From 95fe9ef945a35f56fa1c3ef356aec4a3b868937c Mon Sep 17 00:00:00 2001
From: Santiago Pastorino <santiago@wyeworks.com>
Date: Tue, 8 Jan 2013 00:25:24 -0200
Subject: Avoid Rack security warning no secret provided

This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
---
 actionpack/lib/action_dispatch/middleware/session/abstract_store.rb | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
index c04fee21dc..cb6d98f09a 100644
--- a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
@@ -25,6 +25,8 @@ module ActionDispatch
     module Compatibility
       def initialize(app, options = {})
         options[:key] ||= '_session_id'
+        # FIXME Rack's secret is not being used
+        options[:secret] ||= SecureRandom.hex(30)
         super
       end
 
-- 
cgit v1.2.3


From d5cd97baa44fa66dc681041a213092b45c57c32f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Fri, 4 Jan 2013 12:02:22 -0800
Subject: * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
 * dealing with empty hashes. Thanks Damien Mathieu

---
 actionpack/CHANGELOG.md                                 |  4 ++++
 actionpack/lib/action_dispatch/http/request.rb          | 10 ++++------
 .../lib/action_dispatch/middleware/params_parser.rb     |  4 ++--
 .../test/dispatch/request/json_params_parsing_test.rb   | 15 +++++++++++++++
 .../test/dispatch/request/xml_params_parsing_test.rb    | 17 +++++++++++++++++
 5 files changed, 42 insertions(+), 8 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 4d7035e63f..d07ef733aa 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.2.11 ##
+
+* Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+
 ## Rails 3.2.10 ##
 
 ## Rails 3.2.9 (Nov 12, 2012) ##
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index afc0496ef9..dea8e86808 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -247,18 +247,14 @@ module ActionDispatch
       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
     end
 
-    protected
-
     # Remove nils from the params hash
     def deep_munge(hash)
-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
-      keys.each { |k| hash[k] = nil }
-
-      hash.each_value do |v|
+      hash.each do |k, v|
         case v
         when Array
           v.grep(Hash) { |x| deep_munge(x) }
           v.compact!
+          hash[k] = nil if v.empty?
         when Hash
           deep_munge(v)
         end
@@ -267,6 +263,8 @@ module ActionDispatch
       hash
     end
 
+    protected
+
     def parse_query(qs)
       deep_munge(super)
     end
diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb
index 6ded9dbfed..ac726895fa 100644
--- a/actionpack/lib/action_dispatch/middleware/params_parser.rb
+++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb
@@ -38,13 +38,13 @@ module ActionDispatch
         when Proc
           strategy.call(request.raw_post)
         when :xml_simple, :xml_node
-          data = Hash.from_xml(request.body.read) || {}
+          data = request.deep_munge(Hash.from_xml(request.body.read) || {})
           request.body.rewind if request.body.respond_to?(:rewind)
           data.with_indifferent_access
         when :yaml
           YAML.load(request.raw_post)
         when :json
-          data = ActiveSupport::JSON.decode(request.body)
+          data = request.deep_munge ActiveSupport::JSON.decode(request.body)
           request.body.rewind if request.body.respond_to?(:rewind)
           data = {:_json => data} unless data.is_a?(Hash)
           data.with_indifferent_access
diff --git a/actionpack/test/dispatch/request/json_params_parsing_test.rb b/actionpack/test/dispatch/request/json_params_parsing_test.rb
index ad44b4b16a..fbf2ce1fbe 100644
--- a/actionpack/test/dispatch/request/json_params_parsing_test.rb
+++ b/actionpack/test/dispatch/request/json_params_parsing_test.rb
@@ -30,6 +30,21 @@ class JsonParamsParsingTest < ActionDispatch::IntegrationTest
     )
   end
 
+  test "nils are stripped from collections" do
+    assert_parses(
+      {"person" => nil},
+      "{\"person\":[null]}", { 'CONTENT_TYPE' => 'application/json' }
+    )
+    assert_parses(
+      {"person" => ['foo']},
+      "{\"person\":[\"foo\",null]}", { 'CONTENT_TYPE' => 'application/json' }
+    )
+    assert_parses(
+      {"person" => nil},
+      "{\"person\":[null, null]}", { 'CONTENT_TYPE' => 'application/json' }
+    )
+  end
+
   test "logs error if parsing unsuccessful" do
     with_test_routing do
       output = StringIO.new
diff --git a/actionpack/test/dispatch/request/xml_params_parsing_test.rb b/actionpack/test/dispatch/request/xml_params_parsing_test.rb
index 0984f00066..cadafa7f38 100644
--- a/actionpack/test/dispatch/request/xml_params_parsing_test.rb
+++ b/actionpack/test/dispatch/request/xml_params_parsing_test.rb
@@ -30,6 +30,23 @@ class XmlParamsParsingTest < ActionDispatch::IntegrationTest
     assert_equal "<ok>bar</ok>", resp.body
   end
 
+  def assert_parses(expected, xml)
+    with_test_routing do
+      post "/parse", xml, default_headers
+      assert_response :ok
+      assert_equal(expected, TestController.last_request_parameters)
+    end
+  end
+
+  test "nils are stripped from collections" do
+    assert_parses(
+      {"hash" => { "person" => nil} },
+      "<hash><person type=\"array\"><person nil=\"true\"/></person></hash>")
+    assert_parses(
+      {"hash" => { "person" => ['foo']} },
+      "<hash><person type=\"array\"><person>foo</person><person nil=\"true\"/></person>\n</hash>")
+  end
+
   test "parses hash params" do
     with_test_routing do
       xml = "<person><name>David</name></person>"
-- 
cgit v1.2.3


From 43109ecb986470ef023a7e91beb9812718f000fe Mon Sep 17 00:00:00 2001
From: Jeremy Kemper <jeremy@bitsweat.net>
Date: Sat, 5 Jan 2013 17:46:26 -0700
Subject: CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or
 yaml.

---
 actionpack/test/controller/webservice_test.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'actionpack')

diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb
index ae8588cbb0..13b6f4fc39 100644
--- a/actionpack/test/controller/webservice_test.rb
+++ b/actionpack/test/controller/webservice_test.rb
@@ -118,6 +118,19 @@ class WebServiceTest < ActionDispatch::IntegrationTest
     end
   end
 
+  def test_post_xml_using_a_disallowed_type_attribute
+    $stderr = StringIO.new
+    with_test_route_set do
+      post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+      assert_response 500
+
+      post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+      assert_response 500
+    end
+  ensure
+    $stderr = STDERR
+  end
+
   def test_register_and_use_yaml
     with_test_route_set do
       with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do
-- 
cgit v1.2.3


From 746dbd89faf8197e6d6f35f6e428a024923116a2 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Mon, 7 Jan 2013 16:15:56 -0800
Subject: bumping version

---
 actionpack/lib/action_pack/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index ad2546a13d..10832373e1 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 10
+    TINY  = 11
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
-- 
cgit v1.2.3