Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Changes default render behavior from file to template. #16888
Currently the default behavior of
That means that the file being looked up is not restricted to the view paths, or the rails root path, and can lead to potentially vulnerable leaks from the filesystem.
This pull request changes the default behavior to
This may result in a more secure system without having to know the low level underpinnings of the ActionView::Rendering implementation, and I'm submitting this to open a conversation about it. When I first came across this it appeared to be a security issue, and reached out to the security team before looking into it and realizing it was the behavior as designed.
referenced this pull request
Sep 12, 2014
@rafaelfranca, the change is only to change the default from
To clarify, most people who are using this are probably assuming it defaulted to template, and not to file, and so are unlikely to experience issues. It's likely only the cases where someone in fact knew that not supplying an options hash defaulted to
That being said, I'm happy to follow instructions, and just need guidance on what should happen where, and when.
I know, I just pointing if we are going to add deprecation message the only way of people remove the message from their logs is changing the code to explicitly use
For example if we add deprecation message to:
And we show the message:
What would the users will have to do to remove this deprecation warning?