path: root/actionpack/test
Commit log (subject; author, date, files changed, lines removed/added):
* FileHandler should not be called for files outside the root
  Aaron Patterson, 2014-10-29, 1 file, -0/+18
  FileHandler#matches? should return false for files that are outside the "root" path.
  Conflicts:
    actionpack/lib/action_dispatch/middleware/static.rb
  Conflicts:
    actionpack/lib/action_dispatch/middleware/static.rb
    actionpack/test/dispatch/static_test.rb
* Merge branch '3-2-sec' into 3-2-stable
  Rafael Mendonça França, 2014-05-06, 1 file, -1/+16
  Conflicts:
    actionpack/CHANGELOG.md
* Fix broken tests of the previous release
  Rafael Mendonça França, 2014-05-06, 1 file, -5/+5
* Only accept actions without File::SEPARATOR in the name.
  Rafael Mendonça França, 2014-05-05, 1 file, -1/+16
  This will avoid directory traversal in implicit render.
  Fixes: CVE-2014-0130
* Merge branch '3-2-17' into 3-2-stable
  Rafael Mendonça França, 2014-02-18, 2 files, -0/+68
  Conflicts:
    actionpack/CHANGELOG.md
* Use the reference for the mime type to get the format
  Rafael Mendonça França, 2014-02-18, 1 file, -0/+17
  Before, we were calling to_sym on the mime type even when it is unknown, which can cause a denial of service since symbols are not removed by the garbage collector.
  Fixes: CVE-2014-0082
* Escape format, negative_format and units options of number helpers
  Rafael Mendonça França, 2014-02-18, 1 file, -0/+51
  Previously the values of these options were trusted, leading to potential XSS vulnerabilities.
  Fixes: CVE-2014-0081
* Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
  Carlos Antonio da Silva, 2013-12-04, 1 file, -0/+6
  Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
  Conflicts:
    actionpack/CHANGELOG.md
* Fix documentation of number_to_currency helper
  Rafael Mendonça França, 2013-12-04, 1 file, -1/+1
  Now users have to explicitly mark the unit as safe if they trust it.
  Closes #13161
* repair a test broken by the number_to_currency XSS fix
  Tobias Kraze, 2013-12-04, 1 file, -4/+4
* Deep Munge the parameters for GET and POST
  Michael Koziarski, 2013-12-02, 1 file, -0/+15
  The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed.
  Fixes CVE-2013-6417
  Conflicts:
    actionpack/lib/action_dispatch/http/request.rb
* Stop using i18n's built in HTML error handling.
  Michael Koziarski, 2013-12-02, 1 file, -1/+1
  i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves.
  Fixes: CVE-2013-4491
  Conflicts:
    actionpack/lib/action_view/helpers/translation_helper.rb
  Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
* Escape the unit value provided to number_to_currency
  Michael Koziarski, 2013-12-02, 1 file, -3/+4
  Fixes CVE-2013-6415
  Previously the values were trusted blindly allowing for potential XSS attacks.
* pass the extra params to the rack test environment so that routes with block constraints have access
  Brian Hahn, 2013-09-06, 1 file, -0/+12
* fix issue #11605
  Kassio Borges, 2013-08-24, 7 files, -15/+7
* Fix `assert_redirected_to` does not show user-supplied message.
  Alexey Chernenkov, 2013-07-18, 1 file, -1/+1
  Issue: when `assert_redirected_to` fails due to the response redirect not matching the expected redirect, the user-supplied message (second parameter) is not shown. This message is only shown if the response is not a redirect.
* Removed unused test file
  Arun Agrawal, 2013-07-17, 1 file, -32/+0
  This test file has not been running for a long time. This test is already covered in controller/caching_test.rb
* Use old style hash syntax for 3-2-stable
  Andrew White, 2013-06-25, 1 file, -2/+2
* Fix shorthand routes where controller and action are in the scope
  Andrew White, 2013-06-25, 1 file, -0/+13
  Merge `:action` from routing scope and assign endpoint if both `:controller` and `:action` are present. The endpoint assignment only occurs if there is no `:to` present in the options hash so should only affect routes using the shorthand syntax (i.e. endpoint is inferred from the path).
  Fixes #9856
  Backport of 37b4276
* Merge pull request #10971 from dtaniwaki/escape_link_to_unless
  Rafael Mendonça França, 2013-06-24, 1 file, -0/+5
  Always escape the result of link_to_unless method
* Compare host scheme using case-insensitive regexp
  Rafael Mendonça França, 2013-06-16, 1 file, -10/+30
  Before:
    image_tag("HTTP://google.com")
    # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
    image_tag("http://google.com")
    # => "<img alt=\"Google\" src=\"http://google.com\" />"
  After:
    image_tag("HTTP://google.com")
    # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
    image_tag("http://google.com")
    # => "<img alt=\"Google\" src=\"http://google.com\" />"
  Backport of #10969
* Do not make Fixnum#/ private on Ruby versions less than 1.9.3
  Rafael Mendonça França, 2013-05-10, 1 file, -4/+3
  In those versions to_date calls Fixnum#/, which will cause a failure
* Merging in fix from #8222
  Ben Tucker, 2013-05-06, 1 file, -0/+5
* Fix explicit names on multiple file fields
  Ryan McGeary, 2013-04-05, 1 file, -0/+10
  If a file field tag is passed the multiple option, it is turned into an array field (appending "[]"), but if the file field is passed an explicit name as an option, leave the name alone (do not append "[]").
  Fixes #9830
* Fix typo in view name
  Carlos Antonio da Silva, 2013-04-03, 2 files, -1/+1
  Introduced in 2c22376fe04b89e8f34620139720b85a85ce3428
* Use 1.8 hash style in test views
  Carlos Antonio da Silva, 2013-04-03, 2 files, -2/+2
  Introduced in 2c22376fe04b89e8f34620139720b85a85ce3428
* Common behavior with adding formats to lookup_context for TemplateRenderer and PartialRenderer
  Dmitry Vorotilin, 2013-04-02, 8 files, -0/+17
* Backport #5808
  Mack Earnhardt, 2013-03-24, 2 files, -0/+39
  df36c5f - Fix assert_template assertion with :layout option
  4bd05a7 - Fix assert_template :layout => nil assertion
  0d19a08 - Improve assert_template layout checking
* Fix test to Ruby 1.8
  Rafael Mendonça França, 2013-03-21, 1 file, -1/+1
  Pathname doesn't respond to to_path
* Merge branch '3-2-stable' into fredwu-slow_view_loading_fix
  Aaron Patterson, 2013-03-20, 1 file, -0/+12
  * 3-2-stable:
    Merge pull request #9802 from newsline/fix-broken-action-missing
    Remove bad changelog entry from AR [ci skip]
    Wrong exception occurs when raising a non-translatable exception
    Don't crash exception translation w/ nil result attribute.
  Conflicts:
    actionpack/CHANGELOG.md
* Merge pull request #9802 from newsline/fix-broken-action-missing
  Rafael Mendonça França, 2013-03-20, 1 file, -0/+12
  Fix missing action_missing
  Conflicts:
    actionpack/CHANGELOG.md
  Conflicts:
    actionpack/test/controller/base_test.rb
  Fixes #9799
* Fixed assets loading performance in 3.2.13
  Fred Wu, 2013-03-20, 1 file, -0/+9
  The PR #8756 uses Sprockets for resolving files that already exist on disk; for those files the extensions don't need to be rewritten.
  Fixes #9803
* Backport #9347 to rails 3.2
  hoffm, 2013-03-19, 1 file, -0/+5
* Merge branch '3-2-13' into 3-2-stable
  Aaron Patterson, 2013-03-18, 1 file, -0/+15
  * 3-2-13:
    bumping to 3.2.13
    fix protocol checking in sanitization [CVE-2013-1857]
    JDOM XXE Protection [CVE-2013-1856]
    fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
    stop calling to_sym when building arel nodes [CVE-2013-1854]
    Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
    bumping to rc2
    Revert "Merge pull request #8209 from senny/backport_8176"
    Freeze columns only once per Result
    Preparing for 3.2.13.rc1 release
    Update CHANGELOGs for 3.2.13 release.
  Conflicts:
    actionmailer/CHANGELOG.md
    actionpack/CHANGELOG.md
    activemodel/CHANGELOG.md
    activeresource/CHANGELOG.md
    activesupport/CHANGELOG.md
    railties/CHANGELOG.md
* fix protocol checking in sanitization [CVE-2013-1857]
  Aaron Patterson, 2013-03-15, 1 file, -0/+10
  Conflicts:
    actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
* fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
  Charlie Somerville, 2013-03-15, 1 file, -0/+5
* Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
  Carlos Antonio da Silva, 2013-03-12, 1 file, -0/+8
  Fix incorrectly appended square brackets to a multiple select box
  Before:
    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][][]" ...>
  After:
    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][]" ...>
  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_view/helpers/tags/base.rb
    actionpack/test/template/form_options_helper_test.rb
* Extract hardcoded lists to Redo::RestaurantsList
  Juan Barreneche, 2013-03-14, 1 file, -0/+9
* Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
  Carlos Antonio da Silva, 2013-03-09, 1 file, -0/+8
  Fix incorrectly appended square brackets to a multiple select box
  Before:
    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][][]" ...>
  After:
    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][]" ...>
  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_view/helpers/tags/base.rb
    actionpack/test/template/form_options_helper_test.rb
* Backport fixes about #7774 to 3-2-stable
  maximerety, 2013-03-05, 1 file, -0/+9
  Fix ActionDispatch::Request#formats when HTTP_ACCEPT header is an empty string.
* Ruby 2 compat. CGI.escapeHTML has changed the way it escapes apostrophes a few times, so fix up the test to work with however it chooses to escape.
  Jeremy Kemper, 2013-02-24, 1 file, -1/+1
* Ruby 2.0.0 defaults source encoding to utf-8 so we need to specifically tag this file with us-ascii
  Aaron Patterson, 2013-02-24, 1 file, -0/+1
* Use 1.8 hash style
  Carlos Antonio da Silva, 2013-02-22, 1 file, -1/+1
* determine the match shorthand target early.
  Yves Senn, 2013-02-22, 1 file, -0/+27
  Backport #9361.
  Closes #7554.
  This patch determines the `controller#action` directly in the `match` method when the shorthand syntax is used. This prevents problems with namespaces and scopes.
* Duplicate possible frozen string from route
  Andrew White, 2013-01-21, 1 file, -0/+7
  Ruby 1.9 freezes Hash string keys by default so where a route is defined like this:
    get 'search' => 'search'
  then the Mapper will derive the action from the key. This blows up later when the action is added to the parameters hash and the encoding is forced.
  Closes #3429
* Do not run this streaming test in Ruby 1.8, fix syntax error
  Carlos Antonio da Silva, 2013-01-17, 1 file, -5/+8
* Merge pull request #5288 from lest/patch-2
  José Valim, 2013-01-17, 1 file, -0/+13
  force response body to be read in assert_template
  Conflicts:
    actionpack/lib/action_controller/test_case.rb
* fixes #8631 local inflections from interfering with HTTP_METHOD_LOOKUP dispatch logic
  Aditya Sanghi, 2013-01-16, 1 file, -0/+21
* Merge pull request #8914 from nilbus/fix-header-bloat
  Rafael Mendonça França, 2013-01-15, 1 file, -1/+2
  Remove header bloat introduced by BestStandardsSupport middleware
  Conflicts:
    actionpack/CHANGELOG.md
* Fix JSON params parsing regression for non-object JSON content.
  Dylan Smith, 2013-01-11, 1 file, -0/+7
  Backports #8855.