aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Complete work on 3.2 for render_data_leak patch.Arthur Neves2016-02-299-103/+79
| | | | | | | | | | | | | | | | | | Render could leak access to external files before this patch. A previous patch(CVE-2016-0752), attempted to fix this. However the tests were miss-placed outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar with the 4.x series patches. Now `render 'foo/bar'`, will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only lookup a template, to constraint the folders that can be accessed. CVE-2016-2097
* Generated engines should protect from forgeryAaron Patterson2016-02-011-0/+1
| | | | | | | | | | Generated engines should call `protect_from_forgery`. If this method isn't called, then the Engine could be susceptible to XSS attacks. Thanks @tomekr for reporting this to us! Conflicts: railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt railties/test/generators/plugin_generator_test.rb
* Run `file.close` before unlinking for traviseileencodes2016-01-281-1/+2
| | | | | | | | | | | This works on OSX but for some reason travis is throwing a ``` 1) Error: ExpiresInRenderTest#test_dynamic_render_with_absolute_path: NoMethodError: undefined method `unlink' for nil:NilClass ``` Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.
* Fix hash syntax for 1.8.7eileencodes2016-01-281-1/+1
| | | | Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
* Regression test for rendering file from absolute patheileencodes2016-01-281-0/+11
| | | | | | Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
* Lock test-unit to 3.0.x releasesAndrew White2016-01-261-1/+1
| | | | | Due to a change in test-unit 3.1.6 that supports yielding from setup to run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.
* Use 1.8 compatible hash syntaxAndrew White2016-01-251-4/+4
|
* Merge pull request #23250 from simi/3-2-stable-1-8Aaron Patterson2016-01-252-5/+5
|\ | | | | Fix 3-2-stable 1.8 compatibility.
| * Use Ruby 1.8 compat syntax in test of security fix in ↵Josef Šimánek2016-01-261-4/+4
| | | | | | | | activerecord/test/cases/nested_attributes_test.rb.
| * Use Ruby 1.8 compat syntax in actionpack/lib/action_view/template/resolver.rb.Josef Šimánek2016-01-261-1/+1
|/ | | | closes GH-23248
* Merge branch '3-2-sec' into 3-2-stableAaron Patterson2016-01-2518-18/+152
|\ | | | | | | | | | | | | | | | | * 3-2-sec: bumping version allow :file to be outside rails root, but anything else must be inside the rails view directory Don't short-circuit reject_if proc stop caching mime types globally use secure string comparisons for basic auth username / password
| * bumping versionAaron Patterson2016-01-259-9/+9
| |
| * allow :file to be outside rails root, but anything else must be inside the ↵Aaron Patterson2016-01-224-4/+69
| | | | | | | | | | | | | | | | | | | | rails view directory Conflicts: actionpack/test/controller/render_test.rb actionview/lib/action_view/template/resolver.rb CVE-2016-0752
| * Don't short-circuit reject_if procAndrew White2016-01-222-2/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false. CVE-2015-7577
| * stop caching mime types globallyAaron Patterson2016-01-221-2/+16
| | | | | | | | | | | | | | Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751
| * use secure string comparisons for basic auth username / passwordAaron Patterson2016-01-222-1/+33
| | | | | | | | | | | | | | | | | | | | | | | | this will avoid timing attacks against applications that use basic auth. Conflicts: activesupport/lib/active_support/security_utils.rb Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb CVE-2015-7576
* | update bundler messageArthur Neves2016-01-151-3/+2
| |
* | rack-cache 1.3+ dont work with old ruby versionsArthur Neves2016-01-151-0/+4
| |
* | Fix mysql2 buildArthur Neves2016-01-151-1/+1
| | | | | | | | mysql 0.3.x is forced here activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
* | fix build, forcing i18n to verion 0.6.xArthur Neves2016-01-141-3/+1
| |
* | Merge pull request #20629 from moklett/patch-1Rafael Mendonça França2015-06-181-1/+1
|\ \ | | | | | | Fix typo in version number
| * | Fix typo in version numberMichael Klett2015-06-181-1/+1
|/ / | | | | Fixes a simple copy-and-paste mistake by bumping the patch version number in the CHANGELOG.
* | Merge branch '3-2-sec' into 3-2-stableRafael Mendonça França2015-06-1620-22/+63
|\|
| * Removing inaccurate note on the releasing guideRafael Mendonça França2015-06-161-3/+0
| |
| * Preparing for 3.2.22 releaseRafael Mendonça França2015-06-1616-9/+48
| |
| * enforce a depth limit on XML documentsAaron Patterson2015-06-163-10/+15
|/ | | | | | | | | | XML documents that are too deep can cause an stack overflow, which in turn will cause a potential DoS attack. CVE-2015-3227 Conflicts: activesupport/lib/active_support/xml_mini.rb
* Merge pull request #18718 from jgeiger/fix_ruby_2_2_comparable_warningsRafael Mendonça França2015-01-292-1/+2
|\ | | | | Fix ruby 2.2 comparable warnings
| * Fix ruby 2.2 comparable warningsJoey Geiger2015-01-292-1/+2
|/ | | | | Check for correct value type in activerecord/fixtures.rb Check that zone can respond to expected values to make the comparison.
* pg 0.18 not support Ruby < 1.9.3Rafael Mendonça França2015-01-071-1/+5
|
* Only use old i18n when version is not compatibleRafael Mendonça França2015-01-071-2/+4
|
* Remove hard dependency on test-unitRafael Mendonça França2015-01-075-4/+17
| | | | | Instead show a error message asking users to add the gem to their Gemfile if test-unit could not be loaded.
* Merge pull request #18306 from tmm1/rm-3-2-with-ruby-2-1-plusRafael Mendonça França2015-01-0713-13/+39
|\ | | | | 3-2-stable: ruby 2.2 compatibility
| * add parens to fix warningAman Gupta2015-01-051-1/+1
| |
| * fix whitespace to match surrounding codeAman Gupta2015-01-021-1/+1
| |
| * use self.method syntax to resolve circular argument issuesAman Gupta2015-01-022-5/+5
| |
| * Fix `singleton_class?`Vipul A M2015-01-021-3/+5
| | | | | | | | | | | | | | | | Due to changes from http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/39628 current `singleton_class?` implementation fails. Changed based on reference from http://bugs.ruby-lang.org/issues/7609 Conflicts: activesupport/lib/active_support/core_ext/class/attribute.rb
| * parse stringified mime typeAman Gupta2015-01-021-1/+1
| |
| * fix yaml compat on ruby 2.2Aman Gupta2015-01-021-1/+3
| |
| * fix regex caseAman Gupta2015-01-021-1/+1
| |
| * restore I18n.locale after testAman Gupta2015-01-021-0/+8
| |
| * convert another incompatible assert_raise invocationAman Gupta2015-01-021-1/+2
| |
| * switch to minitest and test-unit compatible assert_raise syntaxKouhei Sutou2015-01-021-1/+2
| |
| * blacklist test-unit's @internal_data ivarAman Gupta2015-01-021-0/+1
| |
| * try using newer test-unit gemAman Gupta2015-01-021-1/+1
| |
| * added dependency of test-unit into activesupportSHIBATA Hiroshi2015-01-021-0/+1
| |
| * Lock i18n to a version that works with Ruby 1.8Rafael Mendonça França2015-01-021-0/+2
| |
| * Merge pull request #18160 from tmm1/3-2-ruby-2-2Rafael Mendonça França2015-01-023-6/+12
| |\ | | | | | | | | | 3-2-stable: add ruby 2.2 compatibility
| | * Check `respond_to` before delegation due to: ↵Aaron Patterson2014-12-221-1/+7
| | | | | | | | | | | | https://github.com/ruby/ruby/commit/d781caaf313b8649948c107bba277e5ad7307314
| | * fix ruby 2.2 warning: circular argument referenceAman Gupta2014-12-222-5/+5
| |/ |/|
| * Test Rails 3.2 with Ruby 2.1 and 2.2Rafael Mendonça França2015-01-011-0/+2
|/
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-06 09:51:39 +0000