| Commit message | Author | Age | Files | Lines |
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
dealing with empty hashes. Thanks Damien Mathieu
Fix rewinding in ActionDispatch::Request#raw_post
Conflicts:
actionpack/CHANGELOG.md
Thanks to Ben Murphy for reporting this!
CVE-2012-2660
The methods, "post?", "put?", "head?", etc. contain an incorrect
explanation. They state that they are equivalent to request_method ==
:type, but this is not accurate because the methods convert the string
to a symbol. They are actually equivalent to:
request_method_symbol == :type
- return the last forwarded IP before REMOTE_ADDR to handle proxies
- remove completely superfluous RemoteIpGetter class
- remove duplication of trusted proxies regexp
- remove unused constant from Request
- move comments from Request to where they are actually relevant
- edit comments for clarity of purpose
The original code (confusingly) tried to return REMOTE_ADDR both at the beginning and the end of the chain of options. Since REMOTE_ADDR is _always_ set, this is kind of silly. This change leaves REMOTE_ADDR as the last option, so that proxied requests will be assigned the correct remote IP address.
production concerns
Conflicts:
actionmailer/lib/action_mailer/base.rb
activesupport/lib/active_support/core_ext/kernel/requires.rb
crap) [DHH]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
X-CSRF-Token: ...
This fixes CVE-2011-0447
* Hypertext Transfer Protocol -- HTTP/1.1
http://www.ietf.org/rfc/rfc2616.txt
* HTTP Extensions for Distributed Authoring -- WEBDAV
http://www.ietf.org/rfc/rfc2518.txt
* Versioning Extensions to WebDAV
http://www.ietf.org/rfc/rfc3253.txt
* Ordered Collections Protocol (WebDAV)
http://www.ietf.org/rfc/rfc3648.txt
* Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
http://www.ietf.org/rfc/rfc3744.txt
* Web Distributed Authoring and Versioning (WebDAV) SEARCH
http://www.ietf.org/rfc/rfc5323.txt
* PATCH Method for HTTP
http://www.ietf.org/rfc/rfc5789.txt
[#2809 state:resolved] [#5895 state:resolved]
parsing the query string [#3030 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
readability, adds a pointer to a Wikipedia section that documents the matched IPs
predicate
autoloading."
Booting a new Rails application does not work after this commit [#5359 state:open]
This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
autoloading.
Signed-off-by: José Valim <jose.valim@gmail.com>
[#5361 state:committed]
exist yet.
destroyed on reset.
[#4938]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
ActionDispatch::Request rather than Rack::Request.
* Changed ActionDispatch::Request#method to return a String, to be
compatible with the Rack::Request superclass.
* Changed ActionDispatch::Request#method to return the original
method in the case of methodoverride and #request_method not to,
to be compatible with Rack::Request
Rack::Request expect
it to return a String. Split the Rails API so that Request#content_type returns
a String, and Request#content_mime_type returns a Mime::Type object.
* ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check
* ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies
ActionDispatch::ParametersFilter to handle parameter filtration instead. This makes filtration no longer depend on the controller.
Signed-off-by: José Valim <jose.valim@gmail.com>
authentication header regardless of its proxy hiding [DHH]
like constantize.