activesupport 3.2.10 → 3.2.11



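--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  !binary "U0hBMQ==":
- metadata.gz: 9ebbf393801a3ebd00f9a8d31f0888929486e86e
- data.tar.gz: 039464479406858f262d1da2e9edb2c5f65bee2a
+ metadata.gz: 9f107489d40d530bb99b4b0d56e787b7455544e6
+ data.tar.gz: 44e39249e6b793dac59f702d5583c5d5634e776d
  !binary "U0hBNTEy":
- metadata.gz: fca30fb81575567ed505cb09c1611e2cd73a9242513df756edfd69365e5e46ac7b3fc924163bb34989fef2ef3b66288c92c564532773d6d66c9b75be518d48f7
- data.tar.gz: d83e259835c2bf05892ac0f3349e088a2b4371a81d7cc2951baf40cfceace53384b9377a77aff6a28dd7d4b58c08a0458d7f4efc8d065143ba499bce60cefd2b
+ metadata.gz: 6e56157585db548253e82a8897ce7357e86952f083e8f7da01affb52dc6117b3db1ff07b916c22d0b244b9a315a2821913c20f095e5b39a81665fc297c8f1106
+ data.tar.gz: 99c5bd237aa7881a077658c0e70960fab81b221eb1bb28c208215be19d7518e8f56a54cfba3299ec2e3fdbb185722c4c5e5821b72160ae2b1cbd8e04725fd315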
@@ -1,3 +1,12 @@
1
+ ## Rails 3.2.10 (Jan 8, 2012) ##
2
+
3
+ * Hash.from_xml raises when it encounters type="symbol" or type="yaml".
4
+ Use Hash.from_trusted_xml to parse this XML.
5
+
6
+ CVE-2013-0156
7
+
8
+ *Jeremy Kemper*
9
+
1
10
  ## Rails 3.2.9 (Nov 12, 2012) ##
2
11
 
3
12
  * Add logger.push_tags and .pop_tags to complement logger.tagged:
@@ -85,15 +85,33 @@ class Hash
85
85
  end
86
86
  end
87
87
 
88
+ class DisallowedType < StandardError #:nodoc:
89
+ def initialize(type)
90
+ super "Disallowed type attribute: #{type.inspect}"
91
+ end
92
+ end
93
+
94
+ DISALLOWED_XML_TYPES = %w(symbol yaml)
95
+
88
96
  class << self
89
- def from_xml(xml)
90
- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)))
97
+ def from_xml(xml, disallowed_types = nil)
98
+ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types)
99
+ end
100
+
101
+ def from_trusted_xml(xml)
102
+ from_xml xml, []
91
103
  end
92
104
 
93
105
  private
94
- def typecast_xml_value(value)
106
+ def typecast_xml_value(value, disallowed_types = nil)
107
+ disallowed_types ||= DISALLOWED_XML_TYPES
108
+
95
109
  case value.class.to_s
96
110
  when 'Hash'
111
+ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
112
+ raise DisallowedType, value['type']
113
+ end
114
+
97
115
  if value['type'] == 'array'
98
116
  _, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) })
99
117
  if entries.nil? || (c = value['__content__'] && c.blank?)
@@ -101,9 +119,9 @@ class Hash
101
119
  else
102
120
  case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
103
121
  when "Array"
104
- entries.collect { |v| typecast_xml_value(v) }
122
+ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
105
123
  when "Hash"
106
- [typecast_xml_value(entries)]
124
+ [typecast_xml_value(entries, disallowed_types)]
107
125
  else
108
126
  raise "can't typecast #{entries.inspect}"
109
127
  end
@@ -127,14 +145,14 @@ class Hash
127
145
  elsif value['type'] && value.size == 1 && !value['type'].is_a?(::Hash)
128
146
  nil
129
147
  else
130
- xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v)] }]
148
+ xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v, disallowed_types)] }]
131
149
 
132
150
  # Turn { :files => { :file => #<StringIO> } into { :files => #<StringIO> } so it is compatible with
133
151
  # how multipart uploaded files from HTML appear
134
152
  xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
135
153
  end
136
154
  when 'Array'
137
- value.map! { |i| typecast_xml_value(i) }
155
+ value.map! { |i| typecast_xml_value(i, disallowed_types) }
138
156
  value.length > 1 ? value : value.first
139
157
  when 'String'
140
158
  value
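Review bot: `DISALLOWED_XML_TYPES = %w(symbol yaml)` on new line 94 is a mutable constant; `DISALLOWED_XML_TYPES = %w(symbol yaml).freeze` keeps the denylist that `typecast_xml_value` falls back to on new line 107 from being weakened by accidental in-place mutation (`<<`, `delete`) anywhere in the process. The new `disallowed_types` parameter on `from_xml` and the `from_trusted_xml` method carry no rdoc; I'd add `# Like from_xml, but performs no type filtering (passes an empty disallowed list); only use with XML you generated or otherwise trust.` above `from_trusted_xml`, and note on `from_xml` that `disallowed_types` defaults to `DISALLOWED_XML_TYPES` and that an empty array disables the check entirely. The guard on new line 111 compares `value['type']` as an exact string, which is sufficient only if the typecaster lookup that later consumes the same attribute is also an exact, case-sensitive match; that lookup sits outside this section, so a regression test feeding differently-cased type names would confirm the two agree. `typecast_xml_value` continues past the end of this section.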
@@ -2,7 +2,7 @@ module ActiveSupport
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 2
5
- TINY = 10
5
+ TINY = 11
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
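--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activesupport
  version: !ruby/object:Gem::Version
- version: 3.2.10
+ version: 3.2.11
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2012-12-23 00:00:00.000000000 Z
+ date: 2013-01-08 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: i18n
@@ -280,7 +280,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.0.0.preview2.1
+ rubygems_version: 2.0.0.preview3
  signing_key:
  specification_version: 4
  summary: A toolkit of support libraries and Ruby core extensions extracted from the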