activesupport 3.0.18 → 3.0.19



@@ -0,0 +1,7 @@
1
+ ---
2
+ !binary "U0hBMQ==":
3
+ metadata.gz: 6cb3ad3c0372d8514caee7e2d5217d2be827a88f
4
+ data.tar.gz: 50718fbe4e4d817a3cb79708e32e08a8e465a2d9
5
+ !binary "U0hBNTEy":
6
+ metadata.gz: acd964ef057809cb947c30db00cc34d4a8eadb32ef3e80f33199fe76287bda8fbb53dddf004718d41eea99ac6bde63fe730561f98e401b0c8ec11b2e20be37c1
7
+ data.tar.gz: 02b7c6804a3844706f83e66dc0325098cf2e4576fa485e64468eaaba60b7f559d33f61bccf0a2f371ad6b14a3515a5b2689904e9b9864cb21d5c169e83e6adba
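--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,12 @@
+## Rails 3.0.19 (Jan 8, 2012) ##
+
+* Hash.from_xml raises when it encounters type="symbol" or type="yaml".
+Use Hash.from_trusted_xml to parse this XML.
+
+CVE-2013-0156
+
+*Jeremy Kemper*
+
 ## Rails 3.0.18
 
 ## Rails 3.0.17 (Aug 9, 2012)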
@@ -73,15 +73,33 @@ class Hash
73
73
  end
74
74
  end
75
75
 
76
+ class DisallowedType < StandardError #:nodoc:
77
+ def initialize(type)
78
+ super "Disallowed type attribute: #{type.inspect}"
79
+ end
80
+ end
81
+
82
+ DISALLOWED_XML_TYPES = %w(symbol yaml)
83
+
76
84
  class << self
77
- def from_xml(xml)
78
- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)))
85
+ def from_xml(xml, disallowed_types = nil)
86
+ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types)
87
+ end
88
+
89
+ def from_trusted_xml(xml)
90
+ from_xml xml, []
79
91
  end
80
92
 
81
93
  private
82
- def typecast_xml_value(value)
94
+ def typecast_xml_value(value, disallowed_types = nil)
95
+ disallowed_types ||= DISALLOWED_XML_TYPES
96
+
83
97
  case value.class.to_s
84
98
  when 'Hash'
99
+ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
100
+ raise DisallowedType, value['type']
101
+ end
102
+
85
103
  if value['type'] == 'array'
86
104
  _, entries = Array.wrap(value.detect { |k,v| k != 'type' })
87
105
  if entries.nil? || (c = value['__content__'] && c.blank?)
@@ -89,9 +107,9 @@ class Hash
89
107
  else
90
108
  case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
91
109
  when "Array"
92
- entries.collect { |v| typecast_xml_value(v) }
110
+ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
93
111
  when "Hash"
94
- [typecast_xml_value(entries)]
112
+ [typecast_xml_value(entries, disallowed_types)]
95
113
  else
96
114
  raise "can't typecast #{entries.inspect}"
97
115
  end
@@ -116,7 +134,7 @@ class Hash
116
134
  nil
117
135
  else
118
136
  xml_value = value.inject({}) do |h,(k,v)|
119
- h[k] = typecast_xml_value(v)
137
+ h[k] = typecast_xml_value(v, disallowed_types)
120
138
  h
121
139
  end
122
140
 
@@ -125,7 +143,7 @@ class Hash
125
143
  xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
126
144
  end
127
145
  when 'Array'
128
- value.map! { |i| typecast_xml_value(i) }
146
+ value.map! { |i| typecast_xml_value(i, disallowed_types) }
129
147
  value.length > 1 ? value : value.first
130
148
  when 'String'
131
149
  value
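Review bot: `DISALLOWED_XML_TYPES = %w(symbol yaml)` in the first hunk is a mutable constant, so any later code that alters `Hash::DISALLOWED_XML_TYPES` in place silently re-enables the typecasting this release removes; freeze it: `DISALLOWED_XML_TYPES = %w(symbol yaml).freeze`. The new `disallowed_types` parameter of `from_xml` and the new `from_trusted_xml` also carry no documentation of their contract: `nil` falls back to the default deny list via the `||=` at the top of `typecast_xml_value`, while `[]` (what `from_trusted_xml` passes) accepts every `type` attribute. A comment above `from_trusted_xml` such as `# Like from_xml, but does not reject type="symbol"/type="yaml"; only use on XML your own code produced, never on request bodies.` would make that visible at the call site, and `from_xml` should state that it raises `Hash::DisallowedType`, which is currently `#:nodoc:`. The enclosing `class Hash` and the remainder of `typecast_xml_value` lie outside the hunks.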
@@ -2,7 +2,7 @@ module ActiveSupport
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 0
5
- TINY = 18
5
+ TINY = 19
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
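--- a/metadata
+++ b/metadata
@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activesupport
 version: !ruby/object:Gem::Version
-version: 3.0.18
-prerelease:
+version: 3.0.19
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-12-23 00:00:00.000000000 Z
+date: 2013-01-08 00:00:00.000000000 Z
 dependencies: []
 description: A toolkit of support libraries and Ruby core extensions extracted from
 the Rails framework. Rich support for multibyte strings, internationalization, time
@@ -230,30 +229,26 @@ files:
 - lib/active_support.rb
 homepage: http://www.rubyonrails.org
 licenses: []
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- - ! '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
-- - ! '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
-segments:
-- 0
-hash: -2978729202858728316
 requirements: []
 rubyforge_project: activesupport
-rubygems_version: 1.8.24
+rubygems_version: 2.0.0.preview3
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: A toolkit of support libraries and Ruby core extensions extracted from the
 Rails framework.
 test_files: []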