Merge branch '3-2-sec' into 3-2-stable

Conflicts: actionpack/CHANGELOG.md
author: Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-05-06 13:31:07 -0300
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-05-06 13:31:07 -0300
commit: bbec7d72bed585d24f3d0d827b4911e30a887708 (patch)
tree: 65c65beb5cf9e1992a993dd1ee8ac133f825653a /actionpack/CHANGELOG.md
parent: a3bda38467377cb8c3cdd52b6fcf6c6c31f74b82 (diff)
parent: 50d6b4549d56ac3a82f2096bd479a7b2305b0bf3 (diff)
download: rails-bbec7d72bed585d24f3d0d827b4911e30a887708.tar.gz
rails-bbec7d72bed585d24f3d0d827b4911e30a887708.tar.bz2
rails-bbec7d72bed585d24f3d0d827b4911e30a887708.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index a5dbfbd12d..643e926312 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -5,6 +5,18 @@
 
     *Shota Fukumori (sora_h)*
 
+
+## Rails 3.2.18 (May 6, 2014) ##
+
+*   Only accept actions without File::SEPARATOR in the name.
+
+    This will avoid directory traversal in implicit render.
+
+    Fixes: CVE-2014-0130
+
+    *Rafael Mendonça França*
+
+
 ## Rails 3.2.17 (Feb 18, 2014) ##
 
 *   Use the reference for the mime type to get the format
author	Rafael Mendonça França <rafaelmfranca@gmail.com>	2014-05-06 13:31:07 -0300
committer	Rafael Mendonça França <rafaelmfranca@gmail.com>	2014-05-06 13:31:07 -0300
commit	bbec7d72bed585d24f3d0d827b4911e30a887708 (patch)
tree	65c65beb5cf9e1992a993dd1ee8ac133f825653a /actionpack/CHANGELOG.md
parent	a3bda38467377cb8c3cdd52b6fcf6c6c31f74b82 (diff)
parent	50d6b4549d56ac3a82f2096bd479a7b2305b0bf3 (diff)
download	rails-bbec7d72bed585d24f3d0d827b4911e30a887708.tar.gz rails-bbec7d72bed585d24f3d0d827b4911e30a887708.tar.bz2 rails-bbec7d72bed585d24f3d0d827b4911e30a887708.zip