1.0.x

CHANGELOG

@@ -1,3 +1,64 @@
+== 1.0.13 "The weekend has landed" 2009-10-30
+
+* [merb_datamapper] Support for dm-0.10.x (identity map wrapping is now perforemd at the rack level)
+* [merb-core] Fix run_later to work on servers other than just 'merb' (Thin or Phusion Passenger for example)
+* [merb-gen] Don't add resource route to config/routes.rb when using -p or -d with merb-gen resource
+* [merb-gen] Explain how to load dependencies in (very) flat apps
+* [merb] Fixed failing rake install due to missing merb-more
+* [merb] rake uninstall now uninstalls everything that got rake install'ed
+* [merb-core] Allow testing without webrat
+* [merb-haml] Fixed compilation of sass files
+* [merb-helpers] Select the correct field in bound select tags
+
+* [merb-core] -i and --irb-console take precedence over config in init.rb.
+
+  This change allows you to have default adapter set
+  in the init.rb and still if you want to run Merb in
+  IRB you can do it. Currently you can't because setting
+  adapter in init.rb override the config value from ARGV
+  parsing.
+
+* [merb-helpers] Generate valid html id attributes
+
+  This patch changes any occurrence of '[' or ']' in id attributes to '_'.
+  The brackets are not valid characters in an HTML id attribute value.
+
+* [merb-core] Fix potential timing attack on cookie sessions
+
+  This patch fixes a potential timing attack on the HMAC authentication
+  used to verify cookie session contents by ensuring a constant time
+  algorithm is used to compare the hashes.  For more information see:
+
+  http://codahale.com/a-lesson-in-timing-attacks/
+
+* [merb-auth-slice-password] Use proper config value
+
+  Without this change, the default password strategy
+  is always activated because the wrong config key is
+  used.
+
+* [merb-gen] Fixing generated thor task to work with RubyGems 1.3.5.
+
+  Setting thor dependency to "~> 0.9.9", as newer versions will break
+  the default merb-gen app bundling tasks
+
+* [merb-core] Fixed multipart specs (including spec10)
+
+  The previous version of the spec was wrong in expecting that
+
+    file_params[:tempfile].should be_a_kind_of(File)
+
+  This spec only passed because of a now resolved bug in older versions of rspec.
+  The correct spec for the tempfile param now reads:
+
+    file_params[:tempfile].should be_a_kind_of(Tempfile)
+
+* To run merb's specsuite (rake spec or rake specs:oneoh) you will either need webrat-0.3.1 or webrat-0.4.0
+  installed. webrat-0.4 is recommended for use in your app's specs, using newer versions of webrat may be
+  possible but is not explicitly supported.
+
+* Minor docfixes
+
 == 1.0.1
 * generate unique session_id_key with new apps
 

LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Engine Yard
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Rakefile

@@ -43,12 +43,11 @@ merb_release = {
       "merb-mailer",
       "merb-param-protection",
       "merb_datamapper",
-      "merb",
-      "merb-more"
+      "merb"
     ]
 }
 
-merb_gem_paths = %w[merb merb-core merb_datamapper] + merb_more_gem_paths
+merb_gem_paths = %w[merb-core merb_datamapper] + merb_more_gem_paths + %w[merb]
 
 merb_gems = merb_gem_paths.map { |p| File.basename(p) }
 merb_more_gems = merb_more_gem_paths.map { |p| File.basename(p) }
@@ -115,11 +114,17 @@ task :install do
   merb_gems.each do |gem|
     Merb::RakeHelper.install(gem, :version => Merb::VERSION)
   end
-  puts %x{sudo gem install pkg/merb-more-#{Merb::VERSION}.gem}
 end
 
 desc "Uninstall all gems"
-task :uninstall => ['uninstall:core', 'uninstall:more']
+task :uninstall do
+  merb_gems.each do |gem|
+    Merb::RakeHelper.uninstall(gem, :version => Merb::VERSION)
+  end
+  Merb::RakeHelper.uninstall('merb-auth-slice-password', :version => Merb::VERSION)
+  Merb::RakeHelper.uninstall('merb-auth-more', :version => Merb::VERSION)
+  Merb::RakeHelper.uninstall('merb-auth-core', :version => Merb::VERSION)
+end
 
 desc "Build the merb-more gems"
 task :build_gems do

merb-action-args/Rakefile

@@ -31,7 +31,7 @@ spec = Gem::Specification.new do |s|
   s.author = AUTHOR
   s.email = EMAIL
   s.homepage = PROJECT_URL
-  s.add_dependency('merb-core', ">= #{Merb::VERSION}")
+  s.add_dependency('merb-core', "~> #{Merb::VERSION}")
   s.add_dependency('ruby2ruby', '>= 1.1.9')
   s.add_dependency('ParseTree', '>= 2.1.1')
   s.require_path = 'lib'

merb-assets/Rakefile

@@ -31,7 +31,7 @@ spec = Gem::Specification.new do |s|
   s.author = GEM_AUTHOR
   s.email = GEM_EMAIL
   s.homepage = PROJECT_URL
-  s.add_dependency('merb-core', ">= #{Merb::VERSION}")
+  s.add_dependency('merb-core', "~> #{Merb::VERSION}")
   s.require_path = 'lib'
   s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,spec}/**/*")
 end

merb-assets/spec/merb-assets_spec.rb

@@ -73,8 +73,8 @@
   end
 
   it "should convert objects that respond to to_json to json" do
-    js({'user' => 'Lewis', 'page' => 'home'}).should ==
-      "{\"user\":\"Lewis\",\"page\":\"home\"}"
+    expected = {'user' => 'Lewis', 'page' => 'home'}
+    JSON.parse(js(expected)).should == expected
   end
 
   it "should convert objects using inspect that don't respond to_json to json" do

merb-auth/merb-auth-more/lib/merb-auth-more/mixins/salted_user/dm_salted_user.rb

@@ -5,8 +5,8 @@ module DMClassMethods
         def self.extended(base)
           base.class_eval do
 
-            property :crypted_password,           String
-            property :salt,                       String
+            property :crypted_password, String, :length => 60
+            property :salt,             String
 
             validates_present        :password, :if => proc{|m| m.password_required?}
             validates_is_confirmed   :password, :if => proc{|m| m.password_required?}

merb-auth/merb-auth-slice-password/lib/merb-auth-slice-password.rb

@@ -36,7 +36,7 @@ def self.loaded
     # Initialization hook - runs before AfterAppLoads BootLoader
     def self.init
       require 'merb-auth-more/mixins/redirect_back'      
-      unless MerbAuthSlicePassword[:no_default_strategies]
+      unless ::Merb::Slices::config[:"merb-auth-slice-password"][:no_default_strategies]
         ::Merb::Authentication.activate!(:default_password_form)
       end
     end

merb-cache/Rakefile

@@ -31,7 +31,7 @@ spec = Gem::Specification.new do |s|
   s.author = GEM_AUTHOR
   s.email = GEM_EMAIL
   s.homepage = PROJECT_URL
-  s.add_dependency('merb-core', ">= #{Merb::VERSION}")
+  s.add_dependency('merb-core', "~> #{Merb::VERSION}")
   s.require_path = 'lib'
   s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,spec}/**/*")
 end

merb-cache/spec/merb-cache/stores/strategy/action_store_spec.rb

@@ -158,7 +158,7 @@ def ticker
     end
 
     it "should cache the stats action by team, start_date & end_date parameters" do
-      start_date, end_date = Time.today.to_s, Time.now.to_s
+      start_date, end_date = (Time.now - 60).to_s, Time.now.to_s
       dispatch_to(MLBScores, :stats, :start_date => start_date, :end_date => end_date)
 
       @dummy.data("MLBScores#stats", :team => :all, :start_date => start_date, :end_date => end_date).should == "MLBScores stats(all, #{start_date}, #{end_date})"

merb-core/Rakefile

@@ -66,7 +66,7 @@ spec = Gem::Specification.new do |s|
   s.add_dependency "rspec"
   s.add_dependency "rack"
   s.add_dependency "mime-types"
-  s.add_dependency "thor", ">= 0.9.9"
+  s.add_dependency "thor", "~> 0.9.9"
   # this escalates to "regular" dependencies, comment it out
   # for now. RubyGems need some love.
   #s.add_development_dependency "libxml-ruby"
@@ -352,7 +352,7 @@ def contributors(since_release = nil)
   git_log(since_release).split("\n").uniq.sort
 end
 
-PREVIOUS_RELEASE = '0.9.9'
+PREVIOUS_RELEASE = '0.9.10'
 namespace :history do
   namespace :update do
     desc "updates contributors list"

merb-core/lib/merb-core.rb

@@ -154,6 +154,9 @@ def start(argv = ARGV)
         Merb::Config.parse_args(argv)
       end
 
+      # Keep information that we run inside IRB to guard it against overriding in init.rb
+      @running_irb = Merb::Config[:adapter] == 'irb'
+
       Merb::Config[:log_stream] = STDOUT
 
       Merb.environment = Merb::Config[:environment]
@@ -786,6 +789,11 @@ def on_windows?
     def run_later(&blk)
       Merb::Dispatcher.work_queue << blk
     end
+
+    # :api: private
+    def running_irb?
+      @running_irb
+    end
   end
 end
 

merb-core/lib/merb-core/bootloader.rb

@@ -418,6 +418,7 @@ def self.enable_json_gem
   rescue LoadError
     gem "json_pure"
     require "json/pure"
+    require "merb-core/core_ext/json_pure_fix"
   end
 
   # Resets the logger and sets the log_stream to Merb::Config[:log_file]
@@ -1268,6 +1269,8 @@ class Merb::BootLoader::ChooseAdapter < Merb::BootLoader
   #
   # :api: plugin
   def self.run
+    # Check if we running in IRB if so run IRB adapter
+    Merb::Config[:adapter] = 'irb' if Merb.running_irb?
     Merb.adapter = Merb::Rack::Adapter.get(Merb::Config[:adapter])
   end
 end
@@ -1306,6 +1309,19 @@ def self.run
   end
 end
 
+class Merb::BootLoader::BackgroundServices < Merb::BootLoader
+  # Start background services, such as the run_later worker thread.
+  #
+  # ==== Returns
+  # nil
+  #
+  # :api: plugin
+  def self.run
+    Merb::Worker.start unless Merb.testing? || Merb::Worker.started?
+    nil
+  end
+end
+
 class Merb::BootLoader::ReloadClasses < Merb::BootLoader
 
   class TimedExecutor

merb-core/lib/merb-core/config.rb

@@ -151,6 +151,10 @@ def to_yaml
       #
       # :api: private
       def setup(settings = {})
+        # Merge new settings with any existing configuration settings
+        settings = @configuration.merge(settings) unless @configuration.nil?
+
+        # Merge new settings with default settings
         config = defaults.merge(settings)
 
         unless config[:reload_classes]

merb-core/lib/merb-core/constants.rb

@@ -38,7 +38,7 @@ module Const
     JSON_MIME_TYPE_REGEXP    = %r{^application/json|^text/x-json}.freeze
     XML_MIME_TYPE_REGEXP     = %r{^application/xml|^text/xml}.freeze
     FORM_URL_ENCODED_REGEXP  = %r{^application/x-www-form-urlencoded}.freeze
-    LOCAL_IP_REGEXP          = /^unknown$|^(127|10|172\.16|192\.168)\./i.freeze
+    LOCAL_IP_REGEXP          = /^unknown$|^(127|10|172\.16|192\.168)\.|^(172\.(1[6-9]|2[0-9]|3[0-1]))\.|^(169\.254)\./i.freeze
     XML_HTTP_REQUEST_REGEXP  = /XMLHttpRequest/i.freeze
     UPCASE_CONTENT_TYPE      = 'CONTENT_TYPE'.freeze
     CONTENT_TYPE             = "Content-Type".freeze

merb-core/lib/merb-core/core_ext.rb

@@ -1,7 +1,7 @@
 begin
   require "extlib"
 rescue LoadError => e
-  puts "Merb-core 0.9.4 and later uses extlib for Ruby core class extensions. Install it from github.com/sam/extlib."
+  puts "Merb-core 0.9.4 and later uses extlib for Ruby core class extensions. Install it from github.com/datamapper/extlib."
   exit
 end
 

merb-core/lib/merb-core/core_ext/json_pure_fix.rb

@@ -0,0 +1,14 @@
+if defined?(JSON::Pure::Parser::STRING)
+  class JSON::Pure::Parser
+    if JSON::Pure::Parser::STRING.source.include?('\\[\x20-\xff]')
+      remove_const(:STRING)
+      STRING = /" ((?:[^\x0-\x1f"\\] |
+                \\["\\\/bfnrt] |
+                \\u[0-9a-fA-F]{4} |
+                \\[\x20-\x21\x23-\x2e\x30-\x5b\x5d-\x61\x63-\x65\x67-\x6d\x6f-\x71\x73\x75-\xff])*)
+               "/nx
+      warn("You are running an outdated an vulnerable version of JSON::Pure. Merb has fixed the vulnerability, but " \
+           "you should upgrade to the latest version of JSON::Pure or use the json gem")
+    end
+  end
+end

merb-core/lib/merb-core/core_ext/kernel.rb

@@ -436,7 +436,7 @@ def __profile__(name, min=1, iter=100)
   #
   # :api: public
   def extract_options_from_args!(args)
-    args.pop if Hash === args.last
+    args.pop if (args.last.instance_of?(Hash) || args.last.instance_of?(Mash))
   end
 
   # Checks that the given objects quack like the given conditions.

merb-core/lib/merb-core/dispatch/router/behavior.rb

@@ -303,7 +303,7 @@ def match(path = {}, conditions = {}, &block)
       # r<Behavior>:: +optional+ - The to behavior object.
       # 
       # ==== Returns
-      # Route:: It registers a new route and returns it.
+      # Behavior:: The route definition behavior defining the created route
       # 
       # ==== Examples
       #   match('/:controller/:id).to(:action => 'show')

merb-core/lib/merb-core/dispatch/router/route.rb

@@ -183,7 +183,7 @@ def identify(obj, param_key = nil)
       def identifier_for(obj)
         return if obj.is_a?(String)    || obj.is_a?(Symbol)     || obj.is_a?(Numeric)  ||
                   obj.is_a?(TrueClass) || obj.is_a?(FalseClass) || obj.is_a?(NilClass) ||
-                  obj.is_a?(Array)     || obj.is_a?(Hash)
+                  obj.is_a?(Array)     || obj.instance_of?(Hash)
 
         @identifiers.each do |klass, identifier|
           return identifier if obj.is_a?(klass)

merb-core/lib/merb-core/dispatch/session/cookie.rb

@@ -148,6 +148,36 @@ def to_cookie
     def generate_digest(data)
       OpenSSL::HMAC.hexdigest(DIGEST, @secret, data)
     end
+
+    # Securely compare two digests using a constant time algorithm.
+    # This avoids leaking information about the calculated HMAC
+    #
+    # Based on code by Michael Koziarski <[email protected]>
+    # http://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978
+    #
+    # ==== Parameters
+    # a, b<~to_s>:: digests to compare.
+    #
+    # ==== Returns
+    # Boolean:: Do the digests validate?
+    def secure_compare(a, b)
+      if a.length == b.length
+
+        # unpack to forty characters.
+        # needed for 1.8 and 1.9 compat
+        a_bytes = a.unpack('C*')
+        b_bytes = b.unpack('C*')
+
+        result = 0
+        for i in 0..(a_bytes.length - 1)
+          result |= a_bytes[i] ^ b_bytes[i]
+        end
+        result == 0
+      else
+        false
+      end
+    end
+
 
     # Unmarshal cookie data to a hash and verify its integrity.
     # 
@@ -167,7 +197,7 @@ def unmarshal(cookie)
       else
         data, digest = Merb::Parse.unescape(cookie).split('--')
         return {} if data.blank? || digest.blank?
-        unless digest == generate_digest(data)
+        unless secure_compare(generate_digest(data), digest)
           clear
           unless Merb::Config[:ignore_tampered_cookies]
             raise TamperedWithCookie, "Maybe the site's session_secret_key has changed?"

merb-core/lib/merb-core/dispatch/worker.rb

@@ -21,6 +21,14 @@ def start
         end
         @worker
       end      
+
+      # ==== Returns
+      # Whether the Merb::Worker instance is already started.
+      #
+      # :api: private
+      def started?
+        [email protected]?
+      end
     end
 
     # Creates a new worker thread that loops over the work queue.