| Commit message | Author | Age | Files | Lines |
Unknown mime types should not be cached globally. This global cache
leads to a memory leak and a denial of service vulnerability.
CVE-2016-0751
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
Conflicts:
actionpack/lib/action_dispatch/http/request.rb
Fix ActionDispatch::Request#formats when HTTP_ACCEPT header is an empty
string.
dispatch logic
* 3-2-sec:
  bumping version
  CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
  * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
  Avoid Rack security warning no secret provided

Conflicts:
  actionpack/CHANGELOG.md
  activerecord/CHANGELOG.md
  activesupport/CHANGELOG.md
dealing with empty hashes. Thanks Damien Mathieu
Fix rewinding in ActionDispatch::Request#raw_post

Conflicts:
  actionpack/CHANGELOG.md
behavior added at c53e5def08f7a289a92a8e5f79dcd7caa5c3a2fb
Thanks to Ben Murphy for reporting this!
CVE-2012-2660
A callable object passed as a constraint for a route may access the request
parameters as part of its check. This causes the combined parameters hash
to be cached in the environment hash. If the constraint fails then any subsequent
access of the request parameters will be against that stale hash.

To fix this we delete the cache after every call to `matches?`. This may have a
negative performance impact if the constraint wraps a large number of routes as the
parameters hash is built by merging GET, POST and path parameters.

Fixes #2510.

(cherry picked from commit 56030506563352944fed12a6bb4793bb2462094b)
by googlebot
* e.g. blog_url(subdomain: current_user) instead of blog_url(subdomain: current_user.to_param)
Fixes #3957
The methods, "post?", "put?", "head?", etc. contain an incorrect
explanation. They state that they are equivalent to request_method ==
:type, but this is not accurate because the methods convert the string
to a symbol. They are actually equivalent to:
request_method_symbol == :type
refactor RemoteIp middleware
- return the last forwarded IP before REMOTE_ADDR to handle proxies
- remove completely superfluous RemoteIpGetter class
- remove duplication of trusted proxies regexp
- remove unused constant from Request
- move comments from Request to where they are actually relevant
- edit comments for clarity of purpose

The original code (confusingly) tried to return REMOTE_ADDR both at the beginning and the end of the chain of options. Since REMOTE_ADDR is _always_ set, this is kind of silly. This change leaves REMOTE_ADDR as the last option, so that proxied requests will be assigned the correct remote IP address.
numeric addresses.

See-also pull request #3561 from 3-1-stable

Otherwise the following occurs:

TypeError: can't convert nil into String
/Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/http/url.rb:75:in `host_or_subdomain_and_domain'
/Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/http/url.rb:37:in `url_for'
/Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/routing/url_for.rb:147:in `test_subdomain_may_be_accepted_with_numeric_host'
/Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/testing/setup_and_teardown.rb:67:in `run'
/Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/callbacks.rb:426:in `send'
/Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/callbacks.rb:81:in `run'
production concerns
for subdomain(s) removal from the host during link generation. Closes #2025
requests. Closes #2119

An xhr request must have an "Accept" or "Content-type" header in order to be considered a request with valid_accept_header.
Conflicts:
  actionmailer/lib/action_mailer/base.rb
  activesupport/lib/active_support/core_ext/kernel/requires.rb
Conflicts:
  actionpack/lib/action_view/helpers/date_helper.rb
  railties/lib/rails/generators/rails/app/templates/config/initializers/wrap_parameters.rb.tt
deprecated and is going to be removed in future releases.
crap) [DHH]