aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch/http/request.rb
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch '3-2-sec' into 3-2-secmergeAaron Patterson2013-01-081-6/+4
|\ | | | | | | | | | | | | | | | | | | | | | | | | * 3-2-sec: bumping version CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu Avoid Rack security warning no secret provided Conflicts: actionpack/CHANGELOG.md activerecord/CHANGELOG.md activesupport/CHANGELOG.md
| * * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * ↵Aaron Patterson2013-01-081-6/+4
| | | | | | | | dealing with empty hashes. Thanks Damien Mathieu
* | Merge pull request #8490 from mattv/fix_request_raw_postRafael Mendonça França2012-12-111-2/+3
|/ | | | | | Fix rewinding in ActionDispatch::Request#raw_post Conflicts: actionpack/CHANGELOG.md
* Array parameters should not contain nil values.Aaron Patterson2012-06-111-2/+4
|
* Strip [nil] from parameters hash.Aaron Patterson2012-05-301-0/+22
| | | | | | Thanks to Ben Murphy for reporting this! CVE-2012-2660
* Add original_fullpath and original_url methods to RequestPiotr Sarnacki2012-01-101-0/+8
|
* Remove dead broken code from AD::RequestJosé Valim2011-12-081-8/+0
|
* Fix ActionDispatch::Request method explanationsTravis Pew2011-11-281-5/+5
| | | | | | | | The methods, "post?", "put?", "head?", etc. contain an incorrect explanation. They state that they are equivalent to request_method == :type, but this is not accurate because the methods convert the string to a symbol. They are actually equivalent to: request_method_symbol == :type
* refactor RemoteIp middlewareAndre Arko2011-11-111-18/+1
| | | | | | | | | | | - return the last forwarded IP before REMOTE_ADDR to handle proxies - remove completely superfluous RemoteIpGetter class - remove duplication of trusted proxies regexp - remove unused constant from Request - move comments from Request to where they are actually relevant - edit comments for clarity of purpose The original code (confusingly) tried to return REMOTE_ADDR both at the beginning and the end of the chain of options. Since REMOTE_ADDR is _always_ set, this is kind of silly. This change leaves REMOTE_ADDR as the last option, so that proxied requests will be assigned the correct remote IP address.
* Added X-Request-Id tracking and TaggedLogging to easily log that and other ↵David Heinemeier Hansson2011-10-191-0/+10
| | | | production concerns
* document meta methodVijay Dev2011-08-041-3/+3
|
* TODO fix explicitly loading exceptations, autoload removedVishnu Atrai2011-07-111-0/+1
|
* Merge branch 'master' of git://github.com/lifo/docrailsXavier Noria2011-05-251-3/+3
|\ | | | | | | | | | | Conflicts: actionmailer/lib/action_mailer/base.rb activesupport/lib/active_support/core_ext/kernel/requires.rb
| * Remove extra white spaces on ActionPack docs.Sebastian Martinez2011-05-231-3/+3
| |
* | removed deprecated methods, and related tests, from ActionPackJosh Kalderimis2011-05-241-7/+1
|/
* Only show dump of regular env methods on exception screen (not all the rack ↵David Heinemeier Hansson2011-05-041-4/+5
| | | | crap) [DHH]
* Add missing deprecation requireCarlos Antonio da Silva2011-02-111-0/+1
| | | | Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
* Change the CSRF whitelisting to only apply to get requestsMichael Koziarski2011-02-081-1/+2
| | | | | | | | Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
* Add additional HTTP request methods from the following RFCs:Andrew White2010-11-021-2/+19
| | | | | | | | | | | | | | | | | | | | | | | | | * Hypertext Transfer Protocol -- HTTP/1.1 http://www.ietf.org/rfc/rfc2616.txt) * HTTP Extensions for Distributed Authoring -- WEBDAV http://www.ietf.org/rfc/rfc2518.txt * Versioning Extensions to WebDAV http://www.ietf.org/rfc/rfc3253.txt * Ordered Collections Protocol (WebDAV) http://www.ietf.org/rfc/rfc3648.txt * Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol http://www.ietf.org/rfc/rfc3744.txt * Web Distributed Authoring and Versioning (WebDAV) SEARCH http://www.ietf.org/rfc/rfc5323.txt * PATCH Method for HTTP http://www.ietf.org/rfc/rfc5789.txt [#2809 state:resolved] [#5895 state:resolved]
* make sure request parameters are accessible after rack throws an exception ↵Miles Egan2010-10-121-2/+2
| | | | | | parsing the query string [#3030 state:resolved] Signed-off-by: José Valim <jose.valim@gmail.com>
* Solve some warnings and a failing test.José Valim2010-10-031-1/+1
|
* dry up method checking in the request objectAaron Patterson2010-09-291-10/+9
|
* removes /i from the TRUSTED_PROXIES regexp, adds /x and comments for ↵Xavier Noria2010-09-121-2/+10
| | | | readability, adds a pointer to a Wikipedia section that documents the matched IPs
* gets rid of a double negation, no need to force exactly true/false in a ↵Xavier Noria2010-09-121-4/+4
| | | | predicate
* Revert "Setup explicit requires for files with exceptions. Removed them from ↵José Valim2010-09-021-1/+0
| | | | | | | | autoloading." Booting a new Rails application does not work after this commit [#5359 state:open] This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
* Setup explicit requires for files with exceptions. Removed them from ↵Łukasz Strzałkowski2010-09-021-0/+1
| | | | | | autoloading. Signed-off-by: José Valim <jose.valim@gmail.com>
* Moves local_request? to require.local?Santiago Pastorino2010-08-131-0/+7
| | | | [#5361 state:committed]
* Just reading flash messages should not create a session if one does not ↵José Valim2010-06-251-0/+3
| | | | exist yet.
* Sessions should not be created until written to and session data should be ↵Michael Lovitt2010-06-231-1/+1
| | | | | | | | destroyed on reset. [#4938] Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* remove executable permission from files that don't need it. [#4802 ↵rohit2010-06-201-0/+0
| | | | | | state:resolved] Signed-off-by: José Valim <jose.valim@gmail.com>
* Improve performance of commonly used request methodswycats2010-06-041-7/+19
|
* * Change the object used in routing constraints to be an instance ofwycats2010-04-031-21/+39
| | | | | | | | | | | ActionDispatch::Request rather than Rack::Request. * Changed ActionDispatch::Request#method to return a String, to be compatible with the Rack::Request superclass. * Changed ActionDispatch::Request#method to return the original method in the case of methodoverride and #request_method not to, to be compatible with Rack::Request
* Request#content_type exists in Rack::Request, and other parts of ↵wycats2010-03-281-3/+3
| | | | | | Rack::Request expect it to return a String. Split the Rails API so that Request#content_type returns a String, and Request#content_mime_type returns a Mime::Type object.
* Add memoizing to AD::RequestCarlhuda2010-03-081-0/+8
|
* Move remote_ip to a middleware:Carlhuda2010-03-031-30/+1
| | | | | * ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check * ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies
* Tidy up new filter_parameters implementation.José Valim2010-01-211-1/+1
|
* Move filter_parameter_logging logic out of the controller and create ↵Prem Sichanugrist2010-01-211-0/+1
| | | | | | ActionDispatch::ParametersFilter to handle parameter filteration instead. This will make filteration not depending on controller anymore. Signed-off-by: José Valim <jose.valim@gmail.com>
* Split ActionDispatch http in smaller chunks.José Valim2010-01-161-352/+27
|
* Move Flash into middlewareJoshua Peek2010-01-151-4/+0
|
* Make HEAD method masquerade as GET so requests are routed correctlyJoshua Peek2010-01-151-5/+7
|
* Referer and user agent are in Rack::RequestJoshua Peek2009-12-221-1/+1
|
* Added ActionDispatch::Request#authorization to access the http ↵David Heinemeier Hansson2009-12-201-0/+9
| | | | authentication header regardless of its proxy hiding [DHH]
* Allow autoloads to opt out of eager loadingJoshua Peek2009-12-121-1/+2
|
* Ruby 1.9.2: StringIO no longer has #pathJeremy Kemper2009-11-131-1/+1
|
* Object#tap is not needed for Ruby >= 1.8.7Xavier Noria2009-11-091-1/+0
|
* Unknown :format param should result in empty request.formatsJeremy Kemper2009-11-081-1/+1
|
* Break up inflector to reduce the dependency burden on dependency-les methods ↵Yehuda Katz2009-11-071-0/+1
| | | | like constantize.
* Caching refactoringYehuda Katz2009-10-291-5/+1
|
* Reorganize CSRF a bitYehuda Katz2009-10-281-0/+4
|
* Fixes expires_now and cleans things up a bitYehuda Katz2009-10-261-12/+9
|