Commits on Feb 18, 2014
  1. @rafaelfranca

    Use the reference for the mime type to get the format

    rafaelfranca authored
    Before, we were calling to_sym on the mime type, even when it is unknown,
    which can cause denial of service since symbols are not removed by the
    garbage collector.
    
    Fixes: CVE-2014-0082
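The pattern behind the two mime-type commits above (Feb 18, 2014 and Dec 1, 2013), as an added example that is not Rails's own Mime::Type or lookup_context code: an attacker-controlled Accept string is never passed to to_sym; it is resolved against a registry of known types, and only the symbol the registry already owns is handed out or used as a cache key. MimeRegistry, format_for, cache_key and resolve_all are hypothetical names chosen for the illustration.

```ruby
# Added example for the two mime-type commits above; it is not Rails's own
# Mime::Type code. MimeRegistry, format_for, cache_key and resolve_all are
# hypothetical names chosen for the illustration.

class MimeRegistry
  # Registered types. The symbols on the right are interned once, when this
  # file loads, so the set of symbols never depends on request input.
  TYPES = {
    'text/html'        => :html,
    'application/json' => :json,
    'application/xml'  => :xml,
    'text/plain'       => :text,
  }.freeze

  # The pre-fix shape: interns whatever the client sent. On Ruby before 2.2,
  # symbols created this way are never garbage collected, so every novel
  # Accept value an attacker sends stays in memory for the process lifetime.
  def self.format_unsafe(accept_value)
    accept_value.to_s.strip.downcase.to_sym
  end

  # The post-fix shape: look the string up and hand back the symbol the
  # registry already owns. Unknown types yield nil; no symbol is created.
  def self.format_for(accept_value)
    TYPES[accept_value.to_s.strip.downcase]
  end

  # A cache keyed by format, in the spirit of "only use valid mime type
  # symbols as cache keys": unregistered input gets no key at all, so it can
  # neither intern a symbol nor grow the cache.
  def self.cache_key(accept_value)
    sym = format_for(accept_value)
    sym && [:formats, sym]
  end

  # Resolve a batch of Accept values (one per request, say) and report how
  # many were rejected; the resolved set can only ever be a subset of TYPES.
  def self.resolve_all(accept_values)
    resolved = accept_values.map { |v| format_for(v) }
    { resolved: resolved.compact.uniq, rejected: resolved.count(nil) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one legitimate header among attacker-chosen novel types.
  headers = ['application/json'] + (1..5).map { |i| "application/x-novel-#{i}" }
  p MimeRegistry.resolve_all(headers)
end
```

Ruby 2.2 and later garbage-collect symbols created dynamically by to_sym, so the unbounded-memory part of this bug is specific to older interpreters; the lookup discipline still matters, because a symbol that becomes a key in a long-lived cache (the case the Dec 1 commit addresses) is kept alive by that cache regardless of the interpreter.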
Commits on Dec 1, 2013
  1. @tenderlove

    Only use valid mime type symbols as cache keys

    tenderlove authored
    CVE-2013-6414
    
    Conflicts:
    	actionpack/lib/action_view/lookup_context.rb
Commits on Mar 16, 2013
  1. @tenderlove

    fix protocol checking in sanitization [CVE-2013-1857]

    tenderlove authored
    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
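An allow-list protocol check for URL-bearing attributes such as href and src, added here as an illustration of the kind of check the commit above touches; it is not the html-scanner sanitizer that the commit patches, and ProtoCheck, scheme_of, safe_url?, sanitize_href and filter_attrs are hypothetical names. It goes a little beyond the commit title by showing the normalisation (control characters, case) that a scheme check has to do before comparing against the list.

```ruby
# Added example of an allow-list protocol check for URL-bearing attributes
# (href, src). It is not the html-scanner sanitizer the commit patches;
# ProtoCheck and its methods are hypothetical names.

module ProtoCheck
  ALLOWED_SCHEMES = %w[http https mailto ftp].freeze

  # Extract the scheme the way a browser will see it: ASCII control
  # characters and spaces are dropped before the scheme is read (so a tab
  # inside "java\tscript" does not hide it), and the comparison is
  # case-insensitive. Stripping everywhere, not just at the start, is the
  # conservative choice: it can only turn more inputs into rejections.
  def self.scheme_of(url)
    cleaned = url.to_s.gsub(/[\x00-\x20]/, '')
    m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
    m && m[1].downcase
  end

  # Relative URLs (no scheme at all) are fine; anything with a scheme must be
  # on the allow list. The check must run on the entity-decoded attribute
  # value, i.e. after the HTML parser has turned &#106; back into "j".
  def self.safe_url?(url)
    scheme = scheme_of(url)
    scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
  end

  # Attribute-level policy: keep the value if safe, drop the attribute otherwise.
  def self.sanitize_href(url)
    safe_url?(url) ? url : nil
  end

  # Apply the policy to the attributes of one tag, returning those that survive.
  def self.filter_attrs(attrs, url_attrs = %w[href src])
    attrs.reject { |name, value| url_attrs.include?(name) && !safe_url?(value) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attribute sets, one benign and one with an obfuscated scheme.
  p ProtoCheck.filter_attrs('href' => '/docs', 'title' => 'ok')
  p ProtoCheck.filter_attrs('href' => "JaVa\tScRiPt:alert(1)", 'title' => 'ok')
end
```

The deny-list alternative (reject "javascript:") is what normalisation bugs defeat; with an allow list, a missed normalisation case can only reject a legitimate URL, never admit a dangerous one.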
  2. @charliesome @tenderlove
Commits on Jan 29, 2013
  1. @ndbroadbent @jsomara
Commits on Jan 28, 2013
  1. @tenderlove

    bumping to 3.0.20

    tenderlove authored
Commits on Jan 27, 2013
  1. @carlosantoniodasilva

    Fix failing test related to escaping include_blank in select_tag

    carlosantoniodasilva authored
    Rails 3.0.x doesn't have the :prompt option in select_tag; it was
    introduced in c5d54be, which is only
    available from 3.1.x on.
    
    The test and related fix were introduced in
    c979587 for Rails 3.0.17, as a fix for
    a security vulnerability. The code is completely fine, but the test was
    using the invalid :prompt option for this version, probably because it
    was cherry-picked from another branch which has the option.
Commits on Jan 12, 2013
  1. @pixeltrix
Commits on Jan 11, 2013
  1. @dylanahsmith
Commits on Jan 10, 2013
  1. @carlosantoniodasilva
Commits on Jan 8, 2013
  1. @tenderlove

    bumping version

    tenderlove authored
  2. @jeremy @tenderlove
  3. @tenderlove

    * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]

    tenderlove authored
    * dealing with empty hashes. Thanks Damien Mathieu
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    	activerecord/lib/active_record/relation/predicate_builder.rb
Commits on Dec 23, 2012
  1. @tenderlove

    bumping to 3.0.18

    tenderlove authored
  2. @tenderlove

    updating changelogs

    tenderlove authored
Commits on Aug 9, 2012
  1. @spastorino

    Bump to 3.0.17

    spastorino authored
  2. @spastorino

    Do not mark strip_tags result as html_safe

    spastorino authored
    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
  3. @spastorino

    escape select_tag :prompt values

    spastorino authored
    CVE-2012-3463
Commits on Aug 8, 2012
  1. @rafaelfranca
  2. @spastorino @tenderlove

    html_escape should escape single quotes

    spastorino authored tenderlove committed
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
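The escaping discipline behind the three Aug 2012 commits (escape select_tag :prompt values, do not mark strip_tags output html_safe, html_escape should escape single quotes), as one added example that is not Rails's ERB::Util or SafeBuffer code. Esc, Esc::Safe, html_escape_old, render, prompt_option and single_quoted_attr are hypothetical names; the pre-fix escaper is reconstructed from the commit title only (four entities, no apostrophe).

```ruby
# Added example for the escaping commits on this page (select_tag :prompt,
# strip_tags and html_safe, html_escape and single quotes). It is not Rails's
# ERB::Util or SafeBuffer code; Esc, Esc::Safe, html_escape_old and the
# helper names are hypothetical.

module Esc
  # The escaper as it behaved before the single-quote change: four entities.
  OLD_MAP = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze
  # After the change the apostrophe is escaped too, numerically, because
  # &apos; is not an HTML 4 entity and older browsers do not decode it.
  NEW_MAP = OLD_MAP.merge("'" => '&#39;').freeze

  def self.html_escape_old(s)
    s.to_s.gsub(/[&<>"]/, OLD_MAP)
  end

  def self.html_escape(s)
    s.to_s.gsub(/[&<>"']/, NEW_MAP)
  end

  # A string that has already been escaped (or was authored as markup).
  # The only way to produce one from untrusted input is to go through
  # html_escape, which is the discipline the strip_tags commit restores.
  class Safe < String; end

  # Output boundary: Safe strings pass through, everything else is escaped.
  def self.render(s)
    s.is_a?(Safe) ? s : Safe.new(html_escape(s))
  end

  # A crude tag stripper, kept deliberately simple; the point is that it
  # returns a plain String, so render still escapes whatever it leaves behind.
  def self.strip_tags(s)
    s.to_s.gsub(/<[^>]*>/, '')
  end

  # The <option> a select_tag :prompt renders, with the prompt escaped.
  def self.prompt_option(prompt, escaper = method(:html_escape))
    "<option value=\"\">#{escaper.call(prompt)}</option>"
  end

  # A single-quoted attribute: only the escaper that handles ' keeps an
  # injected value inside the quotes.
  def self.single_quoted_attr(name, value, escaper = method(:html_escape))
    "#{name}='#{escaper.call(value)}'"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload: closes the attribute early when ' is left alone.
  payload = "x' onmouseover='alert(1)"
  puts Esc.single_quoted_attr('title', payload, Esc.method(:html_escape_old))
  puts Esc.single_quoted_attr('title', payload)
  puts Esc.render(Esc.strip_tags("<b>Tom</b> & Jerry's"))
end
```

The OWASP rule linked in the commit covers element content, where the apostrophe is harmless; the single quote matters as soon as a value lands in a single-quoted attribute, which is why the escaper covers all five characters rather than deciding per call site.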
Commits on Jul 26, 2012
  1. @tenderlove

    bumping to 3.0.16

    tenderlove authored
  2. @tenderlove

    updating release date

    tenderlove authored
  3. @tenderlove

    updating changelog with CVE

    tenderlove authored
  4. @tenderlove
Commits on Jul 23, 2012
  1. @tenderlove

    updating changelogs

    tenderlove authored
Commits on Jun 13, 2012
  1. @tenderlove

    3.0.15

    tenderlove authored
Commits on Jun 12, 2012
  1. @tenderlove

    updating changelogs

    tenderlove authored
Commits on Jun 11, 2012
  1. @tenderlove

    bumping to 3.0.14

    tenderlove authored
  2. @tenderlove
  3. @tenderlove
  4. @tenderlove
Commits on May 31, 2012
  1. @tenderlove

    bumping to 3.0.13

    tenderlove authored
  2. @tenderlove

    updating CHANGELOGs

    tenderlove authored
  3. @tenderlove

    Merge branch '3-0-stable-sec' into 3-0-rel

    tenderlove authored
    * 3-0-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
Commits on May 30, 2012
  1. @tenderlove

    Strip [nil] from parameters hash.

    tenderlove authored
    Thanks to Ben Murphy for reporting this!
    
    CVE-2012-2660
    
    Conflicts:
    
    	actionpack/lib/action_dispatch/http/request.rb
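The class of bug behind "Strip [nil] from parameters hash" above and "Strip nils from collections on JSON and XML posts" (CVE-2013-0155, further up the page), as one added example that is not Rails's deep_munge or predicate builder: a parameter munger that collapses nil-only arrays, next to a toy where-clause builder that shows why an untouched [nil] reaches the database as IS NULL. ParamMunge, ToyPredicate and find_token_condition are hypothetical names, and the IS NULL expansion in the toy builder is an assumption stated in the code.

```ruby
# Added example for the "Strip [nil] from parameters hash" commit here and
# the "Strip nils from collections on JSON and XML posts" commit further up
# the page. It is not Rails's own deep_munge or predicate builder; ParamMunge,
# ToyPredicate and find_token_condition are hypothetical names.

module ParamMunge
  # Walk a parsed JSON/XML parameter tree. An array that contains nothing but
  # nils collapses to nil; other nils inside arrays are dropped; nested
  # hashes and arrays of hashes are walked the same way. An empty array stays
  # an empty array: the client sent nothing, not "a value that is null".
  def self.strip_nils(value)
    case value
    when Hash
      value.each_with_object({}) { |(k, v), out| out[k] = strip_nils(v) }
    when Array
      cleaned = value.map { |v| strip_nils(v) }.compact
      cleaned.empty? && !value.empty? ? nil : cleaned
    else
      value
    end
  end
end

module ToyPredicate
  # A deliberately small where-clause builder with the expansion many query
  # builders use (assumed here; quoting is simplified): nil means IS NULL,
  # an array means IN (...), and an array containing nil adds OR ... IS NULL.
  def self.build(column, value)
    case value
    when nil
      "#{column} IS NULL"
    when Array
      present = value.compact
      list = present.map(&:inspect).join(', ')
      if present.empty?
        "#{column} IS NULL"
      elsif present.size < value.size
        "#{column} IN (#{list}) OR #{column} IS NULL"
      else
        "#{column} IN (#{list})"
      end
    else
      "#{column} = #{value.inspect}"
    end
  end
end

# Typical application code: refuse blank tokens, then look the token up.
# [nil] is neither nil nor empty, so without munging it slips past the guard
# and the builder emits a clause that matches every row whose token is NULL.
def find_token_condition(params)
  token = params['token']
  return nil if token.nil? || (token.respond_to?(:empty?) && token.empty?)
  ToyPredicate.build('reset_token', token)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body, as a JSON/XML parser would hand it over.
  raw = { 'token' => [nil] }
  p find_token_condition(raw)                        # matches NULL tokens
  p find_token_condition(ParamMunge.strip_nils(raw)) # guard rejects it
end
```

Munging belongs at the request layer, before application code sees the parameters, because the guard that fails here (`nil?` / `empty?`) is the guard most application code already has; the munge makes the attacker-shaped value look like the blank value those guards were written for.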