Permalink
Comparing changes
Choose two branches to see what’s changed or to start a new pull request.
If you need to, you can also or
learn more about diff comparisons.
Open a pull request
Create a new pull request by comparing changes across two branches. If you need to, you can also .
Learn more about diff comparisons here.
...
- 12 commits
- 44 files changed
- 5 contributors
Commits on Mar 19, 2020
-
Fix possible XSS vector in JS escape helper
This commit escapes dollar signs and backticks to prevent JS XSS issues when using the `j` or `javascript_escape` helper CVE-2020-5267
-
Commits on May 14, 2020
Commits on May 15, 2020
-
Return self when calling #each, #each_pair, and #each_value instead o…
…f the raw @parameters hash [CVE-2020-8164]
-
activesupport: Avoid Marshal.load on raw cache value in MemCacheStore
Dalli is already being used for marshalling, so we should also rely on it for unmarshalling. Since Dalli tags the cache value as marshalled it can avoid unmarshalling a raw string which might have come from an untrusted source. [CVE-2020-8165]
-
activesupport: Deprecate Marshal.load on raw cache read in RedisCache…
…Store The same value for the `raw` option should be provided for both reading and writing to avoid Marshal.load being called on untrusted data. [CVE-2020-8165]
-
HMAC raw CSRF token before masking it, so it cannot be used to recons…
…truct a per-form token [CVE-2020-8166]
-
Loading
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v5.2.4.1...v5.2.4.3