Merge branch 'release-v3.6.0' into stable

2013-01-29 22:37:23 +01:00 · 2013-01-29 22:37:23 +01:00 · 3f9007b909
parent 2854524ba9 6bef9c26ab
commit 3f9007b909
6 changed files with 11 additions and 95 deletions
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 source :rubygems

-gem "rails", "2.3.15"
+gem "rails", "2.3.16"

 gem "coderay", "~> 1.0.0"
 gem "i18n", "~> 0.4.2"
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -403,6 +403,8 @@ class User < Principal
    when 'only_my_events'
      if object.is_a?(Issue) && (object.author == self || object.assigned_to == self)
        true
+      elsif object.respond_to?(:watched_by?) && object.watched_by?(self) # Make it clear that we always want to be notified about things we watch in this case
+        true
      else
        false
      end
--- a/config/environment.rb
+++ b/config/environment.rb
@ -22,7 +22,7 @@
 ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']

 # Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION
+RAILS_GEM_VERSION = '2.3.16' unless defined? RAILS_GEM_VERSION

 # this is replaced by config.encoding = "utf-8" in rails3
 if RUBY_VERSION >= '1.9'
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@ -12,11 +12,6 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++

-# Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message
-if RUBY_VERSION >= '1.9.3'
-  MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
-end
-
 require 'active_record'

 module ActiveRecord
@ -162,92 +157,6 @@ module ActionController
      end
    end
  end
-
-  # Backported fix for
-  # CVE-2012-2660
-  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
-  #
-  # CVE-2012-2694
-  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
-  #
-  # TODO: Remove this once we are on Rails >= 3.2.6
-  require 'action_controller/request'
-  class Request
-    protected
-
-    # Remove nils from the params hash
-    def deep_munge(hash)
-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
-      keys.each { |k| hash[k] = nil }
-
-      hash.each_value do |v|
-        case v
-        when Array
-          v.grep(Hash) { |x| deep_munge(x) }
-          v.compact!
-        when Hash
-          deep_munge(v)
-        end
-      end
-
-      hash
-    end
-
-    def parse_query(qs)
-      deep_munge(super)
-    end
-  end
-end
-
-# Fix for CVE-2013-0155
-# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
-# TODO: Remove this once we are on Rails >= 3.2.11
-module ActiveRecord
-  class Base
-    class << self
-    protected
-      def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
-        attrs = expand_hash_conditions_for_aggregates(attrs)
-
-        return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
-
-        conditions = attrs.map do |attr, value|
-          table_name = default_table_name
-
-          if not value.is_a?(Hash)
-            attr = attr.to_s
-
-            # Extract table name from qualified attribute names.
-            if attr.include?('.') and top_level
-              attr_table_name, attr = attr.split('.', 2)
-              attr_table_name = connection.quote_table_name(attr_table_name)
-            else
-              attr_table_name = table_name
-            end
-
-            attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
-          elsif top_level
-            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
-          else
-            raise ActiveRecord::StatementInvalid
-          end
-        end.join(' AND ')
-
-        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
-      end
-      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
-    end
-  end
-end
-
-# Backported fix for CVE-2012-3465
-# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
-# TODO: Remove this once we are on Rails >= 3.2.8
-require 'action_view/helpers/sanitize_helper'
-module ActionView::Helpers::SanitizeHelper
-  def strip_tags(html)
-    self.class.full_sanitizer.sanitize(html)
-  end
 end

 # Backported fix for CVE-2012-3464
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
@ -1,5 +1,10 @@
 = ChiliProject Changelog

+== 2013-01-29 v3.6.0
+
+* Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues
+* Security - Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)
+
 == 2013-01-16 v3.5.1

 * Security - Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
--- a/lib/chili_project/version.rb
+++ b/lib/chili_project/version.rb
@ -18,8 +18,8 @@ module ChiliProject
  module VERSION #:nodoc:

    MAJOR = 3
-    MINOR = 5
-    PATCH = 1
+    MINOR = 6
+    PATCH = 0
    TINY  = PATCH # Redmine compat

    # Used by semver to define the special version (if any).