1.4-stable: add a link to a mail posted on 14 Jan 2013 about Rails 2.3 CVE-2013-0155...
Toshi MARUYAMA -
r10978:5c077abb0eac
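--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,157 +1,159 @@
 # Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message
 if RUBY_VERSION >= '1.9.3'
 MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
 end
 
 require 'active_record'
 
 module ActiveRecord
 class Base
 include Redmine::I18n
 
 # Translate attribute names for validation errors display
 def self.human_attribute_name(attr, *args)
 l("field_#{attr.to_s.gsub(/_id$/, '')}", :default => attr)
 end
 end
 end
 
 module ActionView
 module Helpers
 module DateHelper
 # distance_of_time_in_words breaks when difference is greater than 30 years
 def distance_of_date_in_words(from_date, to_date = 0, options = {})
 from_date = from_date.to_date if from_date.respond_to?(:to_date)
 to_date = to_date.to_date if to_date.respond_to?(:to_date)
 distance_in_days = (to_date - from_date).abs
 
 I18n.with_options :locale => options[:locale], :scope => :'datetime.distance_in_words' do |locale|
 case distance_in_days
 when 0..60 then locale.t :x_days, :count => distance_in_days.round
 when 61..720 then locale.t :about_x_months, :count => (distance_in_days / 30).round
 else locale.t :over_x_years, :count => (distance_in_days / 365).floor
 end
 end
 end
 end
 end
 end
 
 ActionView::Base.field_error_proc = Proc.new{ |html_tag, instance| "#{html_tag}" }
 
 module AsynchronousMailer
 # Adds :async_smtp and :async_sendmail delivery methods
 # to perform email deliveries asynchronously
 %w(smtp sendmail).each do |type|
 define_method("perform_delivery_async_#{type}") do |mail|
 Thread.start do
 send "perform_delivery_#{type}", mail
 end
 end
 end
 
 # Adds a delivery method that writes emails in tmp/emails for testing purpose
 def perform_delivery_tmp_file(mail)
 dest_dir = File.join(Rails.root, 'tmp', 'emails')
 Dir.mkdir(dest_dir) unless File.directory?(dest_dir)
 File.open(File.join(dest_dir, mail.message_id.gsub(/[<>]/, '') + '.eml'), 'wb') {|f| f.write(mail.encoded) }
 end
 end
 
 ActionMailer::Base.send :include, AsynchronousMailer
 
 module TMail
 # TMail::Unquoter.convert_to_with_fallback_on_iso_8859_1 introduced in TMail 1.2.7
 # triggers a test failure in test_add_issue_with_japanese_keywords(MailHandlerTest)
 class Unquoter
 class << self
 alias_method :convert_to, :convert_to_without_fallback_on_iso_8859_1
 end
 end
 
 # Patch for TMail 1.2.7. See http://www.redmine.org/issues/8751
 class Encoder
 def puts_meta(str)
 add_text str
 end
 end
 end
 
 module ActionController
 module MimeResponds
 class Responder
 def api(&block)
 any(:xml, :json, &block)
 end
 end
 end
 
 # CVE-2012-2660
 # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
 # CVE-2012-2694
 # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
 class Request
 protected
 
 # Remove nils from the params hash
 def deep_munge(hash)
 keys = hash.keys.find_all { |k| hash[k] == [nil] }
 keys.each { |k| hash[k] = nil }
 
 hash.each_value do |v|
 case v
 when Array
 v.grep(Hash) { |x| deep_munge(x) }
 v.compact!
 when Hash
 deep_munge(v)
 end
 end
 hash
 end
 
 def parse_query(qs)
 deep_munge(super)
 end
 end
 end
 
 # Fix for CVE-2013-0155
+# https://groups.google.com/d/msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ
 # https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
+# https://github.com/rails/rails/blob/v2.3.15/activerecord/lib/active_record/base.rb#L2340
 module ActiveRecord
 class Base
 class << self
 protected
 def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
 attrs = expand_hash_conditions_for_aggregates(attrs)
 
 return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
 
 conditions = attrs.map do |attr, value|
 table_name = default_table_name
 
 if not value.is_a?(Hash)
 attr = attr.to_s
 
 # Extract table name from qualified attribute names.
 if attr.include?('.') and top_level
 attr_table_name, attr = attr.split('.', 2)
 attr_table_name = connection.quote_table_name(attr_table_name)
 else
 attr_table_name = table_name
 end
 
 attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
 elsif top_level
 sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
 else
 raise ActiveRecord::StatementInvalid
 end
 end.join(' AND ')
 
 replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
 end
 alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
 end
 end
 end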
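Review bot: The CVE-2013-0155 backport the new comment lines point at appears not to take effect, because `def self.sanitize_sql_hash_for_conditions(...)` is written inside `class << self`, where `self` is already the singleton class of ActiveRecord::Base, so the `self.` prefix seems to define the method on that singleton class's own singleton rather than replace `ActiveRecord::Base.sanitize_sql_hash_for_conditions`. If that reading is right, the stock Rails 2.3 implementation is still what callers reach, and the `alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions` that follows aliases the unpatched method. Dropping the prefix, `def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)`, would define the override where the `protected` marker above it already applies; confirming with `ActiveRecord::Base.method(:sanitize_sql_hash_for_conditions).source_location` in a console would settle which definition is live. The commit itself only adds reference links, so this is a pre-existing issue in the context rather than something the change introduces.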