Commits on May 21, 2016
  1. @rafaelfranca

    Merge pull request #25043 from tlrdstd/support_ruby_2_3

    Associations do not call `.to_proc` on Hash
    rafaelfranca committed May 20, 2016
Commits on May 16, 2016
  1. @tlrdstd
Commits on Mar 14, 2016
  1. @arthurnn

    update rendering comment

    [skip ci]
    arthurnn committed Mar 14, 2016
Commits on Mar 8, 2016
  1. @rafaelfranca
Commits on Mar 2, 2016
  1. @arthurnn

    fix 1.8 hash syntax

    arthurnn committed Mar 1, 2016
  2. @arthurnn

    Add missing require to file

    arthurnn committed Mar 1, 2016
Commits on Feb 29, 2016
  1. @rafaelfranca
  2. @rafaelfranca
  3. @arthurnn @rafaelfranca

    Don't allow render(params) in view/controller

    `render(params)` is dangerous and could be a vector for attackers.
    
    Don't allow calls to render passing params on views or controllers.
    
    On a controller or view, we should not allow something like `render
    params[:id]` or `render params`.
    That could be problematic, because an attacker could pass input that
    could lead to a remote code execution attack.
    
    This patch is also compatible when using strong parameters.
    
    CVE-2016-2098
    arthurnn committed with rafaelfranca Feb 2, 2016
  4. @arthurnn @rafaelfranca

    Complete work on 3.2 for render_data_leak patch.

    Render could leak access to external files before this patch.
    A previous patch (CVE-2016-0752) attempted to fix this. However, the tests
    were misplaced outside the TestCase subclass, so they were not running.
    
    We should allow :file to be outside rails root, but anything else must
    be inside the rails view directory.
    
    The implementation has changed a bit though. Now the patch is more
    similar to the 4.x series patches.
    Now `render 'foo/bar'` will add a special key in the options
    hash, and not use the :file one, so when we look up that file, we
    don't set the fallbacks, and only look up a template, to constrain the
    folders that can be accessed.
    
    CVE-2016-2097
    arthurnn committed with rafaelfranca Feb 2, 2016
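Added example, not the resolver change from this commit: a plain-Ruby path-containment check that expresses the rule the message states (an explicit `:file` may live anywhere, every other render target must resolve inside the view directory). The app root and the `resolve_template` helper are assumptions for illustration.

```ruby
# Constructed app root; a real app would derive this from Rails.root.
VIEW_ROOT = File.expand_path("app/views", "/srv/myapp")

# Resolve a render target to an absolute path. Only an explicit :file
# request may escape VIEW_ROOT; anything else is confined to the view tree,
# so "../../etc/passwd" or "/etc/passwd" can never be served as a template.
def resolve_template(name, file: false)
  candidate = File.expand_path(name, VIEW_ROOT)
  return candidate if file  # caller explicitly asked for a file, as render :file does

  # expand_path has already collapsed "..", so a prefix check is sufficient.
  unless candidate.start_with?(VIEW_ROOT + File::SEPARATOR)
    raise ArgumentError, "template #{name.inspect} resolves outside the view directory"
  end
  candidate
end

# Convenience predicate for the tests and for callers that prefer a boolean.
def template_allowed?(name, file: false)
  resolve_template(name, file: file)
  true
rescue ArgumentError
  false
end
```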
Commits on Feb 2, 2016
  1. @tenderlove

    Generated engines should protect from forgery

    Generated engines should call `protect_from_forgery`.  If this method
    isn't called, then the Engine could be susceptible to XSS attacks.
    Thanks @tomekr for reporting this to us!
    
    Conflicts:
    	railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    	railties/test/generators/plugin_generator_test.rb
    tenderlove committed Feb 1, 2016
Commits on Jan 28, 2016
  1. @eileencodes

    Run `file.close` before unlinking for travis

    This works on OSX but for some reason travis is throwing a
    ```
      1) Error:
    ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
    NoMethodError: undefined method `unlink' for nil:NilClass
    ```
    Looking at other tests in Railties the file has a name and we close
    it before unlinking, so I'm going to try that.
    eileencodes committed Jan 28, 2016
  2. @eileencodes

    Fix hash syntax for 1.8.7

    Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
    eileencodes committed Jan 28, 2016
  3. @eileencodes

    Regression test for rendering file from absolute path

    Test that we are not allowing you to grab a file with an absolute path
    outside of your application directory. This is dangerous because it
    could be used to retrieve files from the server like `/etc/passwd`.
    eileencodes committed Jan 28, 2016
Commits on Jan 26, 2016
  1. @pixeltrix

    Lock test-unit to 3.0.x releases

    Due to a change in test-unit 3.1.6 that supports yielding from setup to
    run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.
    pixeltrix committed Jan 26, 2016
Commits on Jan 25, 2016
  1. @pixeltrix

    Use 1.8 compatible hash syntax

    pixeltrix committed Jan 25, 2016
  2. @tenderlove

    Merge pull request #23250 from simi/3-2-stable-1-8

    Fix 3-2-stable 1.8 compatibility.
    tenderlove committed Jan 25, 2016
  3. @simi

    Use Ruby 1.8 compat syntax in test of security fix in activerecord/test/cases/nested_attributes_test.rb.

    simi committed Jan 26, 2016
  4. @simi
  5. @tenderlove

    Merge branch '3-2-sec' into 3-2-stable

    * 3-2-sec:
      bumping version
      allow :file to be outside rails root, but anything else must be inside the rails view directory
      Don't short-circuit reject_if proc
      stop caching mime types globally
      use secure string comparisons for basic auth username / password
    tenderlove committed Jan 25, 2016
  6. @tenderlove

    bumping version

    tenderlove committed Jan 25, 2016
Commits on Jan 22, 2016
  1. @tenderlove

    allow :file to be outside rails root, but anything else must be inside the rails view directory

    Conflicts:
    	actionpack/test/controller/render_test.rb
    	actionview/lib/action_view/template/resolver.rb
    
    CVE-2016-0752
    tenderlove committed Jan 20, 2016
  2. @pixeltrix @tenderlove

    Don't short-circuit reject_if proc

    When updating an associated record via nested attribute hashes the
    reject_if proc could be bypassed if the _destroy flag was set in the
    attribute hash and allow_destroy was set to false.
    
    The fix is to only short-circuit if the _destroy flag is set and the
    option allow_destroy is set to true. It also fixes an issue where
    a new record wasn't created if _destroy was set and the option
    allow_destroy was set to false.
    
    CVE-2015-7577
    pixeltrix committed with tenderlove Nov 27, 2015
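Added example, not ActiveRecord's code: a plain-Ruby model of the `reject_if` decision this commit describes, with the short-circuit before and after the fix side by side. The option hash mirrors `accepts_nested_attributes_for`'s `:reject_if` and `:allow_destroy`; the helper names and the sample attribute hashes are constructed for illustration.

```ruby
# Values Rails treats as a "set" _destroy flag (constructed subset).
TRUTHY = ["1", "true", 1, true].freeze

def destroy_flag?(attrs)
  TRUTHY.include?(attrs["_destroy"] || attrs[:_destroy])
end

def run_reject_if(opts, attrs)
  cb = opts[:reject_if]
  cb.respond_to?(:call) ? !!cb.call(attrs) : false
end

# Vulnerable form: any _destroy flag skips the reject_if callback, even when
# allow_destroy is false, so attacker-supplied attributes reach the record.
def reject_before(opts, attrs)
  return false if destroy_flag?(attrs)
  run_reject_if(opts, attrs)
end

# Fixed form: only short-circuit when the record really will be destroyed,
# i.e. the flag is set AND allow_destroy is true.
def will_be_destroyed?(opts, attrs)
  opts[:allow_destroy] && destroy_flag?(attrs)
end

def reject_after(opts, attrs)
  return false if will_be_destroyed?(opts, attrs)
  run_reject_if(opts, attrs)
end

# New-record path: before the fix a _destroy flag with allow_destroy false
# silently suppressed creation; after it, creation follows reject_if alone.
def skip_new_record_before(opts, attrs)
  destroy_flag?(attrs) || reject_before(opts, attrs)
end

def skip_new_record_after(opts, attrs)
  will_be_destroyed?(opts, attrs) || reject_after(opts, attrs)
end
```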
  3. @tenderlove

    stop caching mime types globally

    Unknown mime types should not be cached globally.  This global cache
    leads to a memory leak and a denial of service vulnerability.
    
    CVE-2016-0751
    tenderlove committed Jan 11, 2016
  4. @tenderlove

    use secure string comparisons for basic auth username / password

    this will avoid timing attacks against applications that use basic auth.
    
    Conflicts:
    	activesupport/lib/active_support/security_utils.rb
    
    Conflicts:
    	actionpack/lib/action_controller/metal/http_authentication.rb
    
    CVE-2015-7576
    tenderlove committed Oct 29, 2015
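Added example, not ActiveSupport's `security_utils.rb`: a constant-time comparison of the kind this commit introduces, plus a Basic auth check that compares both fields unconditionally. Credentials as plain Strings and the sample values in the comments are assumptions.

```ruby
require 'digest'

# Compare two equal-length strings in time that does not depend on where the
# first differing byte is. String#== may stop at the first mismatch, which is
# what a timing attack measures.
def fixed_length_secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  # Visit every byte and OR the XORs together; no early return on mismatch.
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result == 0
end

# Also hide the length of the expected secret by comparing fixed-size digests.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

# HTTP Basic check in the spirit of http_authentication.rb. Both fields are
# compared every time (non-short-circuit &), so a wrong username costs the
# same as a wrong password.
def basic_auth_ok?(given_user, given_pass, expected_user, expected_pass)
  user_ok = secure_compare(given_user, expected_user)
  pass_ok = secure_compare(given_pass, expected_pass)
  user_ok & pass_ok
end
```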
Commits on Jan 15, 2016
  1. @arthurnn

    update bundler message

    arthurnn committed Jan 15, 2016
  2. @arthurnn
  3. @arthurnn

    Fix mysql2 build

    mysql 0.3.x is forced here activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
    arthurnn committed Jan 15, 2016
Commits on Jan 14, 2016
  1. @arthurnn
Commits on Jun 18, 2015
  1. @rafaelfranca

    Merge pull request #20629 from moklett/patch-1

    Fix typo in version number
    rafaelfranca committed Jun 18, 2015
  2. @moklett

    Fix typo in version number

    Fixes a simple copy-and-paste mistake by bumping the patch version number in the CHANGELOG.
    moklett committed Jun 18, 2015
Commits on Jun 16, 2015
  1. @rafaelfranca
  2. @rafaelfranca
  3. @rafaelfranca
  4. @tenderlove @rafaelfranca

    enforce a depth limit on XML documents

    XML documents that are too deep can cause a stack overflow, which in
    turn will cause a potential DoS attack.
    
    CVE-2015-3227
    
    Conflicts:
    	activesupport/lib/active_support/xml_mini.rb
    tenderlove committed with rafaelfranca Jun 9, 2015
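Added example, not the `xml_mini.rb` change itself: a REXML stream listener that counts open elements and rejects a document as soon as it nests deeper than a limit, before any tree is built. The limit of 100, the class and method names, and the `nested_xml` generator are this example's own assumptions.

```ruby
require 'rexml/document'
require 'rexml/streamlistener'

class DepthLimitExceeded < StandardError; end

# Counts element nesting as the stream parser walks the document and aborts
# past the limit, so a depth bomb never reaches a recursive tree builder.
class DepthLimitingListener
  include REXML::StreamListener
  attr_reader :max_depth_seen

  def initialize(limit)
    @limit = limit
    @depth = 0
    @max_depth_seen = 0
  end

  def tag_start(name, _attrs)
    @depth += 1
    @max_depth_seen = @depth if @depth > @max_depth_seen
    raise DepthLimitExceeded, "<#{name}> nested deeper than #{@limit}" if @depth > @limit
  end

  def tag_end(_name)
    @depth -= 1
  end
end

# Parse with the limit enforced; returns the deepest nesting level seen.
def parse_with_depth_limit(xml, limit = 100)
  listener = DepthLimitingListener.new(limit)
  REXML::Document.parse_stream(xml, listener)
  listener.max_depth_seen
end

def within_depth?(xml, limit = 100)
  parse_with_depth_limit(xml, limit)
  true
rescue DepthLimitExceeded
  false
end

# Constructed sample: n nested <a> elements, the shape of a depth bomb.
def nested_xml(n)
  ("<a>" * n) + "x" + ("</a>" * n)
end
```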