Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Don't short-circuit reject_if proc | Andrew White | 2016-01-22 | 2 | -2/+25 |
| | When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false. CVE-2015-7577 | ||||
* | stop caching mime types globally | Aaron Patterson | 2016-01-22 | 1 | -2/+16 |
| | Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751 | ||||
* | use secure string comparisons for basic auth username / password | Aaron Patterson | 2016-01-22 | 2 | -1/+33 |
| | this will avoid timing attacks against applications that use basic auth. Conflicts: activesupport/lib/active_support/security_utils.rb Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb CVE-2015-7576 | ||||
* | Removing inaccurate note on the releasing guide | Rafael Mendonça França | 2015-06-16 | 1 | -3/+0 |
| | |||||
* | Preparing for 3.2.22 release | Rafael Mendonça França | 2015-06-16 | 16 | -9/+48 |
| | |||||
* | enforce a depth limit on XML documents | Aaron Patterson | 2015-06-16 | 3 | -10/+15 |
| | XML documents that are too deep can cause a stack overflow, which in turn will cause a potential DoS attack. CVE-2015-3227 Conflicts: activesupport/lib/active_support/xml_mini.rb | ||||
* | Merge pull request #18718 from jgeiger/fix_ruby_2_2_comparable_warnings | Rafael Mendonça França | 2015-01-29 | 2 | -1/+2 |
|\ | Fix ruby 2.2 comparable warnings | ||||
| * | Fix ruby 2.2 comparable warnings | Joey Geiger | 2015-01-29 | 2 | -1/+2 |
|/ | Check for correct value type in activerecord/fixtures.rb Check that zone can respond to expected values to make the comparison. | ||||
* | pg 0.18 not support Ruby < 1.9.3 | Rafael Mendonça França | 2015-01-07 | 1 | -1/+5 |
| | |||||
* | Only use old i18n when version is not compatible | Rafael Mendonça França | 2015-01-07 | 1 | -2/+4 |
| | |||||
* | Remove hard dependency on test-unit | Rafael Mendonça França | 2015-01-07 | 5 | -4/+17 |
| | Instead show an error message asking users to add the gem to their Gemfile if test-unit could not be loaded. | ||||
* | Merge pull request #18306 from tmm1/rm-3-2-with-ruby-2-1-plus | Rafael Mendonça França | 2015-01-07 | 13 | -13/+39 |
|\ | 3-2-stable: ruby 2.2 compatibility | ||||
| * | add parens to fix warning | Aman Gupta | 2015-01-05 | 1 | -1/+1 |
| | | |||||
| * | fix whitespace to match surrounding code | Aman Gupta | 2015-01-02 | 1 | -1/+1 |
| | | |||||
| * | use self.method syntax to resolve circular argument issues | Aman Gupta | 2015-01-02 | 2 | -5/+5 |
| | | |||||
| * | Fix `singleton_class?` | Vipul A M | 2015-01-02 | 1 | -3/+5 |
| | | Due to changes from http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/39628 current `singleton_class?` implementation fails. Changed based on reference from http://bugs.ruby-lang.org/issues/7609 Conflicts: activesupport/lib/active_support/core_ext/class/attribute.rb | ||||
| * | parse stringified mime type | Aman Gupta | 2015-01-02 | 1 | -1/+1 |
| | | |||||
| * | fix yaml compat on ruby 2.2 | Aman Gupta | 2015-01-02 | 1 | -1/+3 |
| | | |||||
| * | fix regex case | Aman Gupta | 2015-01-02 | 1 | -1/+1 |
| | | |||||
| * | restore I18n.locale after test | Aman Gupta | 2015-01-02 | 1 | -0/+8 |
| | | |||||
| * | convert another incompatible assert_raise invocation | Aman Gupta | 2015-01-02 | 1 | -1/+2 |
| | | |||||
| * | switch to minitest and test-unit compatible assert_raise syntax | Kouhei Sutou | 2015-01-02 | 1 | -1/+2 |
| | | |||||
| * | blacklist test-unit's @internal_data ivar | Aman Gupta | 2015-01-02 | 1 | -0/+1 |
| | | |||||
| * | try using newer test-unit gem | Aman Gupta | 2015-01-02 | 1 | -1/+1 |
| | | |||||
| * | added dependency of test-unit into activesupport | SHIBATA Hiroshi | 2015-01-02 | 1 | -0/+1 |
| | | |||||
| * | Lock i18n to a version that works with Ruby 1.8 | Rafael Mendonça França | 2015-01-02 | 1 | -0/+2 |
| | | |||||
| * | Merge pull request #18160 from tmm1/3-2-ruby-2-2 | Rafael Mendonça França | 2015-01-02 | 3 | -6/+12 |
| |\ | 3-2-stable: add ruby 2.2 compatibility | ||||
| | * | Check `respond_to` before delegation due to: ↵ | Aaron Patterson | 2014-12-22 | 1 | -1/+7 |
| | | | https://github.com/ruby/ruby/commit/d781caaf313b8649948c107bba277e5ad7307314 | ||||
| | * | fix ruby 2.2 warning: circular argument reference | Aman Gupta | 2014-12-22 | 2 | -5/+5 |
| |/ |/| | |||||
| * | Test Rails 3.2 with Ruby 2.1 and 2.2 | Rafael Mendonça França | 2015-01-01 | 1 | -0/+2 |
|/ | |||||
* | bumping version for release | Aaron Patterson | 2014-11-16 | 9 | -9/+9 |
| | |||||
* | correctly escape backslashes in request path globs | Aaron Patterson | 2014-11-16 | 2 | -2/+44 |
| | Conflicts: actionpack/lib/action_dispatch/middleware/static.rb make sure that unreadable files are also not leaked CVE-2014-7829 | ||||
* | Merge branch '3.2.20' into 3-2-stable | Aaron Patterson | 2014-10-30 | 11 | -10/+47 |
|\ | * 3.2.20: bumping version to 3.2.20 FileHandler should not be called for files outside the root | ||||
| * | bumping version to 3.2.20 | Aaron Patterson | 2014-10-29 | 9 | -9/+9 |
| | | |||||
| * | FileHandler should not be called for files outside the root | Aaron Patterson | 2014-10-29 | 2 | -1/+38 |
| | | FileHandler#matches? should return false for files that are outside the "root" path. Conflicts: actionpack/lib/action_dispatch/middleware/static.rb Conflicts: actionpack/lib/action_dispatch/middleware/static.rb actionpack/test/dispatch/static_test.rb | ||||
* | | Regenerate sid when sbdy tries to fixate the session | Santiago Pastorino | 2014-08-04 | 2 | -12/+11 |
| | | Fixed broken test. Thanks Stephen Richards for reporting. | ||||
* | | Merge branch '3-2-sec' into 3-2-stable | Rafael Mendonça França | 2014-07-02 | 18 | -12/+58 |
|\| | |||||
| * | Preparing for 3.2.19 release | Rafael Mendonça França | 2014-07-02 | 16 | -9/+50 |
| | | |||||
| * | Check against bit string values using multiline regexp | Rafael Mendonça França | 2014-07-02 | 2 | -3/+8 |
| | | Fix CVE-2014-3482. | ||||
* | | Use a version of execjs compatible with Ruby 1.8 | Rafael Mendonça França | 2014-06-26 | 1 | -0/+3 |
|/ | |||||
* | Make sure Active Support configurations are applied correctly | Rafael Mendonça França | 2014-06-26 | 2 | -0/+19 |
| | Before this patch configuration set using config.active_support would not be set. Closes #15364 | ||||
* | Revert "Merge pull request #15794 from vishalzambre/patch-1" | Guillermo Iguaran | 2014-06-18 | 1 | -1/+1 |
| | This reverts commit 6d800a909e24465ca6f3fa5206222fa7d78967f6, reversing changes made to 6a051299f98ee43864326c6c0a4f7d169d22b3f8. We don't apply non-security fixes to 3-2-stable branch!!! | ||||
* | Merge pull request #15794 from vishalzambre/patch-1 | Guillermo Iguaran | 2014-06-18 | 1 | -1/+1 |
|\ | File.exists? is a deprecated name, use File.exist? | ||||
| * | File.exists? is a deprecated name, use File.exist? | Vishal Zambre | 2014-06-18 | 1 | -1/+1 |
|/ | File.exists? is a deprecated name, use File.exist? | ||||
* | Feature detect based on Ruby version. | Aaron Patterson | 2014-05-18 | 1 | -1/+1 |
| | I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob returns the wrong value on Ruby less than 2.2.0. Checking for a case-insensitive FS seems too hard, so just check Ruby version. | ||||
* | feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053 | Aaron Patterson | 2014-05-10 | 1 | -5/+21 |
| | |||||
* | use fnmatch to test for case insensitive file systems | Aaron Patterson | 2014-05-09 | 1 | -4/+2 |
| | this is due to: https://bugs.ruby-lang.org/issues/5994 | ||||
* | Merge branch '3-2-sec' into 3-2-stable | Rafael Mendonça França | 2014-05-06 | 19 | -14/+155 |
|\ | Conflicts: actionpack/CHANGELOG.md | ||||
| * | Fix broken tests of the previous release | Rafael Mendonça França | 2014-05-06 | 2 | -6/+6 |
| | | |||||
| * | Preparing for 3.2.18 release | Rafael Mendonça França | 2014-05-06 | 16 | -9/+115 |
| | |