author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:23:48 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:23:48 -0800 |
commit | 3b4398bb605cc7b6f475bf76c19aa0702700a199 (patch) | |
tree | 13285c577d9b6aff2fde072a2030b0468a775423 /actionpack/test/controller/render_test.rb | |
parent | d25e79fba6090d56769da6f0fbb401bb1afdb28a (diff) | |
parent | 8d86637fb64ae8ae81ab71a286ddba02cc3144a4 (diff) | |
download | rails-3b4398bb605cc7b6f475bf76c19aa0702700a199.tar.gz rails-3b4398bb605cc7b6f475bf76c19aa0702700a199.tar.bz2 rails-3b4398bb605cc7b6f475bf76c19aa0702700a199.zip |
Merge branch '3-2-sec' into 3-2-stable
* 3-2-sec:
bumping version
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
Diffstat (limited to 'actionpack/test/controller/render_test.rb')
-rw-r--r-- | actionpack/test/controller/render_test.rb | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index 3964540def..6210524cef 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -60,6 +60,16 @@ class TestController < ActionController::Base
 end
 end
+ def dynamic_render
+ render params[:id] # => String, Hash
+ end
+
+ def dynamic_render_with_file
+ # This is extremely bad, but should be possible to do.
+ file = params[:id] # => String, Hash
+ render file: file
+ end
+
 def conditional_hello_with_public_header
 if stale?(:last_modified => Time.now.utc.beginning_of_day, :etag => [:foo, 123], :public => true)
 render :action => 'hello_world'
@@ -235,6 +245,27 @@ class TestController < ActionController::Base
 render :inline => "<%= action_name %>"
 end
+ def test_dynamic_render_with_file
+ # This is extremely bad, but should be possible to do.
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+ response = get :dynamic_render_with_file, { id: '../\\../test/abstract_unit.rb' }
+ assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),
+ response.body
+ end
+
+ def test_dynamic_render
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+ assert_raises ActionView::MissingTemplate do
+ get :dynamic_render, { id: '../\\../test/abstract_unit.rb' }
+ end
+ end
+
+ def test_dynamic_render_file_hash
+ assert_raises ArgumentError do
+ get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
+ end
+ end
+
 def accessing_controller_name_in_template
 render :inline => "<%= controller_name %>"
 end |
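Review bot: `render file: file` in `dynamic_render_with_file` uses the `key: value` hash literal, while the context lines of this same hunk use hashrockets (`:action => 'hello_world'`); the test calls in the second hunk (`{ id: ... }`, `{ id: { file: ... } }`) do the same. If this branch is still expected to parse on Ruby 1.8 (presumably so for 3-2-stable, to be confirmed), the file would fail to load, so `render :file => file` and `{ :id => ... }` are the safer spelling. Separately, the comment "This is extremely bad" does not say what is bad; something like `# Test fixture only: the client chooses the file to render. Kept to pin that an explicit :file may point outside the view directory.` would stop the action from being read as a usable pattern.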
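Review bot: `test_dynamic_render` and `test_dynamic_render_file_hash` each pin a single input, one id string and one hash key (`file`), so the rejection they assert is covered for that shape only. Whether other render option keys arriving as a params hash are refused as well is not visible in this hunk; one test per key the fix is meant to reject would make that explicit. `test_dynamic_render` would also pass if the id simply failed to resolve, so it leans on `test_dynamic_render_with_file` using the same id; a comment such as `# same id as test_dynamic_render_with_file, which shows it reaches a real file` would keep the pair from drifting apart. The expression `File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')` is written three times and could be one local or helper.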