aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * bumping versionAaron Patterson2016-08-119-9/+9
| |
| * Include missing module in tag_helperCarlos Antonio da Silva2016-08-111-0/+1
| | | | | | | | | | | | | | | | | | Since 6857415187810f1289068a448268264d0cf0844f we are using #safe_join to join the content when an Array is given, so we must include the dependent module here to make sure it's available when this module is used alone. This was making Simple Form tests to fail with current master due to the missing dependency.
* | Merge branch '3-2-22-3' into 3-2-stableAaron Patterson2016-08-1111-13/+30
|\| | | | | | | | | | | * 3-2-22-3: bumping version ensure tag/content_tag escapes " in attribute vals
| * bumping versionAaron Patterson2016-08-109-9/+9
| |
| * ensure tag/content_tag escapes " in attribute valsAndrew Carpenter2016-08-102-4/+21
| | | | | | | | | | | | Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))` CVE-2016-6316
* | Merge pull request #25043 from tlrdstd/support_ruby_2_3Rafael França2016-05-204-3/+9
|\ \ | | | | | | Associations do not call `.to_proc` on Hash
| * | Associations do not call `.to_proc` on HashTyler Distad2016-05-164-3/+9
|/ / | | | | | | Fixes #25010
* | update rendering commentArthur Neves2016-03-141-1/+1
| | | | | | | | [skip ci]
* | Require hash_with_indifferent_access before using itRafael Mendonça França2016-03-081-0/+2
| |
* | fix 1.8 hash syntaxArthur Neves2016-03-011-1/+1
| |
* | Add missing require to fileArthur Neves2016-03-011-0/+1
|/
* Preparing for 3.2.22.2 releaseRafael Mendonça França2016-02-299-9/+9
|
* Add bundle check to release taskRafael Mendonça França2016-02-291-1/+5
|
* Don't allow render(params) in view/controllerArthur Neves2016-02-293-6/+79
| | | | | | | | | | | | | | | `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters. CVE-2016-2098
* Complete work on 3.2 for render_data_leak patch.Arthur Neves2016-02-299-103/+79
| | | | | | | | | | | | | | | | | | Render could leak access to external files before this patch. A previous patch(CVE-2016-0752), attempted to fix this. However the tests were miss-placed outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar with the 4.x series patches. Now `render 'foo/bar'`, will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only lookup a template, to constraint the folders that can be accessed. CVE-2016-2097
* Generated engines should protect from forgeryAaron Patterson2016-02-011-0/+1
| | | | | | | | | | Generated engines should call `protect_from_forgery`. If this method isn't called, then the Engine could be susceptible to XSS attacks. Thanks @tomekr for reporting this to us! Conflicts: railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt railties/test/generators/plugin_generator_test.rb
* Run `file.close` before unlinking for traviseileencodes2016-01-281-1/+2
| | | | | | | | | | | This works on OSX but for some reason travis is throwing a ``` 1) Error: ExpiresInRenderTest#test_dynamic_render_with_absolute_path: NoMethodError: undefined method `unlink' for nil:NilClass ``` Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.
* Fix hash syntax for 1.8.7eileencodes2016-01-281-1/+1
| | | | Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
* Regression test for rendering file from absolute patheileencodes2016-01-281-0/+11
| | | | | | Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
* Lock test-unit to 3.0.x releasesAndrew White2016-01-261-1/+1
| | | | | Due to a change in test-unit 3.1.6 that supports yielding from setup to run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.
* Use 1.8 compatible hash syntaxAndrew White2016-01-251-4/+4
|
* Merge pull request #23250 from simi/3-2-stable-1-8Aaron Patterson2016-01-252-5/+5
|\ | | | | Fix 3-2-stable 1.8 compatibility.
| * Use Ruby 1.8 compat syntax in test of security fix in ↵Josef Šimánek2016-01-261-4/+4
| | | | | | | | activerecord/test/cases/nested_attributes_test.rb.
| * Use Ruby 1.8 compat syntax in actionpack/lib/action_view/template/resolver.rb.Josef Šimánek2016-01-261-1/+1
|/ | | | closes GH-23248
* Merge branch '3-2-sec' into 3-2-stableAaron Patterson2016-01-2518-18/+152
|\ | | | | | | | | | | | | | | | | * 3-2-sec: bumping version allow :file to be outside rails root, but anything else must be inside the rails view directory Don't short-circuit reject_if proc stop caching mime types globally use secure string comparisons for basic auth username / password
| * bumping versionAaron Patterson2016-01-259-9/+9
| |
| * allow :file to be outside rails root, but anything else must be inside the ↵Aaron Patterson2016-01-224-4/+69
| | | | | | | | | | | | | | | | | | | | rails view directory Conflicts: actionpack/test/controller/render_test.rb actionview/lib/action_view/template/resolver.rb CVE-2016-0752
| * Don't short-circuit reject_if procAndrew White2016-01-222-2/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false. CVE-2015-7577
| * stop caching mime types globallyAaron Patterson2016-01-221-2/+16
| | | | | | | | | | | | | | Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751
| * use secure string comparisons for basic auth username / passwordAaron Patterson2016-01-222-1/+33
| | | | | | | | | | | | | | | | | | | | | | | | this will avoid timing attacks against applications that use basic auth. Conflicts: activesupport/lib/active_support/security_utils.rb Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb CVE-2015-7576
* | update bundler messageArthur Neves2016-01-151-3/+2
| |
* | rack-cache 1.3+ dont work with old ruby versionsArthur Neves2016-01-151-0/+4
| |
* | Fix mysql2 buildArthur Neves2016-01-151-1/+1
| | | | | | | | mysql 0.3.x is forced here activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
* | fix build, forcing i18n to verion 0.6.xArthur Neves2016-01-141-3/+1
| |
* | Merge pull request #20629 from moklett/patch-1Rafael Mendonça França2015-06-181-1/+1
|\ \ | | | | | | Fix typo in version number
| * | Fix typo in version numberMichael Klett2015-06-181-1/+1
|/ / | | | | Fixes a simple copy-and-paste mistake by bumping the patch version number in the CHANGELOG.
* | Merge branch '3-2-sec' into 3-2-stableRafael Mendonça França2015-06-1620-22/+63
|\|
| * Removing inaccurate note on the releasing guideRafael Mendonça França2015-06-161-3/+0
| |
| * Preparing for 3.2.22 releaseRafael Mendonça França2015-06-1616-9/+48
| |
| * enforce a depth limit on XML documentsAaron Patterson2015-06-163-10/+15
|/ | | | | | | | | | XML documents that are too deep can cause an stack overflow, which in turn will cause a potential DoS attack. CVE-2015-3227 Conflicts: activesupport/lib/active_support/xml_mini.rb
* Merge pull request #18718 from jgeiger/fix_ruby_2_2_comparable_warningsRafael Mendonça França2015-01-292-1/+2
|\ | | | | Fix ruby 2.2 comparable warnings
| * Fix ruby 2.2 comparable warningsJoey Geiger2015-01-292-1/+2
|/ | | | | Check for correct value type in activerecord/fixtures.rb Check that zone can respond to expected values to make the comparison.
* pg 0.18 not support Ruby < 1.9.3Rafael Mendonça França2015-01-071-1/+5
|
* Only use old i18n when version is not compatibleRafael Mendonça França2015-01-071-2/+4
|
* Remove hard dependency on test-unitRafael Mendonça França2015-01-075-4/+17
| | | | | Instead show a error message asking users to add the gem to their Gemfile if test-unit could not be loaded.
* Merge pull request #18306 from tmm1/rm-3-2-with-ruby-2-1-plusRafael Mendonça França2015-01-0713-13/+39
|\ | | | | 3-2-stable: ruby 2.2 compatibility
| * add parens to fix warningAman Gupta2015-01-051-1/+1
| |
| * fix whitespace to match surrounding codeAman Gupta2015-01-021-1/+1
| |
| * use self.method syntax to resolve circular argument issuesAman Gupta2015-01-022-5/+5
| |
| * Fix `singleton_class?`Vipul A M2015-01-021-3/+5
| | | | | | | | | | | | | | | | Due to changes from http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/39628 current `singleton_class?` implementation fails. Changed based on reference from http://bugs.ruby-lang.org/issues/7609 Conflicts: activesupport/lib/active_support/core_ext/class/attribute.rb
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-19 13:35:42 +0000