* 3-2-sec: bumping version CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu Avoid Rack security warning no secret provided Conflicts: actionpack/CHANGELOG.md activerecord/CHANGELOG.md activesupport/CHANGELOG.md
* 3-2-sec: CVE-2012-5664 options hashes should only be extracted if there are extra parameters updating changelog updating the changelogs updating the changelog for the CVE Add release date of Rails 3.2.9 to documentation Conflicts: actionmailer/CHANGELOG.md actionpack/CHANGELOG.md activemodel/CHANGELOG.md activerecord/CHANGELOG.md activeresource/CHANGELOG.md activesupport/CHANGELOG.md railties/CHANGELOG.md
The encoding scheme (e.g. ☠ -> "\u2620") was broken for characters not in the Basic Multilingual Plane. It is possible to escape them for json using the weird encoding scheme of a twelve-character sequence representing the UTF-16 surrogate pair (e.g. '𠜎' -> "\u270e\u263a") but this wasn't properly handled in the escaping code. Since raw UTF-8 is allowed in json, it was decided to simply pass through the raw bytes rather than attempt to escape them. Backport of zbskii@9ace3a8 Conflicts: activesupport/CHANGELOG.md activesupport/lib/active_support/json/encoding.rb activesupport/test/json/encoding_test.rb
This reverts commit c3e186e. Reason: too many incompatibilities make a lot of Rails tests fail in 1.9. Might need more work to get this done properly in 3-2 if necessary.
Setting options in a custom `#as_json` method had side effects. Modifications of the `options` hash leaked outside and influenced the conversion of other objects contained in the hash. Conflicts: activesupport/CHANGELOG.md
Avoid memory leak from unflushed logs on other threads leaving tags behind. Conflicts: activesupport/CHANGELOG.md activesupport/lib/active_support/tagged_logging.rb activesupport/test/tagged_logging_test.rb
…%::z format strings.