| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Fixes https://github.com/rails/rails/issues/16119.
|
|
|
|
|
|
|
|
| |
The Logger by default includes a guard which checks for the
logging level. By removing the custom logging guards, we can decouple
the logging guard from the logging action to be done.
This also follows the good practice listed on http://guides.rubyonrails.org/debugging_rails_applications.html#impact-of-logs-on-performance.
|
|
|
|
| |
Closes #16170
|
|
|
|
|
|
|
|
|
|
|
|
| |
`render nothing: true` or rendering a `nil` body no longer add a single
space to the response body.
The old behavior was added as a workaround for a bug in an early version of
Safari, where the HTTP headers are not returned correctly if the response
body has a 0-length. This is been fixed since and the workaround is no
longer necessary.
Use `render body: ' '` if the old behavior is desired.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
gcampbell-rosetta_flash
* 'rosetta_flash' of https://github.com/gcampbell/rails:
Address CVE-2014-4671 (JSONP Flash exploit)
Conflicts:
actionpack/CHANGELOG.md
|
| |
| |
| |
| |
| |
| | |
Adds a comment before JSONP callbacks. See
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more
details on the exploit in question.
|
|/ |
|
|\
| |
| | |
Remove symbolized_path_parameters.
|
| |
| |
| |
| | |
This pull request is a continuation of https://github.com/rails/rails/commit/925bd975 and https://github.com/rails/rails/commit/8d8ebe3d.
|
|\ \
| | |
| | | |
Improve token_and_options regex and test
|
| |/
| |
| |
| | |
add a test case to test the regex for the helper method raw_params
|
|/
|
|
|
|
|
| |
The controller can set the response format as 'JSON' before the renderer code be
evaluated, so we must replace it when necessary.
Fixes #15081
|
|\
| |
| |
| |
| |
| | |
Add always permitted parameters as a configurable option.
[Rafael Mendonça França + Gary S. Weaver]
|
| |
| |
| |
| |
| |
| | |
* General style fixes.
* Add changes to configuration guide.
* Add missing tests.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* This commit adds back the always_permitted_parameters
configuration option to strong paramaters.
* The initial pull requests where this feature was added
are the following:
- https://github.com/rails/rails/pull/12682
- https://github.com/rails/strong_parameters/pull/174
|
| |
| |
| |
| |
| | |
Need to add individual `:nodoc:` for nested classes / modules to completely
remove the constants from the API.
|
|\ \
| | |
| | | |
Fix state leak.
|
| | | |
|
| | | |
|
|\ \ \
| | | |
| | | |
| | | | |
ActionController::Parameters#require now accepts FalseClass values
|
|/ / /
| | |
| | |
| | | |
Fixes #15685.
|
|\ \ \
| | | |
| | | | |
Set flash in test session when necessary.
|
| | | |
| | | |
| | | |
| | | | |
`to_session_value` returns nil when empty.
|
| | | | |
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
The 401 status should be set first because setting the response body in
a live controller also closes the response to further changes.
Fixes #14229.
|
| | |
| | |
| | |
| | | |
.. even when the producer is blocked for a write.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We cannot cache keys because arrays are mutable. We rather want to cache
the arrays. This behaviour is tailor-made for the usage pattern strongs
params is designed for.
In a forthcoming commit I am going to add a test that covers why we need
to cache by value.
Every strong params instance has a live span of a request, the cache goes
away with the object. Since strong params have such a concrete intention,
it would be interesting to see if there are actually any real-world use
cases that are an actual leak, one that practically may matter.
I am not convinced that the theoretical leak has any practical consequences,
but if it can be shown there are, then I believe we should either get rid of
the cache (which is an optimization), or else wipe it in the mutating API.
This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b.
|
| | | |
|
|/ / |
|
| |
| |
| | |
Per convention, underscore-only argument names should be used for unused parameters.
|
| |
| |
| |
| |
| |
| | |
memory leak demonstrated on @tenderlove's latest blog post:
http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* constraints:
rm reset_parameters because we automatically do it from 9ca4839a
move path_parameter encoding check to the request object
dispatcher doesn't need `call` anymore
call `serve` with the request on dispatchers
constraints class does not need the request class anymore
give all endpoints a superclass
skip the build business if the stack is empty
stop hardcoding path_parameters and get it from the request
we do not need to cache rack_app
a redirect is not a dispatcher by definition, so eliminate test
push is_a check up to where the Constraints object is allocated
pass the request object to the application
pass a request to `matches?` so we can avoid creating excess requests
nothing is passed to `rack_app` anymore, so rm the params
one fewer is_a check
Constraints#app should never return another Constraints object, so switch to if statement
eliminate dispatcher is_a checks
push is_a?(Dispatcher) check in to one place
Always construct route objects with Constraint objects
Conflicts:
actionpack/lib/action_controller/metal.rb
|
| | | |
|
| | | |
|
|\ \ \
| | | |
| | | | |
Remove duplicated to_s method call.
|
| |/ / |
|
|/ / |
|
| | |
|
| | |
|
| | |
|
| | |
|
|\ \
| | |
| | | |
Check authentication scheme in Basic auth
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`authenticate_with_http_basic` and its families should check the authentication
schema is "Basic".
Different schema, such as OAuth2 Bearer should be rejected by basic auth, but
it was passing as the test shows.
This fixes #10257.
|
| | | |
|
| | |
| | |
| | |
| | | |
'head :ok'
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add controller and action name to the fragment caching instrumentation payload
Conflicts:
actionpack/CHANGELOG.md
|
| | | | |
|
| | | | |
|