actionpack 3.0.19 → 3.0.20

Potentially problematic release.

This version of actionpack might be problematic.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- !binary "U0hBMQ==":
3
- metadata.gz: 0a7e9ae651abc0a3754a626d318b31c2b803d595
4
- data.tar.gz: 73f5d21b129de3cddf43e3f392b79c444ced9996
5
- !binary "U0hBNTEy":
6
- metadata.gz: e60a6daeae274813b631e95716981782f699fd2e73e86f89e2a89cfdd6c780f76b5ae809a593895b315a88a4c76304e3b06a8be7c29fd1d4f603c693ab4eabb2
7
- data.tar.gz: 83a4577c0c9d8fdefa4c5f05e2724462e13d75dcd6f1ef40671a949d9a38139755f72776006794cfe3024176c15062db95e8b8227e0cad92a93dcfbf66806bc9
2
+ SHA1:
3
+ metadata.gz: 1233f96f807c0dc8b447b84b7b7d031267147203
4
+ data.tar.gz: d1a329c22c422cf76385feda31f9200f4afe1b10
5
+ SHA512:
6
+ metadata.gz: c9a95139477e0cfa773bb32f27e18588d79580402313f865f5193a308c8d422dced7e957e4e46422501f7020d5a957ec0f5996a910b7f240314353b82fbbc462
7
+ data.tar.gz: 232a6d69810531cb7496203f04a304f6b9cab4c5180bf2c34ddfc29775d375dae3e5d7da3782497888692aaf007fdf1aac8e0e42885f68cbc875e4d5e615adbf
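Review bot: the digest keys change from `!binary "U0hBMQ=="` and `!binary "U0hBNTEy"` to plain `SHA1` and `SHA512`, so any tooling that reads checksums.yaml has to accept both spellings (the base64 strings decode to the same two names). For anyone verifying this release: these digests ship inside the gem they describe, so they catch corruption but not a substituted package; compare the SHA512 of the downloaded .gem against a value obtained independently of the file itself.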
data/CHANGELOG CHANGED
@@ -1,8 +1,14 @@
1
- ## Rails 3.0.19
1
+ ## Rails 3.0.20 (unreleased)
2
+
3
+ * Fixed JSON params parsing regression for non-object JSON content.
4
+
5
+ ## Rails 3.0.19 (Jan 8, 2013)
2
6
 
3
7
  * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
4
8
 
5
- ## Rails 3.0.18
9
+ ## Rails 3.0.18 (Jan 2, 2013)
10
+
11
+ * No changes.
6
12
 
7
13
  ## Rails 3.0.17 (Aug 9, 2012)
8
14
 
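Review bot: the new top heading still reads `## Rails 3.0.20 (unreleased)` although this is the released package (the metadata hunk dates it 2013-01-28); it should carry the release date like the `3.0.19 (Jan 8, 2013)` and `3.0.18 (Jan 2, 2013)` headings corrected in the same hunk. The entry "Fixed JSON params parsing regression for non-object JSON content" would also be clearer if it said the regression came from the nil stripping added in 3.0.19 for CVE-2013-0155, since the code change in this release moves that same `deep_munge` call.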
@@ -13,9 +19,9 @@
13
19
 
14
20
  *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
15
21
 
16
- * When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
22
+ * When an "include_blank" value is supplied to the `select_tag` helper, the "include_blank" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
17
23
  Vulnerable code will look something like this:
18
- select_tag("name", options, :prompt => UNTRUSTED_INPUT)
24
+ select_tag("name", options, :include_blank => UNTRUSTED_INPUT)
19
25
 
20
26
  *Santiago Pastorino*
21
27
 
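Review bot: the rewritten entry replaces "prompt" with "include_blank" in two places, but the second sentence still says "supplied as the prompt value", so the text now names two different options. If the fix was for `:include_blank`, that clause should read "supplied as the include_blank value"; if both options were affected, list both rather than overwriting the `:prompt` wording and example.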
@@ -26,8 +26,6 @@ module ActionDispatch
26
26
  module FilterParameters
27
27
  extend ActiveSupport::Concern
28
28
 
29
- @@parameter_filter_for = {}
30
-
31
29
  # Return a hash of parameters with all sensitive data replaced.
32
30
  def filtered_parameters
33
31
  @filtered_parameters ||= parameter_filter.filter(parameters)
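Review bot: dropping `@@parameter_filter_for = {}` removes a class-level hash that was shared by every request, which is a behaviour change with no CHANGELOG entry in this release and no comment here saying why. A one-line note giving the reason would help anyone auditing how sensitive parameters are replaced before they reach the logs.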
@@ -54,7 +52,7 @@ module ActionDispatch
54
52
  end
55
53
 
56
54
  def parameter_filter_for(filters)
57
- @@parameter_filter_for[filters] ||= ParameterFilter.new(filters)
55
+ ParameterFilter.new(filters)
58
56
  end
59
57
 
60
58
  KV_RE = '[^&;=]+'
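Review bot: `parameter_filter_for(filters)` now builds a fresh `ParameterFilter` on every call instead of reusing one per `filters` value. `filtered_parameters` in the previous hunk is memoized with `@filtered_parameters ||=`, so that path pays once per request, but any other caller repeats the construction each time; if that cost matters, memoize in an instance variable rather than restoring the shared class-level cache.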
@@ -44,10 +44,10 @@ module ActionDispatch
44
44
  when :yaml
45
45
  YAML.load(request.raw_post)
46
46
  when :json
47
- data = request.deep_munge ActiveSupport::JSON.decode(request.body)
47
+ data = ActiveSupport::JSON.decode(request.body)
48
48
  request.body.rewind if request.body.respond_to?(:rewind)
49
49
  data = {:_json => data} unless data.is_a?(Hash)
50
- data.with_indifferent_access
50
+ request.deep_munge(data).with_indifferent_access
51
51
  else
52
52
  false
53
53
  end
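Review bot: in the `when :json` branch, `request.deep_munge` now runs after the `{:_json => data}` wrap, so top-level arrays and scalars are munged as part of a Hash instead of being passed to `deep_munge` directly; this needs a regression test that posts non-object bodies, including a bare array containing `null`, to show that the CVE-2013-0155 nil stripping still applies under `:_json`. The unchanged `when :yaml` branch above returns `YAML.load(request.raw_post)` with neither `deep_munge` nor any restriction on what the request body can deserialize to, which deserves its own follow-up.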
@@ -2,7 +2,7 @@ module ActionPack
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 0
5
- TINY = 19
5
+ TINY = 20
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.19
4
+ version: 3.0.20
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2013-01-08 00:00:00.000000000 Z
11
+ date: 2013-01-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 3.0.19
19
+ version: 3.0.20
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 3.0.19
26
+ version: 3.0.20
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 3.0.19
33
+ version: 3.0.20
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 3.0.19
40
+ version: 3.0.20
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: builder
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -327,7 +327,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
327
327
  requirements:
328
328
  - none
329
329
  rubyforge_project: actionpack
330
- rubygems_version: 2.0.0.preview3
330
+ rubygems_version: 2.0.0.preview3.1
331
331
  signing_key:
332
332
  specification_version: 4
333
333
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
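Review bot: `rubygems_version` moves from `2.0.0.preview3` to `2.0.0.preview3.1`, so the release was packaged with a preview build of RubyGems; building releases with a stable RubyGems would avoid format differences like the key change in checksums.yaml. `signing_key:` is empty here and `cert_chain: []` appears in the first metadata hunk, so the gem is unsigned and consumers have no signature to verify it against.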