actionpack 4.0.12 → 4.0.13.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 82d6dcc940311b422bf9ce808108e1e94ac236e3
-  data.tar.gz: 0c5bce2d5f63158f709e2f00c2472557d035a68d
+  metadata.gz: 12c05d6e1da13c09d54b5c23faff8cba79279875
+  data.tar.gz: 7172e0ad913a8f34d9f6ac6ea1211ee00e055a73
 SHA512:
-  metadata.gz: a8bee8098159b28ced7c7c79bac253dd3a2eca13a1a5e57c3c34343b585956891c122bd26dfee45819f3b1be391547bffcd259f439ab4df07c6dd6786aabf979
-  data.tar.gz: 3d8b4124171b15426a2448a3c957f4506280d7b9a34982c6faa5092dadbb7203c218429ba20d03aefc87dcf1e680aba6d99736eb53b610ba7c92e90e84f0c3b6
+  metadata.gz: c0e12d6ccaac076fa171cee84d229df7893211688f0dcb86ac9cbe87d9722175f725c0f438014ee683cb8e385538ffd931b352a42341de67c0d345d19089102c
+  data.tar.gz: 348757867135fdcb4ed5cbce7dfcd45b505f2d885698f3291e861571aa1819eff4aa5f133d89f7cdbfcc12440a475f6c0b800595a131785443a2f309cc6a1b4f

data/CHANGELOG.md

@@ -1,3 +1,18 @@
+*   Added an explicit error message, in `ActionView::PartialRenderer`
+    for partial `rendering`, when the value of option `as` has invalid characters.
+
+    *Angelo Capilleri*
+
+*   Restore handling of a bare `Authorization` header, without `token=`
+    prefix.
+
+    Fixes #17108.
+
+    *Guo Xiang Tan*
+
+
+## Rails 4.0.12 (November 16, 2014) ##
+
 *   Fix a bug where malformed query strings lead to 500.
 
     fixes #11502.
@@ -5,6 +20,20 @@
     *Yuki Nishijima*
 
 
+## Rails 4.0.11.1 (November 19, 2014) ##
+
+*   Fix arbitrary file existence disclosure in Action Pack.
+
+    CVE-2014-7829.
+
+
+## Rails 4.0.11 (September 11, 2014) ##
+
+*   Fix arbitrary file existence disclosure in Action Pack.
+
+    CVE-2014-7818.
+
+
 ## Rails 4.0.10 (September 11, 2014) ##
 
 *   Return an absolute instead of relative path from an asset url in the case

data/lib/action_controller/metal/http_authentication.rb

@@ -385,6 +385,7 @@ module ActionController
     #
     #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
     module Token
+      TOKEN_KEY = 'token='
       TOKEN_REGEX = /^Token /
       AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
       extend self
@@ -459,7 +460,13 @@ module ActionController
       # pairs by the standardized `:`, `;`, or `\t` delimiters defined in
       # `AUTHN_PAIR_DELIMITERS`.
       def raw_params(auth)
-        auth.sub(TOKEN_REGEX, '').split(/"\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+
+        if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+          _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
+        end
+
+        _raw_params
       end
 
       # Encodes the given token and options into an Authorization header value.
@@ -469,7 +476,7 @@ module ActionController
       #
       # Returns String.
       def encode_credentials(token, options = {})
-        values = ["token=#{token.to_s.inspect}"] + options.map do |key, value|
+        values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
           "#{key}=#{value.to_s.inspect}"
         end
         "Token #{values * ", "}"

data/lib/action_dispatch/middleware/flash.rb

@@ -125,7 +125,7 @@ module ActionDispatch
       end
 
       def key?(name)
-        @flashes.key? name
+        @flashes.key? name.to_s
       end
 
       def delete(key)

data/lib/action_pack/version.rb

@@ -1,7 +1,7 @@
 module ActionPack
   # Returns the version of the currently loaded ActionPack as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.12"
+    Gem::Version.new "4.0.13.rc1"
   end
 
   module VERSION #:nodoc:

data/lib/action_view/helpers/form_helper.rb

@@ -1875,6 +1875,8 @@ module ActionView
   end
 
   ActiveSupport.on_load(:action_view) do
-    cattr_accessor(:default_form_builder) { ::ActionView::Helpers::FormBuilder }
+    cattr_accessor(:default_form_builder, instance_writer: false, instance_reader: false) do
+      ::ActionView::Helpers::FormBuilder
+    end
   end
 end

data/lib/action_view/helpers/tags/search_field.rb

@@ -3,20 +3,18 @@ module ActionView
     module Tags # :nodoc:
       class SearchField < TextField # :nodoc:
         def render
-          options = @options.stringify_keys
-
-          if options["autosave"]
-            if options["autosave"] == true
-              options["autosave"] = request.host.split(".").reverse.join(".")
+          super do |options|
+            if options["autosave"]
+              if options["autosave"] == true
+                options["autosave"] = request.host.split(".").reverse.join(".")
+              end
+              options["results"] ||= 10
             end
-            options["results"] ||= 10
-          end
 
-          if options["onsearch"]
-            options["incremental"] = true unless options.has_key?("incremental")
+            if options["onsearch"]
+              options["incremental"] = true unless options.has_key?("incremental")
+            end
           end
-
-          super
         end
       end
     end

data/lib/action_view/helpers/tags/text_field.rb

@@ -8,6 +8,7 @@ module ActionView
           options["type"] ||= field_type
           options["value"] = options.fetch("value") { value_before_type_cast(object) } unless field_type == "file"
           options["value"] &&= ERB::Util.html_escape(options["value"])
+          yield options if block_given?
           add_default_name_and_id(options)
           tag("input", options)
         end

data/lib/action_view/renderer/partial_renderer.rb

@@ -347,7 +347,7 @@ module ActionView
       end
 
       if as = options[:as]
-        raise_invalid_identifier(as) unless as.to_s =~ /\A[a-z_]\w*\z/
+        raise_invalid_option_as(as) unless as.to_s =~ /\A[a-z_]\w*\z/
         as = as.to_sym
       end
 
@@ -482,11 +482,19 @@ module ActionView
     end
 
     IDENTIFIER_ERROR_MESSAGE = "The partial name (%s) is not a valid Ruby identifier; " +
-                               "make sure your partial name starts with a lowercase letter or underscore, " +
+                               "make sure your partial name starts with underscore, " +
+                               "and is followed by any combination of letters, numbers and underscores."
+
+    OPTION_AS_ERROR_MESSAGE  = "The value (%s) of the option `as` is not a valid Ruby identifier; " +
+                               "make sure it starts with lowercase letter, " +
                                "and is followed by any combination of letters, numbers and underscores."
 
     def raise_invalid_identifier(path)
       raise ArgumentError.new(IDENTIFIER_ERROR_MESSAGE % (path))
     end
+
+    def raise_invalid_option_as(as)
+      raise ArgumentError.new(OPTION_AS_ERROR_MESSAGE % (as))
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.0.12
+  version: 4.0.13.rc1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-16 00:00:00.000000000 Z
+date: 2015-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.12
+        version: 4.0.13.rc1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.12
+        version: 4.0.13.rc1
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.12
+        version: 4.0.13.rc1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.12
+        version: 4.0.13.rc1
 - !ruby/object:Gem::Dependency
   name: tzinfo
   requirement: !ruby/object:Gem::Requirement
@@ -375,13 +375,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements:
 - none
 rubyforge_project: 
-rubygems_version: 2.4.2
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).