Commits on Jan 17, 2011
  1. @NZKoz

    Change the CSRF whitelisting to only apply to get requests

    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests, Rails now supports providing the token in a custom HTTP header:
    
     X-CSRF-Token: ...
    
    This fixes CVE-2011-0447
    NZKoz committed Jan 13, 2011
Commits on Nov 27, 2009
  1. @gtd @NZKoz

    Make sure strip_tags removes tags which start with a non-printable character
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    gtd committed with NZKoz Nov 16, 2009
Commits on Sep 13, 2009
  1. @jeremy
  2. @jeremy
  3. @jeremy
  4. @jeremy
Commits on Sep 12, 2009
  1. @NZKoz
Commits on Sep 11, 2009
  1. @bohford @jeremy

    Remove redundant checks for valid character regexp in ActiveSupport::Multibyte#clean and #verify.
    
    [#3181 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    bohford committed with jeremy Sep 9, 2009
Commits on Sep 8, 2009
  1. @NZKoz

    1.9 compatible secure_compare

    NZKoz committed Sep 9, 2009
  2. @NZKoz

    Revert "Ruby 1.9: fix MessageVerifier#secure_compare"

    This reverts commit 91f65b7.
    
    MessageVerifier was never in 2.2
    NZKoz committed Sep 9, 2009
  3. @jeremy
  4. @jeremy

    Fix AS test breakage

    jeremy committed Sep 8, 2009
Commits on Sep 4, 2009
  1. @technoweenie
Commits on Aug 31, 2009
  1. @NZKoz

    Clean tag attributes before passing through the escape_once logic.

    Addresses CVE-2009-3009
    NZKoz committed Aug 31, 2009
  2. @NZKoz

    Add verify and clean methods to ActiveSupport::Multibyte.

    When accepting character input from outside of your application you can't
    blindly trust that all strings are properly encoded. With these methods
    you can check incoming strings and clean them up if necessary.
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    
    Conflicts:
    
    	activesupport/lib/active_support/multibyte/chars.rb
    NZKoz committed Aug 31, 2009
Commits on Aug 23, 2009
  1. @NZKoz

    Fix timing attack vulnerability in the Cookie Store

    Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
    NZKoz committed Aug 23, 2009
Commits on Apr 20, 2009
  1. @lifo

    Ensure JoinAssociation uses aliased table name when multiple associations have hash conditions on the same table

    lifo committed Apr 20, 2009
Commits on Apr 1, 2009
  1. @fcheung @lifo

    Don't use the transaction instance method so that people with has_one/belongs_to :transaction aren't fubared
    
    [#1551 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    fcheung committed with lifo Dec 10, 2008
Commits on Mar 11, 2009
  1. @jeremy
Commits on Feb 25, 2009
  1. @samgranieri @jeremy

    Ruby 1.9 compat: silence a warning about regexp languages

    [#2050 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    samgranieri committed with jeremy Feb 22, 2009
  2. @technoweenie
  3. @oboxodo @technoweenie

    Fixed bug that makes named_scopes _forget_ current scope

    Signed-off-by: rick <technoweenie@gmail.com>
    [#1960 #1677 state:resolved]
    oboxodo committed with technoweenie Feb 13, 2009
Commits on Feb 22, 2009
  1. @pixeltrix @NZKoz

    Remove hardcoded number_of_captures in ControllerSegment to allow regexp requirements with capturing parentheses

    pixeltrix committed with NZKoz Feb 22, 2009
  2. @pixeltrix @NZKoz

    Fix requirements regexp for path segments

    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    pixeltrix committed with NZKoz Jan 16, 2009
Commits on Feb 21, 2009
  1. @jeremy

    Update changelog for URI.unescape fix

    [#2033 state:committed]
    jeremy committed Feb 20, 2009
  2. @jeremy

    Broaden URI.unescape fix to all affected 1.9.x by checking for broken behavior instead of specific patchlevel

    jeremy committed Feb 20, 2009
  3. @moro @jeremy

    fix test data, should specify encoding to use multibyte chars on Ruby 1.9
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    moro committed with jeremy Feb 15, 2009
  4. @jeremy
  5. @moro @jeremy

    Ruby 1.9.1p0's URI.decode() bug fix

    backport to fix Ruby 1.9.1p0 bug on [ruby-dev:38005].
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    moro committed with jeremy Feb 15, 2009
Commits on Feb 20, 2009
  1. @brunetton @josh

    Make atomic_write() put the check_file in the cache dir, not in application root

    [#1962 state:resolved]
    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    brunetton committed with josh Feb 19, 2009
Commits on Feb 17, 2009
  1. @amatsuda @jeremy

    Ruby 1.9 compat: fix JSON decoding to work properly with multibyte values
    
    [#1969 state:committed]
    
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
    amatsuda committed with jeremy Feb 15, 2009
Commits on Feb 12, 2009
  1. @josh

    Allow memcache-client versions > 1.5.x to override bundled version

    Signed-off-by: Joshua Peek <josh@joshpeek.com>
    Joshua Sierles committed with josh Feb 12, 2009
Commits on Feb 10, 2009
  1. @jeremy
Commits on Feb 6, 2009
  1. @dhh
  2. @NZKoz

    Handle every error that can come out of the Iconv branch by rescuing and returning nil
    
    [#1195 state:committed]
    
    Conflicts:
    
    	activesupport/lib/active_support/inflector.rb
    NZKoz committed Feb 6, 2009