
Jan 17, 2011

  1. Michael Koziarski

    Change the CSRF whitelisting to only apply to get requests

    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
    authored January 13, 2011

Nov 27, 2009

  1. Gabe da Silveira

    Make sure strip_tags removes tags which start with a non-printable character
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored November 16, 2009 NZKoz committed November 27, 2009

Sep 12, 2009

  1. Michael Koziarski

    Dup the arguments to string compare so we can use force_encoding.

    authored September 13, 2009

Sep 08, 2009

  1. Michael Koziarski

    1.9 compatible secure_compare

    authored September 09, 2009

Aug 23, 2009

  1. Michael Koziarski

    Fix timing attack vulnerability in the Cookie Store

    Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
    authored August 23, 2009

Feb 25, 2009

  1. Sam Granieri

    Ruby 1.9 compat: silence a warning about regexp languages

    [#2050 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    authored February 22, 2009 jeremy committed February 25, 2009

Feb 22, 2009

  1. Andrew White

    Remove hardcoded number_of_captures in ControllerSegment to allow regexp requirements with capturing parentheses
    authored February 22, 2009 NZKoz committed February 22, 2009
  2. Andrew White

    Fix requirements regexp for path segments

    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored January 16, 2009 NZKoz committed February 22, 2009

Jan 22, 2009

  1. Michael Koziarski

    Bring back relative_url_root but deprecate it

    authored January 22, 2009

Jan 21, 2009

  1. Michael Koziarski

    Rationalise the session options to one hash, prevents rack or integration tests from seeing incorrect defaults
    authored January 21, 2009

Jan 05, 2009

  1. Joshua Peek

    Cache AssetTag timestamps

    authored January 04, 2009 dhh committed January 05, 2009
  2. Joshua Peek

    Revert to the good old days when AssetTag didn't cause anyone problems

    authored January 02, 2009 dhh committed January 05, 2009

Dec 15, 2008

  1. Frederick Cheung

    Fixed session related memory leak [#1558 state:resolved]

    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    authored December 11, 2008 josh committed December 15, 2008

Nov 30, 2008

  1. Jeremy Kemper

    Extract named_helper module_eval so it's easier to override

    authored November 29, 2008

Nov 24, 2008

  1. Geoff Garside

    Reorder the way in which map.resource routes are added to the set. This prevents the singular named route from hitting :create instead of :show.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored November 18, 2008 NZKoz committed November 24, 2008

Nov 19, 2008

  1. Hiroshi Saito

    Let polymorphic_path treat an array containing a single name as if it were not an array [#1386 state:committed]
    
    Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
    authored November 16, 2008 dhh committed November 19, 2008

Nov 18, 2008

  1. Gabe da Silveira

    Make optimized named routes respect all reserved options and tie it into UrlRewriter::RESERVED_OPTIONS so it's DRY
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored November 14, 2008 NZKoz committed November 18, 2008

Nov 16, 2008

  1. Michael Koziarski

    Add text/plain to the browser_generated_types array as webkit and gecko can submit them.
    
    For more information see:
    
    http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
    authored November 16, 2008

Nov 14, 2008

  1. Pratik

    Merge docrails.

    authored November 14, 2008
  2. Tom Stuart

    Make inheritance of map.resources :only/:except options behave more predictably
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored November 13, 2008 NZKoz committed November 14, 2008
  3. Hiroshi Saito

    Make polymorphic_url compact given array [#1317 state:committed]

    Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
    authored November 03, 2008 dhh committed November 14, 2008

Nov 13, 2008

  1. Tom Stuart

    Fix map.resources to always generate named routes if they're needed

    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored November 13, 2008 NZKoz committed November 13, 2008
  2. Michael Koziarski

    Instead of overriding html_types, base the verification on browser_generated_types.
    
    Also Deprecate the old unverifiable types.
    
    [#1145 state:committed]
    authored November 13, 2008
  3. risk danger olson

    fix two MimeType failing test cases

    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored November 12, 2008 NZKoz committed November 13, 2008
  4. Jeff Cohen

    Changed request forgery protection to only worry about HTML-formatted content requests.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored October 31, 2008 NZKoz committed November 13, 2008

Nov 12, 2008

  1. Tom Stuart

    Add :only/:except options to map.resources

    This allows people with huge numbers of resource routes to cut down on the memory consumption caused by the generated code.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    [#1215 state:committed]
    authored November 12, 2008 NZKoz committed November 12, 2008

Nov 11, 2008

  1. Jeremy Kemper

    Eliminate excess Regexp creation due to capture counting

    authored November 10, 2008
  2. Jeremy Kemper

    Pare down object creation during route building

    authored November 10, 2008

Nov 07, 2008

  1. Nick Sieger

    Simplify dispatcher callbacks to eliminate unnecessary stale thread purging. [Nick Sieger, Pratik Naik]
    
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
    authored November 08, 2008 lifo committed November 08, 2008

Nov 06, 2008

  1. Aliaksey Kandratsenka (aka Aliaksei Kandratsenka)

    Don't eval recognize_optimized using __FILE__ and __LINE__ in the optimised recognition code.
    
    It produces meaningless line numbers.  This also easily produces line numbers greater than recognition_optimization.rb has, which causes rcov to trash memory outside of its coverage counting arrays.
    
    [#1319 state:committed]
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    authored November 01, 2008 NZKoz committed November 06, 2008
  2. Michael Koziarski

    Fix stupid typo

    authored November 06, 2008
  3. David Heinemeier Hansson

    Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed]
    authored November 06, 2008
  4. David Heinemeier Hansson

    Don't bother logging the parameters hash if there are no parameters

    authored November 06, 2008

Nov 04, 2008

  1. David Heinemeier Hansson

    Don't log the _method attribute either. It's already available in the header
    authored November 04, 2008
  2. David Heinemeier Hansson

    Don't log the _method attribute either. It's already available in the header
    authored November 04, 2008