From 9212138ad0a9ae3285a2566300afb7d94344214a Mon Sep 17 00:00:00 2001
From: Jeffrey Hardy
Date: Mon, 5 Oct 2009 08:27:54 -0400
Subject: MessageVerifier#verify raises InvalidSignature if the signature is blank

Signed-off-by: Jeremy Kemper
---
 activesupport/lib/active_support/message_verifier.rb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'activesupport/lib')

diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
index 74e080a23d..fcdc09ff08 100644
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -26,6 +26,8 @@ module ActiveSupport
 end
 
 def verify(signed_message)
+ raise InvalidSignature if signed_message.blank?
+
 data, digest = signed_message.split("--")
 if secure_compare(digest, generate_digest(data))
 Marshal.load(ActiveSupport::Base64.decode64(data))
--
cgit v1.2.3

From 9415935902f120a9bac0bfce7129725a0db38ed3 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Thu, 8 Oct 2009 09:31:20 +1300
Subject: Switch to on-by-default XSS escaping for rails.

This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String

Hat tip to Django for the inspiration.
---
 .../lib/active_support/core_ext/string.rb | 3 +-
 .../core_ext/string/output_safety.rb | 43 ++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 activesupport/lib/active_support/core_ext/string/output_safety.rb
(limited to 'activesupport/lib')
diff --git a/activesupport/lib/active_support/core_ext/string.rb b/activesupport/lib/active_support/core_ext/string.rb
index d06a5a32fb..6c52f12712 100644
--- a/activesupport/lib/active_support/core_ext/string.rb
+++ b/activesupport/lib/active_support/core_ext/string.rb
@@ -7,4 +7,5 @@ require 'active_support/core_ext/string/access'
 require 'active_support/core_ext/string/iterators'
 require 'active_support/core_ext/string/xchar'
 require 'active_support/core_ext/string/behavior'
-require 'active_support/core_ext/string/interpolation'
\ No newline at end of file
+require 'active_support/core_ext/string/interpolation'
+require 'active_support/core_ext/string/output_safety'
\ No newline at end of file
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
new file mode 100644
index 0000000000..2cca4763f4
--- /dev/null
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -0,0 +1,43 @@
+class String
+ def html_safe?
+ defined?(@_rails_html_safe) && @_rails_html_safe
+ end
+
+ def html_safe!
+ @_rails_html_safe = true
+ self
+ end
+
+ def html_safe
+ dup.html_safe!
+ end
+
+ alias original_plus +
+ def +(other)
+ result = original_plus(other)
+ if html_safe? && also_html_safe?(other)
+ result.html_safe!
+ else
+ result
+ end
+ end
+
+ alias original_concat <<
+ def <<(other)
+ result = original_concat(other)
+ unless html_safe? && also_html_safe?(other)
+ @_rails_html_safe = false
+ end
+ result
+ end
+
+ def concat(other)
+ self << other
+ end
+
+ private
+ def also_html_safe?(other)
+ other.respond_to?(:html_safe?) && other.html_safe?
+ end
+
+end
\ No newline at end of file
--
cgit v1.2.3

From 69aa5e8a86b1d33e057076dc6049e37c92b0e50f Mon Sep 17 00:00:00 2001
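Review bot: The safe mark set by `html_safe!` is withdrawn only by `<<` and `concat`; the other in-place mutators (`gsub!`, `sub!`, `replace`, `insert`, `[]=`) leave `@_rails_html_safe` set, so a string marked safe and then mutated with untrusted content still answers `html_safe?` true, and whatever consumes that flag downstream (presumably the SafeBuffer this commit describes, not visible here) would emit it unescaped. Either give those mutators the same treatment `<<` gets — delegate to the original, then clear the flag — or state the limitation next to `html_safe!`: `# NOTE: the safe mark survives every mutator except << and concat; never mutate a marked string with untrusted input`. `html_safe!` also raises on a frozen receiver because it sets an instance variable, which deserves a sentence in the same comment. The string.rb hunk only adds the require and needs nothing.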
From: Pratik Naik
Date: Fri, 9 Oct 2009 02:26:08 +0100
Subject: Ensure MessageVerifier raises appropriate exception on tampered data

---
 activesupport/lib/active_support/message_verifier.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'activesupport/lib')

diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
index fcdc09ff08..282346b1a6 100644
--- a/activesupport/lib/active_support/message_verifier.rb
+++ b/activesupport/lib/active_support/message_verifier.rb
@@ -29,7 +29,7 @@ module ActiveSupport
 raise InvalidSignature if signed_message.blank?
 
 data, digest = signed_message.split("--")
- if secure_compare(digest, generate_digest(data))
+ if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
 Marshal.load(ActiveSupport::Base64.decode64(data))
 else
 raise InvalidSignature
--
cgit v1.2.3

From 987d501182971c1e6cdf8acb748635d14cf0c341 Mon Sep 17 00:00:00 2001
From: Pratik Naik
Date: Fri, 9 Oct 2009 15:03:18 +0100
Subject: Mute log info coming from the local_cache strategy

---
 activesupport/lib/active_support/cache.rb | 7 +++++++
 activesupport/lib/active_support/cache/memory_store.rb | 2 ++
 activesupport/lib/active_support/cache/strategy/local_cache.rb | 10 +++++-----
 3 files changed, 14 insertions(+), 5 deletions(-)
(limited to 'activesupport/lib')

diff --git a/activesupport/lib/active_support/cache.rb b/activesupport/lib/active_support/cache.rb
index 25f9555388..a415686020 100644
--- a/activesupport/lib/active_support/cache.rb
+++ b/activesupport/lib/active_support/cache.rb
@@ -115,6 +115,13 @@ module ActiveSupport
 self
 end
 
+ def mute
+ previous_silence, @silence = defined?(@silence) && @silence, true
+ yield
+ ensure
+ @silence = previous_silence
+ end
+
 # Fetches data from the cache, using the given key. If there is data in
 # the cache with the given key, then that data is returned.
 #
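Review bot: With the added `present?` guards every malformed input — blank, missing the `--` separator, or tampered — now surfaces as `InvalidSignature`, but `verify` documents none of that, and the property that makes `Marshal.load` on caller-supplied bytes defensible here, namely that it runs only after the digest matched, is left implicit. Suggest a comment above `def verify` (the method starts before this hunk): `# Raises InvalidSignature when the message is blank, lacks the "--" separator, or the digest does not match; the payload is only Marshal.load'ed after the digest verified, so deserialization is gated on possession of the secret.` Whether `secure_compare` tolerates unequal lengths is not visible in this hunk; with `digest.present?` guaranteed it at least no longer receives nil.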
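Review bot: `mute` is a new public method on the store with no comment, and the flag it toggles lives on the store instance, so if one store object is shared by several threads (common for a cache store, though not visible here) a `mute` block in one thread silences logging for all of them until `ensure` restores `@silence`. Suggest documenting that above `def mute`: `# Suppresses logging while the block runs and restores the previous @silence afterwards. The flag is per store instance, not per thread.` Calling `mute` without a block fails at `yield` with LocalJumpError; a `block_given?` guard or a sentence in the comment stating that a block is required would make the contract explicit.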
diff --git a/activesupport/lib/active_support/cache/memory_store.rb b/activesupport/lib/active_support/cache/memory_store.rb
index 66ce1bc93a..e6085d97ec 100644
--- a/activesupport/lib/active_support/cache/memory_store.rb
+++ b/activesupport/lib/active_support/cache/memory_store.rb
@@ -1,3 +1,5 @@
+require 'active_support/core_ext/object/duplicable'
+
 module ActiveSupport
 module Cache
 # A cache store implementation which stores everything into memory in the
diff --git a/activesupport/lib/active_support/cache/strategy/local_cache.rb b/activesupport/lib/active_support/cache/strategy/local_cache.rb
index 3b5fccc737..5f6fe22416 100644
--- a/activesupport/lib/active_support/cache/strategy/local_cache.rb
+++ b/activesupport/lib/active_support/cache/strategy/local_cache.rb
@@ -44,7 +44,7 @@ module ActiveSupport
 nil
 elsif value.nil?
 value = super
- local_cache.write(key, value || NULL) if local_cache
+ local_cache.mute { local_cache.write(key, value || NULL) } if local_cache
 value.duplicable? ? value.dup : value
 else
 # forcing the value to be immutable
@@ -54,12 +54,12 @@ module ActiveSupport
 
 def write(key, value, options = nil)
 value = value.to_s if respond_to?(:raw?) && raw?(options)
- local_cache.write(key, value || NULL) if local_cache
+ local_cache.mute { local_cache.write(key, value || NULL) } if local_cache
 super
 end
 
 def delete(key, options = nil)
- local_cache.write(key, NULL) if local_cache
+ local_cache.mute { local_cache.write(key, NULL) } if local_cache
 super
 end
 
@@ -76,7 +76,7 @@ module ActiveSupport
 
 def increment(key, amount = 1)
 if value = super
- local_cache.write(key, value.to_s) if local_cache
+ local_cache.mute { local_cache.write(key, value.to_s) } if local_cache
 value
 else
 nil
@@ -85,7 +85,7 @@ module ActiveSupport
 
 def decrement(key, amount = 1)
 if value = super
- local_cache.write(key, value.to_s) if local_cache
+ local_cache.mute { local_cache.write(key, value.to_s) } if local_cache
 value
 else
 nil
--
cgit v1.2.3
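Review bot: The expression `local_cache.mute { local_cache.write(key, ...) } if local_cache` is now written out five times across the hunks at @@ -44, @@ -54, @@ -76 and @@ -85, each evaluating `local_cache` twice, so the muting policy lives in five places instead of one. A private helper keeps it in a single spot: `def write_to_local_cache(key, value)` / `local_cache.mute { local_cache.write(key, value) } if local_cache` / `end`, with the call sites becoming `write_to_local_cache(key, value || NULL)` and `write_to_local_cache(key, value.to_s)`. The helper evaluates `local_cache` twice exactly as the original does, so if it is a per-thread lookup rather than a plain reader (not visible in these hunks) behaviour is unchanged. The memory_store.rb hunk only adds a require and needs nothing.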
From c23d28e2b39eea266bc783c5e6b656b84866ee84 Mon Sep 17 00:00:00 2001
From: Jeremy Kemper
Date: Wed, 7 Oct 2009 16:59:51 -0700
Subject: To unmarshal MissingSourceFile from child

---
 activesupport/lib/active_support/testing/isolation.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'activesupport/lib')

diff --git a/activesupport/lib/active_support/testing/isolation.rb b/activesupport/lib/active_support/testing/isolation.rb
index cdd6d5f49b..bec303f6ab 100644
--- a/activesupport/lib/active_support/testing/isolation.rb
+++ b/activesupport/lib/active_support/testing/isolation.rb
@@ -1,3 +1,5 @@
+require 'active_support/core_ext/load_error'
+
 module ActiveSupport
 module Testing
 class ProxyTestResult
@@ -107,4 +109,4 @@ if ENV['ISOLATION_TEST']
 super && test.method_name == ENV['ISOLATION_TEST']
 end
 end
-end
\ No newline at end of file
+end
--
cgit v1.2.3
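Review bot: The new `require 'active_support/core_ext/load_error'` at the top of isolation.rb carries no comment, and its purpose — per the commit subject, having `MissingSourceFile` defined in the parent before a child's marshaled result is loaded — cannot be recovered from the line itself, so a future cleanup could drop it as unused. Suggest `# MissingSourceFile must be defined in the parent so a child's marshaled failure can be unmarshaled` directly above the require. The trailing-newline fix in the second hunk needs nothing.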