| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
| |
|
|
|
|
|
| |
This reverts commit 22db455dbe9c26fe6d723cac0758705d9943ea4b, reversing
changes made to 40be61dfda1e04c3f306022a40370862e3a2ce39.
This finishes off what I meant to do in 6216a092ccfe6422f113db906a52fe8ffdafdbe6.
|
| |
|
|
|
|
|
|
|
|
|
| |
This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a.
HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.
Fixes #23884
|
| |\
| |
| |
| | |
Give Sessions Indifferent Access
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
Also make sure we don't change the global state of our test suite.
|
| | |
| |
| |
| |
| |
| | |
After registering new `:json` mime type `parsers.fetch` can't find the mime type because new mime type is not equal to old one. Using symbol of the mime type as key on parsers hash solves the problem.
Closes #23766
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
Since the media type 'application/vnd.api+json' is a spec,
it is inappropriate to handle it with the JSON renderer.
This PR removes support for a JSON API media type.
I would recommend the media type be registered on its own as `jsonapi`
when a jsonapi Renderer and deserializer (Http::Parameters::DEFAULT_PARSERS) are added.
Is related to work in https://github.com/rails/rails/pull/21496
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We want to get rid of the `Live::Response` so we are consolidating methods
from `Live::Response` and `Response` by merging them together.
This adds an `#empty` method to the request so we don't need to
hard-code the empty array each time we call an empty
`ActionDispatch::Request`.
The work here is a continuation on combining controller and integration
test code bases into one.
|
| | |
|
| |\
| |
| | |
Add test for parsing application/vnd.api+json
|
| | | |
|
| | |
| |
| |
| | |
converts old ID methods to the new abstract store methods in Rack
|
| |/
|
|
|
| |
This commit allows us to use one request object rather than allocating
multiple request objects to deal with the session.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This will silence deprecation warnings.
Most of the test can be changed from `render :text` to render `:plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
|
| |
|
|
|
|
|
|
| |
This is another take at #14384 as we decided to wait until `master` is
targeting Rails 5.0. This commit is implementation-complete, as it
guarantees that all the public methods on the hash-inherited Parameters
are still working (based on test case). We can decide to follow-up later
if we want to remove some methods out from Parameters.
|
| |
|
|
| |
onwards.
|
| | |
|
| |
|
|
|
|
|
|
| |
Non-kwargs requests are deprecated now.
Guides are updated as well.
`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
|
| | |
|
| |\
| |
| | |
This updates rails to use edge rack
|
| | |
| |
| |
| |
| |
| |
| |
| | |
As Rack has some non backwards compatible changes added required
modifications to keep behaviour in rails close to same as before.
Also modified generators to include rack/rack for not yet released
version of rack
|
| | | |
|
| |\ \
| | |
| | | |
Remove duplicated HashWithIndifferentAccess#with_indifferent_access.
|
| | |/ |
|
| |/
|
|
|
| |
application. Use of a symbol should be replaced with `action: symbol`.
Use of a string without a "#" should be replaced with `controller: string`.
|
| |
|
| |
Adding tests for Session `destroy`, `update` and `delete` methods. No changes for code under test.
|
| | |
|
| |\
| |
| |
| |
| |
| |
| | |
Add configuration option to optionally disable deep_munge
Conflicts:
actionpack/CHANGELOG.md
|
| | | |
|
| |/
|
|
|
|
| |
Session#fetch was mutating the session when given a default argument
and/or a block. Since Session duck-types as a Hash, it should behave
like one in these cases.
|
| |
|
|
|
|
|
|
| |
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
|
| |
|
|
|
|
|
|
|
| |
Mention it in the changelog and add a test checking for regressions.
Hash#fetch isn't adding the defaultly returned value.
However, in the session, saving it is the behavior we should expect.
See discussion in #12692
|
| | |
|
| |
|
|
|
|
|
|
| |
In order to get raw_post to be not empty after
ParamsParser#parse_formatted_parameters,
added rewinding of body stream input on parsing json params.
Closes #11345
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
If you want an ability to parse XML parameters, please install
`actionpack-xml_parser` gem.
|
| |
|
|
| |
Fixes #8845.
|
| |
|
|
| |
All Action Pack tests are green.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
dealing with empty hashes. Thanks Damien Mathieu
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_dispatch/http/request.rb
actionpack/lib/action_dispatch/middleware/params_parser.rb
activerecord/CHANGELOG.md
activerecord/lib/active_record/relation/predicate_builder.rb
activerecord/test/cases/relation/where_test.rb
|
| |
|
|
|
| |
This reverts commit 88cc1688d0cb828c17706b41a8bd27870f2a2beb, reversing
changes made to f049016cd348627bf8db0d72382d7580bf802a79.
|
