| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ActionDispatch::HostAuthorization is a new middleware that prevent
against DNS rebinding and other Host header attacks. By default it is
included only in the development environment with the following
configuration:
Rails.application.config.hosts = [
IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
IPAddr.new("::/0"), # All IPv6 addresses.
"localhost" # The localhost reserved domain.
]
In other environments, `Rails.application.config.hosts` is empty and no
Host header checks will be done. If you want to guard against header
attacks on production, you have to manually permit the allowed hosts
with:
Rails.application.config.hosts << "product.com"
The host of a request is checked against the hosts entries with the case
operator (#===), which lets hosts support entries of type RegExp,
Proc and IPAddr to name a few. Here is an example with a regexp.
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << /.*\.product\.com/
A special case is supported that allows you to permit all sub-domains:
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << ".product.com"
|
| |
|
|
|
|
| |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
| |
|
|
|
|
|
| |
This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing
changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Move system tests back into Action Pack
* Rename `ActionSystemTest` to `ActionDispatch::SystemTestCase`
* Remove private base module and only make file for public
`SystemTestCase` class, name private module `SystemTesting`
* Rename `ActionSystemTestCase` to `ApplicationSystemTestCase`
* Update corresponding documentation and guides
* Delete old `ActionSystemTest` files
|
|
|
|
|
|
|
|
| |
Per https://www.timeanddate.com/counters/firstnewyear.html, it's already
2017 in a lot of places, so we should bump the Rails license years to
2017.
[ci skip]
|
|
|
|
|
|
| |
ActionDispatch::ParamsParser class was removed in favor of
ActionDispatch::Http::Parameters so it is better to move the error
constant to the new class.
|
|
|
|
|
| |
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
|
|
|
|
| |
Only intended to be enabled when in use; by necessity, it sits above any
reasonable access control.
|
|
|
|
|
|
| |
These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDipatch.
|
|
|
|
|
| |
Also, refactor logic to convert between symbol and response code,
via the AssertionResponse class
|
| |
|
|
|
|
|
| |
We don't need to fully disable concurrent requests: just ensure that
loads are performed in isolation.
|
| |
|
|
|
|
| |
See 449039a86d802871b707dfb51ac1ed96d53526f9 for the original commit.
|
| |
|
|
|
|
|
| |
Since it's already required in the file, we don't need to use autoload
too. This commit is symmetrical change to 0b10180 for Response.
|
|
|
|
|
| |
We can just require the file rather than going through the autoload
indirection
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MessageEncryptor has :serializer option, where any serializer object can
be passed. This commit make it possible to set this serializer from configuration
level.
There are predefined serializers (:marshal_serializer, :json_serialzier)
and custom serializer can be passed as String, Symbol (camelized and
constantized in ActionDispatch::Session namepspace) or serializer object.
Default :json_serializer was also added to generators to provide secure
defalt.
|
| |
|
| |
|
|
|
|
| |
Automatically configure cookie-based sessions to use the best cookie jar given the app's config
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Move the Journey code underneath the ActionDispatch namespace so
that we don't pollute the global namespace with names that may
be used for models.
Fixes rails/journey#49.
|
| |
|
|
|
|
|
|
| |
This allows easy upgrading from the old signed Cookie Store <= 3.2
or the deprecated one in 4.0 (the ones that doesn't use key derivation)
to the new one that signs using key derivation
|
| |
|
|
|
|
|
|
| |
AV::Template::Types is a small abstraction to allow to specify template types
that can be used in ActionView. When Action Pack is loaded it's replaced with
Mime::Type.
|
|
|
|
|
|
|
|
| |
default_formats array is used by LookupContext in order to allow
rendering templates when :formats option is not passed. Previously it
was always set to Mime::SET, which created dependency on Action Pack. In
order to remove this dependency, Mime::SET is used only if
ActionController is loaded.
|
|
|
|
|
|
|
| |
The new option allows any Ruby namespace to be registered and set
up for eager load. We are effectively exposing the structure existing
in Rails since v3.0 for all developers in order to make their applications
thread-safe and CoW friendly.
|
|
|
|
|
|
|
|
| |
Since we removed the ActiveModel dependenxy from ActionPack at
166dbaa7526a96fdf046f093f25b0a134b277a68 we don't need to require it
anymore.
Closes #7370
|
| |
|
|
|
|
|
|
|
|
| |
This is a private place to put those AS features that are used
by every component. Nowadays we cherry-pick individual files
wherever they are used, but that it is not worth the effort
for stuff that is going to be loaded for sure sooner or later,
like blank?, autoload, concern, etc.
|
| |
|
| |
|
| |
|
|\
| |
| | |
Updated copyright notices for 2012
|
| | |
|
| | |
|
| |
| |
| |
| | |
set AD::IntegrationTest.app in railtie initializer
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
in a cache.
|