The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
Conflicts:
actionpack/lib/action_dispatch/http/request.rb
Issue: when `assert_redirected_to` fails due to the response redirect not
matching the expected redirect the user-supplied message (second parameter)
is not shown. This message is only shown if the response is not a redirect.
Merge `:action` from routing scope and assign endpoint if both `:controller`
and `:action` are present. The endpoint assignment only occurs if there is
no `:to` present in the options hash so should only affect routes using the
shorthand syntax (i.e. endpoint is inferred from the the path).
Fixes#9856
Backport of 37b4276
Backport #9361.
Closes#7554.
This patch determines the `controller#action` directly
in the `match` method when the shorthand syntax is used.
this prevents problems with namespaces and scopes.
Ruby 1.9 freezes Hash string keys by default so where a route is
defined like this:
get 'search' => 'search'
then the Mapper will derive the action from the key. This blows up
later when the action is added to the parameters hash and the
encoding is forced.
Closes#3429
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
Clear url helper methods when routes are reloaded by removing the
methods explicitly rather than just clearing the module because it
didn't work properly and could be the source of a memory leak.
Closes#8488.
Optional segments with a root scope need to have the leading slash
outside of the parentheses, otherwise the generated url will be empty.
However if the route has non-optional elements then the leading slash
needs to remain inside the parentheses otherwise the generated url
will have two leading slashes, e.g:
Blog::Application.routes.draw do
get '/(:category)', :to => 'posts#index', :as => :root
get '/(:category)/author/:name', :to => 'posts#author', :as => :author
end
$ rake routes
root GET /(:category)(.:format) posts#index
author GET (/:category)/author/:name(.:format) posts#author
This change adds support for optional segments that contain a slash,
allowing support for urls like /page/2 for the root path, e.g:
Blog::Application.routes.draw do
get '/(page/:page)', :to => 'posts#index', :as => :root
end
$ rake routes
root GET /(page/:page)(.:format) posts#index
Fixes#7073
(cherry picked from commit d8745decaf59aad32aa2f09abdba99b8d0e48b31)
A callable object passed as a constraint for a route may access the request
parameters as part of its check. This causes the combined parameters hash
to be cached in the environment hash. If the constraint fails then any subsequent
access of the request parameters will be against that stale hash.
To fix this we delete the cache after every call to `matches?`. This may have a
negative performance impact if the contraint wraps a large number of routes as the
parameters hash is built by merging GET, POST and path parameters.
Fixes#2510.
(cherry picked from commit 56030506563352944fed12a6bb4793bb2462094b)
Windows doesn't allow `\ / : * ? " < > |` in filenames so create
the fixture files at runtime and ignore the incompatible ones when
running on Windows.
RFC 3986[1] allows sub-delim characters in path segments unencoded,
however Rack::File requires them to be encoded so we use URI's
unescape method to leave them alone and then escape them again.
Also since the path gets passed to Dir[] we need to escape any glob
characters in the path.
[1]: http://www.ietf.org/rfc/rfc3986.txt
