actionpack 4.1.7 → 4.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fd553597f482cd30ac29dec61f759fbfc0dc1005
-  data.tar.gz: 1a22032cc1c4b44051182dff1fba4762885f83f0
+  metadata.gz: db10782d837eef0e09b1e170e4f44fc747a5ac69
+  data.tar.gz: 08366ec637eee7308307e4bb95e443b28ff9d8cc
 SHA512:
-  metadata.gz: cf3fba7f2188f04480178dfc0e9e1a6265da868dfd7f11d35ec0b024155c9ce4f8bdccda3dfae58b96de23f3ff7de118ecda483b37301814c9711e268cf9dde8
-  data.tar.gz: 6deca2a2a3f989a1b2e385a09ba2d616e0e0d43e2cf9b1cb3d4ee91dfccc426b1a08b696f9e285ab489cca6d7d752e5a8cda15b39612ab86b88847b7b6eb7ac5
+  metadata.gz: 4062ad340cd1a94d719fb2aa978a19456dbc9863177120fd3473ba36f1624e52391eae5cd04a997cffd5db750a1f63c8fab373b06bc4d5ccc480406cd2724c67
+  data.tar.gz: 6f10b6e27d69b0d9f4365b49d7660c7cbcf1d1a898b72d213890937aa2184805df51f7f52756bb67be387f37ef8d561f90a25e42db7192f8b132c40803df5723

data/CHANGELOG.md

@@ -1,3 +1,48 @@
+## Rails 4.1.9 (January 6, 2015) ##
+
+*   Fixed handling of positional url helper arguments when `format: false`.
+
+    Fixes #17819.
+
+    *Andrew White*, *Tatiana Soukiassian*
+
+*   Restore handling of a bare `Authorization` header, without `token=`
+    prefix.
+
+    Fixes #17108.
+
+    *Guo Xiang Tan*
+
+
+## Rails 4.1.8 (November 16, 2014) ##
+
+*   Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
+
+    fixes #17035.
+
+    *arthurnn*
+
+*   Fix a bug where malformed query strings lead to 500.
+
+    fixes #11502.
+
+    *Yuki Nishijima*
+
+
+## Rails 4.1.7.1 (November 19, 2014) ##
+
+*   Fix arbitrary file existence disclosure in Action Pack.
+
+    CVE-2014-7829.
+
+
+## Rails 4.1.7 (October 29, 2014) ##
+
+*   Fix arbitrary file existence disclosure in Action Pack.
+
+    CVE-2014-7818.
+
+
 ## Rails 4.1.6 (September 11, 2014) ##
 
 *   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671

data/lib/action_controller/base.rb

@@ -44,7 +44,7 @@ module ActionController
   # The full request object is available via the request accessor and is primarily used to query for HTTP headers:
   #
   #   def server_ip
-  #     location = request.env["SERVER_ADDR"]
+  #     location = request.env["REMOTE_ADDR"]
   #     render plain: "This server hosted at #{location}"
   #   end
   #

data/lib/action_controller/metal/http_authentication.rb

@@ -397,6 +397,7 @@ module ActionController
     #
     #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Token
+      TOKEN_KEY = 'token='
       TOKEN_REGEX = /^Token /
       AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
       extend self
@@ -471,7 +472,13 @@ module ActionController
       # pairs by the standardized `:`, `;`, or `\t` delimiters defined in
       # `AUTHN_PAIR_DELIMITERS`.
       def raw_params(auth)
-        auth.sub(TOKEN_REGEX, '').split(/"\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+
+        if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+          _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
+        end
+
+        _raw_params
       end
 
       # Encodes the given token and options into an Authorization header value.
@@ -481,7 +488,7 @@ module ActionController
       #
       # Returns String.
       def encode_credentials(token, options = {})
-        values = ["token=#{token.to_s.inspect}"] + options.map do |key, value|
+        values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
           "#{key}=#{value.to_s.inspect}"
         end
         "Token #{values * ", "}"

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -70,7 +70,7 @@ module ActionDispatch
       def variant=(variant)
         if variant.is_a?(Symbol)
           @variant = [variant]
-        elsif variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
+        elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
           @variant = variant
         else
           raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \

data/lib/action_dispatch/http/parameter_filter.rb

@@ -56,7 +56,7 @@ module ActionDispatch
             elsif value.is_a?(Array)
               value = value.map { |v| v.is_a?(Hash) ? call(v) : v }
             elsif blocks.any?
-              key = key.dup
+              key = key.dup if key.duplicable?
               value = value.dup if value.duplicable?
               blocks.each { |b| b.call(key, value) }
             end

data/lib/action_dispatch/http/request.rb

@@ -315,7 +315,7 @@ module ActionDispatch
 
     private
       def check_method(name)
-        HTTP_METHOD_LOOKUP[name] || raise(ActionController::UnknownHttpMethod, "#{name}, accepted HTTP methods are #{HTTP_METHODS.to_sentence(:locale => :en)}")
+        HTTP_METHOD_LOOKUP[name] || raise(ActionController::UnknownHttpMethod, "#{name}, accepted HTTP methods are #{HTTP_METHODS[0...-1].join(', ')}, and #{HTTP_METHODS[-1]}")
         name
       end
   end

data/lib/action_dispatch/journey/formatter.rb

@@ -34,7 +34,7 @@ module ActionDispatch
         end
 
         message = "No route matches #{Hash[constraints.sort].inspect}"
-        message << " missing required keys: #{missing_keys.sort.inspect}" if name
+        message << " missing required keys: #{missing_keys.sort.inspect}" unless missing_keys.empty?
 
         raise ActionController::UrlGenerationError, message
       end

data/lib/action_dispatch/journey/router.rb

@@ -63,9 +63,9 @@ module ActionDispatch
 
           unless route.path.anchored
             env['SCRIPT_NAME'] = (script_name.to_s + match.to_s).chomp('/')
-            path_info = match.post_match
-            env['PATH_INFO']   = path_info
-            env['PATH_INFO']   = "/" + path_info unless path_info.start_with? "/"
+            matched_path = match.post_match
+            env['PATH_INFO']   = matched_path
+            env['PATH_INFO']   = "/" + matched_path unless matched_path.start_with? "/"
           end
 
           env[@params_key] = (set_params || {}).merge parameters

data/lib/action_dispatch/middleware/cookies.rb

@@ -70,11 +70,13 @@ module ActionDispatch
   #   restrict to the domain level. If you use a schema like www.example.com
   #   and want to share session with user.example.com set <tt>:domain</tt>
   #   to <tt>:all</tt>. Make sure to specify the <tt>:domain</tt> option with
-  #   <tt>:all</tt> again when deleting cookies.
+  #   <tt>:all</tt> or <tt>Array</tt> again when deleting cookies.
   #
   #     domain: nil  # Does not sets cookie domain. (default)
   #     domain: :all # Allow the cookie for the top most level
   #                       domain and subdomains.
+  #     domain: %w(.example.com .example.org) # Allow the cookie 
+  #                       for concrete domain names.
   #
   # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time object.
   # * <tt>:secure</tt> - Whether this cookie is only transmitted to HTTPS servers.
@@ -118,7 +120,7 @@ module ActionDispatch
       # the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
       # cookie was tampered with by the user (or a 3rd party), nil will be returned.
       #
-      # If +secrets.secret_key_base+ and +config.secret_token+ (deprecated) are both set,
+      # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
       # legacy cookies signed with the old key generator will be transparently upgraded.
       #
       # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
@@ -141,7 +143,7 @@ module ActionDispatch
       # Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them for read.
       # If the cookie was tampered with by the user (or a 3rd party), nil will be returned.
       #
-      # If +secrets.secret_key_base+ and +config.secret_token+ (deprecated) are both set,
+      # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
       # legacy cookies signed with the old key generator will be transparently upgraded.
       #
       # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
@@ -481,7 +483,7 @@ module ActionDispatch
     end
 
     # UpgradeLegacySignedCookieJar is used instead of SignedCookieJar if
-    # config.secret_token and secrets.secret_key_base are both set. It reads
+    # secrets.secret_token and secrets.secret_key_base are both set. It reads
     # legacy cookies signed with the old dummy key generator and re-saves
     # them using the new key generator to provide a smooth upgrade path.
     class UpgradeLegacySignedCookieJar < SignedCookieJar #:nodoc:
@@ -539,7 +541,7 @@ module ActionDispatch
     end
 
     # UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore
-    # instead of EncryptedCookieJar if config.secret_token and secrets.secret_key_base
+    # instead of EncryptedCookieJar if secrets.secret_token and secrets.secret_key_base
     # are both set. It reads legacy cookies signed with the old dummy key generator and
     # encrypts and re-saves them using the new key generator to provide a smooth upgrade path.
     class UpgradeLegacyEncryptedCookieJar < EncryptedCookieJar #:nodoc:

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -6,16 +6,17 @@ module ActionDispatch
     cattr_accessor :rescue_responses
     @@rescue_responses = Hash.new(:internal_server_error)
     @@rescue_responses.merge!(
-      'ActionController::RoutingError'             => :not_found,
-      'AbstractController::ActionNotFound'         => :not_found,
-      'ActionController::MethodNotAllowed'         => :method_not_allowed,
-      'ActionController::UnknownHttpMethod'        => :method_not_allowed,
-      'ActionController::NotImplemented'           => :not_implemented,
-      'ActionController::UnknownFormat'            => :not_acceptable,
-      'ActionController::InvalidAuthenticityToken' => :unprocessable_entity,
-      'ActionDispatch::ParamsParser::ParseError'   => :bad_request,
-      'ActionController::BadRequest'               => :bad_request,
-      'ActionController::ParameterMissing'         => :bad_request
+      'ActionController::RoutingError'                => :not_found,
+      'AbstractController::ActionNotFound'            => :not_found,
+      'ActionController::MethodNotAllowed'            => :method_not_allowed,
+      'ActionController::UnknownHttpMethod'           => :method_not_allowed,
+      'ActionController::NotImplemented'              => :not_implemented,
+      'ActionController::UnknownFormat'               => :not_acceptable,
+      'ActionController::InvalidAuthenticityToken'    => :unprocessable_entity,
+      'ActionController::InvalidCrossOriginRequest'   => :unprocessable_entity,
+      'ActionDispatch::ParamsParser::ParseError'      => :bad_request,
+      'ActionController::BadRequest'                  => :bad_request,
+      'ActionController::ParameterMissing'            => :bad_request
     )
 
     cattr_accessor :rescue_templates

data/lib/action_dispatch/middleware/flash.rb

@@ -129,7 +129,7 @@ module ActionDispatch
       end
 
       def key?(name)
-        @flashes.key? name
+        @flashes.key? name.to_s
       end
 
       def delete(key)

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -9,8 +9,12 @@ module ActionDispatch
     def call(env)
       status       = env["PATH_INFO"][1..-1]
       request      = ActionDispatch::Request.new(env)
-      content_type = request.formats.first
       body         = { :status => status, :error => Rack::Utils::HTTP_STATUS_CODES.fetch(status.to_i, Rack::Utils::HTTP_STATUS_CODES[500]) }
+      content_type = begin
+                       request.formats.first
+                     rescue ActionController::BadRequest
+                       Mime::HTML
+                     end
 
       render(status, content_type, body)
     end

data/lib/action_dispatch/middleware/static.rb

@@ -19,7 +19,7 @@ module ActionDispatch
       paths = "#{full_path}#{ext}"
 
       matches = Dir[paths]
-      match = matches.detect { |m| File.file?(m) }
+      match = matches.detect { |m| File.file?(m) && File.readable?(m) }
       if match
         match.sub!(@compiled_root, '')
         ::Rack::Utils.escape(match)
@@ -42,7 +42,7 @@ module ActionDispatch
     end
 
     def escape_glob_chars(path)
-      path.gsub(/[*?{}\[\]]/, "\\\\\\&")
+      path.gsub(/[*?{}\[\]\\]/, "\\\\\\&")
     end
 
     private

data/lib/action_dispatch/routing/route_set.rb

@@ -235,7 +235,14 @@ module ActionDispatch
             result = options.dup
 
             if args.size > 0
-              if args.size < keys.size - 1 # take format into account
+              # take format into account
+              if keys.include?(:format)
+                keys_size = keys.size - 1
+              else
+                keys_size = keys.size
+              end
+
+              if args.size < keys_size
                 keys -= t.url_options.keys if t.respond_to?(:url_options)
                 keys -= options.keys
               end

data/lib/action_dispatch/testing/assertions/routing.rb

@@ -38,7 +38,7 @@ module ActionDispatch
       #   # Test a custom route
       #   assert_recognizes({controller: 'items', action: 'show', id: '1'}, 'view/item1')
       def assert_recognizes(expected_options, path, extras={}, msg=nil)
-        request = recognized_request_for(path, extras)
+        request = recognized_request_for(path, extras, msg)
 
         expected_options = expected_options.clone
 
@@ -69,9 +69,9 @@ module ActionDispatch
       #
       #   # Asserts that the generated route gives us our custom route
       #   assert_generates "changesets/12", { controller: 'scm', action: 'show_diff', revision: "12" }
-      def assert_generates(expected_path, options, defaults={}, extras = {}, message=nil)
+      def assert_generates(expected_path, options, defaults={}, extras={}, message=nil)
         if expected_path =~ %r{://}
-          fail_on(URI::InvalidURIError) do
+          fail_on(URI::InvalidURIError, message) do
             uri = URI.parse(expected_path)
             expected_path = uri.path.to_s.empty? ? "/" : uri.path
           end
@@ -174,7 +174,7 @@ module ActionDispatch
 
       private
         # Recognizes the route for a given path.
-        def recognized_request_for(path, extras = {})
+        def recognized_request_for(path, extras = {}, msg)
           if path.is_a?(Hash)
             method = path[:method]
             path   = path[:path]
@@ -186,7 +186,7 @@ module ActionDispatch
           request = ActionController::TestRequest.new
 
           if path =~ %r{://}
-            fail_on(URI::InvalidURIError) do
+            fail_on(URI::InvalidURIError, msg) do
               uri = URI.parse(path)
               request.env["rack.url_scheme"] = uri.scheme || "http"
               request.host = uri.host if uri.host
@@ -200,7 +200,7 @@ module ActionDispatch
 
           request.request_method = method if method
 
-          params = fail_on(ActionController::RoutingError) do
+          params = fail_on(ActionController::RoutingError, msg) do
             @routes.recognize_path(path, { :method => method, :extras => extras })
           end
           request.path_parameters = params.with_indifferent_access
@@ -208,10 +208,10 @@ module ActionDispatch
           request
         end
 
-        def fail_on(exception_class)
+        def fail_on(exception_class, message)
           yield
         rescue exception_class => e
-          raise Minitest::Assertion, e.message
+          raise Minitest::Assertion, message || e.message
         end
     end
   end

data/lib/action_pack/gem_version.rb

@@ -7,7 +7,7 @@ module ActionPack
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 7
+    TINY  = 9
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.1.7
+  version: 4.1.9
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-29 00:00:00.000000000 Z
+date: 2015-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.7
+        version: 4.1.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.7
+        version: 4.1.9
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.7
+        version: 4.1.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.7
+        version: 4.1.9
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.7
+        version: 4.1.9
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.7
+        version: 4.1.9
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -258,7 +258,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - none
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).