author: Godfrey Chan <godfreykfc@gmail.com> 2014-12-15 14:46:32 -0800
committer: Godfrey Chan <godfreykfc@gmail.com> 2014-12-15 14:46:32 -0800
commit: 488aefe7426bbd6f071019dff4c4cd1fbfd56742 (patch)
tree: c6d6a90582aa07f37502e34f301a750072f28779 /actionpack/CHANGELOG.md
parent: 485723e87a969984c054f68d1781cf99f8a68a5f (diff)
parent: 8f8ccb9901cab457c6e1d52bdb25acf658fd5777 (diff)
Merge pull request #16924 from Sinjo/params-deep-munge-empty-array
Don't convert empty arrays to nils when deep munging params
Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- actionpack/CHANGELOG.md 11
1 files changed, 11 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 3b02994459..115ad54190 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,14 @@
+* Stop converting empty arrays in `params` to `nil`
+
+ This behaviour was introduced in response to CVE-2012-2660, CVE-2012-2694
+ and CVE-2013-0155
+
+ ActiveRecord now issues a safe query when passing an empty array into
+ a where clause, so there is no longer a need to defend against this type
+ of input (any nils are still stripped from the array).
+
+ *Chris Sinjakli*
+
* Fixed usage of optional scopes in URL helpers.
*Alex Robbin*
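
Review bot: The third paragraph of the new entry justifies the change only by ActiveRecord's handling of an empty array in a where clause, so the claim "there is no longer a need to defend against this type of input" does not cover code that reads `params` and uses the value some other way. Since the old conversion was a mitigation for the three CVEs named in the second paragraph, the entry should say explicitly that this is a behaviour change for callers and that anything consuming `params` outside an ActiveRecord where clause now receives `[]` where it used to receive `nil`. The parenthetical "any nils are still stripped from the array" also leaves one case unstated: whether an array that contains only nils ends up as `[]` or as `nil` after stripping; one sentence covering that would make the entry complete. Minor: the sentence ending in "CVE-2013-0155" is missing its full stop.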