path: root/actionpack/test/controller
Commit message | Author | Date | Files | Lines (-/+)

* fix 1.8 hash syntax
  Arthur Neves, 2016-03-01, 1 file, -1/+1

* Don't allow render(params) in view/controller
  Arthur Neves, 2016-02-29, 1 file, -6/+47

  `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters.

  CVE-2016-2098

* Complete work on 3.2 for render_data_leak patch.
  Arthur Neves, 2016-02-29, 2 files, -76/+29

  Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However, the tests were misplaced outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed.

  CVE-2016-2097

* Run `file.close` before unlinking for travis
  eileencodes, 2016-01-28, 1 file, -1/+2

  This works on OSX but for some reason travis is throwing a

  ```
  1) Error:
  ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
  NoMethodError: undefined method `unlink' for nil:NilClass
  ```

  Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.

* Fix hash syntax for 1.8.7
  eileencodes, 2016-01-28, 1 file, -1/+1

  Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.

* Regression test for rendering file from absolute path
  eileencodes, 2016-01-28, 1 file, -0/+11

  Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.

* Use 1.8 compatible hash syntax
  Andrew White, 2016-01-25, 1 file, -4/+4

* allow :file to be outside rails root, but anything else must be inside the rails view directory
  Aaron Patterson, 2016-01-22, 2 files, -4/+45

  Conflicts:
    actionpack/test/controller/render_test.rb
    actionview/lib/action_view/template/resolver.rb

  CVE-2016-0752

* restore I18n.locale after test
  Aman Gupta, 2015-01-02, 1 file, -0/+8

* Only accept actions without File::SEPARATOR in the name.
  Rafael Mendonça França, 2014-05-05, 1 file, -1/+16

  This will avoid directory traversal in implicit render.

  Fixes: CVE-2014-0130

* Backport #5808
  Mack Earnhardt, 2013-03-24, 1 file, -0/+37

  df36c5f - Fix assert_template assertion with :layout option
  4bd05a7 - Fix assert_template :layout => nil assertion
  0d19a08 - Improve assert_template layout checking

* Merge pull request #9802 from newsline/fix-broken-action-missing
  Rafael Mendonça França, 2013-03-20, 1 file, -0/+12

  Fix missing action_missing

  Conflicts:
    actionpack/CHANGELOG.md

  Conflicts:
    actionpack/test/controller/base_test.rb

  Fixes #9799

* Extract hardcoded lists to Redo::RestaurantsList
  Juan Barreneche, 2013-03-14, 1 file, -0/+9

* Do not run this streaming test in Ruby 1.8, fix syntax error
  Carlos Antonio da Silva, 2013-01-17, 1 file, -5/+8

* Merge pull request #5288 from lest/patch-2
  José Valim, 2013-01-17, 1 file, -0/+13

  force response body to be read in assert_template

  Conflicts:
    actionpack/lib/action_controller/test_case.rb

* Merge branch '3-2-sec' into 3-2-secmerge
  Aaron Patterson, 2013-01-08, 1 file, -0/+13

  * 3-2-sec:
    bumping version
    CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
    * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
    * dealing with empty hashes. Thanks Damien Mathieu
    Avoid Rack security warning no secret provided

  Conflicts:
    actionpack/CHANGELOG.md
    activerecord/CHANGELOG.md
    activesupport/CHANGELOG.md

* CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
  Jeremy Kemper, 2013-01-08, 1 file, -0/+13
  (commit on the 3-2-sec branch merged by the entry above)

* backport #4f0f1b5 into 3-2-stable. because 1.9.3-p362 warned unused variables.
  SHIBATA Hiroshi, 2013-01-05, 1 file, -1/+2

  Conflicts:
    actionpack/test/controller/render_test.rb

* Use Ruby 1.8 syntax
  Rafael Mendonça França, 2013-01-02, 1 file, -2/+2

* Backport #8701, do not append a second slash with `trailing_slash: true`
  Yves Senn, 2013-01-02, 1 file, -5/+15

* Use 1.8 hash style
  Carlos Antonio da Silva, 2012-12-03, 1 file, -1/+1

* Override <%== to always behave as literal text rather than toggling based on whether escaping is enabled.
  Jeremy Kemper, 2012-12-03, 1 file, -2/+8

  Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.

  Conflicts:
    actionpack/test/template/template_test.rb

* Accept symbols as #send_data :disposition value
  Elia Schito, 2012-11-27, 1 file, -1/+13

* Revert "Merge pull request #7659 from HugoLnx/template_error_no_matches_rebased"
  Rafael Mendonça França, 2012-10-31, 1 file, -22/+0

  This reverts commit 7d17cd2cbfc086f5aa9dd636e1207eb130150428.

  Conflicts:
    actionpack/CHANGELOG.md

  Reason: This added a regression since people were relying on this buggy behavior. This will introduce back #3849 but we will be backward compatible in stable release.

  Fixes #8068.

* Use the Ruby 1.8 hash syntax
  Rafael Mendonça França, 2012-10-06, 1 file, -1/+1

* Merge pull request #7848 from senny/3415_assert_template_has_nil_variable
  Rafael Mendonça França, 2012-10-06, 1 file, -0/+11

  can't pass :locals to #assert_template without a view test case (#3415)

  Conflicts:
    actionpack/CHANGELOG.md

* Since File instance doesn't respond to #open use a double to test the behavior added at c53e5def08f7a289a92a8e5f79dcd7caa5c3a2fb
  Rafael Mendonça França, 2012-09-30, 1 file, -3/+2

* Merge pull request #7659 from HugoLnx/template_error_no_matches_rebased
  Rafael Mendonça França, 2012-09-30, 1 file, -0/+22

  REBASED: fixing assert_template bug when template matches expected, but not ends with

  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_controller/test_case.rb

* Don't paramify ActionDispatch::Http::UploadedFile in tests
  Tim Vandecasteele, 2012-09-29, 1 file, -0/+7

  To test uploading a file without using fixture_file_upload, a posted ActionDispatch::Http::UploadedFile should not be paramified (just like Rack::Test::UploadedFile). (Rack::Test::UploadedFile and ActionDispatch::Http::UploadedFile don't share the same API; tempfile is not accessible on Rack::Test::UploadedFile, as discussed in https://github.com/brynary/rack-test/issues/30)

* log 404 status when ActiveRecord::RecordNotFound was raised (#7646)
  Yves Senn, 2012-09-17, 1 file, -0/+15

  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_controller/log_subscriber.rb

* html_escape should escape single quotes
  Santiago Pastorino, 2012-08-02, 2 files, -3/+3

  https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

  Closes #7215

  Conflicts:
    actionpack/test/template/erb_util_test.rb
    actionpack/test/template/form_tag_helper_test.rb
    actionpack/test/template/text_helper_test.rb
    actionpack/test/template/url_helper_test.rb
    activesupport/lib/active_support/core_ext/string/output_safety.rb

* Show in log correct wrapped keys
  Dmitry Vorotilin, 2012-07-05, 1 file, -0/+8

* Added test for case when view doesn't have logger method when using ActionController::Metal controller.
  Dmitry Vorotilin, 2012-06-16, 1 file, -0/+17

* adding a test for #6459
  Aaron Patterson, 2012-06-14, 1 file, -0/+10

* Add test to flash sweep after two redirects
  Rafael Mendonça França, 2012-06-05, 1 file, -0/+20

  This test is needed to avoid regressions in the way that flash works now (swept in every request).

* Include routes.mounted_helpers into integration tests
  Piotr Sarnacki, 2012-06-01, 1 file, -0/+19

  In integration tests, you might want to use helpers from engines that you mounted in your application. It's not hard to add it by yourself, but it's unneeded boilerplate. mounted_helpers are now included by default. That means that given an engine mounted like:

    mount Foo::Engine => "/foo", :as => "foo"

  you will be able to use paths from this engine in tests this way:

    foo.root_path #=> "/foo"

  (closes #6573)

* Refactor the handling of default_url_options in integration tests
  Andrew White, 2012-05-10, 1 file, -0/+80

  This commit improves the handling of default_url_options in integration tests by making it behave closer to how a real application operates. Specifically the following issues have been addressed:

  * Options specified in routes.rb are used (fixes #546)
  * Options specified in controllers are used
  * Request parameters are recalled correctly
  * Tests can override default_url_options directly

* Add failing test re #3436 which demonstrates content_type is not respected when using the :head method/shortcut
  Kunal Shah, 2012-05-07, 1 file, -0/+21

* Add a role option to wrap_parameters.
  Nick Ragaz, 2012-05-04, 1 file, -2/+15

  The role option identifies which parameters are accessible and should be wrapped. The default role is :default.

* Don't convert params if the request isn't HTML - fixes #5341
  Andrew White, 2012-04-29, 1 file, -2/+40

  (cherry picked from commit 7a80b69e00f68e673c6ceb5cc684aa9196ed3d9f)

  Conflicts:
    actionpack/test/controller/test_test.rb

* default_url_options does not receive one argument anymore
  Rafael Mendonça França, 2012-04-08, 1 file, -1/+1

* Remove the leading \n added by textarea on assert_select
  Santiago Pastorino, 2012-03-30, 1 file, -0/+7

* Set proper rendered_format when doing render :inline
  Santiago Pastorino, 2012-03-28, 1 file, -0/+1

  Closes #5632

* Cover one more case in auth_token and remote forms
  Piotr Sarnacki, 2012-03-28, 1 file, -16/+22

  If embedding auth_token in remote forms is off and we pass a value for auth_token, it should respect it.

* Added config.action_view.embed_authenticity_token_in_remote_forms
  Piotr Sarnacki, 2012-03-28, 1 file, -6/+48

  There is a regression introduced in 16ee611fa, which breaks remote forms that should also work without javascript. This commit introduces a config option that allows configuring this behavior, defaulting to the old behavior (i.e. include authenticity token in remote forms by default).

* If partial is rendered in controller, grab format from template
  Piotr Sarnacki, 2012-03-27, 1 file, -0/+13

  Previously `rendered_format` was set only based on mime types passed in the Accept header, which was wrong if the first type from Accept was different than the rendered partial. The fix is to simply move setting rendered_format to the place where the template is available and grab the format from the template. If it fails we can fall back to formats passed by the Accept header.

* Build fix for ruby1.8.7-358
  Arun Agrawal, 2012-03-19, 1 file, -1/+1

* Add missing test for #5308
  Piotr Sarnacki, 2012-03-17, 1 file, -0/+13

* Fix #5440 - multiple render_to_string breaks partials formats
  Piotr Sarnacki, 2012-03-17, 1 file, -0/+26

  This fixes the situation where rendering a template to string sets `rendered_format` to the format rendered there. This is ok to have consistent formats rendered in partials, but it breaks on next renders if format is explicitly set, or on the last render where the default format does not necessarily need to be the format of the first rendered template.

* Merge pull request #5457 from brianmario/typo-fix
  Aaron Patterson, 2012-03-15, 1 file, -1/+1

  Fix typo in redirect test