github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-12 08:08:14 -05:00
Code Issues Packages Projects Releases Wiki Activity
10,364 Commits 34 Branches 105 Tags
github45
Commit Graph

3408 Commits

Author SHA1 Message Date
Greg Ose
5f6c95e29e Merge branch '2-3-github' into json-sessions 2014-05-13 15:29:47 -05:00
Charlie Somerville
1a45ec57bf CVE-2014-0130 protection 2014-05-09 23:55:20 +10:00
Greg Ose
9070fbcffe Revert nested hash indifference, swap delete order 
Upstream doesnt support nested hashes having indifferent access, we
should stay consistent. Swap order for returned value in session hash.
 2014-05-07 14:27:52 -05:00
Greg Ose
364b534815 support indifferent access for hashes stored within FlashHash 2014-04-30 13:18:28 -05:00
Greg Ose
14da203564 indifferent delete 2014-04-29 10:37:53 -05:00
Greg Ose
f46a4bab08 indifferent access to flash hash 2014-04-29 10:21:16 -05:00
Greg Ose
198aa6ef99 Update tests to load flash from session value 2014-04-28 15:07:52 -05:00
Greg Ose
b3ae51c9fc Add serializer option to cookie store and use Rails 4 Hash flash 
Backport for Rails 4 flash hash based on https://github.com/envato/rails_4_session_flash_backport
 2014-04-28 14:42:24 -05:00
Mastahyeti
a5697840d6 escape format for CVE-2014-0081 2014-02-18 15:25:05 -06:00
Andy Lindeman
e4cd9caf02 Merge pull request #46 from github/runtime_header 
Removes the X-Runtime header from ActionController::Benchmarking
 2014-02-13 22:34:18 -05:00
Andy Lindeman
89e4514704 Removes the X-Runtime header from ActionController::Benchmarking 
The `Rack::Runtime` middleware now provides this header
 2014-02-13 22:25:27 -05:00
Joshua Peek
24711e1e29 Backport env['rack.session.options'][:skip] 2014-02-11 23:22:39 -06:00
Mislav Marohnić
18c7c1f753 Disable auto-generated form field IDs by passing nil for "id" attribute 
Previously it was not possible to opt out of auto-generated ID values
for various form fields.
 2014-01-13 13:22:06 -08:00
Aman Gupta
7224ee1419 Merge pull request #37 from github/erb-freeze 
Freeze ERB string literals
 2014-01-08 20:33:01 -08:00
Aman Gupta
0a8282c557 freeze literals 2014-01-08 17:28:31 -08:00
Aman Gupta
dd4146854a Fix fragment caching in mixed encodings scenario 
To reduce ambiguity between char- and byte-based operations, explicitly
do byte operations when extracting the fragment that needs to be cached.
 2014-01-08 16:35:55 -08:00
Charlie Somerville
8f99d00868 require properly 2013-12-30 14:23:00 +11:00
Charlie Somerville
987b61bd1d kill QueryExtension, it's more dead junk 2013-12-30 14:15:55 +11:00
Charlie Somerville
f05e54a9f3 remove stdinput monkey patch 2013-12-30 14:15:51 +11:00
Charlie Somerville
b9918117bb delete ActionController::CGIHandler and CgiRequest 2013-12-30 14:11:07 +11:00
Charlie Somerville
42f85d118d don't autoload CGIHandler and CgiRequest 2013-12-30 14:10:28 +11:00
Charlie Somerville
acb182d094 @output is never used anywhere, kill it 2013-12-30 14:09:20 +11:00
Charlie Somerville
6e0fcb788d remove CGI from the dispatcher 2013-12-30 14:09:00 +11:00
Charlie Somerville
55d6a9f2df don't reload the middleware stack every request in development 2013-12-30 13:53:48 +11:00
Ted Nyman
d13866d75d Merge pull request #30 from github/CVE-2013-6417 
CVE-2013-6417
 2013-12-03 14:46:53 -08:00
Nathan Witmer
bf0d43bb77 Only escape value if present 2013-12-03 14:47:38 -07:00
Nathan Witmer
72cebbcb59 Escape the unit value provided to number_to_currency 
Fixes CVE-2013-6415.

Previously the values were trusted blindly allowing for potential XSS attacks.

This is different from the original upstream patch for 3.x in that return values
from other number helper methods are not marked as html_safe, so the html
escaping always applies. This requires applications to explicitly set .html_safe
on unit strings and number separators when calling number_to_currency.
 2013-12-03 14:32:26 -07:00
Ted Nyman
379dd9071c Documentation for #deep_munge 2013-12-03 13:24:11 -08:00
Ted Nyman
a743f17dbd #deep_munge for CVE-2013-6417 2013-12-03 13:23:02 -08:00
Charlie Somerville
29a72262aa here too 2013-10-25 12:46:48 -04:00
Charlie Somerville
76c5bf4f4b instantiate the cached helper class instead of extending AV::B 2013-10-25 12:46:48 -04:00
Charlie Somerville
416b7171b8 delete ActionView::Base#helpers because it's completely useless 2013-10-25 12:46:48 -04:00
Charlie Somerville
e82a3ba2a0 cache a class that is pre-included with the master helper module 2013-10-25 12:46:48 -04:00
Charlie Somerville
a086a33fd4 misc 2013-10-24 13:18:37 -04:00
Charlie Somerville
fb86dada29 delete RJS template handler 2013-10-24 12:48:56 -04:00
Charlie Somerville
aa4dfa6937 delete link_to_function and button_to_function 2013-10-24 12:46:41 -04:00
Charlie Somerville
ca7a53cbe9 fix tests 2013-10-24 12:46:30 -04:00
Charlie Somerville
1ddf5592e4 forgot to remove this require 2013-10-24 12:31:15 -04:00
Charlie Somerville
425a5d5e2e don't include ScriptaculousHelper in places 2013-10-24 12:26:19 -04:00
Charlie Somerville
c8d7945ae4 delete render :update 2013-10-24 12:25:38 -04:00
Charlie Somerville
0e7a8ce464 don't include PrototypeHelper in places 2013-10-24 12:25:23 -04:00
Charlie Somerville
a4274b33f7 rip out scriptaculous 2013-10-24 12:23:20 -04:00
Charlie Somerville
9645f8be89 delete prototype.js helpers 2013-10-24 12:21:25 -04:00
Charlie Somerville
4baefa4de9 delete formatted_ url helper 2013-10-02 14:25:57 +10:00
Charlie Somerville
bf96f35248 we can used defined?() to check if a method is public or protected 2013-09-17 15:45:25 +10:00
Charlie Somerville
e9f9d05a94 pass digest as a key in an options hash 2013-08-27 20:51:18 +10:00
Charlie Somerville
b2969e6b48 Merge pull request #11 from github/ruby-2.0.0 
Add support for Ruby 2.0.0
 2013-08-08 21:02:37 -07:00
Charlie Somerville
eefc42630f restore 1.9.3 respond_to? behaviour when running on 1.9.3 2013-08-08 20:42:52 -07:00
Charlie Somerville
28a87a2d54 update vendored html-scanner 2013-08-08 20:37:30 -07:00
Charlie Somerville
3aaacc67e8 fix actionpack test 2013-08-08 20:37:30 -07:00