- 28 Nov 2018, 3 commits

Committed by Rafael Mendonça França

Committed by Rosa Gutierrez
* Force content-type to binary on service urls for relevant content types

  We have a list of content types that must be forcibly served as binary, but in practice this only means to serve them as attachment always. We should also set the Content-Type to the configured binary type.

  As a bonus: add text/cache-manifest to the list of content types to be served as binary by default.

* Store content-disposition and content-type in GCS

  Forcing these in the service_url when serving the file works fine for S3 and Azure, since these services include params in the signature. However, GCS specifically excludes response-content-disposition and response-content-type from the signature, which means an attacker can modify these and have files that should be served as text/plain attachments served as inline HTML, for example. This means our attempt to force specific files to be served as binary and as attachment can be easily bypassed.

  The only way this can be forced in GCS is by storing content-disposition and content-type in the object metadata.

* Update GCS object metadata after identifying blob

  In some cases we create the blob and upload the data before identifying the content-type, which means we can't store that in GCS right when uploading. In these, after creating the attachment, we enqueue a job to identify the blob and set the content-type.

  In other cases, files are uploaded to the storage service via direct upload link. We create the blob before the direct upload, which happens independently from the blob creation itself. We then mark the blob as identified, but we already have the content-type we need without having put it in the service.

  In these two cases, then, we need to update the metadata in the GCS service.

* Include content-type and disposition in the verified key for disk service

  This prevents an attacker from modifying these params in the service signed URL, which is particularly important when we want to force them to have specific values for security reasons.

* Allow only a list of specific content types to be served inline

  This is different from the content types that must be served as binary in the sense that any content type not in this list will always be served as attachment but with its original content type. Only types in this list are allowed to be served either inline or as attachment. Apart from forcing this in the service URL, for GCS we need to store the disposition in the metadata.

  Fix CVE-2018-16477.
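The two protections the commit above describes, the inline allowlist with binary forcing and a signed key that covers content type and disposition, as an added stand-alone example in plain Ruby (stdlib only). This is not Rails' or Active Storage's own code: the content-type lists are a hypothetical subset of what Active Storage ships (text/cache-manifest is the type the commit adds), the secret is a constructed demo value, and the function names are the example's own.

```ruby
require "openssl"

# Hypothetical subset of the Active Storage lists; not the real configuration.
CONTENT_TYPES_ALLOWED_INLINE = %w[image/png image/jpeg image/gif application/pdf].freeze
CONTENT_TYPES_TO_SERVE_AS_BINARY = %w[text/html text/javascript image/svg+xml text/cache-manifest].freeze
BINARY_CONTENT_TYPE = "application/octet-stream"

# Decide what the service URL (or, for GCS, the object metadata) must carry.
# Returns [disposition, content_type].
def forced_disposition_and_type(content_type, requested_disposition)
  if CONTENT_TYPES_TO_SERVE_AS_BINARY.include?(content_type)
    # Types a browser would render or execute: always attachment, generic binary type.
    ["attachment", BINARY_CONTENT_TYPE]
  elsif CONTENT_TYPES_ALLOWED_INLINE.include?(content_type)
    # Only allowlisted types may honour an "inline" request.
    [requested_disposition == "inline" ? "inline" : "attachment", content_type]
  else
    # Everything else keeps its own type but is forced to attachment.
    ["attachment", content_type]
  end
end

# Disk-service style signed key: the HMAC covers content type and disposition,
# so editing those query params produces a signature mismatch on verification.
DEMO_SECRET = "constructed-demo-secret-not-for-real-use" # constructed value

def sign_service_key(key, content_type, disposition, secret: DEMO_SECRET)
  payload = [key, content_type, disposition].join("\n")
  OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_service_key(key, content_type, disposition, signature, secret: DEMO_SECRET)
  secure_equal?(sign_service_key(key, content_type, disposition, secret: secret), signature)
end

# Build the params a URL would carry, then show that a tampered copy
# (type rewritten to text/html, disposition to inline) fails verification.
def build_and_check(key, content_type, requested_disposition)
  disposition, type = forced_disposition_and_type(content_type, requested_disposition)
  sig = sign_service_key(key, type, disposition)
  {
    disposition: disposition,
    content_type: type,
    signature: sig,
    genuine_ok: verify_service_key(key, type, disposition, sig),
    tampered_ok: verify_service_key(key, "text/html", "inline", sig)
  }
end

if __FILE__ == $PROGRAM_NAME
  p build_and_check("blob-key-1", "text/html", "inline")
  p build_and_check("blob-key-2", "image/png", "inline")
end
```

The signature approach is what the commit describes for the disk service; for GCS, where the signed URL does not cover these params, the same `forced_disposition_and_type` result has to be written into the object metadata instead.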
Committed by Rafael Mendonça França
Trusting any GlobalID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fix CVE-2018-16476.
- 08 Aug 2018, 2 commits

Committed by Rafael Mendonça França

Committed by Rafael Mendonça França
This reverts commit 0b29a421. Reason: This introduces a breaking change when you call `update` in a relation or an association proxy passing the id argument: `Person.books.update(10, title: 'New title')`
- 04 Aug 2018, 2 commits

Committed by George Claghorn

Committed by George Claghorn
Closes #32530.
- 01 Aug 2018, 2 commits

Committed by Ryuta Kamizono
Fix typo [ci skip]
Committed by Jason Lee

- 31 Jul 2018, 3 commits

Committed by Ryuta Kamizono
Since 9ac7dd47, class level `update`, `destroy`, and `delete` were placed in the `Persistence` module as class methods. But `Relation#update` without passing ids, which was introduced at #11898, is not a class method, and it caused the extra scoping regression #33470. I moved the relation method back into the `Relation` to fix the regression. Fixes #33470.
Committed by Rafael Mendonça França

Committed by George Claghorn

- 29 Jul 2018, 1 commit

Committed by George Claghorn
PDFPreviewer became MuPDFPreviewer in 0b717c20.
- 27 Jul 2018, 7 commits

Committed by George Claghorn
[ci skip] Use consistent hash syntax in AR docs
Committed by George Claghorn
[ci skip] fix typo in Active Record Associations guide
Committed by George Claghorn
[ci skip] Tidy up formatting of (consecutive) examples
Committed by George Claghorn
AST Guide: install and migrate tasks needed in new app
Committed by George Claghorn

Committed by Yannick Schutz
* PostgreSQL 10 new relkind for partitioned tables

  Starting with PostgreSQL 10, we can now have partitioned tables natively

* Add comment
* Remove extra space
* Add test for partition table in postgreSQL10
* Select 'p' for "BASE TABLE" and add a test case to support PostgreSQL 10 partition tables
* Address RuboCop offense
* Addressed incorrect `postgresql_version`

Fixes #33008.

[Yannick Schutz & Yasuo Honda & Ryuta Kamizono]
Committed by George Claghorn

- 25 Jul 2018, 1 commit

Committed by Ryuta Kamizono
Follow up of #33358 for SQLite3.
- 23 Jul 2018, 2 commits

Committed by George Claghorn

Committed by George Claghorn
Sidestep Google Cloud Storage's restrictive per-object rate limit.
- 21 Jul 2018, 3 commits

Committed by Kasper Timm Hansen
Merge pull request #33408 from ycherniavskyi/fix_leaking_special_form_with_attributes_into_html_attributes

Fix leaking special form_with attributes into html attributes
Committed by Kasper Timm Hansen

Committed by Kasper Timm Hansen
Prevent `RequestEncoder#encode_params` from parsing falsey params
- 19 Jul 2018, 5 commits

Committed by Eileen M. Uchitelle
Avoid extra scoping in delegating to klass methods in the `scope` block
Committed by Ryuta Kamizono
#33363 has two regressions. The first one is that `insert_fixtures_set` fails if flags is an array. The second one is that connection flags are not restored if `set_server_option` is not supported.
Committed by Rafael França
use set_server_option if possible
Committed by Rafael França
Fix issue with `button_to`'s `to_form_params`
Committed by Rafael França
Normalize the date component to 2000-01-01 automatically
- 16 Jul 2018, 2 commits

Committed by Ryuta Kamizono
5-2-stable: Backport #33361
Committed by Eileen M. Uchitelle
Backport to `5-2-stable` since the bug was introduced in Rails 5.2, see 15cb4efa.

Merge pull request #33361 from jhubert/bugfix/fix-added-string-attributes

Fix regression in use of string attribute in the added? method

cherry-pick 05bef140
- 13 Jul 2018, 1 commit

Committed by Rafael França
e4e1b620 broke `to_param` handling:
- 09 Jul 2018, 2 commits

Committed by Ryuta Kamizono
Related #31201. If creating a custom primary key (like a string) in SQLite, it would also implicitly create an internal index whose name begins with "sqlite_". It needs to be hidden since the internal object names are reserved and prohibited for public use. See https://www.sqlite.org/fileformat2.html#intschema Fixes #33320.
Committed by Ryuta Kamizono
Fix default value for mysql time types with specified precision
- 05 Jul 2018, 3 commits

Committed by George Claghorn
Remove vestigial require on ActiveStorage GCSService
Committed by Kasper Timm Hansen

Committed by Kasper Timm Hansen
new_framework_defaults_5_2.rb is incompatible with load_default "5.2"
- 04 Jul 2018, 1 commit

Committed by Yoshiyuki Kinjo
`load_default "5.2"` sets `Rails.application.config.action_view.form_with_generates_ids` to true but new_framework_defaults_5_2.rb does not mention it. refs 36ac675d