| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | Seperate Parameters accessors and mutators tests | Prem Sichanugrist | 2014-08-18 | 1 | -57/+0 |
| | | |||||
| * | Add missing `Hash` methods to `AC::Parameters` | Prem Sichanugrist | 2014-08-18 | 1 | -0/+21 |
| | | | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values | ||||
| * | Make `AC::Params#to_h` return Hash with safe keys | Prem Sichanugrist | 2014-08-18 | 1 | -0/+39 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version. | ||||
| * | adds some details to the rationale of converted_arrays [ci skip] | Xavier Noria | 2014-06-07 | 1 | -1/+1 |
| | | |||||
| * | adds a regression test for the strong params converted arrays cache | Xavier Noria | 2014-06-07 | 1 | -1/+18 |
| | | | | | This is a regression test for 29844dd. | ||||
| * | Revert "Convert StrongParameters cache to a hash. This fixes an unbounded" | Xavier Noria | 2014-06-07 | 1 | -1/+1 |
| | | | | | | | | | | | | | | | | | | | | | We cannot cache keys because arrays are mutable. We rather want to cache the arrays. This behaviour is tailor-made for the usage pattern strongs params is designed for. In a forthcoming commit I am going to add a test that covers why we need to cache by value. Every strong params instance has a live span of a request, the cache goes away with the object. Since strong params have such a concrete intention, it would be interesting to see if there are actually any real-world use cases that are an actual leak, one that practically may matter. I am not convinced that the theoretical leak has any practical consequences, but if it can be shown there are, then I believe we should either get rid of the cache (which is an optimization), or else wipe it in the mutating API. This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b. | ||||
| * | Convert StrongParameters cache to a hash. This fixes an unbounded | Ryan Davis | 2014-06-03 | 1 | -1/+1 |
| | | | | | | | memory leak demonstrated on @tenderlove's latest blog post: http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html | ||||
| * | AC::Parameters#permit! permits hashes in array values | Xavier Noria | 2013-12-23 | 1 | -3/+11 |
| | | |||||
| * | optimizes array conversion in AC::Parameters | Xavier Noria | 2013-12-21 | 1 | -0/+5 |
| | | |||||
| * | converts hashes in arrays of unfiltered params to unpermitted params [fixes ↵ | Xavier Noria | 2013-12-21 | 1 | -0/+7 |
| | | | | | #13382] | ||||
| * | don't mutate hash with fetch | Doug Cole | 2013-10-26 | 1 | -0/+6 |
| | | |||||
| * | do not break params filtering on nil values | Vasiliy Ermolovich | 2013-09-07 | 1 | -0/+9 |
| | | | | | closes #12149 | ||||
| * | Rack::Test::UploadedFile is a permitted scalar | Fabio Kreusch | 2013-02-21 | 1 | -1/+2 |
| | | |||||
| * | ActionDispatch::Http::UploadedFile is a permitted scalar [Closes #9051] | Xavier Noria | 2013-01-23 | 1 | -1/+2 |
| | | |||||
| * | Lets kepp using Ruby 1.9 syntax | Rafael Mendonça França | 2013-01-22 | 1 | -17/+17 |
| | | |||||
| * | Add missing assert calls | Carlos Antonio da Silva | 2013-01-20 | 1 | -2/+2 |
| | | |||||
| * | strong parameters filters permitted scalars | Xavier Noria | 2013-01-20 | 1 | -4/+121 |
| | | |||||
| * | Test that permitted? is sticky on accessors, mutators, and merges | Benjamin Quorning | 2012-11-06 | 1 | -0/+24 |
| | | |||||
| * | Test that not permitted is sticky on #except | Benjamin Quorning | 2012-11-06 | 1 | -0/+1 |
| | | |||||
| * | Current tests are testing stickiness of non-permitted parameters | Benjamin Quorning | 2012-11-06 | 1 | -3/+3 |
| | | |||||
| * | Fix buggy tests | Benjamin Quorning | 2012-11-06 | 1 | -4/+4 |
| | | |||||
| * | No need for the debugger | David Heinemeier Hansson | 2012-10-31 | 1 | -1/+0 |
| | | |||||
| * | Allow #permit to take its list of permitted parameters as an array | David Heinemeier Hansson | 2012-10-31 | 1 | -0/+5 |
| | | |||||
| * | Cleanup trailing whitespaces | dfens | 2012-10-12 | 1 | -1/+1 |
| | | |||||
| * | ActionController::Parameters#permit! is recursive | Brendan Loudermilk | 2012-10-04 | 1 | -0/+7 |
| | | |||||
| * | Add config.action_controller.permit_all_attributes to bypass ↵ | Guillermo Iguaran | 2012-09-16 | 1 | -0/+14 |
| | | | | | StrongParameters protection | ||||
| * | Change tainted/untainted wording to permitted/forbidden | Guillermo Iguaran | 2012-09-16 | 1 | -0/+59 |
 |
index : rails.git | |
| Mirror of official rails repo with custom fixes. | Harald Eilertsen |
| aboutsummaryrefslogtreecommitdiffstats |