Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
Redis cache store is now compatible with redis-rb 5.0.
Jean Boussier
Fix NoMethodError on custom ActiveSupport::Deprecation behavior.
ActiveSupport::Deprecation.behavior= was supposed to accept any object
that responds to call, but in fact its internal implementation assumed that
this object could respond to arity, so it was restricted to only Proc objects.
This change removes this arity restriction of custom behaviors.
Ryo Nakamura
Rails 7.0.3.1 (July 12, 2022)
No changes.
Rails 7.0.3 (May 09, 2022)
No changes.
Rails 7.0.2.4 (April 26, 2022)
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters
in names of tags and names of attributes, following the specification of XML.
Changed DateTime results to always use the proleptic Gregorian calendar. This affects DateTime results prior to 1582-10-15 and any arithmetic performed on the results that would produce a secondary result prior to 1582-10-15.
Added support for eager loading all the time zone and country data by calling either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible with Ruby On Rails' eager_load_namespaces. #129.
Ignore the SECURITY file from Arch Linux's tzdata package. #134.
Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.
Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. #120.
Fixed TimeWithOffset#getlocal returning a TimeWithOffset with the timezone_offset still assigned when called with an offset argument on JRuby 9.3.
to_local and period_for instance methods have been added to TZInfo::Timezone. These are similar to utc_to_local and period_for_utc, but take the UTC offset of the given time into account.
abbreviation, dst?, base_utc_offset and observed_utc_offset instance methods have been added to TZInfo::Timezone, returning the abbreviation, whether daylight savings time is in effect and the UTC offset of the time zone at a specified time.
A TZInfo::Timestamp class has been added. It can be used with TZInfo::Timezone in place of a Time or DateTime.
local_time, local_datetime and local_timestamp instance methods have been added to TZInfo::Timezone. These methods construct local Time, DateTime and TZInfo::Timestamp instances with the correct UTC offset and abbreviation for the time zone.
Support for a (yet to be released) version 2 of tzinfo-data has been added, in addition to support for version 1. The new version will remove the (no longer needed) DateTime parameters from transition times, reduce memory consumption and improve the efficiency of loading timezone and country indexes.
A TZInfo::VERSION constant has been added, indicating the TZInfo version number.
Changed
The minimum supported Ruby versions are now Ruby MRI 1.9.3, JRuby 1.7 (in 1.9 or later mode) and Rubinius 3.
Local times are now returned using the correct UTC offset (instead of using UTC). #49 and #52.
Local times are returned as instances of TimeWithOffset, DateTimeWithOffset or TZInfo::TimestampWithOffset. These classes subclass Time, DateTime and TZInfo::Timestamp respectively. They override the default behaviour of the base classes to return information about the observed offset at the indicated time. For example, the zone abbreviation is returned when using the %Z directive with strftime.
The transitions_up_to, offsets_up_to and strftime instance methods of TZInfo::Timezone now take the UTC offsets of given times into account (instead of ignoring them as was previously the case).
The TZInfo::TimezonePeriod class has been split into two subclasses: TZInfo::OffsetTimezonePeriod and TZInfo::TransitionsTimezonePeriod. TZInfo::OffsetTimezonePeriod is returned for time zones that only have a single offset. TZInfo::TransitionsTimezonePeriod is returned for periods that start or end with a transition.
Changed DateTime results to always use the proleptic Gregorian calendar.
This affects DateTime results prior to 1582-10-15 and any arithmetic
performed on the results that would produce a secondary result prior to
1582-10-15.
Added support for eager loading all the time zone and country data by calling
either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible
with Ruby On Rails' eager_load_namespaces. #129.
Ignore the SECURITY file from Arch Linux's tzdata package. #134.
Version 2.0.4 - 16-Dec-2020
Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a
zoneinfo file that includes rules specifying an additional transition to the
final defined offset (for example, Africa/Casablanca in version 2018e of the
Time Zone Database). #123.
Version 2.0.3 - 8-Nov-2020
Added support for handling "slim" format zoneinfo files that are produced by
default by zic version 2020b and later. The POSIX-style TZ string is now used
calculate DST transition times after the final defined transition in the file.
#120.
Fixed TimeWithOffset#getlocal returning a TimeWithOffset with the
timezone_offset still assigned when called with an offset argument on JRuby
9.3.
Rubinius is no longer supported.
Version 2.0.2 - 2-Apr-2020
Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
Guard against ActionView::Helpers::FormTagHelper#field_name calls with nil
object_name arguments. For example:
<%= fields do |f| %>
<%= f.field_name :body %>
<% end %>
Sean Doyle
Strings returned from strip_tags are correctly tagged html_safe?
Because these strings contain no HTML elements and the basic entities are escaped, they are safe
to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
entities when being concatenated to a SafeBuffer during rendering.
Ensure models passed to form_for attempt to call to_model.
Sean Doyle
Rails 7.0.2.4 (April 26, 2022)
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the
whole tag.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/storily/rogare/network/alerts).
dependabot[bot]
commented
1 year ago
Bumps activesupport, graphql-client, tzinfo and actionview. These dependencies needed to be updated together. Updates
activesupportfrom 5.2.6 to 7.0.4.1Release notes
Sourced from activesupport's releases.
... (truncated)
Changelog
Sourced from activesupport's changelog.
... (truncated)
Commits
23e0345Version 7.0.4.12164d4fAvoid regex backtracking in Inflector.underscore8015c2cVersion 7.0.4ff27758Revert "Merge pull request #44695 from Edouard-chin/ec-tagger-logger-broadcast"4a1f224Merge pull request #45882 from rails/short-inspect-on-test-casea3bd3b5Backport Redis 5.0 compatibility67f37acFix flaky tests for RedisCacheStorec520e38Document AS::Cache::MemCacheStore#write options [ci-skip]a74b650Document AS::Cache::Store#initialize options [ci-skip]f7a82bfDocument AS::Cache::Store#read options [ci-skip]Updates
graphql-clientfrom 0.12.3 to 0.18.0Release notes
Sourced from graphql-client's releases.
Commits
2c611760.18.058e1c7fMerge pull request #286 from figs-engineering/fix/graphql-dependency18dbbc2fix: update graphql dependencyd19333d0.17.0655e249Merge pull request #269 from Shopify/dedup-schemasb57ba65Deduplicate JSON schemase974ea5Merge pull request #274 from chrisbloom7/unloadabled1f45abLimit rubocop-github max version due to mismaches with rubocop version84198f1Don't call unloadable for zeitwerk mode8fb3a8aMerge pull request #267 from github/cache-possible-typesUpdates
tzinfofrom 1.2.9 to 2.0.5Release notes
Sourced from tzinfo's releases.
... (truncated)
Changelog
Sourced from tzinfo's changelog.
... (truncated)
Commits
d9b289ePreparing v2.0.5.264c763Add v0.3.61 and v1.2.10 from the 0.3 and 1.2 branches.ca29f34Fix relative path loading tests.c4f177cAdd a top level eager_load! method for Rails compatibility.94be919Support preloading all data from a DataSource.fe7ad26Clarify that both files and directories are excluded.d2883cfTidy up of security file ignoring.6a4766eMerge pull request #133.5d53b59Workaround for 'Permission denied - NUL' errors with JRuby on Windows.83450a1ignore SECURITY file for Arch tzdata packageUpdates
actionviewfrom 5.2.6 to 7.0.4.1Release notes
Sourced from actionview's releases.
... (truncated)
Changelog
Sourced from actionview's changelog.
... (truncated)
Commits
23e0345Version 7.0.4.18015c2cVersion 7.0.4deb8087Standardize format of "Options" subsections [ci-skip]c5a407dLinkify code references [ci-skip]e874cf5Fix typos [ci-skip]b3e79beMerge pull request #45675 from hirotaka/fix_date_select_with_locale196e0f7Merge pull request #45572 from fatkodima/fix-cached-missing-translations0f4be71Merge pull request #45563 from diegomichel/fixes-rubydoc-info-linksa730810Merge branch '7-0-sec' into 7-0-stable04972d9Preparing for 7.0.3.1 releaseDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/storily/rogare/network/alerts).