aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller
Commit message (Collapse)AuthorAgeFilesLines
* Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-3/+65
| | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* Merge pull request #16027 from tgxworld/template_assertionsYves Senn2014-08-141-0/+9
|\ | | | | Fixes to ActionController::TemplateAssertions
| * Fix assert_template for files.Guo Xiang Tan2014-08-141-0/+9
| | | | | | | | | | The test was not failing for `assert_template file: nil` when a file has been rendered.
* | [ci skip] correct default cache store classAditya Kapoor2014-08-131-1/+1
|/
* Pass block for logging.Guo Xiang Tan2014-08-091-4/+6
| | | | This follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
* Remove ActionController::RaiseActionExceptions.Guo Xiang Tan2014-08-071-34/+0
| | | | | The latest modification to the code was done in https://github.com/rails/rails/commit/5e3517ea. In Rails 3.2, `ActionController#rescue_action` was deprecated and `rescue_action_without_handler` is no longer being used.
* refactor Redirecting so we do not need a controller instanceAaron Patterson2014-08-061-3/+5
|
* avoid testing only_pathAaron Patterson2014-08-041-2/+1
| | | | | we know that this call only wants the path returned, so lets call a method that returns the path.
* Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-08-021-1/+2
|\ | | | | | | | | Conflicts: guides/source/testing.md
| * copy edits[ci skip]Vijay Dev2014-08-021-3/+1
| |
| * Performed Returns true if redirect/render has happenedGaurish Sharma2014-07-191-1/+4
| |
* | just set the host, no need for another hash allocation / merge!Aaron Patterson2014-08-011-1/+1
| |
* | Simplify code branch, remove #tapCarlos Antonio da Silva2014-07-311-7/+6
| |
* | Avoid a new hash objectCarlos Antonio da Silva2014-07-311-1/+1
| |
* | Fix protect_from_forgery docsDavid Albert2014-07-271-1/+1
| |
* | docs, add ref where to find valid `head` status symbols.Yves Senn2014-07-251-0/+2
| | | | | | | | [ci skip]
* | Bug fix for assert_template when opening a new session.Guo Xiang Tan2014-07-251-5/+9
| | | | | | | | See https://github.com/rails/rails/pull/16234#commitcomment-7115670.
* | Fix AC::TemplateAssertions instance variables not resetting.Guo Xiang Tan2014-07-211-5/+7
| | | | | | | | Fixes https://github.com/rails/rails/issues/16119.
* | Prefer to pass block when logging.Guo Xiang Tan2014-07-181-25/+26
| | | | | | | | | | | | | | | | The Logger by default includes a guard which checks for the logging level. By removing the custom logging guards, we can decouple the logging guard from the logging action to be done. This also follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
* | Don't accept parameters as argument for redirect to [via @homakov]Santiago Pastorino2014-07-161-0/+1
|/ | | | Closes #16170
* Removed single space padding from empty response body.Godfrey Chan2014-07-101-6/+2
| | | | | | | | | | | | `render nothing: true` or rendering a `nil` body no longer add a single space to the response body. The old behavior was added as a workaround for a bug in an early version of Safari, where the HTTP headers are not returned correctly if the response body has a 0-length. This is been fixed since and the workaround is no longer necessary. Use `render body: ' '` if the old behavior is desired.
* Merge branch 'rosetta_flash' of https://github.com/gcampbell/rails into ↵Aaron Patterson2014-07-101-1/+1
|\ | | | | | | | | | | | | | | | | | | gcampbell-rosetta_flash * 'rosetta_flash' of https://github.com/gcampbell/rails: Address CVE-2014-4671 (JSONP Flash exploit) Conflicts: actionpack/CHANGELOG.md
| * Address CVE-2014-4671 (JSONP Flash exploit)Greg Campbell2014-07-091-1/+1
| | | | | | | | | | | | Adds a comment before JSONP callbacks. See http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more details on the exploit in question.
* | Reduce number of subscriptions created.Guo Xiang Tan2014-07-081-17/+13
|/
* Merge pull request #16013 from tgxworld/remove_symbolized_path_parametersRafael Mendonça França2014-07-041-1/+0
|\ | | | | Remove symbolized_path_parameters.
| * Remove symbolized_path_parameters.Guo Xiang Tan2014-07-021-1/+0
| | | | | | | | This pull request is a continuation of https://github.com/rails/rails/commit/925bd975 and https://github.com/rails/rails/commit/8d8ebe3d.
* | Merge pull request #16011 from xjlu/token_and_optionsRafael Mendonça França2014-07-041-1/+1
|\ \ | | | | | | Improve token_and_options regex and test
| * | Improve token_and_options regex and testXinjiang Lu2014-07-011-1/+1
| |/ | | | | | | add a test case to test the regex for the helper method raw_params
* / Change the JSON renderer to enforce the 'JS' Content TypeLucas Mazza2014-07-021-1/+4
|/ | | | | | | The controller can set the response format as 'JSON' before the renderer code be evaluated, so we must replace it when necessary. Fixes #15081
* Merge pull request #15933 from rafael/masterRafael Mendonça França2014-06-272-5/+24
|\ | | | | | | | | | | Add always permitted parameters as a configurable option. [Rafael Mendonça França + Gary S. Weaver]
| * Improvements per code review.Rafael Chacón2014-06-271-4/+3
| | | | | | | | | | | | * General style fixes. * Add changes to configuration guide. * Add missing tests.
| * Add always_permitted_parameters as an option.Rafael Chacón2014-06-262-5/+25
| | | | | | | | | | | | | | | | | | * This commit adds back the always_permitted_parameters configuration option to strong paramaters. * The initial pull requests where this feature was added are the following: - https://github.com/rails/rails/pull/12682 - https://github.com/rails/strong_parameters/pull/174
* | `:nodoc: all` does not remove the constants from the API. [ci skip]Yves Senn2014-06-241-1/+1
| | | | | | | | | | Need to add individual `:nodoc:` for nested classes / modules to completely remove the constants from the API.
* | Merge pull request #15537 from tgxworld/fix_state_leakMatthew Draper2014-06-201-1/+0
|\ \ | | | | | | Fix state leak.
| * | Prevent state leak.Guo Xiang Tan2014-06-051-1/+0
| | |
* | | [ci skip] /javascript/ ~> JavaScriptAditya Kapoor2014-06-171-3/+3
| | |
* | | Merge pull request #15692 from sromano/falseClassMatthew Draper2014-06-141-1/+6
|\ \ \ | | | | | | | | | | | | ActionController::Parameters#require now accepts FalseClass values
| * | | ActionController::Parameters#require now accepts FalseClass valuesSergio Romano2014-06-131-0/+1
|/ / / | | | | | | | | | Fixes #15685.
* | | Merge pull request #15682 from tgxworld/controller_test_processRafael Mendonça França2014-06-131-2/+5
|\ \ \ | | | | | | | | Set flash in test session when necessary.
| * | | Set flash in test session when necessary.Guo Xiang Tan2014-06-121-2/+5
| | | | | | | | | | | | | | | | `to_session_value` returns nil when empty.
* | | | Fix parsed token value with header `Authorization token=`.Larry Lv2014-06-131-2/+2
| | | |
* | | | Set the status before of setting the response bodyGuillermo Iguaran2014-06-131-2/+2
|/ / / | | | | | | | | | | | | | | | | | | The 401 status should be set first because setting the response body in a live controller also closes the response to further changes. Fixes #14229.
* | | Handle client disconnect during live streamingMatthew Draper2014-06-081-0/+48
| | | | | | | | | | | | .. even when the producer is blocked for a write.
* | | adds some details to the rationale of converted_arrays [ci skip]Xavier Noria2014-06-071-0/+4
| | |
* | | Revert "Convert StrongParameters cache to a hash. This fixes an unbounded"Xavier Noria2014-06-071-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We cannot cache keys because arrays are mutable. We rather want to cache the arrays. This behaviour is tailor-made for the usage pattern strongs params is designed for. In a forthcoming commit I am going to add a test that covers why we need to cache by value. Every strong params instance has a live span of a request, the cache goes away with the object. Since strong params have such a concrete intention, it would be interesting to see if there are actually any real-world use cases that are an actual leak, one that practically may matter. I am not convinced that the theoretical leak has any practical consequences, but if it can be shown there are, then I believe we should either get rid of the cache (which is an optimization), or else wipe it in the mutating API. This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b.
* | | [ci skip] Fix capitalizationAkshay Vishnoi2014-06-071-1/+1
| | |
* | | eliminate wasteful AS::SafeBuffer allocationAaron Patterson2014-06-061-1/+1
|/ /
* | Avoid misuse of underscore argumentCorey Ward2014-06-051-2/+2
| | | | | | Per convention, underscore-only argument names should be used for unused parameters.
* | Convert StrongParameters cache to a hash. This fixes an unboundedRyan Davis2014-06-031-6/+6
| | | | | | | | | | | | memory leak demonstrated on @tenderlove's latest blog post: http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html
* | Merge branch 'constraints'Aaron Patterson2014-05-271-3/+8
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * constraints: rm reset_parameters because we automatically do it from 9ca4839a move path_parameter encoding check to the request object dispatcher doesn't need `call` anymore call `serve` with the request on dispatchers constraints class does not need the request class anymore give all endpoints a superclass skip the build business if the stack is empty stop hardcoding path_parameters and get it from the request we do not need to cache rack_app a redirect is not a dispatcher by definition, so eliminate test push is_a check up to where the Constraints object is allocated pass the request object to the application pass a request to `matches?` so we can avoid creating excess requests nothing is passed to `rack_app` anymore, so rm the params one fewer is_a check Constraints#app should never return another Constraints object, so switch to if statement eliminate dispatcher is_a checks push is_a?(Dispatcher) check in to one place Always construct route objects with Constraint objects Conflicts: actionpack/lib/action_controller/metal.rb
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 06:29:15 +0000