aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib
Commit message (Collapse)AuthorAgeFilesLines
* TestCase does not need to be loaded when loading the frameworkAaron Patterson2016-12-021-1/+2
| | | | (cherry picked from commit 8b35a239fb2dd9bfeed7f99f10e826a82dfb59da)
* Double assign locals to avoid unused variables warningAndrew White2016-11-021-1/+2
|
* Fix File.exists? deprecation warnings in Action PackAndrew White2016-11-022-2/+2
|
* Fix inconsistencies in path with missing helpersAndrew White2016-11-021-1/+14
| | | | | | Ruby 2.0 and later demonstrate some inconsistencies when a helper file is not found with the path method on LoadError. By creating a subclass of LoadError we can cater for the inconsistencies.
* bumping versionAaron Patterson2016-09-141-1/+1
|
* adds a couple of missing requiresXavier Noria2016-08-222-0/+3
|
* Remove dead code and ensure values are strings before calling gsubMike Virata-Stone2016-08-111-2/+1
|
* Merge branch '3-2-22-3' into 3-2-stableAaron Patterson2016-08-112-1/+2
|\ | | | | | | | | | | * 3-2-22-3: bumping version Include missing module in tag_helper
| * bumping versionAaron Patterson2016-08-111-1/+1
| |
| * Include missing module in tag_helperCarlos Antonio da Silva2016-08-111-0/+1
| | | | | | | | | | | | | | | | | | Since 6857415187810f1289068a448268264d0cf0844f we are using #safe_join to join the content when an Array is given, so we must include the dependent module here to make sure it's available when this module is used alone. This was making Simple Form tests to fail with current master due to the missing dependency.
* | Merge branch '3-2-22-3' into 3-2-stableAaron Patterson2016-08-112-5/+12
|\| | | | | | | | | | | * 3-2-22-3: bumping version ensure tag/content_tag escapes " in attribute vals
| * bumping versionAaron Patterson2016-08-101-1/+1
| |
| * ensure tag/content_tag escapes " in attribute valsAndrew Carpenter2016-08-101-4/+11
| | | | | | | | | | | | Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))` CVE-2016-6316
* | update rendering commentArthur Neves2016-03-141-1/+1
| | | | | | | | [skip ci]
* | Require hash_with_indifferent_access before using itRafael Mendonça França2016-03-081-0/+2
| |
* | Add missing require to fileArthur Neves2016-03-011-0/+1
|/
* Preparing for 3.2.22.2 releaseRafael Mendonça França2016-02-291-1/+1
|
* Don't allow render(params) in view/controllerArthur Neves2016-02-291-0/+5
| | | | | | | | | | | | | | | `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters. CVE-2016-2098
* Complete work on 3.2 for render_data_leak patch.Arthur Neves2016-02-297-27/+50
| | | | | | | | | | | | | | | | | | Render could leak access to external files before this patch. A previous patch(CVE-2016-0752), attempted to fix this. However the tests were miss-placed outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar with the 4.x series patches. Now `render 'foo/bar'`, will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only lookup a template, to constraint the folders that can be accessed. CVE-2016-2097
* Use Ruby 1.8 compat syntax in actionpack/lib/action_view/template/resolver.rb.Josef Šimánek2016-01-261-1/+1
| | | | closes GH-23248
* bumping versionAaron Patterson2016-01-251-1/+1
|
* allow :file to be outside rails root, but anything else must be inside the ↵Aaron Patterson2016-01-221-0/+17
| | | | | | | | | | rails view directory Conflicts: actionpack/test/controller/render_test.rb actionview/lib/action_view/template/resolver.rb CVE-2016-0752
* stop caching mime types globallyAaron Patterson2016-01-221-2/+16
| | | | | | | Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751
* use secure string comparisons for basic auth username / passwordAaron Patterson2016-01-221-1/+6
| | | | | | | | | | | | this will avoid timing attacks against applications that use basic auth. Conflicts: activesupport/lib/active_support/security_utils.rb Conflicts: actionpack/lib/action_controller/metal/http_authentication.rb CVE-2015-7576
* Preparing for 3.2.22 releaseRafael Mendonça França2015-06-161-1/+1
|
* blacklist test-unit's @internal_data ivarAman Gupta2015-01-021-0/+1
|
* bumping version for relesaseAaron Patterson2014-11-161-1/+1
|
* correctly escape backslashes in request path globsAaron Patterson2014-11-161-2/+3
| | | | | | | | | Conflicts: actionpack/lib/action_dispatch/middleware/static.rb make sure that unreadable files are also not leaked CVE-2014-7829
* Merge branch '3.2.20' into 3-2-stableAaron Patterson2014-10-302-2/+21
|\ | | | | | | | | | | * 3.2.20: bumping version to 3.2.20 FileHandler should not be called for files outside the root
| * bumping version to 3.2.20Aaron Patterson2014-10-291-1/+1
| |
| * FileHandler should not be called for files outside the rootAaron Patterson2014-10-291-1/+20
| | | | | | | | | | | | | | | | | | | | | | | | FileHandler#matches? should return false for files that are outside the "root" path. Conflicts: actionpack/lib/action_dispatch/middleware/static.rb Conflicts: actionpack/lib/action_dispatch/middleware/static.rb actionpack/test/dispatch/static_test.rb
* | Regenerate sid when sbdy tries to fixate the sessionSantiago Pastorino2014-08-041-3/+3
|/ | | | | | Fixed broken test. Thanks Stephen Richards for reporting.
* Preparing for 3.2.19 releaseRafael Mendonça França2014-07-021-1/+1
|
* Feature detect based on Ruby version.Aaron Patterson2014-05-181-1/+1
| | | | | | | I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob returns the wrong value on Ruby less than 2.2.0. Checking for a case-insensitive FS seems too hard, so just check Ruby version Checking for a case-insensitive FS seems too hard, so just check Ruby version.
* feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053Aaron Patterson2014-05-101-5/+21
|
* use fnmatch to test for case insensitive file systemsAaron Patterson2014-05-091-4/+2
| | | | | | this is due to: https://bugs.ruby-lang.org/issues/5994
* Merge branch '3-2-sec' into 3-2-stableRafael Mendonça França2014-05-062-4/+26
|\ | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * Preparing for 3.2.18 releaseRafael Mendonça França2014-05-061-1/+1
| |
| * Only accept actions without File::SEPARATOR in the name.Rafael Mendonça França2014-05-051-3/+25
| | | | | | | | | | | | This will avoid directory traversal in implicit render. Fixes: CVE-2014-0130
* | Merge branch '3-2-17' into 3-2-stableRafael Mendonça França2014-02-183-3/+15
|\| | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * Preparing for 3.2.17 releaseRafael Mendonça França2014-02-181-1/+1
| |
| * Use the reference for the mime type to get the formatRafael Mendonça França2014-02-181-1/+1
| | | | | | | | | | | | | | | | Before we were calling to_sym in the mime type, even when it is unknown what can cause denial of service since symbols are not removed by the garbage collector. Fixes: CVE-2014-0082
| * Escape format, negative_format and units options of number helpersRafael Mendonça França2014-02-181-1/+13
| | | | | | | | | | | | | | Previously the values of these options were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2014-0081
* | Fix force_ssl.rb documentation. Close tt tag.Josef Šimánek2014-01-061-1/+1
| | | | | | [ci skip]
* | Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_optionCarlos Antonio da Silva2013-12-041-1/+9
| | | | | | | | | | | | | | Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix. Conflicts: actionpack/CHANGELOG.md
* | Fix documentation of number_to_currency helperRafael Mendonça França2013-12-041-4/+4
|/ | | | | | Now users have to explicit mark the unit as safe if they trust it. Closes #13161
* updating the changelogAaron Patterson2013-12-021-1/+1
|
* Deep Munge the parameters for GET and POSTMichael Koziarski2013-12-021-2/+2
| | | | | | | | | | | The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed. Fixes CVE-2013-6417 Conflicts: actionpack/lib/action_dispatch/http/request.rb
* Stop using i18n's built in HTML error handling.Michael Koziarski2013-12-021-13/+8
| | | | | | | | | | | | | | i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves. Fixes: CVE-2013-4491 Conflicts: actionpack/lib/action_view/helpers/translation_helper.rb Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
* Escape the unit value provided to number_to_currencyMichael Koziarski2013-12-021-1/+1
| | | | | | Fixes CVE-2013-6415 Previously the values were trusted blindly allowing for potential XSS attacks.
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-26 02:16:56 +0000