Diffstat (limited to 'activesupport/test')
-rw-r--r--activesupport/test/fixtures/xml/jdom_doctype.dtd1
-rw-r--r--activesupport/test/fixtures/xml/jdom_entities.txt1
-rw-r--r--activesupport/test/fixtures/xml/jdom_include.txt1
-rw-r--r--activesupport/test/time_zone_test.rb56
-rw-r--r--activesupport/test/xml_mini/jdom_engine_test.rb39
5 files changed, 95 insertions, 3 deletions
diff --git a/activesupport/test/fixtures/xml/jdom_doctype.dtd b/activesupport/test/fixtures/xml/jdom_doctype.dtd
new file mode 100644
index 0000000000..89480496ef
--- /dev/null
+++ b/activesupport/test/fixtures/xml/jdom_doctype.dtd
@@ -0,0 +1 @@
+<!ENTITY a "external entity">
diff --git a/activesupport/test/fixtures/xml/jdom_entities.txt b/activesupport/test/fixtures/xml/jdom_entities.txt
new file mode 100644
index 0000000000..0337fdaa08
--- /dev/null
+++ b/activesupport/test/fixtures/xml/jdom_entities.txt
@@ -0,0 +1 @@
+<!ENTITY a "hello">
diff --git a/activesupport/test/fixtures/xml/jdom_include.txt b/activesupport/test/fixtures/xml/jdom_include.txt
new file mode 100644
index 0000000000..239ca3afaf
--- /dev/null
+++ b/activesupport/test/fixtures/xml/jdom_include.txt
@@ -0,0 +1 @@
+include me
diff --git a/activesupport/test/time_zone_test.rb b/activesupport/test/time_zone_test.rb
index 8ecfc1e47e..bd4bfca82c 100644
--- a/activesupport/test/time_zone_test.rb
+++ b/activesupport/test/time_zone_test.rb
@@ -198,6 +198,62 @@ class TimeZoneTest < Test::Unit::TestCase
assert_equal Time.utc(1999,12,31,19), twz.time
end
+ def test_parse_should_not_black_out_system_timezone_dst_jump
+ with_env_tz('EET') do
+ zone = ActiveSupport::TimeZone['Pacific Time (US & Canada)']
+ twz = zone.parse('2012-03-25 03:29:00')
+ assert_equal [0, 29, 3, 25, 3, 2012], twz.to_a[0,6]
+ end
+ end
+
+ def test_parse_should_black_out_app_timezone_dst_jump
+ with_env_tz('EET') do
+ zone = ActiveSupport::TimeZone['Pacific Time (US & Canada)']
+ twz = zone.parse('2012-03-11 02:29:00')
+ assert_equal [0, 29, 3, 11, 3, 2012], twz.to_a[0,6]
+ end
+ end
+
+ def test_parse_with_javascript_date
+ zone = ActiveSupport::TimeZone['Eastern Time (US & Canada)']
+ twz = zone.parse("Mon May 28 2012 00:00:00 GMT-0700 (PDT)")
+ assert_equal Time.utc(2012, 5, 28, 7, 0, 0), twz.utc
+ end
+
+ def test_parse_with_missing_time_components
+ zone = ActiveSupport::TimeZone['Eastern Time (US & Canada)']
+ zone.stubs(:now).returns zone.local(1999, 12, 31, 12, 59, 59)
+ twz = zone.parse('2012-12-01')
+ assert_equal Time.utc(2012, 12, 1), twz.time
+ end
+
+ def test_parse_doesnt_use_local_dst
+ with_env_tz 'US/Eastern' do
+ zone = ActiveSupport::TimeZone['UTC']
+ twz = zone.parse('2013-03-10 02:00:00')
+ assert_equal Time.utc(2013, 3, 10, 2, 0, 0), twz.time
+ end
+ end
+
+ def test_parse_handles_dst_jump
+ with_env_tz 'US/Eastern' do
+ zone = ActiveSupport::TimeZone['Eastern Time (US & Canada)']
+ twz = zone.parse('2013-03-10 02:00:00')
+ assert_equal Time.utc(2013, 3, 10, 3, 0, 0), twz.time
+ end
+ end
+
+ def test_parse_with_fractional_seconds
+ zone = ActiveSupport::TimeZone['Eastern Time (US & Canada)']
+ twz = zone.parse('2013-03-13 00:00:00.000001')
+ assert_equal 1, twz.usec
+
+ if twz.respond_to?(:nsec)
+ twz = zone.parse('2013-03-13 00:00:00.000000001')
+ assert_equal 1, twz.nsec
+ end
+ end
+
def test_utc_offset_lazy_loaded_from_tzinfo_when_not_passed_in_to_initialize
tzinfo = TZInfo::Timezone.get('America/New_York')
zone = ActiveSupport::TimeZone.create(tzinfo.name, nil, tzinfo)
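Review bot: The DST tests added in this hunk depend on calendar facts that the code never states: `2012-03-25 03:29:00` falls in the EET spring-forward gap but is an ordinary time in Pacific, while `2012-03-11 02:29:00` falls in the Pacific gap itself. A one-line comment above each `zone.parse` call, for example `# 03:29 on 2012-03-25 does not exist in EET but is valid in Pacific time`, would let a reader check the expected arrays without looking up transition dates. The same applies to `2013-03-10 02:00:00` in `test_parse_doesnt_use_local_dst` and `test_parse_handles_dst_jump`. The enclosing class starts and ends outside the hunk.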
diff --git a/activesupport/test/xml_mini/jdom_engine_test.rb b/activesupport/test/xml_mini/jdom_engine_test.rb
index 7f809e7898..dfe2c417ca 100644
--- a/activesupport/test/xml_mini/jdom_engine_test.rb
+++ b/activesupport/test/xml_mini/jdom_engine_test.rb
@@ -3,9 +3,11 @@ if RUBY_PLATFORM =~ /java/
require 'active_support/xml_mini'
require 'active_support/core_ext/hash/conversions'
- class JDOMEngineTest < Test::Unit::TestCase
+ class JDOMEngineTest < ActiveSupport::TestCase
include ActiveSupport
+ FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'
+
def setup
@default_backend = XmlMini.backend
XmlMini.backend = 'JDOM'
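Review bot: `FILES_DIR` is built by string concatenation from `File.dirname(__FILE__)`, so it can be a relative, un-normalised path, and the tests added in the next hunk interpolate it into `file://#{FILES_DIR}/...` system identifiers. If the test file is loaded through a relative path, the first path segment lands in the URI authority position and the fixture is never addressed, so those tests would presumably no longer distinguish "external entity refused" from "fixture not found". Anchoring it with `FILES_DIR = File.expand_path('../../fixtures/xml', __FILE__)` keeps the URIs pointing at the real fixtures, so the assertions exercise the parser's entity policy. The class body and `setup` continue outside this hunk.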
@@ -30,10 +32,41 @@ if RUBY_PLATFORM =~ /java/
assert_equal 'image/png', file.content_type
end
+ def test_not_allowed_to_expand_entities_to_files
+ attack_xml = <<-EOT
+ <!DOCTYPE member [
+ <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
+ ]>
+ <member>x&a;</member>
+ EOT
+ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+ end
+
+ def test_not_allowed_to_expand_parameter_entities_to_files
+ attack_xml = <<-EOT
+ <!DOCTYPE member [
+ <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
+ %b;
+ ]>
+ <member>x&a;</member>
+ EOT
+ assert_raise Java::OrgXmlSax::SAXParseException do
+ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+ end
+ end
+
+
+ def test_not_allowed_to_load_external_doctypes
+ attack_xml = <<-EOT
+ <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
+ <member>x&a;</member>
+ EOT
+ assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+ end
+
def test_exception_thrown_on_expansion_attack
- assert_raise NativeException do
+ assert_raise Java::OrgXmlSax::SAXParseException do
attack_xml = <<-EOT
- <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">