actionpack 4.1.14.1 → 4.1.14.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5b640d7f98307eb1b7a059c99c9dce9b7739adee
-  data.tar.gz: 3c9170fe7b6551a9a9754eec569e2066a38b05b4
+  metadata.gz: 8b48de0dcb0b60febd912f8d0b016bfcf75348c6
+  data.tar.gz: 9598423c008d62382d358d2e29ff910e402db2aa
 SHA512:
-  metadata.gz: e0a9862c2f96e3764c694d0eb6e09f086e0f73ec5908fd46ae01981e75247cd530adb241234eb8e73a29fd3adde949e601f27cdd8bc225ab6c9e232e21a0910b
-  data.tar.gz: 2cd2ba5527130b8859e6f4a349dd4993da8d6c155d82a2418fb69bf1c6fccecf55ffd49a57f52d0bc00d5a91c2be9585db4fd84e49aaa64aa60a76173456ee83
+  metadata.gz: a7f4c59c40888c916e8b8f3d2079ea9be6ea6563a7a7e3ae05084ffe94413eb875de1129ca61fa7b300b00187f37d83b9371df7238acf60a66f5aacb4685e55c
+  data.tar.gz: de6fe9288fc725fb27cc2eac2ca27ce6f3319b7da40846d186a69e50995420cf0d6b981cf53eb2ac7062c19b3a806b14c42932c40b4a2fa4b91846ebfe8fd41f

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+## Rails 4.1.14.2 (February 26, 2016) ##
+
+*   Do not allow render with unpermitted parameter.
+
+    Fixes CVE-2016-2098.
+
+    *Arthur Neves*
+
+
+## Rails 4.1.14.1 (January 25, 2015) ##
+
+*   No changes.
+
+
 ## Rails 4.1.14 (November 12, 2015) ##
 
 *   No changes.

data/lib/abstract_controller/rendering.rb

@@ -77,13 +77,13 @@ module AbstractController
     # render "foo/bar" to render :file => "foo/bar".
     # :api: plugin
     def _normalize_args(action=nil, options={})
-      case action
-      when ActionController::Parameters
-        unless action.permitted?
+      if action.respond_to?(:permitted?)
+        if action.permitted?
+          action
+        else
           raise ArgumentError, "render parameters are not permitted"
         end
-        action
-      when Hash
+      elsif action.is_a?(Hash)
         action
       else
         options

data/lib/action_pack/gem_version.rb

@@ -8,7 +8,7 @@ module ActionPack
     MAJOR = 4
     MINOR = 1
     TINY  = 14
-    PRE   = "1"
+    PRE   = "2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.1.14.1
+  version: 4.1.14.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-25 00:00:00.000000000 Z
+date: 2016-02-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com