Certain groups of web proxies do not set these values properly.  Notably,
proxies for cell phones, which often do not set the remote IP information
correctly (not surprisingly, since the clients do not have an IP address).

Allowing this to be configurable makes it possible for developers to choose
to ignore this simple spoofing check, when a significant amount of their
traffic would result in false positives anyway.
Signed-off-by: NMichael Koziarski <michael@koziarski.com>

[#1200 state:committed]

* Make the old deprecated relative_url_root still set the value as it's still used by mongrel
* Set the default from the ENV value when the file is required, not at runtime.

Added stale?/fresh? and fresh_when methods to provide a layer of abstraction above request.fresh? and friends [DHH]

[#523 state:resolved]
Signed-off-by: NJeremy Kemper <jeremy@bitsweat.net>

Signed-off-by: NJoshua Peek <josh@joshpeek.com>

AbstractRequest.relative_url_root is no longer automatically configured by a HTTP header. It can now be set in your configuration environment with config.action_controller.relative_url_root

The accept header is poorly implemented by browsers and causes strange errors when used on public sites where crawlers make requests too.  You should use formatted urls (e.g. /people/1.xml) to support API clients. Alternatively to re-enable it you need to set:

config.action_controller.use_accept_header = true

A special case remains for ajax requests which will have a javascript format for the base resource (/people/1) if the X-Requested-With header is present.  This lets ajax pages still use format.js despite there being no params[:format]

Use xhr? instead of the expensive trip through Request#accepts.

Fixed Request#remote_ip to only raise hell if the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR doesnt match (not just if theyre both present) [Mark Imbriaco, Bradford Folkens]

Signed-off-by: NPratik Naik <pratiknaik@gmail.com>

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9242 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9124 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Fixed that ActionController::Base#read_multipart would fail if boundary was exactly 10240 bytes (closes #10886) [ariejan]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9113 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9020 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9010 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8986 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8811 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Provide a nicer way to access headers.  request.headers["Content-Type"] instead of request.headers["HTTP_CONTENT_TYPE"] [Koz]


git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8625 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8492 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8425 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Ignore illegal seeks on body rewind. Catches CGI errors depending on your httpd. Closes #10404 [Curtis Hawthorne]


git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8327 5ecf4fe2-1ee6-0310-87b1-e25e094e27de