RubyGems - nori - Versions diffs - 1.1.3 → 1.1.4 - Mend

nori 1.1.3 → 1.1.4

Files changed (5) hide show

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+## 1.1.4 (2013-01-10)
+* Fix for remote code execution bug. For more in-depth information, read about the
+  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
+  Please make sure to upgrade now!
 ## 1.1.3 (2012-07-12)
 * Fix: Merged [pull request 21](https://github.com/rubiii/nori/pull/21) to fix an
@@ -77,7 +83,7 @@
 ## 0.2.1 (2011-05-15)
-* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
+* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
   This avoids problems with attributes and child nodes having the same name.
       <multiRef id="id1">

data/lib/nori/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Nori
-  VERSION = "1.1.3"
+  VERSION = "1.1.4"
 end

data/lib/nori/xml_utility_node.rb CHANGED Viewed

@@ -77,9 +77,7 @@ module Nori
     self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
     self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
     self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
-    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
     self.typecasts["string"]        = lambda { |v| v.to_s }
-    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
     self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
     self.available_typecasts = self.typecasts.keys

data/spec/nori/nori_spec.rb CHANGED Viewed

@@ -395,7 +395,8 @@ describe Nori do
           'approved'   => nil,
           'written_on' => nil,
           'viewed_at'  => nil,
-          'content'    => nil,
+          # don't execute arbitary YAML code
+          'content'    => { "@type" => "yaml" },
           'parent_id'  => nil,
           'nil_true'   => nil,
           'namespaced' => nil
@@ -414,7 +415,7 @@ describe Nori do
             <replies-close-in type="integer">2592000000</replies-close-in>
             <written-on type="date">2003-07-16</written-on>
             <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
-            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n</content>
+            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true</content>
             <author-email-address>david@loudthinking.com</author-email-address>
             <parent-id></parent-id>
             <ad-revenue type="decimal">1.5</ad-revenue>
@@ -435,12 +436,13 @@ describe Nori do
           # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
           # The line in ActiveSupport is
           # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
-          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true",
           'author_email_address' => "david@loudthinking.com",
           'parent_id' => nil,
           'ad_revenue' => BigDecimal("1.50"),
           'optimum_viewing_angle' => 135.0,
-          'resident' => :yes
+          # don't create symbols from arbitary remote code
+          'resident' => "yes"
         }
         parse(topic_xml)["topic"].each do |k,v|

metadata CHANGED Viewed

@@ -1,95 +1,88 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: nori
-version: !ruby/object:Gem::Version
-  hash: 21
+version: !ruby/object:Gem::Version
+  version: 1.1.4
   prerelease:
-  segments:
-  - 1
-  - 1
-  - 3
-  version: 1.1.3
 platform: ruby
-authors:
+authors:
 - Daniel Harrington
 - John Nunemaker
 - Wynn Netherland
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-07-12 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
-  version_requirements: &id001 !ruby/object:Gem::Requirement
+date: 2013-01-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 49
-        segments:
-        - 0
-        - 8
-        - 7
+      - !ruby/object:Gem::Version
         version: 0.8.7
-  name: rake
   type: :development
   prerelease: false
-  requirement: *id001
-- !ruby/object:Gem::Dependency
-  version_requirements: &id002 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 1
-        - 4
-        - 0
-        version: 1.4.0
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.8.7
+- !ruby/object:Gem::Dependency
   name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
   type: :development
   prerelease: false
-  requirement: *id002
-- !ruby/object:Gem::Dependency
-  version_requirements: &id003 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 27
-        segments:
-        - 2
-        - 5
-        - 0
+      - !ruby/object:Gem::Version
         version: 2.5.0
-  name: rspec
   type: :development
   prerelease: false
-  requirement: *id003
-- !ruby/object:Gem::Dependency
-  version_requirements: &id004 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 0
-        version: "0"
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.5.0
+- !ruby/object:Gem::Dependency
   name: autotest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
   prerelease: false
-  requirement: *id004
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: XML to Hash translator
 email: me@rubiii.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - .gitignore
 - .rspec
 - .travis.yml
@@ -121,38 +114,35 @@ files:
 - spec/spec_helper.rb
 homepage: http://github.com/rubiii/nori
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
       - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+      hash: -4605903016342497062
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
       - 0
-      version: "0"
+      hash: -4605903016342497062
 requirements: []
 rubyforge_project: nori
-rubygems_version: 1.8.21
+rubygems_version: 1.8.24
 signing_key:
 specification_version: 3
 summary: XML to Hash translator
-test_files:
+test_files:
 - spec/nori/core_ext/hash_spec.rb
 - spec/nori/core_ext/object_spec.rb
 - spec/nori/core_ext/string_spec.rb