CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.

author: Jeremy Kemper <jeremy@bitsweat.net> 2013-01-05 17:46:26 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2013-01-08 12:03:34 -0800
commit: 2ced6f2f8a85957b160710ae5d9fb245a6106550 (patch)
tree: 49639ba51eea7ae97731e1ce3e8d15be954ba5e4 /activesupport/CHANGELOG.md
parent: d99e8c9e1618f509bb35f052d4bd0d1848bce771 (diff)
download: rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.tar.gz
rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.tar.bz2
rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 08bec2f4ae..5848f9712f 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,5 +1,12 @@
 ## Rails 4.0.0 (unreleased) ##
 
+*   Hash.from_xml raises when it encounters type="symbol" or type="yaml".
+    Use Hash.from_trusted_xml to parse this XML.
+
+    CVE-2013-0156
+
+    *Jeremy Kemper*
+
 *   Deprecate `assert_present` and `assert_blank` in favor of
     `assert object.blank?` and `assert object.present?`
author	Jeremy Kemper <jeremy@bitsweat.net>	2013-01-05 17:46:26 -0700
committer	Aaron Patterson <aaron.patterson@gmail.com>	2013-01-08 12:03:34 -0800
commit	2ced6f2f8a85957b160710ae5d9fb245a6106550 (patch)
tree	49639ba51eea7ae97731e1ce3e8d15be954ba5e4 /activesupport/CHANGELOG.md
parent	d99e8c9e1618f509bb35f052d4bd0d1848bce771 (diff)
download	rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.tar.gz rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.tar.bz2 rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.zip