- 22 Sep, 2020 1 commit
Committed by Adrianna Chang
* Add binary encoding logic into ActionDispatch::Request::Utils

  Moving the logic to set binary encoding into ActionDispatch::Request::Utils will allow us to encode from GET and POST in ActionDispatch::Request.

* Refactor binary encoding logic
  - Move binary encoding calls into GET, POST and path_parameters
  - Remove binary encoding from ActionDispatch::Http::Request
  - This way, we only raise an invalid encoding exception if the controller is not requesting parameters in binary encoding
* Check if encoding is valid in ActionDispatch::Request#POST and raise BadRequest if invalid
* Fix multipart_params_test that has binary-encoded params containing invalid UTF-8 characters
* Address PR comments
* Pass action and controller to Request::Utils.set_binary_encoding

[Rafael Mendonça França + Adrianna Chang]
-
- 06 Sep, 2020 1 commit
Committed by Petrik
Calling request in an action of a controller generates an endless stream of characters, including the Rack app and middlewares. This can be frustrating when using a debugger in a controller and accidentally calling `request` generates output for a couple of seconds. Inspect on ActionDispatch::Request is shortened to the most relevant attributes and uses the same format as used for request in the logs: "#<ActionDispatch::Request POST "https://example.com/path/of/some/uri?q=1" for 1.2.3.4>"
-
- 14 Jun, 2020 1 commit
Committed by Ryuta Kamizono
Follow up to c07dff72. Actually it is not the cop's fault, but we mistakenly use `^`, `$`, and `\Z` in many places, the cop doesn't correct those conservatively. I've checked all those usages and replaced all safe ones.
-
- 26 May, 2020 1 commit
Committed by Vinicius Stock
* Remove dup from post body for forcing encoding
* Properly assign raw_post variable to encoded version

Co-authored-by: Ryuta Kamizono <kamipo@gmail.com>
-
- 10 Mar, 2020 1 commit
Committed by Ryuta Kamizono
-
- 25 Feb, 2020 1 commit
Committed by Rafael Mendonça França
[ci skip]
-
- 09 Dec, 2019 1 commit
Committed by Rafael Mendonça França
This reverts commit 4e105385, reversing changes made to 62b43839. The change in Ruby that made those changes required was reverted in https://bugs.ruby-lang.org/projects/ruby-trunk/repository/git/revisions/8852fa876039ed177fd5e867f36177d8a9ff411c
-
- 04 Dec, 2019 1 commit
Committed by Jean Boussier
Fix: https://github.com/rails/rails/issues/37650

The classic autoloader used to totally unregister any constant that failed midway. Which means `"SomeConst".constantize` was idempotent.

However Zeitwerk relies on normal `Kernel#require` behavior, which means that if an exception is raised during a class/module definition, it will be left incompletely defined. For instance:

```ruby
class FooController
  ::DoesNotExist

  def index
  end
end
```

Will leave `FooController` defined, but without its `index` method.

Because of this, when silencing a NameError, it's important to make sure the missing constant is really the one we were trying to load.
-
- 07 Nov, 2019 1 commit
Committed by George Claghorn
-
- 03 Nov, 2019 1 commit
Committed by utilum
As of ruby/ruby@2a22a6b2d8465934e75520a7fdcf522d50890caf calling `Regexp#match?(nil)` raises an exception. [utilum, eregon, eugeneius]
-
- 07 Oct, 2019 1 commit
Committed by norm
Updated the setter to clear the value in the `@remote_ip` instance variable before setting the header that the value is derived from in the getter.
-
- 31 Jul, 2019 1 commit
Committed by Akira Matsuda
-
- 29 Jul, 2019 1 commit
Committed by Akira Matsuda
-
- 11 Jul, 2019 1 commit
Committed by Jacob Bednarz
An HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX.

WICG specification: https://wicg.github.io/feature-policy/

The end result is an HTTP header that looks like the following:

```
Feature-Policy: geolocation 'none'; autoplay https://example.com
```

This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1].

As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4].

#### Examples

Using an initializer

```rb
# config/initializers/feature_policy.rb
Rails.application.config.feature_policy do |f|
  f.geolocation :none
  f.camera      :none
  f.payment     "https://secure.example.com"
  f.fullscreen  :self
end
```

In a controller

```rb
class SampleController < ApplicationController
  def index
    feature_policy do |f|
      f.geolocation "https://example.com"
    end
  end
end
```

Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change.

This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on its own.

Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality.

[1]: https://github.com/WICG/feature-policy/blob/master/features.md
[2]: https://www.chromestatus.com/feature/5694225681219584
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801
[4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy
[5]: https://developers.google.com/web/updates/2018/06/feature-policy
-
- 14 Nov, 2018 1 commit
Committed by Gannon McGibbon
[Gannon McGibbon + Josh Cheek]
-
- 29 Sep, 2018 1 commit
Committed by Yasuo Honda
Since Rails 6.0 will support Ruby 2.4.1 or higher `# frozen_string_literal: true` magic comment is enough to make string object frozen. This magic comment is enabled by `Style/FrozenStringLiteralComment` cop.

* Exclude these files not to auto correct false positive `Regexp#freeze`
  - 'actionpack/lib/action_dispatch/journey/router/utils.rb'
  - 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb'

  It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333
  Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed.

* Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required
  - 'actionpack/test/controller/test_case_test.rb'
  - 'activemodel/test/cases/type/string_test.rb'
  - 'activesupport/lib/active_support/core_ext/string/strip.rb'
  - 'activesupport/test/core_ext/string_ext_test.rb'
  - 'railties/test/generators/actions_test.rb'
-
- 27 Nov, 2017 1 commit
-
- 02 Nov, 2017 1 commit
Committed by haneru
-
- 21 Oct, 2017 1 commit
Committed by Akira Matsuda
This basically reverts e9fca766, d08da958, d1fe1dcf, and 68eaf7b4
-
- 04 Oct, 2017 1 commit
Committed by eileencodes
When puma/puma#1403 is merged Puma will support the Early Hints status code for sending assets before a request has finished.

While the Early Hints spec is still in draft, this PR prepares Rails to allow this status code.

If the proxy server supports Early Hints, it will send H2 pushes to the client.

This PR adds a method for setting Early Hints Link headers via Rails, and also automatically sends Early Hints if supported from the `stylesheet_link_tag` and the `javascript_include_tag`.

Once puma supports Early Hints the `--early-hints` argument can be passed to the server to enable this or set in the puma config with `early_hints(true)`. Note that for Early Hints to work in the browser the requirements are 1) a proxy that can handle H2, and 2) HTTPS.

To start the server with Early Hints enabled pass `--early-hints` to `rails s`.

This has been verified to work with h2o, Puma, and Rails with Chrome.

The commit adds a new option to the rails server to enable early hints for Puma.

Early Hints spec: https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-04

[Eileen M. Uchitelle, Aaron Patterson]
-
- 22 Aug, 2017 1 commit
Committed by Yoshiyuki Hirano
-
- 02 Aug, 2017 1 commit
Committed by eileencodes
This commit changes the behavior such that the path_params now default to UTF8 just like regular parameters. This also changes the behavior such that if a path parameter contains invalid UTF8 it returns a 400 bad request. Previously the behavior was to encode the path params as binary but that's not the same as query params.

So this commit makes path params behave the same as query params.

It's important to test with a path that's encoded as binary because that's how paths are encoded from the socket. The test that was altered was changed to make the behavior for bad encoding the same as query params. We want to treat path params the same as query params. The params in the test are invalid UTF8 so they should return a bad request.

Fixes #29669

*Eileen M. Uchitelle, Aaron Patterson, & Tsukuru Tanimichi*
-
- 25 Jul, 2017 1 commit
Committed by Kir Shatrov
-
- 11 Jul, 2017 1 commit
Committed by Koichi ITO
-
- 07 Jul, 2017 1 commit
Committed by Kir Shatrov
-
- 02 Jul, 2017 1 commit
Committed by Matthew Draper
This reverts commit 3420a145, reversing changes made to afb66a5a.
-
- 01 Jul, 2017 2 commits
Committed by Akira Matsuda
-
Committed by Kir Shatrov
-
- 14 Mar, 2017 1 commit
Committed by Hrvoje Šimić
-
- 29 Dec, 2016 2 commits
Committed by प्रथमेश Sonpatki
-
Committed by Shardul Parab
Documentation for ActionDispatch::Request#key? [ci skip]

Update request.rb --ci skip

Documentation for ActionDispatch::Request#key? [ci skip] Also made change after the review by @rafaelfranca.

Update request.rb --ci skip

Documentation for ActionDispatch::Request#key? [ci skip] Also made change after the review by @rafaelfranca.

Update request.rb --ci skip
-
- 22 Dec, 2016 1 commit
Committed by Aaron Patterson
This commit changes `parameter_encoding` to `skip_parameter_encoding`. `skip_parameter_encoding` will set encoding on all parameters to ASCII-8BIT for a given action on a particular controller. This allows the controller to handle data when the encoding of that data is unknown, for example file systems or truly binary parameters.
-
- 10 Oct, 2016 1 commit
Committed by Rafael Mendonça França
ActionDispatch::ParamsParser class was removed in favor of ActionDispatch::Http::Parameters so it is better to move the error constant to the new class.
-
- 16 Aug, 2016 1 commit
Committed by Rafael Mendonça França
Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces

Fix all violations in the repository.
-
- 10 Aug, 2016 1 commit
Committed by Kerri Miller
At GitHub we need to handle parameter encodings that are not UTF-8. This patch allows us to specify encodings per parameter per action.
-
- 07 Aug, 2016 1 commit
Committed by Xavier Noria
The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
-
- 14 Jul, 2016 1 commit
Committed by Grey Baker
Check for any non-UTF8 characters in path parameters at the point they're set in `env`. Previously they were checked for when used to get a controller class, but this meant routes that went directly to a Rack app, or skipped controller instantiation for some other reason, had to defend against non-UTF8 characters themselves.
-
- 20 Mar, 2016 1 commit
Committed by Jon Moss
Due to that `ActionDispatch::Flash` (the flash API's middleware) is not included for API controllers, the `request.reset_session` method, which relies on there being a `flash=` method which is in fact defined by the middleware, was previously breaking. Similarly to how add46482 created a method to be overridden by the flash middleware in order to ensure non-breakage, this is how flashes are now reset. Fixes #24222
-
- 24 Feb, 2016 1 commit
-
- 14 Jan, 2016 1 commit
Committed by Akira Matsuda
Converting nbsp(\u{00A0}) to the normal ASCII space(\u{0020}) [ci skip]
-