| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Unknown mime types should not be cached globally. This global cache
leads to a memory leak and a denial of service vulnerability.
CVE-2016-0751
|
|
|
|
|
|
|
|
|
|
|
|
| |
this will avoid timing attacks against applications that use basic auth.
Conflicts:
activesupport/lib/active_support/security_utils.rb
Conflicts:
actionpack/lib/action_controller/metal/http_authentication.rb
CVE-2015-7576
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
make sure that unreadable files are also not leaked
CVE-2014-7829
|
|\
| |
| |
| |
| |
| | |
* 3.2.20:
bumping version to 3.2.20
FileHandler should not be called for files outside the root
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
FileHandler#matches? should return false for files that are outside the
"root" path.
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
Conflicts:
actionpack/lib/action_dispatch/middleware/static.rb
actionpack/test/dispatch/static_test.rb
|
|/
|
|
|
|
| |
Fixed broken test.
Thanks Stephen Richards for reporting.
|
| |
|
|
|
|
|
|
|
| |
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0. Checking for a
case-insensitive FS seems too hard, so just check Ruby version Checking
for a case-insensitive FS seems too hard, so just check Ruby version.
|
| |
|
|
|
|
|
|
| |
this is due to:
https://bugs.ruby-lang.org/issues/5994
|
|\
| |
| |
| |
| | |
Conflicts:
actionpack/CHANGELOG.md
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
|
|\|
| |
| |
| |
| | |
Conflicts:
actionpack/CHANGELOG.md
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
|
| |
| |
| |
| |
| |
| |
| | |
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
|
| |
| |
| | |
[ci skip]
|
| |
| |
| |
| |
| |
| |
| | |
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
Conflicts:
actionpack/CHANGELOG.md
|
| |
| |
| |
| |
| |
| | |
Now users have to explicit mark the unit as safe if they trust it.
Closes #13161
|
|/ |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
Conflicts:
actionpack/lib/action_dispatch/http/request.rb
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
Conflicts:
actionpack/lib/action_view/helpers/translation_helper.rb
Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
|
|
|
|
|
|
| |
Fixes CVE-2013-6415
Previously the values were trusted blindly allowing for potential XSS attacks.
|
|
|
|
| |
CVE-2013-6414
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* 3-2-15:
bumping to rc3
Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
bumping to rc2
Merge pull request #12443 from arthurnn/add_inverse_of_add_target
bumping version to 3.2.15.rc1
Fix STI scopes using benolee's suggestion. Fixes #11939
|
| | |
|
| | |
|
| | |
|
|\|
| |
| |
| |
| |
| | |
* 3-2-stable:
make sure both headers are set before checking for ip spoofing
Move set_inverse_instance to association.build_record
|
| | |
|
|/
|
|
|
| |
This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.
|
|
|
|
|
|
|
|
| |
Fixes table.joins(:relation).last(N) breaking on sqlite
Conflicts:
activerecord/CHANGELOG.md
activerecord/test/cases/finder_test.rb
|
|
|
|
| |
constraints have access
|
| |
|
|
|
|
| |
It was included by git on the wrong release
|