| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
There is no need to subtract one from the path_params size when there is
no format parameter because it is not present in the path_params array.
Fixes #17819.
|
|
|
|
|
|
|
| |
We will support only Ruby >= 2.1.
But right now we don't accept pull requests with syntax changes to drop
support to Ruby 1.9.
|
|\
| |
| |
| | |
Allow authentication header to not have to specify 'token=' key.
|
| | |
|
| |
| |
| |
| |
| |
| | |
Fixes https://github.com/rails/rails/issues/16958
[Byron Bischoff & Melanie Gilman]
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In cases where this option is set to `true`, the option is redundant and can
be safely removed; otherwise, the corresponding `*_url` helper should be
used instead.
Fixes #17294.
See also #17363.
[Dan Olson, Godfrey Chan]
|
| | |
|
|/
|
|
|
|
|
|
|
|
| |
The scanner in Journey fails to recognize routes that use literals
from the sub-delims section of RFC 3986.
This commit enhance the compatibility of Journey with the RFC by
adding support of authorized delimiters to the scanner.
Fix #17212
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
Fixes #17057
|
| |
|
|
|
|
|
|
|
|
| |
IPAddr::InvalidAddressError does not exist in Ruby 1.9.3
and fails for JRuby in 1.9 mode.
As IPAddr::InvalidAddressError is a subclass of ArgumentError
(via IPAddr::Error) just rescuing ArgumentError is fine.
|
|\
| |
| | |
Fix the router ignoring constraints when used together with a redirect route
|
| |
| |
| |
| |
| |
| |
| |
| | |
https://github.com/rails/rails/commit/402c2af55053c2f29319091ad21fd6fa6b90ee89
introduced a regression that caused any constraints added to redirect routes
to be ignored.
Fixes #16605
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refactored IP address checking in ActionDispatch::RemoteIp to rely on
the IPAddr class instead of the unwieldly regular expression to match
IP addresses. This commit keeps the same api but allows users to pass
IPAddr objects to config.action_dispatch.trusted_proxies in addition
to passing strings and regular expressions.
Example:
# config/environments/production.rb
config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
|
|
|
|
|
|
|
|
| |
Follow up to rails#15321
Instead of duplicating the routes, we will first match the HEAD request to
HEAD routes. If no match is found, we will then map the HEAD request to
GET routes.
|
|
|
|
|
|
| |
If someone is using ActionDispatch::Static to serve assets and makes it past the `match?` then the file exists on disk and it will be served. This PR adds in logic that checks to see if the file being served is already compressed (via gzip) and on disk, if it is it will be served as long as the client can handle gzip encoding. If not, then a non gzip file will be served.
This additional logic slows down an individual asset request but should speed up the consumer experience as compressed files are served and production applications should be delivered with a CDN. This PR allows a CDN to cache a gzip file by setting the `Vary` header appropriately. In net this should speed up a production application that are using Rails as an origin for a CDN. Non-asset request speed is not affected in this PR.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
| |
|
|\
| |
| |
| |
| | |
Conflicts:
actionpack/CHANGELOG.md
|
| |
| |
| |
| |
| |
| |
| |
| | |
Use the Active Support JSON encoder for cookie jars using the `:json` or
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
cookies by defining the `#as_json` hook on such objects.
Fixes #16520.
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Cookies digest config option (pt. 2)
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_dispatch/middleware/cookies.rb
|
| | |
| | |
| | |
| | |
| | |
| | | |
You can now configure custom digest for cookies in the same way as `serializer`:
config.action_dispatch.cookies_digest = 'SHA256'
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
respond_with (and consequently the class-level respond_to)
are being removed from Rails. Instead of moving it to a 3rd
library, the functionality will be moved to responders gem
(at github.com/plataformatec/responders) which already provides
some responders extensions.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
New default: the template digest is automatically included in your ETags.
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
is mixed in so future changes to the HTML will blow HTTP caches for you.
This makes it easy to HTTP-cache many more of your actions.
If you render a different template, you can now pass the `:template`
option to include its digest instead:
fresh_when @post, template: 'widgets/show'
Pass `template: false` to skip the lookup. To turn this off entirely, set:
config.action_controller.etag_with_template_digest = false
|
| | |
| | |
| | |
| | | |
The error was moved outside of the `ClassMethods` module.
|
| | |
| | |
| | |
| | |
| | | |
The test was not failing for `assert_template file: nil` when a file
has been rendered.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Default to Rails::DeprecatedSanitizer in ActionView::Helpers::SanitizeHelper.
- Add upgrade notes.
- Add sanitizer to new applications Gemfiles.
- Remove 'rails-dom-testing' as a dependency.
|
|\| |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
actionpack/CHANGELOG.md
actionpack/test/controller/integration_test.rb
actionview/CHANGELOG.md
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This reverts commit 705977620539e2be6548027042f33175ebdc2505, reversing
changes made to dde91e9bf5ab246f0f684b40288b272f4ba9a699.
IT BROKE THE BUILD!!!
|
| |/
| |
| |
| |
| |
| | |
You can now configure custom digest for cookies in the same way as `serializer`:
config.action_dispatch.cookies_digest = \SHA256'
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Also cleanup test a bit
[related #14886]
[related #14743]
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
`ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
for the exception defined in `ExceptionWrapper`, so the path the user was
visiting when an exception occurred was not previously available to any custom
exceptions_app.
The original `PATH_INFO` is now stashed in
`env["action_dispatch.original_path"]`.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Although the cookie values happens to be ASCII strings because they are
Base64 encoded, it is semantically incorrect to check for the number of the
characters in the cookie, when we actually want to check for the number of the
bytes it consists of.
Furthermore it is unecessary coupling with the current implementation that
uses Base64 for encoding the values.
|
| |
| |
| |
| |
| | |
Also reordered some of the items to put newer ones on top (same order as
CHANGELOGs), which makes it easier to diff while we are still working on it.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
`render nothing: true` or rendering a `nil` body no longer add a single
space to the response body.
The old behavior was added as a workaround for a bug in an early version of
Safari, where the HTTP headers are not returned correctly if the response
body has a 0-length. This is been fixed since and the workaround is no
longer necessary.
Use `render body: ' '` if the old behavior is desired.
|
|\ \
| |/
|/|
| |
| |
| |
| |
| | |
Loofah-integration
Conflicts:
actionpack/CHANGELOG.md
actionview/CHANGELOG.md
|
| | |
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
gcampbell-rosetta_flash
* 'rosetta_flash' of https://github.com/gcampbell/rails:
Address CVE-2014-4671 (JSONP Flash exploit)
Conflicts:
actionpack/CHANGELOG.md
|
| | |
| | |
| | |
| | |
| | |
| | | |
Adds a comment before JSONP callbacks. See
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more
details on the exploit in question.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| | |
Because URI paths may contain non US-ASCII characters we need to force
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
This essentially replicates the functionality of the monkey patch to
URI.parser.unescape in active_support/core_ext/uri.rb.
Fixes #16104.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prior to this commit shallow resources would only generate paths for
non-direct children (with a nested depth greater than 1).
Take the following routes file.
resources :blogs do
resources :posts, shallow: true do
resources :comments do
resources :tags
end
end
end
This would generate shallow paths for `tags` nested under `posts`,
e.g `/posts/:id/tags/`, however it would not generate shallow paths
for `comments` nested under `posts`, e.g `/posts/:id/comments/new`.
This commit changes the behaviour of the route mapper so that it
generate paths for direct children of shallow resources, for example
if you take the previous routes file, this will now generate
shallow paths for `comments` nested under `posts`, .e.g
`posts/:id/comments/new`.
This was the behaviour in Rails `4.0.4` however this was broken in
@jcoglan's fix for another routes related issue[1].
This also fixes an issue[2] reported by @smdern.
[1] https://github.com/rails/rails/commit/d0e5963
[2] https://github.com/rails/rails/issues/15783
|
| |
| |
| |
| |
| |
| |
| | |
The controller can set the response format as 'JSON' before the renderer code be
evaluated, so we must replace it when necessary.
Fixes #15081
|
|\ \
| | |
| | |
| | |
| | |
| | | |
Add always permitted parameters as a configurable option.
[Rafael Mendonça França + Gary S. Weaver]
|
| | |
| | |
| | |
| | | |
Fixes issue #15511.
|