Merge tag 'v3.7.0' into backbone.ws

This commit is contained in:
Kolan Sh 2013-02-14 00:52:45 +04:00
commit 6978a86c97
13 changed files with 25 additions and 64 deletions

View File

@ -1,8 +1,9 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
source :rubygems source :rubygems
gem "rails", "2.3.16" gem "rails", "2.3.17"
gem "json", "~> 1.7.7"
gem "coderay", "~> 1.0.0" gem "coderay", "~> 1.0.0"
gem "i18n", "~> 0.4.2" gem "i18n", "~> 0.4.2"
gem "rubytree", "~> 0.5.2", :require => 'tree' gem "rubytree", "~> 0.5.2", :require => 'tree'

View File

@ -37,7 +37,7 @@ class AccountController < ApplicationController
def lost_password def lost_password
redirect_to(home_url) && return unless Setting.lost_password? redirect_to(home_url) && return unless Setting.lost_password?
if params[:token] if params[:token]
@token = Token.find_by_action_and_value("recovery", params[:token]) @token = Token.find_by_action_and_value("recovery", params[:token].to_s)
redirect_to(home_url) && return unless @token and !@token.expired? redirect_to(home_url) && return unless @token and !@token.expired?
@user = @token.user @user = @token.user
if request.post? if request.post?
@ -53,7 +53,7 @@ class AccountController < ApplicationController
return return
else else
if request.post? if request.post?
user = User.find_by_mail(params[:mail]) user = User.find_by_mail(params[:mail].to_s)
# user not found in db # user not found in db
(flash.now[:error] = l(:notice_account_unknown_email); return) unless user (flash.now[:error] = l(:notice_account_unknown_email); return) unless user
# user uses an external authentification # user uses an external authentification
@ -109,7 +109,7 @@ class AccountController < ApplicationController
# Token based account activation # Token based account activation
def activate def activate
redirect_to(home_url) && return unless Setting.self_registration? && params[:token] redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
token = Token.find_by_action_and_value('register', params[:token]) token = Token.find_by_action_and_value('register', params[:token].to_s)
redirect_to(home_url) && return unless token and !token.expired? redirect_to(home_url) && return unless token and !token.expired?
user = token.user user = token.user
redirect_to(home_url) && return unless user.registered? redirect_to(home_url) && return unless user.registered?

View File

@ -82,11 +82,11 @@ class ApplicationController < ActionController::Base
user user
elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action]) elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
# RSS key authentication does not start a session # RSS key authentication does not start a session
User.find_by_rss_key(params[:key]) User.find_by_rss_key(params[:key].to_s)
elsif Setting.rest_api_enabled? && api_request? elsif Setting.rest_api_enabled? && api_request?
if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action]) if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
# Use API key # Use API key
User.find_by_api_key(key) User.find_by_api_key(key.to_s)
else else
# HTTP Basic, either username/password or API key/random # HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password| authenticate_with_http_basic do |username, password|

View File

@ -368,7 +368,7 @@ class Issue < ActiveRecord::Base
def attachment_removed(obj) def attachment_removed(obj)
init_journal(User.current) init_journal(User.current)
create_journal create_journal
last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]}.to_yaml) last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]})
end end
# Return true if the issue is closed, otherwise false # Return true if the issue is closed, otherwise false

View File

@ -98,7 +98,7 @@ class WikiContent < ActiveRecord::Base
changes.delete("text") changes.delete("text")
changes["data"] = hash[:text] changes["data"] = hash[:text]
changes["compression"] = hash[:compression] changes["compression"] = hash[:compression]
update_attribute(:changes, changes.to_yaml) update_attribute(:changes, changes)
end end
def text def text

View File

@ -21,9 +21,6 @@
# use RACK_ENV if we are running as a simple rack app # use RACK_ENV if we are running as a simple rack app
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV'] ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '2.3.16' unless defined? RAILS_GEM_VERSION
# this is replaced by config.encoding = "utf-8" in rails3 # this is replaced by config.encoding = "utf-8" in rails3
if RUBY_VERSION >= '1.9' if RUBY_VERSION >= '1.9'
Encoding.default_external = 'UTF-8' Encoding.default_external = 'UTF-8'

View File

@ -159,56 +159,13 @@ module ActionController
end end
end end
# Backported fix for CVE-2012-3464
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
# TODO: Remove this once we are on Rails >= 3.2.8
require 'active_support/core_ext/string/output_safety'
class ERB
module Util
HTML_ESCAPE["'"] = '&#39;'
if RUBY_VERSION >= '1.9'
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
#
# In your ERB templates, use this method to escape any unsafe content. For example:
# <%=h @person.name %>
#
# ==== Example:
# puts html_escape("is a > 0 & a < 10?")
# # => is a &gt; 0 &amp; a &lt; 10?
def html_escape(s)
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
end
end
else
def html_escape(s) #:nodoc:
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
end
end
end
# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
remove_method(:h)
alias h html_escape
module_function :h
singleton_class.send(:remove_method, :html_escape)
module_function :html_escape
end
end
require 'action_view/helpers/tag_helper' require 'action_view/helpers/tag_helper'
module ActionView::Helpers::TagHelper module ActionView::Helpers::TagHelper
def escape_once(html) def escape_once(html)
ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] } ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
end end
end end
# Workaround for CVE-2013-0333
# https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/1h2DR63ViGo/GOUVafeaF1IJ
ActiveSupport::JSON.backend = "JSONGem"

View File

@ -31,7 +31,7 @@ class AddChangesFromJournalDetailsForActsAsJournalized < ActiveRecord::Migration
changes["attachments_" + detail.prop_key.to_s] = [detail.old_value, detail.value] changes["attachments_" + detail.prop_key.to_s] = [detail.old_value, detail.value]
end end
begin begin
journal.update_attribute(:changes, changes.to_yaml) journal.update_attribute(:changes, changes)
rescue ActiveRecord::RecordInvalid => ex rescue ActiveRecord::RecordInvalid => ex
puts "Error saving: #{journal.class.to_s}##{journal.id} - #{ex.message}" puts "Error saving: #{journal.class.to_s}##{journal.id} - #{ex.message}"
end end

View File

@ -39,7 +39,7 @@ class MergeWikiVersionsWithJournals < ActiveRecord::Migration
changes = {} changes = {}
changes["compression"] = wv.compression changes["compression"] = wv.compression
changes["data"] = wv.data changes["data"] = wv.data
journal.update_attribute(:changes, changes.to_yaml) journal.update_attribute(:changes, changes)
journal.update_attribute(:version, wv.version) journal.update_attribute(:version, wv.version)
end end
# drop_table :wiki_content_versions # drop_table :wiki_content_versions

View File

@ -1,5 +1,11 @@
= ChiliProject Changelog = ChiliProject Changelog
== 2013-02-13 v3.7.0
* Security - Feature #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
* Security - Bug #1234: Potential vulnerability in token authentication when running on MySQL
* Bug #1235: Liquid's last filter errors out
== 2013-01-29 v3.6.0 == 2013-01-29 v3.6.0
* Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues * Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues

View File

@ -59,7 +59,7 @@ module ChiliProject
# Example: # Example:
# {{ product.images | last | to_img }} # {{ product.images | last | to_img }}
def last(array, count=nil) def last(array, count=nil)
array.last if count=nil? && array.respond_to?(:last) return array.last if count.nil? && array.respond_to?(:last)
if array.respond_to?(:[]) if array.respond_to?(:[])
count.to_i > 0 ? array[(count.to_i * -1)..-1] : [] count.to_i > 0 ? array[(count.to_i * -1)..-1] : []
end end

View File

@ -18,7 +18,7 @@ module ChiliProject
module VERSION #:nodoc: module VERSION #:nodoc:
MAJOR = 3 MAJOR = 3
MINOR = 6 MINOR = 7
PATCH = 0 PATCH = 0
TINY = PATCH # Redmine compat TINY = PATCH # Redmine compat

View File

@ -170,14 +170,14 @@ class ActiveSupport::TestCase
should "use the new value's name" do should "use the new value's name" do
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last) @detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml) @detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
assert_match @new_value.class.find(@new_value.id).name, @detail.render_detail(prop_key, true) assert_match @new_value.class.find(@new_value.id).name, @detail.render_detail(prop_key, true)
end end
should "use the old value's name" do should "use the old value's name" do
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last) @detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml) @detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
assert_match @old_value.class.find(@old_value.id).name, @detail.render_detail(prop_key, true) assert_match @old_value.class.find(@old_value.id).name, @detail.render_detail(prop_key, true)
end end