Greg Ose
e1c7a232ca
update FlashHash for 3.2
2014-09-24 12:39:03 -05:00
Charlie Somerville
283923f530
we don't care about deserializing old marshal sessions anymore
2014-09-23 16:41:38 +10:00
Greg Ose
18d37237c4
attribute flash hash test source
2014-09-23 16:22:28 +10:00
Greg Ose
d12475ba60
support old marshalled cookies
2014-09-23 16:22:15 +10:00
Greg Ose
67b3fd5cb8
Custom cookie serializer test
Adapted from
b23ffd0dac/actionpack/test/dispatch/cookies_test.rb (L382-L413)
2014-09-23 16:21:49 +10:00
Greg Ose
0342deaa22
update flash hash test for 3.0 backport
2014-09-23 16:21:44 +10:00
Greg Ose
91bbe59e17
add flash hash tests
2014-09-23 16:21:37 +10:00
Greg Ose
f0895f838f
📗 ? Update tests and FlashHash cleanup
* Make FlashHash more like 4.1 (654a2de7a9)
* Move tests to stringified keys (b97e087321)
* Fix tests to properly load / store to session
2014-09-23 16:19:09 +10:00
Charlie Somerville
88827a2cab
rip out a bunch of sprockets stuff
2014-09-15 14:35:28 +10:00
Charlie Somerville
94331729a1
rename SprocketsApp here to RackApp to not confuse me when grepping
2014-09-15 14:35:17 +10:00
Santiago Pastorino
11fd052aa8
Regenerate sid when somebody tries to fixate the session
Fixed broken test.
Thanks Stephen Richards for reporting.
2014-08-04 11:36:43 -03:00
Rafael Mendonça França
bbec7d72be
Merge branch '3-2-sec' into 3-2-stable
Conflicts:
actionpack/CHANGELOG.md
2014-05-06 13:31:07 -03:00
Rafael Mendonça França
50d6b4549d
Fix broken tests of the previous release
2014-05-06 13:03:21 -03:00
Rafael Mendonça França
0f3b7d1a31
Only accept actions without File::SEPARATOR in the name.
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
2014-05-05 11:37:34 -03:00
Rafael Mendonça França
a3bda38467
Merge branch '3-2-17' into 3-2-stable
Conflicts:
actionpack/CHANGELOG.md
2014-02-18 15:57:32 -03:00
Rafael Mendonça França
388d2f8888
Use the reference for the mime type to get the format
Before, we were calling to_sym on the mime type even when it is unknown,
which can cause a denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
2014-02-18 15:02:54 -03:00
Rafael Mendonça França
eaa2101b29
Escape format, negative_format and units options of number helpers
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
2014-02-18 15:02:29 -03:00
Carlos Antonio da Silva
31a485fa5a
Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
Conflicts:
actionpack/CHANGELOG.md
2013-12-04 22:34:15 -02:00
Rafael Mendonça França
c82025fcd6
Fix documentation of number_to_currency helper
Now users have to explicitly mark the unit as safe if they trust it.
Closes #13161
2013-12-04 10:22:46 -02:00
Tobias Kraze
9e625d6465
repair a test broken by the number_to_currency XSS fix
2013-12-04 12:16:05 +01:00
Michael Koziarski
d5a4095ca5
Deep Munge the parameters for GET and POST
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
Conflicts:
actionpack/lib/action_dispatch/http/request.rb
2013-12-02 14:14:35 -08:00
Michael Koziarski
78790e4bce
Stop using i18n's built in HTML error handling.
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
Conflicts:
actionpack/lib/action_view/helpers/translation_helper.rb
Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
2013-12-02 14:02:15 -08:00
Michael Koziarski
5ed70c591f
Escape the unit value provided to number_to_currency
Fixes CVE-2013-6415
Previously the values were trusted blindly allowing for potential XSS attacks.
2013-12-02 13:49:41 -08:00
Brian Hahn
03ac291526
pass the extra params to the rack test environment so that routes with block constraints have access
2013-09-06 11:08:41 -07:00
Kassio Borges
424a5a7d46
fix issue #11605
2013-08-24 15:24:36 -03:00
Alexey Chernenkov
0f5ba6e124
Fix assert_redirected_to does not show user-supplied message.
Issue: when `assert_redirected_to` fails due to the response redirect not
matching the expected redirect the user-supplied message (second parameter)
is not shown. This message is only shown if the response is not a redirect.
2013-07-18 10:54:36 +06:00
Arun Agrawal
fc0faaa590
Removed unused test file
This test file has not been running for a long time.
This test is already covered in controller/caching_test.rb
2013-07-17 11:47:24 +02:00
Andrew White
b0c65978ab
Use old style hash syntax for 3-2-stable
2013-06-25 12:24:06 +01:00
Andrew White
622e4ab424
Fix shorthand routes where controller and action are in the scope
Merge `:action` from routing scope and assign endpoint if both `:controller`
and `:action` are present. The endpoint assignment only occurs if there is
no `:to` present in the options hash so should only affect routes using the
shorthand syntax (i.e. endpoint is inferred from the path).
Fixes #9856
Backport of 37b4276
2013-06-25 11:00:19 +01:00
Rafael Mendonça França
2553bd785c
Merge pull request #10971 from dtaniwaki/escape_link_to_unless
Always escape the result of link_to_unless method
2013-06-24 16:15:56 -03:00
Rafael Mendonça França
9f754e801f
Compare host scheme using case-insensitive regexp
Before:
    image_tag("HTTP://google.com")
    # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
    image_tag("http://google.com")
    # => "<img alt=\"Google\" src=\"http://google.com\" />"
After:
    image_tag("HTTP://google.com")
    # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
    image_tag("http://google.com")
    # => "<img alt=\"Google\" src=\"http://google.com\" />"
Backport of #10969
2013-06-16 22:05:26 -03:00
Rafael Mendonça França
0be27b709b
Do not make Fixnum#/ private on Ruby versions less than 1.9.3
In those versions to_date calls Fixnum#/, which will cause a failure
2013-05-10 14:10:10 -03:00
Ben Tucker
5a6d9d5491
Merging in fix from #8222
2013-05-06 09:36:40 -04:00
Ryan McGeary
44a9aedd7b
Fix explicit names on multiple file fields
If a file field tag is passed the multiple option, it is turned into an
array field (appending "[]"), but if the file field is passed an
explicit name as an option, leave the name alone (do not append "[]").
Fixes #9830
2013-04-05 15:35:20 -04:00
Carlos Antonio da Silva
fe58853765
Fix typo in view name
Introduced in 2c22376fe0
2013-04-03 20:59:44 -03:00
Carlos Antonio da Silva
e252e0ffe1
Use 1.8 hash style in test views
Introduced in 2c22376fe0
2013-04-03 20:59:40 -03:00
Dmitry Vorotilin
2c22376fe0
Common behavior with adding formats to lookup_context for TemplateRenderer and PartialRenderer
2013-04-02 10:36:23 -07:00
Mack Earnhardt
74e59ea8b6
Backport #5808
df36c5f - Fix assert_template assertion with :layout option
4bd05a7 - Fix assert_template :layout => nil assertion
0d19a08 - Improve assert_template layout checking
2013-03-24 08:16:26 -04:00
Rafael Mendonça França
69599b63de
Fix test to Ruby 1.8
Pathname doesn't respond to to_path
2013-03-21 09:33:22 -03:00
Aaron Patterson
d1577cfe3d
Merge branch '3-2-stable' into fredwu-slow_view_loading_fix
* 3-2-stable:
Merge pull request #9802 from newsline/fix-broken-action-missing
Remove bad changelog entry from AR [ci skip]
Wrong exception is occurred when raising no translatable exception
Don't crash exception translation w/ nil result attribute.
Conflicts:
actionpack/CHANGELOG.md
2013-03-20 16:41:01 -07:00
Rafael Mendonça França
2c8f349953
Merge pull request #9802 from newsline/fix-broken-action-missing
Fix missing action_missing
Conflicts:
actionpack/CHANGELOG.md
Conflicts:
actionpack/test/controller/base_test.rb
Fixes #9799
2013-03-20 18:22:31 -03:00
Fred Wu
687e68d88f
Fixed assets loading performance in 3.2.13
The PR #8756 uses Sprockets for resolving files that already exist on disk; for those files their extensions don't need to be rewritten.
Fixes #9803
2013-03-20 16:13:30 +11:00
hoffm
1b12d08a0f
Backport #9347 to rails 3.2
2013-03-19 09:30:50 -05:00
Aaron Patterson
afcd01bf25
Merge branch '3-2-13' into 3-2-stable
* 3-2-13:
bumping to 3.2.13
fix protocol checking in sanitization [CVE-2013-1857]
JDOM XXE Protection [CVE-2013-1856]
fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
stop calling to_sym when building arel nodes [CVE-2013-1854]
Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
bumping to rc2
Revert "Merge pull request #8209 from senny/backport_8176"
Freeze columns only once per Result
Preparing for 3.2.13.rc1 release
Update CHANGELOGs for 3.2.13 release.
Conflicts:
actionmailer/CHANGELOG.md
actionpack/CHANGELOG.md
activemodel/CHANGELOG.md
activeresource/CHANGELOG.md
activesupport/CHANGELOG.md
railties/CHANGELOG.md
2013-03-18 10:17:04 -07:00
Aaron Patterson
99123ad12f
fix protocol checking in sanitization [CVE-2013-1857]
Conflicts:
actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
2013-03-15 17:48:42 -07:00
Charlie Somerville
ff3b9ca130
fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
2013-03-15 17:48:12 -07:00
Juan Barreneche
ce755697fc
Extract hardcoded lists to Redo::RestaurantsList
2013-03-14 18:02:20 -03:00
Carlos Antonio da Silva
488699166c
Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
Fix incorrectly appended square brackets to a multiple select box
Before:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][][]" ...>
After:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][]" ...>
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_view/helpers/tags/base.rb
actionpack/test/template/form_options_helper_test.rb
2013-03-12 19:58:22 -03:00
Carlos Antonio da Silva
a0c3c1e1f7
Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
Fix incorrectly appended square brackets to a multiple select box
Before:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][][]" ...>
After:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][]" ...>
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_view/helpers/tags/base.rb
actionpack/test/template/form_options_helper_test.rb
2013-03-09 12:05:30 -03:00
maximerety
d0f22a99f9
Backport fixes about #7774 to 3-2-stable
Fix ActionDispatch::Request#formats when HTTP_ACCEPT header is an empty
string.
2013-03-05 12:53:10 +01:00