From 430b6bb442ed555241c4977b25cedc9931e982d0 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Tue, 12 Feb 2013 12:02:35 +0100
Subject: [PATCH 1/8] Improve on broken MySQL handling of login tokens #1234
---
 app/controllers/account_controller.rb | 6 +++---
 app/controllers/application_controller.rb | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index b97c91ad..4f0faa0d 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -37,7 +37,7 @@ class AccountController < ApplicationController
 def lost_password
 redirect_to(home_url) && return unless Setting.lost_password?
 if params[:token]
- @token = Token.find_by_action_and_value("recovery", params[:token])
+ @token = Token.find_by_action_and_value("recovery", params[:token].to_s)
 redirect_to(home_url) && return unless @token and !@token.expired?
 @user = @token.user
 if request.post?
@@ -53,7 +53,7 @@ class AccountController < ApplicationController
 return
 else
 if request.post?
- user = User.find_by_mail(params[:mail])
+ user = User.find_by_mail(params[:mail].to_s)
 # user not found in db
 (flash.now[:error] = l(:notice_account_unknown_email); return) unless user
 # user uses an external authentification
@@ -109,7 +109,7 @@ class AccountController < ApplicationController
 # Token based account activation
 def activate
 redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
- token = Token.find_by_action_and_value('register', params[:token])
+ token = Token.find_by_action_and_value('register', params[:token].to_s)
 redirect_to(home_url) && return unless token and !token.expired?
 user = token.user
 redirect_to(home_url) && return unless user.registered?
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7b2e6eea..abdc46a8 100644
--- a/app/controllers/application_controller.rb
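Review bot: The `.to_s` coercion in `lost_password`, `activate` and the `find_by_mail` call turns an Array or Hash parameter into some string and then runs the lookup anyway; rejecting non-String input before the query is stricter and easier to audit, e.g. `redirect_to(home_url) && return unless params[:token].is_a?(String)` ahead of each `Token.find_by_action_and_value` call. The same per-call-site coercion is repeated in the two key lookups in application_controller.rb, so a finder call added later without it would bring the problem back; doing the type check once in a shared helper or in the model would close that gap. The diffstat shows no test change, so a functional test that submits a non-string `token` and expects the redirect to `home_url` would pin the fix. All three methods continue outside their hunks.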
+++ b/app/controllers/application_controller.rb
@@ -82,11 +82,11 @@ class ApplicationController < ActionController::Base
 user
 elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
 # RSS key authentication does not start a session
- User.find_by_rss_key(params[:key])
+ User.find_by_rss_key(params[:key].to_s)
 elsif Setting.rest_api_enabled? && api_request?
 if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
 # Use API key
- User.find_by_api_key(key)
+ User.find_by_api_key(key.to_s)
 else
 # HTTP Basic, either username/password or API key/random
 authenticate_with_http_basic do |username, password|
From fd306095c609a83f510f10945355fc6ae32d31ed Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Tue, 12 Feb 2013 12:03:48 +0100
Subject: [PATCH 2/8] Bump Rails to 2.3.17 #1233
---
 Gemfile | 2 +-
 config/environment.rb | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/Gemfile b/Gemfile
index 58d8c990..d62e3032 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 source :rubygems
-gem "rails", "2.3.16"
+gem "rails", "2.3.17"
 gem "coderay", "~> 1.0.0"
 gem "i18n", "~> 0.4.2"
diff --git a/config/environment.rb b/config/environment.rb
index 464adcea..bf5251e3 100644
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -21,9 +21,6 @@
 # use RACK_ENV if we are running as a simple rack app
 ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
-# Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.16' unless defined? RAILS_GEM_VERSION
-
 # this is replaced by config.encoding = "utf-8" in rails3
 if RUBY_VERSION >= '1.9'
 Encoding.default_external = 'UTF-8'
From 0b567641bcde8b639f4cfea6f4db7a207fffd798 Mon Sep 17 00:00:00 2001
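Review bot: Nothing at `User.find_by_rss_key(params[:key].to_s)` or `User.find_by_api_key(key.to_s)` in application_controller.rb says why the coercion is there, so it reads like a redundant conversion that a later cleanup could remove. A comment above each call, such as `# Always pass a String: a non-string key must not reach the SQL comparison (#1234)`, would keep the intent visible. If `api_key_from_request` (not shown in the hunk) is the only source of `key`, returning a String from it would cover any other caller as well. The enclosing method starts and ends outside the hunk.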
From: Holger Just
Date: Tue, 12 Feb 2013 12:10:38 +0100
Subject: [PATCH 3/8] Don't set YAML on serialized fields #1233
---
 app/models/issue.rb | 2 +-
 app/models/wiki_content.rb | 2 +-
 ...dd_changes_from_journal_details_for_acts_as_journalized.rb | 2 +-
 .../20100804112053_merge_wiki_versions_with_journals.rb | 2 +-
 test/test_helper.rb | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/models/issue.rb b/app/models/issue.rb
index e4c215c9..d9047ae2 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -368,7 +368,7 @@ class Issue < ActiveRecord::Base
 def attachment_removed(obj)
 init_journal(User.current)
 create_journal
- last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]}.to_yaml)
+ last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]})
 end
 # Return true if the issue is closed, otherwise false
diff --git a/app/models/wiki_content.rb b/app/models/wiki_content.rb
index 1444fd4a..88e62c11 100644
--- a/app/models/wiki_content.rb
+++ b/app/models/wiki_content.rb
@@ -98,7 +98,7 @@ class WikiContent < ActiveRecord::Base
 changes.delete("text")
 changes["data"] = hash[:text]
 changes["compression"] = hash[:compression]
- update_attribute(:changes, changes.to_yaml)
+ update_attribute(:changes, changes)
 end
 def text
diff --git a/db/migrate/20100714111654_add_changes_from_journal_details_for_acts_as_journalized.rb b/db/migrate/20100714111654_add_changes_from_journal_details_for_acts_as_journalized.rb
index 1690623e..35c093e1 100644
--- a/db/migrate/20100714111654_add_changes_from_journal_details_for_acts_as_journalized.rb
+++ b/db/migrate/20100714111654_add_changes_from_journal_details_for_acts_as_journalized.rb
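Review bot: The call sites changed here are only the ones visible in this diff, and nothing guards against a remaining caller (a plugin, or code outside these files) that still passes `changes.to_yaml`; after the Rails bump such a value would presumably be stored as a String and read back as one instead of a Hash. A model test that asserts `last_journal.changes.is_a?(Hash)` after `attachment_removed`, and the same for the wiki content update, would catch that early. It is also worth confirming that rows written by the old `.to_yaml` code still load as a Hash, since the patch adds no data migration and the two files under `db/migrate` only affect installs that have not run them yet. `attachment_removed` is complete in its hunk; the other methods continue outside theirs.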
@@ -31,7 +31,7 @@ class AddChangesFromJournalDetailsForActsAsJournalized < ActiveRecord::Migration
 changes["attachments_" + detail.prop_key.to_s] = [detail.old_value, detail.value]
 end
 begin
- journal.update_attribute(:changes, changes.to_yaml)
+ journal.update_attribute(:changes, changes)
 rescue ActiveRecord::RecordInvalid => ex
 puts "Error saving: #{journal.class.to_s}##{journal.id} - #{ex.message}"
 end
diff --git a/db/migrate/20100804112053_merge_wiki_versions_with_journals.rb b/db/migrate/20100804112053_merge_wiki_versions_with_journals.rb
index 3cc034af..58efa457 100644
--- a/db/migrate/20100804112053_merge_wiki_versions_with_journals.rb
+++ b/db/migrate/20100804112053_merge_wiki_versions_with_journals.rb
@@ -39,7 +39,7 @@ class MergeWikiVersionsWithJournals < ActiveRecord::Migration
 changes = {}
 changes["compression"] = wv.compression
 changes["data"] = wv.data
- journal.update_attribute(:changes, changes.to_yaml)
+ journal.update_attribute(:changes, changes)
 journal.update_attribute(:version, wv.version)
 end
 # drop_table :wiki_content_versions
diff --git a/test/test_helper.rb b/test/test_helper.rb
index b66a5ebe..f8adc32d 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -170,14 +170,14 @@ class ActiveSupport::TestCase
 should "use the new value's name" do
 @detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
- @detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml)
+ @detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
 assert_match @new_value.class.find(@new_value.id).name, @detail.render_detail(prop_key, true)
 end
 should "use the old value's name" do
 @detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
- @detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml)
+ @detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
 assert_match @old_value.class.find(@old_value.id).name, @detail.render_detail(prop_key, true)
 end
From 6d3dc6e6194085aeb7a74206a743bb84838690fb Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Tue, 12 Feb 2013 12:49:00 +0100
Subject: [PATCH 4/8] Bump json gem to a safe version for CVE-2013-0269, CVE-2013-0333
---
 Gemfile | 1 +
 config/initializers/10-patches.rb | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/Gemfile b/Gemfile
index d62e3032..af1049e4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,7 @@ source :rubygems
 gem "rails", "2.3.17"
+gem "json", "~> 1.7.7"
 gem "coderay", "~> 1.0.0"
 gem "i18n", "~> 0.4.2"
 gem "rubytree", "~> 0.5.2", :require => 'tree'
diff --git a/config/initializers/10-patches.rb b/config/initializers/10-patches.rb
index 45a4371d..1ad5a3ee 100644
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@@ -212,3 +212,7 @@ module ActionView::Helpers::TagHelper
 ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
 end
 end
+
+# Workaround for CVE-2013-0333
+# https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/1h2DR63ViGo/GOUVafeaF1IJ
+ActiveSupport::JSON.backend = "JSONGem"
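Review bot: The Gemfile line `gem "json", "~> 1.7.7"` carries no hint that it is a security floor, although the commit subject names CVE-2013-0269 and CVE-2013-0333; a comment such as `# security pin for CVE-2013-0269, do not loosen below 1.7.7` would stop a later cleanup from relaxing it. In `10-patches.rb` the backend switch sits at the end of a file of monkey patches and nothing verifies it, so a plugin or load-order change that resets the backend would go unnoticed. A small test asserting that the JSON gem backend is the active `ActiveSupport::JSON.backend` after boot would pin the workaround.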
From 8b357a118de99197c7492ef69fd19325f64f2120 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Tue, 12 Feb 2013 12:49:50 +0100
Subject: [PATCH 5/8] Remove monkey patch which is already included in Rails 2.3.17 #1233
---
 config/initializers/10-patches.rb | 47 -------------------------------
 1 file changed, 47 deletions(-)
diff --git a/config/initializers/10-patches.rb b/config/initializers/10-patches.rb
index 1ad5a3ee..dfacf525 100644
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@@ -159,53 +159,6 @@ module ActionController
 end
 end
-# Backported fix for CVE-2012-3464
-# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
-# TODO: Remove this once we are on Rails >= 3.2.8
-require 'active_support/core_ext/string/output_safety'
-class ERB
- module Util
- HTML_ESCAPE["'"] = '''
-
- if RUBY_VERSION >= '1.9'
- # A utility method for escaping HTML tag characters.
- # This method is also aliased as h.
- #
- # In your ERB templates, use this method to escape any unsafe content. For example:
- # <%=h @person.name %>
- #
- # ==== Example:
- # puts html_escape("is a > 0 & a < 10?")
- # # => is a > 0 & a < 10?
- def html_escape(s)
- s = s.to_s
- if s.html_safe?
- s
- else
- s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
- end
- end
- else
- def html_escape(s) #:nodoc:
- s = s.to_s
- if s.html_safe?
- s
- else
- s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
- end
- end
- end
-
- # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
- remove_method(:h)
- alias h html_escape
-
- module_function :h
-
- singleton_class.send(:remove_method, :html_escape)
- module_function :html_escape
- end
-end
 require 'action_view/helpers/tag_helper'
 module ActionView::Helpers::TagHelper
 def escape_once(html)
From 595e60fb9c83534198d3cb4bb362801faca28f10 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Tue, 12 Feb 2013 13:15:31 +0100
Subject: [PATCH 6/8] Fix stupidity in last filter of liquid #1235
---
 lib/chili_project/liquid/filters.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/chili_project/liquid/filters.rb b/lib/chili_project/liquid/filters.rb
index 4ee76679..683a0e9a 100644
--- a/lib/chili_project/liquid/filters.rb
+++ b/lib/chili_project/liquid/filters.rb
@@ -59,7 +59,7 @@ module ChiliProject
 # Example:
 # {{ product.images | last | to_img }}
 def last(array, count=nil)
- array.last if count=nil? && array.respond_to?(:last)
+ return array.last if count.nil? && array.respond_to?(:last)
 if array.respond_to?(:[])
 count.to_i > 0 ? array[(count.to_i * -1)..-1] : []
 end
From 31ad2ef6c37b0abf762c8a7851a27d1a90c5620e Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Wed, 13 Feb 2013 15:48:47 +0100
Subject: [PATCH 7/8] Update changelog for 3.7.0 release
---
 doc/CHANGELOG.rdoc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/doc/CHANGELOG.rdoc b/doc/CHANGELOG.rdoc
index 2353f6f1..903c77bc 100644
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
@@ -1,5 +1,11 @@
 = ChiliProject Changelog
+== 2013-02-13 v3.7.0
+
+* Security - Feature #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
+* Security - Bug #1234: Potential vulnerability in token authentication when running on MySQL
+* Bug #1235: Liquid's last filter errors out
+
 == 2013-01-29 v3.6.0
 * Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues
From 63976e6522185482b96e85a9ad26ff45fcdf0887 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Wed, 13 Feb 2013 15:49:17 +0100
Subject: [PATCH 8/8] Bump the version to v3.7.0
---
 lib/chili_project/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/chili_project/version.rb b/lib/chili_project/version.rb
index e1429cc9..af2818e5 100644
--- a/lib/chili_project/version.rb
+++ b/lib/chili_project/version.rb
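Review bot: With a `count` larger than the collection, `array[(count.to_i * -1)..-1]` in `last` evaluates to `nil` for an Array because the range start falls before index 0, so the filter returns nothing instead of the whole list. Falling back to the full collection keeps the result predictable: `count.to_i > 0 ? (array[(count.to_i * -1)..-1] || array) : []`. The method also returns `nil` when `array` responds to neither `last` nor `[]`; if that is intended, a one-line comment should say so. The fix for the `count=nil?` typo arrives without a test, and the method's closing `end` lies outside the hunk.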
@@ -18,7 +18,7 @@ module ChiliProject
 module VERSION #:nodoc:
 MAJOR = 3
- MINOR = 6
+ MINOR = 7
 PATCH = 0
 TINY = PATCH # Redmine compat