Commit 88f909c9 authored by Francisco Juan's avatar Francisco Juan

Update chiliproject to version 'v2.11.0'

parents 075edb2c 2f84fa09
source :rubygems
gem "rails", "2.3.16"
gem "rails", "2.3.18"
gem "json", "~> 1.7.7"
gem "coderay", "~> 0.9.7"
gem "i18n", "~> 0.4.2"
gem "rubytree", "~> 0.5.2", :require => 'tree'
......
......@@ -37,7 +37,7 @@ class AccountController < ApplicationController
def lost_password
redirect_to(home_url) && return unless Setting.lost_password?
if params[:token]
@token = Token.find_by_action_and_value("recovery", params[:token])
@token = Token.find_by_action_and_value("recovery", params[:token].to_s)
redirect_to(home_url) && return unless @token and !@token.expired?
@user = @token.user
if request.post?
......@@ -53,7 +53,7 @@ class AccountController < ApplicationController
return
else
if request.post?
user = User.find_by_mail(params[:mail])
user = User.find_by_mail(params[:mail].to_s)
# user not found in db
(flash.now[:error] = l(:notice_account_unknown_email); return) unless user
# user uses an external authentification
......@@ -109,7 +109,7 @@ class AccountController < ApplicationController
# Token based account activation
def activate
redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
token = Token.find_by_action_and_value('register', params[:token])
token = Token.find_by_action_and_value('register', params[:token].to_s)
redirect_to(home_url) && return unless token and !token.expired?
user = token.user
redirect_to(home_url) && return unless user.registered?
......
......@@ -94,11 +94,11 @@ class ApplicationController < ActionController::Base
user
elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
# RSS key authentication does not start a session
User.find_by_rss_key(params[:key])
User.find_by_rss_key(params[:key].to_s)
elsif Setting.rest_api_enabled? && api_request?
if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
# Use API key
User.find_by_api_key(key)
User.find_by_api_key(key.to_s)
else
# HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password|
......
......@@ -364,7 +364,7 @@ class Issue < ActiveRecord::Base
def attachment_removed(obj)
init_journal(User.current)
create_journal
last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]}.to_yaml)
last_journal.update_attribute(:changes, {"attachments_" + obj.id.to_s => [obj.filename, nil]})
end
# Return true if the issue is closed, otherwise false
......
......@@ -98,7 +98,7 @@ class WikiContent < ActiveRecord::Base
changes.delete("text")
changes["data"] = hash[:text]
changes["compression"] = hash[:compression]
update_attribute(:changes, changes.to_yaml)
update_attribute(:changes, changes)
end
def text
......
......@@ -21,9 +21,6 @@
# use RACK_ENV if we are running as a simple rack app
ENV['RAILS_ENV'] ||= ENV['RACK_ENV'] if ENV['RACK_ENV']
# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '2.3.16' unless defined? RAILS_GEM_VERSION
if RUBY_VERSION >= '1.9'
Encoding.default_external = 'UTF-8'
Encoding.default_internal = 'UTF-8'
......
......@@ -112,56 +112,13 @@ module ActionController
end
end
# Backported fix for CVE-2012-3464
# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
# TODO: Remove this once we are on Rails >= 3.2.8
require 'active_support/core_ext/string/output_safety'
class ERB
module Util
HTML_ESCAPE["'"] = '&#39;'
if RUBY_VERSION >= '1.9'
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
#
# In your ERB templates, use this method to escape any unsafe content. For example:
# <%=h @person.name %>
#
# ==== Example:
# puts html_escape("is a > 0 & a < 10?")
# # => is a &gt; 0 &amp; a &lt; 10?
def html_escape(s)
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
end
end
else
def html_escape(s) #:nodoc:
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
end
end
end
# Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
remove_method(:h)
alias h html_escape
module_function :h
singleton_class.send(:remove_method, :html_escape)
module_function :html_escape
end
end
require 'action_view/helpers/tag_helper'
module ActionView::Helpers::TagHelper
def escape_once(html)
ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
end
end
# Workaround for CVE-2013-0333
# https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/1h2DR63ViGo/GOUVafeaF1IJ
ActiveSupport::JSON.backend = "JSONGem"
......@@ -31,7 +31,7 @@ class AddChangesFromJournalDetailsForActsAsJournalized < ActiveRecord::Migration
changes["attachments_" + detail.prop_key.to_s] = [detail.old_value, detail.value]
end
begin
journal.update_attribute(:changes, changes.to_yaml)
journal.update_attribute(:changes, changes)
rescue ActiveRecord::RecordInvalid => ex
puts "Error saving: #{journal.class.to_s}##{journal.id} - #{ex.message}"
end
......
......@@ -37,7 +37,7 @@ class MergeWikiVersionsWithJournals < ActiveRecord::Migration
changes = {}
changes["compression"] = wv.compression
changes["data"] = wv.data
journal.update_attribute(:changes, changes.to_yaml)
journal.update_attribute(:changes, changes)
journal.update_attribute(:version, wv.version)
end
# drop_table :wiki_content_versions
......
= ChiliProject changelog
== 2013-02-13 2.11.0
* Security - Feature #1252: Update Rails to 2.3.18
== 2013-02-13 2.10.0
* Security - Feature #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
* Security - Bug #1234: Potential vulnerability in token authentication when running on MySQL
== 2013-01-29 v2.9.0
* Security - Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)
......
......@@ -18,7 +18,7 @@ module ChiliProject
module VERSION #:nodoc:
MAJOR = 2
MINOR = 9
MINOR = 11
PATCH = 0
TINY = PATCH # Redmine compat
......
......@@ -29,7 +29,7 @@ class ActivitiesControllerTest < ActionController::TestCase
:child => { :tag => "dt",
:attributes => { :class => /issue/ },
:child => { :tag => "a",
:content => /(#{IssueStatus.find(2).name})/,
:content => /(#{ERB::Util.h IssueStatus.find(2).name})/,
}
}
}
......@@ -47,7 +47,7 @@ class ActivitiesControllerTest < ActionController::TestCase
:child => { :tag => "dt",
:attributes => { :class => /issue/ },
:child => { :tag => "a",
:content => /#{Issue.find(1).subject}/,
:content => /#{ERB::Util.h Issue.find(1).subject}/,
}
}
}
......@@ -65,7 +65,7 @@ class ActivitiesControllerTest < ActionController::TestCase
:child => { :tag => "dt",
:attributes => { :class => /issue/ },
:child => { :tag => "a",
:content => /#{Issue.find(1).subject}/,
:content => /#{ERB::Util.h Issue.find(1).subject}/,
}
}
}
......@@ -83,7 +83,7 @@ class ActivitiesControllerTest < ActionController::TestCase
:child => { :tag => "dt",
:attributes => { :class => /issue/ },
:child => { :tag => "a",
:content => /#{Issue.find(1).subject}/,
:content => /#{ERB::Util.h Issue.find(1).subject}/,
}
}
}
......
......@@ -56,7 +56,7 @@ class IssuesControllerTest < ActionController::TestCase
assert_template 'index.rhtml'
assert_not_nil assigns(:issues)
assert_nil assigns(:project)
assert_tag :tag => 'a', :content => /Can't print recipes/
assert_tag :tag => 'a', :content => /Can&#39;t print recipes/
assert_tag :tag => 'a', :content => /Subproject issue/
# private projects hidden
assert_no_tag :tag => 'a', :content => /Issue of a private subproject/
......@@ -72,7 +72,7 @@ class IssuesControllerTest < ActionController::TestCase
assert_template 'index.rhtml'
assert_not_nil assigns(:issues)
assert_nil assigns(:project)
assert_no_tag :tag => 'a', :content => /Can't print recipes/
assert_no_tag :tag => 'a', :content => /Can&#39;t print recipes/
assert_tag :tag => 'a', :content => /Subproject issue/
end
......@@ -83,7 +83,7 @@ class IssuesControllerTest < ActionController::TestCase
assert_template 'index.rhtml'
assert_not_nil assigns(:issues)
assert_nil assigns(:project)
assert_no_tag :tag => 'a', :content => /Can't print recipes/
assert_no_tag :tag => 'a', :content => /Can&#39;t print recipes/
assert_tag :tag => 'a', :content => /Subproject issue/
end
......@@ -93,7 +93,7 @@ class IssuesControllerTest < ActionController::TestCase
assert_response :success
assert_template 'index.rhtml'
assert_not_nil assigns(:issues)
assert_tag :tag => 'a', :content => /Can't print recipes/
assert_tag :tag => 'a', :content => /Can&#39;t print recipes/
assert_no_tag :tag => 'a', :content => /Subproject issue/
end
......@@ -103,7 +103,7 @@ class IssuesControllerTest < ActionController::TestCase
assert_response :success
assert_template 'index.rhtml'
assert_not_nil assigns(:issues)
assert_tag :tag => 'a', :content => /Can't print recipes/
assert_tag :tag => 'a', :content => /Can&#39;t print recipes/
assert_tag :tag => 'a', :content => /Subproject issue/
assert_no_tag :tag => 'a', :content => /Issue of a private subproject/
end
......@@ -115,7 +115,7 @@ class IssuesControllerTest < ActionController::TestCase
assert_response :success
assert_template 'index.rhtml'
assert_not_nil assigns(:issues)
assert_tag :tag => 'a', :content => /Can't print recipes/
assert_tag :tag => 'a', :content => /Can&#39;t print recipes/
assert_tag :tag => 'a', :content => /Subproject issue/
assert_tag :tag => 'a', :content => /Issue of a private subproject/
end
......@@ -1049,7 +1049,7 @@ class IssuesControllerTest < ActionController::TestCase
assert_response :success
assert_template 'edit'
assert_error_tag :descendant => {:content => /Activity can't be blank/}
assert_error_tag :descendant => {:content => /Activity can&#39;t be blank/}
assert_tag :textarea, :attributes => { :name => 'notes' }, :content => notes
assert_tag :input, :attributes => { :name => 'time_entry[hours]', :value => "2z" }
end
......@@ -1067,8 +1067,8 @@ class IssuesControllerTest < ActionController::TestCase
assert_response :success
assert_template 'edit'
assert_error_tag :descendant => {:content => /Activity can't be blank/}
assert_error_tag :descendant => {:content => /Hours can't be blank/}
assert_error_tag :descendant => {:content => /Activity can&#39;t be blank/}
assert_error_tag :descendant => {:content => /Hours can&#39;t be blank/}
assert_tag :textarea, :attributes => { :name => 'notes' }, :content => notes
assert_tag :input, :attributes => { :name => 'time_entry[comments]', :value => "this is my comment" }
end
......
......@@ -168,14 +168,14 @@ class ActiveSupport::TestCase
should "use the new value's name" do
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml)
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
assert_match @new_value.class.find(@new_value.id).name, @detail.render_detail(prop_key, true)
end
should "use the old value's name" do
@detail = IssueJournal.generate(:version => 1, :journaled => Issue.last)
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]}.to_yaml)
@detail.update_attribute(:changes, {prop_key => [@old_value.id, @new_value.id]})
assert_match @old_value.class.find(@old_value.id).name, @detail.render_detail(prop_key, true)
end
......
......@@ -441,7 +441,7 @@ RAW
expected = <<-EXPECTED
<p><a href="/projects/ecookbook/wiki/CookBook_documentation" class="wiki-page">CookBook documentation</a></p>
<p><a href="/issues/1" class="issue status-1 priority-1" title="Can't print recipes (New)">#1</a></p>
<p><a href="/issues/1" class="issue status-1 priority-1" title="Can&#39;t print recipes (New)">#1</a></p>
<pre>
[[CookBook documentation]]
......
......@@ -37,7 +37,7 @@ class MailerTest < ActiveSupport::TestCase
assert_select_email do
# link to the main ticket
assert_select "a[href=?]", "https://mydomain.foo/issues/1", :text => "Bug #1: Can't print recipes"
assert_select "a[href=?]", "https://mydomain.foo/issues/1", :text => "Bug #1: Can&#39;t print recipes"
# link to a referenced ticket
assert_select "a[href=?][title=?]", "https://mydomain.foo/issues/2", "Add ingredients categories (Assigned)", :text => "#2"
# link to a changeset
......@@ -59,7 +59,7 @@ class MailerTest < ActiveSupport::TestCase
assert_select_email do
# link to the main ticket
assert_select "a[href=?]", "http://mydomain.foo/rdm/issues/1", :text => "Bug #1: Can't print recipes"
assert_select "a[href=?]", "http://mydomain.foo/rdm/issues/1", :text => "Bug #1: Can&#39;t print recipes"
# link to a referenced ticket
assert_select "a[href=?][title=?]", "http://mydomain.foo/rdm/issues/2", "Add ingredients categories (Assigned)", :text => "#2"
# link to a changeset
......@@ -84,7 +84,7 @@ class MailerTest < ActiveSupport::TestCase
assert_select_email do
# link to the main ticket
assert_select "a[href=?]", "http://mydomain.foo/rdm/issues/1", :text => "Bug #1: Can't print recipes"
assert_select "a[href=?]", "http://mydomain.foo/rdm/issues/1", :text => "Bug #1: Can&#39;t print recipes"
# link to a referenced ticket
assert_select "a[href=?][title=?]", "http://mydomain.foo/rdm/issues/2", "Add ingredients categories (Assigned)", :text => "#2"
# link to a changeset
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment