actionpack 4.0.4 → 4.0.5

data/CHANGELOG.md

@@ -1,3 +1,14 @@
+## Rails 4.0.5 (May 6, 2014) ##
+
+*   Only accept actions without File::SEPARATOR in the name.
+
+    This will avoid directory traversal in implicit render.
+
+    Fixes: CVE-2014-0130
+
+    *Rafael Mendonça França*
+
+
 ## Rails 4.0.4 (March 14, 2014) ##
 
 *   Fix label translation for more than 10 nested elements.

data/lib/abstract_controller/base.rb

@@ -127,7 +127,7 @@ module AbstractController
     def process(action, *args)
       @_action_name = action_name = action.to_s
 
-      unless action_name = method_for_action(action_name)
+      unless action_name = _find_action_name(action_name)
         raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
       end
 
@@ -160,7 +160,7 @@ module AbstractController
     # ==== Returns
     # * <tt>TrueClass</tt>, <tt>FalseClass</tt>
     def available_action?(action_name)
-      method_for_action(action_name).present?
+      _find_action_name(action_name).present?
     end
 
     private
@@ -203,6 +203,23 @@ module AbstractController
         action_missing(@_action_name, *args)
       end
 
+      # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found. Raise ActionNotFound.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
       # Takes an action name and returns the name of the method that will
       # handle the action. In normal cases, this method returns the same
       # name as it receives. By default, if #method_for_action receives
@@ -225,7 +242,7 @@ module AbstractController
       #
       # ==== Returns
       # * <tt>string</tt> - The name of the method that handles the action
-      # * <tt>nil</tt>    - No method name could be found. Raise ActionNotFound.
+      # * <tt>nil</tt>    - No method name could be found.
       def method_for_action(action_name)
         if action_method?(action_name)
           action_name
@@ -233,5 +250,10 @@ module AbstractController
           "_handle_action_missing"
         end
       end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+      end
   end
 end

data/lib/action_pack/version.rb

@@ -1,7 +1,7 @@
 module ActionPack
   # Returns the version of the currently loaded ActionPack as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.4"
+    Gem::Version.new "4.0.5"
   end
 
   module VERSION #:nodoc:

metadata

@@ -1,111 +1,126 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.0.4
+  version: 4.0.5
+  prerelease: 
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-14 00:00:00.000000000 Z
+date: 2014-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.4
+        version: 4.0.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.4
+        version: 4.0.5
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 3.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 3.1.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.5.2
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.6.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.6.2
 - !ruby/object:Gem::Dependency
   name: erubis
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 2.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 2.7.0
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.4
+        version: 4.0.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.4
+        version: 4.0.5
 - !ruby/object:Gem::Dependency
   name: tzinfo
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.3.37
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.3.37
 description: Web apps on Rails. Simple, battle-tested conventions for building and
@@ -116,9 +131,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
-- MIT-LICENSE
 - README.rdoc
-- lib/abstract_controller.rb
+- MIT-LICENSE
 - lib/abstract_controller/asset_paths.rb
 - lib/abstract_controller/base.rb
 - lib/abstract_controller/callbacks.rb
@@ -131,14 +145,13 @@ files:
 - lib/abstract_controller/translation.rb
 - lib/abstract_controller/url_for.rb
 - lib/abstract_controller/view_paths.rb
-- lib/action_controller.rb
+- lib/abstract_controller.rb
 - lib/action_controller/base.rb
-- lib/action_controller/caching.rb
 - lib/action_controller/caching/fragments.rb
-- lib/action_controller/deprecated.rb
+- lib/action_controller/caching.rb
 - lib/action_controller/deprecated/integration_test.rb
+- lib/action_controller/deprecated.rb
 - lib/action_controller/log_subscriber.rb
-- lib/action_controller/metal.rb
 - lib/action_controller/metal/conditional_get.rb
 - lib/action_controller/metal/cookies.rb
 - lib/action_controller/metal/data_streaming.rb
@@ -165,6 +178,7 @@ files:
 - lib/action_controller/metal/strong_parameters.rb
 - lib/action_controller/metal/testing.rb
 - lib/action_controller/metal/url_for.rb
+- lib/action_controller/metal.rb
 - lib/action_controller/middleware.rb
 - lib/action_controller/model_naming.rb
 - lib/action_controller/railtie.rb
@@ -172,7 +186,7 @@ files:
 - lib/action_controller/record_identifier.rb
 - lib/action_controller/test_case.rb
 - lib/action_controller/vendor/html-scanner.rb
-- lib/action_dispatch.rb
+- lib/action_controller.rb
 - lib/action_dispatch/http/cache.rb
 - lib/action_dispatch/http/filter_parameters.rb
 - lib/action_dispatch/http/filter_redirect.rb
@@ -187,7 +201,6 @@ files:
 - lib/action_dispatch/http/response.rb
 - lib/action_dispatch/http/upload.rb
 - lib/action_dispatch/http/url.rb
-- lib/action_dispatch/journey.rb
 - lib/action_dispatch/journey/backwards.rb
 - lib/action_dispatch/journey/formatter.rb
 - lib/action_dispatch/journey/gtg/builder.rb
@@ -203,15 +216,16 @@ files:
 - lib/action_dispatch/journey/parser_extras.rb
 - lib/action_dispatch/journey/path/pattern.rb
 - lib/action_dispatch/journey/route.rb
-- lib/action_dispatch/journey/router.rb
 - lib/action_dispatch/journey/router/strexp.rb
 - lib/action_dispatch/journey/router/utils.rb
+- lib/action_dispatch/journey/router.rb
 - lib/action_dispatch/journey/routes.rb
 - lib/action_dispatch/journey/scanner.rb
 - lib/action_dispatch/journey/visitors.rb
 - lib/action_dispatch/journey/visualizer/fsm.css
 - lib/action_dispatch/journey/visualizer/fsm.js
 - lib/action_dispatch/journey/visualizer/index.html.erb
+- lib/action_dispatch/journey.rb
 - lib/action_dispatch/middleware/callbacks.rb
 - lib/action_dispatch/middleware/cookies.rb
 - lib/action_dispatch/middleware/debug_exceptions.rb
@@ -243,7 +257,6 @@ files:
 - lib/action_dispatch/middleware/templates/routes/_table.html.erb
 - lib/action_dispatch/railtie.rb
 - lib/action_dispatch/request/session.rb
-- lib/action_dispatch/routing.rb
 - lib/action_dispatch/routing/inspector.rb
 - lib/action_dispatch/routing/mapper.rb
 - lib/action_dispatch/routing/polymorphic_routes.rb
@@ -251,26 +264,26 @@ files:
 - lib/action_dispatch/routing/route_set.rb
 - lib/action_dispatch/routing/routes_proxy.rb
 - lib/action_dispatch/routing/url_for.rb
-- lib/action_dispatch/testing/assertions.rb
+- lib/action_dispatch/routing.rb
 - lib/action_dispatch/testing/assertions/dom.rb
 - lib/action_dispatch/testing/assertions/response.rb
 - lib/action_dispatch/testing/assertions/routing.rb
 - lib/action_dispatch/testing/assertions/selector.rb
 - lib/action_dispatch/testing/assertions/tag.rb
+- lib/action_dispatch/testing/assertions.rb
 - lib/action_dispatch/testing/integration.rb
 - lib/action_dispatch/testing/test_process.rb
 - lib/action_dispatch/testing/test_request.rb
 - lib/action_dispatch/testing/test_response.rb
-- lib/action_pack.rb
+- lib/action_dispatch.rb
 - lib/action_pack/version.rb
-- lib/action_view.rb
+- lib/action_pack.rb
 - lib/action_view/base.rb
 - lib/action_view/buffers.rb
 - lib/action_view/context.rb
 - lib/action_view/dependency_tracker.rb
 - lib/action_view/digestor.rb
 - lib/action_view/flows.rb
-- lib/action_view/helpers.rb
 - lib/action_view/helpers/active_model_helper.rb
 - lib/action_view/helpers/asset_tag_helper.rb
 - lib/action_view/helpers/asset_url_helper.rb
@@ -291,7 +304,6 @@ files:
 - lib/action_view/helpers/rendering_helper.rb
 - lib/action_view/helpers/sanitize_helper.rb
 - lib/action_view/helpers/tag_helper.rb
-- lib/action_view/helpers/tags.rb
 - lib/action_view/helpers/tags/base.rb
 - lib/action_view/helpers/tags/check_box.rb
 - lib/action_view/helpers/tags/checkable.rb
@@ -325,9 +337,11 @@ files:
 - lib/action_view/helpers/tags/time_zone_select.rb
 - lib/action_view/helpers/tags/url_field.rb
 - lib/action_view/helpers/tags/week_field.rb
+- lib/action_view/helpers/tags.rb
 - lib/action_view/helpers/text_helper.rb
 - lib/action_view/helpers/translation_helper.rb
 - lib/action_view/helpers/url_helper.rb
+- lib/action_view/helpers.rb
 - lib/action_view/locale/en.yml
 - lib/action_view/log_subscriber.rb
 - lib/action_view/lookup_context.rb
@@ -342,47 +356,49 @@ files:
 - lib/action_view/renderer/template_renderer.rb
 - lib/action_view/routing_url_for.rb
 - lib/action_view/tasks/dependencies.rake
-- lib/action_view/template.rb
 - lib/action_view/template/error.rb
-- lib/action_view/template/handlers.rb
 - lib/action_view/template/handlers/builder.rb
 - lib/action_view/template/handlers/erb.rb
 - lib/action_view/template/handlers/raw.rb
+- lib/action_view/template/handlers.rb
 - lib/action_view/template/resolver.rb
 - lib/action_view/template/text.rb
 - lib/action_view/template/types.rb
+- lib/action_view/template.rb
 - lib/action_view/test_case.rb
 - lib/action_view/testing/resolvers.rb
-- lib/action_view/vendor/html-scanner.rb
 - lib/action_view/vendor/html-scanner/html/document.rb
 - lib/action_view/vendor/html-scanner/html/node.rb
 - lib/action_view/vendor/html-scanner/html/sanitizer.rb
 - lib/action_view/vendor/html-scanner/html/selector.rb
 - lib/action_view/vendor/html-scanner/html/tokenizer.rb
 - lib/action_view/vendor/html-scanner/html/version.rb
+- lib/action_view/vendor/html-scanner.rb
+- lib/action_view.rb
 homepage: http://www.rubyonrails.org
 licenses:
 - MIT
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements:
 - none
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 1.8.23.2
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: 76284102c5e3e95bc96e779fd3133db1a1fea577
-  data.tar.gz: f309f506ec80ddefb45acfd9938ff89e1ca77ec7
-SHA512:
-  metadata.gz: 30986562373636a8731d934aa1318843c024aff108b7594eb4a298c66d058f6264804ee844d2f047850f8cdf31152e9848678304d50116df53747c6d1ac06012
-  data.tar.gz: 36d2352dacaabd4e5ab6ccef725aef6749073a8c825d6cb2668e8302b69eb60cd752b46b8834ba1dd1bb9d4e32b9d444c6de33512042ed3b161f9ecb3b522396