authorRafael Mendonça França <rafaelmfranca@gmail.com>2015-06-16 17:14:16 -0300
committerRafael Mendonça França <rafaelmfranca@gmail.com>2015-06-16 17:14:16 -0300
commit2077091230b63b6d06fd572ddcea809cae5e7ef6 (patch)
tree0331b4a43eeae85411caa102b417e7436720ec5c
parentb344986bc3d94ca7821fc5e0eef1874882ac6cbb (diff)
parent9dc8ddc39424818a3d713a353353ac20cb431218 (diff)
Merge branch '3-2-sec' into 3-2-stable
-rw-r--r--RAILS_VERSION2
-rw-r--r--RELEASING_RAILS.rdoc3
-rw-r--r--actionmailer/CHANGELOG.md5
-rw-r--r--actionmailer/lib/action_mailer/version.rb2
-rw-r--r--actionpack/CHANGELOG.md5
-rw-r--r--actionpack/lib/action_pack/version.rb2
-rw-r--r--activemodel/CHANGELOG.md5
-rw-r--r--activemodel/lib/active_model/version.rb2
-rw-r--r--activerecord/CHANGELOG.md5
-rw-r--r--activerecord/lib/active_record/version.rb2
-rw-r--r--activeresource/CHANGELOG.md5
-rw-r--r--activeresource/lib/active_resource/version.rb2
-rw-r--r--activesupport/CHANGELOG.md9
-rw-r--r--activesupport/lib/active_support/version.rb2
-rw-r--r--activesupport/lib/active_support/xml_mini.rb3
-rw-r--r--activesupport/lib/active_support/xml_mini/jdom.rb11
-rw-r--r--activesupport/lib/active_support/xml_mini/rexml.rb11
-rw-r--r--railties/CHANGELOG.md5
-rw-r--r--railties/lib/rails/version.rb2
-rw-r--r--version.rb2
20 files changed, 63 insertions, 22 deletions
diff --git a/RAILS_VERSION b/RAILS_VERSION
index 66870d92b1..0698331f6a 100644
--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-3.2.21
+3.2.22
diff --git a/RELEASING_RAILS.rdoc b/RELEASING_RAILS.rdoc
index 7bad1d01b8..f9fdd0f687 100644
--- a/RELEASING_RAILS.rdoc
+++ b/RELEASING_RAILS.rdoc
@@ -105,9 +105,6 @@ then realise it is broken.
=== Release the gem.
-IMPORTANT: Due to YAML parse problems on the rubygems.org server, it is safest
-to use Ruby 1.8 when releasing.
-
Run `rake release`. This will populate the gemspecs with data from
RAILS_VERSION, commit the changes, tag it, and push the gems to rubygems.org.
Here are the commands that `rake release` should use, so you can understand
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
index d7ed55ef4c..76d8028dc6 100644
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 3.2.22 (Jun 16, 2015) ##
+
+* No changes.
+
+
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb
index b1d18690eb..ef12355cd7 100644
--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 15fc0af20e..b4cd115cf4 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 3.2.22 (Jun 16, 2015) ##
+
+* No changes.
+
+
## Rails 3.2.19 (Jul 2, 2014) ##
* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 6d37c72867..f608225e63 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index 4f2e4e1959..50a4852f63 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 3.2.22 (Jun 16, 2015) ##
+
+* No changes.
+
+
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb
index 73ef6f9c6d..a44ecbdb41 100644
--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index 0334f4454e..34d14f1a80 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 3.2.22 (Jun 16, 2015) ##
+
+* No changes.
+
+
## Rails 3.2.19 (Jul 2, 2014) ##
* Fix SQL Injection Vulnerability in 'bitstring' quoting.
diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
index 2b18007bff..f964aef280 100644
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md
index 64509399e8..e88d9982b9 100644
--- a/activeresource/CHANGELOG.md
+++ b/activeresource/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 3.2.19 (Jun 16, 2015) ##
+
+* No changes.
+
+
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb
index 186c983c02..aa9c06cad2 100644
--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 6123be4ab4..6b88ab8343 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,12 @@
+## Rails 3.2.22 (Jun 16, 2015) ##
+
+* Fix denial of service vulnerability in the XML processing.
+
+ CVE-2015-3227.
+
+ *Aaron Patterson*
+
+
## Rails 3.2.19 (Jul 2, 2014) ##
* Make sure Active Support configurations are applied correctly.
diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index c6ce40f0fd..4ff3b521a5 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/activesupport/lib/active_support/xml_mini.rb b/activesupport/lib/active_support/xml_mini.rb
index a4ac1d7041..afe9c4a3e9 100644
--- a/activesupport/lib/active_support/xml_mini.rb
+++ b/activesupport/lib/active_support/xml_mini.rb
@@ -77,6 +77,9 @@ module ActiveSupport
end
attr_reader :backend
+ attr_accessor :depth
+ self.depth = 100
+
delegate :parse, :to => :backend
def backend=(name)
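Review bot: The new `attr_accessor :depth` and its default `self.depth = 100` are undocumented and unvalidated, and the guards this commit adds compare with `== 0`, so a negative setting would never trip them and a `nil` setting would fail on `depth - 1` instead of acting as a limit. A comment above the accessor such as `# Maximum element nesting depth converted by parse; deeper documents raise.` would tell operators what the setting controls. In this diff only the JDOM and REXML backends read `XmlMini.depth`; whether the other backends enforce the limit is not visible here and is worth confirming. The enclosing module body starts and ends outside the hunk.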
diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb
index 8d23ce4e18..8d64bc2aa2 100644
--- a/activesupport/lib/active_support/xml_mini/jdom.rb
+++ b/activesupport/lib/active_support/xml_mini/jdom.rb
@@ -47,7 +47,7 @@ module ActiveSupport
xml_string_reader = StringReader.new(data)
xml_input_source = InputSource.new(xml_string_reader)
doc = @dbf.new_document_builder.parse(xml_input_source)
- merge_element!({CONTENT_KEY => ''}, doc.document_element)
+ merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth)
end
end
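Review bot: The depth limit is applied only after `@dbf.new_document_builder.parse(xml_input_source)` has built the whole document, so it bounds the recursion in `merge_element!`/`collapse` rather than the parser's own work. The same ordering is visible in rexml.rb, where `REXML::Document.new(data)` runs before `merge_element!({}, doc.root, XmlMini.depth)`. A comment on `parse` such as `# XmlMini.depth bounds hash conversion only; limit request body size separately.` would keep readers from treating it as a general input limit. `parse` begins outside this hunk.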
@@ -59,9 +59,10 @@ module ActiveSupport
# Hash to merge the converted element into.
# element::
# XML element to merge into hash
- def merge_element!(hash, element)
+ def merge_element!(hash, element, depth)
+ raise 'Document too deep!' if depth == 0
delete_empty(hash)
- merge!(hash, element.tag_name, collapse(element))
+ merge!(hash, element.tag_name, collapse(element, depth))
end
def delete_empty(hash)
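Review bot: `raise 'Document too deep!' if depth == 0` raises a bare RuntimeError, while the REXML backend raises `REXML::ParseException` for the same condition, so callers cannot rescue one error type for an over-deep document across backends. Raising a dedicated error class shared by the backends would make the rejection catchable and loggable as a parse failure. Writing the guard as `if depth <= 0`, here and in the rexml.rb `merge_element!`, would also stop a negative `XmlMini.depth` from disabling the check. The rdoc parameter list above `merge_element!` still names only `hash::` and `element::`; a `depth::` entry ("remaining nesting levels allowed") is missing here, on `collapse` in the next hunk, and on both methods in rexml.rb.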
@@ -72,14 +73,14 @@ module ActiveSupport
#
# element::
# The document element to be collapsed.
- def collapse(element)
+ def collapse(element, depth)
hash = get_attributes(element)
child_nodes = element.child_nodes
if child_nodes.length > 0
for i in 0...child_nodes.length
child = child_nodes.item(i)
- merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE
+ merge_element!(hash, child, depth - 1) unless child.node_type == Node.TEXT_NODE
end
merge_texts!(hash, element) unless empty_content?(element)
hash
diff --git a/activesupport/lib/active_support/xml_mini/rexml.rb b/activesupport/lib/active_support/xml_mini/rexml.rb
index a13ad10118..cb2a4f43a8 100644
--- a/activesupport/lib/active_support/xml_mini/rexml.rb
+++ b/activesupport/lib/active_support/xml_mini/rexml.rb
@@ -30,7 +30,7 @@ module ActiveSupport
doc = REXML::Document.new(data)
if doc.root
- merge_element!({}, doc.root)
+ merge_element!({}, doc.root, XmlMini.depth)
else
raise REXML::ParseException,
"The document #{doc.to_s.inspect} does not have a valid root"
@@ -45,19 +45,20 @@ module ActiveSupport
# Hash to merge the converted element into.
# element::
# XML element to merge into hash
- def merge_element!(hash, element)
- merge!(hash, element.name, collapse(element))
+ def merge_element!(hash, element, depth)
+ raise REXML::ParseException, "The document is too deep" if depth == 0
+ merge!(hash, element.name, collapse(element, depth))
end
# Actually converts an XML document element into a data structure.
#
# element::
# The document element to be collapsed.
- def collapse(element)
+ def collapse(element, depth)
hash = get_attributes(element)
if element.has_elements?
- element.each_element {|child| merge_element!(hash, child) }
+ element.each_element {|child| merge_element!(hash, child, depth - 1) }
merge_texts!(hash, element) unless empty_content?(element)
hash
else
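Review bot: No test accompanies the new depth guard: the diffstat for this commit lists no test file, so nothing pins that a document nested past `XmlMini.depth` is rejected or that one within the limit still parses. A case per backend that temporarily lowers `XmlMini.depth`, parses a small nested document on either side of the limit, and asserts the raise would catch an off-by-one in the `depth - 1` hand-off inside `each_element`. The same gap applies to the JDOM hunks. `collapse` continues past the end of this hunk.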
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 0ff661cc9f..7b82fe5361 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 3.2.22 (Jun 16, 2015) ##
+
+* No changes.
+
+
## Rails 3.2.19 (Jul 2, 2014) ##
* No changes.
diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb
index 6689169256..9a42f80024 100644
--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/version.rb b/version.rb
index 6689169256..9a42f80024 100644
--- a/version.rb
+++ b/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 21
+ TINY = 22
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')