Commits on Feb 2, 2016
  1. @tenderlove

    Generated engines should protect from forgery

    tenderlove committed
    Generated engines should call `protect_from_forgery`.  If this method
    isn't called, then the Engine could be susceptible to XSS attacks.
    Thanks @tomekr for reporting this to us!
    
    Conflicts:
    	railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    	railties/test/generators/plugin_generator_test.rb
Commits on Jan 28, 2016
  1. @eileencodes

    Run `file.close` before unlinking for travis

    eileencodes committed
    This works on OSX but for some reason travis is throwing a
    ```
      1) Error:
    ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
    NoMethodError: undefined method `unlink' for nil:NilClass
    ```
    Looking at other tests in Railties the file has a name and we close
    it before unlinking, so I'm going to try that.
  2. @eileencodes

    Fix hash syntax for 1.8.7

    eileencodes committed
    Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
  3. @eileencodes

    Regression test for rendering file from absolute path

    eileencodes committed
    Test that we are not allowing you to grab a file with an absolute path
    outside of your application directory. This is dangerous because it
    could be used to retrieve files from the server like `/etc/passwd`.
Commits on Jan 26, 2016
  1. @pixeltrix

    Lock test-unit to 3.0.x releases

    pixeltrix committed
    Due to a change in test-unit 3.1.6 that supports yielding from setup to
    run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.
Commits on Jan 25, 2016
  1. @pixeltrix

    Use 1.8 compatible hash syntax

    pixeltrix committed
  2. @tenderlove

    Merge pull request #23250 from simi/3-2-stable-1-8

    tenderlove committed
    Fix 3-2-stable 1.8 compatibility.
  3. @simi

    Use Ruby 1.8 compat syntax in test of security fix in activerecord/test/cases/nested_attributes_test.rb.

    simi committed
  4. @simi
  5. @tenderlove

    Merge branch '3-2-sec' into 3-2-stable

    tenderlove committed
    * 3-2-sec:
      bumping version
      allow :file to be outside rails root, but anything else must be inside the rails view directory
      Don't short-circuit reject_if proc
      stop caching mime types globally
      use secure string comparisons for basic auth username / password
  6. @tenderlove

    bumping version

    tenderlove committed
Commits on Jan 22, 2016
  1. @tenderlove

    allow :file to be outside rails root, but anything else must be inside the rails view directory

    tenderlove committed
    
    Conflicts:
    	actionpack/test/controller/render_test.rb
    	actionview/lib/action_view/template/resolver.rb
    
    CVE-2016-0752
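The regression test above ("not allowing you to grab a file with an absolute path outside of your application directory") and this commit describe the same rule: an explicit `render file:` may point anywhere, every other template name must resolve inside the view directory. The following is an added example of that containment check, not Rails' own resolver code; the view root and template names are constructed values and nothing is opened on disk.

```ruby
# Added example (not Rails code): a template path resolver that lets an explicit
# `render file:` path live anywhere on disk, but forces every other template
# name to resolve inside the application's view directory.

class TemplatePathError < StandardError; end

# Returns the absolute path the template name resolves to, or raises when a
# non-`file:` name escapes the view root. `view_root` is an assumed constant
# path for the example, not read from a Rails configuration.
def resolve_template(name, view_root:, file: false)
  root = File.expand_path(view_root)

  # `render file:` is intentionally allowed outside the view root.
  return File.expand_path(name) if file

  # A NUL byte makes File.expand_path raise ArgumentError; reject it up front.
  raise TemplatePathError, "NUL byte in template name" if name.include?("\0")

  # "~user" expands to a home directory regardless of the base directory, and an
  # unknown user raises ArgumentError, so refuse tilde names outright.
  raise TemplatePathError, "tilde expansion not allowed: #{name.inspect}" if name.start_with?("~")

  # Join to the root and normalise: ".." segments collapse, and an absolute
  # `name` ignores the root entirely, so the result must be checked afterwards.
  candidate = File.expand_path(name, root)

  # Compare with a trailing separator so "/app/views_evil" is not accepted as a
  # child of "/app/views".
  unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
    raise TemplatePathError, "#{name.inspect} resolves to #{candidate}, outside #{root}"
  end
  candidate
end

# Boolean wrapper for callers that only need an allow/deny answer.
def template_allowed?(name, view_root:, file: false)
  resolve_template(name, view_root: view_root, file: file)
  true
rescue TemplatePathError
  false
end
```

The check is done on the normalised path rather than on the raw name, so `../` sequences, absolute paths and sibling directories sharing a prefix with the root are all handled by one comparison.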
  2. @pixeltrix @tenderlove

    Don't short-circuit reject_if proc

    pixeltrix committed with tenderlove
    When updating an associated record via nested attribute hashes the
    reject_if proc could be bypassed if the _destroy flag was set in the
    attribute hash and allow_destroy was set to false.
    
    The fix is to only short-circuit if the _destroy flag is set and the
    option allow_destroy is set to true. It also fixes an issue where
    a new record wasn't created if _destroy was set and the option
    allow_destroy was set to false.
    
    CVE-2015-7577
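The bypass described in this commit is easiest to see with the two short-circuits side by side. The following is an added example, not ActiveRecord's nested attributes implementation: a plain Hash stands in for the model, and the `reject_if` guard and attribute hashes are constructed for the scenario.

```ruby
# Added example (not Rails code): a stripped-down model of how a nested
# attributes `reject_if` proc interacts with the `_destroy` flag and the
# `allow_destroy` option, showing the bypass beside the fixed short-circuit.

TRUTHY = %w[1 true t yes on].freeze

def destroy_flag?(attrs)
  value = attrs["_destroy"] || attrs[:_destroy]
  value == true || TRUTHY.include?(value.to_s.downcase)
end

# Vulnerable short-circuit: keyed on the flag alone, so any request carrying
# `_destroy: "1"` skips `reject_if` even when destruction is not allowed.
def rejected_vulnerable?(attrs, allow_destroy:, reject_if:)
  return false if destroy_flag?(attrs)
  reject_if.call(attrs)
end

# Fixed short-circuit: only skip `reject_if` when the record will actually be
# destroyed, i.e. the flag is set AND allow_destroy is true.
def rejected_fixed?(attrs, allow_destroy:, reject_if:)
  return false if allow_destroy && destroy_flag?(attrs)
  reject_if.call(attrs)
end

# Applies a nested attribute hash to an existing record (a Hash here, standing
# in for an ActiveRecord model). Returns an updated copy; `fixed:` selects which
# short-circuit is used.
def assign_nested(record, attrs, allow_destroy:, reject_if:, fixed: true)
  updated = record.dup
  rejected =
    if fixed
      rejected_fixed?(attrs, allow_destroy: allow_destroy, reject_if: reject_if)
    else
      rejected_vulnerable?(attrs, allow_destroy: allow_destroy, reject_if: reject_if)
    end
  return updated if rejected

  if allow_destroy && destroy_flag?(attrs)
    updated[:marked_for_destruction] = true
    return updated
  end

  attrs.each { |k, v| updated[k.to_s] = v unless k.to_s == "_destroy" }
  updated
end

# Constructed guard: the application uses reject_if to stop the admin flag from
# being mass-assigned through nested attributes.
REJECT_ADMIN_CHANGES = ->(attrs) { attrs.key?("admin") }
```

With `allow_destroy: false`, the vulnerable version lets `{"admin" => true, "_destroy" => "1"}` through and the record is not destroyed, so the attacker gets the attribute change; the fixed version consults `reject_if` because the record will not be destroyed.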
  3. @tenderlove

    stop caching mime types globally

    tenderlove committed
    Unknown mime types should not be cached globally.  This global cache
    leads to a memory leak and a denial of service vulnerability.
    
    CVE-2016-0751
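The leak comes from the shape of the lookup table, not from any one entry: a registry whose miss path writes the unknown key back grows by one object per distinct attacker-supplied type. The following is an added example contrasting the two shapes, not Action Dispatch's `Mime::Type` code; the registered types and the probe Accept values are constructed.

```ruby
# Added example (not Rails code): two shapes of a process-wide MIME type
# registry. The first stores every unknown type it is asked about, so
# attacker-controlled Accept headers grow it without bound; the second builds
# unknown types on the fly and retains only registered ones.

MimeType = Struct.new(:string)

KNOWN_TYPES = %w[text/html application/json application/xml].freeze

def build_registry(store_unknown:)
  registry =
    if store_unknown
      # Vulnerable shape: the default block assigns into the hash on every miss.
      Hash.new { |h, k| h[k] = MimeType.new(k) unless k.empty? }
    else
      # Fixed shape: a miss returns a fresh object and writes nothing.
      Hash.new { |_h, k| MimeType.new(k) unless k.empty? }
    end
  KNOWN_TYPES.each { |s| registry[s] = MimeType.new(s) }
  registry
end

# Resolves an Accept value to a type object; nil for an empty string.
def lookup(registry, accept_value)
  registry[accept_value]
end

# Simulates `count` requests, each with a unique, never-registered Accept value
# (constructed input), and returns how many entries the registry gained.
def registry_growth(registry, count)
  before = registry.size
  count.times { |i| lookup(registry, "application/x-probe-#{i}") }
  registry.size - before
end
```

Both registries answer the same lookups; the only observable difference under a flood of unique `Accept` values is that the vulnerable one never stops growing.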
  4. @tenderlove

    use secure string comparisons for basic auth username / password

    tenderlove committed
    this will avoid timing attacks against applications that use basic auth.
    
    Conflicts:
    	activesupport/lib/active_support/security_utils.rb
    
    Conflicts:
    	actionpack/lib/action_controller/metal/http_authentication.rb
    
    CVE-2015-7576
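A plain `==` on strings returns at the first differing byte, so an attacker who can measure response time learns how many leading bytes of the credential matched. The following is an added example of the comparison style this commit switches to and of a Basic auth check built on it; it is not Action Controller's `http_basic_authenticate_with` code, and the credentials in the usage are constructed.

```ruby
# Added example (not Rails code): a constant-time string comparison in the
# style of ActiveSupport::SecurityUtils.secure_compare, used to check HTTP
# Basic credentials without leaking how many leading bytes matched.
require "digest"

# Compares two strings of equal byte length in time that does not depend on
# where (or whether) they differ: every byte is XORed and OR-accumulated.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, "string lengths differ" unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# Hashing both inputs first yields equal-length operands and hides the secret's
# length; the trailing `a == b` only runs on a digest match and guards against
# a collision.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.hexdigest(a), Digest::SHA256.hexdigest(b)) && a == b
end

# Checks an `Authorization: Basic ...` header value against the expected
# credentials (passed in as parameters; the example assumes a single account).
def authenticate_basic(header, username:, password:)
  return false unless header.is_a?(String) && header.start_with?("Basic ")
  begin
    decoded = header.delete_prefix("Basic ").unpack1("m0") # strict base64
  rescue ArgumentError
    return false
  end
  user, pass = decoded.split(":", 2)
  return false if user.nil? || pass.nil?

  # Evaluate both comparisons and combine with `&`, not `&&`, so a wrong
  # username does not return before the password has been examined.
  user_ok = secure_compare(user, username)
  pass_ok = secure_compare(pass, password)
  user_ok & pass_ok
end
```

Malformed headers (missing scheme, invalid base64, no colon) are rejected before any comparison runs; only well-formed credentials reach the constant-time path.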
Commits on Jan 15, 2016
  1. @arthurnn

    update bundler message

    arthurnn committed
  2. @arthurnn
  3. @arthurnn

    Fix mysql2 build

    arthurnn committed
    mysql 0.3.x is forced here: activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
Commits on Jan 14, 2016
  1. @arthurnn
Commits on Jun 18, 2015
  1. @rafaelfranca

    Merge pull request #20629 from moklett/patch-1

    rafaelfranca committed
    Fix typo in version number
  2. @moklett

    Fix typo in version number

    moklett committed
    Fixes a simple copy-and-paste mistake by bumping the patch version number in the CHANGELOG.
Commits on Jun 16, 2015
  1. @rafaelfranca
  2. @rafaelfranca
  3. @rafaelfranca
  4. @tenderlove @rafaelfranca

    enforce a depth limit on XML documents

    tenderlove committed with rafaelfranca
    XML documents that are too deep can cause a stack overflow, which in
    turn will cause a potential DoS attack.
    
    CVE-2015-3227
    
    Conflicts:
    	activesupport/lib/active_support/xml_mini.rb
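The guard this commit adds is cheap to apply before any tree is built: count element depth while scanning and abort once it exceeds a limit. The following is an added example of such a guard, not ActiveSupport's `XmlMini` code; it uses a small tag scanner rather than a full XML parser (an assumption that the input is well-formed markup without comments or CDATA), and the nested documents it is tested against are constructed.

```ruby
# Added example (not Rails code): a depth guard for XML input that walks tags
# with a lightweight scanner and stops as soon as nesting exceeds the limit.

class XmlTooDeep < StandardError; end

# Matches an opening, closing or self-closing element tag. Processing
# instructions (<?...?>) and declarations (<!...>) do not start with a name
# character after "<" and are skipped. Assumes well-formed markup.
TAG = %r{<(/)?([A-Za-z_][\w.:-]*)[^<>]*?(/)?>}

# Returns the maximum element depth seen, or raises XmlTooDeep the moment
# `max_depth` is exceeded, so a hostile document is rejected early.
def check_xml_depth(xml, max_depth: 64)
  depth = 0
  deepest = 0
  xml.scan(TAG) do |closing, _name, self_closing|
    if closing
      depth -= 1
    elsif self_closing
      # <a/> sits one level below its parent but opens nothing.
      raise XmlTooDeep, "element depth #{depth + 1} exceeds limit of #{max_depth}" if depth + 1 > max_depth
      deepest = depth + 1 if depth + 1 > deepest
    else
      depth += 1
      raise XmlTooDeep, "element depth #{depth} exceeds limit of #{max_depth}" if depth > max_depth
      deepest = depth if depth > deepest
    end
  end
  deepest
end

# Boolean wrapper for callers that only need accept/reject.
def xml_within_limit?(xml, max_depth: 64)
  check_xml_depth(xml, max_depth: max_depth)
  true
rescue XmlTooDeep
  false
end

# Builds a document nested `n` levels deep (constructed attack input).
def nested_xml(n)
  "<?xml version=\"1.0\"?>" + ("<a>" * n) + "x" + ("</a>" * n)
end
```

Because the scanner raises on the first tag past the limit, the cost of rejecting a deeply nested document is proportional to the limit, not to the size of the attacker's input.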
Commits on Jan 29, 2015
  1. @rafaelfranca

    Merge pull request #18718 from jgeiger/fix_ruby_2_2_comparable_warnings

    rafaelfranca committed
    Fix ruby 2.2 comparable warnings
  2. @jgeiger

    Fix ruby 2.2 comparable warnings

    jgeiger committed
    Check for correct value type in activerecord/fixtures.rb
    Check that zone can respond to expected values to make the comparison.
Commits on Jan 7, 2015
  1. @rafaelfranca
  2. @rafaelfranca
  3. @rafaelfranca

    Remove hard dependency on test-unit

    rafaelfranca committed
    Instead show an error message asking users to add the gem to their
    Gemfile if test-unit could not be loaded.
  4. @rafaelfranca

    Merge pull request #18306 from tmm1/rm-3-2-with-ruby-2-1-plus

    rafaelfranca committed
    3-2-stable: ruby 2.2 compatibility
Commits on Jan 5, 2015
  1. @tmm1

    add parens to fix warning

    tmm1 committed
Commits on Jan 3, 2015
  1. @tmm1
  2. @tmm1
  3. @vipulnsward @tmm1

    Fix `singleton_class?`

    vipulnsward committed with tmm1
    Due to changes from http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/39628 current `singleton_class?` implementation fails.
    Changed based on reference from http://bugs.ruby-lang.org/issues/7609
    
    Conflicts:
    	activesupport/lib/active_support/core_ext/class/attribute.rb