| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Remove comments about removing LegacyKeyGenerator in 4.1 | Trevor Turk | 2013-04-03 | 1 | -1/+0 |
| Rename DummyKeyGenerator -> LegacyKeyGenerator | Trevor Turk | 2013-04-02 | 1 | -2/+2 |
| Allow transparent upgrading of legacy signed cookies to encrypted cookies; automatically configure cookie-based sessions to use the best cookie jar given the app's config | Trevor Turk | 2013-03-28 | 1 | -8/+60 |
| Fix some typos | Vipul A M | 2013-03-24 | 1 | -1/+1 |
| Remove BestStandardsSupport middleware | Guillermo Iguaran | 2013-01-29 | 1 | -30/+0 |
| Account for ignored cookie set by turbolinks | Nick Reed | 2013-01-14 | 1 | -6/+6 |
| Add regression test to #8907 | Rafael Mendonça França | 2013-01-14 | 1 | -0/+31 |
| Restore original remote_ip algorithm. Proxy servers add X-Forwarded-For headers, resulting in a list of IPs. We remove trusted IP values, and then take the last given value, assuming that it is the most likely to be the correct, unfaked value. See [1] for a very thorough discussion of why that is the best option we have at the moment. [1]: http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/ Fixes #7979 | Andre Arko | 2013-01-02 | 1 | -1/+1 |
| Add UpgradeSignatureToEncryptionCookieStore. This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that don't use key derivation) to the new one that signs using key derivation | Santiago Pastorino | 2012-11-16 | 1 | -0/+110 |
| Remove duplicated get /foo/write_session | Santiago Pastorino | 2012-11-16 | 1 | -1/+0 |
| Remove unused config option | Santiago Pastorino | 2012-11-16 | 1 | -1/+0 |
| Use derived keys everywhere, http_authentication was missing it | Santiago Pastorino | 2012-11-03 | 1 | -1/+3 |
| Add encrypted cookie store | Santiago Pastorino | 2012-11-03 | 1 | -0/+51 |
| Don't use action_controller.perform_caching to enable rack-cache. Setting the action_dispatch.rack_cache options to true or a hash should be the way to enable it. | Rafael Mendonça França | 2012-10-18 | 1 | -2/+12 |
| Use Ruby 1.9 Hash syntax in railties | Robin Dupret | 2012-10-14 | 2 | -13/+13 |
| Fix middleware cache tests enabling rack_cache | Guillermo Iguaran | 2012-10-05 | 1 | -0/+2 |
| Implement :null_session CSRF protection method. It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does). | Sergey Nartimov | 2012-09-13 | 1 | -0/+82 |
| Fixes wrong test class names. | kennyj | 2012-08-29 | 1 | -1/+1 |
| Fix failure on middleware/exceptions_test. The reason the test was failing was because when the test invokes `app.config`, the app is loaded and, as `eager_load` is set to true, it disables the dependency loading mechanism, so controllers that are later defined are not loaded. | José Valim | 2012-08-23 | 1 | -10/+4 |
| Remove app building setup/teardown for remote ip railtie tests. These tests rely on "make_basic_app", which is a faster version that does not need to create the whole app directory structure. | Carlos Antonio da Silva | 2012-08-21 | 1 | -14/+0 |
| Failing test for #6034 | Piotr Sarnacki | 2012-04-30 | 1 | -0/+20 |
| Remove default match without specified method. In the current router DSL, using the +match+ DSL method will match all verbs for the path to the specified endpoint. In the vast majority of cases, people are currently using +match+ when they actually mean +get+. This introduces security implications. This commit disallows calling +match+ without an HTTP verb constraint by default. To explicitly match all verbs, this commit also adds a :via => :all option to +match+. Closes #5964 | Jose and Yehuda | 2012-04-24 | 2 | -2/+2 |
| Freeze the middleware stack after it's built. So apps that accidentally add middlewares later aren't unwittingly dumping them in a black hole. Closes #5911 | Jeremy Kemper | 2012-04-20 | 1 | -17/+18 |
| Handle files from ActionDispatch::Static with Rack::Sendfile (fixes #5225). This makes rails behave properly when you serve static assets and you have X-Sendfile headers enabled. Nevertheless in most cases you should not rely on that and serve static assets with a webserver like Apache or Nginx (as you already have it in place anyway if you use X-Sendfile) | Piotr Sarnacki | 2012-03-03 | 1 | -0/+13 |
| config.force_ssl should mark the session as secure. | José Valim | 2012-01-13 | 1 | -0/+30 |
| convert railties to use AS::TestCase | Aaron Patterson | 2012-01-05 | 6 | -6/+6 |
| don't encode a UTF-8 encoded template | Xu Pan | 2011-12-20 | 1 | -1/+2 |
| Show detailed exceptions no longer returns true if the request is local in production. | José Valim | 2011-12-16 | 1 | -0/+1 |
| Improve the specs on exceptions app. | José Valim | 2011-12-16 | 1 | -1/+1 |
| Allow a custom exceptions app to be set. | José Valim | 2011-12-16 | 1 | -0/+14 |
| Fix diagnostics page for routing errors. | José Valim | 2011-12-15 | 1 | -2/+13 |
| Add ActiveSupport::Cache::NullStore to expose caching interface without actually caching for development and test environments. | Brian Durand | 2011-12-12 | 1 | -2/+2 |
| Split ShowExceptions responsibilities in two middlewares. | José Valim | 2011-12-01 | 1 | -1/+1 |
| Allow rescue responses to be configured through a railtie. | José Valim | 2011-12-01 | 1 | -0/+29 |
| fix exception page when template contains utf-8 and parameters contain utf-8 | lest | 2011-11-30 | 1 | -11/+30 |
| configuration option to always write cookie | lest | 2011-11-23 | 1 | -0/+47 |
| Test demonstrating #3053: If-Modified-Since gets swallowed up by rack-cache. | Brendan Ribera | 2011-10-03 | 1 | -0/+14 |
| x_sendfile_header now defaults to nil and production.rb env file doesn't set a particular value for it. This allows servers to set it through X-Sendfile-Type, read https://github.com/rack/rack/blob/master/lib/rack/sendfile.rb for more info. Anyways you can force this value in your production.rb | Santiago Pastorino | 2011-08-07 | 1 | -1/+2 |
| Solve the RAILS_ENV problem in the railties tests in a more generic way | Jon Leighton | 2011-06-06 | 5 | -0/+20 |
| Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. | Jon Leighton | 2011-05-23 | 1 | -2/+2 |
| Always use ActionDispatch::ShowExceptions middleware [#6462 state:resolved]. This will make sure the application will raise `ActionController::RoutingError` in case "X-Cascade: pass" header was set, usually when there's no route match. | Prem Sichanugrist | 2011-02-25 | 1 | -0/+37 |
| Fix a routing test. Reorganize middleware tests. | José Valim | 2010-10-02 | 4 | -12/+145 |
| Only add Rack::Cache to the middleware stack if config.action_controller.perform_caching is set. | Sparky | 2010-09-15 | 1 | -1/+15 |
| Add tests for Rack::Cache | Carlhuda | 2010-09-13 | 1 | -0/+148 |
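The selection rule described in the "Restore original remote_ip algorithm" commit above (drop trusted proxy addresses from the X-Forwarded-For chain, then keep the last value), shown as an added, stand-alone example. This is not Rails' own ActionDispatch::RemoteIp middleware: the trusted ranges, the helper names and the request hashes are assumptions for the example, the trusted list being modelled on the loopback and private networks a deployment would typically treat as its own proxies. The naive "first value" rule is included only to show what the spoofing problem looks like.

```ruby
require "ipaddr"

# Assumed trusted-proxy ranges for this example (not Rails' defaults):
# loopback, RFC 1918 private networks and the IPv6 ULA range.
TRUSTED_PROXIES = %w[
  127.0.0.0/8 ::1/128
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
].map { |cidr| IPAddr.new(cidr) }.freeze

# Parse one address; nil for garbage an attacker may have put in the header.
def parse_ip(str)
  IPAddr.new(str)
rescue IPAddr::Error
  nil
end

# An address is a proxy if it falls inside any trusted range of the same family.
def trusted_proxy?(addr)
  TRUSTED_PROXIES.any? { |net| net.family == addr.family && net.include?(addr) }
end

# The rule from the commit message: take the X-Forwarded-For chain as sent
# (left = values already present when the request reached our first proxy,
# right = the address our last proxy appended), add the TCP peer address,
# drop every trusted proxy and keep the LAST value that survives. Anything
# the client forged sits to the left of the address a trusted proxy appended,
# so it is never chosen. Falls back to the peer address if the whole chain
# is trusted. Malformed entries are dropped (an extra check, not in the commit).
def remote_ip(env)
  header    = env.fetch("HTTP_X_FORWARDED_FOR", "")
  forwarded = header.split(",").map(&:strip).reject(&:empty?)
  chain     = (forwarded + [env["REMOTE_ADDR"]]).compact
  parsed    = chain.map { |s| parse_ip(s) }.compact
  clients   = parsed.reject { |addr| trusted_proxy?(addr) }
  chosen    = clients.last || parsed.last
  chosen && chosen.to_s
end

# The spoofable rule, for contrast: trust the first X-Forwarded-For entry.
def naive_remote_ip(env)
  first = env.fetch("HTTP_X_FORWARDED_FOR", "").split(",").map(&:strip).first
  first || env["REMOTE_ADDR"]
end

# Constructed request (not captured traffic): the client at 203.0.113.9 sends a
# forged header claiming 1.2.3.4; the load balancer at 10.0.0.5 appends the
# real peer address and forwards, so the app's TCP peer is the balancer.
SPOOFED_REQUEST = {
  "HTTP_X_FORWARDED_FOR" => "1.2.3.4, 203.0.113.9",
  "REMOTE_ADDR"          => "10.0.0.5",
}.freeze

if __FILE__ == $0
  puts remote_ip(SPOOFED_REQUEST)        # 203.0.113.9
  puts naive_remote_ip(SPOOFED_REQUEST)  # 1.2.3.4
end
```

The result is only as trustworthy as the proxy nearest the application: the value chosen is whatever the last untrusted hop presented, so the trusted list must contain exactly the addresses your own proxies connect from, and nothing an attacker can also send traffic from. A list that is too broad (for instance a whole hosting provider's range) lets a forged entry survive the filter again.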