actionpack 3.2.15 → 3.2.16



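--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 455d11505ca31532f8570b62dd5a8cb89ec6b6bd
- data.tar.gz: 3cbb9416fae50fc72fc400dd8b82842b055f0ec1
+ metadata.gz: 3c6647553515329d0446de1814849e0e230b604d
+ data.tar.gz: 36ba47062aea7e6469d635a2d4bf447a17056eea
  SHA512:
- metadata.gz: e906230c1d7d55c88ae0e26cd5f9f0e20666bd6e19f93ce25bb51199081e7ebe4ee64b3e423e94eaf6c30429d876488d0a510fe44a6ff5f71275de0a0e8e485f
- data.tar.gz: c39d68a232d12ef7c6bbbe08166f3d92163c1e9eacc8e314ec1039a8c91f05ab8c252d3a7b7d5a273e3cf626219b64a9801b3ebc8f09fc0ddcb951a49f394710
+ metadata.gz: a277bd49091be4af902fda13218021fa2d481d1b4b2a6b7257580311582b0345160773573573c1dcec67529fbfbbda6751fc5702ac020f8105c05a22324e11ab
+ data.tar.gz: 9be391a5e0055d40177ced734e75be73e0cb6373026347c10072ef2449825a76108f33d78c78cc3d26770314818669d734212beb62359641d5b73f46957554dd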
@@ -1,3 +1,11 @@
1
+ * Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
2
+
3
+ * Stop using i18n's built in HTML error handling. Fixes: CVE-2013-4491
4
+
5
+ * Escape the unit value provided to number_to_currency Fixes CVE-2013-6415
6
+
7
+ * Only use valid mime type symbols as cache keys CVE-2013-6414
8
+
1
9
  ## Rails 3.2.15 (Oct 16, 2013) ##
2
10
 
3
11
  * Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
@@ -228,13 +228,13 @@ module ActionDispatch
228
228
 
229
229
  # Override Rack's GET method to support indifferent access
230
230
  def GET
231
- @env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {})
231
+ @env["action_dispatch.request.query_parameters"] ||= deep_munge(normalize_parameters(super) || {})
232
232
  end
233
233
  alias :query_parameters :GET
234
234
 
235
235
  # Override Rack's POST method to support indifferent access
236
236
  def POST
237
- @env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {})
237
+ @env["action_dispatch.request.request_parameters"] ||= deep_munge(normalize_parameters(super) || {})
238
238
  end
239
239
  alias :request_parameters :POST
240
240
 
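Review bot: The comments above the `GET` and `POST` overrides still describe only the indifferent-access behaviour, while the new lines also run the parsed hash through `deep_munge`, whose definition is not in this hunk (presumably a sibling method of the same class, the nil-stripping helper the changelog entry for CVE-2013-6417 refers to — confirm). An auditor tracing that fix would be helped by the comment naming it, e.g. `# Override Rack's GET method to support indifferent access and deep-munge the parsed hash (CVE-2013-6417)`, with the matching wording on `POST`. Because the munged hash is memoized in `@env` via `||=`, the munging happens once per request and every later reader of `query_parameters`/`request_parameters` sees the munged form, which is worth stating in the same comment. The enclosing class runs outside the hunk.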
@@ -2,7 +2,7 @@ module ActionPack
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 2
5
- TINY = 15
5
+ TINY = 16
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -156,7 +156,7 @@ module ActionView
156
156
 
157
157
  begin
158
158
  value = number_with_precision(number, options.merge(:raise => true))
159
- format.gsub(/%n/, value).gsub(/%u/, unit).html_safe
159
+ format.gsub(/%n/, ERB::Util.html_escape(value)).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe
160
160
  rescue InvalidNumberError => e
161
161
  if options[:raise]
162
162
  raise
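Review bot: Only the two substituted values are escaped; `format` itself is still interpolated as-is and the whole result marked `html_safe`, so the fix holds only as long as `:format` comes from locale files or application code rather than request input, which deserves a comment next to the line: `# format is trusted (locale/app-supplied); only the substituted value and unit are escaped`. Also, `gsub` with a String replacement interprets backslash sequences such as `\0` in the escaped unit, so the block form `format.gsub(/%n/) { ERB::Util.html_escape(value) }.gsub(/%u/) { ERB::Util.html_escape(unit) }.html_safe` is the more robust spelling. `ERB::Util` requires `erb` to be loaded; presumably ActiveSupport's output-safety extension already does that in this file — confirm the require. The enclosing method starts and ends outside the hunk.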
@@ -1,24 +1,14 @@
1
1
  require 'action_view/helpers/tag_helper'
2
2
  require 'i18n/exceptions'
3
3
 
4
- module I18n
5
- class ExceptionHandler
6
- include Module.new {
7
- def call(exception, locale, key, options)
8
- exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super
9
- end
10
- }
11
- end
12
- end
13
-
14
4
  module ActionView
15
5
  # = Action View Translation Helpers
16
6
  module Helpers
17
7
  module TranslationHelper
18
8
  # Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
19
9
  #
20
- # First, it'll pass the <tt>:rescue_format => :html</tt> option to I18n so that any
21
- # thrown +MissingTranslation+ messages will be turned into inline spans that
10
+ # First, it will ensure that any thrown +MissingTranslation+ messages will be turned
11
+ # into inline spans that:
22
12
  #
23
13
  # * have a "translation-missing" class set,
24
14
  # * contain the missing key as a title attribute and
@@ -44,7 +34,9 @@ module ActionView
44
34
  # naming convention helps to identify translations that include HTML tags so that
45
35
  # you know what kind of output to expect when you call translate in a template.
46
36
  def translate(key, options = {})
47
- options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
37
+ # If the user has specified rescue_format then pass it all through, otherwise use
38
+ # raise and do the work ourselves
39
+ options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
48
40
  if html_safe_translation_key?(key)
49
41
  html_safe_options = options.dup
50
42
  options.except(*I18n::RESERVED_KEYS).each do |name, value|
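Review bot: `options[:raise] = true` writes into the hash the caller passed in (the replaced `merge!` did the same), so a caller that reuses one options hash across calls gets `:raise` set permanently, and the later `html_safe_options = options.dup` copies that mutation too. A non-mutating form keeps the caller's hash intact: `options = options.merge(:raise => true) unless options.key?(:raise) || options.key?(:rescue_format)`. The new two-line comment could also say what the opt-out means, e.g. `# an explicit :rescue_format or :raise means the caller wants I18n's own handler output, unescaped by us`, since the removed `I18n::ExceptionHandler` patch is what previously made that output html_safe. `translate` begins in this hunk but its body continues past it.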
@@ -58,6 +50,9 @@ module ActionView
58
50
  else
59
51
  I18n.translate(scope_key_by_partial(key), options)
60
52
  end
53
+ rescue I18n::MissingTranslationData => e
54
+ keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
55
+ content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
61
56
  end
62
57
  alias :t :translate
63
58
 
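Review bot: The fallback span uses the CSS class `translation_missing`, but the method documentation in the earlier hunk of this file (the bullet `have a "translation-missing" class set`) spells it with a hyphen, so one of the two is wrong; since existing stylesheets presumably target whatever I18n's handler rendered before, correcting the doc bullet to `# * have a "translation_missing" class set,` looks like the safer change — confirm against the previous output. The `rescue` covers both the html-safe and plain branches of `translate`, whose body begins outside this hunk, and `content_tag` escapes both the titleized key and the `:title` attribute, so the missing key cannot inject markup. `e.options` is read without a nil guard; presumably `MissingTranslationData` always carries an options hash in the pinned i18n version — confirm.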
@@ -62,6 +62,13 @@ module ActionView
62
62
  @details_keys = Hash.new
63
63
 
64
64
  def self.get(details)
65
+ if details[:formats]
66
+ details = details.dup
67
+ syms = Set.new Mime::SET.symbols
68
+ details[:formats] = details[:formats].select { |v|
69
+ syms.include? v
70
+ }
71
+ end
65
72
  @details_keys[details] ||= new
66
73
  end
67
74
 
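Review bot: `Set.new Mime::SET.symbols` rebuilds the whitelist on every `get` call, and `Set` needs `set` to be required somewhere in this file or its loaders — confirm, since no require is visible here. The filter only bounds the `:formats` entry; every other key in `details` (`:locale`, `:handlers`, …) still lands verbatim in `@details_keys`, so the cache stays bounded only if those come from trusted configuration — worth a comment such as `# only registered mime symbols may become cache keys (CVE-2013-6414); other details entries are assumed trusted`. Stylistically the multi-line `{ }` block is a one-liner: `details[:formats] = details[:formats].select { |v| syms.include?(v) }`, and `Set.new(Mime::SET.symbols)` wants parentheses. The enclosing class runs outside the hunk.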
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.2.15
4
+ version: 3.2.16
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2013-10-16 00:00:00.000000000 Z
11
+ date: 2013-12-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 3.2.15
19
+ version: 3.2.16
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 3.2.15
26
+ version: 3.2.16
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 3.2.15
33
+ version: 3.2.16
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 3.2.15
40
+ version: 3.2.16
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: rack-cache
43
43
  requirement: !ruby/object:Gem::Requirement