Instiki 0.17.2: Security Release

This release upgrades Instiki to Rails 2.3.4, which patches two security holes in Rails. See http://weblog.rubyonrails.org/2009/9/4/ruby-on-rails-2-3-4 There are also some new features, and the usual boatload of bugfixes. See the CHANGELOG for details.
2009-09-05 02:01:46 -05:00 · 2009-09-05 02:01:46 -05:00 · 4bdf703ab2
commit 4bdf703ab2
parent 34c4306867
211 changed files with 3959 additions and 1325 deletions
--- a/vendor/rails/activeresource/lib/active_resource/base.rb
+++ b/vendor/rails/activeresource/lib/active_resource/base.rb
@ -93,6 +93,8 @@ module ActiveResource
  #
  # Many REST APIs will require authentication, usually in the form of basic
  # HTTP authentication.  Authentication can be specified by:
+  #
+  # === HTTP Basic Authentication
  # * putting the credentials in the URL for the +site+ variable.
  #
  #    class Person < ActiveResource::Base
@ -112,6 +114,19 @@ module ActiveResource
  #
  # Note: Some values cannot be provided in the URL passed to site.  e.g. email addresses
  # as usernames.  In those situations you should use the separate user and password option.
+  #
+  # === Certificate Authentication
+  #
+  # * End point uses an X509 certificate for authentication. <tt>See ssl_options=</tt> for all options.
+  #
+  #    class Person < ActiveResource::Base
+  #      self.site = "https://secure.api.people.com/"
+  #      self.ssl_options = {:cert         => OpenSSL::X509::Certificate.new(File.open(pem_file))
+  #                          :key          => OpenSSL::PKey::RSA.new(File.open(pem_file)),
+  #                          :ca_path      => "/path/to/OpenSSL/formatted/CA_Certs",
+  #                          :verify_mode  => OpenSSL::SSL::VERIFY_PEER}
+  #    end
+  #
  # == Errors & Validation
  #
  # Error handling and validation is handled in much the same manner as you're used to seeing in
@ -138,6 +153,7 @@ module ActiveResource
  # * 404 - ActiveResource::ResourceNotFound
  # * 405 - ActiveResource::MethodNotAllowed
  # * 409 - ActiveResource::ResourceConflict
+  # * 410 - ActiveResource::ResourceGone
  # * 422 - ActiveResource::ResourceInvalid (rescued by save as validation errors)
  # * 401..499 - ActiveResource::ClientError
  # * 500..599 - ActiveResource::ServerError
@ -158,7 +174,7 @@ module ActiveResource
  #
  # Active Resource supports validations on resources and will return errors if any these validations fail
  # (e.g., "First name can not be blank" and so on).  These types of errors are denoted in the response by
-  # a response code of <tt>422</tt> and an XML representation of the validation errors.  The save operation will
+  # a response code of <tt>422</tt> and an XML or JSON representation of the validation errors.  The save operation will
  # then fail (with a <tt>false</tt> return value) and the validation errors can be accessed on the resource in question.
  #
  #   ryan = Person.find(1)
@ -167,10 +183,14 @@ module ActiveResource
  #
  #   # When
  #   # PUT http://api.people.com:3000/people/1.xml
+  #   # or
+  #   # PUT http://api.people.com:3000/people/1.json
  #   # is requested with invalid values, the response is:
  #   #
  #   # Response (422):
  #   # <errors type="array"><error>First cannot be empty</error></errors>
+  #   # or
+  #   # {"errors":["First cannot be empty"]}
  #   #
  #
  #   ryan.errors.invalid?(:first)  # => true
@ -246,6 +266,22 @@ module ActiveResource
        end
      end

+      # Gets the \proxy variable if a proxy is required
+      def proxy
+        # Not using superclass_delegating_reader. See +site+ for explanation
+        if defined?(@proxy)
+          @proxy
+        elsif superclass != Object && superclass.proxy
+          superclass.proxy.dup.freeze
+        end
+      end
+
+      # Sets the URI of the http proxy to the value in the +proxy+ argument.
+      def proxy=(proxy)
+        @connection = nil
+        @proxy = proxy.nil? ? nil : create_proxy_uri_from(proxy)
+      end
+
      # Gets the \user for REST HTTP authentication.
      def user
        # Not using superclass_delegating_reader. See +site+ for explanation
@ -315,15 +351,42 @@ module ActiveResource
        end
      end

+      # Options that will get applied to an SSL connection.
+      #
+      # * <tt>:key</tt> - An OpenSSL::PKey::RSA or OpenSSL::PKey::DSA object.
+      # * <tt>:cert</tt> - An OpenSSL::X509::Certificate object as client certificate
+      # * <tt>:ca_file</tt> - Path to a CA certification file in PEM format. The file can contrain several CA certificates.
+      # * <tt>:ca_path</tt> - Path of a CA certification directory containing certifications in PEM format.
+      # * <tt>:verify_mode</tt> - Flags for server the certification verification at begining of SSL/TLS session. (OpenSSL::SSL::VERIFY_NONE or OpenSSL::SSL::VERIFY_PEER is acceptable)
+      # * <tt>:verify_callback</tt> - The verify callback for the server certification verification.
+      # * <tt>:verify_depth</tt> - The maximum depth for the certificate chain verification.
+      # * <tt>:cert_store</tt> - OpenSSL::X509::Store to verify peer certificate.
+      # * <tt>:ssl_timeout</tt> -The SSL timeout in seconds.
+      def ssl_options=(opts={})
+        @connection   = nil
+        @ssl_options  = opts
+      end
+
+      # Returns the SSL options hash.
+      def ssl_options
+        if defined?(@ssl_options)
+          @ssl_options
+        elsif superclass != Object && superclass.ssl_options
+          superclass.ssl_options
+        end
+      end
+
      # An instance of ActiveResource::Connection that is the base \connection to the remote service.
      # The +refresh+ parameter toggles whether or not the \connection is refreshed at every request
      # or not (defaults to <tt>false</tt>).
      def connection(refresh = false)
        if defined?(@connection) || superclass == Object
          @connection = Connection.new(site, format) if refresh || @connection.nil?
+          @connection.proxy = proxy if proxy
          @connection.user = user if user
          @connection.password = password if password
          @connection.timeout = timeout if timeout
+          @connection.ssl_options = ssl_options if ssl_options
          @connection
        else
          superclass.connection
@ -557,7 +620,7 @@ module ActiveResource
          response.code.to_i == 200
        end
        # id && !find_single(id, options).nil?
-      rescue ActiveResource::ResourceNotFound
+      rescue ActiveResource::ResourceNotFound, ActiveResource::ResourceGone
        false
      end

@ -611,6 +674,11 @@ module ActiveResource
          site.is_a?(URI) ? site.dup : URI.parse(site)
        end

+        # Accepts a URI and creates the proxy URI from that.
+        def create_proxy_uri_from(proxy)
+          proxy.is_a?(URI) ? proxy.dup : URI.parse(proxy)
+        end
+
        # contains a set of the current prefix parameters.
        def prefix_parameters
          @prefix_parameters ||= prefix_source.scan(/:\w+/).map { |key| key[1..-1].to_sym }.to_set
@ -952,7 +1020,13 @@ module ActiveResource
          case value
            when Array
              resource = find_or_create_resource_for_collection(key)
-              value.map { |attrs| attrs.is_a?(String) ? attrs.dup : resource.new(attrs) }
+              value.map do |attrs|
+                if attrs.is_a?(String) || attrs.is_a?(Numeric)
+                  attrs.duplicable? ? attrs.dup : attrs
+                else
+                  resource.new(attrs)
+                end
+              end
            when Hash
              resource = find_or_create_resource_for(key)
              resource.new(value)