actionpack 3.0.8 → 3.0.9.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
data/CHANGELOG
CHANGED
|
@@ -1,7 +1,36 @@
|
|
|
1
|
-
*Rails 3.0.
|
|
1
|
+
*Rails 3.0.9 (unreleased)*
|
|
2
|
+
|
|
3
|
+
* Fix text helpers to work correctly with the new SafeBuffer restriction [Paul Gallagher, Arun Agrawal, Prem Sichanugrist]
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
*Rails 3.0.8 (June 7, 2011)*
|
|
7
|
+
|
|
8
|
+
* It is prohibited to perform a in-place SafeBuffer mutation [tenderlove]
|
|
9
|
+
|
|
10
|
+
The old behavior of SafeBuffer allowed you to mutate string in place via
|
|
11
|
+
method like `sub!`. These methods can add unsafe strings to a safe buffer,
|
|
12
|
+
and the safe buffer will continue to be marked as safe.
|
|
13
|
+
|
|
14
|
+
An example problem would be something like this:
|
|
15
|
+
|
|
16
|
+
<%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %>
|
|
17
|
+
|
|
18
|
+
In the above example, an untrusted string (`params[:xss]`) is added to the
|
|
19
|
+
safe buffer returned by `link_to`, and the untrusted content is successfully
|
|
20
|
+
sent to the client without being escaped. To prevent this from happening
|
|
21
|
+
`sub!` and other similar methods will now raise an exception when they are called on a safe buffer.
|
|
22
|
+
|
|
23
|
+
In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example:
|
|
24
|
+
|
|
25
|
+
<%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>
|
|
26
|
+
|
|
27
|
+
The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe.
|
|
28
|
+
|
|
29
|
+
You can read more about this change in http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2e516e7acc96c4fb
|
|
2
30
|
|
|
3
31
|
* Fixed github issue #342 with asset paths and relative roots.
|
|
4
32
|
|
|
33
|
+
|
|
5
34
|
*Rails 3.0.7 (April 18, 2011)*
|
|
6
35
|
|
|
7
36
|
*No changes.
|
data/lib/action_pack/version.rb
CHANGED
|
@@ -53,7 +53,13 @@ module ActionView
|
|
|
53
53
|
# This dance is needed because Builder can't use capture
|
|
54
54
|
pos = output_buffer.length
|
|
55
55
|
yield
|
|
56
|
-
|
|
56
|
+
if output_buffer.is_a?(ActionView::OutputBuffer)
|
|
57
|
+
safe_output_buffer = output_buffer.to_str
|
|
58
|
+
fragment = safe_output_buffer.slice!(pos..-1)
|
|
59
|
+
self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer)
|
|
60
|
+
else
|
|
61
|
+
fragment = output_buffer.slice!(pos..-1)
|
|
62
|
+
end
|
|
57
63
|
controller.write_fragment(name, fragment, options)
|
|
58
64
|
end
|
|
59
65
|
end
|
|
@@ -49,7 +49,7 @@ module ActionView
|
|
|
49
49
|
# Escape carrier returns and single and double quotes for JavaScript segments.
|
|
50
50
|
def escape_javascript(javascript)
|
|
51
51
|
if javascript
|
|
52
|
-
javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[
|
|
52
|
+
javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] }
|
|
53
53
|
else
|
|
54
54
|
''
|
|
55
55
|
end
|
|
@@ -483,7 +483,7 @@ module ActionView
|
|
|
483
483
|
extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil?
|
|
484
484
|
extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
|
|
485
485
|
|
|
486
|
-
email_address_obfuscated = email_address.
|
|
486
|
+
email_address_obfuscated = email_address.to_str
|
|
487
487
|
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
|
|
488
488
|
email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
|
|
489
489
|
|
metadata
CHANGED
|
@@ -1,13 +1,15 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
5
|
-
prerelease:
|
|
4
|
+
hash: 15424063
|
|
5
|
+
prerelease: 6
|
|
6
6
|
segments:
|
|
7
7
|
- 3
|
|
8
8
|
- 0
|
|
9
|
-
-
|
|
10
|
-
|
|
9
|
+
- 9
|
|
10
|
+
- rc
|
|
11
|
+
- 1
|
|
12
|
+
version: 3.0.9.rc1
|
|
11
13
|
platform: ruby
|
|
12
14
|
authors:
|
|
13
15
|
- David Heinemeier Hansson
|
|
@@ -15,7 +17,7 @@ autorequire:
|
|
|
15
17
|
bindir: bin
|
|
16
18
|
cert_chain: []
|
|
17
19
|
|
|
18
|
-
date: 2011-06-
|
|
20
|
+
date: 2011-06-08 00:00:00 Z
|
|
19
21
|
dependencies:
|
|
20
22
|
- !ruby/object:Gem::Dependency
|
|
21
23
|
name: activesupport
|
|
@@ -25,12 +27,14 @@ dependencies:
|
|
|
25
27
|
requirements:
|
|
26
28
|
- - "="
|
|
27
29
|
- !ruby/object:Gem::Version
|
|
28
|
-
hash:
|
|
30
|
+
hash: 15424063
|
|
29
31
|
segments:
|
|
30
32
|
- 3
|
|
31
33
|
- 0
|
|
32
|
-
-
|
|
33
|
-
|
|
34
|
+
- 9
|
|
35
|
+
- rc
|
|
36
|
+
- 1
|
|
37
|
+
version: 3.0.9.rc1
|
|
34
38
|
type: :runtime
|
|
35
39
|
version_requirements: *id001
|
|
36
40
|
- !ruby/object:Gem::Dependency
|
|
@@ -41,12 +45,14 @@ dependencies:
|
|
|
41
45
|
requirements:
|
|
42
46
|
- - "="
|
|
43
47
|
- !ruby/object:Gem::Version
|
|
44
|
-
hash:
|
|
48
|
+
hash: 15424063
|
|
45
49
|
segments:
|
|
46
50
|
- 3
|
|
47
51
|
- 0
|
|
48
|
-
-
|
|
49
|
-
|
|
52
|
+
- 9
|
|
53
|
+
- rc
|
|
54
|
+
- 1
|
|
55
|
+
version: 3.0.9.rc1
|
|
50
56
|
type: :runtime
|
|
51
57
|
version_requirements: *id002
|
|
52
58
|
- !ruby/object:Gem::Dependency
|
|
@@ -356,12 +362,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
356
362
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
357
363
|
none: false
|
|
358
364
|
requirements:
|
|
359
|
-
- - "
|
|
365
|
+
- - ">"
|
|
360
366
|
- !ruby/object:Gem::Version
|
|
361
|
-
hash:
|
|
367
|
+
hash: 25
|
|
362
368
|
segments:
|
|
363
|
-
-
|
|
364
|
-
|
|
369
|
+
- 1
|
|
370
|
+
- 3
|
|
371
|
+
- 1
|
|
372
|
+
version: 1.3.1
|
|
365
373
|
requirements:
|
|
366
374
|
- none
|
|
367
375
|
rubyforge_project: actionpack
|