Commits on Aug 21, 2016
  1. @fxn

    adds a couple of missing requires

    fxn committed Aug 21, 2016
Commits on Aug 12, 2016
  1. @rafaelfranca

    Merge pull request #26131 from smellsblue/dont-fail-on-non-string

    Remove dead code and ensure values are strings before calling gsub
    rafaelfranca committed on GitHub Aug 12, 2016
  2. @smellsblue
Commits on Aug 11, 2016
  1. @tenderlove

    Merge branch '3-2-22-3' into 3-2-stable

    * 3-2-22-3:
      bumping version
      Include missing module in tag_helper
    tenderlove committed Aug 11, 2016
  2. @tenderlove

    bumping version

    tenderlove committed Aug 11, 2016
  3. @carlosantoniodasilva @tenderlove

    Include missing module in tag_helper

    Since 6857415 we are using #safe_join to
    join the content when an Array is given, so we must include the dependent
    module here to make sure it's available when this module is used alone.
    
    This was making Simple Form tests fail with current master due to the
    missing dependency.
    carlosantoniodasilva committed with tenderlove Jul 9, 2014
  4. @tenderlove

    Merge branch '3-2-22-3' into 3-2-stable

    * 3-2-22-3:
      bumping version
      ensure tag/content_tag escapes " in attribute vals
    tenderlove committed Aug 11, 2016
Commits on Aug 10, 2016
  1. @tenderlove

    bumping version

    tenderlove committed Aug 10, 2016
  2. @andrewcarpenter @tenderlove

    ensure tag/content_tag escapes " in attribute vals

    Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
    
    CVE-2016-6316
    andrewcarpenter committed with tenderlove Jul 28, 2016
Commits on May 21, 2016
  1. @rafaelfranca

    Merge pull request #25043 from tlrdstd/support_ruby_2_3

    Associations do not call `.to_proc` on Hash
    rafaelfranca committed May 21, 2016
Commits on May 16, 2016
  1. @tlrdstd
Commits on Mar 14, 2016
  1. @arthurnn

    update rendering comment

    [skip ci]
    arthurnn committed Mar 14, 2016
Commits on Mar 8, 2016
  1. @rafaelfranca
Commits on Mar 2, 2016
  1. @arthurnn

    fix 1.8 hash syntax

    arthurnn committed Mar 2, 2016
  2. @arthurnn

    Add missing require to file

    arthurnn committed Mar 2, 2016
Commits on Feb 29, 2016
  1. @rafaelfranca
  2. @rafaelfranca
  3. @arthurnn @rafaelfranca

    Don't allow render(params) in view/controller

    `render(params)` is dangerous and could be a vector for attackers.
    
    Don't allow calls to render passing params on views or controllers.
    
    On a controller or view, we should not allow something like `render
    params[:id]` or `render params`.
    That could be problematic, because an attacker could pass input that
    could lead to a remote code execution attack.
    
    This patch is also compatible when using strong parameters.
    
    CVE-2016-2098
    arthurnn committed with rafaelfranca Feb 2, 2016
  4. @arthurnn @rafaelfranca

    Complete work on 3.2 for render_data_leak patch.

    Render could leak access to external files before this patch.
    A previous patch (CVE-2016-0752) attempted to fix this. However, the tests
    were misplaced outside the TestCase subclass, so they were not running.
    
    We should allow :file to be outside rails root, but anything else must
    be inside the rails view directory.
    
    The implementation has changed a bit though. Now the patch is more
    similar to the 4.x series patches.
    Now `render 'foo/bar'` will add a special key in the options
    hash, and not use the :file one, so when we look up that file, we
    don't set the fallbacks, and only look up a template, to constrain the
    folders that can be accessed.
    
    CVE-2016-2097
    arthurnn committed with rafaelfranca Feb 2, 2016
Commits on Feb 2, 2016
  1. @tenderlove

    Generated engines should protect from forgery

    Generated engines should call `protect_from_forgery`.  If this method
    isn't called, then the Engine could be susceptible to XSS attacks.
    Thanks @tomekr for reporting this to us!
    
    Conflicts:
    	railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    	railties/test/generators/plugin_generator_test.rb
    tenderlove committed Feb 2, 2016
Commits on Jan 28, 2016
  1. @eileencodes

    Run `file.close` before unlinking for travis

    This works on OSX but for some reason travis is throwing a
    ```
      1) Error:
    ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
    NoMethodError: undefined method `unlink' for nil:NilClass
    ```
    Looking at other tests in Railties the file has a name and we close
    it before unlinking, so I'm going to try that.
    eileencodes committed Jan 28, 2016
  2. @eileencodes

    Fix hash syntax for 1.8.7

    Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
    eileencodes committed Jan 28, 2016
  3. @eileencodes

    Regression test for rendering file from absolute path

    Test that we are not allowing you to grab a file with an absolute path
    outside of your application directory. This is dangerous because it
    could be used to retrieve files from the server like `/etc/passwd`.
    eileencodes committed Jan 28, 2016
Commits on Jan 26, 2016
  1. @pixeltrix

    Lock test-unit to 3.0.x releases

    Due to a change in test-unit 3.1.6 that supports yielding from setup to
    run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.
    pixeltrix committed Jan 26, 2016
Commits on Jan 25, 2016
  1. @pixeltrix
  2. @tenderlove

    Merge pull request #23250 from simi/3-2-stable-1-8

    Fix 3-2-stable 1.8 compatibility.
    tenderlove committed Jan 25, 2016
  3. @simi

    Use Ruby 1.8 compat syntax in test of security fix in activerecord/test/cases/nested_attributes_test.rb.
    simi committed Jan 25, 2016
  4. @simi
  5. @tenderlove

    Merge branch '3-2-sec' into 3-2-stable

    * 3-2-sec:
      bumping version
      allow :file to be outside rails root, but anything else must be inside the rails view directory
      Don't short-circuit reject_if proc
      stop caching mime types globally
      use secure string comparisons for basic auth username / password
    tenderlove committed Jan 25, 2016
  6. @tenderlove

    bumping version

    tenderlove committed Jan 25, 2016
Commits on Jan 22, 2016
  1. @tenderlove

    allow :file to be outside rails root, but anything else must be inside the rails view directory
    
    Conflicts:
    	actionpack/test/controller/render_test.rb
    	actionview/lib/action_view/template/resolver.rb
    
    CVE-2016-0752
    tenderlove committed Jan 20, 2016
  2. @pixeltrix @tenderlove

    Don't short-circuit reject_if proc

    When updating an associated record via nested attribute hashes the
    reject_if proc could be bypassed if the _destroy flag was set in the
    attribute hash and allow_destroy was set to false.
    
    The fix is to only short-circuit if the _destroy flag is set and the
    option allow_destroy is set to true. It also fixes an issue where
    a new record wasn't created if _destroy was set and the option
    allow_destroy was set to false.
    
    CVE-2015-7577
    pixeltrix committed with tenderlove Nov 27, 2015
  3. @tenderlove

    stop caching mime types globally

    Unknown mime types should not be cached globally.  This global cache
    leads to a memory leak and a denial of service vulnerability.
    
    CVE-2016-0751
    tenderlove committed Jan 11, 2016
  4. @tenderlove

    use secure string comparisons for basic auth username / password

    This will avoid timing attacks against applications that use basic auth.
    
    Conflicts:
    	activesupport/lib/active_support/security_utils.rb
    
    Conflicts:
    	actionpack/lib/action_controller/metal/http_authentication.rb
    
    CVE-2015-7576
    tenderlove committed Oct 29, 2015
Commits on Jan 15, 2016
  1. @arthurnn

    update bundler message

    arthurnn committed Jan 15, 2016