Deprecate :controller and :action path parameters #23980
Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.
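To make the routing argument above concrete, here is an added example (my own toy router, not code from rails/rails#23980 or from Rails itself): the same controller served once through a dynamic `:action` path segment, guarded only by a deny-style check, and once through routes that are enumerated up front. The controller, method names and router classes are all constructed for illustration.

```ruby
# Added example, not part of the pull request: contrasts a dynamic ":action"
# path segment with explicitly enumerated routes on a toy controller.
require "set"

# A controller with two real actions and one public helper that is NOT meant
# to be reachable over HTTP (constructed names; "reset_credentials" stands in
# for any method left public by accident, e.g. for a rake task).
class AccountsController
  def show;   "showing account"; end
  def update; "updating account"; end
  def reset_credentials; "credentials reset"; end
end

# Route style 1, the shape the PR deprecates: `get "/accounts/:action"`.
# Whatever string appears in the path becomes the method name, and the only
# guard is a deny-list of methods every Object has. Anything not on that list
# but public on the controller is dispatchable.
class DynamicActionRouter
  def initialize(controller_class)
    @controller_class = controller_class
  end

  def dispatch(path)
    action = path.split("/").last
    ctrl = @controller_class.new
    denied = Object.instance_methods.map(&:to_s)
    return :not_found if denied.include?(action) || !ctrl.respond_to?(action)
    ctrl.public_send(action)
  end
end

# Route style 2, the shape the PR recommends: every reachable action is named
# in the routes at boot time, so the request can only select among them.
class ExplicitRouter
  def initialize(controller_class, actions)
    @controller_class = controller_class
    @routes = actions.to_set # allowlist built from configuration, never from input
  end

  def dispatch(path)
    action = path.split("/").last
    return :not_found unless @routes.include?(action)
    @controller_class.new.public_send(action)
  end
end

if __FILE__ == $PROGRAM_NAME
  dynamic  = DynamicActionRouter.new(AccountsController)
  explicit = ExplicitRouter.new(AccountsController, %w[show update])
  %w[/accounts/show /accounts/reset_credentials].each do |path|
    puts "#{path}: dynamic=#{dynamic.dispatch(path).inspect} explicit=#{explicit.dispatch(path).inspect}"
  end
end
```

The point the PR makes is visible in the second path: the deny-list router has to anticipate every method that must not be an action, while the explicit router only has to know the two that are.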
…ents Deprecate :controller and :action path parameters
Follow-up to rails#23980. - Fix grammar: "be remove" -> "be removed". - Wrap lines at 80 chars. Lurvely ;-)
This was deprecated on rails/rails#23980. We now generate scope and provider specific routes, like `user_facebook_omniauth_callback` or `user_github_omniauth_callback`. We could deprecate the `omniauth_authorize_path` in favor of the generated routes, but the `shared/links.html.erb` depends on it to generate all omniauth links at once. Closes #3983.
…ion View test Follow up to rails#23980.
Using dynamic :controller or :action segments in routes has been a source of a number of security issues in production and is deprecated in Rails 5.0 since this [pull request] and is planned to be removed in Rails 5.1. Ransack is still maintaining compatibility with legacy Rails 3 and 4 versions, so this commit silences the deprecation messages for now while running the test suite. [pull request]: rails/rails#23980
"Using a dynamic :controller (or :action) segment in a route is deprecated" by 6520ea5 (rails#23980).
hallelujah!
add #23980 to release notes [ci skip]
Is there some other way to draw dynamic routes in Rails 5.1? I'm maintaining an enormous Rails app that was built on Rails 1 and almost every
Passing in a dynamic action is deprecated in Rails 5.1 (for security reasons) and will be removed in 5.2.: rails/rails#23980 (We're seeing the deprecation notice in the latest build of 5.0.) As we would like to keep this functionality, I've adopted a version of the fix suggested - by the author of the code that introduced the deprecation - in this issue thread in the Rails repo: rails/rails#27231 (comment) Essentially, this adds a filter to the allowable action name for safety and uses :template as a proxy for :action. The main downside is that themes that call `help_general_url` will need to pass in :template instead of :action. Also this caused (revealed?) a glitch which wasn't `/help/unhappy` route - on its own without the optional `:url_title` part - wasn't being recognised so I've added a new route for that here as well.
Passing in a dynamic action is deprecated in Rails 5.1 (for security reasons) and will be removed in 5.2.: rails/rails#23980 (We're seeing the deprecation notice in the latest build of 5.0.) As we would like to keep this functionality, I've adopted a version of the fix suggested - by the author of the code that introduced the deprecation - in this issue thread in the Rails repo: rails/rails#27231 (comment) Essentially, this adds a filter to the allowable action name for safety and uses :template as a proxy for :action. The main downside is that themes that call `help_general_url` will need to pass in :template instead of :action. Also this caused (revealed?) a glitch which wasn't `/help/unhappy` route - on its own without the optional `:url_title` part - wasn't being recognised so that has also been updated to make :url_title optional
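The commit message above describes replacing a dynamic `:action` with a `:template` parameter that is filtered against an allowlist. As an added example (my own code, not the commit's), here is that pattern in plain Ruby: a lambda constraint of the shape `constraints: ->(req) { ... }` that Rails routes accept, a second check inside the action, and a tiny dispatcher for `/help/:template(/:url_title)`. The request struct, template names and controller are all constructed stand-ins.

```ruby
# Added example, not code from the commit above: a free-form ":template"
# segment is accepted only if it names a known help page, and is then passed
# to render as data rather than used as a method name.
require "set"

# Constructed stand-in for the ActionDispatch request a route constraint sees.
FakeRequest = Struct.new(:path_parameters)

# The help pages that may be rendered; maintained next to the views and never
# derived from the request.
HELP_TEMPLATES = %w[general unhappy privacy].to_set.freeze

# Route constraint: answers only "does this request match the route?".
HELP_TEMPLATE_CONSTRAINT = lambda do |req|
  HELP_TEMPLATES.include?(req.path_parameters[:template])
end

# Toy controller: :template selects a view, it never selects a method.
class HelpController
  def initialize(params)
    @params = params
  end

  def show
    template = @params[:template]
    # Second line of defence inside the action, independent of routing.
    raise ArgumentError, "unknown help page" unless HELP_TEMPLATES.include?(template)
    "render help/#{template}"
  end
end

# Minimal dispatcher for "/help/:template(/:url_title)"; because the constraint
# runs on the bare two-segment path too, "/help/unhappy" matches without a
# separate route.
def route_help(path)
  segments = path.sub(%r{\A/}, "").split("/")
  return :not_found unless segments.first == "help" && segments.size.between?(2, 3)
  params = { template: segments[1], url_title: segments[2] }
  return :not_found unless HELP_TEMPLATE_CONSTRAINT.call(FakeRequest.new(params))
  HelpController.new(params).show
end

if __FILE__ == $PROGRAM_NAME
  %w[/help/general /help/unhappy/why /help/destroy /help/../secret].each do |p|
    puts "#{p} => #{route_help(p).inspect}"
  end
end
```

Keeping the allowlist in one constant means the route, the action and any `help_general_url`-style helper all agree on which pages exist, which is the consistency the commit message is after.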
Ran into this updating an old app. This was our workaround: - get "/:action", controller: "sections", constraints: ->(request) {
- action = request.path_parameters[:action]
- AdminCompanySection::ALL.include?(action)
- }, as: :section
+ # Also see `Admin::BaseController.admin_company_section_path`.
+ AdminCompanySection::ALL.each do |section|
+ get section, controller: "sections", action: section, as: "#{section}_section"
+ end And in helper_method \
def admin_company_section_path(company, section, **args)
public_send("admin_company_#{section}_section_path", company, **args)
end
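Review bot: in `admin_company_section_path`, `public_send("admin_company_#{section}_section_path", company, **args)` builds the helper name from `section` without checking it against `AdminCompanySection::ALL`, so an unknown section surfaces as a NoMethodError from inside the helper rather than a clear error; since the routes are now enumerated from that same constant, validating `section` against it here (for example `raise ArgumentError, "unknown section #{section}" unless AdminCompanySection::ALL.include?(section)` before the `public_send`) keeps the helper and the allowlist in step. It would also help to add a line to the `# Also see` comment in the routes noting that renaming an entry in `AdminCompanySection::ALL` renames the generated `*_section` URL helper, because the old constraint-based route did not have that coupling.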
DEPRECATION WARNING: Using a dynamic :action segment in a route is deprecated and will be removed in Rails 6.0. (called from instance_eval at /home/redmine/4.11/config/routes.rb:370)
@ashrafalzyoud Are you asking for help with solving this issue? Please use Stack Overflow for that, referencing this issue, and including the specific part of your routes that the deprecation warning points to – I don't believe it's included in the code you pasted here :)
@henrik
this code in redmine
@ashrafalzyoud Hi! Sorry, I probably wasn't clear – please use https://stackoverflow.com/questions/ask to ask your question. There will be a lot more people available to help you there than in this issue :)
WDYT? @dhh @rafaelfranca @tenderlove