path: root/actionpack/test/controller
Commit log: subject (author, date; files changed, lines removed/added), followed by the commit message body. Commits on a merged branch are indented under their merge commit.
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token (Jeremy Kemper, 2014-08-19; 1 file, -5/+6)
  CSRF token mask from breach-mitigation-rails gem

  * Auth token mask from breach-mitigation-rails gem (Bradley Buda, 2014-08-19; 1 file, -5/+6)
    This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* Fix failing test on several methods on Parameter (Prem Sichanugrist, 2014-08-18; 2 files, -2/+11)
  - `each`
  - `each_pair`
  - `delete`
  - `select!`
* Separate Parameters accessors and mutators tests (Prem Sichanugrist, 2014-08-18; 3 files, -57/+215)
* Add missing `Hash` methods to `AC::Parameters` (Prem Sichanugrist, 2014-08-18; 1 file, -0/+21)
  This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that need to be redefined by looking for `self.class.new` in the code.
  - extract!
  - transform_keys
  - transform_values
* Make `AC::Params#to_h` return Hash with safe keys (Prem Sichanugrist, 2014-08-18; 1 file, -0/+39)
  `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`.

      params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
      params.to_h # => {}

      unsafe_params = params.dup.permit!
      unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}

      safe_params = params.permit(:name)
      safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}

  This change is considered a stopgap as we cannot change the code to stop `ActionController::Parameters` from inheriting from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inherit from `HashWithIndifferentAccess` in the next major version.
* Expectations first (Akira Matsuda, 2014-08-18; 3 files, -23/+23)

* Merge branch 'master' into loofah (Rafael Mendonça França, 2014-08-17; 5 files, -740/+90)
  Conflicts:
      actionpack/CHANGELOG.md
  * `responders` 1.x won't do it. Told you to RTFM for details! (Godfrey Chan, 2014-08-17; 1 file, -0/+2)

  * The gem is called 'responders' (Godfrey Chan, 2014-08-17; 1 file, -2/+2)

  * Raise a more helpful error for people who are using these extracted features (Godfrey Chan, 2014-08-17; 1 file, -0/+30)

  * Move respond_with to the responders gem (José Valim, 2014-08-17; 1 file, -737/+0)
    respond_with (and consequently the class-level respond_to) are being removed from Rails. Instead of moving it to a 3rd library, the functionality will be moved to responders gem (at github.com/plataformatec/responders) which already provides some responders extensions.
  * When your templates change, browser caches bust automatically. (Jeremy Kemper, 2014-08-17; 2 files, -3/+35)
    New default: the template digest is automatically included in your ETags. When you call `fresh_when @post`, the digest for `posts/show.html.erb` is mixed in so future changes to the HTML will blow HTTP caches for you. This makes it easy to HTTP-cache many more of your actions.

    If you render a different template, you can now pass the `:template` option to include its digest instead:

        fresh_when @post, template: 'widgets/show'

    Pass `template: false` to skip the lookup. To turn this off entirely, set:

        config.action_controller.etag_with_template_digest = false

  * Fix assert_template for files. (Guo Xiang Tan, 2014-08-14; 1 file, -0/+23)
    The test was not failing for `assert_template file: nil` when a file has been rendered.
* Merge branch 'master' into loofah (Rafael Mendonça França, 2014-08-12; 13 files, -165/+273)
  Conflicts:
      actionpack/CHANGELOG.md
      actionpack/test/controller/integration_test.rb
      actionview/CHANGELOG.md

  * Fixes to TestCaseTest. (Guo Xiang Tan, 2014-08-08; 1 file, -4/+5)

  * Fix spelling. (Guo Xiang Tan, 2014-08-07; 1 file, -1/+1)
  * LOCALHOST definition should match any 127.0.0.0/8 address (Earl J St Sauver, 2014-07-18; 1 file, -1/+1)
    The entire 127.0.0.0/8 range is assigned to the loopback address, not only 127.0.0.0/24. This patch allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8 loopback address.

    The only place that the #local? method was previously under test was in the show_expectations_test.rb file. I don't particularly like that that's implicitly where this code is under test, and I feel like I should move some of that testing code into the test/dispatch/request_test.rb file, but I wanted some feedback first.

    Credit goes to @sriedel for discovering the issue and adding the patch.
  * fix filesystem race condition (Aaron Patterson, 2014-07-17; 1 file, -1/+1)

  * helper methods are public, so we can just call them (Aaron Patterson, 2014-07-17; 1 file, -4/+4)
    also if you want a path from a named helper, you should call helper_path, not helper_url(:only_path => true).

  * Rails-ish apps should descend from Rails::Railtie (Aaron Patterson, 2014-07-16; 1 file, -1/+2)
    Use an is_a check to ensure it's a Railsish app so we can avoid respond_to calls everywhere.
  * Don't accept parameters as argument for redirect to [via @homakov] (Santiago Pastorino, 2014-07-16; 1 file, -0/+10)
    Closes #16170

  * stop passing recall to url_for (Aaron Patterson, 2014-07-15; 1 file, -35/+46)

  * stop calling url_for with recall parameters and actually use a request (Aaron Patterson, 2014-07-15; 1 file, -82/+123)

  * execute a request and check the path_parameters (Aaron Patterson, 2014-07-15; 1 file, -17/+59)
    This actually runs a request through the system, using the actual routing methods as we would use in production, then tests the path_parameters set on the request object. The `recognize_path` method isn't actually used in production, so testing what it returns isn't useful.

  * set `set` in the setup method (Aaron Patterson, 2014-07-15; 1 file, -2/+5)

  * remove useless ivar set (Aaron Patterson, 2014-07-15; 1 file, -1/+0)

  * Fix typos like `a html` to `an html` and 'an mail' to 'an email'. [ci skip] (Santosh Wadghule, 2014-07-14; 1 file, -2/+2)
  * Removed single space padding from empty response body. (Godfrey Chan, 2014-07-10; 4 files, -16/+16)
    `render nothing: true` or rendering a `nil` body no longer add a single space to the response body.

    The old behavior was added as a workaround for a bug in an early version of Safari, where the HTTP headers are not returned correctly if the response body has a 0-length. This has been fixed since and the workaround is no longer necessary.

    Use `render body: ' '` if the old behavior is desired.
* We don't need loofah for the assertions (Rafael Mendonça França, 2014-07-15; 1 file, -3/+3)
  We can just use nokogiri

* Merge pull request #11218 from kaspth/loofah-integration (Rafael Mendonça França, 2014-07-10; 6 files, -1175/+5)
  Loofah-integration

  Conflicts:
      actionpack/CHANGELOG.md
      actionview/CHANGELOG.md

  * Remove unneeded comment in test. (Timm, 2014-06-16; 1 file, -1/+1)
  * Nokogiri leaves '<' unescaped, so the assert_select looking for '&lt;' will never work. Switched to assert_matching the response body. (Timm, 2014-06-16; 1 file, -2/+3)
  * Removed require's for html-scanner. (Timm, 2014-06-16; 2 files, -2/+0)

  * Moved Dom and Selector assertions from ActionDispatch to ActionView. (Timm, 2014-06-16; 1 file, -350/+0)

  * Fixed: assert_select_encoded finds the right content. No longer uses a <encoded> wrapper. Updated tests to reflect this. (Timm, 2014-06-16; 1 file, -9/+2)

  * Fixed: test_nested_assert_select selects from elements instead of elements[0] and elements[1]. (Timm, 2014-06-16; 1 file, -2/+2)

  * Changed xml_namespace test to correct syntax. However, Nokogiri won't recognize the namespace. (Timm, 2014-06-16; 1 file, -2/+3)

  * Changed test methods to use new substitution syntax more in line with css selectors. (Timm, 2014-06-16; 1 file, -3/+3)

  * Fixed typo in method name. Fixed Nokogiri::CSS::SyntaxError. (Timm, 2014-06-15; 1 file, -2/+2)

  * Changed tests to assert_kind_of Loofah::HTML::Document. (Timm, 2014-06-15; 1 file, -3/+3)

  * Removed selector_test.rb since HTML::Selector will be removed. Soon. (Timm, 2014-06-15; 1 file, -629/+0)

  * Fixed Nokogiri::CSS::SyntaxErrors. (Timm, 2014-06-15; 1 file, -2/+2)
    Fixed a Nokogiri::CSS::SyntaxError by using its expected format for unicode characters.

  * Removed tag.rb since it has been deprecated. (Timm, 2014-06-15; 2 files, -184/+0)
* Address CVE-2014-4671 (JSONP Flash exploit) (Greg Campbell, 2014-07-09; 2 files, -2/+2)
  Adds a comment before JSONP callbacks. See http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more details on the exploit in question.

* Merge pull request #16013 from tgxworld/remove_symbolized_path_parameters (Rafael Mendonça França, 2014-07-04; 1 file, -3/+3)
  Remove symbolized_path_parameters.

  * Remove symbolized_path_parameters. (Guo Xiang Tan, 2014-07-02; 1 file, -3/+3)
    This pull request is a continuation of https://github.com/rails/rails/commit/925bd975 and https://github.com/rails/rails/commit/8d8ebe3d.

* Merge pull request #16011 from xjlu/token_and_options (Rafael Mendonça França, 2014-07-04; 1 file, -2/+22)
  Improve token_and_options regex and test

  * Improve token_and_options regex and test (Xinjiang Lu, 2014-07-01; 1 file, -2/+22)
    add a test case to test the regex for the helper method raw_params
* Change the JSON renderer to enforce the 'JS' Content Type (Lucas Mazza, 2014-07-02; 1 file, -0/+13)
  The controller can set the response format as 'JSON' before the renderer code is evaluated, so we must replace it when necessary.

  Fixes #15081