Commit Graph

3292 Commits

Author SHA1 Message Date
Michael Koziarski
ae19e4141f Change the CSRF whitelisting to only apply to GET requests
Unfortunately, the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in Ajax requests, Rails now supports providing the token in a custom HTTP header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
2011-02-08 14:57:08 -08:00
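As an added example (it is not the Rails code this commit changes), here is a minimal verifier written in the spirit of the commit: GET requests are exempt, every other method must carry the session-bound token either as the `authenticity_token` parameter or in the `X-CSRF-Token` header, and the token comparison is constant-time (a hardening choice of this example, not something the commit describes). The `request` and `session` hashes, the `CsrfCheck` module and its method names are constructed for the example.

```ruby
require 'securerandom'

# Constructed example of a CSRF check; not Rails' own implementation.
# Assumed shapes: session is a Hash; request is a Hash with :method,
# :params and :headers keys (all hypothetical for this example).
module CsrfCheck
  # Only GET is exempt, matching the commit. State-changing methods
  # (POST, PUT, DELETE) must always prove they came from our own page.
  SAFE_METHODS = %w[GET].freeze
  TOKEN_PARAM  = 'authenticity_token'.freeze
  TOKEN_HEADER = 'X-CSRF-Token'.freeze

  # The token is bound to the session and only ever rendered into pages
  # of our own origin, so a cross-origin plugin request cannot learn it.
  def self.issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Byte-wise comparison that does not short-circuit on the first
  # mismatch, so a guesser gains no timing information.
  def self.secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # true when the request may proceed, false when it must be rejected.
  def self.verified?(request, session)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)
    expected = session[:_csrf_token]
    return false if expected.nil?   # no token issued yet: nothing can match
    supplied = request[:params][TOKEN_PARAM]
    supplied = request[:headers][TOKEN_HEADER] if supplied.nil? || supplied.empty?
    secure_equal?(expected, supplied)
  end

  # Walks through the cases the commit cares about; returns [label, result] pairs.
  def self.demo
    session = {}
    token = issue_token(session)
    forged = {method: 'POST', params: {}, headers: {}}                        # e.g. Flash/Java cross-origin POST
    xhr    = {method: 'POST', params: {}, headers: {TOKEN_HEADER => token}}    # same-origin XHR using the header
    form   = {method: 'POST', params: {TOKEN_PARAM => token}, headers: {}}     # ordinary HTML form
    read   = {method: 'GET',  params: {}, headers: {}}
    [['forged POST', verified?(forged, session)],
     ['XHR with header', verified?(xhr, session)],
     ['form with param', verified?(form, session)],
     ['plain GET', verified?(read, session)]]
  end
end

CsrfCheck.demo.each { |label, ok| puts "#{label}: #{ok ? 'allowed' : 'rejected'}" } if $PROGRAM_NAME == __FILE__
```

The page-side script that issues XHRs reads the token from the rendered page and sets `X-CSRF-Token` on each request; a plugin running in a different origin has no way to obtain that value, which is why the header check closes the hole that the browser-detection whitelist left open. Exempting only GET also assumes GET handlers never change state, which is worth checking in any application that relies on this.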
José Valim
6b1018526f Use Mime::Type references. 2011-02-08 14:14:26 -08:00
José Valim
b93c590297 Ensure render is case sensitive even on systems with case-insensitive filesystems.
This fixes CVE-2011-0449
2011-02-08 14:04:19 -08:00
Michael Koziarski
3ddd7f7ec9 Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.
This fixes CVE-2011-0446
2011-02-08 13:56:08 -08:00
Carlos Antonio da Silva
631e23ec6c Add tests showing the LH issue #6381: fields_for with inline blocks and nested attributes already persisted
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-08 18:04:12 -02:00
Aaron Patterson
ea25224046 cleaning up some warnings on 1.9.3 2011-02-07 16:44:27 -08:00
Dan Pickett
3026843dc1 put authenticity_token option in parity w/ remote
[#6228 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-06 19:04:52 -02:00
Andre Arko
10cab35d3b Allow page_cache_directory to be set as a Pathname
For example, page_cache_directory = Rails.root.join("public/cache")

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-06 17:55:38 -02:00
Timothy N. Tsvetkov
b9309b47cd Added tests for form_for and an authenticity_token option. Added docs for form_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.
[#6228 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 18:58:32 -02:00
german
adbae9aab8 fixed bug with nested resources within shallow scope
[#6372 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-04 17:07:51 -02:00
Franco Brusatti
d3cfee1182 removing generation of id in submit helper
[#6369 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-03 20:24:14 -02:00
Anton Astashov
c1c6f29214 Add a test for 'render :layout'
To make sure it will show block contents if it is placed after 'render :partial'

[#5557 state:resolved]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-03 12:55:32 -02:00
Stephen Celis
a0757e00f3 Protocol-relative URL support.
[#5774 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-02 19:09:44 -02:00
Santiago Pastorino
86dc5987b2 add test to check class is being escaped in form_class 2011-02-01 19:17:31 -02:00
Andrei Bocan
15ad707852 Allow customization of form class for button_to
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-01 19:09:00 -02:00
Akira Matsuda
cb9fa52832 auto_link: avoid recognizing full width chars as a part of URI scheme
fixes regression by 133ada6ab0

[#5503 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-01 14:04:42 -02:00
Akira Matsuda
5dd803e9b1 Accept String value for render_partial :as option
[#6222 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-01 13:01:54 -02:00
Neeraj Singh
806e6f80dc render_to_string must ensure that response_body is nil

[#5875 state:resolved]

Signed-off-by: José Valim <jose.valim@gmail.com>
2011-01-25 20:14:03 +01:00
Doug Fales
7927fc2ff7 A patch so that http status codes are still included in logs even during an exception [#6333 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2011-01-25 20:12:22 +01:00
Aaron Patterson
3d6e223b84 use spec compliant YAML 2011-01-21 15:43:34 -08:00
brainopia
8491f16e12 Add tld_length option when using domain :all in cookies
Signed-off-by: José Valim <jose.valim@gmail.com>
2011-01-21 13:13:51 +01:00
brainopia
91a4193ee0 Support list of possible domains for cookies
Signed-off-by: José Valim <jose.valim@gmail.com>
2011-01-21 13:13:43 +01:00
José Valim
262b2ea8cd Solve SystemStackError when changing locale inside ActionMailer [#5329 state:resolved] 2011-01-19 23:42:10 +01:00
Aaron Patterson
36d6678690 removing useless variable assignments 2011-01-18 15:52:56 -08:00
Aaron Patterson
54de7048a5 Merge branch 'template_error' into merge
* template_error:
  Ensure original exception message is present in both Template::Error#message and Template::Error#inspect.
  ActiveSupport::Deprecation.silence no longer needed.
2011-01-18 10:52:37 -08:00
Christos Trochalakis
7dab186fde Issue one Cache#read command instead of two in the case of a fragment cache hit 2011-01-18 09:52:11 -08:00
Aaron Patterson
1333020448 fixing space errors 2011-01-17 14:45:24 -08:00
Aaron Patterson
990e6a1b3a fixing wrong test 2011-01-17 14:43:29 -08:00
Santiago Pastorino
1de47a0d56 button_tag should escape its content 2011-01-12 22:05:52 -02:00
Santiago Pastorino
6062d434f1 Allow view in AV::TestCase to access its controller helper methods 2011-01-12 12:14:00 -02:00
Jakub Kuźma
5106ce88e4 authenticity_token option for form_tag [#2988 state:resolved] 2011-01-09 15:55:26 -08:00
John Allison
5d1d9bfb05 Improve select helpers by allowing a selected value of false. This is useful when using a select helper with a boolean attribute, and the attribute is false. (e.g. f.select :allow_comments) 2011-01-09 15:45:55 -08:00
Rizwan Reza
18605adec3 HTML5 button_tag helper
This tag is similar in nature to submit_tag, but allows more control.
It also doesn't submit if submit type isn't used, allowing JavaScript to
control the flow where required.

For more information: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-button-element.html#the-button-element
2011-01-09 15:22:23 -08:00
Piotr Sarnacki
27ea0481bb Recreate symlink in layouts for tests 2010-12-31 14:22:27 +01:00
Piotr Sarnacki
8e5d91062f Don't be so picky on MissingTemplate error details; this fails randomly on 1.8.7 because of an unordered hash 2010-12-31 11:17:37 +01:00
Nick Sutterer
4c44f0468a added tests for the MissingTemplate exception message. 2010-12-31 10:41:19 +01:00
Timothy N. Tsvetkov
e5b84fd723 ActionController::Base.helpers.sanitize ignores case in protocol
[#6044 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2010-12-30 22:43:43 -02:00
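An added example (not the sanitizer this commit patches) of the check the commit implies: the URL scheme is compared case-insensitively against an allow list, after discarding the leading whitespace and the embedded tab/newline characters that browsers ignore when resolving a URL, so `JaVaScRiPt:` and `java\nscript:` are treated the same as `javascript:`. The `HrefCheck` module, its allow list and the sample inputs are constructed for this example; a real sanitizer runs a check like this on the entity-decoded attribute value.

```ruby
# Constructed example of scheme validation for href/src values.
# Not Rails' sanitizer; the allow list below is an assumption.
module HrefCheck
  SAFE_SCHEMES = %w[http https mailto ftp].freeze

  # Returns the lower-cased scheme, or nil for scheme-less (relative) URLs.
  # Tabs and newlines are removed anywhere, leading controls and spaces are
  # dropped, mirroring how browsers canonicalise a URL before reading it.
  def self.scheme_of(href)
    s = href.to_s.gsub(/[\t\n\r]/, '').sub(/\A[\x00-\x20]+/, '')
    m = s.match(/\A([A-Za-z][A-Za-z0-9+.\-]*):/)
    m && m[1].downcase
  end

  # true when the value may be emitted as-is, false when it must be dropped.
  def self.safe_href?(href)
    scheme = scheme_of(href)
    scheme.nil? || SAFE_SCHEMES.include?(scheme)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: mixed case, leading space and an embedded newline
  # must all be rejected; relative paths and allow-listed schemes pass.
  ['http://example.com/', 'HTTPS://Example.com/', '/path?next=javascript:x',
   'JaVaScRiPt:alert(1)', '  javascript:alert(1)', "java\nscript:alert(1)",
   'data:text/html;base64,AAAA'].each do |href|
    puts "#{href.inspect}: #{HrefCheck.safe_href?(href) ? 'keep' : 'drop'}"
  end
end
```

Matching the scheme against an allow list rather than a deny list is the reason the case fix matters less than it otherwise would: a deny list that misses one spelling fails open, while an allow list that misses one spelling merely drops a legitimate link.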
Nick Sutterer
db24701abe process_action accepts multiple args, even with Callbacks. 2010-12-29 16:37:10 -08:00
wycats
e03e1fdbc8 Speed up template inheritance and remove template inheritance option 2010-12-26 23:56:09 -08:00
wycats
7c568fda6b A bunch of cleanup on the inherited template patch 2010-12-26 23:44:51 -08:00
artemave
6c5a3bb312 all tests pass 2010-12-26 22:32:15 -08:00
artemave
ce21ea7832 #948 make template inheritance optional 2010-12-26 22:32:15 -08:00
artemave
ddd85ef9c6 #948 template_inheritance 2010-12-26 22:32:15 -08:00
José Valim
d6efd3cfc2 Don't deprecate to_prepare. 2010-12-23 19:21:14 +01:00
José Valim
819b8cae40 Clean up callbacks should also be called on exceptions. 2010-12-23 19:17:02 +01:00
Santiago Pastorino
5853583f9b Allow registering javascript/stylesheet_expansions to existing symbols 2010-12-22 21:53:24 -02:00
Piotr Sarnacki
09195f10bd Do not use the same hash instance for expansions [#6114 state:resolved]
Using the same hash instance makes using the same expansions for
both javascripts and stylesheets.
2010-12-22 09:44:46 +01:00
José Valim
0cbfd6c28d Small changes on AD::Reloader. 2010-12-20 12:43:02 +01:00
John Firebaugh
435bccda93 Replace AD::Callbacks.to_prepare with AD::Reloader.to_prepare
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-12-20 12:43:02 +01:00
John Firebaugh
0f7c970e4f Introduce ActionDispatch::Reloader
Based on the implementation on the 2-3-stable branch, patches by Hongli
Lai <hongli@phusion.nl>, and helpful suggestions from José Valim.

Hongli Lai's patches included locking around the request cycle; this is
now handled by Rack::Lock (https://github.com/rack/rack/issues/issue/87/).

[#2873]

Signed-off-by: José Valim <jose.valim@gmail.com>
2010-12-20 12:43:02 +01:00