From c31cc963daac55f6a3bca9da99b619276911dbd7 Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Sat, 5 Jan 2013 17:46:26 -0700 Subject: Revert "Merge branch 'master-sec'" This reverts commit 88cc1688d0cb828c17706b41a8bd27870f2a2beb, reversing changes made to f049016cd348627bf8db0d72382d7580bf802a79. --- activesupport/CHANGELOG.md | 7 ------ .../active_support/core_ext/hash/conversions.rb | 27 ++++----------------- activesupport/test/core_ext/hash_ext_test.rb | 28 +++++----------------- 3 files changed, 10 insertions(+), 52 deletions(-) (limited to 'activesupport') diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 5848f9712f..08bec2f4ae 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,12 +1,5 @@ ## Rails 4.0.0 (unreleased) ## -* Hash.from_xml raises when it encounters type="symbol" or type="yaml". - Use Hash.from_trusted_xml to parse this XML. - - CVE-2013-0156 - - *Jeremy Kemper* - * Deprecate `assert_present` and `assert_blank` in favor of `assert object.blank?` and `assert object.present?` diff --git a/activesupport/lib/active_support/core_ext/hash/conversions.rb b/activesupport/lib/active_support/core_ext/hash/conversions.rb index 8930376ac8..6cb7434e5f 100644 --- a/activesupport/lib/active_support/core_ext/hash/conversions.rb +++ b/activesupport/lib/active_support/core_ext/hash/conversions.rb @@ -101,33 +101,17 @@ class Hash # # hash = Hash.from_xml(xml) # # => {"hash"=>{"foo"=>1, "bar"=>2}} - # - # DisallowedType is raise if the XML contains attributes with type="yaml" or - # type="symbol". Use Hash.from_trusted_xml to parse this XML. - def from_xml(xml, disallowed_types = nil) - ActiveSupport::XMLConverter.new(xml, disallowed_types).to_h + def from_xml(xml) + ActiveSupport::XMLConverter.new(xml).to_h end - # Builds a Hash from XML just like Hash.from_xml, but also allows Symbol and YAML. - def from_trusted_xml(xml) - from_xml xml, [] - end end end module ActiveSupport class XMLConverter # :nodoc: - class DisallowedType < StandardError - def initialize(type) - super "Disallowed type attribute: #{type.inspect}" - end - end - - DISALLOWED_TYPES = %w(symbol yaml) - - def initialize(xml, disallowed_types = nil) + def initialize(xml) @xml = normalize_keys(XmlMini.parse(xml)) - @disallowed_types = disallowed_types || DISALLOWED_TYPES end def to_h @@ -135,6 +119,7 @@ module ActiveSupport end private + def normalize_keys(params) case params when Hash @@ -160,10 +145,6 @@ module ActiveSupport end def process_hash(value) - if value.include?('type') && !value['type'].is_a?(Hash) && @disallowed_types.include?(value['type']) - raise DisallowedType, value['type'] - end - if become_array?(value) _, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) }) if entries.nil? || value['__content__'].try(:empty?) diff --git a/activesupport/test/core_ext/hash_ext_test.rb b/activesupport/test/core_ext/hash_ext_test.rb index 30d95b75bc..84dd9bc983 100644 --- a/activesupport/test/core_ext/hash_ext_test.rb +++ b/activesupport/test/core_ext/hash_ext_test.rb @@ -1015,10 +1015,12 @@ class HashToXmlTest < ActiveSupport::TestCase 2592000000 2003-07-16 2003-07-16T09:28:00+0000 + --- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n should_have_underscores: true\n david@loudthinking.com 1.5 135 + yes EOT @@ -1031,10 +1033,12 @@ class HashToXmlTest < ActiveSupport::TestCase :replies_close_in => 2592000000, :written_on => Date.new(2003, 7, 16), :viewed_at => Time.utc(2003, 7, 16, 9, 28), + :content => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] }, :author_email_address => "david@loudthinking.com", :parent_id => nil, :ad_revenue => BigDecimal("1.50"), :optimum_viewing_angle => 135.0, + :resident => :yes }.stringify_keys assert_equal expected_topic_hash, Hash.from_xml(topic_xml)["topic"] @@ -1048,6 +1052,7 @@ class HashToXmlTest < ActiveSupport::TestCase + EOT @@ -1058,6 +1063,7 @@ class HashToXmlTest < ActiveSupport::TestCase :approved => nil, :written_on => nil, :viewed_at => nil, + :content => nil, :parent_id => nil }.stringify_keys @@ -1284,28 +1290,6 @@ class HashToXmlTest < ActiveSupport::TestCase assert_equal expected_product_hash, Hash.from_xml(product_xml)["product"] end - def test_from_xml_raises_on_disallowed_type_attributes - assert_raise ActiveSupport::XMLConverter::DisallowedType do - Hash.from_xml 'value', %w(foo) - end - end - - def test_from_xml_disallows_symbol_and_yaml_types_by_default - assert_raise ActiveSupport::XMLConverter::DisallowedType do - Hash.from_xml 'value' - end - - assert_raise ActiveSupport::XMLConverter::DisallowedType do - Hash.from_xml 'value' - end - end - - def test_from_trusted_xml_allows_symbol_and_yaml_types - expected = { 'product' => { 'name' => :value }} - assert_equal expected, Hash.from_trusted_xml('value') - assert_equal expected, Hash.from_trusted_xml(':value') - end - def test_should_use_default_value_for_unknown_key hash_wia = HashWithIndifferentAccess.new(3) assert_equal 3, hash_wia[:new_key] -- cgit v1.2.3