actionpack 3.2.22 → 3.2.22.5
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/lib/abstract_controller/rendering.rb +3 -3
- data/lib/action_controller/metal/http_authentication.rb +6 -1
- data/lib/action_dispatch/http/mime_type.rb +16 -2
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_view/helpers/rendering_helper.rb +2 -0
- data/lib/action_view/helpers/tag_helper.rb +12 -5
- data/lib/action_view/lookup_context.rb +4 -0
- data/lib/action_view/path_set.rb +19 -7
- data/lib/action_view/renderer/abstract_renderer.rb +1 -1
- data/lib/action_view/renderer/renderer.rb +7 -0
- data/lib/action_view/renderer/template_renderer.rb +3 -2
- data/lib/action_view/template/resolver.rb +33 -7
- data/lib/action_view/testing/resolvers.rb +2 -3
- metadata +8 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b2589906c64cd869c852384400c0faaa3ce38781
|
|
4
|
+
data.tar.gz: 791a03c38208269ba110b4d5afaa77b3144894b6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ac4faea0a3986fbaa9644ec86c74bab96478b4b75786901f0d9142f563ada0d0efdf56e3c094af894eb7542fedfb7c88eaa93fa04fdb37be981c7e9267a65875
|
|
7
|
+
data.tar.gz: ef93100f309d422d5d4542e73dd02a7087cd4f0fc3b37e48d01fc9d0deedbc282550cf81780489d707ad2902e559f3a65711ca03c25b03ad2fce7ab28b5e5186
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
require "abstract_controller/base"
|
|
2
2
|
require "action_view"
|
|
3
3
|
require "active_support/core_ext/object/instance_variables"
|
|
4
|
+
require "active_support/hash_with_indifferent_access"
|
|
4
5
|
|
|
5
6
|
module AbstractController
|
|
6
7
|
class DoubleRenderError < Error
|
|
@@ -138,7 +139,7 @@ module AbstractController
|
|
|
138
139
|
end
|
|
139
140
|
|
|
140
141
|
# Normalize args by converting render "foo" to render :action => "foo" and
|
|
141
|
-
# render "foo/bar" to render :
|
|
142
|
+
# render "foo/bar" to render :app_template_file => "foo/bar".
|
|
142
143
|
# :api: plugin
|
|
143
144
|
def _normalize_args(action=nil, options={})
|
|
144
145
|
case action
|
|
@@ -147,12 +148,11 @@ module AbstractController
|
|
|
147
148
|
options = action
|
|
148
149
|
when String, Symbol
|
|
149
150
|
action = action.to_s
|
|
150
|
-
key = action.include?(?/) ? :
|
|
151
|
+
key = action.include?(?/) ? :app_template_file : :action
|
|
151
152
|
options[key] = action
|
|
152
153
|
else
|
|
153
154
|
options[:partial] = action
|
|
154
155
|
end
|
|
155
|
-
|
|
156
156
|
options
|
|
157
157
|
end
|
|
158
158
|
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'active_support/base64'
|
|
2
2
|
require 'active_support/core_ext/object/blank'
|
|
3
|
+
require 'active_support/security_utils'
|
|
3
4
|
|
|
4
5
|
module ActionController
|
|
5
6
|
module HttpAuthentication
|
|
@@ -111,7 +112,11 @@ module ActionController
|
|
|
111
112
|
def http_basic_authenticate_with(options = {})
|
|
112
113
|
before_filter(options.except(:name, :password, :realm)) do
|
|
113
114
|
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
|
|
114
|
-
|
|
115
|
+
# This comparison uses & so that it doesn't short circuit and
|
|
116
|
+
# uses `variable_size_secure_compare` so that length information
|
|
117
|
+
# isn't leaked.
|
|
118
|
+
ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
|
|
119
|
+
ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
|
|
115
120
|
end
|
|
116
121
|
end
|
|
117
122
|
end
|
|
@@ -22,7 +22,7 @@ module Mime
|
|
|
22
22
|
|
|
23
23
|
SET = Mimes.new
|
|
24
24
|
EXTENSION_LOOKUP = {}
|
|
25
|
-
LOOKUP =
|
|
25
|
+
LOOKUP = {}
|
|
26
26
|
|
|
27
27
|
def self.[](type)
|
|
28
28
|
return type if type.is_a?(Type)
|
|
@@ -85,7 +85,7 @@ module Mime
|
|
|
85
85
|
Q_SEPARATOR_REGEXP = /;\s*q=/
|
|
86
86
|
|
|
87
87
|
def lookup(string)
|
|
88
|
-
LOOKUP[string]
|
|
88
|
+
LOOKUP[string] || Type.new(string)
|
|
89
89
|
end
|
|
90
90
|
|
|
91
91
|
def lookup_by_extension(extension)
|
|
@@ -204,9 +204,12 @@ module Mime
|
|
|
204
204
|
end
|
|
205
205
|
end
|
|
206
206
|
|
|
207
|
+
attr_reader :hash
|
|
208
|
+
|
|
207
209
|
def initialize(string, symbol = nil, synonyms = [])
|
|
208
210
|
@symbol, @synonyms = symbol, synonyms
|
|
209
211
|
@string = string
|
|
212
|
+
@hash = [@string, @synonyms, @symbol].hash
|
|
210
213
|
end
|
|
211
214
|
|
|
212
215
|
def to_s
|
|
@@ -240,6 +243,13 @@ module Mime
|
|
|
240
243
|
end
|
|
241
244
|
end
|
|
242
245
|
|
|
246
|
+
def eql?(other)
|
|
247
|
+
super || (self.class == other.class &&
|
|
248
|
+
@string == other.string &&
|
|
249
|
+
@synonyms == other.synonyms &&
|
|
250
|
+
@symbol == other.symbol)
|
|
251
|
+
end
|
|
252
|
+
|
|
243
253
|
def =~(mime_type)
|
|
244
254
|
return false if mime_type.blank?
|
|
245
255
|
regexp = Regexp.new(Regexp.quote(mime_type.to_s))
|
|
@@ -262,6 +272,10 @@ module Mime
|
|
|
262
272
|
super || method.to_s =~ /(\w+)\?$/
|
|
263
273
|
end
|
|
264
274
|
|
|
275
|
+
protected
|
|
276
|
+
|
|
277
|
+
attr_reader :string, :synonyms
|
|
278
|
+
|
|
265
279
|
private
|
|
266
280
|
def method_missing(method, *args)
|
|
267
281
|
if method.to_s =~ /(\w+)\?$/
|
data/lib/action_pack/version.rb
CHANGED
|
@@ -10,6 +10,7 @@ module ActionView
|
|
|
10
10
|
module TagHelper
|
|
11
11
|
extend ActiveSupport::Concern
|
|
12
12
|
include CaptureHelper
|
|
13
|
+
include OutputSafetyHelper
|
|
13
14
|
|
|
14
15
|
BOOLEAN_ATTRIBUTES = %w(disabled readonly multiple checked autobuffer
|
|
15
16
|
autoplay controls loop selected hidden scoped async
|
|
@@ -141,20 +142,26 @@ module ActionView
|
|
|
141
142
|
unless v.is_a?(String) || v.is_a?(Symbol) || v.is_a?(BigDecimal)
|
|
142
143
|
v = v.to_json
|
|
143
144
|
end
|
|
144
|
-
|
|
145
|
-
attrs << %(data-#{k.to_s.dasherize}="#{v}")
|
|
145
|
+
attrs << tag_option("data-#{k.to_s.dasherize}", v, escape)
|
|
146
146
|
end
|
|
147
147
|
elsif BOOLEAN_ATTRIBUTES.include?(key)
|
|
148
148
|
attrs << %(#{key}="#{key}") if value
|
|
149
149
|
elsif !value.nil?
|
|
150
|
-
|
|
151
|
-
final_value = ERB::Util.html_escape(final_value) if escape
|
|
152
|
-
attrs << %(#{key}="#{final_value}")
|
|
150
|
+
attrs << tag_option(key, value, escape)
|
|
153
151
|
end
|
|
154
152
|
end
|
|
155
153
|
" #{attrs.sort * ' '}".html_safe unless attrs.empty?
|
|
156
154
|
end
|
|
157
155
|
end
|
|
156
|
+
|
|
157
|
+
def tag_option(key, value, escape)
|
|
158
|
+
if value.is_a?(Array)
|
|
159
|
+
value = escape ? safe_join(value, " ") : value.join(" ")
|
|
160
|
+
else
|
|
161
|
+
value = escape ? ERB::Util.html_escape(value) : value.to_s
|
|
162
|
+
end
|
|
163
|
+
%(#{key}="#{value.gsub(/"/, '"'.freeze)}")
|
|
164
|
+
end
|
|
158
165
|
end
|
|
159
166
|
end
|
|
160
167
|
end
|
|
@@ -127,6 +127,10 @@ module ActionView
|
|
|
127
127
|
@view_paths.find_all(*args_for_lookup(name, prefixes, partial, keys, options))
|
|
128
128
|
end
|
|
129
129
|
|
|
130
|
+
def find_file(name, prefixes = [], partial = false, keys = [], options = {})
|
|
131
|
+
@view_paths.find_file(*args_for_lookup(name, prefixes, partial, keys, options))
|
|
132
|
+
end
|
|
133
|
+
|
|
130
134
|
def exists?(name, prefixes = [], partial = false, keys = [], options = {})
|
|
131
135
|
@view_paths.exists?(*args_for_lookup(name, prefixes, partial, keys, options))
|
|
132
136
|
end
|
data/lib/action_view/path_set.rb
CHANGED
|
@@ -58,23 +58,35 @@ module ActionView #:nodoc:
|
|
|
58
58
|
find_all(*args).first || raise(MissingTemplate.new(self, *args))
|
|
59
59
|
end
|
|
60
60
|
|
|
61
|
+
def find_file(path, prefixes = [], *args)
|
|
62
|
+
_find_all(path, prefixes, args, true).first || raise(MissingTemplate.new(self, path, prefixes, *args))
|
|
63
|
+
end
|
|
64
|
+
|
|
61
65
|
def find_all(path, prefixes = [], *args)
|
|
66
|
+
_find_all path, prefixes, args, false
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
def exists?(path, prefixes, *args)
|
|
70
|
+
find_all(path, prefixes, *args).any?
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
private
|
|
74
|
+
|
|
75
|
+
def _find_all(path, prefixes, args, outside_app)
|
|
62
76
|
prefixes = [prefixes] if String === prefixes
|
|
63
77
|
prefixes.each do |prefix|
|
|
64
78
|
paths.each do |resolver|
|
|
65
|
-
|
|
79
|
+
if outside_app
|
|
80
|
+
templates = resolver.find_all_anywhere(path, prefix, *args)
|
|
81
|
+
else
|
|
82
|
+
templates = resolver.find_all(path, prefix, *args)
|
|
83
|
+
end
|
|
66
84
|
return templates unless templates.empty?
|
|
67
85
|
end
|
|
68
86
|
end
|
|
69
87
|
[]
|
|
70
88
|
end
|
|
71
89
|
|
|
72
|
-
def exists?(path, prefixes, *args)
|
|
73
|
-
find_all(path, prefixes, *args).any?
|
|
74
|
-
end
|
|
75
|
-
|
|
76
|
-
private
|
|
77
|
-
|
|
78
90
|
def typecast(paths)
|
|
79
91
|
paths.map do |path|
|
|
80
92
|
case path
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
module ActionView
|
|
2
2
|
class AbstractRenderer #:nodoc:
|
|
3
|
-
delegate :find_template, :template_exists?, :with_fallbacks, :update_details,
|
|
3
|
+
delegate :find_template, :find_file, :template_exists?, :with_fallbacks, :update_details,
|
|
4
4
|
:with_layout_format, :formats, :to => :@lookup_context
|
|
5
5
|
|
|
6
6
|
def initialize(lookup_context)
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'active_support/hash_with_indifferent_access'
|
|
2
|
+
|
|
1
3
|
module ActionView
|
|
2
4
|
# This is the main entry point for rendering. It basically delegates
|
|
3
5
|
# to other objects like TemplateRenderer and PartialRenderer which
|
|
@@ -11,6 +13,11 @@ module ActionView
|
|
|
11
13
|
|
|
12
14
|
# Main render entry point shared by AV and AC.
|
|
13
15
|
def render(context, options)
|
|
16
|
+
if (options.is_a?(HashWithIndifferentAccess) && !options.respond_to?(:permitted?)) ||
|
|
17
|
+
(options.respond_to?(:permitted?) && !options.permitted?)
|
|
18
|
+
raise ArgumentError, "render parameters are not permitted"
|
|
19
|
+
end
|
|
20
|
+
|
|
14
21
|
if options.key?(:partial)
|
|
15
22
|
render_partial(context, options)
|
|
16
23
|
else
|
|
@@ -21,11 +21,12 @@ module ActionView
|
|
|
21
21
|
# Determine the template to be rendered using the given options.
|
|
22
22
|
def determine_template(options) #:nodoc:
|
|
23
23
|
keys = options[:locals].try(:keys) || []
|
|
24
|
-
|
|
25
24
|
if options.key?(:text)
|
|
26
25
|
Template::Text.new(options[:text], formats.try(:first))
|
|
26
|
+
elsif options.key?(:app_template_file)
|
|
27
|
+
find_template(options[:app_template_file], nil, false, keys, @details)
|
|
27
28
|
elsif options.key?(:file)
|
|
28
|
-
with_fallbacks {
|
|
29
|
+
with_fallbacks { find_file(options[:file], nil, false, keys, @details) }
|
|
29
30
|
elsif options.key?(:inline)
|
|
30
31
|
handler = Template.handler_for_extension(options[:type] || "erb")
|
|
31
32
|
Template.new(options[:inline], "inline template", handler, :locals => keys)
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
require "pathname"
|
|
2
2
|
require "active_support/core_ext/class"
|
|
3
3
|
require "active_support/core_ext/io"
|
|
4
|
+
require "active_support/core_ext/string/starts_ends_with"
|
|
4
5
|
require "action_view/template"
|
|
5
6
|
|
|
6
7
|
module ActionView
|
|
@@ -43,7 +44,13 @@ module ActionView
|
|
|
43
44
|
# Normalizes the arguments and passes it on to find_template.
|
|
44
45
|
def find_all(name, prefix=nil, partial=false, details={}, key=nil, locals=[])
|
|
45
46
|
cached(key, [name, prefix, partial], details, locals) do
|
|
46
|
-
find_templates(name, prefix, partial, details)
|
|
47
|
+
find_templates(name, prefix, partial, details, false)
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def find_all_anywhere(name, prefix, partial=false, details={}, key=nil, locals=[])
|
|
52
|
+
cached(key, [name, prefix, partial], details, locals) do
|
|
53
|
+
find_templates(name, prefix, partial, details, true)
|
|
47
54
|
end
|
|
48
55
|
end
|
|
49
56
|
|
|
@@ -54,8 +61,8 @@ module ActionView
|
|
|
54
61
|
# This is what child classes implement. No defaults are needed
|
|
55
62
|
# because Resolver guarantees that the arguments are present and
|
|
56
63
|
# normalized.
|
|
57
|
-
def find_templates(name, prefix, partial, details)
|
|
58
|
-
raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details) method"
|
|
64
|
+
def find_templates(name, prefix, partial, details, outside_app_allowed = false)
|
|
65
|
+
raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details, outside_app_allowed) method"
|
|
59
66
|
end
|
|
60
67
|
|
|
61
68
|
# Helpers that builds a path. Useful for building virtual paths.
|
|
@@ -110,18 +117,22 @@ module ActionView
|
|
|
110
117
|
super()
|
|
111
118
|
end
|
|
112
119
|
|
|
120
|
+
cattr_accessor :instance_reader => false, :instance_writer => false
|
|
121
|
+
|
|
113
122
|
private
|
|
114
123
|
|
|
115
|
-
def find_templates(name, prefix, partial, details)
|
|
124
|
+
def find_templates(name, prefix, partial, details, outside_app_allowed = false)
|
|
116
125
|
path = Path.build(name, prefix, partial)
|
|
117
|
-
query(path, details, details[:formats])
|
|
126
|
+
query(path, details, details[:formats], outside_app_allowed)
|
|
118
127
|
end
|
|
119
128
|
|
|
120
|
-
def query(path, details, formats)
|
|
129
|
+
def query(path, details, formats, outside_app_allowed)
|
|
121
130
|
query = build_query(path, details)
|
|
122
131
|
|
|
123
132
|
template_paths = find_template_paths query
|
|
124
133
|
|
|
134
|
+
template_paths = reject_files_external_to_app(template_paths) unless outside_app_allowed
|
|
135
|
+
|
|
125
136
|
template_paths.map { |template|
|
|
126
137
|
handler, format = extract_handler_and_format(template, formats)
|
|
127
138
|
contents = File.binread template
|
|
@@ -133,6 +144,10 @@ module ActionView
|
|
|
133
144
|
}
|
|
134
145
|
end
|
|
135
146
|
|
|
147
|
+
def reject_files_external_to_app(files)
|
|
148
|
+
files.reject { |filename| !inside_path?(@path, filename) }
|
|
149
|
+
end
|
|
150
|
+
|
|
136
151
|
if RUBY_VERSION >= '2.2.0'
|
|
137
152
|
def find_template_paths(query)
|
|
138
153
|
Dir[query].reject { |filename|
|
|
@@ -153,6 +168,12 @@ module ActionView
|
|
|
153
168
|
end
|
|
154
169
|
end
|
|
155
170
|
|
|
171
|
+
def inside_path?(path, filename)
|
|
172
|
+
filename = File.expand_path(filename)
|
|
173
|
+
path = File.join(path, '')
|
|
174
|
+
filename.start_with?(path)
|
|
175
|
+
end
|
|
176
|
+
|
|
156
177
|
# Helper for building query glob string based on resolver's pattern.
|
|
157
178
|
def build_query(path, details)
|
|
158
179
|
query = @pattern.dup
|
|
@@ -250,7 +271,12 @@ module ActionView
|
|
|
250
271
|
class OptimizedFileSystemResolver < FileSystemResolver #:nodoc:
|
|
251
272
|
def build_query(path, details)
|
|
252
273
|
exts = EXTENSIONS.map { |ext| details[ext] }
|
|
253
|
-
|
|
274
|
+
|
|
275
|
+
if path.to_s.starts_with? @path.to_s
|
|
276
|
+
query = escape_entry(path)
|
|
277
|
+
else
|
|
278
|
+
query = escape_entry(File.join(@path, path))
|
|
279
|
+
end
|
|
254
280
|
|
|
255
281
|
query + exts.map { |ext|
|
|
256
282
|
"{#{ext.compact.uniq.map { |e| ".#{e}," }.join}}"
|
|
@@ -19,7 +19,7 @@ module ActionView #:nodoc:
|
|
|
19
19
|
|
|
20
20
|
private
|
|
21
21
|
|
|
22
|
-
def query(path, exts, formats)
|
|
22
|
+
def query(path, exts, formats, outside_app_allowed)
|
|
23
23
|
query = ""
|
|
24
24
|
EXTENSIONS.each do |ext|
|
|
25
25
|
query << '(' << exts[ext].map {|e| e && Regexp.escape(".#{e}") }.join('|') << '|)'
|
|
@@ -40,11 +40,10 @@ module ActionView #:nodoc:
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
class NullResolver < PathResolver
|
|
43
|
-
def query(path, exts, formats)
|
|
43
|
+
def query(path, exts, formats, outside_app_allowed)
|
|
44
44
|
handler, format = extract_handler_and_format(path, formats)
|
|
45
45
|
[ActionView::Template.new("Template generated by Null Resolver", path, handler, :virtual_path => path, :format => format)]
|
|
46
46
|
end
|
|
47
47
|
end
|
|
48
48
|
|
|
49
49
|
end
|
|
50
|
-
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: actionpack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.2.22
|
|
4
|
+
version: 3.2.22.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2016-09-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 3.2.22
|
|
19
|
+
version: 3.2.22.5
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 3.2.22
|
|
26
|
+
version: 3.2.22.5
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activemodel
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - '='
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 3.2.22
|
|
33
|
+
version: 3.2.22.5
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - '='
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 3.2.22
|
|
40
|
+
version: 3.2.22.5
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: rack-cache
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -369,8 +369,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
369
369
|
requirements:
|
|
370
370
|
- none
|
|
371
371
|
rubyforge_project:
|
|
372
|
-
rubygems_version: 2.
|
|
372
|
+
rubygems_version: 2.6.6
|
|
373
373
|
signing_key:
|
|
374
374
|
specification_version: 4
|
|
375
375
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
|
376
376
|
test_files: []
|
|
377
|
+
has_rdoc:
|