| Commit message (Collapse) | Author | Age | Files | Lines |
|
This is a follow up to #15058.
This exception is regularly raised during development. This means it will enter
the user realm. We should provide an API page to show that this exception is public API.
/cc @schneems
|
There may be situations where you need to tunnel SSL connections over
port 80 so we shouldn't remove it if it has been explicitly provided.
|
relative URL.
|
This lets us avoid
1. A slow call to Hash#slice
2. An is_a? test
3. Extra hash allocations (from slice)
4. String allocations
etc.
|
avoids extra hash allocations on each call
|
do not test internals
|
Previously if you were looking for a given key, the header may incorrectly tell you that it did not exist even though it would return a valid value:
```ruby
env = { "CONTENT_TYPE" => "text/plain" }
headers = ActionDispatch::Http::Headers.new(env)
headers["Content-Type"]
# => "text/plain"
headers.key?("Content-Type")
# => false
```
This PR fixes that behavior by converting the key before checking for presence
|
Moved 'params[request_forgery_protection_token]' into its own method and...
|
improved tests.
|
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
Conflicts:
actionpack/lib/abstract_controller/base.rb
|
There are too many "action name" variables around the process method.
|
Callable route constraint verification
Conflicts:
actionpack/CHANGELOG.md
|
silently failing to enforce the constraint
|
[ci skip]
|
you call the method
|
I think this is wrong, but it gets the build passing for now. We should
always add options, but we need to make more guarantees about how the
underlying url helper is called
|
if you want options, don't mix them with the first hash, just pass them
all in with the second hash
|
Update mapper.rb
|
Make remote_ip detection properly handle private IPv6 addresses
Conflicts:
actionpack/CHANGELOG.md
|
Fixes #12638.
|
Previously, the `VerifyAndUpgradeLegacySignedMessage` assumed all incoming
cookies are marshal-encoded. This is not the case when `secret_token` is
used in conjunction with the `:json` or `:hybrid` serializer.
In those cases, when upgrading to use `secret_key_base`, this would cause a
`TypeError: incompatible marshal file format` and a 500 error for the user.
Fixes #14774.
*Godfrey Chan*
|
replace class_eval by define_method in abstract_controller/callbacks
|
ActionController::Renderers::RENDERERS is an instance of Set. Docs incorrectly
state that it's a Hash.
|
1. Escape '%' characters in URLs - only unescaped data
should be passed to URL helpers
2. Add an `escape_segment` helper to `Router::Utils`
that escapes '/' characters
3. Use `escape_segment` rather than `escape_fragment`
in optimized URL generation
4. Use `escape_segment` rather than `escape_path`
in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard
segments (e.g. *foo) then we use `escape_path` as the value may contain '/'
characters. This means that wildcard routes can't be optimized. Secondly,
if a `:controller` segment is used in the path then this uses `escape_path`
as the controller may be namespaced.
Fixes #14629, #14636 and #14070.
|
The URI::Parser#escape method is a general use method that has to deal
with a variety of input; however, our use of it is limited in scope, so
we can increase the performance by implementing our specific needs
within ActionDispatch::Journey::Router::Utils directly.
If there is no encoding required then there is no change in performance
or number of objects allocated, but for each character that needs to be
encoded we save five object allocations and gain a performance boost.
The performance boost seen varies from 20% when there is one character
to over 50% when encoding ten characters.
|
Makes it clear that anything passed with the helper must not be percent encoded.
Fixes previous behavior which tricks people into believing passing
non-percent-encoded will generate a proper percent-encoded path while in
reality it doesn't ('%' isn't escaped).
The intention is nice but the heuristic is broken.
|