Security: Update to Rails 2.3.14

2011-08-19 01:54:58 -05:00 · 2011-08-19 01:54:58 -05:00 · 4b2448b09a
commit 4b2448b09a
parent 3c650f2cf6
26 changed files with 106 additions and 33 deletions
--- a/vendor/rails/actionpack/lib/action_controller/response.rb
+++ b/vendor/rails/actionpack/lib/action_controller/response.rb
@ -64,12 +64,13 @@ module ActionController # :nodoc:
    # the character set information will also be included in the content type
    # information.
    def content_type=(mime_type)
-      self.headers["Content-Type"] =
+      new_content_type =
        if mime_type =~ /charset/ || (c = charset).nil?
          mime_type.to_s
        else
          "#{mime_type}; charset=#{c}"
        end
+      self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
    end

    # Returns the response's content MIME type, or nil if content type has been set.
--- a/vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@ -162,7 +162,7 @@ module HTML #:nodoc:
          end
          
          closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
          name.downcase!
  
          unless closing