Commits on Jan 17, 2011
  1. Change the CSRF whitelisting to only apply to get requests

    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
    NZKoz committed Jan 13, 2011
Commits on Sep 11, 2009
  1. Remove redundant checks for valid character regexp in ActiveSupport::Multibyte#clean and #verify.

    
    [#3181 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    bohford committed with jeremy Sep 10, 2009
Commits on Sep 1, 2009
  1. Clean tag attributes before passing through the escape_once logic.

    Addresses CVE-2009-3009
    NZKoz committed Aug 31, 2009
  2. Add methods for string verification and encoding cleanup code.

    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    Manfred committed with NZKoz Sep 1, 2009
Commits on Feb 12, 2009
  1. Allow memcache-client versions > 1.5.x to override bundled version

    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    Joshua Sierles committed with josh Feb 12, 2009
Commits on Jan 15, 2009
Commits on Jan 4, 2009
Commits on Dec 16, 2008
  1. Revert "Make constantize look into ancestors"

    [#410 state:open]
    
    This reverts commit eca79e6.
    jeremy committed Dec 16, 2008
Commits on Dec 15, 2008
  1. Make constantize look into ancestors

    [#410 state:resolved]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    
    Conflicts:
    
    	activesupport/lib/active_support/inflector.rb
    jeremy committed Dec 15, 2008
  2. Fixed session related memory leak [#1558 state:resolved]

    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    fcheung committed with josh Dec 11, 2008
Commits on Dec 10, 2008
  1. Revert "Fix: counter_cache should decrement on deleting associated records."

    
    [#1196 state:open]
    
    This reverts commit 757e436.
    jeremy committed Dec 10, 2008
  2. Fix: counter_cache should decrement on deleting associated records.

    [#1195 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    miloops committed with jeremy Dec 2, 2008
Commits on Dec 8, 2008
  1. Change field_changed? method to handle the case where a nullable integer column is changed from 0 to '0'

    
    [#1530 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    Ben Symonds committed with jeremy Dec 8, 2008
Commits on Nov 23, 2008
  1. Changed the fallback String#each_char to use valid 1.9 syntax.

    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    tomlea committed with jeremy Aug 14, 2008
Commits on Nov 18, 2008
  1. Verify form submissions for text/plain posts too.

    Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention.
    
    http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
    NZKoz committed Nov 16, 2008
  2. Update bundled TZInfo to 0.3.12

    gbuesing committed Nov 18, 2008
Commits on Nov 14, 2008
Commits on Oct 26, 2008
Commits on Oct 25, 2008
  1. Fix binary data corruption bug in PostgreSQL adaptor

      1. Move the binary escape/unescape from column to the driver - we should store binary data AR just like most other adaptors
      2. check to make sure we only unescape bytea data
         PGresult.ftype( column ) == 17
      that is passed to us in escaped format
         PGresult.fformat( column ) == 0
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    [#1063 state:committed]
    AdamMajer committed with NZKoz Sep 20, 2008
Commits on Oct 24, 2008
  1. Revert "Fix script/console --sandbox warning. [#1194 state:resolved]"

    This reverts commit bbb2fda.
    lifo committed Oct 24, 2008
  2. Fix incorrect closing CDATA delimiter. Add tests for CDATA nodes.

    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    packagethief committed with jeremy Oct 22, 2008
  3. Fix that HTML::Node.parse would blow up on unclosed CDATA sections.

    If an unclosed CDATA section is encountered and parsing is strict, an
    exception will be raised. Otherwise, we consider the remainder of the line to
    be the section contents. This is consistent with HTML::Tokenizer#scan_tag.
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    packagethief committed with jeremy Oct 22, 2008
Commits on Oct 23, 2008
  1. Latest release.rb script

    dhh committed Oct 23, 2008
  2. Make ready for the 2.1.2 release

    dhh committed Oct 23, 2008
Commits on Oct 21, 2008
  1. Fix script/generate warning

    lifo committed Oct 21, 2008
Commits on Oct 20, 2008
  1. Bundle TzInfo version 0.3.11

    gbuesing committed Oct 20, 2008
Commits on Oct 19, 2008
  1. Sanitize the URLs passed to redirect_to to prevent a potential response spli

    
    CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers
    NZKoz committed Oct 14, 2008