Commit Graph

8398 Commits

Author SHA1 Message Date
Charlie Somerville
7684d715ef Merge remote-tracking branch 'upstream/3-2-stable' into 3-2-github 2014-09-15 14:04:33 +10:00
Santiago Pastorino
11fd052aa8 Regenerate sid when somebody tries to fixate the session
Fixed broken test.

Thanks Stephen Richards for reporting.
2014-08-04 11:36:43 -03:00
Rafael Mendonça França
53c845cb18 Preparing for 3.2.19 release 2014-07-02 12:55:09 -03:00
Aaron Patterson
6a051299f9 Feature detect based on Ruby version.
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0.  Checking for a
case-insensitive FS seems too hard, so just check Ruby version.
2014-05-18 12:00:57 -07:00
Aaron Patterson
c40df47055 feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053 2014-05-10 11:53:02 -07:00
Aaron Patterson
03e016f22a use fnmatch to test for case insensitive file systems
this is due to:

  https://bugs.ruby-lang.org/issues/5994
2014-05-09 14:46:46 -07:00
Rafael Mendonça França
bbec7d72be Merge branch '3-2-sec' into 3-2-stable
Conflicts:
	actionpack/CHANGELOG.md
2014-05-06 13:31:07 -03:00
Rafael Mendonça França
50d6b4549d Fix broken tests of the previous release 2014-05-06 13:03:21 -03:00
Rafael Mendonça França
4e8f1d2588 Preparing for 3.2.18 release 2014-05-06 11:33:10 -03:00
Rafael Mendonça França
0f3b7d1a31 Only accept actions without File::SEPARATOR in the name.
This will avoid directory traversal in implicit render.

Fixes: CVE-2014-0130
2014-05-05 11:37:34 -03:00
Charlie Somerville
a54e2e4a72 bump to builder 3.2 2014-04-10 22:53:51 +10:00
Rafael Mendonça França
a3bda38467 Merge branch '3-2-17' into 3-2-stable
Conflicts:
	actionpack/CHANGELOG.md
2014-02-18 15:57:32 -03:00
Rafael Mendonça França
666e9f65bd Preparing for 3.2.17 release 2014-02-18 15:16:57 -03:00
Rafael Mendonça França
388d2f8888 Use the reference for the mime type to get the format
Before, we were calling to_sym on the mime type even when it was unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
2014-02-18 15:02:54 -03:00
Rafael Mendonça França
eaa2101b29 Escape format, negative_format and units options of number helpers
Previously the values of these options were trusted, leading to
potential XSS vulnerabilities.

Fixes: CVE-2014-0081
2014-02-18 15:02:29 -03:00
Josef Šimánek
c13eb1c727 Fix force_ssl.rb documentation. Close tt tag.
[ci skip]
2014-01-06 15:28:35 +01:00
Carlos Antonio da Silva
31a485fa5a Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.

Conflicts:
	actionpack/CHANGELOG.md
2013-12-04 22:34:15 -02:00
Rafael Mendonça França
c82025fcd6 Fix documentation of number_to_currency helper
Now users have to explicitly mark the unit as safe if they trust it.

Closes #13161
2013-12-04 10:22:46 -02:00
Tobias Kraze
9e625d6465 repair a test broken by the number_to_currency XSS fix 2013-12-04 12:16:05 +01:00
Aaron Patterson
64226302d8 updating the changelog 2013-12-02 16:17:19 -08:00
Michael Koziarski
d5a4095ca5 Deep Munge the parameters for GET and POST
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.

Fixes CVE-2013-6417

Conflicts:
	actionpack/lib/action_dispatch/http/request.rb
2013-12-02 14:14:35 -08:00
Michael Koziarski
78790e4bce Stop using i18n's built-in HTML error handling.
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans.  Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.

Fixes: CVE-2013-4491

Conflicts:
	actionpack/lib/action_view/helpers/translation_helper.rb

Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
2013-12-02 14:02:15 -08:00
Michael Koziarski
5ed70c591f Escape the unit value provided to number_to_currency
Fixes CVE-2013-6415

Previously the values were trusted blindly allowing for potential XSS attacks.
2013-12-02 13:49:41 -08:00
Aaron Patterson
bee3b7f937 Only use valid mime type symbols as cache keys
CVE-2013-6414
2013-11-30 17:03:18 -08:00
Aaron Patterson
538f8ba0c1 updating changelogs 2013-10-16 10:01:01 -07:00
Aaron Patterson
2a0c4403fd bumping to 3.2.15 2013-10-15 11:48:53 -07:00
Aaron Patterson
eb8807e84d Merge branch '3-2-15' into 3-2-sec
* 3-2-15:
  bumping to rc3
  Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
  Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
  bumping to rc2
  Merge pull request #12443 from arthurnn/add_inverse_of_add_target
  bumping version to 3.2.15.rc1
  Fix STI scopes using benolee's suggestion. Fixes #11939
2013-10-15 11:15:08 -07:00
Aaron Patterson
e3abd78ee5 bumping to rc3 2013-10-11 14:16:06 -07:00
Aaron Patterson
5ede19b772 bumping to rc2 2013-10-04 13:46:35 -07:00
Aaron Patterson
5e277c8208 bumping version to 3.2.15.rc1 2013-10-03 11:52:44 -07:00
Aaron Patterson
befeeb2d0a Merge branch '3-2-stable' into 3-2-sec
* 3-2-stable:
  make sure both headers are set before checking for ip spoofing
  Move set_inverse_instance to association.build_record
2013-10-03 10:27:58 -07:00
Tamir Duberstein
85106decc4 make sure both headers are set before checking for ip spoofing 2013-10-01 01:26:07 -07:00
Michael Koziarski
5aee516b5e Remove the use of String#% when formatting durations in log messages
This avoids potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.
2013-09-30 14:42:11 -07:00
Eugene Kalenkovich
c9642e31b1 Fix FinderMethods#last unscoped primary key
Fixes table.joins(:relation).last(N) breaking on sqlite

Conflicts:
	activerecord/CHANGELOG.md
	activerecord/test/cases/finder_test.rb
2013-09-12 14:08:02 -03:00
Brian Hahn
03ac291526 pass the extra params to the rack test environment so that routes with block constraints have access 2013-09-06 11:08:41 -07:00
Kassio Borges
424a5a7d46 fix issue #11605 2013-08-24 15:24:36 -03:00
Rafael Mendonça França
e0db277be0 Fix actionpack CHANGELOG entry
It was included by git on the wrong release
2013-07-22 20:25:20 -03:00
Rafael Mendonça França
2b3ce8627b Merge branch '3-2-14' into 3-2-stable 2013-07-22 20:24:09 -03:00
Rafael Mendonça França
2fcd13eff2 Preparing for 3.2.14 release 2013-07-22 12:05:41 -03:00
Rafael Mendonça França
47fb44fc7a Update CHANGELOG entry 2013-07-22 11:57:02 -03:00
Alexey Chernenkov
0f5ba6e124 Fix assert_redirected_to does not show user-supplied message.
Issue: when `assert_redirected_to` fails due to the response redirect not
matching the expected redirect the user-supplied message (second parameter)
is not shown. This message is only shown if the response is not a redirect.
2013-07-18 10:54:36 +06:00
Arun Agrawal
fc0faaa590 Removed unused test file
This test file has not been running for a long time.
This test is already covered in controller/caching_test.rb.
2013-07-17 11:47:24 +02:00
Rafael Mendonça França
a96df04aac Preparing for 3.2.14.rc2 release 2013-07-16 13:00:33 -03:00
Rafael Mendonça França
facfc24f25 Preparing for 3.2.14.rc1 release 2013-07-12 21:06:50 -03:00
Rafael Mendonça França
2ce875dfbd Add license to the gemspec 2013-07-08 14:51:19 -03:00
Santiago Pastorino
e359e3ab93 Add missing require 2013-07-02 17:00:33 -07:00
Andrew White
b0c65978ab Use old style hash syntax for 3-2-stable 2013-06-25 12:24:06 +01:00
Andrew White
622e4ab424 Fix shorthand routes where controller and action are in the scope
Merge `:action` from routing scope and assign endpoint if both `:controller`
and `:action` are present. The endpoint assignment only occurs if there is
no `:to` present in the options hash, so it should only affect routes using the
shorthand syntax (i.e. endpoint is inferred from the path).

Fixes #9856

Backport of 37b4276
2013-06-25 11:00:19 +01:00
Rafael Mendonça França
ca23e6d4d3 Add CHANGELOG entry for #10971
[ci skip]
2013-06-24 16:19:38 -03:00
Rafael Mendonça França
2553bd785c Merge pull request #10971 from dtaniwaki/escape_link_to_unless
Always escape the result of link_to_unless method
2013-06-24 16:15:56 -03:00