Commits on Feb 18, 2014
  1. Use the reference for the mime type to get the format

    Before we were calling to_sym in the mime type, even when it is unknown,
    which can cause denial of service since symbols are not removed by the
    garbage collector.
    
    Fixes: CVE-2014-0082
    rafaelfranca committed Feb 12, 2014
Commits on Dec 1, 2013
  1. Only use valid mime type symbols as cache keys

    CVE-2013-6414
    
    Conflicts:
    	actionpack/lib/action_view/lookup_context.rb
    tenderlove committed Dec 1, 2013
Commits on Mar 16, 2013
  1. fix protocol checking in sanitization [CVE-2013-1857]

    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
    tenderlove committed Mar 15, 2013
  2. JDOM XXE Protection [CVE-2013-1856]

    Conflicts:
    	activesupport/test/xml_mini/jdom_engine_test.rb
    benmmurphy committed with tenderlove Feb 8, 2013
Commits on Feb 27, 2013
  1. Revert "Merge pull request #9210 from dylanahsmith/3-0-mysql-quote-numeric"

    This reverts commit 663c9a6, reversing
    changes made to 10513d2.
    steveklabnik committed Feb 27, 2013
Commits on Feb 11, 2013
  1. Revert "Merge pull request #9126 from mbarb0sa/bugfix/json-decoding-in-rails-3-0-stable"

    This reverts commit 360af4e, reversing
    changes made to f93d046.
    tenderlove committed Feb 11, 2013
  2. Merge branch '3-0-sec' into 3-0-stable

    * 3-0-sec:
      fix serialization vulnerability
      Fix issue with attr_protected where malformed input could circumvent protection
    tenderlove committed Feb 11, 2013
  3. Merge pull request #9126 from mbarb0sa/bugfix/json-decoding-in-rails-3-0-stable

    fixed failing JSON decoding in rails 3-0-stable
    tenderlove committed Feb 11, 2013
Commits on Feb 9, 2013
  1. Fix issue with attr_protected where malformed input could circumvent

    protection
    
    Fixes: CVE-2013-0276
    
    Conflicts:
    	activemodel/lib/active_model/attribute_methods.rb
    	activerecord/test/cases/mass_assignment_security_test.rb
    joernchen committed with tenderlove Feb 9, 2013
Commits on Feb 8, 2013
  1. Merge pull request #9223 from robertomiranda/fix-bigdecimal-typecast

    Fix BigDecimal Typecast on 1.8.7
    guilleiguaran committed Feb 8, 2013
  2. Merge pull request #9210 from dylanahsmith/3-0-mysql-quote-numeric

    [3.0] active_record: Quote numeric values compared to string columns.
    guilleiguaran committed Feb 8, 2013
Commits on Jan 30, 2013
  1. fixed failing JSON decoding in rails 3-0-stable

    Michel Barbosa committed Jan 30, 2013
  2. Merge pull request #9111 from jsomara/3-0-json-fix

    Fix #8832 - Parse '{"person":[]}' JSON/XML as {'person' => []}.
    tenderlove committed Jan 30, 2013
  3. Merge pull request #9123 from renatosnrg/3-0-stable

    Fixing encoding to UTF-8 for OkJson backend. Closes #9122.
    carlosantoniodasilva committed Jan 30, 2013
Commits on Jan 28, 2013
  1. bumping to 3.0.20

    tenderlove committed Jan 28, 2013
  2. Add an OkJson backend and remove the YAML backend

    Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
    NZKoz committed with tenderlove Jan 23, 2013
Commits on Jan 27, 2013
  1. Fix failing test related to escaping include_blank in select_tag

    Rails 3.0.x doesn't have the :prompt option in select_tag, it was
    introduced in c5d54be that is only
    available from 3.1.x on.
    
    The test and related fix were introduced in
    c979587 for Rails 3.0.17, as a fix for
    a security vulnerability. The code is completely fine but the test was
    using the invalid :prompt option for this version, probably because it
    was cherry-picked from other branch which has the option.
    carlosantoniodasilva committed Jan 27, 2013
Commits on Jan 26, 2013
  1. Remove obsolete rake/rdoctask require

    Requiring this now raises a RuntimeError, failing the test.
    It also seems that the require is unnecessary to pass the test.
    carlosantoniodasilva committed Jan 26, 2013
  2. Update failing tests overriding destroy method instead of using mocha expectation

    Mocha by default does not allow adding expectation to frozen objects,
    just applying a workaround to ensure the method is never called, making
    the tests pass without enabling this again in mocha.
    carlosantoniodasilva committed Jan 26, 2013
Commits on Jan 16, 2013
  1. Merge pull request #8872 from freerange/3-0-stable-with-mocha-fixes

    Fix 3-0-stable to work with Mocha >= v0.13.0
    rafaelfranca committed Jan 16, 2013
  2. Fix 3-0-stable to work with Mocha >= v0.13.0

    A) Update code in ActiveSupport which monkey-patches Test::Unit to
    include Mocha bug fix.
    
    A bug was fixed [1] in Mocha's integration with Test::Unit, but this
    monkey-patching code was copied before the fix. We need to copy the
    fixed version.
    
    The bug meant that an unexpected invocation against a mock within the
    teardown method caused a test *error* and not a test *failure*.
    
    B) Fix for Test::Unit/Mocha compatibility.
    
    Mocha is now using a single AssertionCounter which needs a reference to
    the testcase as opposed to the result.
    
    This change is an unfortunate consequence of the copying of a chunk of
    Mocha's internal code in order to monkey-patch Test::Unit.
    
    C) Avoid a Mocha deprecation warning.
    
    [1]
    freerange/mocha@f1ff647#diff-5
    commit 0591f6d 1 parent 8b3109a
    floehopper committed Aug 26, 2012
Commits on Jan 11, 2013
  1. Merge pull request #8890 from dylanahsmith/3-0-parse-non-object-json-params

    3-0-stable: Fix JSON params parsing regression for non-object JSON content.
    jeremy committed Jan 11, 2013