-rw-r--r-- | Gemfile | 5 | ||||
-rw-r--r-- | Gemfile.lock | 28 | ||||
-rw-r--r-- | config/deploy.rb | 2 | ||||
-rw-r--r-- | config/environment.rb | 2 | ||||
-rw-r--r-- | doc/CHANGES.md | 19 | ||||
-rw-r--r-- | lib/timezone_fixes.rb | 4 | ||||
-rw-r--r-- | locale/cy/app.po | 23 | ||||
-rwxr-xr-x | script/rails-post-deploy | 5 | ||||
-rw-r--r-- | vendor/plugins/mongrel_proctitle/LICENSE | 10 | ||||
-rw-r--r-- | vendor/plugins/mongrel_proctitle/README | 32 | ||||
-rw-r--r-- | vendor/plugins/mongrel_proctitle/init.rb | 3 | ||||
-rw-r--r-- | vendor/plugins/mongrel_proctitle/install.rb | 1 | ||||
-rw-r--r-- | vendor/plugins/mongrel_proctitle/lib/mongrel_proctitle.rb | 122 | ||||
-rw-r--r-- | vendor/plugins/mongrel_proctitle/uninstall.rb | 1 |
14 files changed, 61 insertions, 196 deletions
@@ -7,7 +7,10 @@ if File.exist? "/etc/debian_version" and File.open("/etc/debian_version").read.s
 end
 source :rubygems
-gem 'rails', '2.3.15'
+# A fork of rails that is kept up to date with security patches
+git "git://github.com/mysociety/rails.git", :branch => "2-3-stable" do
+  gem 'rails'
+end
 gem 'pg'
 gem 'fast_gettext', '>= 0.6.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index d86425d16..422424ffc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,5 +1,7 @@
-GEM
-  remote: http://rubygems.org/
+GIT
+  remote: git://github.com/mysociety/rails.git
+  revision: 541c061c13337b8235a1dcc2357b962f88868ff9
+  branch: 2-3-stable
   specs:
     actionmailer (2.3.15)
       actionpack (= 2.3.15)
@@ -11,6 +13,17 @@ GEM
     activeresource (2.3.15)
       activesupport (= 2.3.15)
     activesupport (2.3.15)
+    rails (2.3.15)
+      actionmailer (= 2.3.15)
+      actionpack (= 2.3.15)
+      activerecord (= 2.3.15)
+      activeresource (= 2.3.15)
+      activesupport (= 2.3.15)
+      rake (>= 0.8.3)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
     annotate (2.4.0)
     archive-tar-minitar (0.5.2)
     bootstrap-sass (2.1.1.0)
@@ -77,14 +90,7 @@ GEM
     newrelic_rpm (3.5.4.34)
     pg (0.13.2)
     polyglot (0.3.3)
-    rack (1.1.4)
-    rails (2.3.15)
-      actionmailer (= 2.3.15)
-      actionpack (= 2.3.15)
-      activerecord (= 2.3.15)
-      activeresource (= 2.3.15)
-      activesupport (= 2.3.15)
-      rake (>= 0.8.3)
+    rack (1.1.5)
     rake (0.9.2.2)
     rbx-require-relative (0.0.9)
     rdoc (2.4.3)
@@ -167,7 +173,7 @@ DEPENDENCIES
   newrelic_rpm
   pg
   rack (~> 1.1.0)
-  rails (= 2.3.15)
+  rails!
   rake (= 0.9.2.2)
   rdoc (~> 2.4.3)
   recaptcha (~> 0.3.1)
diff --git a/config/deploy.rb b/config/deploy.rb
index 004c3df35..f52883bd4 100644
--- a/config/deploy.rb
+++ b/config/deploy.rb
@@ -19,7 +19,7 @@ server configuration['server'], :app, :web, :db, :primary => true
 namespace :rake do
   namespace :themes do
     task :install do
-      run "cd #{release_path} && bundle exec rake themes:install RAILS_ENV=#{rails_env}"
+      run "cd #{latest_release} && bundle exec rake themes:install RAILS_ENV=#{rails_env}"
     end
   end
 end
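Review bot: The new `git "git://github.com/mysociety/rails.git"` source fetches the security-patched Rails fork over the bare git protocol, which has neither transport authentication nor encryption, so the code pulled is only as trustworthy as the network path to github.com at fetch time. The `revision:` pinned in Gemfile.lock gives a `--deployment`/`--frozen` install integrity (Bundler checks out that exact commit), but anything that re-resolves the `2-3-stable` branch — `bundle update rails`, or an install without a frozen lock — takes whatever the branch points to over an unauthenticated channel. Use the authenticated transport instead: `git "https://github.com/mysociety/rails.git", :branch => "2-3-stable" do`. The same hunk keeps `source :rubygems`, which the lockfile hunk shows resolving to `remote: http://rubygems.org/`; `source 'https://rubygems.org'` would put gem downloads over TLS as well.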
diff --git a/config/environment.rb b/config/environment.rb
index b32eeeb01..21415dfd8 100644
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -43,7 +43,7 @@ require File.join(File.dirname(__FILE__), '../lib/old_rubygems_patch')
 require 'configuration'
 # Application version
-ALAVETELI_VERSION = '0.6.8'
+ALAVETELI_VERSION = '0.6.9'
 Rails::Initializer.run do |config|
   # Load intial mySociety config
diff --git a/doc/CHANGES.md b/doc/CHANGES.md
index b74e46248..2c8692bb5 100644
--- a/doc/CHANGES.md
+++ b/doc/CHANGES.md
@@ -1,3 +1,22 @@
+# Version 0.6.9
+## Highlighted features
+* [Security] Fix for security issue where image files from HTML conversion on hidden/requester-only requests were accessible without authentication [issue #739](https://github.com/mysociety/alaveteli/issues/739).
+* [Security] Fix for issue where the zip file download function was available for logged-in users even on hidden/requester-only requests [issue #743](https://github.com/mysociety/alaveteli/issues/743)
+* [Security] Upgrades to Rails 2.3.15 to get fixes for Rails security flaws CVE-2012-5664 and CVE-2013-0156. In addition, switches to use Rails pulled from a clone in the mySociety github account, which has had the CVE-2013-0155 2.3 series patch applied to it.
+* Isolation of mail handling code in the MailHandler module in lib/mail_handler
+* Tests run under Ruby 1.9.3 - *running the app under 1.9 not yet advised*.
+* Routes without a locale part can be enabled for the default locale - see upgrade notes
+* Fixes to support themed error pages, and allow responsive themes (Matthew Landauer, Brendan Molloy)
+* Migrations run under sqlite (Stefan Langenmaier)
+* Time zone fixes (Henare Degan)
+* Faster tests (Henare Degan)
+
+* [List of issues on github](https://github.com/mysociety/alaveteli/issues?milestone=25&state=closed)
+
+## Upgrade notes
+* Note the new config variable INCLUDE_DEFAULT_LOCALE_IN_URLS (if not set defaults to true, which should replicate existing behaviour)
+* Check out this version and run `rails-post-deploy` as usual.
+
 # Version 0.6.8
 
 ## Highlighted features
diff --git a/lib/timezone_fixes.rb b/lib/timezone_fixes.rb
index e6d2f9470..1bf326ccd 100644
--- a/lib/timezone_fixes.rb
+++ b/lib/timezone_fixes.rb
@@ -4,7 +4,9 @@ # Otherwise times get stored wrong during British Summer Time
-# Hopefully fixed in later Rails. There is a test in spec/libs/timezone_fixes.rb
+# Hopefully fixed in later Rails. There is a test in spec/lib/timezone_fixes_spec.rb
+
+# This fix is applied in Rails 3.x. So, should be possible to remove this then!
 # Monkeypatch!
 module ActiveRecord
diff --git a/locale/cy/app.po b/locale/cy/app.po
index 2ed1354a8..31a6445ee 100644
--- a/locale/cy/app.po
+++ b/locale/cy/app.po
@@ -4,13 +4,14 @@
 #
 # Translators:
 # <alex@alexskene.com>, 2011-2012.
+# <graham.craig@gmail.com>, 2013.
 msgid ""
 msgstr ""
 "Project-Id-Version: alaveteli\n"
 "Report-Msgid-Bugs-To: http://github.com/sebbacon/alaveteli/issues\n"
 "POT-Creation-Date: 2012-12-18 10:11+0000\n"
-"PO-Revision-Date: 2012-12-18 10:14+0000\n"
-"Last-Translator: louisecrow <louise@mysociety.org>\n"
+"PO-Revision-Date: 2013-01-13 07:34+0000\n"
+"Last-Translator: baragouiner <graham.craig@gmail.com>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -34,7 +35,7 @@ msgid ""
 msgstr ""
 
 msgid " (you)"
-msgstr ""
+msgstr "(chi)"
 
 msgid " - view and make Freedom of Information requests"
 msgstr ""
@@ -106,10 +107,10 @@ msgid " made by "
 msgstr ""
 
 msgid " or "
-msgstr ""
+msgstr "neu"
 
 msgid " when you send this message."
-msgstr ""
+msgstr "pan chi'n anfon y neges hon"
 
 msgid ""
 "\"Hello! We have an <a "
@@ -145,7 +146,7 @@ msgid "'Pollution levels over time for the River Tyne'"
 msgstr ""
 
 msgid "'{{link_to_authority}}', a public authority"
-msgstr ""
+msgstr "'{{link_to_authority}}', awdurdod cyhoeddus"
 
 msgid "'{{link_to_request}}', a request"
 msgstr ""
@@ -157,13 +158,13 @@ msgid ",\\n\\n\\n\\nYours,\\n\\n{{user_name}}"
 msgstr ""
 
 msgid "- or -"
-msgstr ""
+msgstr "- neu -"
 
 msgid "1. Select an authority"
-msgstr ""
+msgstr "1. Dewis awdurdod"
 
 msgid "2. Ask for Information"
-msgstr ""
+msgstr "2. Gofyn am wybodaeth"
 
 msgid "3. Now check your request"
 msgstr ""
@@ -194,7 +195,7 @@ msgid ""
 msgstr ""
 
 msgid "<a href=\"%s\">details</a>"
-msgstr ""
+msgstr "<a href=\"%s\">manylion</a>"
 
 msgid "<a href=\"%s\">what's that?</a>"
 msgstr ""
@@ -203,7 +204,7 @@ msgid ""
 "<p>All done! Thank you very much for your help.</p><p>There are <a "
 "href=\"{{helpus_url}}\">more things you can do</a> to help "
 "{{site_name}}.</p>"
-msgstr ""
+msgstr "<p>Wedi gorffen! Diolch yn fawr am eich help.</p><p>Mae <a href=\"{{helpus_url}}\">mwy o bethau i'w wneud</a>er mwyn helpu {{site_name}}.</p>"
 
 msgid ""
 "<p>Thank you! Here are some ideas on what to do next:</p>\\n "
diff --git a/script/rails-post-deploy b/script/rails-post-deploy
index abc7fab41..a1c613312 100755
--- a/script/rails-post-deploy
+++ b/script/rails-post-deploy
@@ -76,7 +76,10 @@ if [ "$OPTION_STAGING_SITE" = "0" ]
 then
     bundle_install_options="--without development:test --deployment"
 fi
-
+if [ "$OPTION_STAGING_SITE" = "1" ]
+then
+    bundle_install_options="--path vendor/bundle"
+fi
 if [ "$TRAVIS" = "true" ]
 then
     bundle_install_options="--without development develop --deployment"
diff --git a/vendor/plugins/mongrel_proctitle/LICENSE b/vendor/plugins/mongrel_proctitle/LICENSE
deleted file mode 100644
index f958401bc..000000000
--- a/vendor/plugins/mongrel_proctitle/LICENSE
+++ /dev/null
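Review bot: The new staging branch sets `bundle_install_options="--path vendor/bundle"` without `--deployment` or `--frozen`, unlike the production branch just above it, so on a staging site Bundler may re-resolve and rewrite Gemfile.lock when it and the Gemfile disagree instead of failing; with Rails now coming from a git branch declared in the Gemfile, that can silently move the checkout off the revision pinned in the lockfile. If the only intended difference from production is keeping the development and test groups installed, `bundle_install_options="--path vendor/bundle --frozen"` preserves that while still enforcing the lock. The variable is also overwritten rather than appended in each branch, so the two `OPTION_STAGING_SITE` cases and the `TRAVIS` check below form a last-assignment-wins chain; presumably intended, but a comment such as `# staging: keep development/test gems but still honour Gemfile.lock` would make it explicit. The enclosing script continues outside the hunk.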
@@ -1,10 +0,0 @@
-Copyright (c) 2007, Alexander Staubo.
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- * The names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/plugins/mongrel_proctitle/README b/vendor/plugins/mongrel_proctitle/README deleted file mode 100644 index ff0250a7a..000000000 --- a/vendor/plugins/mongrel_proctitle/README +++ /dev/null @@ -1,32 +0,0 @@ -Mongrel process title plugin -============================ - -This is a simple plugin for Rails which changes Mongrel's process title to reflect what it's currently doing. You can then determine a given Mongrel server's status using "ps". For example: - - mongrel_rails [10010/2/358]: handling 127.0.0.1: HEAD /feed/calendar/global/91/6de4 - | | | | | | - | | | | | The current request (method and path) - | | | | | - | | | | The client IP - | | | | - | | | What it's doing - | | | - | | The number of requests processed during the server's lifetime - | | - | The number of requests currently queued/being processed concurrently - | - The port that Mongrel is serving - - -Installing into a Rails Mongrel app ------------------------------------ - -Nothing special. Just drop the plugin in vendor/plugins. - - -Installing into a non-Rails Mongrel app ---------------------------------------- - -Just require the module during startup: - - require "mongrel_proctitle" diff --git a/vendor/plugins/mongrel_proctitle/init.rb b/vendor/plugins/mongrel_proctitle/init.rb deleted file mode 100644 index e9748df5e..000000000 --- a/vendor/plugins/mongrel_proctitle/init.rb +++ /dev/null @@ -1,3 +0,0 @@ -if defined?(Mongrel) - require "mongrel_proctitle" -end diff --git a/vendor/plugins/mongrel_proctitle/install.rb b/vendor/plugins/mongrel_proctitle/install.rb deleted file mode 100644 index f7732d379..000000000 --- a/vendor/plugins/mongrel_proctitle/install.rb +++ /dev/null @@ -1 +0,0 @@ -# Install hook code here diff --git a/vendor/plugins/mongrel_proctitle/lib/mongrel_proctitle.rb b/vendor/plugins/mongrel_proctitle/lib/mongrel_proctitle.rb deleted file mode 100644 index 28f4b46ee..000000000 
--- a/vendor/plugins/mongrel_proctitle/lib/mongrel_proctitle.rb +++ /dev/null 
@@ -1,122 +0,0 @@ -module Mongrel - - # Mongrel process title modification. - class Proctitler - - # Initializes titler. - def initialize(port, prefix) - @prefix = prefix - @port = port - @mutex = Mutex.new - @titles = [] - @queue_length = 0 - @request_count = 0 - end - - # Returns port used in title. - def port - @port - end - - # Return port used in title. - def port=(new_port) - @port = new_port - end - - def request(&block) - titles, mutex = @titles, @mutex - mutex.synchronize do - @queue_length += 1 - titles.push(self.title) - end - begin - yield - ensure - mutex.synchronize do - @queue_length -= 1 - @request_count += 1 - self.title = titles.pop || "xxx" - end - end - end - - # Reports process as being idle. - def set_idle - self.title = "idle" - end - - # Reports process as handling a socket. - def set_processing(socket) - self.title = "handling #{socket.peeraddr.last}" - end - - # Reports process as handling a socket. - def set_handling(request) - params = request.params - address = params['REMOTE_ADDR'] - method = params['REQUEST_METHOD'] - path = params['REQUEST_PATH'] - path = "#{path[0, 60]}..." if path.length > 60 - self.title = "handling #{address}: #{method} #{path}" - end - - # Returns current title - def title - @title - end - - # Sets process title. - def title=(title) - @title = title - update_process_title - end - - # Updates the process title. - def update_process_title - title = "#{@prefix} [" - title << (@port ? "#{@port}" : "?") - title << "/#{@queue_length}" - title << "/#{@request_count}" - title << "]: #{@title}" - $0 = title - end - - end - - # Handler which sets process title before request. 
- class ProctitleHandler < HttpHandler - def initialize(titler) - @titler = titler - end - - def process(request, response) - @titler.set_handling(request) - end - end - - class HttpServer - - def run_with_proctitle(*args) - @titler = Proctitler.new(self.port, File.basename($0)) - @titler.set_idle - run_without_proctitle - end - alias_method :run_without_proctitle, :run - alias_method :run, :run_with_proctitle - - def process_client_with_proctitle(client) - unless @handler - @handler = ProctitleHandler.new(@titler) - register("/", @handler, true) - end - @titler.request do - @titler.set_processing(client) - return process_client_without_proctitle(client) - end - end - alias_method :process_client_without_proctitle, :process_client - alias_method :process_client, :process_client_with_proctitle - - end - -end diff --git a/vendor/plugins/mongrel_proctitle/uninstall.rb b/vendor/plugins/mongrel_proctitle/uninstall.rb deleted file mode 100644 index 973833346..000000000 --- a/vendor/plugins/mongrel_proctitle/uninstall.rb +++ /dev/null @@ -1 +0,0 @@ -# Uninstall hook code here |