diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2014-07-10 10:20:16 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2014-07-10 10:20:16 -0700 |
commit | 93fb4c1e62dc9605eecbfaffda2becc85890fa5f (patch) | |
tree | d614c3eed3fc10a3d77c2a9fd95f684a76e20d77 /actionpack/CHANGELOG.md | |
parent | 6b6832eeeb43c5f2553373f84677350ba654346a (diff) | |
parent | 4003a5bd76ece6d5273e00bf9f468fbdcf9ce1d6 (diff) | |
download | rails-93fb4c1e62dc9605eecbfaffda2becc85890fa5f.tar.gz rails-93fb4c1e62dc9605eecbfaffda2becc85890fa5f.tar.bz2 rails-93fb4c1e62dc9605eecbfaffda2becc85890fa5f.zip |
Merge branch 'rosetta_flash' of https://github.com/gcampbell/rails into gcampbell-rosetta_flash
* 'rosetta_flash' of https://github.com/gcampbell/rails:
Address CVE-2014-4671 (JSONP Flash exploit)
Conflicts:
actionpack/CHANGELOG.md
Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 6abc0a8077..fb36396167 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,8 @@ +* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 + ("Rosetta Flash") + + *Greg Campbell* + * Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to |