RubyGems - wicked - Versions diffs - 1.0.0 → 1.0.1 - Mend

wicked 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/CHANGELOG.md +4 -0
data/VERSION +1 -1
data/lib/wicked.rb +2 -0
data/lib/wicked/controller/concerns/render_redirect.rb +1 -1
data/test/integration/security_test.rb +23 -0
data/wicked.gemspec +3 -2
metadata +4 -3

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 1.0.1 (8/08/2013)
+* Fix security issue #94
 ## 1.0.0 (8/03/2013)
 * Rails 4 compatible tested version released

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 1.0.0
1	+ 1.0.1

data/lib/wicked.rb CHANGED

@@ -1,3 +1,5 @@
+require 'erb'
 module Wicked
   FINISH_STEP = "wicked_finish"
   FIRST_STEP  = "wicked_first"

data/lib/wicked/controller/concerns/render_redirect.rb CHANGED

@@ -26,7 +26,7 @@ module Wicked::Controller::Concerns::RenderRedirect
     if the_step.nil? || the_step.to_s == Wicked::FINISH_STEP
       redirect_to_finish_wizard options
     else
-      render the_step, options
+      render ERB::Util.url_encode(the_step), options
     end
   end

data/test/integration/security_test.rb ADDED

@@ -0,0 +1,23 @@
+require 'test_helper'
+class SecurityTest < ActiveSupport::IntegrationCase
+  test 'does not show database.yml' do
+    step = "%2E%2F%2E%2E%2F%2E%2E%2Fconfig%2Fdatabase%2Eyml"
+    assert_raise ActionView::MissingTemplate do
+      visit(bar_path(step))
+    end
+    refute has_content?('sqlite3')
+  end
+  # only works on *nix systems
+  test 'does not show arbitrary system file' do
+    root = '%2E%2F%2E' * 100 # root of system
+    step = root + '%2Fusr%2Fshare%2Fdict%2Fwords'
+    assert_raise ActionView::MissingTemplate do
+      visit(bar_path(step))
+    end
+    refute has_content?('aardvark')
+  end
+end

data/wicked.gemspec CHANGED

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = "wicked"
-  s.version = "1.0.0"
+  s.version = "1.0.1"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["schneems"]
-  s.date = "2013-08-03"
+  s.date = "2013-10-08"
   s.description = "Wicked is a Rails engine for producing easy wizard controllers"
   s.email = "richard.schneeman@gmail.com"
   s.extra_rdoc_files = [
@@ -103,6 +103,7 @@ Gem::Specification.new do |s|
     "test/integration/navigation_test.rb",
     "test/integration/nested_builder_test.rb",
     "test/integration/redirect_to_next_test.rb",
+    "test/integration/security_test.rb",
     "test/integration/steps_test.rb",
     "test/support/integration_case.rb",
     "test/test_helper.rb",

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wicked
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-08-03 00:00:00.000000000 Z
+date: 2013-10-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -217,6 +217,7 @@ files:
 - test/integration/navigation_test.rb
 - test/integration/nested_builder_test.rb
 - test/integration/redirect_to_next_test.rb
+- test/integration/security_test.rb
 - test/integration/steps_test.rb
 - test/support/integration_case.rb
 - test/test_helper.rb
@@ -237,7 +238,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3122053690204350933
+      hash: -4073254236286297794
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: