From 8f8ccb9901cab457c6e1d52bdb25acf658fd5777 Mon Sep 17 00:00:00 2001 From: Chris Sinjakli Date: Sun, 14 Sep 2014 12:22:29 +0200 Subject: Don't convert empty arrays to nils when deep munging params --- actionpack/CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 3b02994459..115ad54190 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,14 @@ +* Stop converting empty arrays in `params` to `nil` + + This behaviour was introduced in response to CVE-2012-2660, CVE-2012-2694 + and CVE-2013-0155 + + ActiveRecord now issues a safe query when passing an empty array into + a where clause, so there is no longer a need to defend against this type + of input (any nils are still stripped from the array). + + *Chris Sinjakli* + * Fixed usage of optional scopes in URL helpers. *Alex Robbin* -- cgit v1.2.3
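Review bot: The parenthetical "(any nils are still stripped from the array)" in the new CHANGELOG entry leaves one case undefined: an array that contains only nils is empty after stripping, and the entry does not say whether `params` then carries `[]` or still `nil`. Because the old conversion existed as a defence for the three cited CVEs, the entry should state the resulting value for that input explicitly. The entry also justifies the change only by ActiveRecord's handling of an empty array in a where clause; adding a sentence that application code which relied on empty arrays arriving as `nil` will now receive an empty array would help upgraders. Minor: the sentence ending "and CVE-2013-0155" is missing its full stop. This view is limited to `actionpack/CHANGELOG.md`, so the deep munging change itself and any tests for it cannot be checked from these lines.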