Commits on Jan 17, 2011
  1. Michael Koziarski

    Change the CSRF whitelisting to only apply to get requests

    NZKoz authored
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in Ajax requests, Rails now supports providing the token in a custom HTTP header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
Commits on Dec 15, 2008
  1. Frederick Cheung Joshua Peek

    Fixed session related memory leak [#1558 state:resolved]

    fcheung authored josh committed
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Nov 18, 2008
  1. Michael Koziarski

    Verify form submissions for text/plain posts too.

    NZKoz authored
    Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention.
    
    http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
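    The two CSRF commits above (Nov 18, 2008 and Jan 17, 2011) together define the verification policy: only the request method exempts a request, the Content-Type is never consulted, and the token may arrive in the form body or in the X-CSRF-Token header. The following is an added illustration of that policy, not Rails' own code. Assumed names: verified_request?, forgery_whitelisted?, secure_compare and demo; the Rack-style env hash with form fields under env['params'] is also an assumption, as is treating HEAD like GET.

```ruby
require 'securerandom'

# Request methods exempt from verification. The commit exempts GET; HEAD is
# added here (assumption) because it is equally side-effect free.
SAFE_METHODS = %w[GET HEAD].freeze

# Constant-time comparison so response timing cannot leak the token byte by
# byte. This is hardening beyond what the commit itself does.
def secure_compare(expected, given)
  return false unless expected.is_a?(String) && given.is_a?(String)
  return false unless expected.bytesize == given.bytesize
  expected.bytes.zip(given.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The only whitelist is the request method: no browser sniffing, no
# X-Requested-With exemption, and no look at Content-Type (so a text/plain
# POST is verified exactly like a form POST).
def forgery_whitelisted?(env)
  SAFE_METHODS.include?(env['REQUEST_METHOD'])
end

# env: minimal Rack-style hash (assumption: form fields under env['params']).
# session_token: the per-session secret the form/page was rendered with.
def verified_request?(env, session_token)
  return true if forgery_whitelisted?(env)
  param  = env.fetch('params', {})['authenticity_token']
  header = env['HTTP_X_CSRF_TOKEN']      # Rack's name for the X-CSRF-Token header
  secure_compare(session_token, param) || secure_compare(session_token, header)
end

# Constructed requests exercising the cases the two commits care about.
def demo
  token = SecureRandom.hex(16)
  requests = {
    # XHR marker alone is no longer enough: Flash/Java can forge it.
    xhr_without_token: { 'REQUEST_METHOD' => 'POST', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest' },
    # Token in the custom header passes.
    header_token:      { 'REQUEST_METHOD' => 'POST', 'HTTP_X_CSRF_TOKEN' => token },
    # text/plain POST without a token is rejected like any other POST.
    text_plain_post:   { 'REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'text/plain',
                         'params' => { 'payload' => '{"x":1}' } },
    # Classic hidden form field still works.
    form_token:        { 'REQUEST_METHOD' => 'POST', 'params' => { 'authenticity_token' => token } },
    # GET is exempt.
    get:               { 'REQUEST_METHOD' => 'GET' },
  }
  requests.transform_values { |env| verified_request?(env, token) }
end

p demo if __FILE__ == $0
```

    Note that exempting GET only holds if GET handlers really have no side effects; a route that mutates state on GET is forgeable regardless of the token.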
Commits on Oct 24, 2008
  1. Jeffrey Hardy Jeremy Kemper

    Fix incorrect closing CDATA delimiter. Add tests for CDATA nodes.

    packagethief authored jeremy committed
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  2. Jeffrey Hardy Jeremy Kemper

    Fix that HTML::Node.parse would blow up on unclosed CDATA sections.

    packagethief authored jeremy committed
    If an unclosed CDATA section is encountered and parsing is strict, an
    exception will be raised. Otherwise, we consider the remainder of the line to
    be the section contents. This is consistent with HTML::Tokenizer#scan_tag.
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
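    The commit above describes the policy for an unclosed CDATA section: raise when parsing is strict, otherwise treat the rest of the line as the section contents. The scanner below is an added example of that policy and is not the actionpack HTML::Tokenizer code. Assumed names: scan_cdata, unwrap_cdata, CdataError.

```ruby
class CdataError < StandardError; end

CDATA_OPEN  = '<![CDATA['.freeze
CDATA_CLOSE = ']]>'.freeze

# input must start at a CDATA opener. Returns [contents, rest_of_input].
# strict: true  -> raise CdataError on an unclosed section
# strict: false -> the remainder of the current line is the contents
def scan_cdata(input, strict: false)
  raise ArgumentError, 'not at a CDATA section' unless input.start_with?(CDATA_OPEN)
  body  = input[CDATA_OPEN.length..-1]
  close = body.index(CDATA_CLOSE)
  if close
    [body[0...close], body[(close + CDATA_CLOSE.length)..-1]]
  elsif strict
    raise CdataError, 'unclosed CDATA section'
  else
    nl = body.index("\n")
    nl ? [body[0...nl], body[nl..-1]] : [body, '']
  end
end

# Walk a whole document, replacing each CDATA section with its contents.
# In lenient mode a truncated section never takes the rest of the document
# with it, which matters for a sanitizer that must not crash on bad input.
def unwrap_cdata(doc, strict: false)
  out  = +''
  rest = doc
  while (i = rest.index(CDATA_OPEN))
    out << rest[0...i]
    contents, rest = scan_cdata(rest[i..-1], strict: strict)
    out << contents
  end
  out << rest
end

# Constructed inputs: one well-formed section, one truncated mid-line.
if __FILE__ == $0
  p unwrap_cdata("a<![CDATA[<b>]]>c")
  p unwrap_cdata("a<![CDATA[x\ny")
end
```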
Commits on Oct 19, 2008
  1. Michael Koziarski

    Sanitize the URLs passed to redirect_to to prevent a potential response spli…

    NZKoz authored
    CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers
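    Because the server layers named in the commit do not touch header contents, a CR/LF pair inside a redirect target ends the Location header and starts a new one. The following added example (not the Rails patch) builds the raw 302 response with and without sanitization so the injected header is visible, and shows both the lenient fix (strip CR/LF) and a strict variant that refuses the value. Assumed names: inject_headers?, sanitize_header_value, assert_safe_header_value!, build_redirect, response_headers, EVIL; the redirect target is a constructed attacker-controlled value.

```ruby
# True when a value would terminate the current header line.
def inject_headers?(value)
  value.match?(/[\r\n]/)
end

# Lenient: remove CR and LF so the value cannot span header lines.
def sanitize_header_value(value)
  value.gsub(/[\r\n]/, '')
end

# Strict alternative: refuse the value outright, which also surfaces the
# attack in logs instead of silently repairing it.
def assert_safe_header_value!(value)
  raise ArgumentError, 'CR/LF in header value' if inject_headers?(value)
  value
end

# Raw bytes a server would emit for a 302 to `location`.
def build_redirect(location, sanitize: true)
  loc = sanitize ? sanitize_header_value(location) : location
  "HTTP/1.1 302 Found\r\nLocation: #{loc}\r\nContent-Length: 0\r\n\r\n"
end

# Parse the headers back out the way a client would, so we can see whether
# the attacker's Set-Cookie became a real header.
def response_headers(raw)
  head = raw.split("\r\n\r\n", 2).first
  head.split("\r\n").drop(1).map { |line| line.split(': ', 2) }.to_h
end

# Constructed "return-to" parameter carrying a header injection.
EVIL = "http://example.com/\r\nSet-Cookie: session=attacker".freeze

if __FILE__ == $0
  p response_headers(build_redirect(EVIL, sanitize: false))  # Set-Cookie present
  p response_headers(build_redirect(EVIL))                   # Set-Cookie gone
end
```

    A value that decodes to CR/LF only after the header is written (for example when something later URL-decodes it) is not covered by this check, so sanitize the final bytes that reach the header, not an earlier representation.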
Commits on Sep 7, 2008
  1. Matt Jones Joshua Peek

    Ensure routing optimizations are cleared when new routes are added [#981 state:resolved]

    al2o3cr authored josh committed
    
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Aug 30, 2008
  1. Jeremy Kemper

    Fix bad merge from e21ed3e

    jeremy authored
Commits on Aug 28, 2008
  1. Michael Klishin Jeremy Kemper

    Request#remote_ip handles the uncommon case that REMOTE_ADDR is a comma-separated list.

    michaelklishin authored jeremy committed
    
    [#523 state:resolved]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  2. Tim Haines Jeremy Kemper

    Add TestUploadFile.content_type= to match Request.UploadedFile

    timhaines authored jeremy committed
    [#920 state:resolved]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Aug 24, 2008
  1. Tarmo Tänav
  2. Joshua Peek Tarmo Tänav

    All 2xx requests are considered successful [#217 state:resolved]

    josh authored tarmo committed
  3. Tarmo Tänav

    Use fully-qualified controller name when logging. [#600 state:resolved]

    Ripta Pasay authored tarmo committed
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
  4. Cheah Chu Yeow Tarmo Tänav

    Ensure url_for(nil) falls back to url_for({}). [#472 state:resolved]

    chuyeow authored tarmo committed
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
Commits on Jul 30, 2008
  1. Emilio Tagua Jeremy Kemper

    Prototype helpers should generate Element.insert instead of Insertion.new, which has been deprecated in Prototype 1.6.

    miloops authored jeremy committed
Commits on Jul 24, 2008
  1. Tarmo Tänav Michael Koziarski

    Use :namespace instead of :path_prefix for finding controller. [#544 state:resolved]

    tarmo authored NZKoz committed
    
    :namespace is supposed to be the module where controller exists.
    :path_prefix can contain anything, including variables, which
    makes it unsuitable for determining the module for a controller.
    
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
    
    Conflicts:
    
    	actionpack/test/controller/routing_test.rb
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Jul 10, 2008
  1. Clemens Kofler Michael Koziarski

    Added notes to Routing documentation and routes.rb regarding default routes opening the whole application for GET requests

    clemens authored NZKoz committed
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Jul 9, 2008
  1. Michael Koziarski

    Deprecate the limited follow_redirect in functional tests. If you wish to follow redirects, use integration tests.

    NZKoz authored
Commits on Jul 4, 2008
  1. Jeremy Kemper
Commits on Jul 2, 2008
  1. Tim Haines Pratik

    Make sure render :template works with :locals. [#524 state:resolved]

    timhaines authored lifo committed
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
Commits on Jun 25, 2008
  1. Jimmy Baker Jeremy Kemper

    Patched HTML::Document#initialize call to Node.parse so that it includes the strict argument. [#330 state:resolved]

    jimmybaker authored jeremy committed
Commits on Jun 23, 2008
  1. Jeremy Kemper

    Fixed polymorphic_url to be able to handle singleton resources.

    Tammer Saleh authored jeremy committed
    Example usage:
    polymorphic_url([:admin, @user, :blog, @post]) # => admin_user_blog_post_url(@user, @post)
    
    [#461 state:resolved]
Commits on Jun 17, 2008
  1. Pratik

    Fix url_for with no arguments when default_url_options is not explicitly defined. [#339 state:resolved]

    Luke Redpath authored lifo committed
    
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
  2. Amos King Pratik

    verify :redirect_to => :back should redirect to the referrer. [#280 state:resolved]

    adkron authored lifo committed
    
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
  3. Andrew Kaspick Jeremy Kemper

    Correct code example in dom_id docs. [#437 state:resolved]

    akaspick authored jeremy committed
Commits on Jun 13, 2008
  1. Pratik Jeremy Kemper
Commits on Jun 9, 2008
  1. Joshua Peek

    Namespace Inflector, Dependencies, OrderedOptions, and TimeZone under ActiveSupport [#238 state:resolved]

    josh authored
Commits on Jun 7, 2008
  1. Jeremy Kemper
  2. Jeremy Kemper
  3. Jeremy Kemper
Commits on Jun 3, 2008
  1. David Heinemeier Hansson

    Fixed Request#remote_ip to only raise hell if the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR don't match (not just if they're both present) [Mark Imbriaco, Bradford Folkens]

    dhh authored
  2. Gabe da Silveira Michael Koziarski

    Fix assert_redirected_to for nested controllers and named routes

    gtd authored NZKoz committed
    [#308 state:resolved]
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on May 31, 2008
  1. Jeremy Kemper
Commits on May 30, 2008
  1. Jeremy Kemper

    Require ruby-prof 0.6.1 or later. Use resume/pause to omit extraneous machinery from profile.

    jeremy authored
Commits on May 25, 2008
  1. Pratik

    Merge docrails.

    lifo authored
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>