actionpack 4.0.1 → 4.0.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -0
- data/lib/action_dispatch/http/request.rb +2 -2
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_view/helpers/number_helper.rb +1 -0
- data/lib/action_view/helpers/text_helper.rb +1 -1
- data/lib/action_view/helpers/translation_helper.rb +9 -13
- data/lib/action_view/lookup_context.rb +7 -0
- metadata +19 -19
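--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6fbfd3478ffdabae6c448f11b8d2555183dc9afa
+data.tar.gz: c943680b657f1ee41a97fc0b3e45ed917f651ff6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: de8fa29de785a8374d2f42a857d0cfaa6767dd509d2b8550367a57af9adcc07d0aa0a3fe5853e3983481d2c77d4879eb016dce956d0d7a8fbbcae66eba1adf93
+data.tar.gz: fc2e767c978ef701d1b7cac55cd691ee3aa202c0afe2ebb28710dbc5f6bdccbcc5679c18a2e7d670f50df90f5429d741e759b21e81b08d9ee12b17c431cc30c2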
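--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,14 @@
+* Ensure simple_format escapes its html attributes. This fixes CVE-2013-6416
+
+* Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
+
+* Stop using i18n's built in HTML error handling. Fixes: CVE-2013-4491
+
+* Escape the unit value provided to number_to_currency Fixes CVE-2013-6415
+
+* Only use valid mime type symbols as cache keys CVE-2013-6414
+
+
 ## Rails 4.0.1 (November 01, 2013) ##
 
 * Respect `SCRIPT_NAME` when using `redirect` with a relative path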
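--- a/data/lib/action_dispatch/http/request.rb
+++ b/data/lib/action_dispatch/http/request.rb
@@ -271,7 +271,7 @@ module ActionDispatch
 
 # Override Rack's GET method to support indifferent access
 def GET
-@env["action_dispatch.request.query_parameters"] ||= (normalize_encode_params(super) || {})
+@env["action_dispatch.request.query_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
 rescue TypeError => e
 raise ActionController::BadRequest.new(:query, e)
 end
@@ -279,7 +279,7 @@ module ActionDispatch
 
 # Override Rack's POST method to support indifferent access
 def POST
-@env["action_dispatch.request.request_parameters"] ||= (normalize_encode_params(super) || {})
+@env["action_dispatch.request.request_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
 rescue TypeError => e
 raise ActionController::BadRequest.new(:request, e)
 end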
data/lib/action_pack/version.rb
CHANGED
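--- a/data/lib/action_view/helpers/number_helper.rb
+++ b/data/lib/action_view/helpers/number_helper.rb
@@ -411,6 +411,7 @@ module ActionView
 def escape_unsafe_delimiters_and_separators(options)
 options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
 options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
+options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
 options
 end
 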
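Review bot: The name `escape_unsafe_delimiters_and_separators` no longer describes what the method does now that the added line also escapes `:unit`, and nothing documents that only these three keys are escaped while every other option (for example `:format`) passes through untouched. The method also writes the escaped values back into the caller's `options` hash in place rather than returning a fresh copy, which neither the name nor the trailing `options` return makes obvious. A header comment would make both explicit: `# Escapes :separator, :delimiter and :unit in place unless already html_safe; other options are not escaped here.` The enclosing module starts outside the hunk.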
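--- a/data/lib/action_view/helpers/text_helper.rb
+++ b/data/lib/action_view/helpers/text_helper.rb
@@ -266,7 +266,7 @@ module ActionView
 content_tag(wrapper_tag, nil, html_options)
 else
 paragraphs.map { |paragraph|
-content_tag(wrapper_tag, paragraph, html_options
+content_tag(wrapper_tag, raw(paragraph), html_options)
 }.join("\n\n").html_safe
 end
 end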
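--- a/data/lib/action_view/helpers/translation_helper.rb
+++ b/data/lib/action_view/helpers/translation_helper.rb
@@ -1,24 +1,14 @@
 require 'action_view/helpers/tag_helper'
 require 'i18n/exceptions'
 
-module I18n
-class ExceptionHandler
-include Module.new {
-def call(exception, locale, key, options)
-exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super
-end
-}
-end
-end
-
 module ActionView
 # = Action View Translation Helpers
 module Helpers
 module TranslationHelper
 # Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
 #
-# First, it
-#
+# First, it will ensure that any thrown +MissingTranslation+ messages will be turned
+# into inline spans that:
 #
 # * have a "translation-missing" class set,
 # * contain the missing key as a title attribute and
@@ -44,8 +34,11 @@ module ActionView
 # naming convention helps to identify translations that include HTML tags so that
 # you know what kind of output to expect when you call translate in a template.
 def translate(key, options = {})
-options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
 options[:default] = wrap_translate_defaults(options[:default]) if options[:default]
+
+# If the user has specified rescue_format then pass it all through, otherwise use
+# raise and do the work ourselves
+options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
 if html_safe_translation_key?(key)
 html_safe_options = options.dup
 options.except(*I18n::RESERVED_KEYS).each do |name, value|
@@ -59,6 +52,9 @@ module ActionView
 else
 I18n.translate(scope_key_by_partial(key), options)
 end
+rescue I18n::MissingTranslationData => e
+keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
+content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
 end
 alias :t :translate
 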
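Review bot: The new `rescue I18n::MissingTranslationData` clause only ever fires on the default path, because `options[:raise] = true` is skipped whenever the caller supplies `:rescue_format`; on that path the helper now returns whatever the i18n gem's own exception handler produces, and since this commit deletes the `I18n::ExceptionHandler` patch that marked such output `html_safe`, whether that string comes back escaped, or gets escaped again by the view, now depends on the installed i18n version rather than on anything in this file. That trade-off deserves a comment next to the `options[:raise]` line, for example `# Callers passing :rescue_format opt out of the rescue below and get i18n's own handler output, which this helper no longer marks html_safe`. Note also that `options[:raise] = true` writes into the caller's hash rather than a copy, so a hash reused across calls will keep `:raise => true`; the pre-existing `merge!` had the same property, but `options = options.merge(:raise => true)` would avoid it. The `translate` method spans all three hunks, with the `if html_safe_translation_key?` branch body falling between them.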
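--- a/data/lib/action_view/lookup_context.rb
+++ b/data/lib/action_view/lookup_context.rb
@@ -62,6 +62,13 @@ module ActionView
 @details_keys = ThreadSafe::Cache.new
 
 def self.get(details)
+if details[:formats]
+details = details.dup
+syms = Set.new Mime::SET.symbols
+details[:formats] = details[:formats].select { |v|
+syms.include? v
+}
+end
 @details_keys[details] ||= new
 end
 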
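Review bot: Nothing in the added block says why the filter exists, and because `@details_keys[details] ||= new` directly below it caches on the whole `details` hash, a future reader could reasonably remove the `select` as a redundant step and silently reopen the unbounded-cache-key growth the CHANGELOG's CVE-2013-6414 entry describes. A comment above `if details[:formats]` would pin the invariant: `# Only registered mime symbols may become part of a cache key; unknown formats taken from the request would otherwise grow @details_keys without bound`. The `Set.new Mime::SET.symbols` membership set is also rebuilt on every call to `get`, which presumably sits on the render path; if `Mime::SET` can still be extended at runtime (e.g. via type registration) a memoised set would need invalidation, so that is worth a note either way. `details.dup` is shallow, which is sufficient here only because the sole mutation is reassigning the `:formats` entry.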
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.0.
|
4
|
+
version: 4.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2013-
|
11
|
+
date: 2013-12-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,68 +16,68 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 4.0.
|
19
|
+
version: 4.0.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 4.0.
|
26
|
+
version: 4.0.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: builder
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
|
-
- - ~>
|
31
|
+
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
33
|
version: 3.1.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
|
-
- - ~>
|
38
|
+
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
40
|
version: 3.1.0
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rack
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
|
-
- - ~>
|
45
|
+
- - "~>"
|
46
46
|
- !ruby/object:Gem::Version
|
47
47
|
version: 1.5.2
|
48
48
|
type: :runtime
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
|
-
- - ~>
|
52
|
+
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: 1.5.2
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
56
|
name: rack-test
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
58
58
|
requirements:
|
59
|
-
- - ~>
|
59
|
+
- - "~>"
|
60
60
|
- !ruby/object:Gem::Version
|
61
61
|
version: 0.6.2
|
62
62
|
type: :runtime
|
63
63
|
prerelease: false
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
65
65
|
requirements:
|
66
|
-
- - ~>
|
66
|
+
- - "~>"
|
67
67
|
- !ruby/object:Gem::Version
|
68
68
|
version: 0.6.2
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
70
|
name: erubis
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
72
72
|
requirements:
|
73
|
-
- - ~>
|
73
|
+
- - "~>"
|
74
74
|
- !ruby/object:Gem::Version
|
75
75
|
version: 2.7.0
|
76
76
|
type: :runtime
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
|
-
- - ~>
|
80
|
+
- - "~>"
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: 2.7.0
|
83
83
|
- !ruby/object:Gem::Dependency
|
@@ -86,26 +86,26 @@ dependencies:
|
|
86
86
|
requirements:
|
87
87
|
- - '='
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version: 4.0.
|
89
|
+
version: 4.0.2
|
90
90
|
type: :development
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
94
|
- - '='
|
95
95
|
- !ruby/object:Gem::Version
|
96
|
-
version: 4.0.
|
96
|
+
version: 4.0.2
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
98
|
name: tzinfo
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
100
100
|
requirements:
|
101
|
-
- - ~>
|
101
|
+
- - "~>"
|
102
102
|
- !ruby/object:Gem::Version
|
103
103
|
version: 0.3.37
|
104
104
|
type: :development
|
105
105
|
prerelease: false
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
107
107
|
requirements:
|
108
|
-
- - ~>
|
108
|
+
- - "~>"
|
109
109
|
- !ruby/object:Gem::Version
|
110
110
|
version: 0.3.37
|
111
111
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
@@ -370,18 +370,18 @@ require_paths:
|
|
370
370
|
- lib
|
371
371
|
required_ruby_version: !ruby/object:Gem::Requirement
|
372
372
|
requirements:
|
373
|
-
- -
|
373
|
+
- - ">="
|
374
374
|
- !ruby/object:Gem::Version
|
375
375
|
version: 1.9.3
|
376
376
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
377
377
|
requirements:
|
378
|
-
- -
|
378
|
+
- - ">="
|
379
379
|
- !ruby/object:Gem::Version
|
380
380
|
version: '0'
|
381
381
|
requirements:
|
382
382
|
- none
|
383
383
|
rubyforge_project:
|
384
|
-
rubygems_version: 2.0.
|
384
|
+
rubygems_version: 2.0.2
|
385
385
|
signing_key:
|
386
386
|
specification_version: 4
|
387
387
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|