activesupport 3.2.21 → 3.2.22


Potentially problematic release.


This version of activesupport might be problematic. Click here for more details.

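--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 6bded9f02fdf2d36d822eaa68d5839ee205f58e4
- data.tar.gz: c768383acc14b5120dc72a3376789f3ceb419e44
+ metadata.gz: a9430f2c7b260f6a3e92fcb72a6bc1f24e4e05e6
+ data.tar.gz: 91faa7710848ad3250e152c3964d67ff59cababe
  SHA512:
- metadata.gz: 53d762c61f5d9ac5d938d75a210e24007fa237d83c248331b01b6dbf64f4c837472dd747a410beb42f90d8666cbe438ab5fd7b8e4ea10ef65f15b61d7a90c6e1
- data.tar.gz: 077ad916fffe16fc20b74590b7760f44eea2488cfae84ca9530b6013cc3214c7446f9cfa5f1ec1ea6d2999a5bc22a66110cc56f359d579806e2a904cac9669cb
+ metadata.gz: e686c722964e68bb04fc372ec3759089d1fd82dc8193a18aae6c71b9bb5901f0d27bd46e1a69980b9a6fe5b464d6627b37cbd1708ff58ba0b11550d3ddb31470
+ data.tar.gz: 37129f462c828e4fb7a887c1a30368601c3340028255f6366a51f7de1ec06dbcf67d637aa8cb0f0fe50d472a3cc6b6c768bcd24d4be648496ba27a4020bd3106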
@@ -1,3 +1,12 @@
1
+ ## Rails 3.2.22 (Jun 16, 2015) ##
2
+
3
+ * Fix denial of service vulnerability in the XML processing.
4
+
5
+ CVE-2015-3227.
6
+
7
+ *Aaron Patterson*
8
+
9
+
1
10
  ## Rails 3.2.19 (Jul 2, 2014) ##
2
11
 
3
12
  * Make sure Active Support configurations are applied correctly.
@@ -16,7 +16,9 @@ class BigDecimal
16
16
  #
17
17
  # Note that reconstituting YAML floats to native floats may lose precision.
18
18
  def to_yaml(opts = {})
19
- return super if defined?(YAML::ENGINE) && !YAML::ENGINE.syck?
19
+ return super if
20
+ (defined?(YAML::ENGINE) && !YAML::ENGINE.syck?) ||
21
+ (defined?(Psych) && YAML == Psych)
20
22
 
21
23
  YAML.quick_emit(nil, opts) do |out|
22
24
  string = to_s
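Review bot: The new guard in `to_yaml` ends a line on the modifier `if` and puts the whole condition on the next two lines, so at a glance it reads as an unconditional `return super`. Naming the condition keeps the early return on one line: `psych_engine = (defined?(YAML::ENGINE) && !YAML::ENGINE.syck?) || (defined?(Psych) && YAML == Psych)` followed by `return super if psych_engine`. The body of `to_yaml` continues past the end of this hunk.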
@@ -109,7 +109,9 @@ class Class
109
109
  end
110
110
 
111
111
  private
112
- def singleton_class?
113
- ancestors.first != self
114
- end
112
+ unless respond_to?(:singleton_class?)
113
+ def singleton_class?
114
+ ancestors.first != self
115
+ end
116
+ end
115
117
  end
@@ -138,6 +138,12 @@ class DateTime
138
138
 
139
139
  # Layers additional behavior on DateTime#<=> so that Time and ActiveSupport::TimeWithZone instances can be compared with a DateTime
140
140
  def <=>(other)
141
- super other.kind_of?(Infinity) ? other : other.to_datetime
141
+ if other.kind_of?(Infinity)
142
+ super
143
+ elsif other.respond_to? :to_datetime
144
+ super other.to_datetime
145
+ else
146
+ nil
147
+ end
142
148
  end
143
149
  end
@@ -1,4 +1,8 @@
1
- require 'test/unit/testcase'
1
+ begin
2
+ require 'test/unit/testcase'
3
+ rescue LoadError => e
4
+ raise LoadError, "Please add test-unit gem to your Gemfile: `gem 'test-unit', '~> 3.0'` (#{e.message})", e.backtrace
5
+ end
2
6
  require 'active_support/testing/setup_and_teardown'
3
7
  require 'active_support/testing/assertions'
4
8
  require 'active_support/testing/deprecation'
@@ -156,7 +156,12 @@ end
156
156
 
157
157
  # Only in subprocess for windows / jruby.
158
158
  if ENV['ISOLATION_TEST']
159
- require "test/unit/collector/objectspace"
159
+ begin
160
+ require "test/unit/collector/objectspace"
161
+ rescue LoadError => e
162
+ raise LoadError, "Please add test-unit gem to your Gemfile: `gem 'test-unit', '~> 3.0'` (#{e.message})", e.backtrace
163
+ end
164
+
160
165
  class Test::Unit::Collector::ObjectSpace
161
166
  def include?(test)
162
167
  super && test.method_name == ENV['ISOLATION_TEST']
@@ -223,6 +223,7 @@ module ActiveSupport
223
223
  # Compare this time zone to the parameter. The two are compared first on
224
224
  # their offsets, and then by name.
225
225
  def <=>(zone)
226
+ return unless zone.respond_to?(:utc_offset) && zone.respond_to?(:name)
226
227
  result = (utc_offset <=> zone.utc_offset)
227
228
  result = (name <=> zone.name) if result == 0
228
229
  result
@@ -267,7 +268,7 @@ module ActiveSupport
267
268
  #
268
269
  # Time.zone.now # => Fri, 31 Dec 1999 14:00:00 HST -10:00
269
270
  # Time.zone.parse('22:30:00') # => Fri, 31 Dec 1999 22:30:00 HST -10:00
270
- def parse(str, now=now)
271
+ def parse(str, now=self.now)
271
272
  parts = Date._parse(str, false)
272
273
  return if parts.empty?
273
274
 
@@ -2,7 +2,7 @@ module ActiveSupport
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 3
4
4
  MINOR = 2
5
- TINY = 21
5
+ TINY = 22
6
6
  PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -77,6 +77,9 @@ module ActiveSupport
77
77
  end
78
78
 
79
79
  attr_reader :backend
80
+ attr_accessor :depth
81
+ self.depth = 100
82
+
80
83
  delegate :parse, :to => :backend
81
84
 
82
85
  def backend=(name)
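Review bot: `depth` is added here as a public, writable module setting with no comment. Nothing tells an operator that it appears to be the nesting limit behind the XML denial-of-service fix listed in the changelog, or which values are safe to assign. I would add a comment above `attr_accessor :depth` such as `# Maximum element nesting depth accepted when converting XML to a Hash; deeper documents raise. Must be a positive Integer (default 100).` The accessor accepts any value, and the guards visible later in this diff compare with `depth == 0`, so the constraint on the value is worth stating where it is set.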
@@ -47,7 +47,7 @@ module ActiveSupport
47
47
  xml_string_reader = StringReader.new(data)
48
48
  xml_input_source = InputSource.new(xml_string_reader)
49
49
  doc = @dbf.new_document_builder.parse(xml_input_source)
50
- merge_element!({CONTENT_KEY => ''}, doc.document_element)
50
+ merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth)
51
51
  end
52
52
  end
53
53
 
@@ -59,9 +59,10 @@ module ActiveSupport
59
59
  # Hash to merge the converted element into.
60
60
  # element::
61
61
  # XML element to merge into hash
62
- def merge_element!(hash, element)
62
+ def merge_element!(hash, element, depth)
63
+ raise 'Document too deep!' if depth == 0
63
64
  delete_empty(hash)
64
- merge!(hash, element.tag_name, collapse(element))
65
+ merge!(hash, element.tag_name, collapse(element, depth))
65
66
  end
66
67
 
67
68
  def delete_empty(hash)
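Review bot: The new guard in `merge_element!` uses `depth == 0`, which only fires on an exact hit. If `XmlMini.depth` is ever configured as a negative number, the counter never reaches zero and the recursion is unbounded again. `raise 'Document too deep!' if depth <= 0` closes that, and the REXML `merge_element!` hunk further down has the same comparison. This backend also raises a bare string (a RuntimeError) while the REXML backend raises `REXML::ParseException`, so callers that rescue parse errors to reject a malformed request will presumably not catch this one. A parser-specific or dedicated error class would keep the two backends consistent.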
@@ -72,14 +73,14 @@ module ActiveSupport
72
73
  #
73
74
  # element::
74
75
  # The document element to be collapsed.
75
- def collapse(element)
76
+ def collapse(element, depth)
76
77
  hash = get_attributes(element)
77
78
 
78
79
  child_nodes = element.child_nodes
79
80
  if child_nodes.length > 0
80
81
  for i in 0...child_nodes.length
81
82
  child = child_nodes.item(i)
82
- merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE
83
+ merge_element!(hash, child, depth - 1) unless child.node_type == Node.TEXT_NODE
83
84
  end
84
85
  merge_texts!(hash, element) unless empty_content?(element)
85
86
  hash
@@ -30,7 +30,7 @@ module ActiveSupport
30
30
  doc = REXML::Document.new(data)
31
31
 
32
32
  if doc.root
33
- merge_element!({}, doc.root)
33
+ merge_element!({}, doc.root, XmlMini.depth)
34
34
  else
35
35
  raise REXML::ParseException,
36
36
  "The document #{doc.to_s.inspect} does not have a valid root"
@@ -45,19 +45,20 @@ module ActiveSupport
45
45
  # Hash to merge the converted element into.
46
46
  # element::
47
47
  # XML element to merge into hash
48
- def merge_element!(hash, element)
49
- merge!(hash, element.name, collapse(element))
48
+ def merge_element!(hash, element, depth)
49
+ raise REXML::ParseException, "The document is too deep" if depth == 0
50
+ merge!(hash, element.name, collapse(element, depth))
50
51
  end
51
52
 
52
53
  # Actually converts an XML document element into a data structure.
53
54
  #
54
55
  # element::
55
56
  # The document element to be collapsed.
56
- def collapse(element)
57
+ def collapse(element, depth)
57
58
  hash = get_attributes(element)
58
59
 
59
60
  if element.has_elements?
60
- element.each_element {|child| merge_element!(hash, child) }
61
+ element.each_element {|child| merge_element!(hash, child, depth - 1) }
61
62
  merge_texts!(hash, element) unless empty_content?(element)
62
63
  hash
63
64
  else
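Review bot: The rdoc parameter lists above `merge_element!` and `collapse` still describe only the old parameters, although both methods now take `depth`. I would add `# depth::` followed by `#   Remaining nesting levels allowed below this element; raises when it reaches 0.` to each list. The JDOM `merge_element!` and `collapse` hunks earlier in the diff have the same gap. `collapse` continues past the end of this hunk.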
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.2.21
4
+ version: 3.2.22
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-11-16 00:00:00.000000000 Z
11
+ date: 2015-06-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n
@@ -287,7 +287,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
287
287
  version: '0'
288
288
  requirements: []
289
289
  rubyforge_project:
290
- rubygems_version: 2.4.2
290
+ rubygems_version: 2.4.5
291
291
  signing_key:
292
292
  specification_version: 4
293
293
  summary: A toolkit of support libraries and Ruby core extensions extracted from the