authorAaron Patterson <aaron.patterson@gmail.com>2013-03-18 10:17:04 -0700
committerAaron Patterson <aaron.patterson@gmail.com>2013-03-18 10:17:04 -0700
commitafcd01bf25c0d7742d07b10dd8a465cffef4b9fe (patch)
treea486bd447e95fb4e8b1cbc195c28b23efd335a1c /activesupport/lib/active_support
parent491d6916c976c40bb8e0f0992f35d85ff7169d89 (diff)
parenta4b55827721a5967299f3c1531afb3d6d81e4ac0 (diff)
Merge branch '3-2-13' into 3-2-stable
* 3-2-13: bumping to 3.2.13 fix protocol checking in sanitization [CVE-2013-1857] JDOM XXE Protection [CVE-2013-1856] fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] stop calling to_sym when building arel nodes [CVE-2013-1854] Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets bumping to rc2 Revert "Merge pull request #8209 from senny/backport_8176" Freeze columns only once per Result Preparing for 3.2.13.rc1 release Update CHANGELOGs for 3.2.13 release. Conflicts: actionmailer/CHANGELOG.md actionpack/CHANGELOG.md activemodel/CHANGELOG.md activeresource/CHANGELOG.md activesupport/CHANGELOG.md railties/CHANGELOG.md
Diffstat (limited to 'activesupport/lib/active_support')
-rw-r--r--activesupport/lib/active_support/version.rb2
-rw-r--r--activesupport/lib/active_support/xml_mini/jdom.rb6
2 files changed, 7 insertions, 1 deletions
diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index 2230c5b78e..03b1e511d9 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 12
+ TINY = 13
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
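diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb
index 6c222b83ba..8d23ce4e18 100644
--- a/activesupport/lib/active_support/xml_mini/jdom.rb
+++ b/activesupport/lib/active_support/xml_mini/jdom.rb
@@ -38,6 +38,12 @@ module ActiveSupport
 {}
 else
 @dbf = DocumentBuilderFactory.new_instance
+ # secure processing of java xml
+ # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
+ @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+ @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+ @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+ @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
 xml_string_reader = StringReader.new(data)
 xml_input_source = InputSource.new(xml_string_reader)
 doc = @dbf.new_document_builder.parse(xml_input_source)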
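Review bot: The four features set on `@dbf` before `new_document_builder` is called stop external DTD and entity resolution, but an entity declared in an inline `<!DOCTYPE>` is still expanded, so protection against entity-expansion amplification rests only on the implementation-defined limits behind `FEATURE_SECURE_PROCESSING`; if this backend has no need to accept documents carrying a DOCTYPE, `@dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` closes that gap outright and is supported by the same Xerces parser the existing `apache.org` feature already assumes. `setFeature` raises a `ParserConfigurationException` when the underlying JAXP implementation does not recognise a feature, so on a non-Xerces runtime the parse fails closed rather than running unprotected, which is worth stating in a comment since callers will see a Java exception instead of a parsed document. The comment above the feature calls could also name the risk rather than only linking to it: `# Disable external DTD/entity resolution to block XXE (CVE-2013-1856)`. The enclosing method (presumably the backend's parse routine) begins before this hunk and continues past it.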