path: root/actionpack/lib
Commit message | Author | Age | Files | Lines
* Refactor out Dir.glob from ActionDispatch::Static | schneems | 2014-08-27 | 1 | -20/+5
    Dir.glob can be a security concern. The original use was to provide logic of fallback files. Example: a request to `/` should render the file from `/public/index.html`. We can replace the dir glob with the specific logic it represents. The glob {,index,index.html} will look for the current path, then in the directory of the path with index file and then in the directory of the path with index.html. This PR replaces the glob logic by manually checking each potential match. Best case scenario this results in one less file API request, worst case, this has one more file API request. Related to #16464
    Update: added a test for when a file of a given name (`public/bar.html`) and a directory (`public/bar`) both exist in the same root directory. Changed logic to accommodate this scenario.
* Address comments on Gzip implementation | schneems | 2014-08-24 | 1 | -10/+19
    - don't mutate PATH_INFO in env, test
    - test fallback content type matches Rack::File
    - change assertion style
    - make HTTP_ACCEPT_ENCODING comparison case insensitive
    - return gzip path from method instead of true/false so we don't have to assume later
    - don't allocate unneeded hash.
    Original comments: https://github.com/rails/rails/commit/cfaaacd9763642e91761de54c90669a88d772e5a#commitcomment-7468728
    cc @jeremy
* Refactor ActionDispatch::RemoteIp | Sam Aarons | 2014-08-21 | 1 | -52/+38
    Refactored IP address checking in ActionDispatch::RemoteIp to rely on the IPAddr class instead of the unwieldy regular expression to match IP addresses. This commit keeps the same API but allows users to pass IPAddr objects to config.action_dispatch.trusted_proxies in addition to passing strings and regular expressions. Example:

        # config/environments/production.rb
        config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
* Avoid duplicating routes for HEAD requests. | Guo Xiang Tan | 2014-08-21 | 2 | -17/+29
    Follow-up to rails#15321. Instead of duplicating the routes, we will first match the HEAD request to HEAD routes. If no match is found, we will then map the HEAD request to GET routes.
* Enable gzip compression by default | schneems | 2014-08-20 | 1 | -14/+40
    If someone is using ActionDispatch::Static to serve assets and makes it past the `match?`, then the file exists on disk and it will be served. This PR adds in logic that checks to see if the file being served is already compressed (via gzip) and on disk; if it is, it will be served as long as the client can handle gzip encoding. If not, then a non-gzip file will be served. This additional logic slows down an individual asset request but should speed up the consumer experience as compressed files are served, and production applications should be delivered with a CDN. This PR allows a CDN to cache a gzip file by setting the `Vary` header appropriately. In net this should speed up production applications that are using Rails as an origin for a CDN. Non-asset request speed is not affected in this PR.
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token | Jeremy Kemper | 2014-08-19 | 1 | -3/+65
    CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gem | Bradley Buda | 2014-08-19 | 1 | -3/+65
    This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
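The per-request masking scheme this commit describes, as an added Ruby illustration; it is neither the gem's nor Rails's code, and the 32-byte token length and the pad-prepended layout are assumptions made for the example:

```ruby
# Added illustration of one-time-pad masking for a CSRF token: the value placed
# in each response is (pad || token XOR pad) with a fresh random pad, so the
# same session token never appears as the same bytes twice, while the server
# can still unmask and compare it. Not the breach-mitigation-rails implementation.
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32 # bytes; assumption for this example

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask a raw token with a fresh pad; output layout is pad || (token XOR pad).
def mask_token(raw_token)
  pad = SecureRandom.random_bytes(raw_token.bytesize)
  Base64.strict_encode64(pad + xor_bytes(raw_token, pad))
end

# Recover the raw token from a masked value, or nil if it is malformed.
def unmask_token(masked)
  bytes = Base64.strict_decode64(masked)
  return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
  pad = bytes[0, TOKEN_LENGTH]
  masked_token = bytes[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(masked_token, pad)
rescue ArgumentError # strict_decode64 raises on invalid Base64
  nil
end

# Compare the unmasked token with the session token in constant time.
def valid_token?(masked, session_token)
  unmasked = unmask_token(masked)
  return false unless unmasked && unmasked.bytesize == session_token.bytesize
  unmasked.bytes.zip(session_token.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```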
* | Protect against error when parsing parameters with Bad Request | Rafael Mendonça França | 2014-08-19 | 1 | -2/+2
    Related to #11795.
* | Merge pull request #16299 from sikachu/ps-safer-ac-params | Jeremy Kemper | 2014-08-19 | 1 | -3/+84
    Update `ActionController::Parameters` to be more secure on parameters handling
| * | Use `#to_hash` instead of calling `super` | Prem Sichanugrist | 2014-08-18 | 1 | -1/+1
    Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | Fix failing test on several methods on Parameter | Prem Sichanugrist | 2014-08-18 | 1 | -1/+25
    * `each`
    * `each_pair`
    * `delete`
    * `select!`
| * | Refactor code to reduce duplicate `self.class.new` | Prem Sichanugrist | 2014-08-18 | 1 | -12/+10
| * | Add missing `Hash` methods to `AC::Parameters` | Prem Sichanugrist | 2014-08-18 | 1 | -0/+40
    This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that need to be redefined by looking for `self.class.new` in the code.
    * extract!
    * transform_keys
    * transform_values
| * | Make `AC::Params#to_h` return Hash with safe keys | Prem Sichanugrist | 2014-08-18 | 1 | -0/+19
    `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`.

        params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
        params.to_h
        # => {}

        unsafe_params = params.dup.permit!
        unsafe_params.to_h
        # => {"name"=>"Senjougahara Hitagi"}

        safe_params = params.permit(:name)
        safe_params.to_h
        # => {"name"=>"Senjougahara Hitagi"}

    This change is considered a stopgap as we cannot change the code to stop `ActionController::Parameters` from inheriting from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inherit from `HashWithIndifferentAccess` in the next major version.
* | | Merge branch 'master' of github.com:rails/docrails | Vijay Dev | 2014-08-19 | 3 | -2/+31
    Conflicts:
        actionpack/lib/action_controller/metal/mime_responds.rb
        actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
        activerecord/lib/active_record/type/value.rb
| * | | Uppercase HTML in docs. | Hendy Tanata | 2014-08-08 | 3 | -10/+10
    [skip ci]
| * | | [ci skip] Document ActionDispatch::Static | schneems | 2014-08-05 | 1 | -0/+9
| * | | [ci skip] document ActionDispatch::FileHandler | schneems | 2014-08-05 | 1 | -0/+10
| * | | [ci skip] Document PublicExceptions middleware | schneems | 2014-08-05 | 1 | -0/+10
* | | | Add missing require | Godfrey Chan | 2014-08-18 | 1 | -0/+2
* | | Deprecate TagAssertion instead of removing | Rafael Mendonça França | 2014-08-18 | 1 | -0/+1
* | | Merge pull request #15889 from carnesmedia/model-name | Rafael Mendonça França | 2014-08-17 | 2 | -6/+6
    Use #model_name on instances instead of classes
| * | | Use #model_name on instances instead of classes | Amiel Martin | 2014-06-24 | 2 | -6/+6
    This allows rails code to be more confident when asking for a model name, instead of having to ask for the class. Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
* | | | Merge branch 'loofah' | Rafael Mendonça França | 2014-08-17 | 6 | -597/+27
    Conflicts:
        Gemfile
| * \ \ \ Merge branch 'master' into loofah | Rafael Mendonça França | 2014-08-17 | 13 | -607/+218
    Conflicts:
        actionpack/CHANGELOG.md
| * \ \ \ \ Merge branch 'master' into loofah | Rafael Mendonça França | 2014-08-12 | 36 | -402/+512
    Conflicts:
        actionpack/CHANGELOG.md
        actionpack/test/controller/integration_test.rb
        actionview/CHANGELOG.md
| * | | | | | We don't need loofah for the assertions | Rafael Mendonça França | 2014-07-15 | 2 | -4/+2
    We can just use nokogiri
| * | | | | | Merge pull request #11218 from kaspth/loofah-integration | Rafael Mendonça França | 2014-07-10 | 6 | -597/+29
    Loofah-integration
    Conflicts:
        actionpack/CHANGELOG.md
        actionview/CHANGELOG.md
| | * | | | | | Add document_root_element to ActionDispatch::IntegrationTest so assert_select can be called without specifying a root. | Timm | 2014-06-16 | 1 | -0/+4
| | * | | | | | Moved html_document to ActionDispatch::Assertions. Included the Rails::Dom::Testing::Assertions there as well. | Timm | 2014-06-16 | 2 | -7/+13
| | * | | | | | Support for changes in SelectorAssertions. | Timm | 2014-06-16 | 1 | -0/+14
| | * | | | | | Changed deprecation message in dom and selector assertions in Action Dispatch. | Timm | 2014-06-16 | 2 | -2/+2
| | * | | | | | Removed tag.rb, since it is actually removed, not just deprecated. [ci skip] | Timm | 2014-06-16 | 1 | -3/+0
| | * | | | | | Moved ActionView::Assertions dependency from Action Pack's lib to abstract_unit.rb. | Timm | 2014-06-16 | 2 | -4/+1
| | * | | | | | Added deprecation warning to ActionDispatch::Assertions::TagAssertions. | Timm | 2014-06-16 | 1 | -0/+3
| | * | | | | | Trimmed deprecation message for ActionDispatch::Assertions::SelectorAssertions. | Timm | 2014-06-16 | 1 | -1/+1
| | * | | | | | Require ActionView::Assertions in ActionController test_case.rb. | Timm | 2014-06-16 | 1 | -0/+1
| | * | | | | | Moved Dom and Selector assertions from ActionDispatch to ActionView. | Timm | 2014-06-16 | 5 | -544/+7
| | * | | | | | Fixed: assert_select_encoded finds the right content. No longer uses a <encoded> wrapper. Updated tests to reflect this. | Timm | 2014-06-16 | 1 | -5/+9
| | * | | | | | Removed mention of css_select supporting substitution values. It is not tested anywhere. | Timm | 2014-06-16 | 1 | -7/+1
| | * | | | | | Updated documentation to state more things about css selectors with substitution values. | Timm | 2014-06-16 | 1 | -3/+11
| | * | | | | | Reworked the wrapping root in NodeSet implementation in css_select. | Timm | 2014-06-16 | 1 | -3/+5
| | * | | | | | Wrapped element to search in NodeSet. Changed selectors to selector. | Timm | 2014-06-16 | 1 | -3/+5
| | * | | | | | Moved around alias line. | Timm | 2014-06-16 | 1 | -2/+2
| | * | | | | | Returning from filter if matches are empty. | Timm | 2014-06-16 | 1 | -1/+1
| | * | | | | | Fixed: no longer wrapped @selected in fragment, since .css works fine without it. | Timm | 2014-06-16 | 1 | -2/+1
| | * | | | | | Reverted to using documents instead of document fragments, since searching via default xml namespaces didn't work. | Timm | 2014-06-16 | 1 | -3/+6
| | * | | | | | add_regex returns inspected value for non Regexp objects. Workaround, so users don't have to care about enclosing values in double quotes. | Timm | 2014-06-16 | 1 | -1/+2
| | * | | | | | Fixed: inadvertently called message method in MiniTest instead of selector.message. | Timm | 2014-06-16 | 1 | -1/+1
| | * | | | | | Cleaned up SubstitutionContext class. | Timm | 2014-06-16 | 1 | -10/+8