Commits on Nov 16, 2014
  1. correctly escape backslashes in request path globs

    Conflicts:
    	actionpack/lib/action_dispatch/middleware/static.rb
    
    make sure that unreadable files are also not leaked
    
    CVE-2014-7829
    
    Conflicts:
    	actionpack/lib/action_dispatch/middleware/static.rb
    tenderlove committed Nov 5, 2014
Commits on Oct 10, 2014
  1. FileHandler should not be called for files outside the root

    FileHandler#matches? should return false for files that are outside the
    "root" path.
    
    Conflicts:
    	actionpack/lib/action_dispatch/middleware/static.rb
    
    Conflicts:
    	actionpack/lib/action_dispatch/middleware/static.rb
    	actionpack/test/dispatch/static_test.rb
    tenderlove committed Oct 10, 2014
Commits on Feb 18, 2014
  1. Use the reference for the mime type to get the format

    Before, we were calling to_sym on the mime type, even when it is unknown,
    which can cause denial of service since symbols are not removed by the
    garbage collector.
    
    Fixes: CVE-2014-0082
    rafaelfranca committed Feb 12, 2014
Commits on Dec 4, 2013
  1. Merge pull request #13151 from hone/3-1-stable

    Backport Rails 3.2.16 Security Fixes to Rails 3.1.x
    tenderlove committed Dec 4, 2013
  2. Deep Munge the parameters for GET and POST

    The previous implementation of this functionality could be accidentally
    subverted by instantiating a raw Rack::Request before the first Rails::Request
    was constructed.
    
    Fixes CVE-2013-6417
    
    Conflicts:
    	actionpack/lib/action_dispatch/http/request.rb
    NZKoz committed with hone Nov 30, 2013
  3. Stop using i18n's built in HTML error handling.

    i18n doesn't depend on active support which means it can't use our html_safe
    code to do its escaping when generating the spans.  Rather than try to sanitize
    the output from i18n, just revert to our old behaviour of rescuing the error
    and constructing the tag ourselves.
    
    Fixes: CVE-2013-4491
    
    Conflicts:
    	actionpack/lib/action_view/helpers/translation_helper.rb
    
    Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
    NZKoz committed with hone Oct 31, 2013
  4. Escape the unit value provided to number_to_currency

    Fixes CVE-2013-6415
    
    Previously the values were trusted blindly allowing for potential XSS attacks.
    NZKoz committed with hone Nov 13, 2013
Commits on Dec 1, 2013
  1. Only use valid mime type symbols as cache keys

    CVE-2013-6414
    
    Conflicts:
    	actionpack/lib/action_view/lookup_context.rb
    tenderlove committed Dec 1, 2013
Commits on Apr 9, 2013
  1. Merge branch '3-1-later' into 3-1-stable

    * 3-1-later:
      adding test for CVE
    tenderlove committed Apr 9, 2013
Commits on Mar 18, 2013
  1. bumping to 3.1.12

    tenderlove committed Mar 18, 2013
Commits on Mar 16, 2013
  1. fix protocol checking in sanitization [CVE-2013-1857]

    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
    tenderlove committed Mar 15, 2013
  2. JDOM XXE Protection [CVE-2013-1856]

    Conflicts:
    	activesupport/test/xml_mini/jdom_engine_test.rb
    benmmurphy committed with tenderlove Feb 8, 2013
Commits on Feb 28, 2013
  1. Merge pull request #9475 from queso/update-mail

    Update gemspec to get mail 2.4 as the main version, 2.3.3 has security i...
    guilleiguaran committed Feb 28, 2013
Commits on Feb 27, 2013
  1. Revert "Merge pull request #9208 from dylanahsmith/3-2-mysql-quote-numeric"
    
    This reverts commit 921a296.
    steveklabnik committed Feb 27, 2013
Commits on Feb 16, 2013
  1. Merge pull request #9309 from joernchen/patch-2

    Update activemodel/CHANGELOG.md
    fxn committed Feb 16, 2013
  2. Update activemodel/CHANGELOG.md

    Fixed a typo ;)
    joernchen committed Feb 16, 2013
Commits on Feb 14, 2013
  1. Fix changelog typos [ci skip]

    Thanks to @jmccartie.
    carlosantoniodasilva committed Feb 14, 2013
Commits on Feb 12, 2013
  1. Update changelogs with version/release dates [ci skip]

    Also add note about attr_protected change.
    carlosantoniodasilva committed Feb 12, 2013
Commits on Feb 11, 2013
  1. bumping to 3.1.11

    tenderlove committed Feb 11, 2013
Commits on Feb 10, 2013
  1. adding test for CVE

    tenderlove committed Feb 10, 2013
  2. Fix issue with attr_protected where malformed input could circumvent protection
    
    Fixes: CVE-2013-0276
    joernchen committed with tenderlove Feb 9, 2013
Commits on Feb 8, 2013
  1. Merge pull request #9226 from robertomiranda/fix-bigdecimal-test

    [3.1] Fix test failure for ruby 1.8
    guilleiguaran committed Feb 8, 2013
  2. Merge pull request #9209 from dylanahsmith/3-1-mysql-quote-numeric

    [3.1] active_record: Quote numeric values compared to string columns.
    guilleiguaran committed Feb 8, 2013
Commits on Feb 7, 2013
Commits on Jan 26, 2013
Commits on Jan 16, 2013
  1. Update mocha version to 0.13.0 and change requires

    Conflicts:
    	Gemfile
    	railties/test/application/route_inspect_test.rb
    	railties/test/generators_test.rb
    carlosantoniodasilva committed Nov 12, 2012
  2. Merge pull request #8871 from freerange/3-1-stable-with-mocha-fixes

    Fix 3-1-stable to work with Mocha >= v0.13.0
    rafaelfranca committed Jan 16, 2013
  3. Fix 3-1-stable to work with Mocha >= v0.13.0

    A) Update code in ActiveSupport which monkey-patches Test::Unit to
    include Mocha bug fix.
    
    A bug was fixed [1] in Mocha's integration with Test::Unit, but this
    monkey-patching code was copied before the fix. We need to copy the
    fixed version.
    
    The bug meant that an unexpected invocation against a mock within the
    teardown method caused a test *error* and not a test *failure*.
    
    B) Fix for Test::Unit/Mocha compatibility.
    
    Mocha is now using a single AssertionCounter which needs a reference to
    the testcase as opposed to the result.
    
    This change is an unfortunate consequence of the copying of a chunk of
    Mocha's internal code in order to monkey-patch Test::Unit.
    
    C) Avoid a Mocha deprecation warning.
    
    [1]
    freerange/mocha@f1ff647#diff-5
    floehopper committed Aug 26, 2012
Commits on Jan 12, 2013