aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* bumping version for relesaseAaron Patterson2014-11-169-9/+9
|
* correctly escape backslashes in request path globsAaron Patterson2014-11-162-2/+44
| | | | | | | | | Conflicts: actionpack/lib/action_dispatch/middleware/static.rb make sure that unreadable files are also not leaked CVE-2014-7829
* Merge branch '3.2.20' into 3-2-stableAaron Patterson2014-10-3011-10/+47
|\ | | | | | | | | | | * 3.2.20: bumping version to 3.2.20 FileHandler should not be called for files outside the root
| * bumping version to 3.2.20Aaron Patterson2014-10-299-9/+9
| |
| * FileHandler should not be called for files outside the rootAaron Patterson2014-10-292-1/+38
| | | | | | | | | | | | | | | | | | | | | | | | FileHandler#matches? should return false for files that are outside the "root" path. Conflicts: actionpack/lib/action_dispatch/middleware/static.rb Conflicts: actionpack/lib/action_dispatch/middleware/static.rb actionpack/test/dispatch/static_test.rb
* | Regenerate sid when sbdy tries to fixate the sessionSantiago Pastorino2014-08-042-12/+11
| | | | | | | | | | | | Fixed broken test. Thanks Stephen Richards for reporting.
* | Merge branch '3-2-sec' into 3-2-stableRafael Mendonça França2014-07-0218-12/+58
|\|
| * Preparing for 3.2.19 releaseRafael Mendonça França2014-07-0216-9/+50
| |
| * Check against bit string values using multiline regexpRafael Mendonça França2014-07-022-3/+8
| | | | | | | | Fix CVE-2014-3482.
* | Use a version of execjs compatible with Ruby 1.8Rafael Mendonça França2014-06-261-0/+3
|/
* Make sure Active Support configurations are applied correctlyRafael Mendonça França2014-06-262-0/+19
| | | | | | | Before this patch configuration set using config.active_support would not be set. Closes #15364
* Revert "Merge pull request #15794 from vishalzambre/patch-1"Guillermo Iguaran2014-06-181-1/+1
| | | | | | | This reverts commit 6d800a909e24465ca6f3fa5206222fa7d78967f6, reversing changes made to 6a051299f98ee43864326c6c0a4f7d169d22b3f8. We don't apply non-security fixes to 3-2-stable branch!!!
* Merge pull request #15794 from vishalzambre/patch-1Guillermo Iguaran2014-06-181-1/+1
|\ | | | | File.exists? is a deprecated name, use File.exist?
| * File.exists? is a deprecated name, use File.exist?Vishal Zambre2014-06-181-1/+1
|/ | | File.exists? is a deprecated name, use File.exist?
* Feature detect based on Ruby version.Aaron Patterson2014-05-181-1/+1
| | | | | | | I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob returns the wrong value on Ruby less than 2.2.0. Checking for a case-insensitive FS seems too hard, so just check Ruby version Checking for a case-insensitive FS seems too hard, so just check Ruby version.
* feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053Aaron Patterson2014-05-101-5/+21
|
* use fnmatch to test for case insensitive file systemsAaron Patterson2014-05-091-4/+2
| | | | | | this is due to: https://bugs.ruby-lang.org/issues/5994
* Merge branch '3-2-sec' into 3-2-stableRafael Mendonça França2014-05-0619-14/+155
|\ | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * Fix broken tests of the previous releaseRafael Mendonça França2014-05-062-6/+6
| |
| * Preparing for 3.2.18 releaseRafael Mendonça França2014-05-0616-9/+115
| |
| * Only accept actions without File::SEPARATOR in the name.Rafael Mendonça França2014-05-052-4/+41
| | | | | | | | | | | | This will avoid directory traversal in implicit render. Fixes: CVE-2014-0130
* | Merge branch '3-2-17' into 3-2-stableRafael Mendonça França2014-02-1814-12/+103
|\| | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * Preparing for 3.2.17 releaseRafael Mendonça França2014-02-1810-9/+19
| |
| * Use the reference for the mime type to get the formatRafael Mendonça França2014-02-182-1/+18
| | | | | | | | | | | | | | | | Before we were calling to_sym in the mime type, even when it is unknown what can cause denial of service since symbols are not removed by the garbage collector. Fixes: CVE-2014-0082
| * Escape format, negative_format and units options of number helpersRafael Mendonça França2014-02-182-1/+64
| | | | | | | | | | | | | | Previously the values of these options were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2014-0081
* | Merge pull request #13613 from simi/patch-1Damien Mathieu2014-01-061-1/+1
|\ \ | | | | | | Fix force_ssl.rb documentation. Close tt tag.
| * | Fix force_ssl.rb documentation. Close tt tag.Josef Šimánek2014-01-061-1/+1
|/ / | | | | [ci skip]
* | Merge pull request #13315 from tyre/patch-1Rafael Mendonça França2013-12-131-1/+1
|\ \ | | | | | | Update Session Store Documentation
| * | Update Session Store DocumentationChris Maddox2013-12-131-1/+1
|/ / | | | | session_id doesn't need to be a text column, just string (VARCHAR)
* | Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_optionCarlos Antonio da Silva2013-12-043-1/+24
| | | | | | | | | | | | | | Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix. Conflicts: actionpack/CHANGELOG.md
* | Fix documentation of number_to_currency helperRafael Mendonça França2013-12-042-5/+5
| | | | | | | | | | | | Now users have to explicit mark the unit as safe if they trust it. Closes #13161
* | Merge pull request #13162 from makandra/3-2-stableRafael Mendonça França2013-12-041-4/+4
|\ \ | |/ |/| Repair a test broken by the number_to_currency XSS fix
| * repair a test broken by the number_to_currency XSS fixTobias Kraze2013-12-041-4/+4
|/
* updating the changelogAaron Patterson2013-12-0210-9/+17
|
* Deep Munge the parameters for GET and POSTMichael Koziarski2013-12-022-2/+17
| | | | | | | | | | | The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed. Fixes CVE-2013-6417 Conflicts: actionpack/lib/action_dispatch/http/request.rb
* Stop using i18n's built in HTML error handling.Michael Koziarski2013-12-022-14/+9
| | | | | | | | | | | | | | i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves. Fixes: CVE-2013-4491 Conflicts: actionpack/lib/action_view/helpers/translation_helper.rb Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
* Escape the unit value provided to number_to_currencyMichael Koziarski2013-12-022-4/+5
| | | | | | Fixes CVE-2013-6415 Previously the values were trusted blindly allowing for potential XSS attacks.
* Only use valid mime type symbols as cache keysAaron Patterson2013-11-301-0/+7
| | | | CVE-2013-6414
* Merge branch '3-2-sec' into 3-2-stableAaron Patterson2013-10-1619-21/+40
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * 3-2-sec: updating changelogs bumping to 3.2.15 bumping to rc3 Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build" Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target" bumping to rc2 Merge pull request #12443 from arthurnn/add_inverse_of_add_target bumping version to 3.2.15.rc1 Remove the use of String#% when formatting durations in log messages Conflicts: activerecord/CHANGELOG.md
| * updating changelogsAaron Patterson2013-10-167-3/+19
| |
| * bumping to 3.2.15Aaron Patterson2013-10-159-9/+9
| |
| * Merge branch '3-2-15' into 3-2-secAaron Patterson2013-10-1516-28/+30
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * 3-2-15: bumping to rc3 Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build" Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target" bumping to rc2 Merge pull request #12443 from arthurnn/add_inverse_of_add_target bumping version to 3.2.15.rc1 Fix STI scopes using benolee's suggestion. Fixes #11939
| | * bumping to rc3Aaron Patterson2013-10-119-9/+9
| | |
| | * Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"Rafael Mendonça França2013-10-104-10/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit ccd11d58910059f07b28cc518dbdad42cbc8ea0c, reversing changes made to 54c05acdba138f3a7a3d44dfc922b0fe4e4cf554. Reason: This caused a regression when the associated record is created in a before_create callback. See https://github.com/rails/rails/pull/12413#issuecomment-25848163
| | * Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"Rafael Mendonça França2013-10-102-14/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 7ed5bdc834479c39e3b0ad5a38bcffe27983c10d, reversing changes made to 31c79e291f42b1d862df06c552fe002864aae705. Reason: this caused a regression when the associated record is creted in a before_create callback. See https://github.com/rails/rails/pull/12413#issuecomment-25848163
| | * bumping to rc2Aaron Patterson2013-10-049-9/+9
| | |
| | * Merge pull request #12443 from arthurnn/add_inverse_of_add_targetRafael Mendonça França2013-10-042-0/+14
| | | | | | | | | | | | Add inverse of add target
| | * bumping version to 3.2.15.rc1Aaron Patterson2013-10-039-17/+17
| | |
| * | Merge branch '3-2-stable' into 3-2-secAaron Patterson2013-10-037-3/+29
| |\ \ | | | | | | | | | | | | | | | | | | | | * 3-2-stable: make sure both headers are set before checking for ip spoofing Move set_inverse_instance to association.build_record
| * | | Remove the use of String#% when formatting durations in log messagesMichael Koziarski2013-09-303-9/+12
| | | | | | | | | | | | | | | | | | | | This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-06 14:26:16 +0000