nori 1.0.2 → 1.0.3

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+== 1.0.3 (2013-01-10)
+
+* Fix for remote code execution bug. For more in-depth information, read about the
+  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
+  Please make sure to upgrade now!
+
 == 1.0.2 (2011-07-04)
 
 * Fix: When specifying a custom formula to convert tags, XML attributes were ignored.
@@ -54,7 +60,7 @@
 
 == 0.2.1 (2011-05-15)
 
-* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.  
+* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
   This avoids problems with attributes and child nodes having the same name.
 
       <multiRef id="id1">

data/lib/nori/version.rb

@@ -1,5 +1,5 @@
 module Nori
 
-  VERSION = "1.0.2"
+  VERSION = "1.0.3"
 
 end

data/lib/nori/xml_utility_node.rb

@@ -52,9 +52,7 @@ module Nori
     self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
     self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
     self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
-    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
     self.typecasts["string"]        = lambda { |v| v.to_s }
-    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
     self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
 
     self.available_typecasts = self.typecasts.keys

data/spec/nori/nori_spec.rb

@@ -367,7 +367,8 @@ describe Nori do
           'approved'   => nil,
           'written_on' => nil,
           'viewed_at'  => nil,
-          'content'    => nil,
+          # don't execute arbitary YAML code
+          'content'    => { "@type" => "yaml" },
           'parent_id'  => nil,
           'nil_true'   => nil,
           'namespaced' => nil
@@ -386,7 +387,7 @@ describe Nori do
             <replies-close-in type="integer">2592000000</replies-close-in>
             <written-on type="date">2003-07-16</written-on>
             <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
-            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n</content>
+            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true</content>
             <author-email-address>david@loudthinking.com</author-email-address>
             <parent-id></parent-id>
             <ad-revenue type="decimal">1.5</ad-revenue>
@@ -407,12 +408,13 @@ describe Nori do
           # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
           # The line in ActiveSupport is
           # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
-          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true",
           'author_email_address' => "david@loudthinking.com",
           'parent_id' => nil,
           'ad_revenue' => BigDecimal("1.50"),
           'optimum_viewing_angle' => 135.0,
-          'resident' => :yes
+          # don't create symbols from arbitary remote code
+          'resident' => "yes"
         }
 
         parse(topic_xml)["topic"].each do |k,v|

metadata

@@ -1,79 +1,72 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: nori
-version: !ruby/object:Gem::Version 
-  hash: 19
+version: !ruby/object:Gem::Version
+  version: 1.0.3
   prerelease: 
-  segments: 
-  - 1
-  - 0
-  - 2
-  version: 1.0.2
 platform: ruby
-authors: 
+authors:
 - Daniel Harrington
 - John Nunemaker
 - Wynn Netherland
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2011-07-04 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2013-01-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: nokogiri
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 7
-        segments: 
-        - 1
-        - 4
-        - 0
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
         version: 1.4.0
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: rspec
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 27
-        segments: 
-        - 2
-        - 5
-        - 0
+      - !ruby/object:Gem::Version
         version: 2.5.0
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: autotest
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.5.0
+- !ruby/object:Gem::Dependency
+  name: autotest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id003
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: XML to Hash translator
 email: me@rubiii.com
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - .gitignore
 - .rspec
 - .travis.yml
@@ -105,38 +98,29 @@ files:
 - spec/spec_helper.rb
 homepage: http://github.com/rubiii/nori
 licenses: []
-
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: nori
-rubygems_version: 1.8.5
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: XML to Hash translator
-test_files: 
+test_files:
 - spec/nori/core_ext/hash_spec.rb
 - spec/nori/core_ext/object_spec.rb
 - spec/nori/core_ext/string_spec.rb