Since bundler 1.12.0, the gemspec is validated so the `bundle install`
command will fail just after the gem is created causing confusion to the
users. This change was a bug fix to correctly validate gemspecs.
In the latest security releases render with a trailing slash no more call
render :file.
Also add a note about the security implications of using it with user
parameters.
If `render(params)` is called in a view it should be protected the same
way it is in the controllers. We should raise an error if thats happens.
Fix CVE-2016-2098.
Previously, calling `render "foo/bar"` in a controller action is
equivalent to `render file: "foo/bar"`. This has been changed to
mean `render template: "foo/bar"` instead. If you need to render a
file, please change your code to use the explicit form
(`render file: "foo/bar"`) instead.
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
Fix CVE-2016-2097.
Generated engines should call `protect_from_forgery`. If this method
isn't called, then the Engine could be susceptible to XSS attacks.
Thanks @tomekr for reporting this to us!
Conflicts:
railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
railties/test/generators/plugin_generator_test.rb
This works on OSX but for some reason travis is throwing a
```
1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
The cache for `render file:` seems to also be used in the case of
`render(string)`. If one is supposed to be a hit and the other is
supposed to be a miss, and they both reference the same file, then the
cache could return incorrect values. This commit clears the cache
between runs so that we get non-cached behavior.
* 4-1-sec:
bumping version
Remove unnecessary caching
Eliminate instance level writers for class accessors
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
`ActiveSupport::Dependencies.constantize(const_name)` calls
`Reference.new` which is defined as
`ActiveSupport::Dependencies.constantize(const_name)` meaning this call
is already cached and we're doing caching that isn't necessary.
Conflicts:
actionpack/lib/action_dispatch/routing/route_set.rb
Conflicts:
actionpack/lib/action_dispatch/routing/route_set.rb
CVE-2015-7581
Instance level writers can have an impact on how the Active Model /
Record objects are saved. Specifically, they can be used to bypass
validations. This is a problem if mass assignment protection is
disabled and specific attributes are passed to the constructor.
Conflicts:
activerecord/lib/active_record/scoping/default.rb
activesupport/lib/active_support/callbacks.rb
CVE-2016-0753
When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.
The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.
CVE-2015-7577
Rafael Mendonça França