wicked 1.0.0 → 1.0.1

@@ -1,3 +1,7 @@
1
+ ## 1.0.1 (8/08/2013)
2
+
3
+ * Fix security issue #94
4
+
1
5
  ## 1.0.0 (8/03/2013)
2
6
 
3
7
  * Rails 4 compatible tested version released
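--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.0.0
+1.0.1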
@@ -1,3 +1,5 @@
1
+ require 'erb'
2
+
1
3
  module Wicked
2
4
  FINISH_STEP = "wicked_finish"
3
5
  FIRST_STEP = "wicked_first"
@@ -26,7 +26,7 @@ module Wicked::Controller::Concerns::RenderRedirect
26
26
  if the_step.nil? || the_step.to_s == Wicked::FINISH_STEP
27
27
  redirect_to_finish_wizard options
28
28
  else
29
- render the_step, options
29
+ render ERB::Util.url_encode(the_step), options
30
30
  end
31
31
  end
32
32
 
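Review bot: `ERB::Util.url_encode(the_step)` on the new `render` line stops the `../` traversal from #94 by escaping `/`, but it is an output encoder standing in for input validation: whatever Rails will still resolve as a template name after encoding gets rendered, and `.` is not among the characters `url_encode` escapes, so the guarantee rests on template-resolver behaviour rather than on the wizard's own step list. A Wicked controller declares its steps, so the direct fix is an allowlist check before this line, e.g. `raise ActionController::RoutingError, "Unknown step: #{the_step}" unless steps.map(&:to_s).include?(the_step.to_s)` — hedged, since the `steps` accessor is not visible in this hunk. That would also turn the `ActionView::MissingTemplate` an unknown step now raises (a 500 in production, as the new security test pins) into a controlled 404, and would keep holding if a later Rails changes how `render` treats encoded names. The enclosing method starts above this hunk.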
@@ -0,0 +1,23 @@
1
+ require 'test_helper'
2
+
3
+ class SecurityTest < ActiveSupport::IntegrationCase
4
+
5
+ test 'does not show database.yml' do
6
+ step = "%2E%2F%2E%2E%2F%2E%2E%2Fconfig%2Fdatabase%2Eyml"
7
+ assert_raise ActionView::MissingTemplate do
8
+ visit(bar_path(step))
9
+ end
10
+ refute has_content?('sqlite3')
11
+ end
12
+
13
+ # only works on *nix systems
14
+ test 'does not show arbitrary system file' do
15
+ root = '%2E%2F%2E' * 100 # root of system
16
+ step = root + '%2Fusr%2Fshare%2Fdict%2Fwords'
17
+
18
+ assert_raise ActionView::MissingTemplate do
19
+ visit(bar_path(step))
20
+ end
21
+ refute has_content?('aardvark')
22
+ end
23
+ end
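Review bot: Both tests pass vacuously when the target file is absent: `assert_raise ActionView::MissingTemplate` is satisfied by a nonexistent `config/database.yml` or `/usr/share/dict/words` even on the unpatched code, so the "*nix only" test proves nothing on a host without the dictionary and the first test proves nothing if the dummy app ships no `database.yml`. Make the precondition explicit so a missing fixture is a skip or a failure rather than a silent pass, e.g. `skip 'no system dictionary' unless File.readable?('/usr/share/dict/words')` at the top of the second test, and an `assert File.exist?(...)` on the dummy app's `database.yml` in the first (its location is not visible here). The `refute has_content?` lines run after `visit` has already raised, so they most likely inspect whatever page was loaded before rather than the attacked response; once the precondition is asserted they add little and could be dropped.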
@@ -5,11 +5,11 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = "wicked"
8
- s.version = "1.0.0"
8
+ s.version = "1.0.1"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["schneems"]
12
- s.date = "2013-08-03"
12
+ s.date = "2013-10-08"
13
13
  s.description = "Wicked is a Rails engine for producing easy wizard controllers"
14
14
  s.email = "richard.schneeman@gmail.com"
15
15
  s.extra_rdoc_files = [
@@ -103,6 +103,7 @@ Gem::Specification.new do |s|
103
103
  "test/integration/navigation_test.rb",
104
104
  "test/integration/nested_builder_test.rb",
105
105
  "test/integration/redirect_to_next_test.rb",
106
+ "test/integration/security_test.rb",
106
107
  "test/integration/steps_test.rb",
107
108
  "test/support/integration_case.rb",
108
109
  "test/test_helper.rb",
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: wicked
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.0.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-08-03 00:00:00.000000000 Z
12
+ date: 2013-10-08 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rails
@@ -217,6 +217,7 @@ files:
217
217
  - test/integration/navigation_test.rb
218
218
  - test/integration/nested_builder_test.rb
219
219
  - test/integration/redirect_to_next_test.rb
220
+ - test/integration/security_test.rb
220
221
  - test/integration/steps_test.rb
221
222
  - test/support/integration_case.rb
222
223
  - test/test_helper.rb
@@ -237,7 +238,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
237
238
  version: '0'
238
239
  segments:
239
240
  - 0
240
- hash: 3122053690204350933
241
+ hash: -4073254236286297794
241
242
  required_rubygems_version: !ruby/object:Gem::Requirement
242
243
  none: false
243
244
  requirements: