branch: 3-2-stable

Feb 18, 2014

  1. Rafael Mendonça França

    Merge branch '3-2-17' into 3-2-stable

    Conflicts:
    	actionpack/CHANGELOG.md
    authored February 18, 2014
  2. Rafael Mendonça França

    Preparing for 3.2.17 release

    authored February 18, 2014
  3. Rafael Mendonça França

    Use the reference for the mime type to get the format

    Before, we were calling to_sym on the mime type even when it is unknown,
    which can cause denial of service since symbols are not removed by the
    garbage collector.
    
    Fixes: CVE-2014-0082
    authored February 11, 2014
  4. Rafael Mendonça França

    Escape format, negative_format and units options of number helpers

    Previously the values of these options were trusted leading to
    potential XSS vulnerabilities.
    
    Fixes: CVE-2014-0081
    authored February 11, 2014

Jan 06, 2014

  1. Damien Mathieu

    Merge pull request #13613 from simi/patch-1

    Fix force_ssl.rb documentation. Close tt tag.
    authored January 06, 2014
  2. Josef Šimánek

    Fix force_ssl.rb documentation. Close tt tag.

    [ci skip]
    authored January 06, 2014

Dec 14, 2013

  1. Rafael Mendonça França

    Merge pull request #13315 from tyre/patch-1

    Update Session Store Documentation
    authored December 13, 2013
  2. Chris Maddox

    Update Session Store Documentation

    session_id doesn't need to be a text column, just string (VARCHAR)
    authored December 13, 2013

Dec 05, 2013

  1. Carlos Antonio da Silva

    Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
    
    Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
    
    Conflicts:
    	actionpack/CHANGELOG.md

Dec 04, 2013

  1. Rafael Mendonça França

    Fix documentation of number_to_currency helper

    Now users have to explicitly mark the unit as safe if they trust it.
    
    Closes #13161
    authored December 04, 2013
  2. Rafael Mendonça França

    Merge pull request #13162 from makandra/3-2-stable

    Repair a test broken by the number_to_currency XSS fix
    authored December 04, 2013
  3. Tobias Kraze

    repair a test broken by the number_to_currency XSS fix

    authored December 04, 2013

Dec 03, 2013

  1. Aaron Patterson

    updating the changelog

    authored December 02, 2013

Dec 02, 2013

  1. Michael Koziarski

    Deep Munge the parameters for GET and POST

    The previous implementation of this functionality could be accidentally
    subverted by instantiating a raw Rack::Request before the first Rails::Request
    was constructed.
    
    Fixes CVE-2013-6417
    
    Conflicts:
    	actionpack/lib/action_dispatch/http/request.rb
    authored November 30, 2013 tenderlove committed December 02, 2013
  2. Michael Koziarski

    Stop using i18n's built in HTML error handling.

    i18n doesn't depend on active support which means it can't use our html_safe
    code to do its escaping when generating the spans.  Rather than try to sanitize
    the output from i18n, just revert to our old behaviour of rescuing the error
    and constructing the tag ourselves.
    
    Fixes: CVE-2013-4491
    
    Conflicts:
    	actionpack/lib/action_view/helpers/translation_helper.rb
    
    Backport: 50afd8e
    authored November 01, 2013 tenderlove committed December 02, 2013
  3. Michael Koziarski

    Escape the unit value provided to number_to_currency

    Fixes CVE-2013-6415
    
    Previously the values were trusted blindly allowing for potential XSS attacks.
    authored November 13, 2013 tenderlove committed December 02, 2013

Dec 01, 2013

  1. Aaron Patterson

    Only use valid mime type symbols as cache keys

    CVE-2013-6414
    authored November 30, 2013

Oct 16, 2013

  1. Aaron Patterson

    Merge branch '3-2-sec' into 3-2-stable

    * 3-2-sec:
      updating changelogs
      bumping to 3.2.15
      bumping to rc3
      Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
      Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
      bumping to rc2
      Merge pull request #12443 from arthurnn/add_inverse_of_add_target
      bumping version to 3.2.15.rc1
      Remove the use of String#% when formatting durations in log messages
    
    Conflicts:
    	activerecord/CHANGELOG.md
    authored October 16, 2013
  2. Aaron Patterson

    updating changelogs

    authored October 16, 2013

Oct 15, 2013

  1. Aaron Patterson

    bumping to 3.2.15

    authored October 15, 2013
  2. Aaron Patterson

    Merge branch '3-2-15' into 3-2-sec

    * 3-2-15:
      bumping to rc3
      Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
      Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
      bumping to rc2
      Merge pull request #12443 from arthurnn/add_inverse_of_add_target
      bumping version to 3.2.15.rc1
      Fix STI scopes using benolee's suggestion. Fixes #11939
    authored October 15, 2013

Oct 11, 2013

  1. Aaron Patterson

    bumping to rc3

    authored October 11, 2013

Oct 10, 2013

  1. Rafael Mendonça França

    Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"

    This reverts commit ccd11d5, reversing
    changes made to 54c05ac.
    
    Reason: This caused a regression when the associated record is created
    in a before_create callback. See
    #12413 (comment)
    authored October 10, 2013
  2. Rafael Mendonça França

    Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
    
    This reverts commit 7ed5bdc, reversing
    changes made to 31c79e2.
    
    Reason: this caused a regression when the associated record is created in
    a before_create callback.
    
    See #12413 (comment)
    authored October 10, 2013
  3. Rafael Mendonça França

    Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"

    This reverts commit ccd11d5, reversing
    changes made to 54c05ac.
    
    Reason: This caused a regression when the associated record is created
    in a before_create callback. See
    #12413 (comment)
    authored October 10, 2013
  4. Rafael Mendonça França

    Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
    
    This reverts commit 7ed5bdc, reversing
    changes made to 31c79e2.
    
    Reason: this caused a regression when the associated record is created in
    a before_create callback.
    
    See #12413 (comment)
    authored October 10, 2013

Oct 04, 2013

  1. Aaron Patterson

    bumping to rc2

    authored October 04, 2013
  2. Rafael Mendonça França

    Merge pull request #12443 from arthurnn/add_inverse_of_add_target

    Add inverse of add target
    authored October 04, 2013
  3. Rafael Mendonça França

    Merge pull request #12443 from arthurnn/add_inverse_of_add_target

    Add inverse of add target
    authored October 04, 2013
  4. Arthur Nogueira Neves

    add regression test for set_inverse_instance on add_to_target

    authored October 04, 2013
  5. Arthur Nogueira Neves

    Add back set_inverse_instance on .add_to_target

    We must have it in there too, so when an existing record is being concatenated to another,
    we will have the inverse relation.
    authored October 04, 2013

Oct 03, 2013

  1. Aaron Patterson

    bumping version to 3.2.15.rc1

    authored October 03, 2013
  2. Aaron Patterson

    Merge pull request #12084 from Ben-M/3-2-stable

    Fix STI scopes using benolee's suggestion. Fixes #11939
    authored October 03, 2013
  3. Aaron Patterson

    Merge branch '3-2-stable' into 3-2-sec

    * 3-2-stable:
      make sure both headers are set before checking for ip spoofing
      Move set_inverse_instance to association.build_record
    authored October 03, 2013

Oct 01, 2013

  1. Andrew White

    Merge pull request #12410 from tamird/fix-ip-spoof-errors

    Fix ip spoof errors
    authored October 01, 2013