Commit Graph

60 Commits

Author SHA1 Message Date
David Heinemeier Hansson
5b8801442e Only show dump of regular env methods on exception screen (not all the rack crap) [DHH] 2011-05-04 19:56:56 -05:00
Carlos Antonio da Silva
f23bf7dbdb Add missing deprecation require
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-11 13:29:23 -02:00
Michael Koziarski
ae19e4141f Change the CSRF whitelisting to only apply to get requests
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
2011-02-08 14:57:08 -08:00
Andrew White
d446392f76 Add additional HTTP request methods from the following RFCs:
* Hypertext Transfer Protocol -- HTTP/1.1
  http://www.ietf.org/rfc/rfc2616.txt

* HTTP Extensions for Distributed Authoring -- WEBDAV
  http://www.ietf.org/rfc/rfc2518.txt

* Versioning Extensions to WebDAV
  http://www.ietf.org/rfc/rfc3253.txt

* Ordered Collections Protocol (WebDAV)
  http://www.ietf.org/rfc/rfc3648.txt

* Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
  http://www.ietf.org/rfc/rfc3744.txt

* Web Distributed Authoring and Versioning (WebDAV) SEARCH
  http://www.ietf.org/rfc/rfc5323.txt

* PATCH Method for HTTP
  http://www.ietf.org/rfc/rfc5789.txt

[#2809 state:resolved] [#5895 state:resolved]
2010-11-02 10:56:14 +00:00
Miles Egan
3eff729079 make sure request parameters are accessible after rack throws an exception parsing the query string [#3030 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-10-12 00:56:07 +02:00
José Valim
653acac069 Solve some warnings and a failing test. 2010-10-03 21:45:30 +02:00
Aaron Patterson
78ac9c2be7 dry up method checking in the request object 2010-09-29 16:09:58 -07:00
Xavier Noria
9a8861f2e4 removes /i from the TRUSTED_PROXIES regexp, adds /x and comments for readability, adds a pointer to a Wikipedia section that documents the matched IPs 2010-09-12 01:37:07 +02:00
Xavier Noria
0aa66f04e4 gets rid of a double negation, no need to force exactly true/false in a predicate 2010-09-12 00:58:29 +02:00
José Valim
599e46bf24 Revert "Setup explicit requires for files with exceptions. Removed them from autoloading."
Booting a new Rails application does not work after this commit [#5359 state:open]

This reverts commit 38a421b34d.
2010-09-02 21:11:03 +02:00
Łukasz Strzałkowski
38a421b34d Setup explicit requires for files with exceptions. Removed them from autoloading.
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-09-02 11:54:04 +02:00
Santiago Pastorino
919888503d Moves local_request? to require.local?
[#5361 state:committed]
2010-08-13 17:35:52 -03:00
José Valim
a12b76b09e Just reading flash messages should not create a session if one does not exist yet. 2010-06-25 09:36:26 +02:00
Michael Lovitt
49f52c3d91 Sessions should not be created until written to and session data should be destroyed on reset.
[#4938]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-06-23 11:56:35 -07:00
rohit
95a8f252c0 remove executable permission from files that don't need it. [#4802 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-06-20 00:50:48 +02:00
wycats
ab1407cc5b Improve performance of commonly used request methods 2010-06-04 20:11:04 -07:00
wycats
ab8bf9e152 * Change the object used in routing constraints to be an instance of
  ActionDispatch::Request rather than Rack::Request.

* Changed ActionDispatch::Request#method to return a String, to be
  compatible with the Rack::Request superclass.

* Changed ActionDispatch::Request#method to return the original
  method in the case of methodoverride and #request_method not to,
  to be compatible with Rack::Request
2010-04-03 20:24:30 -07:00
wycats
77a2a3d9b3 Request#content_type exists in Rack::Request, and other parts of Rack::Request expect
it to return a String. Split the Rails API so that Request#content_type returns
a String, and Request#content_mime_type returns a Mime::Type object.
2010-03-28 13:40:38 -07:00
Carlhuda
146a5305d5 Add memoizing to AD::Request 2010-03-08 16:50:00 -08:00
Carlhuda
93422af5d5 Move remote_ip to a middleware:
  * ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check
  * ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies
2010-03-03 21:24:00 -08:00
José Valim
31fddf2ace Tidy up new filter_parameters implementation. 2010-01-21 11:57:24 +01:00
Prem Sichanugrist
bd4f21fbac Move filter_parameter_logging logic out of the controller and create ActionDispatch::ParametersFilter to handle parameter filtration instead. This will make filtration not depend on the controller anymore.
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-01-21 10:08:26 +01:00
José Valim
92f49b5f1e Split ActionDispatch http in smaller chunks. 2010-01-16 15:45:07 +01:00
Joshua Peek
ead93c5be5 Move Flash into middleware 2010-01-15 14:55:13 -06:00
Joshua Peek
3eaf525213 Make HEAD method masquerade as GET so requests are routed correctly 2010-01-15 12:38:50 -06:00
Joshua Peek
df7faef68e Referer and user agent are in Rack::Request 2009-12-22 16:09:41 -06:00
David Heinemeier Hansson
cf9d6a95e8 Added ActionDispatch::Request#authorization to access the http authentication header regardless of its proxy hiding [DHH] 2009-12-20 18:30:50 -08:00
Joshua Peek
018dafe574 Allow autoloads to opt out of eager loading 2009-12-12 18:41:26 -06:00
Jeremy Kemper
3f54f3100b Ruby 1.9.2: StringIO no longer has #path 2009-11-13 13:10:28 -08:00
Xavier Noria
f8e713f488 Object#tap is not needed for Ruby >= 1.8.7 2009-11-09 22:16:51 +01:00
Jeremy Kemper
a595abff21 Unknown :format param should result in empty request.formats 2009-11-08 12:12:58 -08:00
Yehuda Katz
e1b5e3cc70 Break up inflector to reduce the dependency burden on dependency-less methods like constantize. 2009-11-07 11:23:21 -08:00
Yehuda Katz
51c24ae3e3 Caching refactoring 2009-10-29 00:44:12 -04:00
Yehuda Katz
0b2dd7afd9 Reorganize CSRF a bit 2009-10-28 00:12:35 -07:00
Yehuda Katz
e1786ee6eb Fixes expires_now and cleans things up a bit 2009-10-26 17:32:42 -07:00
Yehuda Katz
1310231c15 Got tests to pass with some more changes.
  * request.formats is much simpler now
    * For XHRs or Accept headers with a single item, we use the Accept header
    * For other requests, we use params[:format] or fallback to HTML
    * This is primarily to work around the fact that browsers provide completely
      broken Accept headers, so we have to whitelist the few cases we can
      specifically isolate and treat other requests as coming from the browser
    * For APIs, we can support single-item Accept headers, which disambiguates
      from the browsers
  * Requests to an action that only has an XML template from the browser will
    no longer find the template. This worked previously because most browsers
    provide a catch-all */*, but this was mostly accidental behavior. If you
    want to serve XML, either use the :xml format in links, or explicitly
    specify the XML template: render "template.xml".
2009-08-15 12:32:02 -07:00
Yehuda Katz
4bf516e072 More perf work:
  * Move #set_cookie and #delete_cookie inline to optimize. These optimizations should
    almost certainly be sent back upstream to Rack. The optimization involves using
    an ivar for cookies instead of indexing into the headers each time.
  * Was able to use a bare Hash for headers now that cookies have their own joining
    semantics (some code assumed that the raw cookies were an Array).
  * Cache blankness of body on body=
  * Improve expand_cache_key for Arrays of a single element (common in our case)
  * Use a simple layout condition check unless conditions are used
  * Cache visible actions
  * Lazily load the UrlRewriter
  * Make etag an ivar that is set on prepare!
2009-08-11 15:03:53 -07:00
Yehuda Katz
04d4537cd4 This change causes some failing tests, but it should be possible to make them pass with minimal performance impact. 2009-08-11 15:03:52 -07:00
Felipe Talavera
654568e71b Allow to configure trusted proxies via ActionController::Base.trusted_proxies [#2126 state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
2009-08-09 16:56:18 +01:00
José Valim
3e8ba616ef Refactor even more Responder. Move mime negotiation to request and added respond_to class method.
Signed-off-by: Yehuda Katz <wycats@gmail.com>
2009-07-29 12:06:02 -07:00
Yehuda Katz + Carl Lerche
4fad953f90 Fixing pending tests and fixed some formats / partial rendering semantics 2009-06-17 12:54:19 -07:00
Jeremy Kemper
6e039e863a Speed up Request#formats 2009-05-23 19:30:23 -07:00
Yehuda Katz
e22a3d893e Slightly modify things to get content type matching working without breaking other code 2009-05-23 00:39:32 -07:00
Yehuda Katz + Carl Lerche
e693f45e15 Remove some response content type concepts from ActionView 2009-05-21 14:34:56 -07:00
Jeremy Kemper
e8550ee032 Cherry-pick core extensions 2009-05-13 12:00:15 -07:00
Joshua Peek
1fcc7dbcc8 Move TestRequest#query_parameters into AD TestRequest 2009-04-30 23:46:34 -05:00
Joshua Peek
00d1a57e9f Start moving TestRequest and TestResponse into ActionDispatch 2009-04-30 17:26:03 -05:00
Joshua Peek
ba9887c9c0 Switch to action_dispatch rack namespace 2009-04-30 13:45:12 -05:00
Joshua Peek
21aa32692c Delegate controller.session to request.session and deprecate response session 2009-04-27 13:11:17 -05:00
Jeremy Kemper
1850aea7fc Not sure why Request#session is missing 2009-04-26 18:26:06 -07:00