aboutsummaryrefslogtreecommitdiffstats
path: root/actionmailbox/db
diff options
context:
space:
mode:
authorJohn Hawthorn <john@hawthorn.email>2019-03-18 17:17:11 -0700
committerJohn Hawthorn <john@hawthorn.email>2019-03-27 15:51:25 -0700
commitc7820d8124c854760a4d288334f185de2fb99446 (patch)
tree08b50d4f926f0fb19e4b7d8c45f963ce6a84546c /actionmailbox/db
parent93dbbe3a81bee6da2f1e88ca6971299b462cad93 (diff)
downloadrails-c7820d8124c854760a4d288334f185de2fb99446.tar.gz
rails-c7820d8124c854760a4d288334f185de2fb99446.tar.bz2
rails-c7820d8124c854760a4d288334f185de2fb99446.zip
Introduce Template::File as new render file:
The previous behaviour of render file: was essentially the same as render template:, except that templates can be specified as an absolute path on the filesystem. This makes sense for historic reasons, but now render file: is almost exclusively used to render raw files (not .erb) like public/404.html. In addition to complicating the code in template/resolver.rb, I think the current behaviour is surprising to developers. This commit deprecates the existing "lookup a template from anywhere" behaviour and replaces it with "render this file exactly as it is on disk". Handlers will no longer be used (it will render the same as if the :raw handler was used), but formats (.html, .xml, etc) will still be detected (and will default to :plain). The existing render file: behaviour was the path through which Rails apps were vulnerable in the recent CVE-2019-5418. Although the vulnerability has been patched in a fully backwards-compatible way, I think it's a strong hint that we should drop the existing previously-vulnerable behaviour if it isn't a benefit to developers.
Diffstat (limited to 'actionmailbox/db')
0 files changed, 0 insertions, 0 deletions