| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| |
| | |
Discart the schema and host information when building the per-form token
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the token is generated by the form we were using the schema and
host information while only using the path to compare if the action was
the same. This was causing the token to be invalid.
To fix this we use the same information to generate the token and check
it.
Fix #24257
|
| |\ \
| | |
| | | |
Actionpack documentation typos [ci skip]
|
| | |/ |
|
| |/ |
|
| |
|
| |
Add missing period after sentence.
|
| |
|
|
|
|
| |
This brings the behavior more inline with other similar cases, such as
receiving a hash when an array of scalars was expected. Prior to this
commit, the key would be present, but the value would be `nil`
|
| |\
| |
| | |
Encourage best practice in the HTTP Token authentication example code
|
| | |
| |
| |
| | |
`authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
|
| |/
|
|
|
|
|
|
|
|
| |
- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.
Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.
|
| |
|
|
|
| |
- skip calling helper_method if it's not there: if we don't have helpers, we needn't define one.
- tests that an api controller can include and use ActionController::Cookies
|
| |\ |
|
| | |
| |
| |
| | |
- Added missing `"`.
|
| | |
| |
| |
| | |
[ci-skip]
|
| | |
| |
| |
| | |
[ci skip]
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options
for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag.
Strong ETags are desirable when you're serving byte-for-byte identical
responses that support Range requests, like PDFs or videos (typically
done by reproxying the response from a backend storage service).
Also desirable when fronted by some CDNs that support strong ETags
only, like Akamai.
* No longer strips quotes (`"`) from ETag values before comparing them.
Quotes are significant, part of the ETag. A quoted ETag and an unquoted
one are not the same entity.
* Support `If-None-Match: *`. Rarely useful for GET requests; meant
to provide some optimistic concurrency control for PUT requests.
|
| |\ \
| | |
| | |
| | |
| | | |
jeremy/implicit-render-raises-on-browser-GET-requests-only
Are you missing that template or did you omit it on purpose?
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
purpose?" heuristics
Narrows the "are you in a browser, viewing the page?" check to exclude
non-GET requests. Allows content-less APIs to use implicit responses
without having to set a fake request format.
This will need further attention. If you forget to redirect from a POST
to a GET, you'll get a 204 No Content response that browsers will
typically treat as… do nothing. It'll seem like the form just didn't
work and knowing where to start debugging is non-obvious.
On the flip side, redirecting from POST and others is the default, done
everywhere, so it's less likely to be removed or otherwise missed.
Alternatives are to do more explicit browser sniffing.
Ref #23827.
|
| | | |
| | |
| | |
| | |
| | | |
indetical -> identical
[skip ci]
|
| | | |
| | |
| | |
| | | |
parameters documentation [skip ci]
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There was some subtle breakage caused by #18774, when we removed
`#original_exception` in favor of `#cause`. However, `#cause` is
automatically set by Ruby when raising an exception from a rescue block.
With this change, we will use whichever handler has the highest priority
(whichever call to `rescue_from` came last). In cases where the outer
has lower precidence than the cause, but the outer is what should be
handled, cause will need to be explicitly unset.
Fixes #23925
|
| |\ \ \
| | | |
| | | |
| | | | |
Default rendering behavior if respond_to collector doesn't have a block.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When a `respond_to` collector doesn't have a response, then a
`:no_content` response should be rendered. This brings the default
rendering behavior introduced by
https://github.com/rails/rails/issues/19036 to controller methods
employing `respond_to`
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This method will only be added when used with Ruby 2.3.0 or greater.
This method has the same behavior as `Hash#dig`, except it will convert
hashes to `ActionController::Parameters`, similar to `#[]` and `#fetch`.
|
| | |_|/
|/| |
| | |
| | | |
Make request headers available in the event payload so that it is available to attached ActionController::LogSubscribers.
|
| | |/
|/| |
|
| | | |
|
| |/
|
| |
When trying to make a request and the request doesn't have a suitable template, the new error messages are really helpful but there's a small (and I mean, VERY small) typo that has been bugging me for the last few days. This adds the space and restores order to the universe. :heart:
|
| |
|
|
|
| |
* Fixes typos in error message and release notes.
* Removes unused template test file.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Conceptually revert #20276
The feature was implemented for the `responders` gem. In the end,
they did not need that feature, and have found a better fix (see
plataformatec/responders#131).
`ImplicitRender` is the place where Rails specifies our default
policies for the case where the user did not explicitly tell us
what to render, essentially describing a set of heuristics. If
the gem (or the user) knows exactly what they want, they could
just perform the correct `render` to avoid falling through to
here, as `responders` did (the user called `respond_with`).
Reverting the patch allows us to avoid exploding the complexity
and defining “the fallback for a fallback” policies.
2. `respond_to` and templates are considered exhaustive enumerations
If the user specified a list of formats/variants in a `respond_to`
block, anything that is not explicitly included should result
in an `UnknownFormat` error (which is then caught upstream to
mean “406 Not Acceptable” by default). This is already how it
works before this commit.
Same goes for templates – if the user defined a set of templates
(usually in the file system), that set is now considered exhaustive,
which means that “missing” templates are considered `UnknownFormat`
errors (406).
3. To keep API endpoints simple, the implicit render behavior for
actions with no templates defined at all (regardless of formats,
locales, variants, etc) are defaulted to “204 No Content”. This
is a strictly narrower version of the feature landed in #19036 and
#19377.
4. To avoid confusion when interacting in the browser, these actions
will raise an `UnknownFormat` error for “interactive” requests
instead. (The precise definition of “interactive” requests might
change – the spirit here is to give helpful messages and avoid
confusions.)
Closes #20666, #23062, #23077, #23564
[Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]
|
| |
|
|
| |
- Fixes #23822.
|
| |\
| |
| | |
Improve the performance of string xor operation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use `each_byte` instead of `bytes` to speed up string xor operation and
reduce object allocations.
Inspired by commit 02c3867882d6d23b10df262a6db5f937ca69fb53.
``` ruby
require 'benchmark/ips'
require 'allocation_tracer'
a = 32.times.map { rand(256) }.pack('C*')
b = 32.times.map { rand(256) }.pack('C*')
def xor_byte_strings1(s1, s2)
s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end
def xor_byte_strings2(s1, s2)
s2_bytes = s2.bytes
s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end
def xor_byte_strings3(s1, s2)
s2_bytes = s2.bytes
s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
s2_bytes.pack('C*')
end
fail if xor_byte_strings1(a, b) != xor_byte_strings2(a, b)
fail if xor_byte_strings1(a, b) != xor_byte_strings3(a, b)
Benchmark.ips do |x|
x.report('xor_byte_strings1') { xor_byte_strings1(a, b) }
x.report('xor_byte_strings2') { xor_byte_strings2(a, b) }
x.report('xor_byte_strings3') { xor_byte_strings3(a, b) }
x.compare!
end
Tracer = ObjectSpace::AllocationTracer
Tracer.setup(%i{type})
p xor_byte_strings1: Tracer.trace { xor_byte_strings1(a, b) }
p xor_byte_strings2: Tracer.trace { xor_byte_strings2(a, b) }
p xor_byte_strings3: Tracer.trace { xor_byte_strings3(a, b) }
```
```
Warming up --------------------------------------
xor_byte_strings1 10.668k i/100ms
xor_byte_strings2 11.814k i/100ms
xor_byte_strings3 13.139k i/100ms
Calculating -------------------------------------
xor_byte_strings1 116.667k (± 3.1%) i/s - 586.740k
xor_byte_strings2 129.932k (± 4.3%) i/s - 649.770k
xor_byte_strings3 142.506k (± 4.2%) i/s - 722.645k
Comparison:
xor_byte_strings3: 142506.3 i/s
xor_byte_strings2: 129932.4 i/s - 1.10x slower
xor_byte_strings1: 116666.8 i/s - 1.22x slower
{:xor_byte_strings1=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings3=>{[:T_ARRAY]=>[1, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```
|
| | | |
|
| | |
| |
| |
| | |
Creating a protected getter method for `@parameters`.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
While iterating an AC::Parameters object, the object will mutate itself
and stick AC::Parameters objects where there used to be hashes:
https://github.com/rails/rails/blob/f57092ad728fa1de06c4f5fd9d09dcc2c4738fd9/actionpack/lib/action_controller/metal/strong_parameters.rb#L632
If you use `permit` after this iteration, the `fields_for_style` method
wouldn't return true because the child objects are now AC::Parameters
objects rather than Hashes.
fixes #23701
|
| |/
|
|
| |
Now that AC::Parameters is no longer a Hash, it shouldn't look like a hash.
|
| |
|
|
| |
`NEVER_UNPERMITTED_PARAMS` is deprecated in Rails 4.2. See #15933.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
[aaron@TC rails (master)]$ cat xor.rb
a = "\x14b\"\xB4P8\x05\x8D\xC74\xC3\xEC}\xFDf\x8E!h\xCF^\xBF\xA5%\xC6\xF0\xA9\xF9x\x04\xFA\xF1\x82"
b = "O.\xF7\x01\xA9D\xA3\xE1D\x7FU\x85\xFC\x8Ak\e\x04\x8A\x97\x91\xD01\x02\xA4G\x1EIf:Y\x0F@"
def xor_byte_strings(s1, s2)
s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end
def xor_byte_strings2(s1, s2)
s2_bytes = s2.bytes
s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end
require 'benchmark/ips'
require 'allocation_tracer'
Benchmark.ips do |x|
x.report 'xor_byte_strings' do
xor_byte_strings a, b
end
x.report 'xor_byte_strings2' do
xor_byte_strings2 a, b
end
end
ObjectSpace::AllocationTracer.setup(%i{type})
result = ObjectSpace::AllocationTracer.trace do
xor_byte_strings a, b
end
p :xor_byte_strings => result
ObjectSpace::AllocationTracer.clear
result = ObjectSpace::AllocationTracer.trace do
xor_byte_strings2 a, b
end
p :xor_byte_strings2 => result
[aaron@TC rails (master)]$ ruby -I~/git/allocation_tracer/lib xor.rb
Calculating -------------------------------------
xor_byte_strings 10.087k i/100ms
xor_byte_strings2 11.339k i/100ms
-------------------------------------------------
xor_byte_strings 108.386k (± 5.8%) i/s - 544.698k
xor_byte_strings2 122.239k (± 3.0%) i/s - 612.306k
{:xor_byte_strings=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```
|
| |
|
|
|
|
| |
Most importantly, the original request thread must yield its share lock
while waiting for the live thread to commit -- otherwise a request's
base and live threads can deadlock against each other.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tests can (and do) access the database from the main thread. In this
case they were starting a transaction, then making a request. The
request would create a new thread, which would allocate a new database
connection. Since the main thread started a transaction that contains
data that the new thread wants to see, the new thread would not see it
due to data visibility from transactions. Spawning the new thread in
production is fine because middleware should not be doing database
manipulation similar to the test harness. Before 603fe20c it was
possible to set the database connection id based on a thread local, but
603fe20c changes the connection lookup code to never look at the
"connection id" but only at the thread object itself. Without that
indirection, we can't force threads to use the same connection pool as
another thread.
Fixes #23483
|
| |
|
| |
and remove unecessary spaces in string interpolation.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* 5-0-beta-sec:
bumping version
fix version update task to deal with .beta1.1
Eliminate instance level writers for class accessors
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
|
| | |
| |
| |
| |
| |
| | |
this will avoid timing attacks against applications that use basic auth.
CVE-2015-7576
|
| | |
| |
| |
| |
| |
| |
| | |
[ci skip]
Fixes #20808
[Vipul A M & Julio Lopez]
|
| |\ \
| | |
| | | |
Fix `ActionController::Parameters#==` bug
|
