Commit 70adb961
Authored Jan 05, 2013 by Jeremy Kemper
Committed by Aaron Patterson, Jan 08, 2013
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
Parent: 5b8db450
Changes: 4. Showing 4 changed files with 66 additions and 14 deletions (+66 -14)
actionpack/test/controller/webservice_test.rb (+13 -0)
activesupport/CHANGELOG (+6 -0)
activesupport/lib/active_support/core_ext/hash/conversions.rb (+24 -7)
activesupport/test/core_ext/hash_ext_test.rb (+23 -7)
actionpack/test/controller/webservice_test.rb
View file @
70adb961
...
...
@@ -121,6 +121,19 @@ def test_post_xml_using_an_attributted_node_named_type
end
end
def
test_post_xml_using_a_disallowed_type_attribute
$stderr
=
StringIO
.
new
with_test_route_set
do
post
'/'
,
'<foo type="symbol">value</foo>'
,
'CONTENT_TYPE'
=>
'application/xml'
assert_response
500
post
'/'
,
'<foo type="yaml">value</foo>'
,
'CONTENT_TYPE'
=>
'application/xml'
assert_response
500
end
ensure
$stderr
=
STDERR
end
def
test_register_and_use_yaml
with_test_route_set
do
ActionController
::
Base
.
param_parsers
[
Mime
::
YAML
]
=
Proc
.
new
{
|
d
|
YAML
.
load
(
d
)
}
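Review bot: `assert_response 500` after each of the two new posts only proves that the request failed, not that `DisallowedType` was the reason; an unrelated parse error would satisfy the same assertion. Consider asserting on the raised exception class as well, so the test still fails if the denylist is bypassed but something else blows up. Minor: resetting `$stderr` in the method-level `ensure` is correct, but the `StringIO` is never inspected, so a comment saying it only silences the logged 500 would help the next reader.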
...
...
activesupport/CHANGELOG
View file @
70adb961
## Rails 2.3.15 (Jan 8, 2012) ##
* Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XML. CVE-2013-0156 [Jeremy Kemper]
*2.3.11 (February 9, 2011)*
*2.3.10 (October 15, 2010)*
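Review bot: the new heading reads `## Rails 2.3.15 (Jan 8, 2012) ##`, but this commit is dated January 2013 and the preceding entry is `*2.3.11 (February 9, 2011)*`, so the year should be 2013. The heading style also differs from the existing `*version (date)*` entries in this file; suggest `*2.3.15 (January 8, 2013)*` for consistency.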
...
...
activesupport/lib/active_support/core_ext/hash/conversions.rb
View file @
70adb961
...
...
@@ -26,6 +26,13 @@ def content_type
end
end
DISALLOWED_XML_TYPES
=
%w(symbol yaml)
class
DisallowedType
<
StandardError
#:nodoc:
def
initialize
(
type
)
super
"Disallowed type attribute:
#{
type
.
inspect
}
"
end
end
XML_TYPE_NAMES
=
{
"Symbol"
=>
"symbol"
,
"Fixnum"
=>
"integer"
,
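Review bot: `DISALLOWED_XML_TYPES = %w(symbol yaml)` carries no comment explaining why these two names are denied. Since the constant is public on the class and is the whole of the protection, a one-line note tying it to CVE-2013-0156 (per the commit message: symbol and yaml typecasting of untrusted input) would stop it being pruned or extended carelessly later. Deriving `DisallowedType` from `StandardError` is the right choice, as callers can rescue it without also swallowing lower-level errors.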
...
...
@@ -160,14 +167,24 @@ def rename_key(key, options = {})
end
module
ClassMethods
def
from_xml
(
xml
)
typecast_xml_value
(
unrename_keys
(
XmlMini
.
parse
(
xml
)))
def
from_xml
(
xml
,
disallowed_types
=
nil
)
typecast_xml_value
(
unrename_keys
(
XmlMini
.
parse
(
xml
)),
disallowed_types
)
end
def
from_trusted_xml
(
xml
)
from_xml
xml
,
[]
end
private
def
typecast_xml_value
(
value
)
def
typecast_xml_value
(
value
,
disallowed_types
=
nil
)
disallowed_types
||=
DISALLOWED_XML_TYPES
case
value
.
class
.
to_s
when
'Hash'
if
value
.
include?
(
'type'
)
&&
!
value
[
'type'
].
is_a?
(
Hash
)
&&
disallowed_types
.
include?
(
value
[
'type'
])
raise
DisallowedType
,
value
[
'type'
]
end
if
value
[
'type'
]
==
'array'
child_key
,
entries
=
value
.
detect
{
|
k
,
v
|
k
!=
'type'
}
# child_key is throwaway
if
entries
.
nil?
||
(
c
=
value
[
'__content__'
]
&&
c
.
blank?
)
...
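Review bot: the guard `value.include?('type') && !value['type'].is_a?(Hash)` tells a `type` attribute apart from a child element named `type` only when that child parses to a Hash; if a plain `<type>yaml</type>` child element parses to a String, such a document would be rejected too. Worth an explicit test either way, since the existing `test_post_xml_using_an_attributted_node_named_type` covers only the Hash case. The `disallowed_types ||= DISALLOWED_XML_TYPES` default is fail-closed (callers that pass nothing get the denylist), and `from_trusted_xml` passing `[]` keeps the empty list because `[]` is truthy in Ruby, which is the intended opt-out; a comment on `from_trusted_xml` stating that it must only be used on XML from a trusted source would make that contract explicit.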
...
@@ -175,9 +192,9 @@ def typecast_xml_value(value)
else
case
entries
.
class
.
to_s
# something weird with classes not matching here. maybe singleton methods breaking is_a?
when
"Array"
entries
.
collect
{
|
v
|
typecast_xml_value
(
v
)
}
entries
.
collect
{
|
v
|
typecast_xml_value
(
v
,
disallowed_types
)
}
when
"Hash"
[
typecast_xml_value
(
entries
)]
[
typecast_xml_value
(
entries
,
disallowed_types
)]
else
raise
"can't typecast
#{
entries
.
inspect
}
"
end
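Review bot: threading `disallowed_types` through the `Array` and `Hash` recursive calls is what makes the check reach nested nodes; a recursive call site that dropped the argument would fall back to the default list, which is safe for `from_xml` but would make `from_trusted_xml` raise on nested yaml/symbol nodes. The new tests in hash_ext_test.rb use one level of nesting only (`<product><name type="symbol">`); suggest adding a case with a disallowed type two or more levels deep for both `from_xml` and `from_trusted_xml`.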
...
...
@@ -205,7 +222,7 @@ def typecast_xml_value(value)
nil
else
xml_value
=
value
.
inject
({})
do
|
h
,(
k
,
v
)
|
h
[
k
]
=
typecast_xml_value
(
v
)
h
[
k
]
=
typecast_xml_value
(
v
,
disallowed_types
)
h
end
...
...
@@ -214,7 +231,7 @@ def typecast_xml_value(value)
xml_value
[
"file"
].
is_a?
(
StringIO
)
?
xml_value
[
"file"
]
:
xml_value
end
when
'Array'
value
.
map!
{
|
i
|
typecast_xml_value
(
i
)
}
value
.
map!
{
|
i
|
typecast_xml_value
(
i
,
disallowed_types
)
}
case
value
.
length
when
0
then
nil
when
1
then
value
.
first
...
...
activesupport/test/core_ext/hash_ext_test.rb
View file @
70adb961
...
...
@@ -575,12 +575,10 @@ def test_single_record_from_xml
<replies-close-in type="integer">2592000000</replies-close-in>
<written-on type="date">2003-07-16</written-on>
<viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
<content type="yaml">---
\n
1: should be an integer
\n
:message: Have a nice day
\n
array:
\n
- should-have-dashes: true
\n
should_have_underscores: true
\n
</content>
<author-email-address>david@loudthinking.com</author-email-address>
<parent-id></parent-id>
<ad-revenue type="decimal">1.5</ad-revenue>
<optimum-viewing-angle type="float">135</optimum-viewing-angle>
<resident type="symbol">yes</resident>
</topic>
EOT
...
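Review bot: deleting the `<content type="yaml">` and `<resident type="symbol">` nodes from this fixture is required now that `Hash.from_xml` raises on them, but it also removes the only coverage of a nested YAML document (a mapping with an integer key, a symbol key and an array) being typecast. The new `test_from_trusted_xml_allows_symbol_and_yaml_types` only checks the scalar `:value`; consider moving this fixture into a `from_trusted_xml` test so the nested case stays covered.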
...
@@ -593,12 +591,10 @@ def test_single_record_from_xml
:replies_close_in
=>
2592000000
,
:written_on
=>
Date
.
new
(
2003
,
7
,
16
),
:viewed_at
=>
Time
.
utc
(
2003
,
7
,
16
,
9
,
28
),
:content
=>
{
:message
=>
"Have a nice day"
,
1
=>
"should be an integer"
,
"array"
=>
[{
"should-have-dashes"
=>
true
,
"should_have_underscores"
=>
true
}]
},
:author_email_address
=>
"david@loudthinking.com"
,
:parent_id
=>
nil
,
:ad_revenue
=>
BigDecimal
(
"1.50"
),
:optimum_viewing_angle
=>
135.0
,
:resident
=>
:yes
}.
stringify_keys
assert_equal
expected_topic_hash
,
Hash
.
from_xml
(
topic_xml
)[
"topic"
]
...
...
@@ -612,7 +608,6 @@ def test_single_record_from_xml_with_nil_values
<approved type="boolean"></approved>
<written-on type="date"></written-on>
<viewed-at type="datetime"></viewed-at>
<content type="yaml"></content>
<parent-id></parent-id>
</topic>
EOT
...
...
@@ -623,7 +618,6 @@ def test_single_record_from_xml_with_nil_values
:approved
=>
nil
,
:written_on
=>
nil
,
:viewed_at
=>
nil
,
:content
=>
nil
,
:parent_id
=>
nil
}.
stringify_keys
...
...
@@ -833,6 +827,28 @@ def test_type_trickles_through_when_unknown
assert_equal
expected_product_hash
,
Hash
.
from_xml
(
product_xml
)[
"product"
]
end
def
test_from_xml_raises_on_disallowed_type_attributes
assert_raise
Hash
::
DisallowedType
do
Hash
.
from_xml
'<product><name type="foo">value</name></product>'
,
%w(foo)
end
end
def
test_from_xml_disallows_symbol_and_yaml_types_by_default
assert_raise
Hash
::
DisallowedType
do
Hash
.
from_xml
'<product><name type="symbol">value</name></product>'
end
assert_raise
Hash
::
DisallowedType
do
Hash
.
from_xml
'<product><name type="yaml">value</name></product>'
end
end
def
test_from_trusted_xml_allows_symbol_and_yaml_types
expected
=
{
'product'
=>
{
'name'
=>
:value
}}
assert_equal
expected
,
Hash
.
from_trusted_xml
(
'<product><name type="symbol">value</name></product>'
)
assert_equal
expected
,
Hash
.
from_trusted_xml
(
'<product><name type="yaml">:value</name></product>'
)
end
def
test_should_use_default_value_for_unknown_key
hash_wia
=
HashWithIndifferentAccess
.
new
(
3
)
assert_equal
3
,
hash_wia
[
:new_key
]
...
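Review bot: `test_from_xml_raises_on_disallowed_type_attributes` passes `%w(foo)`, which shows that a caller-supplied list replaces the default rather than extending it: `Hash.from_xml(xml, %w(foo))` silently re-allows `symbol` and `yaml`. That is a sharp edge for an argument whose name suggests additional types; either document it on `from_xml` or, if the intent is to extend, add a test asserting that `%w(foo)` still rejects `type="symbol"`. The three `assert_raise` blocks also do not check the exception message, so a regression in the `inspect` of the offending type would go unnoticed.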
...
@@ -867,7 +883,7 @@ def test_kernel_method_names_to_xml
def
test_empty_string_works_for_typecast_xml_value
assert_nothing_raised
do
Hash
.
__send__
(
:typecast_xml_value
,
""
)
Hash
.
__send__
(
:typecast_xml_value
,
""
,
[]
)
end
end
...
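Review bot: passing `[]` here means the empty-string test no longer exercises the default path (`disallowed_types ||= DISALLOWED_XML_TYPES`); keeping the original single-argument call alongside the new one would cost one line and keep that path covered.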
...