This works on OSX but for some reason travis is throwing a
```
1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
The cache for `render file:` seems to also be used in the case of
`render(string)`. If one is supposed to be a hit and the other is
supposed to be a miss, and they both reference the same file, then the
cache could return incorrect values. This commit clears the cache
between runs so that we get non-cached behavior.
* 4-1-sec:
bumping version
Remove unnecessary caching
Eliminate instance level writers for class accessors
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
`ActiveSupport::Dependencies.constantize(const_name)` calls
`Reference.new` which is defined as
`ActiveSupport::Dependencies.constantize(const_name)` meaning this call
is already cached and we're doing caching that isn't necessary.
Conflicts:
actionpack/lib/action_dispatch/routing/route_set.rb
Conflicts:
actionpack/lib/action_dispatch/routing/route_set.rb
CVE-2015-7581
Instance level writers can have an impact on how the Active Model /
Record objects are saved. Specifically, they can be used to bypass
validations. This is a problem if mass assignment protection is
disabled and specific attributes are passed to the constructor.
Conflicts:
activerecord/lib/active_record/scoping/default.rb
activesupport/lib/active_support/callbacks.rb
CVE-2016-0753
When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.
The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.
CVE-2015-7577
- Uses Logger instance defined level if no custom local log level defined
- Keeps track of local log level per logger instance + thread id
- Prevents memory leakage by removing local level hash key/value on #silence method exit
- Test case for threadsafety issue added (and passes with these changes), based @rdubya's tests
- Fixes#20490 and supersedes https://github.com/rails/rails/pull/16885
When we are rescuing from an error, it's a brittle approach to do checks
with regular expressions on the raised message because it may change in
in the future and error messages are different across implementations.
The NameError API could be improved at the MRI level but for now we need
to rely on its #name. A #== check will only pass for top level constants
or only when the last constant of the path is missing so we need to rely
on #include? instead. For instance:
begin
Namespace::Foo
rescue NameError => e
e.name # => :Namespace
end
However, if the name-space already exists, only the name of the first
missing constant in the path is returned (e.g. for Math::PHI, the name
would be :PHI). JRuby will return a fully qualified name (:"Math::PHI").
We need to keep the == check for 1.9 compatibility since const_get will
raise a NameError with a name attribute set to the given string if it's
one of "::" or "".
See http://git.io/jnSN7g for further information.
From Ruby ( 2.3.0dev trunk 52520), `Hash#to_proc` is defined
(fbe967ec02),
and many tests have been failed with
`ArgumentError: wrong number of arguments (given 0, expected 1)`.
Because we call `Hash#to_proc` with no args in `#merge!`.
This commit changes order of conditionals to not call `Hash#to_proc`.
(cherry picked from commit a98475c2df)
We are using the same version constraint in the database adapters so
when a new version of the adapter that doesn't work with the version of
rails is released we don't break new applications.
This is follow up to #6643.
In #6643, the controller generator only had been fixed, in this commit to fix the scaffold generator.
(cherry picked from commit 2e8146909a)
Jon Moss