Branch: 2-1-stable
Commits on Jan 17, 2011
  1. @NZKoz

    Change the CSRF whitelisting to only apply to get requests

    NZKoz authored
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in Ajax requests, Rails now supports providing the token in a custom HTTP header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
Commits on Sep 11, 2009
  1. @bohford @jeremy

    Remove redundant checks for valid character regexp in ActiveSupport::Multibyte#clean and #verify.

    bohford authored jeremy committed
    
    [#3181 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Sep 1, 2009
  1. @NZKoz

    Clean tag attributes before passing through the escape_once logic.

    NZKoz authored
    Addresses CVE-2009-3009
  2. @Manfred @NZKoz

    Add methods for string verification and encoding cleanup code.

    Manfred authored NZKoz committed
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Feb 12, 2009
  1. @josh

    Allow memcache-client versions > 1.5.x to override bundled version

    Joshua Sierles authored josh committed
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Jan 15, 2009
  1. @jeremy
Commits on Jan 4, 2009
  1. @gbuesing
Commits on Dec 16, 2008
  1. @jeremy

    Revert "Make constantize look into ancestors"

    jeremy authored
    [#410 state:open]
    
    This reverts commit eca79e6.
Commits on Dec 15, 2008
  1. @jeremy

    Make constantize look into ancestors

    jeremy authored
    [#410 state:resolved]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    
    Conflicts:
    
    	activesupport/lib/active_support/inflector.rb
  2. @fcheung @josh

    Fixed session related memory leak [#1558 state:resolved]

    fcheung authored josh committed
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Dec 10, 2008
  1. @jeremy

    Revert "Fix: counter_cache should decrement on deleting associated records."

    jeremy authored
    
    [#1196 state:open]
    
    This reverts commit 757e436.
  2. @miloops @jeremy

    Fix: counter_cache should decrement on deleting associated records.

    miloops authored jeremy committed
    [#1195 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Dec 8, 2008
  1. @jeremy

    Change field_changed? method to handle the case where a nullable integer column is changed from 0 to '0'

    Ben Symonds authored jeremy committed
    
    [#1530 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Nov 23, 2008
  1. @cwninja @jeremy

    Changed the fallback String#each_char to use valid 1.9 syntax.

    cwninja authored jeremy committed
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Nov 18, 2008
  1. @NZKoz

    Verify form submissions for text/plain posts too.

    NZKoz authored
    Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention.
    
    http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
  2. @gbuesing
  3. @gbuesing
  4. @philr @gbuesing
  5. @gbuesing
Commits on Nov 14, 2008
  1. @lifo
  2. @lifo
  3. @lifo
Commits on Oct 26, 2008
  1. @NZKoz
Commits on Oct 25, 2008
  1. @AdamMajer @NZKoz

    Fix binary data corruption bug in PostgreSQL adaptor

    AdamMajer authored NZKoz committed
      1. Move the binary escape/unescape from column to the driver - we should store binary data AR just like most other adaptors
      2. check to make sure we only unescape bytea data
         PGresult.ftype( column ) == 17
      that is passed to us in escaped format
         PGresult.fformat( column ) == 0
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    [#1063 state:committed]
Commits on Oct 24, 2008
  1. @lifo
  2. @packagethief @jeremy

    Fix incorrect closing CDATA delimiter. Add tests for CDATA nodes.

    packagethief authored jeremy committed
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  3. @packagethief @jeremy

    Fix that HTML::Node.parse would blow up on unclosed CDATA sections.

    packagethief authored jeremy committed
    If an unclosed CDATA section is encountered and parsing is strict, an
    exception will be raised. Otherwise, we consider the remainder of the line to
    be the section contents. This is consistent with HTML::Tokenizer#scan_tag.
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Oct 23, 2008
  1. @dhh

    Latest release.rb script

    dhh authored
  2. @dhh
  3. @dhh

    Make ready for the 2.1.2 release

    dhh authored
Commits on Oct 21, 2008
  1. @lifo

    Fix script/generate warning

    lifo authored
Commits on Oct 20, 2008
  1. @geoffgarside @gbuesing
  2. @gbuesing
  3. @gbuesing

    Bundle TzInfo version 0.3.11

    gbuesing authored
Commits on Oct 19, 2008
  1. @NZKoz

    Sanitize the URLs passed to redirect_to to prevent a potential response spli

    NZKoz authored
    
    CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers