| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
| |
Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
|
|
|
|
|
|
|
| |
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
Conflicts:
actionpack/lib/action_dispatch/http/request.rb
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
Conflicts:
actionpack/lib/action_view/helpers/translation_helper.rb
Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
|
|
|
|
|
|
| |
Fixes CVE-2013-6415
Previously the values were trusted blindly allowing for potential XSS attacks.
|
|
|
|
| |
CVE-2013-6414
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* 3-2-15:
bumping to rc3
Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
bumping to rc2
Merge pull request #12443 from arthurnn/add_inverse_of_add_target
bumping version to 3.2.15.rc1
Fix STI scopes using benolee's suggestion. Fixes #11939
|
| | |
|
| | |
|
| | |
|
|\|
| |
| |
| |
| |
| | |
* 3-2-stable:
make sure both headers are set before checking for ip spoofing
Move set_inverse_instance to association.build_record
|
| | |
|
|/
|
|
|
| |
This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.
|
|
|
|
|
|
|
|
| |
Fixes table.joins(:relation).last(N) breaking on sqlite
Conflicts:
activerecord/CHANGELOG.md
activerecord/test/cases/finder_test.rb
|
|
|
|
| |
constraints have access
|
| |
|
|
|
|
| |
It was included by git on the wrong release
|
|\ |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
Issue: when `assert_redirected_to` fails due to the response redirect not
matching the expected redirect the user-supplied message (second parameter)
is not shown. This message is only shown if the response is not a redirect.
|
|/
|
|
| |
This test file is not be running from a long time
This test is already covered in controller/caching_test.rb
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Merge `:action` from routing scope and assign endpoint if both `:controller`
and `:action` are present. The endpoint assignment only occurs if there is
no `:to` present in the options hash so should only affect routes using the
shorthand syntax (i.e. endpoint is inferred from the the path).
Fixes #9856
Backport of 37b4276
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
Always escape the result of link_to_unless method
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
image_tag("HTTP://google.com")
# => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
image_tag("http://google.com")
# => "<img alt=\"Google\" src=\"http://google.com\" />"
After:
image_tag("HTTP://google.com")
# => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
image_tag("http://google.com")
# => "<img alt=\"Google\" src=\"http://google.com\" />"
Backport of #10969
|
|
|
|
| |
In those version to_date call Fixnum#/, what will cause a failure
|
|
|
|
|
|
| |
use canonical #controller_path logic in controller test cases
Conflicts:
actionpack/lib/action_controller/test_case.rb
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
If a file field tag is passed the multiple option, it is turned into an
array field (appending "[]"), but if the file field is passed an
explicit name as an option, leave the name alone (do not append "[]").
Fixes #9830
|
|
|
|
| |
Introduced in 2c22376fe04b89e8f34620139720b85a85ce3428
|
|
|
|
| |
Introduced in 2c22376fe04b89e8f34620139720b85a85ce3428
|
|
|
|
| |
and PartialRenderer
|
|
|
|
| |
Sentences starting with # are considered headings.
|
| |
|
|
|
|
|
|
| |
df36c5f - Fix assert_template assertion with :layout option
4bd05a7 - Fix assert_template :layout => nil assertion
0d19a08 - Improve assert_template layout checking
|
|
|
|
| |
Pathname doesn't respond to to_path
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* 3-2-stable:
Merge pull request #9802 from newsline/fix-broken-action-missing
Remove bad changelog entry from AR [ci skip]
Wrong exception is occured when raising no translatable exception
Don't crash exception translation w/ nil result attribute.
Conflicts:
actionpack/CHANGELOG.md
|