RubyGems - actionpack - Versions diffs - 4.0.2 → 4.0.3 - Mend

actionpack 4.0.2 → 4.0.3

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/lib/action_pack/version.rb +1 -1
data/lib/action_view/helpers/number_helper.rb +19 -10
metadata +25 -25

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6fbfd3478ffdabae6c448f11b8d2555183dc9afa
-  data.tar.gz: c943680b657f1ee41a97fc0b3e45ed917f651ff6
+  metadata.gz: 88bdd4990a97dcad1337f5538672cf2ba466bc9e
+  data.tar.gz: 5c5e247912af700ec1d6cfe4a46d6fd123d6d2c9
 SHA512:
-  metadata.gz: de8fa29de785a8374d2f42a857d0cfaa6767dd509d2b8550367a57af9adcc07d0aa0a3fe5853e3983481d2c77d4879eb016dce956d0d7a8fbbcae66eba1adf93
-  data.tar.gz: fc2e767c978ef701d1b7cac55cd691ee3aa202c0afe2ebb28710dbc5f6bdccbcc5679c18a2e7d670f50df90f5429d741e759b21e81b08d9ee12b17c431cc30c2
+  metadata.gz: 24449d94d5ae99d1571a69d0c39459c07c88effd7614c1f368bb359688aec13f492e0b42fe4d8cf924d6879d5a309261567e6f2019d5b34a60fbcf2637877b50
+  data.tar.gz: e81f58104713eb4cecddc46b0903bbf436a19e7bd40c347311ba1fdce6f7a4f30d6cb62ddc92cbb9b9e8550693c172c29846f1fa5ee9ed5dc5aafd741ad2af59

data/CHANGELOG.md CHANGED

@@ -1,3 +1,9 @@
+*   Escape format, negative_format and units options of number helpers
+    Fixes: CVE-2014-0081
+## Rails 4.0.2 (December 02, 2013) ##
 *   Ensure simple_format escapes its html attributes. This fixes CVE-2013-6416
 *   Deep Munge the parameters for GET and POST Fixes CVE-2013-6417

data/lib/action_pack/version.rb CHANGED

@@ -1,7 +1,7 @@
 module ActionPack
   # Returns the version of the currently loaded ActionPack as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.2"
+    Gem::Version.new "4.0.3"
   end
   module VERSION #:nodoc:

data/lib/action_view/helpers/number_helper.rb CHANGED

@@ -106,7 +106,7 @@ module ActionView
       #   # => 1234567890,50 &pound;
       def number_to_currency(number, options = {})
         return unless number
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_currency(number, options)
@@ -151,7 +151,7 @@ module ActionView
       #   number_to_percentage("98a", raise: true)                         # => InvalidNumberError
       def number_to_percentage(number, options = {})
         return unless number
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_percentage(number, options)
@@ -188,7 +188,7 @@ module ActionView
       #
       #  number_with_delimiter("112a", raise: true)              # => raise InvalidNumberError
       def number_with_delimiter(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_delimited(number, options)
@@ -237,7 +237,7 @@ module ActionView
       #   number_with_precision(1111.2345, precision: 2, separator: ',', delimiter: '.')
       #   # => 1.111,23
       def number_with_precision(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_rounded(number, options)
@@ -293,7 +293,7 @@ module ActionView
       #   number_to_human_size(1234567890123, precision: 5)        # => "1.1229 TB"
       #   number_to_human_size(524288000, precision: 5)            # => "500 MB"
       def number_to_human_size(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_human_size(number, options)
@@ -399,7 +399,7 @@ module ActionView
       #  number_to_human(0.34, units: :distance)                # => "34 centimeters"
       #
       def number_to_human(number, options = {})
-        options = escape_unsafe_delimiters_and_separators(options.symbolize_keys)
+        options = escape_unsafe_options(options.symbolize_keys)
         wrap_with_output_safety_handling(number, options.delete(:raise)) {
           ActiveSupport::NumberHelper.number_to_human(number, options)
@@ -408,13 +408,22 @@ module ActionView
       private
-      def escape_unsafe_delimiters_and_separators(options)
-        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
-        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
-        options[:unit]      = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+      def escape_unsafe_options(options)
+        options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
+        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+        options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
+        options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+        options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+        options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
         options
       end
+      def escape_units(units)
+        Hash[units.map do |k, v|
+          [k, ERB::Util.html_escape(v)]
+        end]
+      end
       def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
         valid_float = valid_float?(number)
         raise InvalidNumberError, number if raise_on_invalid && !valid_float

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 4.0.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-12-03 00:00:00.000000000 Z
+date: 2014-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
 - !ruby/object:Gem::Dependency
   name: tzinfo
   requirement: !ruby/object:Gem::Requirement
@@ -116,8 +116,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
-- README.rdoc
 - MIT-LICENSE
+- README.rdoc
+- lib/abstract_controller.rb
 - lib/abstract_controller/asset_paths.rb
 - lib/abstract_controller/base.rb
 - lib/abstract_controller/callbacks.rb
@@ -130,13 +131,14 @@ files:
 - lib/abstract_controller/translation.rb
 - lib/abstract_controller/url_for.rb
 - lib/abstract_controller/view_paths.rb
-- lib/abstract_controller.rb
+- lib/action_controller.rb
 - lib/action_controller/base.rb
-- lib/action_controller/caching/fragments.rb
 - lib/action_controller/caching.rb
-- lib/action_controller/deprecated/integration_test.rb
+- lib/action_controller/caching/fragments.rb
 - lib/action_controller/deprecated.rb
+- lib/action_controller/deprecated/integration_test.rb
 - lib/action_controller/log_subscriber.rb
+- lib/action_controller/metal.rb
 - lib/action_controller/metal/conditional_get.rb
 - lib/action_controller/metal/cookies.rb
 - lib/action_controller/metal/data_streaming.rb
@@ -163,7 +165,6 @@ files:
 - lib/action_controller/metal/strong_parameters.rb
 - lib/action_controller/metal/testing.rb
 - lib/action_controller/metal/url_for.rb
-- lib/action_controller/metal.rb
 - lib/action_controller/middleware.rb
 - lib/action_controller/model_naming.rb
 - lib/action_controller/railtie.rb
@@ -171,7 +172,7 @@ files:
 - lib/action_controller/record_identifier.rb
 - lib/action_controller/test_case.rb
 - lib/action_controller/vendor/html-scanner.rb
-- lib/action_controller.rb
+- lib/action_dispatch.rb
 - lib/action_dispatch/http/cache.rb
 - lib/action_dispatch/http/filter_parameters.rb
 - lib/action_dispatch/http/filter_redirect.rb
@@ -186,6 +187,7 @@ files:
 - lib/action_dispatch/http/response.rb
 - lib/action_dispatch/http/upload.rb
 - lib/action_dispatch/http/url.rb
+- lib/action_dispatch/journey.rb
 - lib/action_dispatch/journey/backwards.rb
 - lib/action_dispatch/journey/formatter.rb
 - lib/action_dispatch/journey/gtg/builder.rb
@@ -201,16 +203,15 @@ files:
 - lib/action_dispatch/journey/parser_extras.rb
 - lib/action_dispatch/journey/path/pattern.rb
 - lib/action_dispatch/journey/route.rb
+- lib/action_dispatch/journey/router.rb
 - lib/action_dispatch/journey/router/strexp.rb
 - lib/action_dispatch/journey/router/utils.rb
-- lib/action_dispatch/journey/router.rb
 - lib/action_dispatch/journey/routes.rb
 - lib/action_dispatch/journey/scanner.rb
 - lib/action_dispatch/journey/visitors.rb
 - lib/action_dispatch/journey/visualizer/fsm.css
 - lib/action_dispatch/journey/visualizer/fsm.js
 - lib/action_dispatch/journey/visualizer/index.html.erb
-- lib/action_dispatch/journey.rb
 - lib/action_dispatch/middleware/callbacks.rb
 - lib/action_dispatch/middleware/cookies.rb
 - lib/action_dispatch/middleware/debug_exceptions.rb
@@ -242,6 +243,7 @@ files:
 - lib/action_dispatch/middleware/templates/routes/_table.html.erb
 - lib/action_dispatch/railtie.rb
 - lib/action_dispatch/request/session.rb
+- lib/action_dispatch/routing.rb
 - lib/action_dispatch/routing/inspector.rb
 - lib/action_dispatch/routing/mapper.rb
 - lib/action_dispatch/routing/polymorphic_routes.rb
@@ -249,26 +251,26 @@ files:
 - lib/action_dispatch/routing/route_set.rb
 - lib/action_dispatch/routing/routes_proxy.rb
 - lib/action_dispatch/routing/url_for.rb
-- lib/action_dispatch/routing.rb
+- lib/action_dispatch/testing/assertions.rb
 - lib/action_dispatch/testing/assertions/dom.rb
 - lib/action_dispatch/testing/assertions/response.rb
 - lib/action_dispatch/testing/assertions/routing.rb
 - lib/action_dispatch/testing/assertions/selector.rb
 - lib/action_dispatch/testing/assertions/tag.rb
-- lib/action_dispatch/testing/assertions.rb
 - lib/action_dispatch/testing/integration.rb
 - lib/action_dispatch/testing/test_process.rb
 - lib/action_dispatch/testing/test_request.rb
 - lib/action_dispatch/testing/test_response.rb
-- lib/action_dispatch.rb
-- lib/action_pack/version.rb
 - lib/action_pack.rb
+- lib/action_pack/version.rb
+- lib/action_view.rb
 - lib/action_view/base.rb
 - lib/action_view/buffers.rb
 - lib/action_view/context.rb
 - lib/action_view/dependency_tracker.rb
 - lib/action_view/digestor.rb
 - lib/action_view/flows.rb
+- lib/action_view/helpers.rb
 - lib/action_view/helpers/active_model_helper.rb
 - lib/action_view/helpers/asset_tag_helper.rb
 - lib/action_view/helpers/asset_url_helper.rb
@@ -289,6 +291,7 @@ files:
 - lib/action_view/helpers/rendering_helper.rb
 - lib/action_view/helpers/sanitize_helper.rb
 - lib/action_view/helpers/tag_helper.rb
+- lib/action_view/helpers/tags.rb
 - lib/action_view/helpers/tags/base.rb
 - lib/action_view/helpers/tags/check_box.rb
 - lib/action_view/helpers/tags/checkable.rb
@@ -322,11 +325,9 @@ files:
 - lib/action_view/helpers/tags/time_zone_select.rb
 - lib/action_view/helpers/tags/url_field.rb
 - lib/action_view/helpers/tags/week_field.rb
-- lib/action_view/helpers/tags.rb
 - lib/action_view/helpers/text_helper.rb
 - lib/action_view/helpers/translation_helper.rb
 - lib/action_view/helpers/url_helper.rb
-- lib/action_view/helpers.rb
 - lib/action_view/locale/en.yml
 - lib/action_view/log_subscriber.rb
 - lib/action_view/lookup_context.rb
@@ -341,25 +342,24 @@ files:
 - lib/action_view/renderer/template_renderer.rb
 - lib/action_view/routing_url_for.rb
 - lib/action_view/tasks/dependencies.rake
+- lib/action_view/template.rb
 - lib/action_view/template/error.rb
+- lib/action_view/template/handlers.rb
 - lib/action_view/template/handlers/builder.rb
 - lib/action_view/template/handlers/erb.rb
 - lib/action_view/template/handlers/raw.rb
-- lib/action_view/template/handlers.rb
 - lib/action_view/template/resolver.rb
 - lib/action_view/template/text.rb
 - lib/action_view/template/types.rb
-- lib/action_view/template.rb
 - lib/action_view/test_case.rb
 - lib/action_view/testing/resolvers.rb
+- lib/action_view/vendor/html-scanner.rb
 - lib/action_view/vendor/html-scanner/html/document.rb
 - lib/action_view/vendor/html-scanner/html/node.rb
 - lib/action_view/vendor/html-scanner/html/sanitizer.rb
 - lib/action_view/vendor/html-scanner/html/selector.rb
 - lib/action_view/vendor/html-scanner/html/tokenizer.rb
 - lib/action_view/vendor/html-scanner/html/version.rb
-- lib/action_view/vendor/html-scanner.rb
-- lib/action_view.rb
 homepage: http://www.rubyonrails.org
 licenses:
 - MIT
@@ -381,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - none
 rubyforge_project:
-rubygems_version: 2.0.2
+rubygems_version: 2.2.0
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).