`render(params)` is dangerous and could be a vector for attackers.
Don't allow calls to render passing params on views or controllers.
On a controller or view, we should not allow something like
`render params[:id]` or `render params`.
That could be problematic, because an attacker could pass input that
could lead to a remote code execution attack.
This patch is also compatible when using strong parameters.
CVE-2016-2098
Render could leak access to external files before this patch.
A previous patch (CVE-2016-0752) attempted to fix this. However the tests
were misplaced outside the TestCase subclass, so they were not running.
We should allow :file to be outside the rails root, but anything else must
be inside the rails view directory.
The implementation has changed a bit though. Now the patch is more
similar to the 4.x series patches.
Now `render 'foo/bar'` will add a special key in the options
hash, and not use the :file one, so when we look up that file, we
don't set the fallbacks, and only look up a template, to constrain the
folders that can be accessed.
CVE-2016-2097
This works on OSX but for some reason travis is throwing a
```
1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.
Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
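The render behaviour the commit messages above describe (CVE-2016-2098, CVE-2016-2097/CVE-2016-0752 and CVE-2014-0130), as an added, self-contained Ruby example that is not Rails code: a toy `ToyRenderer#render` that refuses an options hash which is a request-parameters object (so an attacker-controlled `:inline` is never evaluated as ERB), lets `:file` name any path on disk by design, and resolves a bare template name only under the view root, refusing absolute paths and `..` segments. `RequestParams`, `ToyRenderer`, `TemplateLookupError`, the fixture files and the `<%= 7 * 6 %>` stand-in for an attacker's inline template are all assumptions made for this example.

```ruby
require 'erb'
require 'tmpdir'
require 'fileutils'

# Assumed stand-in for ActionController::Parameters: a Hash subclass that marks
# an options hash as coming straight from the request.
class RequestParams < Hash; end

class TemplateLookupError < StandardError; end

class ToyRenderer
  def initialize(view_root)
    @view_root = File.expand_path(view_root)
  end

  # Toy counterpart of `render` with the three behaviours the commits describe:
  # - request parameters are never accepted as the options hash (CVE-2016-2098),
  #   since an attacker-controlled :inline would be evaluated as ERB;
  # - :file may point anywhere on disk, by design (CVE-2016-2097);
  # - a bare template name is looked up only under the view root.
  def render(options, locals = {})
    raise ArgumentError, 'render parameters are not permitted' if options.is_a?(RequestParams)
    options = { template: options } if options.is_a?(String)

    source =
      if options.key?(:inline)
        options[:inline]
      elsif options.key?(:file)
        File.read(options[:file])
      else
        File.read(resolve_template(options.fetch(:template)))
      end
    ERB.new(source).result_with_hash(locals)
  end

  private

  # Template names never escape the view root: absolute paths and '..' segments
  # are refused up front, and the expanded path is checked against the root
  # before anything is read.
  def resolve_template(name)
    raise TemplateLookupError, "absolute path not allowed: #{name}" if name.start_with?('/')
    raise TemplateLookupError, "traversal not allowed: #{name}" if name.split('/').include?('..')

    path = File.expand_path("#{name}.erb", @view_root)
    unless path.start_with?(@view_root + File::SEPARATOR) && File.file?(path)
      raise TemplateLookupError, "missing template: #{name}"
    end
    path
  end
end

# Constructed fixture: one template under app/views and one secret outside it.
def build_fixture
  root = Dir.mktmpdir('toy-render')
  views = File.join(root, 'app', 'views')
  FileUtils.mkdir_p(File.join(views, 'foo'))
  File.write(File.join(views, 'foo', 'bar.erb'), 'hello <%= name %>')
  File.write(File.join(root, 'secret.txt'), 'top secret')
  [root, views]
end

def attempt
  yield
rescue TemplateLookupError, ArgumentError
  :refused
end

def render_demo
  root, views = build_fixture
  r = ToyRenderer.new(views)
  secret = File.join(root, 'secret.txt')
  {
    template:  r.render('foo/bar', name: 'rails'),        # "hello rails"
    file:      r.render(file: secret),                    # "top secret": :file may be anywhere
    inline:    r.render(inline: '<%= 7 * 6 %>'),          # "42": trusted inline template
    traversal: attempt { r.render('../../secret.txt') },  # :refused
    absolute:  attempt { r.render(secret) },              # :refused
    params:    attempt { r.render(RequestParams.new.merge!(inline: '<%= 7 * 6 %>')) } # :refused
  }
ensure
  FileUtils.rm_rf(root) if root
end
```

The check that matters is the last one: a plain hash with `:inline` renders (trusted code), while the same hash wrapped as request parameters is rejected before ERB ever sees it. The `start_with?` test on the expanded path is what keeps an implicit-render style action name such as `../../secret.txt` inside the view directory even after `File.expand_path` has normalised it.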
df36c5f - Fix assert_template assertion with :layout option
4bd05a7 - Fix assert_template :layout => nil assertion
0d19a08 - Improve assert_template layout checking
Fix missing action_missing
Conflicts:
actionpack/CHANGELOG.md
Conflicts:
actionpack/test/controller/base_test.rb
Fixes #9799
force response body to be read in assert_template
Conflicts:
actionpack/lib/action_controller/test_case.rb
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
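The safe XML params parsing mentioned for CVE-2013-0156, as an added Ruby example that is not the Rails patch: a toy parser for a flat `<params>` document whose type-cast step refuses the `symbol` and `yaml` type attributes instead of calling `to_sym` or the YAML loader on attacker-supplied text. The regex-based element matcher, `DisallowedType`, `typecast_xml_value` and the sample request bodies are all constructed for this example.

```ruby
class DisallowedType < StandardError; end

# Type attributes an XML request body may not use: casting them would hand
# untrusted text to Symbol interning or the YAML loader.
DISALLOWED_XML_TYPES = %w[symbol yaml].freeze

# Constructed one-level-deep element matcher standing in for a real XML parser.
ELEMENT_RE = %r{<(\w+)(?:\s+type="([^"]*)")?\s*>(.*?)</\1>}m

# Cast one element's text according to its type attribute, refusing the
# disallowed ones before any conversion happens.
def typecast_xml_value(text, type)
  if DISALLOWED_XML_TYPES.include?(type)
    raise DisallowedType, "Disallowed type attribute: #{type.inspect}"
  end
  case type
  when nil, 'string' then text
  when 'integer'     then Integer(text.strip, 10)
  when 'boolean'     then %w[true 1].include?(text.strip)
  else text # unknown types fall back to the raw string rather than being cast
  end
end

def params_from_xml(xml)
  body = xml[%r{<params>(.*)</params>}m, 1]
  raise ArgumentError, 'expected a <params> root element' unless body
  body.scan(ELEMENT_RE).each_with_object({}) do |(name, type, text), params|
    params[name] = typecast_xml_value(text, type)
  end
end

# Constructed sample request bodies.
SAFE_XML = <<~XML
  <params>
    <name>alice</name>
    <age type="integer">42</age>
    <admin type="boolean">false</admin>
  </params>
XML

SYMBOL_XML = <<~XML
  <params><name type="symbol">alice</name></params>
XML

YAML_XML = <<~XML
  <params><profile type="yaml">--- !ruby/object:Object {}</profile></params>
XML

def parse_or_refuse(xml)
  params_from_xml(xml)
rescue DisallowedType
  :refused
end

def xml_params_demo
  {
    safe:   parse_or_refuse(SAFE_XML),   # {"name"=>"alice", "age"=>42, "admin"=>false}
    symbol: parse_or_refuse(SYMBOL_XML), # :refused
    yaml:   parse_or_refuse(YAML_XML)    # :refused
  }
end
```

The refusal happens on the type attribute alone, before the text is looked at, so it does not depend on what the YAML loader of the day considers safe.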
whether escaping is enabled. Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.
Conflicts:
actionpack/test/template/template_test.rb
This reverts commit 7d17cd2cbfc086f5aa9dd636e1207eb130150428.
Conflicts:
actionpack/CHANGELOG.md
Reason: This added a regression since people were relying on this buggy behavior.
This will introduce back #3849 but we will be backward compatible in
stable release.
Fixes #8068.
can't pass :locals to #assert_template without a view test case (#3415)
Conflicts:
actionpack/CHANGELOG.md
behavior added at c53e5def08f7a289a92a8e5f79dcd7caa5c3a2fb
REBASED: fixing assert_template bug when template matches expected, but not ends with
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_controller/test_case.rb
To test uploading a file without using fixture_file_upload, a posted
ActionDispatch::Http::UploadedFile should not be paramified (just like
Rack::Test::UploadedFile).
(Rack::Test::UploadedFile and ActionDispatch::Http::UploadedFile don't
share the same API, tempfile is not accessible on
Rack::Test::UploadedFile as discussed in
https://github.com/brynary/rack-test/issues/30)
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_controller/log_subscriber.rb
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
ActionController::Metal controller.
This test is needed to avoid regressions in the way that flash works
now (swept in every request).
In integration tests, you might want to use helpers from engines that
you mounted in your application. It's not hard to add it by yourself,
but it's unneeded boilerplate. mounted_helpers are now included by
default. That means that given an engine mounted like:
mount Foo::Engine => "/foo", :as => "foo"
you will be able to use paths from this engine in tests this way:
foo.root_path #=> "/foo"
(closes #6573)
This commit improves the handling of default_url_options in integration
tests by making it behave closer to how a real application operates.
Specifically the following issues have been addressed:
* Options specified in routes.rb are used (fixes #546)
* Options specified in controllers are used
* Request parameters are recalled correctly
* Tests can override default_url_options directly
when using the :head method/shortcut
The role option identifies which parameters are accessible and should be wrapped. The default role is :default.
(cherry picked from commit 7a80b69e00f68e673c6ceb5cc684aa9196ed3d9f)
Conflicts:
actionpack/test/controller/test_test.rb
Closes #5632
If embedding auth_token in remote forms is off and we
pass a value for auth_token it should respect it.
There is a regression introduced in 16ee611fa, which breaks
remote forms that should also work without javascript. This commit
introduces a config option that allows configuring this behavior,
defaulting to the old behavior (i.e. include the authenticity token
in remote forms by default)
Previously `rendered_format` was set only based on the mime types
passed in the Accept header, which was wrong if the first type from
Accept was different from the rendered partial. The fix is to simply
move setting rendered_format to the place where the template
is available and grab the format from the template. If that fails
we can fall back to the formats passed in the Accept header.
This fixes situation where rendering template to string
sets `rendered_format` to the format rendered there.
This is ok to have consistent formats rendered in partials,
but it breaks on next renders if format is explicitly set
or on last render where default format does not necessarily
need to be the format of first rendered template.
Fix typo in redirect test