actionpack 4.0.12 → 4.0.13.rc1
- checksums.yaml +4 -4
- data/CHANGELOG.md +29 -0
- data/lib/action_controller/metal/http_authentication.rb +9 -2
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_view/helpers/form_helper.rb +3 -1
- data/lib/action_view/helpers/tags/search_field.rb +9 -11
- data/lib/action_view/helpers/tags/text_field.rb +1 -0
- data/lib/action_view/renderer/partial_renderer.rb +10 -2
- metadata +9 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 12c05d6e1da13c09d54b5c23faff8cba79279875
|
4
|
+
data.tar.gz: 7172e0ad913a8f34d9f6ac6ea1211ee00e055a73
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c0e12d6ccaac076fa171cee84d229df7893211688f0dcb86ac9cbe87d9722175f725c0f438014ee683cb8e385538ffd931b352a42341de67c0d345d19089102c
|
7
|
+
data.tar.gz: 348757867135fdcb4ed5cbce7dfcd45b505f2d885698f3291e861571aa1819eff4aa5f133d89f7cdbfcc12440a475f6c0b800595a131785443a2f309cc6a1b4f
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,18 @@
|
|
1
|
+
* Added an explicit error message, in `ActionView::PartialRenderer`
|
2
|
+
for partial `rendering`, when the value of option `as` has invalid characters.
|
3
|
+
|
4
|
+
*Angelo Capilleri*
|
5
|
+
|
6
|
+
* Restore handling of a bare `Authorization` header, without `token=`
|
7
|
+
prefix.
|
8
|
+
|
9
|
+
Fixes #17108.
|
10
|
+
|
11
|
+
*Guo Xiang Tan*
|
12
|
+
|
13
|
+
|
14
|
+
## Rails 4.0.12 (November 16, 2014) ##
|
15
|
+
|
1
16
|
* Fix a bug where malformed query strings lead to 500.
|
2
17
|
|
3
18
|
fixes #11502.
|
@@ -5,6 +20,20 @@
|
|
5
20
|
*Yuki Nishijima*
|
6
21
|
|
7
22
|
|
23
|
+
## Rails 4.0.11.1 (November 19, 2014) ##
|
24
|
+
|
25
|
+
* Fix arbitrary file existence disclosure in Action Pack.
|
26
|
+
|
27
|
+
CVE-2014-7829.
|
28
|
+
|
29
|
+
|
30
|
+
## Rails 4.0.11 (September 11, 2014) ##
|
31
|
+
|
32
|
+
* Fix arbitrary file existence disclosure in Action Pack.
|
33
|
+
|
34
|
+
CVE-2014-7818.
|
35
|
+
|
36
|
+
|
8
37
|
## Rails 4.0.10 (September 11, 2014) ##
|
9
38
|
|
10
39
|
* Return an absolute instead of relative path from an asset url in the case
|
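--- a/data/lib/action_controller/metal/http_authentication.rb
+++ b/data/lib/action_controller/metal/http_authentication.rb
@@ -385,6 +385,7 @@ module ActionController
 #
 # RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
 module Token
+TOKEN_KEY = 'token='
 TOKEN_REGEX = /^Token /
 AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
 extend self
@@ -459,7 +460,13 @@ module ActionController
 # pairs by the standardized `:`, `;`, or `\t` delimiters defined in
 # `AUTHN_PAIR_DELIMITERS`.
 def raw_params(auth)
-auth.sub(TOKEN_REGEX, '').split(
+_raw_params = auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+
+if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+_raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
+end
+
+_raw_params
 end
 
 # Encodes the given token and options into an Authorization header value.
@@ -469,7 +476,7 @@ module ActionController
 #
 # Returns String.
 def encode_credentials(token, options = {})
-values = ["
+values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
 "#{key}=#{value.to_s.inspect}"
 end
 "Token #{values * ", "}"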
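Review bot: The prepend guarded by `if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})` also fires when `_raw_params` is empty (an `Authorization: Token ` header with nothing after the space), because `nil =~ regexp` is nil in Ruby, so `raw_params` then returns `["token="]`, an empty-string credential rather than none. How `token_and_options` (outside this hunk) and the application's authenticate block treat `""` versus a missing token should be confirmed, since a block comparing with `==` sees a present but empty token. The interpolated regex is also only safe because `TOKEN_KEY` contains no metacharacters; `_raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}" unless _raw_params.first.to_s.start_with?(TOKEN_KEY)` states the same check without a regex and makes the nil case visible. A one-line why-comment would help too, e.g. `# A first pair without "token=" is the bare form ("Token abc"); see #17108.`. Both removed lines in this section are truncated on this page.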
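--- a/data/lib/action_view/helpers/form_helper.rb
+++ b/data/lib/action_view/helpers/form_helper.rb
@@ -1875,6 +1875,8 @@ module ActionView
 end
 
 ActiveSupport.on_load(:action_view) do
-cattr_accessor(:default_form_builder
+cattr_accessor(:default_form_builder, instance_writer: false, instance_reader: false) do
+::ActionView::Helpers::FormBuilder
+end
 end
 end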
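Review bot: `cattr_accessor(:default_form_builder, instance_writer: false, instance_reader: false)` has no comment explaining why per-instance access is turned off, which is the part of this line worth preserving: as I read `cattr_accessor`, the default instance writer would let any view instance reassign the class-wide builder (confirm against ActiveSupport), so `instance_writer: false` keeps the builder a process-level setting. I would add above it `# Class-level only: a view instance must not be able to swap the builder for every request.`. The page's section header reads `data/lib/action_pack/version.rb`, but the hunk content (`ActiveSupport.on_load(:action_view)`, `default_form_builder`) and the diffstat's +3 −1 match `data/lib/action_view/helpers/form_helper.rb`; the removed line is truncated on this page, so whether the two options are new cannot be confirmed. The `on_load` block and the enclosing `module ActionView` close within the hunk, but everything before line 1875 is outside it.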
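--- a/data/lib/action_view/helpers/tags/search_field.rb
+++ b/data/lib/action_view/helpers/tags/search_field.rb
@@ -3,20 +3,18 @@ module ActionView
 module Tags # :nodoc:
 class SearchField < TextField # :nodoc:
 def render
-
-
-
-
-
+super do |options|
+if options["autosave"]
+if options["autosave"] == true
+options["autosave"] = request.host.split(".").reverse.join(".")
+end
+options["results"] ||= 10
 end
-options["results"] ||= 10
-end
 
-
-
+if options["onsearch"]
+options["incremental"] = true unless options.has_key?("incremental")
+end
 end
-
-super
 end
 end
 end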
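Review bot: `options["autosave"] = request.host.split(".").reverse.join(".")` writes a value derived from the request's `Host` header into an attribute of the rendered `<input>`; whether it is escaped depends on `tag("input", options)` in `TextField#render`, outside this hunk, so the trust assumption belongs on the line: `# request.host is taken from the Host header; relies on tag() escaping attribute values.`. The removed lines 6–10, 15–16 and 18–19 are blank on this page, so I cannot confirm that the block passed to `super` only relocates the previous `autosave`/`onsearch` branches rather than changing them. `options.has_key?("incremental")` reads more idiomatically as `options.key?("incremental")`. `render`, the class and the module all open and close within the hunk.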
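--- a/data/lib/action_view/helpers/tags/text_field.rb
+++ b/data/lib/action_view/helpers/tags/text_field.rb
@@ -8,6 +8,7 @@ module ActionView
 options["type"] ||= field_type
 options["value"] = options.fetch("value") { value_before_type_cast(object) } unless field_type == "file"
 options["value"] &&= ERB::Util.html_escape(options["value"])
+yield options if block_given?
 add_default_name_and_id(options)
 tag("input", options)
 end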
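Review bot: `yield options if block_given?` runs after `options["value"] &&= ERB::Util.html_escape(options["value"])`, so a block that assigns `options["value"]` (the `SearchField` block in this release does not, but any future caller could) reaches `tag("input", options)` with an unescaped value. Either document the ordering — `# Subclasses may adjust options here; "value" is already escaped, so a block must not replace it with raw input.` — or move the yield to just before the `&&=` escape line so that whatever the block sets is escaped too. The start of `render` (its signature and the setup of `options`) is outside the hunk.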
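--- a/data/lib/action_view/renderer/partial_renderer.rb
+++ b/data/lib/action_view/renderer/partial_renderer.rb
@@ -347,7 +347,7 @@ module ActionView
 end
 
 if as = options[:as]
-
+raise_invalid_option_as(as) unless as.to_s =~ /\A[a-z_]\w*\z/
 as = as.to_sym
 end
 
@@ -482,11 +482,19 @@ module ActionView
 end
 
 IDENTIFIER_ERROR_MESSAGE = "The partial name (%s) is not a valid Ruby identifier; " +
-"make sure your partial name starts with
+"make sure your partial name starts with underscore, " +
+"and is followed by any combination of letters, numbers and underscores."
+
+OPTION_AS_ERROR_MESSAGE = "The value (%s) of the option `as` is not a valid Ruby identifier; " +
+"make sure it starts with lowercase letter, " +
 "and is followed by any combination of letters, numbers and underscores."
 
 def raise_invalid_identifier(path)
 raise ArgumentError.new(IDENTIFIER_ERROR_MESSAGE % (path))
 end
+
+def raise_invalid_option_as(as)
+raise ArgumentError.new(OPTION_AS_ERROR_MESSAGE % (as))
+end
 end
 end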
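Review bot: The guard `raise_invalid_option_as(as) unless as.to_s =~ /\A[a-z_]\w*\z/` accepts a leading underscore, but the new `OPTION_AS_ERROR_MESSAGE` tells the user to "make sure it starts with lowercase letter", so the message and the check disagree; either change the message line to `"make sure it starts with a lowercase letter or underscore, " +` or tighten the regex to `/\A[a-z]\w*\z/` (the removed line 350 is blank on this page, so I cannot tell whether the regex itself changed). If, as the message implies, `as` becomes a Ruby local in the compiled template, this regex is the identifier allow-list and deserves a comment: `# "as" becomes a local variable name in the template; only a plain Ruby identifier is accepted.`. Anchoring with `\A`/`\z` rather than `^`/`$` is the right choice here, since `$` would let a newline-terminated value through. The method containing the first hunk starts and ends outside it; the constants and `raise_invalid_option_as` in the second hunk are complete, and `IDENTIFIER_ERROR_MESSAGE`'s removed line is truncated on this page.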
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.0.
|
4
|
+
version: 4.0.13.rc1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2015-01-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 4.0.
|
19
|
+
version: 4.0.13.rc1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 4.0.
|
26
|
+
version: 4.0.13.rc1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: builder
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -86,14 +86,14 @@ dependencies:
|
|
86
86
|
requirements:
|
87
87
|
- - '='
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version: 4.0.
|
89
|
+
version: 4.0.13.rc1
|
90
90
|
type: :development
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
94
|
- - '='
|
95
95
|
- !ruby/object:Gem::Version
|
96
|
-
version: 4.0.
|
96
|
+
version: 4.0.13.rc1
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
98
|
name: tzinfo
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
@@ -375,13 +375,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
375
375
|
version: 1.9.3
|
376
376
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
377
377
|
requirements:
|
378
|
-
- - "
|
378
|
+
- - ">"
|
379
379
|
- !ruby/object:Gem::Version
|
380
|
-
version:
|
380
|
+
version: 1.3.1
|
381
381
|
requirements:
|
382
382
|
- none
|
383
383
|
rubyforge_project:
|
384
|
-
rubygems_version: 2.4.
|
384
|
+
rubygems_version: 2.4.5
|
385
385
|
signing_key:
|
386
386
|
specification_version: 4
|
387
387
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|