path: root/actionpack
Commit log: each entry gives the commit message, then (author, date; files changed, lines -removed/+added), then the commit body where one exists. Commits on a merged branch are indented under their merge commit.
* Merge branch '3-2-22-3' into 3-2-stable
  (Aaron Patterson, 2016-08-11; 3 files, -5/+22)
  * 3-2-22-3:
    bumping version
    ensure tag/content_tag escapes " in attribute vals

  * bumping version
    (Aaron Patterson, 2016-08-10; 1 file, -1/+1)

  * ensure tag/content_tag escapes " in attribute vals
    (Andrew Carpenter, 2016-08-10; 2 files, -4/+21)
    Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example:
    `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
    CVE-2016-6316
* update rendering comment
  (Arthur Neves, 2016-03-14; 1 file, -1/+1)
  [skip ci]

* Require hash_with_indifferent_access before using it
  (Rafael Mendonça França, 2016-03-08; 1 file, -0/+2)

* fix 1.8 hash syntax
  (Arthur Neves, 2016-03-01; 1 file, -1/+1)

* Add missing require to file
  (Arthur Neves, 2016-03-01; 1 file, -0/+1)

* Preparing for 3.2.22.2 release
  (Rafael Mendonça França, 2016-02-29; 1 file, -1/+1)

* Don't allow render(params) in view/controller
  (Arthur Neves, 2016-02-29; 3 files, -6/+79)
  `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters.
  CVE-2016-2098
* Complete work on 3.2 for render_data_leak patch.
  (Arthur Neves, 2016-02-29; 9 files, -103/+79)
  Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However, the tests were misplaced outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed.
  CVE-2016-2097
* Run `file.close` before unlinking for travis
  (eileencodes, 2016-01-28; 1 file, -1/+2)
  This works on OSX but for some reason travis is throwing a
  ```
  1) Error:
  ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
  NoMethodError: undefined method `unlink' for nil:NilClass
  ```
  Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.

* Fix hash syntax for 1.8.7
  (eileencodes, 2016-01-28; 1 file, -1/+1)
  Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.

* Regression test for rendering file from absolute path
  (eileencodes, 2016-01-28; 1 file, -0/+11)
  Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.

* Use 1.8 compatible hash syntax
  (Andrew White, 2016-01-25; 1 file, -4/+4)

* Use Ruby 1.8 compat syntax in actionpack/lib/action_view/template/resolver.rb.
  (Josef Šimánek, 2016-01-26; 1 file, -1/+1)
  closes GH-23248

* bumping version
  (Aaron Patterson, 2016-01-25; 1 file, -1/+1)

* allow :file to be outside rails root, but anything else must be inside the rails view directory
  (Aaron Patterson, 2016-01-22; 4 files, -4/+69)
  Conflicts:
    actionpack/test/controller/render_test.rb
    actionview/lib/action_view/template/resolver.rb
  CVE-2016-0752
* stop caching mime types globally
  (Aaron Patterson, 2016-01-22; 1 file, -2/+16)
  Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability.
  CVE-2016-0751

* use secure string comparisons for basic auth username / password
  (Aaron Patterson, 2016-01-22; 1 file, -1/+6)
  this will avoid timing attacks against applications that use basic auth.
  Conflicts:
    activesupport/lib/active_support/security_utils.rb
  Conflicts:
    actionpack/lib/action_controller/metal/http_authentication.rb
  CVE-2015-7576

* Preparing for 3.2.22 release
  (Rafael Mendonça França, 2015-06-16; 2 files, -1/+6)

* add parens to fix warning
  (Aman Gupta, 2015-01-05; 1 file, -1/+1)

* parse stringified mime type
  (Aman Gupta, 2015-01-02; 1 file, -1/+1)

* fix regex case
  (Aman Gupta, 2015-01-02; 1 file, -1/+1)

* restore I18n.locale after test
  (Aman Gupta, 2015-01-02; 1 file, -0/+8)

* convert another incompatible assert_raise invocation
  (Aman Gupta, 2015-01-02; 1 file, -1/+2)

* switch to minitest and test-unit compatible assert_raise syntax
  (Kouhei Sutou, 2015-01-02; 1 file, -1/+2)

* blacklist test-unit's @internal_data ivar
  (Aman Gupta, 2015-01-02; 1 file, -0/+1)
* bumping version for release
  (Aaron Patterson, 2014-11-16; 1 file, -1/+1)
* correctly escape backslashes in request path globs
  (Aaron Patterson, 2014-11-16; 2 files, -2/+44)
  Conflicts:
    actionpack/lib/action_dispatch/middleware/static.rb
  make sure that unreadable files are also not leaked
  CVE-2014-7829

* Merge branch '3.2.20' into 3-2-stable
  (Aaron Patterson, 2014-10-30; 3 files, -2/+39)
  * 3.2.20:
    bumping version to 3.2.20
    FileHandler should not be called for files outside the root

  * bumping version to 3.2.20
    (Aaron Patterson, 2014-10-29; 1 file, -1/+1)

  * FileHandler should not be called for files outside the root
    (Aaron Patterson, 2014-10-29; 2 files, -1/+38)
    FileHandler#matches? should return false for files that are outside the "root" path.
    Conflicts:
      actionpack/lib/action_dispatch/middleware/static.rb
    Conflicts:
      actionpack/lib/action_dispatch/middleware/static.rb
      actionpack/test/dispatch/static_test.rb
* Regenerate sid when somebody tries to fixate the session
  (Santiago Pastorino, 2014-08-04; 2 files, -12/+11)
  Fixed broken test. Thanks Stephen Richards for reporting.
* Preparing for 3.2.19 release
  (Rafael Mendonça França, 2014-07-02; 2 files, -1/+3)
* Feature detect based on Ruby version.
  (Aaron Patterson, 2014-05-18; 1 file, -1/+1)
  I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob returns the wrong value on Ruby less than 2.2.0. Checking for a case-insensitive FS seems too hard, so just check Ruby version.
* feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053
  (Aaron Patterson, 2014-05-10; 1 file, -5/+21)

* use fnmatch to test for case insensitive file systems
  (Aaron Patterson, 2014-05-09; 1 file, -4/+2)
  this is due to: https://bugs.ruby-lang.org/issues/5994

* Merge branch '3-2-sec' into 3-2-stable
  (Rafael Mendonça França, 2014-05-06; 4 files, -5/+54)
  Conflicts:
    actionpack/CHANGELOG.md

  * Fix broken tests of the previous release
    (Rafael Mendonça França, 2014-05-06; 1 file, -5/+5)

  * Preparing for 3.2.18 release
    (Rafael Mendonça França, 2014-05-06; 2 files, -1/+15)

  * Only accept actions without File::SEPARATOR in the name.
    (Rafael Mendonça França, 2014-05-05; 2 files, -4/+41)
    This will avoid directory traversal in implicit render.
    Fixes: CVE-2014-0130

* Merge branch '3-2-17' into 3-2-stable
  (Rafael Mendonça França, 2014-02-18; 6 files, -4/+95)
  Conflicts:
    actionpack/CHANGELOG.md

  * Preparing for 3.2.17 release
    (Rafael Mendonça França, 2014-02-18; 2 files, -1/+11)
  * Use the reference for the mime type to get the format
    (Rafael Mendonça França, 2014-02-18; 2 files, -1/+18)
    Before we were calling to_sym on the mime type, even when it is unknown, which can cause denial of service since symbols are not removed by the garbage collector.
    Fixes: CVE-2014-0082
  * Escape format, negative_format and units options of number helpers
    (Rafael Mendonça França, 2014-02-18; 2 files, -1/+64)
    Previously the values of these options were trusted leading to potential XSS vulnerabilities.
    Fixes: CVE-2014-0081

* Fix force_ssl.rb documentation. Close tt tag.
  (Josef Šimánek, 2014-01-06; 1 file, -1/+1)
  [ci skip]

* Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
  (Carlos Antonio da Silva, 2013-12-04; 3 files, -1/+24)
  Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
  Conflicts:
    actionpack/CHANGELOG.md
* Fix documentation of number_to_currency helper
  (Rafael Mendonça França, 2013-12-04; 2 files, -5/+5)
  Now users have to explicitly mark the unit as safe if they trust it.
  Closes #13161
* repair a test broken by the number_to_currency XSS fix
  (Tobias Kraze, 2013-12-04; 1 file, -4/+4)

* updating the changelog
  (Aaron Patterson, 2013-12-02; 2 files, -1/+9)