Commit Graph

48 Commits

Author SHA1 Message Date
Andrew White
6520ea5f7e Deprecate :controller and :action path parameters
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
2016-03-01 08:48:53 +00:00
Matthew Draper
6216a092cc Revert "Update Session to utilize indifferent access"
This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a.

HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.

Fixes #23884
2016-02-26 03:06:38 +10:30
Tom Prats
45a75a3fcc Update Session to utilize indifferent access 2016-01-30 19:30:32 -05:00
Marcin Olichwirowicz
3a161e65e7 Get rid of mocha tests - part 1 2015-08-24 12:24:07 +02:00
Aaron Patterson
2a3c47ff5d finish deprecating handling strings and symbols
since we only work with instances of classes, it greatly simplifies the
`Middleware` implementation.
2015-08-07 15:37:31 -07:00
Prem Sichanugrist
8cb8ce98d9 Stop using deprecated render :text in test
This will silence deprecation warnings.

Most of the test can be changed from `render :text` to render `:plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
2015-07-17 22:27:33 -04:00
Brian John
82402e6583 Use request.session.id instead of request.session_options[:id]
As of the upgrade to Rack 1.5, request.session_options[:id] is no
longer populated. Reflect this change in the tests by using
request.session.id instead.

Related change in Rack:
https://github.com/rack/rack/commit/83a270d6
2015-03-12 09:52:38 -05:00
Rafael Mendonça França
bb6fe7e73a Consistent usage of spaces in hashes across our codebase 2015-01-29 12:19:41 -02:00
Kir Shatrov
baf14ae513 Switch to kwargs in ActionController::TestCase and ActionDispatch::Integration
Non-kwargs requests are deprecated now.
Guides are updated as well.

`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
2015-01-29 14:44:46 +02:00
Akira Matsuda
b30b99c615 Expectations first 2014-08-18 15:40:53 +09:00
Trevor Turk
2edf657a64 Remove comments about removing LegacyKeyGenerator in 4.1 2013-04-03 08:28:37 -05:00
Trevor Turk
7c7a427344 Rename DummyKeyGenerator -> LegacyKeyGenerator 2013-04-02 18:41:57 -05:00
Carlos Antonio da Silva
7d624e0e8c Integrate Action Pack with Rack 1.5
All ActionPack and Railties tests are passing. Closes #8891.

[Carlos Antonio da Silva + Santiago Pastorino]
2013-01-25 17:28:41 -02:00
Santiago Pastorino
60609bb50d Sign cookies using key deriver 2012-11-03 14:57:53 -02:00
Andreas Loupasakis
e282a0a3b7 Add integration tests for reset_session in cookie store 2012-09-08 11:05:04 +03:00
Jose and Yehuda
56cdc81c08 Remove default match without specified method
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes #5964
2012-04-24 22:52:26 -05:00
Carlos Antonio da Silva
71566c3573 Remove rescue_action from compatibility module and tests 2012-01-17 10:04:37 -02:00
Vijay Dev
541018a07b fix deprecation warning in cookie_store_test
The options argument to MessageVerifier#initialize should be a hash.
2011-09-25 23:21:37 +05:30
Jon Leighton
d411c85a65 Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. 2011-05-23 20:25:44 +01:00
José Valim
afc3ccf74c Fix renew feature on cookies. 2011-05-04 20:12:27 +02:00
Aaron Patterson
ea25224046 cleaning up some warnings on 1.9.3 2011-02-07 16:44:27 -08:00
José Valim
50215f9525 Rely on Rack::Session stores API for more compatibility across the Ruby world. 2010-10-03 21:24:22 +02:00
Emilio Tagua
2d274a5208 Use parentheses when using assert_match followed by a regexp to avoid warnings. 2010-09-27 11:19:19 -03:00
Carlos Antonio da Silva
7fc1edd790 Remove deprecated stuff in ActionController
This removes all deprecated classes in ActionController related to
Routing, Abstract Request/Response and Integration/IntegrationTest.
All tests and docs were changed to ActionDispatch instead of ActionController.
2010-09-26 02:13:45 +08:00
W. Andrew Loe III
9cd094b8da Only send secure cookies over SSL. 2010-09-13 15:11:46 -07:00
Piotr Sarnacki
b3eb26a161 Removed deprecated RouteSet API, still many tests fail 2010-09-05 13:44:36 +02:00
Santiago Pastorino
b451de0d6d Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;) 2010-08-14 04:12:33 -03:00
José Valim
291adcd588 Setting session options id to nil is respected and cancels lazy loading. 2010-07-18 12:51:03 +02:00
Aaron Patterson
f8720a04d1 porting session.clear fix to master branch. [#5030 state:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-07-01 15:17:19 -07:00
Michael Lovitt
ebee77a28a Fixed that an ArgumentError is thrown when request.session_options[:id] is read in the following scenario: when the cookie store is used, and the session contains a serialized object of an unloaded class, and no session data accesses have occurred yet. Pushed the stale_session_check responsibility out of the SessionHash and down into the session store, closer to where the deserialization actually occurs. Added some test coverage for this case and others related to deserialization of unloaded types.
[#4938]

Signed-off-by: José Valim <jose.valim@gmail.com>
2010-06-27 22:39:06 +02:00
José Valim
d69ebb849a Avoid deserializing cookies too early, which causes session objects to not be available yet. Unfortunately, could not reproduce this in a test case. 2010-06-24 20:03:03 +02:00
Michael Lovitt
49f52c3d91 Sessions should not be created until written to and session data should be destroyed on reset.
[#4938]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-06-23 11:56:35 -07:00
Rizwan Reza
edbb78d6cc The previous commit didn't work with complex domains, which is now fixed. 2010-06-11 16:34:52 +02:00
Rizwan Reza
44830ead1c Add support for multi-subdomain session by setting cookie host in session cookie so you can share session between www.example.com, example.com and user.example.com. [#4818 state:resolved]
This reverts commit 330a89072a493aafef1e07c3558964477f85adf0.
2010-06-11 16:34:52 +02:00
José Valim
c536835957 Cut the fat and make session stores rely on request.cookie_jar and change set_session semantics to return the cookie value instead of a boolean. 2010-05-18 03:18:23 +02:00
José Valim
25f7c030e4 Simplify cookie_store by simply relying on cookies.signed. 2010-05-18 02:05:20 +02:00
Joshua Peek
d2d4acf027 Cookies middleware 2010-01-16 17:22:27 -06:00
Jeremy Kemper
425a02cece Ruby 1.9: resolve constant lookup issues 2009-11-04 15:41:50 -08:00
Joshua Peek
a5c82a9dfb Start rewriting some internal tests to use the new routing dsl 2009-10-20 16:03:55 -05:00
Joshua Peek
84e94551f6 Add custom "with_routing" to internal tests to fix resetting session after using
with_routing. This only affects our internal AP tests.
2009-10-03 20:45:49 -05:00
Joshua Peek
acfeec5151 Allow integration test rack app to be set with "@app" ivar instead of using open_session 2009-09-26 20:51:05 -05:00
Joshua Peek
1f72700575 Move default middleware stack into initializer 2009-09-26 13:41:32 -05:00
Joshua Peek
0c638b3406 Clean up session integration tests so they don't reference AC::Dispatcher 2009-09-26 12:56:53 -05:00
Jay Pignata
e0f1a7dc19 If session_options[:id] is requested when using CookieStore, unmarshal the session to access it [#2268 state:resolved]
Signed-off-by: Joshua Peek <josh@joshpeek.com>
2009-09-03 11:50:01 -05:00
Joshua Peek
ba5995dcd9 Reset session in integration tests after changing routes to reload the middleware stack 2009-08-27 12:43:26 -05:00
Pratik Naik
9cda410d81 Make cookie store tests pass with the new base 2009-05-25 16:52:44 +02:00
Joshua Peek
0494909679 Inherit TestSession from Session::AbstractStore and add indifferent access to Session::AbstractStore. 2009-04-26 14:33:57 -05:00
Joshua Peek
fc5c1b0e90 Session tests belong under dispatch folder 2009-04-21 19:57:18 -05:00