From 46e0d2397ea10a0bf380926c9fe3cfcf14d5c499 Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Sat, 5 Jan 2013 17:46:26 -0700 Subject: CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. --- activesupport/CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'activesupport/CHANGELOG.md') diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 08bec2f4ae..5848f9712f 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,5 +1,12 @@ ## Rails 4.0.0 (unreleased) ## +* Hash.from_xml raises when it encounters type="symbol" or type="yaml". + Use Hash.from_trusted_xml to parse this XML. + + CVE-2013-0156 + + *Jeremy Kemper* + * Deprecate `assert_present` and `assert_blank` in favor of `assert object.blank?` and `assert object.present?` -- cgit v1.2.3
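Review bot: the new CHANGELOG entry says `Hash.from_xml` "raises" on `type="symbol"` or `type="yaml"` but does not name the exception class, so callers who want to rescue the new failure (or distinguish it from a malformed-XML error) cannot tell from the changelog what to rescue; state the class raised. The same entry recommends `Hash.from_trusted_xml` for "this XML" without saying what that method gives up: since it accepts the symbol and YAML types that `from_xml` now rejects, the entry should say plainly that it restores the unsafe deserialization and must only be used on XML from a trusted source, never on request bodies. A wording such as "Use Hash.from_trusted_xml only for XML you control; it permits the symbol and yaml types that from_xml rejects" would make the security point explicit.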