Deprecate method "match" in routes.rb #5964

Closed
homakov opened this issue Apr 24, 2012 · 4 comments

@homakov (Contributor) commented Apr 24, 2012

My proposal is to announce the 'match' method in routes.rb as deprecated and later (e.g. Rails 5.0) put it in the "private methods" section.

It will encourage people to use "pure" RESTful methods-verbs like put, post, get, etc. and will raise knowledge of their meaning and goal. (GET for retrieving data, POST for state-changing requests.)

Why? - my points are described at http://homakov.blogspot.com/2012/04/whitelist-your-routes-match-is-evil.html

I would love to hear your viewpoint or just a few words on the subject, thanks for taking it into account!
/cc @dhh @wycats and others

@steveklabnik (Member) commented Apr 24, 2012

👍

@lightcap commented Apr 25, 2012

👍

@Aupajo (Contributor) commented Apr 25, 2012

👍

@sh286 commented Apr 25, 2012

I agree.

@wycats closed this in 56cdc81 Apr 25, 2012
romanvbabenko added a commit to romanvbabenko/rails that referenced this issue May 2, 2012
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes rails#5964
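
The behaviour change described in the commit message above, modelled as an added example that is not part of the issue, the commit, or the Rails code base. `ToyRouter`, its `strict:` flag, `multi_verb_paths` and the `/posts/publish` route are hypothetical names constructed for illustration; only `match`, the verb methods and the `:via => :all` option come from the page.

```ruby
# Toy model of a verb-aware route table (constructed for illustration; not Rails code).
class ToyRouter
  VERBS = %i[get post put delete].freeze

  def initialize(strict:)
    @strict = strict   # true models the behaviour described in the commit message
    @routes = []       # each entry: [verbs, path, endpoint]
  end

  # match: without :via it answers every verb (old behaviour) or is rejected (strict).
  def match(path, to:, via: nil)
    if via.nil?
      raise ArgumentError, "match '#{path}' needs :via (via: :all matches every verb)" if @strict
      via = :all
    end
    verbs = via == :all ? VERBS : Array(via)
    @routes << [verbs, path, to]
  end

  # get/post/put/delete are match with a single-verb constraint.
  VERBS.each do |verb|
    define_method(verb) { |path, to:| match(path, to: to, via: verb) }
  end

  # Returns the endpoint for a request, or nil when no route accepts this verb.
  def recognize(verb, path)
    route = @routes.find { |verbs, p, _| p == path && verbs.include?(verb) }
    route && route[2]
  end

  # Audit helper: paths whose endpoint is reachable with more than one verb.
  def multi_verb_paths
    @routes.select { |verbs, _, _| verbs.size > 1 }.map { |_, path, _| path }
  end
end

def legacy_router   # old behaviour: bare match on a state-changing action
  r = ToyRouter.new(strict: false)
  r.match "/posts/publish", to: "posts#publish"   # author meant POST only
  r.get   "/posts",         to: "posts#index"
  r
end

def strict_router   # same routes written with explicit verbs
  r = ToyRouter.new(strict: true)
  r.post "/posts/publish", to: "posts#publish"
  r.get  "/posts",         to: "posts#index"
  r
end
```

In the legacy table a GET to `/posts/publish` reaches the state-changing action; in the strict table it is not routed, and a bare `match` raises at definition time unless `via: :all` is given.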
vosechu referenced this issue in lavapj/commuterapp Apr 17, 2013
Updated .gitignore with more temp files;