Commit Graph

28542 Commits

Author SHA1 Message Date
Charlie Somerville
4040266a60 update Gemfile.lock and vendor/cache 2014-09-15 14:09:33 +10:00
Charlie Somerville
7684d715ef Merge remote-tracking branch 'upstream/3-2-stable' into 3-2-github 2014-09-15 14:04:33 +10:00
Charlie Somerville
9cbc2c3550 ci on ruby 2.1.2 2014-09-15 14:02:45 +10:00
Charlie Somerville
aa7515977f bundle --local 2014-09-15 14:01:51 +10:00
Santiago Pastorino
11fd052aa8 Regenerate sid when somebody tries to fixate the session
Fixed broken test.

Thanks Stephen Richards for reporting.
2014-08-04 11:36:43 -03:00
Rafael Mendonça França
c43f20a404 Merge branch '3-2-sec' into 3-2-stable 2014-07-02 14:18:47 -03:00
Rafael Mendonça França
53c845cb18 Preparing for 3.2.19 release 2014-07-02 12:55:09 -03:00
Rafael Mendonça França
1f2192e46d Check against bit string values using multiline regexp
Fix CVE-2014-3482.
2014-07-02 12:49:01 -03:00
Rafael Mendonça França
3622858ed5 Use a version of execjs compatible with Ruby 1.8 2014-06-26 22:10:32 -03:00
Rafael Mendonça França
297bff7f8f Make sure Active Support configurations are applied correctly
Before this patch configuration set using config.active_support
would not be set.

Closes #15364
2014-06-26 18:40:23 -03:00
Guillermo Iguaran
bc90ea63e9 Revert "Merge pull request #15794 from vishalzambre/patch-1"
This reverts commit 6d800a909e, reversing
changes made to 6a051299f9.

We don't apply non-security fixes to 3-2-stable branch!!!
2014-06-18 00:37:46 -05:00
Guillermo Iguaran
6d800a909e Merge pull request #15794 from vishalzambre/patch-1
File.exists? is a deprecated name, use File.exist?
2014-06-18 00:33:00 -05:00
Vishal Zambre
fca3cc23fa File.exists? is a deprecated name, use File.exist?
File.exists? is a deprecated name, use File.exist?
2014-06-18 10:51:27 +05:30
Aaron Patterson
6a051299f9 Feature detect based on Ruby version.
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0.  Checking for a
case-insensitive FS seems too hard, so just check Ruby version.
2014-05-18 12:00:57 -07:00
Aaron Patterson
c40df47055 feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053 2014-05-10 11:53:02 -07:00
Aaron Patterson
03e016f22a use fnmatch to test for case insensitive file systems
this is due to:

  https://bugs.ruby-lang.org/issues/5994
2014-05-09 14:46:46 -07:00
Rafael Mendonça França
bbec7d72be Merge branch '3-2-sec' into 3-2-stable
Conflicts:
	actionpack/CHANGELOG.md
2014-05-06 13:31:07 -03:00
Rafael Mendonça França
50d6b4549d Fix broken tests of the previous release 2014-05-06 13:03:21 -03:00
Rafael Mendonça França
4e8f1d2588 Preparing for 3.2.18 release 2014-05-06 11:33:10 -03:00
Rafael Mendonça França
0f3b7d1a31 Only accept actions without File::SEPARATOR in the name.
This will avoid directory traversal in implicit render.

Fixes: CVE-2014-0130
2014-05-05 11:37:34 -03:00
Charlie Somerville
4bbf1da870 Merge pull request #57 from github/3-2-github+builder-3.2
Bump to builder 3.2
2014-04-10 23:04:35 +10:00
Charlie Somerville
a54e2e4a72 bump to builder 3.2 2014-04-10 22:53:51 +10:00
Charlie Somerville
c5cb8cd58f commit unrelated Gemfile changes 2014-04-10 22:53:51 +10:00
Charlie Somerville
1f230b83a5 Merge pull request #56 from github/3-2-github+ci
Get 3-2-github CI'd
2014-04-10 21:51:16 +10:00
Charlie Somerville
bb861052e8 only run tests with sqlite 2014-04-10 21:35:48 +10:00
Charlie Somerville
32f98697a7 go away generator tests 2014-04-10 21:22:06 +10:00
Charlie Somerville
a09c04585e rm this test because it fails and we don't particularly care about plugins 2014-04-10 20:35:10 +10:00
Charlie Somerville
3672a16373 don't override singleton_class? if it already exists 2014-04-10 20:27:14 +10:00
Charlie Somerville
c9acba55f1 define info_signal for new minitests 2014-04-10 19:47:39 +10:00
Charlie Somerville
76cd0b9ecd check in Gemfile.lock because the lack of it is causing problems 2014-04-10 19:23:27 +10:00
Charlie Somerville
e8bfacec38 remove --local from Gemfile 2014-04-10 19:23:27 +10:00
Charlie Somerville
112c9bdecf delete unnecessary platforms 2014-04-10 19:23:11 +10:00
Charlie Somerville
f20f5f8d20 check in gems 2014-04-10 19:12:24 +10:00
Charlie Somerville
3bb90b907a add script/cibuild 2014-04-10 19:10:09 +10:00
Rafael Mendonça França
a3bda38467 Merge branch '3-2-17' into 3-2-stable
Conflicts:
	actionpack/CHANGELOG.md
2014-02-18 15:57:32 -03:00
Rafael Mendonça França
666e9f65bd Preparing for 3.2.17 release 2014-02-18 15:16:57 -03:00
Rafael Mendonça França
388d2f8888 Use the reference for the mime type to get the format
Before we were calling to_sym on the mime type, even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
2014-02-18 15:02:54 -03:00
Rafael Mendonça França
eaa2101b29 Escape format, negative_format and units options of number helpers
Previously the values of these options were trusted, leading to
potential XSS vulnerabilities.

Fixes: CVE-2014-0081
2014-02-18 15:02:29 -03:00
Damien Mathieu
5a84d3eb81 Merge pull request #13613 from simi/patch-1
Fix force_ssl.rb documentation. Close tt tag.
2014-01-06 06:29:25 -08:00
Josef Šimánek
c13eb1c727 Fix force_ssl.rb documentation. Close tt tag.
[ci skip]
2014-01-06 15:28:35 +01:00
Rafael Mendonça França
3a429e6b5d Merge pull request #13315 from tyre/patch-1
Update Session Store Documentation
2013-12-13 18:02:20 -08:00
Chris Maddox
1805682efa Update Session Store Documentation
session_id doesn't need to be a text column, just string (VARCHAR)
2013-12-13 17:02:16 -08:00
Carlos Antonio da Silva
31a485fa5a Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.

Conflicts:
	actionpack/CHANGELOG.md
2013-12-04 22:34:15 -02:00
Rafael Mendonça França
c82025fcd6 Fix documentation of number_to_currency helper
Now users have to explicitly mark the unit as safe if they trust it.

Closes #13161
2013-12-04 10:22:46 -02:00
Rafael Mendonça França
9c60e3df9f Merge pull request #13162 from makandra/3-2-stable
Repair a test broken by the number_to_currency XSS fix
2013-12-04 04:14:55 -08:00
Tobias Kraze
9e625d6465 repair a test broken by the number_to_currency XSS fix 2013-12-04 12:16:05 +01:00
Aaron Patterson
64226302d8 updating the changelog 2013-12-02 16:17:19 -08:00
Michael Koziarski
d5a4095ca5 Deep Munge the parameters for GET and POST
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.

Fixes CVE-2013-6417

Conflicts:
	actionpack/lib/action_dispatch/http/request.rb
2013-12-02 14:14:35 -08:00
Michael Koziarski
78790e4bce Stop using i18n's built in HTML error handling.
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans.  Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.

Fixes: CVE-2013-4491

Conflicts:
	actionpack/lib/action_view/helpers/translation_helper.rb

Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
2013-12-02 14:02:15 -08:00
Michael Koziarski
5ed70c591f Escape the unit value provided to number_to_currency
Fixes CVE-2013-6415

Previously the values were trusted blindly allowing for potential XSS attacks.
2013-12-02 13:49:41 -08:00