* master-sec:
  Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
  predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this

Thanks to Ben Murphy for reporting this!
CVE-2012-2660

ActionDispatch::Request::Session#values

Passing path parameters with invalid encoding is likely to trigger errors
further on like `ArgumentError (invalid byte sequence in UTF-8)`. This will
result in a 500 error whereas the better error to return is a 400 error which
allows exception notification libraries to filter it out if they wish.
Closes #4450

Currently Rack raises a TypeError when it encounters a malformed or
ambiguous hash like `foo[]=bar&foo[4]=bar`. Rather than pass this
through to the application this commit captures the exception and
re-raises it using a new ActionController::BadRequest exception.
The new ActionController::BadRequest exception returns a 400 error
instead of the 500 error that would've been returned by the original
TypeError. This allows exception notification libraries to ignore
these errors if so desired.
Closes #3051

Before this change, assert_recognizes, assert_generates, and
assert_routing raised ActionController::RoutingError when they failed to
recognize the route.
This commit changes them to raise Assertion instead. This aligns with
convention for logical failures, and supports reporting tools that care
about the difference between logical failures and errors e.g. the
summary at the end of a test run.
- Fixes #5899

The docs suggest that the middleware stack is an Array, so I've added
the unshift method to it. Originally I added some more Array methods,
but it was agreed that they lacked use cases.

url_helpers module

This fixes the following scenario:
    resources :contacts do
      post 'new', action: 'new', on: :collection, as: :new
    end
Where the /new path is not generated because it's considered a canonical
action, part of the normal resource actions:
    new_contacts POST /contacts(.:format) contacts#new
Fixes #2999

* master: (55 commits)
  extract deprecated dynamic methods
  Add some docs and changelog entry
  Allow overriding exception handling in threaded consumer
  Allow configuring a different queue consumer
  actually don't need to expand the aggregates at all
  #to_sym is unnecessary
  de-globalise method
  extract code from AR::Base
  clean up implementation of dynamic methods. use method compilation etc.
  Fix ActiveModel README example
  mention database mapping in getting started guide
  Remove vestiges of the http_only! config from configuring guide
  Remove content-length as well
  Make ActionController#head pass rack-link
  RouteSet: optimize routes generation when globbing is used
  Allows assert_redirected_to to accept a regular expression
  use extract_options!
  No need to force conversion to Symbol since case ensures it's already one.
  No need to work around 1.8 warnings anymore.
  Update command line guide
  ...

A callable object passed as a constraint for a route may access the request
parameters as part of its check. This causes the combined parameters hash
to be cached in the environment hash. If the constraint fails then any subsequent
access of the request parameters will be against that stale hash.
To fix this we delete the cache after every call to `matches?`. This may have a
negative performance impact if the constraint wraps a large number of routes as the
parameters hash is built by merging GET, POST and path parameters.
Fixes #2510.

Remote ip logic and validation. IPv6 support.

tests.

In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964

if you want to read the file you may need to ask if there is something
to read from

By default, resources routes are created with :resource/:id. A model
defining to_param can make prettier urls by using something more
readable than an integer ID, but since the route picks it up as :id you
wind up with awkward User.find_by_username(params[:id]) calls.
By overriding the key to be used in @request.params you can be more
obvious in your intent.

keyword

Based on #4918.
Related to #4127.

mattfawcett/2781-fix-querystring-route-constraint-for-testing
Fix for #2781

constraints on the querystring. Issue #2781

the update action of resources

Testcase for GH #5114.

PATCH is the correct HTML verb to map to the #update action. The
semantics for PATCH allows for partial updates, whereas PUT requires a
complete replacement.
Changes:
* adds config.default_method_for_update you can set to :patch
* optionally use PATCH instead of PUT in resource routes and forms
* adds the #patch verb to routes to detect PATCH requests
* adds #patch? to Request
* changes documentation and comments to indicate support for PATCH
This change maintains complete backwards compatibility by keeping :put
as the default for config.default_method_for_update.

Windows doesn't allow `\ / : * ? " < > |` in filenames so create
the fixture files at runtime and ignore the incompatible ones when
running on Windows.

RFC 3986[1] allows sub-delim characters in path segments unencoded,
however Rack::File requires them to be encoded so we use URI's
unescape method to leave them alone and then escape them again.
Also since the path gets passed to Dir[] we need to escape any glob
characters in the path.
[1]: http://www.ietf.org/rfc/rfc3986.txt