Commits on Dec 3, 2013
  1. updating the changelog

    tenderlove committed Dec 3, 2013
Commits on Dec 2, 2013
  1. Deep Munge the parameters for GET and POST

    NZKoz committed with tenderlove Nov 30, 2013
    The previous implementation of this functionality could be accidentally
    subverted by instantiating a raw Rack::Request before the first Rails::Request
    was constructed.
    
    Fixes CVE-2013-6417
    
    Conflicts:
    	actionpack/lib/action_dispatch/http/request.rb
  2. Stop using i18n's built in HTML error handling.

    NZKoz committed with tenderlove Oct 31, 2013
    i18n doesn't depend on active support which means it can't use our html_safe
    code to do its escaping when generating the spans.  Rather than try to sanitize
    the output from i18n, just revert to our old behaviour of rescuing the error
    and constructing the tag ourselves.
    
    Fixes: CVE-2013-4491
    
    Conflicts:
    	actionpack/lib/action_view/helpers/translation_helper.rb
    
    Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
  3. Escape the unit value provided to number_to_currency

    NZKoz committed with tenderlove Nov 13, 2013
    Fixes CVE-2013-6415
    
    Previously the values were trusted blindly allowing for potential XSS attacks.
Commits on Dec 1, 2013
  1. Only use valid mime type symbols as cache keys

    tenderlove committed Dec 1, 2013
    CVE-2013-6414
Commits on Oct 16, 2013
  1. Merge branch '3-2-sec' into 3-2-stable

    tenderlove committed Oct 16, 2013
    * 3-2-sec:
      updating changelogs
      bumping to 3.2.15
      bumping to rc3
      Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
      Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
      bumping to rc2
      Merge pull request #12443 from arthurnn/add_inverse_of_add_target
      bumping version to 3.2.15.rc1
      Remove the use of String#% when formatting durations in log messages
    
    Conflicts:
    	activerecord/CHANGELOG.md
  2. updating changelogs

    tenderlove committed Oct 16, 2013
Commits on Oct 15, 2013
  1. bumping to 3.2.15

    tenderlove committed Oct 15, 2013
  2. Merge branch '3-2-15' into 3-2-sec

    tenderlove committed Oct 15, 2013
    * 3-2-15:
      bumping to rc3
      Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"
      Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_target"
      bumping to rc2
      Merge pull request #12443 from arthurnn/add_inverse_of_add_target
      bumping version to 3.2.15.rc1
      Fix STI scopes using benolee's suggestion. Fixes #11939
Commits on Oct 11, 2013
  1. bumping to rc3

    tenderlove committed Oct 11, 2013
Commits on Oct 10, 2013
  1. Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"

    rafaelfranca committed Oct 10, 2013
    This reverts commit ccd11d5, reversing
    changes made to 54c05ac.
    
    Reason: This caused a regression when the associated record is created
    in a before_create callback. See
    #12413 (comment)
  2. Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_ta…

    rafaelfranca committed Oct 10, 2013
    …rget"
    
    This reverts commit 7ed5bdc, reversing
    changes made to 31c79e2.
    
    Reason: this caused a regression when the associated record is created in
    a before_create callback.
    
    See #12413 (comment)
  3. Revert "Merge pull request #12413 from arthurnn/inverse_of_on_build"

    rafaelfranca committed Oct 10, 2013
    This reverts commit ccd11d5, reversing
    changes made to 54c05ac.
    
    Reason: This caused a regression when the associated record is created
    in a before_create callback. See
    #12413 (comment)
  4. Revert "Merge pull request #12443 from arthurnn/add_inverse_of_add_ta…

    rafaelfranca committed Oct 10, 2013
    …rget"
    
    This reverts commit 7ed5bdc, reversing
    changes made to 31c79e2.
    
    Reason: this caused a regression when the associated record is created in
    a before_create callback.
    
    See #12413 (comment)
Commits on Oct 4, 2013
  1. bumping to rc2

    tenderlove committed Oct 4, 2013
  2. Merge pull request #12443 from arthurnn/add_inverse_of_add_target

    rafaelfranca committed Oct 4, 2013
    Add inverse of add target
  3. Merge pull request #12443 from arthurnn/add_inverse_of_add_target

    rafaelfranca committed Oct 4, 2013
    Add inverse of add target
  4. Add back set_inverse_instance on .add_to_target

    arthurnn committed Oct 4, 2013
    We must have it in there too, so when an existent record is being concat to another,
    we will have the inverse relation.
Commits on Oct 3, 2013
  1. Merge pull request #12084 from Ben-M/3-2-stable

    tenderlove committed Oct 3, 2013
    Fix STI scopes using benolee's suggestion. Fixes #11939
  2. Merge branch '3-2-stable' into 3-2-sec

    tenderlove committed Oct 3, 2013
    * 3-2-stable:
      make sure both headers are set before checking for ip spoofing
      Move set_inverse_instance to association.build_record
Commits on Oct 1, 2013
  1. Merge pull request #12410 from tamird/fix-ip-spoof-errors

    pixeltrix committed Oct 1, 2013
    Fix ip spoof errors
Commits on Sep 30, 2013
  1. Remove the use of String#% when formatting durations in log messages

    NZKoz committed with tenderlove Sep 22, 2013
    This avoids potential format string vulnerabilities where user-provided
    data is interpolated into the log message before String#% is called.
  2. Merge pull request #12413 from arthurnn/inverse_of_on_build

    rafaelfranca committed Sep 30, 2013
    Inverse of on build
Commits on Sep 29, 2013
  1. Merge pull request #12375 from arthurnn/inverse_after_find_or_initialize

    rafaelfranca committed Sep 29, 2013
    Inverse after find or initialize
Commits on Sep 28, 2013
  1. Use Ruby 1.8 hash syntax

    rafaelfranca committed Sep 28, 2013
Commits on Sep 26, 2013
  1. fix inverse_of when find_or_initialize_by_*

    arthurnn committed Sep 26, 2013
    inverse_of relation was not being set when calling find_or_initialize_by_ and the entry was
    found on the db.
  2. Merge pull request #12364 from arthurnn/test_fix_validate

    rafaelfranca committed Sep 26, 2013
    Fix query counters when testing with IdentityMap on 3.2
Commits on Sep 25, 2013
  1. Merge pull request #12359 from arthurnn/inverse_on_callbacks

    rafaelfranca committed Sep 25, 2013
    Make sure inverse_of is visible on the has_many callbacks
    Conflicts:
    	activerecord/CHANGELOG.md
    	activerecord/test/models/company.rb
Commits on Sep 12, 2013
  1. Merge pull request #12196 from h-lame/fix-activesupport-cache-filesto…

    rafaelfranca committed Sep 12, 2013
    …re-cleanup
    
    Fix FileStore#cleanup to no longer rely on missing each_key method
    Conflicts:
    	activesupport/CHANGELOG.md
    	activesupport/test/caching_test.rb
  2. Fix FinderMethods#last unscoped primary key

    Eugene Kalenkovich committed with rafaelfranca Aug 21, 2013
    Fixes table.joins(:relation).last(N) breaking on sqlite
    
    Conflicts:
    	activerecord/CHANGELOG.md
    	activerecord/test/cases/finder_test.rb