Commit log of the 3-2-stable branch. Each entry: commit message (author, date; files changed, -lines removed/+lines added), followed by the commit body where there is one.
* Don't short-circuit reject_if proc (Andrew White, 2016-01-22; 2 files, -2/+25)
  When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false.
  CVE-2015-7577
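The decision the commit message describes, as an added example in plain Ruby rather than Rails' own nested-attributes code: the vulnerable ordering (any `_destroy` flag skips `reject_if`) next to the fixed one (skip only when the record really will be destroyed). `reject_vulnerable?`, `reject_fixed?`, `BLANK_TITLE` and the small set of values treated as a true `_destroy` flag are assumptions made for the example.

```ruby
# Added example (not Rails code): the accept/reject decision for one nested
# attribute hash. `reject_if` stands for the proc an application passes to
# accepts_nested_attributes_for; `allow_destroy` is that macro's option.
DESTROY_KEY = "_destroy"

# Values accepted as "true" for _destroy. Kept deliberately small; the exact
# set Rails accepts is not reproduced here (assumption).
def destroy_flag?(attrs)
  [true, 1, "1", "true"].include?(attrs[DESTROY_KEY])
end

# Vulnerable ordering: any hash carrying _destroy skips reject_if, even when
# the association does not allow destruction. The record is then neither
# destroyed nor rejected, so the rest of the hash is applied unchecked.
def reject_vulnerable?(attrs, reject_if:, allow_destroy:)
  return false if destroy_flag?(attrs)
  reject_if.call(attrs)
end

# Fixed ordering: short-circuit only when the record really will be
# destroyed, i.e. _destroy is set AND allow_destroy is true.
def reject_fixed?(attrs, reject_if:, allow_destroy:)
  return false if allow_destroy && destroy_flag?(attrs)
  reject_if.call(attrs)
end

# A typical application-level reject_if: drop posts with no title.
BLANK_TITLE = proc { |attrs| attrs["title"].to_s.strip.empty? }

# Runs both versions over the same attribute hash and reports who rejected it.
def compare(attrs, allow_destroy:)
  {
    vulnerable: reject_vulnerable?(attrs, reject_if: BLANK_TITLE, allow_destroy: allow_destroy),
    fixed:      reject_fixed?(attrs, reject_if: BLANK_TITLE, allow_destroy: allow_destroy)
  }
end

if __FILE__ == $0
  # Attacker sends a blank title plus _destroy=1 to an association that does
  # not allow destruction: the old code lets it through, the fix rejects it.
  p compare({ "title" => "", "_destroy" => "1" }, allow_destroy: false)
end
```

With `allow_destroy: true` both versions return `false`, which is the intended path: the record is about to be destroyed, so validating its other attributes would be pointless.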
* stop caching mime types globally (Aaron Patterson, 2016-01-22; 1 file, -2/+16)
  Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability.
  CVE-2016-0751
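The failure mode in the commit message, as an added example that is not Action Pack's `Mime::Type` code: a process-wide lookup table that memoizes every media-type string it is asked about grows by one entry per distinct `Accept` value an attacker sends, and is never evicted. `MimeTable`, its two lookup methods and the constructed request loop are assumptions made for the example.

```ruby
# Added example (not Action Pack's Mime::Type code): a media type table that
# answers lookups for client-supplied strings without interning them.
class MimeTable
  def initialize
    @registered = {}   # "text/html" => :html, filled by register
    @cache = {}        # lookup memo; this is what an attacker tries to grow
  end

  def register(symbol, media_type)
    @registered[media_type] = symbol
  end

  # Vulnerable pattern: memoize every string ever looked up. Each distinct
  # unknown type seen in a request adds an entry that is never evicted.
  def lookup_unbounded(media_type)
    @cache[media_type] ||= @registered.fetch(media_type, :unknown)
  end

  # Fixed pattern: only registered types are memoized; unknown strings are
  # answered and forgotten, so the table is bounded by what the app registered.
  def lookup_bounded(media_type)
    return :unknown unless @registered.key?(media_type)
    @cache[media_type] ||= @registered[media_type]
  end

  def cache_size
    @cache.size
  end
end

# Media types named in an Accept header, with parameters such as q= stripped.
def types_from_accept(header)
  header.split(",").map { |part| part.split(";").first.strip.downcase }
end

# Drives `n` requests, each carrying a distinct attacker-chosen media type
# (constructed sample input), through the given lookup method and returns
# how many cache entries they leave behind.
def entries_after_hostile_requests(lookup, n)
  table = MimeTable.new
  table.register(:html, "text/html")
  n.times do |i|
    header = "text/html;q=0.9, application/x-evil-#{i}"
    types_from_accept(header).each { |type| table.public_send(lookup, type) }
  end
  table.cache_size
end

if __FILE__ == $0
  p unbounded: entries_after_hostile_requests(:lookup_unbounded, 1000),
    bounded:   entries_after_hostile_requests(:lookup_bounded, 1000)
end
```

The same rule applies to any process-wide table keyed by attacker-controlled strings; converting untrusted input to symbols with `to_sym` had the same effect on Rubies before 2.2, where symbols were never garbage collected.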
* use secure string comparisons for basic auth username / password (Aaron Patterson, 2016-01-22; 2 files, -1/+33)
  This will avoid timing attacks against applications that use basic auth.
  Conflicts:
    activesupport/lib/active_support/security_utils.rb
  Conflicts:
    actionpack/lib/action_controller/metal/http_authentication.rb
  CVE-2015-7576
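What "secure string comparison" means in practice, as an added example that is not `ActiveSupport::SecurityUtils` or the Rails HTTP Basic code: `String#==` returns at the first differing byte, so response time leaks how many leading bytes of the password an attacker has right; a comparison that touches every byte and only then decides does not. `secure_compare`, `secure_compare_hashed`, `credentials_from_header` and `basic_auth_ok?` are names chosen for the example.

```ruby
# Added example (not ActiveSupport::SecurityUtils): constant-time comparison
# and a Basic-auth check built on it.
require "digest"

# Naive comparison: returns at the first differing byte, leaking position.
def naive_equal?(a, b)
  a == b
end

# Constant time for equal-length inputs: every byte pair is XORed and OR-ed
# into an accumulator; the only early return is on a length mismatch, which
# leaks nothing beyond the length itself.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Also hides the length of the secret: both sides are hashed to a fixed size
# first, then compared in constant time.
def secure_compare_hashed(a, b)
  secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

# Parses "Basic <base64>" into [user, password]; nil for anything else.
# pack/unpack "m" is used so no base64 gem is required.
def credentials_from_header(header)
  return nil unless header.is_a?(String) && header.start_with?("Basic ")
  decoded = header[6..].unpack1("m")
  user, pass = decoded.split(":", 2)
  return nil if user.nil? || pass.nil?
  [user, pass]
end

# Single `&` rather than `&&` so both comparisons always run: short-circuiting
# on the username would reveal, by timing, whether the username alone matched.
def basic_auth_ok?(header, expected_user, expected_pass)
  creds = credentials_from_header(header)
  return false unless creds
  user, pass = creds
  secure_compare_hashed(user, expected_user) & secure_compare_hashed(pass, expected_pass)
end

if __FILE__ == $0
  header = "Basic " + ["alice:s3cret"].pack("m0")   # constructed request header
  p basic_auth_ok?(header, "alice", "s3cret")
end
```

Note that constant-time comparison removes the timing signal only from the comparison itself; the expected credentials should still be stored as a hash, and the check should not be the only rate-limited thing on the endpoint.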
* Removing inaccurate note on the releasing guide (Rafael Mendonça França, 2015-06-16; 1 file, -3/+0)
* Preparing for 3.2.22 release (Rafael Mendonça França, 2015-06-16; 16 files, -9/+48)
* enforce a depth limit on XML documents (Aaron Patterson, 2015-06-16; 3 files, -10/+15)
  XML documents that are too deep can cause a stack overflow, which in turn will cause a potential DoS attack.
  CVE-2015-3227
  Conflicts:
    activesupport/lib/active_support/xml_mini.rb
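One way to enforce such a limit, as an added example and not Active Support's `XmlMini` code: walk the tag structure of the document with a flat scan before any recursive parser sees it, and refuse it as soon as nesting exceeds the limit. `check_xml_depth`, `TAG_RE`, the exception class and the constructed sample documents are assumptions made for the example; the scanner is a pre-check, not a parser, and does not special-case CDATA sections.

```ruby
# Added example (not Active Support's XmlMini): a pre-parse depth check.
class XmlDepthExceeded < StandardError; end

# Start tag, end tag or self-closing tag. Comments, processing instructions
# and doctype declarations do not begin with a name character, so they are
# skipped. CDATA contents are not special-cased (assumption: caller strips
# them first if they may contain angle brackets).
TAG_RE = %r{<(/?)([A-Za-z_][\w:.-]*)[^>]*?(/?)>}

# Returns the maximum nesting depth, or raises as soon as `limit` is exceeded,
# which is the point: the work done before refusing is linear in the input
# and uses no recursion.
def check_xml_depth(xml, limit:)
  depth = 0
  deepest = 0
  xml.scan(TAG_RE) do |closing, _name, self_closing|
    next unless self_closing.empty?          # <leaf/> opens and closes at once
    if closing.empty?
      depth += 1
      raise XmlDepthExceeded, "nesting depth #{depth} exceeds limit #{limit}" if depth > limit
      deepest = depth if depth > deepest
    else
      depth -= 1
    end
  end
  deepest
end

# Constructed sample input: `levels` nested elements around a payload.
def nested_document(levels)
  ("<level>" * levels) + "payload" + ("</level>" * levels)
end

if __FILE__ == $0
  p check_xml_depth(nested_document(5), limit: 100)
  begin
    check_xml_depth(nested_document(5_000), limit: 100)
  rescue XmlDepthExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

A real deployment would apply the same limit inside the parser as well (most libraries expose one), since the scan above happily accepts malformed documents that the parser would handle differently.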
* Merge pull request #18718 from jgeiger/fix_ruby_2_2_comparable_warnings (Rafael Mendonça França, 2015-01-29; 2 files, -1/+2)
  Fix ruby 2.2 comparable warnings
  * Fix ruby 2.2 comparable warnings (Joey Geiger, 2015-01-29; 2 files, -1/+2)
    Check for correct value type in activerecord/fixtures.rb
    Check that zone can respond to expected values to make the comparison.
* pg 0.18 does not support Ruby < 1.9.3 (Rafael Mendonça França, 2015-01-07; 1 file, -1/+5)
* Only use old i18n when version is not compatible (Rafael Mendonça França, 2015-01-07; 1 file, -2/+4)
* Remove hard dependency on test-unit (Rafael Mendonça França, 2015-01-07; 5 files, -4/+17)
  Instead show an error message asking users to add the gem to their Gemfile if test-unit could not be loaded.
* Merge pull request #18306 from tmm1/rm-3-2-with-ruby-2-1-plus (Rafael Mendonça França, 2015-01-07; 13 files, -13/+39)
  3-2-stable: ruby 2.2 compatibility
  * add parens to fix warning (Aman Gupta, 2015-01-05; 1 file, -1/+1)
  * fix whitespace to match surrounding code (Aman Gupta, 2015-01-02; 1 file, -1/+1)
  * use self.method syntax to resolve circular argument issues (Aman Gupta, 2015-01-02; 2 files, -5/+5)
  * Fix `singleton_class?` (Vipul A M, 2015-01-02; 1 file, -3/+5)
    Due to changes from http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/39628 current `singleton_class?` implementation fails. Changed based on reference from http://bugs.ruby-lang.org/issues/7609
    Conflicts:
      activesupport/lib/active_support/core_ext/class/attribute.rb
  * parse stringified mime type (Aman Gupta, 2015-01-02; 1 file, -1/+1)
  * fix yaml compat on ruby 2.2 (Aman Gupta, 2015-01-02; 1 file, -1/+3)
  * fix regex case (Aman Gupta, 2015-01-02; 1 file, -1/+1)
  * restore I18n.locale after test (Aman Gupta, 2015-01-02; 1 file, -0/+8)
  * convert another incompatible assert_raise invocation (Aman Gupta, 2015-01-02; 1 file, -1/+2)
  * switch to minitest and test-unit compatible assert_raise syntax (Kouhei Sutou, 2015-01-02; 1 file, -1/+2)
  * blacklist test-unit's @internal_data ivar (Aman Gupta, 2015-01-02; 1 file, -0/+1)
  * try using newer test-unit gem (Aman Gupta, 2015-01-02; 1 file, -1/+1)
  * added dependency of test-unit into activesupport (SHIBATA Hiroshi, 2015-01-02; 1 file, -0/+1)
  * Lock i18n to a version that works with Ruby 1.8 (Rafael Mendonça França, 2015-01-02; 1 file, -0/+2)
  * Merge pull request #18160 from tmm1/3-2-ruby-2-2 (Rafael Mendonça França, 2015-01-02; 3 files, -6/+12)
    3-2-stable: add ruby 2.2 compatibility
    * Check `respond_to` before delegation due to: https://github.com/ruby/ruby/commit/d781caaf313b8649948c107bba277e5ad7307314 (Aaron Patterson, 2014-12-22; 1 file, -1/+7)
    * fix ruby 2.2 warning: circular argument reference (Aman Gupta, 2014-12-22; 2 files, -5/+5)
  * Test Rails 3.2 with Ruby 2.1 and 2.2 (Rafael Mendonça França, 2015-01-01; 1 file, -0/+2)
* bumping version for release (Aaron Patterson, 2014-11-16; 9 files, -9/+9)
* correctly escape backslashes in request path globs (Aaron Patterson, 2014-11-16; 2 files, -2/+44)
  Conflicts:
    actionpack/lib/action_dispatch/middleware/static.rb
  Make sure that unreadable files are also not leaked.
  CVE-2014-7829
* Merge branch '3.2.20' into 3-2-stable (Aaron Patterson, 2014-10-30; 11 files, -10/+47)
  * 3.2.20:
      bumping version to 3.2.20
      FileHandler should not be called for files outside the root
  * bumping version to 3.2.20 (Aaron Patterson, 2014-10-29; 9 files, -9/+9)
  * FileHandler should not be called for files outside the root (Aaron Patterson, 2014-10-29; 2 files, -1/+38)
    FileHandler#matches? should return false for files that are outside the "root" path.
    Conflicts:
      actionpack/lib/action_dispatch/middleware/static.rb
    Conflicts:
      actionpack/lib/action_dispatch/middleware/static.rb
      actionpack/test/dispatch/static_test.rb
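The two static-file checks that the 3.2.20 `FileHandler` commit above and the "correctly escape backslashes in request path globs" commit (CVE-2014-7829) are about, as one added example that is not `ActionDispatch::Static`: resolve the request path under the document root and refuse anything that lands outside it, and escape glob metacharacters (the backslash included) before the path is handed to `Dir.glob`, so a request can only ever match the file it names. `escape_glob`, `resolve_under_root`, `servable_file`, the minimal percent-decoder and the temporary docroot built by `demo` are assumptions made for the example; a POSIX filesystem is assumed throughout.

```ruby
# Added example (not ActionDispatch::Static): path containment and glob
# escaping for a static-file handler.
require "tmpdir"

GLOB_META = /[\\*?\[\]{}]/

# Dir.glob treats * ? [ ] { } and backslash specially. Escape them, the
# backslash included, so the request path only matches itself.
def escape_glob(path)
  path.gsub(GLOB_META) { |c| "\\" + c }
end

# Percent-decode, resolve under root, and reject anything that lands outside.
# File.absolute_path collapses ".." and, unlike expand_path, never expands "~".
# Returns the absolute candidate path or nil. The decoder is deliberately
# minimal (assumption: single-byte escapes only).
def resolve_under_root(root, request_path)
  root = File.absolute_path(root)
  decoded = request_path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  relative = decoded.sub(%r{\A/+}, "")
  candidate = File.absolute_path(relative, root)
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# The FileHandler#matches? equivalent: servable only if under root, matched
# literally after glob escaping, and a readable regular file (an unreadable
# file must not be reported as present either).
def servable_file(root, request_path)
  candidate = resolve_under_root(root, request_path)
  return nil unless candidate
  match = Dir.glob(escape_glob(candidate)).first
  match if match && File.file?(match) && File.readable?(match)
end

# Builds a throwaway docroot holding one file whose name contains a glob
# metacharacter, then exercises the handler with benign and hostile paths.
def demo
  Dir.mktmpdir("docroot") do |root|
    File.write(File.join(root, "a*b.txt"), "served")
    {
      literal_name: servable_file(root, "/a*b.txt") == File.join(root, "a*b.txt"),
      traversal:    servable_file(root, "/../../etc/passwd"),
      encoded_dots: servable_file(root, "/%2e%2e/%2e%2e/etc/passwd"),
      missing:      servable_file(root, "/nope.txt"),
      # Unescaped, "a\*b.txt" is read by Dir.glob as the literal name
      # "a*b.txt" (the backslash quotes the star) and would serve that file
      # under a name the request never asked for. Escaped, it matches nothing.
      backslash:    servable_file(root, "/a\\*b.txt")
    }
  end
end

if __FILE__ == $0
  p demo
end
```

The containment check compares against `root + File::SEPARATOR`, not `root` alone, so a sibling directory such as `/srv/public2` is not mistaken for something under `/srv/public`.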
* Regenerate sid when somebody tries to fixate the session (Santiago Pastorino, 2014-08-04; 2 files, -12/+11)
  Fixed broken test. Thanks Stephen Richards for reporting.
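The behaviour the commit title describes, as an added example that is not Rack's or Rails' session store: a session id that arrives in the cookie but that the store never issued must not be adopted as a live session, otherwise an attacker who plants an id of their choosing in the victim's browser shares whatever session the victim then logs into. `SessionStore`, its two loaders, `rotate` and the constructed cookie value are assumptions made for the example.

```ruby
# Added example (not Rack::Session or the Rails session store): a minimal
# server-side session store with the vulnerable and the fixed loader.
require "securerandom"

class SessionStore
  def initialize
    @sessions = {}   # sid => data hash; only sids generated here become keys
  end

  def generate_sid
    SecureRandom.hex(16)
  end

  # Vulnerable: adopt whatever sid the cookie carries and create a session
  # under it. The attacker-chosen id becomes the victim's real session.
  def load_trusting(cookie_sid)
    sid = cookie_sid || generate_sid
    @sessions[sid] ||= {}
    [sid, @sessions[sid]]
  end

  # Fixed: a sid is honoured only if this store issued it and still holds it;
  # anything else is replaced by a freshly generated id, so the planted value
  # never becomes a live session.
  def load_verified(cookie_sid)
    if cookie_sid && @sessions.key?(cookie_sid)
      [cookie_sid, @sessions[cookie_sid]]
    else
      sid = generate_sid
      @sessions[sid] = {}
      [sid, @sessions[sid]]
    end
  end

  # Defence in depth: rotate the id on privilege change (login), carrying the
  # data across, even when the old id was legitimate.
  def rotate(old_sid)
    data = @sessions.delete(old_sid) || {}
    sid = generate_sid
    @sessions[sid] = data
    sid
  end
end

# Plays a fixation attempt against the given loader: the attacker plants a
# sid, the victim logs in, the attacker presents the same sid again.
# Returns true if the attacker now sees the victim's session data.
def fixation_succeeds?(loader)
  store = SessionStore.new
  planted = "attacker-chosen-sid"                 # constructed cookie value
  _sid, data = store.public_send(loader, planted)
  data[:user_id] = 42                             # victim logs in
  store.public_send(loader, planted).last[:user_id] == 42
end

if __FILE__ == $0
  p trusting: fixation_succeeds?(:load_trusting), verified: fixation_succeeds?(:load_verified)
end
```

Rejecting unknown ids is what stops fixation at the store; rotating on login (`rotate`) is the separate, complementary control that also limits the damage from an id leaked before authentication.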
* Merge branch '3-2-sec' into 3-2-stable (Rafael Mendonça França, 2014-07-02; 18 files, -12/+58)
  * Preparing for 3.2.19 release (Rafael Mendonça França, 2014-07-02; 16 files, -9/+50)
  * Check against bit string values using multiline regexp (Rafael Mendonça França, 2014-07-02; 2 files, -3/+8)
    Fix CVE-2014-3482.
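The regexp pitfall behind this fix, as an added example that is not the PostgreSQL adapter's own quoting code: in Ruby, `^` and `$` match at line boundaries, not at the ends of the string, so a value that begins with a valid bit string and continues after a newline passes a check that looks anchored and is then interpolated into SQL unquoted. `\A` and `\z` anchor to the whole string. `quote_bit_naive`, `quote_bit_fixed` and the constructed payload are assumptions made for the example.

```ruby
# Added example (not the Active Record PostgreSQL adapter): quoting a bit
# string literal with a line-anchored check beside a string-anchored one.

# Vulnerable: ^ and $ match around any newline, so only the first line of
# the value has to look like a bit string.
def quote_bit_naive(value)
  if value =~ /^[01]*$/
    "B'#{value}'"
  elsif value =~ /^[0-9A-F]*$/i
    "X'#{value}'"
  else
    raise ArgumentError, "not a bit string: #{value.inspect}"
  end
end

# Fixed: \A and \z anchor to the start and the very end of the string.
# (\Z would still permit one trailing newline, so it is avoided here.)
def quote_bit_fixed(value)
  if value =~ /\A[01]*\z/
    "B'#{value}'"
  elsif value =~ /\A[0-9A-F]*\z/i
    "X'#{value}'"
  else
    raise ArgumentError, "not a bit string: #{value.inspect}"
  end
end

# Constructed attacker input: a valid first line, then SQL after a newline.
INJECTION_PAYLOAD = "01\n'); DROP TABLE users; --"

# Returns true if the given quoter lets the payload through intact.
def injection_slips_through?(quoter)
  send(quoter, INJECTION_PAYLOAD).include?("DROP TABLE")
rescue ArgumentError
  false
end

if __FILE__ == $0
  p naive: injection_slips_through?(:quote_bit_naive),
    fixed: injection_slips_through?(:quote_bit_fixed)
end
```

The same substitution (`^`/`$` to `\A`/`\z`) applies to every validation regexp that guards a value later placed into SQL, a shell command or a header; Ruby's `format` validators are a frequent place to look.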
* Use a version of execjs compatible with Ruby 1.8 (Rafael Mendonça França, 2014-06-26; 1 file, -0/+3)
* Make sure Active Support configurations are applied correctly (Rafael Mendonça França, 2014-06-26; 2 files, -0/+19)
  Before this patch configuration set using config.active_support would not be set.
  Closes #15364
* Revert "Merge pull request #15794 from vishalzambre/patch-1" (Guillermo Iguaran, 2014-06-18; 1 file, -1/+1)
  This reverts commit 6d800a909e24465ca6f3fa5206222fa7d78967f6, reversing changes made to 6a051299f98ee43864326c6c0a4f7d169d22b3f8.
  We don't apply non-security fixes to 3-2-stable branch!!!
* Merge pull request #15794 from vishalzambre/patch-1 (Guillermo Iguaran, 2014-06-18; 1 file, -1/+1)
  File.exists? is a deprecated name, use File.exist?
  * File.exists? is a deprecated name, use File.exist? (Vishal Zambre, 2014-06-18; 1 file, -1/+1)
    File.exists? is a deprecated name, use File.exist?
* Feature detect based on Ruby version. (Aaron Patterson, 2014-05-18; 1 file, -1/+1)
  I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob returns the wrong value on Ruby less than 2.2.0. Checking for a case-insensitive FS seems too hard, so just check Ruby version. Checking for a case-insensitive FS seems too hard, so just check Ruby version.
* feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053 (Aaron Patterson, 2014-05-10; 1 file, -5/+21)
* use fnmatch to test for case insensitive file systems (Aaron Patterson, 2014-05-09; 1 file, -4/+2)
  This is due to: https://bugs.ruby-lang.org/issues/5994
* Merge branch '3-2-sec' into 3-2-stable (Rafael Mendonça França, 2014-05-06; 19 files, -14/+155)
  Conflicts:
    actionpack/CHANGELOG.md
  * Fix broken tests of the previous release (Rafael Mendonça França, 2014-05-06; 2 files, -6/+6)
  * Preparing for 3.2.18 release (Rafael Mendonça França, 2014-05-06; 16 files, -9/+115)