Merge branch '2-3-sec' into 2-3-stable

* 2-3-sec:
  bumping to 2.3.17
  fix serialization vulnerability
  fixing attr_protected CVE-2013-0276

actionmailer/Rakefile

@@ -54,7 +54,7 @@ spec = Gem::Specification.new do |s|
   s.rubyforge_project = "actionmailer"
   s.homepage = "http://www.rubyonrails.org"
 
-  s.add_dependency('actionpack', '= 2.3.16' + PKG_BUILD)
+  s.add_dependency('actionpack', '= 2.3.17' + PKG_BUILD)
 
   s.requirements << 'none'
   s.require_path = 'lib'

actionmailer/actionmailer.gemspec

 Gem::Specification.new do |s|
   s.name = 'actionmailer'
-  s.version = '2.3.16'
+  s.version = '2.3.17'
   s.summary = 'Service layer for easy email delivery and testing.'
   s.description = 'Makes it trivial to test and deliver emails sent from a single service layer.'
 
@@ -10,5 +10,5 @@
 
   s.require_path = 'lib'
 
-  s.add_dependency 'actionpack', '= 2.3.16'
+  s.add_dependency 'actionpack', '= 2.3.17'
 end

actionmailer/lib/action_mailer/version.rb

@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 16
+    TINY  = 17
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

actionpack/Rakefile

@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
 
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
   s.add_dependency('rack', '~> 1.1.0')
 
   s.require_path = 'lib'

actionpack/actionpack.gemspec

 Gem::Specification.new do |s|
   s.name = 'actionpack'
-  s.version = '2.3.16'
+  s.version = '2.3.17'
   s.summary = 'Web-flow and rendering framework putting the VC in MVC.'
   s.description = 'Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn\'t require a browser.'
 
@@ -10,6 +10,6 @@
 
   s.require_path = 'lib'
 
-  s.add_dependency 'activesupport', '= 2.3.16'
+  s.add_dependency 'activesupport', '= 2.3.17'
   s.add_dependency 'rack', '~> 1.1.0'
 end

actionpack/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 16
+    TINY  = 17
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

activerecord/Rakefile

@@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
     s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
   end
 
-  s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
 
   s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
   s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"

activerecord/activerecord.gemspec

 Gem::Specification.new do |s|
   s.name = 'activerecord'
-  s.version = '2.3.16'
+  s.version = '2.3.17'
   s.summary = 'Implements the ActiveRecord pattern for ORM.'
   s.description = 'Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.'
 
@@ -13,5 +13,5 @@
   s.rdoc_options = ['--main', 'README']
   s.extra_rdoc_files = ['README']
 
-  s.add_dependency 'activesupport', '= 2.3.16'
+  s.add_dependency 'activesupport', '= 2.3.17'
 end

activerecord/lib/active_record/attribute_methods.rb

@@ -80,7 +80,9 @@ def define_attribute_methods
           end
 
           unless instance_method_already_implemented?("#{name}=")
-            if create_time_zone_conversion_attribute?(name, column)
+            if self.serialized_attributes[name]
+              define_write_method_for_serialized_attribute(name)
+            elsif create_time_zone_conversion_attribute?(name, column)
               define_write_method_for_time_zone_conversion(name)
             else  
               define_write_method(name.to_sym)
@@ -130,7 +132,7 @@ def cache_attribute?(attr_name)
         # Suffixes a, ?, c become regexp /(a|\?|c)$/
         def rebuild_attribute_method_regexp
           suffixes = attribute_method_suffixes.map { |s| Regexp.escape(s) }
-          @@attribute_method_regexp = /(#{suffixes.join('|')})$/.freeze
+          @@attribute_method_regexp = /(#{suffixes.join('|')})\z/.freeze
         end
 
         # Default to =, ?, _before_type_cast
@@ -184,6 +186,19 @@ def define_question_method(attr_name)
         def define_write_method(attr_name)
           evaluate_attribute_method attr_name, "def #{attr_name}=(new_value);write_attribute('#{attr_name}', new_value);end", "#{attr_name}="
         end
+
+        # Defined for all serialized attributes. Disallows assigning already serialized YAML.
+        def define_write_method_for_serialized_attribute(attr_name)
+          method_body = <<-EOV
+            def #{attr_name}=(value)
+              if value.is_a?(String) and value =~ /^---/
+                raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+              end
+              write_attribute(:#{attr_name}, value)
+            end
+          EOV
+          evaluate_attribute_method attr_name, method_body, "#{attr_name}="
+        end
         
         # Defined for all +datetime+ and +timestamp+ attributes when +time_zone_aware_attributes+ are enabled.
         # This enhanced write method will automatically convert the time passed to it to the zone stored in Time.zone.

activerecord/lib/active_record/base.rb

@@ -2998,11 +2998,11 @@ def convert_number_column_value(value)
       def remove_attributes_protected_from_mass_assignment(attributes)
         safe_attributes =
           if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
-            attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+            attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
           elsif self.class.protected_attributes.nil?
-            attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+            attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/m, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
           elsif self.class.accessible_attributes.nil?
-            attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+            attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/m,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
           else
             raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
           end

activerecord/lib/active_record/version.rb

@@ -2,7 +2,7 @@ module ActiveRecord
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 16
+    TINY  = 17
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

activerecord/test/cases/base_test.rb

@@ -1499,6 +1499,12 @@ def test_nil_serialized_attribute_with_class_constraint
     assert_nil topic.content
   end
 
+  def test_should_raise_exception_on_assigning_already_serialized_content
+    topic = Topic.new
+    serialized_content = %w[foo bar].to_yaml
+    assert_raise(ActiveRecord::ActiveRecordError) { topic.content = serialized_content }
+  end
+
   def test_should_raise_exception_on_serialized_attribute_with_type_mismatch
     myobj = MyObject.new('value1', 'value2')
     topic = Topic.new(:content => myobj)

activeresource/Rakefile

@@ -66,7 +66,7 @@ spec = Gem::Specification.new do |s|
     s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
   end
   
-  s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
 
   s.require_path = 'lib'
 

activeresource/activeresource.gemspec

 Gem::Specification.new do |s|
   s.name = 'activeresource'
-  s.version = '2.3.16'
+  s.version = '2.3.17'
   s.summary = 'Think Active Record for web resources.'
   s.description = 'Wraps web resources in model classes that can be manipulated through XML over REST.'
 
@@ -13,5 +13,5 @@
   s.rdoc_options = ['--main', 'README']
   s.extra_rdoc_files = ['README']
 
-  s.add_dependency 'activesupport', '= 2.3.16'
+  s.add_dependency 'activesupport', '= 2.3.17'
 end

activeresource/lib/active_resource/version.rb

@@ -2,7 +2,7 @@ module ActiveResource
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 16
+    TINY  = 17
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

activesupport/activesupport.gemspec

 Gem::Specification.new do |s|
   s.name = 'activesupport'
-  s.version = '2.3.16'
+  s.version = '2.3.17'
   s.summary = 'Support and utility classes used by the Rails framework.'
   s.description = 'Utility library which carries commonly used classes and goodies from the Rails framework'
 

activesupport/lib/active_support/version.rb

@@ -2,7 +2,7 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 16
+    TINY  = 17
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

railties/Rakefile

@@ -313,11 +313,11 @@ spec = Gem::Specification.new do |s|
   EOF
 
   s.add_dependency('rake', '>= 0.8.3')
-  s.add_dependency('activesupport',    '= 2.3.16' + PKG_BUILD)
-  s.add_dependency('activerecord',     '= 2.3.16' + PKG_BUILD)
-  s.add_dependency('actionpack',       '= 2.3.16' + PKG_BUILD)
-  s.add_dependency('actionmailer',     '= 2.3.16' + PKG_BUILD)
-  s.add_dependency('activeresource',   '= 2.3.16' + PKG_BUILD)
+  s.add_dependency('activesupport',    '= 2.3.17' + PKG_BUILD)
+  s.add_dependency('activerecord',     '= 2.3.17' + PKG_BUILD)
+  s.add_dependency('actionpack',       '= 2.3.17' + PKG_BUILD)
+  s.add_dependency('actionmailer',     '= 2.3.17' + PKG_BUILD)
+  s.add_dependency('activeresource',   '= 2.3.17' + PKG_BUILD)
 
   s.rdoc_options << '--exclude' << '.'
 

railties/lib/rails/version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 16
+    TINY  = 17
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

railties/railties.gemspec

 Gem::Specification.new do |s|
   s.name = 'rails'
-  s.version = '2.3.16'
+  s.version = '2.3.17'
   s.summary = 'Web-application framework with template engine, control-flow layer, and ORM.'
   s.description = "Rails is a framework for building web-application using CGI, FCGI, mod_ruby, or WEBrick\non top of either MySQL, PostgreSQL, SQLite, DB2, SQL Server, or Oracle with eRuby- or Builder-based templates."
 
@@ -14,9 +14,9 @@
   s.rdoc_options = ['--exclude', '.']
 
   s.add_dependency 'rake',           '>= 0.8.3'
-  s.add_dependency 'activesupport',  '= 2.3.16'
-  s.add_dependency 'activerecord',   '= 2.3.16'
-  s.add_dependency 'actionpack',     '= 2.3.16'
-  s.add_dependency 'actionmailer',   '= 2.3.16'
-  s.add_dependency 'activeresource', '= 2.3.16'
+  s.add_dependency 'activesupport',  '= 2.3.17'
+  s.add_dependency 'activerecord',   '= 2.3.17'
+  s.add_dependency 'actionpack',     '= 2.3.17'
+  s.add_dependency 'actionmailer',   '= 2.3.17'
+  s.add_dependency 'activeresource', '= 2.3.17'
 end