actionpack 4.0.4 → 4.0.5
- data/CHANGELOG.md +11 -0
- data/lib/abstract_controller/base.rb +25 -3
- data/lib/action_pack/version.rb +1 -1
- metadata +55 -39
- checksums.yaml +0 -7
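--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,14 @@
+## Rails 4.0.5 (May 6, 2014) ##
+
+* Only accept actions without File::SEPARATOR in the name.
+
+This will avoid directory traversal in implicit render.
+
+Fixes: CVE-2014-0130
+
+*Rafael Mendonça França*
+
+
 ## Rails 4.0.4 (March 14, 2014) ##
 
 * Fix label translation for more than 10 nested elements.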
@@ -127,7 +127,7 @@ module AbstractController
|
|
127
127
|
def process(action, *args)
|
128
128
|
@_action_name = action_name = action.to_s
|
129
129
|
|
130
|
-
unless action_name =
|
130
|
+
unless action_name = _find_action_name(action_name)
|
131
131
|
raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
|
132
132
|
end
|
133
133
|
|
@@ -160,7 +160,7 @@ module AbstractController
|
|
160
160
|
# ==== Returns
|
161
161
|
# * <tt>TrueClass</tt>, <tt>FalseClass</tt>
|
162
162
|
def available_action?(action_name)
|
163
|
-
|
163
|
+
_find_action_name(action_name).present?
|
164
164
|
end
|
165
165
|
|
166
166
|
private
|
@@ -203,6 +203,23 @@ module AbstractController
|
|
203
203
|
action_missing(@_action_name, *args)
|
204
204
|
end
|
205
205
|
|
206
|
+
# Takes an action name and returns the name of the method that will
|
207
|
+
# handle the action.
|
208
|
+
#
|
209
|
+
# It checks if the action name is valid and returns false otherwise.
|
210
|
+
#
|
211
|
+
# See method_for_action for more information.
|
212
|
+
#
|
213
|
+
# ==== Parameters
|
214
|
+
# * <tt>action_name</tt> - An action name to find a method name for
|
215
|
+
#
|
216
|
+
# ==== Returns
|
217
|
+
# * <tt>string</tt> - The name of the method that handles the action
|
218
|
+
# * false - No valid method name could be found. Raise ActionNotFound.
|
219
|
+
def _find_action_name(action_name)
|
220
|
+
_valid_action_name?(action_name) && method_for_action(action_name)
|
221
|
+
end
|
222
|
+
|
206
223
|
# Takes an action name and returns the name of the method that will
|
207
224
|
# handle the action. In normal cases, this method returns the same
|
208
225
|
# name as it receives. By default, if #method_for_action receives
|
@@ -225,7 +242,7 @@ module AbstractController
|
|
225
242
|
#
|
226
243
|
# ==== Returns
|
227
244
|
# * <tt>string</tt> - The name of the method that handles the action
|
228
|
-
# * <tt>nil</tt> - No method name could be found.
|
245
|
+
# * <tt>nil</tt> - No method name could be found.
|
229
246
|
def method_for_action(action_name)
|
230
247
|
if action_method?(action_name)
|
231
248
|
action_name
|
@@ -233,5 +250,10 @@ module AbstractController
|
|
233
250
|
"_handle_action_missing"
|
234
251
|
end
|
235
252
|
end
|
253
|
+
|
254
|
+
# Checks if the action name is valid and returns false otherwise.
|
255
|
+
def _valid_action_name?(action_name)
|
256
|
+
action_name.to_s !~ Regexp.new(File::SEPARATOR)
|
257
|
+
end
|
236
258
|
end
|
237
259
|
end
|
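Review bot: In the last hunk, `_valid_action_name?` compiles `Regexp.new(File::SEPARATOR)` on every call only to test for a literal substring; `!action_name.to_s.include?(File::SEPARATOR)` expresses the same check without a per-request Regexp allocation and without treating the separator as a pattern. The check rejects only File::SEPARATOR; whether File::ALT_SEPARATOR needs the same treatment on platforms where it is set depends on how the template resolver handles paths, which is outside this diff and worth confirming. In the `_find_action_name` documentation added in the third hunk, the Returns section lists only a string or false, but the method also yields nil whenever `method_for_action` does (its own documentation, retained in the fourth hunk, says nil means no method name was found), so `# * <tt>nil</tt> or false - No valid method name could be found; process raises ActionNotFound.` would describe what `available_action?` and `process` actually receive.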
data/lib/action_pack/version.rb
CHANGED
metadata
CHANGED
@@ -1,111 +1,126 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.0.
|
4
|
+
version: 4.0.5
|
5
|
+
prerelease:
|
5
6
|
platform: ruby
|
6
7
|
authors:
|
7
8
|
- David Heinemeier Hansson
|
8
9
|
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
11
|
-
date: 2014-
|
12
|
+
date: 2014-05-06 00:00:00.000000000 Z
|
12
13
|
dependencies:
|
13
14
|
- !ruby/object:Gem::Dependency
|
14
15
|
name: activesupport
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
17
|
+
none: false
|
16
18
|
requirements:
|
17
19
|
- - '='
|
18
20
|
- !ruby/object:Gem::Version
|
19
|
-
version: 4.0.
|
21
|
+
version: 4.0.5
|
20
22
|
type: :runtime
|
21
23
|
prerelease: false
|
22
24
|
version_requirements: !ruby/object:Gem::Requirement
|
25
|
+
none: false
|
23
26
|
requirements:
|
24
27
|
- - '='
|
25
28
|
- !ruby/object:Gem::Version
|
26
|
-
version: 4.0.
|
29
|
+
version: 4.0.5
|
27
30
|
- !ruby/object:Gem::Dependency
|
28
31
|
name: builder
|
29
32
|
requirement: !ruby/object:Gem::Requirement
|
33
|
+
none: false
|
30
34
|
requirements:
|
31
|
-
- -
|
35
|
+
- - ~>
|
32
36
|
- !ruby/object:Gem::Version
|
33
37
|
version: 3.1.0
|
34
38
|
type: :runtime
|
35
39
|
prerelease: false
|
36
40
|
version_requirements: !ruby/object:Gem::Requirement
|
41
|
+
none: false
|
37
42
|
requirements:
|
38
|
-
- -
|
43
|
+
- - ~>
|
39
44
|
- !ruby/object:Gem::Version
|
40
45
|
version: 3.1.0
|
41
46
|
- !ruby/object:Gem::Dependency
|
42
47
|
name: rack
|
43
48
|
requirement: !ruby/object:Gem::Requirement
|
49
|
+
none: false
|
44
50
|
requirements:
|
45
|
-
- -
|
51
|
+
- - ~>
|
46
52
|
- !ruby/object:Gem::Version
|
47
53
|
version: 1.5.2
|
48
54
|
type: :runtime
|
49
55
|
prerelease: false
|
50
56
|
version_requirements: !ruby/object:Gem::Requirement
|
57
|
+
none: false
|
51
58
|
requirements:
|
52
|
-
- -
|
59
|
+
- - ~>
|
53
60
|
- !ruby/object:Gem::Version
|
54
61
|
version: 1.5.2
|
55
62
|
- !ruby/object:Gem::Dependency
|
56
63
|
name: rack-test
|
57
64
|
requirement: !ruby/object:Gem::Requirement
|
65
|
+
none: false
|
58
66
|
requirements:
|
59
|
-
- -
|
67
|
+
- - ~>
|
60
68
|
- !ruby/object:Gem::Version
|
61
69
|
version: 0.6.2
|
62
70
|
type: :runtime
|
63
71
|
prerelease: false
|
64
72
|
version_requirements: !ruby/object:Gem::Requirement
|
73
|
+
none: false
|
65
74
|
requirements:
|
66
|
-
- -
|
75
|
+
- - ~>
|
67
76
|
- !ruby/object:Gem::Version
|
68
77
|
version: 0.6.2
|
69
78
|
- !ruby/object:Gem::Dependency
|
70
79
|
name: erubis
|
71
80
|
requirement: !ruby/object:Gem::Requirement
|
81
|
+
none: false
|
72
82
|
requirements:
|
73
|
-
- -
|
83
|
+
- - ~>
|
74
84
|
- !ruby/object:Gem::Version
|
75
85
|
version: 2.7.0
|
76
86
|
type: :runtime
|
77
87
|
prerelease: false
|
78
88
|
version_requirements: !ruby/object:Gem::Requirement
|
89
|
+
none: false
|
79
90
|
requirements:
|
80
|
-
- -
|
91
|
+
- - ~>
|
81
92
|
- !ruby/object:Gem::Version
|
82
93
|
version: 2.7.0
|
83
94
|
- !ruby/object:Gem::Dependency
|
84
95
|
name: activemodel
|
85
96
|
requirement: !ruby/object:Gem::Requirement
|
97
|
+
none: false
|
86
98
|
requirements:
|
87
99
|
- - '='
|
88
100
|
- !ruby/object:Gem::Version
|
89
|
-
version: 4.0.
|
101
|
+
version: 4.0.5
|
90
102
|
type: :development
|
91
103
|
prerelease: false
|
92
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
|
+
none: false
|
93
106
|
requirements:
|
94
107
|
- - '='
|
95
108
|
- !ruby/object:Gem::Version
|
96
|
-
version: 4.0.
|
109
|
+
version: 4.0.5
|
97
110
|
- !ruby/object:Gem::Dependency
|
98
111
|
name: tzinfo
|
99
112
|
requirement: !ruby/object:Gem::Requirement
|
113
|
+
none: false
|
100
114
|
requirements:
|
101
|
-
- -
|
115
|
+
- - ~>
|
102
116
|
- !ruby/object:Gem::Version
|
103
117
|
version: 0.3.37
|
104
118
|
type: :development
|
105
119
|
prerelease: false
|
106
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
|
+
none: false
|
107
122
|
requirements:
|
108
|
-
- -
|
123
|
+
- - ~>
|
109
124
|
- !ruby/object:Gem::Version
|
110
125
|
version: 0.3.37
|
111
126
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
@@ -116,9 +131,8 @@ extensions: []
|
|
116
131
|
extra_rdoc_files: []
|
117
132
|
files:
|
118
133
|
- CHANGELOG.md
|
119
|
-
- MIT-LICENSE
|
120
134
|
- README.rdoc
|
121
|
-
-
|
135
|
+
- MIT-LICENSE
|
122
136
|
- lib/abstract_controller/asset_paths.rb
|
123
137
|
- lib/abstract_controller/base.rb
|
124
138
|
- lib/abstract_controller/callbacks.rb
|
@@ -131,14 +145,13 @@ files:
|
|
131
145
|
- lib/abstract_controller/translation.rb
|
132
146
|
- lib/abstract_controller/url_for.rb
|
133
147
|
- lib/abstract_controller/view_paths.rb
|
134
|
-
- lib/
|
148
|
+
- lib/abstract_controller.rb
|
135
149
|
- lib/action_controller/base.rb
|
136
|
-
- lib/action_controller/caching.rb
|
137
150
|
- lib/action_controller/caching/fragments.rb
|
138
|
-
- lib/action_controller/
|
151
|
+
- lib/action_controller/caching.rb
|
139
152
|
- lib/action_controller/deprecated/integration_test.rb
|
153
|
+
- lib/action_controller/deprecated.rb
|
140
154
|
- lib/action_controller/log_subscriber.rb
|
141
|
-
- lib/action_controller/metal.rb
|
142
155
|
- lib/action_controller/metal/conditional_get.rb
|
143
156
|
- lib/action_controller/metal/cookies.rb
|
144
157
|
- lib/action_controller/metal/data_streaming.rb
|
@@ -165,6 +178,7 @@ files:
|
|
165
178
|
- lib/action_controller/metal/strong_parameters.rb
|
166
179
|
- lib/action_controller/metal/testing.rb
|
167
180
|
- lib/action_controller/metal/url_for.rb
|
181
|
+
- lib/action_controller/metal.rb
|
168
182
|
- lib/action_controller/middleware.rb
|
169
183
|
- lib/action_controller/model_naming.rb
|
170
184
|
- lib/action_controller/railtie.rb
|
@@ -172,7 +186,7 @@ files:
|
|
172
186
|
- lib/action_controller/record_identifier.rb
|
173
187
|
- lib/action_controller/test_case.rb
|
174
188
|
- lib/action_controller/vendor/html-scanner.rb
|
175
|
-
- lib/
|
189
|
+
- lib/action_controller.rb
|
176
190
|
- lib/action_dispatch/http/cache.rb
|
177
191
|
- lib/action_dispatch/http/filter_parameters.rb
|
178
192
|
- lib/action_dispatch/http/filter_redirect.rb
|
@@ -187,7 +201,6 @@ files:
|
|
187
201
|
- lib/action_dispatch/http/response.rb
|
188
202
|
- lib/action_dispatch/http/upload.rb
|
189
203
|
- lib/action_dispatch/http/url.rb
|
190
|
-
- lib/action_dispatch/journey.rb
|
191
204
|
- lib/action_dispatch/journey/backwards.rb
|
192
205
|
- lib/action_dispatch/journey/formatter.rb
|
193
206
|
- lib/action_dispatch/journey/gtg/builder.rb
|
@@ -203,15 +216,16 @@ files:
|
|
203
216
|
- lib/action_dispatch/journey/parser_extras.rb
|
204
217
|
- lib/action_dispatch/journey/path/pattern.rb
|
205
218
|
- lib/action_dispatch/journey/route.rb
|
206
|
-
- lib/action_dispatch/journey/router.rb
|
207
219
|
- lib/action_dispatch/journey/router/strexp.rb
|
208
220
|
- lib/action_dispatch/journey/router/utils.rb
|
221
|
+
- lib/action_dispatch/journey/router.rb
|
209
222
|
- lib/action_dispatch/journey/routes.rb
|
210
223
|
- lib/action_dispatch/journey/scanner.rb
|
211
224
|
- lib/action_dispatch/journey/visitors.rb
|
212
225
|
- lib/action_dispatch/journey/visualizer/fsm.css
|
213
226
|
- lib/action_dispatch/journey/visualizer/fsm.js
|
214
227
|
- lib/action_dispatch/journey/visualizer/index.html.erb
|
228
|
+
- lib/action_dispatch/journey.rb
|
215
229
|
- lib/action_dispatch/middleware/callbacks.rb
|
216
230
|
- lib/action_dispatch/middleware/cookies.rb
|
217
231
|
- lib/action_dispatch/middleware/debug_exceptions.rb
|
@@ -243,7 +257,6 @@ files:
|
|
243
257
|
- lib/action_dispatch/middleware/templates/routes/_table.html.erb
|
244
258
|
- lib/action_dispatch/railtie.rb
|
245
259
|
- lib/action_dispatch/request/session.rb
|
246
|
-
- lib/action_dispatch/routing.rb
|
247
260
|
- lib/action_dispatch/routing/inspector.rb
|
248
261
|
- lib/action_dispatch/routing/mapper.rb
|
249
262
|
- lib/action_dispatch/routing/polymorphic_routes.rb
|
@@ -251,26 +264,26 @@ files:
|
|
251
264
|
- lib/action_dispatch/routing/route_set.rb
|
252
265
|
- lib/action_dispatch/routing/routes_proxy.rb
|
253
266
|
- lib/action_dispatch/routing/url_for.rb
|
254
|
-
- lib/action_dispatch/
|
267
|
+
- lib/action_dispatch/routing.rb
|
255
268
|
- lib/action_dispatch/testing/assertions/dom.rb
|
256
269
|
- lib/action_dispatch/testing/assertions/response.rb
|
257
270
|
- lib/action_dispatch/testing/assertions/routing.rb
|
258
271
|
- lib/action_dispatch/testing/assertions/selector.rb
|
259
272
|
- lib/action_dispatch/testing/assertions/tag.rb
|
273
|
+
- lib/action_dispatch/testing/assertions.rb
|
260
274
|
- lib/action_dispatch/testing/integration.rb
|
261
275
|
- lib/action_dispatch/testing/test_process.rb
|
262
276
|
- lib/action_dispatch/testing/test_request.rb
|
263
277
|
- lib/action_dispatch/testing/test_response.rb
|
264
|
-
- lib/
|
278
|
+
- lib/action_dispatch.rb
|
265
279
|
- lib/action_pack/version.rb
|
266
|
-
- lib/
|
280
|
+
- lib/action_pack.rb
|
267
281
|
- lib/action_view/base.rb
|
268
282
|
- lib/action_view/buffers.rb
|
269
283
|
- lib/action_view/context.rb
|
270
284
|
- lib/action_view/dependency_tracker.rb
|
271
285
|
- lib/action_view/digestor.rb
|
272
286
|
- lib/action_view/flows.rb
|
273
|
-
- lib/action_view/helpers.rb
|
274
287
|
- lib/action_view/helpers/active_model_helper.rb
|
275
288
|
- lib/action_view/helpers/asset_tag_helper.rb
|
276
289
|
- lib/action_view/helpers/asset_url_helper.rb
|
@@ -291,7 +304,6 @@ files:
|
|
291
304
|
- lib/action_view/helpers/rendering_helper.rb
|
292
305
|
- lib/action_view/helpers/sanitize_helper.rb
|
293
306
|
- lib/action_view/helpers/tag_helper.rb
|
294
|
-
- lib/action_view/helpers/tags.rb
|
295
307
|
- lib/action_view/helpers/tags/base.rb
|
296
308
|
- lib/action_view/helpers/tags/check_box.rb
|
297
309
|
- lib/action_view/helpers/tags/checkable.rb
|
@@ -325,9 +337,11 @@ files:
|
|
325
337
|
- lib/action_view/helpers/tags/time_zone_select.rb
|
326
338
|
- lib/action_view/helpers/tags/url_field.rb
|
327
339
|
- lib/action_view/helpers/tags/week_field.rb
|
340
|
+
- lib/action_view/helpers/tags.rb
|
328
341
|
- lib/action_view/helpers/text_helper.rb
|
329
342
|
- lib/action_view/helpers/translation_helper.rb
|
330
343
|
- lib/action_view/helpers/url_helper.rb
|
344
|
+
- lib/action_view/helpers.rb
|
331
345
|
- lib/action_view/locale/en.yml
|
332
346
|
- lib/action_view/log_subscriber.rb
|
333
347
|
- lib/action_view/lookup_context.rb
|
@@ -342,47 +356,49 @@ files:
|
|
342
356
|
- lib/action_view/renderer/template_renderer.rb
|
343
357
|
- lib/action_view/routing_url_for.rb
|
344
358
|
- lib/action_view/tasks/dependencies.rake
|
345
|
-
- lib/action_view/template.rb
|
346
359
|
- lib/action_view/template/error.rb
|
347
|
-
- lib/action_view/template/handlers.rb
|
348
360
|
- lib/action_view/template/handlers/builder.rb
|
349
361
|
- lib/action_view/template/handlers/erb.rb
|
350
362
|
- lib/action_view/template/handlers/raw.rb
|
363
|
+
- lib/action_view/template/handlers.rb
|
351
364
|
- lib/action_view/template/resolver.rb
|
352
365
|
- lib/action_view/template/text.rb
|
353
366
|
- lib/action_view/template/types.rb
|
367
|
+
- lib/action_view/template.rb
|
354
368
|
- lib/action_view/test_case.rb
|
355
369
|
- lib/action_view/testing/resolvers.rb
|
356
|
-
- lib/action_view/vendor/html-scanner.rb
|
357
370
|
- lib/action_view/vendor/html-scanner/html/document.rb
|
358
371
|
- lib/action_view/vendor/html-scanner/html/node.rb
|
359
372
|
- lib/action_view/vendor/html-scanner/html/sanitizer.rb
|
360
373
|
- lib/action_view/vendor/html-scanner/html/selector.rb
|
361
374
|
- lib/action_view/vendor/html-scanner/html/tokenizer.rb
|
362
375
|
- lib/action_view/vendor/html-scanner/html/version.rb
|
376
|
+
- lib/action_view/vendor/html-scanner.rb
|
377
|
+
- lib/action_view.rb
|
363
378
|
homepage: http://www.rubyonrails.org
|
364
379
|
licenses:
|
365
380
|
- MIT
|
366
|
-
metadata: {}
|
367
381
|
post_install_message:
|
368
382
|
rdoc_options: []
|
369
383
|
require_paths:
|
370
384
|
- lib
|
371
385
|
required_ruby_version: !ruby/object:Gem::Requirement
|
386
|
+
none: false
|
372
387
|
requirements:
|
373
|
-
- -
|
388
|
+
- - ! '>='
|
374
389
|
- !ruby/object:Gem::Version
|
375
390
|
version: 1.9.3
|
376
391
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
392
|
+
none: false
|
377
393
|
requirements:
|
378
|
-
- -
|
394
|
+
- - ! '>='
|
379
395
|
- !ruby/object:Gem::Version
|
380
396
|
version: '0'
|
381
397
|
requirements:
|
382
398
|
- none
|
383
399
|
rubyforge_project:
|
384
|
-
rubygems_version:
|
400
|
+
rubygems_version: 1.8.23.2
|
385
401
|
signing_key:
|
386
|
-
specification_version:
|
402
|
+
specification_version: 3
|
387
403
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
388
404
|
test_files: []
|
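--- a/checksums.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-SHA1:
-metadata.gz: 76284102c5e3e95bc96e779fd3133db1a1fea577
-data.tar.gz: f309f506ec80ddefb45acfd9938ff89e1ca77ec7
-SHA512:
-metadata.gz: 30986562373636a8731d934aa1318843c024aff108b7594eb4a298c66d058f6264804ee844d2f047850f8cdf31152e9848678304d50116df53747c6d1ac06012
-data.tar.gz: 36d2352dacaabd4e5ab6ccef725aef6749073a8c825d6cb2668e8302b69eb60cd752b46b8834ba1dd1bb9d4e32b9d444c6de33512042ed3b161f9ecb3b522396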