diff options
| -rw-r--r-- | actionmailer/CHANGELOG.md | 16 | ||||
| -rw-r--r-- | actionpack/CHANGELOG.md | 121 | ||||
| -rw-r--r-- | activemodel/CHANGELOG.md | 14 | ||||
| -rw-r--r-- | activerecord/CHANGELOG.md | 86 | ||||
| -rw-r--r-- | activesupport/CHANGELOG.md | 27 |
5 files changed, 231 insertions, 33 deletions
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index 96cfb43e0b..d2b8c35124 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -6,6 +6,22 @@ * Asynchronously send messages via the Rails Queue *Brian Cardarella* + +## Rails 3.2.8 (Aug 9, 2012) ## + +* No changes. + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* No changes. + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* No changes. + + ## Rails 3.2.5 (Jun 1, 2012) ## * No changes. diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index e1937e14a2..8f845ce7e1 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -17,19 +17,19 @@ We recommend the use of Unobtrusive JavaScript instead. For example: - link_to "Greeting", "#", :class => "nav_link" + link_to "Greeting", "#", :class => "nav_link" - $(function() { - $('.nav_link').click(function() { - // Some complex code + $(function() { + $('.nav_link').click(function() { + // Some complex code - return false; + return false; + }); }); - }); or - link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link" + link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link" for simple cases. @@ -46,18 +46,18 @@ * Added ActionController::Live. Mix it in to your controller and you can stream data to the client live. For example: - class FooController < ActionController::Base - include ActionController::Live + class FooController < ActionController::Base + include ActionController::Live - def index - 100.times { - # Client will see this as it's written - response.stream.write "hello world\n" - sleep 1 - } - response.stream.close + def index + 100.times { + # Client will see this as it's written + response.stream.write "hello world\n" + sleep 1 + } + response.stream.close + end end - end * Remove ActionDispatch::Head middleware in favor of Rack::Head. *Santiago Pastorino* @@ -266,13 +266,13 @@ * Add `collection_check_boxes` form helper, similar to `collection_select`: Example: - collection_check_boxes :post, :author_ids, Author.all, :id, :name - # Outputs something like: - <input id="post_author_ids_1" name="post[author_ids][]" type="checkbox" value="1" /> - <label for="post_author_ids_1">D. Heinemeier Hansson</label> - <input id="post_author_ids_2" name="post[author_ids][]" type="checkbox" value="2" /> - <label for="post_author_ids_2">D. Thomas</label> - <input name="post[author_ids][]" type="hidden" value="" /> + collection_check_boxes :post, :author_ids, Author.all, :id, :name + # Outputs something like: + <input id="post_author_ids_1" name="post[author_ids][]" type="checkbox" value="1" /> + <label for="post_author_ids_1">D. Heinemeier Hansson</label> + <input id="post_author_ids_2" name="post[author_ids][]" type="checkbox" value="2" /> + <label for="post_author_ids_2">D. Thomas</label> + <input name="post[author_ids][]" type="hidden" value="" /> The label/check_box pairs can be customized with a block. @@ -281,12 +281,12 @@ * Add `collection_radio_buttons` form helper, similar to `collection_select`: Example: - collection_radio_buttons :post, :author_id, Author.all, :id, :name - # Outputs something like: - <input id="post_author_id_1" name="post[author_id]" type="radio" value="1" /> - <label for="post_author_id_1">D. Heinemeier Hansson</label> - <input id="post_author_id_2" name="post[author_id]" type="radio" value="2" /> - <label for="post_author_id_2">D. Thomas</label> + collection_radio_buttons :post, :author_id, Author.all, :id, :name + # Outputs something like: + <input id="post_author_id_1" name="post[author_id]" type="radio" value="1" /> + <label for="post_author_id_1">D. Heinemeier Hansson</label> + <input id="post_author_id_2" name="post[author_id]" type="radio" value="2" /> + <label for="post_author_id_2">D. Thomas</label> The label/radio_button pairs can be customized with a block. @@ -330,6 +330,67 @@ HTML5 `mark` element. *Brian Cardarella* +## Rails 3.2.8 (Aug 9, 2012) ## + +* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the + helper doesn't correctly handle malformed html. As a result an attacker can + execute arbitrary javascript through the use of specially crafted malformed + html. + + *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino* + +* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. + If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. + Vulnerable code will look something like this: + select_tag("name", options, :prompt => UNTRUSTED_INPUT) + + *Santiago Pastorino* + +* Reverted the deprecation of `:confirm`. *Rafael Mendonça França* + +* Reverted the deprecation of `:disable_with`. *Rafael Mendonça França* + +* Reverted the deprecation of `:mouseover` option to `image_tag`. *Rafael Mendonça França* + +* Reverted the deprecation of `button_to_function` and `link_to_function` helpers. + + *Rafael Mendonça França* + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* Do not convert digest auth strings to symbols. CVE-2012-3424 + +* Bump Journey requirements to 1.0.4 + +* Add support for optional root segments containing slashes + +* Fixed bug creating invalid HTML in select options + +* Show in log correct wrapped keys + +* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations. + +* ActionController::Metal doesn't have logger method, check it and then delegate + +* ActionController::Caching depends on RackDelegation and AbstractController::Callbacks + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* nil is removed from array parameter values + + CVE-2012-2694 + +* Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers. + + *Carlos Galdino* + +* Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki* + +* Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki* + + ## Rails 3.2.5 (Jun 1, 2012) ## * No changes. diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index 847ae7f237..9188719b78 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -39,10 +39,24 @@ * When `^` or `$` are used in the regular expression provided to `validates_format_of` and the :multiline option is not set to true, an exception will be raised. This is to prevent security vulnerabilities when using `validates_format_of`. The problem is described in detail in the Rails security guide. + +## Rails 3.2.8 (Aug 9, 2012) ## + +* No changes. + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* `validates_inclusion_of` and `validates_exclusion_of` now accept `:within` option as alias of `:in` as documented. + +* Fix the the backport of the object dup with the ruby 1.9.3p194. + + ## Rails 3.2.6 (Jun 12, 2012) ## * No changes. + ## Rails 3.2.5 (Jun 1, 2012) ## * No changes. diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 66e4335e30..fc3f754b9f 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -468,11 +468,11 @@ The `add_index` method now supports a `where` option that receives a string with the partial index criteria. - add_index(:accounts, :code, :where => "active") + add_index(:accounts, :code, :where => "active") - Generates + Generates - CREATE INDEX index_accounts_on_code ON accounts(code) WHERE active + CREATE INDEX index_accounts_on_code ON accounts(code) WHERE active *Marcelo Silveira* @@ -582,6 +582,86 @@ * PostgreSQL hstore types are automatically deserialized from the database. +## Rails 3.2.8 (Aug 9, 2012) ## + +* Do not consider the numeric attribute as changed if the old value is zero and the new value + is not a string. + Fixes #7237. + + *Rafael Mendonça França* + +* Do not consider the numeric attribute as changed if the old value is zero and the new value + is not a string. + Fixes #7237. + + *Rafael Mendonça França* + +* Removes the deprecation of `update_attribute`. *fxn* + +* Reverted the deprecation of `composed_of`. *Rafael Mendonça França* + +* Reverted the deprecation of `*_sql` association options. They will + be deprecated in 4.0 instead. *Jon Leighton* + +* Do not eager load AR session store. ActiveRecord::SessionStore depends on the abstract store + in Action Pack. Eager loading this class would break client code that eager loads Active Record + standalone. + Fixes #7160 + + *Xavier Noria* + +* Do not set RAILS_ENV to "development" when using `db:test:prepare` and related rake tasks. + This was causing the truncation of the development database data when using RSpec. + Fixes #7175. + + *Rafael Mendonça França* + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* `:finder_sql` and `:counter_sql` options on collection associations + are deprecated. Please transition to using scopes. + + *Jon Leighton* + +* `:insert_sql` and `:delete_sql` options on `has_and_belongs_to_many` + associations are deprecated. Please transition to using `has_many + :through` + + *Jon Leighton* + +* `composed_of` has been deprecated. You'll have to write your own accessor + and mutator methods if you'd like to use value objects to represent some + portion of your models. + + *Steve Klabnik* + +* `update_attribute` has been deprecated. Use `update_column` if + you want to bypass mass-assignment protection, validations, callbacks, + and touching of updated_at. Otherwise please use `update_attributes`. + + *Steve Klabnik* + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* protect against the nesting of hashes changing the + table context in the next call to build_from_hash. This fix + covers this case as well. + + CVE-2012-2695 + +* Revert earlier 'perf fix' (see 3.2.4 changelog / GH #6289). This + change introduced a regression (GH #6609). assoc.clear and + assoc.delete_all have loaded the association before doing the delete + since at least Rails 2.3. Doing the delete without loading the + records means that the `before_remove` and `after_remove` callbacks do + not get invoked. Therefore, this change was less a fix a more an + optimisation, which should only have gone into master. + + *Jon Leighton* + + ## Rails 3.2.5 (Jun 1, 2012) ## * Restore behavior of Active Record 3.2.3 scopes. diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index ddd6a8b568..b0b21a1563 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -105,6 +105,33 @@ * Remove deprecated ActiveSupport::JSON::Variable. *Erich Menge* +## Rails 3.2.8 (Aug 9, 2012) ## + +* Fix ActiveSupport integration with Mocha > 0.12.1. *Mike Gunderloy* + +* Reverted the deprecation of ActiveSupport::JSON::Variable. *Rafael Mendonça França* + +* ERB::Util.html_escape now escapes single quotes. *Santiago Pastorino* + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* Hash#fetch(fetch) is not the same as doing hash[key] + +* adds a missing require [fixes #6896] + +* make sure the inflection rules are loaded when cherry-picking active_support/core_ext/string/inflections.rb [fixes #6884] + +* Merge pull request #6857 from rsutphin/as_core_ext_time_missing_require + +* bump AS deprecation_horizon to 4.0 + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* No changes. + + ## Rails 3.2.5 (Jun 1, 2012) ## * ActiveSupport::JSON::Variable is deprecated. Define your own #as_json and #encode_json methods |