In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes#5964
* In Rails 2.3 apps being upgraded, you will need to add the deprecation
configuration to each of your environments. Failing to do so will
result in the same behavior as Rails 2.3, but with an outputted warning
to provide information on how to set up the setting.
* New Rails 3 applications generate the setting
* The notification style will send deprecation notices using
ActiveSupport::Notifications. Third-party tools can listen in to
these notifications to provide a streamlined view of the
deprecation notices occurring in your app.
* The payload in the notification is the deprecation warning itself
as well as the callstack from the point that triggered the
notification.