| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
sikachu/permit_all_parameters-thread-safety"
This reverts commit da5cc10e945552da54234f858470238a3fc36767.
Fixes #18091
See also https://github.com/rails/rails/pull/18003#commitcomment-9030909
|
| | |
|
|\ \
| | |
| | |
| | |
| | | |
jethroo/fix/assert_template_with_unsupported_layout_type
assert template should raise ArgumentError for unsupported layout types
|
| |/
| |
| |
| | |
unknown layout type
|
| | |
|
|\ \
| | |
| | | |
Add AC::Parameters#to_unsafe_h
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
As suggested in #16299([1]), this method should be a new public API for
retrieving unfiltered parameters from `ActionController::Parameters`
object, given that `Parameters#to_hash` will no longer work in Rails
5.0+ as we stop inheriting `Parameters` from `Hash`.
[1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
|
|/
|
|
|
|
|
| |
As discussed in #16299[1], this attribute is not thread safe and could
potentially create a security issue.
[1]: https://github.com/rails/rails/pull/16299#discussion_r15424533
|
|
|
|
|
|
|
|
|
| |
The method was added in https://github.com/rails/rails/commit/30d21dfcb7fafe49b3805b8249454485a90097b6#diff-5055d9f16b442adb1d2f0f65903a196bR141.
With the method call in https://github.com/rails/rails/commit/30d21dfcb7fafe49b3805b8249454485a90097b6#diff-cc7bb557df2247c0a42bc180fdb6eb05R47.
Later one more method call was added in https://github.com/rails/rails/commit/401787db4bc428dce88b04e343a64c6a6c3b681c#diff-cc7bb557df2247c0a42bc180fdb6eb05R183.
And both method calls were deleted in https://github.com/rails/rails/commit/3df07d093a1e4207caa63fd2e3b67599211f5800#diff-cc7bb557df2247c0a42bc180fdb6eb05L47 and https://github.com/rails/rails/commit/3df07d093a1e4207caa63fd2e3b67599211f5800#diff-cc7bb557df2247c0a42bc180fdb6eb05L189.
Just do `grep -nr 'await_close' .`.
|
| |
|
|\
| |
| |
| | |
Allow authentication header to not have to specify 'token=' key.
|
| |
| |
| |
| | |
Fixes: https://github.com/rails/rails/issues/17108.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
Reference #17453
|
| |
| |
| |
| |
| |
| |
| |
| | |
I grepped the source code for code snippets wrapped in backticks in the comments
and replaced the backticks with plus signs so they are correctly displayed in
the Rails documentation.
[ci skip]
|
| |
| |
| |
| | |
of ActionDispatch::Request#method to pick up overrides by the middleware
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit f93df52845766216f0fe36a4586f8abad505cac4, reversing
changes made to a455e3f4e9dbfb9630d47878e1239bc424fb7d13.
Conflicts:
actionpack/lib/action_controller/test_case.rb
actionview/lib/action_view/test_case.rb
|
| | |
|
| |
| |
| |
| |
| |
| | |
Follow up to 212057b9. Since that commit, we need to pass the `route_name`
explicitly. This is one of the left-over cases that was not handled in that
commit, which was causing `use_route` to be ignored in functional tests.
|
| |
| |
| |
| |
| | |
of respond_to. respond_with was moved into the responders gem and deprecated
inside rails, so there is no need to mention it within rails itself.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The current style for warning messages without newlines uses
concatenation of string literals with manual trailing spaces
where needed.
Heredocs have better readability, and with `squish` we can still
produce a single line.
This is a similar use case to the one that motivated defining
`strip_heredoc`, heredocs are super clean.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
- Also one minor change for documenting url_for method in ActionController::Metal.
[ci skip]
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Performance optimization: `yield` with an implicit `block` is faster than `block.call`.
See http://youtu.be/fGFM_UrSp70?t=10m35s and the following benchmark:
```ruby
require 'benchmark/ips'
def fast
yield
end
def slow(&block)
block.call
end
Benchmark.ips do |x|
x.report('fast') { fast{} }
x.report('slow') { slow{} }
end
# => fast 154095 i/100ms
# => slow 71454 i/100ms
# =>
# => fast 7511067.8 (±5.0%) i/s - 37445085 in 4.999660s
# => slow 1227576.9 (±6.8%) i/s - 6145044 in 5.028356s
```
|
| |
|
|
|
|
| |
This is to match the changes in Rails Dom Testing rails/rails-dom-testing#20.
|
|\ |
|
| | |
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Renames _handle_render_options to _render_to_body_with_renderer, which is more
intention-revealing.
* The name of the dynamically generated method for a renderer with key :js was
"_render_option_js".
That name is too weak. :js is an option if you see the render argument as just
a generic options hash, but in the context of renderers that's the renderer
key, is what identifies the renderer.
Now "_render_with_renderer_js" is generated instead, which is crystal clear.
* The name of the dynamically generated method for the renderer was constructed
using string literals in a few places. That is now encapsulated in a method.
* Since we were on it, also removed a couple of redundant selfs.
|
|\
| |
| | |
CSRF token mask from breach-mitigation-rails gem
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.
The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.
|
|\ \
| | |
| | | |
Update `ActionController::Parameters` to be more secure on parameters handling
|
| | |
| | |
| | |
| | | |
Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* `each`
* `each_pair`
* `delete`
* `select!`
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is to make sure that `permitted` status is maintained on the
resulting object.
I found these methods that needs to be redefined by looking for
`self.class.new` in the code.
* extract!
* transform_keys
* transform_values
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
|\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
Conflicts:
actionpack/lib/action_controller/metal/mime_responds.rb
actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
activerecord/lib/active_record/type/value.rb
|
| | |
| | |
| | |
| | | |
[skip ci]
|
|\ \ \
| | | |
| | | |
| | | | |
Use #model_name on instances instead of classes
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This allows rails code to be more confdent when asking for a model name, instead of having to ask for the class.
Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
|
|\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
Conflicts:
actionpack/CHANGELOG.md
|
| | | | | |
|
| | | | | |
|