summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVít Ondruch <vondruch@redhat.com>2011-07-04 15:59:43 +0200
committerVít Ondruch <vondruch@redhat.com>2011-07-04 15:59:43 +0200
commitffe9fad1d5f35cf7d74fca361dad49df5c0ad5e5 (patch)
treecb94491ff2ddaf2d24e671947740486cc99b1554
parentb7b20f3144dd4dac42d25b2df5f0f1700884d363 (diff)
downloadrubygem-actionpack-ffe9fad1d5f35cf7d74fca361dad49df5c0ad5e5.zip
rubygem-actionpack-ffe9fad1d5f35cf7d74fca361dad49df5c0ad5e5.tar.gz
rubygem-actionpack-ffe9fad1d5f35cf7d74fca361dad49df5c0ad5e5.tar.xz
Update to ActionPack 3.0.9
-rw-r--r--.gitignore2
-rw-r--r--actionpack-downgrade-dependencies.patch40
-rw-r--r--cve-2011-2197-actionpack-fix.patch252
-rw-r--r--rubygem-actionpack.spec35
-rw-r--r--sources4
5 files changed, 17 insertions, 316 deletions
diff --git a/.gitignore b/.gitignore
index 18bba3a..03f9f4f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@ actionpack-2.3.8.gem
/actionpack-3.0.3.gem
/actionpack-tests.tgz
/actionpack-3.0.5.gem
+/actionpack-3.0.9-tests.tgz
+/actionpack-3.0.9.gem
diff --git a/actionpack-downgrade-dependencies.patch b/actionpack-downgrade-dependencies.patch
deleted file mode 100644
index 0a81d76..0000000
--- a/actionpack-downgrade-dependencies.patch
+++ /dev/null
@@ -1,40 +0,0 @@
---- specifications/actionpack-3.0.5.gemspec.orig 2011-01-18 16:24:30.469405214 -0500
-+++ specifications/actionpack-3.0.5.gemspec 2011-01-18 16:26:01.445405000 -0500
-@@ -25,31 +25,31 @@ Gem::Specification.new do |s|
- s.add_runtime_dependency(%q<activemodel>, ["= 3.0.5"])
- s.add_runtime_dependency(%q<builder>, ["~> 2.1.2"])
- s.add_runtime_dependency(%q<i18n>, ["~> 0.4"])
-- s.add_runtime_dependency(%q<rack>, [">= 1.2.1"])
-- s.add_runtime_dependency(%q<rack-test>, [">= 0.5.7"])
-+ s.add_runtime_dependency(%q<rack>, [">= 1.1.0"])
-+ s.add_runtime_dependency(%q<rack-test>, [">= 0.5.4"])
- s.add_runtime_dependency(%q<rack-mount>, [">= 0.6.13"])
- s.add_runtime_dependency(%q<tzinfo>, ["~> 0.3.23"])
- s.add_runtime_dependency(%q<erubis>, ["~> 2.6.6"])
- else
- s.add_dependency(%q<activesupport>, ["= 3.0.5"])
- s.add_dependency(%q<activemodel>, ["= 3.0.5"])
- s.add_dependency(%q<builder>, ["~> 2.1.2"])
- s.add_dependency(%q<i18n>, ["~> 0.4"])
-- s.add_dependency(%q<rack>, [">= 1.2.1"])
-- s.add_dependency(%q<rack-test>, [">= 0.5.7"])
-+ s.add_dependency(%q<rack>, [">= 1.1.0"])
-+ s.add_dependency(%q<rack-test>, [">= 0.5.4"])
- s.add_dependency(%q<rack-mount>, [">= 0.6.13"])
- s.add_dependency(%q<tzinfo>, ["~> 0.3.23"])
- s.add_dependency(%q<erubis>, ["~> 2.6.6"])
- end
- else
- s.add_dependency(%q<activesupport>, ["= 3.0.5"])
- s.add_dependency(%q<activemodel>, ["= 3.0.5"])
- s.add_dependency(%q<builder>, ["~> 2.1.2"])
- s.add_dependency(%q<i18n>, ["~> 0.4"])
-- s.add_dependency(%q<rack>, [">= 1.2.1"])
-- s.add_dependency(%q<rack-test>, [">= 0.5.7"])
-+ s.add_dependency(%q<rack>, [">= 1.1.0"])
-+ s.add_dependency(%q<rack-test>, [">= 0.5.4"])
- s.add_dependency(%q<rack-mount>, [">= 0.6.13"])
- s.add_dependency(%q<tzinfo>, ["~> 0.3.23"])
- s.add_dependency(%q<erubis>, ["~> 2.6.6"])
- end
- end
diff --git a/cve-2011-2197-actionpack-fix.patch b/cve-2011-2197-actionpack-fix.patch
deleted file mode 100644
index 1690399..0000000
--- a/cve-2011-2197-actionpack-fix.patch
+++ /dev/null
@@ -1,252 +0,0 @@
---- lib/action_view/helpers/text_helper.rb.orig 2011-06-16 21:02:32.000000000 -0400
-+++ lib/action_view/helpers/text_helper.rb 2011-06-16 21:07:58.000000000 -0400
-@@ -115,13 +115,12 @@ module ActionView
- end
- options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
-
-- text = sanitize(text) unless options[:sanitize] == false
-- if text.blank? || phrases.blank?
-- text
-- else
-+ if text.present? && phrases.present?
- match = Array(phrases).map { |p| Regexp.escape(p) }.join('|')
-- text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
-- end.html_safe
-+ text = text.to_str.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
-+ end
-+ text = sanitize(text) unless options[:sanitize] == false
-+ text
- end
-
- # Extracts an excerpt from +text+ that matches the first instance of +phrase+.
-@@ -251,14 +250,16 @@ module ActionView
- # simple_format("Look ma! A class!", :class => 'description')
- # # => "<p class='description'>Look ma! A class!</p>"
- def simple_format(text, html_options={}, options={})
-- text = ''.html_safe if text.nil?
-+ text = text ? text.to_str : ''
-+ text = text.dup if text.frozen?
- start_tag = tag('p', html_options, true)
-- text = sanitize(text) unless options[:sanitize] == false
- text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
- text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
- text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
- text.insert 0, start_tag
-- text.html_safe.safe_concat("</p>")
-+ text.concat("</p>")
-+ text = sanitize(text) unless options[:sanitize] == false
-+ text
- end
-
- # Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
-@@ -477,7 +478,7 @@ module ActionView
- # is yielded and the result is used as the link text.
- def auto_link_urls(text, html_options = {}, options = {})
- link_attributes = html_options.stringify_keys
-- text.gsub(AUTO_LINK_RE) do
-+ text.to_str.gsub(AUTO_LINK_RE) do
- scheme, href = $1, $&
- punctuation = []
-
-@@ -494,14 +495,12 @@ module ActionView
- end
- end
-
-- link_text = block_given?? yield(href) : href
-+ link_text = block_given? ? yield(href) : href
- href = 'http://' + href unless scheme
-
-- unless options[:sanitize] == false
-- link_text = sanitize(link_text)
-- href = sanitize(href)
-- end
-- content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
-+ sanitize = options[:sanitize] != false
-+ content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
-+
- end
- end.html_safe
- end
-@@ -509,18 +508,14 @@ module ActionView
- # Turns all email addresses into clickable links. If a block is given,
- # each email is yielded and the result is used as the link text.
- def auto_link_email_addresses(text, html_options = {}, options = {})
-- text.gsub(AUTO_EMAIL_RE) do
-+ text.to_str.gsub(AUTO_EMAIL_RE) do
- text = $&
-
- if auto_linked?($`, $')
- text.html_safe
- else
-- display_text = (block_given?) ? yield(text) : text
--
-- unless options[:sanitize] == false
-- text = sanitize(text)
-- display_text = sanitize(display_text) unless text == display_text
-- end
-+ display_text = block_given? ? yield(text) : text
-+ display_text = sanitize(display_text) unless options[:sanitize] == false
- mail_to text, display_text, html_options
- end
- end
---- test/template/text_helper_test.rb.orig 2011-06-16 21:03:06.000000000 -0400
-+++ test/template/text_helper_test.rb 2011-06-16 21:10:53.000000000 -0400
-@@ -48,6 +48,11 @@ class TextHelperTest < ActionView::TestC
- assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false)
- end
-
-+ def test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false
-+ assert !simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false).html_safe?
-+ end
-+
-+
- def test_truncate_should_not_be_html_safe
- assert !truncate("Hello World!", :length => 12).html_safe?
- end
-@@ -166,6 +171,13 @@ class TextHelperTest < ActionView::TestC
- )
- end
-
-+ def test_highlight_on_an_html_safe_string
-+ assert_equal(
-+ "<p>This is a <b>beautiful</b> morning, but also a <b>beautiful</b> day</p>",
-+ highlight("<p>This is a beautiful morning, but also a beautiful day</p>".html_safe, "beautiful", :highlighter => '<b>\1</b>')
-+ )
-+ end
-+
- def test_highlight_with_html
- assert_equal(
- "<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
-@@ -306,13 +318,10 @@ class TextHelperTest < ActionView::TestC
- end
- end
-
-- def generate_result(link_text, href = nil, escape = false)
-- href ||= link_text
-- if escape
-- %{<a href="#{CGI::escapeHTML href}">#{CGI::escapeHTML link_text}</a>}
-- else
-- %{<a href="#{href}">#{link_text}</a>}
-- end
-+ def generate_result(link_text, href = nil)
-+ href = CGI::escapeHTML(href || link_text)
-+ text = CGI::escapeHTML(link_text)
-+ %{<a href="#{href}">#{text}</a>}
- end
-
- def test_auto_link_should_be_html_safe
-@@ -323,6 +332,8 @@ class TextHelperTest < ActionView::TestC
- assert auto_link('').html_safe?
- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
- assert auto_link("hello #{email_raw}").html_safe?
-+ assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
-+ assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
- end
-
- def test_auto_link
-@@ -419,7 +430,7 @@ class TextHelperTest < ActionView::TestC
-
- def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
- link_raw = %{http://www.rubyonrails.com?id=1&num=2}
-- assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
-+ assert_equal %{<a href="http://www.rubyonrails.com?id=1&amp;num=2">http://www.rubyonrails.com?id=1&amp;num=2</a>}, auto_link(link_raw)
- end
-
- def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
---- test/abstract_unit.rb.orig 2011-06-17 07:51:44.000000000 -0400
-+++ test/abstract_unit.rb 2011-06-16 22:41:52.000000000 -0400
-@@ -169,6 +169,7 @@ class BasicController
- config.assets_dir = public_dir
- config.javascripts_dir = "#{public_dir}/javascripts"
- config.stylesheets_dir = "#{public_dir}/stylesheets"
-+ config.assets = ActiveSupport::InheritableOptions.new({ :prefix => "assets" })
- config
- end
- end
---- lib/action_view/helpers/url_helper.rb.orig 2011-06-16 22:39:58.000000000 -0400
-+++ lib/action_view/helpers/url_helper.rb 2011-06-16 22:40:35.000000000 -0400
-@@ -483,7 +483,7 @@ module ActionView
- extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil?
- extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
-
-- email_address_obfuscated = email_address.dup
-+ email_address_obfuscated = email_address.to_str
- email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
- email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
-
-@@ -491,7 +491,7 @@ module ActionView
-
- if encode == "javascript"
- html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
-- html = escape_javascript(html)
-+ html = escape_javascript(html.to_str)
- "document.write('#{html}');".each_byte do |c|
- string << sprintf("%%%x", c)
- end
---- lib/action_view/helpers/cache_helper.rb.orig 2011-06-16 22:38:31.000000000 -0400
-+++ lib/action_view/helpers/cache_helper.rb 2011-06-16 22:39:35.000000000 -0400
-@@ -53,7 +53,13 @@ module ActionView
- # This dance is needed because Builder can't use capture
- pos = output_buffer.length
- yield
-- fragment = output_buffer.slice!(pos..-1)
-+ if output_buffer.is_a?(ActionView::OutputBuffer)
-+ safe_output_buffer = output_buffer.to_str
-+ fragment = safe_output_buffer.slice!(pos..-1)
-+ self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer)
-+ else
-+ fragment = output_buffer.slice!(pos..-1)
-+ end
- controller.write_fragment(name, fragment, options)
- end
- end
---- test/template/text_helper_test.rb.orig 2011-06-17 08:28:21.000000000 -0400
-+++ test/template/text_helper_test.rb 2011-06-17 08:30:42.000000000 -0400
-@@ -324,16 +324,20 @@ class TextHelperTest < ActionView::TestC
- %{<a href="#{href}">#{text}</a>}
- end
-
-- def test_auto_link_should_be_html_safe
-+ def test_auto_link_should_no_be_html_safe
- email_raw = 'santiago@wyeworks.com'
- link_raw = 'http://www.rubyonrails.org'
-
-- assert auto_link(nil).html_safe?
-- assert auto_link('').html_safe?
-- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
-- assert auto_link("hello #{email_raw}").html_safe?
-- assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
-- assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
-+ assert !auto_link(nil).html_safe?, 'should not be html safe'
-+ assert !auto_link('').html_safe?, 'should not be html safe'
-+ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
-+ assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
-+ end
-+
-+ def test_auto_link_email_address
-+ email_raw = 'aaron@tenderlovemaking.com'
-+ email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>}
-+ assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe'
- end
-
- def test_auto_link
---- lib/action_view/helpers/text_helper.rb.orig 2011-06-17 08:29:06.000000000 -0400
-+++ lib/action_view/helpers/text_helper.rb 2011-06-17 08:29:25.000000000 -0400
-@@ -300,7 +300,7 @@ module ActionView
- # # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
- # Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>."
- def auto_link(text, *args, &block)#link = :all, html = {}, &block)
-- return ''.html_safe if text.blank?
-+ return '' if text.blank?
-
- options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
- unless args.empty?
-@@ -502,7 +502,7 @@ module ActionView
- content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
-
- end
-- end.html_safe
-+ end
- end
-
- # Turns all email addresses into clickable links. If a block is given,
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index befe029..0e709ae 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -1,15 +1,16 @@
# Generated from actionpack-1.13.5.gem by gem2rpm -*- rpm-spec -*-
-%define gemdir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)
-%define gemname actionpack
-%define geminstdir %{gemdir}/gems/%{gemname}-%{version}
+%global gemname actionpack
-%define rubyabi 1.8
+%global gemdir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)
+%global geminstdir %{gemdir}/gems/%{gemname}-%{version}
+
+%global rubyabi 1.8
Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
-Version: 3.0.5
-Release: 3%{?dist}
+Version: 3.0.9
+Release: 1%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -22,9 +23,9 @@ Source1: http://github.com/rails/rails/raw/v%{version}/%{gemname}/Rakefile
# You may check it out like so
# git clone http://github.com/rails/rails.git
# cd rails/actionpack/
-# git checkout v3.0.5
-# tar czvf actionpack-tests.tgz test/
-Source2: actionpack-tests.tgz
+# git checkout v3.0.9
+# tar czvf actionpack-3.0.9-tests.tgz test/
+Source2: actionpack-3.0.9-tests.tgz
Patch0: rubygem-actionpack-enable-test.patch
@@ -36,15 +37,6 @@ Patch1: actionpack-rakefile-fix.patch
# dependency on a file in the greater rails proj
Patch2: actionpack-tests-fix.patch
-Patch3: actionpack-downgrade-dependencies.patch
-
-# CVE-2011-2197
-# http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
-# FIXES: https://gist.github.com/b2ceb626fc2bcdfe497f
-# https://github.com/rails/rails/commit/c6503f48bd13c696fcc81f2a4a87b8cd7c009657
-# https://github.com/rails/rails/commit/2e757bc298cef715e5c56945161bbd84f2610729
-Patch4: cve-2011-2197-actionpack-fix.patch
-
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -102,7 +94,6 @@ pushd .%{geminstdir}
%patch0 -p0
%patch1 -p0
%patch2 -p0
-%patch4 -p0
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -111,9 +102,6 @@ popd
popd
-pushd .%{gemdir}
-%patch3 -p0
-
# Remove backup files
# No! these are needed for rake test
# find ./%{geminstdir} -type f -name "*~" -delete
@@ -173,6 +161,9 @@ rake test --trace
%changelog
+* Mon Jul 04 2011 Vít Ondruch <vondruch@redhat.com> - 1:3.0.9-1
+- Update to ActionPack 3.0.9
+
* Thu Jun 16 2011 Mo Morsi <mmorsi@redhat.com> - 1:3.0.5-3
- Include fix for CVE-2011-2197
diff --git a/sources b/sources
index 2bc6203..91c106a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-af25980a393ab111f9fcef3d65f73c89 actionpack-3.0.5.gem
-00cb87071ba9ad6de3327a347b22e836 actionpack-tests.tgz
+0844368eaac33d7c4bc9cfe68f8336a0 actionpack-3.0.9-tests.tgz
+1c06974f4b81d38284d36e88ca7f95aa actionpack-3.0.9.gem