Deprecate :controller and :action path parameters

Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.
author: Andrew White <andrew.white@unboxedconsulting.com> 2016-03-01 08:48:53 +0000
committer: Andrew White <andrew.white@unboxedconsulting.com> 2016-03-01 08:48:53 +0000
commit: 6520ea5f7e2215a763ca74bf6cfa87be2347d5df (patch)
tree: 4943801777acd80bd9a3f9eca812f2373ce7008b /actionpack/test/dispatch/routing
parent: 1d3502c32e5553d3e9e73cb7d38db0c1d6427aaf (diff)
download: rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.gz
rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.bz2
rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.zip
1 files changed, 12 insertions, 4 deletions
diff --git a/actionpack/test/dispatch/routing/inspector_test.rb b/actionpack/test/dispatch/routing/inspector_test.rb
index fd85cc6e9f..d8cffa425f 100644
--- a/actionpack/test/dispatch/routing/inspector_test.rb
+++ b/actionpack/test/dispatch/routing/inspector_test.rb
@@ -133,7 +133,9 @@ module ActionDispatch
 
       def test_inspect_routes_shows_dynamic_action_route
         output = draw do
-          get 'api/:action' => 'api'
+          ActiveSupport::Deprecation.silence do
+            get 'api/:action' => 'api'
+          end
         end
 
         assert_equal [
@@ -144,7 +146,9 @@ module ActionDispatch
 
       def test_inspect_routes_shows_controller_and_action_only_route
         output = draw do
-          get ':controller/:action'
+          ActiveSupport::Deprecation.silence do
+            get ':controller/:action'
+          end
         end
 
         assert_equal [
@@ -155,7 +159,9 @@ module ActionDispatch
 
       def test_inspect_routes_shows_controller_and_action_route_with_constraints
         output = draw do
-          get ':controller(/:action(/:id))', :id => /\d+/
+          ActiveSupport::Deprecation.silence do
+            get ':controller(/:action(/:id))', :id => /\d+/
+          end
         end
 
         assert_equal [
@@ -335,7 +341,9 @@ module ActionDispatch
 
       def test_regression_route_with_controller_regexp
         output = draw do
-          get ':controller(/:action)', controller: /api\/[^\/]+/, format: false
+          ActiveSupport::Deprecation.silence do
+            get ':controller(/:action)', controller: /api\/[^\/]+/, format: false
+          end
         end
 
         assert_equal ["Prefix Verb URI Pattern            Controller#Action",
author	Andrew White <andrew.white@unboxedconsulting.com>	2016-03-01 08:48:53 +0000
committer	Andrew White <andrew.white@unboxedconsulting.com>	2016-03-01 08:48:53 +0000
commit	6520ea5f7e2215a763ca74bf6cfa87be2347d5df (patch)
tree	4943801777acd80bd9a3f9eca812f2373ce7008b /actionpack/test/dispatch/routing
parent	1d3502c32e5553d3e9e73cb7d38db0c1d6427aaf (diff)
download	rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.gz rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.bz2 rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.zip