github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-21 20:37:54 -05:00
Code Issues Packages Projects Releases Wiki Activity
10,111 Commits 34 Branches 105 Tags
2.3.14.github2
Commit Graph

1251 Commits

Author SHA1 Message Date
Aaron Patterson
60f783d9ce fixing strip tags vulnerability 2011-08-16 14:58:13 -07:00
Aaron Patterson
11dafeaa75 fixing response splitting problem 2011-08-16 14:25:45 -07:00
José Valim
d793a56121 Merged pull request #198 from robdimarco/2-3-stable. 
Patch for issue 6440 - Session Reset undefined method `destroy' for {}:Hash
 2011-04-28 00:37:53 -07:00
gmarik
b0be721dd9 respect :expire_after option 
- it was broken after
[commit](e0eb8e9c65)
- there's also
[issue](https://rails.lighthouseapp.com/projects/8994/tickets/6634-railsrack-inconsistency-about-expires_afterexpires-cookie-option)

- also: maybe it worth making Rack understand :expire_after as we
duplicate same logic in [cookie_store](https://github.com/gmarik/rails/blob/v2.3.11/actionpack/lib/action_controller/session/cookie_store.rb#L114)

Signed-off-by: José Valim <jose.valim@gmail.com>
 2011-04-14 13:48:35 +02:00
Rob Di Marco
589ce09564 Unit test that shows calling reset session twice results in an exception 2011-02-28 22:53:36 -05:00
Michael Koziarski
7e86f9b4d2 Change the CSRF whitelisting to only apply to get requests 
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
 2011-02-09 09:20:17 +13:00
Michael Koziarski
6d916329b8 Require thread explicitly rather than relying on rubygems to do it. 2010-12-20 11:16:55 +13:00
Pascal Friederich
e0eb8e9c65 Let Rack::Utils.set_cookie_header! create the Set-Cookie header instead of manually fiddling with the response headers [#4941 state:resolved] 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-12-01 11:58:45 +01:00
Andrew White
25139ac92c Don't write out secure cookies unless the request is secure 2010-10-27 15:04:29 +01:00
Andrew White
0e52a609fd Don't create a deprecation proxy object if the variable was passed in local_assigns [#1671 state:resolved] 2010-10-26 12:57:21 +01:00
W. Andrew Loe III
17f2fb44c0 Only send secure cookies over SSL. 2010-09-14 11:52:40 -07:00
Andrew Kaspick
a159fd0b8c Fix fixtures in integration test sessions 
Signed-off-by: Michael Koziarski <michael@koziarski.com>
 2010-09-10 10:45:23 +12:00
Jon Yurek
fb615cd7fd Fix for integration tests not serializing arrays in multipart forms correctly. 
Signed-off-by: wycats <wycats@gmail.com>
 2010-07-17 13:01:50 -05:00
Michael Lovitt
257a29d3cc Sessions should not be created until written to and session data should be destroyed on reset. [#4938 state:resolved] 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-07-14 08:04:37 +02:00
Aaron Patterson
67e18c523c fisting Session::AbstractStore#clear to actually clear the session. [#5030 state:resolved] 
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
 2010-07-01 14:47:28 -07:00
Jan Berkel
f8f4872fcc Backported patch from [#4762] 
URL fragments should not have safe characters escaped. Ref: Appendix A,
  http://tools.ietf.org/rfc/rfc3986.txt

Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-06-30 13:27:28 +02:00
Prem Sichanugrist
f8f365346e Make sure that Rails doesn't resent session_id cookie over and over again if it's already there [#2485 state:resolved] 
This apply to only Active Record store and Memcached store, as they both store only the session_id, which will be unchanged, in the cookie.

Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-06-25 09:47:56 +02:00
Jesse Storimer
85b6d79d8a CookieStore should preserve the Set-Cookie header Array [#4743 state:resolved] 
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
 2010-06-22 11:25:32 -07:00
Prem Sichanugrist
0f44d37d04 Make sure that rails recognized the full notation of IPv6 loopback address, and recognize 127.0.0.0/8 in IPv4 
[#3257 state:resolved]

Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-06-08 19:47:18 +02:00
Santiago Pastorino
a9032c885f Error messages for asserts 
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
 2010-05-24 16:05:39 -07:00
Jeremy Kemper
c66013e2c5 Fix that captured content (e.g. with form_for or div_for) would be HTML-escaped even without the rails_xss plugin installed. Rails 2.3.7, we barely knew ya... 2010-05-24 09:12:00 -07:00
Jeff Kreeftmeijer
2de364636c partial counters with :as [#2804 state:resolved] 
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
 2010-05-15 10:32:45 -07:00
Cezary Baginski
ec7716abcd actionpack: added missing encoding comments [#4466 state:resolved] 
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
 2010-04-24 17:30:59 -07:00
Jeremy Kemper
2cd29f4297 Only set response etag if body is not blank 2010-04-09 20:19:03 -07:00
Jeremy Kemper
d91d6fe15f CI: show all headers for diagnosis 2010-04-09 20:06:35 -07:00
Jeremy Kemper
56c5290fce CI: message for some outstanding failures 2010-04-09 19:32:47 -07:00
José Valim
f87a518f81 Fix tests broken in 0653a6d30e 2010-04-09 09:23:09 +02:00
David Heinemeier Hansson
0653a6d30e Fixed that default locale templates should be used if the current locale template is missing [DHH] 2010-04-08 17:15:11 -07:00
Jeremy Kemper
9b209e8cb8 read_ and write_fragment cache preserve html safety yet cache strings only 2010-03-14 18:55:13 -07:00
Sam Ruby
cbc0201a3e Add deprecation warning for overwrite_params and remove rdoc 
[#4073 state:committed]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
 2010-03-10 16:26:04 -08:00
Jeremy Kemper
3969148a13 Deprecate omitting the leading slash on a path arg to assert_redirected_to 2010-03-02 14:14:37 -08:00
Jeremy Kemper
f85ab90e4f Ruby 1.9: cookie header parser works with either newline-delimited strings or arrays 2010-02-06 19:57:06 -08:00
Santiago Pastorino and José Ignacio Costa
9ca6df83f6 Backport html_safe. Use latest rails_xss plugin for forward-compatibility with Rails 3. 2010-02-05 11:07:56 -08:00
Joshua Peek
0c0da1a6e0 Fix empty Set-Cookie headers [#3811 state:resolved] 2010-02-02 08:53:16 -06:00
Prem Sichanugrist
6012e575bb Make local_request? to returns true when facing ::1 IPv6 address [#3257 status:resolved] 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-01-18 08:29:53 +01:00
David Heinemeier Hansson
e6cadd422b Added :alert, :notice, and :flash as options to ActionController::Base#redirect_to that'll automatically set the proper flash before the redirection [DHH] Added ActionController::Base#notice/= and ActionController::Base#alert/= as a convenience accessors in both the controller and the view for flash[:notice]/= and flash[:alert]/= [DHH] 2009-12-17 11:34:47 -08:00
David Heinemeier Hansson
1229ef7bf3 Accessing nonexistant cookies through the signed jar should not raise an exception 2009-12-15 21:27:38 -08:00
David Heinemeier Hansson
0200e20f14 Added cookies.permanent, cookies.signed, and cookies.permanent.signed accessor for common cookie actions [DHH] 2009-12-15 20:01:48 -08:00
Gabe da Silveira
bfe0328580 Make sure strip_tags removes tags which start with a non-printable character 
Signed-off-by: Michael Koziarski <michael@koziarski.com>
 2009-11-27 10:04:22 +13:00
Joshua Peek
0f0f977625 Revert "Prefix Internet Explorer's accepted mime types with sensible defaults." 
IE XHR requests are misinterpreted as HTML instead of JS.

This reverts commit c680f2372e.
 2009-11-23 11:19:39 -06:00
Jeremy Kemper
a942d66597 Extract form_authenticity_param instance method so it's overridable in subclasses 2009-11-17 23:36:48 -08:00
Jeremy Kemper
c27cb5e1d4 Ruby 1.9: remove dep on T::U::AssertionFailedError 2009-11-13 18:05:14 -08:00
Bryan Helmkamp
b45d44cff0 Silence warning: ambiguous first argument; put parentheses or even spaces 2009-11-09 17:24:13 -05:00
Bryan Helmkamp
40f0ef7a37 Silence warning: instance variable @segment not initialized 2009-11-09 17:24:09 -05:00
José Valim
7ba80252a5 Make polymorphic_url work with symbols again and refactor it [#1384 status:resolved] 
Signed-off-by: Joshua Peek <josh@joshpeek.com>
 2009-10-28 14:15:16 -05:00
Yehuda Katz
fdf356d74b Fixed HTTP digest to properly return 401 when the Authorization header has no nonce specified, or the Authorization header specifies Basic auth [#2968 state:resolved] 2009-10-21 12:04:59 -07:00
George Ogata
e10b0ddc7b Make IntegrationTest::Runner propagate method_missing to ancestors. 
Fixes RSpec integration example groups, which mixes its Matchers
module into ActiveSupport::TestCase.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
 2009-10-15 11:02:02 +13:00
Jeffrey Hardy
bbaf3a04f5 CookieJar#delete should return the key's value, consistent with a Hash 
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
 2009-10-14 11:51:11 -07:00
Pratik Naik
91b61a8d16 Monkey patch Rack::Lint to allow string subclass body 2009-10-06 15:55:56 +01:00
Gaspard Bucher
8371d6f0c1 Fixes a bug where layouts provided with an absolute path would not be found because they were prefixed by 'layouts'. This bug only appears if the path does not contain the word 'layouts'. 
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#3207 state:committed]
 2009-09-28 14:40:21 +13:00