This repository was archived by the owner on Jun 6, 2020. It is now read-only.
🚨 [security] Update all of rails: 5.2.1 → 5.2.4.2 (minor) #64
🚨 Your version of actionview has known security vulnerabilities 🚨
Advisory: CVE-2020-5267
Disclosed: March 19, 2020
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Possible XSS vulnerability in ActionView
🚨 We recommend merging and deploying this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and at the test results before merging this pull request.
What changed?
✳️ rails (5.2.1 → 5.2.4.2) · Repo
Release Notes
5.2.4.1
5.2.4
5.2.3
5.2.2
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.1.6 (from changelog)
1.1.5 (from changelog)
1.1.4 (from changelog)
1.1.0
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.0.6
1.0.5
Commits
See the full diff on Github. The new version differs by 8 commits:
Release 1.0.6
Limit number values to a sensible range
Update history
Add project metadata to the gemspec
Release 1.0.5
Remove test files and omit them
Remove 1.9.3 from the test matrix
Update Travis test matrix
Release Notes
1.9.0 (from changelog)
1.8.0 (from changelog)
Commits
See the full diff on Github. The new version differs by 18 commits:
Bump version to 1.9.0
Change default :bufvar from 'String.new' to '::String.new' to work with BasicObject
Try to get Travis passing
Use minitest-global_expectations in tests to avoid deprecation issues with minitest 5.12
Test JRuby 9.2 on Travis
Test on TruffleRuby on Travis
CI: Add Ruby 2.6 to the matrix
Bump version to 1.8.0
Fix and expand on documentation for :yield_returns_buffer
Rename return_buffer option to yield_returns_buffer
Modify test to work with new :return_buffer behavior
Flip `result` and `code` for :return_buffer option
Disable minitest plugins when testing
Modify spec to show how :return_buffer can be used when modifying buffers
Simplify test in attempt to get 1.8.7 passing
Add return_buffer option to CaptureEndEngine
Update the README with an example of how to write a method that works with capture_end (Fixes #15)
Remove has_rdoc from gemspec, since it is deprecated
Release Notes
0.4.2
Commits
See the full diff on Github. The new version differs by 20 commits:
Ignore pkg directory for releasing.
Release 0.4.2
Test against latest Rubies
Merge pull request #113 from y-yagi/test_against_rails_52
Specify Rails env in a test of `secret_key_base is not present`
Use `secret_key_base` instead of deprecated `secret_token`
Test against Rails 5.2
Allow configuration in initializers
Fix typo
Merge pull request #108 from fattymiller/uniq-equality
Merge pull request #109 from bradleybuda/master
Remove memoization of GlobalID::Identification#to_global_id
GlobalID::Identification clears memoized to_global_id on dup
minitest 5.11 crashes with old versions of rails
Ignore .lock files for tests
Array#uniq to correctly identify == GlobalIDs
[ci skip] Convert all samples back to Ruby.
No such thing as labels, all purpose, baby.
Merge pull request #106 from ideasasylum/ideasasylum-improved-expiration-readme
Improved documentation clarity around expiration
Release Notes
1.8.2
1.2.0
1.1.1
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
2.4.0
2.3.1
2.3.0 (from changelog)
2.2.3
Commits
See the full diff on Github. The new version differs by 59 commits:
version bump to v2.4.0
ci: don't turn on frozen strings until after bundle install
update CHANGELOG
add magic comment for frozen string literals to all files
add rubocop as dev dep and configure security and frozen string cops
test suite should check compatibility with frozen string literals
Merge pull request #175 from bchaney/allow-css-max-width
Merge pull request #177 from flavorjones/176-allow-rem-css-sizes
css sanitizer allows "rem" sizes
Allow CSS property: max-width
ci: update concourse, add ruby 2.7 jobs
version bump to v2.3.1
Merge pull request #172 from flavorjones/171-xss-vulnerability
update CHANGELOG
mitigate XSS vulnerability in SVG animate attributes
rufo formatting
formatting in README
update CHANGELOG with release date
update dev gemspec
version bump to v2.3.0
update dev deps
update README to work with modern Hoe
update Manifest
Merge branch 'jf.safelist'
formatting CHANGELOG
Only call deprecate_constant if available
Use safelist consistently
Use safelist(s), allowlist(s) where applicable
update CHANGELOG
ci: remove unused code from rake-test/run.sh
Merge pull request #167 from jobscore/allow-html-property-contenteditable
Merge pull request #168 from georgeclaghorn/border-width-keyword-values
Allow the thin and thick CSS keywords
Allow HTML property: contenteditable
update to latest concourse-gem
update dev dependencies
changelog: update for #162
Merge pull request #162 from jaredbeck/allow_list-style
changelog: update for #165
Merge pull request #165 from asok/correct-css-keywordish-regexp
Fix test for style attribute scrubbing
Add a test for testing style attribute scrubbing
Correct the regexp for keywordish css property which hold a hex value
Allow CSS property `list-style`
cherry-pick v2.2.3 changelog entry
remove the svg animate attribute `from` from the allowlist
remove versioneye from readme
Merge branch 'flavorjones-allowlist-changes'
update CHANGELOG
Allow greater precision in values of shorthand css elements
failing test for high-precision CSS values
update CHANGELOG
expand allowed protocols to allow `tel:` and `line:`
expand set of allowed CSS functions
reformat `whitelist.rb`
scripts to inspect and compare DOMPurify metadata
add formatting to CHANGELOG
updated mailing list to a new Google Group
extract msword html data into an asset file
Commits
See the full diff on Github. The new version differs by 20 commits:
2.7.1 release
additionally register UnixToUnix encoding as 'x-uue'
IMAP: fix `delete_all` against a readonly connection
Format generated ruby files by ragel using rufo gem
Set full path of the ragel source file to rake task
Perform `gem install bundler` to address `LoadError: cannot load such
Fix 7bit/base64 content transfer encoding mismatch
2.7.1.rc1 release candidate
Restore LF line ending parsing
Fix quote_token with frozen AS::Multibyte chars
CI: test against Rails 5.x for Rubies older than 2.4.1 since Rails 6 requires 2.4.1+
Fix token quoting with UTF-8 attributes
Expose `Mail::Field#unparsed_value` to read raw fields
CI: track current jruby release (9.1.15.0)
CI: test against Ruby 2.5.x
Fix parsing boundary containing "=" within invalid Content-Type
Fix transfer encoding when message encoding is blank
restore LF->CRLF conversion for properly encoded non-binary messages
Fix performance downgrade with Mail::Utilities.to_crlf/to_lf
Stable branch for 2.7.x releases
Commits
See the full diff on Github. The new version differs by 12 commits:
Merge pull request #55 from banister/release-0-9-2
Release v0.9.2
Merge pull request #54 from banister/52-jruby-patch-removal
Revert "method_source: fix broken Procs on JRuby 9.2.0.0"
bump version number to 0.9.1
Merge pull request #51 from kyrylo/jruby-9200-fix
method_source: fix broken Procs on JRuby 9.2.0.0
Merge pull request #50 from mensfeld/master
remove gemfile lock
license for the gemspec
tweaks to .travis.yml
Run rake gemspec task to bump gemspec data (incl version number)
Release Notes
0.3.4 (from changelog)
0.3.3 (from changelog)
Commits
See the full diff on Github. The new version differs by 31 commits:
v0.3.4
Merge pull request #81 from jcoyne/patch-1
Remove rubyforge_project
Merge pull request #79 from mathieumahe/frozen_string_literal
Add frozen_string_literal
Merge pull request #64 from atambo/openxml
Merge pull request #73 from olleolleolle/patch-1
CI: rbx-3 in allow_failures, comment on Bundler
Merge pull request #72 from olleolleolle/patch-3
Merge pull request #71 from olleolleolle/patch-2
Merge pull request #70 from olleolleolle/patch-1
Travis: Use Bundler < 2
README: Use GitHub Markdown code fences
README: Use SVG badges
Merge pull request #68 from viraptor/metadata-uris
Add metadata uris
v0.3.3
update to shared-mime-info-1.10
Handle Office Open XML types for filed generated outside MSOffice
Merge pull request #62 from junaruga/feature/minitest
Change testing framework from bacon to minitest.
Merge pull request #61 from GBH/patch-2
Gratipay is no longer a thing
Merge pull request #56 from GBH/patch-1
Merge pull request #59 from junaruga/hotfix/travis-rbx
Set available rbx name on Travis CI.
Merge pull request #58 from junaruga/feature/update-travis
Update .travis.yml.
Fixing API link and adding button to rubygems
Merge pull request #42 from jaredbeck/introduce_changelog
Docs: Introduce changelog
Commits
See the full diff on Github. The new version differs by 13 commits:
Changelog and prepare for release
FEATURE: update for latest parity with mime types data
Remove unsupported rubies from travis test matrix
relax bundler version
Update benchmark in readme
Add gems to Gemfile for bench script
Allow custom db paths
Update benchmark
Test on Ruby 2.5 and Ruby 2.6
Merge pull request #16 from Aqualon/readme_improvements
Fix some typos/whitespace
Fix link to bench.rb
bump cache on travis
Commits
See the full diff on Github. The new version differs by 10 commits:
version bump to v2.4.0
update CHANGELOG in preparation for v2.4.0
update dev dependencies
Merge pull request #86 from eagletmt/skip-progress-when-chunked
Merge pull request #87 from halfbyte/patch-1
Make version in changelog fit release version.
Skip progress report when Content-Length is unavailable
update test:examples to libiconv 1.15
concourse: test most-recent two rubies
convert to using windows-ruby-dev-tools-release
Release Notes
5.14.0 (from changelog)
5.13.0 (from changelog)
5.12.2 (from changelog)
5.12.1 (from changelog)
5.12.0 (from changelog)
Commits
See the full diff on Github. The new version differs by 54 commits:
prepped for release
Closed temporary IOs when exiting capture_subprocess_io. (doudou)
- Added example for value wrapper with block to Expectations module. (stomar)
Added minitest_log to known modules (BurdetteLamar)
+ Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)
- Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)
+ Changed assert_raises to only catch Assertion since that covers Skip and friends.
- Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)
prepped for release
+ Deprecated Minitest::Guard#maglev?
+ Added skip_until(year, month, day, msg) to allow deferring until a deadline.
Reworked some of metametameta to be more flexible.
+ Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.
re-sorted assertions after path additions
+ Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)
+ Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)
- Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)
+ Added examples to documentation for assert_raises. (lxxxvi)
- Support new Proc#to_s format. (ko1)
- Improved documentation for _/value/expect, especially for blocks. (svoop)
prepped for release
- After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.
prepped for release
- Fixed broken link to reference on goodness-of-fit testing. (havenwood)
Added mini-apivore to readme.
- Update requirements in readme and Rakefile/hoe spec.
+ Added documentation for Reporter classes. (sshaw)
Added minitest-global_expectations to readme. (jeremyevans)
- Avoid using 'match?' to support older ruby versions. (y-yagi)
Tweaked multithreading section of README. (iHiD)
prepped for release
Reworked the \n vs \\n mu_pp_for_diff situation.
Extended assert_mu_pp and assert_mu_pp_for_diff to auto-quote strings to make tests more grokkable.
minor editing to comment
Turn off parallelism on stub and spec meta tests because they hit class methods (globals)
Added mutant-minitest to readme. (mjb)
+ Add a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)
- Check `option[:filter]` klass before match. Fixes 2.6 warning. (y-yagi)
Fixed 2.6 warning in test_refute_match_matcher_object by adding explicit =~ method. (y-yagi)
Added doco for using Rake::TestTask. (schneems)
Added minitest-mock_expectations to readme. (bogdanvlviv)
- Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)
minor rearrangement of requires
Added tests for message and using message/lambda w/ assertions.
+ Changed mu_pp_for_diff to make having both \n and \\n easier to debug.
Overhauled and sorted test_minitest_assertions.rb in prep for new mu_pp_for_diff changes.
Split tests out into test_minitest_assertions.rb
- Fixed Assertions#diff from recalculating if set to nil
+ Deprecated $N for specifying number of parallel test runners. Use MT_CPU.
+ Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.
+ Deprecated use of global expectations. To be removed from MT6.
+ Fail gracefully when expectation used outside of `it`.
Converted all minitest/spec tests over to use _ to avoid deprecation warnings.
Avoid teardown assertion check if test is skipped
Release Notes
2.5.2 (from changelog)
2.4.0 (from changelog)
Commits
See the full diff on Github. The new version differs by 67 commits:
Fix error: use of undeclared identifier 'EV_USE_LINUXAIO'.
RuboCop...........
Bump version.
Replace usage of `long` with `size_t` in memory allocation functions.
Fix `ev_backend_poll` so that it doesn't generate warnings.
Detect aio_abi.h and define EV_USE_LINUXAIO if present.
Add project metadata to the gemspec
Update README.md
Bump version.
Add missing closing ')' on assert call in ev_port.c
Add notes about release process.
Update license details.
Report supported backends and current backend.
Bump version.
Test empty selector timeout.
Update to libev-4.27.
Merge pull request #219 from Jesus/master
Adds Puma to the list of projects using nio4r
Allow calling `deregister` on closed IO objects (#217)
Travis -add testing on OpenSSL 1.0.1 (trusty) & 1.1.1 (bionic & osx) [skip appveyor]
Update `CHANGES.md` and `README.md`.
Enable KQUEUE on macOS 10.14+.
Don't freeze strings in file with `frozen_string_literal`.
Bump minimum supported Ruby to 2.3.
Update travis config.
Set TRUFFLERUBY_RECOMPILE_OPENSSL to workaround OpenSSL issues
monitor.rb :nodoc => :nodoc: [skip ci]
Skip IO.try_convert in ruby code for SSL Sockets
Split some OpenSSL specs into TLSv1.2 and TLSv1.3
.gitignore - add .rspec_status [skip ci]
appveyor.yml - update with Ruby x64 - 2.5, 2.6, & head/trunk
Bump version.
Restore piratey patches.
Use `struct ev_loop` in `selector.c`.
Use `struct ev_loop`.
Update libev to v4.25.
Doesn't seem like gem/bundler update is required.
Run truffleruby with NIO4R_PURE.
Skip SSL spec on JRuby because the socket isn't readable for some reason.
Fix rubocop.
Don't invoke `monitor.close` after related IO has already been closed.
Prefer generic latest stable jruby in travis config.
Java Extension: use at least Java 1.8, avoid warnings
Travis: update to jruby-9.2.5.0 (#197)
Don't allow 2.6 to fail.
Fix trailing whitespace.
Increase and embed select precision on a per-test basis.
Simplify rubocop usage.
Remove Ruby 2.2 since it's no longer supported by bundler.
Try reverting select timeout.
Try to detect unwritable OpenSSL socket.
Fix rubocop.
Remove pending check since it appears to be unnecessary.
Merge pull request #200 from boutil/patch-1
Fix travis os: name.
Simplify travis build matrix.
Rework port allocation and selector timeouts. Fixes #184.
allow failures for Ruby 2.6 for now
Merge pull request #199 from boutil/master
Increase size of RSA keys to 2048 bits
Update travis config, add support for truffleruby.
Merge pull request #192 from junaruga/feature/doc-ruby-2.5
Merge pull request #191 from junaruga/feature/travis-update
Add Ruby 2.5 to supported platforms.
Update Rubies to the latest version on Travis CI.
Merge pull request #190 from olleolleolle/patch-4
Travis: jruby-9.2.0.0
Release Notes
1.10.9
1.10.8
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
1.10.2
1.10.1
1.10.0
1.9.1
1.9.0
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.3.0
1.2.0
1.1.0
Commits
See the full diff on Github. The new version differs by 30 commits:
v1.3.0
Merge pull request #102 from orien/gem-metadata
Add project metadata to the gemspec
Match Loofah's API changes.
Prepare 1.2.0
Remove needless white list sanitizer deprecations
Merge pull request #96 from olleolleolle/patch-1
CI: Drop unused sudo: false Travis directive
Merge pull request #95 from rwojnarowski/patch-1
Deprecated warning text, missing space
Prepare version 1.1.0
Merge pull request #91 from JuanitoFatas/doc/scrubbers
Merge pull request #92 from JuanitoFatas/link-sanitizer
Improve LinkSanitizer's documentation
href is not a HTML element
Improve Scrubber documentations
Merge pull request #87 from JuanitoFatas/migrate-to-safelist
Migrate to SafeListSanitizer
Merge pull request #90 from JuanitoFatas/jf.fix-tests
Update test behavior for Nokogiri > 1.9.1.
Merge pull request #89 from JuanitoFatas/rubies
Merge pull request #88 from JuanitoFatas/jf.relax-bundler-dependency
Update Ruby version matrix on CI
Use an inclusive Bundler version
Merge pull request #86 from tebs/fix-documentation-link
Fix Nokogiri link in documentation
[ci skip] Please don't send more PRs trying to bump Loofah.
Merge pull request #71 from nicolasleger/patch-1
[CI] Allow failure with ruby head
[CI] Test against Ruby 2.5
Release Notes
5.2.4.1
5.2.4
5.2.3
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
4.0.0 (from changelog)
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.0.1 (from changelog)
1.0.0 (from changelog)
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.2.6
Commits
See the full diff on Github. The new version differs by 27 commits:
Update copyright years.
Preparing v1.2.6.
Replace expired gem signing certificate.
Fix a comment.
Ruby Enterprise Edition requires older versions of RubyGems and Bundler.
Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.
Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."
Try and fix an incorrect rake version being picked with JRuby 1.7.
Convert to UNIX line endings.
Simplify minitest version constraint.
Update to Ruby v2.7.0-rc2.
Run CI tests on Windows with AppVeyor.
Enable verbose test output.
Update Travis CI Ruby versions.
Prevent bundler from attempting to use version minitest v5.12.0.
Allow newer versions of Rake that fix warnings with Ruby 2.7.
Eliminate a warning when calling File.open with keyword arguments.
Suppress deprecation warnings due to Object#untaint on Ruby 2.7.
Fix test failures on Ruby 1.8.7 caused by DateTime issues.
Remove the unused REQUIRE_PATH constant from RubyDataSource.
Fix SecurityErrors when loading data in safe mode.
Test that RUBY_ENGINE is defined.
Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.
Update to the latest Ruby, JRuby and Rubinius releases.
Fix a documentation typo.
Return the correct seconds since the epoch value for strftime with %s.
Restrictions on timezones only apply to older (pre-1.9) Ruby releases.
Release Notes
0.7.1 (from changelog)
Commits
See the full diff on Github. The new version differs by 14 commits:
Bump version to 0.7.1
Change markdown formatting of docs.
Remove a redundant statement from the Hybi setup code.
Fail a draft-76 connection if a header does not contain any digits.
Depend on Rake < 12.3 if we're running on Ruby < 2.0.
Reformat the C and Java native extension modules.
Fix an uninitialised variable warning.
Update Travis target versions.
Switch license to Apache 2.0.
Test on Ruby 2.5.0.
I think you have to use jruby-head instead of jruby-9 now.
Bump the Ruby versions for Travis.
If any header used by Hybi is present, then pick Hybi, and likewise for Draft76. This means the driver is more likely to pick Hybi and report likely combinations of malformed headers as errors to the client.
If any driver encounters a validation error in the request headers, it can throw an error and Driver#start will catch that and send a 400 response to the client.
Release Notes
0.1.4 (from changelog)
Commits
See the full diff on Github. The new version differs by 7 commits:
Bump version to 0.1.4
Change markdown formatting of docs.
Fix deprecation warning about =~ being called on TrueClass.
Fix RSpec warnings about raise_error with no arguments.
Update Travis target versions.
Switch license to Apache 2.0.
Test on Ruby 2.5.0.

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.