A previous commit swapped out a call to select for a call to grep in
time_zone_options_for_select. This behavior actually causes the
regexp priority option to stop working.
ActiveSupport::TimeZone overrides the =~ operator which is what the
select block was using previously. Enumerable#grep
checks pattern === element and in this case that would be /US/ ===
ActiveSupport::TimeZone which does not work because
ActiveSupport::TimeZone does not supply an implicit converting to_str
method, only an explicit to_s method.
It would be impossible to provide a to_str method that behaves
identically to the =~ method provided on ActiveSupport::TimeZone
so the only option is to revert back to using select with =~.
When setting the layout either by referencing a method or supplying a
Proc there is no way to fall back to the default lookup behavior if
desired. This patch allows fallback to the layout lookup behavior when
returning nil from the proc or method.
if the given key is not found then verifier does raise
`ActiveSupport::MessageVerifier::InvalidSignature` exception
but this exception is resuced and finally nil is returned.
If the host in `default_url_options` is accidentally set with a protocol such as
```
host: "http://example.com"
```
then the generated url will have the protocol twice `http://http://example.com` which is not what the user intended. Likely they wanted to define a host `host: "example.com"` and a `protocol: "http://"` but did not know the convention.
This may not the most common problem, but when it happens it can go undetected for a while. I accidentally added `http://` out of habit recently only to find all the links in my emails were broken after deploying a demo site to production. Rather than allow this accident go undetected, we can fix the problem in line by properly setting the protocol and host.
I was able to find this related question on stack overflow: http://stackoverflow.com/questions/5878329/rails-3-devise-how-do-i-make-the-email-confirmation-links-use-secure-https-n where the answer was highly upvoted.
This is based off of work in #7415 cc/ @pixeltrix
ATP Action Mailer and Action Pack
* master-sec:
fix protocol checking in sanitization [CVE-2013-1857]
JDOM XXE Protection [CVE-2013-1856]
fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
stop calling to_sym when building arel nodes [CVE-2013-1854]