nori 2.0.0 → 2.0.3

data/CHANGELOG.md

@@ -1,4 +1,19 @@
-# 2.0 (2012-12-12)
+
+# 2.0.3 (2013-01-10)
+
+* Fix for remote code execution bug. For more in-depth information, read about the
+  recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ).
+  Please make sure to upgrade now!
+
+# 2.0.2 (YANKED)
+
+* Yanked because of a problem with XML that starts with an instruction tag.
+
+# 2.0.1 (YANKED)
+
+* Yanked because of a problem with XML that starts with an instruction tag.
+
+# 2.0.0 (2012-12-12)
 
 Please make sure to read the updated README for how to use the new version.
 
@@ -100,7 +115,7 @@ Please make sure to read the updated README for how to use the new version.
 
 ## 0.2.1 (2011-05-15)
 
-* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.  
+* Fix: Changed XML attributes converted to Hash keys to be prefixed with an @-sign.
   This avoids problems with attributes and child nodes having the same name.
 
       <multiRef id="id1">

data/lib/nori/version.rb

@@ -1,5 +1,5 @@
 class Nori
 
-  VERSION = "2.0.0"
+  VERSION = "2.0.3"
 
 end

data/lib/nori/xml_utility_node.rb

@@ -77,9 +77,7 @@ class Nori
     self.typecasts["decimal"]       = lambda { |v| v.nil? ? nil : BigDecimal(v.to_s) }
     self.typecasts["double"]        = lambda { |v| v.nil? ? nil : v.to_f }
     self.typecasts["float"]         = lambda { |v| v.nil? ? nil : v.to_f }
-    self.typecasts["symbol"]        = lambda { |v| v.nil? ? nil : v.to_sym }
     self.typecasts["string"]        = lambda { |v| v.to_s }
-    self.typecasts["yaml"]          = lambda { |v| v.nil? ? nil : YAML.load(v) }
     self.typecasts["base64Binary"]  = lambda { |v| v.unpack('m').first }
 
     self.available_typecasts = self.typecasts.keys

data/spec/nori/api_spec.rb

@@ -72,7 +72,7 @@ describe Nori do
       # parsers are loaded lazily by default
       require "nori/parser/nokogiri"
 
-      Nori::Parser::Nokogiri.should_receive(:parse).once
+      Nori::Parser::Nokogiri.should_receive(:parse).and_return({})
       nori.parse("<any>thing</any>")
     end
 
@@ -96,7 +96,7 @@ describe Nori do
       # parsers are loaded lazily by default
       require "nori/parser/rexml"
 
-      Nori::Parser::REXML.should_receive(:parse).once
+      Nori::Parser::REXML.should_receive(:parse).and_return({})
       nori(:parser => :rexml).parse("<any>thing</any>")
     end
   end

data/spec/nori/nori_spec.rb

@@ -348,7 +348,8 @@ describe Nori do
           'approved'   => nil,
           'written_on' => nil,
           'viewed_at'  => nil,
-          'content'    => nil,
+          # don't execute arbitary YAML code
+          'content'    => { "@type" => "yaml" },
           'parent_id'  => nil,
           'nil_true'   => nil,
           'namespaced' => nil
@@ -367,7 +368,7 @@ describe Nori do
             <replies-close-in type="integer">2592000000</replies-close-in>
             <written-on type="date">2003-07-16</written-on>
             <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
-            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n</content>
+            <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true</content>
             <author-email-address>david@loudthinking.com</author-email-address>
             <parent-id></parent-id>
             <ad-revenue type="decimal">1.5</ad-revenue>
@@ -388,12 +389,13 @@ describe Nori do
           # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
           # The line in ActiveSupport is
           # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
-          'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+          'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true",
           'author_email_address' => "david@loudthinking.com",
           'parent_id' => nil,
           'ad_revenue' => BigDecimal("1.50"),
           'optimum_viewing_angle' => 135.0,
-          'resident' => :yes
+          # don't create symbols from arbitary remote code
+          'resident' => "yes"
         }
 
         parse(topic_xml)["topic"].each do |k,v|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nori
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.3
   prerelease: 
 platform: ruby
 authors:
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-12 00:00:00.000000000 Z
+date: 2013-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -109,7 +109,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 378604752016210991
+      hash: 3728758796378487229
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -118,10 +118,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 378604752016210991
+      hash: 3728758796378487229
 requirements: []
 rubyforge_project: nori
-rubygems_version: 1.8.23
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: XML to Hash translator