Commits on Jan 17, 2011
  1. @NZKoz

    Change the CSRF whitelisting to only apply to get requests

    NZKoz authored
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
     X-CSRF-Token: ...
    This fixes CVE-2011-0447
Commits on Nov 27, 2009
  1. @gtd @NZKoz

    Make sure strip_tags removes tags which start with a non-printable ch…

    gtd authored NZKoz committed
    Signed-off-by: Michael Koziarski <>
Commits on Sep 12, 2009
  1. @NZKoz
Commits on Sep 8, 2009
  1. @NZKoz

    1.9 compatible secure_compare

    NZKoz authored
Commits on Sep 4, 2009
  1. @technoweenie
Commits on Aug 31, 2009
  1. @NZKoz

    Clean tag attributes before passing through the escape_once logic.

    NZKoz authored
    Addresses CVE-2009-3009
Commits on Aug 23, 2009
  1. @NZKoz

    Fix timing attack vulnerability in the Cookie Store

    NZKoz authored
    Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
Commits on Feb 25, 2009
  1. @samgranieri @jeremy

    Ruby 1.9 compat: silence a warning about regexp languages

    samgranieri authored jeremy committed
    [#2050 state:committed]
    Signed-off-by: Jeremy Kemper <>
Commits on Feb 22, 2009
  1. @pixeltrix @NZKoz

    Remove hardcoded number_of_captures in ControllerSegment to allow regexp requirements with capturing parentheses

    pixeltrix authored NZKoz committed
  2. @pixeltrix @NZKoz

    Fix requirements regexp for path segments

    pixeltrix authored NZKoz committed
    Signed-off-by: Michael Koziarski <>
Commits on Feb 21, 2009
  1. @moro @jeremy

    fix test data, should specify encoding to use multibyte chars on Ruby 1.9

    moro authored jeremy committed
    Signed-off-by: Jeremy Kemper <>
Commits on Feb 10, 2009
  1. @jeremy
Commits on Feb 5, 2009
  1. @dguettler @josh

    check for template with specified extension but without template handler extension [#1798 state:resolved]

    dguettler authored josh committed
    Signed-off-by: Joshua Peek <>
Commits on Jan 22, 2009
  1. @NZKoz
Commits on Jan 21, 2009
  1. @NZKoz

    Rationalise the session options to one hash, prevents rack or integration tests from seeing incorrect defaults

    NZKoz authored
Commits on Jan 5, 2009
  1. @josh @dhh

    Cache AssetTag timestamps

    josh authored dhh committed
  2. @josh @dhh
Commits on Jan 2, 2009
  1. @dhh

    Make sure #compute_public_path caching allows to return different res…

    dhh authored
    for different given sources [#1471 state:resolved]
Commits on Jan 1, 2009
  1. @dhh

    Fixed the AssetTagHelper cache to use the computed asset host as part of the cache key instead of just assuming it's a string [#1299 state:fixed]

    dhh authored
Commits on Dec 15, 2008
  1. @fcheung @josh

    Fixed session related memory leak [#1558 state:resolved]

    fcheung authored josh committed
    Signed-off-by: Joshua Peek <>
Commits on Nov 30, 2008
  1. @jeremy
Commits on Nov 24, 2008
  1. @geoffgarside @NZKoz

    Test default singleton resource route to ensure it uses GET. This is important if using map.root :resource instead of map.root :resources for some reason.

    geoffgarside authored NZKoz committed
    Signed-off-by: Michael Koziarski <>
  2. @geoffgarside @NZKoz

    Reorder the way in which map.resource routes are added to the set. This prevents the singular named route from hitting :create instead of :show.

    geoffgarside authored NZKoz committed
    Signed-off-by: Michael Koziarski <>
Commits on Nov 23, 2008
  1. @jeremy
  2. @yaroslav @jeremy

    Add i18n for number_to_human_size() helper storage units. Translation key is number.human.storage_units.

    yaroslav authored jeremy committed
    [#1448 state:committed]
    Signed-off-by: Jeremy Kemper <>
  3. @josh
Commits on Nov 21, 2008
  1. @dhh

    Prepped for release

    dhh authored
Commits on Nov 20, 2008
  1. @dhh

    Cleaned up deprecation notices

    dhh authored
  2. @dhh
Commits on Nov 19, 2008
  1. @aaronbatalion @jeremy

    need to make sure the asset type is cached with it in Cache.. name is sufficient, not self

    aaronbatalion authored jeremy committed
    Signed-off-by: Jeremy Kemper <>
  2. @aaronbatalion @josh

    Fixed asset host to not cache objects [#1419 state:resolved]

    aaronbatalion authored josh committed
    Signed-off-by: Joshua Peek <>
  3. @dhh

    Deprecated the :file default for ActionView#render to prepare for 2.3's new :partial default [DHH]

    dhh authored
  4. @hiroshi @dhh

    Let polymorphic_path treat an array containing a single name as without array [#1386 state:committed]

    hiroshi authored dhh committed
    Signed-off-by: David Heinemeier Hansson <>
Commits on Nov 18, 2008
  1. @gtd @NZKoz

    Make optimized named routes respect all reserved options and tie it into UrlRewriter::RESERVED_OPTIONS so it's DRY

    gtd authored NZKoz committed
    Signed-off-by: Michael Koziarski <>
  2. @lukemelia @josh

    Fix rendering html partial via inline render when with :js format [#1399

    lukemelia authored josh committed
    Signed-off-by: Joshua Peek <>