| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
I always appreciate having a bit more information as to why something is
now an error. We can use this error to tell people why what they were
previously doing is insecure and give them hints on how to fix it.
Signed-off-by: Kasper Timm Hansen <kaspth@gmail.com>
|
| |\
| |
| |
| | |
Discart the schema and host information when building the per-form token
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the token is generated by the form we were using the schema and
host information while only using the path to compare if the action was
the same. This was causing the token to be invalid.
To fix this we use the same information to generate the token and check
it.
Fix #24257
|
| |\ \
| | |
| | |
| | | |
Refactor handling of :action default in routing
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The longstanding convention in Rails is that if the :action parameter
is missing or nil then it defaults to 'index'. Up until Rails 5.0.0.beta1
this was handled slightly differently than other routing defaults by
deleting it from the route options and adding it to the recall parameters.
With the recent focus of removing unnecessary duplications this has
exposed a problem in this strategy - we are now mutating the request's
path parameters and causing problems for later url generation. This will
typically affect url_for rather a named url helper since the latter
explicitly pass :controller, :action, etc.
The fix is to add a default for :action in the route class if the path
contains an :action segment and no default is passed. This change also
revealed an issue with the parameterized part expiry in that it doesn't
follow a right to left order - as soon as a dynamic segment is required
then all other segments become required.
Fixes #23019.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Followup of https://github.com/rails/rails/issues/18693.
- I think we missed deprecating `request_via_redirect` in that pull
request.
- Originally requested by DHH here
https://github.com/rails/rails/issues/18333.
|
| | |/
|/|
| |
| |
| |
| |
| | |
Previously, users were trying to modify a frozen Hash. Includes a
regression test :)
Fixes #22975
|
| |\ \
| | |
| | |
| | |
| | |
| | | |
samphilipd/sam/do_not_clobber_options_in_route_definitions
Do not destructively mutate passed options hash in route definitions
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Fixes #24030
An example scope might be specified as such:
```ruby
HTML = { constraints: { format: :html } }.freeze
scope HTML do
get 'x'
end
```
This currently raises an error because the mapper attempts to
destructively modify the passed options hash. This is dangerous because
this options hash might even be shared with other scopes.
We should instead always instantiate a new object instead of modifying
the passed options.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
This brings the behavior more inline with other similar cases, such as
receiving a hash when an array of scalars was expected. Prior to this
commit, the key would be present, but the value would be `nil`
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.
Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.
|
| | | |
| | |
| | |
| | |
| | | |
- skip calling helper_method if it's not there: if we don't have helpers, we needn't define one.
- tests that an api controller can include and use ActionController::Cookies
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Introduce `Response#strong_etag=` and `#weak_etag=` and analogous options
for `fresh_when` and `stale?`. `Response#etag=` sets a weak ETag.
Strong ETags are desirable when you're serving byte-for-byte identical
responses that support Range requests, like PDFs or videos (typically
done by reproxying the response from a backend storage service).
Also desirable when fronted by some CDNs that support strong ETags
only, like Akamai.
* No longer strips quotes (`"`) from ETag values before comparing them.
Quotes are significant, part of the ETag. A quoted ETag and an unquoted
one are not the same entity.
* Support `If-None-Match: *`. Rarely useful for GET requests; meant
to provide some optimistic concurrency control for PUT requests.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There was some subtle breakage caused by #18774, when we removed
`#original_exception` in favor of `#cause`. However, `#cause` is
automatically set by Ruby when raising an exception from a rescue block.
With this change, we will use whichever handler has the highest priority
(whichever call to `rescue_from` came last). In cases where the outer
has lower precidence than the cause, but the outer is what should be
handled, cause will need to be explicitly unset.
Fixes #23925
|
| |\ \ \
| | | |
| | | |
| | | | |
Default rendering behavior if respond_to collector doesn't have a block.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When a `respond_to` collector doesn't have a response, then a
`:no_content` response should be rendered. This brings the default
rendering behavior introduced by
https://github.com/rails/rails/issues/19036 to controller methods
employing `respond_to`
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This method will only be added when used with Ruby 2.3.0 or greater.
This method has the same behavior as `Hash#dig`, except it will convert
hashes to `ActionController::Parameters`, similar to `#[]` and `#fetch`.
|
| | | | |
| | | |
| | | |
| | | | |
Make request headers available in the event payload so that it is available to attached ActionController::LogSubscribers.
|
| | | | | |
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some.
The `constrain_to` option inverts this, so it sounds like the middleware
only handles a few requests, rather than the majority with a few routes to
opt out of the redirect.
Renaming to `exclude` matches this intent more closely.
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
Remove load_paths file
|
| | | | | |
|
| |\ \ \ \
| | | | |
| | | | | |
Deprecate :controller and :action path parameters
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
| |/ / / /
| | | |
| | | |
| | | |
| | | |
| | | | |
These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDipatch.
|
| |/ / / |
|
| |\ \ \
| | | |
| | | | |
Enable HSTS with IncludeSubdomains header by default for new apps
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- For old apps which are not setting any value for hsts[:subdomains],
a deprecation warning will be shown saying that hsts[:subdomains] will
be turned on by default in Rails 5.1. Currently it will be set to
false for backward compatibility.
- Adjusted tests to reflect this change.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This reverts commit 22db455dbe9c26fe6d723cac0758705d9943ea4b, reversing
changes made to 40be61dfda1e04c3f306022a40370862e3a2ce39.
This finishes off what I meant to do in 6216a092ccfe6422f113db906a52fe8ffdafdbe6.
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a.
HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.
Fixes #23884
|
| | | |
| | |
| | |
| | |
| | | |
* Fixes typos in error message and release notes.
* Removes unused template test file.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
1. Conceptually revert #20276
The feature was implemented for the `responders` gem. In the end,
they did not need that feature, and have found a better fix (see
plataformatec/responders#131).
`ImplicitRender` is the place where Rails specifies our default
policies for the case where the user did not explicitly tell us
what to render, essentially describing a set of heuristics. If
the gem (or the user) knows exactly what they want, they could
just perform the correct `render` to avoid falling through to
here, as `responders` did (the user called `respond_with`).
Reverting the patch allows us to avoid exploding the complexity
and defining “the fallback for a fallback” policies.
2. `respond_to` and templates are considered exhaustive enumerations
If the user specified a list of formats/variants in a `respond_to`
block, anything that is not explicitly included should result
in an `UnknownFormat` error (which is then caught upstream to
mean “406 Not Acceptable” by default). This is already how it
works before this commit.
Same goes for templates – if the user defined a set of templates
(usually in the file system), that set is now considered exhaustive,
which means that “missing” templates are considered `UnknownFormat`
errors (406).
3. To keep API endpoints simple, the implicit render behavior for
actions with no templates defined at all (regardless of formats,
locales, variants, etc) are defaulted to “204 No Content”. This
is a strictly narrower version of the feature landed in #19036 and
#19377.
4. To avoid confusion when interacting in the browser, these actions
will raise an `UnknownFormat` error for “interactive” requests
instead. (The precise definition of “interactive” requests might
change – the spirit here is to give helpful messages and avoid
confusions.)
Closes #20666, #23062, #23077, #23564
[Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]
|
| | | |
|
| | |
| |
| |
| | |
- Fixes #23822.
|
| |\ \
| | |
| | |
| | | |
Give Sessions Indifferent Access
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
This bug affects `wss://` requests when running Action Cable in-app.
Fixes #23620.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is meant to provide a way for Action Cable, Sprockets, and possibly
other Rack applications to mark themselves as internal, and to exclude
themselves from the routing inspector, and thus `rails routes` / `rake
routes`.
I think this is the only way to have mounted Rack apps be marked as
internal, within AD/Journey. Another option would be to create an array
of regexes for internal apps, and then to iterate over that everytime a
request comes through. Also, I only had the first `add_route` method set
`internal`'s default to false, to avoid littering it all over the
codebase.
|
| | | |
| | |
| | |
| | | |
Also make sure we don't change the global state of our test suite.
|
| | | |
| | |
| | |
| | |
| | | |
This will keep our current API working without having the users to
change their codebases.
|
| | | |
| | |
| | |
| | |
| | |
| | | |
After registering new `:json` mime type `parsers.fetch` can't find the mime type because new mime type is not equal to old one. Using symbol of the mime type as key on parsers hash solves the problem.
Closes #23766
|
| | | |
| | |
| | |
| | |
| | |
| | | |
When `button_to 'Botton', url` form was being used the per form token
was not correct because the method that is was being used to generate it
was an empty string.
|
| |\ \ \
| | | |
| | | |
| | | | |
Fixed passing of delete method on button_to tag, creating wrong form csrf token
|
| | | | |
| | | |
| | | |
| | | | |
them up.
|
| | | | |
| | | |
| | | |
| | | | |
Fixes #23524
|
| |\ \ \ \
| |/ / /
|/| | | |
Make collection caching explicit.
|
