Commits on Jan 9, 2013
  1. Merge pull request #8853 from zmoazeni/3-0-xml-serialization-fix

    carlosantoniodasilva committed Jan 9, 2013
    Methods that return nil should not be considered YAML
  2. Methods that return nil should not be considered YAML

    zmoazeni committed Jan 9, 2013
    This is a direct port of @jaw6's pull request
    #492. His cleanly applied to Rails
    v3.1 and v3.2, and this cleanly applies to v3.0.
    
    With yesterday's security patches
    http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
    there is now an issue with Rails v3.0 serving XML to any of the latest
    versions of ActiveResource.
    
    Without this, Rails v3.0 can serve XML to ActiveResource consumers that
    will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
  3. Merge pull request #8836 from sikachu/3-0-stable-fix-ars

    carlosantoniodasilva committed Jan 9, 2013
    Remove test for XML YAML parsing
  4. Remove test for XML YAML parsing

    sikachu committed Jan 9, 2013
    The support for YAML parsing in XML has been removed from Active Support
    since it introduced a security risk. See a494824 for more detail.
Commits on Jan 8, 2013
  1. bumping version

    tenderlove committed Jan 8, 2013
  2. * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]

    tenderlove committed Jan 4, 2013
    * dealing with empty hashes. Thanks Damien Mathieu
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    	activerecord/lib/active_record/relation/predicate_builder.rb
Commits on Dec 23, 2012
  1. bumping to 3.0.18

    tenderlove committed Dec 23, 2012
  2. updating changelogs

    tenderlove committed Dec 23, 2012
Commits on Aug 9, 2012
  1. Merge pull request #7308 from amerine/3-0-stable

    spastorino committed Aug 9, 2012
    Add html_escape note to CHANGELOG
  2. Bump to 3.0.17

    spastorino committed Aug 9, 2012
  3. Add CHANGELOG entries

    spastorino committed Aug 9, 2012
  4. Do not mark strip_tags result as html_safe

    spastorino committed Aug 8, 2012
    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
  5. escape select_tag :prompt values

    spastorino committed Aug 8, 2012
    CVE-2012-3463
Commits on Aug 8, 2012
  1. html_escape should escape single quotes

    spastorino committed with tenderlove Aug 1, 2012
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
Commits on Aug 4, 2012
  1. Backport of fix from #5173 - fixes #7252

    pixeltrix committed Aug 4, 2012
    Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
    datatypes, Active Record migrations use TEXT(n) where n is the limit
    specified by the developer. Unfortunately how MySQL interprets n
    depends on the column's encoding so any limit above 5592405 will be
    interpreted as a LONGTEXT when the encoding is UTF-8.
    
    This commit fixes this by interpreting the limit within the adapter
    and using the specific MySQL datatype as appropriate.
Commits on Jul 26, 2012
  1. bumping to 3.0.16

    tenderlove committed Jul 26, 2012
  2. updating release date

    tenderlove committed Jul 26, 2012
  3. updating changelog with CVE

    tenderlove committed Jul 26, 2012
Commits on Jul 23, 2012
  1. updating changelogs

    tenderlove committed Jul 23, 2012
Commits on Jun 13, 2012
  1. 3.0.15

    tenderlove committed Jun 13, 2012
Commits on Jun 12, 2012
  1. updating changelogs

    tenderlove committed Jun 12, 2012
Commits on Jun 11, 2012
  1. bumping to 3.0.14

    tenderlove committed Jun 11, 2012
  2. Merge branch '3-0-stable-sec' into 3-0-stable-rel

    tenderlove committed Jun 11, 2012
    * 3-0-stable-sec:
      Array parameters should not contain nil values.
      Additional fix for CVE-2012-2661
  3. Fix GH #3163. Should quote database on mysql/mysql2.

    kennyj committed with tenderlove Mar 3, 2012
    Conflicts:
    
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
    	activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    	activerecord/test/cases/adapters/mysql2/schema_test.rb