Commits on Jan 17, 2011
  1. @NZKoz

    Change the CSRF whitelisting to only apply to get requests

    NZKoz committed
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in Ajax requests, Rails now supports providing the token in a custom HTTP header:
     X-CSRF-Token: ...
    This fixes CVE-2011-0447
Commits on Dec 15, 2008
  1. @fcheung @josh

    Fixed session related memory leak [#1558 state:resolved]

    fcheung committed with josh
    Signed-off-by: Joshua Peek <>
Commits on Nov 18, 2008
  1. @NZKoz

    Verify form submissions for text/plain posts too.

    NZKoz committed
    Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention.
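The two CSRF commits on this page (the Jan 17, 2011 one that moves to a GET-only whitelist plus the X-CSRF-Token header, and this one that verifies text/plain posts) describe the same rule: verify every request that is not a safe read, whatever its Content-Type or origin mechanism, and accept the token from either the form field or the header. The following is an added example written for this page, not Rails' own protect_from_forgery code; the env hashes use Rack's key spelling and are constructed by hand, and the session token is assumed to have been stored server-side at login.

```ruby
require 'securerandom'

# Added example, not Rails code: minimal CSRF verification in the spirit of
# the commits above. Only GET and HEAD are exempt; any other method must
# present a token matching the session, either as the form parameter
# "authenticity_token" or as the X-CSRF-Token request header.
module CsrfCheck
  PARAM  = 'authenticity_token'
  HEADER = 'HTTP_X_CSRF_TOKEN'   # Rack spelling of the "X-CSRF-Token" header

  # Per-session token; a real app keeps this in the session store.
  def self.new_token
    SecureRandom.hex(16)
  end

  # True when the request may proceed. The decision depends only on the
  # method and the token, never on Content-Type, User-Agent or an XHR header,
  # which is what lets a text/plain form post or a Flash/Java request bypass
  # the older whitelist.
  def self.verified?(env, session_token, params)
    method = env['REQUEST_METHOD'].to_s.upcase
    return true if method == 'GET' || method == 'HEAD'
    return false if session_token.nil?

    presented = params[PARAM] || env[HEADER]
    return false unless presented.is_a?(String) && presented.bytesize == session_token.bytesize

    # Constant-time comparison so a timing side channel does not leak the token.
    presented.bytes.zip(session_token.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Usage with constructed requests:
token = CsrfCheck.new_token
CsrfCheck.verified?({ 'REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'text/plain' }, token, {})
CsrfCheck.verified?({ 'REQUEST_METHOD' => 'POST', 'HTTP_X_CSRF_TOKEN' => token }, token, {})
```

The first call is rejected (a cross-site text/plain POST carries no token) and the second is accepted (an Ajax request that copied the token into the header). Note that exempting GET is only safe if GET handlers really are side-effect free; a state-changing GET route remains forgeable no matter what this check does.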
Commits on Oct 24, 2008
  1. @packagethief @jeremy

    Fix incorrect closing CDATA delimiter. Add tests for CDATA nodes.

    packagethief committed with jeremy
    Signed-off-by: Jeremy Kemper <>
  2. @packagethief @jeremy

    Fix that HTML::Node.parse would blow up on unclosed CDATA sections.

    packagethief committed with jeremy
    If an unclosed CDATA section is encountered and parsing is strict, an
    exception will be raised. Otherwise, we consider the remainder of the line to
    be the section contents. This is consistent with HTML::Tokenizer#scan_tag.
    Signed-off-by: Jeremy Kemper <>
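The two CDATA commits above fix the closing delimiter and define what happens when a section is never closed: raise in strict mode, otherwise treat the rest of the line as the section contents. The following scanner is an added example for this page, not the HTML::Node or HTML::Tokenizer code from the commits; the UnclosedCdata error class and the scan_cdata name are assumptions, and the inputs are constructed.

```ruby
# Added example, not the commit's HTML::Node code: scan one CDATA section
# starting at the current position and return [contents, remaining_text].
class UnclosedCdata < StandardError; end

CDATA_OPEN  = '<![CDATA['
CDATA_CLOSE = ']]>'   # the correct closing delimiter, not "]>" or "]]"

def scan_cdata(text, strict: true)
  raise ArgumentError, 'not positioned at a CDATA section' unless text.start_with?(CDATA_OPEN)
  body = text[CDATA_OPEN.length..-1]
  close_at = body.index(CDATA_CLOSE)

  if close_at
    contents = body[0...close_at]
    rest = body[(close_at + CDATA_CLOSE.length)..-1]
  else
    # Unclosed section: strict parsing refuses the document; lenient parsing
    # takes the remainder of the current line as the section contents.
    raise UnclosedCdata, 'CDATA section never closed' if strict
    nl = body.index("\n")
    contents = nl ? body[0...nl] : body
    rest = nl ? body[nl..-1] : ''
  end

  [contents, rest]
end

# Usage with constructed input:
scan_cdata("<![CDATA[a < b]]><p>x</p>")                        # closed section
scan_cdata("<![CDATA[never closed\n<p>next</p>", strict: false) # lenient
```

The lenient branch matters for sanitizers built on this parser: if an unclosed section silently swallowed everything to the end of the document, markup after it would never be inspected, so bounding it to the current line keeps the rest of the input visible to later checks.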
Commits on Oct 19, 2008
  1. @NZKoz

    Sanitize the URLs passed to redirect_to to prevent a potential response spli…

    NZKoz committed
    CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers
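Because the servers named in the commit wrote header values to the wire unmodified, a redirect target containing CR/LF let the attacker terminate the Location header and append headers and a body of their own. The block below is an added example for this page, not the Rails redirect_to fix: it builds a raw 302 response from a constructed attacker URL once without and once with a CR/LF-stripping step, and parses back the header names a browser or proxy would see.

```ruby
# Added example, not Rails code. ATTACK_URL is constructed for the demo: a
# legitimate-looking target followed by an injected header and body.
ATTACK_URL = "http://example.com/\r\nSet-Cookie: session=attacker\r\n\r\n<html>phish</html>"

# Vulnerable: the URL is interpolated straight into the Location header.
def build_redirect_headers(url)
  "HTTP/1.1 302 Found\r\nLocation: #{url}\r\n\r\n"
end

# Hardened: response splitting requires a line break inside the header value,
# so refuse to emit one. Percent-encoded %0d%0a is not a problem at this
# layer because nothing decodes the value before it is written out.
def sanitize_location(url)
  url.to_s.gsub(/[\r\n]/, '')
end

# Parse the head of a raw response and return the header names it carries.
def header_names(raw)
  head = raw.split("\r\n\r\n", 2).first
  head.split("\r\n").drop(1).map { |line| line.split(':', 2).first }
end

def vulnerable_header_names
  header_names(build_redirect_headers(ATTACK_URL))
end

def fixed_header_names
  header_names(build_redirect_headers(sanitize_location(ATTACK_URL)))
end
```

With the raw URL the response carries both Location and the injected Set-Cookie; after sanitizing it carries only Location, with the attacker's text left harmlessly inside the URL. Rejecting the value outright instead of stripping is a reasonable alternative, since a redirect target containing a line break is never legitimate.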
Commits on Sep 7, 2008
  1. @al2o3cr @josh

    Ensure routing optimizations are cleared when new routes are added [#981

    al2o3cr committed with josh
    Signed-off-by: Joshua Peek <>
Commits on Aug 30, 2008
  1. @jeremy

    Fix bad merge from e21ed3e

    jeremy committed
Commits on Aug 28, 2008
  1. @michaelklishin @jeremy

    Request#remote_ip handles the uncommon case that REMOTE_ADDR is a comma-separated list.

    michaelklishin committed with jeremy
    [#523 state:resolved]
    Signed-off-by: Jeremy Kemper <>
  2. @timhaines @jeremy

    Add TestUploadFile.content_type= to match Request.UploadedFile

    timhaines committed with jeremy
    [#920 state:resolved]
    Signed-off-by: Jeremy Kemper <>
Commits on Aug 24, 2008
  1. @tarmo
  2. @josh @tarmo
  3. @tarmo

    Use fully-qualified controller name when logging. [#600 state:resolved]

    Ripta Pasay committed with tarmo
    Signed-off-by: Pratik Naik <>
  4. @chuyeow @tarmo

    Ensure url_for(nil) falls back to url_for({}). [#472 state:resolved]

    chuyeow committed with tarmo
    Signed-off-by: Pratik Naik <>
Commits on Jul 30, 2008
  1. @miloops @jeremy

    Prototype helpers should generate Element.insert instead of Insertion.new, which has been deprecated in Prototype 1.6.

    miloops committed with jeremy
Commits on Jul 24, 2008
  1. @tarmo @NZKoz

    Use :namespace instead of :path_prefix for finding controller. [#544

    tarmo committed with NZKoz
    :namespace is supposed to be the module where controller exists.
    :path_prefix can contain anything, including variables, which
    makes it unsuitable for determining the module for a controller.
    Signed-off-by: Pratik Naik <>
    Signed-off-by: Michael Koziarski <>
Commits on Jul 10, 2008
  1. @clemens @NZKoz

    Added notes to Routing documentation and routes.rb regarding default routes opening the whole application for GET requests

    clemens committed with NZKoz
    Signed-off-by: Michael Koziarski <>
Commits on Jul 9, 2008
  1. @NZKoz

    Deprecate the limited follow_redirect in functional tests. If you wish to follow redirects, use integration tests.

    NZKoz committed
Commits on Jul 4, 2008
  1. @jeremy
Commits on Jul 2, 2008
  1. @timhaines @lifo

    Make sure render :template works with :locals. [#524 state:resolved]

    timhaines committed with lifo
    Signed-off-by: Pratik Naik <>
Commits on Jun 25, 2008
  1. @jimmybaker @jeremy

    Patched HTML::Document#initialize call to Node.parse so that it includes the strict argument. [#330 state:resolved]

    jimmybaker committed with jeremy
Commits on Jun 23, 2008
  1. @jeremy

    Fixed polymorphic_url to be able to handle singleton resources.

    Tammer Saleh committed with jeremy
    Example usage:
    polymorphic_url([:admin, @user, :blog, @post]) # => admin_user_blog_post_url(@user, @post)
    [#461 state:resolved]
Commits on Jun 17, 2008
  1. @lifo

    Fix url_for with no arguments when default_url_options is not explicitly defined. [#339 state:resolved]

    Luke Redpath committed with lifo
    Signed-off-by: Pratik Naik <>
  2. @adkron @lifo

    verify :redirect_to => :back should redirect to the referrer. [#280 s…

    adkron committed with lifo
    Signed-off-by: Pratik Naik <>
  3. @akaspick @jeremy
Commits on Jun 13, 2008
  1. @lifo @jeremy
Commits on Jun 9, 2008
  1. @josh

    Namespace Inflector, Dependencies, OrderedOptions, and TimeZone under ActiveSupport [#238 state:resolved]

    josh committed
Commits on Jun 7, 2008
  1. @jeremy
  2. @jeremy
  3. @jeremy
Commits on Jun 3, 2008
  1. @dhh

    Fixed Request#remote_ip to only raise hell if the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR don't match (not just if they're both present) [Mark Imbriaco, Bradford Folkens]

    dhh committed
  2. @gtd @NZKoz

    Fix assert_redirected_to for nested controllers and named routes

    gtd committed with NZKoz
    [#308 state:resolved]
    Signed-off-by: Michael Koziarski <>
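Two commits on this page touch Request#remote_ip: the Aug 28, 2008 one makes a comma-separated REMOTE_ADDR work, and the Jun 3, 2008 one above raises only when Client-IP and X-Forwarded-For actually disagree rather than whenever both are present. The following is an added example for this page that implements both rules together, not Rails' own remote_ip; the IpSpoofAttackError name, the TRUSTED_PROXIES pattern and the env hashes are assumptions constructed for the demonstration.

```ruby
# Added example, not Rails code: resolve the client address from a Rack env.
class IpSpoofAttackError < StandardError; end

# Hops from these ranges are assumed to be our own proxies and are dropped
# from the right of X-Forwarded-For before picking the client.
TRUSTED_PROXIES = /\A(127\.0\.0\.1|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/

# REMOTE_ADDR and the forwarding headers may all be comma-separated lists.
def split_ips(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?)
end

def remote_ip(env)
  client_ip = split_ips(env['HTTP_CLIENT_IP']).first
  forwarded = split_ips(env['HTTP_X_FORWARDED_FOR'])

  # Raise only on a genuine mismatch: both headers present and Client-IP is
  # not one of the X-Forwarded-For hops.
  if client_ip && !forwarded.empty? && !forwarded.include?(client_ip)
    raise IpSpoofAttackError,
          "Client-IP #{client_ip} is not in X-Forwarded-For #{forwarded.join(',')}"
  end
  return client_ip if client_ip

  # Strip our proxies; the last remaining hop is the address the first
  # trusted proxy saw.
  candidates = forwarded.reject { |ip| ip =~ TRUSTED_PROXIES }
  return candidates.last unless candidates.empty?

  # The uncommon case from the Aug 28 commit: REMOTE_ADDR itself is a list.
  split_ips(env['REMOTE_ADDR']).first
end

# Usage with constructed envs:
remote_ip('REMOTE_ADDR' => '203.0.113.5, 10.0.0.1')
remote_ip('REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2')
```

The caveat a practitioner needs: every HTTP_* value here is sent by the client and can say anything. The result is only meaningful when a proxy you control sits in front of the app and overwrites or appends to these headers; exposed directly to the internet, remote_ip should be REMOTE_ADDR and nothing else, and rate limits or audit logs keyed on the forwarded value are trivially evaded.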
Commits on May 31, 2008
  1. @jeremy
Commits on May 30, 2008
  1. @jeremy

    Require ruby-prof 0.6.1 or later. Use resume/pause to omit extraneous…

    jeremy committed
    … machinery from profile.
Commits on May 25, 2008
  1. @lifo

    Merge docrails.

    lifo committed
    Signed-off-by: Pratik Naik <>