obsolete.ChilliProject/config/initializers/10-patches.rb

#-- encoding: UTF-8
#-- copyright
# ChiliProject is a project management system.
#
# Copyright (C) 2010-2012 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# See doc/COPYRIGHT.rdoc for more details.
#++

# Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message
if RUBY_VERSION >= '1.9.3'
  MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
end

require 'active_record'

module ActiveRecord
  class Base
    include Redmine::I18n

    # Translate attribute names for validation errors display
    def self.human_attribute_name(attr)
      l("field_#{attr.to_s.gsub(/_id$/, '')}")
    end
  end
end

module ActiveRecord
  class Errors
    def full_messages(options = {})
      full_messages = []

      @errors.each_key do |attr|
        @errors[attr].each do |message|
          next unless message

          if attr == "base"
            full_messages << message
          elsif attr == "custom_values"
            # Replace the generic "custom values is invalid"
            # with the errors on custom values
            @base.custom_values.each do |value|
              value.errors.each do |attr, msg|
                full_messages << value.custom_field.name + ' ' + msg
              end
            end
          else
            attr_name = @base.class.human_attribute_name(attr)
            full_messages << attr_name + ' ' + message.to_s
          end
        end
      end
      full_messages
    end
  end
end

module ActionView
  module Helpers
    module DateHelper
      # distance_of_time_in_words breaks when difference is greater than 30 years
      def distance_of_date_in_words(from_date, to_date = 0, options = {})
        from_date = from_date.to_date if from_date.respond_to?(:to_date)
        to_date = to_date.to_date if to_date.respond_to?(:to_date)
        distance_in_days = (to_date - from_date).abs

        I18n.with_options :locale => options[:locale], :scope => :'datetime.distance_in_words' do |locale|
          case distance_in_days
            when 0..60     then locale.t :x_days,             :count => distance_in_days.round
            when 61..720   then locale.t :about_x_months,     :count => (distance_in_days / 30).round
            else                locale.t :over_x_years,       :count => (distance_in_days / 365).floor
          end
        end
      end
    end
  end
end

ActionView::Base.field_error_proc = Proc.new{ |html_tag, instance| "#{html_tag}" }

# Adds :async_smtp and :async_sendmail delivery methods
# to perform email deliveries asynchronously
module AsynchronousMailer
  %w(smtp sendmail).each do |type|
    define_method("perform_delivery_async_#{type}") do |mail|
      Thread.start do
        send "perform_delivery_#{type}", mail
      end
    end
  end
end

ActionMailer::Base.send :include, AsynchronousMailer

# TMail::Unquoter.convert_to_with_fallback_on_iso_8859_1 introduced in TMail 1.2.7
# triggers a test failure in test_add_issue_with_japanese_keywords(MailHandlerTest)
module TMail
  class Unquoter
    class << self
      alias_method :convert_to, :convert_to_without_fallback_on_iso_8859_1
    end
  end
end

module ActionController
  module MimeResponds
    class Responder
      def api(&block)
        any(:xml, :json, &block)
      end
    end
  end

  # Backported fix for
  # CVE-2012-2660
  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
  #
  # CVE-2012-2694
  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
  #
  # TODO: Remove this once we are on Rails >= 3.2.6
  require 'action_controller/request'
  class Request
    protected

    # Remove nils from the params hash
    def deep_munge(hash)
      keys = hash.keys.find_all { |k| hash[k] == [nil] }
      keys.each { |k| hash[k] = nil }

      hash.each_value do |v|
        case v
        when Array
          v.grep(Hash) { |x| deep_munge(x) }
          v.compact!
        when Hash
          deep_munge(v)
        end
      end

      hash
    end

    def parse_query(qs)
      deep_munge(super)
    end
  end
end

require 'active_record/base'
module ActiveRecord
  class Base
    class << self
      # Backported fix for CVE-2012-2695
      # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59
      # TODO: Remove this once we are on Rails >= 3.2.6
      def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
        attrs = expand_hash_conditions_for_aggregates(attrs)

        conditions = attrs.map do |attr, value|
          table_name = default_table_name

          if not value.is_a?(Hash)
            attr = attr.to_s

            # Extract table name from qualified attribute names.
            if attr.include?('.') and top_level
              attr_table_name, attr = attr.split('.', 2)
              attr_table_name = connection.quote_table_name(attr_table_name)
            else
              attr_table_name = table_name
            end

            attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
          elsif top_level
            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
          else
            raise ActiveRecord::StatementInvalid
          end
        end.join(' AND ')

        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
      end
      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions

      # CVE-2012-5664
      # https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
      # TODO: remove once we are on Rails >= 3.2.10
      def method_missing(method_id, *arguments, &block)
        if match = DynamicFinderMatch.match(method_id)
          attribute_names = match.attribute_names
          super unless all_attributes_exists?(attribute_names)
          if match.finder?
            finder = match.finder
            bang = match.bang?
            # def self.find_by_login_and_activated(*args)
            #   options = args.extract_options!
            #   attributes = construct_attributes_from_arguments(
            #     [:login,:activated],
            #     args
            #   )
            #   finder_options = { :conditions => attributes }
            #   validate_find_options(options)
            #   set_readonly_option!(options)
            #
            #   if options[:conditions]
            #     with_scope(:find => finder_options) do
            #       find(:first, options)
            #     end
            #   else
            #     find(:first, options.merge(finder_options))
            #   end
            # end
            self.class_eval <<-EOS, __FILE__, __LINE__ + 1
              def self.#{method_id}(*args)
                options = if args.length > #{attribute_names.size}
                            args.extract_options!
                          else
                            {}
                          end
                attributes = construct_attributes_from_arguments(
                  [:#{attribute_names.join(',:')}],
                  args
                )
                finder_options = { :conditions => attributes }
                validate_find_options(options)
                set_readonly_option!(options)

                #{'result = ' if bang}if options[:conditions]
                  with_scope(:find => finder_options) do
                    find(:#{finder}, options)
                  end
                else
                  find(:#{finder}, options.merge(finder_options))
                end
                #{'result || raise(RecordNotFound, "Couldn\'t find #{name} with #{attributes.to_a.collect {|pair| "#{pair.first} = #{pair.second}"}.join(\', \')}")' if bang}
              end
            EOS
            send(method_id, *arguments)
          elsif match.instantiator?
            instantiator = match.instantiator
            # def self.find_or_create_by_user_id(*args)
            #   guard_protected_attributes = false
            #
            #   if args[0].is_a?(Hash)
            #     guard_protected_attributes = true
            #     attributes = args[0].with_indifferent_access
            #     find_attributes = attributes.slice(*[:user_id])
            #   else
            #     find_attributes = attributes = construct_attributes_from_arguments([:user_id], args)
            #   end
            #
            #   options = { :conditions => find_attributes }
            #   set_readonly_option!(options)
            #
            #   record = find(:first, options)
            #
            #   if record.nil?
            #     record = self.new { |r| r.send(:attributes=, attributes, guard_protected_attributes) }
            #     yield(record) if block_given?
            #     record.save
            #     record
            #   else
            #     record
            #   end
            # end
            self.class_eval <<-EOS, __FILE__, __LINE__ + 1
              def self.#{method_id}(*args)
                attributes = [:#{attribute_names.join(',:')}]
                protected_attributes_for_create, unprotected_attributes_for_create = {}, {}
                args.each_with_index do |arg, i|
                  if arg.is_a?(Hash)
                    protected_attributes_for_create = args[i].with_indifferent_access
                  else
                    unprotected_attributes_for_create[attributes[i]] = args[i]
                  end
                end

                find_attributes = (protected_attributes_for_create.merge(unprotected_attributes_for_create)).slice(*attributes)

                options = { :conditions => find_attributes }
                set_readonly_option!(options)

                record = find(:first, options)

                if record.nil?
                  record = self.new do |r|
                    r.send(:attributes=, protected_attributes_for_create, true) unless protected_attributes_for_create.empty?
                    r.send(:attributes=, unprotected_attributes_for_create, false) unless unprotected_attributes_for_create.empty?
                  end
                  #{'yield(record) if block_given?'}
                  #{'record.save' if instantiator == :create}
                  record
                else
                  record
                end
              end
            EOS
            send(method_id, *arguments, &block)
          end
        elsif match = DynamicScopeMatch.match(method_id)
          attribute_names = match.attribute_names
          super unless all_attributes_exists?(attribute_names)
          if match.scope?
            self.class_eval <<-EOS, __FILE__, __LINE__ + 1
              def self.#{method_id}(*args)                        # def self.scoped_by_user_name_and_password(*args)
                options = args.extract_options!                   #   options = args.extract_options!
                attributes = construct_attributes_from_arguments( #   attributes = construct_attributes_from_arguments(
                  [:#{attribute_names.join(',:')}], args          #     [:user_name, :password], args
                )                                                 #   )
                                                                  #
                scoped(:conditions => attributes)                 #   scoped(:conditions => attributes)
              end                                                 # end
            EOS
            send(method_id, *arguments)
          end
        else
          super
        end
      end
    end
  end
end

# Backported fix for CVE-2012-3465
# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
# TODO: Remove this once we are on Rails >= 3.2.8
require 'action_view/helpers/sanitize_helper'
module ActionView::Helpers::SanitizeHelper
  def strip_tags(html)
    self.class.full_sanitizer.sanitize(html)
  end
end

# Backported fix for CVE-2012-3464
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
# TODO: Remove this once we are on Rails >= 3.2.8
require 'active_support/core_ext/string/output_safety'
class ERB
  module Util
    HTML_ESCAPE["'"] = '&#39;'

    if RUBY_VERSION >= '1.9'
      # A utility method for escaping HTML tag characters.
      # This method is also aliased as <tt>h</tt>.
      #
      # In your ERB templates, use this method to escape any unsafe content. For example:
      # <%=h @person.name %>
      #
      # ==== Example:
      # puts html_escape("is a > 0 & a < 10?")
      # # => is a &gt; 0 &amp; a &lt; 10?
      def html_escape(s)
        s = s.to_s
        if s.html_safe?
          s
        else
          s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
        end
      end
    else
      def html_escape(s) #:nodoc:
        s = s.to_s
        if s.html_safe?
          s
        else
          s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
        end
      end
    end

    # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
    remove_method(:h)
    alias h html_escape

    module_function :h

    singleton_class.send(:remove_method, :html_escape)
    module_function :html_escape
  end
end
require 'action_view/helpers/tag_helper'
module ActionView::Helpers::TagHelper
  def escape_once(html)
    ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
  end
end
Set source encoding to UTF-8 2011-10-29 16:19:11 +04:00			`#-- encoding: UTF-8`
[#197] Upgrade the copyright in the code files 2011-05-30 00:11:52 +04:00			`#-- copyright`
			`# ChiliProject is a project management system.`
[#436] Remove trailing whitespace 2011-05-30 22:52:25 +04:00			`#`
Update copyright for 2012 We programmers have a nice new years tradition: We revisit all of our projects and add 1 to a small number near a "(c)". -- Volker Dusch https://twitter.com/__edorian/status/153801913442373633 2012-01-03 23:36:40 +04:00			`# Copyright (C) 2010-2012 the ChiliProject Team`
[#436] Remove trailing whitespace 2011-05-30 22:52:25 +04:00			`#`
[#197] Upgrade the copyright in the code files 2011-05-30 00:11:52 +04:00			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU General Public License`
			`# as published by the Free Software Foundation; either version 2`
			`# of the License, or (at your option) any later version.`
[#436] Remove trailing whitespace 2011-05-30 22:52:25 +04:00			`#`
[#197] Upgrade the copyright in the code files 2011-05-30 00:11:52 +04:00			`# See doc/COPYRIGHT.rdoc for more details.`
			`#++`

Patch for ruby1.9.3 compatibility. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8234 e93f8b46-1217-0410-a6f0-8f06a7374b81 2011-12-15 16:29:02 +04:00			`# Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message`
			`if RUBY_VERSION >= '1.9.3'`
Fix trailing whitespace 2012-01-03 23:43:08 +04:00			`MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]`
Patch for ruby1.9.3 compatibility. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8234 e93f8b46-1217-0410-a6f0-8f06a7374b81 2011-12-15 16:29:02 +04:00			`end`
Merged Rails 2.1 compatibility branch. git-svn-id: http://redmine.rubyforge.org/svn/trunk@1623 e93f8b46-1217-0410-a6f0-8f06a7374b81 2008-07-04 21:58:14 +04:00
Rails 2.3.5 deprecation. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3235 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-12-23 23:55:42 +03:00			`require 'active_record'`
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2493 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-02-21 14:04:50 +03:00
			`module ActiveRecord`
			`class Base`
			`include Redmine::I18n`
[#436] Remove trailing whitespace 2011-05-30 22:52:25 +04:00
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2493 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-02-21 14:04:50 +03:00			`# Translate attribute names for validation errors display`
			`def self.human_attribute_name(attr)`
			`l("field_#{attr.to_s.gsub(/_id$/, '')}")`
			`end`
			`end`
			`end`

Patch ActiveRecord::Errors#full_messages so that it contains custom values error messages. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2518 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-02-22 17:46:32 +03:00			`module ActiveRecord`
			`class Errors`
			`def full_messages(options = {})`
			`full_messages = []`

			`@errors.each_key do \|attr\|`
			`@errors[attr].each do \|message\|`
			`next unless message`

			`if attr == "base"`
			`full_messages << message`
			`elsif attr == "custom_values"`
			`# Replace the generic "custom values is invalid"`
			`# with the errors on custom values`
			`@base.custom_values.each do \|value\|`
			`value.errors.each do \|attr, msg\|`
			`full_messages << value.custom_field.name + ' ' + msg`
			`end`
			`end`
			`else`
			`attr_name = @base.class.human_attribute_name(attr)`
Upgraded to Rails 2.3.4 (#3597) * Ran the Rails upgrade * Upgraded to Rails Engines 2.3.2 * Added a plugin to let Engines override application views. * Converted tests to use the new classes: ActionController::TestCase for functional ActiveSupport::TestCase for units * Converted ActiveRecord::Error message to a string. * ActiveRecord grouping returns an ordered hash which doesn't have #sort! * Updated the I18n storage_units format. * Added some default initializers from a fresh rails app * Changed the order of check_box_tags and hidden_field_tags. The hidden tag needs to appear first in Rails 2.3, otherwise it will override any value in the check_box_tag. * Removed the custom handler for when the cookie store is tampered with. Rails 2.3 removed the TamperedWithCookie exception and instead Rails will not load the data from it when it's been tampered with (e.g. no user login). * Fixed mail layouts, 2.3 has problems with implicit multipart emails that use layouts. Also removed some custom Redmine mailer code. * Fixed a bug that occurred in tests where the "required" span tag would be added to the :field_status translation. This resulted in an email string of: <li>Status<span class="required"> </span><span class="required"> </span> Instead of: <li>Status: New</li> git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2887 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-09-13 21:14:35 +04:00			`full_messages << attr_name + ' ' + message.to_s`
Patch ActiveRecord::Errors#full_messages so that it contains custom values error messages. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2518 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-02-22 17:46:32 +03:00			`end`
			`end`
			`end`
			`full_messages`
			`end`
			`end`
			`end`

Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2493 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-02-21 14:04:50 +03:00			`module ActionView`
			`module Helpers`
			`module DateHelper`
			`# distance_of_time_in_words breaks when difference is greater than 30 years`
			`def distance_of_date_in_words(from_date, to_date = 0, options = {})`
			`from_date = from_date.to_date if from_date.respond_to?(:to_date)`
			`to_date = to_date.to_date if to_date.respond_to?(:to_date)`
			`distance_in_days = (to_date - from_date).abs`

			`I18n.with_options :locale => options[:locale], :scope => :'datetime.distance_in_words' do \|locale\|`
			`case distance_in_days`
Fixes distance of date in words calculation. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3016 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-11-07 12:50:16 +03:00			`when 0..60 then locale.t :x_days, :count => distance_in_days.round`
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2493 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-02-21 14:04:50 +03:00			`when 61..720 then locale.t :about_x_months, :count => (distance_in_days / 30).round`
Fixes distance of date in words calculation. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3016 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-11-07 12:50:16 +03:00			`else locale.t :over_x_years, :count => (distance_in_days / 365).floor`
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2493 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-02-21 14:04:50 +03:00			`end`
			`end`
			`end`
			`end`
			`end`
			`end`
Merged Rails 2.1 compatibility branch. git-svn-id: http://redmine.rubyforge.org/svn/trunk@1623 e93f8b46-1217-0410-a6f0-8f06a7374b81 2008-07-04 21:58:14 +04:00
			`ActionView::Base.field_error_proc = Proc.new{ \|html_tag, instance\| "#{html_tag}" }`
Adds :async_smtp and :async_sendmail delivery methods to perform email deliveries asynchronously. Code from http://www.datanoise.com/articles/2006/7/14/asynchronous-email-delivery. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2339 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-01-31 14:43:54 +03:00
			`# Adds :async_smtp and :async_sendmail delivery methods`
			`# to perform email deliveries asynchronously`
			`module AsynchronousMailer`
			`%w(smtp sendmail).each do \|type\|`
			`define_method("perform_delivery_async_#{type}") do \|mail\|`
			`Thread.start do`
			`send "perform_delivery_#{type}", mail`
[#436] Remove trailing whitespace 2011-05-30 22:52:25 +04:00			`end`
Adds :async_smtp and :async_sendmail delivery methods to perform email deliveries asynchronously. Code from http://www.datanoise.com/articles/2006/7/14/asynchronous-email-delivery. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2339 e93f8b46-1217-0410-a6f0-8f06a7374b81 2009-01-31 14:43:54 +03:00			`end`
			`end`
			`end`

			`ActionMailer::Base.send :include, AsynchronousMailer`
Workaround for i18n 0.4.x with the old style syntax. #6428 #5608 This will also silance the whole trace with the deprecation warning. Contributed by Felix Schäfer git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4183 e93f8b46-1217-0410-a6f0-8f06a7374b81 2010-09-26 21:13:52 +04:00
Updgraded Rails to 2.3.11 (#6887). git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4904 e93f8b46-1217-0410-a6f0-8f06a7374b81 2011-02-21 14:02:18 +03:00			`# TMail::Unquoter.convert_to_with_fallback_on_iso_8859_1 introduced in TMail 1.2.7`
			`# triggers a test failure in test_add_issue_with_japanese_keywords(MailHandlerTest)`
			`module TMail`
			`class Unquoter`
			`class << self`
			`alias_method :convert_to, :convert_to_without_fallback_on_iso_8859_1`
Workaround for i18n 0.4.x with the old style syntax. #6428 #5608 This will also silance the whole trace with the deprecation warning. Contributed by Felix Schäfer git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4183 e93f8b46-1217-0410-a6f0-8f06a7374b81 2010-09-26 21:13:52 +04:00			`end`
			`end`
			`end`
Dry Users API responders. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4454 e93f8b46-1217-0410-a6f0-8f06a7374b81 2010-12-03 14:45:55 +03:00
			`module ActionController`
			`module MimeResponds`
			`class Responder`
			`def api(&block)`
			`any(:xml, :json, &block)`
			`end`
			`end`
			`end`
[#1025] Fix Rails vulnerability (CVE-2012-2660) 2012-06-01 22:56:09 +04:00
Fix SQL injection via nested hashes in conditions (CVE-2012-2694) #1036 2012-06-13 11:29:39 +04:00			`# Backported fix for`
			`# CVE-2012-2660`
[#1025] Fix Rails vulnerability (CVE-2012-2660) 2012-06-01 22:56:09 +04:00			`# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f`
Fix SQL injection via nested hashes in conditions (CVE-2012-2694) #1036 2012-06-13 11:29:39 +04:00			`#`
			`# CVE-2012-2694`
			`# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e`
			`#`
			`# TODO: Remove this once we are on Rails >= 3.2.6`
[#1025] Fix Rails vulnerability (CVE-2012-2660) 2012-06-01 22:56:09 +04:00			`require 'action_controller/request'`
			`class Request`
			`protected`

			`# Remove nils from the params hash`
			`def deep_munge(hash)`
Fix SQL injection via nested hashes in conditions (CVE-2012-2694) #1036 2012-06-13 11:29:39 +04:00			`keys = hash.keys.find_all { \|k\| hash[k] == [nil] }`
			`keys.each { \|k\| hash[k] = nil }`

[#1025] Fix Rails vulnerability (CVE-2012-2660) 2012-06-01 22:56:09 +04:00			`hash.each_value do \|v\|`
			`case v`
			`when Array`
			`v.grep(Hash) { \|x\| deep_munge(x) }`
Fix SQL injection via nested hashes in conditions (CVE-2012-2694) #1036 2012-06-13 11:29:39 +04:00			`v.compact!`
[#1025] Fix Rails vulnerability (CVE-2012-2660) 2012-06-01 22:56:09 +04:00			`when Hash`
			`deep_munge(v)`
			`end`
			`end`

			`hash`
			`end`

			`def parse_query(qs)`
			`deep_munge(super)`
			`end`
			`end`
Dry Users API responders. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4454 e93f8b46-1217-0410-a6f0-8f06a7374b81 2010-12-03 14:45:55 +03:00			`end`
Fix SQL injection via nested hashes in conditions. CVE-2012-2695 #1037 2012-06-13 12:12:10 +04:00
			`require 'active_record/base'`
			`module ActiveRecord`
			`class Base`
			`class << self`
SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) #1195 2013-01-06 23:10:27 +04:00			`# Backported fix for CVE-2012-2695`
			`# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59`
			`# TODO: Remove this once we are on Rails >= 3.2.6`
Fix SQL injection via nested hashes in conditions. CVE-2012-2695 #1037 2012-06-13 12:12:10 +04:00			`def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)`
			`attrs = expand_hash_conditions_for_aggregates(attrs)`

			`conditions = attrs.map do \|attr, value\|`
			`table_name = default_table_name`

			`if not value.is_a?(Hash)`
			`attr = attr.to_s`

			`# Extract table name from qualified attribute names.`
			`if attr.include?('.') and top_level`
			`attr_table_name, attr = attr.split('.', 2)`
			`attr_table_name = connection.quote_table_name(attr_table_name)`
			`else`
			`attr_table_name = table_name`
			`end`

			`attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)`
			`elsif top_level`
			`sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)`
			`else`
			`raise ActiveRecord::StatementInvalid`
			`end`
			`end.join(' AND ')`

			`replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))`
			`end`
			`alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions`
SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) #1195 2013-01-06 23:10:27 +04:00
			`# CVE-2012-5664`
			`# https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM`
			`# TODO: remove once we are on Rails >= 3.2.10`
			`def method_missing(method_id, *arguments, &block)`
			`if match = DynamicFinderMatch.match(method_id)`
			`attribute_names = match.attribute_names`
			`super unless all_attributes_exists?(attribute_names)`
			`if match.finder?`
			`finder = match.finder`
			`bang = match.bang?`
			`# def self.find_by_login_and_activated(*args)`
			`# options = args.extract_options!`
			`# attributes = construct_attributes_from_arguments(`
			`# [:login,:activated],`
			`# args`
			`# )`
			`# finder_options = { :conditions => attributes }`
			`# validate_find_options(options)`
			`# set_readonly_option!(options)`
			`#`
			`# if options[:conditions]`
			`# with_scope(:find => finder_options) do`
			`# find(:first, options)`
			`# end`
			`# else`
			`# find(:first, options.merge(finder_options))`
			`# end`
			`# end`
			`self.class_eval <<-EOS, __FILE__, __LINE__ + 1`
			`def self.#{method_id}(*args)`
			`options = if args.length > #{attribute_names.size}`
			`args.extract_options!`
			`else`
			`{}`
			`end`
			`attributes = construct_attributes_from_arguments(`
			`[:#{attribute_names.join(',:')}],`
			`args`
			`)`
			`finder_options = { :conditions => attributes }`
			`validate_find_options(options)`
			`set_readonly_option!(options)`

			`#{'result = ' if bang}if options[:conditions]`
			`with_scope(:find => finder_options) do`
			`find(:#{finder}, options)`
			`end`
			`else`
			`find(:#{finder}, options.merge(finder_options))`
			`end`
			`#{'result \|\| raise(RecordNotFound, "Couldn\'t find #{name} with #{attributes.to_a.collect {\|pair\| "#{pair.first} = #{pair.second}"}.join(\', \')}")' if bang}`
			`end`
			`EOS`
			`send(method_id, *arguments)`
			`elsif match.instantiator?`
			`instantiator = match.instantiator`
			`# def self.find_or_create_by_user_id(*args)`
			`# guard_protected_attributes = false`
			`#`
			`# if args[0].is_a?(Hash)`
			`# guard_protected_attributes = true`
			`# attributes = args[0].with_indifferent_access`
			`# find_attributes = attributes.slice(*[:user_id])`
			`# else`
			`# find_attributes = attributes = construct_attributes_from_arguments([:user_id], args)`
			`# end`
			`#`
			`# options = { :conditions => find_attributes }`
			`# set_readonly_option!(options)`
			`#`
			`# record = find(:first, options)`
			`#`
			`# if record.nil?`
			`# record = self.new { \|r\| r.send(:attributes=, attributes, guard_protected_attributes) }`
			`# yield(record) if block_given?`
			`# record.save`
			`# record`
			`# else`
			`# record`
			`# end`
			`# end`
			`self.class_eval <<-EOS, __FILE__, __LINE__ + 1`
			`def self.#{method_id}(*args)`
			`attributes = [:#{attribute_names.join(',:')}]`
			`protected_attributes_for_create, unprotected_attributes_for_create = {}, {}`
			`args.each_with_index do \|arg, i\|`
			`if arg.is_a?(Hash)`
			`protected_attributes_for_create = args[i].with_indifferent_access`
			`else`
			`unprotected_attributes_for_create[attributes[i]] = args[i]`
			`end`
			`end`

			`find_attributes = (protected_attributes_for_create.merge(unprotected_attributes_for_create)).slice(*attributes)`

			`options = { :conditions => find_attributes }`
			`set_readonly_option!(options)`

			`record = find(:first, options)`

			`if record.nil?`
			`record = self.new do \|r\|`
			`r.send(:attributes=, protected_attributes_for_create, true) unless protected_attributes_for_create.empty?`
			`r.send(:attributes=, unprotected_attributes_for_create, false) unless unprotected_attributes_for_create.empty?`
			`end`
			`#{'yield(record) if block_given?'}`
			`#{'record.save' if instantiator == :create}`
			`record`
			`else`
			`record`
			`end`
			`end`
			`EOS`
			`send(method_id, *arguments, &block)`
			`end`
			`elsif match = DynamicScopeMatch.match(method_id)`
			`attribute_names = match.attribute_names`
			`super unless all_attributes_exists?(attribute_names)`
			`if match.scope?`
			`self.class_eval <<-EOS, __FILE__, __LINE__ + 1`
			`def self.#{method_id}(args) # def self.scoped_by_user_name_and_password(args)`
			`options = args.extract_options! # options = args.extract_options!`
			`attributes = construct_attributes_from_arguments( # attributes = construct_attributes_from_arguments(`
			`[:#{attribute_names.join(',:')}], args # [:user_name, :password], args`
			`) # )`
			`#`
			`scoped(:conditions => attributes) # scoped(:conditions => attributes)`
			`end # end`
			`EOS`
			`send(method_id, *arguments)`
			`end`
			`else`
			`super`
			`end`
			`end`
Fix SQL injection via nested hashes in conditions. CVE-2012-2695 #1037 2012-06-13 12:12:10 +04:00			`end`
			`end`
			`end`
Fix XSS vulnerabilities in Rails (CVE-2012-3464, CVE-2012-3465) #1113 #1114 2013-01-06 23:15:05 +04:00
			`# Backported fix for CVE-2012-3465`
			`# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J`
			`# TODO: Remove this once we are on Rails >= 3.2.8`
			`require 'action_view/helpers/sanitize_helper'`
			`module ActionView::Helpers::SanitizeHelper`
			`def strip_tags(html)`
			`self.class.full_sanitizer.sanitize(html)`
			`end`
			`end`

			`# Backported fix for CVE-2012-3464`
			`# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J`
			`# TODO: Remove this once we are on Rails >= 3.2.8`
			`require 'active_support/core_ext/string/output_safety'`
			`class ERB`
			`module Util`
			`HTML_ESCAPE["'"] = '''`

			`if RUBY_VERSION >= '1.9'`
			`# A utility method for escaping HTML tag characters.`
			`# This method is also aliased as <tt>h</tt>.`
			`#`
			`# In your ERB templates, use this method to escape any unsafe content. For example:`
			`# <%=h @person.name %>`
			`#`
			`# ==== Example:`
			`# puts html_escape("is a > 0 & a < 10?")`
			`# # => is a > 0 & a < 10?`
			`def html_escape(s)`
			`s = s.to_s`
			`if s.html_safe?`
			`s`
			`else`
			`s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe`
			`end`
			`end`
			`else`
			`def html_escape(s) #:nodoc:`
			`s = s.to_s`
			`if s.html_safe?`
			`s`
			`else`
			`s.gsub(/[&"'><]/n) { \|special\| HTML_ESCAPE[special] }.html_safe`
			`end`
			`end`
			`end`

			`# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.`
			`remove_method(:h)`
			`alias h html_escape`

			`module_function :h`

			`singleton_class.send(:remove_method, :html_escape)`
			`module_function :html_escape`
			`end`
			`end`
			`require 'action_view/helpers/tag_helper'`
			`module ActionView::Helpers::TagHelper`
			`def escape_once(html)`
			`ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]\|&(?!([a-zA-Z]+\|(#\d+));)/) { \|special\| ERB::Util::HTML_ESCAPE[special] }`
			`end`
			`end`