Hello community,

here is the log from the commit of package rubygem-actionpack-2_3 for 
openSUSE:12.2 checked in at 2012-08-09 17:55:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2/rubygem-actionpack-2_3 (Old)
 and      /work/SRC/openSUSE:12.2/.rubygem-actionpack-2_3.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-2_3", Maintainer is "[email protected]"

Changes:
--------
--- 
/work/SRC/openSUSE:12.2/rubygem-actionpack-2_3/rubygem-actionpack-2_3.changes   
    2012-06-25 15:52:12.000000000 +0200
+++ 
/work/SRC/openSUSE:12.2/.rubygem-actionpack-2_3.new/rubygem-actionpack-2_3.changes
  2012-08-09 17:56:09.000000000 +0200
@@ -1,0 +2,8 @@
+Wed Jul 18 14:57:18 UTC 2012 - [email protected]
+
+- added 2 patches to fix security issues:
+  2-3-null_param.patch       (CVE-2012-2660) (bnc#765097)
+  2-3-null_array_param.patch (CVE-2012-2694) (bnc#766791)
+- track series file from quilt for easier handling
+
+-------------------------------------------------------------------

New:
----
  2-3-null_array_param.patch
  2-3-null_param.patch
  series

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-2_3.spec ++++++
--- /var/tmp/diff_new_pack.HmidGq/_old  2012-08-09 17:56:09.000000000 +0200
+++ /var/tmp/diff_new_pack.HmidGq/_new  2012-08-09 17:56:09.000000000 +0200
@@ -39,6 +39,9 @@
 #
 Url:            http://rubyforge.org/projects/actionpack
 Source:         %{mod_full_name}.gem
+Source99:       series
+Patch0:         2-3-null_param.patch
+Patch1:         2-3-null_array_param.patch
 #
 Summary:        Web-flow and rendering framework putting the VC in MVC
 %description
@@ -66,6 +69,10 @@
 %install
 %gem_install %{S:0}
 find %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}/ 
-name \*\~ -print -delete
+pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
+patch -p0 < %{P:0}
+patch -p0 < %{P:1}
+popd
 
 %clean
 %{__rm} -rf %{buildroot}
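Review bot: The two `patch -p0 < %{P:N}` calls added to %install use patch's default fuzz and backup behaviour, so a security patch that only applies with fuzz or at an offset would still succeed and may leave `*.orig` files in the buildroot. The `find ... -name \*\~ -print -delete` cleanup runs before the patching and does not match that suffix anyway. Consider `patch -p0 --fuzz=0 --no-backup-if-mismatch < %{P:0}` (and the same for `%{P:1}`) so a drifting hunk fails the build instead of applying loosely. The patch order is now stated both here and in the new `series` file (Source99), which nothing in this hunk reads; a comment such as `# keep Patch0/Patch1 order in sync with series` would help.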

++++++ 2-3-null_array_param.patch ++++++
Index: lib/action_controller/request.rb
===================================================================
--- lib/action_controller/request.rb.orig       2012-07-18 16:28:20.433076369 
+0200
+++ lib/action_controller/request.rb    2012-07-18 16:29:56.813242333 +0200
@@ -495,17 +495,19 @@ EOM
 
     # Remove nils from the params hash
     def deep_munge(hash)
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+
       hash.each_value do |v|
         case v
         when Array
           v.grep(Hash) { |x| deep_munge(x) }
+          v.compact!
         when Hash
           deep_munge(v)
         end
       end
 
-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
-      keys.each { |k| hash[k] = nil }
       hash
     end
 
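Review bot: An array holding several nils and nothing else, e.g. `[nil, nil]`, is not matched by the `hash[k] == [nil]` check at the top of `deep_munge` and is then reduced by `v.compact!` to `[]`, so the caller gets an empty array rather than nil. Whether `[]` is safe for the code that consumes params is not visible here, and the added test only covers `action[]=1&action[]`. Consider normalising after the compaction, for example iterating with `hash.each do |k, v|` and adding `hash[k] = nil if v.empty?` after `v.compact!`, plus a test for a query such as `action[]&action[]`. The comment above the method could also say why the `[nil]` pass now runs before the loop.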
Index: test/controller/request/query_string_parsing_test.rb
===================================================================
--- test/controller/request/query_string_parsing_test.rb.orig   2012-07-18 
16:28:20.436077868 +0200
+++ test/controller/request/query_string_parsing_test.rb        2012-07-18 
16:32:20.072439141 +0200
@@ -89,6 +89,10 @@ class QueryStringParsingTest < ActionCon
     assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
   end
 
+  def test_array_parses_without_nil
+    assert_parses({"action" => ['1']}, "action[]=1&action[]")
+  end
+
   test "query string with empty key" do
     assert_parses(
       { "action" => "create_customer", "full_name" => "David Heinemeier 
Hansson" },
++++++ 2-3-null_param.patch ++++++
Index: lib/action_controller/request.rb
===================================================================
--- lib/action_controller/request.rb.orig       2012-07-17 18:40:44.473685229 
+0200
+++ lib/action_controller/request.rb    2012-07-18 15:56:37.275926093 +0200
@@ -491,5 +491,26 @@ EOM
           value
         end
       end
+    protected
+
+    # Remove nils from the params hash
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    def parse_query(qs)
+      deep_munge(super)
+    end
   end
 end
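Review bot: The comment `# Remove nils from the params hash` above `deep_munge` does not match the code, which keeps nil values and only rewrites values equal to `[nil]` to `nil`, recursing into nested hashes and into hashes inside arrays. A more accurate comment would be `# Replace [nil] values with nil, recursively, so a parameter cannot arrive as a non-nil array that holds only nil`. `parse_query` has no comment; `# Normalise the parsed query string through deep_munge` would make clear that only this parser is covered here. Whether other parameter sources get the same treatment is not visible in the hunk. The enclosing class starts outside the hunk.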
Index: test/controller/request/query_string_parsing_test.rb
===================================================================
--- test/controller/request/query_string_parsing_test.rb.orig   2012-07-17 
18:40:44.537685229 +0200
+++ test/controller/request/query_string_parsing_test.rb        2012-07-18 
15:56:04.470818058 +0200
@@ -81,7 +81,12 @@ class QueryStringParsingTest < ActionCon
   end
 
   test "query string without equal" do
-    assert_parses({ "action" => nil }, "action")
+    assert_parses({"action" => nil}, "action")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, 
"action[foo][bar]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, 
"action[foo][bar][]")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo][]")
+    assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
   end
 
   test "query string with empty key" do

++++++ series ++++++
2-3-null_param.patch -p0
2-3-null_array_param.patch -p0