rails.git - Mirror of official rails repo with custom fixes.

	Commit message (Collapse)	Author	Age	Files	Lines
*	Deprecate :controller and :action path parameters	Andrew White	2016-03-01	1	-1/+3
\| \| \| \| \| \| \| \|	Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.
*	Revert "Update Session to utilize indiffernt access"	Matthew Draper	2016-02-26	1	-29/+0
\| \| \| \| \| \| \| \| \| \| \|	This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a. HWIAs are better than silently deeply-stringified hashes... but that's a reaction to a shortcoming of one particular session store: we should not break the basic behaviour of other, more featureful, session stores in the process. Fixes #23884
*	Update Session to utilize indiffernt access	Tom Prats	2016-01-30	1	-0/+29
\|
*	finish deprecating handling strings and symbols	Aaron Patterson	2015-08-07	1	-1/+1
\| \| \| \| \|	since we only work with instances of classes, it greatly simplifies the `Middleware` implementation.
*	Stop using deprecated `render :text` in test	Prem Sichanugrist	2015-07-17	1	-2/+2
\| \| \| \| \| \| \| \| \|	This will silence deprecation warnings. Most of the test can be changed from `render :text` to render `:plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.
*	Use request.session.id instead of request.session_options[:id]	Brian John	2015-03-12	1	-1/+1
\| \| \| \| \| \| \| \| \|	As of the upgrade to Rack 1.5, request.session_options[:id] is no longer populated. Reflect this change in the tests by using request.session.id instead. Related change in Rack: https://github.com/rack/rack/commit/83a270d6
*	Regenerate sid when sbdy tries to fixate the session	Santiago Pastorino	2014-08-04	1	-9/+8
\| \| \| \| \| \|	Fixed broken test. Thanks Stephen Richards for reporting.
*	fix cache store test	Steve Klabnik	2012-09-30	1	-0/+1
\| \| \| \|	Pull #7800 broke the build, this should fix it.
*	Remove default match without specified method	Jose and Yehuda	2012-04-24	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	In the current router DSL, using the +match+ DSL method will match all verbs for the path to the specified endpoint. In the vast majority of cases, people are currently using +match+ when they actually mean +get+. This introduces security implications. This commit disallows calling +match+ without an HTTP verb constraint by default. To explicitly match all verbs, this commit also adds a :via => :all option to +match+. Closes #5964
*	Remove rescue_action from compatibility module and tests	Carlos Antonio da Silva	2012-01-17	1	-2/+0
\|
*	Add ActionDispatch::Session::CacheStore as a generic way of storing sessions ↵	Brian Durand	2011-10-21	1	-0/+181
	in a cache.