branch: 2-1-stable
Commits on Jan 17, 2011
  1. Michael Koziarski

    Change the CSRF whitelisting to only apply to get requests

    NZKoz authored
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
Commits on Sep 11, 2009
  1. Beau Harrington Jeremy Kemper

    Remove redundant checks for valid character regexp in ActiveSupport::Multibyte#clean and #verify.

    bohford authored jeremy committed
    
    [#3181 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Sep 1, 2009
  1. Michael Koziarski

    Clean tag attributes before passing through the escape_once logic.

    NZKoz authored
    Addresses CVE-2009-3009
  2. Manfred Stienstra Michael Koziarski

    Add methods for string verification and encoding cleanup code.

    Manfred authored NZKoz committed
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Feb 12, 2009
  1. Joshua Peek

    Allow memcache-client versions > 1.5.x to override bundled version

    Joshua Sierles authored josh committed
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Jan 15, 2009
  1. Jeremy Kemper
Commits on Jan 4, 2009
  1. Geoff Buesing
Commits on Dec 16, 2008
  1. Jeremy Kemper

    Revert "Make constantize look into ancestors"

    jeremy authored
    [#410 state:open]
    
    This reverts commit eca79e6.
Commits on Dec 15, 2008
  1. Jeremy Kemper

    Make constantize look into ancestors

    jeremy authored
    [#410 state:resolved]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    
    Conflicts:
    
    	activesupport/lib/active_support/inflector.rb
  2. Frederick Cheung Joshua Peek

    Fixed session related memory leak [#1558 state:resolved]

    fcheung authored josh committed
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Dec 10, 2008
  1. Jeremy Kemper

    Revert "Fix: counter_cache should decrement on deleting associated records."

    jeremy authored
    
    [#1196 state:open]
    
    This reverts commit 757e436.
  2. Emilio Tagua Jeremy Kemper

    Fix: counter_cache should decrement on deleting associated records.

    miloops authored jeremy committed
    [#1195 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Dec 8, 2008
  1. Jeremy Kemper

    Change field_changed? method to handle the case where a nullable integer column is changed from 0 to '0'

    Ben Symonds authored jeremy committed
    
    [#1530 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Nov 23, 2008
  1. Tom Lea Jeremy Kemper

    Changed the fallback String#each_char to use valid 1.9 syntax.

    cwninja authored jeremy committed
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Nov 18, 2008
  1. Michael Koziarski

    Verify form submissions for text/plain posts too.

    NZKoz authored
    Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention.
    
    http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
  2. Geoff Buesing
  3. Geoff Buesing
  4. Phil Ross Geoff Buesing
  5. Geoff Buesing
Commits on Nov 14, 2008
  1. Pratik
  2. Pratik
  3. Pratik
Commits on Oct 26, 2008
  1. Michael Koziarski
Commits on Oct 25, 2008
  1. AdamMajer Michael Koziarski

    Fix binary data corruption bug in PostgreSQL adaptor

    AdamMajer authored NZKoz committed
      1. Move the binary escape/unescape from column to the driver - we should store binary data AR just like most other adaptors
      2. check to make sure we only unescape bytea data
         PGresult.ftype( column ) == 17
         that is passed to us in escaped format
         PGresult.fformat( column ) == 0
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    [#1063 state:committed]
Commits on Oct 24, 2008
  1. Pratik
  2. Jeffrey Hardy Jeremy Kemper

    Fix incorrect closing CDATA delimiter. Add tests for CDATA nodes.

    packagethief authored jeremy committed
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  3. Jeffrey Hardy Jeremy Kemper

    Fix that HTML::Node.parse would blow up on unclosed CDATA sections.

    packagethief authored jeremy committed
    If an unclosed CDATA section is encountered and parsing is strict, an
    exception will be raised. Otherwise, we consider the remainder of the line to
    be the section contents. This is consistent with HTML::Tokenizer#scan_tag.
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Oct 23, 2008
  1. David Heinemeier Hansson

    Latest release.rb script

    dhh authored
  2. David Heinemeier Hansson
  3. David Heinemeier Hansson

    Make ready for the 2.1.2 release

    dhh authored
Commits on Oct 21, 2008
  1. Pratik

    Fix script/generate warning

    lifo authored
Commits on Oct 20, 2008
  1. Geoff Garside Geoff Buesing
  2. Geoff Buesing
  3. Geoff Buesing

    Bundle TzInfo version 0.3.11

    gbuesing authored
Commits on Oct 19, 2008
  1. Michael Koziarski

    Sanitize the URLs passed to redirect_to to prevent a potential response spli

    NZKoz authored
    
    CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers