| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |\
| |
| | |
CSRF token mask from breach-mitigation-rails gem
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.
The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.
|
| | |
| |
| |
| | |
[Godfrey Chan, Genadi Samokovarov]
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously setting simple values to the config.x object resulted in the
following:
config.x.super_debugger = true
config.x.super_debugger #=> {}
Which was against the examples showed in the changelog/release notes.
|
| | | |
|
| | |
| |
| |
| | |
Godfrey Chan, Genadi Samokovarov
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit de4891344ccc074f6d5693f4fac6ad610584e336.
Conflicts:
railties/lib/rails/railtie/configuration.rb
It added regression. Will be back after the beta
|
| | | |
|
| |\ \
| | |
| | | |
Mention web-console in 4.2 release notes
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Mention the web-console inclusion in the default Gemfile in the Release
notes and the railties changelog. We can eventually mention it in the
upgrade guide, if needed.
[ci skip]
|
| |\ \ \
| | | |
| | | | |
[ci skip] Added documentation for belongs_to scope parameter
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
'abstract_unit'.
cc #16564
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| |\ \ \ \
| | | | |
| | | | | |
Move TimeHelperTest to TimeTravelTest from `as/test_test.rb`
|
| | | | | | |
|
| | | | | | |
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Add default .raise_in_transactional_callbacks option to template
|
| | | | | | | |
|
| | | | | | | |
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Correctly determine if migration is needed.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
This method would assume that if last migration in the migrations
directory matched the current schema version, that the database was up
to date, but this does not account for new migrations with older
timestamps that may be pending.
|
| |\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
Improve custom configuration
|
| | | |_|_|_|/ /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
1. Hashes can be assigned
2. We don't need a special level anymore
The method chain only works in the top level.
If users need a second level they need to assign a OrderedOptions to the
key:
config.resque.server = ActiveSupport::OrderedOptions.new
config.resque.server.url = "http://localhost"
config.resque.server.port = 3000
[Rafael Mendonça França + Carlos Antonio da Silva]
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Related with #11795.
|
| |\ \ \ \ \ \ \
| |_|_|_|/ / /
|/| | | | | | |
Update `ActionController::Parameters` to be more secure on parameters handling
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
* `each`
* `each_pair`
* `delete`
* `select!`
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
This is to make sure that `permitted` status is maintained on the
resulting object.
I found these methods that needs to be redefined by looking for
`self.class.new` in the code.
* extract!
* transform_keys
* transform_values
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
| |\ \ \ \ \ \ \
| |_|_|_|/ / /
|/| | | | | | |
Add missing AS require
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | | |
`strip_heredoc` method is defined on active_support/core_ext/string
|
| |\ \ \ \ \ \
| |/ / / / /
|/| | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Conflicts:
actionpack/lib/action_controller/metal/mime_responds.rb
actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
activerecord/lib/active_record/type/value.rb
|
| | | | | | | |
|
| | | | | | | |
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | | |
[skip ci]
|
| | | | | | | |
|
| | | | | | | |
|
| | | | | | | |
|
