Commit message
Remove test for XML YAML parsing
The support for YAML parsing in XML has been removed from Active Support
since it introduced a security risk. See 43109ec for more detail.
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
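The two CVEs in the merge above are about what a params parser does with typed input. The following is an added example, not Rails' own code: a small typed-XML-to-Hash converter in the style of Rails' XML params parsing, with the conversion table restricted to plain scalars so that a node tagged type="yaml" or type="symbol" is refused rather than handed to YAML.load or String#to_sym (CVE-2013-0156), plus a recursive nil-stripper that keeps a posted [null] from surviving into a query (CVE-2013-0155). SAFE_TYPES, UnsafeTypeError, convert_node, parse_xml_params and strip_nils are names chosen for this example; the XML and JSON inputs in the usage are constructed.

```ruby
require "rexml/document"
require "json"

# Added example, not Rails' code. Only plain scalar conversions are listed;
# "yaml" and "symbol" are absent on purpose, so those type attributes raise.
class UnsafeTypeError < StandardError; end

SAFE_TYPES = {
  "string"  => ->(s) { s },
  "integer" => ->(s) { Integer(s, 10) },
  "float"   => ->(s) { Float(s) },
  "boolean" => ->(s) { %w[true 1].include?(s.strip) },
}.freeze

# Convert one element: type="array" nodes become Arrays, leaves become typed
# scalars (untyped leaves stay Strings), anything else becomes a Hash keyed
# by child element name.
def convert_node(elem)
  children = elem.elements.to_a
  type = elem.attributes["type"]
  if type == "array"
    children.map { |child| convert_node(child) }
  elsif children.empty?
    text = elem.text.to_s
    return text if type.nil?
    handler = SAFE_TYPES[type]
    raise UnsafeTypeError, "refusing type=#{type.inspect} on <#{elem.name}>" if handler.nil?
    handler.call(text)
  else
    children.each_with_object({}) { |child, hash| hash[child.name] = convert_node(child) }
  end
end

def parse_xml_params(xml)
  root = REXML::Document.new(xml).root
  { root.name => convert_node(root) }
end

# A posted [nil] (JSON `[null]`, or an empty XML array) must not reach a
# query as `IS NULL`: drop nils from arrays recursively, and turn an array
# that is left empty into nil.
def strip_nils(value)
  case value
  when Array
    cleaned = value.map { |v| strip_nils(v) }.compact
    cleaned.empty? ? nil : cleaned
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = strip_nils(v) }
  else
    value
  end
end

if $PROGRAM_NAME == __FILE__
  p parse_xml_params('<user><name>bob</name><age type="integer">42</age></user>')
  p strip_nils(JSON.parse('{"user":{"password":[null],"roles":[null,"admin"]}}'))
  begin
    parse_xml_params('<user><name type="yaml">--- !ruby/object:Object {}</name></user>')
  rescue UnsafeTypeError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the whitelist is that the set of conversions is closed: a new type attribute in the request cannot reach a deserialiser the server never meant to expose. Whether an empty array should become nil or be dropped entirely is a policy choice; here it becomes nil so that the key is still visible to validations.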
dealing with empty hashes. Thanks Damien Mathieu
This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
It includes security bug fixes and changes the initialization of
Rack::File to accept a hash, otherwise generating warnings.
See 295806e for the warnings fix.
Conflicts:
actionpack/actionpack.gemspec
Eliminate Rack::File headers deprecation warning
(cherry picked from commit e2e513621d732abb8efff9120bd9a444836720d6)
(cherry picked from commit dcdde7da481e11660634278a8004175a1ce20f39)
Backport of #6183, original issue was #6179
Conflicts:
activesupport/lib/active_support/core_ext/time/calculations.rb
activesupport/test/core_ext/time_ext_test
Signed-off-by: Andrew White <andyw@pixeltrix.co.uk>
This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
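The Rack warning in the two commits above exists because, without a secret, a cookie session is only an encoding of the session data and any client can rewrite it. The following is an added example, not Rack's code, of what the secret is used for: the payload is tagged with an HMAC-SHA256 over the encoded session and a cookie whose tag does not verify is discarded before anything in it is decoded. SESSION_SECRET is a constructed value (a deployment loads it from configuration); secure_compare, encode_session and decode_session are names chosen here. JSON rather than Marshal is used as the payload format so that even an unverified payload cannot instantiate arbitrary objects.

```ruby
require "openssl"
require "json"

# Added example, not Rack's code. Constructed secret for illustration only.
SESSION_SECRET = "constructed-example-secret-do-not-reuse".freeze

# Constant-time comparison: a mismatch must not reveal, byte by byte, how
# much of a forged tag was correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value: base64(JSON session) -- hex(HMAC-SHA256(secret, payload)).
def encode_session(data, secret = SESSION_SECRET)
  payload = [JSON.generate(data)].pack("m0")
  tag = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}--#{tag}"
end

# Returns the session Hash, or nil when the cookie is malformed or its tag
# was not produced with our secret. The tag is checked before decoding.
def decode_session(cookie, secret = SESSION_SECRET)
  payload, tag = cookie.to_s.split("--", 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_compare(tag, expected)
  JSON.parse(payload.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

if $PROGRAM_NAME == __FILE__
  cookie = encode_session({ "user_id" => 7 })
  puts cookie
  p decode_session(cookie)
  forged = encode_session({ "user_id" => 1 }, "attacker-guess")
  p decode_session(forged)   # nil: wrong secret
end
```

Signing only gives integrity, not confidentiality: the session contents are still readable by the client, so nothing secret belongs in the cookie even with a secret configured.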
This is an improvement for issue #8673:
"Comparing a BigDecimal to true/false on write_attribute is slow"

It seems to be an issue with Ruby itself, related to the "coerce" method
being called in TrueClass/FalseClass due to the == condition, triggering
method_missing, then raising a NameError that's later caught.

This issue was also opened in Ruby tracker:
https://bugs.ruby-lang.org/issues/7645.

This refactoring avoids the coerce call by using a case statement, which
gives us better readability as well. A simple benchmark:

----------
require 'benchmark/ips'
require 'bigdecimal'

Benchmark.ips do |x|
  x.report("== true")   { BigDecimal('3') == true }
  x.report("TrueClass") { TrueClass === BigDecimal('3') }
  x.report("== 0")      { BigDecimal('3') == 0 }
  x.report("Numeric")   { Numeric === BigDecimal('3') }
end

Calculating -------------------------------------
             == true      6427 i/100ms
           TrueClass     47297 i/100ms
                == 0     35923 i/100ms
             Numeric     55530 i/100ms
-------------------------------------------------
             == true    75878.5 (±21.6%) i/s -     359912 in   5.004392s
           TrueClass  1249547.0 (±13.1%) i/s -    6148610 in   5.035964s
                == 0   666856.3 (±13.3%) i/s -    3268993 in   5.013789s
             Numeric  1269300.9 (±11.3%) i/s -    6274890 in   5.028458s
----------

Master has a very different implementation, and there are apparently no
similar conversions at this point; it's mainly delegated to the column
type cast, but I'll check if something needs to be changed there as well.

Closes #8673.
Closes #8804 [ci skip]
Conflicts:
activerecord/lib/active_record/scoping/named.rb
prepared_statements as value
Also covers any non-castable case by returning nil, which
is in-line with the intention of the former implementation,
but covers the odd cases which respond to to_i but raise
an error when it's called, such as NaN, Infinity and -Infinity.
Fixes #8757
Backport of #8781
Conflicts:
activerecord/CHANGELOG.md
activerecord/test/cases/column_test.rb
Conflicts:
actionpack/lib/action_view/helpers/form_helper.rb
actionpack/test/template/form_helper_test.rb
(cherry picked from commit 6500d7994e94af439587ba0b6088b14532940ad2)
[ci skip]
Signed-off-by: Andrew White <andyw@pixeltrix.co.uk>
Backport 4f0f1b5 into 3-2-stable.
When running the test with warnings enabled, it fails without this change.
Conflicts:
actionpack/test/controller/render_test.rb
Conflicts:
.travis.yml
Fix undefined method `to_i' introduced since 3.2.8
This commit fixes a bug introduced in 96a13fc7 which breaks behaviour of
integer fields in 3.2.8.

In 3.2.8, setting the value of an integer field to a non-integer (eg.
Array, Hash, etc.) would default to 1 (true):

  # 3.2.8
  p = Post.new
  p.category_id = [ 1, 2 ]
  p.category_id # => 1
  p.category_id = { 3 => 4 }
  p.category_id # => 1

In 3.2.9 and above, this will raise a NoMethodError:

  # 3.2.9
  p = Post.new
  p.category_id = [ 1, 2 ]
  NoMethodError: undefined method `to_i' for [1, 2]:Array

Whilst at first blush this appears to be sensible, it combines in bad
ways with scoping.

For example, it is common to use scopes to control access to data:

  @collection = Posts.where(:category_id => [ 1, 2 ])
  @new_post = @collection.new

In 3.2.8, this would work as expected, creating a new Post object
(albeit with @new_post.category_id = 1). However, in 3.2.9 this will
cause the NoMethodError to be raised as above.

It is difficult to avoid triggering this error without descoping before
calling .new, breaking any apps running on 3.2.8 that rely on this
behaviour.

This patch deviates from 3.2.8 in that it does not retain the somewhat
spurious behaviour of setting the attribute to 1. Instead, it explicitly
sets these invalid values to nil:

  p = Post.new
  p.category_id = [ 1, 2 ]
  p.category_id # => nil

This also fixes the situation where a scope using an array will
"pollute" any newly instantiated records.

  @new_post = @collection.new
  @new_post.category_id # => nil

Finally, 3.2.8 exhibited a behaviour where setting an object to an
integer field caused it to be coerced to "1". This has not been
retained, as it is spurious and surprising in the same way that setting
Arrays and Hashes was:

  c = Category.find(6)
  p = Post.new
  # 3.2.8
  p.category_id = c
  p.category_id # => 1
  # This patch
  p.category_id = c
  p.category_id # => nil

This commit includes explicit test cases that expose the original issue
with calling new on a scope that uses an Array. As this is a common
situation, an explicit test case is the best way to prevent regressions
in the future.

It also updates and separates existing tests to be explicit about the
situation that is being tested (eg. AR objects vs. other objects vs.
non-integers)
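The commit above and the earlier "Backport of #8781" message (non-castable values, NaN and the infinities becoming nil) describe the same cast. The following is an added example, not Active Record's code, of an integer cast with that behaviour, together with a toy relation that shows why the scope case matters: where() accumulates conditions and new() seeds a record with them, so Post.where(category_id: [1, 2]).new assigns an Array. value_to_integer, Post and Relation are stand-ins chosen for this example.

```ruby
# Added example, not Active Record's code. Anything that cannot be cast
# becomes nil rather than 1 or a NoMethodError. NaN and the infinities
# respond to to_i but raise FloatDomainError, so that is rescued explicitly.
def value_to_integer(value)
  case value
  when nil     then nil
  when true    then 1
  when false   then 0
  when Integer then value
  else
    return nil unless value.respond_to?(:to_i)   # Array, Hash, model objects, ...
    begin
      value.to_i
    rescue FloatDomainError                      # Float::NAN, +/-Float::INFINITY
      nil
    end
  end
end

# Stand-in model with one integer column.
class Post
  attr_reader :category_id

  def initialize(attributes = {})
    attributes.each { |name, value| public_send("#{name}=", value) }
  end

  def category_id=(value)
    @category_id = value_to_integer(value)
  end
end

# Stand-in for a scoped relation: conditions given to where() are applied
# to records built with new(), which is how an Array reaches the setter.
class Relation
  def initialize(model, conditions = {})
    @model = model
    @conditions = conditions
  end

  def where(conditions)
    Relation.new(@model, @conditions.merge(conditions))
  end

  def new
    @model.new(@conditions)
  end
end

if $PROGRAM_NAME == __FILE__
  p value_to_integer([1, 2])            # nil
  p value_to_integer(Float::NAN)        # nil
  p value_to_integer("42")              # 42
  p Relation.new(Post).where(category_id: [1, 2]).new.category_id   # nil
  p Relation.new(Post).where(category_id: 7).new.category_id        # 7
end
```

The rescue is deliberately narrow: only the FloatDomainError that NaN and the infinities raise from to_i is swallowed, so a to_i implementation that fails for some other reason is still visible rather than silently becoming nil.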
update directory tree in the generated README in Rails 3.2
[ci skip]
[ci skip]
Merged latest released tag (v3.2.10) into the stable branch (3-2-stable)
Latest released tag was not fully merged into the stable branch (missed version bumping)
Fix typo on form_tag_helper.rb [ci skip]
Backport #8701, do not append a second slash with `trailing_slash: true`
Closes #8700
Fix format and wrong changelog entry
* 3-2-stable:
fix block.arity raise nil error when not given a block to "content_tag_for"
removes the Ajax on Rails early draft
Revert "Merge pull request #8665 from senny/8661_should_not_append_charset_if_already_present"
backport #8662, charset should not be appended for `head` responses
Revert "Fix `validates_presence_of` with `:allow_nil` or `:allow_blank` options."
Fix `validates_presence_of` with `:allow_nil` or `:allow_blank` options.
backport #8616, quote column names in generated fixture files
fix block.arity will raise nil error
There were a few attempts at writing this guide, but we
never got past the work in progress stage. In spite
of not being included in the table of contents, this
draft was still indexed by bots and showed up in searches.
Steve Klabnik has written "Working with JavaScript in Rails"
which is going to be released with Rails 4. So better get
rid of this altogether.
senny/8661_should_not_append_charset_if_already_present"
This reverts commit e48dc194231830f42f179704596b88215f062c23, reversing
changes made to d38c8caa48a732d41c7402a5e71deece4e313559.
senny/8661_should_not_append_charset_if_already_present
backport #8662, charset should not be appended for `head` responses
1) Failure:
test_head_created_with_image_png_content_type(RenderTest) [test/controller/render_test.rb:1238]:
Expected: "image/png"
Actual: "image/png; charset=utf-8"
options."
This reverts commit 93366c7c913bf0883f140fa782d3e198593477be.
REASON: This is backward incompatible. Also this behavior is documented
on the guides.
Fix #8621
[Colin Kelley + Rafael Mendonça França]
backport #8616, quote column names in generated fixture files
Conflicts:
railties/CHANGELOG.md
railties/lib/rails/generators/test_unit/model/model_generator.rb
railties/lib/rails/generators/test_unit/model/templates/fixtures.yml
railties/test/generators/model_generator_test.rb
* 3-2-sec:
CVE-2012-5664 options hashes should only be extracted if there are extra parameters
updating changelog
updating the changelogs
updating the changelog for the CVE
Add release date of Rails 3.2.9 to documentation
Conflicts:
actionmailer/CHANGELOG.md
actionpack/CHANGELOG.md
activemodel/CHANGELOG.md
activerecord/CHANGELOG.md
activeresource/CHANGELOG.md
activesupport/CHANGELOG.md
railties/CHANGELOG.md
parameters
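The CVE-2012-5664 entry in the 3-2-sec merge above ("options hashes should only be extracted if there are extra parameters") is about how a dynamic finder splits its arguments. The following is an added example, not Active Record's code, of that mistake in miniature: a finder such as find_by_name(value) treated a trailing Hash as its options hash whenever one was present, so a request value that arrived as a Hash (for example name[select]=...) was promoted from the value being searched for to finder options such as :select. The corrected rule only pops options when more arguments were given than the finder names attributes. finder_attributes, split_args_vulnerable, split_args_fixed and describe_finder are names chosen for this example, and the request parameter in the usage is constructed.

```ruby
# Added example, not Active Record's code.

# "find_by_name_and_email" -> ["name", "email"]; nil for anything else.
def finder_attributes(method_name)
  match = method_name.to_s.match(/\Afind_by_(.+)\z/)
  match && match[1].split("_and_")
end

# Vulnerable split: any trailing Hash is taken as options, even when it is
# the only argument and is therefore the value the caller meant to match.
def split_args_vulnerable(attribute_names, args)
  args = args.dup
  options = args.last.is_a?(Hash) ? args.pop : {}
  [args, options]
end

# Fixed split: a trailing Hash is options only if it is surplus to the
# number of attributes in the finder name.
def split_args_fixed(attribute_names, args)
  args = args.dup
  surplus = args.size > attribute_names.size
  options = (surplus && args.last.is_a?(Hash)) ? args.pop : {}
  [args, options]
end

# Describe what the finder would execute, so both behaviours can be compared
# without a database: the conditions it would match on and the options
# (select, limit, ...) it would apply.
def describe_finder(method_name, args, fixed:)
  attrs = finder_attributes(method_name)
  raise ArgumentError, "not a dynamic finder: #{method_name}" if attrs.nil?
  values, options = fixed ? split_args_fixed(attrs, args) : split_args_vulnerable(attrs, args)
  { conditions: attrs.zip(values).to_h, options: options }
end

if $PROGRAM_NAME == __FILE__
  # Constructed request parameter: params[:name] came in as a Hash.
  param = { "select" => "* FROM users --" }
  p describe_finder("find_by_name", [param], fixed: false)
  # => conditions {"name"=>nil}, options {"select"=>"* FROM users --"}
  p describe_finder("find_by_name", [param], fixed: true)
  # => conditions {"name"=>{"select"=>...}}, options {}
  p describe_finder("find_by_name", ["alice", { limit: 1 }], fixed: true)
  # => conditions {"name"=>"alice"}, options {limit: 1}
end
```

With the fixed split the Hash-typed value still needs to be rejected or cast by the column layer, but it is at least treated as data to be quoted rather than as instructions to the query builder, which is the boundary the CVE was about.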