path: root/actionpack/lib/action_dispatch/http/request.rb
Commit message  [Author, Age, Files, Lines]

* adding missing requires  [Aaron Patterson, 2013-01-09, 1 file, -0/+8]

* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes.  [Aaron Patterson, 2013-01-08, 1 file, -3/+4]
  Thanks Damien Mathieu
  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_dispatch/http/request.rb
    actionpack/lib/action_dispatch/middleware/params_parser.rb
    activerecord/CHANGELOG.md
    activerecord/lib/active_record/relation/predicate_builder.rb
    activerecord/test/cases/relation/where_test.rb

* Revert "Merge branch 'master-sec'"  [Jeremy Kemper, 2013-01-08, 1 file, -4/+3]
  This reverts commit 88cc1688d0cb828c17706b41a8bd27870f2a2beb, reversing changes made to f049016cd348627bf8db0d72382d7580bf802a79.

* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes.  [Aaron Patterson, 2013-01-07, 1 file, -3/+4]
  Thanks Damien Mathieu
  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_dispatch/http/request.rb
    actionpack/lib/action_dispatch/middleware/params_parser.rb
    activerecord/CHANGELOG.md
    activerecord/lib/active_record/relation/predicate_builder.rb
    activerecord/test/cases/relation/where_test.rb

* Needless requires  [Akira Matsuda, 2013-01-06, 1 file, -4/+0]

* Fix rewinding in ActionDispatch::Request#raw_post  [Matt Venables, 2012-12-11, 1 file, -2/+3]
  If env['RAW_POST_DATA'] is nil, #raw_post will attempt to set it to the result of #body (which will return env['rack.input'] if env['RAW_POST_DATA'] is nil). #raw_post will then attempt to rewind the result of another call to #body. Since env['RAW_POST_DATA'] has already been set, the result of #body is not env['rack.input'] anymore. This causes env['rack.input'] to never be rewound.
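The failure mode described in the raw_post entry above, as an added example that is not Rails's own code: a stand-in request object (MiniRequest, build_env and exercise are names of this example) whose #body returns env['rack.input'] until RAW_POST_DATA is cached and a fresh StringIO over the cached string afterwards, exactly the contract the commit message states. The pre-fix and post-fix shapes of #raw_post sit side by side, and the check that matters is what a later consumer of env['rack.input'] (a params parser, a request-logging middleware) sees after each one.

```ruby
require 'stringio'

# Stand-in for the request object (a name of this example, not Rails code).
class MiniRequest
  def initialize(env)
    @env = env
  end

  # The contract the commit message describes: while RAW_POST_DATA is unset,
  # #body is env['rack.input']; once it is cached, #body is a fresh StringIO
  # over the cached string, so a second call no longer returns rack.input.
  def body
    if @env['RAW_POST_DATA'].nil?
      @env['rack.input']
    else
      StringIO.new(@env['RAW_POST_DATA'])
    end
  end

  def content_length
    Integer(@env['CONTENT_LENGTH'])
  end

  # Pre-fix shape: reads rack.input, then rewinds whatever the *second*
  # #body call returns, which is the new StringIO, not rack.input.
  def raw_post_before
    if @env['RAW_POST_DATA'].nil?
      @env['RAW_POST_DATA'] = body.read(content_length)
      body.rewind if body.respond_to?(:rewind)
    end
    @env['RAW_POST_DATA']
  end

  # Post-fix shape: hold on to the one IO that was read and rewind that.
  def raw_post_after
    if @env['RAW_POST_DATA'].nil?
      raw_post_body = body
      @env['RAW_POST_DATA'] = raw_post_body.read(content_length)
      raw_post_body.rewind if raw_post_body.respond_to?(:rewind)
    end
    @env['RAW_POST_DATA']
  end
end

# Constructed Rack env carrying a form body (sample input for this example).
def build_env(payload)
  { 'rack.input' => StringIO.new(payload), 'CONTENT_LENGTH' => payload.bytesize.to_s }
end

# Run one raw_post variant, then read rack.input the way a later consumer
# would. Returns [what raw_post returned, what the later consumer read].
def exercise(variant, payload = 'user=eve&token=abc')
  env = build_env(payload)
  req = MiniRequest.new(env)
  [req.public_send(variant), env['rack.input'].read]
end

if __FILE__ == $0
  p exercise(:raw_post_before)   # ["user=eve&token=abc", ""]   rack.input left at EOF
  p exercise(:raw_post_after)    # ["user=eve&token=abc", "user=eve&token=abc"]
end
```

With the pre-fix shape the body is cached correctly, so the bug is invisible to anything that only calls #raw_post; it surfaces as an empty body in whatever reads rack.input next.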
* give access to the original exception raised in case of a parse error  [Aaron Patterson, 2012-10-25, 1 file, -2/+2]

* do not lose backtrace information from the raised exception  [Aaron Patterson, 2012-10-25, 1 file, -10/+6]

* eagerly populate the http method lookup cache so we don't need locks  [Aaron Patterson, 2012-10-18, 1 file, -1/+7]

* Properly reset the session on reset_session  [Steve Klabnik, 2012-08-31, 1 file, -2/+5]
  Fixes #7478

* initialize instance variables  [Aaron Patterson, 2012-08-09, 1 file, -0/+11]

* Remove ActionDispatch::Head middleware in favor of Rack::Head  [Santiago Pastorino, 2012-07-23, 1 file, -2/+2]
  Closes #7110
  there's more work to do on rack-cache issue 69

* These lines don't help to mitigate CVE. They only turn [nil] into nil, w/o them [nil] turns into [] and that is quite innocent. Generated SQL: `IN (NULL)`. compact! did all the job.  [Egor Homakov, 2012-06-13, 1 file, -3/+0]

* Array parameters should not contain nil values.  [Aaron Patterson, 2012-06-12, 1 file, -2/+4]

* Strip [nil] from parameters hash.  [Aaron Patterson, 2012-05-30, 1 file, -0/+22]
  Thanks to Ben Murphy for reporting this!
  CVE-2012-2660
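An added example, not Rails's or ActiveRecord's own code, covering both the CVE-2012-2660 entries here (query-string parameters) and the CVE-2013-0155 entries near the top of the log (the same problem reached through JSON and XML bodies). deep_munge is this example's version of a parameter pass that strips nils out of every array in the parsed params tree; where_fragment is a deliberately simplified model of a predicate builder that turns an array containing nil into an IS NULL predicate, which is the behaviour the commit messages are guarding against. The names, the `token` column and the password-reset lookup are assumptions of the example; the inputs are constructed to match what a nested-query parser yields for `?token[]` and what JSON.parse yields for `{"token":[null]}`.

```ruby
require 'json'

# Strip nils out of every Array in a parsed params tree, in place, and
# return the tree. Both `?token[]` (nested-query parsing) and a JSON body of
# {"token":[null]} arrive as {"token"=>[nil]}; after this pass they are
# {"token"=>[]}.
def deep_munge(value)
  case value
  when Hash
    value.each { |k, v| value[k] = deep_munge(v) }
  when Array
    value.map! { |v| deep_munge(v) }
    value.compact!
  end
  value
end

def quote(v)
  "'#{v.to_s.gsub("'", "''")}'"
end

# Simplified model (this example's own, not ActiveRecord's code) of how a
# predicate builder turns `where(column => value)` into SQL: nil becomes
# IS NULL, an Array becomes IN (...), and an Array containing nil adds an
# OR ... IS NULL branch, collapsing to just IS NULL when nothing else is left.
def where_fragment(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    rest = value.compact
    if value.include?(nil)
      return "#{column} IS NULL" if rest.empty?
      "#{column} IN (#{rest.map { |v| quote(v) }.join(', ')}) OR #{column} IS NULL"
    else
      # an empty list renders as IN (NULL), which matches no row at all
      "#{column} IN (#{rest.empty? ? 'NULL' : rest.map { |v| quote(v) }.join(', ')})"
    end
  else
    "#{column} = #{quote(value)}"
  end
end

# Constructed inputs. The first is what a nested-query parser yields for the
# query string `?token[]`; the second is a crafted JSON body.
def params_from_query_string
  { 'token' => [nil] }
end

def params_from_json_body
  JSON.parse('{"user":{"token":[null],"name":"eve"}}')
end

# A password-reset lookup written as `User.where(:token => params[:token])`
# (hypothetical application code).
def reset_lookup_sql(params)
  where_fragment('token', params['token'])
end

if __FILE__ == $0
  puts reset_lookup_sql(params_from_query_string)              # token IS NULL   (every user with no token set)
  puts reset_lookup_sql(deep_munge(params_from_query_string))  # token IN (NULL) (no rows, the harmless case)

  body = deep_munge(params_from_json_body)
  puts where_fragment('token', body['user']['token'])          # token IN (NULL)
end
```

The munging pass has to run on every parser that feeds params, which is why the fix first landed for query strings and then had to be repeated for the JSON and XML parsers; a lookup keyed on a nullable column is the thing to grep for when auditing an application on an unpatched version.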
* Raise ActionController::BadRequest for malformed parameter hashes.  [Andrew White, 2012-05-20, 1 file, -3/+10]
  Currently Rack raises a TypeError when it encounters a malformed or ambiguous hash like `foo[]=bar&foo[4]=bar`. Rather than pass this through to the application this commit captures the exception and re-raises it using a new ActionController::BadRequest exception.
  The new ActionController::BadRequest exception returns a 400 error instead of the 500 error that would've been returned by the original TypeError. This allows exception notification libraries to ignore these errors if so desired.
  Closes #3051

* Autoload ActionDispatch::Request::Session to avoid circular require.  [Andrew White, 2012-05-13, 1 file, -1/+2]

* break AD::Request::Session to its own file, consolidate HASH OF DOOM lookups  [Aaron Patterson, 2012-05-03, 1 file, -2/+3]

* Revert "Return an actual boolean from xml_http_request?"  [Xavier Noria, 2012-03-25, 1 file, -1/+1]
  Reason: This commit changes code that was committed some year and a half ago. The original code is an ordinary predicate that delegates straight to a boolean operator with no further unnecessary adornments, as clearly explained in #5329.
  This change also may confuse users who may now believe they can rely now on singletons, while predicates in Rails rely on standard Ruby semantics for boolean values and guarantee no singletons whatsoever.
  This reverts commit 6349791d5aaf652631b29f1371701fc2985fda83.

* Return an actual boolean from xml_http_request?  [Tim Pope, 2012-03-23, 1 file, -1/+1]

* reduced localhost check to two method calls  [Aaron Patterson, 2012-02-28, 1 file, -2/+3]

* Add config.default_method_for_update to support PATCH  [David Lee, 2012-02-22, 1 file, -0/+6]
  PATCH is the correct HTML verb to map to the #update action. The semantics for PATCH allows for partial updates, whereas PUT requires a complete replacement.
  Changes:
  * adds config.default_method_for_update you can set to :patch
  * optionally use PATCH instead of PUT in resource routes and forms
  * adds the #patch verb to routes to detect PATCH requests
  * adds #patch? to Request
  * changes documentation and comments to indicate support for PATCH
  This change maintains complete backwards compatibility by keeping :put as the default for config.default_method_for_update.

* remove checks for encodings availability  [Sergey Nartimov, 2011-12-25, 1 file, -1/+1]

* Add original_fullpath and original_url methods to Request  [Piotr Sarnacki, 2011-12-21, 1 file, -0/+8]

* Remove dead broken code from AD::Request  [José Valim, 2011-12-08, 1 file, -8/+0]

* Fix ActionDispatch::Request method explanations  [Travis Pew, 2011-11-28, 1 file, -5/+5]
  The methods, "post?", "put?", "head?", etc. contain an incorrect explanation. They state that they are equivalent to request_method == :type, but this is not accurate because the methods convert the string to a symbol. They are actually equivalent to: request_method_symbol == :type

* refactor RemoteIp middleware  [Andre Arko, 2011-11-11, 1 file, -18/+1]
  - return the last forwarded IP before REMOTE_ADDR to handle proxies
  - remove completely superfluous RemoteIpGetter class
  - remove duplication of trusted proxies regexp
  - remove unused constant from Request
  - move comments from Request to where they are actually relevant
  - edit comments for clarity of purpose
  The original code (confusingly) tried to return REMOTE_ADDR both at the beginning and the end of the chain of options. Since REMOTE_ADDR is _always_ set, this is kind of silly. This change leaves REMOTE_ADDR as the last option, so that proxied requests will be assigned the correct remote IP address.

* Added X-Request-Id tracking and TaggedLogging to easily log that and other production concerns  [David Heinemeier Hansson, 2011-10-19, 1 file, -0/+10]

* document meta method  [Vijay Dev, 2011-08-04, 1 file, -3/+3]

* TODO fix explicitly loading exceptions, autoload removed  [Vishnu Atrai, 2011-07-11, 1 file, -0/+1]

* Merge branch 'master' of git://github.com/lifo/docrails  [Xavier Noria, 2011-05-25, 1 file, -3/+3]
  Conflicts:
    actionmailer/lib/action_mailer/base.rb
    activesupport/lib/active_support/core_ext/kernel/requires.rb
  * Remove extra white spaces on ActionPack docs.  [Sebastian Martinez, 2011-05-23, 1 file, -3/+3]

* removed deprecated methods, and related tests, from ActionPack  [Josh Kalderimis, 2011-05-24, 1 file, -7/+1]

* Only show dump of regular env methods on exception screen (not all the rack crap) [DHH]  [David Heinemeier Hansson, 2011-05-04, 1 file, -4/+5]

* Add missing deprecation require  [Carlos Antonio da Silva, 2011-02-11, 1 file, -0/+1]
  Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>

* Change the CSRF whitelisting to only apply to get requests  [Michael Koziarski, 2011-02-08, 1 file, -1/+2]
  Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
    X-CSRF-Token: ...
  This fixes CVE-2011-0447

* Add additional HTTP request methods from the following RFCs:  [Andrew White, 2010-11-02, 1 file, -2/+19]
  * Hypertext Transfer Protocol -- HTTP/1.1
    http://www.ietf.org/rfc/rfc2616.txt
  * HTTP Extensions for Distributed Authoring -- WEBDAV
    http://www.ietf.org/rfc/rfc2518.txt
  * Versioning Extensions to WebDAV
    http://www.ietf.org/rfc/rfc3253.txt
  * Ordered Collections Protocol (WebDAV)
    http://www.ietf.org/rfc/rfc3648.txt
  * Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
    http://www.ietf.org/rfc/rfc3744.txt
  * Web Distributed Authoring and Versioning (WebDAV) SEARCH
    http://www.ietf.org/rfc/rfc5323.txt
  * PATCH Method for HTTP
    http://www.ietf.org/rfc/rfc5789.txt
  [#2809 state:resolved] [#5895 state:resolved]

* make sure request parameters are accessible after rack throws an exception parsing the query string [#3030 state:resolved]  [Miles Egan, 2010-10-12, 1 file, -2/+2]
  Signed-off-by: José Valim <jose.valim@gmail.com>

* Solve some warnings and a failing test.  [José Valim, 2010-10-03, 1 file, -1/+1]

* dry up method checking in the request object  [Aaron Patterson, 2010-09-29, 1 file, -10/+9]

* removes /i from the TRUSTED_PROXIES regexp, adds /x and comments for readability, adds a pointer to a Wikipedia section that documents the matched IPs  [Xavier Noria, 2010-09-12, 1 file, -2/+10]
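An added example, not the RemoteIp middleware itself (which is not on this page), of the ordering rule the RemoteIp refactor entry above describes together with the trusted-proxy idea of this TRUSTED_PROXIES entry: the candidate chain is X-Forwarded-For followed by REMOTE_ADDR, and the client is the first address from the right that is not a trusted proxy, with REMOTE_ADDR as the last option when every hop is trusted. The ranges listed in TRUSTED_PROXIES here (loopback, the RFC 1918 private blocks, IPv6 loopback and unique-local) are this example's assumption standing in for whatever the regexp matches; remote_ip, trusted_proxy? and ips_from are names of this example and the envs are constructed.

```ruby
require 'ipaddr'

# Assumed trusted ranges (this example's choice): loopback, the RFC 1918
# private blocks, IPv6 loopback and unique-local addresses. Anything here is
# treated as "one of our proxies", never as the client.
TRUSTED_PROXIES = %w[
  127.0.0.0/8 ::1/128
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  fc00::/7
].map { |cidr| IPAddr.new(cidr) }.freeze

def trusted_proxy?(ip, trusted = TRUSTED_PROXIES)
  addr = IPAddr.new(ip)
  trusted.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false   # unparsable text is not one of our proxies
end

# Split a comma-separated header value into its entries, dropping blanks.
def ips_from(header_value)
  return [] if header_value.nil?
  header_value.split(',').map(&:strip).reject(&:empty?)
end

# The client address is the right-most entry of X-Forwarded-For + REMOTE_ADDR
# that is not a trusted proxy. Walking from the right matters: the left-most
# entries were written by whoever sent the request and can say anything; only
# the hops appended by trusted proxies, and REMOTE_ADDR itself (set from the
# socket, not from a header), can be relied on.
def remote_ip(env, trusted = TRUSTED_PROXIES)
  chain = ips_from(env['HTTP_X_FORWARDED_FOR']) + [env['REMOTE_ADDR']].compact
  chain.reverse_each do |ip|
    return ip unless trusted_proxy?(ip, trusted)
  end
  # Every hop was a trusted proxy (e.g. an internal health check):
  # REMOTE_ADDR stays the last option.
  env['REMOTE_ADDR']
end

if __FILE__ == $0
  # Constructed envs: a request through two internal proxies, a request that
  # tries to spoof the left-most entry, and a request that hit the app directly.
  puts remote_ip({ 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.2', 'REMOTE_ADDR' => '10.0.0.5' })  # 203.0.113.9
  puts remote_ip({ 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9', 'REMOTE_ADDR' => '10.0.0.5' })  # 203.0.113.9
  puts remote_ip({ 'HTTP_X_FORWARDED_FOR' => '1.2.3.4', 'REMOTE_ADDR' => '198.51.100.7' })          # 198.51.100.7
end
```

The trusted list is the security boundary: a range left in it that an attacker can originate traffic from (a shared VPC, a misconfigured edge) lets that attacker choose the reported client address by writing the header, so it should be narrowed to the real proxy addresses in deployment rather than left at the private blocks.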
* gets rid of a double negation, no need to force exactly true/false in a predicate  [Xavier Noria, 2010-09-12, 1 file, -4/+4]

* Revert "Setup explicit requires for files with exceptions. Removed them from autoloading."  [José Valim, 2010-09-02, 1 file, -1/+0]
  Booting a new Rails application does not work after this commit [#5359 state:open]
  This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.

* Setup explicit requires for files with exceptions. Removed them from autoloading.  [Łukasz Strzałkowski, 2010-09-02, 1 file, -0/+1]
  Signed-off-by: José Valim <jose.valim@gmail.com>

* Moves local_request? to request.local?  [Santiago Pastorino, 2010-08-13, 1 file, -0/+7]
  [#5361 state:committed]

* Just reading flash messages should not create a session if one does not exist yet.  [José Valim, 2010-06-25, 1 file, -0/+3]

* Sessions should not be created until written to and session data should be destroyed on reset. [#4938]  [Michael Lovitt, 2010-06-23, 1 file, -1/+1]
  Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>

* remove executable permission from files that don't need it. [#4802 state:resolved]  [rohit, 2010-06-20, 1 file, -0/+0]
  Signed-off-by: José Valim <jose.valim@gmail.com>

* Improve performance of commonly used request methods  [wycats, 2010-06-04, 1 file, -7/+19]

* Change the object used in routing constraints to be an instance of ActionDispatch::Request rather than Rack::Request.  [wycats, 2010-04-03, 1 file, -21/+39]
  * Changed ActionDispatch::Request#method to return a String, to be compatible with the Rack::Request superclass.
  * Changed ActionDispatch::Request#method to return the original method in the case of methodoverride and #request_method not to, to be compatible with Rack::Request