From bf4ed9b37bad4c1a59914464f94ac434f5c51b68 Mon Sep 17 00:00:00 2001 From: Holger Just Date: Wed, 9 Jan 2013 13:54:35 +0100 Subject: [PATCH 1/4] Bump Rails version to 2.3.15 #1200 --- Gemfile | 2 +- config/environment.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index 765dbe71..9e53008e 100644 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- source :rubygems -gem "rails", "2.3.14" +gem "rails", "2.3.15" gem "coderay", "~> 1.0.0" gem "i18n", "~> 0.4.2" diff --git a/config/environment.rb b/config/environment.rb index 1765fe95..bc898648 100644 --- a/config/environment.rb +++ b/config/environment.rb @@ -22,7 +22,7 @@ ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV'] # Specifies gem version of Rails to use when vendor/rails is not present -RAILS_GEM_VERSION = '2.3.14' unless defined? RAILS_GEM_VERSION +RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION # this is replaced by config.encoding = "utf-8" in rails3 if RUBY_VERSION >= '1.9' From c69a0053533db39c203deec9ab7477bcc0a61809 Mon Sep 17 00:00:00 2001 From: Holger Just Date: Wed, 9 Jan 2013 13:56:25 +0100 Subject: [PATCH 2/4] Remove Rails patches which are already included in Rails 2.3.15 #1200 --- config/initializers/10-patches.rb | 175 ------------------------------ 1 file changed, 175 deletions(-) diff --git a/config/initializers/10-patches.rb b/config/initializers/10-patches.rb index a8f4796d..37bf6077 100644 --- a/config/initializers/10-patches.rb +++ b/config/initializers/10-patches.rb @@ -199,181 +199,6 @@ module ActionController end end -require 'active_record/base' -module ActiveRecord - class Base - class << self - # Backported fix for CVE-2012-2695 - # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59 - # TODO: Remove this once we are on Rails >= 3.2.6 - def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) - attrs = expand_hash_conditions_for_aggregates(attrs) - - conditions = attrs.map do |attr, value| - table_name = default_table_name - - if not value.is_a?(Hash) - attr = attr.to_s - - # Extract table name from qualified attribute names. - if attr.include?('.') and top_level - attr_table_name, attr = attr.split('.', 2) - attr_table_name = connection.quote_table_name(attr_table_name) - else - attr_table_name = table_name - end - - attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value) - elsif top_level - sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false) - else - raise ActiveRecord::StatementInvalid - end - end.join(' AND ') - - replace_bind_variables(conditions, expand_range_bind_variables(attrs.values)) - end - alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions - - # CVE-2012-5664 - # https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM - # TODO: remove once we are on Rails >= 3.2.10 - def method_missing(method_id, *arguments, &block) - if match = DynamicFinderMatch.match(method_id) - attribute_names = match.attribute_names - super unless all_attributes_exists?(attribute_names) - if match.finder? - finder = match.finder - bang = match.bang? - # def self.find_by_login_and_activated(*args) - # options = args.extract_options! - # attributes = construct_attributes_from_arguments( - # [:login,:activated], - # args - # ) - # finder_options = { :conditions => attributes } - # validate_find_options(options) - # set_readonly_option!(options) - # - # if options[:conditions] - # with_scope(:find => finder_options) do - # find(:first, options) - # end - # else - # find(:first, options.merge(finder_options)) - # end - # end - self.class_eval <<-EOS, __FILE__, __LINE__ + 1 - def self.#{method_id}(*args) - options = if args.length > #{attribute_names.size} - args.extract_options! - else - {} - end - attributes = construct_attributes_from_arguments( - [:#{attribute_names.join(',:')}], - args - ) - finder_options = { :conditions => attributes } - validate_find_options(options) - set_readonly_option!(options) - - #{'result = ' if bang}if options[:conditions] - with_scope(:find => finder_options) do - find(:#{finder}, options) - end - else - find(:#{finder}, options.merge(finder_options)) - end - #{'result || raise(RecordNotFound, "Couldn\'t find #{name} with #{attributes.to_a.collect {|pair| "#{pair.first} = #{pair.second}"}.join(\', \')}")' if bang} - end - EOS - send(method_id, *arguments) - elsif match.instantiator? - instantiator = match.instantiator - # def self.find_or_create_by_user_id(*args) - # guard_protected_attributes = false - # - # if args[0].is_a?(Hash) - # guard_protected_attributes = true - # attributes = args[0].with_indifferent_access - # find_attributes = attributes.slice(*[:user_id]) - # else - # find_attributes = attributes = construct_attributes_from_arguments([:user_id], args) - # end - # - # options = { :conditions => find_attributes } - # set_readonly_option!(options) - # - # record = find(:first, options) - # - # if record.nil? - # record = self.new { |r| r.send(:attributes=, attributes, guard_protected_attributes) } - # yield(record) if block_given? - # record.save - # record - # else - # record - # end - # end - self.class_eval <<-EOS, __FILE__, __LINE__ + 1 - def self.#{method_id}(*args) - attributes = [:#{attribute_names.join(',:')}] - protected_attributes_for_create, unprotected_attributes_for_create = {}, {} - args.each_with_index do |arg, i| - if arg.is_a?(Hash) - protected_attributes_for_create = args[i].with_indifferent_access - else - unprotected_attributes_for_create[attributes[i]] = args[i] - end - end - - find_attributes = (protected_attributes_for_create.merge(unprotected_attributes_for_create)).slice(*attributes) - - options = { :conditions => find_attributes } - set_readonly_option!(options) - - record = find(:first, options) - - if record.nil? - record = self.new do |r| - r.send(:attributes=, protected_attributes_for_create, true) unless protected_attributes_for_create.empty? - r.send(:attributes=, unprotected_attributes_for_create, false) unless unprotected_attributes_for_create.empty? - end - #{'yield(record) if block_given?'} - #{'record.save' if instantiator == :create} - record - else - record - end - end - EOS - send(method_id, *arguments, &block) - end - elsif match = DynamicScopeMatch.match(method_id) - attribute_names = match.attribute_names - super unless all_attributes_exists?(attribute_names) - if match.scope? - self.class_eval <<-EOS, __FILE__, __LINE__ + 1 - def self.#{method_id}(*args) # def self.scoped_by_user_name_and_password(*args) - options = args.extract_options! # options = args.extract_options! - attributes = construct_attributes_from_arguments( # attributes = construct_attributes_from_arguments( - [:#{attribute_names.join(',:')}], args # [:user_name, :password], args - ) # ) - # - scoped(:conditions => attributes) # scoped(:conditions => attributes) - end # end - EOS - send(method_id, *arguments) - end - else - super - end - end - end - end -end - # Backported fix for CVE-2012-3465 # https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J # TODO: Remove this once we are on Rails >= 3.2.8 From 93b2a1daf9e63e2820942794b7a5c9d1613ecefa Mon Sep 17 00:00:00 2001 From: Holger Just Date: Wed, 9 Jan 2013 13:59:26 +0100 Subject: [PATCH 3/4] Update Changelog for v3.5.0 --- doc/CHANGELOG.rdoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/CHANGELOG.rdoc b/doc/CHANGELOG.rdoc index 2988413d..913561c6 100644 --- a/doc/CHANGELOG.rdoc +++ b/doc/CHANGELOG.rdoc @@ -1,5 +1,9 @@ = ChiliProject Changelog +== 2013-01-09 v3.5.0 + +* Security - Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156) + == 2013-01-06 v3.4.0 * Bug #904: Copy workflow doesn’t work on per-author / per-assigned modifier From 908391d54e943fb50044f5babb318ac1db265300 Mon Sep 17 00:00:00 2001 From: Holger Just Date: Wed, 9 Jan 2013 13:59:50 +0100 Subject: [PATCH 4/4] Bump version to v3.5.0 --- lib/chili_project/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/chili_project/version.rb b/lib/chili_project/version.rb index 501846b2..db86316a 100644 --- a/lib/chili_project/version.rb +++ b/lib/chili_project/version.rb @@ -18,7 +18,7 @@ module ChiliProject module VERSION #:nodoc: MAJOR = 3 - MINOR = 4 + MINOR = 5 PATCH = 0 TINY = PATCH # Redmine compat