- 15 Sep 2016, 3 commits
  - Committed by Aaron Patterson
  - Committed by Rafael França
    [WIP] Fix tests for 3-2-stable
  - Committed by Johnny Shields
    - Set sudo: false in .travis.yml which uses latest travis engine and fixes some failing specs
    - Use older version of gems in Gemfile if RUBY_VERSION < '1.9.3' (no change to .gemspec)
    - Fix two cases of hash rockets in tests (required for Ruby 1.8.7)
    - Skip failing test "test_ensure_that_migration_tasks_work_with_mountable_option" which breaks due to Bundler no longer accepting the default generated .gemspec format.
    - Skip railties specs on Ruby 1.8.7 (mark as an allowed failure.)
- 22 Aug 2016, 1 commit
  - Committed by Xavier Noria
- 12 Aug 2016, 6 commits
  - Committed by Rafael França
    Remove dead code and ensure values are strings before calling gsub
  - Committed by Mike Virata-Stone
  - Committed by Aaron Patterson
    * 3-2-22-3:
      bumping version
      Include missing module in tag_helper
  - Committed by Aaron Patterson
  - Committed by Carlos Antonio da Silva
    Since 68574151 we are using #safe_join to join the content when an Array is given, so we must include the dependent module here to make sure it's available when this module is used alone. This was making Simple Form tests fail with current master due to the missing dependency.
  - Committed by Aaron Patterson
    * 3-2-22-3:
      bumping version
      ensure tag/content_tag escapes " in attribute vals
- 11 Aug 2016, 2 commits
  - Committed by Aaron Patterson
  - Committed by Andrew Carpenter
    Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))` CVE-2016-6316
- 21 May 2016, 1 commit
  - Committed by Rafael França
    Associations do not call `.to_proc` on Hash
- 17 May 2016, 1 commit
  - Committed by Tyler Distad
    Fixes #25010
- 15 Mar 2016, 1 commit
  - Committed by Arthur Neves
    [skip ci]
- 09 Mar 2016, 1 commit
  - Committed by Rafael Mendonça França
- 02 Mar 2016, 2 commits
  - Committed by Arthur Neves
  - Committed by Arthur Neves
- 01 Mar 2016, 4 commits
  - Committed by Rafael Mendonça França
  - Committed by Rafael Mendonça França
  - Committed by Arthur Neves
    `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters. CVE-2016-2098
  - Committed by Arthur Neves
    Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However, the tests were misplaced outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed. CVE-2016-2097
- 02 Feb 2016, 1 commit
  - Committed by Aaron Patterson
    Generated engines should call `protect_from_forgery`. If this method isn't called, then the Engine could be susceptible to XSS attacks. Thanks @tomekr for reporting this to us!
    Conflicts:
      railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
      railties/test/generators/plugin_generator_test.rb
- 29 Jan 2016, 3 commits
  - Committed by eileencodes
    This works on OSX but for some reason travis is throwing a

    ```
    1) Error:
    ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
    NoMethodError: undefined method `unlink' for nil:NilClass
    ```

    Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.
  - Committed by eileencodes
    Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
  - Committed by eileencodes
    Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
- 26 Jan 2016, 7 commits
  - Committed by Andrew White
    Due to a change in test-unit 3.1.6 that supports yielding from setup to run a test, lock 3-2-stable to 3.0.x releases of test-unit to fix the build.
  - Committed by Andrew White
  - Committed by Aaron Patterson
    Fix 3-2-stable 1.8 compatibility.
  - Committed by Josef Šimánek
    Use Ruby 1.8 compat syntax in test of security fix in activerecord/test/cases/nested_attributes_test.rb.
  - Committed by Josef Šimánek
    closes GH-23248
  - Committed by Aaron Patterson
    * 3-2-sec:
      bumping version
      allow :file to be outside rails root, but anything else must be inside the rails view directory
      Don't short-circuit reject_if proc
      stop caching mime types globally
      use secure string comparisons for basic auth username / password
  - Committed by Aaron Patterson
- 23 Jan 2016, 4 commits
  - Committed by Aaron Patterson
    Conflicts:
      actionpack/test/controller/render_test.rb
      actionview/lib/action_view/template/resolver.rb
    CVE-2016-0752
  - Committed by Andrew White
    When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false. CVE-2015-7577
  - Committed by Aaron Patterson
    Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751
  - Committed by Aaron Patterson
    This will avoid timing attacks against applications that use basic auth.
    Conflicts:
      activesupport/lib/active_support/security_utils.rb
    Conflicts:
      actionpack/lib/action_controller/metal/http_authentication.rb
    CVE-2015-7576
- 16 Jan 2016, 3 commits
  - Committed by Arthur Neves
  - Committed by Arthur Neves
  - Committed by Arthur Neves
    mysql 0.3.x is forced here
      activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb