actionview 4.1.14.1 → 4.1.14.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3c1584ed23b0d7430632b83ed06cc2fc38212e4e
-  data.tar.gz: 47f940efff8a3065e971f34191e7bdb05a86c8b1
+  metadata.gz: 89d7128f5c566c491b781cf337ae549052608506
+  data.tar.gz: de5e9a7ba01502a505654b915610d7189e796675
 SHA512:
-  metadata.gz: 5658503cad9e3b25ca5542cd39755ce2f7c63e0214f1eb8a9af11a7130cc42211eb167f9226915c17fcd8863d8944697b3035bbb27d6b35d144de9a14ce0d775
-  data.tar.gz: 4350674e46a91e253a2eec43a20a355ac8412eee11235fd02dd61370721250efbe2de06d9ab3ead65be75007fd213d3f8e83f9759f63e6f43ca1fce5cd5c06bc
+  metadata.gz: 70a985c0058ac987fd7aae56e733e9e5e275207faed7df4e081701c43c71a04bffb618385db03ccba8c3eb2689949fe86f645d54d59dafa529456971205015cf
+  data.tar.gz: 07f9aef43484a6a5faa5322d33b5536bb62869d110e1a27803a5b45f5807f789d99f001c917e6aebcf52b7c8933275b11ee25708e87ee7dbe674f95a3512e43b

data/CHANGELOG.md

@@ -1,3 +1,29 @@
+## Rails 4.1.14.2 (February 26, 2016) ##
+
+*   Do not allow render with unpermitted parameter.
+
+    Fixes CVE-2016-2098.
+
+    *Arthur Neves*
+
+
+*   Changed the meaning of `render "foo/bar"`.
+
+    Previously, calling `render "foo/bar"` in a controller action is equivalent
+    to `render file: "foo/bar"`. This has been changed to mean
+    `render template: "foo/bar"` instead. If you need to render a file, please
+    change your code to use the explicit form (`render file: "foo/bar"`) instead.
+
+    Fixes CVE-2016-2097.
+
+    *Eileen Uchitelle*
+
+
+## Rails 4.2.5.1 (January 25, 2015) ##
+
+*   No changes.
+
+
 ## Rails 4.1.14 (November 12, 2015) ##
 
 *   Fix `mail_to` when called with `nil` as argument.

data/lib/action_view/gem_version.rb

@@ -8,7 +8,7 @@ module ActionView
     MAJOR = 4
     MINOR = 1
     TINY  = 14
-    PRE   = "1"
+    PRE   = "2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/renderer/renderer.rb

@@ -17,6 +17,10 @@ module ActionView
 
     # Main render entry point shared by AV and AC.
     def render(context, options)
+      if options.respond_to?(:permitted?) && !options.permitted?
+        raise ArgumentError, "render parameters are not permitted"
+      end
+
       if options.key?(:partial)
         render_partial(context, options)
       else

data/lib/action_view/rendering.rb

@@ -107,7 +107,7 @@ module ActionView
       end
 
       # Normalize args by converting render "foo" to render :action => "foo" and
-      # render "foo/bar" to render :file => "foo/bar".
+      # render "foo/bar" to render :template => "foo/bar".
       # :api: private
       def _normalize_args(action=nil, options={})
         options = super(action, options)
@@ -117,7 +117,7 @@ module ActionView
           options = action
         when String, Symbol
           action = action.to_s
-          key = action.include?(?/) ? :file : :action
+          key = action.include?(?/) ? :template : :action
           options[key] = action
         else
           options[:partial] = action

data/lib/action_view/template/resolver.rb

@@ -129,8 +129,8 @@ module ActionView
     # This is what child classes implement. No defaults are needed
     # because Resolver guarantees that the arguments are present and
     # normalized.
-    def find_templates(name, prefix, partial, details)
-      raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details) method"
+    def find_templates(name, prefix, partial, details, outside_app_allowed = false)
+      raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details, outside_app_allowed) method"
     end
 
     # Helpers that builds a path. Useful for building virtual paths.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 4.1.14.1
+  version: 4.1.14.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-25 00:00:00.000000000 Z
+date: 2016-02-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.14.1
+        version: 4.1.14.2
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []