diff options
| author | Andrew White <andrew.white@unboxedconsulting.com> | 2016-03-01 08:48:53 +0000 |
|---|---|---|
| committer | Andrew White <andrew.white@unboxedconsulting.com> | 2016-03-01 08:48:53 +0000 |
| commit | 6520ea5f7e2215a763ca74bf6cfa87be2347d5df (patch) | |
| tree | 4943801777acd80bd9a3f9eca812f2373ce7008b /actionpack/lib | |
| parent | 1d3502c32e5553d3e9e73cb7d38db0c1d6427aaf (diff) | |
| download | rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.gz rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.bz2 rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.zip | |
Deprecate :controller and :action path parameters
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
Diffstat (limited to 'actionpack/lib')
| -rw-r--r-- | actionpack/lib/action_dispatch/routing/route_set.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb index 310e98f584..f807a8fe16 100644 --- a/actionpack/lib/action_dispatch/routing/route_set.rb +++ b/actionpack/lib/action_dispatch/routing/route_set.rb @@ -513,6 +513,15 @@ module ActionDispatch route = @set.add_route(name, mapping) named_routes[name] = route if name + + if route.segment_keys.include?(:controller) + ActiveSupport::Deprecation.warn("Using a dynamic :controller segment in a route is deprecated and will be remove in Rails 5.1") + end + + if route.segment_keys.include?(:action) + ActiveSupport::Deprecation.warn("Using a dynamic :action segment in a route is deprecated and will be remove in Rails 5.1") + end + route end |