Revert "Merge branch 'master-sec'"

This reverts commit 88cc1688d0cb828c17706b41a8bd27870f2a2beb, reversing
changes made to f049016cd348627bf8db0d72382d7580bf802a79.

3 files changed, 10 insertions, 52 deletions

diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 5848f9712f..08bec2f4ae 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,12 +1,5 @@
 ## Rails 4.0.0 (unreleased) ##
 
-*   Hash.from_xml raises when it encounters type="symbol" or type="yaml".
-    Use Hash.from_trusted_xml to parse this XML.
-
-    CVE-2013-0156
-
-    *Jeremy Kemper*
-
 *   Deprecate `assert_present` and `assert_blank` in favor of
     `assert object.blank?` and `assert object.present?`
 
diff --git a/activesupport/lib/active_support/core_ext/hash/conversions.rb b/activesupport/lib/active_support/core_ext/hash/conversions.rb
index 8930376ac8..6cb7434e5f 100644
--- a/activesupport/lib/active_support/core_ext/hash/conversions.rb
+++ b/activesupport/lib/active_support/core_ext/hash/conversions.rb
@@ -101,33 +101,17 @@ class Hash
     #
     #   hash = Hash.from_xml(xml)
     #   # => {"hash"=>{"foo"=>1, "bar"=>2}}
-    #
-    # DisallowedType is raise if the XML contains attributes with <tt>type="yaml"</tt> or
-    # <tt>type="symbol"</tt>. Use <tt>Hash.from_trusted_xml</tt> to parse this XML.
-    def from_xml(xml, disallowed_types = nil)
-      ActiveSupport::XMLConverter.new(xml, disallowed_types).to_h
+    def from_xml(xml)
+      ActiveSupport::XMLConverter.new(xml).to_h
     end
 
-    # Builds a Hash from XML just like <tt>Hash.from_xml</tt>, but also allows Symbol and YAML.
-    def from_trusted_xml(xml)
-      from_xml xml, []
-    end
   end
 end
 
 module ActiveSupport
   class XMLConverter # :nodoc:
-    class DisallowedType < StandardError
-      def initialize(type)
-        super "Disallowed type attribute: #{type.inspect}"
-      end
-    end
-
-    DISALLOWED_TYPES = %w(symbol yaml)
-
-    def initialize(xml, disallowed_types = nil)
+    def initialize(xml)
       @xml = normalize_keys(XmlMini.parse(xml))
-      @disallowed_types = disallowed_types || DISALLOWED_TYPES
     end
 
     def to_h
@@ -135,6 +119,7 @@ module ActiveSupport
     end
 
     private
+
       def normalize_keys(params)
         case params
           when Hash
@@ -160,10 +145,6 @@ module ActiveSupport
       end
 
       def process_hash(value)
-        if value.include?('type') && !value['type'].is_a?(Hash) && @disallowed_types.include?(value['type'])
-          raise DisallowedType, value['type']
-        end
-
         if become_array?(value)
           _, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) })
           if entries.nil? || value['__content__'].try(:empty?)
diff --git a/activesupport/test/core_ext/hash_ext_test.rb b/activesupport/test/core_ext/hash_ext_test.rb
index 30d95b75bc..84dd9bc983 100644
--- a/activesupport/test/core_ext/hash_ext_test.rb
+++ b/activesupport/test/core_ext/hash_ext_test.rb
@@ -1015,10 +1015,12 @@ class HashToXmlTest < ActiveSupport::TestCase
         <replies-close-in type="integer">2592000000</replies-close-in>
         <written-on type="date">2003-07-16</written-on>
         <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
+        <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n</content>
         <author-email-address>david@loudthinking.com</author-email-address>
         <parent-id></parent-id>
         <ad-revenue type="decimal">1.5</ad-revenue>
         <optimum-viewing-angle type="float">135</optimum-viewing-angle>
+        <resident type="symbol">yes</resident>
       </topic>
     EOT
 
@@ -1031,10 +1033,12 @@ class HashToXmlTest < ActiveSupport::TestCase
       :replies_close_in => 2592000000,
       :written_on => Date.new(2003, 7, 16),
       :viewed_at => Time.utc(2003, 7, 16, 9, 28),
+      :content => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
       :author_email_address => "david@loudthinking.com",
       :parent_id => nil,
       :ad_revenue => BigDecimal("1.50"),
       :optimum_viewing_angle => 135.0,
+      :resident => :yes
     }.stringify_keys
 
     assert_equal expected_topic_hash, Hash.from_xml(topic_xml)["topic"]
@@ -1048,6 +1052,7 @@ class HashToXmlTest < ActiveSupport::TestCase
         <approved type="boolean"></approved>
         <written-on type="date"></written-on>
         <viewed-at type="datetime"></viewed-at>
+        <content type="yaml"></content>
         <parent-id></parent-id>
       </topic>
     EOT
@@ -1058,6 +1063,7 @@ class HashToXmlTest < ActiveSupport::TestCase
       :approved   => nil,
       :written_on => nil,
       :viewed_at  => nil,
+      :content    => nil,
       :parent_id  => nil
     }.stringify_keys
 
@@ -1284,28 +1290,6 @@ class HashToXmlTest < ActiveSupport::TestCase
     assert_equal expected_product_hash, Hash.from_xml(product_xml)["product"]
   end
 
-  def test_from_xml_raises_on_disallowed_type_attributes
-    assert_raise ActiveSupport::XMLConverter::DisallowedType do
-      Hash.from_xml '<product><name type="foo">value</name></product>', %w(foo)
-    end
-  end
-
-  def test_from_xml_disallows_symbol_and_yaml_types_by_default
-    assert_raise ActiveSupport::XMLConverter::DisallowedType do
-      Hash.from_xml '<product><name type="symbol">value</name></product>'
-    end
-
-    assert_raise ActiveSupport::XMLConverter::DisallowedType do
-      Hash.from_xml '<product><name type="yaml">value</name></product>'
-    end
-  end
-
-  def test_from_trusted_xml_allows_symbol_and_yaml_types
-    expected = { 'product' => { 'name' => :value }}
-    assert_equal expected, Hash.from_trusted_xml('<product><name type="symbol">value</name></product>')
-    assert_equal expected, Hash.from_trusted_xml('<product><name type="yaml">:value</name></product>')
-  end
-
   def test_should_use_default_value_for_unknown_key
     hash_wia = HashWithIndifferentAccess.new(3)
     assert_equal 3, hash_wia[:new_key]