Columns: commit message; author; date; files changed (-lines removed/+lines added)
* Require hash_with_indifferent_access before using it
  Rafael Mendonça França, 2016-03-08, 1 file changed (-0/+2)

* fix 1.8 hash syntax
  Arthur Neves, 2016-03-01, 1 file changed (-1/+1)

* Add missing require to file
  Arthur Neves, 2016-03-01, 1 file changed (-0/+1)

* Preparing for 3.2.22.2 release
  Rafael Mendonça França, 2016-02-29, 9 files changed (-9/+9)

* Add bundle check to release task
  Rafael Mendonça França, 2016-02-29, 1 file changed (-1/+5)
* Don't allow render(params) in view/controller
  Arthur Neves, 2016-02-29, 3 files changed (-6/+79)

  `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters.

  CVE-2016-2098
* Complete work on 3.2 for render_data_leak patch.
  Arthur Neves, 2016-02-29, 9 files changed (-103/+79)

  Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However, the tests were misplaced outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory.

  The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed.

  CVE-2016-2097
* Generated engines should protect from forgery
  Aaron Patterson, 2016-02-01, 1 file changed (-0/+1)

  Generated engines should call `protect_from_forgery`. If this method isn't called, then the Engine could be susceptible to XSS attacks.

  Thanks @tomekr for reporting this to us!

  Conflicts:
    railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    railties/test/generators/plugin_generator_test.rb
* Run `file.close` before unlinking for Travis
  eileencodes, 2016-01-28, 1 file changed (-1/+2)

  This works on OSX but for some reason Travis is throwing a

  ```
  1) Error:
  ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
  NoMethodError: undefined method `unlink' for nil:NilClass
  ```

  Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.
* Fix hash syntax for 1.8.7
  eileencodes, 2016-01-28, 1 file changed (-1/+1)

  Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.

* Regression test for rendering file from absolute path
  eileencodes, 2016-01-28, 1 file changed (-0/+11)

  Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
* Lock test-unit to 3.0.x releases
  Andrew White, 2016-01-26, 1 file changed (-1/+1)

  Due to a change in test-unit 3.1.6 that supports yielding from setup to run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.

* Use 1.8 compatible hash syntax
  Andrew White, 2016-01-25, 1 file changed (-4/+4)
* Merge pull request #23250 from simi/3-2-stable-1-8
  Aaron Patterson, 2016-01-25, 2 files changed (-5/+5)

  Fix 3-2-stable 1.8 compatibility.

  * Use Ruby 1.8 compat syntax in test of security fix in activerecord/test/cases/nested_attributes_test.rb.
    Josef Šimánek, 2016-01-26, 1 file changed (-4/+4)

  * Use Ruby 1.8 compat syntax in actionpack/lib/action_view/template/resolver.rb.
    Josef Šimánek, 2016-01-26, 1 file changed (-1/+1)

    closes GH-23248
* Merge branch '3-2-sec' into 3-2-stable
  Aaron Patterson, 2016-01-25, 18 files changed (-18/+152)

  * 3-2-sec:
    bumping version
    allow :file to be outside rails root, but anything else must be inside the rails view directory
    Don't short-circuit reject_if proc
    stop caching mime types globally
    use secure string comparisons for basic auth username / password

  * bumping version
    Aaron Patterson, 2016-01-25, 9 files changed (-9/+9)

  * allow :file to be outside rails root, but anything else must be inside the rails view directory
    Aaron Patterson, 2016-01-22, 4 files changed (-4/+69)

    Conflicts:
      actionpack/test/controller/render_test.rb
      actionview/lib/action_view/template/resolver.rb

    CVE-2016-0752

  * Don't short-circuit reject_if proc
    Andrew White, 2016-01-22, 2 files changed (-2/+25)

    When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false.

    CVE-2015-7577

  * stop caching mime types globally
    Aaron Patterson, 2016-01-22, 1 file changed (-2/+16)

    Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability.

    CVE-2016-0751

  * use secure string comparisons for basic auth username / password
    Aaron Patterson, 2016-01-22, 2 files changed (-1/+33)

    This will avoid timing attacks against applications that use basic auth.

    Conflicts:
      activesupport/lib/active_support/security_utils.rb

    Conflicts:
      actionpack/lib/action_controller/metal/http_authentication.rb

    CVE-2015-7576
* update bundler message
  Arthur Neves, 2016-01-15, 1 file changed (-3/+2)

* rack-cache 1.3+ don't work with old ruby versions
  Arthur Neves, 2016-01-15, 1 file changed (-0/+4)

* Fix mysql2 build
  Arthur Neves, 2016-01-15, 1 file changed (-1/+1)

  mysql 0.3.x is forced here
    activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb

* fix build, forcing i18n to version 0.6.x
  Arthur Neves, 2016-01-14, 1 file changed (-3/+1)
* Merge pull request #20629 from moklett/patch-1
  Rafael Mendonça França, 2015-06-18, 1 file changed (-1/+1)

  Fix typo in version number

  * Fix typo in version number
    Michael Klett, 2015-06-18, 1 file changed (-1/+1)

    Fixes a simple copy-and-paste mistake by bumping the patch version number in the CHANGELOG.
* Merge branch '3-2-sec' into 3-2-stable
  Rafael Mendonça França, 2015-06-16, 20 files changed (-22/+63)

  * Removing inaccurate note on the releasing guide
    Rafael Mendonça França, 2015-06-16, 1 file changed (-3/+0)

  * Preparing for 3.2.22 release
    Rafael Mendonça França, 2015-06-16, 16 files changed (-9/+48)

  * enforce a depth limit on XML documents
    Aaron Patterson, 2015-06-16, 3 files changed (-10/+15)

    XML documents that are too deep can cause a stack overflow, which in turn will cause a potential DoS attack.

    CVE-2015-3227

    Conflicts:
      activesupport/lib/active_support/xml_mini.rb
* Merge pull request #18718 from jgeiger/fix_ruby_2_2_comparable_warnings
  Rafael Mendonça França, 2015-01-29, 2 files changed (-1/+2)

  Fix ruby 2.2 comparable warnings

  * Fix ruby 2.2 comparable warnings
    Joey Geiger, 2015-01-29, 2 files changed (-1/+2)

    Check for correct value type in activerecord/fixtures.rb
    Check that zone can respond to expected values to make the comparison.
* pg 0.18 does not support Ruby < 1.9.3
  Rafael Mendonça França, 2015-01-07, 1 file changed (-1/+5)

* Only use old i18n when version is not compatible
  Rafael Mendonça França, 2015-01-07, 1 file changed (-2/+4)

* Remove hard dependency on test-unit
  Rafael Mendonça França, 2015-01-07, 5 files changed (-4/+17)

  Instead show an error message asking users to add the gem to their Gemfile if test-unit could not be loaded.
* Merge pull request #18306 from tmm1/rm-3-2-with-ruby-2-1-plus
  Rafael Mendonça França, 2015-01-07, 13 files changed (-13/+39)

  3-2-stable: ruby 2.2 compatibility

  * add parens to fix warning
    Aman Gupta, 2015-01-05, 1 file changed (-1/+1)

  * fix whitespace to match surrounding code
    Aman Gupta, 2015-01-02, 1 file changed (-1/+1)

  * use self.method syntax to resolve circular argument issues
    Aman Gupta, 2015-01-02, 2 files changed (-5/+5)

  * Fix `singleton_class?`
    Vipul A M, 2015-01-02, 1 file changed (-3/+5)

    Due to changes from http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/39628, current `singleton_class?` implementation fails. Changed based on reference from http://bugs.ruby-lang.org/issues/7609

    Conflicts:
      activesupport/lib/active_support/core_ext/class/attribute.rb

  * parse stringified mime type
    Aman Gupta, 2015-01-02, 1 file changed (-1/+1)

  * fix yaml compat on ruby 2.2
    Aman Gupta, 2015-01-02, 1 file changed (-1/+3)

  * fix regex case
    Aman Gupta, 2015-01-02, 1 file changed (-1/+1)

  * restore I18n.locale after test
    Aman Gupta, 2015-01-02, 1 file changed (-0/+8)

  * convert another incompatible assert_raise invocation
    Aman Gupta, 2015-01-02, 1 file changed (-1/+2)

  * switch to minitest and test-unit compatible assert_raise syntax
    Kouhei Sutou, 2015-01-02, 1 file changed (-1/+2)

  * blacklist test-unit's @internal_data ivar
    Aman Gupta, 2015-01-02, 1 file changed (-0/+1)

  * try using newer test-unit gem
    Aman Gupta, 2015-01-02, 1 file changed (-1/+1)