actionpack 3.0.8 → 3.0.9.rc1





data/CHANGELOG CHANGED
@@ -1,7 +1,36 @@
1
- *Rails 3.0.8 (unreleased)*
1
+ *Rails 3.0.9 (unreleased)*
2
+
3
+ * Fix text helpers to work correctly with the new SafeBuffer restriction [Paul Gallagher, Arun Agrawal, Prem Sichanugrist]
4
+
5
+
6
+ *Rails 3.0.8 (June 7, 2011)*
7
+
8
+ * It is prohibited to perform a in-place SafeBuffer mutation [tenderlove]
9
+
10
+ The old behavior of SafeBuffer allowed you to mutate string in place via
11
+ method like `sub!`. These methods can add unsafe strings to a safe buffer,
12
+ and the safe buffer will continue to be marked as safe.
13
+
14
+ An example problem would be something like this:
15
+
16
+ <%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %>
17
+
18
+ In the above example, an untrusted string (`params[:xss]`) is added to the
19
+ safe buffer returned by `link_to`, and the untrusted content is successfully
20
+ sent to the client without being escaped. To prevent this from happening
21
+ `sub!` and other similar methods will now raise an exception when they are called on a safe buffer.
22
+
23
+ In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example:
24
+
25
+ <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>
26
+
27
+ The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe.
28
+
29
+ You can read more about this change in http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2e516e7acc96c4fb
2
30
 
3
31
  * Fixed github issue #342 with asset paths and relative roots.
4
32
 
33
+
5
34
  *Rails 3.0.7 (April 18, 2011)*
6
35
 
7
36
  *No changes.
@@ -2,8 +2,8 @@ module ActionPack
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 0
5
- TINY = 8
6
- PRE = nil
5
+ TINY = 9
6
+ PRE = "rc1"
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
9
9
  end
@@ -53,7 +53,13 @@ module ActionView
53
53
  # This dance is needed because Builder can't use capture
54
54
  pos = output_buffer.length
55
55
  yield
56
- fragment = output_buffer.slice!(pos..-1)
56
+ if output_buffer.is_a?(ActionView::OutputBuffer)
57
+ safe_output_buffer = output_buffer.to_str
58
+ fragment = safe_output_buffer.slice!(pos..-1)
59
+ self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer)
60
+ else
61
+ fragment = output_buffer.slice!(pos..-1)
62
+ end
57
63
  controller.write_fragment(name, fragment, options)
58
64
  end
59
65
  end
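Review bot: The local `safe_output_buffer` on the added lines holds a plain `String` produced by `to_str`, which is precisely the value that is no longer marked safe, so the name says the opposite of what it holds; `plain_buffer` would read correctly. The copy-cut-rewrap sequence exists because `slice!` on an `ActionView::OutputBuffer` raises under the 3.0.8 in-place mutation rule described in the CHANGELOG, but nothing in the hunk says so; a comment such as `# OutputBuffer forbids in-place mutation (slice!): cut the fragment from a plain String copy and re-wrap the remainder` would stop the next reader from collapsing it back to the `else` branch. Note also that `fragment` handed to `write_fragment` is now a plain String rather than a safe buffer; whether the read-back path re-marks it safe is decided outside this hunk, and the enclosing method starts before the hunk.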
@@ -49,7 +49,7 @@ module ActionView
49
49
  # Escape carrier returns and single and double quotes for JavaScript segments.
50
50
  def escape_javascript(javascript)
51
51
  if javascript
52
- javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[$1] }
52
+ javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] }
53
53
  else
54
54
  ''
55
55
  end
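Review bot: Under the 3.0.8 rule quoted in the CHANGELOG (every string returned by these methods on a safe buffer is unsafe), the `gsub` on new line 52 now returns an unsafe `String` even when `javascript` was `html_safe?`, so an already-safe fragment that `<%= %>` previously emitted as-is would be HTML-escaped a second time; if that is not intended, keep the flag with `result = javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { |match| JS_ESCAPE_MAP[match] }` followed by `javascript.html_safe? ? result.html_safe : result`. The move from `$1` to the block argument is presumably needed because the block is now invoked through SafeBuffer's delegating `gsub`, where the `$~`-derived specials are not set in the block's frame and `JS_ESCAPE_MAP[nil]` would silently replace each match with an empty string; a one-line comment stating that would keep the change from being tidied back to `$1`. The method comment should also say that escaping `</` only prevents closing the enclosing script tag and that the result is safe solely inside a JavaScript string literal.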
@@ -483,7 +483,7 @@ module ActionView
483
483
  extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil?
484
484
  extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
485
485
 
486
- email_address_obfuscated = email_address.dup
486
+ email_address_obfuscated = email_address.to_str
487
487
  email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
488
488
  email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
489
489
 
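Review bot: `String#to_str` returns the receiver itself for a plain `String` and a fresh copy only for a subclass such as `SafeBuffer`, so the `gsub!` calls on the two lines below now modify the caller's `email_address` argument in place when a plain string is passed, where the old `dup` left it untouched (and a frozen string would now raise). A copy that is both plain and fresh is `email_address_obfuscated = String.new(email_address)`. The move away from `dup` is presumably because `dup` preserves the SafeBuffer subclass, on which `gsub!` raises since 3.0.8; a comment such as `# plain String copy: SafeBuffer forbids in-place gsub!` would explain it. `mail_to` starts before and ends after this hunk, so how the obfuscated address is emitted is not visible here.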
metadata CHANGED
@@ -1,13 +1,15 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- hash: 23
5
- prerelease:
4
+ hash: 15424063
5
+ prerelease: 6
6
6
  segments:
7
7
  - 3
8
8
  - 0
9
- - 8
10
- version: 3.0.8
9
+ - 9
10
+ - rc
11
+ - 1
12
+ version: 3.0.9.rc1
11
13
  platform: ruby
12
14
  authors:
13
15
  - David Heinemeier Hansson
@@ -15,7 +17,7 @@ autorequire:
15
17
  bindir: bin
16
18
  cert_chain: []
17
19
 
18
- date: 2011-06-07 00:00:00 Z
20
+ date: 2011-06-08 00:00:00 Z
19
21
  dependencies:
20
22
  - !ruby/object:Gem::Dependency
21
23
  name: activesupport
@@ -25,12 +27,14 @@ dependencies:
25
27
  requirements:
26
28
  - - "="
27
29
  - !ruby/object:Gem::Version
28
- hash: 23
30
+ hash: 15424063
29
31
  segments:
30
32
  - 3
31
33
  - 0
32
- - 8
33
- version: 3.0.8
34
+ - 9
35
+ - rc
36
+ - 1
37
+ version: 3.0.9.rc1
34
38
  type: :runtime
35
39
  version_requirements: *id001
36
40
  - !ruby/object:Gem::Dependency
@@ -41,12 +45,14 @@ dependencies:
41
45
  requirements:
42
46
  - - "="
43
47
  - !ruby/object:Gem::Version
44
- hash: 23
48
+ hash: 15424063
45
49
  segments:
46
50
  - 3
47
51
  - 0
48
- - 8
49
- version: 3.0.8
52
+ - 9
53
+ - rc
54
+ - 1
55
+ version: 3.0.9.rc1
50
56
  type: :runtime
51
57
  version_requirements: *id002
52
58
  - !ruby/object:Gem::Dependency
@@ -356,12 +362,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
356
362
  required_rubygems_version: !ruby/object:Gem::Requirement
357
363
  none: false
358
364
  requirements:
359
- - - ">="
365
+ - - ">"
360
366
  - !ruby/object:Gem::Version
361
- hash: 3
367
+ hash: 25
362
368
  segments:
363
- - 0
364
- version: "0"
369
+ - 1
370
+ - 3
371
+ - 1
372
+ version: 1.3.1
365
373
  requirements:
366
374
  - none
367
375
  rubyforge_project: actionpack