| Commit message | Author | Age | Files | Lines |
* 3-2-22-3:
bumping version
ensure tag/content_tag escapes " in attribute vals
Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
CVE-2016-6316
[skip ci]
`render(params)` is dangerous and could be a vector for attackers.
Don't allow calls to render passing params on views or controllers.
On a controller or view, we should not allow something like `render params[:id]` or `render params`.
That could be problematic, because an attacker could pass input that
could lead to a remote code execution attack.
This patch is also compatible when using strong parameters.
CVE-2016-2098
Render could leak access to external files before this patch.
A previous patch (CVE-2016-0752) attempted to fix this. However, the tests
were misplaced outside the TestCase subclass, so they were not running.
We should allow :file to be outside rails root, but anything else must
be inside the rails view directory.
The implementation has changed a bit though. Now the patch is more
similar to the 4.x series patches.
Now `render 'foo/bar'` will add a special key in the options
hash, and not use the :file one, so when we look up that file, we
don't set the fallbacks, and only look up a template, to constrain the
folders that can be accessed.
CVE-2016-2097
This works on OSX but for some reason travis is throwing a
```
1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.
Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
closes GH-23248
rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
Unknown mime types should not be cached globally. This global cache
leads to a memory leak and a denial of service vulnerability.
CVE-2016-0751
This will avoid timing attacks against applications that use basic auth.
Conflicts:
activesupport/lib/active_support/security_utils.rb
Conflicts:
actionpack/lib/action_controller/metal/http_authentication.rb
CVE-2015-7576
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
make sure that unreadable files are also not leaked
CVE-2014-7829
* 3.2.20:
bumping version to 3.2.20
FileHandler should not be called for files outside the root
FileHandler#matches? should return false for files that are outside the
"root" path.
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
actionpack/test/dispatch/static_test.rb
Fixed broken test.
Thanks Stephen Richards for reporting.
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0. Checking for a
case-insensitive FS seems too hard, so just check the Ruby version.
this is due to:
https://bugs.ruby-lang.org/issues/5994
Conflicts:
actionpack/CHANGELOG.md
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
Conflicts:
actionpack/CHANGELOG.md
Before, we were calling to_sym on the mime type even when it is unknown,
which can cause a denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
[ci skip]
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
Conflicts:
actionpack/CHANGELOG.md
Now users have to explicitly mark the unit as safe if they trust it.
Closes #13161