actionpack 3.2.17 → 3.2.18
- data/CHANGELOG.md +14 -0
- data/lib/abstract_controller/base.rb +25 -3
- data/lib/action_pack/version.rb +1 -1
- metadata +21 -23
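--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,16 @@
+## Rails 3.2.18 (May 6, 2014) ##
+
+* Only accept actions without File::SEPARATOR in the name.
+
+This will avoid directory traversal in implicit render.
+
+Fixes: CVE-2014-0130
+
+*Rafael Mendonça França*
+
+
+## Rails 3.2.17 (Feb 18, 2014) ##
+
 * Use the reference for the mime type to get the format
 
 Fixes: CVE-2014-0082
@@ -6,6 +19,7 @@
 
 Fixes: CVE-2014-0081
 
+
 ## Rails 3.2.16 (Dec 12, 2013) ##
 
 * Deep Munge the parameters for GET and POST Fixes CVE-2013-6417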
@@ -112,7 +112,7 @@ module AbstractController
|
|
112
112
|
def process(action, *args)
|
113
113
|
@_action_name = action_name = action.to_s
|
114
114
|
|
115
|
-
unless action_name =
|
115
|
+
unless action_name = _find_action_name(action_name)
|
116
116
|
raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
|
117
117
|
end
|
118
118
|
|
@@ -138,7 +138,7 @@ module AbstractController
|
|
138
138
|
# available action consider actions that are also available
|
139
139
|
# through other means, for example, implicit render ones.
|
140
140
|
def available_action?(action_name)
|
141
|
-
|
141
|
+
_find_action_name(action_name).present?
|
142
142
|
end
|
143
143
|
|
144
144
|
private
|
@@ -181,6 +181,23 @@ module AbstractController
|
|
181
181
|
action_missing(@_action_name, *args)
|
182
182
|
end
|
183
183
|
|
184
|
+
# Takes an action name and returns the name of the method that will
|
185
|
+
# handle the action.
|
186
|
+
#
|
187
|
+
# It checks if the action name is valid and returns false otherwise.
|
188
|
+
#
|
189
|
+
# See method_for_action for more information.
|
190
|
+
#
|
191
|
+
# ==== Parameters
|
192
|
+
# * <tt>action_name</tt> - An action name to find a method name for
|
193
|
+
#
|
194
|
+
# ==== Returns
|
195
|
+
# * <tt>string</tt> - The name of the method that handles the action
|
196
|
+
# * false - No valid method name could be found. Raise ActionNotFound.
|
197
|
+
def _find_action_name(action_name)
|
198
|
+
_valid_action_name?(action_name) && method_for_action(action_name)
|
199
|
+
end
|
200
|
+
|
184
201
|
# Takes an action name and returns the name of the method that will
|
185
202
|
# handle the action. In normal cases, this method returns the same
|
186
203
|
# name as it receives. By default, if #method_for_action receives
|
@@ -203,11 +220,16 @@ module AbstractController
|
|
203
220
|
#
|
204
221
|
# ==== Returns
|
205
222
|
# * <tt>string</tt> - The name of the method that handles the action
|
206
|
-
# * <tt>nil</tt> - No method name could be found.
|
223
|
+
# * <tt>nil</tt> - No method name could be found.
|
207
224
|
def method_for_action(action_name)
|
208
225
|
if action_method?(action_name) then action_name
|
209
226
|
elsif respond_to?(:action_missing, true) then "_handle_action_missing"
|
210
227
|
end
|
211
228
|
end
|
229
|
+
|
230
|
+
# Checks if the action name is valid and returns false otherwise.
|
231
|
+
def _valid_action_name?(action_name)
|
232
|
+
action_name.to_s !~ Regexp.new(File::SEPARATOR)
|
233
|
+
end
|
212
234
|
end
|
213
235
|
end
|
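Review bot: `_valid_action_name?` (new lines 230-233 of base.rb) compiles a `Regexp` from `File::SEPARATOR` on every call just to test for one literal character; a substring test is cheaper and states the traversal guard more plainly: `!action_name.to_s.include?(File::SEPARATOR)`. The guard also covers only `File::SEPARATOR`; on platforms where `File::ALT_SEPARATOR` is non-nil the alternate separator is not rejected, so if such deployments matter the check should cover both (whether implicit render can be reached with that form is not visible from this hunk). Separately, the `==== Returns` comment added on `_find_action_name` names `false` as the only failure value, but `method_for_action` returns `nil` when nothing matches, so the method yields `false` or `nil`; `available_action?` already tolerates both via `.present?`, so the comment could read `# * false/nil - No valid method name could be found. Raise ActionNotFound.`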
data/lib/action_pack/version.rb
CHANGED
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 43
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 3
|
8
8
|
- 2
|
9
|
-
-
|
10
|
-
version: 3.2.
|
9
|
+
- 18
|
10
|
+
version: 3.2.18
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- David Heinemeier Hansson
|
@@ -15,43 +15,43 @@ autorequire:
|
|
15
15
|
bindir: bin
|
16
16
|
cert_chain: []
|
17
17
|
|
18
|
-
date: 2014-
|
19
|
-
default_executable:
|
18
|
+
date: 2014-05-06 00:00:00 Z
|
20
19
|
dependencies:
|
21
20
|
- !ruby/object:Gem::Dependency
|
22
21
|
type: :runtime
|
22
|
+
name: activesupport
|
23
23
|
version_requirements: &id001 !ruby/object:Gem::Requirement
|
24
24
|
none: false
|
25
25
|
requirements:
|
26
26
|
- - "="
|
27
27
|
- !ruby/object:Gem::Version
|
28
|
-
hash:
|
28
|
+
hash: 43
|
29
29
|
segments:
|
30
30
|
- 3
|
31
31
|
- 2
|
32
|
-
-
|
33
|
-
version: 3.2.
|
32
|
+
- 18
|
33
|
+
version: 3.2.18
|
34
34
|
prerelease: false
|
35
35
|
requirement: *id001
|
36
|
-
name: activesupport
|
37
36
|
- !ruby/object:Gem::Dependency
|
38
37
|
type: :runtime
|
38
|
+
name: activemodel
|
39
39
|
version_requirements: &id002 !ruby/object:Gem::Requirement
|
40
40
|
none: false
|
41
41
|
requirements:
|
42
42
|
- - "="
|
43
43
|
- !ruby/object:Gem::Version
|
44
|
-
hash:
|
44
|
+
hash: 43
|
45
45
|
segments:
|
46
46
|
- 3
|
47
47
|
- 2
|
48
|
-
-
|
49
|
-
version: 3.2.
|
48
|
+
- 18
|
49
|
+
version: 3.2.18
|
50
50
|
prerelease: false
|
51
51
|
requirement: *id002
|
52
|
-
name: activemodel
|
53
52
|
- !ruby/object:Gem::Dependency
|
54
53
|
type: :runtime
|
54
|
+
name: rack-cache
|
55
55
|
version_requirements: &id003 !ruby/object:Gem::Requirement
|
56
56
|
none: false
|
57
57
|
requirements:
|
@@ -64,9 +64,9 @@ dependencies:
|
|
64
64
|
version: "1.2"
|
65
65
|
prerelease: false
|
66
66
|
requirement: *id003
|
67
|
-
name: rack-cache
|
68
67
|
- !ruby/object:Gem::Dependency
|
69
68
|
type: :runtime
|
69
|
+
name: builder
|
70
70
|
version_requirements: &id004 !ruby/object:Gem::Requirement
|
71
71
|
none: false
|
72
72
|
requirements:
|
@@ -80,9 +80,9 @@ dependencies:
|
|
80
80
|
version: 3.0.0
|
81
81
|
prerelease: false
|
82
82
|
requirement: *id004
|
83
|
-
name: builder
|
84
83
|
- !ruby/object:Gem::Dependency
|
85
84
|
type: :runtime
|
85
|
+
name: rack
|
86
86
|
version_requirements: &id005 !ruby/object:Gem::Requirement
|
87
87
|
none: false
|
88
88
|
requirements:
|
@@ -96,9 +96,9 @@ dependencies:
|
|
96
96
|
version: 1.4.5
|
97
97
|
prerelease: false
|
98
98
|
requirement: *id005
|
99
|
-
name: rack
|
100
99
|
- !ruby/object:Gem::Dependency
|
101
100
|
type: :runtime
|
101
|
+
name: rack-test
|
102
102
|
version_requirements: &id006 !ruby/object:Gem::Requirement
|
103
103
|
none: false
|
104
104
|
requirements:
|
@@ -112,9 +112,9 @@ dependencies:
|
|
112
112
|
version: 0.6.1
|
113
113
|
prerelease: false
|
114
114
|
requirement: *id006
|
115
|
-
name: rack-test
|
116
115
|
- !ruby/object:Gem::Dependency
|
117
116
|
type: :runtime
|
117
|
+
name: journey
|
118
118
|
version_requirements: &id007 !ruby/object:Gem::Requirement
|
119
119
|
none: false
|
120
120
|
requirements:
|
@@ -128,9 +128,9 @@ dependencies:
|
|
128
128
|
version: 1.0.4
|
129
129
|
prerelease: false
|
130
130
|
requirement: *id007
|
131
|
-
name: journey
|
132
131
|
- !ruby/object:Gem::Dependency
|
133
132
|
type: :runtime
|
133
|
+
name: sprockets
|
134
134
|
version_requirements: &id008 !ruby/object:Gem::Requirement
|
135
135
|
none: false
|
136
136
|
requirements:
|
@@ -144,9 +144,9 @@ dependencies:
|
|
144
144
|
version: 2.2.1
|
145
145
|
prerelease: false
|
146
146
|
requirement: *id008
|
147
|
-
name: sprockets
|
148
147
|
- !ruby/object:Gem::Dependency
|
149
148
|
type: :runtime
|
149
|
+
name: erubis
|
150
150
|
version_requirements: &id009 !ruby/object:Gem::Requirement
|
151
151
|
none: false
|
152
152
|
requirements:
|
@@ -160,9 +160,9 @@ dependencies:
|
|
160
160
|
version: 2.7.0
|
161
161
|
prerelease: false
|
162
162
|
requirement: *id009
|
163
|
-
name: erubis
|
164
163
|
- !ruby/object:Gem::Dependency
|
165
164
|
type: :development
|
165
|
+
name: tzinfo
|
166
166
|
version_requirements: &id010 !ruby/object:Gem::Requirement
|
167
167
|
none: false
|
168
168
|
requirements:
|
@@ -176,7 +176,6 @@ dependencies:
|
|
176
176
|
version: 0.3.29
|
177
177
|
prerelease: false
|
178
178
|
requirement: *id010
|
179
|
-
name: tzinfo
|
180
179
|
description: Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
|
181
180
|
email: david@loudthinking.com
|
182
181
|
executables: []
|
@@ -377,7 +376,6 @@ files:
|
|
377
376
|
- lib/sprockets/helpers.rb
|
378
377
|
- lib/sprockets/railtie.rb
|
379
378
|
- lib/sprockets/static_compiler.rb
|
380
|
-
has_rdoc: true
|
381
379
|
homepage: http://www.rubyonrails.org
|
382
380
|
licenses:
|
383
381
|
- MIT
|
@@ -409,7 +407,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
409
407
|
requirements:
|
410
408
|
- none
|
411
409
|
rubyforge_project:
|
412
|
-
rubygems_version: 1.
|
410
|
+
rubygems_version: 1.8.15
|
413
411
|
signing_key:
|
414
412
|
specification_version: 3
|
415
413
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|