|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| |\  
| | 
| | 
| | 
| | 
| | 
| | 
| | | Loofah-integration
Conflicts:
	actionpack/CHANGELOG.md
	actionview/CHANGELOG.md | 
| | | 
| | 
| | 
| | | Rails::Dom::Testing::Assertions there as well. | 
| | | |  | 
| | | 
| | 
| | 
| | | abstract_unit.rb. | 
| | | |  | 
| | | |  | 
| |\ \  
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | | gcampbell-rosetta_flash
* 'rosetta_flash' of https://github.com/gcampbell/rails:
  Address CVE-2014-4671 (JSONP Flash exploit)
Conflicts:
	actionpack/CHANGELOG.md | 
| | | | 
| | | 
| | | 
| | | 
| | | 
| | | | Adds a comment before JSONP callbacks. See
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more
details on the exploit in question. | 
| |/ / |  | 
| |\ \  
| | | 
| | | | Remove symbolized_path_parameters. | 
| | | | 
| | | 
| | | 
| | | | This pull request is a continuation of https://github.com/rails/rails/commit/925bd975 and https://github.com/rails/rails/commit/8d8ebe3d. | 
| |\ \ \  
| | | | 
| | | | | Improve token_and_options regex and test | 
| | |/ /  
| | |   
| | |   
| | | | add a test case to test the regex for the helper method raw_params | 
| |/ /  
| |   
| |   
| |   
| |   
| |   
| | | The controller can set the response format as 'JSON' before the renderer code be
evaluated, so we must replace it when necessary.
Fixes #15081 | 
| |\ \  
| | | 
| | | 
| | | 
| | | 
| | | | Add always permitted parameters as a configurable option.
[Rafael Mendonça França + Gary S. Weaver] | 
| | | | 
| | | 
| | | 
| | | 
| | | 
| | | | * General style fixes.
* Add changes to configuration guide.
* Add missing tests. | 
| | | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | | * This commit adds back the always_permitted_parameters
  configuration option to strong paramaters.
* The initial pull requests where this feature was added
  are the following:
  - https://github.com/rails/rails/pull/12682
  - https://github.com/rails/strong_parameters/pull/174 | 
| | | | 
| | | 
| | | 
| | | 
| | | | Need to add individual `:nodoc:` for nested classes / modules to completely
remove the constants from the API. | 
| |\ \ \  
| | | | 
| | | | | Fix state leak. | 
| | | | | |  | 
| | | | | |  | 
| |\ \ \ \  
| | | | | 
| | | | | 
| | | | | | ActionController::Parameters#require now accepts FalseClass values | 
| |/ / / /  
| | | |   
| | | |   
| | | | | Fixes #15685. | 
| |\ \ \ \  
| | | | | 
| | | | | | Set flash in test session when necessary. | 
| | | |_|/  
| |/| |   
| | | |   
| | | | | `to_session_value` returns nil when empty. | 
| | | | | |  | 
| |/ / /  
| | |   
| | |   
| | |   
| | |   
| | |   
| | | | The 401 status should be set first because setting the response body in
a live controller also closes the response to further changes.
Fixes #14229. | 
| | | | 
| | | 
| | | 
| | | | .. even when the producer is blocked for a write. | 
| | | | |  | 
| | | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | | We cannot cache keys because arrays are mutable. We rather want to cache
the arrays. This behaviour is tailor-made for the usage pattern strongs
params is designed for.
In a forthcoming commit I am going to add a test that covers why we need
to cache by value.
Every strong params instance has a live span of a request, the cache goes
away with the object. Since strong params have such a concrete intention,
it would be interesting to see if there are actually any real-world use
cases that are an actual leak, one that practically may matter.
I am not convinced that the theoretical leak has any practical consequences,
but if it can be shown there are, then I believe we should either get rid of
the cache (which is an optimization), or else wipe it in the mutating API.
This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b. | 
| | | | |  | 
| |/ / |  | 
| | | 
| | 
| | | Per convention, underscore-only argument names should be used for unused parameters. | 
| | | 
| | 
| | 
| | 
| | 
| | | memory leak demonstrated on @tenderlove's latest blog post:
http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html | 
| |\ \  
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | | * constraints:
  rm reset_parameters because we automatically do it from 9ca4839a
  move path_parameter encoding check to the request object
  dispatcher doesn't need `call` anymore
  call `serve` with the request on dispatchers
  constraints class does not need the request class anymore
  give all endpoints a superclass
  skip the build business if the stack is empty
  stop hardcoding path_parameters and get it from the request
  we do not need to cache rack_app
  a redirect is not a dispatcher by definition, so eliminate test
  push is_a check up to where the Constraints object is allocated
  pass the request object to the application
  pass a request to `matches?` so we can avoid creating excess requests
  nothing is passed to `rack_app` anymore, so rm the params
  one fewer is_a check
  Constraints#app should never return another Constraints object, so switch to if statement
  eliminate dispatcher is_a checks
  push is_a?(Dispatcher) check in to one place
  Always construct route objects with Constraint objects
Conflicts:
	actionpack/lib/action_controller/metal.rb | 
| | | | |  | 
| | | | |  | 
| |\ \ \  
| | | | 
| | | | | Remove duplicated to_s method call. | 
| | |/ / |  | 
| |/ / |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| | | |  | 
| |\ \  
| | | 
| | | | Check authentication scheme in Basic auth | 
| | | | |  | 
| | | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | 
| | | | `authenticate_with_http_basic` and its families should check the authentication
schema is "Basic".
Different schema, such as OAuth2 Bearer should be rejected by basic auth, but
it was passing as the test shows.
This fixes #10257. | 
| | | | |  | 
| | | | 
| | | 
| | | 
| | | | 'head :ok' | 
| |\ \ \  
| | | | 
| | | | 
| | | | 
| | | | 
| | | | 
| | | | | Add controller and action name to the fragment caching instrumentation payload
Conflicts:
	actionpack/CHANGELOG.md |