actionpack 3.2.10 → 3.2.11


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  !binary "U0hBMQ==":
3
- metadata.gz: e93042eba846d70b2702aa517c6cbba339a6f6c5
4
- data.tar.gz: 1fd021147ff9f8b3f9acbf927fc56c6aa2f9d524
3
+ metadata.gz: 3a07abaffe43401851fb7bc9cc90467c560ad121
4
+ data.tar.gz: b12c03bbd8aee1fd54d33723a57bbb31bdc78f81
5
5
  !binary "U0hBNTEy":
6
- metadata.gz: b341980f8e716a24abf16c815bb4b9aff078af4a2955729fb3b9c91718cef25bb9f2e6242df26fac7a6808af4a8378bdb5b837657a3d60be75707812838ccd77
7
- data.tar.gz: f29b74dcc1fb04c0651bd88a9422d3a9f5fd80929cad64e6f6db62e9e193325849d61496bf30a2fe154e6197cbc4d00e46460fc8aa5a8f862238e503ae034a48
6
+ metadata.gz: 1492eaab5dbca1b9683b3ac9277e18dbc9e135366e19b98e98d27542042636b13afb513fa77d9a0809c537a943f583e94644bb90562b110ab3a0d79ddd135b70
7
+ data.tar.gz: 8e5a41925674a956188a1d4aaeee4389bc775aa7373c9b2dc1e84b76d594fe54b4ef80d126892a60ab6fb3e4530734897bf1aeb5dea43016854dfc4594e9f297
@@ -1,3 +1,7 @@
1
+ ## Rails 3.2.11 ##
2
+
3
+ * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
4
+
1
5
  ## Rails 3.2.10 ##
2
6
 
3
7
  ## Rails 3.2.9 (Nov 12, 2012) ##
@@ -247,18 +247,14 @@ module ActionDispatch
247
247
  LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
248
248
  end
249
249
 
250
- protected
251
-
252
250
  # Remove nils from the params hash
253
251
  def deep_munge(hash)
254
- keys = hash.keys.find_all { |k| hash[k] == [nil] }
255
- keys.each { |k| hash[k] = nil }
256
-
257
- hash.each_value do |v|
252
+ hash.each do |k, v|
258
253
  case v
259
254
  when Array
260
255
  v.grep(Hash) { |x| deep_munge(x) }
261
256
  v.compact!
257
+ hash[k] = nil if v.empty?
262
258
  when Hash
263
259
  deep_munge(v)
264
260
  end
@@ -267,6 +263,8 @@ module ActionDispatch
267
263
  hash
268
264
  end
269
265
 
266
+ protected
267
+
270
268
  def parse_query(qs)
271
269
  deep_munge(super)
272
270
  end
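Review bot: The comment `# Remove nils from the params hash` above `deep_munge` no longer describes what the method does: the removed `hash[k] == [nil]` check only collapsed the exact value `[nil]` to nil, whereas the new `hash[k] = nil if v.empty?` also turns any array that is empty after `compact!` — one submitted as `[]` as much as one that held only nils — into nil, and moving `protected` below the method makes it public so the parameter parsers can call `request.deep_munge`. I would replace the comment with `# Recursively strips nil from Array values and replaces any Array left empty (including [nil] and []) with nil, so a collection parameter cannot carry a bare nil (CVE-2013-0155, see CHANGELOG); public because the params parsers call it.` Note also that `v.grep(Hash)` recurses only into Hash elements, so arrays nested directly inside arrays are left as they are; if that scope is intentional the comment should say so, otherwise the Array branch should recurse into Array elements as well. The enclosing class header and the `protected` section's end are outside the hunk.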
@@ -38,13 +38,13 @@ module ActionDispatch
38
38
  when Proc
39
39
  strategy.call(request.raw_post)
40
40
  when :xml_simple, :xml_node
41
- data = Hash.from_xml(request.body.read) || {}
41
+ data = request.deep_munge(Hash.from_xml(request.body.read) || {})
42
42
  request.body.rewind if request.body.respond_to?(:rewind)
43
43
  data.with_indifferent_access
44
44
  when :yaml
45
45
  YAML.load(request.raw_post)
46
46
  when :json
47
- data = ActiveSupport::JSON.decode(request.body)
47
+ data = request.deep_munge ActiveSupport::JSON.decode(request.body)
48
48
  request.body.rewind if request.body.respond_to?(:rewind)
49
49
  data = {:_json => data} unless data.is_a?(Hash)
50
50
  data.with_indifferent_access
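Review bot: In the `:json` branch `request.deep_munge` runs before the `{:_json => data}` wrapping, so a top-level JSON array is not stripped: `deep_munge` iterates with `hash.each do |k, v|`, and on an Array that yields elements positionally rather than as key/value pairs, so a decoded `[nil]` or array of hashes matches neither `when Array` nor `when Hash` as intended and is wrapped unmunged. Decoding, then wrapping, then munging closes the gap: `data = ActiveSupport::JSON.decode(request.body)`, `data = {:_json => data} unless data.is_a?(Hash)`, `data = request.deep_munge(data)`. The `:yaml` branch is now the only strategy whose result is not passed through `deep_munge`; if that strategy is still selectable it should get the same treatment, and `YAML.load` on a raw request body deserializes arbitrary tagged objects, which deserves at least a comment here. Stylistically, the XML line calls `request.deep_munge(...)` with parentheses while the JSON line omits them; pick one form. The enclosing method's head and tail are outside the hunk.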
@@ -25,6 +25,8 @@ module ActionDispatch
25
25
  module Compatibility
26
26
  def initialize(app, options = {})
27
27
  options[:key] ||= '_session_id'
28
+ # FIXME Rack's secret is not being used
29
+ options[:secret] ||= SecureRandom.hex(30)
28
30
  super
29
31
  end
30
32
 
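Review bot: The new `FIXME` on `options[:secret] ||= SecureRandom.hex(30)` says the secret is not used but not why a value is assigned at all, so the next maintainer can neither safely remove it nor know whether it may be relied upon; the comment should record the reason (presumably the Rack session class this module extends requires the option — confirm). Because the value is regenerated on every process start, anything that ever did sign or encrypt with it would fail to verify across workers and restarts, so I would extend the comment to `# FIXME Rack's secret is not being used; set only so the underlying Rack session initializer is satisfied (confirm). Regenerated per process: never rely on it for signing.` `SecureRandom` also needs `require 'securerandom'` to be loaded somewhere earlier, which is outside the hunk. The `Compatibility` module continues past the hunk.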
@@ -2,7 +2,7 @@ module ActionPack
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 2
5
- TINY = 10
5
+ TINY = 11
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.2.10
4
+ version: 3.2.11
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2012-12-23 00:00:00.000000000 Z
11
+ date: 2013-01-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 3.2.10
19
+ version: 3.2.11
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 3.2.10
26
+ version: 3.2.11
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 3.2.10
33
+ version: 3.2.11
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 3.2.10
40
+ version: 3.2.11
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: rack-cache
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -368,7 +368,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
368
368
  requirements:
369
369
  - none
370
370
  rubyforge_project:
371
- rubygems_version: 2.0.0.preview2.1
371
+ rubygems_version: 2.0.0.preview3
372
372
  signing_key:
373
373
  specification_version: 4
374
374
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).