Commits on Dec 3, 2013
  1. @carlosantoniodasilva
  2. @NZKoz @tenderlove

    Deep Munge the parameters for GET and POST

    NZKoz authored tenderlove committed
    The previous implementation of this functionality could be accidentally
    subverted by instantiating a raw Rack::Request before the first Rails::Request
    was constructed.
    
    Fixes CVE-2013-6417
Commits on Nov 4, 2013
  1. @carlosantoniodasilva

    :scissors: [ci skip]

    carlosantoniodasilva authored
Commits on Nov 3, 2013
  1. @dhh

    Code style for privacy indention

    dhh authored
  2. @dhh
Commits on Aug 15, 2013
  1. @robertomiranda

    Normalize file parameters in same place as other parameters (ActionDispatch::Http::Parameters#normalize_encode_params)

    robertomiranda authored
Commits on Jul 7, 2013
  1. @pftg
Commits on May 30, 2013
  1. @gsamokovarov

    Extract ActionDispatch::Request#deep_munge

    gsamokovarov authored
    ActionDispatch::Request#deep_munge was introduced as a private method,
    but was turned into a public one for the use of
    ActionDispatch::ParamsParser.
    
    I have extracted it into ActionDispatch::Request::Utils, so it does not
    get mixed up with the Request public methods.
Commits on Mar 19, 2013
  1. @carlosantoniodasilva
Commits on Mar 15, 2013
  1. @teohm
Commits on Mar 13, 2013
  1. @steveklabnik
  2. @steveklabnik

    Fix docs: response -> request.

    steveklabnik authored
    Even though I read it carefully, my brain tricked me. :cry:
  3. @garethrees
Commits on Jan 9, 2013
  1. @tenderlove

    adding missing requires

    tenderlove authored
Commits on Jan 8, 2013
  1. @tenderlove

    * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
    * dealing with empty hashes. Thanks Damien Mathieu

    tenderlove authored
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	actionpack/lib/action_dispatch/http/request.rb
    	actionpack/lib/action_dispatch/middleware/params_parser.rb
    	activerecord/CHANGELOG.md
    	activerecord/lib/active_record/relation/predicate_builder.rb
    	activerecord/test/cases/relation/where_test.rb
  2. @jeremy @tenderlove

    Revert "Merge branch 'master-sec'"

    jeremy authored tenderlove committed
    This reverts commit 88cc168, reversing
    changes made to f049016.
  3. @tenderlove

    * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
    * dealing with empty hashes. Thanks Damien Mathieu

    tenderlove authored
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	actionpack/lib/action_dispatch/http/request.rb
    	actionpack/lib/action_dispatch/middleware/params_parser.rb
    	activerecord/CHANGELOG.md
    	activerecord/lib/active_record/relation/predicate_builder.rb
    	activerecord/test/cases/relation/where_test.rb
Commits on Jan 6, 2013
  1. @amatsuda

    Needless requires

    amatsuda authored
Commits on Dec 11, 2012
  1. @venables

    Fix rewinding in ActionDispatch::Request#raw_post

    venables authored
    If env['RAW_POST_DATA'] is nil, #raw_post will attempt to set it to
    the result of #body (which will return env['rack.input'] if
    env['RAW_POST_DATA'] is nil). #raw_post will then attempt to rewind
    the result of another call to #body. Since env['RAW_POST_DATA'] has
    already been set, the result of #body is not env['rack.input'] anymore.
    This causes env['rack.input'] to never be rewound.
Commits on Oct 25, 2012
  1. @tenderlove
  2. @tenderlove
Commits on Oct 18, 2012
  1. @tenderlove
Commits on Aug 31, 2012
  1. @steveklabnik
Commits on Aug 9, 2012
  1. @tenderlove
Commits on Jul 23, 2012
  1. @spastorino

    Remove ActionDispatch::Head middleware in favor of Rack::Head

    spastorino authored
    Closes #7110; there's more work to do on rack-cache issue 69
Commits on Jun 13, 2012
  1. @homakov

    These lines don't help to mitigate CVE. They only turn [nil] into nil, w/o them [nil] turns into [] and that is quite innocent.

    homakov authored
    
    generated SQL - `IN (NULL)`
    compact! did all the job.
Commits on Jun 12, 2012
  1. @tenderlove
Commits on May 30, 2012
  1. @tenderlove

    Strip [nil] from parameters hash.

    tenderlove authored
    Thanks to Ben Murphy for reporting this!
    
    CVE-2012-2660
Commits on May 20, 2012
  1. @pixeltrix

    Raise ActionController::BadRequest for malformed parameter hashes.

    pixeltrix authored
    Currently Rack raises a TypeError when it encounters a malformed or
    ambiguous hash like `foo[]=bar&foo[4]=bar`. Rather than pass this
    through to the application this commit captures the exception and
    re-raises it using a new ActionController::BadRequest exception.
    
    The new ActionController::BadRequest exception returns a 400 error
    instead of the 500 error that would've been returned by the original
    TypeError. This allows exception notification libraries to ignore
    these errors if so desired.
    
    Closes #3051
Commits on May 13, 2012
  1. @pixeltrix
Commits on May 3, 2012
  1. @tenderlove
Commits on Mar 24, 2012
  1. @fxn

    Revert "Return an actual boolean from xml_http_request?"

    fxn authored
    Reason: This commit changes code that was committed some year
    and a half ago. The original code is an ordinary predicate
    that delegates straight to a boolean operator with no further
    unnecessary adornments, as clearly explained in #5329.
    
    This change also may confuse users who may now believe they can
    rely now on singletons, while predicates in Rails rely on
    standard Ruby semantics for boolean values and guarantee no
    singletons whatsoever.
    
    This reverts commit 6349791.
  2. @tpope
Commits on Feb 29, 2012
  1. @tenderlove
Commits on Feb 22, 2012
  1. @dlee

    Add config.default_method_for_update to support PATCH

    dlee authored
    PATCH is the correct HTML verb to map to the #update action. The
    semantics for PATCH allows for partial updates, whereas PUT requires a
    complete replacement.
    
    Changes:
    * adds config.default_method_for_update you can set to :patch
    * optionally use PATCH instead of PUT in resource routes and forms
    * adds the #patch verb to routes to detect PATCH requests
    * adds #patch? to Request
    * changes documentation and comments to indicate support for PATCH
    
    This change maintains complete backwards compatibility by keeping :put
    as the default for config.default_method_for_update.