Skip to content
This repository

Feb 18, 2014

  1. Rafael Mendonça França

    Use the reference for the mime type to get the format

    Before we were calling to_sym in the mime type, even when it is unknown
    what can cause denial of service since symbols are not removed by the
    garbage collector.
    
    Fixes: CVE-2014-0082
    authored February 11, 2014

Dec 04, 2013

  1. Michael Koziarski

    Deep Munge the parameters for GET and POST

    The previous implementation of this functionality could be accidentally
    subverted by instantiating a raw Rack::Request before the first Rails::Request
    was constructed.
    
    Fixes CVE-2013-6417
    
    Conflicts:
    	actionpack/lib/action_dispatch/http/request.rb
    authored November 30, 2013 hone committed December 03, 2013
  2. Michael Koziarski

    Stop using i18n's built in HTML error handling.

    i18n doesn't depend on active support which means it can't use our html_safe
    code to do its escaping when generating the spans.  Rather than try to sanitize
    the output from i18n, just revert to our old behaviour of rescuing the error
    and constructing the tag ourselves.
    
    Fixes: CVE-2013-4491
    
    Conflicts:
    	actionpack/lib/action_view/helpers/translation_helper.rb
    
    Backport: 50afd8e
    authored November 01, 2013 hone committed December 03, 2013
  3. Michael Koziarski

    Escape the unit value provided to number_to_currency

    Fixes CVE-2013-6415
    
    Previously the values were trusted blindly allowing for potential XSS attacks.
    authored November 13, 2013 hone committed December 03, 2013

Dec 01, 2013

  1. Aaron Patterson

    Only use valid mime type symbols as cache keys

    CVE-2013-6414
    
    Conflicts:
    	actionpack/lib/action_view/lookup_context.rb
    authored November 30, 2013

Mar 18, 2013

  1. Aaron Patterson

    bumping to 3.1.12

    authored March 18, 2013

Mar 16, 2013

  1. Aaron Patterson

    fix protocol checking in sanitization [CVE-2013-1857]

    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
    authored March 15, 2013
  2. Charlie Somerville

    fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]

    authored February 13, 2013 tenderlove committed March 15, 2013

Feb 11, 2013

  1. Aaron Patterson

    bumping to 3.1.11

    authored February 10, 2013

Jan 12, 2013

  1. Andrew White

    Remove unnecessary caching of ParameterFilter

    authored January 12, 2013

Jan 11, 2013

  1. Dylan Thacker-Smith

    Fix JSON params parsing regression for non-object JSON content.

    Backports #8855.
    authored January 09, 2013

Jan 09, 2013

  1. Carlos Antonio da Silva

    Fix a few warnings of unused variables

Jan 08, 2013

  1. Aaron Patterson

    bumping version

    authored January 07, 2013
  2. Aaron Patterson

    * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] …

    …* dealing with empty hashes. Thanks Damien Mathieu
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    authored January 04, 2013
  3. Santiago Pastorino

    Avoid Rack security warning no secret provided

    This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
    authored January 08, 2013

Dec 23, 2012

  1. Aaron Patterson

    bumping version to 3.1.9

    authored December 23, 2012

Aug 09, 2012

  1. Santiago Pastorino

    Bump to 3.1.8

    authored August 09, 2012
  2. Santiago Pastorino

    Do not mark strip_tags result as html_safe

    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
    authored August 08, 2012
  3. Santiago Pastorino

    escape select_tag :prompt values

    CVE-2012-3463
    authored August 08, 2012

Jul 26, 2012

  1. Aaron Patterson

    bumping to 3.1.7

    authored July 26, 2012
  2. Aaron Patterson

    * Do not convert digest auth strings to symbols. CVE-2012-3424

    authored July 26, 2012

Jun 11, 2012

  1. Aaron Patterson

    bumping version numbers

    authored June 11, 2012
  2. Aaron Patterson

    Array parameters should not contain nil values.

    authored June 10, 2012

May 31, 2012

  1. Aaron Patterson

    bumping to 3.1.5

    authored May 31, 2012
  2. Aaron Patterson

    Merge branch '3-1-stable-sec' into 3-1-rel

    * 3-1-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
    authored May 31, 2012

May 30, 2012

  1. Aaron Patterson

    Strip [nil] from parameters hash.

    Thanks to Ben Murphy for reporting this!
    
    CVE-2012-2660
    authored May 30, 2012

May 28, 2012

  1. Aaron Patterson

    bumping to 3.1.5.rc1

    authored May 28, 2012

May 13, 2012

  1. Rafael Mendonça França

    Merge pull request #3237 from sakuro/data-url-scheme

    Support data: url scheme

May 10, 2012

  1. Andrew White

    Don't ignore nil positional arguments for url helpers - fixes #6196.

    authored May 10, 2012
  2. Andrew White

    Refactor the handling of default_url_options in integration tests

    This commit improves the handling of default_url_options in integration
    tests by making behave closer to how a real application operates.
    
    Specifically the following issues have been addressed:
    
    * Options specified in routes.rb are used (fixes #546)
    * Options specified in controllers are used
    * Request parameters are recalled correctly
    * Tests can override default_url_options directly
    authored May 10, 2012

May 04, 2012

  1. Dmitry Vorotilin

    Fix #3993 assets:precompile task does not detect index files

    authored May 01, 2012

May 02, 2012

  1. Andrew White

    Reset the request parameters after a constraints check

    A callable object passed as a constraint for a route may access the request
    parameters as part of its check. This causes the combined parameters hash
    to be cached in the environment hash. If the constraint fails then any subsequent
    access of the request parameters will be against that stale hash.
    
    To fix this we delete the cache after every call to `matches?`. This may have a
    negative performance impact if the contraint wraps a large number of routes as the
    parameters hash is built by merging GET, POST and path parameters.
    
    Fixes #2510.
    (cherry picked from commit 5603050)
    authored May 02, 2012

Apr 30, 2012

  1. Will Bryant

    fix the Flash middleware loading the session on every request (very d…

    …angerous especially with Rack::Cache), it should only be loaded when the flash method is called
    authored January 24, 2012 drogus committed April 30, 2012

Apr 29, 2012

  1. Andrew White

    Escape interpolated params when redirecting - fixes #5688

    authored April 29, 2012
  2. Andrew White

    Don't convert params if the request isn't HTML - fixes #5341

    (cherry picked from commit d6bbd33)
    authored April 29, 2012
Something went wrong with that request. Please try again.