actionpack 3.2.15 → 3.2.16
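--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3c6647553515329d0446de1814849e0e230b604d
+data.tar.gz: 36ba47062aea7e6469d635a2d4bf447a17056eea
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a277bd49091be4af902fda13218021fa2d481d1b4b2a6b7257580311582b0345160773573573c1dcec67529fbfbbda6751fc5702ac020f8105c05a22324e11ab
+data.tar.gz: 9be391a5e0055d40177ced734e75be73e0cb6373026347c10072ef2449825a76108f33d78c78cc3d26770314818669d734212beb62359641d5b73f46957554dd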
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,11 @@
|
|
1
|
+
* Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
|
2
|
+
|
3
|
+
* Stop using i18n's built in HTML error handling. Fixes: CVE-2013-4491
|
4
|
+
|
5
|
+
* Escape the unit value provided to number_to_currency Fixes CVE-2013-6415
|
6
|
+
|
7
|
+
* Only use valid mime type symbols as cache keys CVE-2013-6414
|
8
|
+
|
1
9
|
## Rails 3.2.15 (Oct 16, 2013) ##
|
2
10
|
|
3
11
|
* Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
|
@@ -228,13 +228,13 @@ module ActionDispatch
|
|
228
228
|
|
229
229
|
# Override Rack's GET method to support indifferent access
|
230
230
|
def GET
|
231
|
-
@env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {})
|
231
|
+
@env["action_dispatch.request.query_parameters"] ||= deep_munge(normalize_parameters(super) || {})
|
232
232
|
end
|
233
233
|
alias :query_parameters :GET
|
234
234
|
|
235
235
|
# Override Rack's POST method to support indifferent access
|
236
236
|
def POST
|
237
|
-
@env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {})
|
237
|
+
@env["action_dispatch.request.request_parameters"] ||= deep_munge(normalize_parameters(super) || {})
|
238
238
|
end
|
239
239
|
alias :request_parameters :POST
|
240
240
|
|
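Review bot: The comment above each override still says only "support indifferent access", but both the GET and POST bodies now also route the result through deep_munge and nothing in the hunk records why. I would change the GET comment to `# Override Rack's GET method to support indifferent access and deep_munge the result (see CVE-2013-6417 in the CHANGELOG)` and the POST comment likewise. Because both lines memoize with `||=`, a value already stored under `action_dispatch.request.query_parameters` or `action_dispatch.request.request_parameters` by earlier code is returned as-is and never munged, so the sanitization relies on nothing populating those env keys first — worth confirming against the middleware stack. deep_munge itself is defined outside the hunk, and the page's file header says data/CHANGELOG.md although the hunk header names module ActionDispatch, so this is presumably a different file.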
data/lib/action_pack/version.rb
CHANGED
@@ -156,7 +156,7 @@ module ActionView
|
|
156
156
|
|
157
157
|
begin
|
158
158
|
value = number_with_precision(number, options.merge(:raise => true))
|
159
|
-
format.gsub(/%n/, value).gsub(/%u/, unit).html_safe
|
159
|
+
format.gsub(/%n/, ERB::Util.html_escape(value)).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe
|
160
160
|
rescue InvalidNumberError => e
|
161
161
|
if options[:raise]
|
162
162
|
raise
|
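Review bot: The escaped `value` and `unit` are still handed to gsub as replacement strings, where backslash sequences such as `\0` or `\&` are interpreted by gsub itself, and ERB::Util.html_escape does not touch backslashes, so a unit containing a backslash can still come out altered after this fix. The block form avoids replacement-string parsing altogether: `format.gsub(/%n/) { ERB::Util.html_escape(value) }.gsub(/%u/) { ERB::Util.html_escape(unit) }.html_safe`. `format` itself is still interpolated unescaped before `.html_safe`; if it can come from caller-supplied options (not visible in the hunk) that remains the caller's responsibility and deserves a comment on the line. The enclosing method starts and ends outside the hunk, and the page's file header (data/lib/action_pack/version.rb) does not match the ActionView helper shown.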
@@ -1,24 +1,14 @@
|
|
1
1
|
require 'action_view/helpers/tag_helper'
|
2
2
|
require 'i18n/exceptions'
|
3
3
|
|
4
|
-
module I18n
|
5
|
-
class ExceptionHandler
|
6
|
-
include Module.new {
|
7
|
-
def call(exception, locale, key, options)
|
8
|
-
exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super
|
9
|
-
end
|
10
|
-
}
|
11
|
-
end
|
12
|
-
end
|
13
|
-
|
14
4
|
module ActionView
|
15
5
|
# = Action View Translation Helpers
|
16
6
|
module Helpers
|
17
7
|
module TranslationHelper
|
18
8
|
# Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
|
19
9
|
#
|
20
|
-
# First, it
|
21
|
-
#
|
10
|
+
# First, it will ensure that any thrown +MissingTranslation+ messages will be turned
|
11
|
+
# into inline spans that:
|
22
12
|
#
|
23
13
|
# * have a "translation-missing" class set,
|
24
14
|
# * contain the missing key as a title attribute and
|
@@ -44,7 +34,9 @@ module ActionView
|
|
44
34
|
# naming convention helps to identify translations that include HTML tags so that
|
45
35
|
# you know what kind of output to expect when you call translate in a template.
|
46
36
|
def translate(key, options = {})
|
47
|
-
|
37
|
+
# If the user has specified rescue_format then pass it all through, otherwise use
|
38
|
+
# raise and do the work ourselves
|
39
|
+
options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
|
48
40
|
if html_safe_translation_key?(key)
|
49
41
|
html_safe_options = options.dup
|
50
42
|
options.except(*I18n::RESERVED_KEYS).each do |name, value|
|
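Review bot: The new `options[:raise] = true` line writes into the hash the caller passed in, so a caller reusing one options hash across several translate calls will see `:raise` persist, and a frozen hash will raise; the `html_safe_options = options.dup` a few lines below shows the method otherwise takes care not to touch it. A non-mutating form keeps the rest of the method unchanged: `options = options.merge(:raise => true) unless options.key?(:raise) || options.key?(:rescue_format)`. The check is symbol-key only, which matches how the rest of the method reads `options`, but the new comment could say so, since a `'rescue_format'` string key would not suppress the forced `:raise`. The method body continues into the next hunk.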
@@ -58,6 +50,9 @@ module ActionView
|
|
58
50
|
else
|
59
51
|
I18n.translate(scope_key_by_partial(key), options)
|
60
52
|
end
|
53
|
+
rescue I18n::MissingTranslationData => e
|
54
|
+
keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
|
55
|
+
content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
|
61
56
|
end
|
62
57
|
alias :t :translate
|
63
58
|
|
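Review bot: The new method-level `rescue I18n::MissingTranslationData` carries no comment explaining that it is the replacement for the removed I18n::ExceptionHandler override, so a reader will not see why translate now forces `:raise` and builds the span itself; I would add above the rescue line `# Build the translation-missing span here instead of marking I18n's own error text html_safe (CVE-2013-4491)`. The span's title is assembled from `keys.join('.')` and passed through content_tag, so its escaping rests on content_tag's attribute handling (tag_helper is required at the top of this file) — worth confirming rather than assuming, since `e.key` originates from the view's call site. The rescue also catches MissingTranslationData raised from the html_safe branch above it, which looks intended but is not stated. The enclosing `def translate` starts in the previous hunk.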
@@ -62,6 +62,13 @@ module ActionView
|
|
62
62
|
@details_keys = Hash.new
|
63
63
|
|
64
64
|
def self.get(details)
|
65
|
+
if details[:formats]
|
66
|
+
details = details.dup
|
67
|
+
syms = Set.new Mime::SET.symbols
|
68
|
+
details[:formats] = details[:formats].select { |v|
|
69
|
+
syms.include? v
|
70
|
+
}
|
71
|
+
end
|
65
72
|
@details_keys[details] ||= new
|
66
73
|
end
|
67
74
|
|
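Review bot: The new filter in `self.get` has no comment tying it to its purpose, which the CHANGELOG gives as CVE-2013-6414: only registered Mime symbols may become part of the `@details_keys` cache key, otherwise each distinct request-supplied format adds an entry; I would add `# Keep only registered Mime symbols so request-supplied formats cannot grow @details_keys (CVE-2013-6414)` above the `if details[:formats]`. `Set.new Mime::SET.symbols` is rebuilt on every call; if Mime::SET can change at runtime that is the safe choice, but it deserves a one-line comment either way, and `Set` needs `require 'set'` loaded before this file, which the hunk does not show. Stylistically the multi-line `select` block would read better as `do … end` and the `Set.new` call with parentheses. Only the `:formats` key is sanitized and other keys in `details` still reach the cache key unchanged, presumably by design. The page's file header (version.rb) does not match this ActionView code.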
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.2.
|
4
|
+
version: 3.2.16
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2013-
|
11
|
+
date: 2013-12-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 3.2.
|
19
|
+
version: 3.2.16
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 3.2.
|
26
|
+
version: 3.2.16
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: activemodel
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - '='
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 3.2.
|
33
|
+
version: 3.2.16
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - '='
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 3.2.
|
40
|
+
version: 3.2.16
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rack-cache
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|