
+  end
+
   def test_table_exists
     assert !NonExistentTable.table_exists?
     assert Topic.table_exists?

vendor/rails/activeresource/Rakefile

@@ -1,9 +1,9 @@
 require 'rubygems'
 require 'rake'
 require 'rake/testtask'
-require 'rake/rdoctask'
+require 'rdoc/task'
 require 'rake/packagetask'
-require 'rake/gempackagetask'
+require 'rubygems/package_task'
 
 require File.join(File.dirname(__FILE__), 'lib', 'active_resource', 'version')
 
@@ -38,7 +38,7 @@ Rake::TestTask.new { |t|
 
 # Generate the RDoc documentation
 
-Rake::RDocTask.new { |rdoc|
+RDoc::Task.new { |rdoc|
   rdoc.rdoc_dir = 'doc'
   rdoc.title    = "Active Resource -- Object-oriented REST services"
   rdoc.options << '--line-numbers' << '--inline-source' << '-A cattr_accessor=object'
@@ -66,12 +66,10 @@ spec = Gem::Specification.new do |s|
     s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
   end
   
-  s.add_dependency('activesupport', '= 2.3.11' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
 
   s.require_path = 'lib'
-  s.autorequire = 'active_resource'
 
-  s.has_rdoc = true
   s.extra_rdoc_files = %w( README )
   s.rdoc_options.concat ['--main',  'README']
   
@@ -81,7 +79,7 @@ spec = Gem::Specification.new do |s|
   s.rubyforge_project = "activeresource"
 end
   
-Rake::GemPackageTask.new(spec) do |p|
+Gem::PackageTask.new(spec) do |p|
   p.gem_spec = spec
   p.need_tar = true
   p.need_zip = true

vendor/rails/activeresource/lib/active_resource/version.rb

@@ -2,7 +2,7 @@ module ActiveResource
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 11
+    TINY  = 14
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

vendor/rails/activesupport/lib/active_support/core_ext/string/output_safety.rb

@@ -19,7 +19,7 @@ class ERB
       if s.html_safe?
         s
       else
-        s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
+        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
       end
     end
 

vendor/rails/activesupport/lib/active_support/ordered_hash.rb

@@ -130,14 +130,18 @@ module ActiveSupport
       end
 
       def merge!(other_hash)
-        other_hash.each {|k,v| self[k] = v }
+        if block_given?
+          other_hash.each { |k, v| self[k] = key?(k) ? yield(k, self[k], v) : v }
+        else
+          other_hash.each { |k, v| self[k] = v }
+        end
         self
       end
 
       alias_method :update, :merge!
 
-      def merge(other_hash)
-        dup.merge!(other_hash)
+      def merge(other_hash, &block)
+        dup.merge!(other_hash, &block)
       end
 
       # When replacing with another hash, the initial order of our keys must come from the other hash -ordered or not.

vendor/rails/activesupport/lib/active_support/version.rb

@@ -2,7 +2,7 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 12
+    TINY  = 14
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

vendor/rails/activesupport/test/core_ext/string_ext_test.rb

@@ -2,10 +2,17 @@
 require 'date'
 require 'abstract_unit'
 require 'inflector_test_cases'
+require 'active_support/core_ext/string/output_safety'
 
 class StringInflectionsTest < Test::Unit::TestCase
   include InflectorTestCases
 
+  def test_erb_escape
+    string = [192, 60].pack('CC')
+    expected = 192.chr + "&lt;"
+    assert_equal expected, ERB::Util.html_escape(string)
+  end
+
   def test_pluralize
     SingularToPlural.each do |singular, plural|
       assert_equal(plural, singular.pluralize)

vendor/rails/activesupport/test/ordered_hash_test.rb

@@ -147,6 +147,32 @@ class OrderedHashTest < Test::Unit::TestCase
     assert_equal @ordered_hash.keys, merged.keys
   end
 
+  def test_merge_with_block
+    hash = ActiveSupport::OrderedHash.new
+    hash[:a] = 0
+    hash[:b] = 0
+    merged = hash.merge(:b => 2, :c => 7) do |key, old_value, new_value|
+      new_value + 1
+    end
+
+    assert_equal 0, merged[:a]
+    assert_equal 3, merged[:b]
+    assert_equal 7, merged[:c]
+  end
+
+  def test_merge_bang_with_block
+    hash = ActiveSupport::OrderedHash.new
+    hash[:a] = 0
+    hash[:b] = 0
+    hash.merge!(:a => 1, :c => 7) do |key, old_value, new_value|
+      new_value + 3
+    end
+
+    assert_equal 4, hash[:a]
+    assert_equal 0, hash[:b]
+    assert_equal 7, hash[:c]
+  end
+
   def test_shift
     pair = @ordered_hash.shift
     assert_equal [@keys.first, @values.first], pair

vendor/rails/railties/Rakefile

@@ -313,11 +313,11 @@ spec = Gem::Specification.new do |s|
   EOF
 
   s.add_dependency('rake', '>= 0.8.3')
-  s.add_dependency('activesupport',    '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('activerecord',     '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('actionpack',       '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('actionmailer',     '= 2.3.12' + PKG_BUILD)
-  s.add_dependency('activeresource',   '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport',    '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('activerecord',     '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('actionpack',       '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('actionmailer',     '= 2.3.14' + PKG_BUILD)
+  s.add_dependency('activeresource',   '= 2.3.14' + PKG_BUILD)
 
   s.rdoc_options << '--exclude' << '.'
 

vendor/rails/railties/lib/rails/version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 12
+    TINY  = 14
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

vendor/rails/railties/lib/tasks/documentation.rake

@@ -1,3 +1,5 @@
+begin
+  require 'rdoc/task'
 namespace :doc do
   desc "Generate documentation for the application. Set custom template with TEMPLATE=/path/to/rdoc/template.rb or title with TITLE=\"Custom Title\""
   RDoc::Task.new("app") { |rdoc|
@@ -86,3 +88,6 @@ namespace :doc do
     end
   end
 end
+rescue LoadError
+  $stderr.puts 'Please install RDoc 2.4.2+ to generate documentation.'
+end