| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
| |
|
|\
| |
| | |
Prevent ActionController::Parameters in url_for
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Applications that use `redirect_to :back` can be forced to 500 by
clients that do not send the HTTP `Referer` (sic) header.
`redirect_back` requires the user to consider this possibility up front
and avoids this trivially-caused application error.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`redirect_to :back` is a somewhat common pattern in Rails apps, but it
is not completely safe. There are a number of circumstances where HTTP
referrer information is not available on the request. This happens often
with bot traffic and occasionally to user traffic depending on browser
security settings.
When there is no referrer available on the request, `redirect_to :back`
will raise `ActionController::RedirectBackError`, usually resulting in
an application error.
`redirect_back` takes a required `fallback_location` keyword argument
that specifies the redirect when the referrer information is not
available. This prevents 500 errors caused by
`ActionController::RedirectBackError`.
|
|
|
| |
As both `redirect_to_nil` and `redirect_to_params` are raising same `ActionController::ActionControllerError` so it’s good to assert error messages as well
|
|
|
|
|
|
|
|
|
| |
This will silence deprecation warnings.
Most of the test can be changed from `render :text` to render `:plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
|
| |
|
| |
|
| |
|
|
|
|
| |
Closes #16170
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
|
| |
|
|
|
|
| |
add tests for stripping \r\n chars since that's already happening
|
| |
|
|
|
|
| |
"//asset.host.com/resources/1235" see issue #3856
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
autoloading."
Booting a new Rails application does not work after this commit [#5359 state:open]
This reverts commit 38a421b34d0b414564e919f67d339fac067a56e6.
|
|
|
|
|
|
| |
autoloading.
Signed-off-by: José Valim <jose.valim@gmail.com>
|
|
|
|
| |
destroyed? methods. ActionPack does not care if the resource is new or if it was destroyed, it cares only if it's persisted somewhere or not.
|
| |
|
|
|
|
| |
ActionController::Routing::Routes directly
|
|
|
|
| |
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
| |
|
|
|
|
|
|
| |
- Define to_model on AR
- Define to_model on ActiveModel::APICompliant
- Update test fixtures to be API Compliant
- Start using to_model in AP
|
| |
|
|
|
|
| |
7f1f16c01
|
| |
|
|
|
|
| |
[#1617 state:resolved]
|
| |
|
|
|
|
| |
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
|
|
|
|
| |
Signed-off-by: Joshua Peek <josh@joshpeek.com>
|
|
|
|
| |
HTTP header. It can now be set in your configuration environment with config.action_controller.relative_url_root
|
|
|
|
| |
If both the actual redirection and the asserted redirection are hashes, succeed if the asserted redirection is a strict subset of the actual redirection.
|
|
|
|
|
|
| |
before comparing. Also allows for a simpler implementation of redirect_to without most of the recursion.
Also allows for assert_redirected_to @some_record
|
|
|
|
| |
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9212 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
| |
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8633 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
| |
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
|
|
| |
sandofsky]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7934 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
|
|
| |
without manually setting headers. Closes #8297 [codahale, chasgrundy]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7820 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
|
|
| |
before named routes) [DHH] Added record identification with polymorphic routes for ActionController::Base#url_for and ActionView::Base#url_for [DHH]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6729 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
| |
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6435 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
|
|
| |
parameters. Closes #7837.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6430 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
|
|
| |
redirect_to(:symbol, *args) controller methods. Use named routes instead.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6412 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
| |
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4971 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
|
|
| |
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4248 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|