
Merge remote-tracking branch 'upstream/master'

2 parents d49f4a7 + a513cc1 commit e1e5f06d76cc8c9d71341633015e50abdff6d48a @jeroeningen committed Aug 11, 2012
Showing with 715 additions and 239 deletions.
  1. +16 −0 actionmailer/CHANGELOG.md
  2. +96 −30 actionpack/CHANGELOG.md
  3. +8 −2 actionpack/lib/action_controller/metal/url_for.rb
  4. +5 −0 actionpack/lib/action_dispatch/railtie.rb
  5. +15 −10 actionpack/lib/action_dispatch/routing/route_set.rb
  6. +1 −0 actionpack/lib/action_view/helpers/form_helper.rb
  7. +5 −3 actionpack/lib/action_view/helpers/form_options_helper.rb
  8. +0 −18 actionpack/test/dispatch/prefix_generation_test.rb
  9. +14 −0 actionpack/test/template/form_helper_test.rb
  10. +15 −5 actionpack/test/template/form_options_helper_test.rb
  11. +14 −0 activemodel/CHANGELOG.md
  12. +8 −5 activemodel/lib/active_model/naming.rb
  13. +86 −3 activerecord/CHANGELOG.md
  14. +7 −7 activerecord/lib/active_record/associations.rb
  15. +15 −12 activerecord/lib/active_record/associations/builder/association.rb
  16. +25 −32 activerecord/lib/active_record/associations/builder/belongs_to.rb
  17. +10 −8 activerecord/lib/active_record/associations/builder/collection_association.rb
  18. +1 −1 activerecord/lib/active_record/associations/builder/has_and_belongs_to_many.rb
  19. +11 −11 activerecord/lib/active_record/associations/builder/singular_association.rb
  20. +2 −2 activerecord/test/cases/associations/belongs_to_associations_test.rb
  21. +1 −1 activerecord/test/cases/associations/join_model_test.rb
  22. +1 −3 activerecord/test/cases/multiple_db_test.rb
  23. +15 −13 activerecord/test/cases/timestamp_test.rb
  24. +1 −1 activerecord/test/models/author.rb
  25. +2 −3 activerecord/test/models/member.rb
  26. +2 −2 activerecord/test/support/connection.rb
  27. +50 −0 activesupport/CHANGELOG.md
  28. +2 −2 activesupport/lib/active_support/core_ext/object/try.rb
  29. +4 −6 activesupport/lib/active_support/locale/en.yml
  30. +135 −26 activesupport/lib/active_support/number_helper.rb
  31. +42 −0 activesupport/test/number_helper_i18n_test.rb
  32. +3 −4 activesupport/test/number_helper_test.rb
  33. +2 −0 guides/source/4_0_release_notes.textile
  34. +12 −6 guides/source/association_basics.textile
  35. +6 −2 guides/source/configuring.textile
  36. +25 −0 guides/source/contributing_to_ruby_on_rails.textile
  37. +5 −0 railties/CHANGELOG.md
  38. +5 −1 railties/lib/rails/engine.rb
  39. +0 −5 railties/lib/rails/generators/rails/app/templates/config/application.rb
  40. +48 −0 railties/test/railties/engine_test.rb
  41. +0 −15 railties/test/railties/mounted_engine_test.rb
@@ -6,6 +6,22 @@
* Asynchronously send messages via the Rails Queue *Brian Cardarella*
+
+## Rails 3.2.8 (Aug 9, 2012) ##
+
+* No changes.
+
+
+## Rails 3.2.7 (Jul 26, 2012) ##
+
+* No changes.
+
+
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+* No changes.
+
+
## Rails 3.2.5 (Jun 1, 2012) ##
* No changes.
@@ -1,5 +1,10 @@
## Rails 4.0.0 (unreleased) ##
+* Raises an ArgumentError when the first argument in `form_for` contain `nil`
+ or is empty.
+
+ *Richard Schneeman*
+
* Add 'X-Frame-Options' => 'SAMEORIGIN' and
'X-XSS-Protection' => '1; mode=block'
as default headers.
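Review bot: grammar in the new entry: "when the first argument in `form_for` contain `nil`" should read "contains `nil`", and since the surrounding entries use the imperative ("Add ..."), "Raise an ArgumentError ..." would match the file's style better than "Raises".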
@@ -12,19 +17,19 @@
We recommend the use of Unobtrusive JavaScript instead. For example:
- link_to "Greeting", "#", :class => "nav_link"
+ link_to "Greeting", "#", :class => "nav_link"
- $(function() {
- $('.nav_link').click(function() {
- // Some complex code
+ $(function() {
+ $('.nav_link').click(function() {
+ // Some complex code
- return false;
+ return false;
+ });
});
- });
or
- link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link"
+ link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link"
for simple cases.
@@ -41,18 +46,18 @@
* Added ActionController::Live. Mix it in to your controller and you can
stream data to the client live. For example:
- class FooController < ActionController::Base
- include ActionController::Live
+ class FooController < ActionController::Base
+ include ActionController::Live
- def index
- 100.times {
- # Client will see this as it's written
- response.stream.write "hello world\n"
- sleep 1
- }
- response.stream.close
+ def index
+ 100.times {
+ # Client will see this as it's written
+ response.stream.write "hello world\n"
+ sleep 1
+ }
+ response.stream.close
+ end
end
- end
* Remove ActionDispatch::Head middleware in favor of Rack::Head. *Santiago Pastorino*
@@ -261,13 +266,13 @@
* Add `collection_check_boxes` form helper, similar to `collection_select`:
Example:
- collection_check_boxes :post, :author_ids, Author.all, :id, :name
- # Outputs something like:
- <input id="post_author_ids_1" name="post[author_ids][]" type="checkbox" value="1" />
- <label for="post_author_ids_1">D. Heinemeier Hansson</label>
- <input id="post_author_ids_2" name="post[author_ids][]" type="checkbox" value="2" />
- <label for="post_author_ids_2">D. Thomas</label>
- <input name="post[author_ids][]" type="hidden" value="" />
+ collection_check_boxes :post, :author_ids, Author.all, :id, :name
+ # Outputs something like:
+ <input id="post_author_ids_1" name="post[author_ids][]" type="checkbox" value="1" />
+ <label for="post_author_ids_1">D. Heinemeier Hansson</label>
+ <input id="post_author_ids_2" name="post[author_ids][]" type="checkbox" value="2" />
+ <label for="post_author_ids_2">D. Thomas</label>
+ <input name="post[author_ids][]" type="hidden" value="" />
The label/check_box pairs can be customized with a block.
@@ -276,12 +281,12 @@
* Add `collection_radio_buttons` form helper, similar to `collection_select`:
Example:
- collection_radio_buttons :post, :author_id, Author.all, :id, :name
- # Outputs something like:
- <input id="post_author_id_1" name="post[author_id]" type="radio" value="1" />
- <label for="post_author_id_1">D. Heinemeier Hansson</label>
- <input id="post_author_id_2" name="post[author_id]" type="radio" value="2" />
- <label for="post_author_id_2">D. Thomas</label>
+ collection_radio_buttons :post, :author_id, Author.all, :id, :name
+ # Outputs something like:
+ <input id="post_author_id_1" name="post[author_id]" type="radio" value="1" />
+ <label for="post_author_id_1">D. Heinemeier Hansson</label>
+ <input id="post_author_id_2" name="post[author_id]" type="radio" value="2" />
+ <label for="post_author_id_2">D. Thomas</label>
The label/radio_button pairs can be customized with a block.
@@ -325,6 +330,67 @@
HTML5 `mark` element. *Brian Cardarella*
+## Rails 3.2.8 (Aug 9, 2012) ##
+
+* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+ helper doesn't correctly handle malformed html. As a result an attacker can
+ execute arbitrary javascript through the use of specially crafted malformed
+ html.
+
+ *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
+* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
+ If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+ Vulnerable code will look something like this:
+ select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+ *Santiago Pastorino*
+
+* Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
+
+* Reverted the deprecation of `:disable_with`. *Rafael Mendonça França*
+
+* Reverted the deprecation of `:mouseover` option to `image_tag`. *Rafael Mendonça França*
+
+* Reverted the deprecation of `button_to_function` and `link_to_function` helpers.
+
+ *Rafael Mendonça França*
+
+
+## Rails 3.2.7 (Jul 26, 2012) ##
+
+* Do not convert digest auth strings to symbols. CVE-2012-3424
+
+* Bump Journey requirements to 1.0.4
+
+* Add support for optional root segments containing slashes
+
+* Fixed bug creating invalid HTML in select options
+
+* Show in log correct wrapped keys
+
+* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
+
+* ActionController::Metal doesn't have logger method, check it and then delegate
+
+* ActionController::Caching depends on RackDelegation and AbstractController::Callbacks
+
+
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+* nil is removed from array parameter values
+
+ CVE-2012-2694
+
+* Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers.
+
+ *Carlos Galdino*
+
+* Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki*
+
+* Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
+
+
## Rails 3.2.5 (Jun 1, 2012) ##
* No changes.
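Review bot: the two 3.2.8 XSS entries (the `strip_tags` malformed-HTML issue and the unescaped `select_tag` prompt) carry no advisory identifier, whereas the 3.2.7 and 3.2.6 entries cite CVE-2012-3424 and CVE-2012-2694; add the matching identifiers so readers triaging an upgrade can map each fix to its advisory. The example line `select_tag("name", options, :prompt => UNTRUSTED_INPUT)` should also be indented as a code block like the other examples in this file, and the 3.2.6 entry "nil is removed from array parameter values" would be clearer with one sentence on what the removal protects against, as the entries above it do.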
@@ -30,9 +30,15 @@ def url_options
:_recall => request.symbolized_path_parameters
).freeze
- if _routes.equal?(env["action_dispatch.routes"])
+ if (same_origin = _routes.equal?(env["action_dispatch.routes"])) ||
+ (script_name = env["ROUTES_#{_routes.object_id}_SCRIPT_NAME"]) ||
+ (original_script_name = env['SCRIPT_NAME'])
@_url_options.dup.tap do |options|
- options[:script_name] = request.script_name.dup
+ if original_script_name
+ options[:original_script_name] = original_script_name
+ else
+ options[:script_name] = same_origin ? request.script_name.dup : script_name
+ end
options.freeze
end
else
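Review bot: the three assignments chained with `||` inside the `if` make the precedence hard to follow (same-origin route set first, then `ROUTES_<object_id>_SCRIPT_NAME`, then the raw `SCRIPT_NAME`), and the inner `if original_script_name` silently relies on the earlier branches having left that variable nil. Consider splitting the assignments into separate statements above the `if` and adding a comment stating the intended precedence; since `env['SCRIPT_NAME']` is taken straight from the Rack env and later prepended to generated URLs, the comment should also say that it is expected to be set by the server or the mounting middleware.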
@@ -19,6 +19,11 @@ class Railtie < Rails::Railtie
:verbose => false
}
+ config.action_dispatch.default_headers = {
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'X-XSS-Protection' => '1; mode=block'
+ }
+
initializer "action_dispatch.configure" do |app|
ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
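Review bot: the new `default_headers` hash only declares configuration; nothing in this hunk shows where `config.action_dispatch.default_headers` is merged into responses, so the commit should reference the code that applies it, and the configuring guide touched in this commit (+6 −2 in guides/source/configuring.textile) should explain how an application overrides or removes an entry, for example for pages that legitimately need to be framed from another origin.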
@@ -163,9 +163,9 @@ def length
private
def define_named_route_methods(name, route)
- define_url_helper route, :"#{name}_path",
+ define_url_helper route, :"#{name}_path",
route.defaults.merge(:use_route => name, :only_path => true)
- define_url_helper route, :"#{name}_url",
+ define_url_helper route, :"#{name}_url",
route.defaults.merge(:use_route => name, :only_path => false)
end
@@ -409,21 +409,19 @@ def build_path(path, requirements, separators, anchor)
def build_conditions(current_conditions, path_values)
conditions = current_conditions.dup
- verbs = conditions[:request_method] || []
-
# Rack-Mount requires that :request_method be a regular expression.
# :request_method represents the HTTP verb that matches this route.
#
# Here we munge values before they get sent on to rack-mount.
+ verbs = conditions[:request_method] || []
unless verbs.empty?
conditions[:request_method] = %r[^#{verbs.join('|')}$]
end
- conditions.keep_if do |k,v|
+
+ conditions.keep_if do |k, _|
k == :action || k == :controller ||
@request_class.public_method_defined?(k) || path_values.include?(k)
end
-
- conditions
end
private :build_conditions
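Review bot: dropping the trailing `conditions` makes the method's return value depend on `Hash#keep_if` returning the receiver; that holds, but it breaks as soon as someone appends a statement after the `keep_if` block, so either keep the explicit `conditions` return or add a one-line comment. Renaming the unused block variable to `_` is a good change.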
@@ -465,7 +463,7 @@ def current_controller
def use_recall_for(key)
if @recall[key] && (!@options.key?(key) || @options[key] == @recall[key])
if !named_route_exists? || segment_keys.include?(key)
- @options[key] = @recall.delete(key)
+ @options[key] = @recall.delete(key)
end
end
end
@@ -574,7 +572,8 @@ def generate(options, recall = {}, extras = false)
end
RESERVED_OPTIONS = [:host, :protocol, :port, :subdomain, :domain, :tld_length,
- :trailing_slash, :anchor, :params, :only_path, :script_name]
+ :trailing_slash, :anchor, :params, :only_path, :script_name,
+ :original_script_name]
def mounted?
false
@@ -594,7 +593,13 @@ def url_for(options)
user, password = extract_authentication(options)
recall = options.delete(:_recall)
- script_name = options.delete(:script_name).presence || _generate_prefix(options)
+
+ original_script_name = options.delete(:original_script_name).presence
+ script_name = options.delete(:script_name).presence || _generate_prefix(options)
+
+ if script_name && original_script_name
+ script_name = original_script_name + script_name
+ end
path_options = options.except(*RESERVED_OPTIONS)
path_options = yield(path_options) if block_given?
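Review bot: the concatenation `script_name = original_script_name + script_name` only runs when both are present, so when `_generate_prefix(options)` returns nil and no `:script_name` was passed, the `:original_script_name` is silently dropped from the generated URL; if that is intended, say so in a comment, otherwise fall back to `original_script_name` alone. Plain `+` also yields a doubled slash when the original script name ends in `/` and the prefix begins with one, so either normalize or document the expected form, and add a test for each case.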
@@ -423,6 +423,7 @@ def form_for(record, options = {}, &proc)
object = nil
else
object = record.is_a?(Array) ? record.last : record
+ raise ArgumentError, "First argument in form cannot contain nil or be empty" if object.blank?
object_name = options[:as] || model_name_from_record_or_class(object).param_key
apply_form_for_options!(record, object, options)
end
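Review bot: the new guard checks only `object`, which for an array is `record.last`, so `form_for([nil, @post])` passes while the message says the first argument "cannot contain nil"; either check every element of the array (e.g. `record.any?(&:blank?)`) or narrow the message to what is actually checked. `blank?` on an empty string or empty array raises the same error, which matches the "or be empty" wording.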
@@ -708,9 +708,11 @@ def collection_check_boxes(object, method, collection, value_method, text_method
private
def option_html_attributes(element)
- return {} unless Array === element
-
- Hash[element.select { |e| Hash === e }.reduce({}, :merge).map { |k, v| [k, v] }]
+ if Array === element
+ element.select { |e| Hash === e }.reduce({}, :merge!)
+ else
+ {}
+ end
end
def option_text_and_value(option)
@@ -166,18 +166,6 @@ def setup
assert_equal "/generate", last_response.body
end
- test "[ENGINE] generating application's url includes default_url_options[:script_name]" do
- RailsApplication.routes.default_url_options = {:script_name => "/something"}
- get "/pure-awesomeness/blog/url_to_application"
- assert_equal "/something/generate", last_response.body
- end
-
- test "[ENGINE] generating application's url should give higher priority to default_url_options[:script_name]" do
- RailsApplication.routes.default_url_options = {:script_name => "/something"}
- get "/pure-awesomeness/blog/url_to_application", {}, 'SCRIPT_NAME' => '/foo'
- assert_equal "/something/generate", last_response.body
- end
-
test "[ENGINE] generating engine's url with polymorphic path" do
get "/pure-awesomeness/blog/polymorphic_path_for_engine"
assert_equal "/pure-awesomeness/blog/posts/1", last_response.body
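Review bot: two tests asserting that `default_url_options[:script_name]` takes priority over `SCRIPT_NAME` are removed here without a replacement in this file; since the route-set changes in this commit alter exactly that precedence, the new expectations need to be asserted somewhere (the +48 lines in railties/test/railties/engine_test.rb may be that, but the commit should say so), otherwise the precedence is now untested.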
@@ -200,12 +188,6 @@ def setup
assert_equal "/something/awesome/blog/posts/1", last_response.body
end
- test "[APP] generating engine's route should give higher priority to default_url_options[:script_name]" do
- RailsApplication.routes.default_url_options = {:script_name => "/something"}
- get "/generate", {}, 'SCRIPT_NAME' => "/foo"
- assert_equal "/something/awesome/blog/posts/1", last_response.body
- end
-
test "[APP] generating engine's url with polymorphic path" do
get "/polymorphic_path_for_engine"
assert_equal "/awesome/blog/posts/1", last_response.body
@@ -1045,6 +1045,20 @@ def test_form_for_requires_block
end
end
+ def test_form_for_requires_arguments
+ error = assert_raises(ArgumentError) do
+ form_for(nil, :html => { :id => 'create-post' }) do
+ end
+ end
+ assert_equal "First argument in form cannot contain nil or be empty", error.message
+
+ error = assert_raises(ArgumentError) do
+ form_for([nil, nil], :html => { :id => 'create-post' }) do
+ end
+ end
+ assert_equal "First argument in form cannot contain nil or be empty", error.message
+ end
+
def test_form_for
form_for(@post, :html => { :id => 'create-post' }) do |f|
concat f.label(:title) { "The Title" }
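Review bot: the new test covers `nil` and `[nil, nil]` but not the cases that pin down the guard's semantics: an array whose last element is present but an earlier one is `nil` (`[nil, @post]`), and an empty array (`[]`), which the "or be empty" wording of the message implies should also raise. Adding those two assertions would document what "contain nil" means for the array form.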