actionpack 2.1.1 → 2.1.2

data/CHANGELOG

@@ -1,3 +1,10 @@
+*2.1.2 (October 23rd, 2008)*
+
+* Sanitize the URLs passed to redirect_to to prevent a potential response splitting attack [koz]
+
+* Fixed FormTagHelper#submit_tag with :disable_with option wouldn't submit the button's value when was clicked #633 [Jose Fernandez]
+
+
 *2.1.1 (September 4th, 2008)*
 
 * All 2xx requests are considered successful [Josh Peek]

data/Rakefile

@@ -80,7 +80,7 @@ spec = Gem::Specification.new do |s|
   s.has_rdoc = true
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.1.1' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.1.2' + PKG_BUILD)
 
   s.require_path = 'lib'
   s.autorequire = 'action_controller'

data/lib/action_controller/response.rb

@@ -30,9 +30,9 @@ module ActionController
 
     def redirect(to_url, response_status)
       self.headers["Status"] = response_status
-      self.headers["Location"] = to_url
+      self.headers["Location"] = to_url.gsub(/[\r\n]/, '')
 
-      self.body = "<html><body>You are being <a href=\"#{to_url}\">redirected</a>.</body></html>"
+      self.body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(to_url)}\">redirected</a>.</body></html>"
     end
 
     def prepare!

data/lib/action_controller/routing/recognition_optimisation.rb

@@ -68,12 +68,16 @@ module ActionController
         end
       end
 
-      def recognize_optimized(path, env)
-        write_recognize_optimized
-        recognize_optimized(path, env)
+      def clear_recognize_optimized!
+        instance_eval %{
+          def recognize_optimized(path, env)
+            write_recognize_optimized!
+            recognize_optimized(path, env)
+          end
+        }, __FILE__, __LINE__
       end
 
-      def write_recognize_optimized
+      def write_recognize_optimized!
         tree = segment_tree(routes)
         body = generate_code(tree)
         instance_eval %{

data/lib/action_controller/routing/route_set.rb

@@ -194,6 +194,7 @@ module ActionController
       def initialize
         self.routes = []
         self.named_routes = NamedRouteCollection.new
+        clear_recognize_optimized!
       end
 
       # Subclasses and plugins may override this method to specify a different
@@ -213,9 +214,9 @@ module ActionController
         named_routes.clear
         @combined_regexp = nil
         @routes_by_controller = nil
-        # This will force routing/recognition_optimization.rb
+        # This will force routing/recognition_optimisation.rb
         # to refresh optimisations.
-        @compiled_recognize_optimized = nil
+        clear_recognize_optimized!
       end
 
       def install_helpers(destinations = [ActionController::Base, ActionView::Base], regenerate_code = false)

data/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 1
-    TINY  = 1
+    TINY  = 2
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/lib/action_view/helpers/form_options_helper.rb

@@ -400,6 +400,7 @@ module ActionView
       end
 
       def to_country_select_tag(priority_countries, options, html_options)
+        ActiveSupport::Deprecation.warn("country_select will be removed from 2.2.0.  http://www.rubyonrails.org/deprecation/list-of-countries has more information.", caller)
         html_options = html_options.stringify_keys
         add_default_name_and_id(html_options)
         value = value(object)

data/lib/action_view/helpers/form_tag_helper.rb

@@ -116,7 +116,7 @@ module ActionView
 
       # Creates a label field
       #
-      # ==== Options
+      # ==== Options  
       # * Creates standard HTML attributes for the tag.
       #
       # ==== Examples
@@ -351,19 +351,16 @@ module ActionView
           disable_with = "this.value='#{disable_with}'"
           disable_with << ";#{options.delete('onclick')}" if options['onclick']
           
-          options["onclick"] = [
-            "this.setAttribute('originalValue', this.value)",
-            "this.disabled=true",
-            disable_with,
-            "result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit())",
-            "if (result == false) { this.value = this.getAttribute('originalValue'); this.disabled = false }",
-            "return result;",
-          ].join(";")
+          options["onclick"]  = "if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }"
+          options["onclick"] << "else { hiddenCommit = this.cloneNode(false);hiddenCommit.setAttribute('type', 'hidden');this.form.appendChild(hiddenCommit); }"
+          options["onclick"] << "this.setAttribute('originalValue', this.value);this.disabled = true;#{disable_with};"
+          options["onclick"] << "result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());"
+          options["onclick"] << "if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;"
         end
         
         if confirm = options.delete("confirm")
           options["onclick"] ||= ''
-          options["onclick"] += "return #{confirm_javascript_function(confirm)};"
+          options["onclick"] << "return #{confirm_javascript_function(confirm)};"
         end
         
         tag :input, { "type" => "submit", "name" => "commit", "value" => value }.update(options.stringify_keys)

data/test/controller/routing_test.rb

@@ -671,6 +671,35 @@ class LegacyRouteSetTests < Test::Unit::TestCase
       x.send(:foo_with_requirement_url, "I am Against the requirements")
     end
   end
+
+  def test_routes_changed_correctly_after_clear
+    ActionController::Base.optimise_named_routes = true
+    rs = ::ActionController::Routing::RouteSet.new
+    rs.draw do |r|
+      r.connect 'ca', :controller => 'ca', :action => "aa"
+      r.connect 'cb', :controller => 'cb', :action => "ab"
+      r.connect 'cc', :controller => 'cc', :action => "ac"
+      r.connect ':controller/:action/:id'
+      r.connect ':controller/:action/:id.:format'
+    end
+
+    hash = rs.recognize_path "/cc"
+
+    assert_not_nil hash
+    assert_equal %w(cc ac), [hash[:controller], hash[:action]]
+
+    rs.draw do |r|
+      r.connect 'cb', :controller => 'cb', :action => "ab"
+      r.connect 'cc', :controller => 'cc', :action => "ac"    
+      r.connect ':controller/:action/:id'
+      r.connect ':controller/:action/:id.:format'
+    end
+
+    hash = rs.recognize_path "/cc"
+
+    assert_not_nil hash
+    assert_equal %w(cc ac), [hash[:controller], hash[:action]]
+  end
 end
 
 class SegmentTest < Test::Unit::TestCase

data/test/template/form_options_helper_test.rb

@@ -656,7 +656,9 @@ uses_mocha "FormOptionsHelperTest" do
 <option value="Zambia">Zambia</option>
 <option value="Zimbabwe">Zimbabwe</option></select>
   COUNTRIES
-      assert_dom_equal(expected_select[0..-2], country_select("post", "origin"))
+      assert_deprecated 'list-of-countries' do
+        assert_dom_equal(expected_select[0..-2], country_select("post", "origin"))
+      end
     end
 
     def test_country_select_with_priority_countries
@@ -911,7 +913,9 @@ uses_mocha "FormOptionsHelperTest" do
 <option value="Zambia">Zambia</option>
 <option value="Zimbabwe">Zimbabwe</option></select>
   COUNTRIES
-      assert_dom_equal(expected_select[0..-2], country_select("post", "origin", ["New Zealand", "Nicaragua"]))
+      assert_deprecated 'list-of-countries' do
+        assert_dom_equal(expected_select[0..-2], country_select("post", "origin", ["New Zealand", "Nicaragua"]))
+      end
     end
 
     def test_country_select_with_selected_priority_country
@@ -1166,7 +1170,9 @@ uses_mocha "FormOptionsHelperTest" do
 <option value="Zambia">Zambia</option>
 <option value="Zimbabwe">Zimbabwe</option></select>
   COUNTRIES
-      assert_dom_equal(expected_select[0..-2], country_select("post", "origin", ["New Zealand", "Nicaragua"]))
+      assert_deprecated 'list-of-countries' do
+        assert_dom_equal(expected_select[0..-2], country_select("post", "origin", ["New Zealand", "Nicaragua"]))
+      end
     end
 
     def test_time_zone_select

data/test/template/form_tag_helper_test.rb

@@ -223,14 +223,14 @@ class FormTagHelperTest < ActionView::TestCase
 
   def test_submit_tag
     assert_dom_equal(
-      %(<input name='commit' type='submit' value='Save' onclick="this.setAttribute('originalValue', this.value);this.disabled=true;this.value='Saving...';alert('hello!');result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue'); this.disabled = false };return result;" />),
+      %(<input name='commit' type='submit' value='Save' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = this.cloneNode(false);hiddenCommit.setAttribute('type', 'hidden');this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';alert('hello!');result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" />),
       submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
     )
   end
 
   def test_submit_tag_with_no_onclick_options
     assert_dom_equal(
-      %(<input name='commit' type='submit' value='Save' onclick="this.setAttribute('originalValue', this.value);this.disabled=true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue'); this.disabled = false };return result;" />),
+      %(<input name='commit' type='submit' value='Save' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = this.cloneNode(false);hiddenCommit.setAttribute('type', 'hidden');this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" />),
       submit_tag("Save", :disable_with => "Saving...")
     )
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: actionpack
 version: !ruby/object:Gem::Version 
-  version: 2.1.1
+  version: 2.1.2
 platform: ruby
 authors: 
 - David Heinemeier Hansson
@@ -9,7 +9,7 @@ autorequire: action_controller
 bindir: bin
 cert_chain: []
 
-date: 2008-09-04 00:00:00 +02:00
+date: 2008-10-23 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -20,7 +20,7 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        version: 2.1.1
+        version: 2.1.2
     version: 
 description: Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.
 email: david@loudthinking.com
@@ -476,7 +476,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: 
 - none
 rubyforge_project: actionpack
-rubygems_version: 1.2.0
+rubygems_version: 1.3.0
 signing_key: 
 specification_version: 2
 summary: Web-flow and rendering framework putting the VC in MVC.