| Commit message | Author | Age | Files | Lines |
crap) [DHH]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
Unfortunately, the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in Ajax requests, Rails now supports providing the token in a custom HTTP header:
X-CSRF-Token: ...
This fixes CVE-2011-0447.
* Hypertext Transfer Protocol -- HTTP/1.1
http://www.ietf.org/rfc/rfc2616.txt
* HTTP Extensions for Distributed Authoring -- WEBDAV
http://www.ietf.org/rfc/rfc2518.txt
* Versioning Extensions to WebDAV
http://www.ietf.org/rfc/rfc3253.txt
* Ordered Collections Protocol (WebDAV)
http://www.ietf.org/rfc/rfc3648.txt
* Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
http://www.ietf.org/rfc/rfc3744.txt
* Web Distributed Authoring and Versioning (WebDAV) SEARCH
http://www.ietf.org/rfc/rfc5323.txt
* PATCH Method for HTTP
http://www.ietf.org/rfc/rfc5789.txt
[#2809 state:resolved] [#5895 state:resolved]
parsing the query string [#3030 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
readability, adds a pointer to a Wikipedia section that documents the matched IPs
predicate
autoloading."
Booting a new Rails application does not work after this commit [#5359 state:open]
This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
autoloading.
Signed-off-by: José Valim <jose.valim@gmail.com>
[#5361 state:committed]
exist yet.
destroyed on reset.
[#4938]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
ActionDispatch::Request rather than Rack::Request.
* Changed ActionDispatch::Request#method to return a String, to be
compatible with the Rack::Request superclass.
* Changed ActionDispatch::Request#method to return the original
method in the case of methodoverride and #request_method not to,
to be compatible with Rack::Request
Rack::Request expect
it to return a String. Split the Rails API so that Request#content_type returns
a String, and Request#content_mime_type returns a Mime::Type object.
* ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check
* ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies
ActionDispatch::ParametersFilter to handle parameter filtering instead. This will make filtering not depend on the controller anymore.
Signed-off-by: José Valim <jose.valim@gmail.com>
authentication header regardless of its proxy hiding [DHH]
like constantize.
* request.formats is much simpler now
* For XHRs or Accept headers with a single item, we use the Accept header
* For other requests, we use params[:format] or fallback to HTML
* This is primarily to work around the fact that browsers provide completely
broken Accept headers, so we have to whitelist the few cases we can
specifically isolate and treat other requests as coming from the browser
* For APIs, we can support single-item Accept headers, which disambiguates
from the browsers
* Requests to an action that only has an XML template from the browser will
no longer find the template. This worked previously because most browsers
provide a catch-all */*, but this was mostly accidental behavior. If you
want to serve XML, either use the :xml format in links, or explicitly
specify the XML template: render "template.xml".
* Move #set_cookie and #delete_cookie inline to optimize. These optimizations should
almost certainly be sent back upstream to Rack. The optimization involves using
an ivar for cookies instead of indexing into the headers each time.
* Was able to use a bare Hash for headers now that cookies have their own joining
semantics (some code assumed that the raw cookies were an Array).
* Cache blankness of body on body=
* Improve expand_cache_key for Arrays of a single element (common in our case)
* Use a simple layout condition check unless conditions are used
* Cache visible actions
* Lazily load the UrlRewriter
* Make etag an ivar that is set on prepare!
them pass with minimal performance impact.
ActionController::Base.trusted_proxies [#2126 state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
respond_to class method.
Signed-off-by: Yehuda Katz <wycats@gmail.com>
other code