activesupport 2.3.14 → 2.3.15


Potentially problematic release.



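--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,5 +1,11 @@
+## Rails 2.3.15 (Jan 8, 2012) ##
+
+* Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XML. CVE-2013-0156 [Jeremy Kemper]
+
+
 *2.3.11 (February 9, 2011)*
 
+
 *2.3.10 (October 15, 2010)*
 
 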
@@ -26,6 +26,13 @@ module ActiveSupport #:nodoc:
26
26
  end
27
27
  end
28
28
 
29
+ DISALLOWED_XML_TYPES = %w(symbol yaml)
30
+ class DisallowedType < StandardError #:nodoc:
31
+ def initialize(type)
32
+ super "Disallowed type attribute: #{type.inspect}"
33
+ end
34
+ end
35
+
29
36
  XML_TYPE_NAMES = {
30
37
  "Symbol" => "symbol",
31
38
  "Fixnum" => "integer",
@@ -160,14 +167,24 @@ module ActiveSupport #:nodoc:
160
167
  end
161
168
 
162
169
  module ClassMethods
163
- def from_xml(xml)
164
- typecast_xml_value(unrename_keys(XmlMini.parse(xml)))
170
+ def from_xml(xml, disallowed_types = nil)
171
+ typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types)
172
+ end
173
+
174
+ def from_trusted_xml(xml)
175
+ from_xml xml, []
165
176
  end
166
177
 
167
178
  private
168
- def typecast_xml_value(value)
179
+ def typecast_xml_value(value, disallowed_types = nil)
180
+ disallowed_types ||= DISALLOWED_XML_TYPES
181
+
169
182
  case value.class.to_s
170
183
  when 'Hash'
184
+ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
185
+ raise DisallowedType, value['type']
186
+ end
187
+
171
188
  if value['type'] == 'array'
172
189
  child_key, entries = value.detect { |k,v| k != 'type' } # child_key is throwaway
173
190
  if entries.nil? || (c = value['__content__'] && c.blank?)
@@ -175,9 +192,9 @@ module ActiveSupport #:nodoc:
175
192
  else
176
193
  case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
177
194
  when "Array"
178
- entries.collect { |v| typecast_xml_value(v) }
195
+ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
179
196
  when "Hash"
180
- [typecast_xml_value(entries)]
197
+ [typecast_xml_value(entries, disallowed_types)]
181
198
  else
182
199
  raise "can't typecast #{entries.inspect}"
183
200
  end
@@ -205,7 +222,7 @@ module ActiveSupport #:nodoc:
205
222
  nil
206
223
  else
207
224
  xml_value = value.inject({}) do |h,(k,v)|
208
- h[k] = typecast_xml_value(v)
225
+ h[k] = typecast_xml_value(v, disallowed_types)
209
226
  h
210
227
  end
211
228
 
@@ -214,7 +231,7 @@ module ActiveSupport #:nodoc:
214
231
  xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
215
232
  end
216
233
  when 'Array'
217
- value.map! { |i| typecast_xml_value(i) }
234
+ value.map! { |i| typecast_xml_value(i, disallowed_types) }
218
235
  case value.length
219
236
  when 0 then nil
220
237
  when 1 then value.first
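Review bot: The new `disallowed_types` parameter on `from_xml` and the `from_trusted_xml` helper (hunk at `@@ -160,14 +167,24 @@`) carry no documentation, and the contract is easy to misuse: `nil` selects `DISALLOWED_XML_TYPES` through the `||=` in `typecast_xml_value`, while `[]` is truthy in Ruby and therefore disables the check entirely, which is exactly what `from_trusted_xml` relies on. I would add above `from_xml`: `# Parses +xml+ into a Hash. Any element whose +type+ attribute is listed in +disallowed_types+ (nil => DISALLOWED_XML_TYPES, i.e. symbol and yaml) raises DisallowedType; pass [] only for XML from a trusted source.` and above `from_trusted_xml`: `# Like from_xml but with no type filtering, so type="yaml" and type="symbol" are typecast (see CVE-2013-0156 in the CHANGELOG); never call this on request bodies or other untrusted input.` The guard in the `'Hash'` branch matches `value['type']` by exact string equality against the list, so it only protects as long as the later typecast (the rest of `typecast_xml_value` continues past the end of this hunk) looks the type up by the same unmodified attribute string; a one-line comment there, `# exact match: must agree with the type keys the typecast below uses`, would keep the two in step. Since `DisallowedType` derives from StandardError, a blanket `rescue` around `from_xml` in a caller silently swallows the rejection, which is worth stating in the class comment so callers know to handle it deliberately.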
@@ -2,7 +2,7 @@ module ActiveSupport
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 2
4
4
  MINOR = 3
5
- TINY = 14
5
+ TINY = 15
6
6
 
7
7
  STRING = [MAJOR, MINOR, TINY].join('.')
8
8
  end
metadata CHANGED
@@ -1,13 +1,12 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- hash: 31
5
- prerelease:
4
+ prerelease: false
6
5
  segments:
7
6
  - 2
8
7
  - 3
9
- - 14
10
- version: 2.3.14
8
+ - 15
9
+ version: 2.3.15
11
10
  platform: ruby
12
11
  authors:
13
12
  - David Heinemeier Hansson
@@ -15,7 +14,8 @@ autorequire:
15
14
  bindir: bin
16
15
  cert_chain: []
17
16
 
18
- date: 2011-08-16 00:00:00 Z
17
+ date: 2013-01-08 00:00:00 -08:00
18
+ default_executable:
19
19
  dependencies: []
20
20
 
21
21
  description: Utility library which carries commonly used classes and goodies from the Rails framework
@@ -403,6 +403,7 @@ files:
403
403
  - lib/active_support/xml_mini.rb
404
404
  - lib/active_support.rb
405
405
  - lib/activesupport.rb
406
+ has_rdoc: true
406
407
  homepage: http://www.rubyonrails.org
407
408
  licenses: []
408
409
 
@@ -412,27 +413,23 @@ rdoc_options: []
412
413
  require_paths:
413
414
  - lib
414
415
  required_ruby_version: !ruby/object:Gem::Requirement
415
- none: false
416
416
  requirements:
417
417
  - - ">="
418
418
  - !ruby/object:Gem::Version
419
- hash: 3
420
419
  segments:
421
420
  - 0
422
421
  version: "0"
423
422
  required_rubygems_version: !ruby/object:Gem::Requirement
424
- none: false
425
423
  requirements:
426
424
  - - ">="
427
425
  - !ruby/object:Gem::Version
428
- hash: 3
429
426
  segments:
430
427
  - 0
431
428
  version: "0"
432
429
  requirements: []
433
430
 
434
431
  rubyforge_project: activesupport
435
- rubygems_version: 1.8.8
432
+ rubygems_version: 1.3.6
436
433
  signing_key:
437
434
  specification_version: 3
438
435
  summary: Support and utility classes used by the Rails framework.