Comparing changes: rails/rails (base fork rails/rails, head fork rails/rails)
Commits on May 31, 2012
@tenderlove tenderlove Merge branch '3-0-stable-sec' into 3-0-stable
* 3-0-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
@tenderlove tenderlove Merge branch '3-0-rel' into 3-0-stable
* 3-0-rel:
  bumping to 3.0.13
  updating CHANGELOGs
  bumping to 3.0.13.rc1
Commits on Jun 08, 2012
@ernie ernie Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.0.13 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
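The table-context problem the commit describes, as an added example written for this page rather than code taken from Rails: a string-rendering stand-in for PredicateBuilder's build_from_hash. The module, method and table names below are the example's own, conditions are rendered as text instead of Arel nodes, and the attacker input is constructed. The first builder models the 3.0.13 state as the message describes it (a dotted `table.column` key is refused, but a nested hash recurses with the key as the new table); the second honours table selection only at the top level and refuses a hash that arrives where a value is expected.

```ruby
# Added example (not Rails code): a string-rendering stand-in for
# PredicateBuilder.build_from_hash. Table/column names, the module name and
# the attacker input are all constructed for the example.
module PredicateBuilderExample
  module_function

  def quote(value)
    case value
    when nil     then 'NULL'
    when Integer then value.to_s
    when Array   then value.map { |v| quote(v) }.join(', ')
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  def condition(table, column, value)
    op = value.is_a?(Array) ? "IN (#{quote(value)})" : "= #{quote(value)}"
    "#{table}.#{column} #{op}"
  end

  # Models the 3.0.13 state the commit message describes: a dotted
  # "table.column" key is refused, but a Hash value recurses with the key as
  # the table for the next call, so nesting still moves the condition to
  # another table.
  def build_from_hash_3_0_13(attributes, default_table)
    attributes.flat_map do |column, value|
      column = column.to_s
      raise ArgumentError, "table-qualified column not allowed: #{column}" if column.include?('.')

      if value.is_a?(Hash)
        build_from_hash_3_0_13(value, column) # key becomes the table context
      else
        condition(default_table, column, value)
      end
    end
  end

  # Hardened form: a nested hash or a dotted key may choose a table only at
  # the top level, where the application itself wrote the hash. The recursive
  # call passes allow_table_name = false, so a Hash arriving as a value (for
  # example straight from a request parameter) is rejected instead of
  # silently re-targeting the condition.
  def build_from_hash(attributes, default_table, allow_table_name = true)
    attributes.flat_map do |column, value|
      column = column.to_s
      table  = default_table

      if allow_table_name && value.is_a?(Hash)
        build_from_hash(value, column, false)
      else
        if column.include?('.')
          raise ArgumentError, "table-qualified column not allowed: #{column}" unless allow_table_name
          table, column = column.split('.', 2)
        end
        raise ArgumentError, "nested hash not allowed for #{table}.#{column}" if value.is_a?(Hash)
        condition(table, column, value)
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input: the app called where(:id => params[:id]) and
  # params[:id] arrived as a nested hash rather than a scalar.
  attacker = { 'id' => { 'users' => { 'role' => 'admin' } } }
  p PredicateBuilderExample.build_from_hash_3_0_13(attacker, 'posts')
  begin
    PredicateBuilderExample.build_from_hash(attacker, 'posts')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run as a script it prints the condition the unpatched shape produces against the `users` table for a query the application aimed at `posts`, then the rejection from the hardened builder. The legitimate top-level forms (`where('users' => { 'id' => 1 })`, `where('users.id' => 1)`, an array value becoming `IN`) still render.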
Commits on Jun 11, 2012
@tenderlove tenderlove Array parameters should not contain nil values. 2f3bc04
@kennyj kennyj Fix GH #3163. Should quote database on mysql/mysql2.
@tenderlove tenderlove Merge branch '3-0-stable-sec' into 3-0-stable-rel
* 3-0-stable-sec:
  Array parameters should not contain nil values.
  Additional fix for CVE-2012-2661
@tenderlove tenderlove bumping versions in the CHANGELOG 2c95963
@tenderlove tenderlove updating changelogs with security fixes 8cecac7
@tenderlove tenderlove bumping to 3.0.14 3fb762a
Commits on Jun 12, 2012
@tenderlove tenderlove updating changelogs 4be9dbf
Commits on Jun 13, 2012
@tenderlove tenderlove we haven't monkey patched the Result class, so use each a5a0338
@tenderlove tenderlove 3.0.15 def7543
Commits on Jul 23, 2012
@tenderlove tenderlove updating changelogs 32b4cbc
Commits on Jul 26, 2012
@tenderlove tenderlove * Do not convert digest auth strings to symbols. CVE-2012-3424 b88cc8a
@tenderlove tenderlove updating changelog with CVE fe48ad3
@tenderlove tenderlove updating release date 4a0370b
@tenderlove tenderlove bumping to 3.0.16 3166606
Commits on Aug 04, 2012
@pixeltrix pixeltrix Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
Commits on Aug 08, 2012
@spastorino spastorino html_escape should escape single quotes
Closes #7215

@rafaelfranca rafaelfranca Fix tests about single quote escaping 9ef905f
Commits on Aug 09, 2012
@spastorino spastorino escape select_tag :prompt values
@spastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba
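The two output-escaping points in these commits (html_escape must also escape the single quote, and the result of strip_tags must not be marked html_safe), as an added example that is not Rails code: a minimal html_safe marker, an html_escape that covers `'`, and a deliberately naive denylist tag stripper standing in for strip_tags to show why its output has to stay unmarked. EscapingExample, SafeString, render and link_with_title are names invented here; the `&#39;` entity is this example's choice.

```ruby
# Added example (not Rails code): a minimal html_safe marker, an html_escape
# that also escapes the single quote, and a deliberately naive tag stripper
# standing in for strip_tags. Module and method names are invented here.
module EscapingExample
  # Stand-in for the "marked safe" string: output code trusts it as markup.
  class SafeString < String
    def html_safe?
      true
    end
  end

  # The single quote is escaped numerically (&apos; is not an HTML 4 entity);
  # the exact entity is this example's choice.
  HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;' }.freeze

  module_function

  def html_escape(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    SafeString.new(value.to_s.gsub(/[&<>"']/, HTML_ESCAPE))
  end

  # Naive denylist stripper: removes a few dangerous tags in a single pass.
  # Its output is returned as a plain String on purpose: as the usage shows,
  # stripping can assemble a tag that was not there before, so the result
  # must be escaped (or sanitized again) on output rather than trusted.
  def strip_tags(value)
    value.to_s.gsub(%r{</?(?:script|style|iframe)\b[^>]*>}i, '')
  end

  # Template output: only a value flagged html_safe? is emitted verbatim.
  def render(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    (safe ? value : html_escape(value)).to_s
  end

  # A helper that uses single-quoted attributes, where an unescaped ' breaks
  # out of the attribute value.
  def link_with_title(title, href)
    "<a href='#{render(href)}' title='#{render(title)}'>link</a>"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs.
  puts EscapingExample.link_with_title("' onmouseover='alert(1)", '/x')
  nested = '<scr<script>ipt>alert(1)</scr</script>ipt>'
  puts EscapingExample.strip_tags(nested)
  puts EscapingExample.render(EscapingExample.strip_tags(nested))
end
```

The nested-tag input is the reason strip_tags output is not marked safe: one pass of stripping turns it into a literal `<script>` element, and only the escaping step on output neutralises it.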

@spastorino spastorino Add CHANGELOG entries 6eda26a
@spastorino spastorino Bump to 3.0.17 77977f3
@amerine amerine Add html_escape note to CHANGELOG cf6bb2a
@spastorino spastorino Merge pull request #7308 from amerine/3-0-stable
Add html_escape note to CHANGELOG
Commits on Aug 28, 2012
@rafaelfranca rafaelfranca Remove warning when using html_escape with Ruby 1.9.
Closes #7430
Commits on Dec 23, 2012
@tenderlove tenderlove updating changelogs 826548b
@tenderlove tenderlove CVE-2012-5664 options hashes should only be extracted if there are extra parameters
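What "only extracted if there are extra parameters" means in practice, as an added example and not the Rails implementation: a stand-in for how a dynamic finder such as find_by_name splits its arguments into attribute values and an options hash, rendered to a SQL string. It assumes request parameters arrive with string keys, as a params hash does; DynamicFinderExample, split_args and to_sql are invented here, and users, name and password_digest are constructed names.

```ruby
# Added example (not Rails code): how a dynamic finder such as find_by_name
# splits its arguments into attribute values and an options hash, rendered to
# a SQL string. Assumes the request parameters arrive with string keys.
# DynamicFinderExample, split_args and to_sql are invented here;
# users/name/password_digest are constructed names.
module DynamicFinderExample
  module_function

  # 3.0.x shape, as the commit title describes it: a trailing Hash was always
  # taken as the options hash, even when the finder received exactly one
  # argument per attribute. find_by_name(params[:name]) with a Hash parameter
  # therefore loses its attribute value and gains attacker-chosen options.
  def split_args_unpatched(attribute_names, args)
    args = args.dup
    options = args.last.is_a?(Hash) ? args.pop : {}
    [attribute_names.zip(args).to_h, options]
  end

  # Patched rule: a trailing Hash is an options hash only when there are more
  # arguments than attribute names; otherwise it stays an attribute value and
  # is handled (here: rejected) as such.
  def split_args(attribute_names, args)
    args = args.dup
    options = {}
    options = args.pop if args.size > attribute_names.size && args.last.is_a?(Hash)
    [attribute_names.zip(args).to_h, options]
  end

  # Renders what the finder would execute. The select and conditions options
  # are interpolated as written, which is why letting a parameter become the
  # options hash is a SQL injection.
  def to_sql(table, conditions, options)
    where = conditions.map do |column, value|
      raise ArgumentError, "#{column}: attribute value must be a scalar" if value.is_a?(Hash)
      value.nil? ? "#{column} IS NULL" : "#{column} = #{quote(value)}"
    end.join(' AND ')
    sql = "SELECT #{options['select'] || '*'} FROM #{table} WHERE #{where}"
    sql += " AND (#{options['conditions']})" if options['conditions']
    sql += " LIMIT #{Integer(options['limit'].to_s, 10)}" if options['limit']
    sql
  end

  def quote(value)
    value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker parameter: params[:name] arrived as a Hash.
  attacker = { 'select' => 'password_digest', 'conditions' => '1=1' }
  cond, opts = DynamicFinderExample.split_args_unpatched(['name'], [attacker])
  puts DynamicFinderExample.to_sql('users', cond, opts)
  cond, opts = DynamicFinderExample.split_args(['name'], [attacker])
  begin
    DynamicFinderExample.to_sql('users', cond, opts)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

With the unpatched split the single Hash argument becomes the options hash and the attribute value is left nil, so the rendered query selects an attacker-chosen column with an attacker-chosen condition; with the count check the Hash stays the attribute value and never reaches the options path.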
@tenderlove tenderlove bumping to 3.0.18 fb06fe4
Commits on Jan 08, 2013
@tenderlove tenderlove * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
* dealing with empty hashes. Thanks Damien Mathieu

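The parameter-cleaning step behind this commit and the earlier "Strip [nil] from parameters hash" / "Array parameters should not contain nil values" fixes, as an added example that is not Rails code. munge_params, params_from_json and reset_token_clause are names invented here; wrapping a non-object JSON body (the case the Jan 11 regression fix concerns) under a "_json" key is an assumption about convention, the point being that the parser always hands back a Hash.

```ruby
require 'json'

# Added example (not Rails code): the parameter-cleaning step as a standalone
# module. munge_params, params_from_json and reset_token_clause are names
# invented here; the "_json" wrapping key is an assumption about convention.
module ParamCleaningExample
  module_function

  # Return a cleaned copy: nil entries are dropped from arrays at any depth,
  # and an array left empty (so [nil] included) becomes nil, so that the
  # application sees "no value" rather than a list that matches NULL rows.
  def munge_params(value)
    case value
    when Hash
      value.each_with_object({}) { |(k, v), h| h[k] = munge_params(v) }
    when Array
      cleaned = value.map { |v| munge_params(v) }.compact
      cleaned.empty? ? nil : cleaned
    else
      value
    end
  end

  # What a JSON request body turns into before the controller sees it.
  def params_from_json(body)
    data = JSON.parse(body)
    data = { '_json' => data } unless data.is_a?(Hash)
    munge_params(data)
  end

  # The query the attack aims at: a lookup built from a user-supplied token.
  # Given the raw value [nil] it renders "reset_token IN (NULL)"; after
  # cleaning the caller receives nil (or, for {}, a Hash) and refuses to
  # query at all instead of matching rows whose token is NULL.
  def reset_token_clause(token)
    case token
    when nil   then raise ArgumentError, 'missing reset token'
    when Hash  then raise ArgumentError, 'reset token must be a scalar'
    when Array then "reset_token IN (#{token.map { |t| sql_quote(t) }.join(', ')})"
    else "reset_token = #{sql_quote(token)}"
    end
  end

  def sql_quote(value)
    value.nil? ? 'NULL' : "'#{value.to_s.gsub("'", "''")}'"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: a JSON post carrying [null] where a token string
  # was expected.
  body = '{"token": [null]}'
  puts ParamCleaningExample.reset_token_clause(JSON.parse(body)['token'])
  begin
    ParamCleaningExample.reset_token_clause(ParamCleaningExample.params_from_json(body)['token'])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same cleaning applies to XML-derived params; only the parsing call differs. Note that the empty-array-to-nil rule is a deliberate choice here: it makes `[]` and `[nil]` indistinguishable from an absent parameter, which is the safe default for lookups but something an application that legitimately posts empty lists has to account for.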
@jeremy jeremy CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. a494824
@tenderlove tenderlove bumping version 7909e7f
Commits on Jan 09, 2013
@sikachu sikachu Remove test for XML YAML parsing
The support for YAML parsing in XML has been removed from Active Support
since it introduced a security risk. See a494824 for more detail.
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8836 from sikachu/3-0-stable-fix-ars
Remove test for XML YAML parsing
@zmoazeni zmoazeni Methods that return nil should not be considered YAML
This is a direct port of @jaw6's pull request
#492. His applied cleanly to Rails
v3.1 and v3.2, and this one applies cleanly to v3.0.

With yesterday's security patches
there is now an issue with Rails v3.0 serving XML to any of the latest
versions of ActiveResource.

Without this, Rails v3.0 can serve XML to ActiveResource consumers that
will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
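Both sides of the XML change, the a494824 parser commit above ("doesn't allow symbols or yaml") and the serializer issue this port fixes (a nil value must not go out as a yaml-typed element), as one added example that is not Rails code. It assumes REXML only as the tree parser; the allowlist and the nil="true" rule are the point. SafeXmlParamsExample, its methods, the element names and the sample documents are all invented here.

```ruby
require 'rexml/document'
require 'time'

# Added example (not Rails code): the allowlist behind "doesn't allow symbols
# or yaml", as a small XML-to-params converter, plus the serializer-side rule
# that nil is written as nil="true" and never as a yaml-typed value. Module,
# method and element names are invented here.
module SafeXmlParamsExample
  class DisallowedType < StandardError; end

  # Only these `type` attribute values are converted. Anything else
  # (symbol, yaml, ...) is refused before a value is ever constructed, which
  # is the property that matters: no attacker-chosen type reaches a loader.
  TYPECASTERS = {
    'integer'  => ->(s) { Integer(s, 10) },
    'float'    => ->(s) { Float(s) },
    'boolean'  => ->(s) { %w[true 1].include?(s.strip) },
    'string'   => ->(s) { s },
    'datetime' => ->(s) { Time.iso8601(s) }
  }.freeze

  module_function

  def params_from_xml(xml)
    root = REXML::Document.new(xml).root
    raise ArgumentError, 'empty document' unless root
    { root.name => node_to_value(root) }
  end

  def node_to_value(el)
    return nil if el.attributes['nil'] == 'true'
    children = el.elements.to_a
    if el.attributes['type'] == 'array'
      children.map { |c| node_to_value(c) }
    elsif children.empty?
      typecast(el.text.to_s, el.attributes['type'])
    else
      children.each_with_object({}) { |c, h| h[c.name] = node_to_value(c) }
    end
  end

  def typecast(text, type)
    return text if type.nil?
    caster = TYPECASTERS[type]
    raise DisallowedType, "Disallowed type attribute: #{type.inspect}" unless caster
    caster.call(text)
  end

  # Serializer counterpart for an ActiveResource-style consumer: a nil value
  # gets nil="true", so the parser above accepts it without a type attribute.
  def value_to_xml(name, value)
    case value
    when nil         then %(<#{name} nil="true"/>)
    when Hash        then "<#{name}>#{value.map { |k, v| value_to_xml(k, v) }.join}</#{name}>"
    when Integer     then %(<#{name} type="integer">#{value}</#{name}>)
    when true, false then %(<#{name} type="boolean">#{value}</#{name}>)
    else %(<#{name}>#{xml_escape(value.to_s)}</#{name}>)
    end
  end

  def xml_escape(text)
    text.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed documents: one benign, one carrying a yaml-typed element.
  puts SafeXmlParamsExample.params_from_xml('<user><id type="integer">7</id><note nil="true"/></user>').inspect
  begin
    SafeXmlParamsExample.params_from_xml('<user><data type="yaml">--- !ruby/object:Foo {}</data></user>')
  rescue SafeXmlParamsExample::DisallowedType => e
    puts "rejected: #{e.message}"
  end
  puts SafeXmlParamsExample.value_to_xml('user', { 'name' => 'Ben', 'note' => nil })
end
```

The round trip in the test is the compatibility point from this commit: a producer that emits nil="true" is accepted by a consumer running the allowlisted parser, while a producer that emitted type="yaml" for the same nil would be refused. Entity-expansion limits for the XML parser itself are a separate concern and not covered here.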
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8853 from zmoazeni/3-0-xml-serialization-fix
Methods that return nil should not be considered YAML
Commits on Jan 10, 2013
@carlosantoniodasilva carlosantoniodasilva Update changelogs with release dates and minor improvements [ci skip] e5f4a39
Commits on Jan 11, 2013
@dylanahsmith dylanahsmith Fix JSON params parsing regression for non-object JSON content.
Backports #8855.
@jeremy jeremy Merge pull request #8890 from dylanahsmith/3-0-parse-non-object-json-…

3-0-stable: Fix JSON params parsing regression for non-object JSON content.
Commits on Jan 12, 2013
@pixeltrix pixeltrix Remove unnecessary caching of ParameterFilter 4c525b2
Commits on Jan 16, 2013
@floehopper floehopper Fix 3-0-stable to work with Mocha >= v0.13.0
A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

commit 0591f6d 1 parent 8b3109a
@rafaelfranca rafaelfranca Merge pull request #8872 from freerange/3-0-stable-with-mocha-fixes
Fix 3-0-stable to work with Mocha >= v0.13.0
Commits on Jan 26, 2013
@carlosantoniodasilva carlosantoniodasilva Update mocha version to 0.13.0 and change requires 871a7db
@carlosantoniodasilva carlosantoniodasilva Remove not used variable warning ba6b243
@carlosantoniodasilva carlosantoniodasilva Fix indentation to remove warning dd3caf6
@dmathieu dmathieu remove the warning when testing whiny_nil 18bce29
@kennyj kennyj Fix build. It seems that Mocha's behavior was changed. bb80a87
@carlosantoniodasilva carlosantoniodasilva Update failing tests overriding destroy method instead of using mocha expectation

Mocha by default does not allow adding expectations to frozen objects, so
this just applies a workaround to ensure the method is never called, making
the tests pass without enabling this again in mocha.
@carlosantoniodasilva carlosantoniodasilva Remove obsolete rake/rdoctask require
Requiring this now raises a RuntimeError, failing the test.
It also seems that the require is unnecessary to pass the test.
Commits on Jan 27, 2013
@carlosantoniodasilva carlosantoniodasilva Fix failing test related to escaping include_blank in select_tag
Rails 3.0.x doesn't have the :prompt option in select_tag, it was
introduced in c5d54be that is only
available from 3.1.x on.

The test and related fix were introduced in
c979587 for Rails 3.0.17, as a fix for
a security vulnerability. The code is completely fine but the test was
using the invalid :prompt option for this version, probably because it
was cherry-picked from other branch which has the option.
Commits on Jan 28, 2013
@NZKoz NZKoz Add an OkJson backend and remove the YAML backend
Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
@tenderlove tenderlove bumping to 3.0.20 b875be0