Commits on Aug 28, 2012
Commits on Aug 9, 2012
  1. Merge pull request #7308 from amerine/3-0-stable

    spastorino committed Aug 9, 2012
    Add html_escape note to CHANGELOG
  2. Bump to 3.0.17

    spastorino committed Aug 9, 2012
  3. Add CHANGELOG entries

    spastorino committed Aug 9, 2012
  4. Do not mark strip_tags result as html_safe

    spastorino committed Aug 8, 2012
    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
  5. escape select_tag :prompt values

    spastorino committed Aug 8, 2012
    CVE-2012-3463
Commits on Aug 8, 2012
  1. html_escape should escape single quotes

    spastorino committed with tenderlove Aug 1, 2012
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
Commits on Aug 4, 2012
  1. Backport of fix from #5173 - fixes #7252

    pixeltrix committed Aug 4, 2012
    Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
    datatypes, Active Record migrations use TEXT(n) where n is the limit
    specified by the developer. Unfortunately how MySQL interprets n
    depends on the column's encoding so any limit above 5592405 will be
    interpreted as a LONGTEXT when the encoding is UTF-8.
    
    This commit fixes this by interpreting the limit within the adapter
    and using the specific MySQL datatype as appropriate.
Commits on Jul 26, 2012
  1. bumping to 3.0.16

    tenderlove committed Jul 26, 2012
  2. updating release date

    tenderlove committed Jul 26, 2012
  3. updating changelog with CVE

    tenderlove committed Jul 26, 2012
Commits on Jul 23, 2012
  1. updating changelogs

    tenderlove committed Jul 23, 2012
Commits on Jun 13, 2012
  1. 3.0.15

    tenderlove committed Jun 13, 2012
Commits on Jun 12, 2012
  1. updating changelogs

    tenderlove committed Jun 12, 2012
Commits on Jun 11, 2012
  1. bumping to 3.0.14

    tenderlove committed Jun 11, 2012
  2. Merge branch '3-0-stable-sec' into 3-0-stable-rel

    tenderlove committed Jun 11, 2012
    * 3-0-stable-sec:
      Array parameters should not contain nil values.
      Additional fix for CVE-2012-2661
  3. Fix GH #3163. Should quote database on mysql/mysql2.

    kennyj committed with tenderlove Mar 3, 2012
    Conflicts:
    
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
    	activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    	activerecord/test/cases/adapters/mysql2/schema_test.rb
Commits on Jun 8, 2012
  1. Additional fix for CVE-2012-2661

    ernie committed with tenderlove Jun 8, 2012
    While the patched PredicateBuilder in 3.0.13 prevents a user
    from specifying a table name using the `table.column` format,
    it doesn't protect against the nesting of hashes changing the
    table context in the next call to build_from_hash. This fix
    covers this case as well.
Commits on May 31, 2012
  1. Merge branch '3-0-rel' into 3-0-stable

    tenderlove committed May 31, 2012
    * 3-0-rel:
      bumping to 3.0.13
      updating CHANGELOGs
      bumping to 3.0.13.rc1
  2. Merge branch '3-0-stable-sec' into 3-0-stable

    tenderlove committed May 31, 2012
    * 3-0-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
  3. bumping to 3.0.13

    tenderlove committed May 31, 2012
  4. updating CHANGELOGs

    tenderlove committed May 31, 2012
  5. Merge branch '3-0-stable-sec' into 3-0-rel

    tenderlove committed May 31, 2012
    * 3-0-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
Commits on May 30, 2012
  1. Strip [nil] from parameters hash.

    tenderlove committed May 30, 2012
    Thanks to Ben Murphy for reporting this!
    
    CVE-2012-2660
    
    Conflicts:
    
    	actionpack/lib/action_dispatch/http/request.rb
  2. predicate builder should not recurse for determining where columns.

    tenderlove committed May 30, 2012
    Thanks to Ben Murphy for reporting this
    
    CVE-2012-2661
Commits on May 28, 2012
  1. bumping to 3.0.13.rc1

    tenderlove committed May 28, 2012
Commits on May 27, 2012
Commits on May 26, 2012
  1. Merge pull request #6495 from homakov/3-0-stable

    rafaelfranca committed May 26, 2012
    auto_link shouldn't always sanitize