base fork: rails/rails
...
head fork: rails/rails
  • 2 commits
  • 20 files changed
  • 0 commit comments
  • 1 contributor
2  RAILS_VERSION
@@ -1 +1 @@
-4.1.2
+4.1.3
5 actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.2 (June 26, 2014) ##
* No changes.
2  actionmailer/lib/action_mailer/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
5 actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.2 (June 26, 2014) ##
* Fix URL generation with `:trailing_slash` such that it does not add
2  actionpack/lib/action_pack/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
5 actionview/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.2 (June 26, 2014) ##
* Change `asset_path` to use File.join to create proper paths.
2  actionview/lib/action_view/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
5 activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.2 (June 26, 2014) ##
* No changes.
2  activemodel/lib/active_model/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
9 activerecord/CHANGELOG.md
@@ -1,3 +1,12 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* Fix SQL Injection Vulnerability in 'range' quoting.
+
+ Fixes CVE-2014-3483
+
+ *Rafael Mendonça França*
+
+
## Rails 4.1.2 (June 26, 2014) ##
* Fix regression on eager loading association based on SQL query rather than
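Review bot: the new entry "Fix SQL Injection Vulnerability in 'range' quoting" should say where the fix lives: the changed file is connection_adapters/postgresql/quoting.rb, so this is PostgreSQL range-type quoting, and readers on other adapters will otherwise wonder whether they are affected. The surrounding entries use backticks for code names (`asset_path`, `Hash#deep_transform_keys`), so `range` rather than 'range'. The `exec_no_cache` change in postgresql_adapter.rb that ships in the same release is not mentioned at all and deserves a line, since it changes how that method talks to the server.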
7 activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
@@ -23,7 +23,8 @@ def quote(value, column = nil) #:nodoc:
case value
when Range
if /range$/ =~ sql_type
- "'#{PostgreSQLColumn.range_to_string(value)}'::#{sql_type}"
+ escaped = quote_string(PostgreSQLColumn.range_to_string(value))
+ "#{escaped}::#{sql_type}"
else
super
end
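Review bot: the replacement `"#{escaped}::#{sql_type}"` drops the single quotes that the removed line `"'#{PostgreSQLColumn.range_to_string(value)}'::#{sql_type}"` wrapped around the literal, and `quote_string` only escapes the content, it does not add quotes (the `'xml'` branch further down in this same file still writes `xml '#{quote_string(value)}'` with explicit quotes). As written, every range value, hostile or not, is emitted as an unquoted token followed by `::int8range`, which the server will reject as a syntax error. Suggest `"'#{escaped}'::#{sql_type}"`, which keeps the escaping and restores the literal.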
@@ -70,8 +71,8 @@ def quote(value, column = nil) #:nodoc:
when 'xml' then "xml '#{quote_string(value)}'"
when /^bit/
case value
- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
+ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
+ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
end
else
super
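Review bot: moving from `^`/`$` to `\A`/`\Z` is the right direction, since the old anchors matched per line and a value with an embedded newline could pass the `[01]*` or `[0-9A-F]*` check on its first line alone. Note that `\Z` still matches before a single trailing newline, so `"0101\n"` is still accepted and interpolated into `B'...'` with the newline intact; if the intent is to anchor to the true end of the string, use `\z`: `/\A[01]*\z/` and `/\A[0-9A-F]*\z/i`.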
2  activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
@@ -819,7 +819,7 @@ def initialize_type_map(type_map)
FEATURE_NOT_SUPPORTED = "0A000" #:nodoc:
def exec_no_cache(sql, name, binds)
- log(sql, name, binds) { @connection.async_exec(sql) }
+ log(sql, name, binds) { @connection.async_exec(sql, []) }
end
def exec_cache(sql, name, binds)
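Review bot: the added `[]` argument in `@connection.async_exec(sql, [])` has no comment and no CHANGELOG entry explaining it. Supplying a params array makes pg use the extended query protocol, which accepts exactly one statement per call; that is presumably intended as defence in depth against stacked statements like the one in the new quoting test, but it is also a behaviour change for any caller that relies on `exec_no_cache` running multi-statement SQL. A one-line comment stating the reason, and a CHANGELOG mention, would save the next reader from reverting it as a no-op.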
2  activerecord/lib/active_record/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
6 activerecord/test/cases/adapters/postgresql/quoting_test.rb
@@ -57,6 +57,12 @@ def test_quote_time_usec
assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0))
assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0).to_datetime)
end
+
+ def test_quote_range
+ range = "1,2]'; SELECT * FROM users; --".."a"
+ c = PostgreSQLColumn.new(nil, nil, OID::Range.new(:integer), 'int8range')
+ assert_equal "[1,2]''; SELECT * FROM users; --,a]::int8range", @conn.quote(range, c)
+ end
end
end
end
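Review bot: the expected value `"[1,2]''; SELECT * FROM users; --,a]::int8range"` has no surrounding single quotes, so the assertion locks in output that is not a valid SQL literal; the test should expect `"'[1,2]''; SELECT * FROM users; --,a]'::int8range"`, which would also have caught the dropped quotes in the quoting.rb change. A second case with a benign range such as `1..2` asserting `"'[1,2]'::int8range"` would document the normal output shape alongside the escaping case.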
5 activesupport/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.2 (June 26, 2014) ##
* `Hash#deep_transform_keys` and `Hash#deep_transform_keys!` now transform hashes
2  activesupport/lib/active_support/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
5 guides/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.2 (June 26, 2014) ##
* Update all Rails 4.1.0 references to 4.1.1 within the guides and code.
5 railties/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.3 (July 2, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.2 (June 26, 2014) ##
* Load database configuration from the first `database.yml` available in paths.
2  railties/lib/rails/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
2  version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 2
+ TINY = 3
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

No commit comments for this range
