Permalink
Commits on Jan 17, 2011
  1. Change the CSRF whitelisting to only apply to get requests

    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
    NZKoz committed Jan 13, 2011
Commits on Nov 27, 2009
  1. Make sure strip_tags removes tags which start with a non-printable ch…

    …aracter
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    gtd committed with NZKoz Nov 17, 2009
Commits on Sep 13, 2009
Commits on Sep 12, 2009
Commits on Sep 11, 2009
  1. Remove redundant checks for valid character regexp in ActiveSupport::…

    …Multibyte#clean and #verify.
    
    [#3181 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    bohford committed with jeremy Sep 10, 2009
Commits on Sep 8, 2009
  1. 1.9 compatible secure_compare

    NZKoz committed Sep 8, 2009
  2. Revert "Ruby 1.9: fix MessageVerifier#secure_compare"

    This reverts commit 91f65b7.
    
    MessageVerifier was never in 2.2
    NZKoz committed Sep 8, 2009
  3. Fix AS test breakage

    jeremy committed Sep 8, 2009
Commits on Sep 4, 2009
Commits on Aug 31, 2009
  1. Clean tag attributes before passing through the escape_once logic.

    Addresses CVE-2009-3009
    NZKoz committed Aug 31, 2009
  2. Add verify and clean methods to ActiveSupport::Multibyte.

    When accepting character input from outside of your application you can't
    blindly trust that all strings are properly encoded. With these methods
    you can check incoming strings and clean them up if necessary.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    
    Conflicts:
    
    	activesupport/lib/active_support/multibyte/chars.rb
    NZKoz committed Aug 31, 2009
Commits on Aug 23, 2009
  1. Fix timing attack vulnerability in the Cookie Store

    Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
    NZKoz committed Aug 23, 2009
Commits on Apr 20, 2009
  1. Ensure JoinAssociation uses aliased table name when multiple associat…

    …ions have hash conditions on the same table
    lifo committed Apr 20, 2009
Commits on Apr 1, 2009
  1. Don't use the transaction instance method so that people with has_one…

    …/belongs_to :transaction aren't fubared
    
    [#1551 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    fcheung committed with lifo Dec 10, 2008
Commits on Mar 11, 2009
Commits on Feb 25, 2009
  1. Ruby 1.9 compat: silence a warning about regexp languages

    [#2050 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    samgranieri committed with jeremy Feb 23, 2009
  2. Fixed bug that makes named_scopes _forgot_ current scope

    Signed-off-by: rick <technoweenie@gmail.com>
    [#1960 #1677 state:resolved]
    oboxodo committed with technoweenie Feb 13, 2009
Commits on Feb 22, 2009
  1. Remove hardcoded number_of_capturesin ControllerSegment to allow rege…

    …xp requirements with capturing parentheses
    pixeltrix committed with NZKoz Feb 22, 2009
  2. Fix requirements regexp for path segments

    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    pixeltrix committed with NZKoz Jan 16, 2009
Commits on Feb 21, 2009
  1. Update changelog for URI.unescape fix

    [#2033 state:committed]
    jeremy committed Feb 21, 2009
  2. Broaden URI.unescape fix to all affected 1.9.x by checking for broken…

    … behavior instead of specific patchlevel
    jeremy committed Feb 21, 2009
  3. fix test data, should specify encoding to use multibyte chars on Ruby…

    … 1.9
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    moro committed with jeremy Feb 15, 2009
  4. Ruby 1.9.1p0's URI.decode() bug fix

    backport to fix Ruby 1.9.1p0 bug on [ruby-dev:38005].
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    moro committed with jeremy Feb 15, 2009
Commits on Feb 20, 2009
  1. Make atomic_write() puts the check_file in the cache dir, not in appl…

    …ication
    
    root [#1962 state:resolved]
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    brunetton committed with josh Feb 20, 2009
Commits on Feb 17, 2009
  1. Ruby 1.9 compat: fix JSON decoding to work properly with multibyte va…

    …lues
    
    [#1969 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    amatsuda committed with jeremy Feb 14, 2009
Commits on Feb 12, 2009
  1. Allow memcache-client versions > 1.5.x to override bundled version

    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    Joshua Sierles committed with josh Feb 12, 2009
Commits on Feb 10, 2009
Commits on Feb 6, 2009
  1. Handle every error that can come out of the Iconv branch by rescuing …

    …and returning nil
    
    [#1195 state:committed]
    
    Conflicts:
    
    	activesupport/lib/active_support/inflector.rb
    NZKoz committed Feb 6, 2009