Comparing changes
base repository: rails/rails
base: v6.1.7.3
head repository: rails/rails
compare: v6.1.7.6
  • 8 commits
  • 38 files changed
  • 2 contributors

Commits on Jun 26, 2023

  1. Added check for illegal HTTP header value in redirect_to

    The set of legal characters for an HTTP header value is described
    in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6.
    
    This commit adds a check to redirect_to that ensures the
    provided URL does not contain any of the illegal characters.
    
    Downstream consumers of the resulting Location response header
    may remove the header if it does not comply with the RFC.
    This can result in a cross site scripting (XSS) vector by
    allowing for the redirection page to sit idle waiting
    for user interaction with the provided malicious link.
    
    [CVE-2023-28362]
    fresh-eggs authored and tenderlove committed Jun 26, 2023
    1c3f93d
  2. update changelog

    tenderlove committed Jun 26, 2023
    11d5de1
  3. 7d949d7
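Commit 1 above rejects redirect targets that contain bytes outside the RFC 7230 §3.2.6 field-value grammar. The following is an added example written for this page, not the patch itself and not Rails' `redirect_to` code: it encodes that grammar as a byte predicate, reports exactly which bytes are illegal, and refuses to emit a Location header containing any of them. It is slightly more general than the commit in that it can validate any header value, not only Location. The names `IllegalHeaderValueError`, `safe_location` and `redirect_headers` are hypothetical, and the sample URLs at the bottom are constructed.

```ruby
# Added example, not Rails' own code. Exception name is an assumption.
class IllegalHeaderValueError < ArgumentError; end

# RFC 7230 section 3.2.6: field-content is VCHAR (0x21-0x7E) or obs-text
# (0x80-0xFF), separated by SP (0x20) or HTAB (0x09). Every other byte is a
# control character and may not appear in a header value. Working on bytes,
# not characters, avoids any dependence on the string's encoding.
def legal_header_byte?(byte)
  byte == 0x09 || (0x20..0x7E).cover?(byte) || byte >= 0x80
end

# Returns the list of offending bytes (empty when the value is legal), so the
# caller can say precisely what was rejected instead of just "invalid".
def illegal_header_bytes(value)
  value.to_s.each_byte.reject { |b| legal_header_byte?(b) }
end

def legal_header_value?(value)
  illegal_header_bytes(value).empty?
end

# Hypothetical helper: the value a redirect may place in Location, or an error.
# Rejecting (rather than stripping or encoding) keeps a tampered URL from being
# silently turned into a different, still-attacker-controlled destination.
def safe_location(url)
  bad = illegal_header_bytes(url)
  unless bad.empty?
    listed = bad.map { |b| format("0x%02X", b) }.join(" ")
    raise IllegalHeaderValueError, "redirect URL contains illegal header byte(s): #{listed}"
  end
  url.to_s
end

# Hypothetical helper: minimal header set for a 302 whose target has been checked.
def redirect_headers(url)
  { "Location" => safe_location(url), "Content-Type" => "text/html; charset=utf-8" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a clean URL, a CRLF header-injection attempt, a NUL byte.
  [
    "https://example.com/account?next=1",
    "https://example.com/\r\nSet-Cookie: session=attacker",
    "https://example.com/\x00",
  ].each do |url|
    begin
      redirect_headers(url)
      puts "accepted #{url.inspect}"
    rescue IllegalHeaderValueError => e
      puts "rejected #{url.inspect}: #{e.message}"
    end
  end
end
```

Note that the grammar permits SP and HTAB inside a field value, so a space in a URL passes this check even though it is not a valid URL character; this check is about header-field integrity, not URL syntax, and the usual `allow_other_host`-style host validation still has to run separately.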

Commits on Aug 22, 2023

  1. Use a temporary file for storing unencrypted files while editing

    When we're editing the contents of encrypted files, we should use the
    `Tempfile` class because it creates temporary files with restrictive
    permissions.  This prevents other users on the same system from reading
    the contents of those files while the user is editing them.
    
    [CVE-2023-38037]
    tenderlove committed Aug 22, 2023
    c85cc66
  2. c2af578
  3. 3a1b615
  4. Bumping version for new release

    I accidentally made it so files have read-only permissions.  Making a
    new release to fix it
    tenderlove committed Aug 22, 2023
    1f03e9d
  5. 56bcc0a
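Commit 1 in the Aug 22 list moves the decrypted scratch copy of an encrypted file into a `Tempfile` so other local users cannot read it during an edit. The following is an added example written for this page, not Rails' `EncryptedFile` code: it puts the weak pattern (a predictable name under `Dir.tmpdir`, created with the process umask) next to the hardened one (`Tempfile.create`, which opens with `O_EXCL` and mode 0600 and unlinks on block exit), measures the resulting modes, and runs an edit round-trip in which a block stands in for the external editor. The file name suffix `-secrets.yml` and the sample contents are constructed.

```ruby
# Added example, not Rails' own code.
require "tempfile"
require "tmpdir"

# Weak pattern: plaintext at a predictable path in the shared temp directory,
# created with File.binwrite's default permission 0666 & ~umask (0644 on most
# systems). Any local user can read it while the editor is open.
def scratch_mode_weak(plaintext)
  path = File.join(Dir.tmpdir, "#{Process.pid}.secrets.yml") # constructed name
  File.binwrite(path, plaintext)
  File.stat(path).mode & 0o777
ensure
  File.unlink(path) if path && File.exist?(path)
end

# Hardened pattern: Tempfile.create picks an unpredictable name, opens it with
# O_CREAT|O_EXCL (no symlink/pre-creation races) and mode 0600, and the block
# form closes and unlinks it when the block returns or raises.
def scratch_mode_safe(plaintext)
  Tempfile.create(["", "-secrets.yml"]) do |f|
    f.binmode
    f.write(plaintext)
    f.flush
    File.stat(f.path).mode & 0o777
  end
end

# Edit round-trip: decrypted contents go to the 0600 scratch file, the editor
# (the block, standing in for $EDITOR) rewrites the file by path, the result is
# read back, and the plaintext is unlinked whether or not the editor raised.
# Returns the edited contents, the mode observed and the path used.
def edit_secret(decrypted)
  Tempfile.create(["", "-secrets.yml"]) do |f|
    f.binmode
    f.write(decrypted)
    f.flush
    mode = File.stat(f.path).mode & 0o777
    yield f.path
    # Read by path, not through `f`: an editor that saves by rename leaves `f`
    # pointing at the old inode and we would re-encrypt the stale contents.
    { contents: File.binread(f.path), mode: mode, path: f.path }
  end
end

if __FILE__ == $PROGRAM_NAME
  printf "weak scratch file mode: %04o\n", scratch_mode_weak("secret: 1\n")
  printf "safe scratch file mode: %04o\n", scratch_mode_safe("secret: 1\n")
  result = edit_secret("secret: 1\n") { |path| File.binwrite(path, "secret: 2\n") }
  printf "edited contents: %p, mode %04o, scratch removed: %s\n",
         result[:contents], result[:mode], !File.exist?(result[:path])
end
```

The 0600 mode belongs to the scratch file only; whatever writes the re-encrypted result back to its real location should use that location's normal permissions rather than inheriting the temp file's, which is the kind of mistake commit 4's message describes having to fix with a follow-up release.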