RubyGems - activesupport - Versions diffs - 2.3.14 → 2.3.15 - Mend

activesupport 2.3.14 → 2.3.15

Potentially problematic release.

This version of activesupport might be problematic. Click here for more details.

Files changed (4) hide show

data/CHANGELOG +6 -0
data/lib/active_support/core_ext/hash/conversions.rb +24 -7
data/lib/active_support/version.rb +1 -1
metadata +7 -10

data/CHANGELOG CHANGED

@@ -1,5 +1,11 @@
+## Rails 2.3.15 (Jan 8, 2012) ##
+* Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XML. CVE-2013-0156 [Jeremy Kemper]
 *2.3.11 (February 9, 2011)*
 *2.3.10 (October 15, 2010)*

data/lib/active_support/core_ext/hash/conversions.rb CHANGED

@@ -26,6 +26,13 @@ module ActiveSupport #:nodoc:
           end
         end
+        DISALLOWED_XML_TYPES = %w(symbol yaml)
+        class DisallowedType < StandardError #:nodoc:
+          def initialize(type)
+            super "Disallowed type attribute: #{type.inspect}"
+          end
+        end
         XML_TYPE_NAMES = {
           "Symbol"     => "symbol",
           "Fixnum"     => "integer",
@@ -160,14 +167,24 @@ module ActiveSupport #:nodoc:
         end
         module ClassMethods
-          def from_xml(xml)
-            typecast_xml_value(unrename_keys(XmlMini.parse(xml)))
+          def from_xml(xml, disallowed_types = nil)
+            typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types)
+          end
+          def from_trusted_xml(xml)
+            from_xml xml, []
           end
           private
-            def typecast_xml_value(value)
+            def typecast_xml_value(value, disallowed_types = nil)
+              disallowed_types ||= DISALLOWED_XML_TYPES
               case value.class.to_s
                 when 'Hash'
+                  if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
+                    raise DisallowedType, value['type']
+                  end
                   if value['type'] == 'array'
                     child_key, entries = value.detect { |k,v| k != 'type' }   # child_key is throwaway
                     if entries.nil? || (c = value['__content__'] && c.blank?)
@@ -175,9 +192,9 @@ module ActiveSupport #:nodoc:
                     else
                       case entries.class.to_s   # something weird with classes not matching here.  maybe singleton methods breaking is_a?
                       when "Array"
-                        entries.collect { |v| typecast_xml_value(v) }
+                        entries.collect { |v| typecast_xml_value(v, disallowed_types) }
                       when "Hash"
-                        [typecast_xml_value(entries)]
+                        [typecast_xml_value(entries, disallowed_types)]
                       else
                         raise "can't typecast #{entries.inspect}"
                       end
@@ -205,7 +222,7 @@ module ActiveSupport #:nodoc:
                     nil
                   else
                     xml_value = value.inject({}) do |h,(k,v)|
-                      h[k] = typecast_xml_value(v)
+                      h[k] = typecast_xml_value(v, disallowed_types)
                       h
                     end
@@ -214,7 +231,7 @@ module ActiveSupport #:nodoc:
                     xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
                   end
                 when 'Array'
-                  value.map! { |i| typecast_xml_value(i) }
+                  value.map! { |i| typecast_xml_value(i, disallowed_types) }
                   case value.length
                     when 0 then nil
                     when 1 then value.first

data/lib/active_support/version.rb CHANGED

@@ -2,7 +2,7 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 14
+    TINY  = 15
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

metadata CHANGED

@@ -1,13 +1,12 @@
 --- !ruby/object:Gem::Specification
 name: activesupport
 version: !ruby/object:Gem::Version
-  hash: 31
-  prerelease:
+  prerelease: false
   segments:
   - 2
   - 3
-  - 14
-  version: 2.3.14
+  - 15
+  version: 2.3.15
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -15,7 +14,8 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-08-16 00:00:00 Z
+date: 2013-01-08 00:00:00 -08:00
+default_executable:
 dependencies: []
 description: Utility library which carries commonly used classes and goodies from the Rails framework
@@ -403,6 +403,7 @@ files:
 - lib/active_support/xml_mini.rb
 - lib/active_support.rb
 - lib/activesupport.rb
+has_rdoc: true
 homepage: http://www.rubyonrails.org
 licenses: []
@@ -412,27 +413,23 @@ rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      hash: 3
       segments:
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      hash: 3
       segments:
       - 0
       version: "0"
 requirements: []
 rubyforge_project: activesupport
-rubygems_version: 1.8.8
+rubygems_version: 1.3.6
 signing_key:
 specification_version: 3
 summary: Support and utility classes used by the Rails framework.