| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Render could leak access to external files before this patch.
A previous patch(CVE-2016-0752), attempted to fix this. However the tests
were miss-placed outside the TestCase subclass, so they were not running.
We should allow :file to be outside rails root, but anything else must
be inside the rails view directory.
The implementation has changed a bit though. Now the patch is more
similar with the 4.x series patches.
Now `render 'foo/bar'`, will add a special key in the options
hash, and not use the :file one, so when we look up that file, we
don't set the fallbacks, and only lookup a template, to constraint the
folders that can be accessed.
CVE-2016-2097
|
|
|
|
| |
closes GH-23248
|
|
|
|
|
|
|
|
|
|
| |
rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
|
|
|
|
|
|
|
| |
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0. Checking for a
case-insensitive FS seems too hard, so just check Ruby version Checking
for a case-insensitive FS seems too hard, so just check Ruby version.
|
| |
|
|
|
|
|
|
| |
this is due to:
https://bugs.ruby-lang.org/issues/5994
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Regexps have a construct to express alternation of characters, which
is character classes. In addition to being the most specific idiom to
write this pattern, it reads better without the backslashes. Also, it
is better not to use a capture if none is needed. As a side-effect of
these changes, the gsub is marginally faster, but speed is not the
point of this commit.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A couple of things worth mentioning here:
- "{" is a metacharacter, should be escaped
if it is meant to match a "{". The code
worked, though, because the regexp engine
is tolerant to this, but issued warnings.
- gsub accepts a string as first argument.
That's the best idiom to use when your
pattern has no metacharacters, since gsub
interprets the string as an exact substring
to look for, rather than a regexp. The
benefit is that your pattern is crystal
clear and needs no backslashes.
|
| |
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
|
| |
|
|
|
|
|
|
| |
filesystems.
This fixes CVE-2011-0449
|
| |
|
| |
|
| |
|
|
|
|
| |
object, not necessarily a class.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch, every request in development caused the template
to be compiled, regardless if it was updated in the filesystem or not.
This patch now checks the timestamp and only compiles it again if
any change was done.
While this probably won't show any difference for current setups,
but it will be useful for asset template handlers (like SASS), as
compiling their templates is slower than ERb, Haml, etc.
|
|
|
|
|
|
| |
This means that templates does not need to store its source anymore, allowing us to reduce the ammount of memory taken by our Rails processes. Naively speaking, if your app/views contains 2MB of files, each of your processes (after being hit by a bunch of requests) will take 2MB less of memory after this commit.
This is extremely important for the upcoming features. Since Rails will also render CSS and JS files, their source won't be stored as well allowing us to decrease the ammount of memory taken.
|
|
|
|
| |
class.
|
| |
|
|
|
|
|
|
|
|
| |
autoloading."
Booting a new Rails application does not work after this commit [#5359 state:open]
This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
|
|
|
|
|
|
| |
autoloading.
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
| |
|
|
|
|
| |
This reverts commit ade756fe42423033bae8e5aea8f58782f7a6c517.
|
|
|
|
| |
This reverts commits af0d1a88157942c6e6398dbf73891cff1e152405 and 64d109e3539ad600f58536d3ecabd2f87b67fd1c.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Default Encoding.default_internal to UTF-8
* Eliminated the use of file-wide magic comments to coerce code evaluated inside the file
* Read templates as BINARY, use default_external or template-wide magic comments
inside the Template to set the initial encoding
* This means that template handlers in Ruby 1.9 will receive Strings encoded
in default_internal (UTF-8 by default)
* Create a better Exception for encoding issues, and use it when the template
source has bytes that are not compatible with the specified encoding
* Allow template handlers to opt-into handling BINARY. If they do so, they
need to do some of their own manual encoding work
* Added a "Configuration Gotchas" section to the intro Rails Guide instructing
users to use UTF-8 for everything
* Use config.encoding= in Ruby 1.8, and raise if a value that is an invalid
$KCODE value is used
Also:
* Fixed a few tests that were assert() rather than assert_equal() and
were caught by Minitest requiring a String for the message
* Fixed a test where an assert_select was misformed, also caught by
Minitest being more restrictive
* Fixed a test where a Rack response was returning a String rather
than an Enumerable
|
| |
|
|
|
|
| |
that they shouldn't be further modified.
|
| |
|
|
|
|
| |
repeat in every resolver.
|