aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch/middleware/debug_view.rb
Commit message (Collapse)AuthorAgeFilesLines
* Pull generated methods up in to the anonymous subclassAaron Patterson2019-02-061-6/+1
| | | | Then we don't need the extra module.
* Move templates to an anonymous subclass of AV::BaseAaron Patterson2019-02-061-0/+9
| | | | | Now we can throw away the subclass and the generated methods will get GC'd too
* Tighten up the AV::Base constructorAaron Patterson2019-01-291-1/+3
| | | | | | | | | | | | | | | The AV::Base constructor was too complicated, and this commit tightens up the parameters it will take. At runtime, AV::Base is most commonly constructed here: https://github.com/rails/rails/blob/94d54fa4ab641a0ddeb173409cb41cc5becc02a9/actionview/lib/action_view/rendering.rb#L72-L74 This provides an AV::Renderer instance, a hash of assignments, and a controller instance. Since this is the common case for construction, we should remove logic from the constructor that handles other cases. This commit introduces special constructors for those other cases. Interestingly, most code paths that construct AV::Base "strangely" are tests.
* Introduce a guard against DNS rebinding attacksGenadi Samokovarov2018-12-151-0/+50
The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-09 08:39:58 +0000