| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|\
| |
| |
| |
| |
| | |
* 3-2-22-3:
bumping version
Include missing module in tag_helper
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since 6857415187810f1289068a448268264d0cf0844f we are using #safe_join to
join the content when an Array is given, so we must include the dependent
module here to make sure it's available when this module is used alone.
This was making Simple Form tests to fail with current master due to the
missing dependency.
|
|\|
| |
| |
| |
| |
| | |
* 3-2-22-3:
bumping version
ensure tag/content_tag escapes " in attribute vals
|
| | |
|
| |
| |
| |
| |
| |
| | |
Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
CVE-2016-6316
|
| |
| |
| |
| | |
[skip ci]
|
| | |
|
| | |
|
|/ |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`render(params)` is dangerous and could be a vector for attackers.
Don't allow calls to render passing params on views or controllers.
On a controller or view, we should not allow something like `render
params[:id]` or `render params`.
That could be problematic, because an attacker could pass input that
could lead to a remote code execution attack.
This patch is also compatible when using strong parameters.
CVE-2016-2098
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Render could leak access to external files before this patch.
A previous patch(CVE-2016-0752), attempted to fix this. However the tests
were miss-placed outside the TestCase subclass, so they were not running.
We should allow :file to be outside rails root, but anything else must
be inside the rails view directory.
The implementation has changed a bit though. Now the patch is more
similar with the 4.x series patches.
Now `render 'foo/bar'`, will add a special key in the options
hash, and not use the :file one, so when we look up that file, we
don't set the fallbacks, and only lookup a template, to constraint the
folders that can be accessed.
CVE-2016-2097
|
|
|
|
|
|
|
|
|
|
|
| |
This works on OSX but for some reason travis is throwing a
```
1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.
|
|
|
|
| |
Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
|
|
|
|
|
|
| |
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
|
| |
|
|
|
|
| |
closes GH-23248
|
| |
|
|
|
|
|
|
|
|
|
|
| |
rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
|
|
|
|
|
|
|
| |
Unknown mime types should not be cached globally. This global cache
leads to a memory leak and a denial of service vulnerability.
CVE-2016-0751
|
|
|
|
|
|
|
|
|
|
|
|
| |
this will avoid timing attacks against applications that use basic auth.
Conflicts:
activesupport/lib/active_support/security_utils.rb
Conflicts:
actionpack/lib/action_controller/metal/http_authentication.rb
CVE-2015-7576
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
make sure that unreadable files are also not leaked
CVE-2014-7829
|
|\
| |
| |
| |
| |
| | |
* 3.2.20:
bumping version to 3.2.20
FileHandler should not be called for files outside the root
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
FileHandler#matches? should return false for files that are outside the
"root" path.
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
actionpack/test/dispatch/static_test.rb
|
|/
|
|
|
|
| |
Fixed broken test.
Thanks Stephen Richards for reporting.
|
| |
|
|
|
|
|
|
|
| |
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0. Checking for a
case-insensitive FS seems too hard, so just check Ruby version Checking
for a case-insensitive FS seems too hard, so just check Ruby version.
|
| |
|
|
|
|
|
|
| |
this is due to:
https://bugs.ruby-lang.org/issues/5994
|
|\
| |
| |
| |
| | |
Conflicts:
actionpack/CHANGELOG.md
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
|
|\|
| |
| |
| |
| | |
Conflicts:
actionpack/CHANGELOG.md
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
|
| |
| |
| |
| |
| |
| |
| | |
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
|
| |
| |
| | |
[ci skip]
|