actionpack 3.1.9 → 3.1.10



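--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  !binary "U0hBMQ==":
- metadata.gz: 30b727e1c49903c1015968d3dfee8ec171c730c4
- data.tar.gz: 64fbd9f755c1b098832d11be6e08dde202ee7298
+ metadata.gz: 90968dc970e80ff89a11d7d2aa97c5cfa67bbf7b
+ data.tar.gz: 0d05b45c288729d7a5e17cd7df18fe652f1d6429
  !binary "U0hBNTEy":
- metadata.gz: 03249e735f5e4dcddff6df4341226669b3062f99ed32e46016f2e6bc84182a7649c21a3127898ad41a47240d1003614763f865b0971c4e5f3c364e130cfbe55f
- data.tar.gz: e8c364f08a7e2737f2489cf4bb286bfbcde66e67a0903577c27d088ec103460eac83a334e7a8a96b3004a50381e441e739e67b52d55f959143e5171d50cf0713
+ metadata.gz: e3ab880006ca03db0c7f425582637ff5aa4f00680d80fcf4007f60645f5c1a20d96635332ea3a1592fcef55f35a9e184177df6ef43e2f9f97a79842885f2823d
+ data.tar.gz: ce0c161b8ac8343f61f5dba717f7028340d8a5c833d238fb9b33faa3d2b1cc862dc708d08cd8fe036ecc1b8056b32b7a90ad47d752772f4d3bc0d8f1694f5e48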
@@ -1,3 +1,7 @@
1
+ ## Rails 3.1.10
2
+
3
+ * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
4
+
1
5
  ## Rails 3.1.9
2
6
 
3
7
  ## Rails 3.1.8 (Aug 9, 2012)
@@ -267,18 +267,14 @@ module ActionDispatch
267
267
  LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
268
268
  end
269
269
 
270
- protected
271
-
272
270
  # Remove nils from the params hash
273
271
  def deep_munge(hash)
274
- keys = hash.keys.find_all { |k| hash[k] == [nil] }
275
- keys.each { |k| hash[k] = nil }
276
-
277
- hash.each_value do |v|
272
+ hash.each do |k, v|
278
273
  case v
279
274
  when Array
280
275
  v.grep(Hash) { |x| deep_munge(x) }
281
276
  v.compact!
277
+ hash[k] = nil if v.empty?
282
278
  when Hash
283
279
  deep_munge(v)
284
280
  end
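Review bot: The comment `# Remove nils from the params hash` now undersells what the method does: after `v.compact!`, the added `hash[k] = nil if v.empty?` also turns an array that arrived empty (`[]`) into nil, not only `[nil]`, so a controller can no longer tell an empty collection from an absent one. Nested arrays are not traversed either — `v.grep(Hash)` recurses only into Hash elements, so a value like `[[nil]]` keeps its inner nil; whether any consumer downstream treats that as a null match is not visible here. I would document both: `# Recursively strips nils from array values and replaces any array left empty (including one that was already empty) with nil; nested arrays are not descended into`. The next hunk in this file moves `protected` below this method, making deep_munge part of Request's public interface so the params parser can call it; a one-line comment stating that intent would stop a later cleanup from re-hiding it. The enclosing class starts outside the hunk.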
@@ -287,6 +283,8 @@ module ActionDispatch
287
283
  hash
288
284
  end
289
285
 
286
+ protected
287
+
290
288
  def parse_query(qs)
291
289
  deep_munge(super)
292
290
  end
@@ -38,13 +38,13 @@ module ActionDispatch
38
38
  when Proc
39
39
  strategy.call(request.raw_post)
40
40
  when :xml_simple, :xml_node
41
- data = Hash.from_xml(request.body.read) || {}
41
+ data = request.deep_munge(Hash.from_xml(request.body.read) || {})
42
42
  request.body.rewind if request.body.respond_to?(:rewind)
43
43
  data.with_indifferent_access
44
44
  when :yaml
45
45
  YAML.load(request.raw_post)
46
46
  when :json
47
- data = ActiveSupport::JSON.decode(request.body)
47
+ data = request.deep_munge ActiveSupport::JSON.decode(request.body)
48
48
  request.body.rewind if request.body.respond_to?(:rewind)
49
49
  data = {:_json => data} unless data.is_a?(Hash)
50
50
  data.with_indifferent_access
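Review bot: In the `:json` branch `request.deep_munge` runs on the raw decode result before the `{:_json => data}` wrapping, so a non-Hash body is never munged: `deep_munge` iterates an Array one element at a time with `v` nil and returns it untouched, so a top-level array such as `[{"a":[null]}]` keeps its inner `[nil]`, and if the decoder can ever return nil or a scalar the `.each` call raises NoMethodError instead of reaching the wrapping line. Munging after the wrap covers both cases: keep `data = ActiveSupport::JSON.decode(request.body)` as it was and make the last line `request.deep_munge(data).with_indifferent_access`. The `:yaml` strategy is left out of the munge entirely, and `YAML.load` on the raw post deserializes arbitrary Ruby objects from an untrusted body, so a request parsed by that strategy bypasses this fix; if it is still configurable it deserves the same treatment or removal. The enclosing method starts and ends outside the hunk.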
@@ -25,6 +25,8 @@ module ActionDispatch
25
25
  module Compatibility
26
26
  def initialize(app, options = {})
27
27
  options[:key] ||= '_session_id'
28
+ # FIXME Rack's secret is not being used
29
+ options[:secret] ||= SecureRandom.hex(30)
28
30
  super
29
31
  end
30
32
 
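Review bot: `options[:secret] ||= SecureRandom.hex(30)` generates a fresh value every time the middleware is instantiated, so even if Rack started honouring it the secret would differ per process and per restart; the `FIXME` says it is unused but not why it is set, so the intent is not recoverable from the code. I would expand the comment: `# Placeholder only: Rack does not use this secret (see FIXME); it is regenerated per process, so nothing may depend on it being stable or shared across workers`. `SecureRandom` also needs `securerandom` to be required before this runs; whether the file already does so is outside the hunk. The enclosing module and class start outside the hunk.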
@@ -2,7 +2,7 @@ module ActionPack
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 1
5
- TINY = 9
5
+ TINY = 10
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
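--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: actionpack
  version: !ruby/object:Gem::Version
- version: 3.1.9
+ version: 3.1.10
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2012-12-23 00:00:00.000000000 Z
+ date: 2013-01-08 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.1.9
+ version: 3.1.10
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.1.9
+ version: 3.1.10
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.1.9
+ version: 3.1.10
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 3.1.9
+ version: 3.1.10
  - !ruby/object:Gem::Dependency
  name: rack-cache
  requirement: !ruby/object:Gem::Requirement
@@ -379,7 +379,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - none
  rubyforge_project:
- rubygems_version: 2.0.0.preview2.1
+ rubygems_version: 2.0.0.preview3
  signing_key:
  specification_version: 4
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).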