wicked 1.0.1 → 1.0.2

data/.rvmrc

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-ruby_string="ruby-1.9.2-p290"
+ruby_string="ruby-1.9.3"
 gemset_name="wicked"
 
 if rvm list strings | grep -q "${ruby_string}" ; then

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.0.2 (8/15/2013)
+
+* Contains Security updates plz upgrade
+* Only allow params[:id] to be used as step if in valid list
+* Better redirect handling thanks @gabrielg
+
 ## 1.0.1 (8/08/2013)
 
 * Fix security issue #94

data/VERSION

@@ -1 +1 @@
-1.0.1
+1.0.2

data/lib/wicked/controller/concerns/render_redirect.rb

@@ -26,7 +26,7 @@ module Wicked::Controller::Concerns::RenderRedirect
     if the_step.nil? || the_step.to_s == Wicked::FINISH_STEP
       redirect_to_finish_wizard options
     else
-      render ERB::Util.url_encode(the_step), options
+      render the_step, options
     end
   end
 

data/lib/wicked/wizard.rb

@@ -2,6 +2,18 @@ module Wicked
   module Wizard
     extend ActiveSupport::Concern
 
+    class InvalidStepError < RuntimeError
+      def initialize
+        super "The requested step did not match any steps defined for this controller."
+      end
+    end
+
+    class UndefinedStepsError < RuntimeError
+      def initialize
+        super "No step definitions have been supplied; if setting via `before_filter`, use `prepend_before_filter`"
+      end
+    end
+
     # Include the modules!!
     include Wicked::Controller::Concerns::Path
     include Wicked::Controller::Concerns::RenderRedirect
@@ -19,7 +31,7 @@ module Wicked
 
     # forward to first step with whatever params are provided
     def index
-      redirect_to wizard_path(steps.first, clean_params)
+      redirect_to "#{wizard_path(steps.first)}?#{request.query_parameters.to_query}"
     end
 
     # returns the canonical value for a step name, needed for translation support
@@ -29,25 +41,26 @@ module Wicked
 
     private
 
-    def clean_params
-      params.except(:action, :controller)
-    end
-
     def check_redirect_to_first_last!(step)
       redirect_to wizard_path(steps.first) if step.to_s == Wicked::FIRST_STEP
       redirect_to wizard_path(steps.last)  if step.to_s == Wicked::LAST_STEP
     end
 
     def setup_step_from(the_step)
-      the_step = the_step || steps.try(:first)
+      return if steps.nil?
+
+      the_step ||= steps.first
       check_redirect_to_first_last!(the_step)
-      step = steps.detect {|stp| stp.to_s == the_step } if steps.present? && the_step.present?
-      return step || the_step
+
+      valid_steps = steps + self.class::PROTECTED_STEPS
+      the_step = valid_steps.detect { |stp| stp.to_s == the_step }
+
+      raise InvalidStepError if the_step.nil?
+      the_step
     end
 
-    def check_steps!(the_step)
-      return false if step.nil?
-      raise "Wicked Wizard steps expected but not yet set, if setting via `before_filter` use `prepend_before_filter`" if steps.nil?
+    def check_steps!
+      raise UndefinedStepsError if steps.nil?
     end
 
     def set_previous_next(step)
@@ -56,8 +69,10 @@ module Wicked
     end
 
     def setup_wizard
+      check_steps!
+      return if params[:id].nil?
+
       @step = setup_step_from(params[:id])
-      check_steps!(@step)
       set_previous_next(@step)
     end
     public

data/lib/wicked/wizard/translated.rb

@@ -79,9 +79,7 @@ module Wicked
       #
       def setup_wizard_translated
         self.steps = wizard_translations.keys     # must come before setting previous/next steps
-        @step      = setup_step_from(params[:id])
-        check_steps!(@step)
-        set_previous_next(@step)
+        setup_wizard
       end
       public
     end

data/test/integration/navigation_test.rb

@@ -41,7 +41,7 @@ class IncludeNavigationTest < ActiveSupport::IntegrationCase
 
   test 'invalid step' do
     step = :notastep
-    assert_raise(ActionView::MissingTemplate) do
+    assert_raise(Wicked::Wizard::InvalidStepError) do
       visit(bar_path(step))
     end
   end

data/test/integration/security_test.rb

@@ -4,7 +4,7 @@ class SecurityTest < ActiveSupport::IntegrationCase
 
   test 'does not show database.yml' do
     step = "%2E%2F%2E%2E%2F%2E%2E%2Fconfig%2Fdatabase%2Eyml"
-    assert_raise ActionView::MissingTemplate do
+    assert_raise(Wicked::Wizard::InvalidStepError) do
       visit(bar_path(step))
     end
     refute has_content?('sqlite3')
@@ -15,7 +15,7 @@ class SecurityTest < ActiveSupport::IntegrationCase
     root = '%2E%2F%2E' * 100 # root of system
     step = root + '%2Fusr%2Fshare%2Fdict%2Fwords'
 
-    assert_raise ActionView::MissingTemplate do
+    assert_raise(Wicked::Wizard::InvalidStepError) do
       visit(bar_path(step))
     end
     refute has_content?('aardvark')

data/wicked.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "wicked"
-  s.version = "1.0.1"
+  s.version = "1.0.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["schneems"]
-  s.date = "2013-10-08"
+  s.date = "2013-10-16"
   s.description = "Wicked is a Rails engine for producing easy wizard controllers"
   s.email = "richard.schneeman@gmail.com"
   s.extra_rdoc_files = [

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wicked
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-08 00:00:00.000000000 Z
+date: 2013-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -238,7 +238,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -4073254236286297794
+      hash: 3158381855714249075
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: