aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-192-8/+71
|\ | | | | CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-192-8/+71
| | | | | | | | | | | | | | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | Use released rails-deprecated_sanitizerRafael Mendonça França2014-08-191-1/+1
| |
* | Fix the rails-dom-testing dependecyRafael Mendonça França2014-08-191-0/+1
| |
* | Protect against error when parsing parameters with Bad RequestRafael Mendonça França2014-08-192-2/+27
| | | | | | | | Related with #11795.
* | Merge pull request #16299 from sikachu/ps-safer-ac-paramsJeremy Kemper2014-08-195-39/+382
|\ \ | | | | | | Update `ActionController::Parameters` to be more secure on parameters handling
| * | User `#to_hash` instead of calling `super`Prem Sichanugrist2014-08-181-1/+1
| | | | | | | | | | | | Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | Fix failing test on several methods on ParameterPrem Sichanugrist2014-08-183-3/+36
| | | | | | | | | | | | | | | | | | | | | * `each` * `each_pair` * `delete` * `select!`
| * | Seperate Parameters accessors and mutators testsPrem Sichanugrist2014-08-183-57/+215
| | |
| * | Refactor code to reduce duplicate `self.class.new`Prem Sichanugrist2014-08-181-12/+10
| | |
| * | Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-182-0/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values
| * | Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-183-0/+93
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version.
* | | Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-08-193-2/+31
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/lib/action_controller/metal/mime_responds.rb actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb activerecord/lib/active_record/type/value.rb
| * | | Uppercase HTML in docs.Hendy Tanata2014-08-083-10/+10
| | | | | | | | | | | | | | | | [skip ci]
| * | | [ci skip] Document ActionDispatch::Staticschneems2014-08-051-0/+9
| | | |
| * | | [ci skip] document ActionDispatch::FileHandlerschneems2014-08-051-0/+10
| | | |
| * | | [ci skip] Document PublicExceptions middlewareschneems2014-08-051-0/+10
| | | |
* | | | Add missing requireGodfrey Chan2014-08-181-0/+2
| |/ / |/| |
* | | Deprecate TagAssertion instead of removingRafael Mendonça França2014-08-182-1/+2
| | |
* | | Bump rack dependencySantiago Pastorino2014-08-181-1/+1
| | |
* | | Expectations firstAkira Matsuda2014-08-187-34/+34
| | |
* | | Merge pull request #15889 from carnesmedia/model-nameRafael Mendonça França2014-08-172-6/+6
|\ \ \ | | | | | | | | | | | | Use #model_name on instances instead of classes
| * | | Use #model_name on instances instead of classesAmiel Martin2014-06-242-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | This allows rails code to be more confdent when asking for a model name, instead of having to ask for the class. Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
* | | | Merge branch 'loofah'Rafael Mendonça França2014-08-1714-1772/+37
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | Conflicts: Gemfile
| * \ \ \ Merge branch 'master' into loofahRafael Mendonça França2014-08-1731-1381/+464
| |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * | | | | Prepare for partial release.Kasper Timm Hansen2014-08-172-5/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Default to Rails::DeprecatedSanitizer in ActionView::Helpers::SanitizeHelper. - Add upgrade notes. - Add sanitizer to new applications Gemfiles. - Remove 'rails-dom-testing' as a dependency.
| * | | | | Merge branch 'master' into loofahRafael Mendonça França2014-08-12122-799/+1184
| |\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/CHANGELOG.md actionpack/test/controller/integration_test.rb actionview/CHANGELOG.md
| * | | | | | Remove more unneeded includeRafael Mendonça França2014-07-151-3/+0
| | | | | | |
| * | | | | | Defining the right dependenciesRafael Mendonça França2014-07-151-0/+2
| | | | | | |
| * | | | | | We don't need loofah for the assertionsRafael Mendonça França2014-07-153-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | We can just use nokogiri
| * | | | | | Merge pull request #11218 from kaspth/loofah-integrationRafael Mendonça França2014-07-1014-1772/+43
| |\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Loofah-integration Conflicts: actionpack/CHANGELOG.md actionview/CHANGELOG.md
| | * | | | | | Add document_root_element to ActionDispatch::IntegrationTest so ↵Timm2014-06-161-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | assert_select can be called without specifying a root.
| | * | | | | | Remove unneeded comment in test.Timm2014-06-161-1/+1
| | | | | | | |
| | * | | | | | Remove some whitespace in actionpack.gemspec.Timm2014-06-161-3/+0
| | | | | | | |
| | * | | | | | Moved html_document to ActionDispatch::Assertions. Included the ↵Timm2014-06-162-7/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rails::Dom::Testing::Assertions there as well.
| | * | | | | | Support for changes in SelectorAssertions.Timm2014-06-161-0/+14
| | | | | | | |
| | * | | | | | Changed deprecation message in dom and selector assertions in Action Dispatch.Timm2014-06-162-2/+2
| | | | | | | |
| | * | | | | | Exchanged requiring of action view assertions with rails dom testing assertions.Timm2014-06-161-2/+3
| | | | | | | |
| | * | | | | | Removed tag.rb, since it is actually removed, not just deprecated. [ci skip]Timm2014-06-161-3/+0
| | | | | | | |
| | * | | | | | Moved ActionView::Assertions dependency from Action Pack's lib to ↵Timm2014-06-163-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | abstract_unit.rb.
| | * | | | | | Nokogiri leaves '<' unescaped, so the assert_select looking for '&lt;' will ↵Timm2014-06-161-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | never work. Switched to assert_matching the reponse body.
| | * | | | | | Added deprecation notice to actionpack changelog.Timm2014-06-161-0/+6
| | | | | | | |
| | * | | | | | Removed require's for html-scanner.Timm2014-06-162-2/+0
| | | | | | | |
| | * | | | | | Added deprecation warning to ActionDispatch::Assertions::TagAssertions.Timm2014-06-161-0/+3
| | | | | | | |
| | * | | | | | Trimmed deprecation message for ActionDispatch::Assertions::SelectorAssertions.Timm2014-06-161-1/+1
| | | | | | | |
| | * | | | | | Require ActionView::Assertions in ActionController test_case.rb.Timm2014-06-161-0/+1
| | | | | | | |
| | * | | | | | Moved Dom and Selector assertions from ActionDispatch to ActionView.Timm2014-06-166-894/+7
| | | | | | | |
| | * | | | | | Fixed: assert_select_encoded finds the right content. No longer uses a ↵Timm2014-06-162-14/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | <encoded> wrapper. Updated tests to reflect this.
| | * | | | | | Removed mention of css_select supporting substitution values. It is not ↵Timm2014-06-161-7/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | tested anywhere.
| | * | | | | | Updated documentation to state more things about css selectors with ↵Timm2014-06-161-3/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | substitution values.
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 10:52:40 +0000