Default I18n.enforce_available_locales to true #13341

Merged
merged 4 commits into from Dec 17, 2013

carlosantoniodasilva commented Dec 16, 2013

We will default this option to true from now on to ensure users properly handle their list of available locales whenever necessary. This option was added as a security measure and thus Rails will follow it, defaulting to the secure option.

Also improve the handling of I18n config options in its railtie, taking the new enforce_available_locales option into account, by setting it as the last one in the process. This ensures no other configuration will trigger a deprecation warning due to that setting.

The option enforce_available_locales is only available on latest
versions, so require the last available one which has the option +
other related fixes and should not have backward compatibility issues.

rafaelfranca commented Dec 17, 2013

:shipit:

carlosantoniodasilva added a commit that referenced this pull request Dec 17, 2013
Default I18n.enforce_available_locales to true

@carlosantoniodasilva carlosantoniodasilva merged commit ae196e8 into rails:master Dec 17, 2013
1 check passed
default The Travis CI build passed
@carlosantoniodasilva carlosantoniodasilva deleted the carlosantoniodasilva:ca-i18n branch Dec 17, 2013
carlosantoniodasilva added a commit that referenced this pull request Dec 23, 2013
Default I18n.enforce_available_locales to true

Conflicts:
	actionview/test/abstract_unit.rb
	activesupport/CHANGELOG.md
	activesupport/activesupport.gemspec
	activesupport/lib/active_support/i18n_railtie.rb
	activesupport/test/abstract_unit.rb
	guides/source/upgrading_ruby_on_rails.md
	railties/test/application/initializers/i18n_test.rb

jordimassaguerpla commented on c445c6d Jan 14, 2014

Does this mean that if we don't apply this commit and we don't explicitly set any value to I18n.enforce_available_locales, are our applications vulnerable?

thanks.


carlosantoniodasilva replied Jan 14, 2014

@jordimassaguerpla your application is likely to be vulnerable if you allow the locale to be set by any user input, and you do not set enforce_available_locales to true. By not setting it, you'll get a warning, and either by not setting or setting it to false, I18n won't check if the locale is known in the available locales list. If you do not allow the locale to be changed through user input you are ok.

jordimassaguerpla replied Jan 14, 2014

@carlosantoniodasilva : thanks a lot for the clarification.
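
The case raised in the thread above (a locale taken from user input) can also be handled at the request boundary. The following is an added example, not code from this pull request or from Rails/I18n: a plain-Ruby allowlist resolver that only ever returns a member of the available-locales list. The helper names, `AVAILABLE` and `DEFAULT` are hypothetical, and the sample values are constructed.

```ruby
# Added example: plain Ruby, no Rails or i18n gem required.
# AVAILABLE and DEFAULT are constructed sample values.
AVAILABLE = %i[en pt-BR es].freeze
DEFAULT   = :en

# Shape of a locale tag we are willing to look at: "en", "pt-BR", "zh-Hant-TW".
TAG = /\A[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*\z/

# Return the matching available locale (a symbol) or nil.
# The result is always a member of `available`, never a symbol built
# from the caller's string. Non-String input (nil, Array, Hash) is rejected.
def match_locale(candidate, available = AVAILABLE)
  return nil unless candidate.is_a?(String) && candidate.match?(TAG)
  # Exact tag first, then fall back to the primary language subtag.
  available.find { |loc| loc.to_s.casecmp?(candidate) } ||
    available.find { |loc| loc.to_s.casecmp?(candidate.split("-").first) }
end

# Parse an Accept-Language header into tags ordered by descending q-value,
# keeping header order for ties. Entries with q <= 0 are dropped.
def accept_language_tags(header)
  header.to_s.split(",").map { |part|
    tag, q = part.strip.split(/\s*;\s*q=/, 2)
    [tag.to_s, q ? q.to_f : 1.0]
  }.reject { |tag, q| tag.empty? || q <= 0 }
   .sort_by.with_index { |(_, q), i| [-q, i] }
   .map(&:first)
end

# Resolve the request locale: explicit parameter first, then the header,
# then the default. Unknown or malformed input falls through to the default.
def resolve_locale(param, header, available = AVAILABLE, default = DEFAULT)
  [param, *accept_language_tags(header)].each do |candidate|
    found = match_locale(candidate, available)
    return found if found
  end
  default
end
```

In a Rails application the returned symbol is the value that would be assigned to `I18n.locale`; with `enforce_available_locales` set to true, I18n additionally checks any assigned locale against its own available-locales list.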
