* master-sec:
fix protocol checking in sanitization [CVE-2013-1857]
JDOM XXE Protection [CVE-2013-1856]
fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
stop calling to_sym when building arel nodes [CVE-2013-1854]
Closes #9772.
`TimeWithZone` delegates everything to the wrapped `Time` object
using `method_missing`. The result is that a `NoMethodError`
will be raised in the context of `Time`, which leads to misleading
debug output.
This reverts commit 867dc1700f32aae6f98c4651bd501597e6b52bc0, reversing
changes made to 9a421aaa8285cf2a7ecb1af370748b0337818930.
This breaks anyone who's using ForceSSL: https://travis-ci.org/rails-api/rails-api/jobs/5556065
Please see comments on #8156 for some discussion.
1. When comparing the directory to delete against the top level
cache_path, use File.realpath to make sure we aren't comparing two
unequal strings that point to the same path. This occurs, for
example, when cache_path has a trailing slash, which it does in the
default Rails configuration. Since the input to
delete_empty_directories never has a trailing slash, the comparison
will never be true and the top level cache directory (and above) may
be deleted. However…
2. File.delete raises EPERM when trying to delete a directory, so no
directories have ever been deleted. Changing the code to Dir.delete
fixes that.
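Both points above, as an added example that is not Rails' own cache-store code: `delete_empty_directories` walks up from a leaf directory removing empty directories, compares against the cache root through `File.realpath` so a trailing slash cannot defeat the guard, refuses to climb outside the root at all, and uses `Dir.delete` rather than `File.delete`. The `demo` helper and its temporary directory layout are constructed here purely to exercise the function.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example (not the Rails implementation): remove empty directories
# from +dir+ upwards, stopping at +cache_path+.
def delete_empty_directories(cache_path, dir)
  # realpath strips trailing slashes and resolves symlinks, so the root
  # comparison below is on canonical paths rather than raw strings.
  root = File.realpath(cache_path)
  deleted = []
  loop do
    current = File.realpath(dir)
    return deleted if current == root
    # Never walk outside the cache root, whatever +dir+ was.
    return deleted unless current.start_with?(root + File::SEPARATOR)
    # Stop at the first directory that still has entries.
    return deleted unless Dir.empty?(current)
    Dir.delete(current) # File.delete would raise EPERM on a directory
    deleted << current
    dir = File.dirname(current)
  end
end

# Constructed scenario: a cache root with a trailing slash (as in the
# default Rails configuration) and an empty nested leaf directory.
def demo
  Dir.mktmpdir do |tmp|
    cache_path = File.join(tmp, 'cache') + '/'
    leaf = File.join(tmp, 'cache', 'a', 'b', 'c')
    FileUtils.mkdir_p(leaf)
    parent_of_a = File.join(tmp, 'cache') # what a walk-up produces: no trailing slash
    deleted = delete_empty_directories(cache_path, leaf)
    {
      deleted: deleted.size,
      root_kept: Dir.exist?(cache_path),
      # Plain string comparison never matches because of the slash ...
      string_guard_works: parent_of_a == cache_path,
      # ... while the realpath comparison does.
      realpath_guard_works: File.realpath(parent_of_a) == File.realpath(cache_path)
    }
  end
end
```

Running `demo` deletes `c`, `b` and `a` and leaves the cache root in place; the two guard flags show why the original string comparison could never be true.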
Use the standard library's `DateTime.parse` because it's marginally
faster and supports partial date/time strings.
Benchmark:
           user      system    total     real
  old  3.980000    0.000000  3.980000 ( 3.987606)
  new  3.640000    0.010000  3.650000 ( 3.641342)
This commit standardises the return value of `to_time` to an instance
of `Time` in the local system timezone, matching the Ruby core and
standard library behavior.
The default form for `String#to_time` has been changed from :utc to
:local but research seems to suggest the latter is the more common form.
Also fix an edge condition with `String#to_time` where the string has
a timezone offset in it and the mode is :local, e.g.:
# Before:
>> "2000-01-01 00:00:00 -0500".to_time(:local)
=> 2000-01-01 05:00:00 -0500
# After:
>> "2000-01-01 00:00:00 -0500".to_time(:local)
=> 2000-01-01 00:00:00 -0500
Closes #2453
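The behaviour described in the last two commit messages (partial strings via the standard-library parser, and an explicit offset in the string being honoured in :local mode), as an added example that is not ActiveSupport's `String#to_time`: `string_to_time` is a hypothetical stand-in built on `Date._parse`, the field parser that `DateTime.parse` uses internally, and returns a plain `Time`.

```ruby
require 'date'

# Added example (not ActiveSupport's code): minimal String -> Time
# conversion mirroring the described :local / :utc forms.
def string_to_time(str, form = :local)
  parts = Date._parse(str)       # e.g. {:year=>2000, :mon=>1, :mday=>1, ..., :offset=>-18000}
  return nil if parts.empty?
  year = parts.fetch(:year)
  mon  = parts.fetch(:mon, 1)    # partial strings such as "2000-01-01" default the rest
  mday = parts.fetch(:mday, 1)
  hour = parts.fetch(:hour, 0)
  min  = parts.fetch(:min, 0)
  sec  = parts.fetch(:sec, 0)

  if parts[:offset]
    # The string carries its own offset: keep the wall-clock fields and
    # attach that offset, so "00:00:00 -0500" stays 00:00:00 -0500 in
    # :local mode instead of being shifted by five hours.
    t = Time.new(year, mon, mday, hour, min, sec, parts[:offset])
    form == :utc ? t.utc : t
  elsif form == :utc
    Time.utc(year, mon, mday, hour, min, sec)
  else
    Time.local(year, mon, mday, hour, min, sec)
  end
end
```

`string_to_time("2000-01-01 00:00:00 -0500", :local)` yields a `Time` whose hour is still 0 and whose `utc_offset` is -18000; the :utc form of the same string moves to 05:00 UTC.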