提交 · v5.2.4.4 · 张重言 / rails

10 9月, 2020 2 次提交

G

v5.2.4.4 · 404ad9e8
由 George Claghorn 提交于 9月 09, 2020

404ad9e8

Fix XSS vulnerability in `translate` helper · aaa7ab13

由 Jonathan Hefner 提交于 9月 08, 2020

Prior to this commit, when a translation key indicated that the
translation text was HTML, the value returned by `I18n.translate` would
always be marked as `html_safe`.  However, the value returned by
`I18n.translate` could be an untrusted value directly from
`options[:default]`.

This commit ensures values directly from `options[:default]` are not
marked as `html_safe`.

aaa7ab13

18 5月, 2020 3 次提交
- A
  
  Preparing for 5.2.4.3 release · 7b5cc5a5
  由 Aaron Patterson 提交于 5月 18, 2020
  
  7b5cc5a5
- A
  
  updating changelog · 559cce2e
  由 Aaron Patterson 提交于 5月 18, 2020
  
  559cce2e
- A
  
  bumping version · 3c806b98
  由 Aaron Patterson 提交于 5月 18, 2020
  
  3c806b98
16 5月, 2020 6 次提交
- A
  
  update changelog · 9cb66f6d
  由 Aaron Patterson 提交于 5月 15, 2020
  
  9cb66f6d
- J
  Check that request is same-origin prior to including CSRF token in XHRs · fbc7bec0
  由 Jack McCracken 提交于 5月 06, 2020
```
[CVE-2020-8167]
```
  fbc7bec0
- J
  HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token · d124f192
  由 Jack McCracken 提交于 5月 13, 2020
```
[CVE-2020-8166]
```
  d124f192
- D
  activesupport: Deprecate Marshal.load on raw cache read in RedisCacheStore · 467e3399
  由 Dylan Thacker-Smith 提交于 9月 22, 2018
```
The same value for the `raw` option should be provided for both reading and
writing to avoid Marshal.load being called on untrusted data.

[CVE-2020-8165]
```
  467e3399
- D
  activesupport: Avoid Marshal.load on raw cache value in MemCacheStore · f7e077f8
  由 Dylan Thacker-Smith 提交于 9月 22, 2018
```
Dalli is already being used for marshalling, so we should also rely
on it for unmarshalling. Since Dalli tags the cache value as marshalled
it can avoid unmarshalling a raw string which might have come from
an untrusted source.

[CVE-2020-8165]
```
  f7e077f8
- J
  Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash · 7a3ee4fe
  由 Jack McCracken 提交于 5月 13, 2020
```
[CVE-2020-8164]
```
  7a3ee4fe
15 5月, 2020 1 次提交
- T
  Include Content-Length in signature for ActiveStorage direct upload · e8df5648
  由 Travis Pew 提交于 5月 14, 2020
```
[CVE-2020-8162]
```
  e8df5648
20 3月, 2020 2 次提交
- A
  
  update version · 4dcc5435
  由 Aaron Patterson 提交于 3月 19, 2020
  
  4dcc5435
- A
  Fix possible XSS vector in JS escape helper · b5aeef57
  由 Aaron Patterson 提交于 3月 12, 2020
```
This commit escapes dollar signs and backticks to prevent JS XSS issues
when using the `j` or `javascript_escape` helper

CVE-2020-5267
```
  b5aeef57
19 12月, 2019 2 次提交
- R
  
  Preparing for 5.2.4.1 release · ac30e389
  由 Rafael Mendonça França 提交于 12月 18, 2019
  
  ac30e389
- R
  Fix possible information leak / session hijacking vulnerability. · 2a52a38c
  由 Rafael Mendonça França 提交于 12月 17, 2019
```
The `ActionDispatch::Session::MemcacheStore` is still vulnerable
given it requires the gem dalli to be updated as well.

CVE-2019-16782
```
  2a52a38c
27 11月, 2019 1 次提交
- R
  
  Preparing for 5.2.4 release · 8bec77cc
  由 Rafael Mendonça França 提交于 11月 27, 2019
  
  8bec77cc
23 11月, 2019 12 次提交
- R
  
  Preparing for 5.2.4.rc1 release · 9e2a3412
  由 Rafael Mendonça França 提交于 11月 22, 2019
  
  9e2a3412
- R
  
  Work with old versions of sidekiq · c192bc30
  由 Rafael Mendonça França 提交于 11月 22, 2019
  
  c192bc30
- R
  
  Support Ruby 2.2 · 21cdceb7
  由 Rafael Mendonça França 提交于 11月 22, 2019
  
  21cdceb7
- R
  
  Make the tests pass in versions of ruby that don't support sprockets 4 · 0e54ed1f
  由 Rafael Mendonça França 提交于 11月 22, 2019
  
  0e54ed1f
- J
  
  Use rails() instead of system() · c11581e3
  由 John Hawthorn 提交于 11月 14, 2019
  
  c11581e3
- J
  
  Sprockets uses debug. not self. now · 606cd4f8
  由 John Hawthorn 提交于 10月 09, 2019
  
  606cd4f8
- J
  Link .js from manifest.js in assets_test · f3993f9d
  由 John Hawthorn 提交于 10月 09, 2019
```
We no longer link JS by default, we need to modify manifest.js for that
now.
```
  f3993f9d
- J
  
  Remove a javascript from test · c2abbce9
  由 John Hawthorn 提交于 10月 09, 2019
  
  c2abbce9
- J
  Use a stylesheet instead of a javascript in test · aeadae2a
  由 John Hawthorn 提交于 10月 09, 2019
```
We no longer link all js by default, so we should do this test with a
css instead (we don't care about that specifics of the dir just that its
in the manifest and in this dir).
```
  aeadae2a
- J
  
  Maybe we understand index.js better now? · 0a746967
  由 John Hawthorn 提交于 10月 09, 2019
  
  0a746967
- J
  
  Add a few more assertions · 1b37b736
  由 John Hawthorn 提交于 10月 09, 2019
  
  1b37b736
- J
  
  Fix Sprockets::DoubleLinkError in test · b40705fa
  由 John Hawthorn 提交于 10月 09, 2019
  
  b40705fa
20 11月, 2019 11 次提交
- R
  Merge pull request #37101 from eugeneius/active_job_sidekiq_integration_tests · 10c99d98
  由 Ryuta Kamizono 提交于 9月 02, 2019
```
Fix Active Job Sidekiq integration tests
```
  10c99d98
- R
  Merge pull request #37747 from bradleyprice/check-association-loaded-across-collection-on-preload · 1c070a5e
  由 Ryuta Kamizono 提交于 11月 20, 2019
```
Check that entire collection has been loaded before short circuiting
```
  1c070a5e
- R
  Merge pull request #36526 from yahonda/test_statement_cache_with_in_clause_pg · 4074c06c
  由 Ryuta Kamizono 提交于 6月 21, 2019
```
Address test_statement_cache_with_in_clause failure
```
  4074c06c
- R
  
  Fix random CI failure due to non-deterministic sorting order · fde44014
  由 Ryuta Kamizono 提交于 10月 10, 2019
  
  fde44014
- R
  Fix "NameError: undefined local variable or method `primary' for... · b9c5c1e2
  由 Ryuta Kamizono 提交于 11月 20, 2019
```
Fix "NameError: undefined local variable or method `primary' for #<ApplicationTests::ServerTest:0x000055df43b391d8>"
```
  b9c5c1e2
- R
  Merge pull request #37489 from... · 94b68877
  由 Ryuta Kamizono 提交于 10月 17, 2019
```
Merge pull request #37489 from giraffate/fix_random_ci_failure_due_to_non-deterministic_sorting_order

Fix random CI failure due to non-deterministic sorting order
```
  94b68877
- R
  Fix random CI failure due to non-deterministic sorting order · 3fff87dd
  由 Ryuta Kamizono 提交于 2月 10, 2019
```
https://travis-ci.org/rails/rails/jobs/491045821#L1528-L1531
```
  3fff87dd
- R
  Merge pull request #36378 from yahonda/test_pluck_columns_with_same_name · bef8abaf
  由 Ryuta Kamizono 提交于 6月 02, 2019
```
Address occasional test_pluck_columns_with_same_name failure
```
  bef8abaf
- R
  Fix random CI failure due to non-deterministic sorting order · e06b6571
  由 Ryuta Kamizono 提交于 10月 11, 2019
```
https://buildkite.com/rails/rails/builds/64281#b6f8859b-ee39-40d7-8f0a-d0ba78efbf03/1001-1012
```
  e06b6571
- R
  Address CI failure due to non-deterministic query result · 53fc206d
  由 Ryuta Kamizono 提交于 5月 06, 2018
```
https://travis-ci.org/rails/rails/jobs/375326992#L1160-L1166
```
  53fc206d
- R
  Merge pull request #36675 from kamipo/fix_activestorage_failure · f8202549
  由 Ryuta Kamizono 提交于 7月 14, 2019
```
Fix activestorage CI failure due to ffprove version differece
```
  f8202549