Merge tag 'v3.7.0' into backbone.ws
This commit is contained in:
commit
6978a86c97
3
Gemfile
3
Gemfile
|
@ -1,8 +1,9 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
source :rubygems
|
source :rubygems
|
||||||
|
|
||||||
gem "rails", "2.3.16"
|
gem "rails", "2.3.17"
|
||||||
|
|
||||||
|
gem "json", "~> 1.7.7"
|
||||||
gem "coderay", "~> 1.0.0"
|
gem "coderay", "~> 1.0.0"
|
||||||
gem "i18n", "~> 0.4.2"
|
gem "i18n", "~> 0.4.2"
|
||||||
gem "rubytree", "~> 0.5.2", :require => 'tree'
|
gem "rubytree", "~> 0.5.2", :require => 'tree'
|
||||||
|
|
|
@ -37,7 +37,7 @@ class AccountController < ApplicationController
|
||||||
def lost_password
|
def lost_password
|
||||||
redirect_to(home_url) && return unless Setting.lost_password?
|
redirect_to(home_url) && return unless Setting.lost_password?
|
||||||
if params[:token]
|
if params[:token]
|
||||||
@token = Token.find_by_action_and_value("recovery", params[:token])
|
@token = Token.find_by_action_and_value("recovery", params[:token].to_s)
|
||||||
redirect_to(home_url) && return unless @token and !@token.expired?
|
redirect_to(home_url) && return unless @token and !@token.expired?
|
||||||
@user = @token.user
|
@user = @token.user
|
||||||
if request.post?
|
if request.post?
|
||||||
|
@ -53,7 +53,7 @@ class AccountController < ApplicationController
|
||||||
return
|
return
|
||||||
else
|
else
|
||||||
if request.post?
|
if request.post?
|
||||||
user = User.find_by_mail(params[:mail])
|
user = User.find_by_mail(params[:mail].to_s)
|
||||||
# user not found in db
|
# user not found in db
|
||||||
(flash.now[:error] = l(:notice_account_unknown_email); return) unless user
|
(flash.now[:error] = l(:notice_account_unknown_email); return) unless user
|
||||||
# user uses an external authentification
|
# user uses an external authentification
|
||||||
|
@ -109,7 +109,7 @@ class AccountController < ApplicationController
|
||||||
# Token based account activation
|
# Token based account activation
|
||||||
def activate
|
def activate
|
||||||
redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
|
redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
|
||||||
token = Token.find_by_action_and_value('register', params[:token])
|
token = Token.find_by_action_and_value('register', params[:token].to_s)
|
||||||
redirect_to(home_url) && return unless token and !token.expired?
|
redirect_to(home_url) && return unless token and !token.expired?
|
||||||
user = token.user
|
user = token.user
|
||||||
redirect_to(home_url) && return unless user.registered?
|
redirect_to(home_url) && return unless user.registered?
|
||||||
|
|
|
@ -82,11 +82,11 @@ class ApplicationController < ActionController::Base
|
||||||
user
|
user
|
||||||
elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
|
elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
|
||||||
# RSS key authentication does not start a session
|
# RSS key authentication does not start a session
|
||||||
User.find_by_rss_key(params[:key])
|
User.find_by_rss_key(params[:key].to_s)
|
||||||
elsif Setting.rest_api_enabled? && api_request?
|
elsif Setting.rest_api_enabled? && api_request?
|
||||||
if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
|
if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
|
||||||
# Use API key
|
# Use API key
|
||||||
User.find_by_api_key(key)
|
User.find_by_api_key(key.to_s)
|
||||||
else
|
else
|
||||||
# HTTP Basic, either username/password or API key/random
|
# HTTP Basic, either username/password or API key/random
|
||||||
authenticate_with_http_basic do |username, password|
|
authenticate_with_http_basic do |username, password|
|
||||||
|
|
|
@ -368,7 +368,7 @@ class Issue < ActiveRecord::Base
|
||||||
def attachment_removed(obj)
|
def attachment_removed(obj)
|
||||||
init_journal(User.current)
|
init_journal(User.current)
|
||||||
create_journal
|
create_journal
|
||||||
last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]}.to_yaml)
|
last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]})
|
||||||
end
|
end
|
||||||
|
|
||||||
# Return true if the issue is closed, otherwise false
|
# Return true if the issue is closed, otherwise false
|
||||||
|
|
|
@ -98,7 +98,7 @@ class WikiContent < ActiveRecord::Base
|
||||||
changes.delete("text")
|
changes.delete("text")
|
||||||
changes["data"] = hash[:text]
|
changes["data"] = hash[:text]
|
||||||
changes["compression"] = hash[:compression]
|
changes["compression"] = hash[:compression]
|
||||||
update_attribute(:changes, changes.to_yaml)
|
update_attribute(:changes, changes)
|
||||||
end
|
end
|
||||||
|
|
||||||
def text
|
def text
|
||||||
|
|
|
@ -21,9 +21,6 @@
|
||||||
# use RACK_ENV if we are running as a simple rack app
|
# use RACK_ENV if we are running as a simple rack app
|
||||||
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
|
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
|
||||||
|
|
||||||
# Specifies gem version of Rails to use when vendor/rails is not present
|
|
||||||
RAILS_GEM_VERSION = '2.3.16' unless defined? RAILS_GEM_VERSION
|
|
||||||
|
|
||||||
# this is replaced by config.encoding = "utf-8" in rails3
|
# this is replaced by config.encoding = "utf-8" in rails3
|
||||||
if RUBY_VERSION >= '1.9'
|
if RUBY_VERSION >= '1.9'
|
||||||
Encoding.default_external = 'UTF-8'
|
Encoding.default_external = 'UTF-8'
|
||||||
|
|
|
@ -159,56 +159,13 @@ module ActionController
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Backported fix for CVE-2012-3464
|
|
||||||
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
|
|
||||||
# TODO: Remove this once we are on Rails >= 3.2.8
|
|
||||||
require 'active_support/core_ext/string/output_safety'
|
|
||||||
class ERB
|
|
||||||
module Util
|
|
||||||
HTML_ESCAPE["'"] = '''
|
|
||||||
|
|
||||||
if RUBY_VERSION >= '1.9'
|
|
||||||
# A utility method for escaping HTML tag characters.
|
|
||||||
# This method is also aliased as <tt>h</tt>.
|
|
||||||
#
|
|
||||||
# In your ERB templates, use this method to escape any unsafe content. For example:
|
|
||||||
# <%=h @person.name %>
|
|
||||||
#
|
|
||||||
# ==== Example:
|
|
||||||
# puts html_escape("is a > 0 & a < 10?")
|
|
||||||
# # => is a > 0 & a < 10?
|
|
||||||
def html_escape(s)
|
|
||||||
s = s.to_s
|
|
||||||
if s.html_safe?
|
|
||||||
s
|
|
||||||
else
|
|
||||||
s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
|
|
||||||
end
|
|
||||||
end
|
|
||||||
else
|
|
||||||
def html_escape(s) #:nodoc:
|
|
||||||
s = s.to_s
|
|
||||||
if s.html_safe?
|
|
||||||
s
|
|
||||||
else
|
|
||||||
s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
|
|
||||||
remove_method(:h)
|
|
||||||
alias h html_escape
|
|
||||||
|
|
||||||
module_function :h
|
|
||||||
|
|
||||||
singleton_class.send(:remove_method, :html_escape)
|
|
||||||
module_function :html_escape
|
|
||||||
end
|
|
||||||
end
|
|
||||||
require 'action_view/helpers/tag_helper'
|
require 'action_view/helpers/tag_helper'
|
||||||
module ActionView::Helpers::TagHelper
|
module ActionView::Helpers::TagHelper
|
||||||
def escape_once(html)
|
def escape_once(html)
|
||||||
ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
|
ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Workaround for CVE-2013-0333
|
||||||
|
# https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/1h2DR63ViGo/GOUVafeaF1IJ
|
||||||
|
ActiveSupport::JSON.backend = "JSONGem"
|
||||||
|
|
|
@ -31,7 +31,7 @@ class AddChangesFromJournalDetailsForActsAsJournalized < ActiveRecord::Migration
|
||||||
changes["attachments_" + detail.prop_key.to_s] = [detail.old_value, detail.value]
|
changes["attachments_" + detail.prop_key.to_s] = [detail.old_value, detail.value]
|
||||||
end
|
end
|
||||||
begin
|
begin
|
||||||
journal.update_attribute(:changes, changes.to_yaml)
|
journal.update_attribute(:changes, changes)
|
||||||
rescue ActiveRecord::RecordInvalid => ex
|
rescue ActiveRecord::RecordInvalid => ex
|
||||||
puts "Error saving: #{journal.class.to_s}##{journal.id} - #{ex.message}"
|
puts "Error saving: #{journal.class.to_s}##{journal.id} - #{ex.message}"
|
||||||
end
|
end
|
||||||
|
|
|
@ -39,7 +39,7 @@ class MergeWikiVersionsWithJournals < ActiveRecord::Migration
|
||||||
changes = {}
|
changes = {}
|
||||||
changes["compression"] = wv.compression
|
changes["compression"] = wv.compression
|
||||||
changes["data"] = wv.data
|
changes["data"] = wv.data
|
||||||
journal.update_attribute(:changes, changes.to_yaml)
|
journal.update_attribute(:changes, changes)
|
||||||
journal.update_attribute(:version, wv.version)
|
journal.update_attribute(:version, wv.version)
|
||||||
end
|
end
|
||||||
# drop_table :wiki_content_versions
|
# drop_table :wiki_content_versions
|
||||||
|
|
|
@ -1,5 +1,11 @@
|
||||||
= ChiliProject Changelog
|
= ChiliProject Changelog
|
||||||
|
|
||||||
|
== 2013-02-13 v3.7.0
|
||||||
|
|
||||||
|
* Security - Feature #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
|
||||||
|
* Security - Bug #1234: Potential vulnerability in token authentication when running on MySQL
|
||||||
|
* Bug #1235: Liquid's last filter errors out
|
||||||
|
|
||||||
== 2013-01-29 v3.6.0
|
== 2013-01-29 v3.6.0
|
||||||
|
|
||||||
* Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues
|
* Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues
|
||||||
|
|
|
@ -59,7 +59,7 @@ module ChiliProject
|
||||||
# Example:
|
# Example:
|
||||||
# {{ product.images | last | to_img }}
|
# {{ product.images | last | to_img }}
|
||||||
def last(array, count=nil)
|
def last(array, count=nil)
|
||||||
array.last if count=nil? && array.respond_to?(:last)
|
return array.last if count.nil? && array.respond_to?(:last)
|
||||||
if array.respond_to?(:[])
|
if array.respond_to?(:[])
|
||||||
count.to_i > 0 ? array[(count.to_i * -1)..-1] : []
|
count.to_i > 0 ? array[(count.to_i * -1)..-1] : []
|
||||||
end
|
end
|
||||||
|
|
|
@ -18,7 +18,7 @@ module ChiliProject
|
||||||
module VERSION #:nodoc:
|
module VERSION #:nodoc:
|
||||||
|
|
||||||
MAJOR = 3
|
MAJOR = 3
|
||||||
MINOR = 6
|
MINOR = 7
|
||||||
PATCH = 0
|
PATCH = 0
|
||||||
TINY = PATCH # Redmine compat
|
TINY = PATCH # Redmine compat
|
||||||
|
|
||||||
|
|
|
@ -170,14 +170,14 @@ class ActiveSupport::TestCase
|
||||||
|
|
||||||
should "use the new value's name" do
|
should "use the new value's name" do
|
||||||
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
|
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
|
||||||
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml)
|
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
|
||||||
|
|
||||||
assert_match @new_value.class.find(@new_value.id).name, @detail.render_detail(prop_key, true)
|
assert_match @new_value.class.find(@new_value.id).name, @detail.render_detail(prop_key, true)
|
||||||
end
|
end
|
||||||
|
|
||||||
should "use the old value's name" do
|
should "use the old value's name" do
|
||||||
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
|
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
|
||||||
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml)
|
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
|
||||||
|
|
||||||
assert_match @old_value.class.find(@old_value.id).name, @detail.render_detail(prop_key, true)
|
assert_match @old_value.class.find(@old_value.id).name, @detail.render_detail(prop_key, true)
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue