actionpack 3.0.16 → 3.0.17

Potentially problematic release.

data/CHANGELOG CHANGED
@@ -1,3 +1,18 @@
+ ## Rails 3.0.17 (Aug 9, 2012)
+
+ * There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+ helper doesn't correctly handle malformed html. As a result an attacker can
+ execute arbitrary javascript through the use of specially crafted malformed
+ html.
+
+ *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
+ * When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+ Vulnerable code will look something like this:
+ select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+ *Santiago Pastorino*
+
  ## Rails 3.0.16 (Jul 26, 2012)
 
  * Do not convert digest auth strings to symbols. CVE-2012-3424
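Review bot: neither 3.0.17 entry carries a CVE identifier, while the 3.0.16 entry directly below cites CVE-2012-3424; if identifiers were assigned for these two issues they belong here so downstream advisories and scanners can be matched to this release. The strip_tags entry also describes only the attack surface and not what changes for callers: the strip_tags hunk later in this patch stops marking the result html_safe, so templates that relied on the stripped string rendering unescaped will now see it escaped, which deserves one sentence in the changelog.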
@@ -2,7 +2,7 @@ module ActionPack
  module VERSION #:nodoc:
  MAJOR = 3
  MINOR = 0
- TINY = 16
+ TINY = 17
  PRE = nil
 
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -100,9 +100,9 @@ module ActionView
  html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
  if blank = options.delete(:include_blank)
  if blank.kind_of?(String)
- option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
+ option_tags = content_tag(:option, blank, :value => '').safe_concat(option_tags)
  else
- option_tags = "<option value=\"\"></option>".html_safe + option_tags
+ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
  end
  end
  content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
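Review bot: the changelog describes the vulnerable call as `select_tag("name", options, :prompt => UNTRUSTED_INPUT)`, but the code path this hunk escapes is the String branch of `options.delete(:include_blank)`; the changelog and the code should agree on which option is affected in the 3.0 series so users grep for the right one. The fix itself is sound: `content_tag(:option, blank, :value => '')` escapes `blank`, where the old `"<option value=\"\">#{blank}</option>".html_safe` interpolated it unescaped, and `safe_concat(option_tags)` keeps the existing contract that `option_tags` is already trusted markup (callers remain responsible for that). No test is visible in this diff; one that passes a blank string containing `<` and `"` and asserts on the escaped output would keep this regression from returning.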
@@ -81,7 +81,7 @@ module ActionView
  # strip_tags("<div id='top-bar'>Welcome to my website!</div>")
  # # => Welcome to my website!
  def strip_tags(html)
- self.class.full_sanitizer.sanitize(html).try(:html_safe)
+ self.class.full_sanitizer.sanitize(html)
  end
 
  # Strips all link tags from +text+ leaving just the link text.
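Review bot: dropping `.try(:html_safe)` changes the helper's contract, not just a bug: `strip_tags` now returns a plain String that ERB escapes on output, so any tag-like text the full sanitizer lets through from malformed input is rendered inert instead of as markup. The doc comment just above still shows only the happy-path example and says nothing about the return value no longer being html_safe; a line stating that callers who need the old behaviour must audit the result and mark it `html_safe` themselves would head off surprised bug reports. Nil handling is unchanged: the `try` only guarded a nil return from `sanitize`, and the new line returns that value as-is.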
metadata CHANGED
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: actionpack
  version: !ruby/object:Gem::Version
- version: 3.0.16
+ version: 3.0.17
  prerelease:
  platform: ruby
  authors:
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2012-07-26 00:00:00.000000000 Z
+ date: 2012-08-09 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -18,7 +18,7 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.0.16
+ version: 3.0.17
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
@@ -26,7 +26,7 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.0.16
+ version: 3.0.17
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
@@ -34,7 +34,7 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.0.16
+ version: 3.0.17
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
@@ -42,7 +42,7 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.0.16
+ version: 3.0.17
  - !ruby/object:Gem::Dependency
  name: builder
  requirement: !ruby/object:Gem::Requirement
@@ -344,10 +344,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - - ! '>='
  - !ruby/object:Gem::Version
  version: '0'
+ segments:
+ - 0
+ hash: -714511862938219574
  requirements:
  - none
  rubyforge_project: actionpack
- rubygems_version: 1.8.23
+ rubygems_version: 1.8.24
  signing_key:
  specification_version: 3
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
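Review bot: the added `segments:` / `hash:` lines and the `rubygems_version: 1.8.23` to `1.8.24` change are artefacts of the gemspec being regenerated with a newer RubyGems, not deliberate edits, and are fine to ship; anyone diffing gem metadata for supply-chain review should expect this kind of noise and concentrate on the version and date fields, which here (3.0.17, 2012-08-09) are consistent with the CHANGELOG entry and with the version.rb bump.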