diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 2798bec49f..86efe316e6 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -123,7 +123,7 @@ * Allow applications to configure the thread pool for async queries Some applications may want one thread pool per database whereas others want to use - a single global thread pool for all queries. By default Rails will set `async_query_executor` + a single global thread pool for all queries. By default, Rails will set `async_query_executor` to `nil` which will not initialize any executor. If `load_async` is called and no executor has been configured, the query will be executed in the foreground. @@ -212,7 +212,7 @@ present in the simplified query, an ActiveRecord::InvalidStatement error was raised. - An sample query affected by this problem: + A sample query affected by this problem: ```ruby Author.select('COUNT(*) as total_posts', 'authors.*') @@ -252,7 +252,7 @@ * `ActiveRecord::Calculations.calculate` called with `:average` (aliased as `ActiveRecord::Calculations.average`) will now use column based - type casting. This means that floating point number columns will now be + type casting. This means that floating-point number columns will now be aggregated as `Float` and decimal columns will be aggregated as `BigDecimal`. Integers are handled as a special case returning `BigDecimal` always @@ -306,7 +306,7 @@ When an application boots it automatically connects to the primary or first database in the database configuration file. In a multiple database application that then call `connects_to` needs to know that the default connection is the same as the `ApplicationRecord` connection. - However some applications have a differently named `ApplicationRecord`. This prevents Active + However, some applications have a differently named `ApplicationRecord`. This prevents Active Record from opening duplicate connections to the same database. *Eileen M. Uchitelle*, *John Crepezzi* diff --git a/activerecord/test/cases/associations/eager_test.rb b/activerecord/test/cases/associations/eager_test.rb index 19c4c1f4ae..be723cd684 100644 --- a/activerecord/test/cases/associations/eager_test.rb +++ b/activerecord/test/cases/associations/eager_test.rb @@ -1062,7 +1062,7 @@ class EagerAssociationTest < ActiveRecord::TestCase def test_eager_with_floating_point_numbers assert_queries(2) do - # Before changes, the floating point numbers will be interpreted as table names and will cause this to run in one query + # Before changes, the floating-point numbers will be interpreted as table names and will cause this to run in one query Comment.all.merge!(where: "123.456 = 123.456", includes: :post).to_a end end diff --git a/activesupport/lib/active_support/time_with_zone.rb b/activesupport/lib/active_support/time_with_zone.rb index 1093efaf38..c9b5d0d3fc 100644 --- a/activesupport/lib/active_support/time_with_zone.rb +++ b/activesupport/lib/active_support/time_with_zone.rb @@ -446,7 +446,7 @@ module ActiveSupport [time.sec, time.min, time.hour, time.day, time.mon, time.year, time.wday, time.yday, dst?, zone] end - # Returns the object's date and time as a floating point number of seconds + # Returns the object's date and time as a floating-point number of seconds # since the Epoch (January 1, 1970 00:00 UTC). # # Time.zone.now.to_f # => 1417709320.285418 diff --git a/activesupport/test/clean_backtrace_test.rb b/activesupport/test/clean_backtrace_test.rb index b351130dfb..6524a5ec77 100644 --- a/activesupport/test/clean_backtrace_test.rb +++ b/activesupport/test/clean_backtrace_test.rb @@ -19,7 +19,7 @@ class BacktraceCleanerFilterTest < ActiveSupport::TestCase assert_equal "/my/prefix/my/class.rb", @bc.clean(["/my/prefix/my/class.rb"]).first end - test "backtrace should contain unaltered lines if they dont match a filter" do + test "backtrace should contain unaltered lines if they don't match a filter" do assert_equal "/my/other_prefix/my/class.rb", @bc.clean([ "/my/other_prefix/my/class.rb" ]).first end end diff --git a/activesupport/test/core_ext/duration_test.rb b/activesupport/test/core_ext/duration_test.rb index cb92781680..29a2108d66 100644 --- a/activesupport/test/core_ext/duration_test.rb +++ b/activesupport/test/core_ext/duration_test.rb @@ -318,7 +318,7 @@ class DurationTest < ActiveSupport::TestCase Time.zone = nil end - def test_before_and_afer + def test_before_and_after t = Time.local(2000) assert_equal t + 1, 1.second.after(t) assert_equal t - 1, 1.second.before(t) diff --git a/activesupport/test/core_ext/time_with_zone_test.rb b/activesupport/test/core_ext/time_with_zone_test.rb index 7b1a19f68f..5e58ce60c0 100644 --- a/activesupport/test/core_ext/time_with_zone_test.rb +++ b/activesupport/test/core_ext/time_with_zone_test.rb @@ -120,9 +120,9 @@ class TimeWithZoneTest < ActiveSupport::TestCase nsec = ActiveSupport::TimeWithZone.new(nsec, @time_zone) assert_equal "Fri, 12 Dec 1986 01:23:00.000000001 EST -05:00", nsec.inspect - handred_nsec = Time.utc(1986, 12, 12, 6, 23, 00, Rational(100, 1000)) - handred_nsec = ActiveSupport::TimeWithZone.new(handred_nsec, @time_zone) - assert_equal "Fri, 12 Dec 1986 01:23:00.000000100 EST -05:00", handred_nsec.inspect + hundred_nsec = Time.utc(1986, 12, 12, 6, 23, 00, Rational(100, 1000)) + hundred_nsec = ActiveSupport::TimeWithZone.new(hundred_nsec, @time_zone) + assert_equal "Fri, 12 Dec 1986 01:23:00.000000100 EST -05:00", hundred_nsec.inspect one_third_sec = Time.utc(1986, 12, 12, 6, 23, 00, Rational(1000000, 3)) one_third_sec = ActiveSupport::TimeWithZone.new(one_third_sec, @time_zone) diff --git a/guides/bug_report_templates/benchmark.rb b/guides/bug_report_templates/benchmark.rb index c32c01a226..f00a7de5f5 100644 --- a/guides/bug_report_templates/benchmark.rb +++ b/guides/bug_report_templates/benchmark.rb @@ -29,11 +29,11 @@ end # scenarios. Ideally, they should be based on real-world scenarios extracted # from production applications. SCENARIOS = { - "Empty" => "", - "Single Space" => " ", - "Two Spaces" => " ", - "Mixed Whitspaces" => " \t\r\n", - "Very Long String" => " " * 100 + "Empty" => "", + "Single Space" => " ", + "Two Spaces" => " ", + "Mixed Whitespaces" => " \t\r\n", + "Very Long String" => " " * 100 } SCENARIOS.each_pair do |name, value| diff --git a/guides/source/active_record_querying.md b/guides/source/active_record_querying.md index 0f407553c4..464d0b2b62 100644 --- a/guides/source/active_record_querying.md +++ b/guides/source/active_record_querying.md @@ -2216,7 +2216,7 @@ If you want to see the average of a certain number in one of your tables you can Order.average("subtotal") ``` -This will return a number (possibly a floating point number such as 3.14159265) representing the average value in the field. +This will return a number (possibly a floating-point number such as 3.14159265) representing the average value in the field. For options, please see the parent section, [Calculations](#calculations). diff --git a/guides/source/active_support_core_extensions.md b/guides/source/active_support_core_extensions.md index 9ab9fba318..e058fd6ef7 100644 --- a/guides/source/active_support_core_extensions.md +++ b/guides/source/active_support_core_extensions.md @@ -2150,7 +2150,7 @@ Extensions to `BigDecimal` ### `to_s` -The method `to_s` provides a default specifier of "F". This means that a simple call to `to_s` will result in floating point representation instead of engineering notation: +The method `to_s` provides a default specifier of "F". This means that a simple call to `to_s` will result in floating-point representation instead of engineering notation: ```ruby BigDecimal(5.00, 6).to_s # => "5.0" diff --git a/guides/source/caching_with_rails.md b/guides/source/caching_with_rails.md index 89aaea03d9..4a069e2c65 100644 --- a/guides/source/caching_with_rails.md +++ b/guides/source/caching_with_rails.md @@ -9,7 +9,7 @@ Caching means to store content generated during the request-response cycle and to reuse it when responding to similar requests. Caching is often the most effective way to boost an application's performance. -Through caching, web sites running on a single server with a single database +Through caching, websites running on a single server with a single database can sustain a load of thousands of concurrent users. Rails provides a set of caching features out of the box. This guide will teach diff --git a/guides/source/security.md b/guides/source/security.md index 4421599000..9f157937dd 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -326,7 +326,7 @@ Another class of security vulnerabilities surrounds the use of redirection and f ### Redirection -WARNING: _Redirection in a web application is an underestimated cracker tool: Not only can the attacker forward the user to a trap web site, they may also create a self-contained attack._ +WARNING: _Redirection in a web application is an underestimated cracker tool: Not only can the attacker forward the user to a trap website, they may also create a self-contained attack._ Whenever the user is allowed to pass (parts of) the URL for redirection, it is possibly vulnerable. The most obvious attack would be to redirect users to a fake web application which looks and feels exactly as the original one. This so-called phishing attack works by sending an unsuspicious link in an email to the users, injecting the link by XSS in the web application or putting the link into an external site. It is unsuspicious, because the link starts with the URL to the web application and the URL to the malicious site is hidden in the redirection parameter: http://www.example.com/site/redirect?to=www.attacker.com. Here is an example of a legacy action: @@ -381,7 +381,7 @@ The solution to this is best to _process media files asynchronously_: Save the m WARNING: _Source code in uploaded files may be executed when placed in specific directories. Do not place file uploads in Rails' /public directory if it is Apache's home directory._ -The popular Apache web server has an option called DocumentRoot. This is the home directory of the web site, everything in this directory tree will be served by the web server. If there are files with a certain file name extension, the code in it will be executed when requested (might require some options to be set). Examples for this are PHP and CGI files. Now think of a situation where an attacker uploads a file "file.cgi" with code in it, which will be executed when someone downloads the file. +The popular Apache web server has an option called DocumentRoot. This is the home directory of the website, everything in this directory tree will be served by the web server. If there are files with a certain file name extension, the code in it will be executed when requested (might require some options to be set). Examples for this are PHP and CGI files. Now think of a situation where an attacker uploads a file "file.cgi" with code in it, which will be executed when someone downloads the file. _If your Apache DocumentRoot points to Rails' /public directory, do not put file uploads in it_, store files at least one level upwards. @@ -412,7 +412,7 @@ Intranet and Admin Security Intranet and administration interfaces are popular attack targets, because they allow privileged access. Although this would require several extra-security measures, the opposite is the case in the real world. -In 2007 there was the first tailor-made trojan which stole information from an Intranet, namely the "Monster for employers" web site of Monster.com, an online recruitment web application. Tailor-made Trojans are very rare, so far, and the risk is quite low, but it is certainly a possibility and an example of how the security of the client host is important, too. However, the highest threat to Intranet and Admin applications are XSS and CSRF. +In 2007 there was the first tailor-made trojan which stole information from an Intranet, namely the "Monster for employers" website of Monster.com, an online recruitment web application. Tailor-made Trojans are very rare, so far, and the risk is quite low, but it is certainly a possibility and an example of how the security of the client host is important, too. However, the highest threat to Intranet and Admin applications are XSS and CSRF. **XSS** If your application re-displays malicious user input from the extranet, the application will be vulnerable to XSS. User names, comments, spam reports, order addresses are just a few uncommon examples, where there can be XSS. @@ -422,7 +422,7 @@ Refer to the Injection section for countermeasures against XSS. **CSRF** Cross-Site Request Forgery (CSRF), also known as Cross-Site Reference Forgery (XSRF), is a gigantic attack method, it allows the attacker to do everything the administrator or Intranet user may do. As you have already seen above how CSRF works, here are a few examples of what attackers can do in the Intranet or admin interface. -A real-world example is a [router reconfiguration by CSRF](http://www.h-online.com/security/news/item/Symantec-reports-first-active-attack-on-a-DSL-router-735883.html). The attackers sent a malicious e-mail, with CSRF in it, to Mexican users. The e-mail claimed there was an e-card waiting for the user, but it also contained an image tag that resulted in an HTTP-GET request to reconfigure the user's router (which is a popular model in Mexico). The request changed the DNS-settings so that requests to a Mexico-based banking site would be mapped to the attacker's site. Everyone who accessed the banking site through that router saw the attacker's fake web site and had their credentials stolen. +A real-world example is a [router reconfiguration by CSRF](http://www.h-online.com/security/news/item/Symantec-reports-first-active-attack-on-a-DSL-router-735883.html). The attackers sent a malicious e-mail, with CSRF in it, to Mexican users. The e-mail claimed there was an e-card waiting for the user, but it also contained an image tag that resulted in an HTTP-GET request to reconfigure the user's router (which is a popular model in Mexico). The request changed the DNS-settings so that requests to a Mexico-based banking site would be mapped to the attacker's site. Everyone who accessed the banking site through that router saw the attacker's fake website and had their credentials stolen. Another example changed Google Adsense's e-mail address and password. If the victim was logged into Google Adsense, the administration interface for Google advertisement campaigns, an attacker could change the credentials of the victim. @@ -473,7 +473,7 @@ However, the attacker may also take over the account by changing the e-mail addr #### Other -Depending on your web application, there may be more ways to hijack the user's account. In many cases CSRF and XSS will help to do so. For example, as in a CSRF vulnerability in [Google Mail](https://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/). In this proof-of-concept attack, the victim would have been lured to a web site controlled by the attacker. On that site is a crafted IMG-tag which results in an HTTP GET request that changes the filter settings of Google Mail. If the victim was logged in to Google Mail, the attacker would change the filters to forward all e-mails to their e-mail address. This is nearly as harmful as hijacking the entire account. As a countermeasure, _review your application logic and eliminate all XSS and CSRF vulnerabilities_. +Depending on your web application, there may be more ways to hijack the user's account. In many cases CSRF and XSS will help to do so. For example, as in a CSRF vulnerability in [Google Mail](https://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/). In this proof-of-concept attack, the victim would have been lured to a website controlled by the attacker. On that site is a crafted IMG-tag which results in an HTTP GET request that changes the filter settings of Google Mail. If the victim was logged in to Google Mail, the attacker would change the filters to forward all e-mails to their e-mail address. This is nearly as harmful as hijacking the entire account. As a countermeasure, _review your application logic and eliminate all XSS and CSRF vulnerabilities_. ### CAPTCHAs @@ -685,9 +685,9 @@ INFO: _The most widespread, and one of the most devastating security vulnerabili An entry point is a vulnerable URL and its parameters where an attacker can start an attack. -The most common entry points are message posts, user comments, and guest books, but project titles, document names, and search result pages have also been vulnerable - just about everywhere where the user can input data. But the input does not necessarily have to come from input boxes on web sites, it can be in any URL parameter - obvious, hidden or internal. Remember that the user may intercept any traffic. Applications or client-site proxies make it easy to change requests. There are also other attack vectors like banner advertisements. +The most common entry points are message posts, user comments, and guest books, but project titles, document names, and search result pages have also been vulnerable - just about everywhere where the user can input data. But the input does not necessarily have to come from input boxes on websites, it can be in any URL parameter - obvious, hidden or internal. Remember that the user may intercept any traffic. Applications or client-site proxies make it easy to change requests. There are also other attack vectors like banner advertisements. -XSS attacks work like this: An attacker injects some code, the web application saves it and displays it on a page, later presented to a victim. Most XSS examples simply display an alert box, but it is more powerful than that. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements for the benefit of the attacker, change elements on the web site to get confidential information or install malicious software through security holes in the web browser. +XSS attacks work like this: An attacker injects some code, the web application saves it and displays it on a page, later presented to a victim. Most XSS examples simply display an alert box, but it is more powerful than that. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements for the benefit of the attacker, change elements on the website to get confidential information or install malicious software through security holes in the web browser. During the second half of 2007, there were 88 vulnerabilities reported in Mozilla browsers, 22 in Safari, 18 in IE, and 12 in Opera. The Symantec Global Internet Security threat report also documented 239 browser plug-in vulnerabilities in the last six months of 2007. [Mpack](https://www.pandasecurity.com/en/mediacenter/malware/mpack-uncovered/) is a very active and up-to-date attack framework which exploits these vulnerabilities. For criminal hackers, it is very attractive to exploit a SQL-Injection vulnerability in a web application framework and insert malicious code in every textual table column. In April 2008 more than 510,000 sites were hacked like this, among them the British government, United Nations, and many more high profile targets. @@ -732,7 +732,7 @@ You can mitigate these attacks (in the obvious way) by adding the **httpOnly** f ##### Defacement -With web page defacement an attacker can do a lot of things, for example, present false information or lure the victim on the attackers web site to steal the cookie, login credentials, or other sensitive data. The most popular way is to include code from external sources by iframes: +With web page defacement an attacker can do a lot of things, for example, present false information or lure the victim on the attackers website to steal the cookie, login credentials, or other sensitive data. The most popular way is to include code from external sources by iframes: ```html @@ -740,7 +740,7 @@ With web page defacement an attacker can do a lot of things, for example, presen This loads arbitrary HTML and/or JavaScript from an external source and embeds it as part of the site. This `iframe` is taken from an actual attack on legitimate Italian sites using the [Mpack attack framework](https://isc.sans.edu/diary/MPack+Analysis/3015). Mpack tries to install malicious software through security holes in the web browser - very successfully, 50% of the attacks succeed. -A more specialized attack could overlap the entire web site or display a login form, which looks the same as the site's original, but transmits the user name and password to the attacker's site. Or it could use CSS and/or JavaScript to hide a legitimate link in the web application, and display another one at its place which redirects to a fake web site. +A more specialized attack could overlap the entire website or display a login form, which looks the same as the site's original, but transmits the user name and password to the attacker's site. Or it could use CSS and/or JavaScript to hide a legitimate link in the web application, and display another one at its place which redirects to a fake website. Reflected injection attacks are those where the payload is not stored to present it to the victim later on, but included in the URL. Especially search forms fail to escape the search string. The following link presented a page which stated that "George Bush appointed a 9 year old boy to be the chairperson...": diff --git a/railties/test/application/rake/dbs_test.rb b/railties/test/application/rake/dbs_test.rb index 935613e84c..b59cf65cc0 100644 --- a/railties/test/application/rake/dbs_test.rb +++ b/railties/test/application/rake/dbs_test.rb @@ -173,7 +173,7 @@ module ApplicationTests db_create_and_drop("db/development.sqlite3", environment_loaded: false) end - test "db:create and db:drop dont raise errors when loading YAML with single-line ERB" do + test "db:create and db:drop don't raise errors when loading YAML with single-line ERB" do app_file "config/database.yml", <<-YAML development: <%= Rails.application.config.database ? 'database: db/development.sqlite3' : 'database: db/development.sqlite3' %> diff --git a/railties/test/application/rake/multi_dbs_test.rb b/railties/test/application/rake/multi_dbs_test.rb index ad16f413be..3187e1b035 100644 --- a/railties/test/application/rake/multi_dbs_test.rb +++ b/railties/test/application/rake/multi_dbs_test.rb @@ -772,7 +772,7 @@ module ApplicationTests db_create_and_drop_namespace("primary", "db/development.sqlite3") end - test "db:create and db:drop dont raise errors when loading YAML with single-line ERB" do + test "db:create and db:drop don't raise errors when loading YAML with single-line ERB" do app_file "config/database.yml", <<-YAML development: primary: diff --git a/railties/test/railties/engine_test.rb b/railties/test/railties/engine_test.rb index f397070e24..7933480a93 100644 --- a/railties/test/railties/engine_test.rb +++ b/railties/test/railties/engine_test.rb @@ -147,7 +147,7 @@ module RailtiesTest end end - test "dont reverse default railties order" do + test "don't reverse default railties order" do @api = engine "api" do |plugin| plugin.write "lib/api.rb", <<-RUBY module Api