| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| | |
This commit uses the new method in Rack to check if a path is valid.
|
|/
|
|
|
|
|
|
| |
In #18721 we removed the discard key from the session hash used to flash
messages and that broke compatibility with Rails 4 applications because they
try to map in the discarded flash messages and it returns nil.
Fixes #24726.
|
| |
|
|
|
|
|
|
| |
Related with 38d2bf5fd1f3e014f2397898d371c339baa627b1.
cc @tenderlove
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to that `ActionDispatch::Flash` (the flash API's middleware) is not
included for API controllers, the `request.reset_session` method, which
relies on there being a `flash=` method which is in fact defined by the
middleware, was previously breaking. Similarly to how
add46482a540b33184f3011c5c307f4b8e90c9cc created a method to be
overridden by the flash middleware in order to ensure non-breakage, this
is how flashes are now reset.
Fixes #24222
|
|
|
|
|
| |
Forgot to update the documentation on the line just above the one
I was changing in 4933132. Well done, Kasper :+1:
|
|
|
|
|
|
|
|
|
| |
`ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some.
The `constrain_to` option inverts this, so it sounds like the middleware
only handles a few requests, rather than the majority with a few routes to
opt out of the redirect.
Renaming to `exclude` matches this intent more closely.
|
| |
|
|
|
|
|
|
| |
These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDipatch.
|
|
|
|
|
|
|
|
|
|
|
|
| |
We only reference the Action Controller error classes by name in
ActionDispatch::ExceptionWrapper, so there is no need to explicitly
require them.
It drops a tiny coupling between Action Dispatch and Action Controller,
so it makes me feel warm inside. We still have a lot of others AC
requires in the AD code base, but here, we can save it.
[ci skip]
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
- For old apps which are not setting any value for hsts[:subdomains],
a deprecation warning will be shown saying that hsts[:subdomains] will
be turned on by default in Rails 5.1. Currently it will be set to
false for backward compatibility.
- Adjusted tests to reflect this change.
|
|
|
|
|
|
|
|
| |
1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases
2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing.
That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.
Yes, many developers forget to add subdomains=true by default, believe me :)
|
|
|
|
|
| |
This will keep our current API working without having the users to
change their codebases.
|
|
|
|
| |
This change was added in #23203 and it was not conforming our code style.
|
|\
| |
| | |
WIP: Errors in logs should show log tags as well.
|
| |
| |
| |
| |
| |
| |
| | |
- Changed formatted_code_for to return array of logs to be tagged for each line
- Changed some render tests to match new behaviour of return
Fixes #22979
|
| |
| |
| |
| |
| |
| |
| | |
Multiple cookie values should be separated by '; ' according
to RFC 6265, section 5.4.4[1].
[1]: https://tools.ietf.org/html/rfc6265#section-5.4
|
| | |
|
|\ \
| | |
| | |
| | | |
into ma2gedev-should-escape-cookie
|
| | |
| | |
| | |
| | |
| | | |
Get an incorrect cookie value in controller action method
if cookie value contains an escapable string.
|
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
gzipped version exists or not. This is helpful for CDN's to later distinguish assets, based on previous, current copies and introduced gzip version if any."
This reverts commit 067c52f608568e35181830a5c1016e382650e655.
Conversation: https://github.com/rails/rails/pull/23120#issuecomment-173007011
|
| |
| |
| |
| |
| |
| |
| |
| | |
version exists or not. This is helpful for CDN's to later distinguish assets, based on previous, current copies and introduced gzip version if any.
For ref: https://www.fastly.com/blog/best-practices-for-using-the-vary-header
This change sets `Vary` header always, to be on safer side
|
| |
| |
| |
| |
| |
| | |
File paths cannot contain null byte characters and methods that do path
operations such as Rack::Utils#clean_path_info will raise unwanted
errors.
|
|/ |
|
| |
|
|
|
|
|
| |
This was causing bug #22738 to occur. Also added extra tests to make
sure everything is A-OK.
|
|
|
|
| |
Still more to do. Please assist!
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new method to request and response so we don't need to
violate the law of demeter.
We are changing `Request` and `Response` so that they always have a
`cookie_jar`
This is a continuation on work to combine integration and controller
test code bases in Rails.
|
|\
| |
| | |
Add text template for source code
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When a request is made with AJAX and an error occurs, Rails will render
a text-template for the exception instead of the HTML error page
(#11960).
The `.text.erb` variant of the `_source` template is currently missing,
causing HTML to be rendered in the response. This commit adds the text
template.
To keep the page scannable we only only show the first three source
extracts.
Related to #14745.
Before:
```
~/testing-exceptions ᐅ curl 'http://localhost:3000/' -H
'X-Requested-With: XMLHttpRequest'
RuntimeError in PostsController#index
<div class="source " id="frame-source-0">
<div class="info">
Extracted source (around line <strong>#3</strong>):
</div>
<div class="data">
<table cellpadding="0" cellspacing="0" class="lines">
<tr>
```
After:
```
~/testing-exceptions ᐅ curl 'http://localhost:3000/' -H
'X-Requested-With: XMLHttpRequest'
RuntimeError in PostsController#index
Extracted source (around line #3):
*3 raise
```
|
| | |
|
| | |
|
|\ \
| | |
| | | |
remove unnecessary @compiled_root from static.rb
|
| |/ |
|
|/
|
|
|
|
|
| |
Closes #21230 by following the indication of @rafaelfranca:
> I think the output change would be simpler.
> What is really important to show is the class of the middleware, so we should change the output to show that.
|
| |
|
|
|
|
|
| |
When `require 'active_support/rails'`, 'active_support/deprecation'
is automatically loaded.
|
|\
| |
| |
| | |
Add basic support for access control headers to ActionDispatch::Static
|