actionpack 4.1.0 → 4.1.1

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+## Rails 4.1.1 (May 6, 2014) ##
+
+*   Only accept actions without File::SEPARATOR in the name.
+
+    This will avoid directory traversal in implicit render.
+
+    Fixes: CVE-2014-0130
+
+    *Rafael Mendonça França*
+
+
+## Rails 4.1.0 (April 8, 2014) ##
+
 *   Swapped the parameters of assert_equal in `assert_select` so that the
     proper values were printed correctly
 

data/lib/abstract_controller/base.rb

@@ -127,7 +127,7 @@ module AbstractController
     def process(action, *args)
       @_action_name = action_name = action.to_s
 
-      unless action_name = method_for_action(action_name)
+      unless action_name = _find_action_name(action_name)
         raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
       end
 
@@ -160,7 +160,7 @@ module AbstractController
     # ==== Returns
     # * <tt>TrueClass</tt>, <tt>FalseClass</tt>
     def available_action?(action_name)
-      method_for_action(action_name).present?
+      _find_action_name(action_name).present?
     end
 
     private
@@ -203,6 +203,23 @@ module AbstractController
         action_missing(@_action_name, *args)
       end
 
+      # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found. Raise ActionNotFound.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
       # Takes an action name and returns the name of the method that will
       # handle the action. In normal cases, this method returns the same
       # name as it receives. By default, if #method_for_action receives
@@ -225,7 +242,7 @@ module AbstractController
       #
       # ==== Returns
       # * <tt>string</tt> - The name of the method that handles the action
-      # * <tt>nil</tt>    - No method name could be found. Raise ActionNotFound.
+      # * <tt>nil</tt>    - No method name could be found.
       def method_for_action(action_name)
         if action_method?(action_name)
           action_name
@@ -233,5 +250,10 @@ module AbstractController
           "_handle_action_missing"
         end
       end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+      end
   end
 end

data/lib/action_pack/gem_version.rb

@@ -7,7 +7,7 @@ module ActionPack
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 0
+    TINY  = 1
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

metadata

@@ -1,85 +1,96 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.1.1
+  prerelease: 
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-08 00:00:00.000000000 Z
+date: 2014-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.1.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.5.2
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.6.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.6.2
 - !ruby/object:Gem::Dependency
   name: actionview
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.1.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.1.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.1.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -88,9 +99,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
-- MIT-LICENSE
 - README.rdoc
-- lib/abstract_controller.rb
+- MIT-LICENSE
 - lib/abstract_controller/asset_paths.rb
 - lib/abstract_controller/base.rb
 - lib/abstract_controller/callbacks.rb
@@ -101,12 +111,11 @@ files:
 - lib/abstract_controller/rendering.rb
 - lib/abstract_controller/translation.rb
 - lib/abstract_controller/url_for.rb
-- lib/action_controller.rb
+- lib/abstract_controller.rb
 - lib/action_controller/base.rb
-- lib/action_controller/caching.rb
 - lib/action_controller/caching/fragments.rb
+- lib/action_controller/caching.rb
 - lib/action_controller/log_subscriber.rb
-- lib/action_controller/metal.rb
 - lib/action_controller/metal/conditional_get.rb
 - lib/action_controller/metal/cookies.rb
 - lib/action_controller/metal/data_streaming.rb
@@ -133,12 +142,13 @@ files:
 - lib/action_controller/metal/strong_parameters.rb
 - lib/action_controller/metal/testing.rb
 - lib/action_controller/metal/url_for.rb
+- lib/action_controller/metal.rb
 - lib/action_controller/middleware.rb
 - lib/action_controller/model_naming.rb
 - lib/action_controller/railtie.rb
 - lib/action_controller/railties/helpers.rb
 - lib/action_controller/test_case.rb
-- lib/action_dispatch.rb
+- lib/action_controller.rb
 - lib/action_dispatch/http/cache.rb
 - lib/action_dispatch/http/filter_parameters.rb
 - lib/action_dispatch/http/filter_redirect.rb
@@ -153,7 +163,6 @@ files:
 - lib/action_dispatch/http/response.rb
 - lib/action_dispatch/http/upload.rb
 - lib/action_dispatch/http/url.rb
-- lib/action_dispatch/journey.rb
 - lib/action_dispatch/journey/backwards.rb
 - lib/action_dispatch/journey/formatter.rb
 - lib/action_dispatch/journey/gtg/builder.rb
@@ -169,15 +178,16 @@ files:
 - lib/action_dispatch/journey/parser_extras.rb
 - lib/action_dispatch/journey/path/pattern.rb
 - lib/action_dispatch/journey/route.rb
-- lib/action_dispatch/journey/router.rb
 - lib/action_dispatch/journey/router/strexp.rb
 - lib/action_dispatch/journey/router/utils.rb
+- lib/action_dispatch/journey/router.rb
 - lib/action_dispatch/journey/routes.rb
 - lib/action_dispatch/journey/scanner.rb
 - lib/action_dispatch/journey/visitors.rb
 - lib/action_dispatch/journey/visualizer/fsm.css
 - lib/action_dispatch/journey/visualizer/fsm.js
 - lib/action_dispatch/journey/visualizer/index.html.erb
+- lib/action_dispatch/journey.rb
 - lib/action_dispatch/middleware/callbacks.rb
 - lib/action_dispatch/middleware/cookies.rb
 - lib/action_dispatch/middleware/debug_exceptions.rb
@@ -216,7 +226,6 @@ files:
 - lib/action_dispatch/railtie.rb
 - lib/action_dispatch/request/session.rb
 - lib/action_dispatch/request/utils.rb
-- lib/action_dispatch/routing.rb
 - lib/action_dispatch/routing/inspector.rb
 - lib/action_dispatch/routing/mapper.rb
 - lib/action_dispatch/routing/polymorphic_routes.rb
@@ -224,42 +233,45 @@ files:
 - lib/action_dispatch/routing/route_set.rb
 - lib/action_dispatch/routing/routes_proxy.rb
 - lib/action_dispatch/routing/url_for.rb
-- lib/action_dispatch/testing/assertions.rb
+- lib/action_dispatch/routing.rb
 - lib/action_dispatch/testing/assertions/dom.rb
 - lib/action_dispatch/testing/assertions/response.rb
 - lib/action_dispatch/testing/assertions/routing.rb
 - lib/action_dispatch/testing/assertions/selector.rb
 - lib/action_dispatch/testing/assertions/tag.rb
+- lib/action_dispatch/testing/assertions.rb
 - lib/action_dispatch/testing/integration.rb
 - lib/action_dispatch/testing/test_process.rb
 - lib/action_dispatch/testing/test_request.rb
 - lib/action_dispatch/testing/test_response.rb
-- lib/action_pack.rb
+- lib/action_dispatch.rb
 - lib/action_pack/gem_version.rb
 - lib/action_pack/version.rb
+- lib/action_pack.rb
 homepage: http://www.rubyonrails.org
 licenses:
 - MIT
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements:
 - none
 rubyforge_project: 
-rubygems_version: 2.2.0
+rubygems_version: 1.8.23.2
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: 6aca4db694cd6ab760d544c05c9c449ef0701bfd
-  data.tar.gz: c8a1825d7cd7ed1099b4ec2c5e1584758006602c
-SHA512:
-  metadata.gz: 13e06982a7503a95fdda5119a5e1f3e8258717f4e15997fd5a7b4c9d85d77e1831631d237cefedbe973d5a82d8595fba9c7fcaf8ccb356c5b06695c28e53506c
-  data.tar.gz: 5e3e440b0e205429bc797256c93297073c3d15d8d3f8865d0facf46edf22815e79102024bdf4a79b3a78bdff0be66d903d25b4900ea76a6d6c45a5d9c8b3693a