actionpack 6.0.0.beta1 → 6.0.1.rc1
- checksums.yaml +4 -4
- data/CHANGELOG.md +125 -13
- data/README.rdoc +2 -1
- data/lib/abstract_controller/caching/fragments.rb +0 -1
- data/lib/abstract_controller/translation.rb +1 -0
- data/lib/action_controller.rb +4 -1
- data/lib/action_controller/metal.rb +3 -3
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +2 -2
- data/lib/action_controller/metal/force_ssl.rb +1 -2
- data/lib/action_controller/metal/helpers.rb +2 -2
- data/lib/action_controller/metal/implicit_render.rb +2 -2
- data/lib/action_controller/metal/live.rb +2 -2
- data/lib/action_controller/metal/mime_responds.rb +1 -1
- data/lib/action_controller/metal/params_wrapper.rb +2 -2
- data/lib/action_controller/metal/redirecting.rb +6 -27
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +1 -1
- data/lib/action_controller/metal/request_forgery_protection.rb +2 -2
- data/lib/action_controller/metal/strong_parameters.rb +6 -12
- data/lib/action_controller/renderer.rb +2 -2
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +3 -2
- data/lib/action_dispatch.rb +1 -1
- data/lib/action_dispatch/http/content_security_policy.rb +20 -9
- data/lib/action_dispatch/http/mime_negotiation.rb +5 -0
- data/lib/action_dispatch/http/mime_type.rb +13 -1
- data/lib/action_dispatch/http/response.rb +27 -7
- data/lib/action_dispatch/http/upload.rb +4 -1
- data/lib/action_dispatch/journey/formatter.rb +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +6 -1
- data/lib/action_dispatch/journey/route.rb +5 -4
- data/lib/action_dispatch/journey/routes.rb +0 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +39 -0
- data/lib/action_dispatch/middleware/cookies.rb +9 -10
- data/lib/action_dispatch/middleware/debug_exceptions.rb +8 -2
- data/lib/action_dispatch/middleware/debug_view.rb +19 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +15 -10
- data/lib/action_dispatch/middleware/host_authorization.rb +2 -2
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -2
- data/lib/action_dispatch/middleware/remote_ip.rb +3 -3
- data/lib/action_dispatch/middleware/session/cookie_store.rb +4 -3
- data/lib/action_dispatch/middleware/show_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/stack.rb +34 -2
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +6 -2
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +4 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +4 -0
- data/lib/action_dispatch/railtie.rb +6 -2
- data/lib/action_dispatch/routing.rb +18 -18
- data/lib/action_dispatch/routing/mapper.rb +26 -11
- data/lib/action_dispatch/routing/route_set.rb +13 -15
- data/lib/action_dispatch/system_test_case.rb +43 -5
- data/lib/action_dispatch/system_testing/browser.rb +38 -7
- data/lib/action_dispatch/system_testing/driver.rb +10 -1
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +3 -2
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +7 -6
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/routing.rb +8 -1
- data/lib/action_dispatch/testing/integration.rb +2 -2
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_response.rb +1 -1
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +20 -15
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
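--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 712053e56e990a145430653396c17ec95d5e838da7243b209cb340426c00e949
+data.tar.gz: f6fc9d43ab2813011edd135cdb4d21dae7499fe66cef41e146c17c941d93edbe
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1a5e6e7326f7d15187bcfcaebe72e02182ee7ee8454a5b2aac54adc9a8017dd80eebd4152d74f7ee6c5c0861f8ce87a1254f342bdea6b2760a66aab50ffdc639
+data.tar.gz: 8b907a4c8c860951d3a7b04a3c353e05601c8d996f3d7448aaec30ba82c83c48595a752381eef44a1ed559c975835eb9557fe97c0c8e89f942d897afa3062680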
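--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,121 @@
+## Rails 6.0.1.rc1 (October 31, 2019) ##
+
+* `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
+rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
+system tests.
+
+*George Claghorn*, *Edouard Chin*
+
+* Registered MIME types may contain extra flags:
+
+```ruby
+Mime::Type.register "text/html; fragment", :html_fragment
+```
+
+*Aaron Patterson*
+
+
+## Rails 6.0.0 (August 16, 2019) ##
+
+* No changes.
+
+
+## Rails 6.0.0.rc2 (July 22, 2019) ##
+
+* Add the ability to set the CSP nonce only to the specified directives.
+
+Fixes #35137.
+
+*Yuji Yaginuma*
+
+* Keep part when scope option has value.
+
+When a route was defined within an optional scope, if that route didn't
+take parameters the scope was lost when using path helpers. This commit
+ensures scope is kept both when the route takes parameters or when it
+doesn't.
+
+Fixes #33219
+
+*Alberto Almagro*
+
+* Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
+
+Previously, `ActionDispatch::Response#content_type` returned value does NOT
+contain charset part. This behavior changed to returned Content-Type header
+containing charset part as it is.
+
+If you want just MIME type, please use `ActionDispatch::Response#media_type`
+instead.
+
+Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
+If not enabled, `ActionDispatch::Response#content_type` returns the same
+value as before version, but its behavior is deprecate.
+
+*Yuji Yaginuma*
+
+* Calling `ActionController::Parameters#transform_keys/!` without a block now returns
+an enumerator for the parameters instead of the underlying hash.
+
+*Eugene Kenny*
+
+* Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
+
+*Yuki Nishijima*, *Stan Lo*
+
+
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+* Make system tests take a failed screenshot in a `before_teardown` hook
+rather than an `after_teardown` hook.
+
+This helps minimize the time gap between when an assertion fails and when
+the screenshot is taken (reducing the time in which the page could have
+been dynamically updated after the assertion failed).
+
+*Richard Macklin*
+
+* Introduce `ActionDispatch::ActionableExceptions`.
+
+The `ActionDispatch::ActionableExceptions` middleware dispatches actions
+from `ActiveSupport::ActionableError` descendants.
+
+Actionable errors let's you dispatch actions from Rails' error pages.
+
+*Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
+
+* Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
+
+After this change it's not possible anymore to configure routes like this:
+
+```
+routes.draw do
+resources :users, param: 'name/:sneaky'
+end
+```
+
+Fixes #30467.
+
+*Josua Schmid*
+
+
+## Rails 6.0.0.beta3 (March 11, 2019) ##
+
+* No changes.
+
+
+## Rails 6.0.0.beta2 (February 25, 2019) ##
+
+* Make debug exceptions works in an environment where ActiveStorage is not loaded.
+
+*Tomoyuki Kurosawa*
+
+* `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
+to define specific browser capabilities.
+
+*Edouard Chin*
+
+
 ## Rails 6.0.0.beta1 (January 18, 2019) ##
 
 * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
@@ -11,18 +129,12 @@
 
 *Rafael Mendonça França*
 
-*
-
-Add `fallback_location` and `allow_other_host` options to `redirect_to`.
-
-*Gannon McGibbon*
-
-* Introduce ActionDispatch::HostAuthorization
+* Introduce `ActionDispatch::HostAuthorization`.
 
 This is a new middleware that guards against DNS rebinding attacks by
-
+explicitly permitting the hosts a request can be made to.
 
-Each host is checked with the case operator (`#===`) to support `
+Each host is checked with the case operator (`#===`) to support `Regexp`,
 `Proc`, `IPAddr` and custom objects as host allowances.
 
 *Genadi Samokovarov*
@@ -47,7 +159,7 @@
 
 * Raise an error on root route naming conflicts.
 
-Raises an ArgumentError when multiple root routes are defined in the
+Raises an `ArgumentError` when multiple root routes are defined in the
 same context instead of assigning nil names to subsequent roots.
 
 *Gannon McGibbon*
@@ -82,7 +194,7 @@
 * Apply mapping to symbols returned from dynamic CSP sources
 
 Previously if a dynamic source returned a symbol such as :self it
-would be converted to a string
+would be converted to a string implicitly, e.g:
 
 policy.default_src -> { :self }
 
@@ -135,7 +247,7 @@
 
 *Assain Jaleel*
 
-* Raises `ActionController::RespondToMismatchError` with
+* Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
 
 `respond_to` can match multiple types and lead to undefined behavior when
 multiple invocations are made and the types do not match:
@@ -160,7 +272,7 @@
 
 *Aaron Kromer*
 
-* Pass along arguments to underlying `get` method in `follow_redirect
+* Pass along arguments to underlying `get` method in `follow_redirect!`
 
 Now all arguments passed to `follow_redirect!` are passed to the underlying
 `get` method. This for example allows to set custom headers for the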
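--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -23,6 +23,7 @@ by default and Action View rendering is implicitly triggered by Action
 Controller. However, these modules are designed to function on their own and
 can be used outside of Rails.
 
+You can read more about Action Pack in the {Action Controller Overview}[https://guides.rubyonrails.org/action_controller_overview.html] guide.
 
 == Download and installation
 
@@ -46,7 +47,7 @@ Action Pack is released under the MIT license:
 
 API documentation is at:
 
-*
+* https://api.rubyonrails.org
 
 Bug reports for the Ruby on Rails project can be filed here:
 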
@@ -11,6 +11,7 @@ module AbstractController
|
|
11
11
|
# to translate many keys within the same controller / action and gives you a
|
12
12
|
# simple framework for scoping them consistently.
|
13
13
|
def translate(key, options = {})
|
14
|
+
options = options.dup
|
14
15
|
if key.to_s.first == "."
|
15
16
|
path = controller_path.tr("/", ".")
|
16
17
|
defaults = [:"#{path}#{key}"]
|
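--- a/data/lib/action_controller.rb
+++ b/data/lib/action_controller.rb
@@ -3,7 +3,6 @@
 require "active_support/rails"
 require "abstract_controller"
 require "action_dispatch"
-require "action_controller/metal/live"
 require "action_controller/metal/strong_parameters"
 
 module ActionController
@@ -21,6 +20,10 @@ module ActionController
 end
 
 autoload_under "metal" do
+eager_autoload do
+autoload :Live
+end
+
 autoload :ConditionalGet
 autoload :ContentSecurityPolicy
 autoload :Cookies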
@@ -26,10 +26,10 @@ module ActionController
|
|
26
26
|
end
|
27
27
|
end
|
28
28
|
|
29
|
-
def build(action, app =
|
29
|
+
def build(action, app = nil, &block)
|
30
30
|
action = action.to_s
|
31
31
|
|
32
|
-
middlewares.reverse.inject(app) do |a, middleware|
|
32
|
+
middlewares.reverse.inject(app || block) do |a, middleware|
|
33
33
|
middleware.valid?(action) ? middleware.build(a) : a
|
34
34
|
end
|
35
35
|
end
|
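Review bot: `build(action, app = nil, &block)` accepts both a positional app and a block, but `inject(app || block)` silently discards the block whenever `app` is given, so a caller passing both gets no signal that one of them was ignored. A guard at the top of the method makes the contract explicit: `raise ArgumentError, "pass either an app or a block, not both" if app && block`. When neither is supplied the fold starts from `nil`, which is the same as before the change but is now undocumented; a short comment on the signature stating that the block stands in for the terminal app would help.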
@@ -148,7 +148,7 @@ module ActionController
|
|
148
148
|
attr_internal :response, :request
|
149
149
|
delegate :session, to: "@_request"
|
150
150
|
delegate :headers, :status=, :location=, :content_type=,
|
151
|
-
:status, :location, :content_type, to: "@_response"
|
151
|
+
:status, :location, :content_type, :media_type, to: "@_response"
|
152
152
|
|
153
153
|
def initialize
|
154
154
|
@_request = nil
|
@@ -27,7 +27,7 @@ module ActionController
|
|
27
27
|
|
28
28
|
class MethodNotAllowed < ActionControllerError #:nodoc:
|
29
29
|
def initialize(*allowed_methods)
|
30
|
-
super("Only #{allowed_methods.to_sentence
|
30
|
+
super("Only #{allowed_methods.to_sentence} requests are allowed.")
|
31
31
|
end
|
32
32
|
end
|
33
33
|
|
@@ -52,7 +52,7 @@ module ActionController
|
|
52
52
|
end
|
53
53
|
|
54
54
|
# Raised when a nested respond_to is triggered and the content types of each
|
55
|
-
# are incompatible. For
|
55
|
+
# are incompatible. For example:
|
56
56
|
#
|
57
57
|
# respond_to do |outer_type|
|
58
58
|
# outer_type.js do
|
@@ -13,7 +13,7 @@ module ActionController
|
|
13
13
|
|
14
14
|
ACTION_OPTIONS = [:only, :except, :if, :unless]
|
15
15
|
URL_OPTIONS = [:protocol, :host, :domain, :subdomain, :port, :path]
|
16
|
-
REDIRECT_OPTIONS = [:status, :flash, :alert, :notice
|
16
|
+
REDIRECT_OPTIONS = [:status, :flash, :alert, :notice]
|
17
17
|
|
18
18
|
module ClassMethods # :nodoc:
|
19
19
|
def force_ssl(options = {})
|
@@ -41,7 +41,6 @@ module ActionController
|
|
41
41
|
host: request.host,
|
42
42
|
path: request.fullpath,
|
43
43
|
status: :moved_permanently,
|
44
|
-
allow_other_host: true,
|
45
44
|
}
|
46
45
|
|
47
46
|
if host_or_options.is_a?(Hash)
|
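Review bot: Dropping `allow_other_host: true` from the permanent-redirect options is only safe because `redirect_to` in this same release stops validating the target host (the `_compute_safe_redirect_to_location` deletion in `redirecting.rb`); presumably the option was what let the scheme-changing redirect to `request.host` pass the old check. If host validation is ever reinstated in `redirect_to`, this redirect will need the option back, so a comment recording the dependency would help: `# no allow_other_host: redirect_to no longer host-checks; target is request.host on https`. The enclosing method starts and ends outside the hunk, so I cannot see whether `host:` can still be overridden from the options hash further down.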
@@ -34,7 +34,7 @@ module ActionController
|
|
34
34
|
# end
|
35
35
|
# end
|
36
36
|
#
|
37
|
-
# Then, in any view rendered by <tt>
|
37
|
+
# Then, in any view rendered by <tt>EventsController</tt>, the <tt>format_time</tt> method can be called:
|
38
38
|
#
|
39
39
|
# <% @events.each do |event| -%>
|
40
40
|
# <p>
|
@@ -75,7 +75,7 @@ module ActionController
|
|
75
75
|
# Provides a proxy to access helper methods from outside the view.
|
76
76
|
def helpers
|
77
77
|
@helper_proxy ||= begin
|
78
|
-
proxy = ActionView::Base.
|
78
|
+
proxy = ActionView::Base.empty
|
79
79
|
proxy.config = config.inheritable_copy
|
80
80
|
proxy.extend(_helpers)
|
81
81
|
end
|
@@ -30,9 +30,9 @@ module ActionController
|
|
30
30
|
# :stopdoc:
|
31
31
|
include BasicImplicitRender
|
32
32
|
|
33
|
-
def default_render
|
33
|
+
def default_render
|
34
34
|
if template_exists?(action_name.to_s, _prefixes, variants: request.variant)
|
35
|
-
render
|
35
|
+
render
|
36
36
|
elsif any_templates?(action_name.to_s, _prefixes)
|
37
37
|
message = "#{self.class.name}\##{action_name} is missing a template " \
|
38
38
|
"for this request format and variant.\n" \
|
@@ -146,7 +146,7 @@ module ActionController
|
|
146
146
|
|
147
147
|
def write(string)
|
148
148
|
unless @response.committed?
|
149
|
-
@response.
|
149
|
+
@response.headers["Cache-Control"] ||= "no-cache"
|
150
150
|
@response.delete_header "Content-Length"
|
151
151
|
end
|
152
152
|
|
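Review bot: `@response.headers["Cache-Control"] ||= "no-cache"` applies the streaming default only when nothing has set the header earlier, so a live action that set its own Cache-Control (including a cacheable value) now keeps it for the streamed body; the replaced line is truncated on this page, but it looks like it was an unconditional assignment that could not be overridden. That is a defensible behaviour, yet it is invisible at the call site, so a one-line comment would make it deliberate: `# default only; a Cache-Control already set by the action wins`. `no-cache` on its own permits storage with revalidation, which is unchanged here but worth knowing when an action chooses its own value.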
@@ -305,7 +305,7 @@ module ActionController
|
|
305
305
|
|
306
306
|
logger.fatal do
|
307
307
|
message = +"\n#{exception.class} (#{exception.message}):\n"
|
308
|
-
message << exception.
|
308
|
+
message << exception.annotated_source_code.to_s if exception.respond_to?(:annotated_source_code)
|
309
309
|
message << " " << exception.backtrace.join("\n ")
|
310
310
|
"#{message}\n\n"
|
311
311
|
end
|
@@ -205,7 +205,7 @@ module ActionController #:nodoc:
|
|
205
205
|
yield collector if block_given?
|
206
206
|
|
207
207
|
if format = collector.negotiate_format(request)
|
208
|
-
if
|
208
|
+
if media_type && media_type != format
|
209
209
|
raise ActionController::RespondToMismatchError
|
210
210
|
end
|
211
211
|
_process_format(format)
|
@@ -93,7 +93,7 @@ module ActionController
|
|
93
93
|
end
|
94
94
|
|
95
95
|
def model
|
96
|
-
super ||
|
96
|
+
super || self.model = _default_wrap_model
|
97
97
|
end
|
98
98
|
|
99
99
|
def include
|
@@ -115,7 +115,7 @@ module ActionController
|
|
115
115
|
|
116
116
|
if m.respond_to?(:nested_attributes_options) && m.nested_attributes_options.keys.any?
|
117
117
|
self.include += m.nested_attributes_options.keys.map do |key|
|
118
|
-
key.to_s.concat("_attributes")
|
118
|
+
(+key.to_s).concat("_attributes")
|
119
119
|
end
|
120
120
|
end
|
121
121
|
|
@@ -60,7 +60,7 @@ module ActionController
|
|
60
60
|
raise AbstractController::DoubleRenderError if response_body
|
61
61
|
|
62
62
|
self.status = _extract_redirect_to_status(options, response_options)
|
63
|
-
self.location =
|
63
|
+
self.location = _compute_redirect_to_location(request, options)
|
64
64
|
self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
|
65
65
|
end
|
66
66
|
|
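Review bot: With `self.location = _compute_redirect_to_location(request, options)` the host check that `_compute_safe_redirect_to_location` performed is gone from `redirect_to` (it is deleted in the hunk at `@@ -118,23 +114,6 @@`), yet nothing in this hunk rejects the `allow_other_host:` and `fallback_location:` keys that 6.0.0.beta1 callers may still pass in `response_options`; they appear to be accepted and ignored, so a caller who believed the redirect was host-restricted gets no warning. Raising on the now-meaningless keys, `raise ArgumentError, "allow_other_host/fallback_location are not supported by redirect_to" if response_options.key?(:allow_other_host) || response_options.key?(:fallback_location)`, or at least emitting a deprecation, would make the change visible where it matters. The start of `redirect_to` is outside the hunk, so there may be handling I cannot see.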
@@ -88,13 +88,9 @@ module ActionController
|
|
88
88
|
# All other options that can be passed to <tt>redirect_to</tt> are accepted as
|
89
89
|
# options and the behavior is identical.
|
90
90
|
def redirect_back(fallback_location:, allow_other_host: true, **args)
|
91
|
-
referer = request.headers
|
92
|
-
|
93
|
-
|
94
|
-
allow_other_host: allow_other_host,
|
95
|
-
**args,
|
96
|
-
}
|
97
|
-
redirect_to referer, response_options
|
91
|
+
referer = request.headers["Referer"]
|
92
|
+
redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
|
93
|
+
redirect_to redirect_to_referer ? referer : fallback_location, **args
|
98
94
|
end
|
99
95
|
|
100
96
|
def _compute_redirect_to_location(request, options) #:nodoc:
|
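Review bot: In the rewritten `redirect_back`, `redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))` short-circuits past the same-host check whenever `allow_other_host` is true, and that is the signature's default, so the Referer is followed to any host unless the caller opts into `allow_other_host: false`. The method comment visible above the signature says other options behave like `redirect_to` but does not state this default, which is the one thing a caller must know to avoid an open redirect to the referer; add a line such as `# allow_other_host defaults to true: pass allow_other_host: false to fall back when the Referer is not on request.host`. `fallback_location` is passed to `redirect_to` without any host check, which is consistent with `redirect_to` itself no longer checking in this release.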
@@ -118,23 +114,6 @@ module ActionController
|
|
118
114
|
public :_compute_redirect_to_location
|
119
115
|
|
120
116
|
private
|
121
|
-
def _compute_safe_redirect_to_location(request, options, response_options)
|
122
|
-
location = _compute_redirect_to_location(request, options)
|
123
|
-
location_options = options.is_a?(Hash) ? options : {}
|
124
|
-
if response_options[:allow_other_host] || _url_host_allowed?(location, location_options)
|
125
|
-
location
|
126
|
-
else
|
127
|
-
fallback_location = response_options.fetch(:fallback_location) do
|
128
|
-
raise ArgumentError, <<~MSG.squish
|
129
|
-
Unsafe redirect #{location.inspect},
|
130
|
-
use :fallback_location to specify a fallback
|
131
|
-
or :allow_other_host to redirect anyway.
|
132
|
-
MSG
|
133
|
-
end
|
134
|
-
_compute_redirect_to_location(request, fallback_location)
|
135
|
-
end
|
136
|
-
end
|
137
|
-
|
138
117
|
def _extract_redirect_to_status(options, response_options)
|
139
118
|
if options.is_a?(Hash) && options.key?(:status)
|
140
119
|
Rack::Utils.status_code(options.delete(:status))
|
@@ -145,8 +124,8 @@ module ActionController
|
|
145
124
|
end
|
146
125
|
end
|
147
126
|
|
148
|
-
def _url_host_allowed?(url
|
149
|
-
URI(url.to_s).host
|
127
|
+
def _url_host_allowed?(url)
|
128
|
+
URI(url.to_s).host == request.host
|
150
129
|
rescue ArgumentError, URI::Error
|
151
130
|
false
|
152
131
|
end
|
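Review bot: `_url_host_allowed?` compares only `URI(url.to_s).host` with `request.host`, so a Referer on the same host but a different scheme or port (an `http://` referer on an `https://` request, for instance) is treated as allowed and `redirect_back` will send the user there. If host-only equality is intended, a comment saying so would stop a reader assuming origin equality; if not, comparing against `request.host_with_port` and the scheme would close it, while the `rescue ArgumentError, URI::Error` → `false` branch already fails closed on unparsable input. `request.host` is derived from the incoming request, so this comparison is only as strong as the host allow-list in front of the app, which is what `ActionDispatch::HostAuthorization` from the CHANGELOG provides.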