66
77* Skip blank attribute names in tag helpers to avoid generating invalid HTML.
88
9+ [ CVE-2026 -33168]
10+
911 * Mike Dalessio*
1012
1113
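Review bot: the CVE-2026-33168 reference added to the "Skip blank attribute names in tag helpers" entry comes with no sentence on the security impact, whereas the Active Storage streaming entry touched in this same commit explains its effect ("Content ranges that are too big can result in denial of service."); add a one-line description of what blank attribute names allowed so readers of the changelog can judge their exposure.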
1+ * Filter user supplied metadata in DirectUploadController
2+
3+ [ CVE-2026 -33173]
4+
5+ * Jean Boussier*
6+
17* Configurable maxmimum streaming chunk size
28
39 Makes sure that byte ranges for blobs don't exceed 100mb by default.
410 Content ranges that are too big can result in denial of service.
511
12+ [ CVE-2026 -33174]
13+
614 * Gannon McGibbon*
715
16+ * Limit range requests to a single range
17+
18+ [ CVE-2026 -33658]
19+
20+ * Jean Boussier*
21+
822
923* Prevent path traversal in ` DiskService ` .
1024
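Review bot: the two new entries "Filter user supplied metadata in DirectUploadController" (CVE-2026-33173) and "Limit range requests to a single range" (CVE-2026-33658) consist only of a title, a CVE id and an author, while the neighbouring "Configurable maximum streaming chunk size" entry describes the issue and its effect; add a sentence to each stating what the unfiltered metadata or the multi-range request could cause. While this file is being edited, the unchanged context line "Configurable maxmimum streaming chunk size" has a typo: "maxmimum" should be "maximum".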
1731
1832 ` DiskController ` now explicitly rescues ` InvalidKeyError ` with appropriate HTTP status codes.
1933
34+ [ CVE-2026 -33195]
35+
2036 * Mike Dalessio*
2137
2238* Prevent glob injection in ` DiskService#delete_prefixed ` .
2743 glob metacharacters. This change presumes that is unintended behavior (as other storage services
2844 do not respect these metacharacters).
2945
46+ [ CVE-2026 -33202]
47+
3048 * Mike Dalessio*
3149
3250
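Review bot: the DiskService path traversal entry, now tagged CVE-2026-33195, says `DiskController` rescues `InvalidKeyError` "with appropriate HTTP status codes" without naming them; state the status code(s) actually returned so operators can recognise rejected keys in their access logs.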
1+ * Reject scientific notation in NumberConverter
2+
3+ [ CVE-2026 -33176]
4+
5+ * Jean Boussier*
6+
7+ * Fix ` SafeBuffer#% ` to preserve unsafe status
8+
9+ [ CVE-2026 -33170]
10+
11+ * Jean Boussier*
12+
13+ * Improve performance of NumberToDelimitedConverter
14+
15+ [ CVE-2026 -33169]
16+
17+ * Jean Boussier*
18+
19+
120## Rails 8.1.2 (January 08, 2026) ##
221
322* Make ` delegate ` and ` delegate_missing_to ` work in BasicObject subclasses.
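Review bot: the third new entry, "Improve performance of NumberToDelimitedConverter", is titled as a performance change yet carries CVE-2026-33169, and the first two entries ("Reject scientific notation in NumberConverter", CVE-2026-33176; "Fix `SafeBuffer#%` to preserve unsafe status", CVE-2026-33170) likewise give no description of impact; add a line to each saying what input triggered the problem and what its effect was, so the CVE references are meaningful to readers of the changelog.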