Merge tag 'v3.6.0' into backbone.ws
This commit is contained in:
commit
b4e5f6cd0d
2
Gemfile
2
Gemfile
|
@ -1,7 +1,7 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
source :rubygems
|
source :rubygems
|
||||||
|
|
||||||
gem "rails", "2.3.15"
|
gem "rails", "2.3.16"
|
||||||
|
|
||||||
gem "coderay", "~> 1.0.0"
|
gem "coderay", "~> 1.0.0"
|
||||||
gem "i18n", "~> 0.4.2"
|
gem "i18n", "~> 0.4.2"
|
||||||
|
|
|
@ -403,6 +403,8 @@ class User < Principal
|
||||||
when 'only_my_events'
|
when 'only_my_events'
|
||||||
if object.is_a?(Issue) && (object.author == self || object.assigned_to == self)
|
if object.is_a?(Issue) && (object.author == self || object.assigned_to == self)
|
||||||
true
|
true
|
||||||
|
elsif object.respond_to?(:watched_by?) && object.watched_by?(self) # Make it clear that we always want to be notified about things we watch in this case
|
||||||
|
true
|
||||||
else
|
else
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
|
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
|
||||||
|
|
||||||
# Specifies gem version of Rails to use when vendor/rails is not present
|
# Specifies gem version of Rails to use when vendor/rails is not present
|
||||||
RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION
|
RAILS_GEM_VERSION = '2.3.16' unless defined? RAILS_GEM_VERSION
|
||||||
|
|
||||||
# this is replaced by config.encoding = "utf-8" in rails3
|
# this is replaced by config.encoding = "utf-8" in rails3
|
||||||
if RUBY_VERSION >= '1.9'
|
if RUBY_VERSION >= '1.9'
|
||||||
|
|
|
@ -12,11 +12,6 @@
|
||||||
# See doc/COPYRIGHT.rdoc for more details.
|
# See doc/COPYRIGHT.rdoc for more details.
|
||||||
#++
|
#++
|
||||||
|
|
||||||
# Patches active_support/core_ext/load_error.rb to support 1.9.3 LoadError message
|
|
||||||
if RUBY_VERSION >= '1.9.3'
|
|
||||||
MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
|
|
||||||
end
|
|
||||||
|
|
||||||
require 'active_record'
|
require 'active_record'
|
||||||
|
|
||||||
module ActiveRecord
|
module ActiveRecord
|
||||||
|
@ -162,92 +157,6 @@ module ActionController
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Backported fix for
|
|
||||||
# CVE-2012-2660
|
|
||||||
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
|
|
||||||
#
|
|
||||||
# CVE-2012-2694
|
|
||||||
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
|
|
||||||
#
|
|
||||||
# TODO: Remove this once we are on Rails >= 3.2.6
|
|
||||||
require 'action_controller/request'
|
|
||||||
class Request
|
|
||||||
protected
|
|
||||||
|
|
||||||
# Remove nils from the params hash
|
|
||||||
def deep_munge(hash)
|
|
||||||
keys = hash.keys.find_all { |k| hash[k] == [nil] }
|
|
||||||
keys.each { |k| hash[k] = nil }
|
|
||||||
|
|
||||||
hash.each_value do |v|
|
|
||||||
case v
|
|
||||||
when Array
|
|
||||||
v.grep(Hash) { |x| deep_munge(x) }
|
|
||||||
v.compact!
|
|
||||||
when Hash
|
|
||||||
deep_munge(v)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
hash
|
|
||||||
end
|
|
||||||
|
|
||||||
def parse_query(qs)
|
|
||||||
deep_munge(super)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Fix for CVE-2013-0155
|
|
||||||
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
|
|
||||||
# TODO: Remove this once we are on Rails >= 3.2.11
|
|
||||||
module ActiveRecord
|
|
||||||
class Base
|
|
||||||
class << self
|
|
||||||
protected
|
|
||||||
def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
|
|
||||||
attrs = expand_hash_conditions_for_aggregates(attrs)
|
|
||||||
|
|
||||||
return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
|
|
||||||
|
|
||||||
conditions = attrs.map do |attr, value|
|
|
||||||
table_name = default_table_name
|
|
||||||
|
|
||||||
if not value.is_a?(Hash)
|
|
||||||
attr = attr.to_s
|
|
||||||
|
|
||||||
# Extract table name from qualified attribute names.
|
|
||||||
if attr.include?('.') and top_level
|
|
||||||
attr_table_name, attr = attr.split('.', 2)
|
|
||||||
attr_table_name = connection.quote_table_name(attr_table_name)
|
|
||||||
else
|
|
||||||
attr_table_name = table_name
|
|
||||||
end
|
|
||||||
|
|
||||||
attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
|
|
||||||
elsif top_level
|
|
||||||
sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
|
|
||||||
else
|
|
||||||
raise ActiveRecord::StatementInvalid
|
|
||||||
end
|
|
||||||
end.join(' AND ')
|
|
||||||
|
|
||||||
replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
|
|
||||||
end
|
|
||||||
alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Backported fix for CVE-2012-3465
|
|
||||||
# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
|
|
||||||
# TODO: Remove this once we are on Rails >= 3.2.8
|
|
||||||
require 'action_view/helpers/sanitize_helper'
|
|
||||||
module ActionView::Helpers::SanitizeHelper
|
|
||||||
def strip_tags(html)
|
|
||||||
self.class.full_sanitizer.sanitize(html)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# Backported fix for CVE-2012-3464
|
# Backported fix for CVE-2012-3464
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
= ChiliProject Changelog
|
= ChiliProject Changelog
|
||||||
|
|
||||||
|
== 2013-01-29 v3.6.0
|
||||||
|
|
||||||
|
* Bug #1216: "Only for things I watch or I'm involved in" sends notifications only for issues
|
||||||
|
* Security - Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)
|
||||||
|
|
||||||
== 2013-01-16 v3.5.1
|
== 2013-01-16 v3.5.1
|
||||||
|
|
||||||
* Security - Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
|
* Security - Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
|
||||||
|
|
|
@ -18,8 +18,8 @@ module ChiliProject
|
||||||
module VERSION #:nodoc:
|
module VERSION #:nodoc:
|
||||||
|
|
||||||
MAJOR = 3
|
MAJOR = 3
|
||||||
MINOR = 5
|
MINOR = 6
|
||||||
PATCH = 1
|
PATCH = 0
|
||||||
TINY = PATCH # Redmine compat
|
TINY = PATCH # Redmine compat
|
||||||
|
|
||||||
# Used by semver to define the special version (if any).
|
# Used by semver to define the special version (if any).
|
||||||
|
|
Loading…
Reference in New Issue