Commits

Michael Koziarski
Change the CSRF whitelisting to only apply to GET requests

Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.

To ease the work required to include the CSRF token in ajax requests, rails now supports providing the token in a custom http header:

X-CSRF-Token: ...

This fixes CVE-2011-0447
Gabe da Silveira
Make sure strip_tags removes tags which start with a non-printable character

Signed-off-by: Michael Koziarski <michael@koziarski.com>
Jeremy Kemper
Ruby 1.9: fix Time#beginning_of_day inaccuracy due to subtracting a Float
Jeremy Kemper
Ruby 1.9 compat: no . in load path
Jeremy Kemper
Silence warning for Encoding.default_external=
Jeremy Kemper
Use Encoding.default_external, not _internal
Michael Koziarski
Dup the arguments to string compare so we can use force_encoding.
Beau Harrington
Remove redundant checks for valid character regexp in ActiveSupport::Multibyte#clean and #verify.

[#3181 state:committed]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Michael Koziarski
1.9 compatible secure_compare
Michael Koziarski
Revert "Ruby 1.9: fix MessageVerifier#secure_compare"

This reverts commit 91f65b714b7018a74402ee02a000b19a090ad556.

MessageVerifier was never in 2.2
Jeremy Kemper
Ruby 1.9: fix MessageVerifier#secure_compare
Jeremy Kemper
Fix AS test breakage
rick
Prepare for Rails 2.2.3 release.
Michael Koziarski
Clean tag attributes before passing through the escape_once logic. Addresses CVE-2009-3009
Michael Koziarski
Add verify and clean methods to ActiveSupport::Multibyte.

When accepting character input from outside of your application you can't blindly trust that all strings are properly encoded. With these methods you can check incoming strings and clean them up if necessary.

Signed-off-by: Michael Koziarski <michael@koziarski.com>

Conflicts: activesupport/lib/active_support/multibyte/chars.rb
Michael Koziarski
Fix timing attack vulnerability in the Cookie Store

Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
Pratik Naik
Ensure JoinAssociation uses aliased table name when multiple associations have hash conditions on the same table
Frederick Cheung
Don't use the transaction instance method so that people with has_one/belongs_to :transaction aren't fubared

[#1551 state:committed]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Jeremy Kemper
Don't duplicate :order from scope and options, it makes mysql do extra work
Sam Granieri
Ruby 1.9 compat: silence a warning about regexp languages

[#2050 state:committed]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
rick
Merge branch '2-2-stable' of git@github.com:rails/rails into 2-2-stable
Diego Algorta
Fixed bug that makes named_scopes _forget_ current scope

Signed-off-by: rick <technoweenie@gmail.com>

[#1960 #1677 state:resolved]
Andrew White
Remove hardcoded number_of_captures in ControllerSegment to allow regexp requirements with capturing parentheses
Andrew White
Fix requirements regexp for path segments

Signed-off-by: Michael Koziarski <michael@koziarski.com>
Jeremy Kemper
Update changelog for URI.unescape fix [#2033 state:committed]
Jeremy Kemper
Broaden URI.unescape fix to all affected 1.9.x by checking for broken behavior instead of specific patchlevel
moro
fix test data, should specify encoding to use multibyte chars on Ruby 1.9

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Jeremy Kemper
URI.unescape fix removes the old unescape method
moro
Ruby 1.9.1p0's URI.decode() bug fix backport to fix Ruby 1.9.1p0 bug on [ruby-dev:38005].

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Bruno Duyé
Make atomic_write() put the check_file in the cache dir, not in application root

[#1962 state:resolved]

Signed-off-by: Joshua Peek <josh@joshpeek.com>