Comparing changes
base fork: rails/rails
...
head fork: rails/rails
Commits on Feb 15, 2012
@AntiTyping AntiTyping Bugfix circular reference while saving has_one relationship a97cf75
Commits on Feb 16, 2012
@AntiTyping AntiTyping Test for circular reference while saving has_one relationship 389d1c5
Commits on Feb 25, 2012
@noahhendrix noahhendrix Fixed typo in composed_of example with Money#<=>, was comparing amount itself instead of other_money.amount c4f9264
Commits on Mar 01, 2012
@tenderlove tenderlove Merge branch '3-0-12' into 3-0-stable
* 3-0-12:
  bumping to 3.0.12
  Ensure [] respects the status of the buffer.
  updating RAILS_VERSION
  use AS::SafeBuffer#clone_empty for flushing the output_buffer
  add AS::SafeBuffer#clone_empty
  fix output safety issue with select options
eeb715a
Commits on Mar 02, 2012
@carlosantoniodasilva carlosantoniodasilva Stop SafeBuffer#clone_empty from issuing warnings
Logic in clone_empty method was dealing with old @dirty variable, which
was replaced by @html_safe in this commit:
139963c

This was issuing a "not initialized variable" warning - related to:
#5237

The logic applied by this method is already handled by the [] override,
so there is no need to reset the variable here.
f1c6037
Commits on Mar 07, 2012
@arunagw arunagw fixed test when running with latest 1.8.7-p357 and ree f8f873a
@spastorino spastorino Merge pull request #5319 from arunagw/fix_test_ree
Fix test ree 3-0-stable
61335d6
Commits on Mar 15, 2012
@tenderlove tenderlove Merge pull request #5456 from brianmario/redirect-sanitization
Strip null bytes from Location header
Conflicts:

	actionpack/test/controller/redirect_test.rb
d14319c
@tenderlove tenderlove Merge pull request #5457 from brianmario/typo-fix
Fix typo in redirect test
8645745
Commits on Mar 23, 2012
@carlosantoniodasilva carlosantoniodasilva Add order to tests that rely on db ordering, to fix failing tests on pg
Also skip persistence tests related to UPDATE + ORDER BY for postgresql

PostgreSQL does not support updates with order by, and these tests are
failing randomly depending on the fixture loading order now.

Conflicts:

	activerecord/test/cases/associations/join_model_test.rb
	activerecord/test/cases/associations/nested_through_associations_test.rb
	activerecord/test/cases/clone_test.rb
	activerecord/test/cases/dup_test.rb
	activerecord/test/cases/relations_test.rb
	activerecord/test/cases/yaml_serialization_test.rb
a9fdefd
@carlosantoniodasilva carlosantoniodasilva Fix more failing tests related to ruby 1.8.7 p358 version change f748d36
@josevalim josevalim Merge pull request #5565 from carlosantoniodasilva/fix-build-3-0
Fix build for branch 3-0-stable
728a65d
Commits on Mar 24, 2012
@arunagw arunagw Build fix for form_options_helper_test.rb ruby-1.8.7 00726ea
Commits on Mar 26, 2012
@carlosantoniodasilva carlosantoniodasilva Fix AV::FixtureResolver and rjs tests with random order errors
Due to the hash ordering changes on Ruby 1.8.7-p358.
9698312
Commits on Mar 27, 2012
@tenderlove tenderlove Merge pull request #2621 from icco/master
Issue with schema dump
3627cfa
@josevalim josevalim Merge pull request #5600 from carlosantoniodasilva/fix-build-3-0
Fix build for branch 3-0-stable - failing in ruby 1.8.8-p358
5790269
@miloops miloops Silence warnings here, only setting Encoding.default_external for testing. 923ba31
@miloops miloops Use helper method here. caebe85
@tenderlove tenderlove load the encoding converter to work around [ruby-core:41556] when switching encodings 289fe76
@arunagw arunagw Fix broken encoding test 4c9dec4
@josevalim josevalim Avoid inspecting the whole route set, closes #1525 e0362f7
@tenderlove tenderlove Merge pull request #5613 from carlosantoniodasilva/fix-build-3-0-193
Fix build for branch 3-0-stable - Ruby 1.9.3
29320dc
Commits on Mar 29, 2012
@yahonda yahonda Address an error for test_has_many_through_polymorphic_has_one
with Oracle for the 3-0-stable branch
60272ae
@spastorino spastorino Merge pull request #5655 from yahonda/address_ora_00918_with_oracle_for_3_0

Address an error for test_has_many_through_polymorphic_has_one with Oracle
72dc7ae
@carlosantoniodasilva carlosantoniodasilva Fix failing ARes test due to hash keys ordering d44ffb2
@jeremy jeremy Merge pull request #5659 from carlosantoniodasilva/fix-build-3-0
Fix build for branch 3-0-stable - ARes and ordered hash keys
f47a303
Commits on Apr 30, 2012
@wycats wycats Merge pull request #5044 from dracco/3-0-stable
Backport Bugfix: Stack Overflow (3-0-stable)
51582fe
@pixeltrix pixeltrix Lock mocha gem to fix the build
New versions of mocha don't allow nil.stubs
e74e479
Commits on May 25, 2012
@homakov homakov auto_link final sanitize 3af3385
@tenderlove tenderlove Merge pull request #6485 from homakov/3-0-stable
auto_link sanitize output
f7cf745
Commits on May 26, 2012
@homakov homakov do not force sanitize and whitelist protocols for auto_link
sanitize is not always required so we cannot make it. Let's just
whitelist protocols
f35c93f
@rafaelfranca rafaelfranca Merge pull request #6495 from homakov/3-0-stable
auto_link shouldn't always sanitize
5989ffb
Commits on May 27, 2012
@rafaelfranca rafaelfranca Remove test for not accepted protocols to auto_link 349fce2
Commits on May 28, 2012
@tenderlove tenderlove bumping to 3.0.13.rc1 88e7f51
Commits on May 30, 2012
@tenderlove tenderlove predicate builder should not recurse for determining where columns.
Thanks to Ben Murphy for reporting this

CVE-2012-2661
99f0309
@tenderlove tenderlove Strip [nil] from parameters hash.
Thanks to Ben Murphy for reporting this!

CVE-2012-2660

Conflicts:

	actionpack/lib/action_dispatch/http/request.rb
c202638
Commits on May 31, 2012
@tenderlove tenderlove Merge branch '3-0-stable-sec' into 3-0-rel
* 3-0-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
c8af45e
@tenderlove tenderlove updating CHANGELOGs 86c97e1
@tenderlove tenderlove bumping to 3.0.13 7102fe8
@tenderlove tenderlove Merge branch '3-0-stable-sec' into 3-0-stable
* 3-0-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
33f8e4b
@tenderlove tenderlove Merge branch '3-0-rel' into 3-0-stable
* 3-0-rel:
  bumping to 3.0.13
  updating CHANGELOGs
  bumping to 3.0.13.rc1
b2feff2
Commits on Jun 08, 2012
@ernie ernie Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.0.13 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
176af7e
Commits on Jun 11, 2012
@tenderlove tenderlove Array parameters should not contain nil values. 2f3bc04
@kennyj kennyj Fix GH #3163. Should quote database on mysql/mysql2.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
	activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
	activerecord/test/cases/adapters/mysql2/schema_test.rb
6c0c40b
@tenderlove tenderlove Merge branch '3-0-stable-sec' into 3-0-stable-rel
* 3-0-stable-sec:
  Array parameters should not contain nil values.
  Additional fix for CVE-2012-2661
b9e048c
@tenderlove tenderlove bumping versions in the CHANGELOG 2c95963
@tenderlove tenderlove updating changelogs with security fixes 8cecac7
@tenderlove tenderlove bumping to 3.0.14 3fb762a
Commits on Jun 12, 2012
@tenderlove tenderlove updating changelogs 4be9dbf
Commits on Jun 13, 2012
@tenderlove tenderlove we haven't monkey patched the Result class, so use each a5a0338
@tenderlove tenderlove 3.0.15 def7543
Commits on Jul 23, 2012
@tenderlove tenderlove updating changelogs 32b4cbc
Commits on Jul 26, 2012
@tenderlove tenderlove * Do not convert digest auth strings to symbols. CVE-2012-3424 b88cc8a
@tenderlove tenderlove updating changelog with CVE fe48ad3
@tenderlove tenderlove updating release date 4a0370b
@tenderlove tenderlove bumping to 3.0.16 3166606
Commits on Aug 04, 2012
@pixeltrix pixeltrix Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
f07c708
Commits on Aug 08, 2012
@spastorino spastorino html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
780a718
@rafaelfranca rafaelfranca Fix tests about single quote escaping 9ef905f
Commits on Aug 09, 2012
@spastorino spastorino escape select_tag :prompt values
CVE-2012-3463
c979587
@spastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
1151959
@spastorino spastorino Add CHANGELOG entries 6eda26a
@spastorino spastorino Bump to 3.0.17 77977f3
@amerine amerine Add html_escape note to CHANGELOG cf6bb2a
@spastorino spastorino Merge pull request #7308 from amerine/3-0-stable
Add html_escape note to CHANGELOG
954e262
Commits on Aug 28, 2012
@rafaelfranca rafaelfranca Remove warning when using html_escape with Ruby 1.9.
Closes #7430
f93e3f0
Commits on Dec 23, 2012
@tenderlove tenderlove updating changelogs 826548b
@tenderlove tenderlove CVE-2012-5664 options hashes should only be extracted if there are extra parameters 3542641
@tenderlove tenderlove bumping to 3.0.18 fb06fe4
Commits on Jan 08, 2013
@tenderlove tenderlove * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
	activerecord/lib/active_record/relation/predicate_builder.rb
97b3b68
@jeremy jeremy CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. a494824
@tenderlove tenderlove bumping version 7909e7f
Commits on Jan 09, 2013
@sikachu sikachu Remove test for XML YAML parsing
The support for YAML parsing in XML has been removed from Active Support
since it introduced a security risk. See a494824 for more detail.
f252755
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8836 from sikachu/3-0-stable-fix-ars
Remove test for XML YAML parsing
ca8b0bd
@zmoazeni zmoazeni Methods that return nil should not be considered YAML
This is a direct port of @jaw6's pull request
#492. His cleanly applied to Rails
v3.1 and v3.2, and this cleanly applies to v3.0.

With yesterday's security patches
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
there is now an issue with Rails v3.0 serving XML to any of the latest
versions of ActiveResource.

Without this, Rails v3.0 can serve XML to ActiveResource consumers that
will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
477f0e7
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8853 from zmoazeni/3-0-xml-serialization-fix
Methods that return nil should not be considered YAML
583e5fd
Commits on Jan 10, 2013
@carlosantoniodasilva carlosantoniodasilva Update changelogs with release dates and minor improvements [ci skip] e5f4a39
Commits on Jan 11, 2013
@dylanahsmith dylanahsmith Fix JSON params parsing regression for non-object JSON content.
Backports #8855.
eede4ab
@jeremy jeremy Merge pull request #8890 from dylanahsmith/3-0-parse-non-object-json-params

3-0-stable: Fix JSON params parsing regression for non-object JSON content.
9bc2b09
Commits on Jan 12, 2013
@pixeltrix pixeltrix Remove unnecessary caching of ParameterFilter 4c525b2
Commits on Jan 16, 2013
@floehopper floehopper Fix 3-0-stable to work with Mocha >= v0.13.0
A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

[1] freerange/mocha@f1ff647#diff-5
commit 0591f6d 1 parent 8b3109a
bf91545
@rafaelfranca rafaelfranca Merge pull request #8872 from freerange/3-0-stable-with-mocha-fixes
Fix 3-0-stable to work with Mocha >= v0.13.0
d116e90
Commits on Jan 26, 2013
@carlosantoniodasilva carlosantoniodasilva Update mocha version to 0.13.0 and change requires 871a7db
@carlosantoniodasilva carlosantoniodasilva Remove not used variable warning ba6b243
@carlosantoniodasilva carlosantoniodasilva Fix indentation to remove warning dd3caf6
@dmathieu dmathieu remove the warning when testing whiny_nil 18bce29
@kennyj kennyj Fix build. It seems that Mocha's behavior was changed. bb80a87
@carlosantoniodasilva carlosantoniodasilva Update failing tests overriding destroy method instead of using mocha expectation

Mocha by default does not allow adding expectation to frozen objects,
just applying a workaround to ensure the method is never called, making
the tests pass without enabling this again in mocha.
597a700
@carlosantoniodasilva carlosantoniodasilva Remove obsolete rake/rdoctask require
Requiring this now raises a RuntimeError, failing the test.
It also seems that the require is unnecessary to pass the test.
e8ac985
Commits on Jan 27, 2013
@carlosantoniodasilva carlosantoniodasilva Fix failing test related to escaping include_blank in select_tag
Rails 3.0.x doesn't have the :prompt option in select_tag, it was
introduced in c5d54be that is only
available from 3.1.x on.

The test and related fix were introduced in
c979587 for Rails 3.0.17, as a fix for
a security vulnerability. The code is completely fine but the test was
using the invalid :prompt option for this version, probably because it
was cherry-picked from another branch which has the option.
709fbd3
Commits on Jan 28, 2013
@NZKoz NZKoz Add an OkJson backend and remove the YAML backend
Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
5375dce
@tenderlove tenderlove bumping to 3.0.20 b875be0