1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Merge pull request #41916 from jbampton/fix-spelling

chore: fix grammar and spelling
This commit is contained in:
Ryuta Kamizono 2021-04-12 07:26:23 +09:00 committed by GitHub
commit 54979ffa25
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 31 additions and 31 deletions

View file

@ -123,7 +123,7 @@
* Allow applications to configure the thread pool for async queries
Some applications may want one thread pool per database whereas others want to use
a single global thread pool for all queries. By default Rails will set `async_query_executor`
a single global thread pool for all queries. By default, Rails will set `async_query_executor`
to `nil` which will not initialize any executor. If `load_async` is called and no executor
has been configured, the query will be executed in the foreground.
@ -212,7 +212,7 @@
present in the simplified query, an ActiveRecord::InvalidStatement
error was raised.
An sample query affected by this problem:
A sample query affected by this problem:
```ruby
Author.select('COUNT(*) as total_posts', 'authors.*')
@ -252,7 +252,7 @@
* `ActiveRecord::Calculations.calculate` called with `:average`
(aliased as `ActiveRecord::Calculations.average`) will now use column based
type casting. This means that floating point number columns will now be
type casting. This means that floating-point number columns will now be
aggregated as `Float` and decimal columns will be aggregated as `BigDecimal`.
Integers are handled as a special case returning `BigDecimal` always
@ -306,7 +306,7 @@
When an application boots it automatically connects to the primary or first database in the
database configuration file. In a multiple database application that then call `connects_to`
needs to know that the default connection is the same as the `ApplicationRecord` connection.
However some applications have a differently named `ApplicationRecord`. This prevents Active
However, some applications have a differently named `ApplicationRecord`. This prevents Active
Record from opening duplicate connections to the same database.
*Eileen M. Uchitelle*, *John Crepezzi*

View file

@ -1062,7 +1062,7 @@ class EagerAssociationTest < ActiveRecord::TestCase
def test_eager_with_floating_point_numbers
assert_queries(2) do
# Before changes, the floating point numbers will be interpreted as table names and will cause this to run in one query
# Before changes, the floating-point numbers will be interpreted as table names and will cause this to run in one query
Comment.all.merge!(where: "123.456 = 123.456", includes: :post).to_a
end
end

View file

@ -446,7 +446,7 @@ module ActiveSupport
[time.sec, time.min, time.hour, time.day, time.mon, time.year, time.wday, time.yday, dst?, zone]
end
# Returns the object's date and time as a floating point number of seconds
# Returns the object's date and time as a floating-point number of seconds
# since the Epoch (January 1, 1970 00:00 UTC).
#
# Time.zone.now.to_f # => 1417709320.285418

View file

@ -19,7 +19,7 @@ class BacktraceCleanerFilterTest < ActiveSupport::TestCase
assert_equal "/my/prefix/my/class.rb", @bc.clean(["/my/prefix/my/class.rb"]).first
end
test "backtrace should contain unaltered lines if they dont match a filter" do
test "backtrace should contain unaltered lines if they don't match a filter" do
assert_equal "/my/other_prefix/my/class.rb", @bc.clean([ "/my/other_prefix/my/class.rb" ]).first
end
end

View file

@ -318,7 +318,7 @@ class DurationTest < ActiveSupport::TestCase
Time.zone = nil
end
def test_before_and_afer
def test_before_and_after
t = Time.local(2000)
assert_equal t + 1, 1.second.after(t)
assert_equal t - 1, 1.second.before(t)

View file

@ -120,9 +120,9 @@ class TimeWithZoneTest < ActiveSupport::TestCase
nsec = ActiveSupport::TimeWithZone.new(nsec, @time_zone)
assert_equal "Fri, 12 Dec 1986 01:23:00.000000001 EST -05:00", nsec.inspect
handred_nsec = Time.utc(1986, 12, 12, 6, 23, 00, Rational(100, 1000))
handred_nsec = ActiveSupport::TimeWithZone.new(handred_nsec, @time_zone)
assert_equal "Fri, 12 Dec 1986 01:23:00.000000100 EST -05:00", handred_nsec.inspect
hundred_nsec = Time.utc(1986, 12, 12, 6, 23, 00, Rational(100, 1000))
hundred_nsec = ActiveSupport::TimeWithZone.new(hundred_nsec, @time_zone)
assert_equal "Fri, 12 Dec 1986 01:23:00.000000100 EST -05:00", hundred_nsec.inspect
one_third_sec = Time.utc(1986, 12, 12, 6, 23, 00, Rational(1000000, 3))
one_third_sec = ActiveSupport::TimeWithZone.new(one_third_sec, @time_zone)

View file

@ -29,11 +29,11 @@ end
# scenarios. Ideally, they should be based on real-world scenarios extracted
# from production applications.
SCENARIOS = {
"Empty" => "",
"Single Space" => " ",
"Two Spaces" => " ",
"Mixed Whitspaces" => " \t\r\n",
"Very Long String" => " " * 100
"Empty" => "",
"Single Space" => " ",
"Two Spaces" => " ",
"Mixed Whitespaces" => " \t\r\n",
"Very Long String" => " " * 100
}
SCENARIOS.each_pair do |name, value|

View file

@ -2216,7 +2216,7 @@ If you want to see the average of a certain number in one of your tables you can
Order.average("subtotal")
```
This will return a number (possibly a floating point number such as 3.14159265) representing the average value in the field.
This will return a number (possibly a floating-point number such as 3.14159265) representing the average value in the field.
For options, please see the parent section, [Calculations](#calculations).

View file

@ -2150,7 +2150,7 @@ Extensions to `BigDecimal`
### `to_s`
The method `to_s` provides a default specifier of "F". This means that a simple call to `to_s` will result in floating point representation instead of engineering notation:
The method `to_s` provides a default specifier of "F". This means that a simple call to `to_s` will result in floating-point representation instead of engineering notation:
```ruby
BigDecimal(5.00, 6).to_s # => "5.0"

View file

@ -9,7 +9,7 @@ Caching means to store content generated during the request-response cycle and
to reuse it when responding to similar requests.
Caching is often the most effective way to boost an application's performance.
Through caching, web sites running on a single server with a single database
Through caching, websites running on a single server with a single database
can sustain a load of thousands of concurrent users.
Rails provides a set of caching features out of the box. This guide will teach

View file

@ -326,7 +326,7 @@ Another class of security vulnerabilities surrounds the use of redirection and f
### Redirection
WARNING: _Redirection in a web application is an underestimated cracker tool: Not only can the attacker forward the user to a trap web site, they may also create a self-contained attack._
WARNING: _Redirection in a web application is an underestimated cracker tool: Not only can the attacker forward the user to a trap website, they may also create a self-contained attack._
Whenever the user is allowed to pass (parts of) the URL for redirection, it is possibly vulnerable. The most obvious attack would be to redirect users to a fake web application which looks and feels exactly as the original one. This so-called phishing attack works by sending an unsuspicious link in an email to the users, injecting the link by XSS in the web application or putting the link into an external site. It is unsuspicious, because the link starts with the URL to the web application and the URL to the malicious site is hidden in the redirection parameter: http://www.example.com/site/redirect?to=www.attacker.com. Here is an example of a legacy action:
@ -381,7 +381,7 @@ The solution to this is best to _process media files asynchronously_: Save the m
WARNING: _Source code in uploaded files may be executed when placed in specific directories. Do not place file uploads in Rails' /public directory if it is Apache's home directory._
The popular Apache web server has an option called DocumentRoot. This is the home directory of the web site, everything in this directory tree will be served by the web server. If there are files with a certain file name extension, the code in it will be executed when requested (might require some options to be set). Examples for this are PHP and CGI files. Now think of a situation where an attacker uploads a file "file.cgi" with code in it, which will be executed when someone downloads the file.
The popular Apache web server has an option called DocumentRoot. This is the home directory of the website, everything in this directory tree will be served by the web server. If there are files with a certain file name extension, the code in it will be executed when requested (might require some options to be set). Examples for this are PHP and CGI files. Now think of a situation where an attacker uploads a file "file.cgi" with code in it, which will be executed when someone downloads the file.
_If your Apache DocumentRoot points to Rails' /public directory, do not put file uploads in it_, store files at least one level upwards.
@ -412,7 +412,7 @@ Intranet and Admin Security
Intranet and administration interfaces are popular attack targets, because they allow privileged access. Although this would require several extra-security measures, the opposite is the case in the real world.
In 2007 there was the first tailor-made trojan which stole information from an Intranet, namely the "Monster for employers" web site of Monster.com, an online recruitment web application. Tailor-made Trojans are very rare, so far, and the risk is quite low, but it is certainly a possibility and an example of how the security of the client host is important, too. However, the highest threat to Intranet and Admin applications are XSS and CSRF.
In 2007 there was the first tailor-made trojan which stole information from an Intranet, namely the "Monster for employers" website of Monster.com, an online recruitment web application. Tailor-made Trojans are very rare, so far, and the risk is quite low, but it is certainly a possibility and an example of how the security of the client host is important, too. However, the highest threat to Intranet and Admin applications are XSS and CSRF.
**XSS** If your application re-displays malicious user input from the extranet, the application will be vulnerable to XSS. User names, comments, spam reports, order addresses are just a few uncommon examples, where there can be XSS.
@ -422,7 +422,7 @@ Refer to the Injection section for countermeasures against XSS.
**CSRF** Cross-Site Request Forgery (CSRF), also known as Cross-Site Reference Forgery (XSRF), is a gigantic attack method, it allows the attacker to do everything the administrator or Intranet user may do. As you have already seen above how CSRF works, here are a few examples of what attackers can do in the Intranet or admin interface.
A real-world example is a [router reconfiguration by CSRF](http://www.h-online.com/security/news/item/Symantec-reports-first-active-attack-on-a-DSL-router-735883.html). The attackers sent a malicious e-mail, with CSRF in it, to Mexican users. The e-mail claimed there was an e-card waiting for the user, but it also contained an image tag that resulted in an HTTP-GET request to reconfigure the user's router (which is a popular model in Mexico). The request changed the DNS-settings so that requests to a Mexico-based banking site would be mapped to the attacker's site. Everyone who accessed the banking site through that router saw the attacker's fake web site and had their credentials stolen.
A real-world example is a [router reconfiguration by CSRF](http://www.h-online.com/security/news/item/Symantec-reports-first-active-attack-on-a-DSL-router-735883.html). The attackers sent a malicious e-mail, with CSRF in it, to Mexican users. The e-mail claimed there was an e-card waiting for the user, but it also contained an image tag that resulted in an HTTP-GET request to reconfigure the user's router (which is a popular model in Mexico). The request changed the DNS-settings so that requests to a Mexico-based banking site would be mapped to the attacker's site. Everyone who accessed the banking site through that router saw the attacker's fake website and had their credentials stolen.
Another example changed Google Adsense's e-mail address and password. If the victim was logged into Google Adsense, the administration interface for Google advertisement campaigns, an attacker could change the credentials of the victim.
@ -473,7 +473,7 @@ However, the attacker may also take over the account by changing the e-mail addr
#### Other
Depending on your web application, there may be more ways to hijack the user's account. In many cases CSRF and XSS will help to do so. For example, as in a CSRF vulnerability in [Google Mail](https://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/). In this proof-of-concept attack, the victim would have been lured to a web site controlled by the attacker. On that site is a crafted IMG-tag which results in an HTTP GET request that changes the filter settings of Google Mail. If the victim was logged in to Google Mail, the attacker would change the filters to forward all e-mails to their e-mail address. This is nearly as harmful as hijacking the entire account. As a countermeasure, _review your application logic and eliminate all XSS and CSRF vulnerabilities_.
Depending on your web application, there may be more ways to hijack the user's account. In many cases CSRF and XSS will help to do so. For example, as in a CSRF vulnerability in [Google Mail](https://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/). In this proof-of-concept attack, the victim would have been lured to a website controlled by the attacker. On that site is a crafted IMG-tag which results in an HTTP GET request that changes the filter settings of Google Mail. If the victim was logged in to Google Mail, the attacker would change the filters to forward all e-mails to their e-mail address. This is nearly as harmful as hijacking the entire account. As a countermeasure, _review your application logic and eliminate all XSS and CSRF vulnerabilities_.
### CAPTCHAs
@ -685,9 +685,9 @@ INFO: _The most widespread, and one of the most devastating security vulnerabili
An entry point is a vulnerable URL and its parameters where an attacker can start an attack.
The most common entry points are message posts, user comments, and guest books, but project titles, document names, and search result pages have also been vulnerable - just about everywhere where the user can input data. But the input does not necessarily have to come from input boxes on web sites, it can be in any URL parameter - obvious, hidden or internal. Remember that the user may intercept any traffic. Applications or client-site proxies make it easy to change requests. There are also other attack vectors like banner advertisements.
The most common entry points are message posts, user comments, and guest books, but project titles, document names, and search result pages have also been vulnerable - just about everywhere where the user can input data. But the input does not necessarily have to come from input boxes on websites, it can be in any URL parameter - obvious, hidden or internal. Remember that the user may intercept any traffic. Applications or client-site proxies make it easy to change requests. There are also other attack vectors like banner advertisements.
XSS attacks work like this: An attacker injects some code, the web application saves it and displays it on a page, later presented to a victim. Most XSS examples simply display an alert box, but it is more powerful than that. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements for the benefit of the attacker, change elements on the web site to get confidential information or install malicious software through security holes in the web browser.
XSS attacks work like this: An attacker injects some code, the web application saves it and displays it on a page, later presented to a victim. Most XSS examples simply display an alert box, but it is more powerful than that. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements for the benefit of the attacker, change elements on the website to get confidential information or install malicious software through security holes in the web browser.
During the second half of 2007, there were 88 vulnerabilities reported in Mozilla browsers, 22 in Safari, 18 in IE, and 12 in Opera. The Symantec Global Internet Security threat report also documented 239 browser plug-in vulnerabilities in the last six months of 2007. [Mpack](https://www.pandasecurity.com/en/mediacenter/malware/mpack-uncovered/) is a very active and up-to-date attack framework which exploits these vulnerabilities. For criminal hackers, it is very attractive to exploit a SQL-Injection vulnerability in a web application framework and insert malicious code in every textual table column. In April 2008 more than 510,000 sites were hacked like this, among them the British government, United Nations, and many more high profile targets.
@ -732,7 +732,7 @@ You can mitigate these attacks (in the obvious way) by adding the **httpOnly** f
##### Defacement
With web page defacement an attacker can do a lot of things, for example, present false information or lure the victim on the attackers web site to steal the cookie, login credentials, or other sensitive data. The most popular way is to include code from external sources by iframes:
With web page defacement an attacker can do a lot of things, for example, present false information or lure the victim on the attackers website to steal the cookie, login credentials, or other sensitive data. The most popular way is to include code from external sources by iframes:
```html
<iframe name="StatPage" src="http://58.xx.xxx.xxx" width=5 height=5 style="display:none"></iframe>
@ -740,7 +740,7 @@ With web page defacement an attacker can do a lot of things, for example, presen
This loads arbitrary HTML and/or JavaScript from an external source and embeds it as part of the site. This `iframe` is taken from an actual attack on legitimate Italian sites using the [Mpack attack framework](https://isc.sans.edu/diary/MPack+Analysis/3015). Mpack tries to install malicious software through security holes in the web browser - very successfully, 50% of the attacks succeed.
A more specialized attack could overlap the entire web site or display a login form, which looks the same as the site's original, but transmits the user name and password to the attacker's site. Or it could use CSS and/or JavaScript to hide a legitimate link in the web application, and display another one at its place which redirects to a fake web site.
A more specialized attack could overlap the entire website or display a login form, which looks the same as the site's original, but transmits the user name and password to the attacker's site. Or it could use CSS and/or JavaScript to hide a legitimate link in the web application, and display another one at its place which redirects to a fake website.
Reflected injection attacks are those where the payload is not stored to present it to the victim later on, but included in the URL. Especially search forms fail to escape the search string. The following link presented a page which stated that "George Bush appointed a 9 year old boy to be the chairperson...":

View file

@ -173,7 +173,7 @@ module ApplicationTests
db_create_and_drop("db/development.sqlite3", environment_loaded: false)
end
test "db:create and db:drop dont raise errors when loading YAML with single-line ERB" do
test "db:create and db:drop don't raise errors when loading YAML with single-line ERB" do
app_file "config/database.yml", <<-YAML
development:
<%= Rails.application.config.database ? 'database: db/development.sqlite3' : 'database: db/development.sqlite3' %>

View file

@ -772,7 +772,7 @@ module ApplicationTests
db_create_and_drop_namespace("primary", "db/development.sqlite3")
end
test "db:create and db:drop dont raise errors when loading YAML with single-line ERB" do
test "db:create and db:drop don't raise errors when loading YAML with single-line ERB" do
app_file "config/database.yml", <<-YAML
development:
primary:

View file

@ -147,7 +147,7 @@ module RailtiesTest
end
end
test "dont reverse default railties order" do
test "don't reverse default railties order" do
@api = engine "api" do |plugin|
plugin.write "lib/api.rb", <<-RUBY
module Api