Comparing changes
base fork: rails/rails
...
head fork: rails/rails
Commits on Aug 04, 2012
@pixeltrix pixeltrix Backport of fix from #5173 - fixes #7252
Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
datatypes, Active Record migrations use TEXT(n) where n is the limit
specified by the developer. Unfortunately how MySQL interprets n
depends on the column's encoding so any limit above 5592405 will be
interpreted as a LONGTEXT when the encoding is UTF-8.

This commit fixes this by interpreting the limit within the adapter
and using the specific MySQL datatype as appropriate.
f07c708
Commits on Aug 08, 2012
@spastorino spastorino html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Conflicts:
	actionpack/test/controller/new_base/render_template_test.rb
	actionpack/test/template/asset_tag_helper_test.rb
	actionpack/test/template/erb_util_test.rb
	actionpack/test/template/javascript_helper_test.rb
	actionpack/test/template/template_test.rb
	activesupport/lib/active_support/core_ext/string/output_safety.rb
	activesupport/test/core_ext/string_ext_test.rb
	railties/test/application/assets_test.rb
780a718
@rafaelfranca rafaelfranca Fix tests about single quote escaping 9ef905f
Commits on Aug 09, 2012
@spastorino spastorino escape select_tag :prompt values
CVE-2012-3463
c979587
@spastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
1151959
@spastorino spastorino Add CHANGELOG entries 6eda26a
@spastorino spastorino Bump to 3.0.17 77977f3
@amerine amerine Add html_escape note to CHANGELOG cf6bb2a
@spastorino spastorino Merge pull request #7308 from amerine/3-0-stable
Add html_escape note to CHANGELOG
954e262
Commits on Aug 28, 2012
@rafaelfranca rafaelfranca Remove warning when using html_escape with Ruby 1.9.
Closes #7430
f93e3f0
Commits on Dec 23, 2012
@tenderlove tenderlove updating changelogs 826548b
@tenderlove tenderlove CVE-2012-5664 options hashes should only be extracted if there are extra parameters
3542641
@tenderlove tenderlove bumping to 3.0.18 fb06fe4
Commits on Jan 08, 2013
@tenderlove tenderlove * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
	activerecord/lib/active_record/relation/predicate_builder.rb
97b3b68
@jeremy jeremy CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. a494824
@tenderlove tenderlove bumping version 7909e7f
Commits on Jan 09, 2013
@sikachu sikachu Remove test for XML YAML parsing
The support for YAML parsing in XML has been removed from Active Support
since it introduced a security risk. See a494824 for more detail.
f252755
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8836 from sikachu/3-0-stable-fix-ars
Remove test for XML YAML parsing
ca8b0bd
@zmoazeni zmoazeni Methods that return nil should not be considered YAML
This is a direct port of @jaw6's pull request
#492. His cleanly applied to Rails
v3.1 and v3.2, and this cleanly applies to v3.0.

With yesterday's security patches
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
there is now an issue with Rails v3.0 serving XML to any of the latest
versions of ActiveResource.

Without this, Rails v3.0 can serve XML to ActiveResource consumers that
will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
477f0e7
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8853 from zmoazeni/3-0-xml-serialization-fix
Methods that return nil should not be considered YAML
583e5fd
Commits on Jan 10, 2013
@carlosantoniodasilva carlosantoniodasilva Update changelogs with release dates and minor improvements [ci skip] e5f4a39
Commits on Jan 11, 2013
@dylanahsmith dylanahsmith Fix JSON params parsing regression for non-object JSON content.
Backports #8855.
eede4ab
@jeremy jeremy Merge pull request #8890 from dylanahsmith/3-0-parse-non-object-json-params

3-0-stable: Fix JSON params parsing regression for non-object JSON content.
9bc2b09
Commits on Jan 12, 2013
@pixeltrix pixeltrix Remove unnecessary caching of ParameterFilter 4c525b2
Commits on Jan 16, 2013
@floehopper floehopper Fix 3-0-stable to work with Mocha >= v0.13.0
A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

[1] freerange/mocha@f1ff647#diff-5
commit 0591f6d 1 parent 8b3109a
bf91545
@rafaelfranca rafaelfranca Merge pull request #8872 from freerange/3-0-stable-with-mocha-fixes
Fix 3-0-stable to work with Mocha >= v0.13.0
d116e90
Commits on Jan 26, 2013
@carlosantoniodasilva carlosantoniodasilva Update mocha version to 0.13.0 and change requires 871a7db
@carlosantoniodasilva carlosantoniodasilva Remove not used variable warning ba6b243
@carlosantoniodasilva carlosantoniodasilva Fix indentation to remove warning dd3caf6
@dmathieu dmathieu remove the warning when testing whiny_nil 18bce29
@kennyj kennyj Fix build. It seems that Mocha's behavior was changed. bb80a87
@carlosantoniodasilva carlosantoniodasilva Update failing tests overriding destroy method instead of using mocha expectation

Mocha by default does not allow adding expectation to frozen objects,
just applying a workaround to ensure the method is never called, making
the tests pass without enabling this again in mocha.
597a700
@carlosantoniodasilva carlosantoniodasilva Remove obsolete rake/rdoctask require
Requiring this now raises a RuntimeError, failing the test.
It also seems that the require is unnecessary to pass the test.
e8ac985
Commits on Jan 27, 2013
@carlosantoniodasilva carlosantoniodasilva Fix failing test related to escaping include_blank in select_tag
Rails 3.0.x doesn't have the :prompt option in select_tag, it was
introduced in c5d54be that is only
available from 3.1.x on.

The test and related fix were introduced in
c979587 for Rails 3.0.17, as a fix for
a security vulnerability. The code is completely fine but the test was
using the invalid :prompt option for this version, probably because it
was cherry-picked from other branch which has the option.
709fbd3
Commits on Jan 28, 2013
@NZKoz NZKoz Add an OkJson backend and remove the YAML backend
Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
5375dce
@tenderlove tenderlove bumping to 3.0.20 b875be0
Commits on Jan 29, 2013
@ndbroadbent ndbroadbent Fix #8832 - Parse '{"person":[]}' JSON/XML as {'person' => []}. f20b598
Commits on Jan 30, 2013
@renatosnrg renatosnrg Fixing encoding to UTF-8 for OkJson backend d46c6aa
@carlosantoniodasilva carlosantoniodasilva Merge pull request #9123 from renatosnrg/3-0-stable
Fixing encoding to UTF-8 for OkJson backend. Closes #9122.
20c3b4b
@tenderlove tenderlove Merge pull request #9111 from jsomara/3-0-json-fix
Fix #8832 - Parse '{"person":[]}' JSON/XML as {'person' => []}.
10513d2
Michel Barbosa fixed failing JSON decoding in rails 3-0-stable fdc42ad
Commits on Feb 07, 2013
@dylanahsmith dylanahsmith active_record: Quote numeric values compared to string columns. 0fc58ca
@dylanahsmith dylanahsmith mysql2 adapter fixed upstream to delegate quoting of BigDecimal. b4be619
Commits on Feb 08, 2013
@guilleiguaran guilleiguaran Merge pull request #9210 from dylanahsmith/3-0-mysql-quote-numeric
[3.0] active_record: Quote numeric values compared to string columns.
663c9a6
@robertomiranda robertomiranda Fix BigDecimal Typecast on 1.8.7 a316c09
@guilleiguaran guilleiguaran Merge pull request #9223 from robertomiranda/fix-bigdecimal-typecast
Fix BigDecimal Typecast on 1.8.7
f93d046
Commits on Feb 09, 2013
@joernchen joernchen Fix issue with attr_protected where malformed input could circumvent
protection

Fixes: CVE-2013-0276

Conflicts:
	activemodel/lib/active_model/attribute_methods.rb
	activerecord/test/cases/mass_assignment_security_test.rb
2dfd512
Commits on Feb 11, 2013
@kratob kratob fix serialization vulnerability 073d5a6
@tenderlove tenderlove Merge pull request #9126 from mbarb0sa/bugfix/json-decoding-in-rails-3-0-stable

fixed failing JSON decoding in rails 3-0-stable
360af4e
@tenderlove tenderlove Merge branch '3-0-sec' into 3-0-stable
* 3-0-sec:
  fix serialization vulnerability
  Fix issue with attr_protected where malformed input could circumvent protection
182d4e3
@tenderlove tenderlove Revert "Merge pull request #9126 from mbarb0sa/bugfix/json-decoding-in-rails-3-0-stable"

This reverts commit 360af4e, reversing
changes made to f93d046.
f2839f1
Commits on Feb 27, 2013
@steveklabnik steveklabnik Revert "Merge pull request #9210 from dylanahsmith/3-0-mysql-quote-numeric"

This reverts commit 663c9a6, reversing
changes made to 10513d2.
9fdd56c
Commits on Mar 16, 2013
@charliesome charliesome fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] 0075f36
@benmmurphy benmmurphy JDOM XXE Protection [CVE-2013-1856]
Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
fa5bafc
@tenderlove tenderlove fix protocol checking in sanitization [CVE-2013-1857]
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
77403a9
Commits on Dec 01, 2013
@tenderlove tenderlove Only use valid mime type symbols as cache keys
CVE-2013-6414

Conflicts:
	actionpack/lib/action_view/lookup_context.rb
5aeb472
Commits on Feb 18, 2014
@rafaelfranca rafaelfranca Use the reference for the mime type to get the format
Before, we were calling to_sym on the mime type even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082
857c6ee