Jan 17, 2011

  1. Michael Koziarski

    Change the CSRF whitelisting to only apply to get requests

    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
    authored

Nov 27, 2009

  1. Gabe da Silveira

    Make sure strip_tags removes tags which start with a non-printable character
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored NZKoz committed

Sep 12, 2009

  1. Michael Koziarski

    Dup the arguments to string compare so we can use force_encoding.

    authored

Sep 08, 2009

  1. Michael Koziarski

    1.9 compatible secure_compare

    authored

Sep 04, 2009

  1. risk danger olson

    Prepare for Rails 2.2.3 release.

    authored

Aug 31, 2009

  1. Michael Koziarski

    Clean tag attributes before passing through the escape_once logic.

    Addresses CVE-2009-3009
    authored

Aug 23, 2009

  1. Michael Koziarski

    Fix timing attack vulnerability in the Cookie Store

    Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
    authored

Feb 25, 2009

  1. Sam Granieri

    Ruby 1.9 compat: silence a warning about regexp languages

    [#2050 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    authored jeremy committed

Feb 22, 2009

  1. Andrew White

    Remove hardcoded number_of_captures in ControllerSegment to allow regexp requirements with capturing parentheses
    authored NZKoz committed
  2. Andrew White

    Fix requirements regexp for path segments

    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored NZKoz committed

Feb 21, 2009

  1. MOROHASHI Kyosuke

    fix test data, should specify encoding to use multibyte chars on Ruby 1.9
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    authored jeremy committed

Feb 10, 2009

  1. Jeremy Kemper

    Add missing test for parsing a multivalued query string

    authored

Feb 05, 2009

  1. Daniel

    check for template with specified extension but without template handler extension [#1798 state:resolved]
    
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    authored josh committed

Jan 22, 2009

  1. Michael Koziarski

    Bring back relative_url_root but deprecate it

    authored

Jan 21, 2009

  1. Michael Koziarski

    Rationalise the session options to one hash, prevents rack or integration tests from seeing incorrect defaults
    authored

Jan 05, 2009

  1. Joshua Peek

    Cache AssetTag timestamps

    authored dhh committed
  2. Joshua Peek

    Revert to the good old days when AssetTag didn't cause anyone problems

    authored dhh committed

Jan 02, 2009

  1. David Heinemeier Hansson

    Make sure #compute_public_path caching allows returning different results for different given sources [#1471 state:resolved]
    authored

Jan 01, 2009

  1. David Heinemeier Hansson

    Fixed the AssetTagHelper cache to use the computed asset host as part of the cache key instead of just assuming it's a string [#1299 state:fixed]
    authored

Dec 15, 2008

  1. Frederick Cheung

    Fixed session related memory leak [#1558 state:resolved]

    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    authored josh committed

Nov 30, 2008

  1. Jeremy Kemper

    Extract named_helper module_eval so it's easier to override

    authored

Nov 24, 2008

  1. Geoff Garside

    Test default singleton resource route to ensure it uses GET. This is important if using map.root :resource instead of map.root :resources for some reason.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored NZKoz committed
  2. Geoff Garside

    Reorder the way in which map.resource routes are added to the set. This prevents the singular named route from hitting :create instead of :show.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored NZKoz committed

Nov 23, 2008

  1. Jeremy Kemper

    Changelog for #1448. Mention updating old translations with storage_units key.
    authored
  2. Yaroslav Markin

    Add i18n for number_to_human_size() helper storage units. Translation key is number.human.storage_units.
    
    [#1448 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    authored jeremy committed
  3. Joshua Peek

    Add back support for legacy TemplateHandler#render API

    authored

Nov 21, 2008

  1. David Heinemeier Hansson

    Prepped for release

    authored

Nov 20, 2008

  1. David Heinemeier Hansson

    Cleaned up deprecation notices

    authored
  2. David Heinemeier Hansson

    Next release will be 2.2.2, might as well prepare for that

    authored

Nov 19, 2008

  1. Aaron Batalion

    need to make sure the asset type is cached with it in Cache.. name is sufficient, not self
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    authored jeremy committed
  2. Aaron Batalion

    Fixed asset host to not cache objects [#1419 state:resolved]

    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    authored josh committed
  3. David Heinemeier Hansson

    Deprecated the :file default for ActionView#render to prepare for 2.3's new :partial default [DHH]
    authored
  4. Hiroshi Saito

    Let polymorphic_path treat an array containing a single name as without array [#1386 state:committed]
    
    Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
    authored dhh committed

Nov 18, 2008

  1. Gabe da Silveira

    Make optimized named routes respect all reserved options and tie it into UrlRewriter::RESERVED_OPTIONS so it's DRY
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored NZKoz committed
  2. Luke Melia

    Fix rendering html partial via inline render when with :js format [#1399 state:resolved]
    
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    authored josh committed