Deprecate :controller and :action path parameters #23980

Merged
merged 1 commit into from Mar 1, 2016

@pixeltrix
Member

pixeltrix commented Mar 1, 2016

Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.

WDYT? @dhh @rafaelfranca @tenderlove

Deprecate :controller and :action path parameters
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
@dhh

Member

dhh commented Mar 1, 2016

👍

@fxn

Member

fxn commented Mar 1, 2016

👍

@rafaelfranca

Member

rafaelfranca commented Mar 1, 2016

:shipit:

pixeltrix added a commit that referenced this pull request Mar 1, 2016

Merge pull request #23980 from rails/deprecate-controller-action-segments

Deprecate :controller and :action path parameters

@pixeltrix pixeltrix merged commit f2c707a into master Mar 1, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@pixeltrix pixeltrix deleted the deprecate-controller-action-segments branch Mar 1, 2016

jonatack added a commit to jonatack/rails that referenced this pull request Mar 3, 2016

Niceify the dynamic routes deprecation messages
Follow-up to #23980.

- Fix grammar: "be remove" -> "be removed".

- Wrap lines at 80 chars.

Lurvely ;-)

lucasmazza added a commit to plataformatec/devise that referenced this pull request Mar 7, 2016

Do not use the dynamic `:action` segment on Omniauth routes.
This was deprecated on rails/rails#23980.

We now generate scope and provider specific routes, like `user_facebook_omniauth_callback`
or `user_github_omniauth_callback`.

We could deprecate the `omniauth_authorize_path` in favor of the generated routes, but
the `shared/links.html.erb` depends on it to generate all omniauth links at once.

Closes #3983.

y-yagi added a commit to y-yagi/rails that referenced this pull request Mar 13, 2016

jonatack added a commit to activerecord-hackery/ransack that referenced this pull request Mar 14, 2016

Silence dynamic route deprecation messages in Ransack specs
Using dynamic :controller or :action segments in routes has been a
source of a number of security issues in production and is deprecated
in Rails 5.0 since this [pull request] and is planned to be removed in
Rails 5.1.

Ransack is still maintaining compatibility with legacy Rails 3 and 4
versions, so this commit silences the deprecation messages for now
while running the test suite.

[pull request]: rails/rails#23980

yui-knk added a commit to yui-knk/rails that referenced this pull request Mar 30, 2016

Suppress warnings
"Using a dynamic :controller (or :action) segment in a route is deprecated"
by 6520ea5 (#23980).

@yui-knk yui-knk referenced this pull request Mar 30, 2016

Merged

Suppress warnings #24370

@bogdan

Contributor

bogdan commented Mar 30, 2016

hallelujah!

y-yagi added a commit to y-yagi/rails that referenced this pull request May 21, 2016

prathamesh-sonpatki added a commit that referenced this pull request May 21, 2016

maclover7 added a commit to maclover7/rails that referenced this pull request Jun 6, 2016

maclover7 added a commit to maclover7/rails that referenced this pull request Jun 6, 2016

@elliotwesoff

elliotwesoff commented Sep 6, 2016

Is there some other way to draw dynamic routes in Rails 5.1? I'm maintaining an enormous Rails app that was built on Rails 1 and almost every link_to uses this convention. Adding the standard resources definitions to the routes file for every controller and changing every link_to is simply out of the question. Are there any other options?
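
One way to audit a routes file for the deprecated dynamic segments and write out the explicit, whitelisted replacements the pull request description asks for, as an added example that is not part of this thread or of Rails itself. The helper names `dynamic_routes` and `explicit_routes`, the sample routes and the whitelist are all constructed for illustration.

```ruby
# Added example: helper names and sample data are constructed, not Rails code.

# Constructed config/routes.rb content.
SAMPLE_ROUTES = <<~'ROUTES'
  Rails.application.routes.draw do
    get "reports/:id", to: "reports#show"
    get ":controller(/:action(/:id))"
    get "admin/:action", controller: "admin"
    # get ":controller/:action"
    get "legacy", :controller => "legacy", :action => "index"
  end
ROUTES

# Constructed whitelist: controller => actions meant to be reachable.
ALLOWED = { "reports" => %w[index export], "admin" => %w[dashboard] }.freeze

# Returns [line_number, segment] for each dynamic :controller or :action
# segment found inside a quoted path string. Static `:controller =>` /
# `controller:` options sit outside the quotes and are not reported.
def dynamic_routes(source)
  source.each_line.with_index(1).flat_map do |line, number|
    code = line.sub(/(^|\s)#.*/, "") # drop comments, keep "ctrl#action"
    strings = code.scan(/"([^"]*)"|'([^']*)'/).flatten.compact
    strings.flat_map { |s| s.scan(/:(controller|action)\b/).flatten }
           .uniq
           .map { |segment| [number, segment] }
  end
end

# Expands the whitelist into one explicit route line per allowed action.
def explicit_routes(allowed)
  allowed.flat_map do |controller, actions|
    actions.map do |action|
      %(get "#{controller}/#{action}", to: "#{controller}##{action}")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  dynamic_routes(SAMPLE_ROUTES).each do |number, segment|
    puts "line #{number}: dynamic :#{segment} segment"
  end
  puts explicit_routes(ALLOWED)
end
```

Running the audit in CI against `config/routes.rb` catches a dynamic segment before it reaches the deprecation warning at boot.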
