path: root/actionpack/test

Commit log. Each entry lists the commit message followed by the author, date, number of files changed and lines removed/added.

* Remove duplicate prompt key from options (Andrew White, 2016-11-02, 1 file, -1/+1)

* Fix inconsistencies in path with missing helpers (Andrew White, 2016-11-02, 1 file, -1/+4)

  Ruby 2.0 and later demonstrate some inconsistencies when a helper file is not found with the path method on LoadError. By creating a subclass of LoadError we can cater for the inconsistencies.

* Fix warning about unset I18n.enforce_available_locales (Andrew White, 2016-11-02, 1 file, -0/+3)

* Fix failing tests on 3-2-stable branch: (Johnny Shields, 2016-09-15, 1 file, -2/+2)

  - Set sudo: false in .travis.yml which uses latest travis engine and fixes some failing specs
  - Use older version of gems in Gemfile if RUBY_VERSION < '1.9.3' (no change to .gemspec)
  - Fix two cases of hash rockets in tests (required for Ruby 1.8.7)
  - Skip failing test "test_ensure_that_migration_tasks_work_with_mountable_option" which breaks due to Bundler no longer accepting the default generated .gemspec format.
  - Skip railties specs on Ruby 1.8.7 (mark as an allowed failure.)

* Remove dead code and ensure values are strings before calling gsub (Mike Virata-Stone, 2016-08-11, 1 file, -0/+8)

* Merge branch '3-2-22-3' into 3-2-stable (Aaron Patterson, 2016-08-11, 1 file, -0/+10)

  * 3-2-22-3:
    bumping version
    ensure tag/content_tag escapes " in attribute vals

* ensure tag/content_tag escapes " in attribute vals (Andrew Carpenter, 2016-08-10, 1 file, -0/+10)

  Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example:

    content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))

  CVE-2016-6316

* fix 1.8 hash syntax (Arthur Neves, 2016-03-01, 1 file, -1/+1)

* Don't allow render(params) in view/controller (Arthur Neves, 2016-02-29, 2 files, -6/+74)

  `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers.

  On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack.

  This patch is also compatible when using strong parameters.

  CVE-2016-2098

* Complete work on 3.2 for render_data_leak patch. (Arthur Neves, 2016-02-29, 2 files, -76/+29)

  Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However the tests were misplaced outside the TestCase subclass, so they were not running.

  We should allow :file to be outside rails root, but anything else must be inside the rails view directory.

  The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed.

  CVE-2016-2097

* Run `file.close` before unlinking for travis (eileencodes, 2016-01-28, 1 file, -1/+2)

  This works on OSX but for some reason travis is throwing a

  ```
  1) Error:
  ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
  NoMethodError: undefined method `unlink' for nil:NilClass
  ```

  Looking at other tests in Railties the file has a name and we close it before unlinking, so I'm going to try that.

* Fix hash syntax for 1.8.7 (eileencodes, 2016-01-28, 1 file, -1/+1)

  Rails 3.2 supports 1.8.7 but 1.8.7 does not support the new hash syntax.

* Regression test for rendering file from absolute path (eileencodes, 2016-01-28, 1 file, -0/+11)

  Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.

* Use 1.8 compatible hash syntax (Andrew White, 2016-01-25, 1 file, -4/+4)

* allow :file to be outside rails root, but anything else must be inside the rails view directory (Aaron Patterson, 2016-01-22, 3 files, -4/+52)

  Conflicts:
    actionpack/test/controller/render_test.rb
    actionview/lib/action_view/template/resolver.rb

  CVE-2016-0752

* add parens to fix warning (Aman Gupta, 2015-01-05, 1 file, -1/+1)

* parse stringified mime type (Aman Gupta, 2015-01-02, 1 file, -1/+1)

* fix regex case (Aman Gupta, 2015-01-02, 1 file, -1/+1)

* restore I18n.locale after test (Aman Gupta, 2015-01-02, 1 file, -0/+8)

* convert another incompatible assert_raise invocation (Aman Gupta, 2015-01-02, 1 file, -1/+2)

* switch to minitest and test-unit compatible assert_raise syntax (Kouhei Sutou, 2015-01-02, 1 file, -1/+2)

* correctly escape backslashes in request path globs (Aaron Patterson, 2014-11-16, 1 file, -0/+41)

  Conflicts:
    actionpack/lib/action_dispatch/middleware/static.rb

  make sure that unreadable files are also not leaked

  CVE-2014-7829

* Merge branch '3.2.20' into 3-2-stable (Aaron Patterson, 2014-10-30, 1 file, -0/+18)

  * 3.2.20:
    bumping version to 3.2.20
    FileHandler should not be called for files outside the root

* FileHandler should not be called for files outside the root (Aaron Patterson, 2014-10-29, 1 file, -0/+18)

  FileHandler#matches? should return false for files that are outside the "root" path.

  Conflicts:
    actionpack/lib/action_dispatch/middleware/static.rb

  Conflicts:
    actionpack/lib/action_dispatch/middleware/static.rb
    actionpack/test/dispatch/static_test.rb

* Regenerate sid when somebody tries to fixate the session (Santiago Pastorino, 2014-08-04, 1 file, -9/+8)

  Fixed broken test. Thanks Stephen Richards for reporting.

* Merge branch '3-2-sec' into 3-2-stable (Rafael Mendonça França, 2014-05-06, 1 file, -1/+16)

  Conflicts:
    actionpack/CHANGELOG.md

* Fix broken tests of the previous release (Rafael Mendonça França, 2014-05-06, 1 file, -5/+5)

* Only accept actions without File::SEPARATOR in the name. (Rafael Mendonça França, 2014-05-05, 1 file, -1/+16)

  This will avoid directory traversal in implicit render.

  Fixes: CVE-2014-0130

* Merge branch '3-2-17' into 3-2-stable (Rafael Mendonça França, 2014-02-18, 2 files, -0/+68)

  Conflicts:
    actionpack/CHANGELOG.md

* Use the reference for the mime type to get the format (Rafael Mendonça França, 2014-02-18, 1 file, -0/+17)

  Before we were calling to_sym in the mime type, even when it is unknown, which can cause denial of service since symbols are not removed by the garbage collector.

  Fixes: CVE-2014-0082

* Escape format, negative_format and units options of number helpers (Rafael Mendonça França, 2014-02-18, 1 file, -0/+51)

  Previously the values of these options were trusted leading to potential XSS vulnerabilities.

  Fixes: CVE-2014-0081

* Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option (Carlos Antonio da Silva, 2013-12-04, 1 file, -0/+6)

  Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.

  Conflicts:
    actionpack/CHANGELOG.md

* Fix documentation of number_to_currency helper (Rafael Mendonça França, 2013-12-04, 1 file, -1/+1)

  Now users have to explicitly mark the unit as safe if they trust it.

  Closes #13161

* repair a test broken by the number_to_currency XSS fix (Tobias Kraze, 2013-12-04, 1 file, -4/+4)

* Deep Munge the parameters for GET and POST (Michael Koziarski, 2013-12-02, 1 file, -0/+15)

  The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed.

  Fixes CVE-2013-6417

  Conflicts:
    actionpack/lib/action_dispatch/http/request.rb

* Stop using i18n's built in HTML error handling. (Michael Koziarski, 2013-12-02, 1 file, -1/+1)

  i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves.

  Fixes: CVE-2013-4491

  Conflicts:
    actionpack/lib/action_view/helpers/translation_helper.rb

  Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0

* Escape the unit value provided to number_to_currency (Michael Koziarski, 2013-12-02, 1 file, -3/+4)

  Fixes CVE-2013-6415

  Previously the values were trusted blindly allowing for potential XSS attacks.

* pass the extra params to the rack test environment so that routes with block constraints have access (Brian Hahn, 2013-09-06, 1 file, -0/+12)

* fix issue #11605 (Kassio Borges, 2013-08-24, 7 files, -15/+7)

* Fix `assert_redirected_to` does not show user-supplied message. (Alexey Chernenkov, 2013-07-18, 1 file, -1/+1)

  Issue: when `assert_redirected_to` fails due to the response redirect not matching the expected redirect the user-supplied message (second parameter) is not shown. This message is only shown if the response is not a redirect.

* Removed unused test file (Arun Agrawal, 2013-07-17, 1 file, -32/+0)

  This test file has not been running for a long time. This test is already covered in controller/caching_test.rb.

* Use old style hash syntax for 3-2-stable (Andrew White, 2013-06-25, 1 file, -2/+2)

* Fix shorthand routes where controller and action are in the scope (Andrew White, 2013-06-25, 1 file, -0/+13)

  Merge `:action` from routing scope and assign endpoint if both `:controller` and `:action` are present. The endpoint assignment only occurs if there is no `:to` present in the options hash so should only affect routes using the shorthand syntax (i.e. endpoint is inferred from the path).

  Fixes #9856

  Backport of 37b4276

* Merge pull request #10971 from dtaniwaki/escape_link_to_unless (Rafael Mendonça França, 2013-06-24, 1 file, -0/+5)

  Always escape the result of link_to_unless method

* Compare host scheme using case-insensitive regexp (Rafael Mendonça França, 2013-06-16, 1 file, -10/+30)

  Before:

    image_tag("HTTP://google.com")
    # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"

    image_tag("http://google.com")
    # => "<img alt=\"Google\" src=\"http://google.com\" />"

  After:

    image_tag("HTTP://google.com")
    # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"

    image_tag("http://google.com")
    # => "<img alt=\"Google\" src=\"http://google.com\" />"

  Backport of #10969

* Do not make Fixnum#/ private on Ruby versions less than 1.9.3 (Rafael Mendonça França, 2013-05-10, 1 file, -4/+3)

  In those versions to_date calls Fixnum#/, which will cause a failure.

* Merging in fix from #8222 (Ben Tucker, 2013-05-06, 1 file, -0/+5)

* Fix explicit names on multiple file fields (Ryan McGeary, 2013-04-05, 1 file, -0/+10)

  If a file field tag is passed the multiple option, it is turned into an array field (appending "[]"), but if the file field is passed an explicit name as an option, leave the name alone (do not append "[]").

  Fixes #9830

* Fix typo in view name (Carlos Antonio da Silva, 2013-04-03, 2 files, -1/+1)

  Introduced in 2c22376fe04b89e8f34620139720b85a85ce3428

* Use 1.8 hash style in test views (Carlos Antonio da Silva, 2013-04-03, 2 files, -2/+2)

  Introduced in 2c22376fe04b89e8f34620139720b85a85ce3428