Conflicts: activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb Conflicts: activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
While the patched PredicateBuilder in 3.1.5 prevents a user from specifying a table name using the `table.column` format, it doesn't protect against the nesting of hashes changing the table context in the next call to build_from_hash. This fix covers this case as well.
Thanks to Ben Murphy for reporting this CVE-2012-2661
This is a back-port of rails/rails#6525. See the commit notes there for details.
This commit improves the handling of default_url_options in integration tests by making behave closer to how a real application operates. Specifically the following issues have been addressed: * Options specified in routes.rb are used (fixes #546) * Options specified in controllers are used * Request parameters are recalled correctly * Tests can override default_url_options directly
A callable object passed as a constraint for a route may access the request parameters as part of its check. This causes the combined parameters hash to be cached in the environment hash. If the constraint fails then any subsequent access of the request parameters will be against that stale hash. To fix this we delete the cache after every call to `matches?`. This may have a negative performance impact if the contraint wraps a large number of routes as the parameters hash is built by merging GET, POST and path parameters. Fixes #2510. (cherry picked from commit 5603050)