path: root/actionpack/lib/action_dispatch/http/request.rb
Commit message (Author, Age, Files, Lines)
* Allow rescue from parameter parse errors (Gannon McGibbon, 2018-11-13, 1 file, -3/+0)
|   [Gannon McGibbon + Josh Cheek]
* Add `Style/RedundantFreeze` to remove redundant `.freeze` (Yasuo Honda, 2018-09-29, 1 file, -10/+10)
|   Since Rails 6.0 will support Ruby 2.4.1 or higher
|   `# frozen_string_literal: true` magic comment is enough to make string object frozen.
|   This magic comment is enabled by `Style/FrozenStringLiteralComment` cop.
|
|   * Exclude these files not to auto correct false positive `Regexp#freeze`
|     - 'actionpack/lib/action_dispatch/journey/router/utils.rb'
|     - 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb'
|
|   It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333
|   Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed.
|
|   * Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required
|     - 'actionpack/test/controller/test_case_test.rb'
|     - 'activemodel/test/cases/type/string_test.rb'
|     - 'activesupport/lib/active_support/core_ext/string/strip.rb'
|     - 'activesupport/test/core_ext/string_ext_test.rb'
|     - 'railties/test/generators/actions_test.rb'
* Add DSL for configuring Content-Security-Policy header (Andrew White, 2017-11-27, 1 file, -0/+1)
|   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
* Edited comment from request.rb (haneru, 2017-11-03, 1 file, -1/+1)
|
* [Action Pack] require => require_relative (Akira Matsuda, 2017-10-21, 1 file, -7/+7)
|   This basically reverts e9fca7668b9eba82bcc832cb0061459703368397, d08da958b9ae17d4bbe4c9d7db497ece2450db5f, d1fe1dcf8ab1c0210a37c2a78c1ee52cf199a66d, and 68eaf7b4d5f2bb56d939f71c5ece2d61cf6680a3
* Implement H2 Early Hints for Rails (eileencodes, 2017-10-04, 1 file, -0/+17)
|   When puma/puma#1403 is merged Puma will support the Early Hints status code for sending assets before a request has finished. While the Early Hints spec is still in draft, this PR prepares Rails to allow this status code.
|
|   If the proxy server supports Early Hints, it will send H2 pushes to the client.
|
|   This PR adds a method for setting Early Hints Link headers via Rails, and also automatically sends Early Hints if supported from the `stylesheet_link_tag` and the `javascript_include_tag`.
|
|   Once puma supports Early Hints the `--early-hints` argument can be passed to the server to enable this or set in the puma config with `early_hints(true)`. Note that for Early Hints to work in the browser the requirements are 1) a proxy that can handle H2, and 2) HTTPS.
|
|   To start the server with Early Hints enabled pass `--early-hints` to `rails s`.
|
|   This has been verified to work with h2o, Puma, and Rails with Chrome.
|
|   The commit adds a new option to the rails server to enable early hints for Puma.
|
|   Early Hints spec: https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04
|
|   [Eileen M. Uchitelle, Aaron Patterson]
* Update links to use https link instead of http [ci skip] (Yoshiyuki Hirano, 2017-08-22, 1 file, -8/+8)
|
* Path parameters should default to UTF8 (eileencodes, 2017-08-01, 1 file, -3/+6)
|   This commit changes the behavior such that the path_params now default to UTF8 just like regular parameters. This also changes the behavior such that if a path parameter contains invalid UTF8 it returns a 400 bad request. Previously the behavior was to encode the path params as binary but that's not the same as query params.
|
|   So this commit makes path params behave the same as query params.
|
|   It's important to test with a path that's encoded as binary because that's how paths are encoded from the socket. The test that was altered was changed to make the behavior for bad encoding the same as query params. We want to treat path params the same as query params. The params in the test are invalid UTF8 so they should return a bad request.
|
|   Fixes #29669
|
|   *Eileen M. Uchitelle, Aaron Patterson, & Tsukuru Tanimichi*
* Make actionpack frozen string friendly (Kir Shatrov, 2017-07-24, 1 file, -1/+1)
|
* [Action Pack] `rubocop -a --only Layout/EmptyLineAfterMagicComment` (Koichi ITO, 2017-07-11, 1 file, -0/+1)
|
* Prepare AP and AR to be frozen string friendly (Kir Shatrov, 2017-07-06, 1 file, -0/+1)
|
* [Action Dispatch] require => require_relative (Akira Matsuda, 2017-07-01, 1 file, -7/+7)
|
* [docs] fix ActionDispatch documentation (Hrvoje Šimić, 2017-03-13, 1 file, -7/+7)
|
* Use proper output format [ci skip] (#27498) (प्रथमेश Sonpatki, 2016-12-29, 1 file, -1/+1)
|
* Update request.rb --ci skip (Shardul Parab, 2016-12-29, 1 file, -0/+3)
|   Documentation for ActionDispatch::Request#key? [ci skip]
|
|   Update request.rb --ci skip
|
|   Documentation for ActionDispatch::Request#key? [ci skip]
|   Also made change after the review by @rafaelfranca.
|
|   Update request.rb --ci skip
|
|   Documentation for ActionDispatch::Request#key? [ci skip]
|   Also made change after the review by @rafaelfranca.
|
|   Update request.rb --ci skip
* Document and update API for `skip_parameter_encoding` (Aaron Patterson, 2016-12-21, 1 file, -1/+1)
|   This commit changes `parameter_encoding` to `skip_parameter_encoding`. `skip_parameter_encoding` will set encoding on all parameters to ASCII-8BIT for a given action on a particular controller. This allows the controller to handle data when the encoding of that data is unknown, for example file systems or truly binary parameters.
* Deprecated ActionDispatch::ParamsParser::ParamsParser (Rafael Mendonça França, 2016-10-10, 1 file, -1/+1)
|   ActionDispatch::ParamsParser class was removed in favor of ActionDispatch::Http::Parameters so it is better to move the error constant to the new class.
* Add three new rubocop rules (Rafael Mendonça França, 2016-08-16, 1 file, -1/+1)
|   Style/SpaceBeforeBlockBraces
|   Style/SpaceInsideBlockBraces
|   Style/SpaceInsideHashLiteralBraces
|
|   Fix all violations in the repository.
* Allow specifying encoding of parameters by action (Kerri Miller, 2016-08-09, 1 file, -0/+1)
|   At GitHub we need to handle parameter encodings that are not UTF-8. This patch allows us to specify encodings per parameter per action.
* applies new string literal convention in actionpack/lib (Xavier Noria, 2016-08-06, 1 file, -33/+33)
|   The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Check `request.path_parameters` encoding at the point they're set (Grey Baker, 2016-07-14, 1 file, -12/+0)
|   Check for any non-UTF8 characters in path parameters at the point they're set in `env`. Previously they were checked for when used to get a controller class, but this meant routes that went directly to a Rack app, or skipped controller instantiation for some other reason, had to defend against non-UTF8 characters themselves.
* Fix request.reset_session for API controllers (Jon Moss, 2016-03-19, 1 file, -1/+0)
|   Due to that `ActionDispatch::Flash` (the flash API's middleware) is not included for API controllers, the `request.reset_session` method, which relies on there being a `flash=` method which is in fact defined by the middleware, was previously breaking. Similarly to how add46482a540b33184f3011c5c307f4b8e90c9cc created a method to be overridden by the flash middleware in order to ensure non-breakage, this is how flashes are now reset.
|
|   Fixes #24222
* Fix `request.ssl?` bug with Action Cable (Jon Moss, 2016-02-23, 1 file, -0/+4)
|   This bug affects `wss://` requests when running Action Cable in-app.
|
|   Fixes #23620.
* Space Oddity (Akira Matsuda, 2016-01-14, 1 file, -1/+1)
|   Converting nbsp(\u{00A0}) to the normal ASCII space(\u{0020}) [ci skip]
* Stop violating law of demeter in response cookie_jar (eileencodes, 2015-12-06, 1 file, -0/+3)
|   This adds a new method to request and response so we don't need to violate the law of demeter.
|
|   We are changing `Request` and `Response` so that they always have a `cookie_jar`
|
|   This is a continuation on work to combine integration and controller test code bases in Rails.
* Push `before_sending` to super class (eileencodes, 2015-12-06, 1 file, -0/+4)
|   We want to get rid of the `Live::Response` so we are consolidating methods from `Live::Response` and `Response` by merging them together.
|
|   This adds an `#empty` method to the request so we don't need to hard-code the empty array each time we call an empty `ActionDispatch::Request`.
|
|   The work here is a continuation on combining controller and integration test code bases into one.
* Merge pull request #22263 from mastahyeti/csrf-origin-check (Rafael França, 2015-11-26, 1 file, -2/+2)
|\
| |   Add option to verify Origin header in CSRF checks
| |
| |   [Jeremy Daer + Rafael Mendonça França]
| * Add option to verify Origin header in CSRF checks (Ben Toews, 2015-11-25, 1 file, -2/+2)
| |
* | Merge pull request #17928 from sergey-alekseev/remove-unused-form-data-method (Sean Griffin, 2015-11-23, 1 file, -3/+9)
|\ \
| |/
|/|
| * write a test for `#form_data?` (Sergey Alekseev, 2015-03-31, 1 file, -1/+9)
| |   The initial attempt was to remove the method at all in https://github.com/sergey-alekseev/rails/commit/4926aa68c98673e7be88a2d2b57d72dc490bc71c.
| |   The method overrides Rack's `#form_data?` https://github.com/rack/rack/blob/6f8808d4201e68e4bd780441b3b7bb3ee6d1f43e/lib/rack/request.rb#L172-L184.
| |   Which may have some incorrect implementation actually. `type.nil?` isn't possible I suppose. I'll check.
* | Deprecate exception#original_exception in favor of exception#cause (Yuki Nishijima, 2015-11-03, 1 file, -2/+2)
| |
* | Catch invalid UTF-8 querystring values and respond with BadRequest (Grey Baker, 2015-10-23, 1 file, -1/+4)
| |
* | Show helpful messages on invalid param. encodings (Agis Anastasopoulos, 2015-10-19, 1 file, -3/+3)
| |   Prior to this change, given a route:
| |
| |       # config/routes.rb
| |       get ':a' => "foo#bar"
| |
| |   If one pointed to http://example.com/%BE (param `a` has invalid encoding), a `BadRequest` would be raised with the following non-informative message:
| |
| |       ActionController::BadRequest
| |
| |   From now on the message displayed is:
| |
| |       Invalid parameter encoding: hi => "\xBE"
| |
| |   Fixes #21923.
* | pull the flash methods in to their own module (Aaron Patterson, 2015-09-25, 1 file, -0/+3)
| |   We only want to activate flash when the user has enabled it. Api servers don't use flash, so add an empty implementation to the base Request object.
* | commit the flash after the controller finishes being serviced (Aaron Patterson, 2015-09-25, 1 file, -15/+0)
| |   Committing the flash needs to happen in order for the session to be written correctly, so let's guarantee that it actually does happen.
* | move flash committing to the request object. (Aaron Patterson, 2015-09-25, 1 file, -0/+15)
| |   I'm doing this so that we can commit the flash to the session object Out of Band of the flash middleware
* | remove the request parameter from `parse_formatted_parameters` (Aaron Patterson, 2015-09-18, 1 file, -1/+1)
| |   This is an instance method on the request object now so we don't need it anymore
* | push the parameter parsers on to the class (Aaron Patterson, 2015-09-18, 1 file, -25/+0)
| |   The middleware stack is a singleton in the application (one instance is shared for the entire application) which means that there was only one opportunity to set the parameter parsers. Since there is only one set of parameter parsers in an app, let's just configure them on the request class (since that is where they are used).
* | only wrap the strategy with exception handling (Aaron Patterson, 2015-09-18, 1 file, -9/+10)
| |   we need to be more specific about exception handling when dealing with the parse strategies. The calls to `return yield` can also raise an exception, but we don't want to handle that in *this* code.
* | pull `normalize_encode_params` up (Aaron Patterson, 2015-09-18, 1 file, -2/+2)
| |   `normalize_encode_params` is common to all parser code paths, so we can pull that up and always apply it before assigning the request parameters
* | remove the `default` parameter from the parser method (Aaron Patterson, 2015-09-18, 1 file, -8/+5)
| |   since there is only one "default" strategy now, we can just use the block parameter for that.
* | move parameter parsing to the request object (Aaron Patterson, 2015-09-18, 1 file, -1/+34)
| |   All parameter parsing should be on the request object because the request object is the object that we ask for parameters.
* | fewer direct env manipulations (Aaron Patterson, 2015-09-15, 1 file, -1/+1)
| |   this commit removes some direct access to `env`.
* | stop inheriting from Rack::Request (Aaron Patterson, 2015-09-04, 1 file, -3/+5)
| |   Just include the modules necessary in the Request object to implement the things we need. This should make it easier to build delegate request objects because the API is smaller
* | Merge pull request #21483 from justanshulsharma/add-ip6-address (Eileen M. Uchitelle, 2015-09-03, 1 file, -1/+1)
|\ \
| | |   [ci skip] Added localhost IPv6
| * | [ci skip] Added localhost IPv6 (Anshul Sharma, 2015-09-03, 1 file, -1/+1)
| | |
* | | add a method for getting the http auth salt (Aaron Patterson, 2015-08-29, 1 file, -0/+4)
| | |
* | | Code cleanup (Marcin Olichwirowicz, 2015-08-27, 1 file, -2/+2)
|/ /
| |   Cleanup for `ActionDispatch::Http::Parameters` - no need for required libraries and remove not used private method.
| |
| |   Apparently this method was used in `ActionDispatch::Http::Request` - fixed by calling `Request::Utils` explicitly (as was done in other parts of the codebase)
* | always return a controller class from the `controller_class` method (Aaron Patterson, 2015-08-25, 1 file, -6/+13)
| |   now the caller can just treat it like a regular controller even though it will return a 404
* | Remove unused block arguments (Anshul Sharma, 2015-08-25, 1 file, -1/+1)
| |