  • 247 commits
  • 288 files changed
  • 80 contributors
Apr 17, 2010
Mislav Marohnić mislav cleanup `update/reset_counters`; refactor tests ef0591e
Mislav Marohnić mislav fix `reset_counters` to work even with complex class names
e.g. it guesses that a belongs_to association to Namespace::MyModel is
named "my_model", unlike before where it would look up an association
named "namespace::mymodel" and fail.
May 23, 2010
Jeremy Kemper jeremy Bump 2-3-stable to 2.3.7 55e88ee
Nathan Weizenbaum nex3 Mark all raw HTML being concatted as HTML-safe.
Signed-off-by: Jeremy Kemper <>
Nathan Weizenbaum nex3 Don't always mark the argument to #concat as HTML-safe.
Signed-off-by: Jeremy Kemper <>
Nathan Weizenbaum nex3 Don't incompatibly monkeypatch ERB.
Signed-off-by: Jeremy Kemper <>
Jeremy Kemper jeremy Fix test rendering unmarked but safe HTML ca5f5d9
Jeremy Kemper jeremy Use a non-XSS-protected output buffer for view tests ab2d7c8
Jeremy Kemper jeremy Revert "Don't always mark the argument to #concat as HTML-safe."
This reverts commit e53791f.
Santiago Pastorino spastorino Make use of safe_concat on TextHelper concat
Signed-off-by: Jeremy Kemper <>
Jeremy Kemper jeremy rails_xss handles deprecated String html safety, when installed 3ff921a
Jeremy Kemper jeremy Move tests for deprecated String#html_safe! to plugin 60e82a3
May 24, 2010
Jeremy Kemper jeremy 2.3.7 release: fix rails_xss compatibility 326188c
Jeremy Kemper jeremy Bump 2-3-stable to 2.3.8 f97da34
Mislav Marohnić mislav auto_link: support arbitrary URI schemes like "ftp:" and "file:"
recognizes all URI scheme allowed characters, such as colon and period.

[#3494 state:resolved]
Mislav Marohnić mislav avoid auto_linking already linked emails; more robust detection of li…
…nked URLs

References #1523  [#1862 state:resolved]  [#3591 state:resolved]

Add test that shows how link text can contain HTML if needed:
the trick is using block form in combination with `raw`.
Let link text be automatically HTML-escaped

[#2017 state:resolved]
Lance Ivy cainlevy Ensure auto_link does not ignore multiple trailing punctuations
[#2504 state:resolved]
Jeremy Kemper jeremy Fix that captured content (e.g. with form_for or div_for) would be HT…
…ML-escaped even without the rails_xss plugin installed. Rails 2.3.7, we barely knew ya...
Yehuda Katz wycats Give the ERB String the encoding of the original template 50b7c0c
Yehuda Katz wycats Needs to work on 1.8 too 8e6a044
Santiago Pastorino spastorino Revert "translation method of TranslationHelper module returns always…
… SafeBuffer [#4194 status:resolved]"

This reverts commit 2310aef.

Signed-off-by: José Valim <>
Santiago Pastorino spastorino translation method of TranslationHelper module returns a SafeBuffer A…
…rray backport

[#4675 state:committed]

Signed-off-by: José Valim <>
Jeremy Kemper jeremy Work around strange Ruby 1.9 autoload issue by using absolute load pa…
…ths for tests
Jeremy Kemper jeremy Add global gem task e5af56a
Jeremy Kemper jeremy 2.3.7.pre1: fixes HTML escaping when *not* using rails_xss 4fef5af
Santiago Pastorino spastorino translate helper method using an array is deprecated
Signed-off-by: José Valim <>
José Valim josevalim Ensure translations work with symbols. 50f3754
Jeremy Kemper jeremy Work around strange Ruby 1.9 autoload issue by using absolute load pa…
…ths for tests (ditto for other components' tests)
Santiago Pastorino spastorino Error messages for asserts
Signed-off-by: Jeremy Kemper <>
Jeremy Kemper jeremy Work around strange Ruby 1.9 autoload issue by using absolute load pa…
…ths for tests (for Active Model too)
Jeremy Kemper jeremy HTML safety: fix textarea with nil content 6a9e188
Jeremy Kemper jeremy i18n: t() handles single keys returning an Array, also f7e27bd
Santiago Pastorino spastorino SQLite: forward compatibility with future driver releases

Signed-off-by: Jeremy Kemper <>
May 25, 2010
Xavier Noria fxn get railties/README back to the home page of the API 2ed893b
Jeremy Kemper jeremy Bump 2-3-stable to 2.3.9 9da7ff8
Jeremy Kemper jeremy Shift SafeBuffer#concat responsibility over to rails_xss a815f0c
May 26, 2010
Santiago Pastorino spastorino removes an unneeded alias
Signed-off-by: José Valim <>
May 29, 2010
Michael Koziarski NZKoz Merge commit 'mislav/auto_link_2-3-stable' into 2-3-stable 5796a92
Michael Koziarski NZKoz Merge commit 'mislav/counter_cache_2-3-stable' into 2-3-stable b760d69
Andrew Don't rewrap system level exceptions with StatementInvalid
Signed-off-by: Michael Koziarski <>
[#896 state:committed]
Jun 05, 2010
Xavier Noria fxn deprecates Array#random_element in favor of Array#sample, backported …
…from Ruby 1.9, thanks to Marc-Andre Lafortune
Jun 08, 2010
Prem Sichanugrist sikachu Make sure that rails recognized the full notation of IPv6 loopback ad…
…dress, and recognize in IPv4

[#3257 state:resolved]

Signed-off-by: José Valim <>
Jun 09, 2010
James Le Cuirot chewi Don't overwrite unsaved updates when loading an association but prese…
…rve the order of the loaded records. [#4642 state:resolved]

Signed-off-by: Pratik Naik <>
Jun 10, 2010
Pratik lifo Fix AR perf script e4accde
Jun 18, 2010
Alex MasterLambaster Fix test which prevents connection reset on failing and remove hardco…
…ded connection

[#4689 state:committed]

Signed-off-by: Jeremy Kemper <>
Maxime RETY Fix Yajl backend discovery in ActiveSupport::JSON

Signed-off-by: Jeremy Kemper <>
Jun 20, 2010
James Le Cuirot chewi When not overwriting unsaved updates in nested attributes, allow alre…
…ady-saved records to be refreshed.

Signed-off-by: José Valim <>
Jun 21, 2010
Prem Sichanugrist sikachu Update bundled i18n gem to 0.4.1 to make sure every project will be w…
…arn about using deprecated %{..} interpolation.

This will also make sure that changing {{..}} into %{..} won't break any Rails 2.3.x application, since it would load the vendored version if it doesn't satisfy the version requirement.

Signed-off-by: José Valim <>
Prem Sichanugrist sikachu Change all i18n interpolations from {{...}} to %{...}
This will silence all warnings if there's an i18n version 0.4.x gem installed on the user's machine.

[#4913 state:resolved]

Signed-off-by: José Valim <>
Jun 22, 2010
Jesse Storimer jstorimer CookieStore should preserve the Set-Cookie header Array [#4743 state:…

Signed-off-by: Jeremy Kemper <>
Jeremy Kemper jeremy CI: add i18n gem e703fc1
Jun 23, 2010
Jeff Dean zilkey remove_column should raise an ArgumentError when no columns are passed [#4803 state:resolved]

Signed-off-by: Michael Koziarski <>
Michael Koziarski NZKoz make text_field and hidden_field omit the value attribute if the deve…
…loper explicitly passes in :value => nil [#4839 state:resolved]

Signed-off-by: Michael Koziarski <>


Michael Koziarski NZKoz Revert "make text_field and hidden_field omit the value attribute if …
…the developer explicitly passes in :value => nil [#4839 state:reopened]"

This reverts commit 52c922f
Paweł Kondzior STI should identify itself inside named_scope
[#1570 state:resolved]

Signed-off-by: José Valim <>
Neeraj Singh neerajdotname test for #1570
Signed-off-by: José Valim <>
Maxim Chernyak aka hakunin maxim Fix eager loading of polymorphic has_one associations nested-included…
… under polymorphic belongs_to associations. [#3233 state:resolved]

Signed-off-by: José Valim <>
Neeraj Singh neerajdotname Fragment cache not generating the proper cache key in log
[#4827 state:resolved]

Signed-off-by: José Valim <>
George Montana Harkin harking Fixes #2415 by creating a new instance of the Model when saving attri…
…butes to that model and the associated attributes already exist. Tests included. [#2415 state:resolved]

Signed-off-by: José Valim <>
kane quote scoped columns in validates_uniqueness_of [#4909 state:resolved]
Signed-off-by: José Valim <>
Neeraj Singh neerajdotname fixes to the tests for patch #4909
Signed-off-by: José Valim <>
José Valim josevalim Use size for Ruby 1.8.6 compatibility. 68bfd8a
Jun 24, 2010
Xavier Noria fxn deprecates load_(once_)paths in dependencies and app config in favor …
…of autoload_(once_)paths
Jun 25, 2010
Prem Sichanugrist sikachu Make sure that Rails doesn't resend session_id cookie over and over a…
…gain if it's already there [#2485 state:resolved]

This applies only to the Active Record store and Memcached store, as they both store only the session_id, which will be unchanged, in the cookie.

Signed-off-by: José Valim <>
Paul Mucur mudge Alias ActiveSupport::OrderedHash#update to ActiveSupport::OrderedHash…

This ensures that an OrderedHash's keys are set up appropriately when using update.

[#4973 state:committed]

Signed-off-by: Jeremy Kemper <>
Jun 26, 2010
NagaChaitanya Vellanki chaitanyav Add OrderedHash#invert to preserve order in ruby 1.8
Signed-off-by: José Valim <>
José Valim josevalim Tidy up tests in previous commit since they did not assure an Ordered…
…Hash is returned (the test would pass for an array and would pass by chance for hashes).

[#4875 state:resolved]
Jun 27, 2010
Ev Dolzhenko dolzenko Add module_eval missing file_name and line_number args
[#4712 state:resolved]

Signed-off-by: José Valim <>
Jun 28, 2010
Santiago Pastorino spastorino Don't store incorrect values in zones_map backport
[#4942 state:committed]

Signed-off-by: José Valim <>
Leigh Caplan texel test that unknown zones don't store mapping keys

Signed-off-by: Santiago Pastorino <>
Signed-off-by: José Valim <>
Jun 29, 2010
Prem Sichanugrist sikachu Fix [54a5088] where the i18n gem was wrongly updated to 0.4.1.
I've tested and confirmed that `2-3-stable` will use the vendored `i18n` gem if there's no `i18n` gem with version >= 0.4.1 installed

Signed-off-by: José Valim <>
David Trasbo dtrasbo Only tell users that the Rails gem is missing if it's actually the ca…
…se [#2901 state:committed]

Signed-off-by: José Valim <>
David Trasbo dtrasbo Deprecate ActiveRecord::Base#class_name [#379 state:committed]
Signed-off-by: José Valim <>
Leigh Caplan texel Rewrite the clause to pluck the existing value from zones_map before …
…performing a lookup. [#4942 state:resolved]

Signed-off-by: José Valim <>
Aaron Patterson tenderlove AssociationCollection#create_by_*, find_or_create_by_* work properly …
…now. [#1108 state:resolved]

Signed-off-by: Jeremy Kemper <>
Jun 30, 2010
Jan Berkel jberkel Backported patch from [#4762]
URL fragments should not have safe characters escaped. Ref: Appendix A,

Signed-off-by: José Valim <>
Jul 01, 2010
James Le Cuirot chewi Don't remove scheduled destroys when loading an association.
Signed-off-by: José Valim <>
Aaron Patterson tenderlove fisting Session::AbstractStore#clear to actually clear the session. [#…
…5030 state:resolved]

Signed-off-by: Jeremy Kemper <>
Jul 04, 2010
José Valim josevalim Use bind instead of instance_exec cause it may be causing memory leak…
…s. Also, provide a simpler and sane implementation for scoped. [#5044 state:resolved]
Jul 08, 2010
Mislav Marohnić mislav add missing require to ActiveRecord "base_test.rb"
Signed-off-by: Jeremy Kemper <>
Mislav Marohnić mislav test that ActiveRecord `destroy` and `destroy_all` return destroyed r…

Signed-off-by: Jeremy Kemper <>
Grant Ammons gammons fixes #2362, eager loading :through associations will join the :sourc…
…e model if there are :conditions

Signed-off-by: José Valim <>
Ken Collins metaskills Fix the #using_limitable_reflections? helper to work correctly by not…
… examining the length of an array which contains false/true, hence always passing.

Signed-off-by: José Valim <>
Mike Breen hardbap A generated plugin's tests are not run by 'rake test'
Signed-off-by: José Valim <>
Jul 14, 2010
Jacob Lewallen jlewallen Set destroyed=true in opt locking's destroy [#5058 state:resolved]
Signed-off-by: José Valim <>
Michael Lovitt lovitt Sessions should not be created until written to and session data shou…
…ld be destroyed on reset. [#4938 state:resolved]

Signed-off-by: José Valim <>
Jul 15, 2010
Aaron Patterson tenderlove fixing performance regression from 2.3.5 -> 2.3.8 7b6383f
Jul 16, 2010
Michael Koziarski NZKoz Only skip eager loading the code if dependency_loading is still enabled.
Otherwise rake tasks which depend on environment will get errors about missing constants.
Aaron Patterson tenderlove backporting a couple missing files. sorry folks! 4ae4828
Jul 17, 2010
Jon Yurek jyurek Fix for integration tests not serializing arrays in multipart forms c…

Signed-off-by: wycats <>
Aaron Patterson tenderlove changing fixtures back to superclass_delegating_accessor until we can…
… convert them to class_attributes
Jul 18, 2010
Neeraj Singh neerajdotname update_attribute and updated_attributes! are now wrapped in a transac…

[#922 state:resolved]

Signed-off-by: José Valim <>
Subba Rao Pasupuleti subbarao renaming test name to fix accidental override [#5076 state:resolved]
Signed-off-by: José Valim <>
Jul 25, 2010
Santiago Pastorino spastorino Changes the usage of Object#returning with Object#tap
Signed-off-by: José Valim <>
Santiago Pastorino spastorino Deprecates Object#returning in favor of Object#tap
Signed-off-by: José Valim <>
Santiago Pastorino spastorino Changelog update for Object#responding deprecation
Signed-off-by: José Valim <>
Santiago Pastorino spastorino Changes Object#returning with Object#tap on guides ae63d5c
Jul 26, 2010
Leigh Caplan texel Override new on proxy objects so that they never wrap nil or false. a9ef2fd
Leigh Caplan texel Test to ensure that falsy objects aren't wrapped by deprecation proxies 27651c1
Aug 01, 2010
Santiago Pastorino spastorino Makes form_helper use overriden model accessors backport 8141f08
Aug 03, 2010
Subba Rao Pasupuleti subbarao In nested_attributes when association is not loaded and association r…
…ecord is saved then in memory record attributes should be saved

[#5053 state:resolved]

Signed-off-by: José Valim <>
Aug 05, 2010
Xavier Noria fxn it is no longer true that load_paths are going to be removed in final 15cafbe
Aug 11, 2010
Michael Koziarski NZKoz Revert "Ruby 1.9.2: explicitly raise NoMethodError for attempts at ex…
…plicit coercion"

This reverts commit 64082b3.

This change broke compatibility with 1.8.6 and was only needed for older 1.9.2 versions


Aug 15, 2010
Santiago Pastorino spastorino Making time_zone_options_for_select return a html_safe string master …
Aug 18, 2010
Jeff-Lawson Jeff-Lawson Bug Fix -- clean up connection after stored procedure [#3151 state:re…
…solved] for 2-3-stable
Jeff-Lawson Jeff-Lawson Bug Fix -- clean up connection after stored procedure [#3151 state:re…
…solved] for 2-3-stable
Aug 20, 2010
Xavier Noria fxn revises guides generation add3ccb
Xavier Noria fxn restores railties/README as home page of the API 11361a9
Aug 25, 2010
Mikel Lindsaar mikel Make ActiveResource::InvalidRequestError more user friendly
Signed-off-by: Xavier Noria <>
Aug 29, 2010
Jeremy Kemper jeremy Exclude guides from gem to keep file size small bdace5d
Jeremy Kemper jeremy Prepare for Rails 2.3.9. Release 2.3.9.pre gems. b2c9198
Mikel Lindsaar mikel Updating documentation on ActiveResource HTTP Mock and also adding te…
…st coverage
Mikel Lindsaar mikel Back porting HttpMock test from Rails 3 master 56fdfeb
Mikel Lindsaar mikel Adding option to ActiveResource to allow you to not reset the previou…
…sly stored requests and responses by passing false to respond_to

Backport of commit 2a1b23f on rails/master
Aug 31, 2010
Jeremy Kemper jeremy require 'thread' for Mutex dependency 6f17422
Sep 03, 2010
Ken Collins metaskills Conversion of a two dimensional array that is ruby 1.8.6 safe. Fix pa…
…ren warnings too.

Signed-off-by: Michael Koziarski <>
Sep 04, 2010
Jeremy Kemper jeremy Rails 2.3.9 a61a39e
Sep 08, 2010
Mislav Marohnić mislav fix setting session cookie with activerecord and memcache store
Commit f8f3653 broke setting the session ID cookie for requests without 'HTTP_COOKIE' header
when using activerecord or memcache store. Integration tests didn't catch this because they
always set the HTTP_COOKIE header for mock requests, so now this is changed to only set the
header if there are cookies.

[#5581 state:committed]

Signed-off-by: Santiago Pastorino <>
Sep 09, 2010
Mikel Lindsaar mikel Adding documentation to redirect_to and status code option references 597fb1d
Sep 10, 2010
Erik Michaels-Ober sferik Fix typo in deprecation warning
Object#returning should be Kernel#returning
Erik Michaels-Ober sferik Add support for mysql2 adapter e8b84ab
Andrew Kaspick akaspick Fix fixtures in integration test sessions
Signed-off-by: Michael Koziarski <>
Jeremy Kemper jeremy Ruby 1.9 compat: convert Pathname to string 761c9cd
Emilio Tagua miloops Add more examples in performance script.
[#5610 state:committed]

Signed-off-by: Jeremy Kemper <>
Sep 14, 2010
W. Andrew Loe III loe Only send secure cookies over SSL. 17f2fb4
Sep 24, 2010
Colin Casey colincasey Test for imposed version number as last part of gem directory name fo…
…r frozen gems

[#4295 state:resolved]

Signed-off-by: José Valim <>
Colin Casey colincasey Fix for imposed version number as last part of gem directory name for…
… frozen gems

Signed-off-by: José Valim <>
Sep 27, 2010
Andrew Kaspick akaspick memoized protected methods should remain protected
Signed-off-by: Michael Koziarski <>
Michael Koziarski NZKoz Revert "Makes form_helper use overriden model accessors backport"
This change introduced breakages and test failures.

This reverts commit 8141f08.
Étienne Barrié etiennebarrie Fix add_index with a symbol #4891 bc52d81
Sep 28, 2010
Ryan Wallace rywall Add test to demonstrate failure with eager loading hmt where the asso…
…ciation has an order.
marklazz marklazz Preserving :include options for hmt association with an order but wit…
…hout conditions [#5262 state:resolved]
Sep 30, 2010
Emilio Tagua miloops Use detect instead of select to avoid sh [..] command not found. 1851596
Emilio Tagua miloops Add examples to performance script that were included in version 3. 5a63df2
marklazz marklazz Remove duplication of conditions generated for associations when used…
… in conjunction with named_scopes [#4634 state: resolved]
marklazz marklazz AssociationCollection#include? working properly for objects added wit…
…h build method [#3472 state:resolved]
Aaron Patterson tenderlove fixing space errors fb526a0
Oct 04, 2010
Aaron Patterson tenderlove [#5406 state:resolved] calling the correct method on minitest to obta…
…in the test name
Aaron Patterson tenderlove calling correct method on minitest for test name when teardown callba…
…ck fails
Oct 12, 2010
Geoff Buesing gbuesing require 'uri' in action_controller/url_rewriter [#5555 state:resolved]
Signed-off-by: José Valim <>
Oct 15, 2010
Michael Koziarski NZKoz Revert 7d2173e which introduced a security vulnerability.
This addresses CVE-2010-3933
Michael Koziarski NZKoz Prepare for the 2.3.10 release f5ed5c3
Oct 20, 2010
Toby Cabot ccabot bug 1108: fix a bug with find_or_create_by and additional values
There was a bug with find_or_create_by_x introduced in 2.3.9 - if you
included extra parameters for the create() then those parameters would
confuse the find() so you'd never get to the create().  This patch
filters the parameters so we only pass to find() the subset that it's
interested in.  The code for the filtering was modelled on the code in
base.rb's method_missing().
Toby Cabot ccabot bug 1108: yield to block provided to find_or_create_by_x
Starting in 2.3.8 we stopped yielding to blocks passed in to
find_or_create_by_x methods.  This patch restores that behavior and
adds a case to test it.
Oct 21, 2010
Omar Qureshi omarqureshi Fix AbstractStore so that it preserves Set-Cookie header as an array,…
… rather than as newline separated strings
Aaron Patterson tenderlove removing space errors df78de2
Oct 26, 2010
Andrew White pixeltrix Don't create a deprecation proxy object if the variable was passed in…
… local_assigns [#1671 state:resolved]
Oct 27, 2010
Andrew White pixeltrix Don't write out secure cookies unless the request is secure 25139ac
Nov 03, 2010
Tom Stuart tomstuart Backport BlankSlate removal from ActiveSupport::BasicObject [#5911 st…

This is a backport of dd15a3f.

Signed-off-by: Andrew White <>
Nov 16, 2010
Alexandru Catighera acatighera Fix ActiveRecord calculations when grouped by multiple fields 1681ede
Dec 01, 2010
José Valim josevalim Revert "Fix AbstractStore so that it preserves Set-Cookie header as a…
…n array, rather than as newline separated strings"

This reverts commit 36b91e3.


Pascal Friederich paukul Let Rack::Utils.set_cookie_header! create the Set-Cookie header inste…
…ad of manually fiddling with the response headers [#4941 state:resolved]

Signed-off-by: José Valim <>
Dec 08, 2010
Will Bryant willbryant Don't add non-new records back to the target array after loading targ…
…ets on associations, as that makes destroy_all destroy any created records that don't match the scope destroy_all is called on

Signed-off-by: Michael Koziarski <>
Michael Koziarski NZKoz Revert "In nested_attributes when association is not loaded and assoc…
…iation record is saved then in memory record attributes should be saved"

This reverts commit 12bbc34.

It caused errors when combined with attr_accessible, piggy back attributes fetched by :select, etc.  Leaving it in 3.0, but removing from 2.3
Dec 20, 2010
Michael Koziarski NZKoz Require thread explicitly rather than relying on rubygems to do it. 6d91632
Jan 02, 2011
Mikel Lindsaar mikel Correcting actionmailer guide for Rails 2.3 92fd824
Mikel Lindsaar mikel Updating documentation on ActionMailer base to show a multipart email…
… with attachments
Jan 09, 2011
bluetrans-deploy bluetrans-deploy use Object#class instead of Object#type 08d94d3
Jan 10, 2011
Jeremy Kemper jeremy Revert "use Object#class instead of Object#type"
This reverts commit 08d94d3.
Jan 19, 2011
jrdioko jrdioko Fix doc for #check_box [#6311 state:resolved]
Signed-off-by: Xavier Noria <>
Jamis Buck jamis make TestCaseTest work for pre-1.9 rubies, too 8378a44
Jamis Buck jamis scrub instance variables from test cases on teardown
this prevents test state from accumulating, resulting in leaked
objects and slow tests due to overactive GC.
Jamis Buck jamis rein in GC during tests by making them run (at most) once per second
this can provide a significant performance boost during testing, by
preventing the GC from running too frequently.
Jamis Buck jamis Revert "rein in GC during tests by making them run (at most) once per…
… second"

This reverts commit a0c761d.
Jamis Buck jamis Revert "scrub instance variables from test cases on teardown"
This reverts commit b5cf2b4.
Jamis Buck jamis Revert "make TestCaseTest work for pre-1.9 rubies, too"
This reverts commit 8378a44.
Feb 01, 2011
Aaron Patterson tenderlove fixing invalid yaml [#4418 state:resolved]
Signed-off-by: Jeremy Kemper <>
Feb 09, 2011
Michael Koziarski NZKoz Be sure to javascript_escape the email address to prevent apostrophes…
… inadvertently causing javascript errors.

This fixes CVE-2011-0446
Michael Koziarski NZKoz Change the CSRF whitelisting to only apply to get requests
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
Michael Koziarski NZKoz Prepare for the 2.3.11 release b0c3d45
Aaron Patterson tenderlove rubygems 1.5.0 compatibility. Thanks Tim Serong abc06a2
Feb 20, 2011
Vijay Dev vijaydev fix incorrect version in deprecation message
Signed-off-by: Santiago Pastorino <>
Feb 28, 2011
Rob Di Marco robdimarco Unit test that shows calling reset session twice results in an exception 589ce09
Rob Di Marco robdimarco Fixed bug 6440 by checking that destroy exists on the session 8ca8ac3
Apr 14, 2011
gmarik respect :expire_after option
- it was broken after
- there's also

- also: maybe it worth making Rack understand :expire_after as we
duplicate same logic in [cookie_store](

Signed-off-by: José Valim <>
Apr 27, 2011
Casey Dreier daphonz Fixing dynamic finders on associations to properly send arguments to …
…the find_by_* method. Closes issue #330.

Commit fdfc8e3 introduced a bugfix to prevent additional values passed
to a dynamic find_or_create_by_x methods from confusing the finder.
This patch also broke the essential behavior of this method on an
association by incorrectly sending arguments to the find_by_x methods.
The finder method would always see its inputs as a single array of
values instead of individual arguments, almost guaranteeing that the
finder call would be incorrect, and that we'd always create a new
record instead.

This patch adds a splat operator to the parameter array we send along to
the dynamic finder so that it receives its inputs correctly, and
includes an additional test to ensure that repeated calls to
find_or_create_by_x only creates one new record.
Apr 28, 2011
José Valim josevalim Merged pull request #331 from daphonz/2-3-stable.
Dynamic find_or_create_by_x_and_y always creates new records in Rails 2.3.11
José Valim josevalim Merged pull request #198 from robdimarco/2-3-stable.
Patch for issue 6440 - Session Reset undefined method `destroy' for {}:Hash
May 12, 2011
Ryan Davis zenspider Fix stupid emacsisms. Just makes things more readable. 8d4ca9e
Ryan Davis zenspider Fix broken GemDependency#==. You should ALWAYS check the class! 01a9fbb
Ryan Davis zenspider Removed buggy GemDependency#requirement override. Overrides should NE…
…VER change the semantics of the parent (returning nil if default).
Ryan Davis zenspider Fixed buggy gem activation. Don't pass a dependency to gem, pass the
name and requirement. Better, just activate the spec for the
dependency (1.8 only)
Ryan Davis zenspider Removed the bulk of the deprecations by simply not calling refresh.
This may cause problems. I dunno.
The real solution is to get rid of all of this mess and use gem paths properly.
May 25, 2011
Ryan Davis zenspider + Switched to newer rdoc and gem package tasks (and their requires).
+ Fixed deprecated usage in gemspecs.

Bumped the version to 2.3.12 so I could test locally with actual
installs. If this is bad form for this project, please beat me up and
I'll split them out.
Jun 06, 2011
Aaron Patterson tenderlove find the spec from the source index, then activate it a2a3413
Jun 09, 2011
Brian Cardarella bcardarella Remove deprecation warning for ActiveRecord::Errors#generate_message.…
… This is the same API that ActiveModel ended up using and that won't be changing.
Jun 16, 2011
Andrey Voronkov Antiarchitect Fix OrderedHash merging with block given. b2d4142
Andrey Voronkov Antiarchitect Added tests for OrderedHash merging with block. b1c36b7
Jun 17, 2011
José Valim josevalim Merge pull request #1740 from Antiarchitect/2-3-stable
Fix OrderedHash merging with block given.
Jul 27, 2011
Xavier Noria fxn contrib app minor tweak 78a1fda
Aug 04, 2011
Aaron Patterson tenderlove we should not ignore all gems in here b132992
Aug 16, 2011
Aaron Patterson tenderlove adding notification for rdoc bb99aa1
Aaron Patterson tenderlove fixing response splitting problem 11dafea
Aaron Patterson tenderlove bumping to 2.3.13 dea5a10
Aaron Patterson tenderlove 2.3.14. yay. :'( fb1588c
Aaron Patterson tenderlove fixing sql injection problem 6b46d65
Aaron Patterson tenderlove fixing strip tags vulnerability 60f783d
Aaron Patterson tenderlove fixing utf8 escape vulnerability e0774e4
Dec 27, 2011
Daniel Schierbeck dasch Make Request#remote_ip return nil when HTTP_X_FORWARDED_FOR is empty
If HTTP_X_FORWARDED_FOR only contains whitespace, don't try to extract a
list of IP addresses from it.
Dec 29, 2011
Aaron Patterson tenderlove Merge pull request #4202 from dasch/request-remote-ip
Fix bug in `ActionController::Request#remote_ip`
Dec 31, 2011
Akira Matsuda amatsuda bump up rack version to the one that includes the Hash DoS fix 27a508c
José Valim josevalim Merge pull request #4247 from amatsuda/hashdos_23
bump up rack version to the one that includes the Hash DoS fix
Mar 29, 2012
Chris Strom eee-c Better minimum validates_length_of examples (adapted from master). 2229a7e
Xavier Noria fxn Merge pull request #5653 from eee-c/patch-1
Doc fixes in 2.3: validates_length_of
Jun 13, 2012
Justin Collins Fix SQL injection via nested hashes in conditions 62f81f4
Dec 23, 2012
Aaron Patterson tenderlove CVE-2012-5664 options hashes should only be extracted if there are ex…
…tra parameters
Jan 02, 2013
Mina Naguib Merge remote-tracking branch 'rails/2-3-stable' into 2-3-stable 9baab1f
Aaron Patterson tenderlove Merge pull request #6722 from adgear/2-3-stable
Backported rails 2.3 fix for CVE-2012-2695
Jan 08, 2013
Jeremy Kemper jeremy CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. 70adb96
Aaron Patterson tenderlove bumping to 2.3.15 :cry::gun: 709af05
Jan 17, 2013
Jeremy Kemper jeremy Revert "bump up rack version to the one that includes the Hash DoS fix"
Rack 1.1.3 also changes the Set-Cookie header to expect a
newline-delimited string instead of an Array, which breaks Rails 2.3's
expectations in a variety of ways.

This reverts commit 27a508c.

Jan 20, 2013
Ernie Miller ernie Fix for CVE-2013-0155 7763f39
Jan 22, 2013
John F. Douthat johndouthat Add gemspecs for bundler 06b33a8
Steve Klabnik steveklabnik Merge pull request #9030 from johndouthat/2-3-stable
Add .gemspec files to 2-3-stable to help Bundler
Jan 24, 2013
Aaron Patterson tenderlove fixing load error messages 3dc0cd3
Santiago Pastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba
Aaron Patterson tenderlove Squashed commit of the following:
commit 9ef905f
Author: Rafael Mendonça França <>
Date:   Tue Aug 7 22:38:40 2012 -0300

    Fix tests about single quote escaping

commit 780a718
Author: Santiago Pastorino <>
Date:   Tue Jul 31 22:25:54 2012 -0300

    html_escape should escape single quotes
    Closes #7215

Aaron Patterson tenderlove backporting deep_munge 61eed87
Aaron Patterson tenderlove removing [nil] from the params ac94515
Jan 28, 2013
Michael Koziarski NZKoz Add an OkJson backend and remove the YAML backend
Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
Aaron Patterson tenderlove bumping version 1169552
pietro pietro Bump version on gemspecs too. 40fdc15
Carlos Antonio da Silva carlosantoniodasilva Merge pull request #9099 from pietro/2-3-gemspec-bump
Bump version on 2.3 gemspecs too.
Feb 02, 2013
Morgan Currie morgancurrie use the decimal HTML escape code for single quotes instead of the hex…
… one so webkit-based browsers properly translate the code in form fields
Rafael Mendonça França rafaelfranca Fix the tests related with single quotes being escaped
Closes #9144
Fixes #9145
Feb 05, 2013
Kelly Stannard kwstannard Docs: Fixed bad exists? documentation.
Base#exists? does not actually take options like finder methods. Trying
to use what the documentation suggests will return a PG error because it
will look for a column named 'conditions'.

I changed the documentation to reflect how the exists? method actually
Feb 06, 2013
Xavier Noria fxn Merge pull request #9194 from kwstannard/2-3-stable
Docs: Fixed bad exists? documentation.
Feb 09, 2013
Aaron Patterson tenderlove fixing attr_protected CVE-2013-0276 9a48f4c
Aaron Patterson tenderlove adding test for CVE f8a2ec2
Feb 10, 2013
Tobias Kraze kratob fix serialization vulnerability 5cfe833
Aaron Patterson tenderlove bumping to 2.3.17 02d553d
Feb 11, 2013
David Silva Davidslv Update activesupport/lib/active_support/core_ext/time/calculations.rb
Just maintaining the coherence with other methods, since everything has "at_" as prefix.
Carlos Antonio da Silva carlosantoniodasilva Merge pull request #9251 from Davidslv/patch-1
Add alias to maintain coherence with other methods, in end_of_day
Carlos Antonio da Silva carlosantoniodasilva Revert "Merge pull request #9251 from Davidslv/patch-1"
This reverts commit d6adcb4, reversing
changes made to 2e4aa39.

Reason: merged to unmaintained branch.
Aaron Patterson tenderlove Merge branch '2-3-sec' into 2-3-stable
* 2-3-sec:
  bumping to 2.3.17
  fix serialization vulnerability
  fixing attr_protected CVE-2013-0276
Feb 16, 2013
Xavier Noria fxn Revert "Switched to newer rdoc and gem package tasks (and their requi…

This is a manual revert of commit 79aa54d, since the commit itself touches
in addition some version numbers.

API generation before Rails 3 uses the Jamis template, which requires an
old version of RDoc. To generate the API you need Rake 0.8.x or 0.9.x,
and the RDoc distributed with 1.8.7 (version 1.0.1).
Mar 15, 2013
Aaron Patterson tenderlove stop calling to_sym when building arel nodes [CVE-2013-1854] ef9f053
Charlie Somerville charliesome fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
Aaron Patterson tenderlove fix protocol checking in sanitization [CVE-2013-1857]
Mar 18, 2013
Aaron Patterson tenderlove Revert "Revert "Switched to newer rdoc and gem package tasks (and the…
…ir requires).""

I can't build the gems without reverting this commit.

This reverts commit dad3109.
Aaron Patterson tenderlove bumping to 2.3.18 3773c2f
Apr 04, 2013
Xavier Noria fxn Revert "Revert "Revert "Switched to newer rdoc and gem package tasks …
…(and their requires)."""

We need an old RDoc to be able to generate the API.

This reverts commit af7da4d.
Xavier Noria fxn enforces rake 0.8.0 in the Rakefile 3229a51
Xavier Noria fxn removes the obsolete task pdoc c1def53
Xavier Noria fxn typo 08d83a9
Apr 09, 2013
Aaron Patterson tenderlove Merge branch '2-3-later' into 2-3-stable
* 2-3-later:
  adding test for CVE
Apr 22, 2013
Xavier Noria fxn allow the branch to be managed with a modern rake 89322cd