Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
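As an added illustration of the hardening the commit describes (this is not Rails' own annotate code, and `sanitize_comment`, `annotated_sql` and `comment_safe?` are names chosen here), the following models the two passes: one surrounding comment pair is stripped for compatibility, then every remaining delimiter is broken up with a space so the value can neither open nor close a comment.

```ruby
# Added illustration of the hardening the commit describes; not Rails' own
# annotate code. Two passes: strip one surrounding /* ... */ pair (the
# compatibility pass), then break up any remaining delimiter so the value can
# neither open nor close a comment.
def sanitize_comment(comment)
  comment = comment.to_s
  # First pass: remove exactly one surrounding comment, if present.
  comment = comment.sub(%r{\A\s*/\*\s*(.*?)\s*\*/\s*\z}m, '\1')
  # Second pass: neutralise every remaining delimiter with a space.
  comment.gsub("/*", "/ *").gsub("*/", "* /")
end

# Wrap the sanitized value as a trailing SQL comment, the shape annotate emits.
def annotated_sql(sql, comment)
  "#{sql} /* #{sanitize_comment(comment)} */"
end

# Post-condition a reviewer can check: no delimiter survives sanitization.
def comment_safe?(comment)
  body = sanitize_comment(comment)
  !body.include?("*/") && !body.include?("/*")
end
```

The order of the two `gsub` calls does not matter: inserting a space after `/` and before `/` can never recreate `/*` or `*/`, which is why the check in `comment_safe?` holds for every input.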
Added integer width check to PostgreSQL::Quoting
Given a value outside the range of a 64-bit signed integer type,
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
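As an added illustration of the width check described in this entry (not ActiveRecord's own Quoting module; `quote_bigint`, `int64?`, `IntegerOutOfRange` and the `raise_if_wide` keyword are stand-ins chosen here for the behaviour controlled by `ActiveRecord::Base.raise_int_wider_than_64bit`):

```ruby
# Added illustration of the 64-bit width check; not ActiveRecord's own
# Quoting code. The raise_if_wide flag stands in for
# ActiveRecord::Base.raise_int_wider_than_64bit (default true).
INT64_MIN = -(2**63)
INT64_MAX = 2**63 - 1

class IntegerOutOfRange < StandardError; end

# Quote an integer for a bigint comparison. A value wider than 64 bits would
# make PostgreSQL cast the comparison to numeric, turning an index lookup into
# a sequential scan, so by default it is rejected instead of quoted.
def quote_bigint(value, raise_if_wide: true)
  raise ArgumentError, "expected Integer, got #{value.class}" unless value.is_a?(Integer)
  if (value < INT64_MIN || value > INT64_MAX) && raise_if_wide
    raise IntegerOutOfRange, "#{value} is outside the 64-bit signed range"
  end
  value.to_s
end

# Predicate for validating an id before it reaches the query at all.
def int64?(value)
  value.is_a?(Integer) && value.between?(INT64_MIN, INT64_MAX)
end
```

With the flag left at its default an out-of-range id fails fast in the application; with it disabled the value is quoted as-is and the slow numeric comparison described above is the result.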
Redis cache store is now compatible with redis-rb 5.0.
Jean Boussier
Fix NoMethodError on custom ActiveSupport::Deprecation behavior.
ActiveSupport::Deprecation.behavior= was supposed to accept any object
that responds to call, but in fact its internal implementation assumed that
this object could respond to arity, so it was restricted to only Proc objects.
This change removes this arity restriction of custom behaviors.
Ryo Nakamura
Rails 7.0.3.1 (July 12, 2022)
No changes.
Rails 7.0.3 (May 09, 2022)
No changes.
Rails 7.0.2.4 (April 26, 2022)
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters
in names of tags and names of attributes, following the specification of XML.
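As an added example of what escaping tag and attribute names means in practice (this is not Rails' `ERB::Util.xml_name_escape`; the reduced ASCII form of the XML Name production, the `safe_tag` helper and the `_` replacement character are choices made here):

```ruby
require "cgi"

# Added illustration of escaping tag and attribute names; not Rails' own
# ERB::Util.xml_name_escape. It follows the XML Name production in a reduced
# ASCII form: NameStartChar is a letter, "_" or ":"; NameChar additionally
# allows digits, "-" and ".". Every other character becomes "_".
NAME_START_CHAR = /[A-Za-z_:]/
NAME_CHAR       = /[A-Za-z0-9_:.\-]/

def xml_name_escape(name)
  name = name.to_s
  return "" if name.empty?
  first = name[0].match?(NAME_START_CHAR) ? name[0] : "_"
  rest  = name[1..-1].chars.map { |c| c.match?(NAME_CHAR) ? c : "_" }.join
  first + rest
end

# Build an opening tag: names go through xml_name_escape, values through the
# usual attribute-value escaping (CGI.escapeHTML here).
def safe_tag(name, attrs = {})
  parts = attrs.map { |k, v| %(#{xml_name_escape(k)}="#{CGI.escapeHTML(v.to_s)}") }
  "<#{xml_name_escape(name)}#{parts.empty? ? '' : ' ' + parts.join(' ')}>"
end
```

The point of escaping names separately from values is that value escaping only protects the inside of a quoted attribute; a name containing a quote, space or `>` would otherwise break out of the attribute or the tag itself.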
Version 2.0.0
Added
to_local and period_for instance methods have been added to TZInfo::Timezone. These are similar to utc_to_local and period_for_utc, but take the UTC offset of the given time into account.
abbreviation, dst?, base_utc_offset and observed_utc_offset instance methods have been added to TZInfo::Timezone, returning the abbreviation, whether daylight savings time is in effect and the UTC offset of the time zone at a specified time.
A TZInfo::Timestamp class has been added. It can be used with TZInfo::Timezone in place of a Time or DateTime.
local_time, local_datetime and local_timestamp instance methods have been added to TZInfo::Timezone. These methods construct local Time, DateTime and TZInfo::Timestamp instances with the correct UTC offset and abbreviation for the time zone.
Support for a (yet to be released) version 2 of tzinfo-data has been added, in addition to support for version 1. The new version will remove the (no longer needed) DateTime parameters from transition times, reduce memory consumption and improve the efficiency of loading timezone and country indexes.
A TZInfo::VERSION constant has been added, indicating the TZInfo version number.
Changed
The minimum supported Ruby versions are now Ruby MRI 1.9.3, JRuby 1.7 (in 1.9 or later mode) and Rubinius 3.
Local times are now returned using the correct UTC offset (instead of using UTC). #49 and #52.
Local times are returned as instances of TimeWithOffset, DateTimeWithOffset or TZInfo::TimestampWithOffset. These classes subclass Time, DateTime and TZInfo::Timestamp respectively. They override the default behaviour of the base classes to return information about the observed offset at the indicated time. For example, the zone abbreviation is returned when using the %Z directive with strftime.
The transitions_up_to, offsets_up_to and strftime instance methods of TZInfo::Timezone now take the UTC offsets of given times into account (instead of ignoring them as was previously the case).
The TZInfo::TimezonePeriod class has been split into two subclasses: TZInfo::OffsetTimezonePeriod and TZInfo::TransitionsTimezonePeriod. TZInfo::OffsetTimezonePeriod is returned for time zones that only have a single offset. TZInfo::TransitionsTimezonePeriod is returned for periods that start or end with a transition.
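As an added toy model of the semantics the entries above describe (this is not the tzinfo gem; `ToyTimezone`, `Period` and the constructed London-like transitions for 2020 are assumptions made here), the following shows the difference between ignoring and honouring a time's own UTC offset:

```ruby
# Added toy model of the TZInfo 2.0 semantics described above; it is not the
# tzinfo gem. A zone holds a base period plus UTC-ordered transitions
# (constructed below for a London-like zone in 2020) and resolves the period
# in effect at a UTC instant.
Period = Struct.new(:utc_offset, :abbreviation, :dst)

class ToyTimezone
  # transitions: [[utc_instant_of_change, Period], ...] in ascending order
  def initialize(base_period, transitions)
    @base = base_period
    @transitions = transitions
  end

  # Period in effect at a UTC instant (the period_for_utc style lookup).
  def period_for_utc(utc)
    period = @base
    @transitions.each { |at, p| period = p if utc >= at }
    period
  end

  # period_for: honours the UTC offset carried by the given time.
  def period_for(time)
    period_for_utc(time.getutc)
  end

  # 1.x style utc_to_local: the time's own offset is ignored and its wall
  # clock is read as if it were UTC.
  def utc_to_local(time)
    as_utc = Time.utc(time.year, time.month, time.day, time.hour, time.min, time.sec)
    as_utc.getlocal(period_for_utc(as_utc).utc_offset)
  end

  # 2.0 style to_local: convert the instant first, then apply the zone offset,
  # so the result carries the observed offset rather than UTC.
  def to_local(time)
    utc = time.getutc
    utc.getlocal(period_for_utc(utc).utc_offset)
  end

  def abbreviation(time)
    period_for(time).abbreviation
  end

  def dst?(time)
    period_for(time).dst
  end
end

# Constructed zone: GMT until 2020-03-29 01:00 UTC, BST until 2020-10-25 01:00 UTC.
LONDON_2020 = ToyTimezone.new(
  Period.new(0, "GMT", false),
  [[Time.utc(2020, 3, 29, 1), Period.new(3600, "BST", true)],
   [Time.utc(2020, 10, 25, 1), Period.new(0, "GMT", false)]]
)

# A time carrying an explicit +02:00 offset: 12:00 +02:00 is 10:00 UTC.
def sample_time
  Time.new(2020, 7, 1, 12, 0, 0, "+02:00")
end
```

For `sample_time`, `to_local` yields 11:00 +01:00 (the correct BST wall clock for 10:00 UTC) while the 1.x style `utc_to_local` yields 13:00 +01:00, because it treats the 12:00 wall clock as if it were UTC; that two-hour discrepancy is exactly what the offset-aware methods remove.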
Changed DateTime results to always use the proleptic Gregorian calendar.
This affects DateTime results prior to 1582-10-15 and any arithmetic
performed on the results that would produce a secondary result prior to
1582-10-15.
Added support for eager loading all the time zone and country data by calling
either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible
with Ruby On Rails' eager_load_namespaces. #129.
Ignore the SECURITY file from Arch Linux's tzdata package. #134.
Version 2.0.4 - 16-Dec-2020
Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a
zoneinfo file that includes rules specifying an additional transition to the
final defined offset (for example, Africa/Casablanca in version 2018e of the
Time Zone Database). #123.
Version 2.0.3 - 8-Nov-2020
Added support for handling "slim" format zoneinfo files that are produced by
default by zic version 2020b and later. The POSIX-style TZ string is now used
to calculate DST transition times after the final defined transition in the
file. #120.
Fixed TimeWithOffset#getlocal returning a TimeWithOffset with the
timezone_offset still assigned when called with an offset argument on JRuby
9.3.
Rubinius is no longer supported.
Version 2.0.2 - 2-Apr-2020
Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
Guard against ActionView::Helpers::FormTagHelper#field_name calls with nil
object_name arguments. For example:
<%= fields do |f| %>
  <%= f.field_name :body %>
<% end %>
Sean Doyle
Strings returned from strip_tags are correctly tagged html_safe?
Because these strings contain no HTML elements and the basic entities are escaped, they are safe
to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
entities when being concatenated to a SafeBuffer during rendering.
Ensure models passed to form_for attempt to call to_model.
Sean Doyle
Rails 7.0.2.4 (April 26, 2022)
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the
whole tag.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/storily/rogare/network/alerts).
Bumps activesupport, graphql-client, tzinfo and actionview. These dependencies needed to be updated together.
Updates activesupport from 5.2.6 to 7.0.4.1
Release notes
Sourced from activesupport's releases.
... (truncated)
Changelog
Sourced from activesupport's changelog.
... (truncated)
Commits
23e0345 Version 7.0.4.1
2164d4f Avoid regex backtracking in Inflector.underscore
8015c2c Version 7.0.4
ff27758 Revert "Merge pull request #44695 from Edouard-chin/ec-tagger-logger-broadcast"
4a1f224 Merge pull request #45882 from rails/short-inspect-on-test-case
a3bd3b5 Backport Redis 5.0 compatibility
67f37ac Fix flaky tests for RedisCacheStore
c520e38 Document AS::Cache::MemCacheStore#write options [ci-skip]
a74b650 Document AS::Cache::Store#initialize options [ci-skip]
f7a82bf Document AS::Cache::Store#read options [ci-skip]
Updates graphql-client from 0.12.3 to 0.18.0
Release notes
Sourced from graphql-client's releases.
Commits
2c61176 0.18.0
58e1c7f Merge pull request #286 from figs-engineering/fix/graphql-dependency
18dbbc2 fix: update graphql dependency
d19333d 0.17.0
655e249 Merge pull request #269 from Shopify/dedup-schemas
b57ba65 Deduplicate JSON schemas
e974ea5 Merge pull request #274 from chrisbloom7/unloadable
d1f45ab Limit rubocop-github max version due to mismatches with rubocop version
84198f1 Don't call unloadable for zeitwerk mode
8fb3a8a Merge pull request #267 from github/cache-possible-types
Updates tzinfo from 1.2.9 to 2.0.5
Release notes
Sourced from tzinfo's releases.
... (truncated)
Changelog
Sourced from tzinfo's changelog.
... (truncated)
Commits
d9b289e Preparing v2.0.5.
264c763 Add v0.3.61 and v1.2.10 from the 0.3 and 1.2 branches.
ca29f34 Fix relative path loading tests.
c4f177c Add a top level eager_load! method for Rails compatibility.
94be919 Support preloading all data from a DataSource.
fe7ad26 Clarify that both files and directories are excluded.
d2883cf Tidy up of security file ignoring.
6a4766e Merge pull request #133.
5d53b59 Workaround for 'Permission denied - NUL' errors with JRuby on Windows.
83450a1 ignore SECURITY file for Arch tzdata package
Updates actionview from 5.2.6 to 7.0.4.1
Release notes
Sourced from actionview's releases.
... (truncated)
Changelog
Sourced from actionview's changelog.
... (truncated)
Commits
23e0345 Version 7.0.4.1
8015c2c Version 7.0.4
deb8087 Standardize format of "Options" subsections [ci-skip]
c5a407d Linkify code references [ci-skip]
e874cf5 Fix typos [ci-skip]
b3e79be Merge pull request #45675 from hirotaka/fix_date_select_with_locale
196e0f7 Merge pull request #45572 from fatkodima/fix-cached-missing-translations
0f4be71 Merge pull request #45563 from diegomichel/fixes-rubydoc-info-links
a730810 Merge branch '7-0-sec' into 7-0-stable
04972d9 Preparing for 7.0.3.1 release