  • 30 commits
  • 42 files changed
  • 6 comments
  • 7 contributors
May 31, 2012
Aaron Patterson tenderlove Merge branch '3-0-stable-sec' into 3-0-stable
* 3-0-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
33f8e4b
Aaron Patterson tenderlove Merge branch '3-0-rel' into 3-0-stable
* 3-0-rel:
  bumping to 3.0.13
  updating CHANGELOGs
  bumping to 3.0.13.rc1
b2feff2
Jun 08, 2012
Ernie Miller ernie Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.0.13 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
176af7e
Jun 10, 2012
Aaron Patterson tenderlove Array parameters should not contain nil values. 2f3bc04
Jun 11, 2012
Toshinori Kajihara kennyj Fix GH #3163. Should quote database on mysql/mysql2.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
	activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
	activerecord/test/cases/adapters/mysql2/schema_test.rb
6c0c40b
Aaron Patterson tenderlove Merge branch '3-0-stable-sec' into 3-0-stable-rel
* 3-0-stable-sec:
  Array parameters should not contain nil values.
  Additional fix for CVE-2012-2661
b9e048c
Aaron Patterson tenderlove bumping versions in the CHANGELOG 2c95963
Aaron Patterson tenderlove updating changelogs with security fixes 8cecac7
Aaron Patterson tenderlove bumping to 3.0.14 3fb762a
Jun 12, 2012
Aaron Patterson tenderlove updating changelogs 4be9dbf
Aaron Patterson tenderlove we haven't monkey patched the Result class, so use each a5a0338
Aaron Patterson tenderlove 3.0.15 def7543
Jul 23, 2012
Aaron Patterson tenderlove updating changelogs 32b4cbc
Jul 26, 2012
Aaron Patterson tenderlove * Do not convert digest auth strings to symbols. CVE-2012-3424 b88cc8a
Aaron Patterson tenderlove updating changelog with CVE fe48ad3
Aaron Patterson tenderlove updating release date 4a0370b
Aaron Patterson tenderlove bumping to 3.0.16 3166606
Aug 04, 2012
Andrew White pixeltrix Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
f07c708
Aug 07, 2012
Santiago Pastorino spastorino html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
780a718
Rafael Mendonça França rafaelfranca Fix tests about single quote escaping 9ef905f
Aug 09, 2012
Santiago Pastorino spastorino escape select_tag :prompt values
CVE-2012-3463
c979587
Santiago Pastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
1151959
Santiago Pastorino spastorino Add CHANGELOG entries 6eda26a
Santiago Pastorino spastorino Bump to 3.0.17 77977f3
Mark Turner amerine Add html_escape note to CHANGELOG cf6bb2a
Santiago Pastorino spastorino Merge pull request #7308 from amerine/3-0-stable
Add html_escape note to CHANGELOG
954e262
Aug 28, 2012
Rafael Mendonça França rafaelfranca Remove warning when using html_escape with Ruby 1.9.
Closes #7430
f93e3f0
Dec 23, 2012
Aaron Patterson tenderlove updating changelogs 826548b
Aaron Patterson tenderlove CVE-2012-5664 options hashes should only be extracted if there are extra parameters
3542641
Aaron Patterson tenderlove bumping to 3.0.18 fb06fe4