Commit 5516d2e4 authored by Robert Speicher's avatar Robert Speicher

Merge branch 'rs-rails-security' into 'master'

Update rails, rails-html-sanitizer, and nokogiri for security fixes

See https://dev.gitlab.org/gitlab/gitlabhq/issues/2643

See merge request !2603
parents d369cd29 47ff1c56
source "https://rubygems.org" source "https://rubygems.org"
gem 'rails', '4.2.5' gem 'rails', '4.2.5.1'
gem 'rails-deprecated_sanitizer', '~> 1.0.3' gem 'rails-deprecated_sanitizer', '~> 1.0.3'
# Responders respond_to and respond_with # Responders respond_to and respond_with
...@@ -103,7 +103,8 @@ gem 'asciidoctor', '~> 1.5.2' ...@@ -103,7 +103,8 @@ gem 'asciidoctor', '~> 1.5.2'
gem 'rouge', '~> 1.10.1' gem 'rouge', '~> 1.10.1'
# See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s # See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
gem 'nokogiri', '1.6.7.1' # and https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
gem 'nokogiri', '1.6.7.2'
# Diffs # Diffs
gem 'diffy', '~> 3.0.3' gem 'diffy', '~> 3.0.3'
......
...@@ -4,41 +4,41 @@ GEM ...@@ -4,41 +4,41 @@ GEM
CFPropertyList (2.3.2) CFPropertyList (2.3.2)
RedCloth (4.2.9) RedCloth (4.2.9)
ace-rails-ap (2.0.1) ace-rails-ap (2.0.1)
actionmailer (4.2.5) actionmailer (4.2.5.1)
actionpack (= 4.2.5) actionpack (= 4.2.5.1)
actionview (= 4.2.5) actionview (= 4.2.5.1)
activejob (= 4.2.5) activejob (= 4.2.5.1)
mail (~> 2.5, >= 2.5.4) mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
actionpack (4.2.5) actionpack (4.2.5.1)
actionview (= 4.2.5) actionview (= 4.2.5.1)
activesupport (= 4.2.5) activesupport (= 4.2.5.1)
rack (~> 1.6) rack (~> 1.6)
rack-test (~> 0.6.2) rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2) rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.5) actionview (4.2.5.1)
activesupport (= 4.2.5) activesupport (= 4.2.5.1)
builder (~> 3.1) builder (~> 3.1)
erubis (~> 2.7.0) erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2) rails-html-sanitizer (~> 1.0, >= 1.0.2)
activejob (4.2.5) activejob (4.2.5.1)
activesupport (= 4.2.5) activesupport (= 4.2.5.1)
globalid (>= 0.3.0) globalid (>= 0.3.0)
activemodel (4.2.5) activemodel (4.2.5.1)
activesupport (= 4.2.5) activesupport (= 4.2.5.1)
builder (~> 3.1) builder (~> 3.1)
activerecord (4.2.5) activerecord (4.2.5.1)
activemodel (= 4.2.5) activemodel (= 4.2.5.1)
activesupport (= 4.2.5) activesupport (= 4.2.5.1)
arel (~> 6.0) arel (~> 6.0)
activerecord-deprecated_finders (1.0.4) activerecord-deprecated_finders (1.0.4)
activerecord-session_store (0.1.2) activerecord-session_store (0.1.2)
actionpack (>= 4.0.0, < 5) actionpack (>= 4.0.0, < 5)
activerecord (>= 4.0.0, < 5) activerecord (>= 4.0.0, < 5)
railties (>= 4.0.0, < 5) railties (>= 4.0.0, < 5)
activesupport (4.2.5) activesupport (4.2.5.1)
i18n (~> 0.7) i18n (~> 0.7)
json (~> 1.7, >= 1.7.7) json (~> 1.7, >= 1.7.7)
minitest (~> 5.1) minitest (~> 5.1)
...@@ -482,7 +482,7 @@ GEM ...@@ -482,7 +482,7 @@ GEM
grape grape
newrelic_rpm newrelic_rpm
newrelic_rpm (3.9.4.245) newrelic_rpm (3.9.4.245)
nokogiri (1.6.7.1) nokogiri (1.6.7.2)
mini_portile2 (~> 2.0.0.rc2) mini_portile2 (~> 2.0.0.rc2)
nprogress-rails (0.1.6.7) nprogress-rails (0.1.6.7)
oauth (0.4.7) oauth (0.4.7)
...@@ -588,16 +588,16 @@ GEM ...@@ -588,16 +588,16 @@ GEM
rack rack
rack-test (0.6.3) rack-test (0.6.3)
rack (>= 1.0) rack (>= 1.0)
rails (4.2.5) rails (4.2.5.1)
actionmailer (= 4.2.5) actionmailer (= 4.2.5.1)
actionpack (= 4.2.5) actionpack (= 4.2.5.1)
actionview (= 4.2.5) actionview (= 4.2.5.1)
activejob (= 4.2.5) activejob (= 4.2.5.1)
activemodel (= 4.2.5) activemodel (= 4.2.5.1)
activerecord (= 4.2.5) activerecord (= 4.2.5.1)
activesupport (= 4.2.5) activesupport (= 4.2.5.1)
bundler (>= 1.3.0, < 2.0) bundler (>= 1.3.0, < 2.0)
railties (= 4.2.5) railties (= 4.2.5.1)
sprockets-rails sprockets-rails
rails-deprecated_sanitizer (1.0.3) rails-deprecated_sanitizer (1.0.3)
activesupport (>= 4.2.0.alpha) activesupport (>= 4.2.0.alpha)
...@@ -605,11 +605,11 @@ GEM ...@@ -605,11 +605,11 @@ GEM
activesupport (>= 4.2.0.beta, < 5.0) activesupport (>= 4.2.0.beta, < 5.0)
nokogiri (~> 1.6.0) nokogiri (~> 1.6.0)
rails-deprecated_sanitizer (>= 1.0.1) rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.2) rails-html-sanitizer (1.0.3)
loofah (~> 2.0) loofah (~> 2.0)
railties (4.2.5) railties (4.2.5.1)
actionpack (= 4.2.5) actionpack (= 4.2.5.1)
activesupport (= 4.2.5) activesupport (= 4.2.5.1)
rake (>= 0.8.7) rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0) thor (>= 0.18.1, < 2.0)
rainbow (2.0.0) rainbow (2.0.0)
...@@ -962,7 +962,7 @@ DEPENDENCIES ...@@ -962,7 +962,7 @@ DEPENDENCIES
net-ssh (~> 3.0.1) net-ssh (~> 3.0.1)
newrelic-grape newrelic-grape
newrelic_rpm (~> 3.9.4.245) newrelic_rpm (~> 3.9.4.245)
nokogiri (= 1.6.7.1) nokogiri (= 1.6.7.2)
nprogress-rails (~> 0.1.6.7) nprogress-rails (~> 0.1.6.7)
oauth2 (~> 1.0.0) oauth2 (~> 1.0.0)
octokit (~> 3.7.0) octokit (~> 3.7.0)
...@@ -988,7 +988,7 @@ DEPENDENCIES ...@@ -988,7 +988,7 @@ DEPENDENCIES
rack-attack (~> 4.3.1) rack-attack (~> 4.3.1)
rack-cors (~> 0.4.0) rack-cors (~> 0.4.0)
rack-oauth2 (~> 1.2.1) rack-oauth2 (~> 1.2.1)
rails (= 4.2.5) rails (= 4.2.5.1)
rails-deprecated_sanitizer (~> 1.0.3) rails-deprecated_sanitizer (~> 1.0.3)
raphael-rails (~> 2.1.2) raphael-rails (~> 2.1.2)
rblineprof rblineprof
......
...@@ -48,4 +48,10 @@ FactoryGirl::SyntaxRunner.class_eval do ...@@ -48,4 +48,10 @@ FactoryGirl::SyntaxRunner.class_eval do
include RSpec::Mocks::ExampleMethods include RSpec::Mocks::ExampleMethods
end end
# Work around a Rails 4.2.5.1 issue
# See https://github.com/rspec/rspec-rails/issues/1532
RSpec::Rails::ViewRendering::EmptyTemplatePathSetDecorator.class_eval do
alias_method :find_all_anywhere, :find_all
end
ActiveRecord::Migration.maintain_test_schema! ActiveRecord::Migration.maintain_test_schema!
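Review bot: The `alias_method :find_all_anywhere, :find_all` in the new class_eval block is unconditional, so once rspec-rails ships its own `find_all_anywhere` this workaround will silently replace that method with a plain `find_all`. Guarding it, `alias_method :find_all_anywhere, :find_all unless method_defined?(:find_all_anywhere)`, lets the patch drop out on its own when the gem is upgraded. The comment should also say which rspec-rails release makes the workaround unnecessary (the linked issue, not this hunk, is where that would be found) so the block is removed with that upgrade rather than lingering. The `FactoryGirl::SyntaxRunner.class_eval` block named in the hunk header appears to close on the `end` just before the new lines, so the new code sits at file top level.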