path: root/actionpack/lib/action_dispatch/http
Commit message (Author, Age, Files, Lines)
...
* change `@text_xml_idx` to an lvar and cache it on the stack (Aaron Patterson, 2016-01-27, files: 1, lines: -13/+11)
|   this eliminates the ivar lookup and also eliminates the `||=` conditional that happens every time we called the `text_xml_idx` method.
* Merge branch '5-0-beta-sec' (Aaron Patterson, 2016-01-25, files: 1, lines: -2/+16)
|\
| |   * 5-0-beta-sec:
| |     bumping version
| |     fix version update task to deal with .beta1.1
| |     Eliminate instance level writers for class accessors
| |     allow :file to be outside rails root, but anything else must be inside the rails view directory
| |     Don't short-circuit reject_if proc
| |     stop caching mime types globally
| |     use secure string comparisons for basic auth username / password
| * stop caching mime types globally (Aaron Patterson, 2016-01-22, files: 1, lines: -2/+16)
| |   Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability.
| |
| |   CVE-2016-0751
* | Response etags to always be weak: Prefixed W/ to value returned by ↵ (abhishek, 2016-01-20, files: 1, lines: -1/+1)
| |   ActionDispatch::Http::Cache::Response#etag= such that etags set in fresh_when and stale? are weak. For #17556.
* | Space Oddity (Akira Matsuda, 2016-01-14, files: 2, lines: -2/+2)
| |   Converting nbsp(\u{00A0}) to the normal ASCII space(\u{0020}) [ci skip]
* | Commit before freezing the headers (Matthew Draper, 2016-01-12, files: 2, lines: -1/+8)
| |   This shouldn't generally come up: under a standard flow, we don't start sending until after the commit. But application code always finds a way.
* | Format from Accept headers have higher precedence than path extension format (Jorge Bejar, 2015-12-29, files: 1, lines: -2/+2)
| |
* | Rely on default Mime format when MimeNegotiation#format_from_path_extension ↵ (Jorge Bejar, 2015-12-29, files: 1, lines: -3/+3)
| |   is not a valid type
| |
| |   Closes #22747
* | Remember the parameter hash we return (Matthew Draper, 2015-12-22, files: 1, lines: -1/+1)
|/
|   Callers expect to be able to manipulate it.
* Avoid calling AD::MimeNegotiation#format_from_path_extension method twice (Jorge Bejar, 2015-12-09, files: 1, lines: -2/+2)
|
* Do not add format key to request_params (Jorge Bejar, 2015-12-09, files: 2, lines: -17/+11)
|   I did this change but it is affecting how the request params end up after being processed by the router.
|
|   To be on the safe side, I just take the format from the extension in the URL when it is not present in those params and it's being used only for the `Request#formats` method
* Improve regexp in AC::Http::Parameters (Jorge Bejar, 2015-12-09, files: 1, lines: -1/+1)
|
* Response when error should be formatted properly in Rails API if local request (Jorge Bejar, 2015-12-09, files: 1, lines: -3/+3)
|
* Use URL path extension as format in bad params exception handling (Jorge Bejar, 2015-12-08, files: 1, lines: -2/+17)
|
* Only commit the cookie jar if it hasn't been committed (eileencodes, 2015-12-06, files: 1, lines: -1/+1)
|   We don't want to commit the cookie jar more than once because then we will be attempting to modify a frozen hash.
|
|   Fixes Railties test failure caused by 492b134.
* Stop violating law of demeter in response cookie_jar (eileencodes, 2015-12-06, files: 2, lines: -1/+4)
|   This adds a new method to request and response so we don't need to violate the law of demeter.
|
|   We are changing `Request` and `Response` so that they always have a `cookie_jar`
|
|   This is a continuation on work to combine integration and controller test code bases in Rails.
* Push `before_sending` to super class (eileencodes, 2015-12-06, files: 2, lines: -0/+6)
|   We want to get rid of the `Live::Response` so we are consolidating methods from `Live::Response` and `Response` by merging them together.
|
|   This adds an `#empty` method to the request so we don't need to hard-code the empty array each time we call an empty `ActionDispatch::Request`.
|
|   The work here is a continuation on combining controller and integration test code bases into one.
* Shrink a couple of deprecation warnings to one-liners (Matthew Draper, 2015-12-06, files: 1, lines: -18/+8)
|   The previous spelling seemed a bit too generous with the whitespace, and looked out of place when amongst others.
* Merge pull request #21241 from pdg137/master (Arthur Nogueira Neves, 2015-11-26, files: 1, lines: -1/+2)
|\
| |   In url_for, never append ? when the query string is empty anyway.
| * In url_for, never append ? when the query string is empty anyway. (Paul Grayson, 2015-10-29, files: 1, lines: -1/+2)
| |   It used to behave like this:
| |
| |     url_for(controller: 'x', action: 'y', q: {})
| |     # -> "/x/y?"
| |
| |   We previously avoided empty query strings in most cases by removing nil values, then checking whether params was empty.
| |
| |   But as you can see above, even non-empty params can yield an empty query string. So I changed the code to just directly check whether the query string ended up empty.
| |
| |   (To make everything more consistent, the "removing nil values" functionality should probably move to ActionPack's Hash#to_query, the place where empty hashes and arrays get removed. However, this would change a lot more behavior.)
* | Merge pull request #22263 from mastahyeti/csrf-origin-check (Rafael França, 2015-11-26, files: 1, lines: -2/+2)
|\ \
| | |   Add option to verify Origin header in CSRF checks
| | |   [Jeremy Daer + Rafael Mendonça França]
| * | Add option to verify Origin header in CSRF checks (Ben Toews, 2015-11-25, files: 1, lines: -2/+2)
| | |
* | | Merge pull request #17928 from sergey-alekseev/remove-unused-form-data-method (Sean Griffin, 2015-11-23, files: 1, lines: -3/+9)
|\ \ \
| |/ /
|/| |
| * | write a test for `#form_data?` (Sergey Alekseev, 2015-03-31, files: 1, lines: -1/+9)
| | |   The initial attempt was to remove the method at all in https://github.com/sergey-alekseev/rails/commit/4926aa68c98673e7be88a2d2b57d72dc490bc71c. The method overrides Rack's `#form_data?` https://github.com/rack/rack/blob/6f8808d4201e68e4bd780441b3b7bb3ee6d1f43e/lib/rack/request.rb#L172-L184. Which may have some incorrect implementation actually. `type.nil?` isn't possible I suppose. I'll check.
* | | Deprecate exception#original_exception in favor of exception#cause (Yuki Nishijima, 2015-11-03, files: 2, lines: -4/+4)
| |/
|/|
* | Remove dead code (Rafael Mendonça França, 2015-10-28, files: 1, lines: -5/+0)
| |   This is leftover from when `render nothing: true` rendered blank string.
* | Catch invalid UTF-8 querystring values and respond with BadRequest (Grey Baker, 2015-10-23, files: 1, lines: -1/+4)
| |
* | Merge pull request #22003 from yui-knk/remove_needless_require_as (Yves Senn, 2015-10-20, files: 1, lines: -1/+0)
|\ \
| | |   Delete needless `require 'active_support/deprecation'`
| * | Delete needless `require 'active_support/deprecation'` (yui-knk, 2015-10-20, files: 1, lines: -1/+0)
| | |   When `require 'active_support/rails'`, 'active_support/deprecation' is automatically loaded.
* | | Show helpful messages on invalid param. encodings (Agis Anastasopoulos, 2015-10-19, files: 1, lines: -3/+3)
|/ /
| |   Prior to this change, given a route:
| |
| |     # config/routes.rb
| |     get ':a' => "foo#bar"
| |
| |   If one pointed to http://example.com/%BE (param `a` has invalid encoding), a `BadRequest` would be raised with the following non-informative message:
| |
| |     ActionController::BadRequest
| |
| |   From now on the message displayed is:
| |
| |     Invalid parameter encoding: hi => "\xBE"
| |
| |   Fixes #21923.
* | use methods for accessing the cache control headers (Aaron Patterson, 2015-10-06, files: 2, lines: -6/+9)
| |   Use the methods rack provides so we don't have to worry about the exact header key.
* | etag header is in Rack, so use its response methods (Aaron Patterson, 2015-10-06, files: 1, lines: -6/+2)
| |   Rack implements the Etag header manipulation methods, so we can use those instead of ours.
* | Use `Mime[:foo]` instead of `Mime::Type[:FOO]` for back compat (Jeremy Daer, 2015-10-06, files: 5, lines: -51/+46)
| |   Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries that support multiple Rails versions would've had to feature-detect whether to use `Mime::Type[:FOO]` or `Mime::FOO`.
| |
| |   `Mime[:foo]` has been around for ages to look up registered MIME types by symbol / extension, though, so libraries and plugins can safely switch to that without breaking backward- or forward-compatibility.
| |
| |   Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup by type or extension, so it's not available as `Mime[:all]`. We use it internally as a wildcard for `respond_to` negotiation. If you use this internal constant, continue to reference it with `Mime::ALL`.
| |
| |   Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
* | move file sending to the response object (Aaron Patterson, 2015-10-05, files: 1, lines: -1/+39)
| |   Just a slight refactor that delegates file sending to the response object. This gives us the advantage that if a webserver (in the future) provides a response object that knows how to do accelerated file serving, it can implement this method.
* | Merge branch 'master' of github.com:rails/docrails (Vijay Dev, 2015-10-04, files: 1, lines: -2/+2)
|\ \
| * | Revert "proper raise ArgumentError, divided large text new line" (Rafael Mendonça França, 2015-09-28, files: 1, lines: -3/+3)
| | |   This reverts commit 4147ab730e807f622e5260a5f876749ff41fef26.
| * | proper raise ArgumentError, divided large text new line (Gaurav Sharma, 2015-09-29, files: 1, lines: -3/+3)
| | |
| * | Renamed ‘Return’ to ‘Returns’ [ci skip] (Ronak Jangir, 2015-09-28, files: 1, lines: -2/+2)
| | |
* | | Introduce `Headers#add`. Move `Response#add_header` upstream. (Jeremy Daer, 2015-10-03, files: 3, lines: -23/+8)
| | |   * Introduce `ActionDispatch::Http::Headers#add` to add a value to a multivalued header.
| | |   * Move `Response#add_header` upstream: https://github.com/rack/rack/pull/957
| | |   * Match upstream `Response#have_header?` -> `#has_header?` name change.
* | | Response#add_header for adding to multi-valued headers like Vary (Jeremy Daer, 2015-10-01, files: 1, lines: -0/+20)
| | |
* | | Merge pull request #21768 from Gaurav2728/gaurav-doc_fix_for_mime (Rafael Mendonça França, 2015-09-25, files: 1, lines: -1/+1)
|\ \ \
| | | |   fix Mime type in doc since mime types via constants is deprecated [ci…
| * | | fix Mime type in doc since mime types via constants is deprecated [ci skip] (Gaurav Sharma, 2015-09-26, files: 1, lines: -1/+1)
| | | |
* | | | pull the flash methods in to their own module (Aaron Patterson, 2015-09-25, files: 1, lines: -0/+3)
| | | |   We only want to activate flash when the user has enabled it. Api servers don't use flash, so add an empty implementation to the base Request object.
* | | | commit the flash after the controller finishes being serviced (Aaron Patterson, 2015-09-25, files: 1, lines: -15/+0)
| | | |   Committing the flash needs to happen in order for the session to be written correctly, so let's guarantee that it actually does happen.
* | | | move flash committing to the request object. (Aaron Patterson, 2015-09-25, files: 1, lines: -0/+15)
|/ / /
| | |   I'm doing this so that we can commit the flash to the session object Out of Band of the flash middleware
* | | Fix deprecated mime types via constants (amitkumarsuroliya, 2015-09-25, files: 1, lines: -5/+5)
| | |   Accessing mime types via constants is deprecated. Now, we are using `Mime::Type[:JSON]` instead of `Mime::JSON`
* | | move the Header hash to the super class (Aaron Patterson, 2015-09-24, files: 1, lines: -1/+24)
| | |   I want to move the header hash to the super request object in order to consolidate behavior. We should be switching out buffering strategies rather than header strategies since things like "mutating headers after send" is an error in both cases (buffering vs streaming).
* | | mutate headers before committing the response (Aaron Patterson, 2015-09-24, files: 1, lines: -2/+8)
| | |   We should not mutate headers after the response has been committed.
* | | stop applying default headers in ActionDispatch::Response (Aaron Patterson, 2015-09-23, files: 1, lines: -6/+10)
| | |   I'm making this change so that I can construct response objects that *don't* have the default headers applied. For example, I would like to construct a response object from the return value of a controller.
| | |
| | |   If you need to construct a response object with the default headers, then please use the alternate constructor: `ActionDispatch::Response.create`
* | | Updated Mime Negotiations docs [ci skip] (amitkumarsuroliya, 2015-09-23, files: 1, lines: -4/+4)
| | |   As we all know that Accessing mime types via constants is deprecated. Now, we are using `Mime::Type[:JSON]` instead of `Mime::JSON`