diff options
author | Andrew White <andrew.white@unboxedconsulting.com> | 2016-03-01 08:48:53 +0000 |
---|---|---|
committer | Andrew White <andrew.white@unboxedconsulting.com> | 2016-03-01 08:48:53 +0000 |
commit | 6520ea5f7e2215a763ca74bf6cfa87be2347d5df (patch) | |
tree | 4943801777acd80bd9a3f9eca812f2373ce7008b /actionpack/test/dispatch/routing | |
parent | 1d3502c32e5553d3e9e73cb7d38db0c1d6427aaf (diff) | |
download | rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.gz rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.tar.bz2 rails-6520ea5f7e2215a763ca74bf6cfa87be2347d5df.zip |
Deprecate :controller and :action path parameters
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
Diffstat (limited to 'actionpack/test/dispatch/routing')
-rw-r--r-- | actionpack/test/dispatch/routing/inspector_test.rb | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/actionpack/test/dispatch/routing/inspector_test.rb b/actionpack/test/dispatch/routing/inspector_test.rb index fd85cc6e9f..d8cffa425f 100644 --- a/actionpack/test/dispatch/routing/inspector_test.rb +++ b/actionpack/test/dispatch/routing/inspector_test.rb @@ -133,7 +133,9 @@ module ActionDispatch def test_inspect_routes_shows_dynamic_action_route output = draw do - get 'api/:action' => 'api' + ActiveSupport::Deprecation.silence do + get 'api/:action' => 'api' + end end assert_equal [ @@ -144,7 +146,9 @@ module ActionDispatch def test_inspect_routes_shows_controller_and_action_only_route output = draw do - get ':controller/:action' + ActiveSupport::Deprecation.silence do + get ':controller/:action' + end end assert_equal [ @@ -155,7 +159,9 @@ module ActionDispatch def test_inspect_routes_shows_controller_and_action_route_with_constraints output = draw do - get ':controller(/:action(/:id))', :id => /\d+/ + ActiveSupport::Deprecation.silence do + get ':controller(/:action(/:id))', :id => /\d+/ + end end assert_equal [ @@ -335,7 +341,9 @@ module ActionDispatch def test_regression_route_with_controller_regexp output = draw do - get ':controller(/:action)', controller: /api\/[^\/]+/, format: false + ActiveSupport::Deprecation.silence do + get ':controller(/:action)', controller: /api\/[^\/]+/, format: false + end end assert_equal ["Prefix Verb URI Pattern Controller#Action", |