actionpack 3.2.22 → 3.2.22.1


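--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 6efaa79668a2f1506e7dafd4cb0a3cb9c7263bf4
-data.tar.gz: 1fc55fc7fc7dbed9de6ada5c4e8e8e7994f46a47
+metadata.gz: 8f81786e02adf6e3a78e5ce661cd08e6b0c0b428
+data.tar.gz: d3b8c6df5d3a0b05ea9eed8489b7b056f03d139d
 SHA512:
-metadata.gz: 9680438e9bd275263d4c10b16607db1c22c12e9a12bc84ef3117e03ada6af7db63c5feb911f4f29536697a8e3b9f23b30c26e8a73cd3cb0cf09a60fffcac16a1
-data.tar.gz: e143b76f02121dec0af4974a839ca2793f227a18b434ee3e54065f4234733008fba44e58b5c267839f00de8ecd4cbfccdbcf9b26afdb330557f70b83c2140787
+metadata.gz: 07fae5ccd71863bf5b5bb24215e707722db0c0af5447daaa21c4452a0e6ac5272a522073a588cc037ddfcb5ea11c393d166208e57fbe99b387bd6ba5cf30bae0
+data.tar.gz: 44ed5a30d711d7e80b5ef4114bf413a69398911039e1b155a504380f3bed5bf93ec0133a3b7ca1ad35bad6286b8a166a3b5fa55589a3c69009e18f7285edaed3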
@@ -1,5 +1,6 @@
1
1
  require 'active_support/base64'
2
2
  require 'active_support/core_ext/object/blank'
3
+ require 'active_support/security_utils'
3
4
 
4
5
  module ActionController
5
6
  module HttpAuthentication
@@ -111,7 +112,11 @@ module ActionController
111
112
  def http_basic_authenticate_with(options = {})
112
113
  before_filter(options.except(:name, :password, :realm)) do
113
114
  authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
114
- name == options[:name] && password == options[:password]
115
+ # This comparison uses & so that it doesn't short circuit and
116
+ # uses `variable_size_secure_compare` so that length information
117
+ # isn't leaked.
118
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
119
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
115
120
  end
116
121
  end
117
122
  end
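Review bot: The two `variable_size_secure_compare` calls in the new block raise instead of failing closed when either operand is nil: if, as the hunk's comment about not leaking length suggests, the helper digests or otherwise string-processes its inputs, a nil operand is a TypeError (a 500) where the old `==` simply returned false. Whether `password` can arrive as nil depends on how the credentials are split upstream, which is outside this hunk, so treat that as something to confirm; `options[:password]` is nil whenever a caller omits it. Coercing only the client-supplied side keeps the comparison constant-time and fail-closed, `ActiveSupport::SecurityUtils.variable_size_secure_compare(name.to_s, options[:name]) & ActiveSupport::SecurityUtils.variable_size_secure_compare(password.to_s, options[:password])`, while a missing option stays a loud error rather than something an empty credential could match. Note that this helper comes from activesupport, which the metadata now pins to exactly 3.2.22.1, so the two gems must be upgraded together.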
@@ -22,7 +22,7 @@ module Mime
22
22
 
23
23
  SET = Mimes.new
24
24
  EXTENSION_LOOKUP = {}
25
- LOOKUP = Hash.new { |h, k| h[k] = Type.new(k) unless k.blank? }
25
+ LOOKUP = {}
26
26
 
27
27
  def self.[](type)
28
28
  return type if type.is_a?(Type)
@@ -85,7 +85,7 @@ module Mime
85
85
  Q_SEPARATOR_REGEXP = /;\s*q=/
86
86
 
87
87
  def lookup(string)
88
- LOOKUP[string]
88
+ LOOKUP[string] || Type.new(string)
89
89
  end
90
90
 
91
91
  def lookup_by_extension(extension)
@@ -204,9 +204,12 @@ module Mime
204
204
  end
205
205
  end
206
206
 
207
+ attr_reader :hash
208
+
207
209
  def initialize(string, symbol = nil, synonyms = [])
208
210
  @symbol, @synonyms = symbol, synonyms
209
211
  @string = string
212
+ @hash = [@string, @synonyms, @symbol].hash
210
213
  end
211
214
 
212
215
  def to_s
@@ -240,6 +243,13 @@ module Mime
240
243
  end
241
244
  end
242
245
 
246
+ def eql?(other)
247
+ super || (self.class == other.class &&
248
+ @string == other.string &&
249
+ @synonyms == other.synonyms &&
250
+ @symbol == other.symbol)
251
+ end
252
+
243
253
  def =~(mime_type)
244
254
  return false if mime_type.blank?
245
255
  regexp = Regexp.new(Regexp.quote(mime_type.to_s))
@@ -262,6 +272,10 @@ module Mime
262
272
  super || method.to_s =~ /(\w+)\?$/
263
273
  end
264
274
 
275
+ protected
276
+
277
+ attr_reader :string, :synonyms
278
+
265
279
  private
266
280
  def method_missing(method, *args)
267
281
  if method.to_s =~ /(\w+)\?$/
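Review bot: The `attr_reader :hash` / `@hash = [@string, @synonyms, @symbol].hash` pair in the `initialize` hunk caches the hash once, while `eql?` in the next hunk compares the live `@synonyms`; if anything appends to a type's synonyms after construction the two disagree and the instance silently stops matching itself as a Hash key. I cannot see from these hunks whether synonyms are ever mutated, so this may be purely latent, but the invariant is undocumented and the reason for adding `hash`/`eql?` at all (lookup now returns fresh `Type.new(string)` instances instead of interning them in LOOKUP, so equal types must still collide as keys) is not stated anywhere. I would add above `attr_reader :hash`: `# Cached for use as a Hash key: lookup no longer interns Types in LOOKUP, so equal types must hash alike;` / `# valid only while @string, @synonyms and @symbol are never mutated after initialize (see eql?).`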
@@ -3,7 +3,7 @@ module ActionPack
3
3
  MAJOR = 3
4
4
  MINOR = 2
5
5
  TINY = 22
6
- PRE = nil
6
+ PRE = "1"
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
9
9
  end
@@ -110,6 +110,9 @@ module ActionView
110
110
  super()
111
111
  end
112
112
 
113
+ cattr_accessor :allow_external_files, instance_reader: false, instance_writer: false
114
+ self.allow_external_files = false
115
+
113
116
  private
114
117
 
115
118
  def find_templates(name, prefix, partial, details)
@@ -122,6 +125,10 @@ module ActionView
122
125
 
123
126
  template_paths = find_template_paths query
124
127
 
128
+ unless self.class.allow_external_files
129
+ template_paths = reject_files_external_to_app(template_paths)
130
+ end
131
+
125
132
  template_paths.map { |template|
126
133
  handler, format = extract_handler_and_format(template, formats)
127
134
  contents = File.binread template
@@ -133,6 +140,10 @@ module ActionView
133
140
  }
134
141
  end
135
142
 
143
+ def reject_files_external_to_app(files)
144
+ files.reject { |filename| !inside_path?(@path, filename) }
145
+ end
146
+
136
147
  if RUBY_VERSION >= '2.2.0'
137
148
  def find_template_paths(query)
138
149
  Dir[query].reject { |filename|
@@ -153,6 +164,12 @@ module ActionView
153
164
  end
154
165
  end
155
166
 
167
+ def inside_path?(path, filename)
168
+ filename = File.expand_path(filename)
169
+ path = File.join(path, '')
170
+ filename.start_with?(path)
171
+ end
172
+
156
173
  # Helper for building query glob string based on resolver's pattern.
157
174
  def build_query(path, details)
158
175
  query = @pattern.dup
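Review bot: `inside_path?` in the `@@ -153,6 +164,12 @@` hunk expands `filename` but not `path`, so the prefix test is only meaningful if `@path` was already absolute and normalized when the resolver was built; that happens outside these hunks, so I cannot confirm it, and a relative or `..`-containing `@path` would make `start_with?` fail for every template and reject them all. Expanding both sides costs nothing and makes the guard self-contained: `path = File.join(File.expand_path(path), '')`. The method also deserves a comment naming what it defends against, e.g. above `def inside_path?`: `# Traversal guard: a template path resolved from a caller-influenced name must stay under this resolver's root` / `# (File.join adds the trailing separator so /app/views does not also match /app/views_evil); bypassed by allow_external_files.` The caller `find_templates` begins and ends outside the hunk that inserts the `allow_external_files` check.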
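--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 3.2.22
+version: 3.2.22.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-06-16 00:00:00.000000000 Z
+date: 2016-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,28 +16,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.22
+version: 3.2.22.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.22
+version: 3.2.22.1
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.22
+version: 3.2.22.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.22
+version: 3.2.22.1
 - !ruby/object:Gem::Dependency
 name: rack-cache
 requirement: !ruby/object:Gem::Requirement
@@ -369,7 +369,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - none
 rubyforge_project:
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).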