  • 1,297 commits
  • 301 files changed
  • 45 comments
  • 59 contributors
This comparison is big! We're only showing the most recent 250 commits
Jul 08, 2011
Destroy association habtm record before destroying the record itself. Fixes issue #402.
28f057c
Jul 11, 2011
Jon Leighton Merge pull request #1797 from kuahyeow/3-0-stable
Through association condition clobbers join condition
fc4bce1
Aaron Patterson Merge pull request #1607 from bradrobertson/pg_adapter
fix table_exists? in postgresql adapter to always use current search_path
9a4d2b2
Jul 12, 2011
Thong Kuah Fix for 3-0-stable - Conditions specified on through association shouldn't clobber association join condition.

This fix refactors processing of association join conditions so that both the join condition and the custom condition will be used when called by query_methods.rb, which expects a 1 or 2-sized array (depending on the type of association). Previously, a custom condition specified would create a 2 or 3-sized array which will clobber the association join condition.
caec639
Jul 15, 2011
Lauri Hahne fixed CacheHelper to properly support html_safe output buffers c476a6b
Jul 16, 2011
Evan Light Fixes #2064
Backport of cache_key fix from master
b1b5d18
Santiago Pastorino Merge pull request #2064 from elight/3-0-stable
Backports cache_key fix from master
247a50b
Daniel Dyba Changed Commands module to RailsCommands.
This is to avoid a conflict that occurs when you add Rake to
your Gemfile. There is a Commands Object in Rake that conflicts
with the Commands module in plugin.rb. See rails issue #1866.
c2d3a43
Jul 17, 2011
Lauri Hahne Added tests for the output_buffer returned by CacheHelper
The output_buffer returned by CacheHelper should be html_safe if the original buffer is html_safe.
bc5ccd0
Lauri Hahne made sure that the possible new output_buffer created by CacheHelper is of the same type as the original
39a4f67
Prem Sichanugrist Fix a wrong assertion on url_helper_test, and refactor `html_safe` test to be in its method
2cb29fa
Santiago Pastorino Merge pull request #2047 from sikachu/3-0-stable-test_fix
Fix a wrong assertion on url_helper_test, and add missing `#html_safe?` a
1220b16
Daniel Dyba Substituted RailsCommands for Rails::Commands 71c010d
Jul 18, 2011
Jesse Storimer Ensure that status codes are logged properly
Needed to move AC::Metal::Instrumentation before AM::Metal::Rescue
so that status codes rendered from rescue_from blocks are logged
properly.
5e64538
Santiago Pastorino Merge pull request #2134 from jstorimer/ensure-status-codes-are-logged-properly-3-0-stable

Ensure status codes are logged properly (for 3-0-stable)
a6139b9
Josh Kalderimis This fixes an issue when bundling to a local path (eg. /vendor/bundle).
If you bundle to a local path bundler is not included in it, so
calling "gem 'bundler'" will fail.

Conflicts:

	load_paths.rb
9ade587
Josh Kalderimis Added a .travis.yml config and travis specific ci script.
Don't install ruby-debug if running the test suite on Travis,
linecache19 is the main offender, very very slow.

And do not install pg if Travis is bundling the gems, pg will be setup
on Travis soon.

Conflicts:

	Gemfile
047b979
Jul 21, 2011
Xavier Noria I actually love well-formed Gemfiles 80b1f9e
Jul 22, 2011
Karunakar (Ruby) Duplicate tests removed. bd804d7
Santiago Pastorino Merge pull request #2183 from castlerock/3-0-stable-duplicate_test
3 0 stable duplicate test
c39bd5f
Jul 23, 2011
Arun Agrawal fixed task for rake test:uncommitted b490fd8
Santiago Pastorino Merge pull request #2205 from arunagw/test_un_3_0_stable
rake test:uncommitted for 3-0-stable
19d9689
Santiago Pastorino Merge pull request #2080 from lhahne/3-0-stable
Fix improper detection and handling of html_safe buffer in CacheHelper
eead13f
Jul 25, 2011
Arun Agrawal Fix rake rails:template to tell user to pass LOCATION variable. edfcf47
Santiago Pastorino Merge pull request #2249 from arunagw/rake_template_path_fix
Rake template path fix
56c663b
Jul 26, 2011
Josh Kalderimis enable Travis CI irc notifications to #rails-contrib on irc.freenode.org 64c269a
Santiago Pastorino Merge pull request #2289 from joshk/3-0-stable
More Irc notifications (from Travis with love, again)
e18e896
Santiago Pastorino Remove cruise files 43e6f82
Jul 27, 2011
Xavier Noria contrib app minor tweak e93cff8
Jul 28, 2011
Akira Matsuda callback methods are Class methods a8aa666
Santiago Pastorino Merge pull request #2320 from amatsuda/callback_deprecation_message
callback methods are Class methods
a33fe79
Jul 29, 2011
Aaron Patterson dump IO encoding value along with schema.rb so the file can be reloaded. fixes #1592
6c0beb5
Bhavin fix connection not established error while running rake task
db:schema:dump
5d7ed7a
Aaron Patterson default writing the schema file as utf-8 3676af4
Aaron Patterson updating changelog with schema.rb changes 6631abd
Aaron Patterson delay backtrace scrubbing until we actually raise an exception. fixes #… b9f6798
Aaron Patterson updating the CHANGELOG 553d9ea
Jul 31, 2011
Arun Agrawal skipping magic comment test. checking encoding_aware?
Loading AS encoding.
b0334db
Santiago Pastorino Merge pull request #2374 from arunagw/30_schema_dumper_test_fix
3-0-stable schema dumper test fix
cb36585
Santiago Pastorino Merge pull request #2381 from vijaydev/rakeaboutfix3.0
Fix #2368 (3-0-stable)
564d39e
Aug 01, 2011
Vijay Dev fixes #2368. rake about not showing the middleware, db adapter and db schema version
773d219
Santiago Pastorino Merge pull request #2393 from bdurand/fix_cache_read_multi
Fix ArgumentError in ActiveSupport::Cache::CacheStore.read_multi
a173bb3
Aug 04, 2011
Jon Leighton Quote these dates to prevent intermittent test failure. Suppose local time is 00:50 GMT+1. Without the quoting, the YAML parser would parse this as 00:50 UTC, into the local time of 01:50 GMT+1. Then, it would get written into the database in local time as 01:50. When it came back out the UTC date from the database and the UTC date of two weeks ago would be compared. The former would be 23:50, and the latter would be 00:50, so the two dates would differ, causing the assertion to fail. Quoting it prevents the YAML parser from getting involved.
e42c544
Aaron Patterson we should not ignore all gems in here df6b1e2
Aaron Patterson updating CHANGELOGs f54d0cf
Aaron Patterson more changelog updates 9d17458
Aaron Patterson bumping to 3.0.10.rc1 521c9aa
Aug 05, 2011
Xavier Noria backports doc fix 9f9446f e0b0da2
Aug 06, 2011
Santiago Pastorino Merge pull request #2450 from guilleiguaran/activesupport-gzip-1.8
Fix ActiveSupport::Gzip under Ruby 1.8.7. Closes #2416
65a648b
Aug 07, 2011
Jason Weathered Fix marshal round-tripping of fractional seconds (Time#subsec). 1f63606
Aug 11, 2011
Remove 'parameters_for_url' from 'form_tag' method signature 11f6531
Santiago Pastorino Merge pull request #2494 from grzuy/3-0-stable
Porting changes on form_tag method signature to 3-0-stable
f45c372
Aug 15, 2011
Jon Leighton Update travis config on @joshk's instructions 4c8a211
Aug 16, 2011
Aaron Patterson Properly escape glob characters. e0c03f8
Aaron Patterson prevent sql injection attacks by escaping quotes in column names fb4747b
Aaron Patterson Tags with invalid names should also be stripped in order to prevent
XSS attacks.  Thanks Sascha Depold for the report.
3480d97
Aaron Patterson properly substituting bad utf8 characters b45dfc7
Aaron Patterson bumping rails to 3.0.10 4f15f39
Aaron Patterson Merge branch '3-0-10' into 3-0-stable
* 3-0-10:
  bumping rails to 3.0.10
  properly substituting bad utf8 characters
  Tags with invalid names should also be stripped in order to prevent XSS attacks.  Thanks Sascha Depold for the report.
  prevent sql injection attacks by escaping quotes in column names
  Properly escape glob characters.
  bumping to 3.0.10.rc1
  more changelog updates
  updating CHANGELOGs
0b37704
Aug 21, 2011
José Valim Edited .travis.yml via GitHub 0ebdef2
Aug 22, 2011
Santiago Pastorino Merge pull request #2524 from JonathonMA/fix_ecd37084b28a05f05251
Use mysql_creation_options inside rescue block
c8ec8f7
Aaron Patterson Merge pull request #1995 from guilleiguaran/prototype-ujs-fix
Prototype rails.js fixes for 3-0-stable
d7d0c25
Aug 30, 2011
Arun Agrawal MySQL2 Bump to 0.2.13 941a9d0
Aaron Patterson Merge pull request #2744 from arunagw/mysql2_bump
Mysql2 bump
0195846
Aug 31, 2011
Aaron Patterson use String#start_with? rather than creating regexps or comparing character values
b550ecc
Sep 01, 2011
Aaron Patterson * Psych errors with poor yaml formatting are proxied. Fixes #2645, #2731 f2aa46b
Sep 04, 2011
Santiago Pastorino * is not allowed in windows file names. Closes #2574 #2847 59a64a8
Sep 07, 2011
Andrew Kaspick fix assert_select_email to work on non-multipart emails as well as converting the Mail::Body to a string to prevent errors.
8094d29
Andrew Kaspick assert_select_email entry cf0ea79
Andrew Kaspick fix exists? to return false if passed nil (which may come from a missing URL param)
15dcdf6
Andrew Kaspick entry for fixing exists? 3e00e49
Jon Leighton Merge pull request #2919 from akaspick/exists_fix_3_0
fix exists? to return false if passed nil (backport to 3-0-stable)
9ef9f98
Andrew Kaspick more descriptive CHANGELOG entry c7f3429
Jon Leighton Merge pull request #2918 from akaspick/assert_select_email_fix_3_0
assert_select_email fix for 3-0-stable
3a3344a
Dmitriy Kiriyenko Do not use default_scope in ActiveRecord::Persistence#touch. 4364157
Dmitriy Kiriyenko This way asserting that updated_at was changed in touch look more obvious.
d93213f
Sergio Gil Pérez de la Manga Update changelog for 'Backport "ActiveRecord::Persistence#touch should not use default_scope" (pull request #1519)'
de178df
Sep 08, 2011
Andrew Kaspick when calling url_for with a hash, additional (likely unwanted) values (such as :host) would be returned in the hash... calling #dup on the hash prevents this
45b7731
Andrew Kaspick fix url_for to not add additional unwanted options when called with a hash
a8cfc99
José Valim Merge pull request #2939 from akaspick/url_for_fix_3_0
fix url_for when passing a hash to prevent unwanted additional values being added to the hash (backport to 3-0-stable)
f863af9
Guillermo Iguaran Updating changelogs in 3-0-stable 5c10a53
Vijay Dev Merge pull request #2682 from guilleiguaran/3-0-stable-changelogs
Update changelogs (3-0-stable)
9c2ff32
Sep 09, 2011
Aaron Patterson Exceptions from database adapters should not lose their backtrace. a748c60
Sep 10, 2011
Vijay Dev fix assert message 813e288
Sep 11, 2011
Trent Ogren prevent errors when passing a frozen string as a param to ActionController::TestCase#process

since ActionDispatch::Http::Parameters#encode_params will force encoding on all params strings (when using an encoding aware Ruby), dup all strings passed into process.  This prevents modification of params passed in and, more importantly, doesn't barf when a frozen string is passed
thanks and high fives to kinsteronline
78a4aea
Sep 12, 2011
Pratik Don't use association proxy#reload to load the target for the first time 378ce0e
Sep 27, 2011
Philip Arndt Fixes #3087 by removing autoload for non-existent DeprecatedBlockHelpers 0dd7411
José Valim Merge pull request #3142 from parndt/3-0-stable
Fixes #3087
1000ada
Oct 03, 2011
Jeremy Kemper Merge pull request #2801 from jeremyevans/patch-1
Fix obvious breakage of Time.=== for Time subclasses
87bbf48
Oct 05, 2011
Fix spelling in doc:app rake task 346973e
Akira Matsuda override unsafe methods only if defined on String 984d031
Akira Matsuda ruby193: String#prepend is also unsafe 543b587
Oct 06, 2011
Vijay Dev Merge pull request #3233 from benolee/fix_spelling_in_doc_app_rake_task
Fix spelling in doc:app rake task
e2c03bf
Oct 14, 2011
Arun Agrawal activerecord/sqlnet.log into gitignore when running with oracle. 68ae66d
Oct 17, 2011
Vijay Dev Merge pull request #3330 from arunagw/ignore_sqlnet_3-0-stable
Ignore sqlnet 3 0 stable
fd67735
Nov 01, 2011
Josh Kalderimis Remove a circular require in AS deprecations. This is safe as AS deprecations is autoloaded as needed.
394dd6f
Nov 15, 2011
Added a missing parameter to relative_url_root= that was causing an ArgumentError: wrong number of arguments (1 for 0) to be thrown at actionpack-3.0.10/lib/action_controller/railtie.rb:54.
328ae5b
Nov 16, 2011
Yehuda Katz Merge pull request #3646 from mhuffnagle/3-0-stable
Fix for relative_url_root= missing parameter (issue 3645)
6122924
Aaron Patterson Merge pull request #2122 from dyba/3-0-stable
Issue #1866: Changed Commands module to RailsCommands.
b81c3f7
Aaron Patterson Revert "Merge pull request #2122 from dyba/3-0-stable"
This reverts commit b81c3f7, reversing
changes made to 6122924.
2ba0309
Nov 17, 2011
Arun Agrawal Mysql2 version bump!
I saw one bug fixed here 

brianmario/mysql2@e60599b
4e72f59
José Valim Merge pull request #3655 from arunagw/mysql_bump_3-0-stable
Mysql bump 3 0 stable
de44773
Jon Leighton Use broken YAML that will fail with Syck as well as Psych. Fixes test_broken_yaml_exception in fixtures_test.rb on Ruby 1.8.7.

Cherry-pick from 3-1-stable: b8d4692

Conflicts:

	activerecord/test/cases/fixtures_test.rb
961b4a0
Jon Leighton Implement a workaround for a bug in ruby-1.9.3p0.
The bug is that an error would be raised while attempting to convert a
template from one encoding to another.

Please see http://redmine.ruby-lang.org/issues/5564 for more details.

The workaround is to load all conversions into memory ahead of time,
and will only happen if the ruby version is *exactly* 1.9.3p0. The
hope is obviously that the underlying problem will be resolved in
the next patchlevel release of 1.9.3.

Conflicts:

	actionpack/CHANGELOG.md
a03f018
Sergey Nartimov _html translation should escape interpolated arguments
Conflicts:

	actionpack/CHANGELOG.md
ba2d850
Aaron Patterson removing stubs. 1.9.3 implements Date.today in C so mocking the return value of Time.now does nothing
0e9910e
Aaron Patterson fixing test case test on 1.9.3dev 618300e
Nov 18, 2011
Jon Leighton Preparing for 3.0.11 release 66a4beb
Nov 19, 2011
Jon Leighton Don't html-escape the :count option to translate if it's a Numeric. Fixes #3685.

Conflicts:

	actionpack/CHANGELOG.md

Conflicts:

	actionpack/CHANGELOG.md
13ad879
Nov 30, 2011
Arun Agrawal ActiveModel confirmation validator fix fixes #1152
If you have an ActiveModel class that has a 
method email_address_confirmation. 
This method is being overwritten by the 
method defined in the Confirmation validator.
be8485e
José Valim Merge pull request #3805 from arunagw/active_model_patch_3-0-stable
Active model patch 3 0 stable
9ebacf3
Dec 03, 2011
Sam Umbach Test return value of ActiveSupport::Dependencies::Loadable#require
- Add tests to protect from regressions in require's return value behavior
- See a10606c (require needs to return true or false) for the original bug fix
dea2e9c
Sam Umbach Test return value of ActiveSupport::Dependencies::Loadable#load 9effced
Sam Umbach Test that require and load raise LoadError if file not found 0531e26
Sam Umbach Simplify load and require tests
- These tests don't use autoloading so there's no need to add anything to autoload_paths
289ae94
Aaron Patterson require needs to return true or false. thank you Ryan "zenspider" Davis 8fabf78
Aaron Patterson `load` should also return the value from `super` cc3fb2e
Aaron Patterson Merge pull request #3846 from sumbach/backport-load-and-require-fixes-to-3-0

Backport load and require fixes to 3 0
36b6c52
Jon Leighton Enable postgres on the CI :heart::beer::sparkles:
Conflicts:

	Gemfile
51dcf85
Dec 17, 2011
Santiago Pastorino Sync .travis.yml with master 10c8e8d
José Valim Update .travis.yml ad9a0e3
Dec 18, 2011
Jon Leighton Prefix newly added method to avoid breaking people's apps.
See
378ce0e

Fixes #3921.
b7e45c3
Dec 19, 2011
Jon Leighton Don't notify campfire when the build keeps passing ab05e2b
Dec 20, 2011
Santiago Pastorino Merge pull request #4031 from arunagw/3-0-stable
3 0 stable travis sync
ce650ee
Dec 31, 2011
Akira Matsuda bump up rack version to the one that includes the Hash DoS fix 7e03b9d
José Valim Merge pull request #4246 from amatsuda/hashdos_30
bump up rack version to the one that includes the Hash DoS fix
a048568
Jan 06, 2012
José Valim Merge pull request #4372 from arunagw/fixed_failing_test
Fixed failing test
d4c26c4
Jan 07, 2012
Arun Agrawal Fixed failing test for ruby-1.8.7-p357
See #4292
91a9b24
Jan 24, 2012
Aaron Patterson Merge pull request #4514 from brainopia/update_timezone_offets
Update time zone offset information
c67ff97
Feb 15, 2012
Andy Pliszka Bugfix circular reference while saving has_one relationship a97cf75
Feb 16, 2012
Andy Pliszka Test for circular reference while saving has_one relationship 389d1c5
Feb 20, 2012
Sergey Nartimov fix output safety issue with select options 5b4082f
Akira Matsuda add AS::SafeBuffer#clone_empty e50ee96
Akira Matsuda use AS::SafeBuffer#clone_empty for flushing the output_buffer 6adc417
Feb 22, 2012
Jon Leighton Merge commit 'v3.0.11' into 3-0-stable 67b6847
Aaron Patterson updating RAILS_VERSION 2935435
Feb 25, 2012
Noah Hendrix Fixed typo in composed_of example with Money#<=>, was comparing amount itself instead of other_money.amount
c4f9264
Feb 29, 2012
José Valim Ensure [] respects the status of the buffer. 917fd1a
Mar 01, 2012
Aaron Patterson Merge branch '3-0-stable-security' into 3-0-12
* 3-0-stable-security:
  Ensure [] respects the status of the buffer.
  use AS::SafeBuffer#clone_empty for flushing the output_buffer
  add AS::SafeBuffer#clone_empty
  fix output safety issue with select options
9435f5a
Aaron Patterson bumping to 3.0.12 9d6377e
Aaron Patterson Merge branch '3-0-12' into 3-0-stable
* 3-0-12:
  bumping to 3.0.12
  Ensure [] respects the status of the buffer.
  updating RAILS_VERSION
  use AS::SafeBuffer#clone_empty for flushing the output_buffer
  add AS::SafeBuffer#clone_empty
  fix output safety issue with select options
eeb715a
Mar 02, 2012
Carlos Antonio da Silva Stop SafeBuffer#clone_empty from issuing warnings
Logic in clone_empty method was dealing with old @dirty variable, which
has changed by @html_safe in this commit:
139963c

This was issuing a "not initialized variable" warning - related to:
#5237

The logic applied by this method is already handled by the [] override,
so there is no need to reset the variable here.
f1c6037
Mar 07, 2012
Arun Agrawal fixed test when running with latest 1.8.7-p357 and ree f8f873a
Santiago Pastorino Merge pull request #5319 from arunagw/fix_test_ree
Fix test ree 3-0-stable
61335d6
Mar 15, 2012
Aaron Patterson Merge pull request #5456 from brianmario/redirect-sanitization
Strip null bytes from Location header
Conflicts:

	actionpack/test/controller/redirect_test.rb
d14319c
Aaron Patterson Merge pull request #5457 from brianmario/typo-fix
Fix typo in redirect test
8645745
Mar 22, 2012
Carlos Antonio da Silva Add order to tests that rely on db ordering, to fix failing tests on pg
Also skip persistence tests related to UPDATE + ORDER BY for postgresql

PostgreSQL does not support updates with order by, and these tests are
failing randomly depending on the fixture loading order now.

Conflicts:

	activerecord/test/cases/associations/join_model_test.rb
	activerecord/test/cases/associations/nested_through_associations_test.rb
	activerecord/test/cases/clone_test.rb
	activerecord/test/cases/dup_test.rb
	activerecord/test/cases/relations_test.rb
	activerecord/test/cases/yaml_serialization_test.rb
a9fdefd
Carlos Antonio da Silva Fix more failing tests related to ruby 1.8.7 p358 version change f748d36
Mar 23, 2012
José Valim Merge pull request #5565 from carlosantoniodasilva/fix-build-3-0
Fix build for branch 3-0-stable
728a65d
Mar 24, 2012
Arun Agrawal Build fix for form_options_helper_test.rb ruby-1.8.7 00726ea
Mar 26, 2012
Carlos Antonio da Silva Fix AV::FixtureResolver and rjs tests with random order errors
Due to the hash ordering changes on Ruby 1.8.7-p358.
9698312
Aaron Patterson Merge pull request #2621 from icco/master
Issue with schema dump
3627cfa
Mar 27, 2012
José Valim Merge pull request #5600 from carlosantoniodasilva/fix-build-3-0
Fix build for branch 3-0-stable - failing in ruby 1.8.8-p358
5790269
Emilio Tagua Silence warnings here, only setting Encoding.default_external for testing.
923ba31
Emilio Tagua Use helper method here. caebe85
Aaron Patterson load the encoding converter to work around [ruby-core:41556] when switching encodings
289fe76
Arun Agrawal Fix broken encoding test 4c9dec4
José Valim Avoid inspecting the whole route set, closes #1525 e0362f7
Aaron Patterson Merge pull request #5613 from carlosantoniodasilva/fix-build-3-0-193
Fix build for branch 3-0-stable - Ruby 1.9.3
29320dc
Mar 29, 2012
Yasuo Honda Address an error for test_has_many_through_polymorphic_has_one
with Oracle for the 3-0-stable branch
60272ae
Santiago Pastorino Merge pull request #5655 from yahonda/address_ora_00918_with_oracle_for_3_0

Address an error for test_has_many_through_polymorphic_has_one with Oracle
72dc7ae
Carlos Antonio da Silva Fix failing ARes test due to hash keys ordering d44ffb2
Jeremy Kemper Merge pull request #5659 from carlosantoniodasilva/fix-build-3-0
Fix build for branch 3-0-stable - ARes and ordered hash keys
f47a303
Apr 30, 2012
Yehuda Katz Merge pull request #5044 from dracco/3-0-stable
Backport Bugfix: Stack Overflow (3-0-stable)
51582fe
Andrew White Lock mocha gem to fix the build
New versions of mocha don't allow nil.stubs
e74e479
May 25, 2012
Egor Homakov auto_link final sanitize 3af3385
Aaron Patterson Merge pull request #6485 from homakov/3-0-stable
auto_link sanitize output
f7cf745
May 26, 2012
Egor Homakov do not force sanitize and whitelist protocols for auto_link
sanitize is not always required so we cannot make it. let's just
whitelist protocols
f35c93f
Rafael Mendonça França Merge pull request #6495 from homakov/3-0-stable
auto_link shouldn't always sanitize
5989ffb
Rafael Mendonça França Remove test for not accepted protocols to auto_link 349fce2
May 28, 2012
Aaron Patterson bumping to 3.0.13.rc1 88e7f51
May 30, 2012
Aaron Patterson predicate builder should not recurse for determining where columns.
Thanks to Ben Murphy for reporting this

CVE-2012-2661
99f0309
Aaron Patterson Strip [nil] from parameters hash.
Thanks to Ben Murphy for reporting this!

CVE-2012-2660

Conflicts:

	actionpack/lib/action_dispatch/http/request.rb
c202638
May 31, 2012
Aaron Patterson Merge branch '3-0-stable-sec' into 3-0-rel
* 3-0-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
c8af45e
Aaron Patterson updating CHANGELOGs 86c97e1
Aaron Patterson bumping to 3.0.13 7102fe8
Aaron Patterson Merge branch '3-0-stable-sec' into 3-0-stable
* 3-0-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
33f8e4b
Aaron Patterson Merge branch '3-0-rel' into 3-0-stable
* 3-0-rel:
  bumping to 3.0.13
  updating CHANGELOGs
  bumping to 3.0.13.rc1
b2feff2
Jun 08, 2012
Ernie Miller Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.0.13 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
176af7e
Jun 10, 2012
Aaron Patterson Array parameters should not contain nil values. 2f3bc04
Jun 11, 2012
Toshinori Kajihara Fix GH #3163. Should quote database on mysql/mysql2.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
	activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
	activerecord/test/cases/adapters/mysql2/schema_test.rb
6c0c40b
Aaron Patterson Merge branch '3-0-stable-sec' into 3-0-stable-rel
* 3-0-stable-sec:
  Array parameters should not contain nil values.
  Additional fix for CVE-2012-2661
b9e048c
Aaron Patterson bumping versions in the CHANGELOG 2c95963
Aaron Patterson updating changelogs with security fixes 8cecac7
Aaron Patterson bumping to 3.0.14 3fb762a
Jun 12, 2012
Aaron Patterson updating changelogs 4be9dbf
Aaron Patterson we haven't monkey patched the Result class, so use each a5a0338
Aaron Patterson 3.0.15 def7543
Jul 23, 2012
Aaron Patterson updating changelogs 32b4cbc
Jul 26, 2012
Aaron Patterson * Do not convert digest auth strings to symbols. CVE-2012-3424 b88cc8a
Aaron Patterson updating changelog with CVE fe48ad3
Aaron Patterson updating release date 4a0370b
Aaron Patterson bumping to 3.0.16 3166606
Aug 04, 2012
Andrew White Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
f07c708
Aug 07, 2012
Santiago Pastorino html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
780a718
Rafael Mendonça França Fix tests about single quote escaping 9ef905f
Aug 09, 2012
Santiago Pastorino escape select_tag :prompt values
CVE-2012-3463
c979587
Santiago Pastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
1151959
Santiago Pastorino Add CHANGELOG entries 6eda26a
Santiago Pastorino Bump to 3.0.17 77977f3
Mark Turner Add html_escape note to CHANGELOG cf6bb2a
Santiago Pastorino Merge pull request #7308 from amerine/3-0-stable
Add html_escape note to CHANGELOG
954e262
Aug 28, 2012
Rafael Mendonça França Remove warning when using html_escape with Ruby 1.9.
Closes #7430
f93e3f0
Dec 23, 2012
Aaron Patterson updating changelogs 826548b
Aaron Patterson CVE-2012-5664 options hashes should only be extracted if there are extra parameters
3542641
Aaron Patterson bumping to 3.0.18 fb06fe4
Jan 08, 2013
Aaron Patterson * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
	activerecord/lib/active_record/relation/predicate_builder.rb
97b3b68
Jeremy Kemper CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. a494824
Aaron Patterson bumping version 7909e7f
Prem Sichanugrist Remove test for XML YAML parsing
The support for YAML parsing in XML has been removed from Active Support
since it introduced a security risk. See a494824 for more detail.
f252755
Carlos Antonio da Silva Merge pull request #8836 from sikachu/3-0-stable-fix-ars
Remove test for XML YAML parsing
ca8b0bd
Jan 09, 2013
Zach Moazeni Methods that return nil should not be considered YAML
This is a direct port of @jaw6's pull request
#492. His cleanly applied to Rails
v3.1 and v3.2, and this cleanly applies to v3.0.

With yesterday's security patches
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
there is now an issue with Rails v3.0 serving XML to any of the latest
versions of ActiveResource.

Without this, Rails v3.0 can serve XML to ActiveResource consumers that
will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
477f0e7
Carlos Antonio da Silva Merge pull request #8853 from zmoazeni/3-0-xml-serialization-fix
Methods that return nil should not be considered YAML
583e5fd
Carlos Antonio da Silva Update changelogs with release dates and minor improvements [ci skip] e5f4a39
Jan 10, 2013
Jeremy Kemper Merge pull request #8890 from dylanahsmith/3-0-parse-non-object-json-params

3-0-stable: Fix JSON params parsing regression for non-object JSON content.
9bc2b09
Jan 11, 2013
Dylan Thacker-Smith Fix JSON params parsing regression for non-object JSON content.
Backports #8855.
eede4ab
Jan 12, 2013
Andrew White Remove unnecessary caching of ParameterFilter 4c525b2
Jan 16, 2013
James Mead Fix 3-0-stable to work with Mocha >= v0.13.0
A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

[1]
freerange/mocha@f1ff647#diff-5
commit 0591f6d 1 parent 8b3109a
bf91545
Rafael Mendonça França Merge pull request #8872 from freerange/3-0-stable-with-mocha-fixes
Fix 3-0-stable to work with Mocha >= v0.13.0
d116e90
Jan 26, 2013
Carlos Antonio da Silva Update mocha version to 0.13.0 and change requires 871a7db
Carlos Antonio da Silva Remove not used variable warning ba6b243
Carlos Antonio da Silva Fix indentation to remove warning dd3caf6
Damien Mathieu remove the warning when testing whiny_nil 18bce29
Toshinori Kajihara Fix build. It seems that Mocha's behavior was changed. bb80a87
Carlos Antonio da Silva Update failing tests overriding destroy method instead of using mocha expectation

Mocha by default does not allow adding expectation to frozen objects,
just applying a workaround to ensure the method is never called, making
the tests pass without enabling this again in mocha.
597a700
Carlos Antonio da Silva Remove obsolete rake/rdoctask require
Requiring this now raises a RuntimeError, failing the test.
It also seems that the require is unnecessary to pass the test.
e8ac985
Carlos Antonio da Silva Fix failing test related to escaping include_blank in select_tag
Rails 3.0.x doesn't have the :prompt option in select_tag, it was
introduced in c5d54be that is only
available from 3.1.x on.

The test and related fix were introduced in
c979587 for Rails 3.0.17, as a fix for
a security vulnerability. The code is completely fine but the test was
using the invalid :prompt option for this version, probably because it
was cherry-picked from other branch which has the option.
709fbd3
Jan 28, 2013
Michael Koziarski Add an OkJson backend and remove the YAML backend
Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
5375dce
Aaron Patterson bumping to 3.0.20 b875be0
Jan 29, 2013
Nathan Broadbent Fix #8832 - Parse '{"person":[]}' JSON/XML as {'person' => []}. f20b598
Jan 30, 2013
Renato Neves Fixing encoding to UTF-8 for OkJson backend d46c6aa
Carlos Antonio da Silva Merge pull request #9123 from renatosnrg/3-0-stable
Fixing encoding to UTF-8 for OkJson backend. Closes #9122.
20c3b4b
Aaron Patterson Merge pull request #9111 from jsomara/3-0-json-fix
Fix #8832 - Parse '{"person":[]}' JSON/XML as {'person' => []}.
10513d2
fixed failing JSON decoding in rails 3-0-stable fdc42ad
Feb 07, 2013
Dylan Thacker-Smith active_record: Quote numeric values compared to string columns. 0fc58ca
Dylan Thacker-Smith mysql2 adapter fixed upstream to delegate quoting of BigDecimal. b4be619
Guillermo Iguaran Merge pull request #9210 from dylanahsmith/3-0-mysql-quote-numeric
[3.0] active_record: Quote numeric values compared to string columns.
663c9a6
Feb 08, 2013
Roberto Miranda Fix BigDecimal Typecast on 1.8.7 a316c09
Guillermo Iguaran Merge pull request #9223 from robertomiranda/fix-bigdecimal-typecast
Fix BigDecimal Typecast on 1.8.7
f93d046
Feb 09, 2013
joernchen of Phenoelit Fix issue with attr_protected where malformed input could circumvent
protection

Fixes: CVE-2013-0276

Conflicts:
	activemodel/lib/active_model/attribute_methods.rb
	activerecord/test/cases/mass_assignment_security_test.rb
2dfd512
Feb 10, 2013
Tobias Kraze fix serialization vulnerability 073d5a6
Feb 11, 2013
Aaron Patterson Merge pull request #9126 from mbarb0sa/bugfix/json-decoding-in-rails-3-0-stable

fixed failing JSON decoding in rails 3-0-stable
360af4e
Aaron Patterson Merge branch '3-0-sec' into 3-0-stable
* 3-0-sec:
  fix serialization vulnerability
  Fix issue with attr_protected where malformed input could circumvent protection
182d4e3
Aaron Patterson Revert "Merge pull request #9126 from mbarb0sa/bugfix/json-decoding-in-rails-3-0-stable"

This reverts commit 360af4e, reversing
changes made to f93d046.
f2839f1
Feb 27, 2013
Steve Klabnik Revert "Merge pull request #9210 from dylanahsmith/3-0-mysql-quote-numeric"

This reverts commit 663c9a6, reversing
changes made to 10513d2.
9fdd56c
Mar 15, 2013
Charlie Somerville fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] 0075f36
benmmurphy JDOM XXE Protection [CVE-2013-1856]
Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
fa5bafc
Aaron Patterson fix protocol checking in sanitization [CVE-2013-1857]
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
77403a9
Nov 30, 2013
Aaron Patterson Only use valid mime type symbols as cache keys
CVE-2013-6414

Conflicts:
	actionpack/lib/action_view/lookup_context.rb
5aeb472
Feb 18, 2014
Rafael Mendonça França Use the reference for the mime type to get the format
Before we were calling to_sym in the mime type, even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
857c6ee