author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:23:48 -0800 |
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:23:48 -0800 |
commit | 3b4398bb605cc7b6f475bf76c19aa0702700a199 (patch) | |
tree | 13285c577d9b6aff2fde072a2030b0468a775423 /actionpack/lib | |
parent | d25e79fba6090d56769da6f0fbb401bb1afdb28a (diff) | |
parent | 8d86637fb64ae8ae81ab71a286ddba02cc3144a4 (diff) | |
Merge branch '3-2-sec' into 3-2-stable
* 3-2-sec:
bumping version
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 7 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/http/mime_type.rb | 18 | ||||
-rw-r--r-- | actionpack/lib/action_pack/version.rb | 2 | ||||
-rw-r--r-- | actionpack/lib/action_view/template/resolver.rb | 17 |
4 files changed, 40 insertions, 4 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index fe4ab65bba..2ae516097a 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -1,5 +1,6 @@
require 'active_support/base64'
require 'active_support/core_ext/object/blank'
+require 'active_support/security_utils'
module ActionController
module HttpAuthentication
@@ -111,7 +112,11 @@ module ActionController
def http_basic_authenticate_with(options = {})
before_filter(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
- name == options[:name] && password == options[:password]
+ # This comparison uses & so that it doesn't short circuit and
+ # uses `variable_size_secure_compare` so that length information
+ # isn't leaked.
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
end
end
end
diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
index 2152351703..be0088b562 100644
--- a/actionpack/lib/action_dispatch/http/mime_type.rb
+++ b/actionpack/lib/action_dispatch/http/mime_type.rb
@@ -22,7 +22,7 @@ module Mime
SET = Mimes.new
EXTENSION_LOOKUP = {}
- LOOKUP = Hash.new { |h, k| h[k] = Type.new(k) unless k.blank? }
+ LOOKUP = {}
def self.[](type)
return type if type.is_a?(Type)
@@ -85,7 +85,7 @@ module Mime
Q_SEPARATOR_REGEXP = /;\s*q=/
def lookup(string)
- LOOKUP[string]
+ LOOKUP[string] || Type.new(string)
end
def lookup_by_extension(extension)
@@ -204,9 +204,12 @@ module Mime
end
end
+ attr_reader :hash
+
def initialize(string, symbol = nil, synonyms = [])
@symbol, @synonyms = symbol, synonyms
@string = string
+ @hash = [@string, @synonyms, @symbol].hash
end
def to_s
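Review bot: The new comparison in http_basic_authenticate_with hands `name`, `password`, `options[:name]` and `options[:password]` to `variable_size_secure_compare` unguarded; if that helper hashes its arguments before comparing (it is required at the top of the hunk but not visible here), a malformed Authorization header that leaves `password` nil, or an unset `options[:password]`, would raise inside the filter instead of returning false as the removed `==` did. Coercing both operands keeps the constant-time property and the old failure mode: `ActiveSupport::SecurityUtils.variable_size_secure_compare(name.to_s, options[:name].to_s) &` and `ActiveSupport::SecurityUtils.variable_size_secure_compare(password.to_s, options[:password].to_s)`. The filter block and the enclosing method both close inside the hunk.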
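Review bot: `lookup` in mime_type.rb loses the blank guard the removed `LOOKUP` default proc had: `LOOKUP[string] || Type.new(string)` now builds a `Type` for `nil` or `""`, where `h[k] = Type.new(k) unless k.blank?` returned nil. Unless a caller is known to depend on a Type for blank input, `LOOKUP[string] || (Type.new(string) unless string.blank?)` preserves the old contract while still keeping attacker-chosen strings out of the shared table, which is what "stop caching mime types globally" in the commit message appears to be after. In the `initialize` hunk, `@hash` is computed once from `@string`, `@synonyms` and `@symbol`, so it only stays consistent with an `eql?` that reads the live instance variables as long as `@synonyms` is never mutated after construction; a comment on the `attr_reader :hash` line such as `# memoized in initialize; assumes @string/@synonyms/@symbol are not mutated afterwards` would record that assumption.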
@@ -240,6 +243,13 @@ module Mime
end
end
+ def eql?(other)
+ super || (self.class == other.class &&
+ @string == other.string &&
+ @synonyms == other.synonyms &&
+ @symbol == other.symbol)
+ end
+
def =~(mime_type)
return false if mime_type.blank?
regexp = Regexp.new(Regexp.quote(mime_type.to_s))
@@ -262,6 +272,10 @@ module Mime
super || method.to_s =~ /(\w+)\?$/
end
+ protected
+
+ attr_reader :string, :synonyms
+
private
def method_missing(method, *args)
if method.to_s =~ /(\w+)\?$/
diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index f608225e63..f9cbb645c5 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -3,7 +3,7 @@ module ActionPack
MAJOR = 3
MINOR = 2
TINY = 22
- PRE = nil
+ PRE = "1"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
end
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 47ea8a3c9b..c6db6685e4 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -110,6 +110,9 @@ module ActionView
super()
end
+ cattr_accessor :allow_external_files, instance_reader: false, instance_writer: false
+ self.allow_external_files = false
+
private
def find_templates(name, prefix, partial, details)
@@ -122,6 +125,10 @@ module ActionView
template_paths = find_template_paths query
+ unless self.class.allow_external_files
+ template_paths = reject_files_external_to_app(template_paths)
+ end
+
template_paths.map { |template|
handler, format = extract_handler_and_format(template, formats)
contents = File.binread template
@@ -133,6 +140,10 @@ module ActionView
}
end
+ def reject_files_external_to_app(files)
+ files.reject { |filename| !inside_path?(@path, filename) }
+ end
+
if RUBY_VERSION >= '2.2.0'
def find_template_paths(query)
Dir[query].reject { |filename|
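Review bot: `reject_files_external_to_app` in resolver.rb is a double negative, `files.reject { |filename| !inside_path?(@path, filename) }`; `files.select { |filename| inside_path?(@path, filename) }` reads as the allow-list it is and avoids the `!` in a block. The helper also relies on `@path` being set on every resolver whose query reaches the new `unless self.class.allow_external_files` branch, and neither that hunk nor this one shows where `@path` is assigned, so a subclass that never sets it would presumably fail in `File.join(nil, '')` rather than filter; worth confirming against the resolver hierarchy. Since the filter runs on the result of `find_template_paths query`, it gates which files are read with `File.binread`, not which paths `Dir[query]` enumerates, and a header comment should say so: `# Drops template paths that resolved outside this resolver's root; only skipped when allow_external_files is set.` The method enclosing the `@@ -122` hunk starts and ends outside it.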
@@ -153,6 +164,12 @@ module ActionView
end
end
+ def inside_path?(path, filename)
+ filename = File.expand_path(filename)
+ path = File.join(path, '')
+ filename.start_with?(path)
+ end
+
# Helper for building query glob string based on resolver's pattern.
def build_query(path, details)
query = @pattern.dup |
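Review bot: `inside_path?` expands `filename` but not `path`, so the prefix test is only as strong as the caller's `path` already being absolute and normalized; `path = File.join(File.expand_path(path), '')` makes the helper self-contained regardless of how `@path` was built. `File.expand_path` does not resolve symlinks, so a link placed inside the view root that points elsewhere still passes; if that is the intended behaviour (view directories are commonly symlinked in deployments), record it so nobody "fixes" it with `File.realpath` unawares: `# Prefix check on the expanded path; symlinks are deliberately not resolved.` The trailing separator that `File.join(path, '')` adds is what stops a sibling directory with the same prefix from matching, which deserves a one-line comment as well.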