From ba5d0e0d7fb9df934426c9641afb1ac0f0cda4e2 Mon Sep 17 00:00:00 2001
From: Toshi MARUYAMA
Date: Tue, 15 Apr 2014 22:57:02 +0900
Subject: [PATCH 1/7] fix travis build status image src of release/3.0 branch
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 88c2ecc54133..c64ab48a9ce8 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # OpenProject
-[Build Status](https://travis-ci.org/opf/openproject)
+[Build Status](https://travis-ci.org/opf/openproject)
 [Dependency Status](https://gemnasium.com/opf/openproject)
 OpenProject is a web-based project management software. Its key features are:
From 9ae0e5f7b9a7cbf76e15a3cebb59e4f81cc12041 Mon Sep 17 00:00:00 2001
From: Martin Linkhorst
Date: Wed, 16 Apr 2014 13:34:59 +0200
Subject: [PATCH 2/7] refactor session store initializer
---
 config/initializers/session_store.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 50e5d61c73c2..f2b5aa513e66 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -29,8 +29,10 @@
 # Be sure to restart your server when you modify this file.
-if Rails.env.production?
- OpenProject::Application.config.session_store ActionDispatch::Session::CacheStore
-else
- OpenProject::Application.config.session_store :cookie_store, :key => '_open_project_session'
-end
+session_store = Rails.env.production? ? :cache_store : :cookie_store
+
+session_options = {
+ :key => '_open_project_session'
+}
+
+OpenProject::Application.config.session_store session_store, session_options
From afb6292501b0b617879d6cfa47c6be846272ed2e Mon Sep 17 00:00:00 2001
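Review bot: The `:key` option now also applies to the production cache store, whereas the removed `ActionDispatch::Session::CacheStore` call used Rails' default cookie name (presumably `_session_id`), so existing production session cookies stop matching on deploy and every user is logged out once; that deserves a mention in the commit message or a comment such as `# NOTE: production cookie name changed from the Rails default; existing sessions are invalidated on upgrade`. The option hash sets neither `:secure` nor `:expire_after`: if production is served over HTTPS only, `:secure => true` keeps the session id off plain-HTTP requests, and without `:expire_after` a cache-store session lives until the cache evicts it. Both may be deliberate, but a one-line comment stating that would save the next reader the same question.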
From: Martin Linkhorst
Date: Wed, 16 Apr 2014 13:35:59 +0200
Subject: [PATCH 3/7] set the path attribute of the session cookie when a relative url root is set
---
 config/initializers/session_store.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index f2b5aa513e66..79842257e53a 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -31,8 +31,11 @@
 session_store = Rails.env.production? ? :cache_store : :cookie_store
+relative_url_root = OpenProject::Configuration['rails_relative_url_root'] || '/'
+
 session_options = {
- :key => '_open_project_session'
+ :key => '_open_project_session',
+ :path => relative_url_root
 }
 OpenProject::Application.config.session_store session_store, session_options
From 6adb469477d6e8e70d508213cdf3805a6c19b566 Mon Sep 17 00:00:00 2001
From: Martin Linkhorst
Date: Wed, 16 Apr 2014 15:20:46 +0200
Subject: [PATCH 4/7] config can contain an empty string. use presence to convert that to nil. pass it directly to :path. rails handles the nil case with its default like before.
---
 config/initializers/session_store.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 79842257e53a..93ed7076d4df 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -31,7 +31,7 @@
 session_store = Rails.env.production? ? :cache_store : :cookie_store
-relative_url_root = OpenProject::Configuration['rails_relative_url_root'] || '/'
+relative_url_root = OpenProject::Configuration['rails_relative_url_root'].presence
 session_options = {
 :key => '_open_project_session',
From 4775f66e772e59ea2c1f21cd4375afe510aaf225 Mon Sep 17 00:00:00 2001
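Review bot: The configured value goes straight into the cookie `:path` without normalization, and browsers match cookie paths by prefix, so a root of `/op` also scopes the session to `/op2` or `/open` on the same host, while a value with a trailing slash or without a leading slash changes which requests the cookie is sent with at all. A short comment would make the contract explicit, e.g. `# expected to match config.relative_url_root: leading slash, no trailing slash; the cookie is sent to every URL under this prefix`. If the setting is not validated elsewhere (not visible here), normalizing with `.sub(%r{\A/*}, '/').chomp('/')` before `.presence` would make the cookie scope independent of how the value was typed.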
From: Toshi MARUYAMA
Date: Thu, 17 Apr 2014 18:21:23 +0000
Subject: [PATCH 5/7] fix non-ascii attachment file name get corrupted in IE11 (#16711) Contributed by Go MAEDA. git-svn-id: http://svn.redmine.org/redmine/trunk@13101 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1aaa043f0530..e49097327f55 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -555,7 +555,7 @@ def parse_qvalues(value)
 # Returns a string that can be used as filename value in Content-Disposition header
 def filename_for_content_disposition(name)
- request.env['HTTP_USER_AGENT'] =~ %r{MSIE} ? ERB::Util.url_encode(name) : name
+ request.env['HTTP_USER_AGENT'] =~ %r{(MSIE|Trident)} ? ERB::Util.url_encode(name) : name
 end
 def api_request?
From ef0a8b971ba4ff0b9b0e082bea7aea758cbc77d0 Mon Sep 17 00:00:00 2001
From: Michael Frister
Date: Thu, 24 Apr 2014 08:58:22 +0200
Subject: [PATCH 6/7] Gemfile.lock: Update nokogiri to fix security issues See: * https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA * https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.rdoc#1511--2013-12-14
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index f638540fa529..ce2c6188e69f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -193,7 +193,7 @@ GEM
 multi_test (0.0.2)
 mysql2 (0.3.11)
 net-ldap (0.2.2)
- nokogiri (1.5.9)
+ nokogiri (1.5.11)
 object-daddy (1.1.1)
 oj (2.1.6)
 paper_trail (2.7.2)
From ded3d8ea4eda40f4d5b9b973378ad0d07ba29fcd Mon Sep 17 00:00:00 2001
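Review bot: For every user agent that is not IE the name is still returned unescaped, so a filename containing `"`, `\` or CR/LF reaches the Content-Disposition value as-is and can break the quoted string or, depending on how the caller assembles the header (outside this hunk), inject further header text. The `Trident` token is the right minimal fix for IE11, but the safe path for all browsers is to strip those characters first, e.g. `name = name.gsub(/[\r\n"\\]/, '_')` as the method's first line, and to say why IE is special with a comment such as `# IE (MSIE through 10, Trident for 11) percent-decodes the filename; other browsers take it verbatim`. Whether attachment names are already sanitized on upload cannot be seen from here, so the guard is cheap insurance either way.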
From: Michael Frister
Date: Thu, 24 Apr 2014 08:59:11 +0200
Subject: [PATCH 7/7] Gemfile.lock: Update i18n to fix security issue See * https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998 * https://github.com/svenfuchs/i18n/commits/61f975bd862e2ce3a9f77fb5afdf11831fbcbb22
---
 Gemfile | 12 ++++++++++++
 Gemfile.lock | 4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/Gemfile b/Gemfile
index 84de301d2906..c5263c2282c3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -128,6 +128,18 @@ gem 'jquery-rails', '~> 2.0.3'
 # using the commit before this comment
 gem "i18n-js", :git => "https://github.com/fnando/i18n-js.git", :ref => '8801f8d17ef96c48a7a0269e251fcf1648c8f441'
+
+# Security fixes
+# Gems we don't depend directly on, but specify here to make sure we don't use a vulnerable
+# version. Please add a link to a security advisory when adding a Gem here.
+
+gem 'i18n', '>=0.6.8'
+# see https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
+
+gem 'nokogiri', '>=1.5.11'
+# see https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
+
+
 group :test do
 gem 'shoulda'
 gem 'object-daddy', '~> 1.1.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index ce2c6188e69f..946b08a9ea15 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -157,7 +157,7 @@ GEM
 test-unit (~> 2.2)
 hike (1.2.3)
 htmldiff (0.0.1)
- i18n (0.6.5)
+ i18n (0.6.8)
 interception (0.3)
 journey (1.0.4)
 jquery-atwho-rails (0.4.1)
@@ -383,6 +383,7 @@ DEPENDENCIES
 guard-rspec
 guard-test
 htmldiff
+ i18n (>= 0.6.8)
 i18n-js!
 jquery-atwho-rails
 jquery-rails (~> 2.0.3)
@@ -394,6 +395,7 @@ DEPENDENCIES
 multi_json
 mysql2 (~> 0.3.11)
 net-ldap (~> 0.2.2)
+ nokogiri (>= 1.5.11)
 object-daddy (~> 1.1.0)
 oj
 pg (~> 0.17.1)
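Review bot: A `>=` floor only stops Bundler from going back below the fixed version; it does not keep the lockfile from drifting to a later vulnerable release, and because neither gem is used directly these lines turn transitive dependencies into declared ones that someone has to keep re-checking, which the new comment block should say outright, e.g. `# Floors, not pins: re-check against each new advisory and bump when the fixed version moves`. For the `gem 'nokogiri'` line, confirm the referenced fix is in the gem itself rather than in the libxml2 it links against — if the build uses the system libxml2 (common for the 1.5 series), the gem version alone does not guarantee the fix and a note to that effect belongs beside the advisory link. Likewise verify that the i18n advisory's fixed release is 0.6.8 and not a later 0.6.x before relying on this floor.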