
Conversation

@danielpclark
Collaborator

This is similar to PR #79 .

UPDATES:

  • Ruby updated to 2.3.4
  • Rails updated to 4.2.8
  • ActiveAdmin updated to 1.0.0 stable
  • And other stable updates

Security updates for Rails include the previously mentioned:

  • CVE-2016-6317 5/10 Threat
    Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does
    not properly consider differences in parameter handling
    between the Active Record component and the JSON
    implementation, which allows remote attackers to bypass
    intended database-query restrictions and perform NULL
    checks or trigger missing WHERE clauses via a crafted
    request, as demonstrated by certain "[nil]" values, a
    related issue to CVE-2012-2660, CVE-2012-2694, and
    CVE-2013-0155.

  • CVE-2016-6316 4.3/10 Threat
    Cross-site scripting (XSS) vulnerability in Action View
    in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1,
    and 5.x before 5.0.0.1 might allow remote attackers to
    inject arbitrary web script or HTML via text declared as
    "HTML safe" and used as attribute values in tag handlers.


Server was complaining about backbone-min.map and
underscore-min.map missing so I added those in.

ActiveAdmin pages when first visited from the main site
would falsely include the application template. A
JavaScript fix was implemented for this.

ActiveAdmin logout would previously exit to the admin
login page. This has been fixed.

Navbar had a drop down menu with no useful links. This
has been removed.

A few links were painfully huge at header 1 size. I've
reduced those to header 3 size.
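As an added example (not code from this PR or the project): a small Ruby check that reads a Gemfile.lock, picks out the resolved rails version, and reports whether it falls inside the affected ranges quoted for CVE-2016-6317 and CVE-2016-6316 above. The two lock files are constructed for illustration (rails 4.2.6 before the bump, 4.2.8 after), and the ranges are transcribed from the CVE text quoted in the description rather than taken from the advisories directly, so confirm them against NVD before relying on this for anything beyond a sanity check in CI.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby's stdlib

# Affected Rails ranges, transcribed from the CVE text quoted in the PR
# description. Assumption: that quoted text matches the advisories.
RAILS_ADVISORIES = {
  # Active Record "[nil]" parameter handling: 4.2.x before 4.2.7.1
  'CVE-2016-6317' => [Gem::Requirement.new('~> 4.2.0', '< 4.2.7.1')],
  # Action View XSS via "HTML safe" attribute values in tag helpers:
  # 3.x before 3.2.22.3, 4.x before 4.2.7.1, 5.x before 5.0.0.1
  'CVE-2016-6316' => [
    Gem::Requirement.new('~> 3.0', '< 3.2.22.3'),
    Gem::Requirement.new('~> 4.0', '< 4.2.7.1'),
    Gem::Requirement.new('~> 5.0', '< 5.0.0.1'),
  ],
}.freeze

# Resolved gems in a Gemfile.lock sit under a "specs:" block, indented by
# exactly four spaces as "name (version)". Their dependency lines use six
# spaces and the DEPENDENCIES section uses two, so indentation alone picks
# out the resolved versions; a "(= 4.2.6)" constraint has a space and is
# skipped by the version pattern as well.
SPEC_LINE = /\A {4}(?<name>\S+) \((?<version>[^)\s]+)\)\s*\z/

# Returns { "gem name" => Gem::Version } for every resolved gem in the lock.
def locked_gems(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, gems|
    m = SPEC_LINE.match(line.chomp)
    gems[m[:name]] = Gem::Version.new(m[:version]) if m
  end
end

# Returns the advisory IDs whose affected range contains the locked rails version.
def vulnerable_rails(gems, advisories = RAILS_ADVISORIES)
  version = gems['rails']
  return [] unless version # no rails in the lock: nothing to report
  advisories.select { |_id, ranges| ranges.any? { |r| r.satisfied_by?(version) } }.keys
end

# Constructed sample lock files (not taken from the repository): the state
# before this PR's Rails bump and the state after it.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.2.6)
        rack (~> 1.6)
      activerecord (4.2.6)
      rack (1.6.4)
      rails (4.2.6)
        actionpack (= 4.2.6)
        activerecord (= 4.2.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 4.2.6)
LOCK
LOCK_AFTER = LOCK_BEFORE.gsub('4.2.6', '4.2.8')

if $PROGRAM_NAME == __FILE__
  { 'before bump' => LOCK_BEFORE, 'after bump' => LOCK_AFTER }.each do |label, lock|
    gems = locked_gems(lock)
    hits = vulnerable_rails(gems)
    puts "#{label}: rails #{gems['rails']} -> " +
         (hits.empty? ? 'no listed advisory' : hits.join(', '))
  end
end
```

To run it against a real project, replace the constructed strings with `File.read('Gemfile.lock')`; the check only looks at the `rails` gem, so a lock that pins `activerecord` or `actionview` without `rails` would need those names added to the lookup.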

@danielpclark
Collaborator Author

If you find these changes acceptable I would really appreciate having them merged in.

@danielpclark requested a review from h-m-m on April 25, 2017 21:39
@danielpclark
Collaborator Author

@h-m-m Should I ask some one else to review?

For any changes, please create a feature branch and open a PR for it when you feel it's ready to merge. Even if there's no real disagreement about a PR, at least one other person on the team needs to look over a PR before merging. The purpose of this review requirement is to ensure shared knowledge of the app and its changes and to take advantage of the benefits of working together on changes without any single person being a bottleneck to making progress.

@kalimar

kalimar commented May 12, 2017

I'd feel best if someone on the project looked since I don't have much context. That said, I don't see anything glaring there. Pretty straightforward changes that don't involve any business logic of sorts. 👍 Thanks for putting in the work!


3 participants