Mastahyeti
a5697840d6
escape format for CVE-2014-0081
2014-02-18 15:25:05 -06:00
Andy Lindeman
e4cd9caf02
Merge pull request #46 from github/runtime_header
Removes the X-Runtime header from ActionController::Benchmarking
2014-02-13 22:34:18 -05:00
Andy Lindeman
89e4514704
Removes the X-Runtime header from ActionController::Benchmarking
The `Rack::Runtime` middleware now provides this header
2014-02-13 22:25:27 -05:00
Joshua Peek
24711e1e29
Backport env['rack.session.options'][:skip]
2014-02-11 23:22:39 -06:00
Charlie Somerville
221477dc21
fix this bit
2014-01-21 12:51:40 +11:00
Mislav Marohnić
18c7c1f753
Disable auto-generated form field IDs by passing nil for "id" attribute
Previously it was not possible to opt out of auto-generated ID values
for various form fields.
2014-01-13 13:22:06 -08:00
Aman Gupta
7224ee1419
Merge pull request #37 from github/erb-freeze
Freeze ERB string literals
2014-01-08 20:33:01 -08:00
Mislav Marohnić
fa41bedf6b
Don't rely on default encoding always being ASCII-8BIT
2014-01-08 17:41:17 -08:00
Aman Gupta
0a8282c557
freeze literals
2014-01-08 17:28:31 -08:00
Mislav Marohnić
d4a4facfcc
Add test for extracting the cache fragment with mixed encodings
2014-01-08 17:12:18 -08:00
Aman Gupta
dd4146854a
Fix fragment caching in mixed encodings scenario
To reduce ambiguity between char- and byte-based operations, explicitly
do byte operations when extracting the fragment that needs to be cached.
2014-01-08 16:35:55 -08:00
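The char-versus-byte ambiguity that commit dd4146854a describes, shown as an added Ruby illustration (this is not the project's fragment-caching code). A render buffer accumulates text; the cache records where a fragment starts and later slices it out. PREFIX, FRAGMENT and the capture_* functions are constructed for this example. The retagging case assumes a buffer that is tagged ASCII-8BIT while the offset is taken and UTF-8 when the slice is made, which is one way a char offset and a byte offset stop agreeing; recording and slicing in bytes is stable under any encoding tag.

```ruby
# Constructed inputs: the text before the cached block contains a multibyte
# character, so its character count (5) and byte count (6) differ.
PREFIX   = "caf\u00e9 ".dup   # UTF-8, 5 chars, 6 bytes
FRAGMENT = "<b>hi</b>".dup    # ASCII-only, 9 chars, 9 bytes

# The same bytes report a different #length depending only on the encoding tag;
# #bytesize does not change.
def length_by_encoding(str)
  { utf8: str.length, binary: str.b.length, bytesize: str.bytesize }
end

# Consistent char-based capture: works as long as the buffer's encoding never
# changes between recording the offset and slicing.
def capture_by_chars(prefix, fragment)
  buf = prefix.dup
  start = buf.length            # char index
  buf << fragment
  buf[start..-1]
end

# Consistent byte-based capture: the fix the commit describes. Offsets and
# slices are both in bytes, so the encoding tag is irrelevant.
def capture_by_bytes(prefix, fragment)
  buf = prefix.dup
  start = buf.bytesize          # byte offset
  buf << fragment
  buf.byteslice(start, buf.bytesize - start)
end

# The bug class: a char index used as a byte offset. With a multibyte prefix the
# slice starts one byte early and drags in the trailing space.
def capture_mixed(prefix, fragment)
  buf = prefix.dup
  start = buf.length
  buf << fragment
  buf.byteslice(start, buf.bytesize - start)
end

# Assumed mixed-encoding scenario: the buffer is tagged ASCII-8BIT when the
# offset is taken (length == bytesize == 6) and retagged UTF-8 before slicing
# (now 14 chars). Char index 6 lands one character into the fragment.
def capture_across_retag(prefix, fragment)
  buf = prefix.b                # binary copy
  start = buf.length            # 6
  buf << fragment               # ASCII-only append keeps the binary tag
  buf.force_encoding(Encoding::UTF_8)
  buf[start..-1]
end

if $PROGRAM_NAME == __FILE__
  p length_by_encoding(PREFIX)
  p capture_by_chars(PREFIX, FRAGMENT)
  p capture_by_bytes(PREFIX, FRAGMENT)
  p capture_mixed(PREFIX, FRAGMENT)
  p capture_across_retag(PREFIX, FRAGMENT)
end
```

The practical check for code of this kind is to grep for offsets taken with `length`/`size` and later used with `byteslice`, or vice versa, and to make every offset that outlives an append a byte offset.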
Charlie Somerville
df387ab385
remove FastCGI crap
2013-12-30 14:28:24 +11:00
Charlie Somerville
8f99d00868
require properly
2013-12-30 14:23:00 +11:00
Charlie Somerville
987b61bd1d
kill QueryExtension, it's more dead junk
2013-12-30 14:15:55 +11:00
Charlie Somerville
f05e54a9f3
remove stdinput monkey patch
2013-12-30 14:15:51 +11:00
Charlie Somerville
b9918117bb
delete ActionController::CGIHandler and CgiRequest
2013-12-30 14:11:07 +11:00
Charlie Somerville
42f85d118d
don't autoload CGIHandler and CgiRequest
2013-12-30 14:10:28 +11:00
Charlie Somerville
acb182d094
@output is never used anywhere, kill it
2013-12-30 14:09:20 +11:00
Charlie Somerville
6e0fcb788d
remove CGI from the dispatcher
2013-12-30 14:09:00 +11:00
Charlie Somerville
f699184047
test that we never call build_middleware_stack after initialization
2013-12-30 13:59:18 +11:00
Charlie Somerville
55d6a9f2df
don't reload the middleware stack every request in development
2013-12-30 13:53:48 +11:00
Ted Nyman
d13866d75d
Merge pull request #30 from github/CVE-2013-6417
CVE-2013-6417
2013-12-03 14:46:53 -08:00
Nathan Witmer
bf0d43bb77
Only escape value if present
2013-12-03 14:47:38 -07:00
Nathan Witmer
72cebbcb59
Escape the unit value provided to number_to_currency
Fixes CVE-2013-6415.
Previously the values were trusted blindly allowing for potential XSS attacks.
This is different from the original upstream patch for 3.x in that return values
from other number helper methods are not marked as html_safe, so the html
escaping always applies. This requires applications to explicitly set .html_safe
on unit strings and number separators when calling number_to_currency.
2013-12-03 14:32:26 -07:00
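The escaping rule commit 72cebbcb59 describes (and the "only escape if present" follow-up), as an added illustration in plain Ruby; this is not Rails' number helper or its SafeBuffer. Every option that reaches the HTML is escaped before substitution unless the caller marks it safe, and the format template is escaped the same way, which is what the "escape format for CVE-2014-0081" entry at the top of this log points at. HtmlSafeString, html_safe, h and number_to_currency are stand-ins written for this example; the attacker-controlled option values are constructed.

```ruby
require "erb"

# Stand-in for a string the caller has vouched for. Rails marks such strings
# with String#html_safe; this example avoids patching String.
class HtmlSafeString < String; end

def html_safe(str)
  HtmlSafeString.new(str)
end

# Escape unless explicitly marked safe; nil becomes "" ("only escape if present").
def h(value)
  return "" if value.nil?
  value.is_a?(HtmlSafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Example currency formatter. Unit, separators and the format template are all
# escaped first, so a caller who wants "&euro;" rendered as an entity must pass
# html_safe("&euro;") explicitly.
def number_to_currency(number, unit: "$", separator: ".", delimiter: ",",
                       precision: 2, format: "%u%n")
  unit_s, sep_s, delim_s, fmt_s = h(unit), h(separator), h(delimiter), h(format)

  whole, frac = ("%.#{precision}f" % number).split(".")
  # Insert the (escaped) delimiter every three digits from the right.
  whole = whole.gsub(/(\d)(?=(\d{3})+$)/) { "#{$1}#{delim_s}" }
  num = [whole, frac].compact.join(sep_s)

  # Block form of gsub so nothing in the operands is read as a backreference;
  # substitute %n before %u so a unit containing "%n" is inert.
  fmt_s.gsub("%n") { num }.gsub("%u") { unit_s }
end

if $PROGRAM_NAME == __FILE__
  puts number_to_currency(1234.5)
  puts number_to_currency(1234.5, unit: "<script>alert(1)</script>")
  puts number_to_currency(1234.5, unit: html_safe("&euro;"))
  puts number_to_currency(5, format: "<img src=x onerror=alert(1)>%n")
  puts number_to_currency(1234.5, delimiter: nil)
end
```

The escape-by-default choice moves the decision to the call site: anything that is meant to carry markup has to be marked safe where it is constructed, which is where the reviewer can see whether the value is really constant.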
Ted Nyman
379dd9071c
Documentation for #deep_munge
2013-12-03 13:24:11 -08:00
Ted Nyman
a743f17dbd
#deep_munge for CVE-2013-6417
2013-12-03 13:23:02 -08:00
Charlie Somerville
05cb9e6854
depend on the right versions
2013-11-10 15:20:15 -05:00
Charlie Somerville
1a5734e0b5
use RAILS_VERSION file
2013-11-10 11:43:01 -05:00
Charlie Somerville
29a72262aa
here too
2013-10-25 12:46:48 -04:00
Charlie Somerville
76c5bf4f4b
instantiate the cached helper class instead of extending AV::B
2013-10-25 12:46:48 -04:00
Charlie Somerville
416b7171b8
delete ActionView::Base#helpers because it's completely useless
2013-10-25 12:46:48 -04:00
Charlie Somerville
e82a3ba2a0
cache a class that is pre-included with the master helper module
2013-10-25 12:46:48 -04:00
Charlie Somerville
a086a33fd4
misc
2013-10-24 13:18:37 -04:00
Charlie Somerville
15678eac1c
delete rjs templates
2013-10-24 12:58:08 -04:00
Charlie Somerville
2e21cced12
more test fixing
2013-10-24 12:54:06 -04:00
Charlie Somerville
fb86dada29
delete RJS template handler
2013-10-24 12:48:56 -04:00
Charlie Somerville
aa4dfa6937
delete link_to_function and button_to_function
2013-10-24 12:46:41 -04:00
Charlie Somerville
ca7a53cbe9
fix tests
2013-10-24 12:46:30 -04:00
Charlie Somerville
1ddf5592e4
forgot to remove this require
2013-10-24 12:31:15 -04:00
Charlie Somerville
425a5d5e2e
don't include ScriptaculousHelper in places
2013-10-24 12:26:19 -04:00
Charlie Somerville
c8d7945ae4
delete render :update
2013-10-24 12:25:38 -04:00
Charlie Somerville
6db8e71ad8
delete tests that hit PrototypeHelper
2013-10-24 12:25:38 -04:00
Charlie Somerville
0e7a8ce464
don't include PrototypeHelper in places
2013-10-24 12:25:23 -04:00
Charlie Somerville
a4274b33f7
rip out scriptaculous
2013-10-24 12:23:20 -04:00
Charlie Somerville
9645f8be89
delete prototype.js helpers
2013-10-24 12:21:25 -04:00
Charlie Somerville
050be61caf
delete test for formatted_
2013-10-02 14:29:50 +10:00
Charlie Somerville
4baefa4de9
delete formatted_ url helper
2013-10-02 14:25:57 +10:00
Charlie Somerville
bf96f35248
we can use defined?() to check if a method is public or protected
2013-09-17 15:45:25 +10:00
Charlie Somerville
1d6053f5bf
remove -w from tests
2013-09-17 15:40:41 +10:00
Charlie Somerville
ca6a64758b
bump rack dependency to 1.4 to match what we currently have
2013-09-17 11:24:19 +10:00