actionpack 4.1.5 → 4.1.6.rc1



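--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 75f52f279a3dcbebd7cd713a60cde986b719a01d
- data.tar.gz: 1a11a8b99c12e30e426d95d4022762c610d3b167
+ metadata.gz: 96113274b5d28b07e75dabf11541471ebccdccc7
+ data.tar.gz: 843e54d51e82a92780cfe8cae6781192457a82e0
  SHA512:
- metadata.gz: 296c74dba601781a69e896a1dcb8c631f0dcbf52602d71993edcc3b3a5d4d9533c0e0548864433b811c534ce42f1b7a6bc365fb839c2c1f814b7eb1445d1dd0d
- data.tar.gz: b9ce487a368bec96ef4249c0ccd7774e409beef42b5bfe0b62271f00bff5ed95f50f8e0a262214488e133ae2632a7900379e3334f4da81a8ea5f97a9ccccaada
+ metadata.gz: 0a61760da903d7e67557792644ea4642f6e255b4bb726db52c9274747ebf04bb3c0c10f755453c00b7b48d04f1e8c08c6703ecc8b608f5a9545dcd398b35b3c6
+ data.tar.gz: e793f5394b46c5a44201bc3f712a14f1b66882f09806617528b82a63f66845ebd9df69225b824e8a1bab83ee51d4d9c44f81a526f5210c2afe1d331ec031b6ad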
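--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,52 @@
+ ## Rails 4.1.6 (August 19, 2014) ##
+
+ * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
+ ("Rosetta Flash")
+
+ *Greg Campbell*
+
+ * Because URI paths may contain non US-ASCII characters we need to force
+ the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
+ This essentially replicates the functionality of the monkey patch to
+ URI.parser.unescape in active_support/core_ext/uri.rb.
+
+ Fixes #16104.
+
+ *Karl Entwistle*
+
+ * Generate shallow paths for all children of shallow resources.
+
+ Fixes #15783.
+
+ *Seb Jacobs*
+
+ * JSONP responses are now rendered with the `text/javascript` content type
+ when rendering through a `respond_to` block.
+
+ Fixes #15081.
+
+ *Lucas Mazza*
+
+ * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
+
+ Fixes #15511.
+
+ *Larry Lv*
+
+ * ActionController::Parameters#require now accepts `false` values.
+
+ Fixes #15685.
+
+ *Sergio Romano*
+
+ * With authorization header `Authorization: Token token=`, `authenticate` now
+ recognize token as nil, instead of "token".
+
+ Fixes #14846.
+
+ *Larry Lv*
+
+
  ## Rails 4.1.4 (July 2, 2014) ##
 
  * No changes.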
@@ -253,7 +253,7 @@ module AbstractController
253
253
 
254
254
  # Checks if the action name is valid and returns false otherwise.
255
255
  def _valid_action_name?(action_name)
256
- action_name.to_s !~ Regexp.new(File::SEPARATOR)
256
+ !action_name.to_s.include? File::SEPARATOR
257
257
  end
258
258
  end
259
259
  end
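Review bot: The comment above `_valid_action_name?` says the name is "checked for validity" but never says what validity means, and the new `!action_name.to_s.include? File::SEPARATOR` form keeps that implicit. Suggest replacing it with `# An action name is valid only when it contains no File::SEPARATOR.` so the path-separator rule is stated where the check lives. A reader of the surrounding class (outside the hunk) otherwise has to work out from the regexp-to-include? change what was actually being rejected.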
@@ -121,8 +121,8 @@ module ActionController
121
121
 
122
122
  def authentication_request(controller, realm)
123
123
  controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
124
- controller.response_body = "HTTP Basic: Access denied.\n"
125
124
  controller.status = 401
125
+ controller.response_body = "HTTP Basic: Access denied.\n"
126
126
  end
127
127
  end
128
128
 
@@ -256,8 +256,8 @@ module ActionController
256
256
  def authentication_request(controller, realm, message = nil)
257
257
  message ||= "HTTP Digest: Access denied.\n"
258
258
  authentication_header(controller, realm)
259
- controller.response_body = message
260
259
  controller.status = 401
260
+ controller.response_body = message
261
261
  end
262
262
 
263
263
  def secret_token(request)
@@ -449,7 +449,7 @@ module ActionController
449
449
  authorization_request = request.authorization.to_s
450
450
  if authorization_request[TOKEN_REGEX]
451
451
  params = token_params_from authorization_request
452
- [params.shift.last, Hash[params].with_indifferent_access]
452
+ [params.shift[1], Hash[params].with_indifferent_access]
453
453
  end
454
454
  end
455
455
 
@@ -464,7 +464,7 @@ module ActionController
464
464
 
465
465
  # This removes the `"` characters wrapping the value.
466
466
  def rewrite_param_values(array_params)
467
- array_params.each { |param| param.last.gsub! %r/^"|"$/, '' }
467
+ array_params.each { |param| (param[1] || "").gsub! %r/^"|"$/, '' }
468
468
  end
469
469
 
470
470
  # This method takes an authorization body and splits up the key-value
@@ -64,6 +64,7 @@ module ActionController
64
64
  # behavior for this case by rescuing ActionController::RedirectBackError.
65
65
  def redirect_to(options = {}, response_status = {}) #:doc:
66
66
  raise ActionControllerError.new("Cannot redirect to nil!") unless options
67
+ raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
67
68
  raise AbstractController::DoubleRenderError if response_body
68
69
 
69
70
  self.status = _extract_redirect_to_status(options, response_status)
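Review bot: The new raise for `ActionController::Parameters` is not reflected in the `#:doc:` comment above `redirect_to`, whose start lies outside the hunk, so the documented contract still only covers the nil case. Suggest adding next to the existing nil description: `# Raises ActionControllerError if +options+ is nil or an ActionController::Parameters instance (use a permitted/plain Hash instead).` The method body also continues past the hunk.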
@@ -96,8 +96,11 @@ module ActionController
96
96
  json = json.to_json(options) unless json.kind_of?(String)
97
97
 
98
98
  if options[:callback].present?
99
- self.content_type ||= Mime::JS
100
- "#{options[:callback]}(#{json})"
99
+ if self.content_type.nil? || self.content_type == Mime::JSON
100
+ self.content_type = Mime::JS
101
+ end
102
+
103
+ "/**/#{options[:callback]}(#{json})"
101
104
  else
102
105
  self.content_type ||= Mime::JSON
103
106
  json
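Review bot: `options[:callback]` is still interpolated into the body verbatim on the new `"/**/#{options[:callback]}(#{json})"` line; the `/**/` prefix addresses CVE-2014-4671 as the CHANGELOG states, but nothing here constrains the characters that follow it, so the callback name remains the caller's responsibility to validate. A conservative allow-list check on the callback (letters, digits, `_`, `$`, `.`) before interpolation, or at least a comment stating that expectation, would be the usual defence-in-depth. The prefix itself also deserves a why-comment so it is not removed as noise, e.g. `# Leading JS comment is the "Rosetta Flash" mitigation (CVE-2014-4671); keep it.` The enclosing method starts and ends outside the hunk.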
@@ -180,7 +180,12 @@ module ActionController
180
180
  # ActionController::Parameters.new(person: {}).require(:person)
181
181
  # # => ActionController::ParameterMissing: param not found: person
182
182
  def require(key)
183
- self[key].presence || raise(ParameterMissing.new(key))
183
+ value = self[key]
184
+ if value.present? || value == false
185
+ value
186
+ else
187
+ raise ParameterMissing.new(key)
188
+ end
184
189
  end
185
190
 
186
191
  # Alias of #require.
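Review bot: The worked examples in the doc comment above `require` (the `person: {}` example is the last one visible) do not show the new `false` case, so a reader still has to deduce the behaviour from the `value == false` test. Suggest adding one example line alongside the others: `# ActionController::Parameters.new(active: false).require(:active) # => false`. The doc comment begins outside the hunk.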
@@ -63,7 +63,9 @@ module ActionDispatch
63
63
 
64
64
  unless route.path.anchored
65
65
  env['SCRIPT_NAME'] = (script_name.to_s + match.to_s).chomp('/')
66
- env['PATH_INFO'] = match.post_match
66
+ path_info = match.post_match
67
+ env['PATH_INFO'] = path_info
68
+ env['PATH_INFO'] = "/" + path_info unless path_info.start_with? "/"
67
69
  end
68
70
 
69
71
  env[@params_key] = (set_params || {}).merge parameters
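Review bot: `env['PATH_INFO']` is assigned twice in a row on the new lines, with the second assignment overriding the first whenever the leading slash is missing; a single conditional assignment reads more directly and avoids the intermediate write: `env['PATH_INFO'] = path_info.start_with?("/") ? path_info : "/" + path_info`. The surrounding method lies outside the hunk.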
@@ -25,9 +25,10 @@ module ActionDispatch
25
25
  # http://tools.ietf.org/html/rfc3986
26
26
  class UriEncoder # :nodoc:
27
27
  ENCODE = "%%%02X".freeze
28
- ENCODING = Encoding::US_ASCII
29
- EMPTY = "".force_encoding(ENCODING).freeze
30
- DEC2HEX = (0..255).to_a.map{ |i| ENCODE % i }.map{ |s| s.force_encoding(ENCODING) }
28
+ US_ASCII = Encoding::US_ASCII
29
+ UTF_8 = Encoding::UTF_8
30
+ EMPTY = "".force_encoding(US_ASCII).freeze
31
+ DEC2HEX = (0..255).to_a.map{ |i| ENCODE % i }.map{ |s| s.force_encoding(US_ASCII) }
31
32
 
32
33
  ALPHA = "a-zA-Z".freeze
33
34
  DIGIT = "0-9".freeze
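Review bot: `DEC2HEX` is built as a mutable Array while the neighbouring constants `ENCODE` and `EMPTY` are frozen, and `force_encoding` leaves each element unfrozen too; since the table is presumably read on every encode, `.freeze` on the array and its elements guards against accidental in-place mutation. `DEC2HEX = (0..255).map { |i| (ENCODE % i).force_encoding(US_ASCII).freeze }.freeze` is one line.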
@@ -53,12 +54,13 @@ module ActionDispatch
53
54
  end
54
55
 
55
56
  def unescape_uri(uri)
56
- uri.gsub(ESCAPED) { [$&[1, 2].hex].pack('C') }.force_encoding(uri.encoding)
57
+ encoding = uri.encoding == US_ASCII ? UTF_8 : uri.encoding
58
+ uri.gsub(ESCAPED) { [$&[1, 2].hex].pack('C') }.force_encoding(encoding)
57
59
  end
58
60
 
59
61
  protected
60
62
  def escape(component, pattern)
61
- component.gsub(pattern){ |unsafe| percent_encode(unsafe) }.force_encoding(ENCODING)
63
+ component.gsub(pattern){ |unsafe| percent_encode(unsafe) }.force_encoding(US_ASCII)
62
64
  end
63
65
 
64
66
  def percent_encode(unsafe)
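Review bot: `force_encoding(encoding)` in `unescape_uri` tags the unescaped bytes as UTF-8 without checking them, so an input such as `%FF` yields a String whose `valid_encoding?` is false and which makes later regexp operations raise ArgumentError; the old code had the same property with US-ASCII, but the change widens the set of byte sequences now labelled as text. Either document this on the method, e.g. `# Result may not be valid_encoding?; callers must validate or scrub before pattern matching.`, or validate here if the supported Rubies allow it (the metadata lists 1.9.3 as the minimum, where `String#scrub` is unavailable).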
@@ -16,9 +16,9 @@ module ActionDispatch
16
16
 
17
17
  # Get a session from the cache.
18
18
  def get_session(env, sid)
19
- sid ||= generate_sid
20
- session = @cache.read(cache_key(sid))
21
- session ||= {}
19
+ unless sid and session = @cache.read(cache_key(sid))
20
+ sid, session = generate_sid, {}
21
+ end
22
22
  [sid, session]
23
23
  end
24
24
 
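Review bot: The new `unless sid and session = @cache.read(cache_key(sid))` hides an assignment inside a condition and relies on `and` precedence to work, which the style guide flags; the behaviour it implements — discarding a client-presented sid that the cache does not know and issuing a fresh one — is the security-relevant part and deserves to be readable. Suggest `session = @cache.read(cache_key(sid)) if sid` / `sid, session = generate_sid, {} unless session`, preceded by `# A sid absent from the cache is never adopted; a fresh one is generated (presumably to prevent session fixation — confirm).`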
@@ -29,7 +29,7 @@ module ActionDispatch
29
29
  #
30
30
  # Configure your session store in config/initializers/session_store.rb:
31
31
  #
32
- # Myapp::Application.config.session_store :cookie_store, key: '_your_app_session'
32
+ # Rails.application.config.session_store :cookie_store, key: '_your_app_session'
33
33
  #
34
34
  # Configure your secret key in config/secrets.yml:
35
35
  #
@@ -12,7 +12,7 @@ module ActionDispatch
12
12
  # Think of creating routes as drawing a map for your requests. The map tells
13
13
  # them where to go based on some predefined pattern:
14
14
  #
15
- # AppName::Application.routes.draw do
15
+ # Rails.application.routes.draw do
16
16
  # Pattern 1 tells some request to go to one place
17
17
  # Pattern 2 tell them to go to another
18
18
  # ...
@@ -404,6 +404,12 @@ module ActionDispatch
404
404
  # [:action]
405
405
  # The route's action.
406
406
  #
407
+ # [:param]
408
+ # Overrides the default resource identifier `:id` (name of the
409
+ # dynamic segment used to generate the routes).
410
+ # You can access that segment from your controller using
411
+ # <tt>params[<:param>]</tt>.
412
+ #
407
413
  # [:path]
408
414
  # The path prefix for the routes.
409
415
  #
@@ -1382,7 +1388,7 @@ module ActionDispatch
1382
1388
  end
1383
1389
 
1384
1390
  with_scope_level(:nested) do
1385
- if shallow? && shallow_nesting_depth > 1
1391
+ if shallow? && shallow_nesting_depth >= 1
1386
1392
  shallow_scope(parent_resource.nested_scope, nested_options) { yield }
1387
1393
  else
1388
1394
  scope(parent_resource.nested_scope, nested_options) { yield }
@@ -7,8 +7,8 @@ module ActionPack
7
7
  module VERSION
8
8
  MAJOR = 4
9
9
  MINOR = 1
10
- TINY = 5
11
- PRE = nil
10
+ TINY = 6
11
+ PRE = "rc1"
12
12
 
13
13
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
14
14
  end
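--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: actionpack
  version: !ruby/object:Gem::Version
- version: 4.1.5
+ version: 4.1.6.rc1
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2014-08-18 00:00:00.000000000 Z
+ date: 2014-08-19 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.1.5
+ version: 4.1.6.rc1
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.1.5
+ version: 4.1.6.rc1
  - !ruby/object:Gem::Dependency
  name: rack
  requirement: !ruby/object:Gem::Requirement
@@ -58,28 +58,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.1.5
+ version: 4.1.6.rc1
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.1.5
+ version: 4.1.6.rc1
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.1.5
+ version: 4.1.6.rc1
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 4.1.5
+ version: 4.1.6.rc1
  description: Web apps on Rails. Simple, battle-tested conventions for building and
  testing MVC web applications. Works with any Rack-compatible server.
  email: david@loudthinking.com
@@ -252,9 +252,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
  version: 1.9.3
  required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
- - - ">="
+ - - ">"
  - !ruby/object:Gem::Version
- version: '0'
+ version: 1.3.1
  requirements:
  - none
  rubyforge_project: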