Merge branch 'release-v3.5.0' into stable
This commit is contained in:
commit
d8536ced55
2
Gemfile
2
Gemfile
|
@ -1,7 +1,7 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
source :rubygems
|
source :rubygems
|
||||||
|
|
||||||
gem "rails", "2.3.14"
|
gem "rails", "2.3.15"
|
||||||
|
|
||||||
gem "coderay", "~> 1.0.0"
|
gem "coderay", "~> 1.0.0"
|
||||||
gem "i18n", "~> 0.4.2"
|
gem "i18n", "~> 0.4.2"
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
|
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
|
||||||
|
|
||||||
# Specifies gem version of Rails to use when vendor/rails is not present
|
# Specifies gem version of Rails to use when vendor/rails is not present
|
||||||
RAILS_GEM_VERSION = '2.3.14' unless defined? RAILS_GEM_VERSION
|
RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION
|
||||||
|
|
||||||
# this is replaced by config.encoding = "utf-8" in rails3
|
# this is replaced by config.encoding = "utf-8" in rails3
|
||||||
if RUBY_VERSION >= '1.9'
|
if RUBY_VERSION >= '1.9'
|
||||||
|
|
|
@ -199,181 +199,6 @@ module ActionController
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
require 'active_record/base'
|
|
||||||
module ActiveRecord
|
|
||||||
class Base
|
|
||||||
class << self
|
|
||||||
# Backported fix for CVE-2012-2695
|
|
||||||
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59
|
|
||||||
# TODO: Remove this once we are on Rails >= 3.2.6
|
|
||||||
def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
|
|
||||||
attrs = expand_hash_conditions_for_aggregates(attrs)
|
|
||||||
|
|
||||||
conditions = attrs.map do |attr, value|
|
|
||||||
table_name = default_table_name
|
|
||||||
|
|
||||||
if not value.is_a?(Hash)
|
|
||||||
attr = attr.to_s
|
|
||||||
|
|
||||||
# Extract table name from qualified attribute names.
|
|
||||||
if attr.include?('.') and top_level
|
|
||||||
attr_table_name, attr = attr.split('.', 2)
|
|
||||||
attr_table_name = connection.quote_table_name(attr_table_name)
|
|
||||||
else
|
|
||||||
attr_table_name = table_name
|
|
||||||
end
|
|
||||||
|
|
||||||
attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
|
|
||||||
elsif top_level
|
|
||||||
sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
|
|
||||||
else
|
|
||||||
raise ActiveRecord::StatementInvalid
|
|
||||||
end
|
|
||||||
end.join(' AND ')
|
|
||||||
|
|
||||||
replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
|
|
||||||
end
|
|
||||||
alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
|
|
||||||
|
|
||||||
# CVE-2012-5664
|
|
||||||
# https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
|
|
||||||
# TODO: remove once we are on Rails >= 3.2.10
|
|
||||||
def method_missing(method_id, *arguments, &block)
|
|
||||||
if match = DynamicFinderMatch.match(method_id)
|
|
||||||
attribute_names = match.attribute_names
|
|
||||||
super unless all_attributes_exists?(attribute_names)
|
|
||||||
if match.finder?
|
|
||||||
finder = match.finder
|
|
||||||
bang = match.bang?
|
|
||||||
# def self.find_by_login_and_activated(*args)
|
|
||||||
# options = args.extract_options!
|
|
||||||
# attributes = construct_attributes_from_arguments(
|
|
||||||
# [:login,:activated],
|
|
||||||
# args
|
|
||||||
# )
|
|
||||||
# finder_options = { :conditions => attributes }
|
|
||||||
# validate_find_options(options)
|
|
||||||
# set_readonly_option!(options)
|
|
||||||
#
|
|
||||||
# if options[:conditions]
|
|
||||||
# with_scope(:find => finder_options) do
|
|
||||||
# find(:first, options)
|
|
||||||
# end
|
|
||||||
# else
|
|
||||||
# find(:first, options.merge(finder_options))
|
|
||||||
# end
|
|
||||||
# end
|
|
||||||
self.class_eval <<-EOS, __FILE__, __LINE__ + 1
|
|
||||||
def self.#{method_id}(*args)
|
|
||||||
options = if args.length > #{attribute_names.size}
|
|
||||||
args.extract_options!
|
|
||||||
else
|
|
||||||
{}
|
|
||||||
end
|
|
||||||
attributes = construct_attributes_from_arguments(
|
|
||||||
[:#{attribute_names.join(',:')}],
|
|
||||||
args
|
|
||||||
)
|
|
||||||
finder_options = { :conditions => attributes }
|
|
||||||
validate_find_options(options)
|
|
||||||
set_readonly_option!(options)
|
|
||||||
|
|
||||||
#{'result = ' if bang}if options[:conditions]
|
|
||||||
with_scope(:find => finder_options) do
|
|
||||||
find(:#{finder}, options)
|
|
||||||
end
|
|
||||||
else
|
|
||||||
find(:#{finder}, options.merge(finder_options))
|
|
||||||
end
|
|
||||||
#{'result || raise(RecordNotFound, "Couldn\'t find #{name} with #{attributes.to_a.collect {|pair| "#{pair.first} = #{pair.second}"}.join(\', \')}")' if bang}
|
|
||||||
end
|
|
||||||
EOS
|
|
||||||
send(method_id, *arguments)
|
|
||||||
elsif match.instantiator?
|
|
||||||
instantiator = match.instantiator
|
|
||||||
# def self.find_or_create_by_user_id(*args)
|
|
||||||
# guard_protected_attributes = false
|
|
||||||
#
|
|
||||||
# if args[0].is_a?(Hash)
|
|
||||||
# guard_protected_attributes = true
|
|
||||||
# attributes = args[0].with_indifferent_access
|
|
||||||
# find_attributes = attributes.slice(*[:user_id])
|
|
||||||
# else
|
|
||||||
# find_attributes = attributes = construct_attributes_from_arguments([:user_id], args)
|
|
||||||
# end
|
|
||||||
#
|
|
||||||
# options = { :conditions => find_attributes }
|
|
||||||
# set_readonly_option!(options)
|
|
||||||
#
|
|
||||||
# record = find(:first, options)
|
|
||||||
#
|
|
||||||
# if record.nil?
|
|
||||||
# record = self.new { |r| r.send(:attributes=, attributes, guard_protected_attributes) }
|
|
||||||
# yield(record) if block_given?
|
|
||||||
# record.save
|
|
||||||
# record
|
|
||||||
# else
|
|
||||||
# record
|
|
||||||
# end
|
|
||||||
# end
|
|
||||||
self.class_eval <<-EOS, __FILE__, __LINE__ + 1
|
|
||||||
def self.#{method_id}(*args)
|
|
||||||
attributes = [:#{attribute_names.join(',:')}]
|
|
||||||
protected_attributes_for_create, unprotected_attributes_for_create = {}, {}
|
|
||||||
args.each_with_index do |arg, i|
|
|
||||||
if arg.is_a?(Hash)
|
|
||||||
protected_attributes_for_create = args[i].with_indifferent_access
|
|
||||||
else
|
|
||||||
unprotected_attributes_for_create[attributes[i]] = args[i]
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
find_attributes = (protected_attributes_for_create.merge(unprotected_attributes_for_create)).slice(*attributes)
|
|
||||||
|
|
||||||
options = { :conditions => find_attributes }
|
|
||||||
set_readonly_option!(options)
|
|
||||||
|
|
||||||
record = find(:first, options)
|
|
||||||
|
|
||||||
if record.nil?
|
|
||||||
record = self.new do |r|
|
|
||||||
r.send(:attributes=, protected_attributes_for_create, true) unless protected_attributes_for_create.empty?
|
|
||||||
r.send(:attributes=, unprotected_attributes_for_create, false) unless unprotected_attributes_for_create.empty?
|
|
||||||
end
|
|
||||||
#{'yield(record) if block_given?'}
|
|
||||||
#{'record.save' if instantiator == :create}
|
|
||||||
record
|
|
||||||
else
|
|
||||||
record
|
|
||||||
end
|
|
||||||
end
|
|
||||||
EOS
|
|
||||||
send(method_id, *arguments, &block)
|
|
||||||
end
|
|
||||||
elsif match = DynamicScopeMatch.match(method_id)
|
|
||||||
attribute_names = match.attribute_names
|
|
||||||
super unless all_attributes_exists?(attribute_names)
|
|
||||||
if match.scope?
|
|
||||||
self.class_eval <<-EOS, __FILE__, __LINE__ + 1
|
|
||||||
def self.#{method_id}(*args) # def self.scoped_by_user_name_and_password(*args)
|
|
||||||
options = args.extract_options! # options = args.extract_options!
|
|
||||||
attributes = construct_attributes_from_arguments( # attributes = construct_attributes_from_arguments(
|
|
||||||
[:#{attribute_names.join(',:')}], args # [:user_name, :password], args
|
|
||||||
) # )
|
|
||||||
#
|
|
||||||
scoped(:conditions => attributes) # scoped(:conditions => attributes)
|
|
||||||
end # end
|
|
||||||
EOS
|
|
||||||
send(method_id, *arguments)
|
|
||||||
end
|
|
||||||
else
|
|
||||||
super
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Backported fix for CVE-2012-3465
|
# Backported fix for CVE-2012-3465
|
||||||
# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
|
# https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
|
||||||
# TODO: Remove this once we are on Rails >= 3.2.8
|
# TODO: Remove this once we are on Rails >= 3.2.8
|
||||||
|
|
|
@ -1,5 +1,9 @@
|
||||||
= ChiliProject Changelog
|
= ChiliProject Changelog
|
||||||
|
|
||||||
|
== 2013-01-09 v3.5.0
|
||||||
|
|
||||||
|
* Security - Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
|
||||||
|
|
||||||
== 2013-01-06 v3.4.0
|
== 2013-01-06 v3.4.0
|
||||||
|
|
||||||
* Bug #904: Copy workflow doesn’t work on per-author / per-assigned modifier
|
* Bug #904: Copy workflow doesn’t work on per-author / per-assigned modifier
|
||||||
|
|
|
@ -18,7 +18,7 @@ module ChiliProject
|
||||||
module VERSION #:nodoc:
|
module VERSION #:nodoc:
|
||||||
|
|
||||||
MAJOR = 3
|
MAJOR = 3
|
||||||
MINOR = 4
|
MINOR = 5
|
||||||
PATCH = 0
|
PATCH = 0
|
||||||
TINY = PATCH # Redmine compat
|
TINY = PATCH # Redmine compat
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue