segiddins / segiddins.me

http://segiddins.me/

[Security] Bump activesupport from 4.1.9 to 4.1.11 #22

Closed dependabot-preview[bot] closed 1 year ago

dependabot-preview[bot] commented 5 years ago

⚠️ Dependabot Preview has been deactivated ⚠️

This pull request was created by Dependabot Preview, and you've upgraded to Dependabot. This means it won't respond to dependabot commands nor will it be automatically closed if a new version is found.

If you close this pull request, Dependabot will re-create it the next time it checks for updates and everything will work as expected.


Bumps activesupport from 4.1.9 to 4.1.11. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2015-3227.yml).*

> **Possible Denial of Service attack in Active Support**
>
> Specially crafted XML documents can cause applications to raise a
> `SystemStackError` and potentially cause a denial of service attack. This
> only impacts applications using REXML or JDOM as their XML processor. Other
> XML processors that Rails supports are not impacted.
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Workarounds
> -----------
> Use an XML parser that is not impacted by this problem, such as Nokogiri or
> LibXML. You can change the processor like this:
>
> ```ruby
> ActiveSupport::XmlMini.backend = 'Nokogiri'
> ```
>
> If you cannot change XML parsers, then adjust
> `RUBY_THREAD_MACHINE_STACK_SIZE`.
>
> Patched versions: >= 4.2.2; ~> 4.1.11; ~> 3.2.22
> Unaffected versions: none

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2015-3226.yml).*

> **XSS Vulnerability in ActiveSupport::JSON.encode**
>
> When a `Hash` containing user-controlled data is encoded as JSON (either through
> `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
> escaping that matches the guarantee implied by the `escape_html_entities_in_json`
> option (which is enabled by default). If this resulting JSON string is subsequently
> inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
>
> For example, the following code snippet is vulnerable to this attack:
>
> ```erb
> <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
> ```
>
> Similarly, the following is also vulnerable:
>
>
> All applications that render JSON-encoded strings that contain user-controlled
> data in their views should either upgrade to one of the FIXED versions or use
> the suggested workaround immediately.
>
> ... (truncated)
>
> Patched versions: >= 4.2.2; ~> 4.1.11
> Unaffected versions: < 4.1.0

Commits

- [`260da06`](https://github.com/rails/rails/commit/260da06e6b63f4644fe67e67fbd486585f9d2724) Preparing for 4.1.11 release
- [`12f763c`](https://github.com/rails/rails/commit/12f763ce1131d29d24bd0d8f868e2697a139aea3) enforce a depth limit on XML documents
- [`bfbf167`](https://github.com/rails/rails/commit/bfbf16749a754ab1fd58274a951d3a013182a635) Escape HTML entities in JSON keys
- [`5496ec8`](https://github.com/rails/rails/commit/5496ec8aac95f728465f218d12733cedef84232a) Preparing for 4.1.10 release
- [`8e50a08`](https://github.com/rails/rails/commit/8e50a087f42f7f0cef201f182dc19d2ae4952613) Merge pull request [#19387](https://github-redirect.dependabot.com/rails/rails/issues/19387) from arthurnn/fix_route_regression
- [`b59bf91`](https://github.com/rails/rails/commit/b59bf91edc031ea370c03680efa5a11024cb0d3c) Merge pull request [#19315](https://github-redirect.dependabot.com/rails/rails/issues/19315) from josh/update-sprockets-links
- [`410f7d2`](https://github.com/rails/rails/commit/410f7d29e998befb27ab0b3dee3bbe83944bdc04) Preparing for 4.1.10.rc4 release
- [`9f2137a`](https://github.com/rails/rails/commit/9f2137aaf7d62d90cfd26e2aef88ec23e0395049) Fix +false+ values when validating uniqueness
- [`553e61a`](https://github.com/rails/rails/commit/553e61af007553788813f81963a7621c82fff65d) Preserve Array#take(n) behaviour of HasManyAssociation
- [`77e324b`](https://github.com/rails/rails/commit/77e324b59ec0e0b09f5c26b035add9de40482470) Preparing for 4.1.10.rc3 release
- Additional commits viewable in [compare view](https://github.com/rails/rails/compare/v4.1.9...v4.1.11)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
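Added example for the CVE-2015-3226 advisory quoted above; it is not code from this PR, from Rails or from the advisory. It models in plain Ruby the guarantee that `escape_html_entities_in_json` is meant to give, applied to Hash keys as well as values (the gap the `bfbf167` commit closes), plus a check a reviewer can run on any encoder's output. The helper and constant names are assumptions chosen for this example.

```ruby
require "json"

# Characters a browser acts on inside a <script> block before the JSON parser
# ever runs, mapped to the \uXXXX escapes that are still valid JSON.
HTML_ESCAPES = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze
HTML_SENSITIVE = Regexp.union(HTML_ESCAPES.keys)

# Serialize with the standard json gem, then escape the whole text. Running the
# substitution over the serialized string, not per value, is what guarantees
# that keys and values come out identically escaped. (Assumed helper name.)
def html_safe_json(obj)
  JSON.generate(obj).gsub(HTML_SENSITIVE, HTML_ESCAPES)
end

# Review check: true only if the JSON text carries none of the characters that
# would let user data break out of a script context. (Assumed helper name.)
def embeddable_in_script?(json_text)
  !json_text.match?(HTML_SENSITIVE)
end

# Escaping must not change the data: \uXXXX escapes are plain JSON, so parsing
# the escaped text must give back the original object.
def round_trips?(obj)
  JSON.parse(html_safe_json(obj)) == obj
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: user-controlled text appears in a key and in a value.
  data = { "<b>display name</b>" => "Tom & Jerry", "tags" => ["a<b", "x\u2028y"] }
  puts JSON.generate(data)                          # raw <, >, & survive
  puts embeddable_in_script?(JSON.generate(data))   # false
  puts html_safe_json(data)                         # key escaped as well
  puts embeddable_in_script?(html_safe_json(data))  # true
  puts round_trips?(data)                           # true
end
```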