Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082

CVE-2013-6414

Conflicts:
	actionpack/lib/action_view/lookup_context.rb

Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb

Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb

This reverts commit 663c9a63, reversing
changes made to 10513d2e.

This reverts commit 360af4eb, reversing
changes made to f93d0467.

* 3-0-sec:
  fix serialization vulnerability
  Fix issue with attr_protected where malformed input could circumvent protection

fixed failing JSON decoding in rails 3-0-stable

protection

Fixes: CVE-2013-0276

Conflicts:
	activemodel/lib/active_model/attribute_methods.rb
	activerecord/test/cases/mass_assignment_security_test.rb

Fix BigDecimal Typecast on 1.8.7

[3.0] active_record: Quote numeric values compared to string columns.

Fix #8832 - Parse '{"person":[]}' JSON/XML as {'person' => []}.

Fixing encoding to UTF-8 for OkJson backend. Closes #9122.

Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.

Rails 3.0.x doesn't have the :prompt option in select_tag, it was
introduced in c5d54be7 that is only
available from 3.1.x on.

The test and related fix were introduced in
c9795871 for Rails 3.0.17, as a fix for
a security vulnerability. The code is completely fine but the test was
using the invalid :prompt option for this version, probably because it
was cherry-picked from other branch which has the option.

Requiring this now raises a RuntimeError, failing the test.
It also seems that the require is unnecessary to pass the test.

Mocha by default does not allow adding expectation to frozen objects,
just applying a workaround to ensure the method is never called, making
the tests pass without enabling this again in mocha.

Fix 3-0-stable to work with Mocha >= v0.13.0

A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

[1]
https://github.com/freerange/mocha/commit/f1ff6475ca2871f2977ab84cabbbfe2adadbbee6#diff-5
commit 0591f6d1 1 parent 8b3109a4

3-0-stable: Fix JSON params parsing regression for non-object JSON content.

Backports #8855.

Methods that return nil should not be considered YAML

This is a direct port of @jaw6's pull request
https://github.com/rails/rails/pull/492. His cleanly applied to Rails
v3.1 and v3.2, and this cleanly applies to v3.0.

With yesterday's security patches
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
there is now an issue with Rails v3.0 serving XML to any of the latest
versions of ActiveResource.

Without this, Rails v3.0 can serve XML to ActiveResource consumers that
will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`

Remove test for XML YAML parsing