| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Add nodoc to some constants [skip ci]
|
|
|
|
|
|
|
|
|
|
| |
sikachu/permit_all_parameters-thread-safety"
This reverts commit da5cc10e945552da54234f858470238a3fc36767.
Fixes #18091
See also https://github.com/rails/rails/pull/18003#commitcomment-9030909
|
| |
|
|\
| |
| | |
Add AC::Parameters#to_unsafe_h
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As suggested in #16299([1]), this method should be a new public API for
retrieving unfiltered parameters from `ActionController::Parameters`
object, given that `Parameters#to_hash` will no longer work in Rails
5.0+ as we stop inheriting `Parameters` from `Hash`.
[1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
|
|/
|
|
|
|
|
| |
As discussed in #16299[1], this attribute is not thread safe and could
potentially create a security issue.
[1]: https://github.com/rails/rails/pull/16299#discussion_r15424533
|
|
|
|
|
|
|
|
|
| |
The method was added in https://github.com/rails/rails/commit/30d21dfcb7fafe49b3805b8249454485a90097b6#diff-5055d9f16b442adb1d2f0f65903a196bR141.
With the method call in https://github.com/rails/rails/commit/30d21dfcb7fafe49b3805b8249454485a90097b6#diff-cc7bb557df2247c0a42bc180fdb6eb05R47.
Later one more method call was added in https://github.com/rails/rails/commit/401787db4bc428dce88b04e343a64c6a6c3b681c#diff-cc7bb557df2247c0a42bc180fdb6eb05R183.
And both method calls were deleted in https://github.com/rails/rails/commit/3df07d093a1e4207caa63fd2e3b67599211f5800#diff-cc7bb557df2247c0a42bc180fdb6eb05L47 and https://github.com/rails/rails/commit/3df07d093a1e4207caa63fd2e3b67599211f5800#diff-cc7bb557df2247c0a42bc180fdb6eb05L189.
Just do `grep -nr 'await_close' .`.
|
| |
|
|\
| |
| |
| | |
Allow authentication header to not have to specify 'token=' key.
|
| |
| |
| |
| | |
Fixes: https://github.com/rails/rails/issues/17108.
|
| |
| |
| |
| |
| |
| |
| |
| | |
I grepped the source code for code snippets wrapped in backticks in the comments
and replaced the backticks with plus signs so they are correctly displayed in
the Rails documentation.
[ci skip]
|
| |
| |
| |
| | |
of ActionDispatch::Request#method to pick up overrides by the middleware
|
| |
| |
| |
| |
| | |
of respond_to. respond_with was moved into the responders gem and deprecated
inside rails, so there is no need to mention it within rails itself.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The current style for warning messages without newlines uses
concatenation of string literals with manual trailing spaces
where needed.
Heredocs have better readability, and with `squish` we can still
produce a single line.
This is a similar use case to the one that motivated defining
`strip_heredoc`, heredocs are super clean.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
claudiob/replace-slower-block-call-with-faster-yield
Replace (slower) block.call with (faster) yield
|
| |
| |
| |
| | |
This reverts commit 0ab075e75f58bf403f7ebe20546c7005f35db1f6.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Performance optimization: `yield` with an implicit `block` is faster than `block.call`.
See http://youtu.be/fGFM_UrSp70?t=10m35s and the following benchmark:
```ruby
require 'benchmark/ips'
def fast
yield
end
def slow(&block)
block.call
end
Benchmark.ips do |x|
x.report('fast') { fast{} }
x.report('slow') { slow{} }
end
# => fast 154095 i/100ms
# => slow 71454 i/100ms
# =>
# => fast 7511067.8 (±5.0%) i/s - 37445085 in 4.999660s
# => slow 1227576.9 (±6.8%) i/s - 6145044 in 5.028356s
```
|
| |
|
|\ |
|
| | |
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Renames _handle_render_options to _render_to_body_with_renderer, which is more
intention-revealing.
* The name of the dynamically generated method for a renderer with key :js was
"_render_option_js".
That name is too weak. :js is an option if you see the render argument as just
a generic options hash, but in the context of renderers that's the renderer
key, is what identifies the renderer.
Now "_render_with_renderer_js" is generated instead, which is crystal clear.
* The name of the dynamically generated method for the renderer was constructed
using string literals in a few places. That is now encapsulated in a method.
* Since we were on it, also removed a couple of redundant selfs.
|
|\
| |
| | |
CSRF token mask from breach-mitigation-rails gem
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.
The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.
|
|\ \
| | |
| | | |
Update `ActionController::Parameters` to be more secure on parameters handling
|
| | |
| | |
| | |
| | | |
Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* `each`
* `each_pair`
* `delete`
* `select!`
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is to make sure that `permitted` status is maintained on the
resulting object.
I found these methods that needs to be redefined by looking for
`self.class.new` in the code.
* extract!
* transform_keys
* transform_values
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
|\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
Conflicts:
actionpack/lib/action_controller/metal/mime_responds.rb
actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
activerecord/lib/active_record/type/value.rb
|
| | |
| | |
| | |
| | | |
[skip ci]
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
respond_with (and consequently the class-level respond_to)
are being removed from Rails. Instead of moving it to a 3rd
library, the functionality will be moved to responders gem
(at github.com/plataformatec/responders) which already provides
some responders extensions.
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
New default: the template digest is automatically included in your ETags.
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
is mixed in so future changes to the HTML will blow HTTP caches for you.
This makes it easy to HTTP-cache many more of your actions.
If you render a different template, you can now pass the `:template`
option to include its digest instead:
fresh_when @post, template: 'widgets/show'
Pass `template: false` to skip the lookup. To turn this off entirely, set:
config.action_controller.etag_with_template_digest = false
|
| |
| |
| |
| | |
This follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
|
|/ |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
Closes #16170
|
|
|
|
|
|
|
|
|
|
|
|
| |
`render nothing: true` or rendering a `nil` body no longer add a single
space to the response body.
The old behavior was added as a workaround for a bug in an early version of
Safari, where the HTTP headers are not returned correctly if the response
body has a 0-length. This is been fixed since and the workaround is no
longer necessary.
Use `render body: ' '` if the old behavior is desired.
|