actionpack 3.0.6.rc2 → 3.0.6

data/CHANGELOG

@@ -1,4 +1,14 @@
-*Rails 3.0.6 (unreleased)*
+*Rails 3.0.6 (April 5, 2011)
+
+* Fixed XSS vulnerability in `auto_link`.  `auto_link` no longer marks input as
+  html safe.  Please make sure that calls to auto_link() are wrapped in a
+  sanitize(), or a raw() depending on the type of input passed to auto_link().
+  For example:
+
+    <%= sanitize(auto_link(some_user_input)) %>
+
+  Thanks to Torben Schulz for reporting this.  The fix can be found here:
+  61ee3449674c591747db95f9b3472c5c3bd9e84d
 
 * Fixes the output of `rake routes` to be correctly match to the behavior of the application, as the regular expression used to match the path is greedy and won't capture the format part by default [Prem Sichanugrist]
 

data/lib/action_pack/version.rb

@@ -3,7 +3,7 @@ module ActionPack
     MAJOR = 3
     MINOR = 0
     TINY  = 6
-    PRE   = "rc2"
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end

data/lib/action_view/helpers/text_helper.rb

@@ -299,7 +299,7 @@ module ActionView
       #   # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
       #         Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>."
       def auto_link(text, *args, &block)#link = :all, html = {}, &block)
-        return ''.html_safe if text.blank?
+        return '' if text.blank?
 
         options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
         unless args.empty?
@@ -503,7 +503,7 @@ module ActionView
               end
               content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
             end
-          end.html_safe
+          end
         end
 
         # Turns all email addresses into clickable links.  If a block is given,

metadata

@@ -1,15 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: actionpack
 version: !ruby/object:Gem::Version 
-  hash: 15424065
-  prerelease: 6
+  hash: 11
+  prerelease: 
   segments: 
   - 3
   - 0
   - 6
-  - rc
-  - 2
-  version: 3.0.6.rc2
+  version: 3.0.6
 platform: ruby
 authors: 
 - David Heinemeier Hansson
@@ -17,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-30 00:00:00 -07:00
+date: 2011-04-05 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -28,14 +26,12 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 15424065
+        hash: 11
         segments: 
         - 3
         - 0
         - 6
-        - rc
-        - 2
-        version: 3.0.6.rc2
+        version: 3.0.6
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -46,14 +42,12 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 15424065
+        hash: 11
         segments: 
         - 3
         - 0
         - 6
-        - rc
-        - 2
-        version: 3.0.6.rc2
+        version: 3.0.6
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency 
@@ -364,14 +358,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version 
-      hash: 25
+      hash: 3
       segments: 
-      - 1
-      - 3
-      - 1
-      version: 1.3.1
+      - 0
+      version: "0"
 requirements: 
 - none
 rubyforge_project: actionpack