aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
Commit message (Collapse)AuthorAgeFilesLines
...
* Merge branch '3-2-sec' into 3-2-stableRafael Mendonça França2014-05-064-5/+54
|\ | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * Fix broken tests of the previous releaseRafael Mendonça França2014-05-061-5/+5
| |
| * Preparing for 3.2.18 releaseRafael Mendonça França2014-05-062-1/+15
| |
| * Only accept actions without File::SEPARATOR in the name.Rafael Mendonça França2014-05-052-4/+41
| | | | | | | | | | | | This will avoid directory traversal in implicit render. Fixes: CVE-2014-0130
* | Merge branch '3-2-17' into 3-2-stableRafael Mendonça França2014-02-186-4/+95
|\| | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * Preparing for 3.2.17 releaseRafael Mendonça França2014-02-182-1/+11
| |
| * Use the reference for the mime type to get the formatRafael Mendonça França2014-02-182-1/+18
| | | | | | | | | | | | | | | | Before we were calling to_sym in the mime type, even when it is unknown what can cause denial of service since symbols are not removed by the garbage collector. Fixes: CVE-2014-0082
| * Escape format, negative_format and units options of number helpersRafael Mendonça França2014-02-182-1/+64
| | | | | | | | | | | | | | Previously the values of these options were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2014-0081
* | Fix force_ssl.rb documentation. Close tt tag.Josef Šimánek2014-01-061-1/+1
| | | | | | [ci skip]
* | Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_optionCarlos Antonio da Silva2013-12-043-1/+24
| | | | | | | | | | | | | | Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix. Conflicts: actionpack/CHANGELOG.md
* | Fix documentation of number_to_currency helperRafael Mendonça França2013-12-042-5/+5
| | | | | | | | | | | | Now users have to explicit mark the unit as safe if they trust it. Closes #13161
* | repair a test broken by the number_to_currency XSS fixTobias Kraze2013-12-041-4/+4
|/
* updating the changelogAaron Patterson2013-12-022-1/+9
|
* Deep Munge the parameters for GET and POSTMichael Koziarski2013-12-022-2/+17
| | | | | | | | | | | The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed. Fixes CVE-2013-6417 Conflicts: actionpack/lib/action_dispatch/http/request.rb
* Stop using i18n's built in HTML error handling.Michael Koziarski2013-12-022-14/+9
| | | | | | | | | | | | | | i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves. Fixes: CVE-2013-4491 Conflicts: actionpack/lib/action_view/helpers/translation_helper.rb Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
* Escape the unit value provided to number_to_currencyMichael Koziarski2013-12-022-4/+5
| | | | | | Fixes CVE-2013-6415 Previously the values were trusted blindly allowing for potential XSS attacks.
* Only use valid mime type symbols as cache keysAaron Patterson2013-11-301-0/+7
| | | | CVE-2013-6414
* updating changelogsAaron Patterson2013-10-161-1/+1
|
* bumping to 3.2.15Aaron Patterson2013-10-151-1/+1
|
* Merge branch '3-2-15' into 3-2-secAaron Patterson2013-10-151-2/+2
|\ | | | | | | | | | | | | | | | | | | | | * 3-2-15: bumping to rc3 Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build" Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target" bumping to rc2 Merge pull request #12443 from arthurnn/add_inverse_of_add_target bumping version to 3.2.15.rc1 Fix STI scopes using benolee's suggestion. Fixes #11939
| * bumping to rc3Aaron Patterson2013-10-111-1/+1
| |
| * bumping to rc2Aaron Patterson2013-10-041-1/+1
| |
| * bumping version to 3.2.15.rc1Aaron Patterson2013-10-031-2/+2
| |
* | Merge branch '3-2-stable' into 3-2-secAaron Patterson2013-10-032-1/+9
|\| | | | | | | | | | | * 3-2-stable: make sure both headers are set before checking for ip spoofing Move set_inverse_instance to association.build_record
| * make sure both headers are set before checking for ip spoofingTamir Duberstein2013-10-012-1/+9
| |
* | Remove the use of String#% when formatting durations in log messagesMichael Koziarski2013-09-301-6/+5
|/ | | | | This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
* Fix FinderMethods#last unscoped primary keyEugene Kalenkovich2013-09-121-1/+0
| | | | | | | | Fixes table.joins(:relation).last(N) breaking on sqlite Conflicts: activerecord/CHANGELOG.md activerecord/test/cases/finder_test.rb
* pass the extra params to the rack test environment so that routes with block ↵Brian Hahn2013-09-064-4/+25
| | | | constraints have access
* fix issue #11605Kassio Borges2013-08-2412-31/+16
|
* Fix actionpack CHANGELOG entryRafael Mendonça França2013-07-221-1/+4
| | | | It was included by git on the wrong release
* Merge branch '3-2-14' into 3-2-stableRafael Mendonça França2013-07-222-2/+2
|\
| * Preparing for 3.2.14 releaseRafael Mendonça França2013-07-221-1/+1
| |
| * Update CHANGELOG entryRafael Mendonça França2013-07-221-6/+1
| |
| * Preparing for 3.2.14.rc2 releaseRafael Mendonça França2013-07-162-2/+7
| |
| * Preparing for 3.2.14.rc1 releaseRafael Mendonça França2013-07-122-3/+3
| |
* | Fix `assert_redirected_to` does not show user-supplied message.Alexey Chernenkov2013-07-183-2/+11
| | | | | | | | | | | | Issue: when `assert_redirected_to` fails due to the response redirect not matching the expected redirect the user-supplied message (second parameter) is not shown. This message is only shown if the response is not a redirect.
* | Removed unused test fileArun Agrawal2013-07-171-32/+0
|/ | | | This test file is not be running from a long time This test is already covered in controller/caching_test.rb
* Add license to the gemspecRafael Mendonça França2013-07-081-0/+3
|
* Add missing requireSantiago Pastorino2013-07-021-0/+1
|
* Use old style hash syntax for 3-2-stableAndrew White2013-06-251-2/+2
|
* Fix shorthand routes where controller and action are in the scopeAndrew White2013-06-253-0/+30
| | | | | | | | | | | Merge `:action` from routing scope and assign endpoint if both `:controller` and `:action` are present. The endpoint assignment only occurs if there is no `:to` present in the options hash so should only affect routes using the shorthand syntax (i.e. endpoint is inferred from the the path). Fixes #9856 Backport of 37b4276
* Add CHANGELOG entry for #10971Rafael Mendonça França2013-06-241-0/+14
| | | | [ci skip]
* Merge pull request #10971 from dtaniwaki/escape_link_to_unlessRafael Mendonça França2013-06-242-1/+6
| | | | Always escape the result of link_to_unless method
* Compare host scheme using case-insensitive regexpRafael Mendonça França2013-06-163-11/+52
| | | | | | | | | | | | | | | | | | Before: image_tag("HTTP://google.com") # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />" image_tag("http://google.com") # => "<img alt=\"Google\" src=\"http://google.com\" />" After: image_tag("HTTP://google.com") # => "<img alt=\"Google\" src=\"HTTP://google.com\" />" image_tag("http://google.com") # => "<img alt=\"Google\" src=\"http://google.com\" />" Backport of #10969
* So not make Fixnum#/ private on Ruby verions less than 1.9.3Rafael Mendonça França2013-05-101-4/+3
| | | | In those version to_date call Fixnum#/, what will cause a failure
* Merge pull request #10478 from cainlevy/patch-1Rafael Mendonça França2013-05-061-1/+1
| | | | | | use canonical #controller_path logic in controller test cases Conflicts: actionpack/lib/action_controller/test_case.rb
* Merging in fix from #8222Ben Tucker2013-05-062-1/+6
|
* just clear the caches on clear! rather than replacing. fixes #10251Aaron Patterson2013-04-171-8/+4
|
* Improve the changelog entry [ci skip]Rafael Mendonça França2013-04-051-3/+4
|
* Fix explicit names on multiple file fieldsRyan McGeary2013-04-053-8/+24
| | | | | | | | If a file field tag is passed the multiple option, it is turned into an array field (appending "[]"), but if the file field is passed an explicit name as an option, leave the name alone (do not append "[]"). Fixes #9830
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-16 01:36:34 +0000