From 23434f6162304292e8c4e28f2744e2cce719b372 Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Wed, 27 Feb 2013 10:01:29 -0800 Subject: Update CHANGELOGs for 3.2.13 release. --- actionpack/CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'actionpack') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index b71d004033..86bee63549 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,5 +1,10 @@ ## unreleased ## +* No changes. + + +## Rails 3.2.13 (Feb 17, 2013) ## + * Determine the controller#action from only the matched path when using the shorthand syntax. Previously the complete path was used, which led to problems with nesting (scopes and namespaces). -- cgit v1.2.3 From 5ca59b02d1cc80f3463eef062ced079eb1b3998c Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Wed, 27 Feb 2013 12:19:06 -0800 Subject: Preparing for 3.2.13.rc1 release --- actionpack/lib/action_pack/version.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 9236f257c2..d63c797188 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,8 +2,8 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 12 - PRE = nil + TINY = 13 + PRE = "rc1" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end -- cgit v1.2.3 From ccf256d8dcc68d975bbf00780c3b4096f47e29d3 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 6 Mar 2013 15:05:13 -0800 Subject: bumping to rc2 --- actionpack/lib/action_pack/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index d63c797188..1ae910183f 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -3,7 +3,7 @@ module ActionPack MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc1" + PRE = "rc2" STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end -- cgit v1.2.3 From 488699166c3558963fa82d4689a35f8c3fd93f47 Mon Sep 17 00:00:00 2001 From: Carlos Antonio da Silva Date: Sat, 9 Mar 2013 06:48:04 -0800 Subject: Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets Fix incorrectly appended square brackets to a multiple select box Before: select(:category, [], {}, {:multiple => true, :name => "post[category][]"}) # => Conflicts: actionpack/CHANGELOG.md actionpack/lib/action_view/helpers/tags/base.rb actionpack/test/template/form_options_helper_test.rb --- actionpack/CHANGELOG.md | 17 +++++++++++++++++ actionpack/lib/action_view/helpers/form_helper.rb | 2 +- actionpack/test/template/form_options_helper_test.rb | 8 ++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) (limited to 'actionpack') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 86bee63549..f1eb9e84f6 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -5,6 +5,23 @@ ## Rails 3.2.13 (Feb 17, 2013) ## +* Fix incorrectly appended square brackets to a multiple select box + if an explicit name has been given and it already ends with "[]". + + Before: + + select(:category, [], {}, multiple: true, name: "post[category][]") + # => + + Backport #9616. + + *Olek Janiszewski* + * Determine the controller#action from only the matched path when using the shorthand syntax. Previously the complete path was used, which led to problems with nesting (scopes and namespaces). diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb index 7df74d96fb..920dc3f794 100644 --- a/actionpack/lib/action_view/helpers/form_helper.rb +++ b/actionpack/lib/action_view/helpers/form_helper.rb @@ -1207,7 +1207,7 @@ module ActionView options["id"] = options.fetch("id"){ tag_id } end - options["name"] += "[]" if options["multiple"] + options["name"] += "[]" if options["multiple"] && !options["name"].ends_with?("[]") options["id"] = [options.delete('namespace'), options["id"]].compact.join("_").presence end diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb index 3009fa5330..72c2609a48 100644 --- a/actionpack/test/template/form_options_helper_test.rb +++ b/actionpack/test/template/form_options_helper_test.rb @@ -515,6 +515,14 @@ class FormOptionsHelperTest < ActionView::TestCase ) end + def test_select_with_multiple_and_with_explicit_name_ending_with_brackets + output_buffer = select(:post, :category, "", {}, :multiple => true, :name => 'post[category][]') + assert_dom_equal( + "", + output_buffer + ) + end + def test_select_with_multiple_and_disabled_to_add_disabled_hidden_input output_buffer = select(:post, :category, "", {}, :multiple => true, :disabled => true) assert_dom_equal( -- cgit v1.2.3 From ff3b9ca1308056b2c939ce77fbea1c4665f3619e Mon Sep 17 00:00:00 2001 From: Charlie Somerville Date: Wed, 13 Feb 2013 09:09:53 +1100 Subject: fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] --- .../lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 6 +++--- actionpack/test/template/html-scanner/sanitizer_test.rb | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index af06bffa16..02eea58263 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -110,8 +110,8 @@ module HTML style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet - if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ || - style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/ + if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || + style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ return '' end @@ -122,7 +122,7 @@ module HTML elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| !allowed_css_keywords.include?(keyword) && - keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/ + keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ end clean << prop + ': ' + val + ';' end diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb index 844484ee47..4e2ad4e955 100644 --- a/actionpack/test/template/html-scanner/sanitizer_test.rb +++ b/actionpack/test/template/html-scanner/sanitizer_test.rb @@ -256,6 +256,11 @@ class SanitizerTest < ActionController::TestCase assert_equal '', sanitize_css(raw) end + def test_should_sanitize_across_newlines + raw = %(\nwidth:\nexpression(alert('XSS'));\n) + assert_equal '', sanitize_css(raw) + end + def test_should_sanitize_img_vbscript assert_sanitized %(), '' end -- cgit v1.2.3 From 99123ad12f71ce3e7fe70656810e53133665527c Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Fri, 15 Mar 2013 15:04:00 -0700 Subject: fix protocol checking in sanitization [CVE-2013-1857] Conflicts: actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb --- .../action_controller/vendor/html-scanner/html/sanitizer.rb | 4 ++-- actionpack/test/template/html-scanner/sanitizer_test.rb | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index 02eea58263..994e11563d 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -66,7 +66,7 @@ module HTML # A regular expression of the valid characters used to separate protocols like # the ':' in 'http://foo.com' - self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/ + self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i # Specifies a Set of HTML attributes that can have URIs. self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc)) @@ -171,7 +171,7 @@ module HTML def contains_bad_protocols?(attr_name, value) uri_attributes.include?(attr_name) && - (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase)) + (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip)) end end end diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb index 4e2ad4e955..dee60c9d00 100644 --- a/actionpack/test/template/html-scanner/sanitizer_test.rb +++ b/actionpack/test/template/html-scanner/sanitizer_test.rb @@ -176,6 +176,7 @@ class SanitizerTest < ActionController::TestCase %(), %(), %(), + %(), %()].each_with_index do |img_hack, i| define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do assert_sanitized img_hack, "" @@ -281,6 +282,15 @@ class SanitizerTest < ActionController::TestCase assert_sanitized "" end + def test_x03a + assert_sanitized %(), "" + assert_sanitized %(), "" + assert_sanitized %(), %() + assert_sanitized %(), "" + assert_sanitized %(), "" + assert_sanitized %(), %() + end + protected def assert_sanitized(input, expected = nil) @sanitizer ||= HTML::WhiteListSanitizer.new -- cgit v1.2.3 From a4b55827721a5967299f3c1531afb3d6d81e4ac0 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Mon, 18 Mar 2013 09:23:04 -0700 Subject: bumping to 3.2.13 --- actionpack/lib/action_pack/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 1ae910183f..f319266765 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -3,7 +3,7 @@ module ActionPack MAJOR = 3 MINOR = 2 TINY = 13 - PRE = "rc2" + PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end -- cgit v1.2.3