github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-13 00:27:56 -05:00
Code Issues Packages Projects Releases Wiki Activity
10,355 Commits 34 Branches 105 Tags
github44
Commit Graph

1999 Commits

Author SHA1 Message Date
Mastahyeti
a5697840d6 escape format for CVE-2014-0081 2014-02-18 15:25:05 -06:00
Charlie Somerville
221477dc21 fix this bit 2014-01-21 12:51:40 +11:00
Mislav Marohnić
18c7c1f753 Disable auto-generated form field IDs by passing nil for "id" attribute 
Previously it was not possible to opt out of auto-generated ID values
for various form fields.
 2014-01-13 13:22:06 -08:00
Mislav Marohnić
fa41bedf6b Don't rely on default encoding always being ASCII-8BIT 2014-01-08 17:41:17 -08:00
Mislav Marohnić
d4a4facfcc Add test for extracting the cache fragment with mixed encodings 2014-01-08 17:12:18 -08:00
Charlie Somerville
df387ab385 remove FastCGI crap 2013-12-30 14:28:24 +11:00
Charlie Somerville
f699184047 test that we never call build_middleware_stack after initialization 2013-12-30 13:59:18 +11:00
Nathan Witmer
72cebbcb59 Escape the unit value provided to number_to_currency 
Fixes CVE-2013-6415.

Previously the values were trusted blindly allowing for potential XSS attacks.

This is different from the original upstream patch for 3.x in that return values
from other number helper methods are not marked as html_safe, so the html
escaping always applies. This requires applications to explicitly set .html_safe
on unit strings and number separators when calling number_to_currency.
 2013-12-03 14:32:26 -07:00
Charlie Somerville
15678eac1c delete rjs templates 2013-10-24 12:58:08 -04:00
Charlie Somerville
2e21cced12 more test fixing 2013-10-24 12:54:06 -04:00
Charlie Somerville
aa4dfa6937 delete link_to_function and button_to_function 2013-10-24 12:46:41 -04:00
Charlie Somerville
ca7a53cbe9 fix tests 2013-10-24 12:46:30 -04:00
Charlie Somerville
6db8e71ad8 delete tests that hit PrototypeHelper 2013-10-24 12:25:38 -04:00
Charlie Somerville
a4274b33f7 rip out scriptaculous 2013-10-24 12:23:20 -04:00
Charlie Somerville
9645f8be89 delete prototype.js helpers 2013-10-24 12:21:25 -04:00
Charlie Somerville
050be61caf delete test for formatted_ 2013-10-02 14:29:50 +10:00
Charlie Somerville
685cb901fc Merge pull request #13 from github/backport-message_verifier 
Backport ActiveSupport::MessageVerifier from Rails 3
 2013-08-27 03:55:52 -07:00
Charlie Somerville
e9f9d05a94 pass digest as a key in an options hash 2013-08-27 20:51:18 +10:00
Greg Ose
ecd6fb250a Test for form_for authenticity_token backport 2013-08-12 13:21:03 -05:00
Charlie Somerville
33e9676968 more respond_to? fixes 2013-08-08 20:37:30 -07:00
Charlie Somerville
28a87a2d54 update vendored html-scanner 2013-08-08 20:37:30 -07:00
Charlie Somerville
3aaacc67e8 fix actionpack test 2013-08-08 20:37:30 -07:00
Charlie Somerville
2ff2fecb37 respond_to crap 2013-08-08 20:37:30 -07:00
Charlie Somerville
e423b0095f fix broken tests and warnings 2013-08-07 00:46:51 -07:00
Charlie Somerville
06d4ca0254 establish a baseline by skipping all tests failing before 2.0.0 2013-08-06 17:41:45 -07:00
Aaron Patterson
37ea897a44 fix protocol checking in sanitization [CVE-2013-1857] 
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
	actionpack/test/controller/html-scanner/sanitizer_test.rb
 2013-03-18 15:01:49 -03:00
Xavier Noria
2eede7e5ac s/escape_once/html_escape/, since html safety is the contract that now says whether something has to be escaped 
Conflicts:
	actionpack/CHANGELOG
	actionpack/lib/action_view/helpers/form_tag_helper.rb
	actionpack/lib/action_view/helpers/url_helper.rb
	actionpack/test/template/url_helper_test.rb
 2013-02-16 20:44:20 -08:00
rizwanreza
3df96518be Allow content_tag options to take an array [#1741 state:resolved] [rizwanreza, Nick Quaranto] 
Example:
  content_tag('p', "limelight", :class => ["song", "play"])
  # => <p class="song play">limelight</p>

Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
 2013-02-16 20:22:41 -08:00
Aman Gupta
b18f5c9af1 bump mocha dependency 2012-12-08 20:35:13 -08:00
Aaron Patterson
60f783d9ce fixing strip tags vulnerability 2011-08-16 14:58:13 -07:00
Aaron Patterson
11dafeaa75 fixing response splitting problem 2011-08-16 14:25:45 -07:00
José Valim
d793a56121 Merged pull request #198 from robdimarco/2-3-stable. 
Patch for issue 6440 - Session Reset undefined method `destroy' for {}:Hash
 2011-04-28 00:37:53 -07:00
gmarik
b0be721dd9 respect :expire_after option 
- it was broken after
[commit](e0eb8e9c65)
- there's also
[issue](https://rails.lighthouseapp.com/projects/8994/tickets/6634-railsrack-inconsistency-about-expires_afterexpires-cookie-option)

- also: maybe it worth making Rack understand :expire_after as we
duplicate same logic in [cookie_store](https://github.com/gmarik/rails/blob/v2.3.11/actionpack/lib/action_controller/session/cookie_store.rb#L114)

Signed-off-by: José Valim <jose.valim@gmail.com>
 2011-04-14 13:48:35 +02:00
Rob Di Marco
589ce09564 Unit test that shows calling reset session twice results in an exception 2011-02-28 22:53:36 -05:00
Michael Koziarski
7e86f9b4d2 Change the CSRF whitelisting to only apply to get requests 
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
 2011-02-09 09:20:17 +13:00
Michael Koziarski
abe97736b8 Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors. 
This fixes CVE-2011-0446
 2011-02-09 09:20:16 +13:00
Michael Koziarski
6d916329b8 Require thread explicitly rather than relying on rubygems to do it. 2010-12-20 11:16:55 +13:00
Pascal Friederich
e0eb8e9c65 Let Rack::Utils.set_cookie_header! create the Set-Cookie header instead of manually fiddling with the response headers [#4941 state:resolved] 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-12-01 11:58:45 +01:00
José Valim
2826324e56 Revert "Fix AbstractStore so that it preserves Set-Cookie header as an array, rather than as newline separated strings" 
This reverts commit 36b91e34f4.

Conflicts:

	actionpack/test/activerecord/active_record_store_test.rb
 2010-12-01 11:48:31 +01:00
Andrew White
25139ac92c Don't write out secure cookies unless the request is secure 2010-10-27 15:04:29 +01:00
Andrew White
0e52a609fd Don't create a deprecation proxy object if the variable was passed in local_assigns [#1671 state:resolved] 2010-10-26 12:57:21 +01:00
Aaron Patterson
df78de2bc8 removing space errors 2010-10-21 10:30:18 -07:00
Omar Qureshi
36b91e34f4 Fix AbstractStore so that it preserves Set-Cookie header as an array, rather than as newline separated strings 2010-10-21 10:28:54 -07:00
Michael Koziarski
dbbf2fd19c Revert "Makes form_helper use overriden model accessors backport" 
This change introduced breakages and test failures.

This reverts commit 8141f0894e.
 2010-09-27 12:20:54 +13:00
W. Andrew Loe III
17f2fb44c0 Only send secure cookies over SSL. 2010-09-14 11:52:40 -07:00
Andrew Kaspick
a159fd0b8c Fix fixtures in integration test sessions 
Signed-off-by: Michael Koziarski <michael@koziarski.com>
 2010-09-10 10:45:23 +12:00
Santiago Pastorino
43e2bbe28e Making time_zone_options_for_select return a html_safe string master backport 2010-08-15 10:07:38 -03:00
Santiago Pastorino
8141f0894e Makes form_helper use overriden model accessors backport 
[#3374]
 2010-08-01 19:49:45 -03:00
Jon Yurek
fb615cd7fd Fix for integration tests not serializing arrays in multipart forms correctly. 
Signed-off-by: wycats <wycats@gmail.com>
 2010-07-17 13:01:50 -05:00
Michael Lovitt
257a29d3cc Sessions should not be created until written to and session data should be destroyed on reset. [#4938 state:resolved] 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-07-14 08:04:37 +02:00