Commits on Jul 13, 2016
  1. Merge branch '4-1-16' into 4-1-stable

    rafaelfranca committed Jul 13, 2016
Commits on Jul 12, 2016
Commits on Jul 2, 2016
Commits on Jul 1, 2016
  1. Do not run `bundle install` when generating a new plugin.

    rafaelfranca committed Jul 1, 2016
    Since bundler 1.12.0, the gemspec is validated so the `bundle install`
    command will fail just after the gem is created causing confusion to the
    users. This change was a bug fix to correctly validate gemspecs.
Commits on Mar 8, 2016
  1. Merge pull request #24098 from kamipo/fix_typo_sslcipher-4-1

    Arthur Nogueira Neves committed Mar 8, 2016
    Backport to 4-1-stable "Fix typo `--ssl-cipher`"
Commits on Mar 7, 2016
  1. Fix typo `--ssl-cipher`

    kamipo committed Mar 6, 2016
    Backport #24082 for #23293.
  2. Merge pull request #23293 from drcapulet/alexc-backport-20126-4-1-stable

    rafaelfranca committed Mar 7, 2016
    Add full set of MySQL CLI options to support SSL authentication when using db:structure dump and load
Commits on Mar 5, 2016
  1. Update the rendering guide to match the current behavior

    rafaelfranca committed Mar 5, 2016
    In the latest security releases, render with a trailing slash no longer
    calls render :file.
    
    Also add a note about the security implications of using it with user
    parameters.
Commits on Mar 1, 2016
Commits on Feb 29, 2016
  1. Fix version on changelog

    arthurnn committed Feb 29, 2016
    cc @rafaelfranca
    [skip ci]
  2. Fix ActionView tests

    maclover7 authored and rafaelfranca committed Jan 27, 2016
    Reverts some of the changes from #23242.
  3. Add outside_app_allowed arg to find_templates

    maclover7 authored and rafaelfranca committed Jan 27, 2016
    A backport of #23247 to 4-1-stable.
  4. Bundle update

    rafaelfranca committed Jan 29, 2016
  5. Merge pull request #23242 from maclover7/fix-error-sec

    tenderlove authored and rafaelfranca committed Jan 27, 2016
    Fix undefined error for `ActionController::Parameters`
  6. Don't allow render(params) on views.

    arthurnn authored and rafaelfranca committed Feb 25, 2016
    If `render(params)` is called in a view it should be protected the same
    way it is in the controllers. We should raise an error if that happens.
    
    Fix CVE-2016-2098.
  7. Change render "foo" to render a template and not a file.

    tenderlove authored and rafaelfranca committed Jan 27, 2016
    Previously, calling `render "foo/bar"` in a controller action was
    equivalent to `render file: "foo/bar"`. This has been changed to
    mean `render template: "foo/bar"` instead. If you need to render a
    file, please change your code to use the explicit form
    (`render file: "foo/bar"`) instead.
    
    Test that we are not allowing you to grab a file with an absolute path
    outside of your application directory. This is dangerous because it
    could be used to retrieve files from the server like `/etc/passwd`.
    
    Fix CVE-2016-2097.
Commits on Feb 12, 2016
Commits on Feb 2, 2016
  1. Generated engines should protect from forgery

    tenderlove committed Feb 2, 2016
    Generated engines should call `protect_from_forgery`.  If this method
    isn't called, then the Engine could be susceptible to XSS attacks.
    Thanks @tomekr for reporting this to us!
    
    Conflicts:
    	railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    	railties/test/generators/plugin_generator_test.rb
Commits on Jan 29, 2016
  1. Merge pull request #23328 from RickCSong/rickcsong/fix-predicate-builder

    rafaelfranca committed Jan 29, 2016
    Fix custom primary keys when calling `Relation#where`
  2. Fix ActionView tests

    maclover7 authored and rafaelfranca committed Jan 27, 2016
    Reverts some of the changes from #23242.
  3. Add outside_app_allowed arg to find_templates

    maclover7 authored and rafaelfranca committed Jan 27, 2016
    A backport of #23247 to 4-1-stable.
  4. Bundle update

    rafaelfranca committed Jan 29, 2016
Commits on Jan 28, 2016
  1. Run `file.close` before unlinking for travis

    eileencodes committed Jan 28, 2016
    This works on OSX but for some reason travis is throwing a
    ```
      1) Error:
    ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
    NoMethodError: undefined method `unlink' for nil:NilClass
    ```
    Looking at other tests in Railties the file has a name and we close
    it before unlinking, so I'm going to try that.