diff options
author | Jeremy Kemper <jeremy@bitsweat.net> | 2013-01-05 17:46:26 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 12:42:29 -0800 |
commit | 46e0d2397ea10a0bf380926c9fe3cfcf14d5c499 (patch) | |
tree | 1001415a74aa4ba81cc8fc305f4cb7a0bc145afc /activesupport/CHANGELOG.md | |
parent | 8e577fe560d5756fcc67840ba304d79ada6804e4 (diff) | |
download | rails-46e0d2397ea10a0bf380926c9fe3cfcf14d5c499.tar.gz rails-46e0d2397ea10a0bf380926c9fe3cfcf14d5c499.tar.bz2 rails-46e0d2397ea10a0bf380926c9fe3cfcf14d5c499.zip |
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
Diffstat (limited to 'activesupport/CHANGELOG.md')
-rw-r--r-- | activesupport/CHANGELOG.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 08bec2f4ae..5848f9712f 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,5 +1,12 @@ ## Rails 4.0.0 (unreleased) ## +* Hash.from_xml raises when it encounters type="symbol" or type="yaml". + Use Hash.from_trusted_xml to parse this XML. + + CVE-2013-0156 + + *Jeremy Kemper* + * Deprecate `assert_present` and `assert_blank` in favor of `assert object.blank?` and `assert object.present?` |