提交 · 3-1-stable · 张重言 / rails

17 11月, 2014 1 次提交

correctly escape backslashes in request path globs · 4dacedf9

由 Aaron Patterson 提交于 11月 05, 2014

Conflicts:
	actionpack/lib/action_dispatch/middleware/static.rb

make sure that unreadable files are also not leaked

CVE-2014-7829

Conflicts:
	actionpack/lib/action_dispatch/middleware/static.rb

4dacedf9

11 10月, 2014 1 次提交

FileHandler should not be called for files outside the root · 9c37d8eb

由 Aaron Patterson 提交于 10月 10, 2014

FileHandler#matches? should return false for files that are outside the
"root" path.

Conflicts:
	actionpack/lib/action_dispatch/middleware/static.rb

Conflicts:
	actionpack/lib/action_dispatch/middleware/static.rb
	actionpack/test/dispatch/static_test.rb

9c37d8eb

19 2月, 2014 1 次提交

Use the reference for the mime type to get the format · 06cbb8a1

由 Rafael Mendonça França 提交于 2月 11, 2014

Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.

Fixes: CVE-2014-0082

06cbb8a1

04 12月, 2013 4 次提交

A
Merge pull request #13151 from hone/3-1-stable · ace03228
由 Aaron Patterson 提交于 12月 03, 2013
```
Backport Rails 3.2.16 Security Fixes to Rails 3.1.x
```
ace03228

Deep Munge the parameters for GET and POST · 1c00768c

由 Michael Koziarski 提交于 11月 30, 2013

The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.

Fixes CVE-2013-6417

Conflicts:
	actionpack/lib/action_dispatch/http/request.rb

1c00768c

Stop using i18n's built in HTML error handling. · 31cfb3c7

由 Michael Koziarski 提交于 11月 01, 2013

i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans.  Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.

Fixes: CVE-2013-4491

Conflicts:
	actionpack/lib/action_view/helpers/translation_helper.rb

Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0

31cfb3c7

M
Escape the unit value provided to number_to_currency · 6db26233
由 Michael Koziarski 提交于 11月 13, 2013
```
Fixes CVE-2013-6415

Previously the values were trusted blindly allowing for potential XSS attacks.
```
6db26233

01 12月, 2013 1 次提交
- A
  Only use valid mime type symbols as cache keys · e97530f1
  由 Aaron Patterson 提交于 11月 30, 2013
```
CVE-2013-6414

Conflicts:
	actionpack/lib/action_view/lookup_context.rb
```
  e97530f1
10 4月, 2013 1 次提交
- A
  Merge branch '3-1-later' into 3-1-stable · 46c26e84
  由 Aaron Patterson 提交于 4月 09, 2013
```
* 3-1-later:
  adding test for CVE
```
  46c26e84
19 3月, 2013 2 次提交
- P
  
  Add in missing requires · bd34e5cf
  由 Prem Sichanugrist 提交于 2月 21, 2013
  
  bd34e5cf
- A
  
  bumping to 3.1.12 · 0c510c79
  由 Aaron Patterson 提交于 3月 18, 2013
  
  0c510c79
16 3月, 2013 4 次提交
- A
  fix protocol checking in sanitization [CVE-2013-1857] · 735bb985
  由 Aaron Patterson 提交于 3月 15, 2013
```
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
```
  735bb985
- B
  JDOM XXE Protection [CVE-2013-1856] · a7d252bb
  由 Ben Murphy 提交于 2月 08, 2013
```
Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
```
  a7d252bb
- C
  
  fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] · 36bcc93d
  由 Charlie Somerville 提交于 2月 13, 2013
  
  36bcc93d
- A
  
  stop calling to_sym when building arel nodes [CVE-2013-1854] · 5ff6012d
  由 Aaron Patterson 提交于 3月 05, 2013
  
  5ff6012d
28 2月, 2013 3 次提交
- G
  Merge pull request #9475 from queso/update-mail · 3f8eb4ea
  由 Guillermo Iguaran 提交于 2月 27, 2013
```
Update gemspec to get mail 2.4 as the main version, 2.3.3 has security i...
```
  3f8eb4ea
- J
  
  Update gemspec to get mail 2.4 as the main version, 2.3.3 has security issues. · d3dc2a7a
  由 Josh Owens 提交于 2月 27, 2013
  
  d3dc2a7a
- S
  Revert "Merge pull request #9208 from dylanahsmith/3-2-mysql-quote-numeric" · 2821f953
  由 Steve Klabnik 提交于 2月 26, 2013
```
This reverts commit 921a296a.
```
  2821f953
17 2月, 2013 2 次提交
- X
  Merge pull request #9309 from joernchen/patch-2 · 7e90a8e2
  由 Xavier Noria 提交于 2月 16, 2013
```
Update activemodel/CHANGELOG.md
```
  7e90a8e2
- J
  Update activemodel/CHANGELOG.md · b7ee5caf
  由 joernchen of Phenoelit 提交于 2月 16, 2013
```
Fixed a typo ;)
```
  b7ee5caf
14 2月, 2013 1 次提交
- C
  Fix changelog typos [ci skip] · 967591bd
  由 Carlos Antonio da Silva 提交于 2月 14, 2013
```
Thanks to @jmccartie.
```
  967591bd
12 2月, 2013 1 次提交
- C
  Update changelogs with version/release dates [ci skip] · 16ed3d52
  由 Carlos Antonio da Silva 提交于 2月 11, 2013
```
Also add note about attr_protected change.
```
  16ed3d52
11 2月, 2013 1 次提交
- A
  
  bumping to 3.1.11 · 415bf3d1
  由 Aaron Patterson 提交于 2月 10, 2013
  
  415bf3d1
10 2月, 2013 2 次提交
- A
  
  adding test for CVE · b0bf30c1
  由 Aaron Patterson 提交于 2月 09, 2013
  
  b0bf30c1
- J
  Fix issue with attr_protected where malformed input could circumvent · 647afdb5
  由 joernchen of Phenoelit 提交于 2月 09, 2013
```
protection

Fixes: CVE-2013-0276
```
  647afdb5
09 2月, 2013 1 次提交
- G
  Merge pull request #9226 from robertomiranda/fix-bigdecimal-test · c470941a
  由 Guillermo Iguaran 提交于 2月 08, 2013
```
[3.1] Fix test failure for ruby 1.8
```
  c470941a
08 2月, 2013 2 次提交
- R
  
  Fix test failure for ruby 1.8 · 2372a1fb
  由 robertomiranda 提交于 2月 08, 2013
  
  2372a1fb
- G
  Merge pull request #9209 from dylanahsmith/3-1-mysql-quote-numeric · ecfc26dc
  由 Guillermo Iguaran 提交于 2月 07, 2013
```
[3.1] active_record: Quote numeric values compared to string columns.
```
  ecfc26dc
07 2月, 2013 1 次提交
- D
  
  active_record: Quote numeric values compared to string columns. · 26e13c3c
  由 Dylan Smith 提交于 2月 06, 2013
  
  26e13c3c
27 1月, 2013 2 次提交
- K
  
  Fix build. It seems that the Mocha's behavior were changed. · 4ebe1012
  由 kennyj 提交于 4月 25, 2012
  
  4ebe1012
- D
  
  remove the warning when testing whiny_nil · d72c25e5
  由 dmathieu 提交于 5月 30, 2011
  
  d72c25e5
16 1月, 2013 3 次提交

C
Update mocha version to 0.13.0 and change requires · ae6864e9
由 Carlos Antonio da Silva 提交于 11月 12, 2012
```
Conflicts:
	Gemfile
	railties/test/application/route_inspect_test.rb
	railties/test/generators_test.rb
```
ae6864e9
R
Merge pull request #8871 from freerange/3-1-stable-with-mocha-fixes · b0a2c67f
由 Rafael Mendonça França 提交于 1月 16, 2013
```
Fix 3-1-stable to work with Mocha >= v0.13.0
```
b0a2c67f

Fix 3-1-stable to work with Mocha >= v0.13.0 · 0591f6d1

由 James Mead 提交于 8月 26, 2012

A) Update code in ActiveSupport which monkey-patches Test::Unit to
include Mocha bug fix.

A bug was fixed [1] in Mocha's integration with Test::Unit, but this
monkey-patching code was copied before the fix. We need to copy the
fixed version.

The bug meant that an unexpected invocation against a mock within the
teardown method caused a test *error* and not a test *failure*.

B) Fix for Test::Unit/Mocha compatibility.

Mocha is now using a single AssertionCounter which needs a reference to
the testcase as opposed to the result.

This change is an unfortunate consequence of the copying of a chunk of
Mocha's internal code in order to monkey-patch Test::Unit.

C) Avoid a Mocha deprecation warning.

[1]
https://github.com/freerange/mocha/commit/f1ff6475ca2871f2977ab84cabbbfe2adadbbee6#diff-5

0591f6d1

12 1月, 2013 1 次提交
- A
  
  Remove unnecessary caching of ParameterFilter · 8b3109a4
  由 Andrew White 提交于 1月 12, 2013
  
  8b3109a4
11 1月, 2013 2 次提交
- J
  Merge pull request #8889 from dylanahsmith/3-1-parse-non-object-json-params · 18b8f900
  由 Jeremy Kemper 提交于 1月 10, 2013
```
3-1-stable: Fix JSON params parsing regression for non-object JSON content.
```
  18b8f900
- D
  Fix JSON params parsing regression for non-object JSON content. · c669a9c0
  由 Dylan Smith 提交于 1月 09, 2013
```
Backports #8855.
```
  c669a9c0
10 1月, 2013 3 次提交
- C
  
  Update changelogs with release dates and minor improvements [ci skip] · 1b35a852
  由 Carlos Antonio da Silva 提交于 1月 09, 2013
  
  1b35a852
- R
  Merge pull request #8846 from AlexRiedler/revert_5861 · b816e8e7
  由 Rafael Mendonça França 提交于 1月 09, 2013
```
Backport multi_json dependency revert of #5861 to 3-1-stable
```
  b816e8e7
- J
  Merge pull request #5896 from sferik/revert_5861 · 7b9bab6a
  由 Jeremy Kemper 提交于 4月 21, 2012
```
Revert #5861. Feature-detect which MultiJson API to use.
Conflicts:
	activesupport/activesupport.gemspec

This backports multi_json version depedency changes as applied.

Rationale: #5861

Patch by sferik
```
  7b9bab6a