mirror / rails

Commits

Author Commit Message Date Builds
tenderlove
bumping version
Tags: v3.0.19
Jeremy Kemper
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
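The fix above disables two XML "type" attributes that the parameter parser used to honour. The following is an added illustration, not Rails' own Hash.from_xml or the patch itself: a minimal XML-to-params converter in plain Ruby (REXML from the standard library) that casts only a whitelist of types and keeps anything else, including type="symbol" and type="yaml", as an inert string. The element names, the constructed request body and the helper names are all invented for the example.

```ruby
# Added example, not Rails code: a whitelist-based typecaster for XML params.
# Deserializing type="yaml" hands attacker text to YAML.load (arbitrary object
# instantiation); type="symbol" interns attacker strings. Neither is allowed.
require "rexml/document"

# Only these "type" attributes are honoured. Anything else is a literal string.
SAFE_TYPES = %w[string integer float boolean].freeze

# Casts one element's text according to its "type" attribute.
# Unknown types are recorded in +rejected+ and the raw text is returned.
def cast_xml_value(text, type, rejected)
  unless type.nil? || SAFE_TYPES.include?(type)
    rejected << type          # e.g. "yaml", "symbol": never deserialized
    return text               # kept as the literal string instead
  end
  case type
  when nil, "string" then text
  when "integer"     then Integer(text, 10)
  when "float"       then Float(text)
  when "boolean"     then %w[true 1].include?(text.strip)
  end
end

# Turns <root><child type="...">text</child>...</root> into a params hash.
# Returns [params, rejected_types] so a caller can log or refuse the request.
def xml_to_params(xml)
  rejected = []
  doc = REXML::Document.new(xml)
  params = {}
  doc.root.elements.each do |el|
    params[el.name] = cast_xml_value(el.text.to_s, el.attributes["type"], rejected)
  end
  [params, rejected]
end

# Constructed attacker input: a symbol (unbounded interning) and a YAML
# document that would instantiate an arbitrary object if passed to YAML.load.
MALICIOUS_XML = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <role type="symbol">admin</role>
    <profile type="yaml">--- !ruby/object:OpenStruct
    table: {}
    </profile>
  </user>
XML

if __FILE__ == $PROGRAM_NAME
  params, rejected = xml_to_params(MALICIOUS_XML)
  puts "params:   #{params.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

A whitelist is the right shape for this check: a denylist of "yaml" and "symbol" would leave any other deserializing type the parser grows later enabled by default.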
tenderlove
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
  * dealing with empty hashes. Thanks Damien Mathieu
  Conflicts:
    actionpack/CHANGELOG.md
    activerecord/CHANGELOG.md
  Conflicts:
    actionpack/CHANGELOG.md
    activerecord/CHANGELOG.md
    activerecord/lib/active_record/relation/predicate_builder.rb
tenderlove
bumping to 3.0.18
Tags: v3.0.18
tenderlove
CVE-2012-5664 options hashes should only be extracted if there are extra parameters
tenderlove
updating changelogs
Rafael Mendonça França
Remove warning when using html_escape with Ruby 1.9. Closes #7430
Santiago Pastorino
Merge pull request #7308 from amerine/3-0-stable Add html_escape note to CHANGELOG
Mark Turner
Add html_escape note to CHANGELOG
Santiago Pastorino
Bump to 3.0.17
Tags: v3.0.17
Santiago Pastorino
Add CHANGELOG entries
Santiago Pastorino
Do not mark strip_tags result as html_safe Thanks to Marek Labos & Nethemba CVE-2012-3465
Santiago Pastorino
escape select_tag :prompt values CVE-2012-3463
Rafael Mendonça França
Fix tests about single quote escaping
Santiago Pastorino
html_escape should escape single quotes
  https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
  Closes #7215
  Conflicts:
    actionpack/test/controller/new_base/render_template_test.rb
    actionpack/test/template/asset_tag_helper_test.rb
    actionpack/test/template/erb_util_test.rb
    actionpack/test/template/javascript_helper_test.rb
    …
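Why the single quote matters is easiest to see with a single-quoted attribute. The block below is an added example, not ERB::Util or the commit's code: two escapers in plain Ruby, one covering only `& < > "` and one that also escapes `'`, applied to the same hand-written template. The template, the payload and the helper names are constructed for the demonstration; the `&#39;` entity is this example's choice, not a claim about what Rails emits.

```ruby
# Added example, not Rails code: the four-character escaper beside one that
# also covers the single quote (OWASP XSS prevention cheat sheet, rule #1).
OLD_HTML_ESCAPE = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze
NEW_HTML_ESCAPE = OLD_HTML_ESCAPE.merge("'" => "&#39;").freeze

# Escaper that leaves the single quote alone.
def html_escape_old(s)
  s.to_s.gsub(/[&<>"]/, OLD_HTML_ESCAPE)
end

# Escaper that also neutralises the single quote.
def html_escape_new(s)
  s.to_s.gsub(/[&<>"']/, NEW_HTML_ESCAPE)
end

# A view fragment that puts untrusted data into a single-quoted attribute, as
# many hand-written templates did. +escaper+ is a Method object.
def render_link(title, escaper)
  "<a title='#{escaper.call(title)}' href='/'>link</a>"
end

# Constructed attacker input: closes the title attribute and adds an event
# handler without using any of & < > ".
PAYLOAD = "x' onmouseover='alert(1)"

# Lists the attribute names the rendered tag actually exposes (crude scan,
# sufficient here): a third attribute means the payload broke out.
def attribute_names(html)
  html.scan(/\s([a-z]+)='/).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts render_link(PAYLOAD, method(:html_escape_old))   # onmouseover is live
  puts render_link(PAYLOAD, method(:html_escape_new))   # stays inside title
end
```

The check to keep in mind when reviewing templates: escaping is only sufficient if it covers every character that can terminate the context the data lands in, and a single-quoted attribute has `'` as that character.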
Andrew White
Backport of fix from #5173 - fixes #7252
  Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT datatypes, Active Record migrations use TEXT(n) where n is the limit specified by the developer. Unfortunately how MySQL interprets n depends on the column's encoding so any limit above 5592405 will be interpreted as a LONGTEXT when the encoding is UTF-8. This commit fixes this by interpreting the limit within the adapter and us…
tenderlove
bumping to 3.0.16
Tags: v3.0.16
tenderlove
updating release date
tenderlove
updating changelog with CVE
tenderlove
* Do not convert digest auth strings to symbols. CVE-2012-3424
tenderlove
updating changelogs
tenderlove
3.0.15
Tags: v3.0.15
tenderlove
we haven't monkey patched the Result class, so use each
tenderlove
updating changelogs
Tags: v3.0.14
tenderlove
bumping to 3.0.14
tenderlove
updating changelogs with security fixes
tenderlove
bumping versions in the CHANGELOG
tenderlove
Merge branch '3-0-stable-sec' into 3-0-stable-rel
  * 3-0-stable-sec:
    Array parameters should not contain nil values.
    Additional fix for CVE-2012-2661
kennyj
Fix GH #3163. Should quote database on mysql/mysql2.
  Conflicts:
    activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
  Conflicts:
    activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
    activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
  Conflicts:
    activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
    activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
    activerecord/test/ca…
tenderlove
Array parameters should not contain nil values.
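Both the "Array parameters should not contain nil values" commit here and the later "Strip nils from collections on JSON and XML posts" (CVE-2013-0155) entry address the same problem: a nil that survives request parsing can reach a query builder that renders it as IS NULL. The block below is an added example, not ActiveRecord's predicate builder or the patches themselves: a toy predicate builder in plain Ruby that mimics the nil / array / scalar cases, a recursive nil-stripper of the kind the fix applies at the parser, and a constructed JSON body (the XML case is analogous). Column name, helper names and the request bodies are invented for the example.

```ruby
# Added example, not Rails code: why nils inside parameter arrays matter and
# what stripping them at the parser changes.
require "json"

# Toy predicate builder modelled on how a where(column: value) call might turn
# a value into SQL. Constructed for illustration; quoting is the minimum needed.
def predicate(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    return "1=0" if value.empty?              # an empty IN list matches nothing
    non_nil = value.compact.map { |v| "'#{v.to_s.gsub("'", "''")}'" }
    in_clause   = non_nil.empty? ? nil : "#{column} IN (#{non_nil.join(', ')})"
    null_clause = value.include?(nil) ? "#{column} IS NULL" : nil
    [in_clause, null_clause].compact.join(" OR ")
  else
    "#{column} = '#{value.to_s.gsub("'", "''")}'"
  end
end

# Recursively removes nil from every array in a parsed request body.
# Arrays that were entirely nil become empty arrays, not nil, so they can
# never turn back into an IS NULL predicate downstream.
def strip_nils(obj)
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), h| h[k] = strip_nils(v) }
  when Array then obj.compact.map { |v| strip_nils(v) }
  else obj
  end
end

# Constructed request bodies. The attacker never knows a real token; sending
# [null] is an attempt to match rows whose token column IS NULL.
HONEST_JSON = '{"token":"a1b2c3"}'
ATTACK_JSON = '{"token":[null]}'

# Parses the body and builds the lookup predicate, with or without the strip.
def token_predicate(body, sanitize:)
  params = JSON.parse(body)
  params = strip_nils(params) if sanitize
  predicate("token", params["token"])
end

if __FILE__ == $PROGRAM_NAME
  puts token_predicate(HONEST_JSON, sanitize: true)
  puts token_predicate(ATTACK_JSON, sanitize: false)   # token IS NULL
  puts token_predicate(ATTACK_JSON, sanitize: true)    # 1=0
end
```

One caveat for anyone applying the same idea: the strip must leave an all-nil array as an empty array. Collapsing `[nil]` to `nil` for convenience would hand the query builder exactly the value the strip was meant to remove.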