| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`render(params)` is dangerous and could be a vector for attackers.
Don't allow calls to render passing params on views or controllers.
On a controller or view, we should not allow something like `render
params[:id]` or `render params`.
That could be problematic, because an attacker could pass input that
could lead to a remote code execution attack.
This patch is also compatible when using strong parameters.
CVE-2016-2098
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Render could leak access to external files before this patch.
A previous patch(CVE-2016-0752), attempted to fix this. However the tests
were miss-placed outside the TestCase subclass, so they were not running.
We should allow :file to be outside rails root, but anything else must
be inside the rails view directory.
The implementation has changed a bit though. Now the patch is more
similar with the 4.x series patches.
Now `render 'foo/bar'`, will add a special key in the options
hash, and not use the :file one, so when we look up that file, we
don't set the fallbacks, and only lookup a template, to constraint the
folders that can be accessed.
CVE-2016-2097
|
|
|
|
|
|
|
|
|
|
|
| |
This works on OSX but for some reason travis is throwing a
```
1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.
|
|
|
|
| |
Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
|
|
|
|
|
|
| |
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
|
|
|
|
|
| |
Conflicts:
actionpack/test/controller/render_test.rb
|
| |
|
|
|
|
|
|
| |
can't pass :locals to #assert_template without a view test case (#3415)
Conflicts:
actionpack/CHANGELOG.md
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
|
|
|
|
| |
ActionController::Metal controller.
|
|
|
|
| |
when using the :head method/shortcut
|
|
|
|
| |
Closes #5632
|
|
|
|
|
|
|
|
|
| |
Previously `rendered_format` was set only based on mime types
passed in Accept header, which was wrong if first type from
Accept was different than rendered partial. The fix is to simply
move setting rendered_format to the place where template
is available and grab format from the template. If it fails
we can fallback to formats passed by Accept header.
|
| |
|
|
|
|
|
|
|
|
|
| |
This fixes situation where rendering template to string
sets `rendered_format` to the format rendered there.
This is ok to have consistent formats rendered in partials,
but it breaks on next renders if format is explicitly set
or on last render where default format does not necessarily
need to be the format of first rendered template.
|
| |
|
|
|
|
|
| |
Use the constants AbstractController::ActionNotFound and
AbstractController::DoubleRenderError respectively instead.
|
| |
|
|
|
|
| |
Signed-off-by: José Valim <jose.valim@gmail.com>
|
|
|
|
|
|
|
|
| |
fresh_when/stale? conditional get methods from Action Pack"
Needless indirection with no added value.
This reverts commit 535853e83b9092078035a5abb2aa242fba815c05.
|
|
|
|
| |
fresh_when/stale? conditional get methods from Action Pack
|
| |
|
|
|
|
|
|
| |
For example, calling hello.erb is now deprecated. Since Rails 3.0
passing the handler had no effect whatsover. This commit simply
deprecates such cases so we can clean up the code in later releases.
|
| |
|
| |
|
| |
|
|
|
|
| |
fix issues/1951
|
|
|
|
|
| |
https://github.com/rails/rails/issues/1951
Namespaced model partial_path is wrong in namespaced controllers
|
| |
|
| |
|
|
|
|
|
|
| |
filesystems.
This fixes CVE-2011-0449
|
| |
|
| |
|
| |
|
|
|
|
| |
Initialize ivar.
|
|
|
|
| |
and avoiding capitalize. [#5636 state:resolved]
|
| |
|
|
|
|
| |
better default failure messages - let's use them
|
|
|
|
| |
's/[ \t]*$//' -i {} \;)
|
|
|
|
|
|
| |
[#4784 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
|
|
|
|
| |
not "ActiveRecord"
|
|
|
|
| |
This reverts commit ade756fe42423033bae8e5aea8f58782f7a6c517.
|
|
|
|
| |
This reverts commits af0d1a88157942c6e6398dbf73891cff1e152405 and 64d109e3539ad600f58536d3ecabd2f87b67fd1c.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Default Encoding.default_internal to UTF-8
* Eliminated the use of file-wide magic comments to coerce code evaluated inside the file
* Read templates as BINARY, use default_external or template-wide magic comments
inside the Template to set the initial encoding
* This means that template handlers in Ruby 1.9 will receive Strings encoded
in default_internal (UTF-8 by default)
* Create a better Exception for encoding issues, and use it when the template
source has bytes that are not compatible with the specified encoding
* Allow template handlers to opt-into handling BINARY. If they do so, they
need to do some of their own manual encoding work
* Added a "Configuration Gotchas" section to the intro Rails Guide instructing
users to use UTF-8 for everything
* Use config.encoding= in Ruby 1.8, and raise if a value that is an invalid
$KCODE value is used
Also:
* Fixed a few tests that were assert() rather than assert_equal() and
were caught by Minitest requiring a String for the message
* Fixed a test where an assert_select was misformed, also caught by
Minitest being more restrictive
* Fixed a test where a Rack response was returning a String rather
than an Enumerable
|
|
|
|
| |
Signed-off-by: José Valim <jose.valim@gmail.com>
|
|
|
|
| |
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
| |
|