| Commit message | Author | Age | Files | Lines |
| |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
| |
There are some cases when the `body` in `response_body=` can be set to
nil. One of those cases is in `actionpack-action_caching` which I found
while upgrading it for Rails 5.
It's not possible to run `body.each` on a `nil` body so we have to
return after we run `response.reset_body!`.
| |
We want to get rid of the `Live::Response` so we are consolidating methods
from `Live::Response` and `Response` by merging them together.
This adds an `#empty` method to the request so we don't need to
hard-code the empty array each time we call an empty
`ActionDispatch::Request`.
The work here is a continuation on combining controller and integration
test code bases into one.
| |
When `active_support/rails` is required, `active_support/deprecation`
is automatically loaded.
| |
Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries
that support multiple Rails versions would've had to feature-detect
whether to use `Mime::Type[:FOO]` or `Mime::FOO`.
`Mime[:foo]` has been around for ages to look up registered MIME types
by symbol / extension, though, so libraries and plugins can safely
switch to that without breaking backward- or forward-compatibility.
Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup
by type or extension, so it's not available as `Mime[:all]`. We use it
internally as a wildcard for `respond_to` negotiation. If you use this
internal constant, continue to reference it with `Mime::ALL`.
Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
| |
We should be asking the mime type method for the mime objects rather
than via const lookup.
| |
In this commit, we set the content-type to `text/html` in AbstractController if `options[:html]` is true, so that we don't need to include ActionView::Rendering into ActionController::Metal to set it properly.
I removed the `if options[:plain]` statement because `AbstractController#rendered_format` returns `Mime::TEXT` by default.
| |
Since all controller instances are required to have a request and
response object, RackDelegation is no longer needed (we always have to
delegate to the response).
| |
Without this module, the content type is not set correctly.
| |
Controllers should always have a request and response when responding.
Since we make this The Rule(tm), then controllers don't need to be
somewhere in limbo between "asking a response object for a rack
response" or "I, myself contain a rack response". This duality leads to
conditionals spread through the codebase that we can delete:
* https://github.com/rails/rails/blob/85a78d9358aa728298cd020cdc842b55c16f9549/actionpack/lib/action_controller/metal.rb#L221-L223
| |
Collect the body and assert against the collected body.
| |
Looks like this was left over from converting Rails to Rack. I think
it's safe to remove now.
| |
This will silence deprecation warnings.
Most of the tests can be changed from `render :text` to `render :plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
| |
We've started on discouraging the usage of `render :text` in #12374.
This is a follow-up commit to make sure that we print out the
deprecation warning.
| |
Non-kwargs requests are deprecated now.
Guides are updated as well.
`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same.
| |
Add `ActionController::Metal#set_request!` to set a request
on controller instance without calling dispatch.
| |
`render nothing: true` or rendering a `nil` body no longer adds a single
space to the response body.
The old behavior was added as a workaround for a bug in an early version of
Safari, where the HTTP headers were not returned correctly if the response
body had a 0-length. This has since been fixed and the workaround is no
longer necessary.
Use `render body: ' '` if the old behavior is desired.
| |
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
Conflicts:
`actionpack/lib/abstract_controller/base.rb`
| |
`render :body` should just not set the `Content-Type` header. By
removing the header, it breaks compatibility with other parts.
After this commit, `render :body` will return the `text/html` content type,
set by default by `ActionDispatch::Response`, and it will preserve
the overridden content type if you override it.
Fixes #14197, #14238
This partially reverts commit 3047376870d4a7adc7ff15c3cb4852e073c8f1da.
| |
This is an option to render HTML content with a content type of
`text/html`. This rendering option calls `ERB::Util.html_escape`
internally to escape unsafe HTML strings, so you will have to mark your
string as html safe if you have any HTML tag in it.
Please see #12374 for more detail.
| |
This is an option to render content with a content type of
`text/plain`. This is the preferred option if you are planning to render
plain text content.
Please see #12374 for more detail.
| |
This is an option for sending raw content back to the browser. Note that
this rendering option will unset the default content type and does not
include a "Content-Type" header in the response.
You should only use this option if you are expecting the "Content-Type"
header to not be set. More information on the "Content-Type" header can be
found in RFC 2616, section 7.2.1.
Please see #12374 for more detail.
| |
Previous behaviour was MRI-dependent; now we're making sure the message
is correctly shown: something that can be relied upon across every
Ruby implementation.
| |
see: 9b0ac0bc74569db460f87ea6888b3847be0ff5be
| |
This reverts commit 70d6e16fbad75b89dd1798ed697e7732b8606fa3, reversing
changes made to ea4db3bc078fb3093ecdddffdf4f2f4ff3e1e8f9.
Seems to be a code merge done by mistake.
| |
see: 9b0ac0bc74569db460f87ea6888b3847be0ff5be
| |
whether escaping is enabled. Fixes that existing plaintext email templates using `<%==` unexpectedly flipped to *escaping* HTML when #8235 was merged.
| |
single check.
Rails includes a single character body in a head(:no_content) response to work around an old Safari bug where headers were ignored if no body was sent.
This patch brings the behavior slightly closer to spec if :no_content/204 is explicitly requested via a head-only response.
Status comparison is done on symbolic and numeric values.
No content is returned when responding with head, limited to status codes that explicitly state no content will be returned: 100..199, 204, 205, 304.
| |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
| |
minitest/spec provides `describe`, so deprecate the Rails version and
have people use the superclass version.
| |
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
| |
minor