2021-10-07 15:44:44 by Nia Alarie | Files touched by this commit (3017) |
Log message:
devel: Remove SHA1 hashes for distfiles
|
2021-07-04 08:58:38 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
www/ruby-rails60: update to 6.0.4
Ruby on Rails 6.0.4 (2021-06-15), including security fixes.
Active Support
* Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing
options to read_multi causing fetch_multi to not work properly.
(Rajesh Sharma)
* with_options copies its options hash again to avoid leaking mutations.
Fixes #39343. (Eugene Kenny)
Active Record
* Only warn about negative enums if a positive form that would cause
conflicts exists. Fixes #39065. (Alex Ghiculescu)
* Allow the inverse of a has_one association that was previously
autosaved to be loaded. Fixes #34255. (Steven Weber)
* Reset statement cache for association if table_name is changed.
Fixes #36453. (Ryuta Kamizono)
* Type cast extra select for eager loading. (Ryuta Kamizono)
* Prevent collection associations from being autosaved multiple times.
Fixes #39173. (Eugene Kenny)
* Resolve issue with insert_all unique_by option when used with
expression index.
When the :unique_by option of ActiveRecord::Persistence.insert_all
and ActiveRecord::Persistence.upsert_all was used with the name of
an expression index, an error was raised. Adding a guard around the
formatting behavior for the :unique_by corrects this.
Usage:
create_table :books, id: :integer, force: true do |t|
t.column :name, :string
t.index "lower(name)", unique: true
end
Book.insert_all [{ name: "MyTest" }], unique_by: \
:index_books_on_lower_name
Fixes #39516. (Austen Madden)
* Fix preloading for polymorphic association with custom scope.
(Ryuta Kamizono)
* Allow relations with different SQL comments in the or method.
(Takumi Shotoku)
* Resolve conflict between counter cache and optimistic locking.
Bump an Active Record instance's lock version after updating its
counter cache. This avoids raising an unnecessary
ActiveRecord::StaleObjectError upon subsequent transactions by
maintaining parity with the corresponding database record's
lock_version column. Fixes #16449. (Aaron Lipman)
* Fix through association with source/through scope which has joins.
(Ryuta Kamizono)
* Fix through association to respect source scope for includes/preload.
(Ryuta Kamizono)
* Fix eager load with Arel joins to maintain the original joins order.
(Ryuta Kamizono)
* Fix group by count with eager loading + order + limit/offset.
(Ryuta Kamizono)
* Fix left joins order when merging multiple left joins from different
associations. (Ryuta Kamizono)
* Fix index creation to preserve index comment in bulk change table on
MySQL. (Ryuta Kamizono)
* Change remove_foreign_key to not check :validate option if database
doesn't support the feature. (Ryuta Kamizono)
* Fix the result of aggregations to maintain duplicated "group by"
fields. (Ryuta Kamizono)
* Do not return duplicated records when using preload. (Bogdan Gusiev)
Action View
* SanitizeHelper.sanitized_allowed_attributes and
SanitizeHelper.sanitized_allowed_tags call safe_list_sanitizer's
class method. Fixes #39586. (Taufiq Muhammadi)
Action Pack
* Accept base64_urlsafe CSRF tokens to make forward compatible.
* Base64 strict-encoded CSRF tokens are not inherently websafe, which
makes them difficult to deal with. For example, the common practice
of sending the CSRF token to a browser in a client-readable cookie
does not work properly out of the box: the value has to be
url-encoded and decoded to survive transport.
In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which
are inherently safe to transport. Validation accepts both urlsafe
tokens, and strict-encoded tokens for backwards compatibility.
In Rails 5.2.5, the CSRF token format is accidentally changed to
urlsafe-encoded. If you upgrade apps from 5.2.5, set the config
urlsafe_csrf_tokens = true.
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
(Scott Blum, Étienne Barrié)
* Signed and encrypted cookies can now store false as their value when
action_dispatch.use_cookies_with_metadata is enabled. (Rolandas
Barysas)
Active Storage
* The Poppler PDF previewer renders a preview image using the original
document's crop box rather than its media box, hiding print
margins. This matches the behavior of the MuPDF previewer. (Vincent
Robert)
Railties
* Allow relative paths with trailing slashes to be passed to rails
test. (Eugene Kenny)
* Return a 405 Method Not Allowed response when a request uses an
unknown HTTP method. Fixes #38998. (Loren Norman)
|
2021-05-08 16:02:34 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
www/ruby-rails60: update to 6.0.3.7
Real changes are in www/ruby-actionpack60 only.
## Rails 6.0.3.7 (May 05, 2021) ##
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
|
2021-04-11 15:24:58 by Takahiro Kambe | Files touched by this commit (15) | |
Log message:
www/ruby-rails60: update to 6.0.3.6
Real changes are in devel/ruby-activestorage60 only.
## Rails 6.0.3.6 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
|
2021-02-11 15:30:08 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
www/ruby-rails60: update to 6.0.3.5
databases/ruby-activerecord60:
## Rails 6.0.3.5 (February 10, 2021) ##
* Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
*Aaron Patterson*
www/ruby-actionpack60
## Rails 6.0.3.5 (February 10, 2021) ##
* Prevent open redirect when allowed host starts with a dot
[CVE-2021-22881]
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
issue and the patch!
*Aaron Patterson*
|
2020-10-19 16:50:32 by Takahiro Kambe | Files touched by this commit (15) | |
Log message:
www/ruby-rails60: update to 6.0.3.4
Update Ruby on Rails 6.0 related packages to 6.0.3.4.
This is security fix for ruby-actionpack60.
## Rails 6.0.3.4 (October 07, 2020) ##
* [CVE-2020-8264] Prevent XSS in Actionable Exceptions
|
2020-09-10 16:30:03 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
www/ruby-rails60: update to 6.0.3.3
Update Ruby on Rails 60 to 6.0.3.3.
Security fix in ruby-actionview60.
## Rails 6.0.3.3 (September 09, 2020) ##
* [CVE-2020-8185] Fix potential XSS vulnerability in the `translate`/`t` helper.
*Jonathan Hefner*
|
2020-06-18 15:38:47 by Takahiro Kambe | Files touched by this commit (14) | |
Log message:
lang/rails60: update to 6.0.3.2
Update Ruby on Rails to 6.0.3.2.
www/ruby-actionpack60 is the really updated package and other packages
have no change except version.
CHANGELOG of www/ruby-actionpack60 is here:
## Rails 6.0.3.2 (June 17, 2020) ##
* [CVE-2020-8185] Only allow ActionableErrors if
show_detailed_exceptions is enabled
|
2020-05-21 18:04:24 by Takahiro Kambe | Files touched by this commit (25) |
Log message:
Remove RUBY_VERSIONS_INCOMPATIBLE for ruby24.
|
2020-05-19 19:16:26 by Takahiro Kambe | Files touched by this commit (1) | |
Log message:
devel/ruby-activestorage60: update to 6.0.3.1
Update ruby-activestorage60 to 6.0.3.1.
## Rails 6.0.3.1 (May 18, 2020) ##
* [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct \
upload
|