activesupport 4.2.1 → 4.2.2


Potentially problematic release.



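--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 4e5062a0722828d18bc780a31c587c2b2886d6a1
- data.tar.gz: f3ac74fba2240efbabd740c5995822e0d62957ee
+ metadata.gz: 34309be029cb1c5691c007e017e1885972eb8471
+ data.tar.gz: af61a044fa53999d9182cd5e048a29734c0cf20f
  SHA512:
- metadata.gz: 49774838728ee647543f0801c66260a20262a8b9b1b5f74d79188e1c9744b9a457fa5206673999262fd9966125932b4ce1fe778446f1613d519a5ac8f5f05c24
- data.tar.gz: c81c5b6346391125d19e8d532678e651e32b923cacffc4f22b82269bd0d98289b8777892dd9bba21757d955734a210f12fa943d638ea1b7b776b28b7d50c7a5e
+ metadata.gz: 92415b4900a8e3ca73756db0308c1ae74339f376f36b0561fe775a37358fc2142b77ad80e06de6aafb61a79bb36ce02834a189c12f8f13d22a173f90949b5824
+ data.tar.gz: 84965a10900fbba7b1c30cf762a3b0382a8bfcfca0db6d4b83a94428f130961087cd3f1a373f90c61d9b20dbeb58a67ded812bfd76c4a98641469121247dbac7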
@@ -1,3 +1,18 @@
1
+ ## Rails 4.2.2 (June 16, 2015) ##
2
+
3
+ * Fix XSS vulnerability in `ActiveSupport::JSON.encode` method.
4
+
5
+ CVE-2015-3226.
6
+
7
+ *Rafael Mendonça França*
8
+
9
+ * Fix denial of service vulnerability in the XML processing.
10
+
11
+ CVE-2015-3227.
12
+
13
+ *Aaron Patterson*
14
+
15
+
1
16
  ## Rails 4.2.1 (March 19, 2014) ##
2
17
 
3
18
  * Fixed a problem where String#truncate_words would get stuck with a complex
@@ -7,7 +7,7 @@ module ActiveSupport
7
7
  module VERSION
8
8
  MAJOR = 4
9
9
  MINOR = 2
10
- TINY = 1
10
+ TINY = 2
11
11
  PRE = nil
12
12
 
13
13
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
@@ -58,6 +58,10 @@ module ActiveSupport
58
58
  super.gsub ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, ESCAPED_CHARS
59
59
  end
60
60
  end
61
+
62
+ def to_s
63
+ self
64
+ end
61
65
  end
62
66
 
63
67
  # Mark these as private so we don't leak encoding-specific constructs
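Review bot: The added `to_s` carries no comment, and a method that only returns `self` reads like dead code that a later cleanup would delete. `String#to_s` called on an instance of a String subclass returns a plain `String`, so without this override the value would presumably lose the class whose escaping override (the `super.gsub ... ESCAPED_CHARS` line just above) protects the JSON output; that looks like the path behind the CVE-2015-3226 changelog entry. I would put `# Return self rather than a plain String: String#to_s would drop this subclass and its escaping.` above the method. The enclosing class starts outside the hunk, so its name is not visible here.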
@@ -78,6 +78,9 @@ module ActiveSupport
78
78
  )
79
79
  end
80
80
 
81
+ attr_accessor :depth
82
+ self.depth = 100
83
+
81
84
  delegate :parse, :to => :backend
82
85
 
83
86
  def backend
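Review bot: `depth` is introduced as a writable setting with no comment, and nothing in this hunk checks the value assigned to it. Judging by the call sites on this page, it is the number of element nesting levels the JDOM and REXML backends descend before raising, with 100 as the default. A comment such as `# Maximum XML element nesting depth; the JDOM and REXML backends raise once a document exceeds it.` above `attr_accessor :depth` would record that. Whether any other backend honours the setting is not visible here, so the comment should name the ones that do. The enclosing block starts outside the hunk.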
@@ -46,7 +46,7 @@ module ActiveSupport
46
46
  xml_string_reader = StringReader.new(data)
47
47
  xml_input_source = InputSource.new(xml_string_reader)
48
48
  doc = @dbf.new_document_builder.parse(xml_input_source)
49
- merge_element!({CONTENT_KEY => ''}, doc.document_element)
49
+ merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth)
50
50
  end
51
51
  end
52
52
 
@@ -58,9 +58,10 @@ module ActiveSupport
58
58
  # Hash to merge the converted element into.
59
59
  # element::
60
60
  # XML element to merge into hash
61
- def merge_element!(hash, element)
61
+ def merge_element!(hash, element, depth)
62
+ raise 'Document too deep!' if depth == 0
62
63
  delete_empty(hash)
63
- merge!(hash, element.tag_name, collapse(element))
64
+ merge!(hash, element.tag_name, collapse(element, depth))
64
65
  end
65
66
 
66
67
  def delete_empty(hash)
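Review bot: The guard `raise 'Document too deep!' if depth == 0` fires only on an exact zero, so an `XmlMini.depth` configured as a negative or non-integer value counts down past zero and the nesting limit is silently disabled; `raise 'Document too deep!' if depth <= 0` fails closed. The REXML `merge_element!` hunk further down uses the same `depth == 0` comparison. This backend also raises a bare-string RuntimeError where the REXML one raises `REXML::ParseException`, so callers that rescue parser errors may not see the limit uniformly. The doc comment above the method still lists only `hash::` and `element::`; add `# depth::` followed by `#   Nesting levels still allowed below this element.`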
@@ -71,14 +72,14 @@ module ActiveSupport
71
72
  #
72
73
  # element::
73
74
  # The document element to be collapsed.
74
- def collapse(element)
75
+ def collapse(element, depth)
75
76
  hash = get_attributes(element)
76
77
 
77
78
  child_nodes = element.child_nodes
78
79
  if child_nodes.length > 0
79
80
  (0...child_nodes.length).each do |i|
80
81
  child = child_nodes.item(i)
81
- merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE
82
+ merge_element!(hash, child, depth - 1) unless child.node_type == Node.TEXT_NODE
82
83
  end
83
84
  merge_texts!(hash, element) unless empty_content?(element)
84
85
  hash
@@ -29,7 +29,7 @@ module ActiveSupport
29
29
  doc = REXML::Document.new(data)
30
30
 
31
31
  if doc.root
32
- merge_element!({}, doc.root)
32
+ merge_element!({}, doc.root, XmlMini.depth)
33
33
  else
34
34
  raise REXML::ParseException,
35
35
  "The document #{doc.to_s.inspect} does not have a valid root"
@@ -44,19 +44,20 @@ module ActiveSupport
44
44
  # Hash to merge the converted element into.
45
45
  # element::
46
46
  # XML element to merge into hash
47
- def merge_element!(hash, element)
48
- merge!(hash, element.name, collapse(element))
47
+ def merge_element!(hash, element, depth)
48
+ raise REXML::ParseException, "The document is too deep" if depth == 0
49
+ merge!(hash, element.name, collapse(element, depth))
49
50
  end
50
51
 
51
52
  # Actually converts an XML document element into a data structure.
52
53
  #
53
54
  # element::
54
55
  # The document element to be collapsed.
55
- def collapse(element)
56
+ def collapse(element, depth)
56
57
  hash = get_attributes(element)
57
58
 
58
59
  if element.has_elements?
59
- element.each_element {|child| merge_element!(hash, child) }
60
+ element.each_element {|child| merge_element!(hash, child, depth - 1) }
60
61
  merge_texts!(hash, element) unless empty_content?(element)
61
62
  hash
62
63
  else
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activesupport
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.2.1
4
+ version: 4.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-03-19 00:00:00.000000000 Z
11
+ date: 2015-06-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: i18n