RubyGems - nori - Versions diffs - 1.0.2 → 1.0.3 - Mend

nori 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/CHANGELOG.md CHANGED

@@ -1,3 +1,9 @@
+== 1.0.3 (2013-01-10)
+* Fix for remote code execution bug. For more in-depth information, read about the
+  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
+  Please make sure to upgrade now!
 == 1.0.2 (2011-07-04)
 * Fix: When specifying a custom formula to convert tags, XML attributes were ignored.
@@ -54,7 +60,7 @@
 == 0.2.1 (2011-05-15)
-* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
+* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
   This avoids problems with attributes and child nodes having the same name.
       <multiRef id="id1">

data/lib/nori/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Nori
-  VERSION = "1.0.2"
+  VERSION = "1.0.3"
 end

data/lib/nori/xml_utility_node.rb CHANGED

@@ -52,9 +52,7 @@ module Nori
     self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
     self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
     self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
-    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
     self.typecasts["string"]        = lambda { |v| v.to_s }
-    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
     self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
     self.available_typecasts = self.typecasts.keys

data/spec/nori/nori_spec.rb CHANGED

@@ -367,7 +367,8 @@ describe Nori do
           'approved'   => nil,
           'written_on' => nil,
           'viewed_at'  => nil,
-          'content'    => nil,
+          # don't execute arbitary YAML code
+          'content'    => { "@type" => "yaml" },
           'parent_id'  => nil,
           'nil_true'   => nil,
           'namespaced' => nil
@@ -386,7 +387,7 @@ describe Nori do
             <replies-close-in type="integer">2592000000</replies-close-in>
             <written-on type="date">2003-07-16</written-on>
             <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
-            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n</content>
+            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true</content>
             <author-email-address>david@loudthinking.com</author-email-address>
             <parent-id></parent-id>
             <ad-revenue type="decimal">1.5</ad-revenue>
@@ -407,12 +408,13 @@ describe Nori do
           # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
           # The line in ActiveSupport is
           # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
-          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true",
           'author_email_address' => "david@loudthinking.com",
           'parent_id' => nil,
           'ad_revenue' => BigDecimal("1.50"),
           'optimum_viewing_angle' => 135.0,
-          'resident' => :yes
+          # don't create symbols from arbitary remote code
+          'resident' => "yes"
         }
         parse(topic_xml)["topic"].each do |k,v|

metadata CHANGED

@@ -1,79 +1,72 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: nori
-version: !ruby/object:Gem::Version
-  hash: 19
+version: !ruby/object:Gem::Version
+  version: 1.0.3
   prerelease:
-  segments:
-  - 1
-  - 0
-  - 2
-  version: 1.0.2
 platform: ruby
-authors:
+authors:
 - Daniel Harrington
 - John Nunemaker
 - Wynn Netherland
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-07-04 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2013-01-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: nokogiri
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 1
-        - 4
-        - 0
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
         version: 1.4.0
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: rspec
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 27
-        segments:
-        - 2
-        - 5
-        - 0
+      - !ruby/object:Gem::Version
         version: 2.5.0
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency
-  name: autotest
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 0
-        version: "0"
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.5.0
+- !ruby/object:Gem::Dependency
+  name: autotest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id003
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: XML to Hash translator
 email: me@rubiii.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - .gitignore
 - .rspec
 - .travis.yml
@@ -105,38 +98,29 @@ files:
 - spec/spec_helper.rb
 homepage: http://github.com/rubiii/nori
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project: nori
-rubygems_version: 1.8.5
+rubygems_version: 1.8.24
 signing_key:
 specification_version: 3
 summary: XML to Hash translator
-test_files:
+test_files:
 - spec/nori/core_ext/hash_spec.rb
 - spec/nori/core_ext/object_spec.rb
 - spec/nori/core_ext/string_spec.rb