Commit c3b0a454 authored by Antonio Terceiro

Imported Upstream version 4.2.5.2

parent 14e50388
......@@ -14,55 +14,55 @@ GIT
PATH
remote: .
specs:
actionmailer (4.2.5)
actionpack (= 4.2.5)
actionview (= 4.2.5)
activejob (= 4.2.5)
actionmailer (4.2.5.2)
actionpack (= 4.2.5.2)
actionview (= 4.2.5.2)
activejob (= 4.2.5.2)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 1.0, >= 1.0.5)
actionpack (4.2.5)
actionview (= 4.2.5)
activesupport (= 4.2.5)
actionpack (4.2.5.2)
actionview (= 4.2.5.2)
activesupport (= 4.2.5.2)
rack (~> 1.6)
rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.5)
activesupport (= 4.2.5)
actionview (4.2.5.2)
activesupport (= 4.2.5.2)
builder (~> 3.1)
erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
activejob (4.2.5)
activesupport (= 4.2.5)
activejob (4.2.5.2)
activesupport (= 4.2.5.2)
globalid (>= 0.3.0)
activemodel (4.2.5)
activesupport (= 4.2.5)
activemodel (4.2.5.2)
activesupport (= 4.2.5.2)
builder (~> 3.1)
activerecord (4.2.5)
activemodel (= 4.2.5)
activesupport (= 4.2.5)
activerecord (4.2.5.2)
activemodel (= 4.2.5.2)
activesupport (= 4.2.5.2)
arel (~> 6.0)
activesupport (4.2.5)
activesupport (4.2.5.2)
i18n (~> 0.7)
json (~> 1.7, >= 1.7.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
rails (4.2.5)
actionmailer (= 4.2.5)
actionpack (= 4.2.5)
actionview (= 4.2.5)
activejob (= 4.2.5)
activemodel (= 4.2.5)
activerecord (= 4.2.5)
activesupport (= 4.2.5)
rails (4.2.5.2)
actionmailer (= 4.2.5.2)
actionpack (= 4.2.5.2)
actionview (= 4.2.5.2)
activejob (= 4.2.5.2)
activemodel (= 4.2.5.2)
activerecord (= 4.2.5.2)
activesupport (= 4.2.5.2)
bundler (>= 1.3.0, < 2.0)
railties (= 4.2.5)
railties (= 4.2.5.2)
sprockets-rails
railties (4.2.5)
actionpack (= 4.2.5)
activesupport (= 4.2.5)
railties (4.2.5.2)
actionpack (= 4.2.5.2)
activesupport (= 4.2.5.2)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
......
## Rails 4.2.5.2 (February 26, 2016) ##
* No changes.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* No changes.
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
## Rails 4.2.5.2 (February 26, 2016) ##
* Do not allow render with unpermitted parameter.
Fixes CVE-2016-2098.
*Arthur Neves*
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* `ActionController::TestCase` can teardown gracefully if an error is raised
......
......@@ -77,13 +77,13 @@ def view_assigns
# render "foo/bar" to render :file => "foo/bar".
# :api: plugin
def _normalize_args(action=nil, options={})
case action
when ActionController::Parameters
unless action.permitted?
if action.respond_to?(:permitted?)
if action.permitted?
action
else
raise ArgumentError, "render parameters are not permitted"
end
action
when Hash
elsif action.is_a?(Hash)
action
else
options
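Review bot: The new guard in `_normalize_args` is duck-typed on `respond_to?(:permitted?)`, so it only rejects an `ActionController::Parameters` object passed through unchanged; anything derived from it (a plain Hash from `to_unsafe_h`, for instance) has no `permitted?` and falls into the `is_a?(Hash)` branch untouched. That is the intended scope of the fix, but it is not obvious from the code and deserves a comment above the check, e.g. `# Refuse to use unpermitted strong parameters as render options; a Hash the caller builds from params (to_h/to_unsafe_h) is deliberately the caller's responsibility.` The `raise ArgumentError, "render parameters are not permitted"` literal is also duplicated in `ActionView::Renderer#render` in this commit, so keeping the message in one constant would stop the two from drifting. An `ArgumentError` escaping an action presumably surfaces as a server error rather than a client error, which is worth a line in the changelog entry. `_normalize_args` continues past the end of the hunk.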
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
......@@ -62,6 +62,10 @@ def dynamic_render
render params[:id] # => String, AC:Params
end
def dynamic_render_permit
render params[:id].permit(:file)
end
def dynamic_render_with_file
# This is extremely bad, but should be possible to do.
file = params[:id] # => String, AC:Params
......@@ -280,9 +284,24 @@ def accessing_logger_in_template
end
end
class MetalWithoutAVTestController < ActionController::Metal
include AbstractController::Rendering
include ActionController::Rendering
include ActionController::StrongParameters
def dynamic_params_render
render params
end
end
class ExpiresInRenderTest < ActionController::TestCase
tests TestController
def setup
super
ActionController::Base.view_paths.paths.each(&:clear_cache)
end
def test_dynamic_render_with_file
# This is extremely bad, but should be possible to do.
assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
......@@ -291,6 +310,18 @@ def test_dynamic_render_with_file
response.body
end
def test_dynamic_render_with_absolute_path
file = Tempfile.new('name')
file.write "secrets!"
file.flush
assert_raises ActionView::MissingTemplate do
response = get :dynamic_render, { id: file.path }
end
ensure
file.close
file.unlink
end
def test_dynamic_render
assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
assert_raises ActionView::MissingTemplate do
......@@ -298,10 +329,18 @@ def test_dynamic_render
end
end
def test_permitted_dynamic_render_file_hash
assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
response = get :dynamic_render_permit, { id: { file: '../\\../test/abstract_unit.rb' } }
assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),
response.body
end
def test_dynamic_render_file_hash
assert_raises ArgumentError do
e = assert_raises ArgumentError do
get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
end
assert_equal "render parameters are not permitted", e.message
end
def test_expires_in_header
......@@ -500,6 +539,17 @@ def test_access_to_logger_in_view
end
end
class MetalRenderWithoutAVTest < ActionController::TestCase
tests MetalWithoutAVTestController
def test_dynamic_params_render
e = assert_raises ArgumentError do
get :dynamic_params_render, { inline: '<%= RUBY_VERSION %>' }
end
assert_equal "render parameters are not permitted", e.message
end
end
class HeadRenderTest < ActionController::TestCase
tests TestController
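Review bot: `test_permitted_dynamic_render_file_hash` pins, as expected behaviour, that `params[:id].permit(:file)` followed by `render` serves a file reached through the `../\\../` traversal, i.e. the new gate is `permitted?` and nothing else; an application that permits `:file` on user input is back to rendering arbitrary files. That should be spelled out next to the test the way `dynamic_render_with_file` already is, e.g. `# permit(:file) re-enables the traversal on purpose: the fix gates on permitted?, not on the path.` In `test_dynamic_render_with_absolute_path` the `response =` local is never read, and if `Tempfile.new` itself raises, `file` is nil when the `ensure` block runs, so `file.close` there would mask the original failure with a `NoMethodError`; `file.close if file` and `file.unlink if file` avoid that. `Tempfile` is not required in the visible hunks, so confirm the test helper loads it.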
......
## Rails 4.2.5.2 (February 26, 2016) ##
* Do not allow render with unpermitted parameter.
Fixes CVE-2016-2098.
*Arthur Neves*
## Rails 4.2.5.1 (January 25, 2015) ##
* Adds boolean argument outside_app_allowed to `ActionView::Resolver#find_templates`
method.
*Aaron Patterson*
## Rails 4.2.5 (November 12, 2015) ##
* Fix `mail_to` when called with `nil` as argument.
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
......@@ -17,6 +17,10 @@ def initialize(lookup_context)
# Main render entry point shared by AV and AC.
def render(context, options)
if options.respond_to?(:permitted?) && !options.permitted?
raise ArgumentError, "render parameters are not permitted"
end
if options.key?(:partial)
render_partial(context, options)
else
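Review bot: The guard at the top of `render` is duck-typed on `permitted?`, so it rejects an `ActionController::Parameters` object passed as `options` but nothing derived from it (a Hash from `to_unsafe_h` has no `permitted?`); that scope is deliberate and should be stated, e.g. `# Reject unpermitted strong parameters used as render options (CVE-2016-2098); plain hashes are the caller's responsibility.` The same check with the same literal message is added to `AbstractController::Rendering#_normalize_args` in this commit, so controller renders run it twice and the two strings can drift; a shared constant for the message would keep them aligned. A bare `ArgumentError` also cannot be rescued separately from any other argument error; a dedicated `ArgumentError` subclass would keep existing rescues working while letting applications map it to a client error. `render` continues past the end of the hunk.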
......
......@@ -130,8 +130,8 @@ def find_all_anywhere(name, prefix, partial=false, details={}, key=nil, locals=[
# This is what child classes implement. No defaults are needed
# because Resolver guarantees that the arguments are present and
# normalized.
def find_templates(name, prefix, partial, details)
raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details) method"
def find_templates(name, prefix, partial, details, outside_app_allowed)
raise NotImplementedError, "Subclasses must implement a find_templates(name, prefix, partial, details, outside_app_allowed) method"
end
# Helpers that builds a path. Useful for building virtual paths.
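Review bot: The comment block above the abstract `find_templates` still says "No defaults are needed because Resolver guarantees that the arguments are present and normalized" but says nothing about the new fifth argument, so a subclass author has no idea what `outside_app_allowed` means or who sets it. Since the base class presumably now calls `find_templates` with five positional arguments (the caller is not in this hunk), any `ActionView::Resolver` subclass outside this tree that still defines the four-argument form will fail with an arity error, which the changelog entry should warn about. Extend the comment with e.g. `# outside_app_allowed: whether a template located outside the configured view paths may be returned; presumably false for names taken from request input — confirm against PathResolver`. The `NotImplementedError` message on the next line lists the parameters too, so the comment and the message should be kept in step.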
......
......@@ -148,6 +148,25 @@ def test_render_outside_path
end
end
def test_render_with_strong_parameters
params = { :inline => '<%= RUBY_VERSION %>' }
def params.permitted?
false
end
e = assert_raises ArgumentError do
@view.render(params)
end
assert_equal "render parameters are not permitted", e.message
end
def test_render_with_permitted_strong_parameters
params = { inline: "<%= 'hello' %>" }
def params.permitted?
true
end
assert_equal 'hello', @view.render(params)
end
def test_render_partial
assert_equal "only partial", @view.render(:partial => "test/partial_only")
end
......
......@@ -44,11 +44,11 @@ def test_simple_format
end
def test_simple_format_should_sanitize_input_when_sanitize_option_is_not_false
assert_equal "<p><b> test with unsafe string </b></p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
assert_equal "<p><b> test with unsafe string </b>code!</p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
end
def test_simple_format_should_sanitize_input_when_sanitize_option_is_true
assert_equal '<p><b> test with unsafe string </b></p>',
assert_equal '<p><b> test with unsafe string </b>code!</p>',
simple_format('<b> test with unsafe string </b><script>code!</script>', {}, sanitize: true)
end
......@@ -199,7 +199,7 @@ def test_highlight_should_return_blank_string_for_nil
def test_highlight_should_sanitize_input
assert_equal(
"This is a <mark>beautiful</mark> morning",
"This is a <mark>beautiful</mark> morningcode!",
highlight("This is a beautiful morning<script>code!</script>", "beautiful")
)
end
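Review bot: The new expectations in `test_simple_format_should_sanitize_input_when_sanitize_option_is_not_false`, its `sanitize: true` twin and `test_highlight_should_sanitize_input` assert that the `<script>` element is removed but its text `code!` is kept, with no comment saying this is intended; a later reader will take `morningcode!` for a regression. Add e.g. `# The sanitizer drops the <script> element but keeps its text node, so "code!" survives as plain text.` The `rails-html-sanitizer (~> 1.0, >= 1.0.2)` constraint in the Gemfile.lock hunk is unchanged, so this presumably tracks a behaviour change in a newer resolved sanitizer rather than code in this tree — worth confirming in the commit message. Because the retained text is exactly what an attacker controls, a payload whose script body contains `<` or `&` (e.g. `<script>1<2</script>`) would additionally show that the kept text is escaped rather than re-emitted raw.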
......
## Rails 4.2.5.2 (February 26, 2016) ##
* No changes.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* No changes.
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
## Rails 4.2.5.2 (February 26, 2016) ##
* No changes.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* No changes.
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
## Rails 4.2.5.2 (February 26, 2016) ##
* No changes.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* No longer pass deprecated option `-i` to `pg_dump`.
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
## Rails 4.2.5.2 (February 26, 2016) ##
* No changes.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* Fix `TimeWithZone#eql?` to properly handle `TimeWithZone` created from `DateTime`:
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
## Rails 4.2.5.2 (February 26, 2016) ##
* No changes.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* No changes.
......
## Rails 4.2.5.2 (February 26, 2016) ##
* No changes.
## Rails 4.2.5.1 (January 25, 2015) ##
* No changes.
## Rails 4.2.5 (November 12, 2015) ##
* Fix displaying mailer previews on non local requests when config
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......
......@@ -8,7 +8,7 @@ module VERSION
MAJOR = 4
MINOR = 2
TINY = 5
PRE = "1"
PRE = "2"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
......