| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
| |
There may be situations where you need to tunnel SSL connections over
port 80 so we shouldn't remove it if it has been explicitly provided.
|
|
|
|
| |
relative URL.
|
|
|
|
| |
do not test internals
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously if you were looking for a given key, the header may incorrectly tell you that it did not exist even though it would return a valid value:
```ruby
env = { "CONTENT_TYPE" => "text/plain" }
headers = ActionDispatch::Http::Headers.new(env)
headers["Content-Type"]
# => "text/plain"
headers.key?("Content-Type")
# => false
```
This PR fixes that behavior by converting the key before checking for presence
|
|\
| |
| | |
Moved 'params[request_forgery_protection_token]' into its own method and...
|
| |
| |
| |
| | |
improved tests.
|
|/
|
|
|
|
|
|
|
| |
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
Conflicts:
actionpack/lib/abstract_controller/base.rb
|
| |
|
|\
| |
| |
| |
| |
| |
| | |
Callable route constraint verification
Conflicts:
actionpack/CHANGELOG.md
|
| |
| |
| |
| | |
silently failing to enforce the constraint
|
| | |
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
Make remote_ip detection properly handle private IPv6 addresses
Conflicts:
actionpack/CHANGELOG.md
|
| | |
| | |
| | |
| | | |
Fixes #12638.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
cookies are marshal-encoded. This is not the case when `secret_token` is
used in conjunction with the `:json` or `:hybrid` serializer.
In those case, when upgrading to use `secret_key_base`, this would cause a
`TypeError: incompatible marshal file format` and a 500 error for the user.
Fixes #14774.
*Godfrey Chan*
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
1. Escape '%' characters in URLs - only unescaped data
should be passed to URL helpers
2. Add an `escape_segment` helper to `Router::Utils`
that escapes '/' characters
3. Use `escape_segment` rather than `escape_fragment`
in optimized URL generation
4. Use `escape_segment` rather than `escape_path`
in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard
segments (e.g. *foo) then we use `escape_path` as the value may contain '/'
characters. This means that wildcard routes can't be optimized. Secondly,
if a `:controller` segment is used in the path then this uses `escape_path`
as the controller may be namespaced.
Fixes #14629, #14636 and #14070.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Makes it clear that anything passed with the helper must not be percent encoded.
Fixes previous behavior which tricks people into believing passing
non-percent-encoded will generate a proper percent-encoded path while in
reality it doesn't ('%' isn't escaped).
The intention is nice but the heuristic is broken.
|
| | |
| | |
| | |
| | | |
Related with cbb917455f306cf5818644b162f22be09f77d4b2
|
| | |
| | |
| | |
| | | |
This was changed at cbb917455f306cf5818644b162f22be09f77d4b2
|
| | | |
|
|\ \ \
| | | |
| | | |
| | | | |
Use common to_io so users can access the underlying IO object
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In some cases users may need to work with/manipulate more of the
Tempfile api than provided by Upload. Allow users to get at the
underlying io via the common to_io method of IO/IO-like objects
|
|\ \ \ \
| | | | |
| | | | | |
Display diagnostics in text format for xhr request
|
| | | | | |
|
|\ \ \ \ \
| |_|/ / /
|/| | | | |
Remove surplus period from assertion messages
|
| |/ / / |
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When requesting a controller with the following code with a unknown format:
def my_action
respond_to do |format|
format.json { head :ok }
format.any { render text: 'Default response' }
end
end
we should render the default response instead of raising ActionController::UnknownFormat
Fixes #14462
Conflicts:
actionpack/CHANGELOG.md
actionpack/test/controller/mime/respond_with_test.rb
Conflicts:
actionpack/CHANGELOG.md
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
This parsing is unecessary once the Request object already has the
needed information.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adding flash types to a controller within any of the tests will result
in a global state change of the controller under test.
This patch will prevent state leaks and allow us to run the test in random order.
|
| | | |
|
| | | |
|
| | |
| | |
| | | |
Adding tests for Session `destroy`, `update` and `delete` methods. No changes for code under test.
|
|\ \ \
| | | |
| | | |
| | | |
| | | | |
Fortisque/kevin/stream_error_in_main_thread_if_not_committed
re-raise error if error occurs before committing in streaming
|
| | | |
| | | |
| | | |
| | | | |
update the tests, using an if-else
|
| | | |
| | | |
| | | |
| | | | |
than assume SecureRandom is available
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The method `shallow?` returns false if the parent resource is a singleton so
we need to check if we're not inside a nested scope before copying the :path
and :as options to their shallow equivalents.
Fixes #14388.
|
|\ \ \ \
| |/ / /
|/| | |
| | | | |
Ensure LookupContext in Digestor selects correct variant
|
| | | |
| | | |
| | | |
| | | | |
We're setting variant above, in request object directly
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Related to: #14242 #14243 14293
Variants passed to LookupContext#find() seem to be ignored, so
I've used the setter instead: `finder.variants = [ variant ]`.
I've also added some more test cases for variants. Hopefully this
time passing tests will mean it actually works.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
avoid freezing the headers until the web server has actually read data
from the body proxy. Once the webserver has read data, then we should
throw an error if someone tries to set a header
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
when streaming responses, we need to make sure the cookie jar is written
to the headers before returning up the stack. This commit introduces a
new method on the response object that writes the cookie jar to the
headers as the response is committed. The middleware and test framework
will not write the cookie headers if the response has already been
committed.
fixes #14352
|
| | |
| | |
| | |
| | |
| | |
| | | |
If the options :shallow_prefix and :shallow_path are not set in the
scope options then copy them from the normal :as and :path options
if they are set.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If a developer has specified either :path or :as in the options hash then
these should be used as the defaults for :shallow_path and :shallow_prefix.
Fixes #14241.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
By tracking the depth of resource nesting we can push the need for nested
shallow scoping to only those routes that are nested more than one deep.
This allows us to keep the fix for #12498 and fix the regression in #14224.
Fixes #14224.
|
|\ \ \
| | | |
| | | | |
Make CSRF failure logging optional/configurable.
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`render :body` should just not set the `Content-Type` header. By
removing the header, it breaks the compatibility with other parts.
After this commit, `render :body` will returns `text/html` content type,
sets by default from `ActionDispatch::Response`, and it will preserve
the overridden content type if you override it.
Fixes #14197, #14238
This partially reverts commit 3047376870d4a7adc7ff15c3cb4852e073c8f1da.
|