Commits on Jul 13, 2016
  1. Merge branch '4-1-16' into 4-1-stable

    rafaelfranca committed Jul 13, 2016
Commits on Jul 12, 2016
Commits on Jul 2, 2016
Commits on Jul 1, 2016
  1. Do not run `bundle install` when generating a new plugin.

    Since bundler 1.12.0, the gemspec is validated so the `bundle install`
    command will fail just after the gem is created causing confusion to the
    users. This change was a bug fix to correctly validate gemspecs.
    rafaelfranca committed Jul 1, 2016
Commits on Mar 8, 2016
  1. Merge pull request #24098 from kamipo/fix_typo_sslcipher-4-1

    Backport to 4-1-stable "Fix typo `--ssl-cipher`"
    arthurnn committed Mar 8, 2016
Commits on Mar 7, 2016
  1. Fix typo `--ssl-cipher`

    Backport #24082 for #23293.
    kamipo committed Mar 6, 2016
  2. Merge pull request #23293 from drcapulet/alexc-backport-20126-4-1-stable

    Add full set of MySQL CLI options to support SSL authentication when using db:structure dump and load
    rafaelfranca committed Mar 7, 2016
Commits on Mar 5, 2016
  1. Update the rendering guide to match the current behavior

    In the latest security releases, render with a trailing slash no longer calls
    render :file.
    
    Also add a note about the security implications of using it with user
    parameters.
    rafaelfranca committed Mar 5, 2016
Commits on Mar 1, 2016
Commits on Feb 29, 2016
  1. Fix version on changelog

    cc @rafaelfranca
    [skip ci]
    arthurnn committed Feb 29, 2016
  2. Fix ActionView tests

    Reverts some of the changes from #23242.
    maclover7 committed with rafaelfranca Jan 27, 2016
  3. Add outside_app_allowed arg to find_templates

    A backport of #23247 to 4-1-stable.
    maclover7 committed with rafaelfranca Jan 27, 2016
  4. Bundle update

    rafaelfranca committed Jan 29, 2016
  5. Merge pull request #23242 from maclover7/fix-error-sec

    Fix undefined error for `ActionController::Parameters`
    tenderlove committed with rafaelfranca Jan 27, 2016
  6. Don't allow render(params) on views.

    If `render(params)` is called in a view it should be protected the same
    way it is in the controllers. We should raise an error if that happens.
    
    Fix CVE-2016-2098.
    arthurnn committed with rafaelfranca Feb 25, 2016
  7. Change render "foo" to render a template and not a file.

    Previously, calling `render "foo/bar"` in a controller action is
    equivalent to `render file: "foo/bar"`. This has been changed to
    mean `render template: "foo/bar"` instead. If you need to render a
    file, please change your code to use the explicit form
    (`render file: "foo/bar"`) instead.
    
    Test that we are not allowing you to grab a file with an absolute path
    outside of your application directory. This is dangerous because it
    could be used to retrieve files from the server like `/etc/passwd`.
    
    Fix CVE-2016-2097.
    tenderlove committed with rafaelfranca Jan 27, 2016
Commits on Feb 12, 2016
  1. Use Ruby 1.9 Hash syntax

    rafaelfranca committed Feb 12, 2016
Commits on Feb 2, 2016
  1. Generated engines should protect from forgery

    Generated engines should call `protect_from_forgery`.  If this method
    isn't called, then the Engine could be susceptible to XSS attacks.
    Thanks @tomekr for reporting this to us!
    
    Conflicts:
    	railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    	railties/test/generators/plugin_generator_test.rb
    tenderlove committed Feb 2, 2016
Commits on Jan 29, 2016
  1. Merge pull request #23328 from RickCSong/rickcsong/fix-predicate-builder

    Fix custom primary keys when calling `Relation#where`
    rafaelfranca committed Jan 29, 2016
  2. Makes a minor fix to PredicateBuilder respect custom primary keys when

    calling `Relation#where`
    RickCSong committed Jan 29, 2016
  3. Fix ActionView tests

    Reverts some of the changes from #23242.
    maclover7 committed with rafaelfranca Jan 27, 2016
  4. Add outside_app_allowed arg to find_templates

    A backport of #23247 to 4-1-stable.
    maclover7 committed with rafaelfranca Jan 27, 2016
  5. Bundle update

    rafaelfranca committed Jan 29, 2016
Commits on Jan 28, 2016
  1. Run `file.close` before unlinking for travis

    This works on OSX but for some reason travis is throwing a
    ```
      1) Error:
    ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
    NoMethodError: undefined method `unlink' for nil:NilClass
    ```
    Looking at other tests in Railties the file has a name and we close
    it before unlinking, so I'm going to try that.
    eileencodes committed Jan 28, 2016