actionpack 3.2.16 → 3.2.17


@@ -1,3 +1,13 @@
1
+ * Use the reference for the mime type to get the format
2
+
3
+ Fixes: CVE-2014-0082
4
+
5
+ * Escape format, negative_format and units options of number helpers
6
+
7
+ Fixes: CVE-2014-0081
8
+
9
+ ## Rails 3.2.16 (Dec 12, 2013) ##
10
+
1
11
  * Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
2
12
 
3
13
  * Stop using i18n's built in HTML error handling. Fixes: CVE-2013-4491
@@ -2,7 +2,7 @@ module ActionPack
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 2
5
- TINY = 16
5
+ TINY = 17
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -138,12 +138,18 @@ module ActionView
138
138
 
139
139
  options.symbolize_keys!
140
140
 
141
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
142
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
143
+ options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
144
+ options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
145
+
141
146
  defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
142
147
  currency = I18n.translate(:'number.currency.format', :locale => options[:locale], :default => {})
143
148
  currency[:negative_format] ||= "-" + currency[:format] if currency[:format]
144
149
 
145
150
  defaults = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency)
146
151
  defaults[:negative_format] = "-" + options[:format] if options[:format]
152
+
147
153
  options = defaults.merge!(options)
148
154
 
149
155
  unit = options.delete(:unit)
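Review bot: The four escaping lines added after `options.symbolize_keys!` rely on `ERB::Util.html_escape`, which in a Rails process is ActiveSupport's output-safety version and, as far as I recall, returns a string that is already `html_safe?` untouched; a caller who has tagged a user-controlled `:format` or `:delimiter` with `.html_safe` therefore still gets it spliced verbatim into the helper's `.html_safe` result. That is the usual Rails contract, but since these lines exist only because of an XSS fix it deserves a comment, e.g. `# Escape caller-supplied strings here: the formatted result is marked html_safe below, so anything not already html_safe must be escaped first (CVE-2014-0081).`. The same pattern is repeated in the number_to_percentage, number_with_delimiter and number_to_human hunks below and would take the same comment. The `:unit` option, deleted from `options` on the hunk's last line, is not escaped in the visible lines; if the rest of number_to_currency (outside this hunk) does not escape it before the `%u` substitution, it needs the same treatment as `:format`. number_to_currency starts and ends outside the hunk.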
@@ -206,6 +212,9 @@ module ActionView
206
212
 
207
213
  options.symbolize_keys!
208
214
 
215
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
216
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
217
+
209
218
  defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
210
219
  percentage = I18n.translate(:'number.percentage.format', :locale => options[:locale], :default => {})
211
220
  defaults = defaults.merge(percentage)
@@ -255,6 +264,9 @@ module ActionView
255
264
  def number_with_delimiter(number, options = {})
256
265
  options.symbolize_keys!
257
266
 
267
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
268
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
269
+
258
270
  begin
259
271
  Float(number)
260
272
  rescue ArgumentError, TypeError
@@ -578,7 +590,7 @@ module ActionView
578
590
  units = options.delete :units
579
591
  unit_exponents = case units
580
592
  when Hash
581
- units
593
+ units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }]
582
594
  when String, Symbol
583
595
  I18n.translate(:"#{units}", :locale => options[:locale], :raise => true)
584
596
  when nil
@@ -23,7 +23,7 @@ module ActionView #:nodoc:
23
23
  end
24
24
 
25
25
  def formats
26
- [@mime_type.to_sym]
26
+ [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
27
27
  end
28
28
  end
29
29
  end
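Review bot: The rewritten `formats` body carries no comment saying why `to_sym` was dropped, and the reason is security-relevant: per the CHANGELOG entry for CVE-2014-0082 above, `@mime_type` appears to be derivable from a request-supplied value, and `to_sym` on it interned an arbitrary string as a Symbol, which on the Ruby versions this gem targets is never garbage collected. I would add above the return line: `# Do not to_sym an unregistered mime type: it can be request-controlled and Symbols are not collected (CVE-2014-0082)`. The two branches also return different types — `ref` presumably yields a Symbol for a registered type while the fallback `to_s` is a String — so a caller that compares formats against symbols will simply not match an unregistered type; that looks intentional but is worth a word in the same comment.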
metadata CHANGED
@@ -1,162 +1,191 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
- version: !ruby/object:Gem::Version
4
- version: 3.2.16
3
+ version: !ruby/object:Gem::Version
4
+ hash: 45
5
+ prerelease:
6
+ segments:
7
+ - 3
8
+ - 2
9
+ - 17
10
+ version: 3.2.17
5
11
  platform: ruby
6
- authors:
12
+ authors:
7
13
  - David Heinemeier Hansson
8
14
  autorequire:
9
15
  bindir: bin
10
16
  cert_chain: []
11
- date: 2013-12-03 00:00:00.000000000 Z
12
- dependencies:
13
- - !ruby/object:Gem::Dependency
17
+
18
+ date: 2014-02-18 00:00:00 -03:00
19
+ default_executable:
20
+ dependencies:
21
+ - !ruby/object:Gem::Dependency
22
+ type: :runtime
23
+ version_requirements: &id001 !ruby/object:Gem::Requirement
24
+ none: false
25
+ requirements:
26
+ - - "="
27
+ - !ruby/object:Gem::Version
28
+ hash: 45
29
+ segments:
30
+ - 3
31
+ - 2
32
+ - 17
33
+ version: 3.2.17
34
+ prerelease: false
35
+ requirement: *id001
14
36
  name: activesupport
15
- requirement: !ruby/object:Gem::Requirement
16
- requirements:
17
- - - '='
18
- - !ruby/object:Gem::Version
19
- version: 3.2.16
37
+ - !ruby/object:Gem::Dependency
20
38
  type: :runtime
39
+ version_requirements: &id002 !ruby/object:Gem::Requirement
40
+ none: false
41
+ requirements:
42
+ - - "="
43
+ - !ruby/object:Gem::Version
44
+ hash: 45
45
+ segments:
46
+ - 3
47
+ - 2
48
+ - 17
49
+ version: 3.2.17
21
50
  prerelease: false
22
- version_requirements: !ruby/object:Gem::Requirement
23
- requirements:
24
- - - '='
25
- - !ruby/object:Gem::Version
26
- version: 3.2.16
27
- - !ruby/object:Gem::Dependency
51
+ requirement: *id002
28
52
  name: activemodel
29
- requirement: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - '='
32
- - !ruby/object:Gem::Version
33
- version: 3.2.16
53
+ - !ruby/object:Gem::Dependency
34
54
  type: :runtime
55
+ version_requirements: &id003 !ruby/object:Gem::Requirement
56
+ none: false
57
+ requirements:
58
+ - - ~>
59
+ - !ruby/object:Gem::Version
60
+ hash: 11
61
+ segments:
62
+ - 1
63
+ - 2
64
+ version: "1.2"
35
65
  prerelease: false
36
- version_requirements: !ruby/object:Gem::Requirement
37
- requirements:
38
- - - '='
39
- - !ruby/object:Gem::Version
40
- version: 3.2.16
41
- - !ruby/object:Gem::Dependency
66
+ requirement: *id003
42
67
  name: rack-cache
43
- requirement: !ruby/object:Gem::Requirement
44
- requirements:
45
- - - "~>"
46
- - !ruby/object:Gem::Version
47
- version: '1.2'
68
+ - !ruby/object:Gem::Dependency
48
69
  type: :runtime
70
+ version_requirements: &id004 !ruby/object:Gem::Requirement
71
+ none: false
72
+ requirements:
73
+ - - ~>
74
+ - !ruby/object:Gem::Version
75
+ hash: 7
76
+ segments:
77
+ - 3
78
+ - 0
79
+ - 0
80
+ version: 3.0.0
49
81
  prerelease: false
50
- version_requirements: !ruby/object:Gem::Requirement
51
- requirements:
52
- - - "~>"
53
- - !ruby/object:Gem::Version
54
- version: '1.2'
55
- - !ruby/object:Gem::Dependency
82
+ requirement: *id004
56
83
  name: builder
57
- requirement: !ruby/object:Gem::Requirement
58
- requirements:
59
- - - "~>"
60
- - !ruby/object:Gem::Version
61
- version: 3.0.0
84
+ - !ruby/object:Gem::Dependency
62
85
  type: :runtime
86
+ version_requirements: &id005 !ruby/object:Gem::Requirement
87
+ none: false
88
+ requirements:
89
+ - - ~>
90
+ - !ruby/object:Gem::Version
91
+ hash: 13
92
+ segments:
93
+ - 1
94
+ - 4
95
+ - 5
96
+ version: 1.4.5
63
97
  prerelease: false
64
- version_requirements: !ruby/object:Gem::Requirement
65
- requirements:
66
- - - "~>"
67
- - !ruby/object:Gem::Version
68
- version: 3.0.0
69
- - !ruby/object:Gem::Dependency
98
+ requirement: *id005
70
99
  name: rack
71
- requirement: !ruby/object:Gem::Requirement
72
- requirements:
73
- - - "~>"
74
- - !ruby/object:Gem::Version
75
- version: 1.4.5
100
+ - !ruby/object:Gem::Dependency
76
101
  type: :runtime
102
+ version_requirements: &id006 !ruby/object:Gem::Requirement
103
+ none: false
104
+ requirements:
105
+ - - ~>
106
+ - !ruby/object:Gem::Version
107
+ hash: 5
108
+ segments:
109
+ - 0
110
+ - 6
111
+ - 1
112
+ version: 0.6.1
77
113
  prerelease: false
78
- version_requirements: !ruby/object:Gem::Requirement
79
- requirements:
80
- - - "~>"
81
- - !ruby/object:Gem::Version
82
- version: 1.4.5
83
- - !ruby/object:Gem::Dependency
114
+ requirement: *id006
84
115
  name: rack-test
85
- requirement: !ruby/object:Gem::Requirement
86
- requirements:
87
- - - "~>"
88
- - !ruby/object:Gem::Version
89
- version: 0.6.1
116
+ - !ruby/object:Gem::Dependency
90
117
  type: :runtime
118
+ version_requirements: &id007 !ruby/object:Gem::Requirement
119
+ none: false
120
+ requirements:
121
+ - - ~>
122
+ - !ruby/object:Gem::Version
123
+ hash: 31
124
+ segments:
125
+ - 1
126
+ - 0
127
+ - 4
128
+ version: 1.0.4
91
129
  prerelease: false
92
- version_requirements: !ruby/object:Gem::Requirement
93
- requirements:
94
- - - "~>"
95
- - !ruby/object:Gem::Version
96
- version: 0.6.1
97
- - !ruby/object:Gem::Dependency
130
+ requirement: *id007
98
131
  name: journey
99
- requirement: !ruby/object:Gem::Requirement
100
- requirements:
101
- - - "~>"
102
- - !ruby/object:Gem::Version
103
- version: 1.0.4
132
+ - !ruby/object:Gem::Dependency
104
133
  type: :runtime
134
+ version_requirements: &id008 !ruby/object:Gem::Requirement
135
+ none: false
136
+ requirements:
137
+ - - ~>
138
+ - !ruby/object:Gem::Version
139
+ hash: 5
140
+ segments:
141
+ - 2
142
+ - 2
143
+ - 1
144
+ version: 2.2.1
105
145
  prerelease: false
106
- version_requirements: !ruby/object:Gem::Requirement
107
- requirements:
108
- - - "~>"
109
- - !ruby/object:Gem::Version
110
- version: 1.0.4
111
- - !ruby/object:Gem::Dependency
146
+ requirement: *id008
112
147
  name: sprockets
113
- requirement: !ruby/object:Gem::Requirement
114
- requirements:
115
- - - "~>"
116
- - !ruby/object:Gem::Version
117
- version: 2.2.1
148
+ - !ruby/object:Gem::Dependency
118
149
  type: :runtime
119
- prerelease: false
120
- version_requirements: !ruby/object:Gem::Requirement
121
- requirements:
122
- - - "~>"
123
- - !ruby/object:Gem::Version
124
- version: 2.2.1
125
- - !ruby/object:Gem::Dependency
126
- name: erubis
127
- requirement: !ruby/object:Gem::Requirement
128
- requirements:
129
- - - "~>"
130
- - !ruby/object:Gem::Version
150
+ version_requirements: &id009 !ruby/object:Gem::Requirement
151
+ none: false
152
+ requirements:
153
+ - - ~>
154
+ - !ruby/object:Gem::Version
155
+ hash: 19
156
+ segments:
157
+ - 2
158
+ - 7
159
+ - 0
131
160
  version: 2.7.0
132
- type: :runtime
133
161
  prerelease: false
134
- version_requirements: !ruby/object:Gem::Requirement
135
- requirements:
136
- - - "~>"
137
- - !ruby/object:Gem::Version
138
- version: 2.7.0
139
- - !ruby/object:Gem::Dependency
140
- name: tzinfo
141
- requirement: !ruby/object:Gem::Requirement
142
- requirements:
143
- - - "~>"
144
- - !ruby/object:Gem::Version
145
- version: 0.3.29
162
+ requirement: *id009
163
+ name: erubis
164
+ - !ruby/object:Gem::Dependency
146
165
  type: :development
147
- prerelease: false
148
- version_requirements: !ruby/object:Gem::Requirement
149
- requirements:
150
- - - "~>"
151
- - !ruby/object:Gem::Version
166
+ version_requirements: &id010 !ruby/object:Gem::Requirement
167
+ none: false
168
+ requirements:
169
+ - - ~>
170
+ - !ruby/object:Gem::Version
171
+ hash: 41
172
+ segments:
173
+ - 0
174
+ - 3
175
+ - 29
152
176
  version: 0.3.29
153
- description: Web apps on Rails. Simple, battle-tested conventions for building and
154
- testing MVC web applications. Works with any Rack-compatible server.
177
+ prerelease: false
178
+ requirement: *id010
179
+ name: tzinfo
180
+ description: Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
155
181
  email: david@loudthinking.com
156
182
  executables: []
183
+
157
184
  extensions: []
185
+
158
186
  extra_rdoc_files: []
159
- files:
187
+
188
+ files:
160
189
  - CHANGELOG.md
161
190
  - README.rdoc
162
191
  - MIT-LICENSE
@@ -348,29 +377,41 @@ files:
348
377
  - lib/sprockets/helpers.rb
349
378
  - lib/sprockets/railtie.rb
350
379
  - lib/sprockets/static_compiler.rb
380
+ has_rdoc: true
351
381
  homepage: http://www.rubyonrails.org
352
- licenses:
382
+ licenses:
353
383
  - MIT
354
- metadata: {}
355
384
  post_install_message:
356
385
  rdoc_options: []
357
- require_paths:
386
+
387
+ require_paths:
358
388
  - lib
359
- required_ruby_version: !ruby/object:Gem::Requirement
360
- requirements:
389
+ required_ruby_version: !ruby/object:Gem::Requirement
390
+ none: false
391
+ requirements:
361
392
  - - ">="
362
- - !ruby/object:Gem::Version
393
+ - !ruby/object:Gem::Version
394
+ hash: 57
395
+ segments:
396
+ - 1
397
+ - 8
398
+ - 7
363
399
  version: 1.8.7
364
- required_rubygems_version: !ruby/object:Gem::Requirement
365
- requirements:
400
+ required_rubygems_version: !ruby/object:Gem::Requirement
401
+ none: false
402
+ requirements:
366
403
  - - ">="
367
- - !ruby/object:Gem::Version
368
- version: '0'
369
- requirements:
404
+ - !ruby/object:Gem::Version
405
+ hash: 3
406
+ segments:
407
+ - 0
408
+ version: "0"
409
+ requirements:
370
410
  - none
371
411
  rubyforge_project:
372
- rubygems_version: 2.0.2
412
+ rubygems_version: 1.6.2
373
413
  signing_key:
374
- specification_version: 4
414
+ specification_version: 3
375
415
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
376
416
  test_files: []
417
+
checksums.yaml DELETED
@@ -1,7 +0,0 @@
1
- ---
2
- SHA1:
3
- metadata.gz: 3c6647553515329d0446de1814849e0e230b604d
4
- data.tar.gz: 36ba47062aea7e6469d635a2d4bf447a17056eea
5
- SHA512:
6
- metadata.gz: a277bd49091be4af902fda13218021fa2d481d1b4b2a6b7257580311582b0345160773573573c1dcec67529fbfbbda6751fc5702ac020f8105c05a22324e11ab
7
- data.tar.gz: 9be391a5e0055d40177ced734e75be73e0cb6373026347c10072ef2449825a76108f33d78c78cc3d26770314818669d734212beb62359641d5b73f46957554dd