diff --git a/Gemfile b/Gemfile
index e91bf209..8e20dbd3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 source :rubygems
-gem "rails", "2.3.15"
+gem "rails", "2.3.16"
 gem "coderay", "~> 1.0.0"
 gem "i18n", "~> 0.4.2"
diff --git a/app/models/user.rb b/app/models/user.rb
index 8ffb5654..cff63e06 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -403,6 +403,8 @@ class User < Principal
 when 'only_my_events'
 if object.is_a?(Issue) && (object.author == self || object.assigned_to == self)
 true
+ elsif object.respond_to?(:watched_by?) && object.watched_by?(self) # Make it clear that we always want to be notified about things we watch in this case
+ true
 else
 false
 end
diff --git a/config/environment.rb b/config/environment.rb
index bc898648..464adcea 100644
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -22,7 +22,7 @@
 ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
 # Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION
+RAILS_GEM_VERSION = '2.3.16' unless defined? RAILS_GEM_VERSION
 # this is replaced by config.encoding = "utf-8" in rails3
 if RUBY_VERSION >= '1.9'
diff --git a/config/initializers/10-patches.rb b/config/initializers/10-patches.rb
index 4222b3e4..45a4371d 100644
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@@ -12,11 +12,6 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
-# Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message
-if RUBY_VERSION >= '1.9.3'
- MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
-end
-
 require 'active_record'
 module ActiveRecord
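Review bot: The explanatory comment on the new `elsif` line in app/models/user.rb trails an already long condition, which pushes the line far past a comfortable width and buries the intent of the branch; it reads better as its own line above the `elsif`. I would move it and tie it to the changelog entry in this same commit, e.g. `# Bug #1216: 'only_my_events' must also notify for objects the user watches, not only issues they author or are assigned` on the line before `elsif object.respond_to?(:watched_by?) && object.watched_by?(self)`. The `respond_to?` guard is reasonable since non-Issue objects reach this `when` arm, but the enclosing method starts and ends outside the hunk, so I cannot see whether the other arms follow the same explicit `true`/`false` shape this one mirrors.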
@@ -162,92 +157,6 @@ module ActionController
 end
 end
 end
-
- # Backported fix for
- # CVE-2012-2660
- # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
- #
- # CVE-2012-2694
- # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
- #
- # TODO: Remove this once we are on Rails >= 3.2.6
- require 'action_controller/request'
- class Request
- protected
-
- # Remove nils from the params hash
- def deep_munge(hash)
- keys = hash.keys.find_all { |k| hash[k] == [nil] }
- keys.each { |k| hash[k] = nil }
-
- hash.each_value do |v|
- case v
- when Array
- v.grep(Hash) { |x| deep_munge(x) }
- v.compact!
- when Hash
- deep_munge(v)
- end
- end
-
- hash
- end
-
- def parse_query(qs)
- deep_munge(super)
- end
- end
-end
-
-# Fix for CVE-2013-0155
-# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
-# TODO: Remove this once we are on Rails >= 3.2.11
-module ActiveRecord
- class Base
- class << self
- protected
- def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
- attrs = expand_hash_conditions_for_aggregates(attrs)
-
- return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
-
- conditions = attrs.map do |attr, value|
- table_name = default_table_name
-
- if not value.is_a?(Hash)
- attr = attr.to_s
-
- # Extract table name from qualified attribute names.
- if attr.include?('.') and top_level
- attr_table_name, attr = attr.split('.', 2)
- attr_table_name = connection.quote_table_name(attr_table_name)
- else
- attr_table_name = table_name
- end
-
- attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
- elsif top_level
- sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
- else
- raise ActiveRecord::StatementInvalid
- end
- end.join(' AND ')
-
- replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
- end
- alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
- end
- end
-end
-
-# Backported fix for CVE-2012-3465
-# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
-# TODO: Remove this once we are on Rails >= 3.2.8
-require 'action_view/helpers/sanitize_helper'
-module ActionView::Helpers::SanitizeHelper
- def strip_tags(html)
- self.class.full_sanitizer.sanitize(html)
- end
 end
 # Backported fix for CVE-2012-3464
diff --git a/doc/CHANGELOG.rdoc b/doc/CHANGELOG.rdoc
index 879fa4fa..2353f6f1 100644
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
@@ -1,5 +1,10 @@
 = ChiliProject Changelog
+== 2013-01-29 v3.6.0
+
+* Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues
+* Security - Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)
+
 == 2013-01-16 v3.5.1
 * Security - Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
diff --git a/lib/chili_project/version.rb b/lib/chili_project/version.rb
index 09837f93..e1429cc9 100644
--- a/lib/chili_project/version.rb
+++ b/lib/chili_project/version.rb
@@ -18,8 +18,8 @@ module ChiliProject
 module VERSION #:nodoc:
 MAJOR = 3
- MINOR = 5
- PATCH = 1
+ MINOR = 6
+ PATCH = 0
 TINY = PATCH # Redmine compat
 # Used by semver to define the special version (if any).