| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| |
| | |
fatal multiple times. Expose tags_text from TaggedLogging to be used for log formatting
Fixes #26134
|
|\ \
| |/
|/| |
Add missing `+` around a some literals.
|
| |
| |
| |
| |
| |
| | |
Mainly around `nil`
[ci skip]
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
I have been seeing people setting `Logger` instances for `config.logger`
and it blowing up on `rails/web-console` usage.
Now, I doubt many folks are manually setting `ActionView::Base.logger`,
but given that `DebugExceptions` is running in a pretty fragile
environment already, having it crash (and being silent) in those cases
can be pretty tricky to trace down.
I'm proposing we verify whether the `ActionView::Base.logger` supports
silencing before we try to do it, to save us the headache of tracing it
down.
|
|
|
| |
- Followup of fda5afeb
|
|
|
|
| |
`ActionDispatch::Static#initialize`
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
ActionDispatch::ParamsParser class was removed in favor of
ActionDispatch::Http::Parameters so it is better to move the error
constant to the new class.
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772.
But heredocs was still kept absolute position. This commit aligns
heredocs indentation for consistency.
|
| |
|
|
|
|
| |
key length
|
|
|
|
|
|
|
|
|
| |
Since keys are truncated, ruby 2.4 doesn't accept keys greater than their lenghts.
keys of same value but different lenght and greater than key size of cipher, produce the same results
as reproduced at https://gist.github.com/rhenium/b81355fe816dcfae459cc5eadfc4f6f9
Since our default cipher is 'aes-256-cbc', key length for which is 32 bytes, limit the length of key being passed to Encryptor to 32 bytes.
This continues to support backwards compat with any existing signed data, already encrupted and signed with 32+ byte keys.
Also fixes the passing of this value in multiple tests.
|
|
|
|
|
|
|
|
|
|
|
| |
When `config.force_ssl` is set to `true`, any POST/PUT/DELETE requests coming in to non-secure url are being redirected with a 301 status.
However, when that happens, the request is converted to a GET request and ends up hitting a different action on the controller.
Since we can not do non-GET redirects, we can instead redirect with a 307 status code instead to indicate to the caller that a fresh request should be tried preserving the original request method.
`rack-ssl` gem which was used to achieve this before we had this middleware directly baked into Rails also used to do the same, ref: https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L54
This would be specially important for any apps switching from older version of Rails or apps which expose an API through Rails.
|
|
|
|
|
|
|
|
| |
Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces
Fix all violations in the repository.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `ActionDispatch::Static` middleware is used low down in the stack to serve
static assets before doing much processing. Since it's called from so low in
the stack, we don't have access to the request ID at this point, and generally
won't have any exception handling defined (by default `ShowExceptions` is added
to the stack quite a bit higher and relies on logging and request ID).
Before https://github.com/rails/rails/commit/8f27d6036a2ddc3cb7a7ad98afa2666ec163c2c3
this middleware would ignore unknown HTTP methods, and an exception about these
would be raised higher in the stack. After that commit, however, that exception
will be raised here.
If we want to keep `ActionDispatch::Static` so low in the stack (I think we do)
we should suppress the `ActionController::UnknownHttpMethod` exception here,
and instead let it be raised higher up the stack, once we've had a chance to
define exception handling behaviour.
This PR updates `ActionDispatch::Static` so it passes `Rack::Request` objects to
`ActionDispatch::FileHandler`, which won't raise an
`ActionController::UnknownHttpMethod` error. If an unknown method is
passed, it should exception higher in the stack instead, once we've had a
chance to define exception handling behaviour.`
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rack [recently](https://github.com/rack/rack/commit/7e7a3890449b5cf5b86929c79373506e5f1909fb)
moved the namespace of its `ParameterTypeError` and `InvalidParameterError`
errors. Whilst an alias for the old name was added, the logic in
`ActionDispatch::ExceptionWrapper` was still broken by this change, since it
relies on the class name.
This PR updates `ActionDispatch::ExceptionWrapper` to handle the Rack 2.0
namespaced errors correctly. We no longer need to worry about the old names,
since Rails specifies Rack ~> 2.0.
|
|
|
|
| |
it false
|
|
|
|
| |
`config.ssl_options` permits configuring various options for the middleware. Default options for HSTS (specified with the `:hsts` key in the options hash) are specified in `.default_hsts_options`. The documentation did not make clear these defaults, and in one case was wrong.
|
|\
| |
| | |
ActionDispatch::DebugLocks
|
| |
| |
| |
| |
| | |
Only intended to be enabled when in use; by necessity, it sits above any
reasonable access control.
|
|/
|
|
|
|
|
|
|
|
|
|
| |
When an exception is raised, those Action View rendering logs are just
noise for the end developer. I recently silenced those from Web Console,
as we do use Action View rendering in it as well. It used created a half
a screen of rendering logs. I think we can save those in this recent
push for cleaner development logs.
Now, the silencing is a bit hacky and we have a bunch of it now, so we
can also invest in turning off the logs directly from Action View
objects instead of silencing off the logging stream.
|
|\
| |
| | |
API only apps: Preserve request format for HTML requests too
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Earlier we were responding with JSON format for HTML requests in a API
app.
- Now we will respond with HTML format for such requests in API apps.
- Also earlier we were not testing the API app's JSON requests
properly. We were actually sending HTML requests. Now we send correct
JSON requests. Also added more test coverage.
- Based on the discussion from this commit -
https://github.com/rails/rails/commit/05d89410bf97d0778e78558db3c9fed275f8a614.
[Prathamesh Sonpatki, Jorge Bejar]
|
| |
| |
| |
| | |
This commit uses the new method in Rack to check if a path is valid.
|
|/
|
|
|
|
|
|
| |
In #18721 we removed the discard key from the session hash used to flash
messages and that broke compatibility with Rails 4 applications because they
try to map in the discarded flash messages and it returns nil.
Fixes #24726.
|
| |
|
|
|
|
|
|
| |
Related with 38d2bf5fd1f3e014f2397898d371c339baa627b1.
cc @tenderlove
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to that `ActionDispatch::Flash` (the flash API's middleware) is not
included for API controllers, the `request.reset_session` method, which
relies on there being a `flash=` method which is in fact defined by the
middleware, was previously breaking. Similarly to how
add46482a540b33184f3011c5c307f4b8e90c9cc created a method to be
overridden by the flash middleware in order to ensure non-breakage, this
is how flashes are now reset.
Fixes #24222
|
|
|
|
|
| |
Forgot to update the documentation on the line just above the one
I was changing in 4933132. Well done, Kasper :+1:
|
|
|
|
|
|
|
|
|
| |
`ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some.
The `constrain_to` option inverts this, so it sounds like the middleware
only handles a few requests, rather than the majority with a few routes to
opt out of the redirect.
Renaming to `exclude` matches this intent more closely.
|
| |
|
|
|
|
|
|
| |
These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDipatch.
|
|
|
|
|
|
|
|
|
|
|
|
| |
We only reference the Action Controller error classes by name in
ActionDispatch::ExceptionWrapper, so there is no need to explicitly
require them.
It drops a tiny coupling between Action Dispatch and Action Controller,
so it makes me feel warm inside. We still have a lot of others AC
requires in the AD code base, but here, we can save it.
[ci skip]
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
- For old apps which are not setting any value for hsts[:subdomains],
a deprecation warning will be shown saying that hsts[:subdomains] will
be turned on by default in Rails 5.1. Currently it will be set to
false for backward compatibility.
- Adjusted tests to reflect this change.
|
|
|
|
|
|
|
|
| |
1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases
2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing.
That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.
Yes, many developers forget to add subdomains=true by default, believe me :)
|
|
|
|
|
| |
This will keep our current API working without having the users to
change their codebases.
|
|
|
|
| |
This change was added in #23203 and it was not conforming our code style.
|