From 153cc843ad95930b00b0ca91d30b599b7dec9680 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Tue, 9 Jun 2015 11:24:25 -0700 Subject: enforce a depth limit on XML documents XML documents that are too deep can cause an stack overflow, which in turn will cause a potential DoS attack. CVE-2015-3227 Conflicts: activesupport/lib/active_support/xml_mini.rb --- activesupport/lib/active_support/xml_mini.rb | 3 +++ activesupport/lib/active_support/xml_mini/jdom.rb | 11 ++++++----- activesupport/lib/active_support/xml_mini/rexml.rb | 11 ++++++----- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/activesupport/lib/active_support/xml_mini.rb b/activesupport/lib/active_support/xml_mini.rb index a4ac1d7041..afe9c4a3e9 100644 --- a/activesupport/lib/active_support/xml_mini.rb +++ b/activesupport/lib/active_support/xml_mini.rb @@ -77,6 +77,9 @@ module ActiveSupport end attr_reader :backend + attr_accessor :depth + self.depth = 100 + delegate :parse, :to => :backend def backend=(name) diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb index 8d23ce4e18..8d64bc2aa2 100644 --- a/activesupport/lib/active_support/xml_mini/jdom.rb +++ b/activesupport/lib/active_support/xml_mini/jdom.rb @@ -47,7 +47,7 @@ module ActiveSupport xml_string_reader = StringReader.new(data) xml_input_source = InputSource.new(xml_string_reader) doc = @dbf.new_document_builder.parse(xml_input_source) - merge_element!({CONTENT_KEY => ''}, doc.document_element) + merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth) end end 
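Review bot: `depth` is added in the xml_mini.rb hunk without a comment, and its generated writer accepts any value, so neither the meaning nor the safe range of the limit is stated. I would put `# Maximum element nesting depth accepted when a parsed document is converted to a Hash (default 100).` above `attr_accessor :depth`, and mention that the backends read it as `XmlMini.depth`, so it is one process-wide value. The backends in this commit compare with `depth == 0` and pass `depth - 1` down, so a configured `nil` or negative number would not act as a limit. A hand-written writer that rejects non-integer and non-positive values would keep the protection from being switched off by accident. The enclosing module starts and ends outside the hunk.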
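Review bot: The limit passed in `merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth)` only bounds the recursive Hash conversion. The context line above it has already parsed the whole input with `@dbf.new_document_builder.parse(xml_input_source)` before any depth is checked, and the rexml.rb hunk at -30,7 does the same with `REXML::Document.new(data)`. A comment at the call would keep readers from treating `XmlMini.depth` as a bound on parser work or memory, for example `# depth limits the Hash conversion only; the document is already fully parsed here, so input size must be capped elsewhere`. The enclosing method (presumably `parse`) starts outside the hunk.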
@@ -59,9 +59,10 @@ module ActiveSupport # Hash to merge the converted element into. # element:: # XML element to merge into hash - def merge_element!(hash, element) + def merge_element!(hash, element, depth) + raise 'Document too deep!' if depth == 0 delete_empty(hash) - merge!(hash, element.tag_name, collapse(element)) + merge!(hash, element.tag_name, collapse(element, depth)) end def delete_empty(hash) @@ -72,14 +73,14 @@ module ActiveSupport # # element:: # The document element to be collapsed. - def collapse(element) + def collapse(element, depth) hash = get_attributes(element) child_nodes = element.child_nodes if child_nodes.length > 0 for i in 0...child_nodes.length child = child_nodes.item(i) - merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE + merge_element!(hash, child, depth - 1) unless child.node_type == Node.TEXT_NODE end merge_texts!(hash, element) unless empty_content?(element) hash diff --git a/activesupport/lib/active_support/xml_mini/rexml.rb b/activesupport/lib/active_support/xml_mini/rexml.rb index a13ad10118..cb2a4f43a8 100644 --- a/activesupport/lib/active_support/xml_mini/rexml.rb +++ b/activesupport/lib/active_support/xml_mini/rexml.rb @@ -30,7 +30,7 @@ module ActiveSupport doc = REXML::Document.new(data) if doc.root - merge_element!({}, doc.root) + merge_element!({}, doc.root, XmlMini.depth) else raise REXML::ParseException, "The document #{doc.to_s.inspect} does not have a valid root" 
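Review bot: The guard `raise 'Document too deep!' if depth == 0` in jdom.rb's `merge_element!` raises a bare RuntimeError, while the same guard in rexml.rb raises `REXML::ParseException`, so code that rescues parse failures sees a different exception class depending on the backend. Raising one documented error class from both backends would let callers reject an over-deep document in a single rescue. The equality test also fires only at exactly zero; `raise 'Document too deep!' if depth <= 0` here, and the same comparison in rexml.rb, would still stop the recursion if `XmlMini.depth` were set to a negative number. The rdoc comments of `merge_element!` and `collapse` in both files list `hash::` and `element::` but not the new `depth::` argument.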
@@ -45,19 +45,20 @@ module ActiveSupport # Hash to merge the converted element into. # element:: # XML element to merge into hash - def merge_element!(hash, element) - merge!(hash, element.name, collapse(element)) + def merge_element!(hash, element, depth) + raise REXML::ParseException, "The document is too deep" if depth == 0 + merge!(hash, element.name, collapse(element, depth)) end # Actually converts an XML document element into a data structure. # # element:: # The document element to be collapsed. - def collapse(element) + def collapse(element, depth) hash = get_attributes(element) if element.has_elements? - element.each_element {|child| merge_element!(hash, child) } + element.each_element {|child| merge_element!(hash, child, depth - 1) } merge_texts!(hash, element) unless empty_content?(element) hash else -- cgit v1.2.3 From 180aad3a5b405141efde0b73a088aa5accbc683a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 16 Jun 2015 12:31:59 -0300 Subject: Preparing for 3.2.22 release --- RAILS_VERSION | 2 +- actionmailer/CHANGELOG.md | 5 +++++ actionmailer/lib/action_mailer/version.rb | 2 +- actionpack/CHANGELOG.md | 5 +++++ actionpack/lib/action_pack/version.rb | 2 +- activemodel/CHANGELOG.md | 5 +++++ activemodel/lib/active_model/version.rb | 2 +- activerecord/CHANGELOG.md | 5 +++++ activerecord/lib/active_record/version.rb | 2 +- activeresource/CHANGELOG.md | 5 +++++ activeresource/lib/active_resource/version.rb | 2 +- activesupport/CHANGELOG.md | 9 +++++++++ activesupport/lib/active_support/version.rb | 2 +- railties/CHANGELOG.md | 5 +++++ railties/lib/rails/version.rb | 2 +- version.rb | 2 +- 16 files changed, 48 insertions(+), 9 deletions(-) diff --git a/RAILS_VERSION b/RAILS_VERSION index 66870d92b1..0698331f6a 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.21 +3.2.22 diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index d7ed55ef4c..76d8028dc6 100644 --- a/actionmailer/CHANGELOG.md 
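Review bot: No test accompanies the new limit: the diffstat lists only the three files under `activesupport/lib`, so nothing visible pins the behaviour of `raise REXML::ParseException, "The document is too deep" if depth == 0`. A regression test per backend would cover a document nested exactly `XmlMini.depth` levels, which should parse, and one nested a level deeper, which should raise. A case that lowers `XmlMini.depth` should restore it in an `ensure` block so the module-level value does not leak between tests. The commit message mentions conflicts, so tests may live on another branch; if so, a reference to them in the message would help.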
+++ b/actionmailer/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.22 (Jun 16, 2015) ## + +* No changes. + + ## Rails 3.2.19 (Jul 2, 2014) ## * No changes. diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index b1d18690eb..ef12355cd7 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb @@ -2,7 +2,7 @@ module ActionMailer module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 15fc0af20e..b4cd115cf4 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.22 (Jun 16, 2015) ## + +* No changes. + + ## Rails 3.2.19 (Jul 2, 2014) ## * Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 6d37c72867..f608225e63 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,7 +2,7 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index 4f2e4e1959..50a4852f63 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.22 (Jun 16, 2015) ## + +* No changes. + + ## Rails 3.2.19 (Jul 2, 2014) ## * No changes. diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index 73ef6f9c6d..a44ecbdb41 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -2,7 +2,7 @@ module ActiveModel module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') 
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 0334f4454e..34d14f1a80 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.22 (Jun 16, 2015) ## + +* No changes. + + ## Rails 3.2.19 (Jul 2, 2014) ## * Fix SQL Injection Vulnerability in 'bitstring' quoting. diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 2b18007bff..f964aef280 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -2,7 +2,7 @@ module ActiveRecord module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md index 64509399e8..e88d9982b9 100644 --- a/activeresource/CHANGELOG.md +++ b/activeresource/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jun 16, 2015) ## + +* No changes. + + ## Rails 3.2.19 (Jul 2, 2014) ## * No changes. diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index 186c983c02..aa9c06cad2 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -2,7 +2,7 @@ module ActiveResource module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 6123be4ab4..6b88ab8343 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,3 +1,12 @@ +## Rails 3.2.22 (Jun 16, 2015) ## + +* Fix denial of service vulnerability in the XML processing. + + CVE-2015-3227. + + *Aaron Patterson* + + ## Rails 3.2.19 (Jul 2, 2014) ## * Make sure Active Support configurations are applied correctly. 
diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index c6ce40f0fd..4ff3b521a5 100644 --- a/activesupport/lib/active_support/version.rb +++ b/activesupport/lib/active_support/version.rb @@ -2,7 +2,7 @@ module ActiveSupport module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 0ff661cc9f..7b82fe5361 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.22 (Jun 16, 2015) ## + +* No changes. + + ## Rails 3.2.19 (Jul 2, 2014) ## * No changes. diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index 6689169256..9a42f80024 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/version.rb b/version.rb index 6689169256..9a42f80024 100644 --- a/version.rb +++ b/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 21 + TINY = 22 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') -- cgit v1.2.3 From 9dc8ddc39424818a3d713a353353ac20cb431218 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 16 Jun 2015 13:12:47 -0300 Subject: Removing inaccurate note on the releasing guide --- RELEASING_RAILS.rdoc | 3 --- 1 file changed, 3 deletions(-) diff --git a/RELEASING_RAILS.rdoc b/RELEASING_RAILS.rdoc index 7bad1d01b8..f9fdd0f687 100644 --- a/RELEASING_RAILS.rdoc +++ b/RELEASING_RAILS.rdoc 
@@ -105,9 +105,6 @@ then realise it is broken. === Release the gem. -IMPORTANT: Due to YAML parse problems on the rubygems.org server, it is safest -to use Ruby 1.8 when releasing. - Run `rake release`. This will populate the gemspecs with data from RAILS_VERSION, commit the changes, tag it, and push the gems to rubygems.org. Here are the commands that `rake release` should use, so you can understand -- cgit v1.2.3