actionpack 3.0.19 → 3.0.20
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
5
|
-
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 1233f96f807c0dc8b447b84b7b7d031267147203
|
4
|
+
data.tar.gz: d1a329c22c422cf76385feda31f9200f4afe1b10
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: c9a95139477e0cfa773bb32f27e18588d79580402313f865f5193a308c8d422dced7e957e4e46422501f7020d5a957ec0f5996a910b7f240314353b82fbbc462
|
7
|
+
data.tar.gz: 232a6d69810531cb7496203f04a304f6b9cab4c5180bf2c34ddfc29775d375dae3e5d7da3782497888692aaf007fdf1aac8e0e42885f68cbc875e4d5e615adbf
|
data/CHANGELOG
CHANGED
@@ -1,8 +1,14 @@
|
|
1
|
-
## Rails 3.0.
|
1
|
+
## Rails 3.0.20 (unreleased)
|
2
|
+
|
3
|
+
* Fixed JSON params parsing regression for non-object JSON content.
|
4
|
+
|
5
|
+
## Rails 3.0.19 (Jan 8, 2013)
|
2
6
|
|
3
7
|
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
|
4
8
|
|
5
|
-
## Rails 3.0.18
|
9
|
+
## Rails 3.0.18 (Jan 2, 2013)
|
10
|
+
|
11
|
+
* No changes.
|
6
12
|
|
7
13
|
## Rails 3.0.17 (Aug 9, 2012)
|
8
14
|
|
@@ -13,9 +19,9 @@
|
|
13
19
|
|
14
20
|
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
|
15
21
|
|
16
|
-
* When
|
22
|
+
* When an "include_blank" value is supplied to the `select_tag` helper, the "include_blank" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
|
17
23
|
Vulnerable code will look something like this:
|
18
|
-
select_tag("name", options, :
|
24
|
+
select_tag("name", options, :include_blank => UNTRUSTED_INPUT)
|
19
25
|
|
20
26
|
*Santiago Pastorino*
|
21
27
|
|
@@ -26,8 +26,6 @@ module ActionDispatch
|
|
26
26
|
module FilterParameters
|
27
27
|
extend ActiveSupport::Concern
|
28
28
|
|
29
|
-
@@parameter_filter_for = {}
|
30
|
-
|
31
29
|
# Return a hash of parameters with all sensitive data replaced.
|
32
30
|
def filtered_parameters
|
33
31
|
@filtered_parameters ||= parameter_filter.filter(parameters)
|
@@ -54,7 +52,7 @@ module ActionDispatch
|
|
54
52
|
end
|
55
53
|
|
56
54
|
def parameter_filter_for(filters)
|
57
|
-
|
55
|
+
ParameterFilter.new(filters)
|
58
56
|
end
|
59
57
|
|
60
58
|
KV_RE = '[^&;=]+'
|
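Review bot: `parameter_filter_for` now returns `ParameterFilter.new(filters)` on every call and the `@@parameter_filter_for = {}` class variable is gone, but nothing in the new code records why the cache was removed, so a later maintainer could reinstate it. Suggest a comment above the method: `# No class-level cache: memoizing per filter set would let the set of filter configurations grow without bound.` That rationale is inferred from the removed lines rather than stated on the page, so confirm it against the release notes before adopting the wording. The enclosing `module FilterParameters` starts and ends outside this hunk.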
@@ -44,10 +44,10 @@ module ActionDispatch
|
|
44
44
|
when :yaml
|
45
45
|
YAML.load(request.raw_post)
|
46
46
|
when :json
|
47
|
-
data =
|
47
|
+
data = ActiveSupport::JSON.decode(request.body)
|
48
48
|
request.body.rewind if request.body.respond_to?(:rewind)
|
49
49
|
data = {:_json => data} unless data.is_a?(Hash)
|
50
|
-
data.with_indifferent_access
|
50
|
+
request.deep_munge(data).with_indifferent_access
|
51
51
|
else
|
52
52
|
false
|
53
53
|
end
|
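Review bot: The new `request.deep_munge(data).with_indifferent_access` line carries no comment tying it to the nil-stripping fix, and the statement order matters: non-object JSON is first wrapped as `{:_json => data}` so the munge always receives a Hash. Suggest `# Wrap non-object JSON under :_json, then strip nils from nested arrays (CVE-2013-0155 follow-up, see CHANGELOG).` above the `data = {:_json => data}` line. `deep_munge` is defined outside this hunk, so whether it also copes with a bare `null` body (where `data` is nil after decoding) cannot be confirmed here and deserves a test. The adjacent `when :yaml` branch still passes `request.raw_post` straight to `YAML.load`; it is untouched context, but if that strategy remains reachable it warrants the same scrutiny as the JSON path.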
data/lib/action_pack/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.
|
4
|
+
version: 3.0.20
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2013-01-
|
11
|
+
date: 2013-01-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 3.0.
|
19
|
+
version: 3.0.20
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 3.0.
|
26
|
+
version: 3.0.20
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: activemodel
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - '='
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 3.0.
|
33
|
+
version: 3.0.20
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - '='
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 3.0.
|
40
|
+
version: 3.0.20
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: builder
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -327,7 +327,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
327
327
|
requirements:
|
328
328
|
- none
|
329
329
|
rubyforge_project: actionpack
|
330
|
-
rubygems_version: 2.0.0.preview3
|
330
|
+
rubygems_version: 2.0.0.preview3.1
|
331
331
|
signing_key:
|
332
332
|
specification_version: 4
|
333
333
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|