提交 · 070d4afacd3e9721b7e3a4634e4d026b5fa2c32c · 张重言 / rails

10 9月, 2020 2 次提交

G

v6.0.3.3 · 070d4afa
由 George Claghorn 提交于 9月 09, 2020

070d4afa

Fix XSS vulnerability in `translate` helper · 4ca2027d

由 Jonathan Hefner 提交于 9月 08, 2020

Prior to this commit, when a translation key indicated that the
translation text was HTML, the value returned by `I18n.translate` would
always be marked as `html_safe`.  However, the value returned by
`I18n.translate` could be an untrusted value directly from
`options[:default]`.

This commit ensures values directly from `options[:default]` are not
marked as `html_safe`.

4ca2027d

17 6月, 2020 3 次提交
- A
  
  Preparing for 6.0.3.2 release · fbe2433b
  由 Aaron Patterson 提交于 6月 17, 2020
  
  fbe2433b
- A
  
  Update changelog · 11052e00
  由 Aaron Patterson 提交于 6月 16, 2020
  
  11052e00
- R
  Only allow ActionableErrors if show_detailed_exceptions is enabled · 2121b9d2
  由 Rafael Mendonça França 提交于 6月 11, 2020
```
[CVE-2020-8185]
```
  2121b9d2
18 5月, 2020 2 次提交
- A
  
  Preparing for 6.0.3.1 release · 34991a6a
  由 Aaron Patterson 提交于 5月 18, 2020
  
  34991a6a
- A
  
  bumping version, updating changelog · 2c8fe2ac
  由 Aaron Patterson 提交于 5月 18, 2020
  
  2c8fe2ac
16 5月, 2020 6 次提交
- A
  
  update changelog · 0ad524ab
  由 Aaron Patterson 提交于 5月 15, 2020
  
  0ad524ab
- J
  Check that request is same-origin prior to including CSRF token in XHRs · 47a8dc34
  由 Jack McCracken 提交于 5月 06, 2020
```
[CVE-2020-8167]
```
  47a8dc34
- J
  HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token · 29aa538a
  由 Jack McCracken 提交于 5月 13, 2020
```
[CVE-2020-8166]
```
  29aa538a
- D
  activesupport: Deprecate Marshal.load on raw cache read in RedisCacheStore · bd39a13c
  由 Dylan Thacker-Smith 提交于 9月 22, 2018
```
The same value for the `raw` option should be provided for both reading and
writing to avoid Marshal.load being called on untrusted data.

[CVE-2020-8165]
```
  bd39a13c
- D
  activesupport: Avoid Marshal.load on raw cache value in MemCacheStore · 0a7ce524
  由 Dylan Thacker-Smith 提交于 9月 22, 2018
```
Dalli is already being used for marshalling, so we should also rely
on it for unmarshalling. Since Dalli tags the cache value as marshalled
it can avoid unmarshalling a raw string which might have come from
an untrusted source.

[CVE-2020-8165]
```
  0a7ce524
- J
  Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash · b3230c50
  由 Jack McCracken 提交于 5月 13, 2020
```
[CVE-2020-8164]
```
  b3230c50
15 5月, 2020 1 次提交
- T
  Include Content-Length in signature for ActiveStorage direct upload · 17507e8b
  由 Travis Pew 提交于 5月 14, 2020
```
[CVE-2020-8162]
```
  17507e8b
07 5月, 2020 1 次提交
- R
  
  Preparing for 6.0.3 release · b738f193
  由 Rafael Mendonça França 提交于 5月 06, 2020
  
  b738f193
03 5月, 2020 1 次提交
- E
  Merge pull request #39124 from eugeneius/autosave_multiple_times · 701a0786
  由 Eugene Kenny 提交于 5月 03, 2020
```
Allow associations to be autosaved multiple times
```
  701a0786
02 5月, 2020 2 次提交
- R
  
  Preparing for 6.0.3.rc1 release · 509b9da2
  由 Rafael Mendonça França 提交于 5月 01, 2020
  
  509b9da2
- R
  
  Add back the support to pass `at` as a proc in the job assertions · e9075d59
  由 Rafael Mendonça França 提交于 5月 01, 2020
  
  e9075d59
01 5月, 2020 1 次提交

Should not rely on the global `Arel::Table.engine` in the framework · 18534291

由 Ryuta Kamizono 提交于 5月 01, 2020

Relying on the `Arel::Table.engine` is convenient if an app have only a
single kind of database, but if not so, the global state is not always
the same with the current connection.

18534291

29 4月, 2020 1 次提交
- X
  
  Backports improved warning in zeitwerk:check · c549fb46
  由 Xavier Noria 提交于 4月 29, 2020
  
  c549fb46
27 4月, 2020 1 次提交
- A
  
  Verify FFmpeg presence before attempting to preview videos · 7aea2130
  由 Abhay Nikam 提交于 4月 27, 2020
  
  7aea2130
25 4月, 2020 2 次提交
- X
  
  adds missing require [Fixes #39042] · 02d07ccc
  由 Xavier Noria 提交于 4月 25, 2020
  
  02d07ccc
- W
  Fix autosave association bug with ActiveStorage::Attachments · 88c97f87
  由 William Carey 提交于 4月 24, 2020
```
Closes #37701.
```
  88c97f87
23 4月, 2020 1 次提交
- E
  Merge pull request #39014 from nimish-mehta/handle-signed-hexadecimal-literals · cbfbb2c9
  由 Eugene Kenny 提交于 4月 22, 2020
```
Reject hexadecimal numbers with signs while validating numericality
```
  cbfbb2c9
21 4月, 2020 1 次提交
- E
  Merge pull request #38990 from eugeneius/transaction_callbacks_object_id · e09df779
  由 Eugene Kenny 提交于 4月 20, 2020
```
Use __id__ to dedup records for transactional callbacks
```
  e09df779
19 4月, 2020 1 次提交
- E
  Merge pull request #38891 from jonathanhefner/fix-activejob-delay-test · 1077089e
  由 Eugene Kenny 提交于 4月 18, 2020
```
Fix random CI fail due to cross-second time delay
```
  1077089e
17 4月, 2020 4 次提交
- E
  Sort results to fix nondeterministic test failures · 91a848f0
  由 Eugene Kenny 提交于 3月 29, 2020
```
https://buildkite.com/rails/rails/builds/67891#867b2766-7984-4280-90d6-7f0412e2d239/1015-1026
```
  91a848f0
- R
  touch_attributes_with_time takes keyword arguments · fadff1f4
  由 Ryuta Kamizono 提交于 4月 17, 2020
```
Follow up to 404e1a0a.
```
  fadff1f4
- R
  Merge pull request #37170 from eugeneius/insert_all_query_cache_test · 45a398cf
  由 Ryuta Kamizono 提交于 9月 11, 2019
```
Skip insert all tests when features are unavailable
```
  45a398cf
- E
  Merge pull request #38970 from eugeneius/tmp_pids_keepfile · e29372ac
  由 Eugene Kenny 提交于 4月 17, 2020
```
Don't gitignore tmp/pids/.keep
```
  e29372ac
16 4月, 2020 1 次提交
- R
  Merge pull request #38929 from kamipo/fix_unscoping_association_scope · 2c81e32a
  由 Ryuta Kamizono 提交于 4月 16, 2020
```
Fix unscoping association scope on joins not to raise an error
```
  2c81e32a
14 4月, 2020 3 次提交
- E
  Fix Builder::XmlMarkup lazy load in Array#to_xml · f2f7bcc0
  由 Eugene Kenny 提交于 4月 13, 2020
```
Followup to e7514dc6.
```
  f2f7bcc0
- R
  Merge pull request #36941 from ts-3156/master · 320734ea
  由 Rafael França 提交于 4月 13, 2020
```
Ignore Errno::ENOTEMPTY when calling AS::Cache::FileStore#clear with race conditions
```
  320734ea
- R
  Merge pull request #38939 from hammerdr/38937 · da8f6318
  由 Rafael França 提交于 4月 13, 2020
```
Load XML Builder if it is not available
```
  da8f6318
13 4月, 2020 2 次提交
- E
  Test queries with leading comments on all adapters · a479c88f
  由 Eugene Kenny 提交于 4月 13, 2020
```
Followup to b94efe9f.
```
  a479c88f
- R
  Merge pull request #37184 from dylanahsmith/read-query-comment-prefix · 290e4859
  由 Rafael França 提交于 9月 12, 2019
```
activerecord: Allow comment prefix in queries when preventing writes
```
  290e4859
12 4月, 2020 1 次提交
- R
  Merge pull request #38916 from kamipo/fix_scoping_when_create_on_association_relation · 370188ae
  由 Ryuta Kamizono 提交于 4月 12, 2020
```
Allow extra scoping in callbacks when create on association relation
```
  370188ae
11 4月, 2020 1 次提交

Soft deprecate the `database` kwarg in 6.0 · 83eb3599

由 eileencodes 提交于 4月 11, 2020

The database kwarg is deprecated in 6.1 and will be removed in 6.2. It
has caused a lot of confusion and is dangerous to use in requests. Even
though docs recommended against use in requests, the majority of bug
reports to Rails regarding `connected_to` are related to this feature.
Since it's not an adequate replacement for sharding support we're
removing it. If you need shard support please use Rails 6.1 and the
shard kwarg.

83eb3599

09 4月, 2020 1 次提交
- R
  Merge pull request #38605 from dmitry/issue-38584 · b8fcd146
  由 Rafael Mendonça França 提交于 4月 08, 2020
```
While using perform_enqueued_jobs enqueued jobs must be stored as well
```
  b8fcd146
08 4月, 2020 1 次提交
- E
  Merge pull request #38794 from cromulus/mandrill-ingress-tokenfix · 5bf69b4b
  由 Eugene Kenny 提交于 4月 07, 2020
```
Adding a route for Mandrill's url check.
```
  5bf69b4b