actionpack 3.0.4.rc1 → 3.0.4


Potentially problematic release.



@@ -7,7 +7,7 @@ module ActionController
7
7
 
8
8
  # Before processing, set the request formats in current controller formats.
9
9
  def process_action(*) #:nodoc:
10
- self.formats = request.formats.map { |x| x.to_sym }
10
+ self.formats = request.formats.map { |x| x.ref }
11
11
  super
12
12
  end
13
13
 
@@ -89,25 +89,24 @@ module ActionController #:nodoc:
89
89
  end
90
90
 
91
91
  protected
92
-
93
- def protect_from_forgery(options = {})
94
- self.request_forgery_protection_token ||= :authenticity_token
95
- before_filter :verify_authenticity_token, options
96
- end
97
-
98
92
  # The actual before_filter that is used. Modify this to change how you handle unverified requests.
99
93
  def verify_authenticity_token
100
- verified_request? || raise(ActionController::InvalidAuthenticityToken)
94
+ verified_request? || handle_unverified_request
95
+ end
96
+
97
+ def handle_unverified_request
98
+ reset_session
101
99
  end
102
100
 
103
101
  # Returns true or false if a request is verified. Checks:
104
102
  #
105
- # * is the format restricted? By default, only HTML requests are checked.
106
103
  # * is it a GET request? Gets should be safe and idempotent
107
104
  # * Does the form_authenticity_token match the given token value from the params?
105
+ # * Does the X-CSRF-Token header match the form_authenticity_token
108
106
  def verified_request?
109
- !protect_against_forgery? || request.forgery_whitelisted? ||
110
- form_authenticity_token == params[request_forgery_protection_token]
107
+ !protect_against_forgery? || request.get? ||
108
+ form_authenticity_token == params[request_forgery_protection_token] ||
109
+ form_authenticity_token == request.headers['X-CSRF-Token']
111
110
  end
112
111
 
113
112
  # Sets the token value for the current session.
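Review bot: `handle_unverified_request` has no comment, and the comment kept above `verify_authenticity_token` ("Modify this to change how you handle unverified requests") now points at the wrong method. The new hook only calls `reset_session` and then lets the action run, so a credential that lives outside the session (a persistent login cookie, HTTP authentication) would still authenticate a forged request; the comment should say so, for example `# Called when the token check fails. Resets the session only; override to also clear non-session credentials such as remember-me cookies.` Because the request no longer raises, a failed check also leaves no trace, and a warning logged from the hook would make rejected requests visible to whoever operates the application. Separately, both token comparisons in `verified_request?` use `==`, which is not a constant-time comparison.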
@@ -176,7 +176,11 @@ module Mime
176
176
  end
177
177
 
178
178
  def to_sym
179
- @symbol || @string.to_sym
179
+ @symbol
180
+ end
181
+
182
+ def ref
183
+ to_sym || to_s
180
184
  end
181
185
 
182
186
  def ===(list)
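Review bot: `to_sym` can now return nil for a type that has no registered symbol, which is not what callers of a `to_sym` method expect, and neither it nor the new `ref` carries a comment. `ref` returns the Symbol for registered types and falls back to `to_s` otherwise, so the collections built from it in the `process_action`, `formats=` and template `@formats` hunks can hold a mix of Symbols and Strings. A comment on `ref` such as `# Registered symbol, or the MIME string when none is registered; never creates a new Symbol from the type string.` would record the contract (presumably the aim is to stop interning symbols from request-supplied strings). Any caller outside this diff that still calls `to_sym` directly needs a nil check. The `===` definition at the end of the hunk continues outside it.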
@@ -141,8 +141,9 @@ module ActionDispatch
141
141
  end
142
142
 
143
143
  def forgery_whitelisted?
144
- get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
144
+ get?
145
145
  end
146
+ deprecate :forgery_whitelisted? => "it is just an alias for 'get?' now, update your code"
146
147
 
147
148
  def media_type
148
149
  content_mime_type.to_s
@@ -3,7 +3,7 @@ module ActionPack
3
3
  MAJOR = 3
4
4
  MINOR = 0
5
5
  TINY = 4
6
- PRE = "rc1"
6
+ PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
9
9
  end
@@ -490,7 +490,9 @@ module ActionView
490
490
  string = ''
491
491
 
492
492
  if encode == "javascript"
493
- "document.write('#{content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))}');".each_byte do |c|
493
+ html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
494
+ html = escape_javascript(html)
495
+ "document.write('#{html}');".each_byte do |c|
494
496
  string << sprintf("%%%x", c)
495
497
  end
496
498
  "<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>".html_safe
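Review bot: The context line `string << sprintf("%%%x", c)` emits a single hex digit for any byte below 0x10, which is not a valid percent escape and makes `decodeURIComponent` throw in the browser; `string << sprintf("%%%02x", c)` pads it to two digits. `escape_javascript` is added just above, but whether it rewrites every such byte (a tab, for instance) is not visible here, so the padded form is the safer one. The `href` is built from `email_address` and `extras` and then marked `html_safe`; any escaping of those values would have to happen before this hunk, which starts mid-method, and is worth confirming.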
@@ -145,11 +145,11 @@ module ActionView
145
145
  @frozen_formats = true
146
146
  end
147
147
 
148
- # Overload formats= to reject [:"*/*"] values.
148
+ # Overload formats= to reject ["*/*"] values.
149
149
  def formats=(values)
150
150
  if values && values.size == 1
151
151
  value = values.first
152
- values = nil if value == :"*/*"
152
+ values = nil if value == "*/*"
153
153
  values << :html if value == :js
154
154
  end
155
155
  super(values)
@@ -117,7 +117,7 @@ module ActionView
117
117
  @method_names = {}
118
118
 
119
119
  format = details[:format] || :html
120
- @formats = Array.wrap(format).map(&:to_sym)
120
+ @formats = Array.wrap(format).map { |f| f.is_a?(Mime::Type) ? f.ref : f }
121
121
  @virtual_path = details[:virtual_path].try(:sub, ".#{format}", "")
122
122
  end
123
123
 
@@ -72,14 +72,20 @@ module ActionView
72
72
  query.gsub!(/\{\.html,/, "{.html,.text.html,")
73
73
  query.gsub!(/\{\.text,/, "{.text,.text.plain,")
74
74
 
75
- Dir[query].reject { |p| File.directory?(p) }.map do |p|
76
- handler, format = extract_handler_and_format(p, formats)
75
+ templates = []
76
+ sanitizer = Hash.new { |h,k| h[k] = Dir["#{File.dirname(k)}/*"] }
77
+
78
+ Dir[query].each do |p|
79
+ next if File.directory?(p) || !sanitizer[p].include?(p)
77
80
 
81
+ handler, format = extract_handler_and_format(p, formats)
78
82
  contents = File.open(p, "rb") {|io| io.read }
79
83
 
80
- Template.new(contents, File.expand_path(p), handler,
84
+ templates << Template.new(contents, File.expand_path(p), handler,
81
85
  :virtual_path => path, :format => format)
82
86
  end
87
+
88
+ templates
83
89
  end
84
90
 
85
91
  # Extract handler and formats from path. If a format cannot be a found neither
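Review bot: The `sanitizer` cache is keyed by the full file path `p`, so the directory glob runs again for every matched file and the memoising Hash never gets a hit for two files in the same directory. Keying by directory fixes that without changing the check: `sanitizer = Hash.new { |h, dir| h[dir] = Dir["#{dir}/*"] }` and `next if File.directory?(p) || !sanitizer[File.dirname(p)].include?(p)`. The filter also has no comment saying what it rejects; from the code it drops any glob match whose exact path string is not in its directory's listing (presumably a match that differs in case on a case-insensitive filesystem), and a one-line comment stating that would keep the check from being removed as redundant. The enclosing method starts outside the hunk.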
metadata CHANGED
@@ -1,14 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- hash: 977940590
5
- prerelease: true
4
+ hash: 15
5
+ prerelease: false
6
6
  segments:
7
7
  - 3
8
8
  - 0
9
9
  - 4
10
- - rc1
11
- version: 3.0.4.rc1
10
+ version: 3.0.4
12
11
  platform: ruby
13
12
  authors:
14
13
  - David Heinemeier Hansson
@@ -16,7 +15,7 @@ autorequire:
16
15
  bindir: bin
17
16
  cert_chain: []
18
17
 
19
- date: 2011-01-31 00:00:00 +13:00
18
+ date: 2011-02-09 00:00:00 +13:00
20
19
  default_executable:
21
20
  dependencies:
22
21
  - !ruby/object:Gem::Dependency
@@ -27,13 +26,12 @@ dependencies:
27
26
  requirements:
28
27
  - - "="
29
28
  - !ruby/object:Gem::Version
30
- hash: 977940590
29
+ hash: 15
31
30
  segments:
32
31
  - 3
33
32
  - 0
34
33
  - 4
35
- - rc1
36
- version: 3.0.4.rc1
34
+ version: 3.0.4
37
35
  type: :runtime
38
36
  version_requirements: *id001
39
37
  - !ruby/object:Gem::Dependency
@@ -44,13 +42,12 @@ dependencies:
44
42
  requirements:
45
43
  - - "="
46
44
  - !ruby/object:Gem::Version
47
- hash: 977940590
45
+ hash: 15
48
46
  segments:
49
47
  - 3
50
48
  - 0
51
49
  - 4
52
- - rc1
53
- version: 3.0.4.rc1
50
+ version: 3.0.4
54
51
  type: :runtime
55
52
  version_requirements: *id002
56
53
  - !ruby/object:Gem::Dependency
@@ -360,14 +357,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
360
357
  required_rubygems_version: !ruby/object:Gem::Requirement
361
358
  none: false
362
359
  requirements:
363
- - - ">"
360
+ - - ">="
364
361
  - !ruby/object:Gem::Version
365
- hash: 25
362
+ hash: 3
366
363
  segments:
367
- - 1
368
- - 3
369
- - 1
370
- version: 1.3.1
364
+ - 0
365
+ version: "0"
371
366
  requirements:
372
367
  - none
373
368
  rubyforge_project: actionpack