Comparing changes

base fork: rails/rails
...
head fork: rails/rails
Commits on May 29, 2012
@floehopper floehopper Exceptions like Interrupt should not be rescued in tests.
This is a back-port of rails/rails#6525. See the commit notes there for
details.
4cd3285
@rafaelfranca rafaelfranca Merge pull request #6532 from freerange/3-1-stable-minitest-passthrough-exceptions

Exceptions like Interrupt should not be rescued in tests.
2f42815
Commits on May 31, 2012
@tenderlove tenderlove Merge branch '3-1-stable-sec' into 3-1-stable
* 3-1-stable-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
aa6e56b
@tenderlove tenderlove Merge branch '3-1-rel' into 3-1-stable
* 3-1-rel:
  bumping to 3.1.5
  updating the CHANGELOG
  bumping to 3.1.5.rc1
a1a71ab
Commits on Jun 08, 2012
@ernie ernie Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.1.5 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
8355abf
Commits on Jun 11, 2012
@tenderlove tenderlove Array parameters should not contain nil values. f4174ad
@kennyj kennyj Fix GH #3163. Should quote database on mysql/mysql2.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb

Conflicts:

	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
023eaf8
@kennyj kennyj Change the string to use in test case.
Conflicts:

	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
	activerecord/test/cases/adapters/mysql2/schema_test.rb
8e6ed58
@rafaelfranca rafaelfranca Mysql and Mysql2 adapters accept only two arguments in the tables 3e2c00a
@tenderlove tenderlove Merge branch '3-1-stable-sec' into 3-1-stable-rel
* 3-1-stable-sec:
  Array parameters should not contain nil values.
  Additional fix for CVE-2012-2661
64e30e8
@tenderlove tenderlove adding version number to changelogs 75d039f
@tenderlove tenderlove updating changelogs with security fixes bee42f3
@tenderlove tenderlove bumping version numbers 4e7d571
Commits on Jun 12, 2012
@tenderlove tenderlove updating changelogs 63dce16
Commits on Jun 14, 2012
@fxn fxn removes item in the Active Record CHANGELOG
That change to update_attribute was considered
to be too subtle and was reverted in 30ea923
just before Rails 3 shipped. Later we introduced
update_column (Rails 3.1).
666a48a
@tenderlove tenderlove adding a test for #6459 28e744d
Commits on Jul 23, 2012
@tenderlove tenderlove updating changelog a4b8a7e
Commits on Jul 26, 2012
@tenderlove tenderlove * Do not convert digest auth strings to symbols. CVE-2012-3424 eb69ad2
@tenderlove tenderlove updating changelog with CVE 140a70a
@tenderlove tenderlove updating rails release date 6cf68d7
@tenderlove tenderlove bumping to 3.1.7 d314a48
Commits on Aug 07, 2012
@spastorino spastorino html_escape should escape single quotes d0c9759
Commits on Aug 09, 2012
@spastorino spastorino escape select_tag :prompt values
CVE-2012-3463
b6a0a11
@spastorino spastorino Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
63e67ea
@spastorino spastorino Add CHANGELOG entries e8d78e7
@spastorino spastorino Bump to 3.1.8 38bf9cf
Commits on Aug 15, 2012
@carlosantoniodasilva carlosantoniodasilva Add html_escape note to CHANGELOG
This was added to all other branches, but 3-1 missed the entry.

3-0-stable: 954e262
3-2-stable: ae2383d
master: 5c07be5
8181b72
@rafaelfranca rafaelfranca Remove warning when using html_escape with Ruby 1.9.
Closes #7323
4f12e3a
Commits on Aug 17, 2012
@jonleighton jonleighton Use benchmark/ips to measure AR performance
This means we can more easily compare numbers, and we don't have to
specify a single N for all reports, which previously meant that some
tests were running many more/fewer iterations than necessary.

Conflicts:
	Gemfile
	activerecord/examples/performance.rb
20d6f70
@jonleighton jonleighton Increase benchmark time to 20 seconds.
I think that 5 seconds was a bit low for our purposes.

Also enable it to be configured via env vars.

We also need to scale the number of records up/down depending on how
long we're running the benchmark for.

Conflicts:
	activerecord/examples/performance.rb
e08268b
Commits on Aug 28, 2012
@fxn fxn CHANGELOGs are now per branch
Check 810a50d for the rationale.
e6e9e56
@lifo lifo Ensure association preloading properly merges default scope and association conditions
2d6d8a7
Commits on Oct 18, 2012
@rafaelfranca rafaelfranca Require ActionController::Railtie in the default middleware stack.
This will make it possible to do a frameworkless initialization since the
default middleware stack is self contained.
144d747
Commits on Dec 14, 2012
@tenderlove tenderlove test for 8018 92118e7
Commits on Dec 15, 2012
@tenderlove tenderlove do not install ruby-prof on Ruby 2.0 61776f5
@carlosantoniodasilva carlosantoniodasilva Update xml serialization tests to reflect a change in builder
Due to a change in builder, nil values now generate closed tags,
so instead of this:

    <pseudonyms nil=\"true\"></pseudonyms>

It generates this:

    <pseudonyms nil=\"true\"/>

Document this change in Rails so that people can track it down easily if
necessary.

Changes in Active Model, Active Record and Active Support tests.

Cherry-pick of d65adc7, 77dd3be and 146eaf3. Fix build.
9fc6c31
@carlosantoniodasilva carlosantoniodasilva Be a bit less conservative with mysql in adapter
This will allow the new mysql 2.9.0 to be used, fixing our test issues.
64e6e6a
Commits on Dec 23, 2012
@tenderlove tenderlove updating changelogs fbe436b
@tenderlove tenderlove CVE-2012-5664 options hashes should only be extracted if there are extra parameters
c42f548
@tenderlove tenderlove bumping version to 3.1.9 f1e977c
Commits on Jan 08, 2013
@spastorino spastorino Avoid Rack security warning no secret provided
This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
4d5f950
@tenderlove tenderlove * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
7e5cc96
@jeremy jeremy CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. 8133a81
@tenderlove tenderlove bumping version a7dd0bb
Commits on Jan 09, 2013
@carlosantoniodasilva carlosantoniodasilva Fix a few warnings of unused variables 86cf7d3
@sikachu sikachu Remove test for XML YAML parsing
The support for YAML parsing in XML has been removed from Active Support
since it introduced a security risk. See 8133a81 for more detail.
3f3c35b
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8835 from sikachu/3-1-stable-fix-ars
Remove test for XML YAML parsing
a97199d
@jeremy jeremy Merge pull request #5896 from sferik/revert_5861
Revert #5861. Feature-detect which MultiJson API to use.
Conflicts:
	activesupport/activesupport.gemspec

This backports multi_json version dependency changes as applied.

Rationale: #5861

Patch by sferik
7b9bab6
@rafaelfranca rafaelfranca Merge pull request #8846 from AlexRiedler/revert_5861
Backport multi_json dependency revert of #5861 to 3-1-stable
b816e8e
@carlosantoniodasilva carlosantoniodasilva Update changelogs with release dates and minor improvements [ci skip] 1b35a85
Commits on Jan 11, 2013
@dylanahsmith dylanahsmith Fix JSON params parsing regression for non-object JSON content.
Backports #8855.
c669a9c
@jeremy jeremy Merge pull request #8889 from dylanahsmith/3-1-parse-non-object-json-params

3-1-stable: Fix JSON params parsing regression for non-object JSON content.
18b8f90
Commits on Jan 12, 2013
@pixeltrix pixeltrix Remove unnecessary caching of ParameterFilter 8b3109a
Commits on Jan 16, 2013
@floehopper floehopper Fix 3-1-stable to work with Mocha >= v0.13.0
A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

[1]
freerange/mocha@f1ff647#diff-5
0591f6d
@rafaelfranca rafaelfranca Merge pull request #8871 from freerange/3-1-stable-with-mocha-fixes
Fix 3-1-stable to work with Mocha >= v0.13.0
b0a2c67
@carlosantoniodasilva carlosantoniodasilva Update mocha version to 0.13.0 and change requires
Conflicts:
	Gemfile
	railties/test/application/route_inspect_test.rb
	railties/test/generators_test.rb
ae6864e
Commits on Jan 26, 2013
@dmathieu dmathieu remove the warning when testing whiny_nil d72c25e
@kennyj kennyj Fix build. It seems that Mocha's behavior was changed. 4ebe101
Commits on Feb 07, 2013
@dylanahsmith dylanahsmith active_record: Quote numeric values compared to string columns. 26e13c3
Commits on Feb 08, 2013
@guilleiguaran guilleiguaran Merge pull request #9209 from dylanahsmith/3-1-mysql-quote-numeric
[3.1] active_record: Quote numeric values compared to string columns.
ecfc26d
@robertomiranda robertomiranda Fix test failure for ruby 1.8 2372a1f
@guilleiguaran guilleiguaran Merge pull request #9226 from robertomiranda/fix-bigdecimal-test
[3.1] Fix test failure for ruby 1.8
c470941
Commits on Feb 10, 2013
@joernchen joernchen Fix issue with attr_protected where malformed input could circumvent
protection

Fixes: CVE-2013-0276
647afdb
Commits on Feb 11, 2013
@tenderlove tenderlove bumping to 3.1.11 415bf3d
Commits on Feb 12, 2013
@carlosantoniodasilva carlosantoniodasilva Update changelogs with version/release dates [ci skip]
Also add note about attr_protected change.
16ed3d5
Commits on Feb 14, 2013
@carlosantoniodasilva carlosantoniodasilva Fix changelog typos [ci skip]
Thanks to @jmccartie.
967591b
Commits on Feb 16, 2013
@joernchen joernchen Update activemodel/CHANGELOG.md
Fixed a typo ;)
b7ee5ca
@fxn fxn Merge pull request #9309 from joernchen/patch-2
Update activemodel/CHANGELOG.md
7e90a8e
Commits on Feb 27, 2013
@steveklabnik steveklabnik Revert "Merge pull request #9208 from dylanahsmith/3-2-mysql-quote-numeric"

This reverts commit 921a296.
2821f95
@queso queso Update gemspec to get mail 2.4 as the main version, 2.3.3 has security issues.
d3dc2a7
Commits on Feb 28, 2013
@guilleiguaran guilleiguaran Merge pull request #9475 from queso/update-mail
Update gemspec to get mail 2.4 as the main version, 2.3.3 has security i...
3f8eb4e
Commits on Mar 16, 2013
@tenderlove tenderlove stop calling to_sym when building arel nodes [CVE-2013-1854] 5ff6012
@charliesome charliesome fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] 36bcc93
@benmmurphy benmmurphy JDOM XXE Protection [CVE-2013-1856]
Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
a7d252b
@tenderlove tenderlove fix protocol checking in sanitization [CVE-2013-1857]
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
735bb98
Commits on Mar 18, 2013
@tenderlove tenderlove bumping to 3.1.12
0c510c7