提交
c31cc963
编写于
1月 05, 2013
作者:
J
Jeremy Kemper
提交者:
Aaron Patterson
1月 08, 2013
Revert "Merge branch 'master-sec'"
This reverts commit
88cc1688
, reversing changes made to
f049016c
.
上级
88cc1688
变更
9
隐藏空白更改
内联
并排
Showing
9 changed file
with
15 addition
and
109 deletion
+15
-109
actionpack/lib/action_dispatch/http/request.rb
actionpack/lib/action_dispatch/http/request.rb
+3
-4
actionpack/lib/action_dispatch/middleware/params_parser.rb
actionpack/lib/action_dispatch/middleware/params_parser.rb
+2
-2
actionpack/test/controller/webservice_test.rb
actionpack/test/controller/webservice_test.rb
+0
-13
actionpack/test/dispatch/request/json_params_parsing_test.rb
actionpack/test/dispatch/request/json_params_parsing_test.rb
+0
-15
actionpack/test/dispatch/request/xml_params_parsing_test.rb
actionpack/test/dispatch/request/xml_params_parsing_test.rb
+0
-17
activerecord/test/cases/relation/where_test.rb
activerecord/test/cases/relation/where_test.rb
+0
-6
activesupport/CHANGELOG.md
activesupport/CHANGELOG.md
+0
-7
activesupport/lib/active_support/core_ext/hash/conversions.rb
...vesupport/lib/active_support/core_ext/hash/conversions.rb
+4
-23
activesupport/test/core_ext/hash_ext_test.rb
activesupport/test/core_ext/hash_ext_test.rb
+6
-22
actionpack/lib/action_dispatch/http/request.rb
...
...
@@ -276,14 +276,15 @@ def local?
LOCALHOST
=~
remote_addr
&&
LOCALHOST
=~
remote_ip
end
protected
# Remove nils from the params hash
def
deep_munge
(
hash
)
hash
.
each
do
|
k
,
v
|
hash
.
each
_value
do
|
v
|
case
v
when
Array
v
.
grep
(
Hash
)
{
|
x
|
deep_munge
(
x
)
}
v
.
compact!
hash
[
k
]
=
nil
if
v
.
empty?
when
Hash
deep_munge
(
v
)
end
...
...
@@ -292,8 +293,6 @@ def deep_munge(hash)
hash
end
protected
def
parse_query
(
qs
)
deep_munge
(
super
)
end
...
...
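Review bot: On the new side `deep_munge` sits under `protected` again and, per the second hunk, is reached only through `parse_query`, so nil stripping now applies to query-string parameters alone; bodies decoded by ParamsParser are no longer munged, and a JSON body `{"person":[null]}` would presumably arrive as `"person"=>[nil]` instead of being compacted. The comment `# Remove nils from the params hash` overstates the scope and should say where it applies, e.g. `# Remove nils from arrays in the query-string params (called from parse_query); body parsers must munge their own data.` If this revert is a staging step before re-landing the master-sec work, one line in the commit message saying so would stop the narrowed scope from being read as intentional. `deep_munge`'s body is cut by the hunk boundary (its closing `hash`/`end` lines are in the second hunk) and `local?` begins before the first hunk.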
actionpack/lib/action_dispatch/middleware/params_parser.rb
...
...
@@ -47,12 +47,12 @@ def parse_formatted_parameters(env)
when
Proc
strategy
.
call
(
request
.
raw_post
)
when
:xml_simple
,
:xml_node
data
=
request
.
deep_munge
(
Hash
.
from_xml
(
request
.
body
.
read
)
||
{})
data
=
Hash
.
from_xml
(
request
.
raw_post
)
||
{}
data
.
with_indifferent_access
when
:yaml
YAML
.
load
(
request
.
raw_post
)
when
:json
data
=
request
.
deep_munge
ActiveSupport
::
JSON
.
decode
(
request
.
body
)
data
=
ActiveSupport
::
JSON
.
decode
(
request
.
raw_post
)
data
=
{
:_json
=>
data
}
unless
data
.
is_a?
(
Hash
)
data
.
with_indifferent_access
else
...
...
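Review bot: The new-side `Hash.from_xml(request.raw_post) || {}` in the `:xml_simple, :xml_node` branch hands the raw request body to a parser that, on this commit's new side of conversions.rb, no longer has a `disallowed_types` filter, so an element carrying `type="yaml"` or `type="symbol"` in an untrusted body is decoded through YAML or turned into a Symbol — the issue the removed activesupport CHANGELOG entry labels CVE-2013-0156. The unchanged `when :yaml` branch just below does `YAML.load(request.raw_post)` outright, which has the same consequence wherever that strategy is registered (the webservice test shows it being opted into per test, so it may not be on by default). If the revert precedes a re-land of the master-sec work the commit message should say so; until then a comment at the XML branch such as `# SECURITY: from_xml honours type="yaml"/type="symbol"; do not expose this parser to untrusted input` keeps the exposure visible to the next reader. `parse_formatted_parameters` starts before and ends after this hunk.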
actionpack/test/controller/webservice_test.rb
...
...
@@ -116,19 +116,6 @@ def test_post_xml_using_an_attributted_node_named_type
end
end
def
test_post_xml_using_a_disallowed_type_attribute
$stderr
=
StringIO
.
new
with_test_route_set
do
post
'/'
,
'<foo type="symbol">value</foo>'
,
'CONTENT_TYPE'
=>
'application/xml'
assert_response
500
post
'/'
,
'<foo type="yaml">value</foo>'
,
'CONTENT_TYPE'
=>
'application/xml'
assert_response
500
end
ensure
$stderr
=
STDERR
end
def
test_register_and_use_yaml
with_test_route_set
do
with_params_parsers
Mime
::
YAML
=>
Proc
.
new
{
|
d
|
YAML
.
load
(
d
)
}
do
...
...
actionpack/test/dispatch/request/json_params_parsing_test.rb
...
...
@@ -30,21 +30,6 @@ def teardown
)
end
test
"nils are stripped from collections"
do
assert_parses
(
{
"person"
=>
nil
},
"{
\"
person
\"
:[null]}"
,
{
'CONTENT_TYPE'
=>
'application/json'
}
)
assert_parses
(
{
"person"
=>
[
'foo'
]},
"{
\"
person
\"
:[
\"
foo
\"
,null]}"
,
{
'CONTENT_TYPE'
=>
'application/json'
}
)
assert_parses
(
{
"person"
=>
nil
},
"{
\"
person
\"
:[null, null]}"
,
{
'CONTENT_TYPE'
=>
'application/json'
}
)
end
test
"logs error if parsing unsuccessful"
do
with_test_routing
do
output
=
StringIO
.
new
...
...
actionpack/test/dispatch/request/xml_params_parsing_test.rb
...
...
@@ -30,23 +30,6 @@ def call(env)
assert_equal
"<ok>bar</ok>"
,
resp
.
body
end
def
assert_parses
(
expected
,
xml
)
with_test_routing
do
post
"/parse"
,
xml
,
default_headers
assert_response
:ok
assert_equal
(
expected
,
TestController
.
last_request_parameters
)
end
end
test
"nils are stripped from collections"
do
assert_parses
(
{
"hash"
=>
{
"person"
=>
nil
}
},
"<hash><person type=
\"
array
\"
><person nil=
\"
true
\"
/></person></hash>"
)
assert_parses
(
{
"hash"
=>
{
"person"
=>
[
'foo'
]}
},
"<hash><person type=
\"
array
\"
><person>foo</person><person nil=
\"
true
\"
/></person>
\n
</hash>"
)
end
test
"parses hash params"
do
with_test_routing
do
xml
=
"<person><name>David</name></person>"
...
...
activerecord/test/cases/relation/where_test.rb
...
...
@@ -90,12 +90,6 @@ def test_where_with_blank_conditions
[[],
{},
nil
,
""
].
each
do
|
blank
|
assert_equal
4
,
Edge
.
where
(
blank
).
order
(
"sink_id"
).
to_a
.
size
end
def
test_where_with_table_name_and_empty_array
assert_equal
0
,
Post
.
where
(
:id
=>
[]).
count
end
def
test_where_with_empty_hash_and_no_foreign_key
assert_equal
0
,
Edge
.
where
(
:sink
=>
{}).
count
end
end
end
activesupport/CHANGELOG.md
## Rails 4.0.0 (unreleased) ##
*
Hash.from_xml raises when it encounters type="symbol" or type="yaml".
Use Hash.from_trusted_xml to parse this XML.
CVE-2013-0156
*Jeremy Kemper*
*
Deprecate
`assert_present`
and
`assert_blank`
in favor of
`assert object.blank?`
and
`assert object.present?`
...
...
activesupport/lib/active_support/core_ext/hash/conversions.rb
...
...
@@ -101,33 +101,17 @@ class << self
#
# hash = Hash.from_xml(xml)
# # => {"hash"=>{"foo"=>1, "bar"=>2}}
#
# DisallowedType is raise if the XML contains attributes with <tt>type="yaml"</tt> or
# <tt>type="symbol"</tt>. Use <tt>Hash.from_trusted_xml</tt> to parse this XML.
def
from_xml
(
xml
,
disallowed_types
=
nil
)
ActiveSupport
::
XMLConverter
.
new
(
xml
,
disallowed_types
).
to_h
def
from_xml
(
xml
)
ActiveSupport
::
XMLConverter
.
new
(
xml
).
to_h
end
# Builds a Hash from XML just like <tt>Hash.from_xml</tt>, but also allows Symbol and YAML.
def
from_trusted_xml
(
xml
)
from_xml
xml
,
[]
end
end
end
module
ActiveSupport
class
XMLConverter
# :nodoc:
class
DisallowedType
<
StandardError
def
initialize
(
type
)
super
"Disallowed type attribute:
#{
type
.
inspect
}
"
end
end
DISALLOWED_TYPES
=
%w(symbol yaml)
def
initialize
(
xml
,
disallowed_types
=
nil
)
def
initialize
(
xml
)
@xml
=
normalize_keys
(
XmlMini
.
parse
(
xml
))
@disallowed_types
=
disallowed_types
||
DISALLOWED_TYPES
end
def
to_h
...
...
@@ -135,6 +119,7 @@ def to_h
end
private
def
normalize_keys
(
params
)
case
params
when
Hash
...
...
@@ -160,10 +145,6 @@ def deep_to_h(value)
end
def
process_hash
(
value
)
if
value
.
include?
(
'type'
)
&&
!
value
[
'type'
].
is_a?
(
Hash
)
&&
@disallowed_types
.
include?
(
value
[
'type'
])
raise
DisallowedType
,
value
[
'type'
]
end
if
become_array?
(
value
)
_
,
entries
=
Array
.
wrap
(
value
.
detect
{
|
k
,
v
|
not
v
.
is_a?
(
String
)
})
if
entries
.
nil?
||
value
[
'__content__'
].
try
(
:empty?
)
...
...
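Review bot: The restored rdoc for `from_xml(xml)` on the new side shows the output hash shape but says nothing about `type` attributes, and the new-side `process_hash` (which continues past the hunk) no longer inspects `value['type']`, so a caller gets no signal that `type="yaml"` and `type="symbol"` are honoured — the new-side fixtures in hash_ext_test.rb show such elements becoming a YAML-decoded Hash and a Symbol. Add to the rdoc: `# The +type+ attribute drives typecasting and is not filtered here: type="yaml" is decoded with YAML and type="symbol" with to_sym, so only call this on XML you trust.` `XMLConverter#initialize` now takes only +xml+ and its whole body is `@xml = normalize_keys(XmlMini.parse(xml))`, so the typecasting itself lives outside this hunk and the claim above rests on the test fixtures rather than code visible here.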
activesupport/test/core_ext/hash_ext_test.rb
...
...
@@ -1015,10 +1015,12 @@ def test_single_record_from_xml
<replies-close-in type="integer">2592000000</replies-close-in>
<written-on type="date">2003-07-16</written-on>
<viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
<content type="yaml">---
\n
1: should be an integer
\n
:message: Have a nice day
\n
array:
\n
- should-have-dashes: true
\n
should_have_underscores: true
\n
</content>
<author-email-address>david@loudthinking.com</author-email-address>
<parent-id></parent-id>
<ad-revenue type="decimal">1.5</ad-revenue>
<optimum-viewing-angle type="float">135</optimum-viewing-angle>
<resident type="symbol">yes</resident>
</topic>
EOT
...
...
@@ -1031,10 +1033,12 @@ def test_single_record_from_xml
:replies_close_in
=>
2592000000
,
:written_on
=>
Date
.
new
(
2003
,
7
,
16
),
:viewed_at
=>
Time
.
utc
(
2003
,
7
,
16
,
9
,
28
),
:content
=>
{
:message
=>
"Have a nice day"
,
1
=>
"should be an integer"
,
"array"
=>
[{
"should-have-dashes"
=>
true
,
"should_have_underscores"
=>
true
}]
},
:author_email_address
=>
"david@loudthinking.com"
,
:parent_id
=>
nil
,
:ad_revenue
=>
BigDecimal
(
"1.50"
),
:optimum_viewing_angle
=>
135.0
,
:resident
=>
:yes
}.
stringify_keys
assert_equal
expected_topic_hash
,
Hash
.
from_xml
(
topic_xml
)[
"topic"
]
...
...
@@ -1048,6 +1052,7 @@ def test_single_record_from_xml_with_nil_values
<approved type="boolean"></approved>
<written-on type="date"></written-on>
<viewed-at type="datetime"></viewed-at>
<content type="yaml"></content>
<parent-id></parent-id>
</topic>
EOT
...
...
@@ -1058,6 +1063,7 @@ def test_single_record_from_xml_with_nil_values
:approved
=>
nil
,
:written_on
=>
nil
,
:viewed_at
=>
nil
,
:content
=>
nil
,
:parent_id
=>
nil
}.
stringify_keys
...
...
@@ -1284,28 +1290,6 @@ def test_type_trickles_through_when_unknown
assert_equal
expected_product_hash
,
Hash
.
from_xml
(
product_xml
)[
"product"
]
end
def
test_from_xml_raises_on_disallowed_type_attributes
assert_raise
ActiveSupport
::
XMLConverter
::
DisallowedType
do
Hash
.
from_xml
'<product><name type="foo">value</name></product>'
,
%w(foo)
end
end
def
test_from_xml_disallows_symbol_and_yaml_types_by_default
assert_raise
ActiveSupport
::
XMLConverter
::
DisallowedType
do
Hash
.
from_xml
'<product><name type="symbol">value</name></product>'
end
assert_raise
ActiveSupport
::
XMLConverter
::
DisallowedType
do
Hash
.
from_xml
'<product><name type="yaml">value</name></product>'
end
end
def
test_from_trusted_xml_allows_symbol_and_yaml_types
expected
=
{
'product'
=>
{
'name'
=>
:value
}}
assert_equal
expected
,
Hash
.
from_trusted_xml
(
'<product><name type="symbol">value</name></product>'
)
assert_equal
expected
,
Hash
.
from_trusted_xml
(
'<product><name type="yaml">:value</name></product>'
)
end
def
test_should_use_default_value_for_unknown_key
hash_wia
=
HashWithIndifferentAccess
.
new
(
3
)
assert_equal
3
,
hash_wia
[
:new_key
]
...
...
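Review bot: The restored `<content type="yaml">` and `<resident type="symbol">` fixtures in `test_single_record_from_xml` make a plain `Hash.from_xml` call yield a Hash keyed by the symbol `:message` and the value `:yes`, so this test is now the only place in the diff that pins unrestricted YAML and Symbol typecasting as `from_xml`'s contract. A short comment above the fixture, e.g. `# NOTE: type="yaml"/type="symbol" are accepted here without restriction; see Hash.from_xml in conversions.rb`, would stop a later reader from mistaking that expectation for an oversight. The heredoc and `expected_topic_hash` are spread over three hunks, so the enclosing method starts and ends outside each of them.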