From 23434f6162304292e8c4e28f2744e2cce719b372 Mon Sep 17 00:00:00 2001
From: Steve Klabnik <steve@steveklabnik.com>
Date: Wed, 27 Feb 2013 10:01:29 -0800
Subject: Update CHANGELOGs for 3.2.13 release.

---
 activesupport/CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'activesupport')

diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 117e34a822..ea72f692d3 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,5 +1,11 @@
 ## unreleased ##
 
+*   No changes.
+
+
+## Rails 3.2.13 (Feb 17, 2013) ##
+
+
 *   Fix DateTime comparison with DateTime::Infinity object.
 
     *Dan Kubb*
-- 
cgit v1.2.3


From 5ca59b02d1cc80f3463eef062ced079eb1b3998c Mon Sep 17 00:00:00 2001
From: Steve Klabnik <steve@steveklabnik.com>
Date: Wed, 27 Feb 2013 12:19:06 -0800
Subject: Preparing for 3.2.13.rc1 release

---
 activesupport/lib/active_support/version.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'activesupport')

diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index 2230c5b78e..2e1c2ac36e 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,8 +2,8 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 12
-    PRE   = nil
+    TINY  = 13
+    PRE   = "rc1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
-- 
cgit v1.2.3


From ccf256d8dcc68d975bbf00780c3b4096f47e29d3 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 6 Mar 2013 15:05:13 -0800
Subject: bumping to rc2

---
 activesupport/lib/active_support/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'activesupport')

diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index 2e1c2ac36e..ce6a47f110 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -3,7 +3,7 @@ module ActiveSupport
     MAJOR = 3
     MINOR = 2
     TINY  = 13
-    PRE   = "rc1"
+    PRE   = "rc2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
-- 
cgit v1.2.3


From c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f Mon Sep 17 00:00:00 2001
From: Ben Murphy <benmmurphy@gmail.com>
Date: Fri, 8 Feb 2013 02:48:22 +0000
Subject: JDOM XXE Protection [CVE-2013-1856]

Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
---
 activesupport/lib/active_support/xml_mini/jdom.rb |  6 ++++
 activesupport/test/fixtures/xml/jdom_doctype.dtd  |  1 +
 activesupport/test/fixtures/xml/jdom_entities.txt |  1 +
 activesupport/test/fixtures/xml/jdom_include.txt  |  1 +
 activesupport/test/xml_mini/jdom_engine_test.rb   | 39 +++++++++++++++++++++--
 5 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 activesupport/test/fixtures/xml/jdom_doctype.dtd
 create mode 100644 activesupport/test/fixtures/xml/jdom_entities.txt
 create mode 100644 activesupport/test/fixtures/xml/jdom_include.txt

(limited to 'activesupport')

diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb
index 6c222b83ba..8d23ce4e18 100644
--- a/activesupport/lib/active_support/xml_mini/jdom.rb
+++ b/activesupport/lib/active_support/xml_mini/jdom.rb
@@ -38,6 +38,12 @@ module ActiveSupport
         {}
       else
         @dbf = DocumentBuilderFactory.new_instance
+        # secure processing of java xml
+        # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
+        @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+        @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
         xml_string_reader = StringReader.new(data)
         xml_input_source = InputSource.new(xml_string_reader)
         doc = @dbf.new_document_builder.parse(xml_input_source)
diff --git a/activesupport/test/fixtures/xml/jdom_doctype.dtd b/activesupport/test/fixtures/xml/jdom_doctype.dtd
new file mode 100644
index 0000000000..89480496ef
--- /dev/null
+++ b/activesupport/test/fixtures/xml/jdom_doctype.dtd
@@ -0,0 +1 @@
+<!ENTITY a "external entity">
diff --git a/activesupport/test/fixtures/xml/jdom_entities.txt b/activesupport/test/fixtures/xml/jdom_entities.txt
new file mode 100644
index 0000000000..0337fdaa08
--- /dev/null
+++ b/activesupport/test/fixtures/xml/jdom_entities.txt
@@ -0,0 +1 @@
+<!ENTITY a "hello">
diff --git a/activesupport/test/fixtures/xml/jdom_include.txt b/activesupport/test/fixtures/xml/jdom_include.txt
new file mode 100644
index 0000000000..239ca3afaf
--- /dev/null
+++ b/activesupport/test/fixtures/xml/jdom_include.txt
@@ -0,0 +1 @@
+include me
diff --git a/activesupport/test/xml_mini/jdom_engine_test.rb b/activesupport/test/xml_mini/jdom_engine_test.rb
index 7f809e7898..ec81ada736 100644
--- a/activesupport/test/xml_mini/jdom_engine_test.rb
+++ b/activesupport/test/xml_mini/jdom_engine_test.rb
@@ -3,9 +3,11 @@ if RUBY_PLATFORM =~ /java/
   require 'active_support/xml_mini'
   require 'active_support/core_ext/hash/conversions'
 
-  class JDOMEngineTest < Test::Unit::TestCase
+  class JDOMEngineTest < ActiveSupport::TestCase
     include ActiveSupport
 
+    FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'
+
     def setup
       @default_backend = XmlMini.backend
       XmlMini.backend = 'JDOM'
@@ -30,10 +32,41 @@ if RUBY_PLATFORM =~ /java/
        assert_equal 'image/png', file.content_type
     end
 
+    def test_not_allowed_to_expand_entities_to_files
+      attack_xml = <<-EOT
+      <!DOCTYPE member [
+        <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
+      ]>
+      <member>x&a;</member>
+      EOT
+      assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+    end
+
+  def test_not_allowed_to_expand_parameter_entities_to_files
+      attack_xml = <<-EOT
+      <!DOCTYPE member [
+        <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
+        %b;
+      ]>
+      <member>x&a;</member>
+      EOT
+      assert_raise Java::OrgXmlSax::SAXParseException do
+        assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+      end
+    end
+
+
+    def test_not_allowed_to_load_external_doctypes
+      attack_xml = <<-EOT
+      <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
+      <member>x&a;</member>
+      EOT
+      assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+    end
+
     def test_exception_thrown_on_expansion_attack
-      assert_raise NativeException do
+      assert_raise Java::OrgXmlSax::SAXParseException do
         attack_xml = <<-EOT
-      <?xml version="1.0" encoding="UTF-8"?>
       <!DOCTYPE member [
         <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
         <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
-- 
cgit v1.2.3


From a4b55827721a5967299f3c1531afb3d6d81e4ac0 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Mon, 18 Mar 2013 09:23:04 -0700
Subject: bumping to 3.2.13

---
 activesupport/lib/active_support/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'activesupport')

diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb
index ce6a47f110..03b1e511d9 100644
--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -3,7 +3,7 @@ module ActiveSupport
     MAJOR = 3
     MINOR = 2
     TINY  = 13
-    PRE   = "rc2"
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
-- 
cgit v1.2.3