Bump json gem to a safe version for CVE-2013-0269, CVE-2013-0333

3265c3fa · Holger Just · 296db927 · 3265c3fa · 3265c3fa
Commit 3265c3fa authored Feb 12, 2013 by Holger Just
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

Gemfile Gemfile +1 -0

10-patches.rb config/initializers/10-patches.rb +4 -0

No files found.
--- a/Gemfile
+++ b/Gemfile
@@ -2,6 +2,7 @@ source :rubygems

 gem "rails", "2.3.17"

+gem "json", "~> 1.7.7"
 gem "coderay", "~> 0.9.7"
 gem "i18n", "~> 0.4.2"
 gem "rubytree", "~> 0.5.2", :require => 'tree'

--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@@ -165,3 +165,7 @@ module ActionView::Helpers::TagHelper
    ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"\'><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
  end
 end
+
+# Workaround for CVE-2013-0333
+# https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/1h2DR63ViGo/GOUVafeaF1IJ
+ActiveSupport::JSON.backend = "JSONGem"