Commits on Sep 14, 2016
  1. bumping version

    tenderlove committed Sep 14, 2016
  2. Merge pull request #26495 from johnnyshields/fix-3-2-specs

    [WIP] Fix tests for 3-2-stable
    rafaelfranca committed on GitHub Sep 14, 2016
  3. Fix failing tests on 3-2-stable branch:

    - Set sudo: false in .travis.yml which uses latest travis engine and fixes some failing specs
    - Use older version of gems in Gemfile if RUBY_VERSION < '1.9.3' (no change to .gemspec)
    - Fix two cases of hash rockets in tests (required for Ruby 1.8.7)
    - Skip failing test "test_ensure_that_migration_tasks_work_with_mountable_option" which breaks due to Bundler no longer accepting the default generated .gemspec format.
    - Skip railties specs on Ruby 1.8.7 (mark as an allowed failure.)
    johnnyshields committed Sep 14, 2016
Commits on Aug 21, 2016
  1. adds a couple of missing requires

    fxn committed Aug 21, 2016
Commits on Aug 12, 2016
  1. Merge pull request #26131 from smellsblue/dont-fail-on-non-string

    Remove dead code and ensure values are strings before calling gsub
    rafaelfranca committed on GitHub Aug 12, 2016
Commits on Aug 11, 2016
  1. Merge branch '3-2-22-3' into 3-2-stable

    * 3-2-22-3:
      bumping version
      Include missing module in tag_helper
    tenderlove committed Aug 11, 2016
  2. bumping version

    tenderlove committed Aug 11, 2016
  3. Include missing module in tag_helper

    Since 6857415 we are using #safe_join to
    join the content when an Array is given, so we must include the dependent
    module here to make sure it's available when this module is used alone.
    
    This was making Simple Form tests fail with current master due to the
    missing dependency.
    carlosantoniodasilva committed with tenderlove Jul 9, 2014
  4. Merge branch '3-2-22-3' into 3-2-stable

    * 3-2-22-3:
      bumping version
      ensure tag/content_tag escapes " in attribute vals
    tenderlove committed Aug 11, 2016
Commits on Aug 10, 2016
  1. bumping version

    tenderlove committed Aug 10, 2016
  2. ensure tag/content_tag escapes " in attribute vals

    Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
    
    CVE-2016-6316
    andrewcarpenter committed with tenderlove Jul 28, 2016
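The attribute-quoting problem described in the commit above, reduced to a self-contained example (added here; this is not the Rails code from the commit). `HtmlSafeString` is a constructed stand-in for a string a helper such as `sanitize` has already marked HTML-safe, and `tag_option_vulnerable` / `tag_option_fixed` are hypothetical names for the before and after behaviour of attribute rendering.

```ruby
require "erb"

# Constructed stand-in for a string some helper (e.g. sanitize) has marked
# "already HTML-safe"; escaping helpers normally skip such values.
class HtmlSafeString < String
  def html_safe?
    true
  end
end

def html_safe?(value)
  value.is_a?(HtmlSafeString)
end

# Pre-fix behaviour (hypothetical name): a value flagged html_safe is
# interpolated verbatim, so an embedded double quote closes the attribute
# early and whatever follows becomes new attributes.
def tag_option_vulnerable(key, value)
  value = ERB::Util.html_escape(value) unless html_safe?(value)
  %(#{key}="#{value}")
end

# Post-fix behaviour (hypothetical name): escape untrusted values as before,
# but ALWAYS neutralise double quotes, because inside a double-quoted
# attribute a literal " changes the parse no matter how "safe" the rest is.
def tag_option_fixed(key, value)
  value = ERB::Util.html_escape(value) unless html_safe?(value)
  %(#{key}="#{value.to_s.gsub('"', "&quot;")}")
end

# Constructed input: text with no tags to strip, so a sanitizer keeps it and
# marks it safe, yet it still carries a double quote (same shape as the
# example in the commit message).
SANITIZED_TITLE = HtmlSafeString.new('" onmouseover="alert(1);//')

def demo
  {
    vulnerable: tag_option_vulnerable("title", SANITIZED_TITLE),
    fixed:      tag_option_fixed("title", SANITIZED_TITLE),
    untrusted:  tag_option_fixed("title", '<b>"x"</b>'),
  }
end

if __FILE__ == $0
  demo.each { |name, html| puts "#{name}: #{html}" }
end
```

The `untrusted` entry shows that plain (non-safe) values are still fully HTML-escaped; the quote replacement is a second, unconditional pass rather than a substitute for escaping.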
Commits on May 21, 2016
  1. Merge pull request #25043 from tlrdstd/support_ruby_2_3

    Associations do not call `.to_proc` on Hash
    rafaelfranca committed May 21, 2016
Commits on Mar 14, 2016
  1. update rendering comment

    [skip ci]
    arthurnn committed Mar 14, 2016
Commits on Mar 2, 2016
  1. fix 1.8 hash syntax

    arthurnn committed Mar 2, 2016
  2. Add missing require to file

    arthurnn committed Mar 2, 2016
Commits on Feb 29, 2016
  1. Don't allow render(params) in view/controller

    `render(params)` is dangerous and could be a vector for attackers.
    
    Don't allow calls to render passing params on views or controllers.
    
    On a controller or view, we should not allow something like
    `render params[:id]` or `render params`.
    That could be problematic, because an attacker could pass input that
    could lead to a remote code execution attack.
    
    This patch is also compatible when using strong parameters.
    
    CVE-2016-2098
    arthurnn committed with rafaelfranca Feb 2, 2016
  2. Complete work on 3.2 for render_data_leak patch.

    Render could leak access to external files before this patch.
    A previous patch (CVE-2016-0752) attempted to fix this. However, the tests
    were misplaced outside the TestCase subclass, so they were not running.
    
    We should allow :file to be outside rails root, but anything else must
    be inside the rails view directory.
    
    The implementation has changed a bit though. Now the patch is more
    similar to the 4.x series patches.
    Now `render 'foo/bar'` will add a special key in the options
    hash, and not use the :file one, so when we look up that file, we
    don't set the fallbacks, and only look up a template, to constrain the
    folders that can be accessed.
    
    CVE-2016-2097
    arthurnn committed with rafaelfranca Feb 2, 2016
Commits on Feb 2, 2016
  1. Generated engines should protect from forgery

    Generated engines should call `protect_from_forgery`.  If this method
    isn't called, then the Engine could be susceptible to XSS attacks.
    Thanks @tomekr for reporting this to us!
    
    Conflicts:
    	railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    	railties/test/generators/plugin_generator_test.rb
    tenderlove committed Feb 2, 2016
Commits on Jan 28, 2016
  1. Run `file.close` before unlinking for travis

    This works on OSX but for some reason travis is throwing a
    ```
      1) Error:
    ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
    NoMethodError: undefined method `unlink' for nil:NilClass
    ```
    Looking at other tests in Railties the file has a name and we close
    it before unlinking, so I'm going to try that.
    eileencodes committed Jan 28, 2016
  2. Fix hash syntax for 1.8.7

    Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
    eileencodes committed Jan 28, 2016
  3. Regression test for rendering file from absolute path

    Test that we are not allowing you to grab a file with an absolute path
    outside of your application directory. This is dangerous because it
    could be used to retrieve files from the server like `/etc/passwd`.
    eileencodes committed Jan 28, 2016
Commits on Jan 26, 2016
  1. Lock test-unit to 3.0.x releases

    Due to a change in test-unit 3.1.6 that supports yielding from setup to
    run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.
    pixeltrix committed Jan 26, 2016
Commits on Jan 25, 2016
  1. Merge pull request #23250 from simi/3-2-stable-1-8

    Fix 3-2-stable 1.8 compatibility.
    tenderlove committed Jan 25, 2016
  2. Use Ruby 1.8 compat syntax in test of security fix in activerecord/te…

    …st/cases/nested_attributes_test.rb.
    simi committed Jan 25, 2016
  3. Merge branch '3-2-sec' into 3-2-stable

    * 3-2-sec:
      bumping version
      allow :file to be outside rails root, but anything else must be inside the rails view directory
      Don't short-circuit reject_if proc
      stop caching mime types globally
      use secure string comparisons for basic auth username / password
    tenderlove committed Jan 25, 2016
  4. bumping version

    tenderlove committed Jan 25, 2016
Commits on Jan 22, 2016
  1. allow :file to be outside rails root, but anything else must be insid…

    …e the rails view directory
    
    Conflicts:
    	actionpack/test/controller/render_test.rb
    	actionview/lib/action_view/template/resolver.rb
    
    CVE-2016-0752
    tenderlove committed Jan 20, 2016
  2. Don't short-circuit reject_if proc

    When updating an associated record via nested attribute hashes the
    reject_if proc could be bypassed if the _destroy flag was set in the
    attribute hash and allow_destroy was set to false.
    
    The fix is to only short-circuit if the _destroy flag is set and the
    option allow_destroy is set to true. It also fixes an issue where
    a new record wasn't created if _destroy was set and the option
    allow_destroy was set to false.
    
    CVE-2015-7577
    pixeltrix committed with tenderlove Nov 27, 2015