| Commit message (Collapse) | Author | Age | Files | Lines |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
The `url_for` methods in `actionpack` and `actionview`
now make a copy of the provided options
before generating polymorphic paths or URLs.
The bug in the previous behavior
is most noticeable in a case like:
    url_options = [:new, :post, param: 'value']
    if current_page?(url_options)
      css_class = "active"
    end
    link_to "New Post", url_options, class: css_class
This way we can get the relative_url_root from the application without
setting another global value
Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment
variable is not prepended to the path when `url_for` is called.
If `SCRIPT_NAME` (used by Rack) is set, it takes precedence.
url_for
Fixes https://github.com/rails/rails/issues/17714.
We added a deprecation warning for these cases in aa1fadd, so these are now
causing deprecation warnings in the test output. AFAICT, in these two cases, the
option is not integral to the purpose of the test, so they can be safely removed
also if you want a path from a named helper, you should call
helper_path, not helper_url(:only_path => true).
This reverts commit 5c224de9e110763ec7a0f01f5b604bcf81f40bfb.

Conflicts:
    actionpack/lib/action_dispatch/journey/visitors.rb

5c224de9e110763ec7a0f01f5b604bcf81f40bfb introduced a bug in the
formatter. This commit includes a regression test.
relative URL.
leading .)
Adding a boolean route constraint checks for presence/absence of request property
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes #5964
This reverts commit 174cf8b22064c3999dfa685014d5b31ac993bb54, reversing
changes made to 7ecd6a731bd60665bc6de94095137f0b2c4ada2a.
The reverted commit improved the performance in the wrong place, now we
have added this 6ddbd1844a6fd6aca2992f5f75c9f605cf89808f improvement.
stringified keys
* e.g. blog_url(subdomain: current_user) instead of blog_url(subdomain: current_user.to_param)
numeric addresses.
See-also pull request #3561 from 3-1-stable
Otherwise the following occurs:
    TypeError: can't convert nil into String
        /Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/http/url.rb:75:in `host_or_subdomain_and_domain'
        /Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/http/url.rb:37:in `url_for'
        /Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/routing/url_for.rb:147:in `test_subdomain_may_be_accepted_with_numeric_host'
        /Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/testing/setup_and_teardown.rb:67:in `run'
        /Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/callbacks.rb:426:in `send'
        /Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/callbacks.rb:81:in `run'
for subdomain(s) removal from the host during link generation. Closes #2025
[#5774 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
allowing for easy manipulation of the host during link generation.
Signed-off-by: José Valim <jose.valim@gmail.com>
Added route which matches all: controller, action, id and format
Signed-off-by: José Valim <jose.valim@gmail.com>
http://tools.ietf.org/rfc/rfc3986.txt
[#4762 state:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Signed-off-by: José Valim <jose.valim@gmail.com>
a way to specify a default SCRIPT_NAME when generating URLs out of the context of a request.