| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|\
| |
| | |
Remove load_paths file
|
| | |
|
|\ \
| | |
| | | |
Deprecate :controller and :action path parameters
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
| | | |
|
|/ /
| |
| |
| |
| |
| | |
These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDipatch.
|
|\ \
| | |
| | | |
Drop Action Controller require in ActionDispatch::ExceptionWrapper
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We only reference the Action Controller error classes by name in
ActionDispatch::ExceptionWrapper, so there is no need to explicitly
require them.
It drops a tiny coupling between Action Dispatch and Action Controller,
so it makes me feel warm inside. We still have a lot of others AC
requires in the AD code base, but here, we can save it.
[ci skip]
|
|/ / |
|
|/ |
|
| |
|
|\
| |
| | |
Enable HSTS with IncludeSubdomains header by default for new apps
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
- For old apps which are not setting any value for hsts[:subdomains],
a deprecation warning will be shown saying that hsts[:subdomains] will
be turned on by default in Rails 5.1. Currently it will be set to
false for backward compatibility.
- Adjusted tests to reflect this change.
|
| |
| |
| |
| |
| |
| |
| |
| | |
1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases
2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing.
That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.
Yes, many developers forget to add subdomains=true by default, believe me :)
|
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 22db455dbe9c26fe6d723cac0758705d9943ea4b, reversing
changes made to 40be61dfda1e04c3f306022a40370862e3a2ce39.
This finishes off what I meant to do in 6216a092ccfe6422f113db906a52fe8ffdafdbe6.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a.
HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.
Fixes #23884
|
| |
| |
| |
| |
| | |
* Fixes typos in error message and release notes.
* Removes unused template test file.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Conceptually revert #20276
The feature was implemented for the `responders` gem. In the end,
they did not need that feature, and have found a better fix (see
plataformatec/responders#131).
`ImplicitRender` is the place where Rails specifies our default
policies for the case where the user did not explicitly tell us
what to render, essentially describing a set of heuristics. If
the gem (or the user) knows exactly what they want, they could
just perform the correct `render` to avoid falling through to
here, as `responders` did (the user called `respond_with`).
Reverting the patch allows us to avoid exploding the complexity
and defining “the fallback for a fallback” policies.
2. `respond_to` and templates are considered exhaustive enumerations
If the user specified a list of formats/variants in a `respond_to`
block, anything that is not explicitly included should result
in an `UnknownFormat` error (which is then caught upstream to
mean “406 Not Acceptable” by default). This is already how it
works before this commit.
Same goes for templates – if the user defined a set of templates
(usually in the file system), that set is now considered exhaustive,
which means that “missing” templates are considered `UnknownFormat`
errors (406).
3. To keep API endpoints simple, the implicit render behavior for
actions with no templates defined at all (regardless of formats,
locales, variants, etc) are defaulted to “204 No Content”. This
is a strictly narrower version of the feature landed in #19036 and
#19377.
4. To avoid confusion when interacting in the browser, these actions
will raise an `UnknownFormat` error for “interactive” requests
instead. (The precise definition of “interactive” requests might
change – the spirit here is to give helpful messages and avoid
confusions.)
Closes #20666, #23062, #23077, #23564
[Godfrey Chan, Jon Moss, Kasper Timm Hansen, Mike Clark, Matthew Draper]
|
|\
| |
| | |
Added a test for generating Strong ETag
|
| | |
|
|/ |
|
|
|
|
| |
Adds changelog headers for beta3 release
|
| |
|
|
|
|
|
|
|
| |
It is not a released feature so we don't need to add changelogs to
changes on it.
[ci skip]
|
|
|
|
| |
- Fixes #23822.
|
|\
| |
| |
| | |
Give Sessions Indifferent Access
|
| | |
|
| | |
|
|\ \
| | |
| | |
| | |
| | |
| | | |
This is a rebased version of #22825.
Closes #22825.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
Abstract Controller is the common component between Action Mailer and
Action Controller so if we need to share the caching component it need
to be there.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
including it
Remove useless helper in ActionDispatch::Caching and fix indentation
|
| | | |
|
| | |
| | |
| | |
| | | |
and ActionController to include it
|
| | |
| | |
| | |
| | | |
action_dispatch/caching/fragments
|
|/ /
| |
| |
| |
| | |
This bug affects `wss://` requests when running Action Cable in-app.
Fixes #23620.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is meant to provide a way for Action Cable, Sprockets, and possibly
other Rack applications to mark themselves as internal, and to exclude
themselves from the routing inspector, and thus `rails routes` / `rake
routes`.
I think this is the only way to have mounted Rack apps be marked as
internal, within AD/Journey. Another option would be to create an array
of regexes for internal apps, and then to iterate over that everytime a
request comes through. Also, I only had the first `add_route` method set
`internal`'s default to false, to avoid littering it all over the
codebase.
|
| |
| |
| |
| | |
Also make sure we don't change the global state of our test suite.
|
| |
| |
| |
| |
| | |
This will keep our current API working without having the users to
change their codebases.
|
| |
| |
| |
| |
| |
| | |
After registering new `:json` mime type `parsers.fetch` can't find the mime type because new mime type is not equal to old one. Using symbol of the mime type as key on parsers hash solves the problem.
Closes #23766
|
| |
| |
| |
| |
| |
| | |
When `button_to 'Botton', url` form was being used the per form token
was not correct because the method that is was being used to generate it
was an empty string.
|
|\ \
| | |
| | |
| | | |
Fixed passing of delete method on button_to tag, creating wrong form csrf token
|
| | |
| | |
| | |
| | | |
them up.
|
| | |
| | |
| | |
| | | |
Fixes #23524
|
| | | |
|
|\ \ \
| | | |
| | | | |
Improve the performance of string xor operation
|