Commit Graph

28466 Commits

Author SHA1 Message Date
Charlie Somerville
a09c04585e rm this test because it fails and we don't particularly care about plugins 2014-04-10 20:35:10 +10:00
Charlie Somerville
3672a16373 don't override singleton_class? if it already exists 2014-04-10 20:27:14 +10:00
Charlie Somerville
c9acba55f1 define info_signal for new minitests 2014-04-10 19:47:39 +10:00
Charlie Somerville
76cd0b9ecd check in Gemfile.lock because the lack of it is causing problems 2014-04-10 19:23:27 +10:00
Charlie Somerville
e8bfacec38 remove --local from Gemfile 2014-04-10 19:23:27 +10:00
Charlie Somerville
112c9bdecf delete unnecessary platforms 2014-04-10 19:23:11 +10:00
Charlie Somerville
f20f5f8d20 check in gems 2014-04-10 19:12:24 +10:00
Charlie Somerville
3bb90b907a add script/cibuild 2014-04-10 19:10:09 +10:00
Rafael Mendonça França
a3bda38467 Merge branch '3-2-17' into 3-2-stable
Conflicts:
	actionpack/CHANGELOG.md
2014-02-18 15:57:32 -03:00
Rafael Mendonça França
666e9f65bd Preparing for 3.2.17 release 2014-02-18 15:16:57 -03:00
Rafael Mendonça França
388d2f8888 Use the reference for the mime type to get the format
Before, we were calling to_sym on the mime type even when it was unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
2014-02-18 15:02:54 -03:00
Rafael Mendonça França
eaa2101b29 Escape format, negative_format and units options of number helpers
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.

Fixes: CVE-2014-0081
2014-02-18 15:02:29 -03:00
Damien Mathieu
5a84d3eb81 Merge pull request #13613 from simi/patch-1
Fix force_ssl.rb documentation. Close tt tag.
2014-01-06 06:29:25 -08:00
Josef Šimánek
c13eb1c727 Fix force_ssl.rb documentation. Close tt tag.
[ci skip]
2014-01-06 15:28:35 +01:00
Rafael Mendonça França
3a429e6b5d Merge pull request #13315 from tyre/patch-1
Update Session Store Documentation
2013-12-13 18:02:20 -08:00
Chris Maddox
1805682efa Update Session Store Documentation
session_id doesn't need to be a text column, just string (VARCHAR)
2013-12-13 17:02:16 -08:00
Carlos Antonio da Silva
31a485fa5a Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.

Conflicts:
	actionpack/CHANGELOG.md
2013-12-04 22:34:15 -02:00
Rafael Mendonça França
c82025fcd6 Fix documentation of number_to_currency helper
Now users have to explicitly mark the unit as safe if they trust it.

Closes #13161
2013-12-04 10:22:46 -02:00
Rafael Mendonça França
9c60e3df9f Merge pull request #13162 from makandra/3-2-stable
Repair a test broken by the number_to_currency XSS fix
2013-12-04 04:14:55 -08:00
Tobias Kraze
9e625d6465 repair a test broken by the number_to_currency XSS fix 2013-12-04 12:16:05 +01:00
Aaron Patterson
64226302d8 updating the changelog 2013-12-02 16:17:19 -08:00
Michael Koziarski
d5a4095ca5 Deep Munge the parameters for GET and POST
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.

Fixes CVE-2013-6417

Conflicts:
	actionpack/lib/action_dispatch/http/request.rb
2013-12-02 14:14:35 -08:00
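The parameter normalisation this commit is about, reconstructed as an added example. It is not the Rails implementation and does not show where Rails hooks it into request handling (the part the message says could be bypassed via a raw Rack::Request); it shows what "deep munge" does and why it matters. The USERS table, the reset-token lookup and the JSON bodies are constructed for illustration, and the `IS NULL` behaviour mimics ActiveRecord hash conditions:

```ruby
require "json"

# Constructed in-memory "users" table standing in for a database; note the
# account whose reset_token column is NULL.
USERS = [
  { id: 1, name: "alice", reset_token: "f3a9c2" },
  { id: 2, name: "admin", reset_token: nil },
].freeze

# Mimics ActiveRecord hash-condition semantics for one column: nil, and a
# non-empty array containing only nils, both compile to "reset_token IS NULL".
def where_reset_token(value)
  if value.nil? || (value.is_a?(Array) && !value.empty? && value.all?(&:nil?))
    USERS.select { |u| u[:reset_token].nil? }
  elsif value.is_a?(Array)
    USERS.select { |u| value.include?(u[:reset_token]) }
  else
    USERS.select { |u| u[:reset_token] == value }
  end
end

# Typical application code: a missing token is refused with a nil check.
# [nil] is truthy, so without munging it slips past and matches the NULL row.
def user_for_reset(params)
  token = params["token"]
  return nil if token.nil? || token == ""
  where_reset_token(token).first
end

# Recursively normalise parsed parameters: nils are dropped from arrays, and
# an array that held nothing but nils becomes nil so ordinary nil checks work.
# An explicit empty array ([]) is left alone (a design choice of this example).
def deep_munge(hash)
  hash.each do |key, value|
    case value
    when Array
      value.grep(Hash) { |h| deep_munge(h) }
      had_entries = !value.empty?
      value.compact!
      hash[key] = nil if had_entries && value.empty?
    when Hash
      deep_munge(value)
    end
  end
  hash
end

# Parse a JSON body the way a parameter parser would, with munging on by default.
def parse_params(json_body, munge: true)
  params = JSON.parse(json_body)
  munge ? deep_munge(params) : params
end
```

With munging off, a body of `{"token":[null]}` reaches the query as `[nil]`, compiles to `IS NULL`, and returns the admin row; with munging on, the same body becomes `nil` and is rejected by the guard.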
Michael Koziarski
78790e4bce Stop using i18n's built in HTML error handling.
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans.  Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.

Fixes: CVE-2013-4491

Conflicts:
	actionpack/lib/action_view/helpers/translation_helper.rb

Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
2013-12-02 14:02:15 -08:00
Michael Koziarski
5ed70c591f Escape the unit value provided to number_to_currency
Fixes CVE-2013-6415

Previously the values were trusted blindly allowing for potential XSS attacks.
2013-12-02 13:49:41 -08:00
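CVE-2013-6415 (this commit), CVE-2014-0081 (commit eaa2101b29 earlier on this page, which extends the same escaping to the format and negative_format options) and the number_to_currency documentation fix (c82025fcd6) all come down to one rule: caller-supplied strings are escaped unless the caller explicitly marks them as safe. The following is an added example, not Rails code; a small SafeString class stands in for ActiveSupport::SafeBuffer, the formatting helpers are simplified, and the inputs are constructed:

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: a String that declares itself
# already escaped. Only values a caller deliberately wraps this way are trusted.
class SafeString < String
  def html_safe?
    true
  end
end

def html_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Escape anything not explicitly marked safe before it reaches the page.
def escape_unless_safe(value)
  text = value.to_s
  html_safe?(value) ? text : ERB::Util.html_escape(text)
end

# 1234.5 -> "1,234.50" (pure number formatting, no HTML involved)
def format_number(number, precision: 2, delimiter: ",", separator: ".")
  whole, frac = format("%.#{precision}f", number.abs).split(".")
  whole = whole.reverse.scan(/\d{1,3}/).join(delimiter).reverse
  frac ? "#{whole}#{separator}#{frac}" : whole
end

# %u is replaced by the unit and %n by the formatted number. The unit, format
# and negative_format are caller-supplied, so each is escaped unless marked safe.
def number_to_currency(number, unit: "$", format: "%u%n", negative_format: nil, precision: 2)
  negative_format ||= html_safe?(format) ? SafeString.new("-#{format}") : "-#{format}"
  template = number.negative? ? negative_format : format
  unit_html = escape_unless_safe(unit)
  escape_unless_safe(template)
    .gsub("%n") { format_number(number, precision: precision) }
    .gsub("%u") { unit_html }
end

# The pre-fix shape, kept for comparison: unit and format are trusted as given.
def number_to_currency_unescaped(number, unit: "$", format: "%u%n")
  format.gsub("%n") { format_number(number) }.gsub("%u") { unit.to_s }
end
```

The block form of gsub is deliberate: a string replacement argument would interpret backslash sequences in an attacker-controlled unit.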
Aaron Patterson
bee3b7f937 Only use valid mime type symbols as cache keys
CVE-2013-6414
2013-11-30 17:03:18 -08:00
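CVE-2013-6414 (this commit) and CVE-2014-0082 (commit 388d2f8888 earlier on this page) share a root cause: a client-controlled format string was turned into a symbol, and in one case used as a cache key, so every distinct value an attacker sent cost the process memory it never got back. The following is an added example, not Rails code; the format registry and the request flood are constructed. Ruby 2.2 and later garbage-collect dynamically created symbols, so the symbol-table growth only applies to older interpreters, but a cache keyed on unvalidated input still grows without bound on any version:

```ruby
# Formats this hypothetical application registers (constructed set).
REGISTERED_FORMATS = %w[html json xml js csv].each_with_object({}) { |f, h| h[f] = f.to_sym }.freeze

# Pre-fix shape: whatever the client sent becomes a symbol. On Ruby < 2.2 every
# distinct value is interned for the life of the process.
def format_symbol_unsafe(extension)
  extension.to_s.downcase.to_sym
end

# Fixed shape: look the string up in the registry; unknown formats yield nil
# and never create anything.
def format_symbol(extension)
  REGISTERED_FORMATS[extension.to_s.downcase]
end

# A per-format cache that only accepts registered symbols as keys, so its size
# is bounded by the registry rather than by attacker input.
class FormatCache
  def initialize
    @store = {}
  end

  def fetch(extension)
    sym = format_symbol(extension)
    return nil if sym.nil?
    @store[sym] ||= yield(sym)
  end

  def size
    @store.size
  end
end

# Simulate a flood of requests with distinct, unregistered extensions and report
# how many distinct keys each strategy would have produced.
def simulate_flood(count)
  attacker_exts = Array.new(count) { |i| "fmt#{i}" }
  unsafe_keys = attacker_exts.map { |e| format_symbol_unsafe(e) }.uniq.size
  cache = FormatCache.new
  (attacker_exts + %w[json JSON html]).each { |e| cache.fetch(e) { |sym| "handler for #{sym}" } }
  { unsafe_distinct_symbols: unsafe_keys, safe_cache_entries: cache.size }
end
```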
Aaron Patterson
5f844d6cc6 Merge branch '3-2-sec' into 3-2-stable
* 3-2-sec:
  updating changelogs
  bumping to 3.2.15
  bumping to rc3
  Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
  Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
  bumping to rc2
  Merge pull request #12443 from arthurnn/add_inverse_of_add_target
  bumping version to 3.2.15.rc1
  Remove the use of String#% when formatting durations in log messages

Conflicts:
	activerecord/CHANGELOG.md
2013-10-16 10:20:36 -07:00
Aaron Patterson
538f8ba0c1 updating changelogs 2013-10-16 10:01:01 -07:00
Aaron Patterson
2a0c4403fd bumping to 3.2.15 2013-10-15 11:48:53 -07:00
Aaron Patterson
eb8807e84d Merge branch '3-2-15' into 3-2-sec
* 3-2-15:
  bumping to rc3
  Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
  Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
  bumping to rc2
  Merge pull request #12443 from arthurnn/add_inverse_of_add_target
  bumping version to 3.2.15.rc1
  Fix STI scopes using benolee's suggestion. Fixes #11939
2013-10-15 11:15:08 -07:00
Aaron Patterson
e3abd78ee5 bumping to rc3 2013-10-11 14:16:06 -07:00
Rafael Mendonça França
38aefa51c3 Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
This reverts commit ccd11d5891, reversing
changes made to 54c05acdba.

Reason: This caused a regression when the associated record is created
in a before_create callback. See
https://github.com/rails/rails/pull/12413#issuecomment-25848163
2013-10-10 14:55:12 -03:00
Rafael Mendonça França
fbc69ac560 Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
This reverts commit 7ed5bdc834, reversing
changes made to 31c79e291f.

Reason: this caused a regression when the associated record is created in
a before_create callback.

See https://github.com/rails/rails/pull/12413#issuecomment-25848163
2013-10-10 14:55:07 -03:00
Rafael Mendonça França
6a185aa0a8 Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
This reverts commit ccd11d5891, reversing
changes made to 54c05acdba.

Reason: This caused a regression when the associated record is created
in a before_create callback. See
https://github.com/rails/rails/pull/12413#issuecomment-25848163
2013-10-10 14:41:37 -03:00
Rafael Mendonça França
9639f65af5 Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
This reverts commit 7ed5bdc834, reversing
changes made to 31c79e291f.

Reason: this caused a regression when the associated record is created in
a before_create callback.

See https://github.com/rails/rails/pull/12413#issuecomment-25848163
2013-10-10 14:40:24 -03:00
Aaron Patterson
5ede19b772 bumping to rc2 2013-10-04 13:46:35 -07:00
Rafael Mendonça França
73dff26125 Merge pull request #12443 from arthurnn/add_inverse_of_add_target
Add inverse of add target
2013-10-04 13:58:36 -03:00
Rafael Mendonça França
7ed5bdc834 Merge pull request #12443 from arthurnn/add_inverse_of_add_target
Add inverse of add target
2013-10-04 09:57:17 -07:00
Arthur Neves
fc59e997d7 add regression test for set_inverse_instance on add_to_target 2013-10-04 11:15:55 -04:00
Arthur Neves
655396cc10 Add back set_inverse_instance on .add_to_target
We must have it in there too, so when an existing record is concatenated onto another,
we will have the inverse relation.
2013-10-04 10:15:22 -04:00
Aaron Patterson
5e277c8208 bumping version to 3.2.15.rc1 2013-10-03 11:52:44 -07:00
Aaron Patterson
31c79e291f Merge pull request #12084 from Ben-M/3-2-stable
Fix STI scopes using benolee's suggestion. Fixes #11939
2013-10-03 11:14:19 -07:00
Aaron Patterson
befeeb2d0a Merge branch '3-2-stable' into 3-2-sec
* 3-2-stable:
  make sure both headers are set before checking for ip spoofing
  Move set_inverse_instance to association.build_record
2013-10-03 10:27:58 -07:00
Andrew White
83c4b0a7f9 Merge pull request #12410 from tamird/fix-ip-spoof-errors
Fix ip spoof errors
2013-10-01 01:28:07 -07:00
Tamir Duberstein
85106decc4 make sure both headers are set before checking for ip spoofing 2013-10-01 01:26:07 -07:00
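The header comparison this commit adjusts, written out as an added example (not Rails' ActionDispatch::RemoteIp). The trusted proxy ranges and the Rack env hashes are constructed. The point of the fix is the guard on the comparison: a spoofing error is only raised when both Client-IP and X-Forwarded-For are present and disagree, so a request carrying just one of them is no longer rejected:

```ruby
require "ipaddr"

class IpSpoofAttackError < StandardError; end

# Proxies we operate (constructed example ranges): hops from these are skipped
# when picking the client address.
TRUSTED_PROXIES = [
  IPAddr.new("127.0.0.1"),
  IPAddr.new("10.0.0.0/8"),
  IPAddr.new("192.168.0.0/16"),
].freeze

def split_ips(header)
  header.to_s.split(",").map(&:strip).reject(&:empty?)
end

def trusted_proxy?(ip)
  addr = IPAddr.new(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Determine the client IP from a Rack env. Spoofing is only checked when BOTH
# Client-IP and X-Forwarded-For are present and the Client-IP value does not
# appear in the forwarded chain; a lone header is not evidence of anything.
def remote_ip(env, check_spoofing: true)
  client_ips    = split_ips(env["HTTP_CLIENT_IP"])
  forwarded_ips = split_ips(env["HTTP_X_FORWARDED_FOR"])

  if check_spoofing && !client_ips.empty? && !forwarded_ips.empty? &&
     !forwarded_ips.include?(client_ips.last)
    raise IpSpoofAttackError,
          "Client-IP #{client_ips.inspect} does not appear in X-Forwarded-For #{forwarded_ips.inspect}"
  end

  # Nearest hop first: Client-IP, then X-Forwarded-For read from the right,
  # dropping addresses that belong to our own proxies.
  candidates = (client_ips + forwarded_ips.reverse).reject { |ip| trusted_proxy?(ip) }
  candidates.first || env["REMOTE_ADDR"]
end

# Convenience for callers that only want a yes/no answer.
def spoof_detected?(env)
  remote_ip(env)
  false
rescue IpSpoofAttackError
  true
end
```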
Michael Koziarski
5aee516b5e Remove the use of String#% when formatting durations in log messages
This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.
2013-09-30 14:42:11 -07:00
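The two shapes the commit message contrasts, as an added example that is not the Rails code: a log line built with String#% after a request path has already been interpolated into it, beside the same line built without String#%. The sample paths are constructed. Directives smuggled in through the path make the formatter raise ArgumentError on every such request, and width specifiers can additionally force the formatter to allocate a large string; the post-fix shape never hands user data to the formatter at all:

```ruby
# Pre-fix shape: the request path is interpolated into the string BEFORE
# String#% runs, so any "%" directives in the path are interpreted.
def duration_line_unsafe(path, milliseconds)
  "Completed #{path} in %.1fms" % milliseconds
end

# Post-fix shape: no String#% at all; the number is rounded and interpolated,
# and the path is only ever data.
def duration_line(path, milliseconds)
  "Completed #{path} in #{milliseconds.round(1)}ms"
end

# Run a formatter and report either the line or the exception it raised.
def try_format(path, milliseconds)
  [:ok, yield(path, milliseconds)]
rescue ArgumentError => e
  [:error, e.class, e.message]
end

# Constructed request paths: a benign one and two carrying format directives.
SAMPLE_PATHS = ["/orders/42", "/orders/%s%s", "/orders/%{id}"].freeze

def compare_formatters(milliseconds = 12.5)
  SAMPLE_PATHS.map do |path|
    {
      path: path,
      unsafe: try_format(path, milliseconds) { |p, ms| duration_line_unsafe(p, ms) },
      safe: try_format(path, milliseconds) { |p, ms| duration_line(p, ms) },
    }
  end
end
```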
Rafael Mendonça França
ccd11d5891 Merge pull request #12413 from arthurnn/inverse_of_on_build
Inverse of on build
2013-09-30 14:38:58 -07:00
Arthur Neves
679860400f Move set_inverse_instance to association.build_record
[fixes #10371]
2013-09-30 17:20:26 -04:00
Rafael Mendonça França
54c05acdba Merge pull request #12375 from arthurnn/inverse_after_find_or_initialize
Inverse after find or initialize
2013-09-28 17:22:01 -07:00
Rafael Mendonça França
50a96446bc Use Ruby 1.8 hash syntax 2013-09-28 20:56:15 -03:00
Arthur Neves
fed6ac9c66 fix inverse_of when find_or_initialize_by_*
inverse_of relation was not being set when calling find_or_initialize_by_ and the entry was
found on the db.
2013-09-26 14:55:10 -04:00