path: root/actionpack/lib/action_controller
Commit message    Author    Age    Files    Lines
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-191-3/+65
|\
| |     CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-3/+65
| |     This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack.
| |
| |     The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
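Added example, not code from Rails or the breach-mitigation-rails gem: the masking scheme the commit above describes, with a fresh one-time pad per response, and the unmask-and-compare step the server runs on the submitted value. The 32-byte token length, the method names and the constant-time compare helper are this example's own assumptions.

```ruby
require 'securerandom'
require 'base64'

# Added example, not the Rails or breach-mitigation-rails implementation.
TOKEN_LENGTH = 32 # bytes of raw authenticity token kept in the session (assumed)

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask the session's raw token with a fresh random pad. The pad travels next to
# the XORed token, so the page never contains the raw token bytes and two
# responses never carry the same masked value: a BREACH-style compression
# oracle has no fixed secret in the body to converge on.
def mask_token(raw_token, pad = SecureRandom.random_bytes(TOKEN_LENGTH))
  unless raw_token.bytesize == TOKEN_LENGTH && pad.bytesize == TOKEN_LENGTH
    raise ArgumentError, "token and pad must be #{TOKEN_LENGTH} bytes"
  end
  Base64.strict_encode64(pad + xor_byte_strings(pad, raw_token))
end

# Recover the raw token from a masked one; nil for anything malformed.
def unmask_token(masked)
  decoded = Base64.strict_decode64(masked.to_s)
  return nil unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded.byteslice(0, TOKEN_LENGTH)
  encrypted = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  xor_byte_strings(pad, encrypted)
rescue ArgumentError # strict_decode64 rejects input that is not base64
  nil
end

# Constant-time byte comparison so the verdict does not leak through timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the server does with the value posted back from the form.
def valid_token?(session_token, submitted_masked_token)
  secure_compare(session_token, unmask_token(submitted_masked_token))
end
```

The masked value is twice the raw token length because the pad is shipped with it; the server needs no state beyond the raw session token, and a client that forgets the mask and posts garbage simply fails the length check.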
* | Merge pull request #16299 from sikachu/ps-safer-ac-paramsJeremy Kemper2014-08-191-3/+84
|\ \
| | |     Update `ActionController::Parameters` to be more secure on parameters handling
| * | User `#to_hash` instead of calling `super`Prem Sichanugrist2014-08-181-1/+1
| | |     Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | Fix failing test on several methods on ParameterPrem Sichanugrist2014-08-181-1/+25
| | |     * `each`
| | |     * `each_pair`
| | |     * `delete`
| | |     * `select!`
| * | Refactor code to reduce duplicate `self.class.new`Prem Sichanugrist2014-08-181-12/+10
| | |
| * | Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-181-0/+40
| | |     This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that need to be redefined by looking for `self.class.new` in the code.
| | |
| | |     * extract!
| | |     * transform_keys
| | |     * transform_values
| * | Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-181-0/+19
| | |     `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status.
| | |
| | |     If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`.
| | |
| | |         params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
| | |         params.to_h # => {}
| | |
| | |         unsafe_params = params.dup.permit!
| | |         unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
| | |
| | |         safe_params = params.permit(:name)
| | |         safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
| | |
| | |     This change is considered a stopgap as we cannot change the code to stop `ActionController::Parameters` from inheriting from `HashWithIndifferentAccess` in the next minor release.
| | |
| | |     Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inherit from `HashWithIndifferentAccess` in the next major version.
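Added example covering the two commits above ("Add missing `Hash` methods" and "Make `AC::Params#to_h` return Hash with safe keys"); it is not `ActionController::Parameters` and does not inherit from `HashWithIndifferentAccess`. It is a minimal parameters object whose Hash-like methods return the same class so the permitted flag is never lost, and whose `to_h` only releases permitted keys. The class name `SafeParams` and its internals are this example's own assumptions.

```ruby
# Added example, not Rails code: permitted status carried through derived objects.
class SafeParams
  def initialize(hash = {}, permitted = false)
    @hash = {}
    hash.each { |k, v| @hash[k.to_s] = v } # indifferent access: keys become strings
    @permitted = permitted
  end

  # dup must not share the underlying Hash, or permit! on a copy would leak mutations
  def initialize_copy(source)
    super
    @hash = @hash.dup
  end

  def permitted?
    @permitted
  end

  def [](key)
    @hash[key.to_s]
  end

  # Whitelist: the result holds only the named keys and is permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    new_instance(@hash.select { |k, _| allowed.include?(k) }, true)
  end

  # Mark everything as permitted; the caller takes responsibility.
  def permit!
    @permitted = true
    self
  end

  # The methods the commit lists: each returns a SafeParams, never a bare Hash,
  # so permitted? cannot be dropped by accident on the way to mass assignment.
  def transform_keys(&block)
    new_instance(@hash.transform_keys(&block))
  end

  def transform_values(&block)
    new_instance(@hash.transform_values(&block))
  end

  def select(&block)
    new_instance(@hash.select(&block))
  end

  def extract!(*keys)
    taken = {}
    keys.map(&:to_s).each { |k| taken[k] = @hash.delete(k) if @hash.key?(k) }
    new_instance(taken)
  end

  # A plain Hash only for permitted parameters; unpermitted input yields {} so
  # Model.new(params.to_h) receives nothing it was not allowed to receive.
  def to_h
    permitted? ? @hash.dup : {}
  end

  private

  # Every derived object inherits the current permitted status unless told otherwise.
  def new_instance(hash, permitted = @permitted)
    self.class.new(hash, permitted)
  end
end
```

The only place the flag is set to true is `permit` (for the whitelisted subset) and `permit!`; every other constructor path copies the existing value, which is the invariant the real class had to restore method by method.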
* | | Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-08-191-2/+2
|\ \ \
| |/ /
|/| |
| | |     Conflicts:
| | |         actionpack/lib/action_controller/metal/mime_responds.rb
| | |         actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
| | |         activerecord/lib/active_record/type/value.rb
| * | Uppercase HTML in docs.Hendy Tanata2014-08-082-9/+9
| | |     [skip ci]
* | | Merge pull request #15889 from carnesmedia/model-nameRafael Mendonça França2014-08-171-1/+1
|\ \ \
| | | |     Use #model_name on instances instead of classes
| * | | Use #model_name on instances instead of classesAmiel Martin2014-06-241-1/+1
| | | |     This allows rails code to be more confident when asking for a model name, instead of having to ask for the class.
| | | |
| | | |     Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
* | | | Merge branch 'master' into loofahRafael Mendonça França2014-08-177-531/+109
|\ \ \ \
| | | | |     Conflicts:
| | | | |         actionpack/CHANGELOG.md
| * | | | `responders` 1.x won't do it. Told you to RTFM for details!Godfrey Chan2014-08-171-3/+6
| | | | |
| * | | | The gem is called 'responders'Godfrey Chan2014-08-171-2/+2
| | | | |
| * | | | Raise a more helpful error for people who are using these extracted featuresGodfrey Chan2014-08-171-1/+16
| | | | |
| * | | | Move respond_with to the responders gemJosé Valim2014-08-172-528/+3
| | | | |     respond_with (and consequently the class-level respond_to) are being removed from Rails. Instead of moving it to a 3rd library, the functionality will be moved to the responders gem (at github.com/plataformatec/responders) which already provides some responders extensions.
| * | | | When your templates change, browser caches bust automatically.Jeremy Kemper2014-08-173-6/+82
| | |_|/
| |/| |
| | | |     New default: the template digest is automatically included in your ETags. When you call `fresh_when @post`, the digest for `posts/show.html.erb` is mixed in so future changes to the HTML will blow HTTP caches for you. This makes it easy to HTTP-cache many more of your actions.
| | | |
| | | |     If you render a different template, you can now pass the `:template` option to include its digest instead:
| | | |
| | | |         fresh_when @post, template: 'widgets/show'
| | | |
| | | |     Pass `template: false` to skip the lookup. To turn this off entirely, set:
| | | |
| | | |         config.action_controller.etag_with_template_digest = false
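Added example, not Rails' `etag_with_template_digest` code: an ETag that mixes the rendered template's digest into the record's cache key, and the conditional-GET decision `fresh_when` makes with it, including the `template:` override and `template: false`. The in-memory `TEMPLATES` table, the `record_key` string standing in for `@post.cache_key`, and the method names are constructed for this example.

```ruby
require 'digest'

# Added example, not the Rails implementation.

# Constructed sample templates keyed by virtual path (in Rails these live on disk).
TEMPLATES = {
  'posts/show'   => '<h1><%= @post.title %></h1>',
  'widgets/show' => '<div class="widget"><%= @post.title %></div>',
}.freeze

def template_digest(virtual_path, templates = TEMPLATES)
  Digest::MD5.hexdigest(templates.fetch(virtual_path))
end

# record_key stands in for @post.cache_key (class, id, updated_at).
# template: nil  -> use the action's default template
# template: false -> skip the template digest entirely
# template: 'x/y' -> use that template's digest instead
def etag_for(record_key, default_template:, template: nil, templates: TEMPLATES)
  chosen = template.nil? ? default_template : template
  parts = [record_key]
  parts << template_digest(chosen, templates) if chosen
  %("#{Digest::SHA256.hexdigest(parts.join('/'))}")
end

# Returns [status, headers]. 304 only when one of the ETags the client sent in
# If-None-Match equals the ETag computed right now; an edited template changes
# the ETag, so a client holding the old one gets a full 200 response.
def fresh_when(record_key, if_none_match:, default_template:, template: nil, templates: TEMPLATES)
  etag = etag_for(record_key, default_template: default_template,
                              template: template, templates: templates)
  client_tags = if_none_match.to_s.split(',').map(&:strip)
  status = client_tags.include?(etag) ? 304 : 200
  [status, { 'ETag' => etag }]
end
```

Without the template digest, a deploy that changes `posts/show.html.erb` but touches no post row leaves every cached copy "fresh" until the row is updated; with it, the deploy invalidates them on the next request.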
| * | | Merge pull request #16027 from tgxworld/template_assertionsYves Senn2014-08-141-0/+9
| |\ \ \
| | | | |     Fixes to ActionController::TemplateAssertions
| | * | | Fix assert_template for files.Guo Xiang Tan2014-08-141-0/+9
| | | | |     The test was not failing for `assert_template file: nil` when a file has been rendered.
| * | | | [ci skip] correct default cache store classAditya Kapoor2014-08-131-1/+1
| |/ / /
* | | | Merge branch 'master' into loofahRafael Mendonça França2014-08-1210-92/+67
|\| | |
| | | |     Conflicts:
| | | |         actionpack/CHANGELOG.md
| | | |         actionpack/test/controller/integration_test.rb
| | | |         actionview/CHANGELOG.md
| * | | Pass block for logging.Guo Xiang Tan2014-08-091-4/+6
| | | |     This follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
| * | | Remove ActionController::RaiseActionExceptions.Guo Xiang Tan2014-08-071-34/+0
| | | |     The latest modification to the code was done in https://github.com/rails/rails/commit/5e3517ea. In Rails 3.2, `ActionController#rescue_action` was deprecated and `rescue_action_without_handler` is no longer being used.
| * | | refactor Redirecting so we do not need a controller instanceAaron Patterson2014-08-061-3/+5
| | | |
| * | | avoid testing only_pathAaron Patterson2014-08-041-2/+1
| | |/
| |/|
| | |     we know that this call only wants the path returned, so let's call a method that returns the path.
| * | Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-08-021-1/+2
| |\ \
| | | |     Conflicts:
| | | |         guides/source/testing.md
| | * | copy edits[ci skip]Vijay Dev2014-08-021-3/+1
| | | |
| | * | Performed Returns true if redirect/render has happenedGaurish Sharma2014-07-191-1/+4
| | | |
| * | | just set the host, no need for another hash allocation / merge!Aaron Patterson2014-08-011-1/+1
| | | |
| * | | Simplify code branch, remove #tapCarlos Antonio da Silva2014-07-311-7/+6
| | | |
| * | | Avoid a new hash objectCarlos Antonio da Silva2014-07-311-1/+1
| | | |
| * | | Fix protect_from_forgery docsDavid Albert2014-07-271-1/+1
| | | |
| * | | docs, add ref where to find valid `head` status symbols.Yves Senn2014-07-251-0/+2
| | | |     [ci skip]
| * | | Bug fix for assert_template when opening a new session.Guo Xiang Tan2014-07-251-5/+9
| | | |     See https://github.com/rails/rails/pull/16234#commitcomment-7115670.
| * | | Fix AC::TemplateAssertions instance variables not resetting.Guo Xiang Tan2014-07-211-5/+7
| | | |     Fixes https://github.com/rails/rails/issues/16119.
| * | | Prefer to pass block when logging.Guo Xiang Tan2014-07-181-25/+26
| | | |     The Logger by default includes a guard which checks for the logging level. By removing the custom logging guards, we can decouple the logging guard from the logging action to be done.
| | | |
| | | |     This also follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
| * | | Don't accept parameters as argument for redirect to [via @homakov]Santiago Pastorino2014-07-161-0/+1
| |/ /
| | |     Closes #16170
| * | Removed single space padding from empty response body.Godfrey Chan2014-07-101-6/+2
| | |     `render nothing: true` or rendering a `nil` body no longer adds a single space to the response body.
| | |
| | |     The old behavior was added as a workaround for a bug in an early version of Safari, where the HTTP headers are not returned correctly if the response body has a 0-length. This has since been fixed and the workaround is no longer necessary.
| | |
| | |     Use `render body: ' '` if the old behavior is desired.
* | | We don't need loofah for the assertionsRafael Mendonça França2014-07-151-1/+0
| | |     We can just use nokogiri
* | | Merge pull request #11218 from kaspth/loofah-integrationRafael Mendonça França2014-07-101-0/+9
|\ \ \
| |/ /
|/| |
| | |     Loofah-integration
| | |
| | |     Conflicts:
| | |         actionpack/CHANGELOG.md
| | |         actionview/CHANGELOG.md
| * | Moved html_document to ActionDispatch::Assertions. Included the Rails::Dom::Testing::Assertions there as well.Timm2014-06-161-6/+1
| * | Support for changes in SelectorAssertions.Timm2014-06-161-0/+14
| | |
| * | Moved ActionView::Assertions dependency from Action Pack's lib to abstract_unit.rb.Timm2014-06-161-2/+0
| * | Require ActionView::Assertions in ActionController test_case.rb.Timm2014-06-161-0/+1
| | |
| * | Moved Dom and Selector assertions from ActionDispatch to ActionView.Timm2014-06-161-0/+1
| | |
* | | Merge branch 'rosetta_flash' of https://github.com/gcampbell/rails into gcampbell-rosetta_flashAaron Patterson2014-07-101-1/+1
|\ \ \
| | | |     * 'rosetta_flash' of https://github.com/gcampbell/rails:
| | | |       Address CVE-2014-4671 (JSONP Flash exploit)
| | | |
| | | |     Conflicts:
| | | |         actionpack/CHANGELOG.md
| * | | Address CVE-2014-4671 (JSONP Flash exploit)Greg Campbell2014-07-091-1/+1
| | | |     Adds a comment before JSONP callbacks. See http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more details on the exploit in question.
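Added example, not the one-line Rails patch itself: a JSONP body built the way the CVE-2014-4671 fix describes, with a comment placed before the callback so the response can never begin with attacker-chosen bytes. The callback whitelist is an extra hardening step this example adds on its own (the commit only adds the comment); the regex, method names and the Rack-style response triple are this example's assumptions.

```ruby
require 'json'

# Added example, not the Rails patch. Rosetta Flash relies on the JSONP response
# starting with bytes the attacker chose via the callback parameter (an SWF
# header such as "CWS"); a fixed "/**/" prefix makes the first bytes constant.
CALLBACK_RE = /\A[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*\z/ # assumed whitelist

def jsonp_body(data, callback)
  unless CALLBACK_RE.match?(callback.to_s)
    raise ArgumentError, 'invalid JSONP callback'
  end
  "/**/#{callback}(#{JSON.generate(data)})"
end

# Rack-style [status, headers, body] for a JSONP request.
def jsonp_response(data, callback)
  [200, { 'Content-Type' => 'application/javascript; charset=utf-8' },
   jsonp_body(data, callback)]
end
```

The comment alone is what the CVE fix needs; the whitelist additionally stops callbacks like `alert(1);//` from turning the endpoint into a script injection vector, which is a separate problem from the Flash one.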
* | | | Reduce number of subscriptions created.Guo Xiang Tan2014-07-081-17/+13
|/ / /
* | | Merge pull request #16013 from tgxworld/remove_symbolized_path_parametersRafael Mendonça França2014-07-041-1/+0
|\ \ \
| | | |     Remove symbolized_path_parameters.