Commits on Jan 8, 2013
  1. bumping version

    tenderlove committed Jan 8, 2013
  2. * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] …

    …* dealing with empty hashes. Thanks Damien Mathieu
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    	activerecord/lib/active_record/relation/predicate_builder.rb
    tenderlove committed Jan 4, 2013
Commits on Dec 23, 2012
  1. bumping to 3.0.18

    tenderlove committed Dec 23, 2012
  2. updating changelogs

    tenderlove committed Dec 23, 2012
Commits on Aug 28, 2012
Commits on Aug 9, 2012
  1. Merge pull request #7308 from amerine/3-0-stable

    Add html_escape note to CHANGELOG
    spastorino committed Aug 9, 2012
  2. Bump to 3.0.17

    spastorino committed Aug 9, 2012
  3. Add CHANGELOG entries

    spastorino committed Aug 9, 2012
  4. Do not mark strip_tags result as html_safe

    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
    spastorino committed Aug 8, 2012
  5. escape select_tag :prompt values

    CVE-2012-3463
    spastorino committed Aug 8, 2012
Commits on Aug 8, 2012
  1. html_escape should escape single quotes

    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
    spastorino committed with tenderlove Aug 1, 2012
Commits on Aug 4, 2012
  1. Backport of fix from #5173 - fixes #7252

    Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
    datatypes, Active Record migrations use TEXT(n) where n is the limit
    specified by the developer. Unfortunately how MySQL interprets n
    depends on the column's encoding so any limit above 5592405 will be
    interpreted as a LONGTEXT when the encoding is UTF-8.
    
    This commit fixes this by interpreting the limit within the adapter
    and using the specific MySQL datatype as appropriate.
    pixeltrix committed Aug 4, 2012
Commits on Jul 26, 2012
  1. bumping to 3.0.16

    tenderlove committed Jul 26, 2012
  2. updating release date

    tenderlove committed Jul 26, 2012
  3. updating changelog with CVE

    tenderlove committed Jul 26, 2012
Commits on Jul 23, 2012
  1. updating changelogs

    tenderlove committed Jul 23, 2012
Commits on Jun 13, 2012
  1. 3.0.15

    tenderlove committed Jun 13, 2012
Commits on Jun 12, 2012
  1. updating changelogs

    tenderlove committed Jun 12, 2012
Commits on Jun 11, 2012
  1. bumping to 3.0.14

    tenderlove committed Jun 11, 2012
  2. Merge branch '3-0-stable-sec' into 3-0-stable-rel

    * 3-0-stable-sec:
      Array parameters should not contain nil values.
      Additional fix for CVE-2012-2661
    tenderlove committed Jun 11, 2012
  3. Fix GH #3163. Should quote database on mysql/mysql2.

    Conflicts:
    
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
    	activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    	activerecord/test/cases/adapters/mysql2/schema_test.rb
    kennyj committed with tenderlove Mar 3, 2012
Commits on Jun 8, 2012
  1. Additional fix for CVE-2012-2661

    While the patched PredicateBuilder in 3.0.13 prevents a user
    from specifying a table name using the `table.column` format,
    it doesn't protect against the nesting of hashes changing the
    table context in the next call to build_from_hash. This fix
    covers this case as well.
    ernie committed with tenderlove Jun 8, 2012
Commits on May 31, 2012
  1. Merge branch '3-0-rel' into 3-0-stable

    * 3-0-rel:
      bumping to 3.0.13
      updating CHANGELOGs
      bumping to 3.0.13.rc1
    tenderlove committed May 31, 2012
  2. Merge branch '3-0-stable-sec' into 3-0-stable

    * 3-0-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
    tenderlove committed May 31, 2012
  3. bumping to 3.0.13

    tenderlove committed May 31, 2012
  4. updating CHANGELOGs

    tenderlove committed May 31, 2012