Sync CHANGELOGs [ci skip]

2022-11-09 12:12:34 -05:00 · 2012-08-11 13:11:01 -03:00 · 2012-08-11 13:11:01 -03:00 · 8781b266b9
commit 8781b266b9
parent 347f8c5325
5 changed files with 231 additions and 33 deletions
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@ -6,6 +6,22 @@

 * Asynchronously send messages via the Rails Queue *Brian Cardarella*

+
+## Rails 3.2.8 (Aug 9, 2012) ##
+
+*   No changes.
+
+
+## Rails 3.2.7 (Jul 26, 2012) ##
+
+*   No changes.
+
+
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+*   No changes.
+
+
 ## Rails 3.2.5 (Jun 1, 2012) ##

 *   No changes.
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -330,6 +330,67 @@
    HTML5 `mark` element. *Brian Cardarella*


+## Rails 3.2.8 (Aug 9, 2012) ##
+
+*   There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+    helper doesn't correctly handle malformed html.  As a result an attacker can
+    execute arbitrary javascript through the use of specially crafted malformed
+    html.
+
+    *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
+*   When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
+    If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+    Vulnerable code will look something like this:
+    select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+    *Santiago Pastorino*
+
+*   Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
+
+*   Reverted the deprecation of `:disable_with`. *Rafael Mendonça França*
+
+*   Reverted the deprecation of `:mouseover` option to `image_tag`. *Rafael Mendonça França*
+
+*   Reverted the deprecation of `button_to_function` and `link_to_function` helpers.
+
+    *Rafael Mendonça França*
+
+
+## Rails 3.2.7 (Jul 26, 2012) ##
+
+*   Do not convert digest auth strings to symbols. CVE-2012-3424
+
+*   Bump Journey requirements to 1.0.4
+
+*   Add support for optional root segments containing slashes
+
+*   Fixed bug creating invalid HTML in select options
+
+*   Show in log correct wrapped keys
+
+*   Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
+
+*   ActionController::Metal doesn't have logger method, check it and then delegate
+
+*   ActionController::Caching depends on RackDelegation and AbstractController::Callbacks
+
+
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+*   nil is removed from array parameter values
+
+    CVE-2012-2694
+
+*   Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers.
+
+    *Carlos Galdino*
+
+*   Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki*
+
+*   Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
+
+
 ## Rails 3.2.5 (Jun 1, 2012) ##

 *   No changes.
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@ -39,10 +39,24 @@

 *   When `^` or `$` are used in the regular expression provided to `validates_format_of` and the :multiline option is not set to true, an exception will be raised. This is to prevent security vulnerabilities when using `validates_format_of`. The problem is described in detail in the Rails security guide.

+
+## Rails 3.2.8 (Aug 9, 2012) ##
+
+*   No changes.
+
+
+## Rails 3.2.7 (Jul 26, 2012) ##
+
+* `validates_inclusion_of` and `validates_exclusion_of` now accept `:within` option as alias of `:in` as documented.
+
+* Fix the the backport of the object dup with the ruby 1.9.3p194.
+
+
 ## Rails 3.2.6 (Jun 12, 2012) ##

 *   No changes.

+
 ## Rails 3.2.5 (Jun 1, 2012) ##

 *   No changes.
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@ -582,6 +582,86 @@
 *   PostgreSQL hstore types are automatically deserialized from the database.


+## Rails 3.2.8 (Aug 9, 2012) ##
+
+*   Do not consider the numeric attribute as changed if the old value is zero and the new value
+    is not a string.
+    Fixes #7237.
+
+    *Rafael Mendonça França*
+
+*   Do not consider the numeric attribute as changed if the old value is zero and the new value
+    is not a string.
+    Fixes #7237.
+
+    *Rafael Mendonça França*
+
+*   Removes the deprecation of `update_attribute`. *fxn*
+
+*   Reverted the deprecation of `composed_of`. *Rafael Mendonça França*
+
+*   Reverted the deprecation of `*_sql` association options. They will
+    be deprecated in 4.0 instead. *Jon Leighton*
+
+*   Do not eager load AR session store. ActiveRecord::SessionStore depends on the abstract store
+    in Action Pack. Eager loading this class would break client code that eager loads Active Record
+    standalone.
+    Fixes #7160
+
+    *Xavier Noria*
+
+*   Do not set RAILS_ENV to "development" when using `db:test:prepare` and related rake tasks.
+    This was causing the truncation of the development database data when using RSpec.
+    Fixes #7175.
+
+    *Rafael Mendonça França*
+
+
+## Rails 3.2.7 (Jul 26, 2012) ##
+
+*   `:finder_sql` and `:counter_sql` options on collection associations
+    are deprecated. Please transition to using scopes.
+
+    *Jon Leighton*
+
+*   `:insert_sql` and `:delete_sql` options on `has_and_belongs_to_many`
+    associations are deprecated. Please transition to using `has_many
+    :through`
+
+    *Jon Leighton*
+
+*   `composed_of` has been deprecated. You'll have to write your own accessor
+    and mutator methods if you'd like to use value objects to represent some
+    portion of your models.
+
+    *Steve Klabnik*
+
+*   `update_attribute` has been deprecated. Use `update_column` if
+    you want to bypass mass-assignment protection, validations, callbacks,
+    and touching of updated_at. Otherwise please use `update_attributes`.
+
+    *Steve Klabnik*
+
+
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+*   protect against the nesting of hashes changing the
+    table context in the next call to build_from_hash. This fix
+    covers this case as well.
+
+    CVE-2012-2695
+
+*   Revert earlier 'perf fix' (see 3.2.4 changelog / GH #6289). This
+    change introduced a regression (GH #6609). assoc.clear and
+    assoc.delete_all have loaded the association before doing the delete
+    since at least Rails 2.3. Doing the delete without loading the
+    records means that the `before_remove` and `after_remove` callbacks do
+    not get invoked. Therefore, this change was less a fix a more an
+    optimisation, which should only have gone into master.
+
+    *Jon Leighton*
+
+
 ## Rails 3.2.5 (Jun 1, 2012) ##

 *   Restore behavior of Active Record 3.2.3 scopes.
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@ -105,6 +105,33 @@
 *   Remove deprecated ActiveSupport::JSON::Variable. *Erich Menge*


+## Rails 3.2.8 (Aug 9, 2012) ##
+
+*   Fix ActiveSupport integration with Mocha > 0.12.1. *Mike Gunderloy*
+
+*   Reverted the deprecation of ActiveSupport::JSON::Variable. *Rafael Mendonça França*
+
+*   ERB::Util.html_escape now escapes single quotes. *Santiago Pastorino*
+
+
+## Rails 3.2.7 (Jul 26, 2012) ##
+
+*   Hash#fetch(fetch) is not the same as doing hash[key]
+
+*   adds a missing require [fixes #6896]
+
+*   make sure the inflection rules are loaded when cherry-picking active_support/core_ext/string/inflections.rb [fixes #6884]
+
+*   Merge pull request #6857 from rsutphin/as_core_ext_time_missing_require
+
+*   bump AS deprecation_horizon to 4.0
+
+
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+*   No changes.
+
+
 ## Rails 3.2.5 (Jun 1, 2012) ##

 *   ActiveSupport::JSON::Variable is deprecated. Define your own #as_json and #encode_json methods