RubyGems - nori - Versions diffs - 1.1.3 → 1.1.4 - Mend

nori 1.1.3 → 1.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+## 1.1.4 (2013-01-10)
+* Fix for remote code execution bug. For more in-depth information, read about the
+  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
+  Please make sure to upgrade now!
 ## 1.1.3 (2012-07-12)
 * Fix: Merged [pull request 21](https://github.com/rubiii/nori/pull/21) to fix an
@@ -77,7 +83,7 @@
 ## 0.2.1 (2011-05-15)
-* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
+* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
   This avoids problems with attributes and child nodes having the same name.
       <multiRef id="id1">

data/lib/nori/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Nori
-  VERSION = "1.1.3"
+  VERSION = "1.1.4"
 end

data/lib/nori/xml_utility_node.rb CHANGED Viewed

@@ -77,9 +77,7 @@ module Nori
     self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
     self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
     self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
-    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
     self.typecasts["string"]        = lambda { |v| v.to_s }
-    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
     self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
     self.available_typecasts = self.typecasts.keys

data/spec/nori/nori_spec.rb CHANGED Viewed

@@ -395,7 +395,8 @@ describe Nori do
           'approved'   => nil,
           'written_on' => nil,
           'viewed_at'  => nil,
-          'content'    => nil,
+          # don't execute arbitary YAML code
+          'content'    => { "@type" => "yaml" },
           'parent_id'  => nil,
           'nil_true'   => nil,
           'namespaced' => nil
@@ -414,7 +415,7 @@ describe Nori do
             <replies-close-in type="integer">2592000000</replies-close-in>
             <written-on type="date">2003-07-16</written-on>
             <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
-            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n</content>
+            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true</content>
             <author-email-address>david@loudthinking.com</author-email-address>
             <parent-id></parent-id>
             <ad-revenue type="decimal">1.5</ad-revenue>
@@ -435,12 +436,13 @@ describe Nori do
           # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
           # The line in ActiveSupport is
           # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
-          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true",
           'author_email_address' => "david@loudthinking.com",
           'parent_id' => nil,
           'ad_revenue' => BigDecimal("1.50"),
           'optimum_viewing_angle' => 135.0,
-          'resident' => :yes
+          # don't create symbols from arbitary remote code
+          'resident' => "yes"
         }
         parse(topic_xml)["topic"].each do |k,v|

metadata CHANGED Viewed

@@ -1,95 +1,88 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: nori
-version: !ruby/object:Gem::Version
-  hash: 21
+version: !ruby/object:Gem::Version
+  version: 1.1.4
   prerelease:
-  segments:
-  - 1
-  - 1
-  - 3
-  version: 1.1.3
 platform: ruby
-authors:
+authors:
 - Daniel Harrington
 - John Nunemaker
 - Wynn Netherland
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-07-12 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
-  version_requirements: &id001 !ruby/object:Gem::Requirement
+date: 2013-01-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 49
-        segments:
-        - 0
-        - 8
-        - 7
+      - !ruby/object:Gem::Version
         version: 0.8.7
-  name: rake
   type: :development
   prerelease: false
-  requirement: *id001
-- !ruby/object:Gem::Dependency
-  version_requirements: &id002 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 7
-        segments:
-        - 1
-        - 4
-        - 0
-        version: 1.4.0
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.8.7
+- !ruby/object:Gem::Dependency
   name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
   type: :development
   prerelease: false
-  requirement: *id002
-- !ruby/object:Gem::Dependency
-  version_requirements: &id003 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements:
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version
-        hash: 27
-        segments:
-        - 2
-        - 5
-        - 0
+      - !ruby/object:Gem::Version
         version: 2.5.0
-  name: rspec
   type: :development
   prerelease: false
-  requirement: *id003
-- !ruby/object:Gem::Dependency
-  version_requirements: &id004 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 0
-        version: "0"
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.5.0
+- !ruby/object:Gem::Dependency
   name: autotest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
   prerelease: false
-  requirement: *id004
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: XML to Hash translator
 email: me@rubiii.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - .gitignore
 - .rspec
 - .travis.yml
@@ -121,38 +114,35 @@ files:
 - spec/spec_helper.rb
 homepage: http://github.com/rubiii/nori
 licenses: []
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
       - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+      hash: -4605903016342497062
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
       - 0
-      version: "0"
+      hash: -4605903016342497062
 requirements: []
 rubyforge_project: nori
-rubygems_version: 1.8.21
+rubygems_version: 1.8.24
 signing_key:
 specification_version: 3
 summary: XML to Hash translator
-test_files:
+test_files:
 - spec/nori/core_ext/hash_spec.rb
 - spec/nori/core_ext/object_spec.rb
 - spec/nori/core_ext/string_spec.rb