| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Since 6857415187810f1289068a448268264d0cf0844f we are using #safe_join to
join the content when an Array is given, so we must include the dependent
module here to make sure it's available when this module is used alone.
This was making Simple Form tests to fail with current master due to the
missing dependency.
|
|
|
|
|
|
| |
Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
CVE-2016-6316
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`render(params)` is dangerous and could be a vector for attackers.
Don't allow calls to render passing params on views or controllers.
On a controller or view, we should not allow something like `render
params[:id]` or `render params`.
That could be problematic, because an attacker could pass input that
could lead to a remote code execution attack.
This patch is also compatible when using strong parameters.
CVE-2016-2098
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Render could leak access to external files before this patch.
A previous patch(CVE-2016-0752), attempted to fix this. However the tests
were miss-placed outside the TestCase subclass, so they were not running.
We should allow :file to be outside rails root, but anything else must
be inside the rails view directory.
The implementation has changed a bit though. Now the patch is more
similar with the 4.x series patches.
Now `render 'foo/bar'`, will add a special key in the options
hash, and not use the :file one, so when we look up that file, we
don't set the fallbacks, and only lookup a template, to constraint the
folders that can be accessed.
CVE-2016-2097
|
|
|
|
| |
closes GH-23248
|
|
|
|
|
|
|
|
|
|
| |
rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
|
| |
|
|
|
|
|
|
|
| |
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0. Checking for a
case-insensitive FS seems too hard, so just check Ruby version Checking
for a case-insensitive FS seems too hard, so just check Ruby version.
|
| |
|
|
|
|
|
|
| |
this is due to:
https://bugs.ruby-lang.org/issues/5994
|
|\
| |
| |
| |
| | |
Conflicts:
actionpack/CHANGELOG.md
|
| |
| |
| |
| |
| |
| |
| |
| | |
Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
|
| |
| |
| |
| |
| |
| |
| | |
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
|
| |
| |
| |
| |
| |
| |
| | |
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
Conflicts:
actionpack/CHANGELOG.md
|
|/
|
|
|
|
| |
Now users have to explicit mark the unit as safe if they trust it.
Closes #13161
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
Conflicts:
actionpack/lib/action_view/helpers/translation_helper.rb
Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
|
|
|
|
|
|
| |
Fixes CVE-2013-6415
Previously the values were trusted blindly allowing for potential XSS attacks.
|
|
|
|
| |
CVE-2013-6414
|
| |
|
|
|
|
| |
Always escape the result of link_to_unless method
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
image_tag("HTTP://google.com")
# => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
image_tag("http://google.com")
# => "<img alt=\"Google\" src=\"http://google.com\" />"
After:
image_tag("HTTP://google.com")
# => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
image_tag("http://google.com")
# => "<img alt=\"Google\" src=\"http://google.com\" />"
Backport of #10969
|
| |
|
|
|
|
|
|
|
|
| |
If a file field tag is passed the multiple option, it is turned into an
array field (appending "[]"), but if the file field is passed an
explicit name as an option, leave the name alone (do not append "[]").
Fixes #9830
|
|
|
|
| |
and PartialRenderer
|
| |
|
|
|
|
| |
Closes #9767.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix incorrectly appended square brackets to a multiple select box
Before:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][][]" ...>
After:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][]" ...>
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_view/helpers/tags/base.rb
actionpack/test/template/form_options_helper_test.rb
|
| |
|
|
|
|
|
| |
Another missing dependency, now affecting #number_to_percentage.
It depends on reverse_merge.
|
|
|
| |
symbolize_keys depends on hash/keys AS core extension
|
|
|
|
|
|
| |
Conflicts:
actionpack/lib/action_view/helpers/form_helper.rb
actionpack/test/template/form_helper_test.rb
|
|
|
|
| |
Fix typo on form_tag_helper.rb [ci skip]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because DateTime#to_time returns self when it has a non-zero offset
and subtracting two DateTime instances returns a Rational then the
distance_of_time_in_words methods outputs an incorrect value.
This is fixed in master because we can rely on Ruby 1.9.3's
implementation of to_time but it can't be fixed on Ruby 1.8.7 as
there is no way to map the DateTime to a Time with a non-zero offset.
We can workaround the problem by casting to Float before doing
the subtraction in the distance_of_time_in_words method.
Closes #8390
|
|
|
|
|
|
|
|
|
|
| |
This commit fixes the output of distance_of_time_in_words when
using integer or duration arguments. Previously a distance of
more than 30 seconds would be output as 'Less than 1 minute'
when using integer arguments and '1 minute' when using two
Time instances more than 30 seconds apart.
Cherry picked from 5fdd4cd9e47be972f146a8a17a74c8f4700e2ac0
|
|
|
|
|
|
|
| |
whether escaping is enabled. Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.
Conflicts:
actionpack/test/template/template_test.rb
|
|
|
|
|
|
|
|
|
| |
senny/8376_descriptive_error_message_for_partial_layout_true
More descriptive error when rendering a partial with `:layout => true`
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_view/renderer/partial_renderer.rb
|
|
|
|
| |
This is a backport of rails/rails#7997.
|
|
|
|
|
|
|
|
| |
Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`
Conflicts:
actionpack/CHANGELOG.md
actionpack/test/template/template_test.rb
|
| |
|
|
|
|
|
|
|
| |
Support :multiple option on input tags that also have :index
Conflicts:
actionpack/lib/action_view/helpers/tags/base.rb
actionpack/lib/action_view/helpers/tags/collection_check_boxes.rb
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
senny/7459_prefix_tempalte_assertion_variables"
This reverts commit 2bad605873b5b720d77ae6388a995827ab7fe705.
Conflicts:
actionpack/CHANGELOG.md
Reason: This added a regression related with shoulda-matchers, since it
is expecting the instance variable @layouts
See https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74
This will introduce back #7459 but this stable release will be backward compatible.
Related with #8068.
|
|
|
|
|
| |
Accept either :remote or 'remote' in both the html_options and
(url_)options hash arguments to link_to.
|
|
|
|
|
|
|
|
|
| |
prefix TemplateAssertions ivars.
Closes #7459
Conflicts:
actionpack/lib/action_controller/test_case.rb
actionpack/lib/action_view/test_case.rb
|
|
|
|
|
|
|
|
|
|
|
|
| |
we should take disabled option not only from `html_options` hash but from
`options` hash too like `build_select` method does it. So
datetime_select("post", "updated_at", { :discard_minute => true }, { :disabled => true })
datetime_select("post", "updated_at", :discard_minute => true , :disabled => true)
both these variants work now
closes #7431
|
|
|
|
|
|
| |
option_tags coerced to "" instead of nil
Closes #7404
|
|\ |
|
| |
| |
| |
| |
| |
| | |
Thanks to Marek Labos & Nethemba
CVE-2012-3465
|
| |
| |
| |
| | |
CVE-2012-3463
|