提交 · 2a52a38cb51b65d71cf91fc960777213cf96f962 · 张重言 / rails

19 12月, 2019 1 次提交

Fix possible information leak / session hijacking vulnerability. · 2a52a38c

由 Rafael Mendonça França 提交于 12月 17, 2019

The `ActionDispatch::Session::MemcacheStore` is still vulnerable
given it requires the gem dalli to be updated as well.

CVE-2019-16782

2a52a38c

27 11月, 2019 1 次提交
- R
  
  Preparing for 5.2.4 release · 8bec77cc
  由 Rafael Mendonça França 提交于 11月 27, 2019
  
  8bec77cc
23 11月, 2019 1 次提交
- R
  
  Preparing for 5.2.4.rc1 release · 9e2a3412
  由 Rafael Mendonça França 提交于 11月 22, 2019
  
  9e2a3412
28 3月, 2019 2 次提交
- S
  
  Update CHANGELOG entry for the Cache-Control header change [ci skip] · 6c8de131
  由 Sharang Dashputre 提交于 3月 28, 2019
  
  6c8de131
- R
  
  Preparing for 5.2.3 release · b9ca94ca
  由 Rafael Mendonça França 提交于 3月 27, 2019
  
  b9ca94ca
27 3月, 2019 2 次提交
- A
  
  [ci skip] Fixed changelog typo for fixed controller params · 111ea16f
  由 Abhay Nikam 提交于 3月 27, 2019
  
  111ea16f
- K
  
  Documentation for fixed controller param behaviour (#35764) · cbc09180
  由 Ken Greeff 提交于 3月 27, 2019
  
  cbc09180
22 3月, 2019 1 次提交
- R
  
  Preparing for 5.2.3.rc1 release · 657103b6
  由 Rafael Mendonça França 提交于 3月 21, 2019
  
  657103b6
11 3月, 2019 1 次提交

Prep release · e69ff430

由 eileencodes 提交于 3月 11, 2019

* Bump RAILS_VERSION
* Bundle
* rake update_versions
* rake changelog:header

e69ff430

09 1月, 2019 1 次提交
- Y
  Merge pull request #34885 from y-yagi/fixes_34780 · f32549f4
  由 Yuji Yaginuma 提交于 1月 09, 2019
```
Allow using combine the Cache-Control `public` and `no-cache` headers
```
  f32549f4
02 1月, 2019 1 次提交
- R
  Merge pull request #34836 from kamipo/class_level_update_without_ids · e419a2ad
  由 Ryuta Kamizono 提交于 1月 02, 2019
```
Restore an ability that class level `update` without giving ids
```
  e419a2ad
19 12月, 2018 2 次提交
- K
  
  [ci skip] Fix tabs/spaces. · 8abaeb19
  由 Kasper Timm Hansen 提交于 12月 18, 2018
  
  8abaeb19
- K
  Merge pull request #34737 from r7kamura/feature/test-case-params-nil · cd9380e5
  由 Kasper Timm Hansen 提交于 12月 18, 2018
```
Allow nil params on controller HTTP test methods
```
  cd9380e5
05 12月, 2018 1 次提交
- R
  
  Preparing for 5.2.2 release · 94b5cd3a
  由 Rafael Mendonça França 提交于 12月 04, 2018
  
  94b5cd3a
29 11月, 2018 1 次提交
- R
  
  Preparing for 5.2.2.rc1 release · 73ba3027
  由 Rafael Mendonça França 提交于 11月 28, 2018
  
  73ba3027
28 11月, 2018 1 次提交
- R
  
  Preparing for 5.2.1.1 release · 96dee0e7
  由 Rafael Mendonça França 提交于 11月 27, 2018
  
  96dee0e7
14 11月, 2018 1 次提交
- R
  Merge pull request #34411 from N0xFF/master · 37f1f1a1
  由 Rafael França 提交于 11月 13, 2018
```
Reset Capybara sessions if failed system test screenshot raising an exception
```
  37f1f1a1
01 11月, 2018 1 次提交
- R
  
  Fix broken CHANGELOG markup [ci skip] · 69071c92
  由 Ryuta Kamizono 提交于 11月 01, 2018
  
  69071c92
23 10月, 2018 2 次提交

Use request object for context if there's no controller · 4725b2f0

由 Andrew White 提交于 10月 22, 2018

There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.

Fixes #34200.

(cherry picked from commit a150a026)

4725b2f0

Apply mapping to symbols returned from dynamic CSP sources · cff030af

由 Andrew White 提交于 10月 22, 2018

Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:

  policy.default_src -> { :self }

would generate the header:

  Content-Security-Policy: default-src self

and now it generates:

  Content-Security-Policy: default-src 'self'

(cherry picked from commit ed91b75c)

cff030af

08 8月, 2018 1 次提交
- R
  
  Preparing for 5.2.1 release · fc5dd0b8
  由 Rafael Mendonça França 提交于 8月 07, 2018
  
  fc5dd0b8
31 7月, 2018 1 次提交
- R
  
  Preparing for 5.2.1.rc1 release · 90c03398
  由 Rafael Mendonça França 提交于 7月 30, 2018
  
  90c03398
21 7月, 2018 2 次提交
- K
  
  [ci skip] Move changelog entry up top. Clarify. · b7f7314d
  由 Kasper Timm Hansen 提交于 7月 20, 2018
  
  b7f7314d
- K
  Merge pull request #33392 from azbshiri/actionpack/prevent-request-encoder-to-parse-nil-params · ccfd9272
  由 Kasper Timm Hansen 提交于 7月 20, 2018
```
Prevent `RequestEncoder#encode_params` to parse falsey params
```
  ccfd9272
20 4月, 2018 2 次提交
- B
  Fix changelog added in f1e95f7f · e43f3a69
  由 bogdanvlviv 提交于 4月 20, 2018
```
- Add missing dot.
- warp code example in "```".

[ci skip]
```
  e43f3a69
- R
  Merge pull request #32593 from sdhull/fix-strong-params-permit-bang · f1e95f7f
  由 Rafael Mendonça França 提交于 4月 19, 2018
```
Fixes StrongParameters `permit!` to work with nested arrays
```
  f1e95f7f
19 4月, 2018 1 次提交
- R
  Merge pull request #32633 from bogdanvlviv/fix-ref-in-actionpack-changelog · f2bcfd31
  由 Ryuta Kamizono 提交于 4月 19, 2018
```
Fix reference to fixed issue in actionpack/CHANGELOG.md

[ci skip]
```
  f2bcfd31
18 4月, 2018 1 次提交
- A
  Merge pull request #32602 from Envek/fix/csp-multiple-nonces · 4f8765f7
  由 Andrew White 提交于 4月 18, 2018
```
Output only one nonce in CSP header per request
```
  4f8765f7
10 4月, 2018 2 次提交
- R
  
  Preparing for 5.2.0 release · 375a4143
  由 Rafael Mendonça França 提交于 4月 09, 2018
  
  375a4143
- R
  Merge pull request #32488 from swrobel/patch-4 · 47a7e953
  由 Rafael Mendonça França 提交于 4月 09, 2018
```
Only disable headless chrome gpu on Windows
```
  47a7e953
21 3月, 2018 1 次提交
- R
  
  Preparing for 5.2.0.rc2 release · db7edd81
  由 Rafael Mendonça França 提交于 3月 20, 2018
  
  db7edd81
16 3月, 2018 1 次提交

Check exclude before flagging cookies as secure in ActionDispatch::SSL (#32262) · a8b07126

由 Catherine Khuu 提交于 3月 15, 2018

* Check exclude before flagging cookies as secure.

* Update comments in ActionDispatch::SSL.

[Catherine Khuu + Rafael Mendonça França]

a8b07126

12 3月, 2018 1 次提交

Fix 5-2-stable's changelogs [ci skip] · 8fdfd492

由 bogdanvlviv 提交于 3月 11, 2018

- Add missing dots.
- Change example of using `content_security_policy_report_only`
  in controller.
- Remove TODO.

Related to #32222

8fdfd492

08 3月, 2018 2 次提交

Always yield a CSP policy instance · 4ec8bf68

由 Andrew White 提交于 3月 08, 2018

If the app has the CSP disabled globally allow a controller action
to enable the policy for that request.

4ec8bf68

Add the ability to disable the global CSP in a controller · 619b1b63

由 Andrew White 提交于 3月 08, 2018

e.g:

    class LegacyPagesController < ApplicationController
      content_security_policy false, only: :index
    end

619b1b63

28 2月, 2018 1 次提交
- R
  Merge pull request #31844 from igorkasyanchuk/add_to_hash_and_to_h_for_session_and_cookies · 50a62499
  由 Ryuta Kamizono 提交于 2月 01, 2018
```
Consistent behavior for session and cookies with to_h and to_hash method
```
  50a62499
25 2月, 2018 1 次提交

Update default HSTS max-age value to 1 year · 30b5f469

由 Grant Bourque 提交于 1月 16, 2018

- Update the default HSTS max-age value to 31536000 seconds (1 year)
  to meet the minimum max-age requirement for https://hstspreload.org/.

30b5f469

22 2月, 2018 1 次提交
- A
  Merge pull request #32018 from rails/add-nonce-support-to-csp · b2f0a894
  由 Andrew White 提交于 2月 22, 2018
```
Add support for automatic nonce generation for Rails UJS
```
  b2f0a894
15 2月, 2018 1 次提交
- R
  Add CHANGELOG entry for d7a121a0 · b05e4c4e
  由 Rafael Mendonça França 提交于 2月 14, 2018
```
[ci skip]
```
  b05e4c4e
31 1月, 2018 1 次提交
- R
  
  Preparing for 5.2.0.rc1 release · 6a97a17f
  由 Rafael Mendonça França 提交于 1月 30, 2018
  
  6a97a17f