-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | RAILS_VERSION | 2 | ||||
-rw-r--r-- | actionmailer/CHANGELOG.md | 15 | ||||
-rw-r--r-- | actionmailer/lib/action_mailer/version.rb | 2 | ||||
-rw-r--r-- | actionpack/CHANGELOG.md | 12 | ||||
-rw-r--r-- | actionpack/lib/abstract_controller/base.rb | 28 | ||||
-rw-r--r-- | actionpack/lib/action_pack/version.rb | 2 | ||||
-rw-r--r-- | actionpack/test/controller/new_base/render_implicit_action_test.rb | 17 | ||||
-rw-r--r-- | activemodel/CHANGELOG.md | 15 | ||||
-rw-r--r-- | activemodel/lib/active_model/version.rb | 2 | ||||
-rw-r--r-- | activerecord/CHANGELOG.md | 15 | ||||
-rw-r--r-- | activerecord/lib/active_record/version.rb | 2 | ||||
-rw-r--r-- | activeresource/CHANGELOG.md | 16 | ||||
-rw-r--r-- | activeresource/lib/active_resource/version.rb | 2 | ||||
-rw-r--r-- | activesupport/CHANGELOG.md | 15 | ||||
-rw-r--r-- | activesupport/lib/active_support/version.rb | 2 | ||||
-rw-r--r-- | railties/CHANGELOG.md | 16 | ||||
-rw-r--r-- | railties/lib/rails/version.rb | 2 | ||||
-rw-r--r-- | version.rb | 2 |
19 files changed, 155 insertions, 14 deletions
@@ -22,7 +22,7 @@ end gem 'uglifier', '>= 1.0.3', :require => false gem 'rake', '>= 0.8.7' -gem 'mocha', '>= 0.13.0', :require => false +gem 'mocha', '~> 0.14', :require => false group :doc do # The current sdoc cannot generate GitHub links due diff --git a/RAILS_VERSION b/RAILS_VERSION index ff8001a0f1..f05489d385 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.17 +3.2.18 diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index b8c375306e..94d3f54bea 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index e33d01ac4c..8212a9b108 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb @@ -2,7 +2,7 @@ module ActionMailer module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index a5dbfbd12d..643e926312 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -5,6 +5,18 @@ *Shota Fukumori (sora_h)* + +## Rails 3.2.18 (May 6, 2014) ## + +* Only accept actions without File::SEPARATOR in the name. + + This will avoid directory traversal in implicit render. + + Fixes: CVE-2014-0130 + + *Rafael Mendonça França* + + ## Rails 3.2.17 (Feb 18, 2014) ## * Use the reference for the mime type to get the format diff --git a/actionpack/lib/abstract_controller/base.rb b/actionpack/lib/abstract_controller/base.rb index fd6a46fbec..2541125ec6 100644 --- a/actionpack/lib/abstract_controller/base.rb +++ b/actionpack/lib/abstract_controller/base.rb 
@@ -112,7 +112,7 @@ module AbstractController def process(action, *args) @_action_name = action_name = action.to_s - unless action_name = method_for_action(action_name) + unless action_name = _find_action_name(action_name) raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}" end @@ -138,7 +138,7 @@ module AbstractController # available action consider actions that are also available # through other means, for example, implicit render ones. def available_action?(action_name) - method_for_action(action_name).present? + _find_action_name(action_name).present? end private @@ -182,6 +182,23 @@ module AbstractController end # Takes an action name and returns the name of the method that will + # handle the action. + # + # It checks if the action name is valid and returns false otherwise. + # + # See method_for_action for more information. + # + # ==== Parameters + # * <tt>action_name</tt> - An action name to find a method name for + # + # ==== Returns + # * <tt>string</tt> - The name of the method that handles the action + # * false - No valid method name could be found. Raise ActionNotFound. + def _find_action_name(action_name) + _valid_action_name?(action_name) && method_for_action(action_name) + end + + # Takes an action name and returns the name of the method that will # handle the action. In normal cases, this method returns the same # name as it receives. By default, if #method_for_action receives # a name that is not an action, it will look for an #action_missing 
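Review bot: The `==== Returns` doc on the new `_find_action_name` says it yields `false` when no valid method is found, but `_valid_action_name?(action_name) && method_for_action(action_name)` yields `nil` whenever the name is valid and `method_for_action` finds nothing, so callers get two different falsy values. Both `process` and `available_action?` (which calls `.present?`) treat them alike, so it is harmless today, but I would document it as `# * false or nil - No valid method name could be found. Raise ActionNotFound.` so nobody later tests `== false`. It is also worth a one-line comment on why the validity check sits outside `method_for_action`, since subclasses that override `method_for_action` (implicit render, not shown here) then inherit the separator check: `# Validated here, not in method_for_action, so overrides cannot bypass the check.` The `process` and `available_action?` bodies in the earlier hunks are only partially visible.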
@@ -203,11 +220,16 @@ module AbstractController # # ==== Returns # * <tt>string</tt> - The name of the method that handles the action - # * <tt>nil</tt> - No method name could be found. Raise ActionNotFound. + # * <tt>nil</tt> - No method name could be found. def method_for_action(action_name) if action_method?(action_name) then action_name elsif respond_to?(:action_missing, true) then "_handle_action_missing" end end + + # Checks if the action name is valid and returns false otherwise. + def _valid_action_name?(action_name) + action_name.to_s !~ Regexp.new(File::SEPARATOR) + end end end diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 4d278814c8..ac6d3343b9 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,7 +2,7 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/actionpack/test/controller/new_base/render_implicit_action_test.rb b/actionpack/test/controller/new_base/render_implicit_action_test.rb index 1e2191d417..5b4885f7e0 100644 --- a/actionpack/test/controller/new_base/render_implicit_action_test.rb +++ b/actionpack/test/controller/new_base/render_implicit_action_test.rb @@ -6,7 +6,7 @@ module RenderImplicitAction "render_implicit_action/simple/hello_world.html.erb" => "Hello world!", "render_implicit_action/simple/hyphen-ated.html.erb" => "Hello hyphen-ated!", "render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented" - )] + ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))] def hello_world() end end 
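Review bot: `_valid_action_name?` rejects only `File::SEPARATOR`, so on platforms where `File::ALT_SEPARATOR` is set (`\` on Windows) an action name such as `..\..\fixtures\shared` still passes the check and reaches template lookup, which makes the "avoid directory traversal" guarantee in the CHANGELOG platform-dependent. Building a `Regexp` from the separator on every call is also unnecessary and would need `Regexp.escape` if the separator were ever a metacharacter; a plain substring check covers both separators: `name = action_name.to_s` / `[File::SEPARATOR, File::ALT_SEPARATOR].compact.none? { |sep| name.include?(sep) }`. Whether the Windows case is actually exploitable depends on the resolver's path handling, which is outside this diff, so treat this as defense in depth rather than a known bypass. The `AbstractController::Base` class continues beyond the hunk.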
@@ -33,10 +33,25 @@ module RenderImplicitAction assert_status 200 end + test "render does not traverse the file system" do + assert_raises(AbstractController::ActionNotFound) do + action_name = %w(.. .. fixtures shared).join(File::SEPARATOR) + SimpleController.action(action_name).call(Rack::MockRequest.env_for("/")) + end + end + test "available_action? returns true for implicit actions" do assert SimpleController.new.available_action?(:hello_world) assert SimpleController.new.available_action?(:"hyphen-ated") assert SimpleController.new.available_action?(:not_implemented) end + + test "available_action? does not allow File::SEPARATOR on the name" do + action_name = %w(evil .. .. path).join(File::SEPARATOR) + assert_equal false, SimpleController.new.available_action?(action_name.to_sym) + + action_name = %w(evil path).join(File::SEPARATOR) + assert_equal false, SimpleController.new.available_action?(action_name.to_sym) + end end end diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index 7db08549d9..fb4bfda149 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index 08d437cbc2..e675c7454c 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -2,7 +2,7 @@ module ActiveModel module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 878e5eeebc..6ac368f379 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md 
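Review bot: The new "render does not traverse the file system" test only asserts that `ActionNotFound` is raised, which is also what an unpatched implicit render would raise if no template existed at the traversed path (the `fixtures/shared` template is referenced only by name here and lives outside this diff), so the test can pass vacuously if that fixture is moved or renamed. I would add a precondition that the traversal target actually resolves through the `FileSystemResolver` added to `SimpleController`, for example asserting the fixture file exists on disk under `File.expand_path('../../../fixtures', __FILE__)` before invoking the action, so a regression cannot hide behind a missing fixture. The `available_action?` test likewise covers only `File::SEPARATOR`; a case guarded by `if File::ALT_SEPARATOR` would document the expected behaviour for backslash-separated names on Windows. The implicit-render fallback behaviour described above is inferred from the test setup rather than shown in this hunk.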
@@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * When calling the method .find_or_initialize_by_* from a collection_proxy diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index cced9eae8f..3dd782af9f 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -2,7 +2,7 @@ module ActiveRecord module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md index c1f0fa3403..4a555cf6b8 100644 --- a/activeresource/CHANGELOG.md +++ b/activeresource/CHANGELOG.md @@ -1,7 +1,23 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. + ## Rails 3.2.14 (Jul 22, 2013) ## * Fixes an issue that ActiveResource models ignores ActiveResource::Base.include_root_in_json. diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index ea9b7a51e9..dee96b8fd8 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -2,7 +2,7 @@ module ActiveResource module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 29f7db53eb..e22aded195 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md 
@@ -1,3 +1,18 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * Fix ActiveSupport::Cache::FileStore#cleanup to no longer rely on missing each_key method. diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index 95faab1dd6..10c9fca86c 100644 --- a/activesupport/lib/active_support/version.rb +++ b/activesupport/lib/active_support/version.rb @@ -2,7 +2,7 @@ module ActiveSupport module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 3e075a8f9f..ce832d12ee 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,7 +1,23 @@ +## Rails 3.2.18 (May 6, 2014) ## + +* No changes. + + +## Rails 3.2.17 (Feb 18, 2014) ## + +* No changes. + + +## Rails 3.2.16 (Dec 3, 2013) ## + +* No changes. + + ## Rails 3.2.15 (Oct 16, 2013) ## * No changes. + ## Rails 3.2.14 (Jul 22, 2013) ## * Fix bugs that crashed `rake test:benchmark`, `rails profiler` and diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index 38890e162d..ec2f5467f0 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/version.rb b/version.rb index 38890e162d..ec2f5467f0 100644 --- a/version.rb +++ b/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 17 + TINY = 18 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') |