RubyGems - actionpack - Versions diffs - 3.2.16 → 3.2.17 - Mend

actionpack 3.2.16 → 3.2.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (6) hide show

data/CHANGELOG.md +10 -0
data/lib/action_pack/version.rb +1 -1
data/lib/action_view/helpers/number_helper.rb +13 -1
data/lib/action_view/template/text.rb +1 -1
metadata +176 -135
checksums.yaml +0 -7

data/CHANGELOG.md CHANGED

@@ -1,3 +1,13 @@
+*   Use the reference for the mime type to get the format
+    Fixes: CVE-2014-0082
+*   Escape format, negative_format and units options of number helpers
+    Fixes: CVE-2014-0081
+## Rails 3.2.16 (Dec 12, 2013) ##
 *   Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
 *   Stop using i18n's built in HTML error handling.  Fixes: CVE-2013-4491

data/lib/action_pack/version.rb CHANGED

@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 16
+    TINY  = 17
     PRE   = nil
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/lib/action_view/helpers/number_helper.rb CHANGED

@@ -138,12 +138,18 @@ module ActionView
         options.symbolize_keys!
+        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
+        options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
+        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
         defaults  = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
         currency  = I18n.translate(:'number.currency.format', :locale => options[:locale], :default => {})
         currency[:negative_format] ||= "-" + currency[:format] if currency[:format]
         defaults  = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency)
         defaults[:negative_format] = "-" + options[:format] if options[:format]
         options   = defaults.merge!(options)
         unit      = options.delete(:unit)
@@ -206,6 +212,9 @@ module ActionView
         options.symbolize_keys!
+        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
         defaults   = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
         percentage = I18n.translate(:'number.percentage.format', :locale => options[:locale], :default => {})
         defaults  = defaults.merge(percentage)
@@ -255,6 +264,9 @@ module ActionView
       def number_with_delimiter(number, options = {})
         options.symbolize_keys!
+        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+        options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
         begin
           Float(number)
         rescue ArgumentError, TypeError
@@ -578,7 +590,7 @@ module ActionView
         units = options.delete :units
         unit_exponents = case units
         when Hash
-          units
+          units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }]
         when String, Symbol
           I18n.translate(:"#{units}", :locale => options[:locale], :raise => true)
         when nil

data/lib/action_view/template/text.rb CHANGED

@@ -23,7 +23,7 @@ module ActionView #:nodoc:
       end
       def formats
-        [@mime_type.to_sym]
+        [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
       end
     end
   end

metadata CHANGED

@@ -1,162 +1,191 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: actionpack
-version: !ruby/object:Gem::Version
-  version: 3.2.16
+version: !ruby/object:Gem::Version
+  hash: 45
+  prerelease:
+  segments:
+  - 3
+  - 2
+  - 17
+  version: 3.2.17
 platform: ruby
-authors:
+authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-12-03 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2014-02-18 00:00:00 -03:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
+  type: :runtime
+  version_requirements: &id001 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - "="
+      - !ruby/object:Gem::Version
+        hash: 45
+        segments:
+        - 3
+        - 2
+        - 17
+        version: 3.2.17
+  prerelease: false
+  requirement: *id001
   name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 3.2.16
+- !ruby/object:Gem::Dependency
   type: :runtime
+  version_requirements: &id002 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - "="
+      - !ruby/object:Gem::Version
+        hash: 45
+        segments:
+        - 3
+        - 2
+        - 17
+        version: 3.2.17
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 3.2.16
-- !ruby/object:Gem::Dependency
+  requirement: *id002
   name: activemodel
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 3.2.16
+- !ruby/object:Gem::Dependency
   type: :runtime
+  version_requirements: &id003 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 11
+        segments:
+        - 1
+        - 2
+        version: "1.2"
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 3.2.16
-- !ruby/object:Gem::Dependency
+  requirement: *id003
   name: rack-cache
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
+- !ruby/object:Gem::Dependency
   type: :runtime
+  version_requirements: &id004 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 7
+        segments:
+        - 3
+        - 0
+        - 0
+        version: 3.0.0
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
-- !ruby/object:Gem::Dependency
+  requirement: *id004
   name: builder
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 3.0.0
+- !ruby/object:Gem::Dependency
   type: :runtime
+  version_requirements: &id005 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 13
+        segments:
+        - 1
+        - 4
+        - 5
+        version: 1.4.5
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 3.0.0
-- !ruby/object:Gem::Dependency
+  requirement: *id005
   name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.4.5
+- !ruby/object:Gem::Dependency
   type: :runtime
+  version_requirements: &id006 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 5
+        segments:
+        - 0
+        - 6
+        - 1
+        version: 0.6.1
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.4.5
-- !ruby/object:Gem::Dependency
+  requirement: *id006
   name: rack-test
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.1
+- !ruby/object:Gem::Dependency
   type: :runtime
+  version_requirements: &id007 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 31
+        segments:
+        - 1
+        - 0
+        - 4
+        version: 1.0.4
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.1
-- !ruby/object:Gem::Dependency
+  requirement: *id007
   name: journey
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.0.4
+- !ruby/object:Gem::Dependency
   type: :runtime
+  version_requirements: &id008 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 5
+        segments:
+        - 2
+        - 2
+        - 1
+        version: 2.2.1
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.0.4
-- !ruby/object:Gem::Dependency
+  requirement: *id008
   name: sprockets
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.2.1
+- !ruby/object:Gem::Dependency
   type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.2.1
-- !ruby/object:Gem::Dependency
-  name: erubis
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
+  version_requirements: &id009 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 19
+        segments:
+        - 2
+        - 7
+        - 0
         version: 2.7.0
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.7.0
-- !ruby/object:Gem::Dependency
-  name: tzinfo
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.3.29
+  requirement: *id009
+  name: erubis
+- !ruby/object:Gem::Dependency
   type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
+  version_requirements: &id010 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        hash: 41
+        segments:
+        - 0
+        - 3
+        - 29
         version: 0.3.29
-description: Web apps on Rails. Simple, battle-tested conventions for building and
-  testing MVC web applications. Works with any Rack-compatible server.
+  prerelease: false
+  requirement: *id010
+  name: tzinfo
+description: Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - CHANGELOG.md
 - README.rdoc
 - MIT-LICENSE
@@ -348,29 +377,41 @@ files:
 - lib/sprockets/helpers.rb
 - lib/sprockets/railtie.rb
 - lib/sprockets/static_compiler.rb
+has_rdoc: true
 homepage: http://www.rubyonrails.org
-licenses:
+licenses:
 - MIT
-metadata: {}
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  requirements:
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
+    - !ruby/object:Gem::Version
+      hash: 57
+      segments:
+      - 1
+      - 8
+      - 7
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement
-  requirements:
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      version: '0'
-requirements:
+    - !ruby/object:Gem::Version
+      hash: 3
+      segments:
+      - 0
+      version: "0"
+requirements:
 - none
 rubyforge_project:
-rubygems_version: 2.0.2
+rubygems_version: 1.6.2
 signing_key:
-specification_version: 4
+specification_version: 3
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []

checksums.yaml DELETED

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: 3c6647553515329d0446de1814849e0e230b604d
-  data.tar.gz: 36ba47062aea7e6469d635a2d4bf447a17056eea
-SHA512:
-  metadata.gz: a277bd49091be4af902fda13218021fa2d481d1b4b2a6b7257580311582b0345160773573573c1dcec67529fbfbbda6751fc5702ac020f8105c05a22324e11ab
-  data.tar.gz: 9be391a5e0055d40177ced734e75be73e0cb6373026347c10072ef2449825a76108f33d78c78cc3d26770314818669d734212beb62359641d5b73f46957554dd