diff options
author | Jeremy Kemper <jeremy@bitsweat.net> | 2013-01-05 17:46:26 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 12:03:34 -0800 |
commit | 2ced6f2f8a85957b160710ae5d9fb245a6106550 (patch) | |
tree | 49639ba51eea7ae97731e1ce3e8d15be954ba5e4 /activesupport/CHANGELOG.md | |
parent | d99e8c9e1618f509bb35f052d4bd0d1848bce771 (diff) | |
download | rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.tar.gz rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.tar.bz2 rails-2ced6f2f8a85957b160710ae5d9fb245a6106550.zip |
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
Diffstat (limited to 'activesupport/CHANGELOG.md')
-rw-r--r-- | activesupport/CHANGELOG.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 08bec2f4ae..5848f9712f 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,5 +1,12 @@ ## Rails 4.0.0 (unreleased) ## +* Hash.from_xml raises when it encounters type="symbol" or type="yaml". + Use Hash.from_trusted_xml to parse this XML. + + CVE-2013-0156 + + *Jeremy Kemper* + * Deprecate `assert_present` and `assert_blank` in favor of `assert object.blank?` and `assert object.present?` |