08 Mar 2016, 1 commit

- Committed by Rafael Mendonça França

02 Mar 2016, 1 commit

- Committed by Rafael Mendonça França

01 Mar 2016, 10 commits

- Committed by Arthur Neves
  cc @rafaelfranca [skip ci]
- Committed by Rafael Mendonça França
- Committed by Rafael Mendonça França
- Committed by Jon Moss
  Reverts some of the changes from #23242.
- Committed by Jon Moss
  A backport of #23247 to 4-1-stable.
- Committed by Rafael Mendonça França
- Committed by Aaron Patterson
- Committed by Aaron Patterson
  Fix undefined error for `ActionController::Parameters`
- Committed by Arthur Neves
  If `render(params)` is called in a view it should be protected the same way it is in the controllers. We should raise an error if that happens. Fix CVE-2016-2098.
- Committed by Aaron Patterson
  Previously, calling `render "foo/bar"` in a controller action was equivalent to `render file: "foo/bar"`. This has been changed to mean `render template: "foo/bar"` instead. If you need to render a file, please change your code to use the explicit form (`render file: "foo/bar"`) instead. Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`. Fix CVE-2016-2097.

13 Feb 2016, 1 commit

- Committed by Rafael Mendonça França

02 Feb 2016, 1 commit

- Committed by Aaron Patterson
  Generated engines should call `protect_from_forgery`. If this method isn't called, then the Engine could be susceptible to XSS attacks. Thanks @tomekr for reporting this to us!
  Conflicts:
    railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
    railties/test/generators/plugin_generator_test.rb

29 Jan 2016, 10 commits

- Committed by Rafael França
  Fix custom primary keys when calling `Relation#where`
- Committed by Rick Song
  calling `Relation#where`
- Committed by Jon Moss
  Reverts some of the changes from #23242.
- Committed by Jon Moss
  A backport of #23247 to 4-1-stable.
- Committed by Rafael Mendonça França
- Committed by eileencodes
  This works on OSX but for some reason travis is throwing a

  ```
  1) Error:
  ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
  NoMethodError: undefined method `unlink' for nil:NilClass
  ```

  Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.
- Committed by eileencodes
  Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
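
The CVE-2016-2097 message in the 01 Mar group and the test message above both state the rule (a bare string names a template under the view directory, `file:` is the explicit way to reach anything else, and a name that resolves outside the view directory must be refused) without showing it. The Ruby below is an added example, not code from Rails or from the committers: it resolves template names against an assumed view root and refuses escapes via absolute paths or `..`. `VIEW_ROOT`, `resolve_template` and `render_plan` are names chosen for this illustration; no files are read, only paths are resolved.

```ruby
require "pathname"

# Added example, not Rails' own code. VIEW_ROOT and the method names are
# assumptions for the illustration; only path resolution is modelled.
VIEW_ROOT = Pathname.new("/srv/app/app/views")

# Resolves a template name such as "users/show" under the view root.
# Returns the absolute path, or nil when the name escapes the root
# ("/etc/passwd", "../../../../etc/passwd", "users/../../../../x").
def resolve_template(name, root = VIEW_ROOT)
  # Pathname#+ returns an absolute right-hand side unchanged and folds any
  # leading ".." into the left-hand side; cleanpath folds the remaining ones.
  candidate = (root + name.to_s).cleanpath
  return nil unless candidate.to_s.start_with?(root.to_s + "/")
  candidate.to_s
end

# Turns a render argument into the resolved option the view layer would act on:
# a bare string means `template:`; `file:` is the only way to leave the view root.
# Raises ArgumentError for a template name that resolves outside the view root.
def render_plan(arg, root = VIEW_ROOT)
  options = arg.is_a?(Hash) ? arg : { template: arg }
  if options.key?(:file)
    # Explicit opt-in: `file:` may point anywhere on disk, so callers must
    # never build it from request input.
    { file: File.expand_path(options[:file].to_s, root.to_s) }
  elsif options.key?(:template)
    path = resolve_template(options[:template], root)
    raise ArgumentError, "template #{options[:template].inspect} resolves outside #{root}" unless path
    { template: path }
  else
    raise ArgumentError, "expected :template or :file"
  end
end
```

The containment check compares against `root + "/"` rather than `root` so that a sibling directory such as `/srv/app/app/views_backup` is not accepted as inside the view root; symlinks are not resolved here because the example never touches the filesystem.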
- Committed by Godfrey Chan
- Committed by Godfrey Chan
  This reverts commit 585e7569.
  Conflicts:
    actionview/CHANGELOG.md
    guides/source/4_2_release_notes.md
- Committed by Aaron Patterson
  The cache for `render file:` seems to also be used in the case of `render(string)`. If one is supposed to be a hit and the other is supposed to be a miss, and they both reference the same file, then the cache could return incorrect values. This commit clears the cache between runs so that we get non-cached behavior.

28 Jan 2016, 1 commit

- Committed by Rafael França
  Fix img alt attribute generation when using Sprockets >= 3.0

27 Jan 2016, 2 commits

- Committed by Aaron Patterson
- Committed by Aaron Patterson
  Fix undefined error for `ActionController::Parameters`

26 Jan 2016, 2 commits

- Committed by Aaron Patterson
  * 4-1-sec:
    bumping version
    Remove unnecessary caching
    Eliminate instance level writers for class accessors
    allow :file to be outside rails root, but anything else must be inside the rails view directory
    Don't short-circuit reject_if proc
    stop caching mime types globally
    use secure string comparisons for basic auth username / password
- Committed by Aaron Patterson

23 Jan 2016, 6 commits

- Committed by eileencodes
  `ActiveSupport::Dependencies.constantize(const_name)` calls `Reference.new` which is defined as `ActiveSupport::Dependencies.constantize(const_name)` meaning this call is already cached and we're doing caching that isn't necessary.
  Conflicts:
    actionpack/lib/action_dispatch/routing/route_set.rb
  CVE-2015-7581
- Committed by Aaron Patterson
  Instance level writers can have an impact on how the Active Model / Record objects are saved. Specifically, they can be used to bypass validations. This is a problem if mass assignment protection is disabled and specific attributes are passed to the constructor.
  Conflicts:
    activerecord/lib/active_record/scoping/default.rb
    activesupport/lib/active_support/callbacks.rb
  CVE-2016-0753
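
The message above names the mechanism (an instance-level writer for a class-level setting, reachable through unprotected mass assignment) but not the shape of the bypass. The plain-Ruby model below is an added example, not Rails' or the committer's code: `Model` stands in for an Active Model class whose validators are configured on the class, `VulnerableModel` additionally exposes `validators=` on each instance, which is what a `class_attribute` declared without `instance_writer: false` used to do, and `HardenedModel` does not. The constructor assigns every key it is given, i.e. mass assignment protection is off. Class, method and constant names are assumptions for the illustration.

```ruby
# Added example, not Rails' own code. Class and method names are assumptions.
class Model
  class << self
    attr_writer :validators
    def validators
      @validators ||= []
    end
  end

  attr_accessor :name

  def initialize(attrs = {})
    # Unprotected mass assignment: each key becomes a writer call. An unknown
    # key raises NoMethodError here (Active Model raises UnknownAttributeError
    # at the same point).
    attrs.each { |key, value| public_send("#{key}=", value) }
  end

  # Validators are looked up on the class; instances hold no copy.
  def validators
    self.class.validators
  end

  def valid?
    validators.all? { |check| check.call(self) }
  end
end

# Instance-level writer present: a request can replace the validator list
# on the object being built.
class VulnerableModel < Model
  attr_writer :validators

  def validators
    defined?(@validators) ? @validators : super
  end
end

# No instance-level writer: the class-level setting cannot be touched per object.
class HardenedModel < Model; end

NAME_PRESENT = ->(model) { !model.name.to_s.strip.empty? }
VulnerableModel.validators = [NAME_PRESENT]
HardenedModel.validators = [NAME_PRESENT]

# Attacker-controlled parameters (constructed for the example): a blank name
# that must fail validation, plus a "validators" key aimed at the writer.
# Returns the validity the model reports, or :rejected when the key is refused.
def smuggle_past_validation(klass)
  klass.new("name" => "", "validators" => []).valid?
rescue NoMethodError
  :rejected
end

# The ordinary path, for comparison.
def honest_check(klass, name)
  klass.new("name" => name).valid?
end
```

Against `VulnerableModel` the blank record reports itself valid because its validator list was emptied before `valid?` ran; against `HardenedModel` the same parameters are refused. In a real application the second line of defence is strong parameters or the attribute whitelist, which is why the message conditions the problem on mass assignment protection being disabled.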
- Committed by Aaron Patterson
  Conflicts:
    actionpack/test/controller/render_test.rb
    actionview/lib/action_view/template/resolver.rb
  CVE-2016-0752
- Committed by Andrew White
  When updating an associated record via nested attribute hashes the reject_if proc could be bypassed if the _destroy flag was set in the attribute hash and allow_destroy was set to false. The fix is to only short-circuit if the _destroy flag is set and the option allow_destroy is set to true. It also fixes an issue where a new record wasn't created if _destroy was set and the option allow_destroy was set to false. CVE-2015-7577
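
The CVE-2015-7577 message above states the corrected short-circuit rule. The Ruby below is an added example, not Rails' own `accepts_nested_attributes_for` code: it encodes the decision made for each nested attribute hash, with the pre-fix behaviour selectable through `fixed: false`, so the bypass and the fix can be compared on the same input. The boolean cast, the option names, the outcome symbols and the sample attacker hash are assumptions constructed for the illustration.

```ruby
# Added example, not Rails' own code. Names and the boolean cast are assumptions.
DESTROY_TRUE = [true, 1, "1", "true"].freeze

# A reject_if proc as an application might write it: drop hashes with no name.
REJECT_BLANK_NAME = ->(attrs) { attrs["name"].to_s.strip.empty? }

# Constructed attacker input: a hash reject_if should drop, carrying _destroy
# in the hope of skipping reject_if while allow_destroy is false.
ATTACKER_HASH = { "name" => "", "_destroy" => "1" }.freeze

def destroy_flag?(attrs)
  DESTROY_TRUE.include?(attrs["_destroy"])
end

# Returns :destroy, :reject or :assign for one nested hash.
def nested_outcome(attrs, reject_if:, allow_destroy:, fixed: true)
  flagged = destroy_flag?(attrs)
  # A record that will really be destroyed never needs reject_if.
  return :destroy if allow_destroy && flagged
  # Pre-fix behaviour: the flag alone skipped reject_if, so with allow_destroy
  # false the hash was neither destroyed nor rejected but assigned.
  skip_reject_if = !fixed && flagged
  return :reject if !skip_reject_if && reject_if.call(attrs)
  :assign
end

# Applies the decision to a whole "<association>_attributes" collection
# keyed by index, returning the outcome per key.
def plan_nested_updates(collection, reject_if:, allow_destroy:, fixed: true)
  collection.transform_values do |attrs|
    nested_outcome(attrs, reject_if: reject_if, allow_destroy: allow_destroy, fixed: fixed)
  end
end
```

With `allow_destroy: false` the attacker hash is rejected under the corrected rule and assigned under the old one; with `allow_destroy: true` it is destroyed in both, which is the only case where skipping reject_if is safe.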
- Committed by Aaron Patterson
  Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751
- Committed by Aaron Patterson
  this will avoid timing attacks against applications that use basic auth.
  Conflicts:
    activesupport/lib/active_support/security_utils.rb
  CVE-2015-7576
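
The CVE-2015-7576 message above says what the change prevents, not how. The Ruby below is an added example, not ActiveSupport's code: it places the comparison being replaced (`String#==`, which returns at the first differing byte) beside a fixed-time comparison, and builds a Basic auth check on the latter that compares both username and password and does not return early on a wrong username. Method names and the sample credentials are assumptions for the illustration.

```ruby
require "digest"

# Added example, not ActiveSupport's own code. Names are assumptions.

# The comparison the fix replaces: the time taken depends on how many
# leading bytes match, which is what a timing attack measures.
def naive_equal?(a, b)
  a == b
end

# Fixed-time comparison of two strings of equal length: every byte is XORed
# and OR-ed into an accumulator, so the work done does not depend on where
# the first mismatch is. The early return leaks only the length.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc.zero?
end

# Hashing both sides first makes the compared values fixed-size, so not even
# the length of the secret is observable.
def secure_compare_hashed(a, b)
  secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

# Checks an Authorization header against the expected credentials. Both
# fields are always compared and combined with a non-short-circuiting `&`,
# so a wrong username costs the same as a wrong password.
def basic_auth_ok?(header, expected_user, expected_pass)
  scheme, encoded = header.to_s.split(" ", 2)
  return false unless scheme == "Basic" && encoded
  user, pass = encoded.unpack1("m").split(":", 2)
  user_ok = secure_compare_hashed(user.to_s, expected_user)
  pass_ok = secure_compare_hashed(pass.to_s, expected_pass)
  user_ok & pass_ok
end
```

In an application the comparison to call is `ActiveSupport::SecurityUtils.secure_compare` (the file named in the conflict above) rather than a local copy; recent versions of Ruby's openssl gem also provide `OpenSSL.fixed_length_secure_compare`.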

16 Jan 2016, 1 commit

- Committed by Rafael França
  4.1 Backport of LoggerSilence#silence Threadsafety patch (see: PR #20507)

08 Jan 2016, 1 commit

- Committed by Carl P. Corliss
  - Uses Logger instance defined level if no custom local log level defined
  - Keeps track of local log level per logger instance + thread id
  - Prevents memory leakage by removing local level hash key/value on #silence method exit
  - Test case for threadsafety issue added (and passes with these changes), based on @rdubya's tests
  - Fixes #20490 and supersedes https://github.com/rails/rails/pull/16885

26 Dec 2015, 3 commits

- Committed by Robin Dupret
  When we are rescuing from an error, it's a brittle approach to do checks with regular expressions on the raised message because it may change in the future and error messages are different across implementations. The NameError API could be improved at the MRI level but for now we need to rely on its #name. A #== check will only pass for top level constants or only when the last constant of the path is missing so we need to rely on #include? instead. For instance:

  ```ruby
  begin
    Namespace::Foo
  rescue NameError => e
    e.name # => :Namespace
  end
  ```

  However, if the name-space already exists, only the name of the first missing constant in the path is returned (e.g. for Math::PHI, the name would be :PHI). JRuby will return a fully qualified name (:"Math::PHI"). We need to keep the == check for 1.9 compatibility since const_get will raise a NameError with a name attribute set to the given string if it's one of "::" or "". See http://git.io/jnSN7g for further information.
- Committed by Arthur Neves
- Committed by Rafael Mendonça França