Hello community,

here is the log from the commit of package rubygem-actionpack-3_2.2589 for openSUSE:13.1:Update checked in at 2014-02-26 10:19:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/rubygem-actionpack-3_2.2589 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.rubygem-actionpack-3_2.2589.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-3_2.2589"

Changes:
--------
New Changes file:

--- /dev/null	2014-02-13 01:09:38.344032506 +0100
+++ /work/SRC/openSUSE:13.1:Update/.rubygem-actionpack-3_2.2589.new/rubygem-actionpack-3_2.changes	2014-02-26 10:19:28.000000000 +0100
@@ -0,0 +1,212 @@
+-------------------------------------------------------------------
+Fri Feb 21 11:05:34 UTC 2014 - jmassaguerpla@suse.com
+
+- fix rubygem patches are not applied to the gem but only to the tree
+  (bnc#864873)
+
+-------------------------------------------------------------------
+Wed Feb 19 17:25:03 UTC 2014 - jmassaguerpla@suse.com
+
+- fix CVE-2014-0081: XSS Vulnerability in number_to_currency,
+  number_to_percentage and number_to_human (bnc#864433)
+
+- fix CVE-2014-0082: Denial of Service Vulnerability in Action View
+  when using render :text (bnc#864431)
+
+- added patches:
+  * CVE-2014-0081.patch: contains fix for CVE-2014-0081
+  * CVE-2014-0082.patch: contains fix for CVE-2014-0082
+-------------------------------------------------------------------
+Thu Dec 12 17:28:43 UTC 2013 - jmassaguerpla@suse.com
+
+- fix CVE-2013-4389: rubygem-actionmailer-3_1: possible DoS
+  vulnerability in the log subscriber component (bnc#846239)
+  File CVE-2013-4389.patch contains the fix.
+
+-------------------------------------------------------------------
+Tue Dec 10 16:20:08 UTC 2013 - jmassaguerpla@suse.com
+
+- fix CVE-2013-4491: rubygem-actionpack: i18n missing translation
+  XSS (bnc#853625). File CVE-2013-4491.patch contains the patch
+- fix CVE-2013-6414: rubygem-actionpack: Action View DoS
+  (bnc#853633). File CVE-2013-6414.patch contains the patch.
+- fix CVE-2013-6415: rubygem-actionpack: number_to_currency XSS
+  (bnc#853632). File CVE-2013-6415.patch contains the patch.
+- fix CVE-2013-6417: rubygem-actionpack: unsafe query generation
+  risk (incomplete fix for CVE-2013-0155) (bnc#853627). File
+  CVE-2013-6417.patch contains the patch.
+
+-------------------------------------------------------------------
+Mon Mar 18 19:51:31 UTC 2013 - coolo@suse.com
+
+- updated to version 3.2.13
+  * Fix incorrectly appended square brackets to a multiple select box
+    if an explicit name has been given and it already ends with "[]".
+  * Determine the controller#action from only the matched path when using the
+    shorthand syntax. Previously the complete path was used, which led
+    to problems with nesting (scopes and namespaces).
+    Fixes #7554.
+  * Fix `assert_template` with `render :stream => true`.
+    Fix #1743.
+  * Eagerly populate the http method lookup cache so local project inflections do
+    not interfere with use of underscore method ( and we don't need locks )
+  * `BestStandardsSupport` no longer duplicates `X-UA-Compatible` values on
+    each request to prevent header size from blowing up.
+  * Fixed JSON params parsing regression for non-object JSON content.
+  * Prevent unnecessary asset compilation when using `javascript_include_tag` on
+    files with non-standard extensions.
+  * Fixes issue where duplicate assets can be required with sprockets.
+
+-------------------------------------------------------------------
+Tue Feb 12 13:38:03 UTC 2013 - coolo@suse.com
+
+- updated to version 3.2.12, version bump
+
+-------------------------------------------------------------------
+Tue Jan 8 20:13:38 UTC 2013 - coolo@suse.com
+
+- updated to version 3.2.11
+  * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+
+-------------------------------------------------------------------
+Thu Jan 3 22:42:51 UTC 2013 - coolo@suse.com
+
+- updated to version 3.2.10, version bump
+
+-------------------------------------------------------------------
+Tue Nov 13 13:56:59 UTC 2012 - coolo@suse.com
+
+- updated to version 3.2.9
+  * Clear url helpers when reloading routes.
+  * Accept :remote as symbolic option for `link_to` helper. *Riley Lynch*
+  * Warn when the `:locals` option is passed to `assert_template` outside of a view test case
+    Fix #3415
+  * Rename internal variables on ActionController::TemplateAssertions to prevent
+    naming collisions. @partials, @templates and @layouts are now prefixed with an underscore.
+    Fix #7459
+  * `resource` and `resources` don't modify the passed options hash
+    Fix #7777
+  * Precompiled assets include aliases from foo.js to foo/index.js and vice versa.
+      # Precompiles phone-<digest>.css and aliases phone/index.css to phone.css.
+      config.assets.precompile = [ 'phone.css' ]
+  * `assert_template` is no longer passing with whatever string matches
+    the template name.
+    Fixes #3849.
+  * Handle `ActionDispatch::Http::UploadedFile` like `Rack::Test::UploadedFile`, don't call to_param on it. Since
+    `Rack::Test::UploadedFile` isn't API compatible this is needed to test file uploads that rely on `tempfile`
+    being available.
+  * Respect `config.digest = false` for `asset_path`
+  * Fix #7646, the log now displays the correct status code when an exception is raised.
+  * Fix handling of date selects when using both disabled and discard options.
+    Fixes #7431.
+  * Fix select_tag when option_tags is nil.
+    Fixes #7404.
+  * `javascript_include_tag :all` will now not include `application.js` if the file does not exist. *Prem Sichanugrist*
+  * Support cookie jar options (e.g., domain :all) for all session stores.
+    Fixes GH#3047, GH#2483.
+  * Performance Improvement to send_file: Avoid having to pass an open file handle as the response body. Rack::Sendfile
+    will usually intercept the response and just use the path directly, so no reason to open the file. This performance
+
+-------------------------------------------------------------------
+Fri Aug 10 06:29:13 UTC 2012 - coolo@suse.com
+
+- updated to version 3.2.8
+  * html_escape should escape single quotes.
+  * Reverted the deprecation of :confirm.
+  * Reverted the deprecation of :disable_with.
+  * Reverted the deprecation of :mouseover option to image_tag.
+  * Reverted the deprecation of button_to_function and link_to_function helpers.
+
+-------------------------------------------------------------------
+Fri Jul 27 13:32:25 UTC 2012 - coolo@suse.com
+
+- update to 3.2.7
+  * Do not convert digest auth strings to symbols. CVE-2012-3424
+  * Bump Journey requirements to 1.0.4
+  * Add support for optional root segments containing slashes
+  * Fixed bug creating invalid HTML in select options
+  * Show in log correct wrapped keys
+  * Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
+  * ActionController::Metal doesn't have logger method, check it and then delegate
+  * ActionController::Caching depends on RackDelegation and AbstractController::Callbacks
+
+-------------------------------------------------------------------
+Thu Jun 28 12:57:50 UTC 2012 - coolo@suse.com
+
+- update to 3.2.6
+  * nil is removed from array parameter values
+    CVE-2012-2694
+  * Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag
+` helpers.
+  * Allow use of mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki*
+  * Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
+  * Deprecate old APIs for highlight, excerpt and word_wrap *Jeremy Walker*
+  * Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to`, `button_tag` and `submit_tag` helpers.
+  * Deprecate `:mouseover` option for `image_tag` helper. *Rafael Mendonça França*
+  * Deprecate `button_to_function` and `link_to_function` helpers. *Rafael Mendonça França*
+  * Don't break Haml with textarea newline fix. GH #393, #4000, #5190, #5191
+  * Fix options handling on labels. GH #2492, #5614
+  * Added config.action_view.embed_authenticity_token_in_remote_forms to deal
+    with regression from 16ee611fa
+  * Set rendered_format when doing render :inline. GH #5632
+  * Fix the redirect when it receives blocks with arity of 1. Closes #5677
+  * Strip [nil] from parameters hash. Thanks to Ben Murphy for
+    reporting this! CVE-2012-2660
+
+-------------------------------------------------------------------
+Mon May 14 12:17:06 UTC 2012 - coolo@suse.com
+
+- add generic provides
+
+-------------------------------------------------------------------
+Mon Apr 23 09:03:39 UTC 2012 - saschpe@suse.de
+
+- Fix dependencies, (build)require actionpack-3_2, rack-cache-1_2
+  and activesupport-3_2 directly (instead of unversioned packages)
+
+-------------------------------------------------------------------
+Wed Apr 4 15:31:30 UTC 2012 - coolo@suse.com
+
+- update to 3.2.3
+  * Remove the leading \n added by textarea on assert_select. *Santiago Pastorino*
+  * Fix #5632, render :inline set the proper rendered format. *Santiago Pastorino*
+  * Fix textarea rendering when using plugins like HAML. Such plugins encode the first newline character in the content. This issue was introduced in https://github.com/rails/rails/pull/5191 *James Coleman*
+  * Add `config.action_view.embed_authenticity_token_in_remote_forms` (defaults to true) which allows setting whether the authenticity token will be included by default in remote forms. If you change it to false, you can still force the authenticity token by passing `:authenticity_token => true` in form options *Piotr Sarnacki*
+  * Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value *DHH*
+  * Turn off verbose mode of rack-cache, we still have X-Rack-Cache to
+    check that info. Closes #5245. *Santiago Pastorino*
+  * Fix #5238, rendered_format is not set when template is not rendered. *Piotr Sarnacki*
+  * Upgrade rack-cache to 1.2. *José Valim*
+  * ActionController::SessionManagement is deprecated. *Santiago Pastorino*
+  * Since the router holds references to many parts of the system like engines, controllers and the application itself, inspecting the route set can actually be really slow, therefore we default alias inspect to to_s. *José Valim*
+  * Add a new line after the textarea opening tag. Closes #393 *Rafael Mendonça França*
+  * Always pass a respond block to the responder. We should let the responder decide what to do with the given overridden response block, and not short circuit it. *sikachu*
+  * Fixes layout rendering regression from 3.2.2. *José Valim*
+
+  ## Rails 3.2.2 (March 1, 2012) ##
+  * Format lookup for partials is derived from the format in which the template is being rendered. Closes #5025 part 2 *Santiago Pastorino*
+  * Use the right format when a partial is missing. Closes #5025. *Santiago Pastorino*
+  * Default responder will now always use your overridden block in `respond_with` to render your response. *Prem Sichanugrist*
+  * check_box helper with :disabled => true will generate a disabled hidden field to conform with the HTML convention where disabled fields are not submitted with the form.
+    This is a behavior change, previously the hidden tag had a value of the disabled checkbox.
+    *Tadas Tamosauskas*
+
+-------------------------------------------------------------------
+Fri Mar 23 10:43:18 UTC 2012 - saschpe@suse.de
+
+- Spec file cleanup:
++++ 15 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.rubygem-actionpack-3_2.2589.new/rubygem-actionpack-3_2.changes

New:
----
  CVE-2013-4389.patch
  CVE-2013-4491.patch
  CVE-2013-6414.patch
  CVE-2013-6415.patch
  CVE-2013-6417.patch
  CVE-2014-0081.patch
  CVE-2014-0082.patch
  actionpack-3.2.13.gem
  rubygem-actionpack-3_2.changes
  rubygem-actionpack-3_2.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-3_2.spec ++++++
#
# spec file for package rubygem-actionpack-3_2
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           rubygem-actionpack-3_2
Version:        3.2.13
Release:        0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  ruby-macros >= 1
Requires:       ruby >= 1.8.7
BuildRequires:  ruby-devel >= 1.8.7
Url:            http://www.rubyonrails.org
Source:         http://rubygems.org/gems/%{mod_full_name}.gem
Source1:        CVE-2013-4491.patch
Source2:        CVE-2013-6414.patch
Source3:        CVE-2013-6415.patch
Source4:        CVE-2013-6417.patch
Source5:        CVE-2013-4389.patch
Source6:        CVE-2014-0081.patch
Source7:        CVE-2014-0082.patch
Summary:        Web-flow and rendering framework putting the VC in MVC (part of
License:        MIT
Group:          Development/Languages/Ruby

%description
Web apps on Rails. Simple, battle-tested conventions for building and testing
MVC web applications. Works with any Rack-compatible server.

%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%prep
gem unpack --verbose %{S:0}
pushd %{mod_full_name}
chmod -R go-w .
gem spec --ruby %{S:0} > %{mod_full_name}.gemspec
patch -p2 < %{S:1}
patch -p2 < %{S:2}
patch -p2 < %{S:3}
patch -p2 < %{S:4}
patch -p2 < %{S:5}
patch -p2 < %{S:6}
patch -p2 < %{S:7}
gem build %{mod_full_name}.gemspec
popd

%build

%install
%gem_install -f

%files
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec

%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/

%changelog
++++++ CVE-2013-4389.patch ++++++
diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb
index 8d813a8..57ce27c 100644
--- a/actionpack/lib/action_controller/log_subscriber.rb +++ b/actionpack/lib/action_controller/log_subscriber.rb @@ -23,7 +23,7 @@ exception_class_name = payload[:exception].first status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name) end - message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in %.0fms" % event.duration + message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}" message << " (#{additions.join(" | ")})" unless additions.blank? info(message) @@ -34,9 +34,7 @@ end def send_file(event) - message = "Sent file %s" - message << " (%.1fms)" - info(message % [event.payload[:path], event.duration]) + info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})") end def redirect_to(event) @@ -44,7 +42,7 @@ end def send_data(event) - info("Sent data %s (%.1fms)" % [event.payload[:filename], event.duration]) + info("Sent data #{event.payload[:filename]} (#{format_duration(event.duration)})") end %w(write_fragment read_fragment exist_fragment? @@ -53,7 +51,8 @@ def #{method}(event) key_or_path = event.payload[:key] || event.payload[:path] human_name = #{method.to_s.humanize.inspect} - info("\#{human_name} \#{key_or_path} \#{"(%.1fms)" % event.duration}") + duration = format_duration(event.duration) + info("\#{human_name} \#{key_or_path} \#{duration}") end METHOD end ++++++ CVE-2013-4491.patch ++++++ diff --git a/actionpack/lib/action_view/helpers/translation_helper.rb b/actionpack/lib/action_view/helpers/translation_helper.rb index cc74eff..6ef652d 100644 --- a/actionpack/lib/action_view/helpers/translation_helper.rb +++ b/actionpack/lib/action_view/helpers/translation_helper.rb 
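Review bot: in CVE-2013-4389.patch (log_subscriber.rb), `format_duration` is called in all four hunks (the "Completed" line, `send_file`, `send_data` and the generated fragment-cache methods) but no hunk defines it and the surrounding context shows no existing definition; if the helper is not already present in the 3.2.13 tree this is applied to, every request log line raises NoMethodError and the DoS fix becomes an outage. Either add the private helper in the same class, something like `def format_duration(duration) "%.1fms" % duration end` (a format string is fine there because `duration` is a Float, not request data), or confirm the backport it was lifted from already carries it. The `@@ -23,7` hunk also changes the "Completed" line from `%.0f` to whatever precision the helper picks; say so in the changelog in case log parsers key on it.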
@@ -1,24 +1,14 @@ require 'action_view/helpers/tag_helper' require 'i18n/exceptions' -module I18n - class ExceptionHandler - include Module.new { - def call(exception, locale, key, options) - exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super - end - } - end -end - module ActionView # = Action View Translation Helpers module Helpers module TranslationHelper # Delegates to <tt>I18n#translate</tt> but also performs three additional functions. # - # First, it'll pass the <tt>:rescue_format => :html</tt> option to I18n so that any - # thrown +MissingTranslation+ messages will be turned into inline spans that + # First, it will ensure that any thrown +MissingTranslation+ messages will be turned + # into inline spans that: # # * have a "translation-missing" class set, # * contain the missing key as a title attribute and @@ -44,7 +34,9 @@ module ActionView # naming convention helps to identify translations that include HTML tags so that # you know what kind of output to expect when you call translate in a template. def translate(key, options = {}) - options.merge!(:rescue_format => :html) unless options.key?(:rescue_format) + # If the user has specified rescue_format then pass it all through, otherwise use + # raise and do the work ourselves + options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format) if html_safe_translation_key?(key) html_safe_options = options.dup options.except(*I18n::RESERVED_KEYS).each do |name, value| @@ -58,6 +50,9 @@ module ActionView else I18n.translate(scope_key_by_partial(key), options) end + rescue I18n::MissingTranslationData => e + keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope]) + content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}") end alias :t :translate ++++++ CVE-2013-6414.patch ++++++ 
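Review bot: in CVE-2013-4491.patch (translation_helper.rb), the doc comment rewritten in the first hunk still promises a "translation-missing" class while the new `rescue I18n::MissingTranslationData` branch in the second hunk emits `:class => 'translation_missing'` (underscore); make the comment match the code, since stylesheets written against this markup depend on the name the code emits. The `content_tag` call is the actual fix: the titleized key and the "translation missing: ..." title go in as content and attribute and are escaped, instead of the removed `I18n::ExceptionHandler` monkey patch marking the handler's output html_safe. Two things worth a test: the rescue only fires because `:raise => true` is forced, so a caller who passes `:rescue_format` explicitly now gets I18n's own output with no html_safe wrapping (intended, but a behaviour change for that caller), and `e.options[:scope]` is passed to `I18n.normalize_keys` unguarded, so check that the bundled i18n accepts a nil scope there.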
diff --git a/actionpack/lib/action_view/lookup_context.rb b/actionpack/lib/action_view/lookup_context.rb index 9f617a9..9331d13 100644 --- a/actionpack/lib/action_view/lookup_context.rb +++ b/actionpack/lib/action_view/lookup_context.rb @@ -56,6 +56,13 @@ module ActionView @details_keys = Hash.new def self.get(details) + if details[:formats] + details = details.dup + syms = Set.new Mime::SET.symbols + details[:formats] = details[:formats].select { |v| + syms.include? v + } + end @details_keys[details] ||= new end ++++++ CVE-2013-6415.patch ++++++ diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb index ad86d13..eee9e59 100644 --- a/actionpack/lib/action_view/helpers/number_helper.rb +++ b/actionpack/lib/action_view/helpers/number_helper.rb @@ -156,7 +156,7 @@ begin value = number_with_precision(number, options.merge(:raise => true)) - format.gsub(/%n/, value).gsub(/%u/, unit).html_safe + format.gsub(/%n/, ERB::Util.html_escape(value)).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe rescue InvalidNumberError => e if options[:raise] raise ++++++ CVE-2013-6417.patch ++++++ diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index 3115573..0f92b82 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb 
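Review bot: in CVE-2013-6414.patch (lookup_context.rb), the cache `@details_keys[details] ||= new` is keyed on the whole details hash, but the new guard only allow-lists `:formats` against `Mime::SET.symbols`; any other component an application derives from the request without validation (`:locale` set from a parameter is the usual case) remains an unbounded key space, and a comment in the hunk should say the filter covers formats only. `Set.new Mime::SET.symbols` is rebuilt on every call; caching it is tempting but would have to be invalidated whenever `Mime::Type.register` adds a format, so the per-call build is the safer choice unless that is handled. The `dup` is deliberate and should stay: the caller's hash is not mutated, and `select` assigns a fresh array on the copy.

Review bot: in CVE-2013-6415.patch (number_helper.rb), escaping `value` and `unit` before the `gsub` is right, and `:delimiter`/`:separator` are covered too because they reach `value` through `number_with_precision`; `format` itself, however, still goes into the `.html_safe` result verbatim, so a caller-supplied `:format` is injected raw at this point. That is what the CVE-2014-0081.patch hunks further down close by escaping the option up front. Since both patches edit the same function a few lines apart, confirm in %prep that CVE-2014-0081.patch still applies without fuzz after CVE-2013-6415.patch.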
@@ -228,13 +228,13 @@ # Override Rack's GET method to support indifferent access def GET - @env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {}) + @env["action_dispatch.request.query_parameters"] ||= deep_munge(normalize_parameters(super) || {}) end alias :query_parameters :GET # Override Rack's POST method to support indifferent access def POST - @env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {}) + @env["action_dispatch.request.request_parameters"] ||= deep_munge(normalize_parameters(super) || {}) end alias :request_parameters :POST ++++++ CVE-2014-0081.patch ++++++ diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb index 2e04ff4..8ebd7e2 100644 --- a/actionpack/lib/action_view/helpers/number_helper.rb +++ b/actionpack/lib/action_view/helpers/number_helper.rb @@ -138,12 +138,18 @@ options.symbolize_keys! + options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] + options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] + options[:format] = ERB::Util.html_escape(options[:format]) if options[:format] + options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format] + defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {}) currency = I18n.translate(:'number.currency.format', :locale => options[:locale], :default => {}) currency[:negative_format] ||= "-" + currency[:format] if currency[:format] defaults = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency) defaults[:negative_format] = "-" + options[:format] if options[:format] + options = defaults.merge!(options) unit = options.delete(:unit) 
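Review bot: in CVE-2013-6417.patch (request.rb), `deep_munge` is not defined by this patch, so both hunks rely on the private helper that 3.2.11 introduced for CVE-2013-0155 (the 3.2.11 entry in the changelog above lists that fix); verify it exists in the unpacked 3.2.13 tree before this is built, because a missing method here fails every GET and POST. The scope matches the "incomplete fix" wording in the changelog: the 3.2.11 munge ran only for JSON and XML posts, and these hunks put it in front of the query-string and form-body parameters as well. Add a request test that `?ids[]=` no longer reaches the controller as `[nil]`, the shape that turns `where(:id => params[:ids])` into an `IS NULL` query.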
@@ -206,6 +212,9 @@ options.symbolize_keys! + options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] + options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] + defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {}) percentage = I18n.translate(:'number.percentage.format', :locale => options[:locale], :default => {}) defaults = defaults.merge(percentage) @@ -255,6 +264,9 @@ def number_with_delimiter(number, options = {}) options.symbolize_keys! + options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] + options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] + begin Float(number) rescue ArgumentError, TypeError @@ -578,7 +590,7 @@ units = options.delete :units unit_exponents = case units when Hash - units + units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }] when String, Symbol I18n.translate(:"#{units}", :locale => options[:locale], :raise => true) when nil ++++++ CVE-2014-0082.patch ++++++ diff --git a/actionpack/lib/action_view/template/text.rb b/actionpack/lib/action_view/template/text.rb index 4261c3b..d90e43b 100644 --- a/actionpack/lib/action_view/template/text.rb +++ b/actionpack/lib/action_view/template/text.rb @@ -23,7 +23,7 @@ module ActionView #:nodoc: end def formats - [@mime_type.to_sym] + [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s] end end end -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
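Review bot: in CVE-2014-0081.patch, first hunk (number_to_currency), the four option values are escaped before they are used to build the number, so a caller-supplied `:separator => '<'` now appears in the output as `&lt;`; that is the intended behaviour but it changes what `number_with_precision` receives, and the `if options[:delimiter]` guards leave an explicit empty string alone, which is harmless since it escapes to itself. Only caller options are escaped; the I18n `defaults` and `currency` values merged on the following lines stay trusted, and a comment should say so. Add one test per helper (currency, percentage, `number_with_delimiter`, and `number_to_human` with a Hash of units, which the last hunk handles) asserting the escaped form, plus a regression test that the locale-driven defaults path is byte-for-byte unchanged.

Review bot: in CVE-2014-0082.patch (template/text.rb), replacing `@mime_type.to_sym` with `ref` when available and `to_s` otherwise stops `render :text` from interning an attacker-chosen format string as a Symbol, which on the Ruby versions this spec allows (`ruby >= 1.8.7`, no symbol collection) is unbounded memory growth. Note the interaction with CVE-2013-6414.patch above: a String element returned here is not in `Mime::SET.symbols`, so the lookup-context filter drops it instead of caching a details key for it. A test that renders `:text` with an unregistered format and asserts both that `Symbol.all_symbols.size` does not grow and that `@details_keys` does not grow would pin both fixes together.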
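The number-helper XSS that CVE-2013-6415 and CVE-2014-0081 close, as an added example that is not part of this commit or of Rails: a hypothetical reduction of `number_to_currency` in which caller options flow into a format string that the helper then treats as safe markup, shown beside the escaped form. `DEFAULTS`, `format_number`, `currency_unsafe` and `currency_safe` are names invented here, and Rails' `html_safe` wrapper is left out because plain Ruby only needs `ERB::Util.html_escape` to show where the escaping has to happen.

```ruby
require 'erb'   # ERB::Util.html_escape is stdlib; Rails' html_safe wrapper is omitted here

# Hypothetical reduction of number_to_currency (not Rails code): caller options are
# substituted into an HTML-bearing format string that Rails then marks html_safe.
# The defaults stand in for the I18n data that Rails keeps trusting.
DEFAULTS = { :unit => '$', :separator => '.', :delimiter => ',',
             :format => '%u%n', :precision => 2 }.freeze

# Build the numeric part the way number_with_precision/number_with_delimiter do:
# fixed precision, thousands groups joined by :delimiter, fraction joined by :separator.
def format_number(number, opts)
  int, frac = ("%.#{opts[:precision]}f" % number.abs).split('.')
  groups = int.reverse.scan(/\d{1,3}/).map(&:reverse).reverse
  body = groups.join(opts[:delimiter])
  body += opts[:separator] + frac if frac
  (number < 0 ? '-' : '') + body
end

# Before CVE-2013-6415/CVE-2014-0081: every option string is inserted verbatim and the
# result is declared safe, so a request-derived :delimiter or :format is an XSS sink.
def currency_unsafe(number, options = {})
  opts = DEFAULTS.merge(options)
  opts[:format].gsub(/%n/, format_number(number, opts)).gsub(/%u/, opts[:unit])
end

# After: every caller-supplied string option is escaped before it is used, so whatever
# lands in the output is entity-encoded and the result is safe to mark html_safe.
# (The 0081 hunks escape :delimiter/:separator/:format/:negative_format up front; the
# 6415 hunk escapes the unit and the formatted value at substitution time.)
def currency_safe(number, options = {})
  opts = DEFAULTS.merge(options)
  [:unit, :separator, :delimiter, :format].each do |key|
    opts[key] = ERB::Util.html_escape(opts[key]) if options.key?(key)
  end
  opts[:format].gsub(/%n/, format_number(number, opts)).gsub(/%u/, opts[:unit])
end
```

Run it with a delimiter such as `'<b>'` or a format such as `'<i>%u%n</i>'` to see the difference: the unsafe form returns live tags, the safe form returns `&lt;b&gt;` and `&lt;i&gt;` in the same positions. Defaults are never escaped, mirroring the trust Rails places in locale files.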
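The cache-growth DoS behind CVE-2013-6414 and the symbol-interning one behind CVE-2014-0082, as an added example that is not from this commit or from Rails: a toy `DetailsCache` keyed on a details hash, with the unfiltered and allow-listed strategies side by side, and a `format_from_request` that keeps unknown formats as Strings the way the text.rb hunk does. `KNOWN_FORMATS` stands in for `Mime::SET.symbols`; every name here is an assumption.

```ruby
require 'set'

# Assumed registry standing in for Mime::SET.symbols (not Rails' own list).
KNOWN_FORMATS = Set.new([:html, :text, :js, :json, :xml]).freeze

# Stand-in for LookupContext::DetailsKey.get: one cached key object per distinct details
# hash, memoised forever, so anything attacker-chosen inside the hash is a memory leak.
class DetailsCache
  attr_reader :store

  def initialize(filter)
    @filter = filter   # lambda applied to the details hash before it is used as a key
    @store = {}
  end

  def get(details)
    details = @filter.call(details)
    @store[details] ||= Object.new
  end
end

# Before CVE-2013-6414: the details hash is used exactly as the request produced it.
UNFILTERED = lambda { |details| details }

# After CVE-2013-6414: drop any format that is not a registered symbol, working on a
# copy so the caller's hash is not mutated. Mirrors the lookup_context.rb hunk.
FILTERED = lambda do |details|
  return details unless details[:formats]
  details = details.dup
  details[:formats] = details[:formats].select { |f| KNOWN_FORMATS.include?(f) }
  details
end

# Mirrors the CVE-2014-0082 hunk: a registered type yields its Symbol, anything else is
# left as the String it arrived as. The pre-patch `to_sym` interned every request value,
# and symbols are never collected on the Ruby versions this package supports.
def format_from_request(str)
  KNOWN_FORMATS.find { |sym| sym.to_s == str } || str
end

# Simulate n requests whose format parameter is attacker-chosen garbage and return how
# many cache entries the given strategy ends up holding.
def entries_after(filter, n)
  cache = DetailsCache.new(filter)
  n.times do |i|
    formats = ["junk-#{i}", 'html'].map { |f| format_from_request(f) }
    cache.get(:locale => [:en], :formats => formats, :handlers => [:erb])
  end
  cache.store.size
end
```

`entries_after(UNFILTERED, n)` grows linearly with the number of distinct garbage formats, `entries_after(FILTERED, n)` stays at one entry. The allow-list only covers `:formats`; a `:locale` taken from the request without validation would grow the same cache the same way.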
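The log-subscriber DoS class named in the CVE-2013-4389 changelog entry, as an added example that is not part of this commit or of Rails: an Action Mailer style "Sent mail to" line built the unsafe way (untrusted text inside the format string) beside two safe forms, plus a probe helper. The function names and sample addresses are invented here.

```ruby
# Log-line construction modelled on the pattern behind CVE-2013-4389 (the changelog's
# "DoS vulnerability in the log subscriber"); hypothetical reduction, not Rails code.

# Vulnerable: request-derived text is interpolated into the *format string* and only
# then is `%` applied, so any '%' in the text is parsed as a directive.
# "100%legit@example.com" yields "%l", a malformed directive, and String#% raises
# ArgumentError on every request that logs this address.
def log_line_unsafe(recipient, duration_ms)
  "Sent mail to #{recipient} (%.1fms)" % duration_ms
end

# Safe: nothing untrusted is ever part of a format string. Everything is interpolated;
# the only formatting needed is rounding a Float, which needs no format string at all.
def log_line_safe(recipient, duration_ms)
  "Sent mail to #{recipient} (#{duration_ms.round(1)}ms)"
end

# Also safe: when a format string is wanted, untrusted text goes in only as a %s
# argument. The format string is then a literal and the recipient may contain any '%'.
def log_line_safe_fmt(recipient, duration_ms)
  "Sent mail to %s (%.1fms)" % [recipient, duration_ms]
end

# Probe a formatter with one recipient: returns the line, or :raised if the formatter
# blew up. Handy for checking any log line that receives attacker-controlled strings.
def probe(formatter, recipient, duration_ms = 12.34)
  formatter.call(recipient, duration_ms)
rescue ArgumentError
  :raised
end
```

`probe(method(:log_line_unsafe), '100%legit@example.com')` returns `:raised`; both safe forms return the line intact. The fix in the patch above follows the same rule: the only value that ever meets a `%` format is the Float duration.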