actionpack 3.2.17 → 3.2.18

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+*   Only accept actions without File::SEPARATOR in the name.
+
+    This will avoid directory traversal in implicit render.
+
+    Fixes: CVE-2014-0130
+
+    *Rafael Mendonça França*
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
 *   Use the reference for the mime type to get the format
 
     Fixes: CVE-2014-0082
@@ -6,6 +19,7 @@
 
     Fixes: CVE-2014-0081
 
+
 ## Rails 3.2.16 (Dec 12, 2013) ##
 
 *   Deep Munge the parameters for GET and POST Fixes CVE-2013-6417

data/lib/abstract_controller/base.rb

@@ -112,7 +112,7 @@ module AbstractController
     def process(action, *args)
       @_action_name = action_name = action.to_s
 
-      unless action_name = method_for_action(action_name)
+      unless action_name = _find_action_name(action_name)
         raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
       end
 
@@ -138,7 +138,7 @@ module AbstractController
     # available action consider actions that are also available
     # through other means, for example, implicit render ones.
     def available_action?(action_name)
-      method_for_action(action_name).present?
+      _find_action_name(action_name).present?
     end
 
     private
@@ -181,6 +181,23 @@ module AbstractController
         action_missing(@_action_name, *args)
       end
 
+      # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found. Raise ActionNotFound.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
       # Takes an action name and returns the name of the method that will
       # handle the action. In normal cases, this method returns the same
       # name as it receives. By default, if #method_for_action receives
@@ -203,11 +220,16 @@ module AbstractController
       #
       # ==== Returns
       # * <tt>string</tt> - The name of the method that handles the action
-      # * <tt>nil</tt>    - No method name could be found. Raise ActionNotFound.
+      # * <tt>nil</tt>    - No method name could be found.
       def method_for_action(action_name)
         if action_method?(action_name) then action_name
         elsif respond_to?(:action_missing, true) then "_handle_action_missing"
         end
       end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+      end
   end
 end

data/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 17
+    TINY  = 18
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: actionpack
 version: !ruby/object:Gem::Version 
-  hash: 45
+  hash: 43
   prerelease: 
   segments: 
   - 3
   - 2
-  - 17
-  version: 3.2.17
+  - 18
+  version: 3.2.18
 platform: ruby
 authors: 
 - David Heinemeier Hansson
@@ -15,43 +15,43 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2014-02-18 00:00:00 -03:00
-default_executable: 
+date: 2014-05-06 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: activesupport
   version_requirements: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 45
+        hash: 43
         segments: 
         - 3
         - 2
-        - 17
-        version: 3.2.17
+        - 18
+        version: 3.2.18
   prerelease: false
   requirement: *id001
-  name: activesupport
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: activemodel
   version_requirements: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 45
+        hash: 43
         segments: 
         - 3
         - 2
-        - 17
-        version: 3.2.17
+        - 18
+        version: 3.2.18
   prerelease: false
   requirement: *id002
-  name: activemodel
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: rack-cache
   version_requirements: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -64,9 +64,9 @@ dependencies:
         version: "1.2"
   prerelease: false
   requirement: *id003
-  name: rack-cache
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: builder
   version_requirements: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -80,9 +80,9 @@ dependencies:
         version: 3.0.0
   prerelease: false
   requirement: *id004
-  name: builder
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: rack
   version_requirements: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -96,9 +96,9 @@ dependencies:
         version: 1.4.5
   prerelease: false
   requirement: *id005
-  name: rack
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: rack-test
   version_requirements: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -112,9 +112,9 @@ dependencies:
         version: 0.6.1
   prerelease: false
   requirement: *id006
-  name: rack-test
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: journey
   version_requirements: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -128,9 +128,9 @@ dependencies:
         version: 1.0.4
   prerelease: false
   requirement: *id007
-  name: journey
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: sprockets
   version_requirements: &id008 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -144,9 +144,9 @@ dependencies:
         version: 2.2.1
   prerelease: false
   requirement: *id008
-  name: sprockets
 - !ruby/object:Gem::Dependency 
   type: :runtime
+  name: erubis
   version_requirements: &id009 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -160,9 +160,9 @@ dependencies:
         version: 2.7.0
   prerelease: false
   requirement: *id009
-  name: erubis
 - !ruby/object:Gem::Dependency 
   type: :development
+  name: tzinfo
   version_requirements: &id010 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -176,7 +176,6 @@ dependencies:
         version: 0.3.29
   prerelease: false
   requirement: *id010
-  name: tzinfo
 description: Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
 executables: []
@@ -377,7 +376,6 @@ files:
 - lib/sprockets/helpers.rb
 - lib/sprockets/railtie.rb
 - lib/sprockets/static_compiler.rb
-has_rdoc: true
 homepage: http://www.rubyonrails.org
 licenses: 
 - MIT
@@ -409,7 +407,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: 
 - none
 rubyforge_project: 
-rubygems_version: 1.6.2
+rubygems_version: 1.8.15
 signing_key: 
 specification_version: 3
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).