aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
Commit message (Collapse)AuthorAgeFilesLines
* Rescue Rack::Utils::ParameterTypeError instead of TypeErrorYuki Nishijima2014-09-132-5/+5
| | | | | | | | As of rack/rack@167b6480235ff00ed5f355698bf00ec2f250f72e, Rack raises Rack::Utils::ParameterTypeError which inherits TypeError. In terms of the behavior, Rescuing TypeError still works but this method shouldn't rescue if TypeError is raised for other reasons.
* Merge pull request #16839 from chancancode/default_test_orderRafael Mendonça França2014-09-101-1/+1
|\ | | | | | | Default to sorting user's test cases for now
| * Default to sorting user's test cases for nowGodfrey Chan2014-09-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | Goals: 1. Default to :random for newly generated applications 2. Default to :sorted for existing applications with a warning 3. Only show the warning once 4. Only show the warning if the app actually uses AS::TestCase Fixes #16769
* | [ci skip]Correct variables in the sample codesuginoy2014-09-101-2/+2
| |
* | Remove extra 'has been' from deprecation warning about asserting selectorsPrathamesh Sonpatki2014-09-091-1/+1
| | | | | | | | [ci skip]
* | Remove extra 'has been' from the deprecation messagePrathamesh Sonpatki2014-09-091-1/+1
|/ | | | - [ci skip]
* Removing unused fake modelsThiago Pradi2014-09-071-45/+0
|
* Add support for Rack::ContentLength middelwareJavan Makhmali2014-09-062-0/+18
|
* Deprecate implicit AD::Response splatting and Array conversionJeremy Kemper2014-09-063-5/+43
|
* :scissors:Rafael Mendonça França2014-09-051-1/+1
|
* Add test to assert_recognizes with custom messageRafael Mendonça França2014-09-051-1/+9
|
* Message doesn't need to be optionalRafael Mendonça França2014-09-051-2/+2
|
* Merge pull request #14911 from estsauver/14908Rafael Mendonça França2014-09-052-7/+15
|\ | | | | | | Propagate test messages through assert_routing helper, Fixes #14908
| * Propagate test messages through assert_routing helper, Fixes #14908Earl St Sauver2014-04-292-7/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | assert_routing was not raising the message passed into the assertion violation that it raised. This change propagates messages through the on_fail error. This fixes this error: https://github.com/rails/rails/issues/14908 A test case for this issue is located here. https://github.com/estsauver/test14908 To see that test case fail in the example app, just run ruby -Itest test/controllers/guests_controller_test.rb
* | For now, we will keep sorting the tests.Matthew Draper2014-09-051-1/+4
| | | | | | | | | | This reverts commits e969c928463e329fd6529ac59cad96385c538ffb and bd2b3fbe54e750ba97469a7896e8d143d6dfd465.
* | code gardening in ActionController::RenderersXavier Noria2014-09-041-7/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Renames _handle_render_options to _render_to_body_with_renderer, which is more intention-revealing. * The name of the dynamically generated method for a renderer with key :js was "_render_option_js". That name is too weak. :js is an option if you see the render argument as just a generic options hash, but in the context of renderers that's the renderer key, is what identifies the renderer. Now "_render_with_renderer_js" is generated instead, which is crystal clear. * The name of the dynamically generated method for the renderer was constructed using string literals in a few places. That is now encapsulated in a method. * Since we were on it, also removed a couple of redundant selfs.
* | Ship with rails-html-sanitizer instead.Kasper Timm Hansen2014-09-031-1/+1
| |
* | Leave all our tests as order_dependent! for nowMatthew Draper2014-09-021-0/+5
| | | | | | | | | | | | | | | | | | We're seeing too many failures to believe otherwise. This reverts commits bc116a55ca3dd9f63a1f1ca7ade3623885adcc57, cbde413df3839e06dd14e3c220e9800af91e83ab, bf0a67931dd8e58f6f878b9510ae818ae1f29a3a, and 2440933fe2c27b27bcafcd9019717800db2641aa.
* | Allow polymorphic routes with nil when a route can still be drawnSammy Larbi2014-08-311-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Suppose you have two resources routed in the following manner: ```ruby resources :blogs do resources :posts end resources :posts ``` When using polymorphic resource routing like `url_for([@blog, @post])`, and `@blog` is `nil` Rails should still try to match the route to the top-level posts resource. Fixes #16754
* | Refer to the library name instead of the constantRobin Dupret2014-08-301-1/+1
| | | | | | | | | | | | | | | | | | When we are loading a component and we want to know its version, we are actually not speaking about the constant but the library itself. [ci skip] [Godfrey Chan & Xavier Noria]
* | Merge pull request #16644 from Agis-/drb-tests-actionpack-vagrantXavier Noria2014-08-301-3/+1
|\ \ | | | | | | Use system /tmp for temp files when testing actionpack
| * | Use system /tmp when testing actionpackAgis-2014-08-221-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://github.com/rails/rails/commit/c64bff2c87ebf363703c63ecd4a96d56a1a78364 added support and enabled parallel execution of the actionpack tests. However it introduced https://github.com/rails/rails/commit/c64bff2c87ebf363703c63ecd4a96d56a1a78364 since one cannot connect to a socket file that's inside a Vagrant synced folder due to security restrictions, and DRb tries to. Also rename the temporary files to make it obvious that they're rails-related, since now they're placed outside the project's directory. Fixes https://github.com/rails/rails/commit/c64bff2c87ebf363703c63ecd4a96d56a1a78364
* | | Merge branch 'master' of github.com:rails/railsDavid Heinemeier Hansson2014-08-2924-112/+288
|\ \ \
| * | | Don't rescue IPAddr::InvalidAddressErrorPeter Suschlik2014-08-292-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IPAddr::InvalidAddressError does not exist in Ruby 1.9.3 and fails for JRuby in 1.9 mode. As IPAddr::InvalidAddressError is a subclass of ArgumentError (via IPAddr::Error) just rescuing ArgumentError is fine.
| * | | Merge pull request #16637 from Agis-/redirect-with-constraint-routeAaron Patterson2014-08-283-2/+31
| |\ \ \ | | | | | | | | | | Fix the router ignoring constraints when used together with a redirect route
| | * | | Don't ignore constraints in redirect routesAgis-2014-08-253-2/+31
| | |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://github.com/rails/rails/commit/402c2af55053c2f29319091ad21fd6fa6b90ee89 introduced a regression that caused any constraints added to redirect routes to be ignored. Fixes #16605
| * | | Test everythingAkira Matsuda2014-08-281-1/+1
| | | | | | | | | | | | | | | | This actually was testing test everything, so why not do it simpler?
| * | | AP test files does no more need to be alphabetically sorted hereAkira Matsuda2014-08-281-4/+1
| | | |
| * | | Refactor out Dir.glob from ActionDispatch::Staticschneems2014-08-276-20/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Dir.glob can be a security concern. The original use was to provide logic of fallback files. Example a request to `/` should render the file from `/public/index.html`. We can replace the dir glob with the specific logic it represents. The glob {,index,index.html} will look for the current path, then in the directory of the path with index file and then in the directory of the path with index.html. This PR replaces the glob logic by manually checking each potential match. Best case scenario this results in one less file API request, worst case, this has one more file API request. Related to #16464 Update: added a test for when a file of a given name (`public/bar.html` and a directory `public/bar` both exist in the same root directory. Changed logic to accommodate this scenario.
| * | | Merge pull request #16717 from splattael/keygeneratorSantiago Pastorino2014-08-271-1/+1
| |\ \ \ | | | | | | | | | | Use less iterations for KeyGenerator in tests
| | * | | Use less iterations for KeyGenerator in testsPeter Suschlik2014-08-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit improves performance of cookie tests: Ruby | After | Before ----- | --------:| --------: MRI | 5.03s | 9.28s JRuby | 25.45s | 1648.23s Please note the improvement for JRuby.
| * | | | minor changelog formatting changes.Yves Senn2014-08-271-4/+5
| |/ / /
| * / / Address comments on Gzip implementationschneems2014-08-246-12/+51
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - don't mutate PATH_INFO in env, test - test fallback content type matches Rack::File - change assertion style - make HTTP_ACCEPT_ENCODING comparison case insensitive - return gzip path from method instead of true/false so we don't have to assume later - don't allocate un-needed hash. Original comments: https://github.com/rails/rails/commit/ cfaaacd9763642e91761de54c90669a88d772e5a#commitcomment-7468728 cc @jeremy
| * | Refactor ActionDispatch::RemoteIpSam Aarons2014-08-212-52/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactored IP address checking in ActionDispatch::RemoteIp to rely on the IPAddr class instead of the unwieldly regular expression to match IP addresses. This commit keeps the same api but allows users to pass IPAddr objects to config.action_dispatch.trusted_proxies in addition to passing strings and regular expressions. Example: # config/environments/production.rb config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
| * | Improve router test.Guo Xiang Tan2014-08-211-6/+11
| | | | | | | | | | | | | | | We should assert that routes will not be recognized if the verbs do not match.
| * | Avoid duplicating routes for HEAD requests.Guo Xiang Tan2014-08-215-18/+69
| | | | | | | | | | | | | | | | | | | | | | | | Follow up to rails#15321 Instead of duplicating the routes, we will first match the HEAD request to HEAD routes. If no match is found, we will then map the HEAD request to GET routes.
| * | Enable gzip compression by defaultschneems2014-08-207-16/+76
| | | | | | | | | | | | | | | | | | If someone is using ActionDispatch::Static to serve assets and makes it past the `match?` then the file exists on disk and it will be served. This PR adds in logic that checks to see if the file being served is already compressed (via gzip) and on disk, if it is it will be served as long as the client can handle gzip encoding. If not, then a non gzip file will be served. This additional logic slows down an individual asset request but should speed up the consumer experience as compressed files are served and production applications should be delivered with a CDN. This PR allows a CDN to cache a gzip file by setting the `Vary` header appropriately. In net this should speed up a production application that are using Rails as an origin for a CDN. Non-asset request speed is not affected in this PR.
* | | Preparing for 4.2.0.beta1 releaseDavid Heinemeier Hansson2014-08-191-1/+1
|/ /
* | Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-192-8/+71
|\ \ | | | | | | CSRF token mask from breach-mitigation-rails gem
| * | Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-192-8/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | | Use released rails-deprecated_sanitizerRafael Mendonça França2014-08-191-1/+1
| | |
* | | Fix the rails-dom-testing dependecyRafael Mendonça França2014-08-191-0/+1
| | |
* | | Protect against error when parsing parameters with Bad RequestRafael Mendonça França2014-08-192-2/+27
| | | | | | | | | | | | Related with #11795.
* | | Merge pull request #16299 from sikachu/ps-safer-ac-paramsJeremy Kemper2014-08-195-39/+382
|\ \ \ | | | | | | | | Update `ActionController::Parameters` to be more secure on parameters handling
| * | | User `#to_hash` instead of calling `super`Prem Sichanugrist2014-08-181-1/+1
| | | | | | | | | | | | | | | | Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | | Fix failing test on several methods on ParameterPrem Sichanugrist2014-08-183-3/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * `each` * `each_pair` * `delete` * `select!`
| * | | Seperate Parameters accessors and mutators testsPrem Sichanugrist2014-08-183-57/+215
| | | |
| * | | Refactor code to reduce duplicate `self.class.new`Prem Sichanugrist2014-08-181-12/+10
| | | |
| * | | Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-182-0/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values
| * | | Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-183-0/+93
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version.