1.4-stable: add a link to a mail posted on 14 Jan 2013 about Rails 2.3 CVE-2013-0155...
Toshi MARUYAMA -
r10978:5c077abb0eac
@@ -1,157 +1,159
1 # Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message
1 # Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message
2 if RUBY_VERSION >= '1.9.3'
2 if RUBY_VERSION >= '1.9.3'
3 MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
3 MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
4 end
4 end
5
5
6 require 'active_record'
6 require 'active_record'
7
7
8 module ActiveRecord
8 module ActiveRecord
9 class Base
9 class Base
10 include Redmine::I18n
10 include Redmine::I18n
11
11
12 # Translate attribute names for validation errors display
12 # Translate attribute names for validation errors display
13 def self.human_attribute_name(attr, *args)
13 def self.human_attribute_name(attr, *args)
14 l("field_#{attr.to_s.gsub(/_id$/, '')}", :default => attr)
14 l("field_#{attr.to_s.gsub(/_id$/, '')}", :default => attr)
15 end
15 end
16 end
16 end
17 end
17 end
18
18
19 module ActionView
19 module ActionView
20 module Helpers
20 module Helpers
21 module DateHelper
21 module DateHelper
22 # distance_of_time_in_words breaks when difference is greater than 30 years
22 # distance_of_time_in_words breaks when difference is greater than 30 years
23 def distance_of_date_in_words(from_date, to_date = 0, options = {})
23 def distance_of_date_in_words(from_date, to_date = 0, options = {})
24 from_date = from_date.to_date if from_date.respond_to?(:to_date)
24 from_date = from_date.to_date if from_date.respond_to?(:to_date)
25 to_date = to_date.to_date if to_date.respond_to?(:to_date)
25 to_date = to_date.to_date if to_date.respond_to?(:to_date)
26 distance_in_days = (to_date - from_date).abs
26 distance_in_days = (to_date - from_date).abs
27
27
28 I18n.with_options :locale => options[:locale], :scope => :'datetime.distance_in_words' do |locale|
28 I18n.with_options :locale => options[:locale], :scope => :'datetime.distance_in_words' do |locale|
29 case distance_in_days
29 case distance_in_days
30 when 0..60 then locale.t :x_days, :count => distance_in_days.round
30 when 0..60 then locale.t :x_days, :count => distance_in_days.round
31 when 61..720 then locale.t :about_x_months, :count => (distance_in_days / 30).round
31 when 61..720 then locale.t :about_x_months, :count => (distance_in_days / 30).round
32 else locale.t :over_x_years, :count => (distance_in_days / 365).floor
32 else locale.t :over_x_years, :count => (distance_in_days / 365).floor
33 end
33 end
34 end
34 end
35 end
35 end
36 end
36 end
37 end
37 end
38 end
38 end
39
39
40 ActionView::Base.field_error_proc = Proc.new{ |html_tag, instance| "#{html_tag}" }
40 ActionView::Base.field_error_proc = Proc.new{ |html_tag, instance| "#{html_tag}" }
41
41
42 module AsynchronousMailer
42 module AsynchronousMailer
43 # Adds :async_smtp and :async_sendmail delivery methods
43 # Adds :async_smtp and :async_sendmail delivery methods
44 # to perform email deliveries asynchronously
44 # to perform email deliveries asynchronously
45 %w(smtp sendmail).each do |type|
45 %w(smtp sendmail).each do |type|
46 define_method("perform_delivery_async_#{type}") do |mail|
46 define_method("perform_delivery_async_#{type}") do |mail|
47 Thread.start do
47 Thread.start do
48 send "perform_delivery_#{type}", mail
48 send "perform_delivery_#{type}", mail
49 end
49 end
50 end
50 end
51 end
51 end
52
52
53 # Adds a delivery method that writes emails in tmp/emails for testing purpose
53 # Adds a delivery method that writes emails in tmp/emails for testing purpose
54 def perform_delivery_tmp_file(mail)
54 def perform_delivery_tmp_file(mail)
55 dest_dir = File.join(Rails.root, 'tmp', 'emails')
55 dest_dir = File.join(Rails.root, 'tmp', 'emails')
56 Dir.mkdir(dest_dir) unless File.directory?(dest_dir)
56 Dir.mkdir(dest_dir) unless File.directory?(dest_dir)
57 File.open(File.join(dest_dir, mail.message_id.gsub(/[<>]/, '') + '.eml'), 'wb') {|f| f.write(mail.encoded) }
57 File.open(File.join(dest_dir, mail.message_id.gsub(/[<>]/, '') + '.eml'), 'wb') {|f| f.write(mail.encoded) }
58 end
58 end
59 end
59 end
60
60
61 ActionMailer::Base.send :include, AsynchronousMailer
61 ActionMailer::Base.send :include, AsynchronousMailer
62
62
63 module TMail
63 module TMail
64 # TMail::Unquoter.convert_to_with_fallback_on_iso_8859_1 introduced in TMail 1.2.7
64 # TMail::Unquoter.convert_to_with_fallback_on_iso_8859_1 introduced in TMail 1.2.7
65 # triggers a test failure in test_add_issue_with_japanese_keywords(MailHandlerTest)
65 # triggers a test failure in test_add_issue_with_japanese_keywords(MailHandlerTest)
66 class Unquoter
66 class Unquoter
67 class << self
67 class << self
68 alias_method :convert_to, :convert_to_without_fallback_on_iso_8859_1
68 alias_method :convert_to, :convert_to_without_fallback_on_iso_8859_1
69 end
69 end
70 end
70 end
71
71
72 # Patch for TMail 1.2.7. See http://www.redmine.org/issues/8751
72 # Patch for TMail 1.2.7. See http://www.redmine.org/issues/8751
73 class Encoder
73 class Encoder
74 def puts_meta(str)
74 def puts_meta(str)
75 add_text str
75 add_text str
76 end
76 end
77 end
77 end
78 end
78 end
79
79
80 module ActionController
80 module ActionController
81 module MimeResponds
81 module MimeResponds
82 class Responder
82 class Responder
83 def api(&block)
83 def api(&block)
84 any(:xml, :json, &block)
84 any(:xml, :json, &block)
85 end
85 end
86 end
86 end
87 end
87 end
88
88
89 # CVE-2012-2660
89 # CVE-2012-2660
90 # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
90 # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
91 # CVE-2012-2694
91 # CVE-2012-2694
92 # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
92 # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
93 class Request
93 class Request
94 protected
94 protected
95
95
96 # Remove nils from the params hash
96 # Remove nils from the params hash
97 def deep_munge(hash)
97 def deep_munge(hash)
98 keys = hash.keys.find_all { |k| hash[k] == [nil] }
98 keys = hash.keys.find_all { |k| hash[k] == [nil] }
99 keys.each { |k| hash[k] = nil }
99 keys.each { |k| hash[k] = nil }
100
100
101 hash.each_value do |v|
101 hash.each_value do |v|
102 case v
102 case v
103 when Array
103 when Array
104 v.grep(Hash) { |x| deep_munge(x) }
104 v.grep(Hash) { |x| deep_munge(x) }
105 v.compact!
105 v.compact!
106 when Hash
106 when Hash
107 deep_munge(v)
107 deep_munge(v)
108 end
108 end
109 end
109 end
110 hash
110 hash
111 end
111 end
112
112
113 def parse_query(qs)
113 def parse_query(qs)
114 deep_munge(super)
114 deep_munge(super)
115 end
115 end
116 end
116 end
117 end
117 end
118
118
119 # Fix for CVE-2013-0155
119 # Fix for CVE-2013-0155
120 # https://groups.google.com/d/msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ
120 # https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
121 # https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
122 # https://github.com/rails/rails/blob/v2.3.15/activerecord/lib/active_record/base.rb#L2340
121 module ActiveRecord
123 module ActiveRecord
122 class Base
124 class Base
123 class << self
125 class << self
124 protected
126 protected
125 def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
127 def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
126 attrs = expand_hash_conditions_for_aggregates(attrs)
128 attrs = expand_hash_conditions_for_aggregates(attrs)
127
129
128 return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
130 return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
129
131
130 conditions = attrs.map do |attr, value|
132 conditions = attrs.map do |attr, value|
131 table_name = default_table_name
133 table_name = default_table_name
132
134
133 if not value.is_a?(Hash)
135 if not value.is_a?(Hash)
134 attr = attr.to_s
136 attr = attr.to_s
135
137
136 # Extract table name from qualified attribute names.
138 # Extract table name from qualified attribute names.
137 if attr.include?('.') and top_level
139 if attr.include?('.') and top_level
138 attr_table_name, attr = attr.split('.', 2)
140 attr_table_name, attr = attr.split('.', 2)
139 attr_table_name = connection.quote_table_name(attr_table_name)
141 attr_table_name = connection.quote_table_name(attr_table_name)
140 else
142 else
141 attr_table_name = table_name
143 attr_table_name = table_name
142 end
144 end
143
145
144 attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
146 attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
145 elsif top_level
147 elsif top_level
146 sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
148 sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
147 else
149 else
148 raise ActiveRecord::StatementInvalid
150 raise ActiveRecord::StatementInvalid
149 end
151 end
150 end.join(' AND ')
152 end.join(' AND ')
151
153
152 replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
154 replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
153 end
155 end
154 alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
156 alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
155 end
157 end
156 end
158 end
157 end
159 end
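Review bot: `def self.sanitize_sql_hash_for_conditions` (new line 127) is written inside `class << self` (new line 125), so Ruby defines it on the singleton class of `#<Class:ActiveRecord::Base>`, not on `ActiveRecord::Base`; `ActiveRecord::Base.sanitize_sql_hash_for_conditions` therefore still resolves to the Rails definition and the backported CVE-2013-0155 logic below it (the `'1 = 2'` return and the `ActiveRecord::StatementInvalid` raise for hashes nested below top level) never runs unless the installed Rails already carries the 2.3.15 fix. The `alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions` on line 156 does not expose this, because inside `class << self` it aliases whatever method the singleton class already has, i.e. the original one, so the patch fails silently. Drop the `self.` prefix: `def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)`. A regression test asserting that a nested condition such as `{:a => {:b => {:c => 1}}}` raises `ActiveRecord::StatementInvalid` would confirm the override is actually the method Rails dispatches to; this section is the whole file, so the enclosing modules are fully visible.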