-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock6
-rw-r--r--app/controllers/track_controller.rb3
m---------commonlib0
-rw-r--r--config/initializers/alaveteli.rb1
-rw-r--r--lib/actionmailer_patches.rb15
-rw-r--r--lib/tasks/stats.rake5
-rw-r--r--spec/controllers/track_controller_spec.rb33
-rw-r--r--spec/factories.rb7
-rw-r--r--spec/fixtures/files/fake-authority-type.csv2
-rw-r--r--spec/models/public_body_spec.rb25
11 files changed, 81 insertions, 18 deletions
diff --git a/Gemfile b/Gemfile
index 04fa16eba..b86e04d55 100644
--- a/Gemfile
+++ b/Gemfile
@@ -49,7 +49,7 @@ gem 'globalize3', :git => 'git://github.com/henare/globalize3.git', :branch => '
gem 'locale'
gem 'routing-filter'
gem 'unicode'
-gem 'unidecode'
+gem 'unidecoder'
group :test do
gem 'fakeweb'
diff --git a/Gemfile.lock b/Gemfile.lock
index 4494c2342..9accf0283 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -136,7 +136,7 @@ GEM
net-ssh (2.6.7)
net-ssh-gateway (1.2.0)
net-ssh (>= 2.6.5)
- newrelic_rpm (3.6.2.96)
+ newrelic_rpm (3.6.8.164)
nokogiri (1.5.9)
paper_trail (2.7.2)
activerecord (~> 3.0)
@@ -236,7 +236,7 @@ GEM
polyglot (>= 0.3.1)
tzinfo (0.3.37)
unicode (0.4.4)
- unidecode (1.0.0)
+ unidecoder (1.1.2)
vpim (0.695)
webrat (0.7.3)
nokogiri (>= 1.2.0)
@@ -293,7 +293,7 @@ DEPENDENCIES
statistics2 (~> 0.54)
syslog_protocol
unicode
- unidecode
+ unidecoder
vpim
webrat
will_paginate
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 40fa69290..72c092221 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -181,7 +181,8 @@ class TrackController < ApplicationController
if new_medium == 'delete'
track_thing.destroy
flash[:notice] = _("You are no longer following {{track_description}}.", :track_description => track_thing.params[:list_description])
- redirect_to params[:r]
+ redirect_to URI.parse(params[:r]).path
+
# Reuse code like this if we let medium change again.
#elsif new_medium == 'email_daily'
# track_thing.track_medium = new_medium
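Review bot: `URI.parse(params[:r])` on the added `redirect_to` line raises when `r` is absent or is not a valid URI, so such a request ends in an unhandled exception after `track_thing.destroy` has already run. Taking only `.path` also drops any query string and yields an empty string for a host-only value such as the `http://example.com` used in the new spec. A path that begins with `//` may be read as a protocol-relative URL, depending on how `redirect_to` and the browser treat it. I would parse defensively and fall back to `'/'` unless the result is a same-site absolute path. The enclosing action starts and ends outside this hunk.

```ruby
# … unchanged: track_thing.destroy and flash[:notice] …
target = begin
  URI.parse(params[:r].to_s).path
rescue URI::InvalidURIError
  nil
end
# Only follow a same-site absolute path; anything else goes to the front page.
target = '/' if target.blank? || !target.start_with?('/') || target.start_with?('//')
redirect_to target
```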
diff --git a/commonlib b/commonlib
-Subproject 9462a28fe12b25637d6e67d7140d444632e3ff7
+Subproject 77a6b09daa5da3808be4431799521f8bee5ab21
diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
index 8ae78c80c..4041ef7a8 100644
--- a/config/initializers/alaveteli.rb
+++ b/config/initializers/alaveteli.rb
@@ -50,6 +50,7 @@ require 'normalize_string'
require 'alaveteli_file_types'
require 'alaveteli_localization'
require 'message_prominence'
+require 'actionmailer_patches'
AlaveteliLocalization.set_locales(AlaveteliConfiguration::available_locales,
AlaveteliConfiguration::default_locale)
diff --git a/lib/actionmailer_patches.rb b/lib/actionmailer_patches.rb
new file mode 100644
index 000000000..600d3c8cc
--- /dev/null
+++ b/lib/actionmailer_patches.rb
@@ -0,0 +1,15 @@
+# Monkey patch for CVE-2013-4389
+# derived from http://seclists.org/oss-sec/2013/q4/118 to fix
+# a possible DoS vulnerability in the log subscriber component of
+# Action Mailer.
+
+require 'action_mailer'
+module ActionMailer
+ class LogSubscriber < ActiveSupport::LogSubscriber
+ def deliver(event)
+ recipients = Array.wrap(event.payload[:to]).join(', ')
+ info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)")
+ debug(event.payload[:mail])
+ end
+ end
+end
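Review bot: This file reopens `ActionMailer::LogSubscriber#deliver` unconditionally and nothing marks when it should be removed, so after a Rails upgrade that carries the upstream fix the override would keep replacing the framework's own method. The header comment should state what differs from the stock method and when to delete the file, for example `# Remove once the bundled Rails includes the upstream fix for CVE-2013-4389 (<FIXED_RAILS_VERSION>)`. A small spec that exercises `deliver` with the subscriber attached would also confirm that the initializer actually loads the patch.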
diff --git a/lib/tasks/stats.rake b/lib/tasks/stats.rake
index 4eda27289..eb36204c6 100644
--- a/lib/tasks/stats.rake
+++ b/lib/tasks/stats.rake
@@ -94,7 +94,7 @@ namespace :stats do
desc 'Update statistics in the public_bodies table'
task :update_public_bodies_stats => :environment do
verbose = ENV['VERBOSE'] == '1'
- PublicBody.all.each do |public_body|
+ PublicBody.find_each(:batch_size => 10) do |public_body|
puts "Counting overdue requests for #{public_body.name}" if verbose
# Look for values of 'waiting_response_overdue' and
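Review bot: The batch sizes `10` on the `PublicBody.find_each` line and `200` on the `InfoRequest.find_each` line in the next hunk are bare literals with no explanation, so a later reader cannot tell whether they were measured or guessed. A one-line comment above each call would be enough, something like `# Keep few PublicBody rows loaded at once; each one iterates all of its InfoRequests`, if that is the reason. The task body continues outside both hunks.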
@@ -102,7 +102,8 @@ namespace :stats do
# described_state column, and instead need to be calculated:
overdue_count = 0
very_overdue_count = 0
- InfoRequest.find_each(:conditions => {:public_body_id => public_body.id}) do |ir|
+ InfoRequest.find_each(:batch_size => 200,
+ :conditions => {:public_body_id => public_body.id}) do |ir|
case ir.calculate_status
when 'waiting_response_very_overdue'
very_overdue_count += 1
diff --git a/spec/controllers/track_controller_spec.rb b/spec/controllers/track_controller_spec.rb
index a16024828..57d084f6b 100644
--- a/spec/controllers/track_controller_spec.rb
+++ b/spec/controllers/track_controller_spec.rb
@@ -55,6 +55,39 @@ describe TrackController, "when making a new track on a request" do
end
+describe TrackController, "when unsubscribing from a track" do
+
+ before do
+ @track_thing = FactoryGirl.create(:track_thing)
+ end
+
+ it 'should destroy the track thing' do
+ get :update, {:track_id => @track_thing.id,
+ :track_medium => 'delete',
+ :r => 'http://example.com'},
+ {:user_id => @track_thing.tracking_user.id}
+ TrackThing.find(:first, :conditions => ['id = ? ', @track_thing.id]).should == nil
+ end
+
+ it 'should redirect to a URL on the site' do
+ get :update, {:track_id => @track_thing.id,
+ :track_medium => 'delete',
+ :r => '/'},
+ {:user_id => @track_thing.tracking_user.id}
+ response.should redirect_to('/')
+ end
+
+ it 'should not redirect to a url on another site' do
+ track_thing = FactoryGirl.create(:track_thing)
+ get :update, {:track_id => @track_thing.id,
+ :track_medium => 'delete',
+ :r => 'http://example.com/'},
+ {:user_id => @track_thing.tracking_user.id}
+ response.should redirect_to('/')
+ end
+
+end
+
describe TrackController, "when sending alerts for a track" do
render_views
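Review bot: The third example creates `track_thing = FactoryGirl.create(:track_thing)` and never uses it, since the request still goes through `@track_thing`, so that line can be dropped. The examples also leave the edges of the new redirect handling uncovered: there is no case for a missing `r`, for an `r` that is not a parsable URI, or for a value whose path begins with `//`. The first example passes `http://example.com` without asserting where the response goes. I would add one example per case, each asserting `response.should redirect_to('/')`.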
diff --git a/spec/factories.rb b/spec/factories.rb
index 653525920..7d8f94ac1 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -137,4 +137,11 @@ FactoryGirl.define do
last_edit_comment "Making an edit"
end
+ factory :track_thing do
+ association :tracking_user, :factory => :user
+ track_medium 'email_daily'
+ track_type 'search_query'
+ track_query 'Example Query'
+ end
+
end
diff --git a/spec/fixtures/files/fake-authority-type.csv b/spec/fixtures/files/fake-authority-type.csv
index cb25050c6..a320941c7 100644
--- a/spec/fixtures/files/fake-authority-type.csv
+++ b/spec/fixtures/files/fake-authority-type.csv
@@ -2,3 +2,5 @@
,Scottish Fake Authority,scottish_foi@localhost
,Fake Authority of Northern Ireland,ni_foi@localhost
,Gobierno de Aragón,spain_foi@localhost
+,Nordic æøå,no_foi@localhost
+
diff --git a/spec/models/public_body_spec.rb b/spec/models/public_body_spec.rb
index 0324e3f5a..7a2c60722 100644
--- a/spec/models/public_body_spec.rb
+++ b/spec/models/public_body_spec.rb
@@ -320,14 +320,15 @@ describe PublicBody, " when loading CSV files" do
csv_contents = normalize_string_to_utf8(load_file_fixture("fake-authority-type.csv"))
errors, notes = PublicBody.import_csv(csv_contents, '', 'replace', true, 'someadmin') # true means dry run
errors.should == []
- notes.size.should == 5
- notes[0..3].should == [
+ notes.size.should == 6
+ notes[0..4].should == [
"line 1: creating new authority 'North West Fake Authority' (locale: en):\n\t\{\"name\":\"North West Fake Authority\",\"request_email\":\"north_west_foi@localhost\"\}",
"line 2: creating new authority 'Scottish Fake Authority' (locale: en):\n\t\{\"name\":\"Scottish Fake Authority\",\"request_email\":\"scottish_foi@localhost\"\}",
"line 3: creating new authority 'Fake Authority of Northern Ireland' (locale: en):\n\t\{\"name\":\"Fake Authority of Northern Ireland\",\"request_email\":\"ni_foi@localhost\"\}",
"line 4: creating new authority 'Gobierno de Aragón' (locale: en):\n\t\{\"name\":\"Gobierno de Arag\\u00f3n\",\"request_email\":\"spain_foi@localhost\"}",
+ "line 5: creating new authority 'Nordic æøå' (locale: en):\n\t{\"name\":\"Nordic \\u00e6\\u00f8\\u00e5\",\"request_email\":\"no_foi@localhost\"}"
]
- notes[4].should =~ /Notes: Some bodies are in database, but not in CSV file:\n( .+\n)*You may want to delete them manually.\n/
+ notes[5].should =~ /Notes: Some bodies are in database, but not in CSV file:\n( .+\n)*You may want to delete them manually.\n/
PublicBody.count.should == original_count
end
@@ -338,16 +339,17 @@ describe PublicBody, " when loading CSV files" do
csv_contents = normalize_string_to_utf8(load_file_fixture("fake-authority-type.csv"))
errors, notes = PublicBody.import_csv(csv_contents, '', 'replace', false, 'someadmin') # false means real run
errors.should == []
- notes.size.should == 5
- notes[0..3].should == [
+ notes.size.should == 6
+ notes[0..4].should == [
"line 1: creating new authority 'North West Fake Authority' (locale: en):\n\t\{\"name\":\"North West Fake Authority\",\"request_email\":\"north_west_foi@localhost\"\}",
"line 2: creating new authority 'Scottish Fake Authority' (locale: en):\n\t\{\"name\":\"Scottish Fake Authority\",\"request_email\":\"scottish_foi@localhost\"\}",
"line 3: creating new authority 'Fake Authority of Northern Ireland' (locale: en):\n\t\{\"name\":\"Fake Authority of Northern Ireland\",\"request_email\":\"ni_foi@localhost\"\}",
"line 4: creating new authority 'Gobierno de Aragón' (locale: en):\n\t\{\"name\":\"Gobierno de Arag\\u00f3n\",\"request_email\":\"spain_foi@localhost\"}",
+ "line 5: creating new authority 'Nordic æøå' (locale: en):\n\t{\"name\":\"Nordic \\u00e6\\u00f8\\u00e5\",\"request_email\":\"no_foi@localhost\"}"
]
- notes[4].should =~ /Notes: Some bodies are in database, but not in CSV file:\n( .+\n)*You may want to delete them manually.\n/
+ notes[5].should =~ /Notes: Some bodies are in database, but not in CSV file:\n( .+\n)*You may want to delete them manually.\n/
- PublicBody.count.should == original_count + 4
+ PublicBody.count.should == original_count + 5
end
it "should do imports without a tag successfully" do
@@ -356,15 +358,16 @@ describe PublicBody, " when loading CSV files" do
csv_contents = normalize_string_to_utf8(load_file_fixture("fake-authority-type.csv"))
errors, notes = PublicBody.import_csv(csv_contents, '', 'replace', false, 'someadmin') # false means real run
errors.should == []
- notes.size.should == 5
- notes[0..3].should == [
+ notes.size.should == 6
+ notes[0..4].should == [
"line 1: creating new authority 'North West Fake Authority' (locale: en):\n\t\{\"name\":\"North West Fake Authority\",\"request_email\":\"north_west_foi@localhost\"\}",
"line 2: creating new authority 'Scottish Fake Authority' (locale: en):\n\t\{\"name\":\"Scottish Fake Authority\",\"request_email\":\"scottish_foi@localhost\"\}",
"line 3: creating new authority 'Fake Authority of Northern Ireland' (locale: en):\n\t\{\"name\":\"Fake Authority of Northern Ireland\",\"request_email\":\"ni_foi@localhost\"\}",
"line 4: creating new authority 'Gobierno de Aragón' (locale: en):\n\t\{\"name\":\"Gobierno de Arag\\u00f3n\",\"request_email\":\"spain_foi@localhost\"}",
+ "line 5: creating new authority 'Nordic æøå' (locale: en):\n\t{\"name\":\"Nordic \\u00e6\\u00f8\\u00e5\",\"request_email\":\"no_foi@localhost\"}"
]
- notes[4].should =~ /Notes: Some bodies are in database, but not in CSV file:\n( .+\n)*You may want to delete them manually.\n/
- PublicBody.count.should == original_count + 4
+ notes[5].should =~ /Notes: Some bodies are in database, but not in CSV file:\n( .+\n)*You may want to delete them manually.\n/
+ PublicBody.count.should == original_count + 5
end
it "should handle a field list and fields out of order" do