mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionpack/test/controller
John Hawthorn eb52904eb5 Always reject files external to app
Previously, when using `render file:`, it was possible to render files
not only at an absolute path or relative to the current directory, but
relative to ANY view paths. This was probably done for absolutely
maximum compatibility when addressing CVE-2016-0752, but I think it is
unlikely to be used in practice.

This commit removes the ability to `render file:` with a path relative
to a non-fallback view path.

Make FallbackResolver.new private

To ensure nobody is making FallbackResolvers other than "/" and "".

Make reject_files_external_... no-op for fallbacks

Because there are only two values used for path: "" and "/", and
File.join("", "") == File.join("/", "") == "/", this method was only
testing that the absolute paths started at "/" (which of course all do).

This commit doesn't change any behaviour, but it makes it explicit that
the FallbackFileSystemResolver works this way.

Remove outside_app_allowed argument

Deprecate find_all_anywhere

This is now equivalent to find_all

Remove outside_app argument

Deprecate find_file for find

Both LookupContext#find_file and PathSet#find_file are now equivalent to
their respective #find methods.
2019-04-03 09:02:28 -07:00
api Deprecate controller level force_ssl 2018-03-30 09:58:28 -04:00
controller_fixtures
metal Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
mime Remove :all symbol from Mime::ALL 2019-03-27 16:47:48 -07:00
new_base Always reject files external to app 2019-04-03 09:02:28 -07:00
parameters Enable Style/RedundantBegin cop to avoid newly adding redundant begin block 2018-12-21 06:12:42 +09:00
request Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
action_pack_assertions_test.rb url -> URL where apt inside actionpack/ 2019-04-01 22:58:02 +05:30
base_test.rb Revert "Don't handle params option in a special way in url_for helper" 2019-01-16 11:12:49 -05:00
caching_test.rb Pass the template format to the digestor 2019-02-15 17:27:33 -08:00
content_type_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
default_url_options_with_before_action_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
filters_test.rb Enable Lint/UselessAssignment cop to avoid unused variable warnings (#34904) 2019-01-09 18:09:01 +09:00
flash_hash_test.rb Replace assert ! with assert_not 2018-04-19 08:11:33 -04:00
flash_test.rb Remove secret_token rack env and cookie upgrade code 2019-01-17 16:08:34 -05:00
force_ssl_test.rb Deprecate controller level force_ssl 2018-03-30 09:58:28 -04:00
form_builder_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
helper_test.rb Make actionpack frozen string friendly 2017-07-24 23:38:04 +03:00
http_basic_authentication_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
http_digest_authentication_test.rb Remove secret_token rack env and cookie upgrade code 2019-01-17 16:08:34 -05:00
http_token_authentication_test.rb Enable Performance/UnfreezeString cop 2018-09-23 08:56:55 +09:00
integration_test.rb url -> URL where apt inside actionpack/ 2019-04-01 22:58:02 +05:30
live_stream_test.rb Change the empty block style to have space inside of the block 2018-09-25 13:19:35 -04:00
localized_templates_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
log_subscriber_test.rb Revert ensure external redirects are explicitly allowed 2019-01-22 11:40:13 -05:00
metal_test.rb Change the empty block style to have space inside of the block 2018-09-25 13:19:35 -04:00
output_escaping_test.rb Use assert_predicate and assert_not_predicate 2018-01-25 23:32:59 -05:00
parameter_encoding_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
params_parse_test.rb Allow rescue from parameter parse errors 2018-11-13 18:05:05 -05:00
params_wrapper_test.rb Merge pull request #31005 from shuheiktgw/remove_unnecessary_semicolons 2017-10-28 22:55:34 +10:30
permitted_params_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
redirect_test.rb Ensure that redirect_back with fallback_location to another host is allowed 2019-01-25 15:59:31 +00:00
render_js_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
render_json_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
render_test.rb Always reject files external to app 2019-04-03 09:02:28 -07:00
render_xml_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
renderer_test.rb url -> URL where apt inside actionpack/ 2019-04-01 22:58:02 +05:30
renderers_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
request_forgery_protection_test.rb Include application/javascript when checking content_type 2018-05-27 16:17:53 +02:00
required_params_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
rescue_test.rb Remove unused methods 2018-12-23 21:33:29 +09:00
resources_test.rb Merge pull request #20865 from colavitam/only-except-behavior 2018-11-19 19:06:40 -05:00
routing_test.rb Make Rails Facebook-free 2018-12-24 13:54:30 +05:30
runner_test.rb Use respond_to test helpers 2018-01-25 23:32:58 -05:00
send_file_test.rb Encode Content-Disposition filenames on send_data and send_file 2018-09-13 21:38:46 +09:00
show_exceptions_test.rb Fix test broken by 04ae0b0b5e 2019-03-19 18:42:37 -04:00
streaming_test.rb Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
test_case_test.rb url -> URL where apt inside actionpack/ 2019-04-01 22:58:02 +05:30
url_for_integration_test.rb Enable Layout/LeadingCommentSpace to not allow cosmetic changes in the future 2017-12-14 17:30:54 +09:00
url_for_test.rb Revert "Don't handle params option in a special way in url_for helper" 2019-01-16 11:12:49 -05:00
url_rewriter_test.rb Enable Layout/LeadingCommentSpace to not allow cosmetic changes in the future 2017-12-14 17:30:54 +09:00
webservice_test.rb Enable Lint/UselessAssignment cop to avoid unused variable warnings (#34904) 2019-01-09 18:09:01 +09:00