Aaron Patterson
60f783d9ce
fixing strip tags vulnerability
2011-08-16 14:58:13 -07:00
Aaron Patterson
11dafeaa75
fixing response splitting problem
2011-08-16 14:25:45 -07:00
José Valim
d793a56121
Merged pull request #198 from robdimarco/2-3-stable.
Patch for issue 6440 - Session Reset undefined method `destroy' for {}:Hash
2011-04-28 00:37:53 -07:00
gmarik
b0be721dd9
respect :expire_after option
- it was broken after [commit](e0eb8e9c65)
- there's also [issue](https://rails.lighthouseapp.com/projects/8994/tickets/6634-railsrack-inconsistency-about-expires_afterexpires-cookie-option)
- also: maybe it is worth making Rack understand :expire_after as we duplicate the same logic in [cookie_store](https://github.com/gmarik/rails/blob/v2.3.11/actionpack/lib/action_controller/session/cookie_store.rb#L114)
Signed-off-by: José Valim <jose.valim@gmail.com>
2011-04-14 13:48:35 +02:00
Rob Di Marco
589ce09564
Unit test that shows calling reset session twice results in an exception
2011-02-28 22:53:36 -05:00
Michael Koziarski
7e86f9b4d2
Change the CSRF whitelisting to only apply to get requests
Unfortunately, the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests, Rails now supports providing the token in a custom HTTP header:
X-CSRF-Token: ...
This fixes CVE-2011-0447
2011-02-09 09:20:17 +13:00
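The check that commit describes, as an added example in plain Ruby (not Rails' own request-forgery-protection code): the old XHR whitelist beside the replacement that exempts only GET and accepts the token either as the authenticity_token form field or in the X-CSRF-Token header. The request struct, the session key `_csrf_token`, the token format and the constant-time comparison are this example's assumptions.

```ruby
require 'securerandom'

# Constructed stand-in for the parts of a request the check needs (verb,
# form params, request headers and the server-side session). It is not
# Rails' ActionController::Request.
CsrfRequest = Struct.new(:verb, :params, :headers, :session)

# Assumption: the per-session token is a random 32-byte value stored under
# session[:_csrf_token]; a session gets one the first time it is asked.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time string comparison, so the token check does not leak how many
# leading bytes of a guess were right through its timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The whitelisting the commit removes: any non-GET request that announced
# itself as XHR was trusted without a token. The X-Requested-With header is
# under the attacker's control from a Flash animation or Java applet, so this
# check is bypassable.
def verified_request_xhr_whitelist?(req)
  return true if req.verb == 'GET'
  return true if req.headers['X-Requested-With'] == 'XMLHttpRequest'
  secure_compare(req.params['authenticity_token'].to_s, csrf_token(req.session))
end

# After the fix: only GET is exempt. Every other request must carry the
# session's token, either as the authenticity_token form field or in the
# X-CSRF-Token header (which is how XHR and other script-issued requests
# supply it).
def verified_request?(req)
  return true if req.verb == 'GET'
  supplied = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  secure_compare(supplied.to_s, csrf_token(req.session))
end

# Walk-through on constructed requests sharing one session: the verdict of
# each check on a forged "XHR" POST without a token and on a genuine POST
# carrying the token in the header.
def csrf_walkthrough
  session = {}
  token   = csrf_token(session)
  forged  = CsrfRequest.new('POST', {}, { 'X-Requested-With' => 'XMLHttpRequest' }, session)
  genuine = CsrfRequest.new('POST', {}, { 'X-CSRF-Token' => token }, session)
  {
    forged_passes_old_check:  verified_request_xhr_whitelist?(forged),
    forged_passes_new_check:  verified_request?(forged),
    genuine_passes_new_check: verified_request?(genuine)
  }
end
```

The GET exemption only holds if GET handlers stay free of side effects; a state-changing GET is forgeable from a plain `<img>` tag regardless of any token scheme. Client-side code reads the token from the page (typically a meta tag rendered with the form) and sets it as X-CSRF-Token on each XHR.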
Michael Koziarski
abe97736b8
Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.
This fixes CVE-2011-0446
2011-02-09 09:20:16 +13:00
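What an unescaped apostrophe does to a JavaScript-encoded mailto link, as an added example that is not the helper's own code: `escape_javascript` below is this example's implementation (assumed to use the same character mapping as the Rails helper), `html_escape` deliberately leaves `'` alone so the address reaches the JavaScript string literal unchanged, and `js_literal_intact?` is a constructed check that the `document.write('...')` argument still ends where the template intended.

```ruby
# Mapping applied inside a JavaScript string literal: quotes and backslashes
# so the literal cannot be terminated early, newlines so the literal does not
# span lines, and "</" so the browser cannot see an early "</script>".
JS_ESCAPE_MAP = {
  '\\'   => '\\\\',
  '</'   => '<\/',
  "\r\n" => '\n',
  "\n"   => '\n',
  "\r"   => '\n',
  '"'    => '\\"',
  "'"    => "\\'"
}.freeze

def escape_javascript(str)
  str.to_s.gsub(/(\\|<\/|\r\n|\r|\n|["'])/) { |m| JS_ESCAPE_MAP[m] }
end

# Assumption for this example: HTML escaping covers & < > and " only, so an
# apostrophe in the address survives into the generated markup.
HTML_ESCAPE_MAP = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def html_escape(str)
  str.to_s.gsub(/[&<>"]/) { |m| HTML_ESCAPE_MAP[m] }
end

# Builds the script that writes a mailto link. With escape: false the markup
# is dropped straight into the JS string literal (the bug); with escape: true
# it is run through escape_javascript first (the fix).
def mail_to_js(email, escape: true)
  addr = html_escape(email)
  link = %(<a href="mailto:#{addr}">#{addr}</a>)
  body = escape ? escape_javascript(link) : link
  %(<script type="text/javascript">document.write('#{body}');</script>)
end

# Walks the literal after document.write(' : a backslash skips the next
# character, and the first unescaped quote must be the one the template
# wrote, i.e. what follows it must be exactly ');</script>.
def js_literal_intact?(script)
  opener = "document.write('"
  i = script.index(opener)
  return false unless i
  i += opener.length
  while i < script.length
    case script[i]
    when '\\' then i += 2
    when "'"  then return script[i..-1] == "');</script>"
    else i += 1
    end
  end
  false
end
```

For `o'brien@example.com` the unescaped form produces `document.write('<a href="mailto:o'brien@...` and the literal ends at the apostrophe; the escaped form produces `mailto:o\'brien@...` and stays a single string. Data that can break out of a string literal this way is not just a JavaScript error but a script injection point whenever the address is user-supplied.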
Michael Koziarski
6d916329b8
Require thread explicitly rather than relying on rubygems to do it.
2010-12-20 11:16:55 +13:00
Pascal Friederich
e0eb8e9c65
Let Rack::Utils.set_cookie_header! create the Set-Cookie header instead of manually fiddling with the response headers [#4941 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-12-01 11:58:45 +01:00
José Valim
2826324e56
Revert "Fix AbstractStore so that it preserves Set-Cookie header as an array, rather than as newline separated strings"
This reverts commit 36b91e34f4.
Conflicts:
actionpack/test/activerecord/active_record_store_test.rb
2010-12-01 11:48:31 +01:00
Andrew White
25139ac92c
Don't write out secure cookies unless the request is secure
2010-10-27 15:04:29 +01:00
Andrew White
0e52a609fd
Don't create a deprecation proxy object if the variable was passed in local_assigns [#1671 state:resolved]
2010-10-26 12:57:21 +01:00
Aaron Patterson
df78de2bc8
removing space errors
2010-10-21 10:30:18 -07:00
Omar Qureshi
36b91e34f4
Fix AbstractStore so that it preserves Set-Cookie header as an array, rather than as newline separated strings
2010-10-21 10:28:54 -07:00
Michael Koziarski
dbbf2fd19c
Revert "Makes form_helper use overridden model accessors backport"
This change introduced breakages and test failures.
This reverts commit 8141f0894e.
2010-09-27 12:20:54 +13:00
W. Andrew Loe III
17f2fb44c0
Only send secure cookies over SSL.
2010-09-14 11:52:40 -07:00
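A Set-Cookie writer that applies two of the rules in this log, as an added example rather than Rails' or Rack's own code: the secure-cookie rule from "Only send secure cookies over SSL" / "Don't write out secure cookies unless the request is secure" (a cookie flagged secure is withheld unless the request arrived over SSL, so it never travels in clear text), and the response-splitting check behind "fixing response splitting problem" (any field that reaches the header line is refused if it contains CR or LF, since `value\r\nSet-Cookie: admin=1` would otherwise end the header and inject a second one). The headers Hash, the `ssl:` flag standing in for `request.ssl?`, and keeping Set-Cookie as an Array of values are this example's assumptions.

```ruby
class HeaderSplittingError < StandardError; end

# Refuse CR or LF anywhere in a header field: a bare newline is what turns
# one Set-Cookie into two headers (or into a forged response body).
def assert_header_safe!(field)
  field = field.to_s
  if field =~ /[\r\n]/
    raise HeaderSplittingError, "CR/LF in header field: #{field.inspect}"
  end
  field
end

# One Set-Cookie value. Every user-influenced piece goes through the check.
def build_set_cookie(name, value, opts = {})
  parts = ["#{assert_header_safe!(name)}=#{assert_header_safe!(value)}"]
  parts << "path=#{assert_header_safe!(opts.fetch(:path, '/'))}"
  parts << 'secure'   if opts[:secure]
  parts << 'HttpOnly' if opts.fetch(:http_only, true)
  parts.join('; ')
end

# headers is a Rack-style Hash; ssl says whether the request came in over TLS
# (what request.ssl? would report). A cookie marked secure on a plain-HTTP
# request is not written at all. Returns true when written, false when withheld.
def set_cookie_header!(headers, name, value, ssl:, **opts)
  return false if opts[:secure] && !ssl
  cookie = build_set_cookie(name, value, opts)
  (headers['Set-Cookie'] ||= []) << cookie
  true
end

# Walk-through on constructed requests: the same secure session cookie over
# plain HTTP and over HTTPS, plus a cookie value carrying a CRLF.
def cookie_walkthrough
  plain = {}
  tls   = {}
  {
    written_over_http:  set_cookie_header!(plain, '_session_id', 'abc123', ssl: false, secure: true),
    written_over_https: set_cookie_header!(tls,   '_session_id', 'abc123', ssl: true,  secure: true),
    http_header:        plain['Set-Cookie'],
    https_header:       tls['Set-Cookie'],
    split_attempt_rejected: begin
      set_cookie_header!({}, 'x', "1\r\nSet-Cookie: admin=1", ssl: true)
      false
    rescue HeaderSplittingError
      true
    end
  }
end
```

Withholding the cookie (rather than writing it without the secure flag) is the point: a session id marked secure that is nevertheless sent over HTTP has already been exposed to anyone on the path. Rejecting CR/LF at the writer catches the injection wherever the value came from, rather than relying on each caller to have sanitised it.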
Andrew Kaspick
a159fd0b8c
Fix fixtures in integration test sessions
Signed-off-by: Michael Koziarski <michael@koziarski.com>
2010-09-10 10:45:23 +12:00
Santiago Pastorino
43e2bbe28e
Making time_zone_options_for_select return a html_safe string master backport
2010-08-15 10:07:38 -03:00
Santiago Pastorino
8141f0894e
Makes form_helper use overridden model accessors backport
[#3374]
2010-08-01 19:49:45 -03:00
Jon Yurek
fb615cd7fd
Fix for integration tests not serializing arrays in multipart forms correctly.
Signed-off-by: wycats <wycats@gmail.com>
2010-07-17 13:01:50 -05:00
Michael Lovitt
257a29d3cc
Sessions should not be created until written to and session data should be destroyed on reset. [#4938 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-07-14 08:04:37 +02:00
Aaron Patterson
67e18c523c
fixing Session::AbstractStore#clear to actually clear the session. [#5030 state:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-07-01 14:47:28 -07:00
Jan Berkel
f8f4872fcc
Backported patch from [#4762]
URL fragments should not have safe characters escaped. Ref: Appendix A, http://tools.ietf.org/rfc/rfc3986.txt
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-06-30 13:27:28 +02:00
Prem Sichanugrist
f8f365346e
Make sure that Rails doesn't resend the session_id cookie over and over again if it's already there [#2485 state:resolved]
This applies only to the Active Record store and the Memcached store, as they both store only the session_id, which will be unchanged, in the cookie.
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-06-25 09:47:56 +02:00
Michael Koziarski
cbf36cf57c
Revert "make text_field and hidden_field omit the value attribute if the developer explicitly passes in :value => nil [#4839 state:reopened]"
This reverts commit 52c922fad1
2010-06-23 16:54:05 +12:00
Michael Koziarski
52c922fad1
make text_field and hidden_field omit the value attribute if the developer explicitly passes in :value => nil [#4839 state:resolved]
Signed-off-by: Michael Koziarski <michael@koziarski.com>
Conflicts:
actionpack/lib/action_view/helpers/form_helper.rb
2010-06-23 16:25:19 +12:00
Jesse Storimer
85b6d79d8a
CookieStore should preserve the Set-Cookie header Array [#4743 state:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-06-22 11:25:32 -07:00
Prem Sichanugrist
0f44d37d04
Make sure that Rails recognizes the full notation of the IPv6 loopback address, and recognizes 127.0.0.0/8 in IPv4
[#3257 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-06-08 19:47:18 +02:00
Michael Koziarski
5796a92433
Merge commit 'mislav/auto_link_2-3-stable' into 2-3-stable
2010-05-29 14:05:21 +12:00
Jeremy Kemper
f7e27bd078
i18n: t() handles single keys returning an Array, also
2010-05-24 20:41:28 -07:00
Jeremy Kemper
6a9e188c0c
HTML safety: fix textarea with nil content
2010-05-24 20:13:07 -07:00
Santiago Pastorino
a9032c885f
Error messages for asserts
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-05-24 16:05:39 -07:00
Jeremy Kemper
e8ba5265e0
Work around strange Ruby 1.9 autoload issue by using absolute load paths for tests (ditto for other components' tests)
2010-05-24 16:05:34 -07:00
José Valim
50f3754525
Ensure translations work with symbols.
2010-05-24 23:38:49 +02:00
Santiago Pastorino
4986d5ed04
translate helper method using an array is deprecated
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-05-24 23:38:48 +02:00
Jeremy Kemper
9d3bd87045
Work around strange Ruby 1.9 autoload issue by using absolute load paths for tests
2010-05-24 12:16:33 -07:00
Santiago Pastorino
6b0616d1b8
translation method of TranslationHelper module returns a SafeBuffer Array backport
[#4675 state:committed]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-05-24 20:56:44 +02:00
Santiago Pastorino
d3da1a2c66
Revert "translation method of TranslationHelper module returns always SafeBuffer [#4194 status:resolved]"
This reverts commit 2310aef29b.
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-05-24 20:56:44 +02:00
Jeremy Kemper
c66013e2c5
Fix that captured content (e.g. with form_for or div_for) would be HTML-escaped even without the rails_xss plugin installed. Rails 2.3.7, we barely knew ya...
2010-05-24 09:12:00 -07:00
Lance Ivy
9e08e196fa
Ensure auto_link does not ignore multiple trailing punctuations
[#2504 state:resolved]
2010-05-24 11:47:36 +02:00
Mislav Marohnić
17b4fd25e4
avoid auto_linking already linked emails; more robust detection of linked URLs
References #1523 [#1862 state:resolved] [#3591 state:resolved]
Add test that shows how link text can contain HTML if needed:
the trick is using block form in combination with `raw`.
Let link text be automatically HTML-escaped
[#2017 state:resolved]
2010-05-24 11:18:20 +02:00
Mislav Marohnić
bd9ca9aed0
auto_link: support arbitrary URI schemes like "ftp:" and "file:"
recognizes all URI scheme allowed characters, such as colon and period.
[#3494 state:resolved]
2010-05-24 11:18:20 +02:00
Jeremy Kemper
ca5f5d97b9
Fix test rendering unmarked but safe HTML
2010-05-23 15:28:40 -07:00
Jeff Kreeftmeijer
2de364636c
partial counters with :as [#2804 state:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-05-15 10:32:45 -07:00
Santiago Pastorino
adcfb4e8bd
simple_format should return html_safe but not escape text, that's for rails_xss plugin [#3767 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-05-07 11:56:53 -07:00
Jeremy Kemper
9e262de3d8
Fix backport error: wrong exception name
2010-04-24 19:38:10 -07:00
Cezary Baginski
ec7716abcd
actionpack: added missing encoding comments [#4466 state:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-04-24 17:30:59 -07:00
Jeremy Kemper
f6e71c674c
Expect an incompatible encoding exception when a template with a magic comment renders a partial without one and its source encoding doesn't match the default external encoding
2010-04-24 17:12:05 -07:00
Jeremy Kemper
fb545f4c60
Expect an incompatible encoding exception when a template doesn't have a magic comment and its source encoding doesn't match the default external encoding
2010-04-24 17:12:00 -07:00
Jeremy Kemper
70034d820f
Ensure ERB source begins with the encoding comment
2010-04-24 17:04:50 -07:00