base fork: rails/rails
...
head fork: rails/rails
Commits on Jan 08, 2013
@spastorino spastorino Avoid Rack security warning no secret provided
This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
4d5f950
@tenderlove tenderlove * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
* dealing with empty hashes. Thanks Damien Mathieu

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
7e5cc96
@jeremy jeremy CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. 8133a81
@tenderlove tenderlove bumping version a7dd0bb
Commits on Jan 09, 2013
@carlosantoniodasilva carlosantoniodasilva Fix a few warnings of unused variables 86cf7d3
@sikachu sikachu Remove test for XML YAML parsing
The support for YAML parsing in XML has been removed from Active Support
since it introduced a security risk. See 8133a81 for more detail.
3f3c35b
@carlosantoniodasilva carlosantoniodasilva Merge pull request #8835 from sikachu/3-1-stable-fix-ars
Remove test for XML YAML parsing
a97199d
@jeremy jeremy Merge pull request #5896 from sferik/revert_5861
Revert #5861. Feature-detect which MultiJson API to use.
Conflicts:
	activesupport/activesupport.gemspec

This backports multi_json version dependency changes as applied.

Rationale: #5861

Patch by sferik
7b9bab6
@rafaelfranca rafaelfranca Merge pull request #8846 from AlexRiedler/revert_5861
Backport multi_json dependency revert of #5861 to 3-1-stable
b816e8e
@carlosantoniodasilva carlosantoniodasilva Update changelogs with release dates and minor improvements [ci skip] 1b35a85
Commits on Jan 11, 2013
@dylanahsmith dylanahsmith Fix JSON params parsing regression for non-object JSON content.
Backports #8855.
c669a9c
@jeremy jeremy Merge pull request #8889 from dylanahsmith/3-1-parse-non-object-json-params

3-1-stable: Fix JSON params parsing regression for non-object JSON content.
18b8f90
Commits on Jan 12, 2013
@pixeltrix pixeltrix Remove unnecessary caching of ParameterFilter 8b3109a
Commits on Jan 16, 2013
@floehopper floehopper Fix 3-1-stable to work with Mocha >= v0.13.0
A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

[1] freerange/mocha@f1ff647#diff-5
0591f6d
@rafaelfranca rafaelfranca Merge pull request #8871 from freerange/3-1-stable-with-mocha-fixes
Fix 3-1-stable to work with Mocha >= v0.13.0
b0a2c67
@carlosantoniodasilva carlosantoniodasilva Update mocha version to 0.13.0 and change requires
Conflicts:
	Gemfile
	railties/test/application/route_inspect_test.rb
	railties/test/generators_test.rb
ae6864e
Commits on Jan 26, 2013
@dmathieu dmathieu remove the warning when testing whiny_nil d72c25e
@kennyj kennyj Fix build. It seems that Mocha's behavior was changed. 4ebe101
Commits on Feb 07, 2013
@dylanahsmith dylanahsmith active_record: Quote numeric values compared to string columns. 26e13c3
Commits on Feb 08, 2013
@guilleiguaran guilleiguaran Merge pull request #9209 from dylanahsmith/3-1-mysql-quote-numeric
[3.1] active_record: Quote numeric values compared to string columns.
ecfc26d
@robertomiranda robertomiranda Fix test failure for ruby 1.8 2372a1f
@guilleiguaran guilleiguaran Merge pull request #9226 from robertomiranda/fix-bigdecimal-test
[3.1] Fix test failure for ruby 1.8
c470941
Commits on Feb 10, 2013
@joernchen joernchen Fix issue with attr_protected where malformed input could circumvent
protection

Fixes: CVE-2013-0276
647afdb
Commits on Feb 11, 2013
@tenderlove tenderlove bumping to 3.1.11 415bf3d
Commits on Feb 12, 2013
@carlosantoniodasilva carlosantoniodasilva Update changelogs with version/release dates [ci skip]
Also add note about attr_protected change.
16ed3d5
Commits on Feb 14, 2013
@carlosantoniodasilva carlosantoniodasilva Fix changelog typos [ci skip]
Thanks to @jmccartie.
967591b
Commits on Feb 16, 2013
@joernchen joernchen Update activemodel/CHANGELOG.md
Fixed a typo ;)
b7ee5ca
@fxn fxn Merge pull request #9309 from joernchen/patch-2
Update activemodel/CHANGELOG.md
7e90a8e
Commits on Feb 27, 2013
@steveklabnik steveklabnik Revert "Merge pull request #9208 from dylanahsmith/3-2-mysql-quote-numeric"

This reverts commit 921a296.
2821f95
@queso queso Update gemspec to get mail 2.4 as the main version, 2.3.3 has security issues.
d3dc2a7
Commits on Feb 28, 2013
@guilleiguaran guilleiguaran Merge pull request #9475 from queso/update-mail
Update gemspec to get mail 2.4 as the main version, 2.3.3 has security i...
3f8eb4e
Commits on Mar 16, 2013
@tenderlove tenderlove stop calling to_sym when building arel nodes [CVE-2013-1854] 5ff6012
@charliesome charliesome fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] 36bcc93
@benmmurphy benmmurphy JDOM XXE Protection [CVE-2013-1856]
Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
a7d252b
@tenderlove tenderlove fix protocol checking in sanitization [CVE-2013-1857]
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
735bb98
Commits on Mar 18, 2013
@tenderlove tenderlove bumping to 3.1.12
0c510c7