Michael Koziarski
ae19e4141f
Change the CSRF whitelisting to only apply to get requests
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
X-CSRF-Token: ...
This fixes CVE-2011-0447
2011-02-08 14:57:08 -08:00
José Valim
6b1018526f
Use Mime::Type references.
2011-02-08 14:14:26 -08:00
José Valim
b93c590297
Ensure render is case sensitive even on systems with case-insensitive filesystems.
This fixes CVE-2011-0449
2011-02-08 14:04:19 -08:00
Aaron Patterson
ea25224046
cleaning up some warnings on 1.9.3
2011-02-07 16:44:27 -08:00
Dan Pickett
3026843dc1
put authenticity_token option in parity w/ remote
[#6228 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-06 19:04:52 -02:00
Andre Arko
10cab35d3b
Allow page_cache_directory to be set as a Pathname
For example, page_cache_directory = Rails.root.join("public/cache")
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-06 17:55:38 -02:00
Timothy N. Tsvetkov
b9309b47cd
Added tests for form_for and an authenticity_token option. Added docs for form_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.
[#6228 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 18:58:32 -02:00
Stephen Celis
a0757e00f3
Protocol-relative URL support.
[#5774 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-02 19:09:44 -02:00
Neeraj Singh
806e6f80dc
render_to_string must ensure that response_body
is nil
[#5875 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2011-01-25 20:14:03 +01:00
Doug Fales
7927fc2ff7
A patch so that http status codes are still included in logs even during an exception [#6333 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2011-01-25 20:12:22 +01:00
Aaron Patterson
3d6e223b84
use spec compliant YAML
2011-01-21 15:43:34 -08:00
Aaron Patterson
36d6678690
removing useless variable assignments
2011-01-18 15:52:56 -08:00
Christos Trochalakis
7dab186fde
Issue one Cache#read command instead of two in the case of a fragment cache hit
2011-01-18 09:52:11 -08:00
Aaron Patterson
990e6a1b3a
fixing wrong test
2011-01-17 14:43:29 -08:00
Jakub Kuźma
5106ce88e4
authenticity_token option for form_tag [#2988 state:resolved]
2011-01-09 15:55:26 -08:00
wycats
e03e1fdbc8
Speed up template inheritance and remove template inheritance option
2010-12-26 23:56:09 -08:00
wycats
7c568fda6b
A bunch of cleanup on the inherited template patch
2010-12-26 23:44:51 -08:00
artemave
6c5a3bb312
all tests pass
2010-12-26 22:32:15 -08:00
artemave
ce21ea7832
#948 make template inheritance optional
2010-12-26 22:32:15 -08:00
artemave
ddd85ef9c6
#948 template_inheritance
2010-12-26 22:32:15 -08:00
Neeraj Singh
0027b65421
Ensure that while caching a page rails takes into
account the resolved mime type for the request
[#6110 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-12-09 16:14:57 +01:00
José Valim
78afe68afb
Merge remote branch 'joshk/redirect_routing'
Conflicts:
actionpack/CHANGELOG
actionpack/lib/action_controller/metal/mime_responds.rb
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-12-03 12:27:50 +01:00
Josh Kalderimis
0bda6f1ec6
The redirect routing method now allows for a hash of options which only changes the relevant parts of the url, or an object which responds to call can be supplied so common redirect rules can be easily reused. This commit includes a change where url generation from parts has been moved to AD::Http::URL as a class method.
2010-11-30 16:36:01 +01:00
José Valim
31906eecdf
Fix tests on 1.9.2.
2010-11-28 12:48:50 +01:00
Neeraj Singh
fa2a5ae033
If a user wants json output then try best to render json output. In such cases prefer kind_of(String) over respond_to?(to_str)
[#5841 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-24 22:08:36 +01:00
Neeraj Singh
b52a6ba169
clean up test by using unregister method
2010-11-25 04:38:50 +08:00
Neeraj Singh
c6030e8562
Remove the not needed setup and teardown
2010-11-25 04:38:45 +08:00
Josh Kalderimis
2fe43b694f
:subdomain, :domain and :tld_length options can now be used in url_for, allowing for easy manipulation of the host during link generation.
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-23 09:54:42 +01:00
Aaron Patterson
e83d15376d
adding a test for the runner module [#6027 state:resolved]
2010-11-22 15:57:03 -08:00
Neeraj Singh
cdbbf6fd6b
move the mime registration code to setup so that
it could be cleaned up on teardown.
Currently the test code
test/controller/mime_responds_test.rb impacts
test/dispatch/mime_type_test.rb.
dispatch/mime_type_test.rb runs independently fine
but when run as part of rake breaks because of
new mime types registered in
controller/mime_responds_test.rb
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-22 23:06:14 +01:00
Neeraj Singh
eb6ccc9953
do not assume that there is no space between
leading */* and comma
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-22 23:06:12 +01:00
Neeraj Singh
f5fba917f8
failing test for #6022
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-22 23:06:12 +01:00
Neeraj Singh
61950a4b05
current code ignores http header "Accept" if it
has ....,*/* .
It is possible for a device to send
request such that */* appear at the beginning of the
"Accept" header. This patch ensures that "Accept" header
is ignored for such cases too.
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-22 23:06:12 +01:00
Xavier Noria
799a6fa047
realigns a series of hash arrows
2010-11-21 10:25:23 +01:00
Santiago Pastorino
52b71c01fd
Revert "Quick fix for not escaping []s (not ideal)"
According to http://www.ietf.org/rfc/rfc2616.txt and
http://tools.ietf.org/rfc/rfc3986.txt [ and ] are reserved characters
and should be escaped using "%" HEX HEX
This reverts commit 856d2fd874 and
1ee9b40b18a0bed5bb10a0785f7e2730bac983f6.
2010-11-18 23:31:00 -02:00
Neeraj Singh
fe2f168d40
fix warning during test execution
[#5997 state:resolved]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2010-11-17 20:19:07 -02:00
Carl Lerche
401c1835af
Anchors should be allowed on constraints that are not on path segments
2010-11-16 21:46:15 -08:00
Aaron Patterson
0be181bfa0
make sure we are only doing sanity checking against regular expressions
2010-11-15 13:37:27 -08:00
Marcelo Giorgi
2bb1c202b4
Make after_filter halt when before_filter renders or redirects [#5648 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-11 17:05:07 +01:00
Jan Maurits Faber
f04ec6a227
Added support for Erubis <%== tag
<%== x %> is syntactic sugar for <%= raw(x) %>
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#5918 status:committed]
2010-11-08 09:55:55 +13:00
Santiago Pastorino
2382667955
Fix problems trying to functional test AC::Metal controllers
[#5393 state:committed]
2010-11-06 21:15:03 -02:00
Chris Eppstein
b1667c7c2c
Correctly handle the case of an API response that returns a hash by treating a single hash argument as the resource instead of as options.
2010-11-06 06:56:36 +08:00
Andrew White
f7573175de
Reset assert_template instance variables between requests [#5832 state:resolved]
2010-10-18 09:57:51 +01:00
Xavier Noria
21ff8849bb
in regexps, the dot in a character class is not a metacharacter
2010-10-15 16:31:00 +02:00
José Valim
01ab6f961b
Remove :cache => true on lookup templates initialization.
2010-10-14 09:47:49 +02:00
José Valim
37d78028b2
render :once should consider the current controller prefix.
2010-10-14 09:27:18 +02:00
Szymon Nowak
0d33332571
Return a valid empty JSON on successful PUT and DELETE requests. [#5199 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-10-12 00:56:07 +02:00
José Valim
682368d4ba
Use identifiers for template equality.
2010-10-10 23:12:22 +02:00
José Valim
940b57789f
Add support to render :once.
This will be used internally by sprockets to ensure requires are executed just once.
2010-10-10 12:43:26 +02:00
wycats
8cb2cfbf71
Fix a few bugs when trying to use Head standalone
2010-10-10 00:54:11 -07:00