From 23434f6162304292e8c4e28f2744e2cce719b372 Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Wed, 27 Feb 2013 10:01:29 -0800 Subject: Update CHANGELOGs for 3.2.13 release. --- actionmailer/CHANGELOG.md | 5 +++++ actionpack/CHANGELOG.md | 5 +++++ activemodel/CHANGELOG.md | 5 +++++ activerecord/CHANGELOG.md | 5 +++++ activeresource/CHANGELOG.md | 4 ++++ activesupport/CHANGELOG.md | 6 ++++++ railties/CHANGELOG.md | 5 +++++ 7 files changed, 35 insertions(+) diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index e83469fdab..3bc15fd5a1 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -3,6 +3,11 @@ * No changes. +## Rails 3.2.13 (Feb 17, 2013) ## + +* No changes. + + ## Rails 3.2.12 (Feb 11, 2013) ## * No changes. diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index b71d004033..86bee63549 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,5 +1,10 @@ ## unreleased ## +* No changes. + + +## Rails 3.2.13 (Feb 17, 2013) ## + * Determine the controller#action from only the matched path when using the shorthand syntax. Previously the complete path was used, which led to problems with nesting (scopes and namespaces). diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index 5b78bd950c..1464f52066 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,5 +1,10 @@ ## unreleased ## +* No changes. + + +## Rails 3.2.13 (Feb 17, 2013) ## + * Specify type of singular association during serialization *Steve Klabnik* diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 4434d9ae6a..123fa09055 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,5 +1,10 @@ ## unreleased ## +* No changes. + + +## Rails 3.2.13 (Feb 17, 2013) ## + * Reverted 921a296a3390192a71abeec6d9a035cc6d1865c8, 'Quote numeric values compared to string columns.' This caused several regressions. 
diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md index c6ab7bc084..245b000f53 100644 --- a/activeresource/CHANGELOG.md +++ b/activeresource/CHANGELOG.md @@ -3,6 +3,10 @@ * No changes. +## Rails 3.2.13 (Feb 17, 2013) ## + +* No changes. + ## Rails 3.2.12 (Feb 11, 2013) ## * No changes. diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 117e34a822..ea72f692d3 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,5 +1,11 @@ ## unreleased ## +* No changes. + + +## Rails 3.2.13 (Feb 17, 2013) ## + + * Fix DateTime comparison with DateTime::Infinity object. *Dan Kubb* diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 29e75227b5..8064b0b5cc 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -3,6 +3,11 @@ * No changes. +## Rails 3.2.13 (Feb 17, 2013) ## + +* No changes. + + ## Rails 3.2.12 (Feb 11, 2013) ## * No changes. -- cgit v1.2.3 From 5ca59b02d1cc80f3463eef062ced079eb1b3998c Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Wed, 27 Feb 2013 12:19:06 -0800 Subject: Preparing for 3.2.13.rc1 release --- RAILS_VERSION | 2 +- actionmailer/lib/action_mailer/version.rb | 4 ++-- actionpack/lib/action_pack/version.rb | 4 ++-- activemodel/lib/active_model/version.rb | 4 ++-- activerecord/lib/active_record/version.rb | 4 ++-- activeresource/lib/active_resource/version.rb | 4 ++-- activesupport/lib/active_support/version.rb | 4 ++-- railties/lib/rails/version.rb | 4 ++-- version.rb | 4 ++-- 9 files changed, 17 insertions(+), 17 deletions(-) diff --git a/RAILS_VERSION b/RAILS_VERSION index 275e51e5e5..c6e0bc4fa1 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.12 +3.2.13.rc1 diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index 6c361b306f..845ec1e17e 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb 
@@ -2,8 +2,8 @@ module ActionMailer module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 9236f257c2..d63c797188 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,8 +2,8 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index 5f4fd126a6..8743147d4d 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -2,8 +2,8 @@ module ActiveModel module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index a340cfaf7d..1647829a1d 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -2,8 +2,8 @@ module ActiveRecord module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index 0547dbe14d..08e3b37ed2 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -2,8 +2,8 @@ module ActiveResource module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index 2230c5b78e..2e1c2ac36e 100644 
--- a/activesupport/lib/active_support/version.rb +++ b/activesupport/lib/active_support/version.rb @@ -2,8 +2,8 @@ module ActiveSupport module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index ec1335ad34..93539e2979 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -2,8 +2,8 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/version.rb b/version.rb index ec1335ad34..93539e2979 100644 --- a/version.rb +++ b/version.rb @@ -2,8 +2,8 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end -- cgit v1.2.3 From b5445247ad19ee0fb7f9a5ca31fd654cdaf6b005 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Thu, 20 Sep 2012 12:59:31 -0300 Subject: Freeze columns only once per Result Conflicts: activerecord/lib/active_record/result.rb --- activerecord/lib/active_record/result.rb | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/activerecord/lib/active_record/result.rb b/activerecord/lib/active_record/result.rb index 9ceab2eabc..b8d2cd2866 100644 --- a/activerecord/lib/active_record/result.rb +++ b/activerecord/lib/active_record/result.rb @@ -26,9 +26,15 @@ module ActiveRecord private def hash_rows - @hash_rows ||= @rows.map { |row| - Hash[@columns.zip(row)] - } + @hash_rows ||= + begin + # We freeze the strings to prevent them getting duped when + # used as keys in ActiveRecord::Model's @attributes hash + columns = @columns.map { |c| c.dup.freeze } + @rows.map { |row| + Hash[columns.zip(row)] + } + end end end end -- cgit v1.2.3 From 1b699fc8ad0eaf3503ec095413866ec5e4794162 Mon Sep 17 00:00:00 2001 
From: Aaron Patterson Date: Tue, 5 Mar 2013 11:33:16 -0800 Subject: Revert "Merge pull request #8209 from senny/backport_8176" This reverts commit 724020278480855bddfe749c91f1074d4f50f3c6, reversing changes made to e4e2bcce75b85fb8c1c49509a17bd5dfe6034c32. Conflicts: activerecord/CHANGELOG.md activerecord/lib/active_record/relation/calculations.rb activerecord/test/cases/calculations_test.rb --- activerecord/CHANGELOG.md | 15 --------------- activerecord/test/cases/calculations_test.rb | 6 ------ 2 files changed, 21 deletions(-) diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 123fa09055..ec017f8623 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,8 +1,3 @@ -## unreleased ## - -* No changes. - - ## Rails 3.2.13 (Feb 17, 2013) ## * Reverted 921a296a3390192a71abeec6d9a035cc6d1865c8, 'Quote numeric values @@ -228,16 +223,6 @@ *Victor Costan* -* `#pluck` can be used on a relation with `select` clause. - Fixes #7551. - Backport of #8176. - - Example: - - Topic.select([:approved, :id]).order(:id).pluck(:id) - - *Yves Senn* - * Use `nil?` instead of `blank?` to check whether dynamic finder with a bang should raise RecordNotFound. Fixes #7238. diff --git a/activerecord/test/cases/calculations_test.rb b/activerecord/test/cases/calculations_test.rb index a1dc1de38d..67137d168b 100644 --- a/activerecord/test/cases/calculations_test.rb +++ b/activerecord/test/cases/calculations_test.rb @@ -493,12 +493,6 @@ class CalculationsTest < ActiveRecord::TestCase assert_equal [1,2,3,4], Topic.order(:id).pluck("topics.id") end - def test_pluck_replaces_select_clause - taks_relation = Topic.select([:approved, :id]).order(:id) - assert_equal [1,2,3,4], taks_relation.pluck(:id) - assert_equal [false, true, true, true], taks_relation.pluck(:approved) - end - def test_pluck_auto_table_name_prefix c = Company.create!(:name => "test", :contracts => [Contract.new]) assert_equal [c.id], Company.joins(:contracts).pluck(:id) -- cgit v1.2.3 
From ccf256d8dcc68d975bbf00780c3b4096f47e29d3 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 6 Mar 2013 15:05:13 -0800 Subject: bumping to rc2 --- RAILS_VERSION | 2 +- actionmailer/lib/action_mailer/version.rb | 2 +- actionpack/lib/action_pack/version.rb | 2 +- activemodel/lib/active_model/version.rb | 2 +- activerecord/lib/active_record/version.rb | 2 +- activeresource/lib/active_resource/version.rb | 2 +- activesupport/lib/active_support/version.rb | 2 +- railties/lib/rails/version.rb | 2 +- version.rb | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/RAILS_VERSION b/RAILS_VERSION index c6e0bc4fa1..734a2ff309 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.13.rc1 +3.2.13.rc2 diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index 845ec1e17e..ba8a058f84 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb @@ -3,7 +3,7 @@ module ActionMailer MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index d63c797188..1ae910183f 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -3,7 +3,7 @@ module ActionPack MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index 8743147d4d..dbc3811276 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -3,7 +3,7 @@ module ActiveModel MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 1647829a1d..1cf9f00ad2 100644 
--- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -3,7 +3,7 @@ module ActiveRecord MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index 08e3b37ed2..10b0e0858a 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -3,7 +3,7 @@ module ActiveResource MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index 2e1c2ac36e..ce6a47f110 100644 --- a/activesupport/lib/active_support/version.rb +++ b/activesupport/lib/active_support/version.rb @@ -3,7 +3,7 @@ module ActiveSupport MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index 93539e2979..4be683e499 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -3,7 +3,7 @@ module Rails MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/version.rb b/version.rb index 93539e2979..4be683e499 100644 --- a/version.rb +++ b/version.rb @@ -3,7 +3,7 @@ module Rails MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end -- cgit v1.2.3 From 488699166c3558963fa82d4689a35f8c3fd93f47 Mon Sep 17 00:00:00 2001 
From: Carlos Antonio da Silva Date: Sat, 9 Mar 2013 06:48:04 -0800 Subject: Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets Fix incorrectly appended square brackets to a multiple select box Before: select(:category, [], {}, {:multiple => true, :name => "post[category][]"}) # => Conflicts: actionpack/CHANGELOG.md actionpack/lib/action_view/helpers/tags/base.rb actionpack/test/template/form_options_helper_test.rb --- actionpack/CHANGELOG.md | 17 +++++++++++++++++ actionpack/lib/action_view/helpers/form_helper.rb | 2 +- actionpack/test/template/form_options_helper_test.rb | 8 ++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 86bee63549..f1eb9e84f6 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -5,6 +5,23 @@ ## Rails 3.2.13 (Feb 17, 2013) ## +* Fix incorrectly appended square brackets to a multiple select box + if an explicit name has been given and it already ends with "[]". + + Before: + + select(:category, [], {}, multiple: true, name: "post[category][]") + # => + + Backport #9616. + + *Olek Janiszewski* + * Determine the controller#action from only the matched path when using the shorthand syntax. Previously the complete path was used, which led to problems with nesting (scopes and namespaces). diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb index 7df74d96fb..920dc3f794 100644 --- a/actionpack/lib/action_view/helpers/form_helper.rb +++ b/actionpack/lib/action_view/helpers/form_helper.rb @@ -1207,7 +1207,7 @@ module ActionView options["id"] = options.fetch("id"){ tag_id } end - options["name"] += "[]" if options["multiple"] + options["name"] += "[]" if options["multiple"] && !options["name"].ends_with?("[]") options["id"] = [options.delete('namespace'), options["id"]].compact.join("_").presence end 
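Review bot: The guard added to the `options["name"] += "[]"` line uses `ends_with?`, which is the ActiveSupport alias rather than Ruby's own `String#end_with?`; the stdlib spelling reads the same and does not depend on the string core extension being loaded, so `options["name"] += "[]" if options["multiple"] && !options["name"].end_with?("[]")` is the more conventional form. The reason for the extra check is only in the CHANGELOG, so a short comment on the line, `# an explicit name that already ends in "[]" must not be suffixed a second time`, keeps it from being "simplified" away later. The enclosing method starts and ends outside the hunk, so I could not confirm that `options["name"]` is always set before this line; if it can be nil the new call raises earlier than the old `+=` did, though with the same exception class.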
diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb index 3009fa5330..72c2609a48 100644 --- a/actionpack/test/template/form_options_helper_test.rb +++ b/actionpack/test/template/form_options_helper_test.rb @@ -515,6 +515,14 @@ class FormOptionsHelperTest < ActionView::TestCase ) end + def test_select_with_multiple_and_with_explicit_name_ending_with_brackets + output_buffer = select(:post, :category, "", {}, :multiple => true, :name => 'post[category][]') + assert_dom_equal( + "", + output_buffer + ) + end + def test_select_with_multiple_and_disabled_to_add_disabled_hidden_input output_buffer = select(:post, :category, "", {}, :multiple => true, :disabled => true) assert_dom_equal( -- cgit v1.2.3 From f980289fd2c1b9073a94b5d49b780a49f5e2933c Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Tue, 5 Mar 2013 14:52:08 -0800 Subject: stop calling to_sym when building arel nodes [CVE-2013-1854] --- activerecord/lib/active_record/relation.rb | 2 +- activerecord/lib/active_record/relation/predicate_builder.rb | 2 +- activerecord/test/cases/method_scoping_test.rb | 10 +++++----- activerecord/test/cases/relation_test.rb | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/activerecord/lib/active_record/relation.rb b/activerecord/lib/active_record/relation.rb index 4b3b30d6ed..ae1a57545e 100644 --- a/activerecord/lib/active_record/relation.rb +++ b/activerecord/lib/active_record/relation.rb @@ -464,7 +464,7 @@ module ActiveRecord node.left.relation.name == table_name } - Hash[equalities.map { |where| [where.left.name, where.right] }] + Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access end def scope_for_create diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb index b31fdfd981..413b81cc69 100644 --- a/activerecord/lib/active_record/relation/predicate_builder.rb 
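Review bot: The `.with_indifferent_access` appended to the `Hash[equalities.map { |where| [where.left.name, where.right] }]` line has no comment explaining it, and since the same commit stops interning column names in `predicate_builder.rb`, the attribute names reaching this hash can now be Strings or Symbols depending on how the caller spelled the `where` keys; a maintainer who does not know that could revert to a plain Hash and get mixed-type keys in `scope_for_create`. I would put this above the line: `# Attribute names are no longer coerced to Symbols (CVE-2013-1854: interning request-controlled names grows the symbol table without bound), so keys may be String or Symbol; normalize to one key type for scope_for_create and callers.` The return type changes from Hash to HashWithIndifferentAccess, which is why the tests in this commit compare against string keys; any caller comparing the result to a symbol-keyed literal with `==` will stop matching, and that deserves a line in the CHANGELOG alongside the CVE note. The enclosing `where_values_hash` starts outside the hunk.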
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb @@ -20,7 +20,7 @@ module ActiveRecord table = Arel::Table.new(table_name, engine) end - attribute = table[column.to_sym] + attribute = table[column] case value when ActiveRecord::Relation diff --git a/activerecord/test/cases/method_scoping_test.rb b/activerecord/test/cases/method_scoping_test.rb index 0ab4f30363..ac84306eae 100644 --- a/activerecord/test/cases/method_scoping_test.rb +++ b/activerecord/test/cases/method_scoping_test.rb @@ -212,14 +212,14 @@ class MethodScopingTest < ActiveRecord::TestCase table = VerySpecialComment.arel_table relation = VerySpecialComment.scoped relation.where_values << table[:id].not_eq(1) - assert_equal({:type => "VerySpecialComment"}, relation.send(:scope_for_create)) + assert_equal({'type' => "VerySpecialComment"}, relation.send(:scope_for_create)) end def test_scoped_create new_comment = nil VerySpecialComment.send(:with_scope, :create => { :post_id => 1 }) do - assert_equal({:post_id => 1, :type => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create)) + assert_equal({'post_id' => 1, 'type' => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create)) new_comment = VerySpecialComment.create :body => "Wonderful world" end @@ -228,7 +228,7 @@ class MethodScopingTest < ActiveRecord::TestCase def test_scoped_create_with_join_and_merge Comment.where(:body => "but Who's Buying?").joins(:post).merge(Post.where(:body => 'Peace Sells...')).with_scope do - assert_equal({:body => "but Who's Buying?"}, Comment.scoped.scope_for_create) + assert_equal({'body' => "but Who's Buying?"}, Comment.scoped.scope_for_create) end end 
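Review bot: The rewritten `attribute = table[column]` line removes `to_sym` without recording why, and `column` is a key from a caller-supplied hash (the `where(params[:filter])` style of call this fix is about), so the next person to "normalize" the key will reintroduce the problem. Suggested comment above the line: `# Do not interning column via to_sym: it can come straight from a request hash, and Symbols are not garbage collected on the Ruby releases this branch targets, so attacker-chosen names exhaust memory (CVE-2013-1854). Arel::Table#[] accepts a String name.` That last claim is implied by the change rather than visible in the diff, so confirm it against the Arel version pinned in the Gemfile.lock. The enclosing method starts and ends outside the hunk.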
@@ -441,7 +441,7 @@ class NestedScopingTest < ActiveRecord::TestCase comment = nil Comment.send(:with_scope, :create => { :post_id => 1}) do Comment.send(:with_scope, :create => { :post_id => 2}) do - assert_equal({:post_id => 2}, Comment.scoped.send(:scope_for_create)) + assert_equal({'post_id' => 2}, Comment.scoped.send(:scope_for_create)) comment = Comment.create :body => "Hey guys, nested scopes are broken. Please fix!" end end @@ -453,7 +453,7 @@ class NestedScopingTest < ActiveRecord::TestCase Comment.send(:with_scope, :create => { :body => "Hey guys, nested scopes are broken. Please fix!" }) do Comment.send(:with_exclusive_scope, :create => { :post_id => 1 }) do - assert_equal({:post_id => 1}, Comment.scoped.send(:scope_for_create)) + assert_equal({'post_id' => 1}, Comment.scoped.send(:scope_for_create)) assert_blank Comment.new.body comment = Comment.create :body => "Hey guys" end diff --git a/activerecord/test/cases/relation_test.rb b/activerecord/test/cases/relation_test.rb index 7a75a8436b..6efdeac3d9 100644 --- a/activerecord/test/cases/relation_test.rb +++ b/activerecord/test/cases/relation_test.rb @@ -71,7 +71,7 @@ module ActiveRecord def test_has_values relation = Relation.new Post, Post.arel_table relation.where_values << relation.table[:id].eq(10) - assert_equal({:id => 10}, relation.where_values_hash) + assert_equal({'id' => 10}, relation.where_values_hash) end def test_values_wrong_table @@ -101,7 +101,7 @@ module ActiveRecord def test_create_with_value relation = Relation.new Post, Post.arel_table - hash = { :hello => 'world' } + hash = { 'hello' => 'world' } relation.create_with_value = hash assert_equal hash, relation.scope_for_create end 
@@ -110,7 +110,7 @@ module ActiveRecord relation = Relation.new Post, Post.arel_table relation.where_values << relation.table[:id].eq(10) relation.create_with_value = {:hello => 'world'} - assert_equal({:hello => 'world', :id => 10}, relation.scope_for_create) + assert_equal({'hello' => 'world', 'id' => 10}, relation.scope_for_create) end # FIXME: is this really wanted or expected behavior? -- cgit v1.2.3 From ff3b9ca1308056b2c939ce77fbea1c4665f3619e Mon Sep 17 00:00:00 2001 From: Charlie Somerville Date: Wed, 13 Feb 2013 09:09:53 +1100 Subject: fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] --- .../lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 6 +++--- actionpack/test/template/html-scanner/sanitizer_test.rb | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index af06bffa16..02eea58263 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -110,8 +110,8 @@ module HTML style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet - if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ || - style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/ + if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || + style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ return '' end @@ -122,7 +122,7 @@ module HTML elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| !allowed_css_keywords.include?(keyword) && - keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/ + keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ end clean << prop + ': ' + val + ';' end 
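Review bot: The second gauntlet regex on the rewritten `if` still contains a bare `$` inside `(;|$)`, and in Ruby `$` matches before every embedded newline, so after the `\A`/`\z` change a declaration can still end at an interior line break without a `;` and pass the structural check. Because the whole value is now bounded by `\A…\z` and the first regex still has to accept every character, I read this as leniency rather than a remaining bypass, but `style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/` makes the intent consistent and leaves nothing for the next reader to second-guess. A one-line comment on the gauntlet, `# \A and \z, never ^ and $: those are per-line anchors in Ruby and a newline smuggled expression() past the check (CVE-2013-1855)`, would record why this commit exists. The enclosing method (sanitize_css, per the commit subject) starts and ends outside the hunk.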
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb index 844484ee47..4e2ad4e955 100644 --- a/actionpack/test/template/html-scanner/sanitizer_test.rb +++ b/actionpack/test/template/html-scanner/sanitizer_test.rb @@ -256,6 +256,11 @@ class SanitizerTest < ActionController::TestCase assert_equal '', sanitize_css(raw) end + def test_should_sanitize_across_newlines + raw = %(\nwidth:\nexpression(alert('XSS'));\n) + assert_equal '', sanitize_css(raw) + end + def test_should_sanitize_img_vbscript assert_sanitized %(), '' end -- cgit v1.2.3 From c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f Mon Sep 17 00:00:00 2001 From: Ben Murphy Date: Fri, 8 Feb 2013 02:48:22 +0000 Subject: JDOM XXE Protection [CVE-2013-1856] Conflicts: activesupport/test/xml_mini/jdom_engine_test.rb --- activesupport/lib/active_support/xml_mini/jdom.rb | 6 ++++ activesupport/test/fixtures/xml/jdom_doctype.dtd | 1 + activesupport/test/fixtures/xml/jdom_entities.txt | 1 + activesupport/test/fixtures/xml/jdom_include.txt | 1 + activesupport/test/xml_mini/jdom_engine_test.rb | 39 +++++++++++++++++++++-- 5 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 activesupport/test/fixtures/xml/jdom_doctype.dtd create mode 100644 activesupport/test/fixtures/xml/jdom_entities.txt create mode 100644 activesupport/test/fixtures/xml/jdom_include.txt diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb index 6c222b83ba..8d23ce4e18 100644 --- a/activesupport/lib/active_support/xml_mini/jdom.rb +++ b/activesupport/lib/active_support/xml_mini/jdom.rb 
@@ -38,6 +38,12 @@ module ActiveSupport {} else @dbf = DocumentBuilderFactory.new_instance + # secure processing of java xml + # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html + @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false) + @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false) + @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true) xml_string_reader = StringReader.new(data) xml_input_source = InputSource.new(xml_string_reader) doc = @dbf.new_document_builder.parse(xml_input_source) diff --git a/activesupport/test/fixtures/xml/jdom_doctype.dtd b/activesupport/test/fixtures/xml/jdom_doctype.dtd new file mode 100644 index 0000000000..89480496ef --- /dev/null +++ b/activesupport/test/fixtures/xml/jdom_doctype.dtd @@ -0,0 +1 @@ + diff --git a/activesupport/test/fixtures/xml/jdom_entities.txt b/activesupport/test/fixtures/xml/jdom_entities.txt new file mode 100644 index 0000000000..0337fdaa08 --- /dev/null +++ b/activesupport/test/fixtures/xml/jdom_entities.txt @@ -0,0 +1 @@ + diff --git a/activesupport/test/fixtures/xml/jdom_include.txt b/activesupport/test/fixtures/xml/jdom_include.txt new file mode 100644 index 0000000000..239ca3afaf --- /dev/null +++ b/activesupport/test/fixtures/xml/jdom_include.txt @@ -0,0 +1 @@ +include me diff --git a/activesupport/test/xml_mini/jdom_engine_test.rb b/activesupport/test/xml_mini/jdom_engine_test.rb index 7f809e7898..ec81ada736 100644 --- a/activesupport/test/xml_mini/jdom_engine_test.rb +++ b/activesupport/test/xml_mini/jdom_engine_test.rb 
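Review bot: The four `setFeature` calls added after `@dbf = DocumentBuilderFactory.new_instance` close the external-entity and external-DTD routes, but the factory still accepts DOCTYPE declarations and expands internal entities; `FEATURE_SECURE_PROCESSING` bounds the number of expansions rather than forbidding them, which is what the existing expansion-attack test below relies on. Unless `Hash.from_xml` callers genuinely need DOCTYPEs, add `@dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, with `@dbf.setExpandEntityReferences(false)` as the fallback if DOCTYPEs must keep working; the new tests in this commit that expect `'x'` would then expect a `SAXParseException` instead, which is the clearer contract. The feature URIs are Xerces-specific, so on a JAXP implementation that does not recognise them `setFeature` raises `ParserConfigurationException` and parsing fails closed rather than open; a comment stating that this is intentional, e.g. `# unsupported feature => ParserConfigurationException; failing closed is the point, do not rescue`, will stop someone wrapping it in a rescue. The enclosing method starts and ends outside the hunk.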
@@ -3,9 +3,11 @@ if RUBY_PLATFORM =~ /java/ require 'active_support/xml_mini' require 'active_support/core_ext/hash/conversions' - class JDOMEngineTest < Test::Unit::TestCase + class JDOMEngineTest < ActiveSupport::TestCase include ActiveSupport + FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml' + def setup @default_backend = XmlMini.backend XmlMini.backend = 'JDOM' @@ -30,10 +32,41 @@ if RUBY_PLATFORM =~ /java/ assert_equal 'image/png', file.content_type end + def test_not_allowed_to_expand_entities_to_files + attack_xml = <<-EOT + + ]> + x&a; + EOT + assert_equal 'x', Hash.from_xml(attack_xml)["member"] + end + + def test_not_allowed_to_expand_parameter_entities_to_files + attack_xml = <<-EOT + + %b; + ]> + x&a; + EOT + assert_raise Java::OrgXmlSax::SAXParseException do + assert_equal 'x', Hash.from_xml(attack_xml)["member"] + end + end + + + def test_not_allowed_to_load_external_doctypes + attack_xml = <<-EOT + + x&a; + EOT + assert_equal 'x', Hash.from_xml(attack_xml)["member"] + end + def test_exception_thrown_on_expansion_attack - assert_raise NativeException do + assert_raise Java::OrgXmlSax::SAXParseException do attack_xml = <<-EOT - -- cgit v1.2.3 From 99123ad12f71ce3e7fe70656810e53133665527c Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Fri, 15 Mar 2013 15:04:00 -0700 Subject: fix protocol checking in sanitization [CVE-2013-1857] Conflicts: actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb --- .../action_controller/vendor/html-scanner/html/sanitizer.rb | 4 ++-- actionpack/test/template/html-scanner/sanitizer_test.rb | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index 02eea58263..994e11563d 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb 
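Review bot: In the added `test_not_allowed_to_expand_parameter_entities_to_files`, the `assert_equal 'x', Hash.from_xml(attack_xml)["member"]` sits inside the `assert_raise Java::OrgXmlSax::SAXParseException do … end` block and can never contribute: if the parse raises, the assertion is never reached, and if it does not raise, `assert_raise` fails regardless of the value. Replace the block body with the bare call, `Hash.from_xml(attack_xml)`, so the test states exactly what it checks. The heredoc payloads are not visible in this rendering, so I could not confirm which fixture each test actually references; a one-line comment per test naming the vector (`# external general entity reading a local file`, `# parameter entity fetching jdom_entities.txt`, `# external DOCTYPE from jdom_doctype.dtd`) would make that reviewable without opening the fixtures. The class body continues beyond the hunk.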
@@ -66,7 +66,7 @@ module HTML # A regular expression of the valid characters used to separate protocols like # the ':' in 'http://foo.com' - self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/ + self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i # Specifies a Set of HTML attributes that can have URIs. self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc)) @@ -171,7 +171,7 @@ module HTML def contains_bad_protocols?(attr_name, value) uri_attributes.include?(attr_name) && - (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase)) + (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip)) end end end diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb index 4e2ad4e955..dee60c9d00 100644 --- a/actionpack/test/template/html-scanner/sanitizer_test.rb +++ b/actionpack/test/template/html-scanner/sanitizer_test.rb @@ -176,6 +176,7 @@ class SanitizerTest < ActionController::TestCase %(), %(), %(), + %(), %()].each_with_index do |img_hack, i| define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do assert_sanitized img_hack, "" @@ -281,6 +282,15 @@ class SanitizerTest < ActionController::TestCase assert_sanitized "" end + def test_x03a + assert_sanitized %(), "" + assert_sanitized %(), "" + assert_sanitized %(), %() + assert_sanitized %(), "" + assert_sanitized %(), "" + assert_sanitized %(), %() + end + protected def assert_sanitized(input, expected = nil) @sanitizer ||= HTML::WhiteListSanitizer.new -- cgit v1.2.3 From a4b55827721a5967299f3c1531afb3d6d81e4ac0 Mon Sep 17 00:00:00 2001 
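Review bot: The rewritten `contains_bad_protocols?` line still does `value.split(protocol_separator).first.downcase.strip`, and `String#split` drops trailing empty fields, so an attribute value that is nothing but a separator (`href=":"` or `"::"`) satisfies the leading `=~` yet splits to `[]`; `.first` is then nil and the sanitizer raises NoMethodError on the whole document instead of dropping the attribute. That is pre-existing rather than introduced here, but the line is being edited anyway, so `!allowed_protocols.include?(value.split(protocol_separator).first.to_s.downcase.strip)` turns that case into a rejection (an empty scheme is not in the allow-list), which is the behaviour the rest of the check already encodes. The added `.strip` only trims ASCII whitespace at the ends; because anything not literally in `allowed_protocols` is rejected, an interior tab or newline in the scheme is still refused, which is correct and worth a comment so nobody later turns the strip into a broader gsub. The entity forms in the separator regex appear decoded in this rendering, so I have not re-verified them character by character.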
From: Aaron Patterson Date: Mon, 18 Mar 2013 09:23:04 -0700 Subject: bumping to 3.2.13 --- RAILS_VERSION | 2 +- actionmailer/lib/action_mailer/version.rb | 2 +- actionpack/lib/action_pack/version.rb | 2 +- activemodel/lib/active_model/version.rb | 2 +- activerecord/lib/active_record/version.rb | 2 +- activeresource/lib/active_resource/version.rb | 2 +- activesupport/lib/active_support/version.rb | 2 +- railties/lib/rails/version.rb | 2 +- version.rb | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/RAILS_VERSION b/RAILS_VERSION index 734a2ff309..d883a10059 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.13.rc2 +3.2.13 diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index ba8a058f84..00f0516066 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb @@ -3,7 +3,7 @@ module ActionMailer MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 1ae910183f..f319266765 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -3,7 +3,7 @@ module ActionPack MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index dbc3811276..ec0efc72b7 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -3,7 +3,7 @@ module ActiveModel MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 1cf9f00ad2..9069d9964f 100644 --- a/activerecord/lib/active_record/version.rb 
+++ b/activerecord/lib/active_record/version.rb @@ -3,7 +3,7 @@ module ActiveRecord MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index 10b0e0858a..6c3ee00be6 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -3,7 +3,7 @@ module ActiveResource MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index ce6a47f110..03b1e511d9 100644 --- a/activesupport/lib/active_support/version.rb +++ b/activesupport/lib/active_support/version.rb @@ -3,7 +3,7 @@ module ActiveSupport MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index 4be683e499..0145879c87 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -3,7 +3,7 @@ module Rails MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end diff --git a/version.rb b/version.rb index 4be683e499..0145879c87 100644 --- a/version.rb +++ b/version.rb @@ -3,7 +3,7 @@ module Rails MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end -- cgit v1.2.3