path: root/actionpack/lib/action_controller
Commit message | Author | Age | Files | Lines
* Remove the use of String#% when formatting durations in log messages | Michael Koziarski | 2013-09-30 | 1 | -6/+5
  This avoids potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
* Merge pull request #10478 from cainlevy/patch-1 | Rafael Mendonça França | 2013-05-06 | 1 | -1/+1
  use canonical #controller_path logic in controller test cases
  Conflicts: actionpack/lib/action_controller/test_case.rb
* Fixed test failures on 1.8.7 caused by 74e59ea | Fred Wu | 2013-03-27 | 1 | -1/+1
* Backport #5808 | Mack Earnhardt | 2013-03-24 | 1 | -6/+21
  df36c5f - Fix assert_template assertion with :layout option
  4bd05a7 - Fix assert_template :layout => nil assertion
  0d19a08 - Improve assert_template layout checking
* Merge pull request #9802 from newsline/fix-broken-action-missing | Rafael Mendonça França | 2013-03-20 | 1 | -1/+1
  Fix missing action_missing
  Conflicts: actionpack/CHANGELOG.md
  Conflicts: actionpack/test/controller/base_test.rb
  Fixes #9799
* fix protocol checking in sanitization [CVE-2013-1857] | Aaron Patterson | 2013-03-15 | 1 | -2/+2
  Conflicts: actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
* fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] | Charlie Somerville | 2013-03-15 | 1 | -3/+3
* Check for `method_missing` in public and protected | Prem Sichanugrist | 2013-02-24 | 1 | -1/+2
  Ruby 2.0 changed the behavior of `respond_to?` without argument to return only search for public method. We actually want to perform the action only if `method_missing` is either in public or protected.
* There is already a Set of non-hidden action_names lying around. | thedarkone | 2013-02-24 | 1 | -8/+2
* Remove warning of not used variable | Carlos Antonio da Silva | 2013-01-17 | 1 | -1/+1
* Merge pull request #5288 from lest/patch-2 | José Valim | 2013-01-17 | 1 | -0/+2
  force response body to be read in assert_template
  Conflicts: actionpack/lib/action_controller/test_case.rb
* Accept symbols as #send_data :disposition value | Elia Schito | 2012-11-27 | 1 | -1/+1
* Revert "Merge pull request #7659 from HugoLnx/template_error_no_matches_rebased" | Rafael Mendonça França | 2012-10-31 | 1 | -13/+6
  This reverts commit 7d17cd2cbfc086f5aa9dd636e1207eb130150428.
  Conflicts: actionpack/CHANGELOG.md
  Reason: This added a regression since people were relying on this buggy behavior. This will introduce back #3849 but we will be backward compatible in stable release.
  Fixes #8068.
* Revert "Merge pull request #7797 from senny/7459_prefix_tempalte_assertion_variables" | Rafael Mendonça França | 2012-10-30 | 1 | -20/+20
  This reverts commit 2bad605873b5b720d77ae6388a995827ab7fe705.
  Conflicts: actionpack/CHANGELOG.md
  Reason: This added a regression related with shoulda-matchers, since it is expecting the instance variable @layouts
  See https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74
  This will introduce back #7459 but this stable release will be backward compatible.
  Related with #8068.
* Merge pull request #7848 from senny/3415_assert_template_has_nil_variable | Rafael Mendonça França | 2012-10-06 | 1 | -3/+7
  can't pass :locals to #assert_template without a view test case (#3415)
  Conflicts: actionpack/CHANGELOG.md
* Merge pull request #7797 from senny/7459_prefix_tempalte_assertion_variables | Rafael Mendonça França | 2012-10-01 | 1 | -20/+20
  prefix TemplateAssertions ivars. Closes #7459
  Conflicts: actionpack/lib/action_controller/test_case.rb actionpack/lib/action_view/test_case.rb
* Merge pull request #7659 from HugoLnx/template_error_no_matches_rebased | Rafael Mendonça França | 2012-09-30 | 1 | -6/+13
  REBASED: fixing assert_template bug when template matches expected, but not ends with
  Conflicts: actionpack/CHANGELOG.md actionpack/lib/action_controller/test_case.rb
* Don't paramify ActionDispatch::Http::UploadedFile in tests | Tim Vandecasteele | 2012-09-29 | 1 | -1/+1
  To test uploading a file without using fixture_file_upload, a posted ActionDispatch::Http::UploadedFile should not be paramified (just like Rack::Test::UploadedFile). (Rack::Test::UploadedFile and ActionDispatch::Http::UploadedFile don't share the same API, tempfile is not accessible on Rack::Test::UploadedFile as discussed in https://github.com/brynary/rack-test/issues/30)
* log 404 status when ActiveRecord::RecordNotFound was raised (#7646) | Yves Senn | 2012-09-17 | 1 | -1/+2
  Conflicts: actionpack/CHANGELOG.md actionpack/lib/action_controller/log_subscriber.rb
* Backport 5c51cd0: #send_file leans on Rack::Sendfile to X-Accel-Redirect the file's path, so opening the file to set the response body is wasteful. Set a FileBody wrapper instead that responds to to_path and streams the file if needed. | Jeremy Kemper | 2012-08-15 | 1 | -2/+22
* * Do not convert digest auth strings to symbols. CVE-2012-3424 | Aaron Patterson | 2012-07-26 | 1 | -2/+2
* Show in log correct wrapped keys | Dmitry Vorotilin | 2012-07-05 | 1 | -1/+2
* ActionController::Caching depends on RackDelegation and AbstractController::Callbacks | Santiago Pastorino | 2012-06-13 | 1 | -0/+3
* Revert "fix the Flash middleware loading the session on every request (very dangerous especially with Rack::Cache), it should only be loaded when the flash method is called" | Rafael Mendonça França | 2012-06-05 | 1 | -0/+1
  This reverts commits e3069c64b2c5ddc7a5789b55b8efd4902d9e9729 and 2b2983d76fd11efc219273036a612f47cfaa5bfa.
  Reason: This adds a non-backward compatible change in the way that flash works now (swept in every request).
* If content_type is explicitly passed to the :head method use the value or fallback | Kunal Shah | 2012-05-07 | 1 | -1/+2
* Add a role option to wrap_parameters. | Nick Ragaz | 2012-05-04 | 1 | -2/+3
  The role option identifies which parameters are accessible and should be wrapped. The default role is :default.
* fix the Flash middleware loading the session on every request (very dangerous especially with Rack::Cache), it should only be loaded when the flash method is called | Will Bryant | 2012-04-30 | 1 | -1/+0
* Add note about using 303 See Other for XHR requests other than GET/POST | Andrew White | 2012-04-30 | 1 | -0/+10
  IE since version 6 and recently Chrome and Firefox have started following 302 redirects from XHR requests other than GET/POST using the original request method. This can lead to DELETE requests being redirected amongst other things.
  Although it doesn't directly affect the Rails framework since it doesn't return a 302 redirect to any non-GET/POST request a note has been added to raise awareness of the issue.
  Some references:
  Original article from @technoweenie: http://techno-weenie.net/2011/8/19/ie9-deletes-stuff/
  Hacker News discussion of the article: http://news.ycombinator.com/item?id=2903493
  WebKit bug report: https://bugs.webkit.org/show_bug.cgi?id=46183
  Firefox bug report and changeset: https://bugzilla.mozilla.org/show_bug.cgi?id=598304 https://hg.mozilla.org/mozilla-central/rev/9525d7e2d20d
  Chrome bug report: http://code.google.com/p/chromium/issues/detail?id=56373
  HTTPbis bug report and changeset: http://trac.tools.ietf.org/wg/httpbis/trac/ticket/160 http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1428
  Roy T. Fielding's history of the issue: http://ftp.ics.uci.edu/pub/ietf/http/hypermail/1997q3/0611.html
  Automated browser tests for the issue: http://www.mnot.net/javascript/xmlhttprequest/
  Fixes #4144
  (cherry picked from commit 24f143789a8989f3bccde14ff28067de25cafd87)
* Don't convert params if the request isn't HTML - fixes #5341 | Andrew White | 2012-04-29 | 1 | -6/+18
  (cherry picked from commit 7a80b69e00f68e673c6ceb5cc684aa9196ed3d9f)
  Conflicts: actionpack/test/controller/test_test.rb
* We don't need to merge in the parameters as that's all being reset by the rack headers (and it's causing problems for Strong Parameters attempt of wrapping request.parameters because it will change in testing) | David Heinemeier Hansson | 2012-03-20 | 1 | -1/+0
* Merge pull request #5456 from brianmario/redirect-sanitization | Aaron Patterson | 2012-03-15 | 1 | -1/+1
  Strip null bytes from Location header
* Remove ActionController::TestCase#rescue_action_in_public! | Piotr Sarnacki | 2012-03-15 | 1 | -5/+0
  This method has no effect since exception handling was moved to middlewares and ActionController tests do not use any middlewares.
* Remove usage of deprecated module. | José Valim | 2012-03-07 | 1 | -1/+0
* Set the rendered_format on respond_to. | José Valim | 2012-03-07 | 1 | -0/+1
* Deprecate ActionController::SessionManagement | Santiago Pastorino | 2012-03-06 | 1 | -0/+5
* Always passing a respond block from to responder | Prem Sichanugrist | 2012-03-05 | 2 | -12/+13
  We should let the responder decide what to do with the given overridden response block, and not short circuit it.
  Fixes #5280
* format lookup for partials is derived from the format in which the template is being rendered | Santiago Pastorino | 2012-02-22 | 2 | -2/+2
  Closes #5025 part 2
* search private / protected methods in trunk ruby | Aaron Patterson | 2012-02-20 | 1 | -1/+1
* Rack body respond to each and not to join | Santiago Pastorino | 2012-02-14 | 1 | -2/+4
  This fixes undef `to_str' for Rack::Chunked::Body when using caches_action + streaming on an action
  Closes #5027
* Fixed force_ssl redirects to include original query params | Ryan McGeary | 2012-02-06 | 1 | -0/+1
  `ActionController.force_ssl` redirects http URLs to their https equivalent; however, when a URL contains a query string, the resulting redirect lacked the original query string.
* Clean up a bit default_response handling and cache format negotiation. | José Valim | 2012-02-04 | 2 | -19/+17
* Fix override API response bug in respond_with | Prem Sichanugrist | 2012-02-03 | 1 | -8/+23
  Default responder was only using the given respond block when user requested for HTML format, or JSON/XML format with valid resource. This fixes the responder so that it will use the given block regardless of the validity of the resource. Note that in this case you'll have to check for object's validity by yourself in the controller.
  Fixes #4796
* example bracket error | Damian Le Nouaille | 2012-01-26 | 1 | -1/+1
* Do not deprecate performed? | José Valim | 2012-01-19 | 2 | -6/+4
* Remove duplicated constant definition | Carlos Antonio da Silva | 2012-01-17 | 1 | -3/+0
  ActionController::ActionControllerError is already defined in action_controller/metal/exceptions.
* Deprecate AC::UnknownError and AC::DoubleRenderError | Carlos Antonio da Silva | 2012-01-17 | 1 | -2/+2
  Use the constants AbstractController::ActionNotFound and AbstractController::DoubleRenderError respectively instead.
* Deprecate default_charset= at controller level | Carlos Antonio da Silva | 2012-01-17 | 1 | -2/+4
* Add some deprecations for logic being removed in 4.0 | Carlos Antonio da Silva | 2012-01-17 | 1 | -2/+15
* Made an example a little more realistic | codesnik | 2012-01-11 | 1 | -1/+1
* Rails initialization with initialize_on_precompile = false should set assets_dir | Santiago Pastorino | 2012-01-10 | 1 | -1/+4