Andrew White
6520ea5f7e
Deprecate :controller and :action path parameters
...
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
2016-03-01 08:48:53 +00:00
Matthew Draper
6216a092cc
Revert "Update Session to utilize indifferent access"
...
This reverts commit 45a75a3fcc96b22954caf69be2df4e302b134d7a.
HWIAs are better than silently deeply-stringified hashes... but that's a
reaction to a shortcoming of one particular session store: we should not
break the basic behaviour of other, more featureful, session stores in
the process.
Fixes #23884
2016-02-26 03:06:38 +10:30
Tom Prats
45a75a3fcc
Update Session to utilize indifferent access
2016-01-30 19:30:32 -05:00
Marcin Olichwirowicz
3a161e65e7
Get rid of mocha tests - part 1
2015-08-24 12:24:07 +02:00
Aaron Patterson
2a3c47ff5d
finish deprecating handling strings and symbols
...
since we only work with instances of classes, it greatly simplifies the
`Middleware` implementation.
2015-08-07 15:37:31 -07:00
Prem Sichanugrist
8cb8ce98d9
Stop using deprecated render :text in test
...
This will silence deprecation warnings.
Most of the tests can be changed from `render :text` to `render :plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
2015-07-17 22:27:33 -04:00
Brian John
82402e6583
Use request.session.id instead of request.session_options[:id]
...
As of the upgrade to Rack 1.5, request.session_options[:id] is no
longer populated. Reflect this change in the tests by using
request.session.id instead.
Related change in Rack:
https://github.com/rack/rack/commit/83a270d6
2015-03-12 09:52:38 -05:00
Rafael Mendonça França
bb6fe7e73a
Consistent usage of spaces in hashes across our codebase
2015-01-29 12:19:41 -02:00
Kir Shatrov
baf14ae513
Switch to kwargs in ActionController::TestCase and ActionDispatch::Integration
...
Non-kwargs requests are deprecated now.
Guides are updated as well.
`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
2015-01-29 14:44:46 +02:00
Akira Matsuda
b30b99c615
Expectations first
2014-08-18 15:40:53 +09:00
Trevor Turk
2edf657a64
Remove comments about removing LegacyKeyGenerator in 4.1
2013-04-03 08:28:37 -05:00
Trevor Turk
7c7a427344
Rename DummyKeyGenerator -> LegacyKeyGenerator
2013-04-02 18:41:57 -05:00
Carlos Antonio da Silva
7d624e0e8c
Integrate Action Pack with Rack 1.5
...
All ActionPack and Railties tests are passing. Closes #8891.
[Carlos Antonio da Silva + Santiago Pastorino]
2013-01-25 17:28:41 -02:00
Santiago Pastorino
60609bb50d
Sign cookies using key deriver
2012-11-03 14:57:53 -02:00
Andreas Loupasakis
e282a0a3b7
Add integration tests for reset_session in cookie store
2012-09-08 11:05:04 +03:00
Jose and Yehuda
56cdc81c08
Remove default match without specified method
...
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
2012-04-24 22:52:26 -05:00
Carlos Antonio da Silva
71566c3573
Remove rescue_action from compatibility module and tests
2012-01-17 10:04:37 -02:00
Vijay Dev
541018a07b
fix deprecation warning in cookie_store_test
...
The options argument to MessageVerifier#initialize should be a hash.
2011-09-25 23:21:37 +05:30
Jon Leighton
d411c85a65
Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required.
2011-05-23 20:25:44 +01:00
José Valim
afc3ccf74c
Fix renew feature on cookies.
2011-05-04 20:12:27 +02:00
Aaron Patterson
ea25224046
cleaning up some warnings on 1.9.3
2011-02-07 16:44:27 -08:00
José Valim
50215f9525
Rely on Rack::Session stores API for more compatibility across the Ruby world.
2010-10-03 21:24:22 +02:00
Emilio Tagua
2d274a5208
Use parentheses when using assert_match followed by a regexp to avoid warnings.
2010-09-27 11:19:19 -03:00
Carlos Antonio da Silva
7fc1edd790
Remove deprecated stuff in ActionController
...
This removes all deprecated classes in ActionController related to
Routing, Abstract Request/Response and Integration/IntegrationTest.
All tests and docs were changed to ActionDispatch instead of ActionController.
2010-09-26 02:13:45 +08:00
W. Andrew Loe III
9cd094b8da
Only send secure cookies over SSL.
2010-09-13 15:11:46 -07:00
Piotr Sarnacki
b3eb26a161
Removed deprecated RouteSet API, still many tests fail
2010-09-05 13:44:36 +02:00
Santiago Pastorino
b451de0d6d
Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;)
2010-08-14 04:12:33 -03:00
José Valim
291adcd588
Setting session options id to nil is respected and cancels lazy loading.
2010-07-18 12:51:03 +02:00
Aaron Patterson
f8720a04d1
porting session.clear fix to master branch. [#5030 state:resolved]
...
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-07-01 15:17:19 -07:00
Michael Lovitt
ebee77a28a
Fixed that an ArgumentError is thrown when request.session_options[:id] is read in the following scenario: when the cookie store is used, and the session contains a serialized object of an unloaded class, and no session data accesses have occurred yet. Pushed the stale_session_check responsibility out of the SessionHash and down into the session store, closer to where the deserialization actually occurs. Added some test coverage for this case and others related to deserialization of unloaded types.
...
[#4938]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-06-27 22:39:06 +02:00
José Valim
d69ebb849a
Avoid deserializing cookies too early, which causes session objects to not be available yet. Unfortunately, could not reproduce this in a test case.
2010-06-24 20:03:03 +02:00
Michael Lovitt
49f52c3d91
Sessions should not be created until written to and session data should be destroyed on reset.
...
[#4938]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-06-23 11:56:35 -07:00
Rizwan Reza
edbb78d6cc
The previous commit didn't work with complex domains, which is now fixed.
2010-06-11 16:34:52 +02:00
Rizwan Reza
44830ead1c
Add support for multi-subdomain session by setting cookie host in session cookie so you can share session between www.example.com, example.com and user.example.com. [#4818 state:resolved]
...
This reverts commit 330a89072a493aafef1e07c3558964477f85adf0.
2010-06-11 16:34:52 +02:00
José Valim
c536835957
Cut the fat and make session stores rely on request.cookie_jar and change set_session semantics to return the cookie value instead of a boolean.
2010-05-18 03:18:23 +02:00
José Valim
25f7c030e4
Simplify cookie_store by simply relying on cookies.signed.
2010-05-18 02:05:20 +02:00
Joshua Peek
d2d4acf027
Cookies middleware
2010-01-16 17:22:27 -06:00
Jeremy Kemper
425a02cece
Ruby 1.9: resolve constant lookup issues
2009-11-04 15:41:50 -08:00
Joshua Peek
a5c82a9dfb
Start rewriting some internal tests to use the new routing dsl
2009-10-20 16:03:55 -05:00
Joshua Peek
84e94551f6
Add custom "with_routing" to internal tests to fix resetting session after using
...
with_routing. This only affects our internal AP tests.
2009-10-03 20:45:49 -05:00
Joshua Peek
acfeec5151
Allow integration test rack app to be set with "@app" ivar instead of using open_session
2009-09-26 20:51:05 -05:00
Joshua Peek
1f72700575
Move default middleware stack into initializer
2009-09-26 13:41:32 -05:00
Joshua Peek
0c638b3406
Clean up session integration tests so they don't reference AC::Dispatcher
2009-09-26 12:56:53 -05:00
Jay Pignata
e0f1a7dc19
If session_options[:id] is requested when using CookieStore, unmarshal the session to access it [#2268 state:resolved]
...
Signed-off-by: Joshua Peek <josh@joshpeek.com>
2009-09-03 11:50:01 -05:00
Joshua Peek
ba5995dcd9
Reset session in integration tests after changing routes to reload the middleware stack
2009-08-27 12:43:26 -05:00
Pratik Naik
9cda410d81
Make cookie store tests pass with the new base
2009-05-25 16:52:44 +02:00
Joshua Peek
0494909679
Inherit TestSession from Session::AbstractStore and add indifferent access to Session::AbstractStore.
2009-04-26 14:33:57 -05:00
Joshua Peek
fc5c1b0e90
Session tests belong under dispatch folder
2009-04-21 19:57:18 -05:00