mirrors
/
rails
mirror of https://github.com/rails/rails
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch '4-1-5' into 4-1-stable 

Conflicts:
	actionmailer/CHANGELOG.md
	actionview/CHANGELOG.md
	activerecord/CHANGELOG.md
	activesupport/CHANGELOG.md
	railties/CHANGELOG.md
This commit is contained in:
Rafael Mendonça França 2014-08-18 14:05:48 -03:00
parent 28c1a81f9a 9bb76261d3
commit 9c297ce936
19 changed files with 93 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
RAILS_VERSION
View File

@ -1 +1 @@
4.1.4
4.1.5

5
actionmailer/CHANGELOG.md
View File

@ -13,6 +13,11 @@
*Yves Senn*
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ##
* No changes.

2
actionmailer/lib/action_mailer/gem_version.rb
View File

@ -7,7 +7,7 @@ module ActionMailer
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

2
actionpack/lib/action_pack/gem_version.rb
View File

@ -7,7 +7,7 @@ module ActionPack
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

5
actionview/CHANGELOG.md
View File

@ -16,6 +16,11 @@
*Jiri Pospisil*
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ##
* No changes.

2
actionview/lib/action_view/gem_version.rb
View File

@ -7,7 +7,7 @@ module ActionView
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

5
activemodel/CHANGELOG.md
View File

@ -1,3 +1,8 @@
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ##
* No changes.

1
activemodel/lib/active_model/forbidden_attributes_protection.rb
View File

@ -23,5 +23,6 @@ module ActiveModel
attributes
end
end
alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
end
end

2
activemodel/lib/active_model/gem_version.rb
View File

@ -7,7 +7,7 @@ module ActiveModel
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

5
activerecord/CHANGELOG.md
View File

@ -157,6 +157,11 @@
*Arun Agrawal*
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ##
* Fix regression added from the latest security fix.

2
activerecord/lib/active_record/gem_version.rb
View File

@ -7,7 +7,7 @@ module ActiveRecord
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

16
activerecord/lib/active_record/relation/query_methods.rb
View File

@ -1,9 +1,12 @@
require 'active_support/core_ext/array/wrap'
require 'active_model/forbidden_attributes_protection'
module ActiveRecord
module QueryMethods
extend ActiveSupport::Concern
include ActiveModel::ForbiddenAttributesProtection
# WhereChain objects act as placeholder for queries in which #where does not have any parameter.
# In this case, #where must be chained with #not to return a new relation.
class WhereChain
@ -561,7 +564,10 @@ module ActiveRecord
if opts == :chain
WhereChain.new(self)
else
references!(PredicateBuilder.references(opts)) if Hash === opts
if Hash === opts
opts = sanitize_forbidden_attributes(opts)
references!(PredicateBuilder.references(opts))
end
self.where_values += build_where(opts, rest)
self
@ -711,7 +717,13 @@ module ActiveRecord
end
def create_with!(value) # :nodoc:
self.create_with_value = value ? create_with_value.merge(value) : {}
if value
value = sanitize_forbidden_attributes(value)
self.create_with_value = create_with_value.merge(value)
else
self.create_with_value = {}
end
self
end

30
activerecord/test/cases/forbidden_attributes_protection_test.rb
View File

@ -66,4 +66,34 @@ class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
person = Person.new
assert_nil person.assign_attributes(ProtectedParams.new({}))
end
def test_create_with_checks_permitted
params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
assert_raises(ActiveModel::ForbiddenAttributesError) do
Person.create_with(params).create!
end
end
def test_create_with_works_with_params_values
params = ProtectedParams.new(first_name: 'Guille')
person = Person.create_with(first_name: params[:first_name]).create!
assert_equal 'Guille', person.first_name
end
def test_where_checks_permitted
params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
assert_raises(ActiveModel::ForbiddenAttributesError) do
Person.where(params).create!
end
end
def test_where_works_with_params_values
params = ProtectedParams.new(first_name: 'Guille')
person = Person.where(first_name: params[:first_name]).create!
assert_equal 'Guille', person.first_name
end
end

5
activesupport/CHANGELOG.md
View File

@ -27,6 +27,11 @@
*Juanjo Bazán*
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ##
* No changes.

2
activesupport/lib/active_support/gem_version.rb
View File

@ -7,7 +7,7 @@ module ActiveSupport
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

5
guides/CHANGELOG.md
View File

@ -1,3 +1,8 @@
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ##
* No changes.

9
railties/CHANGELOG.md
View File

@ -13,6 +13,15 @@
*Yves Senn*, *Carlos Antonio da Silva*, *Robin Dupret*
## Rails 4.1.5 (August 18, 2014) ##
* Check attributes passed to `create_with` and `where`.
Fixes CVE-2014-3514.
*Rafael Mendonça França*
## Rails 4.1.4 (July 2, 2014) ##
* No changes.

2
railties/lib/rails/gem_version.rb
View File

@ -7,7 +7,7 @@ module Rails
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

2
version.rb
View File

@ -7,7 +7,7 @@ module Rails
module VERSION
MAJOR = 4
MINOR = 1
TINY = 4
TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")