| Commit message | Author | Age | Files | Lines |

The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.

Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.

This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a.
HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.
Fixes #23884

Using the string version of the class reference is now deprecated when
referencing middleware. This should be written as a class not as a string.
Deprecation warning that this change fixes:
```
DEPRECATION WARNING: Passing strings or symbols to the middleware
builder is deprecated, please change
them to actual class references. For example:
"ActionDispatch::ShowExceptions" => ActionDispatch::ShowExceptions
```

This will silence deprecation warnings.
Most of the tests can be changed from `render :text` to `render :plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.

As of the upgrade to Rack 1.5, request.session_options[:id] is no
longer populated. Reflect this change in the tests by using
request.session.id instead.
Related change in Rack:
https://github.com/rack/rack/commit/83a270d6

Non-kwargs requests are deprecated now.
Guides are updated as well.
`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same.

Unlike the outer `rescue`, this one is much more precise about what we
want to handle: a connection failure (`Dalli::RingError`) is not
relevant to what we're testing here. But other Dalli errors may well be
indicating an actual problem.

than assume SecureRandom is available

There is no memcache gem left in repo.

This reverts commit 7256cb53e0c34e510a4d59a50d120c0358cf1d99, reversing
changes made to 6ebe22c3ae716d089af1e5090ddb0d12b31af8ac.
Reason: A test was failing.

This reverts commit e4b33b08d6d2b88b627b1e52c4f349e57c5b89fc.
https://github.com/rails/rails/pull/7452#issuecomment-8094302

There is no memcache gem left in repo.

In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964

This removes all deprecated classes in ActionController related to
Routing, Abstract Request/Response and Integration/IntegrationTest.
All tests and docs were changed to ActionDispatch instead of ActionController.

's/[ \t]*$//' -i {} \;)

read in the following scenario: when the cookie store is used, and the session contains a serialized object of an unloaded class, and no session data accesses have occurred yet. Pushed the stale_session_check responsibility out of the SessionHash and down into the session store, closer to where the deserialization actually occurs. Added some test coverage for this case and others related to deserialization of unloaded types.
[#4938]
Signed-off-by: José Valim <jose.valim@gmail.com>

it's already there [#2485 state:resolved]
This applies only to the Active Record store and the Memcached store, as they both store only the session_id, which will be unchanged, in the cookie.
Signed-off-by: José Valim <jose.valim@gmail.com>

destroyed on reset.
[#4938]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>

set_session semantics to return the cookie value instead of a boolean.

with_routing. This only affects our internal AP tests.

open_session

middleware stack

state:resolved]"
This reverts commit dd98280e38d640f5724887cf8a715b79f0439d2d.

Signed-off-by: Joshua Peek <josh@joshpeek.com>