| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
If env['RAW_POST_DATA'] is nil, #raw_post will attempt to set it to
the result of #body (which will return env['rack.input'] if
env['RAW_POST_DATA'] is nil). #raw_post will then attempt to rewind
the result of another call to #body. Since env['RAW_POST_DATA'] has
already been set, the result of #body is not env['rack.input'] anymore.
This causes env['rack.input'] to never be rewound.
|
| |
|
| |
|
| |
|
|
|
|
| |
Fixes #7478
|
| |
|
|
|
|
| |
Closes #7110 there's more work to do on rack-cache issue 69
|
|
|
|
|
|
| |
them [nil] turns into [] and that is quite innocent.
generated SQL - `IN (NULL)`
compact! did all the job.
|
| |
|
|
|
|
|
|
| |
Thanks to Ben Murphy for reporting this!
CVE-2012-2660
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently Rack raises a TypeError when it encounters a malformed or
ambiguous hash like `foo[]=bar&foo[4]=bar`. Rather than pass this
through to the application this commit captures the exception and
re-raises it using a new ActionController::BadRequest exception.
The new ActionController::BadRequest exception returns a 400 error
instead of the 500 error that would've been returned by the original
TypeError. This allows exception notification libraries to ignore
these errors if so desired.
Closes #3051
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reason: This commit changes code that was committed some year
and a half ago. The original code is an ordinary predicate
that delegates straight to a boolean operator with no further
unnecessaru adorments, as clearly explained in #5329.
This change also may confuse users who may now believe they can
rely now on singletons, while predicates in Rails rely on
standard Ruby semantics for boolean values and guarantee no
singletons whatsover.
This reverts commit 6349791d5aaf652631b29f1371701fc2985fda83.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PATCH is the correct HTML verb to map to the #update action. The
semantics for PATCH allows for partial updates, whereas PUT requires a
complete replacement.
Changes:
* adds config.default_method_for_update you can set to :patch
* optionally use PATCH instead of PUT in resource routes and forms
* adds the #patch verb to routes to detect PATCH requests
* adds #patch? to Request
* changes documentation and comments to indicate support for PATCH
This change maintains complete backwards compatibility by keeping :put
as the default for config.default_method_for_update.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
The methods, "post?", "put?", "head?", etc. contain an incorrect
explanation. They state that they are equivalent to request_method ==
:type, but this is not accurate because the methods convert the string
to a symbol. They are actually equivalent to:
request_method_symbol == :type
|
|
|
|
|
|
|
|
|
|
|
| |
- return the last forwarded IP before REMOTE_ADDR to handle proxies
- remove completely superfluous RemoteIpGetter class
- remove duplication of trusted proxies regexp
- remove unused constant from Request
- move comments from Request to where they are actually relevant
- edit comments for clarity of purpose
The original code (confusingly) tried to return REMOTE_ADDR both at the beginning and the end of the chain of options. Since REMOTE_ADDR is _always_ set, this is kind of silly. This change leaves REMOTE_ADDR as the last option, so that proxied requests will be assigned the correct remote IP address.
|
|
|
|
| |
production concerns
|
| |
|
| |
|
|\
| |
| |
| |
| |
| | |
Conflicts:
actionmailer/lib/action_mailer/base.rb
activesupport/lib/active_support/core_ext/kernel/requires.rb
|
| | |
|
|/ |
|
|
|
|
| |
crap) [DHH]
|
|
|
|
| |
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
|
|
|
|
|
|
|
|
| |
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
X-CSRF-Token: ...
This fixes CVE-2011-0447
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Hypertext Transfer Protocol -- HTTP/1.1
http://www.ietf.org/rfc/rfc2616.txt)
* HTTP Extensions for Distributed Authoring -- WEBDAV
http://www.ietf.org/rfc/rfc2518.txt
* Versioning Extensions to WebDAV
http://www.ietf.org/rfc/rfc3253.txt
* Ordered Collections Protocol (WebDAV)
http://www.ietf.org/rfc/rfc3648.txt
* Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
http://www.ietf.org/rfc/rfc3744.txt
* Web Distributed Authoring and Versioning (WebDAV) SEARCH
http://www.ietf.org/rfc/rfc5323.txt
* PATCH Method for HTTP
http://www.ietf.org/rfc/rfc5789.txt
[#2809 state:resolved] [#5895 state:resolved]
|
|
|
|
|
|
| |
parsing the query string [#3030 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
| |
|
|
|
|
| |
readability, adds a pointer to a Wikipedia section that documents the matched IPs
|
|
|
|
| |
predicate
|
|
|
|
|
|
|
|
| |
autoloading."
Booting a new Rails application does not work after this commit [#5359 state:open]
This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
|
|
|
|
|
|
| |
autoloading.
Signed-off-by: José Valim <jose.valim@gmail.com>
|
|
|
|
| |
[#5361 state:committed]
|
|
|
|
| |
exist yet.
|
|
|
|
|
|
|
|
| |
destroyed on reset.
[#4938]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
|
|
|
|
|
| |
state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
ActionDispatch::Request rather than Rack::Request.
* Changed ActionDispatch::Request#method to return a String, to be
compatible with the Rack::Request superclass.
* Changed ActionDispatch::Request#method to return the original
method in the case of methodoverride and #request_method not to,
to be compatible with Rack::Request
|
|
|
|
|
|
| |
Rack::Request expect
it to return a String. Split the Rails API so that Request#content_type returns
a String, and Request#content_mime_type returns a Mime::Type object.
|
| |
|
|
|
|
|
| |
* ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check
* ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies
|
| |
|
|
|
|
|
|
| |
ActionDispatch::ParametersFilter to handle parameter filteration instead. This will make filteration not depending on controller anymore.
Signed-off-by: José Valim <jose.valim@gmail.com>
|