Commits on Jan 17, 2011
  1. @NZKoz

    Change the CSRF whitelisting to only apply to get requests

    NZKoz authored
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
Commits on Nov 27, 2009
  1. @gtd @NZKoz

    Make sure strip_tags removes tags which start with a non-printable character

    gtd authored NZKoz committed
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Sep 12, 2009
  1. @NZKoz
Commits on Sep 8, 2009
  1. @NZKoz

    1.9 compatible secure_compare

    NZKoz authored
Commits on Sep 4, 2009
  1. @technoweenie
Commits on Aug 31, 2009
  1. @NZKoz

    Clean tag attributes before passing through the escape_once logic.

    NZKoz authored
    Addresses CVE-2009-3009
Commits on Aug 23, 2009
  1. @NZKoz

    Fix timing attack vulnerability in the Cookie Store

    NZKoz authored
    Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
Commits on Feb 25, 2009
  1. @samgranieri @jeremy

    Ruby 1.9 compat: silence a warning about regexp languages

    samgranieri authored jeremy committed
    [#2050 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Commits on Feb 22, 2009
  1. @pixeltrix @NZKoz

    Remove hardcoded number_of_captures in ControllerSegment to allow regexp requirements with capturing parentheses

    pixeltrix authored NZKoz committed
  2. @pixeltrix @NZKoz

    Fix requirements regexp for path segments

    pixeltrix authored NZKoz committed
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Feb 5, 2009
  1. @dguettler @josh

    check for template with specified extension but without template handler extension [#1798 state:resolved]

    dguettler authored josh committed
    
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Jan 22, 2009
  1. @NZKoz
Commits on Jan 21, 2009
  1. @NZKoz

    Rationalise the session options to one hash, prevents rack or integration tests from seeing incorrect defaults

    NZKoz authored
Commits on Jan 5, 2009
  1. @josh @dhh

    Cache AssetTag timestamps

    josh authored dhh committed
  2. @josh @dhh
Commits on Jan 2, 2009
  1. @dhh

    Make sure #compute_public_path caching allows to return different results

    dhh authored
    
    for different given sources [#1471 state:resolved]
Commits on Jan 1, 2009
  1. @dhh

    Fixed the AssetTagHelper cache to use the computed asset host as part of the cache key instead of just assuming it's a string [#1299 state:fixed]

    dhh authored
Commits on Dec 15, 2008
  1. @fcheung @josh

    Fixed session related memory leak [#1558 state:resolved]

    fcheung authored josh committed
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
Commits on Nov 30, 2008
  1. @jeremy
Commits on Nov 24, 2008
  1. @geoffgarside @NZKoz

    Reorder the way in which map.resource routes are added to the set. This prevents the singular named route from hitting :create instead of :show.

    geoffgarside authored NZKoz committed
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
Commits on Nov 23, 2008
  1. @yaroslav @jeremy

    Add i18n for number_to_human_size() helper storage units. Translation key is number.human.storage_units.

    yaroslav authored jeremy committed
    
    [#1448 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  2. @josh
Commits on Nov 20, 2008
  1. @dhh
Commits on Nov 19, 2008
  1. @aaronbatalion @jeremy

    need to make sure the asset type is cached with it in Cache.. name is sufficient, not self

    aaronbatalion authored jeremy committed
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  2. @aaronbatalion @josh

    Fixed asset host to not cache objects [#1419 state:resolved]

    aaronbatalion authored josh committed
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
  3. @dhh

    Deprecated the :file default for ActionView#render to prepare for 2.3's new :partial default [DHH]

    dhh authored
  4. @hiroshi @dhh

    Let polymorphic_path treat an array contains single name as without array [#1386 state:committed]

    hiroshi authored dhh committed
    
    Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
Commits on Nov 18, 2008
  1. @gtd @NZKoz

    Make optimized named routes respect all reserved options and tie it into UrlRewriter::RESERVED_OPTIONS so it's DRY

    gtd authored NZKoz committed
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
  2. @lukemelia @josh

    Fix rendering html partial via inline render when with :js format [#1399 state:resolved]

    lukemelia authored josh committed
    
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
  3. @FooBarWidget @jeremy

    Register 'checked' as an HTML boolean attribute.

    FooBarWidget authored jeremy committed
    This way, 'tag :foo, :type => "checkbox", :checked => false' would output
    the expected
    
      <input type="checkbox" />
    
    instead of the old
    
      <input type="checkbox" checked="false" />
    
    The latter would result in a checkbox that's initially checked.
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
  4. @NZKoz

    Remove duplicate distribution of prototype and scriptaculous.

    NZKoz authored
    This was previously needed by define_javascript_functions which has been removed for a while.
  5. @NZKoz
  6. @madrobby @NZKoz
  7. @svenfuchs @dhh

    use :en as a default locale (in favor of :en-US)

    svenfuchs authored dhh committed
    Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
  8. @lukemelia @josh

    Prevent assert_template failures when a render :inline is called before rendering a file-based template [#1383 state:resolved]

    lukemelia authored josh committed
    
    Signed-off-by: Joshua Peek <josh@joshpeek.com>