Commits on Jan 17, 2011
  1. Change the CSRF whitelisting to only apply to get requests

    NZKoz committed Jan 13, 2011
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests Rails now supports providing the token in a custom http header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
Commits on Nov 27, 2009
  1. Make sure strip_tags removes tags which start with a non-printable character

    gtd authored and NZKoz committed Nov 17, 2009
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Sep 11, 2009
  1. Remove redundant checks for valid character regexp in ActiveSupport::Multibyte#clean and #verify.

    bohford authored and jeremy committed Sep 10, 2009
    
    [#3181 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Sep 8, 2009
  1. 1.9 compatible secure_compare

    NZKoz committed Sep 8, 2009
  2. Revert "Ruby 1.9: fix MessageVerifier#secure_compare"

    NZKoz committed Sep 8, 2009
    This reverts commit 91f65b7.
    
    MessageVerifier was never in 2.2
  3. Fix AS test breakage

    jeremy committed Sep 8, 2009
Commits on Aug 31, 2009
  1. Clean tag attributes before passing through the escape_once logic.

    NZKoz committed Aug 31, 2009
    Addresses CVE-2009-3009
  2. Add verify and clean methods to ActiveSupport::Multibyte.

    NZKoz committed Aug 31, 2009
    When accepting character input from outside of your application you can't
    blindly trust that all strings are properly encoded. With these methods
    you can check incoming strings and clean them up if necessary.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    
    Conflicts:
    
    	activesupport/lib/active_support/multibyte/chars.rb
Commits on Aug 23, 2009
  1. Fix timing attack vulnerability in the Cookie Store

    NZKoz committed Aug 23, 2009
    Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
Commits on Apr 20, 2009
  1. Ensure JoinAssociation uses aliased table name when multiple associations have hash conditions on the same table

    lifo committed Apr 20, 2009
Commits on Apr 1, 2009
  1. Don't use the transaction instance method so that people with has_one/belongs_to :transaction aren't fubared

    fcheung authored and lifo committed Dec 10, 2008
    
    [#1551 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Feb 25, 2009
  1. Ruby 1.9 compat: silence a warning about regexp languages

    samgranieri authored and jeremy committed Feb 23, 2009
    [#2050 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  2. Fixed bug that makes named_scopes _forget_ current scope

    oboxodo authored and technoweenie committed Feb 13, 2009
    Signed-off-by: rick <technoweenie@gmail.com>
    [#1960 #1677 state:resolved]
Commits on Feb 22, 2009
  1. Remove hardcoded number_of_captures in ControllerSegment to allow regexp requirements with capturing parentheses

    pixeltrix authored and NZKoz committed Feb 22, 2009
  2. Fix requirements regexp for path segments

    pixeltrix authored and NZKoz committed Jan 16, 2009
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Feb 21, 2009
  1. Update changelog for URI.unescape fix

    jeremy committed Feb 21, 2009
    [#2033 state:committed]
  2. Broaden URI.unescape fix to all affected 1.9.x by checking for broken behavior instead of specific patchlevel

    jeremy committed Feb 21, 2009
  3. fix test data, should specify encoding to use multibyte chars on Ruby 1.9

    moro authored and jeremy committed Feb 15, 2009
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  4. Ruby 1.9.1p0's URI.decode() bug fix

    moro authored and jeremy committed Feb 15, 2009
    backport to fix Ruby 1.9.1p0 bug on [ruby-dev:38005].
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Feb 20, 2009
  1. Make atomic_write() put the check_file in the cache dir, not in application root

    brunetton authored and josh committed Feb 20, 2009
    [#1962 state:resolved]
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Feb 17, 2009
  1. Ruby 1.9 compat: fix JSON decoding to work properly with multibyte values

    amatsuda authored and jeremy committed Feb 14, 2009
    
    [#1969 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Feb 12, 2009
  1. Allow memcache-client versions > 1.5.x to override bundled version

    Joshua Sierles authored and josh committed Feb 12, 2009
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Feb 6, 2009
  1. Handle every error that can come out of the Iconv branch by rescuing and returning nil

    NZKoz committed Feb 6, 2009
    
    [#1195 state:committed]
    
    Conflicts:
    
    	activesupport/lib/active_support/inflector.rb