actionpack 3.2.19 → 4.2.11.3
Potentially problematic release.
This version of actionpack might be problematic.
- checksums.yaml +7 -0
- data/CHANGELOG.md +412 -503
- data/MIT-LICENSE +1 -1
- data/README.rdoc +11 -294
- data/lib/abstract_controller/asset_paths.rb +2 -2
- data/lib/abstract_controller/base.rb +52 -18
- data/lib/abstract_controller/callbacks.rb +87 -89
- data/lib/abstract_controller/collector.rb +17 -3
- data/lib/abstract_controller/helpers.rb +41 -14
- data/lib/abstract_controller/logger.rb +1 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +3 -3
- data/lib/abstract_controller/rendering.rb +65 -118
- data/lib/abstract_controller/translation.rb +16 -1
- data/lib/abstract_controller/url_for.rb +7 -7
- data/lib/abstract_controller.rb +2 -10
- data/lib/action_controller/base.rb +61 -28
- data/lib/action_controller/caching/fragments.rb +30 -54
- data/lib/action_controller/caching.rb +38 -35
- data/lib/action_controller/log_subscriber.rb +35 -18
- data/lib/action_controller/metal/conditional_get.rb +103 -34
- data/lib/action_controller/metal/data_streaming.rb +20 -26
- data/lib/action_controller/metal/etag_with_template_digest.rb +50 -0
- data/lib/action_controller/metal/exceptions.rb +19 -6
- data/lib/action_controller/metal/flash.rb +41 -9
- data/lib/action_controller/metal/force_ssl.rb +70 -12
- data/lib/action_controller/metal/head.rb +30 -7
- data/lib/action_controller/metal/helpers.rb +11 -11
- data/lib/action_controller/metal/hide_actions.rb +0 -1
- data/lib/action_controller/metal/http_authentication.rb +140 -94
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -7
- data/lib/action_controller/metal/live.rb +328 -0
- data/lib/action_controller/metal/mime_responds.rb +161 -152
- data/lib/action_controller/metal/params_wrapper.rb +126 -81
- data/lib/action_controller/metal/rack_delegation.rb +10 -4
- data/lib/action_controller/metal/redirecting.rb +44 -41
- data/lib/action_controller/metal/renderers.rb +48 -19
- data/lib/action_controller/metal/rendering.rb +46 -11
- data/lib/action_controller/metal/request_forgery_protection.rb +250 -29
- data/lib/action_controller/metal/streaming.rb +30 -38
- data/lib/action_controller/metal/strong_parameters.rb +669 -0
- data/lib/action_controller/metal/testing.rb +12 -18
- data/lib/action_controller/metal/url_for.rb +31 -29
- data/lib/action_controller/metal.rb +31 -40
- data/lib/action_controller/model_naming.rb +12 -0
- data/lib/action_controller/railtie.rb +38 -18
- data/lib/action_controller/railties/helpers.rb +22 -0
- data/lib/action_controller/test_case.rb +359 -173
- data/lib/action_controller.rb +9 -16
- data/lib/action_dispatch/http/cache.rb +64 -11
- data/lib/action_dispatch/http/filter_parameters.rb +20 -10
- data/lib/action_dispatch/http/filter_redirect.rb +38 -0
- data/lib/action_dispatch/http/headers.rb +85 -17
- data/lib/action_dispatch/http/mime_negotiation.rb +55 -5
- data/lib/action_dispatch/http/mime_type.rb +167 -114
- data/lib/action_dispatch/http/mime_types.rb +2 -1
- data/lib/action_dispatch/http/parameter_filter.rb +44 -46
- data/lib/action_dispatch/http/parameters.rb +30 -46
- data/lib/action_dispatch/http/rack_cache.rb +2 -3
- data/lib/action_dispatch/http/request.rb +108 -45
- data/lib/action_dispatch/http/response.rb +247 -48
- data/lib/action_dispatch/http/upload.rb +60 -29
- data/lib/action_dispatch/http/url.rb +135 -45
- data/lib/action_dispatch/journey/backwards.rb +5 -0
- data/lib/action_dispatch/journey/formatter.rb +166 -0
- data/lib/action_dispatch/journey/gtg/builder.rb +162 -0
- data/lib/action_dispatch/journey/gtg/simulator.rb +47 -0
- data/lib/action_dispatch/journey/gtg/transition_table.rb +157 -0
- data/lib/action_dispatch/journey/nfa/builder.rb +76 -0
- data/lib/action_dispatch/journey/nfa/dot.rb +36 -0
- data/lib/action_dispatch/journey/nfa/simulator.rb +47 -0
- data/lib/action_dispatch/journey/nfa/transition_table.rb +163 -0
- data/lib/action_dispatch/journey/nodes/node.rb +128 -0
- data/lib/action_dispatch/journey/parser.rb +198 -0
- data/lib/action_dispatch/journey/parser.y +49 -0
- data/lib/action_dispatch/journey/parser_extras.rb +23 -0
- data/lib/action_dispatch/journey/path/pattern.rb +193 -0
- data/lib/action_dispatch/journey/route.rb +125 -0
- data/lib/action_dispatch/journey/router/strexp.rb +27 -0
- data/lib/action_dispatch/journey/router/utils.rb +93 -0
- data/lib/action_dispatch/journey/router.rb +144 -0
- data/lib/action_dispatch/journey/routes.rb +80 -0
- data/lib/action_dispatch/journey/scanner.rb +61 -0
- data/lib/action_dispatch/journey/visitors.rb +221 -0
- data/lib/action_dispatch/journey/visualizer/fsm.css +30 -0
- data/lib/action_dispatch/journey/visualizer/fsm.js +134 -0
- data/lib/action_dispatch/journey/visualizer/index.html.erb +52 -0
- data/lib/action_dispatch/journey.rb +5 -0
- data/lib/action_dispatch/middleware/callbacks.rb +16 -11
- data/lib/action_dispatch/middleware/cookies.rb +346 -125
- data/lib/action_dispatch/middleware/debug_exceptions.rb +52 -24
- data/lib/action_dispatch/middleware/exception_wrapper.rb +75 -9
- data/lib/action_dispatch/middleware/flash.rb +85 -72
- data/lib/action_dispatch/middleware/params_parser.rb +16 -31
- data/lib/action_dispatch/middleware/public_exceptions.rb +39 -14
- data/lib/action_dispatch/middleware/reloader.rb +16 -7
- data/lib/action_dispatch/middleware/remote_ip.rb +132 -40
- data/lib/action_dispatch/middleware/request_id.rb +3 -7
- data/lib/action_dispatch/middleware/session/abstract_store.rb +22 -20
- data/lib/action_dispatch/middleware/session/cache_store.rb +3 -3
- data/lib/action_dispatch/middleware/session/cookie_store.rb +84 -29
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -3
- data/lib/action_dispatch/middleware/show_exceptions.rb +15 -44
- data/lib/action_dispatch/middleware/ssl.rb +72 -0
- data/lib/action_dispatch/middleware/stack.rb +6 -1
- data/lib/action_dispatch/middleware/static.rb +80 -23
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +34 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +23 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.erb +27 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +52 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.text.erb +9 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +16 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +9 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +133 -5
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +11 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +32 -0
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.text.erb +11 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +20 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +6 -0
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +16 -0
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +200 -0
- data/lib/action_dispatch/railtie.rb +19 -6
- data/lib/action_dispatch/request/session.rb +193 -0
- data/lib/action_dispatch/request/utils.rb +35 -0
- data/lib/action_dispatch/routing/endpoint.rb +10 -0
- data/lib/action_dispatch/routing/inspector.rb +234 -0
- data/lib/action_dispatch/routing/mapper.rb +897 -436
- data/lib/action_dispatch/routing/polymorphic_routes.rb +213 -92
- data/lib/action_dispatch/routing/redirection.rb +97 -37
- data/lib/action_dispatch/routing/route_set.rb +432 -239
- data/lib/action_dispatch/routing/routes_proxy.rb +7 -4
- data/lib/action_dispatch/routing/url_for.rb +63 -34
- data/lib/action_dispatch/routing.rb +57 -89
- data/lib/action_dispatch/testing/assertions/dom.rb +2 -36
- data/lib/action_dispatch/testing/assertions/response.rb +24 -38
- data/lib/action_dispatch/testing/assertions/routing.rb +55 -54
- data/lib/action_dispatch/testing/assertions/selector.rb +2 -434
- data/lib/action_dispatch/testing/assertions/tag.rb +2 -137
- data/lib/action_dispatch/testing/assertions.rb +11 -7
- data/lib/action_dispatch/testing/integration.rb +88 -72
- data/lib/action_dispatch/testing/test_process.rb +9 -6
- data/lib/action_dispatch/testing/test_request.rb +13 -9
- data/lib/action_dispatch/testing/test_response.rb +1 -5
- data/lib/action_dispatch.rb +24 -21
- data/lib/action_pack/gem_version.rb +15 -0
- data/lib/action_pack/version.rb +5 -7
- data/lib/action_pack.rb +1 -1
- metadata +181 -292
- data/lib/abstract_controller/layouts.rb +0 -423
- data/lib/abstract_controller/view_paths.rb +0 -96
- data/lib/action_controller/caching/actions.rb +0 -185
- data/lib/action_controller/caching/pages.rb +0 -187
- data/lib/action_controller/caching/sweeping.rb +0 -97
- data/lib/action_controller/deprecated/integration_test.rb +0 -2
- data/lib/action_controller/deprecated/performance_test.rb +0 -1
- data/lib/action_controller/deprecated.rb +0 -3
- data/lib/action_controller/metal/compatibility.rb +0 -65
- data/lib/action_controller/metal/responder.rb +0 -286
- data/lib/action_controller/metal/session_management.rb +0 -14
- data/lib/action_controller/railties/paths.rb +0 -25
- data/lib/action_controller/record_identifier.rb +0 -85
- data/lib/action_controller/vendor/html-scanner/html/document.rb +0 -68
- data/lib/action_controller/vendor/html-scanner/html/node.rb +0 -532
- data/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +0 -177
- data/lib/action_controller/vendor/html-scanner/html/selector.rb +0 -830
- data/lib/action_controller/vendor/html-scanner/html/tokenizer.rb +0 -107
- data/lib/action_controller/vendor/html-scanner/html/version.rb +0 -11
- data/lib/action_controller/vendor/html-scanner.rb +0 -20
- data/lib/action_dispatch/middleware/best_standards_support.rb +0 -30
- data/lib/action_dispatch/middleware/body_proxy.rb +0 -30
- data/lib/action_dispatch/middleware/head.rb +0 -18
- data/lib/action_dispatch/middleware/rescue.rb +0 -26
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb +0 -31
- data/lib/action_dispatch/middleware/templates/rescues/_trace.erb +0 -26
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb +0 -10
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.erb +0 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.erb +0 -15
- data/lib/action_dispatch/middleware/templates/rescues/template_error.erb +0 -17
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb +0 -2
- data/lib/action_dispatch/testing/performance_test.rb +0 -10
- data/lib/action_view/asset_paths.rb +0 -142
- data/lib/action_view/base.rb +0 -220
- data/lib/action_view/buffers.rb +0 -43
- data/lib/action_view/context.rb +0 -36
- data/lib/action_view/flows.rb +0 -79
- data/lib/action_view/helpers/active_model_helper.rb +0 -50
- data/lib/action_view/helpers/asset_paths.rb +0 -7
- data/lib/action_view/helpers/asset_tag_helper.rb +0 -457
- data/lib/action_view/helpers/asset_tag_helpers/asset_include_tag.rb +0 -146
- data/lib/action_view/helpers/asset_tag_helpers/asset_paths.rb +0 -93
- data/lib/action_view/helpers/asset_tag_helpers/javascript_tag_helpers.rb +0 -193
- data/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb +0 -148
- data/lib/action_view/helpers/atom_feed_helper.rb +0 -200
- data/lib/action_view/helpers/cache_helper.rb +0 -64
- data/lib/action_view/helpers/capture_helper.rb +0 -203
- data/lib/action_view/helpers/controller_helper.rb +0 -25
- data/lib/action_view/helpers/csrf_helper.rb +0 -32
- data/lib/action_view/helpers/date_helper.rb +0 -1062
- data/lib/action_view/helpers/debug_helper.rb +0 -40
- data/lib/action_view/helpers/form_helper.rb +0 -1486
- data/lib/action_view/helpers/form_options_helper.rb +0 -658
- data/lib/action_view/helpers/form_tag_helper.rb +0 -685
- data/lib/action_view/helpers/javascript_helper.rb +0 -110
- data/lib/action_view/helpers/number_helper.rb +0 -622
- data/lib/action_view/helpers/output_safety_helper.rb +0 -38
- data/lib/action_view/helpers/record_tag_helper.rb +0 -111
- data/lib/action_view/helpers/rendering_helper.rb +0 -90
- data/lib/action_view/helpers/sanitize_helper.rb +0 -259
- data/lib/action_view/helpers/tag_helper.rb +0 -160
- data/lib/action_view/helpers/text_helper.rb +0 -426
- data/lib/action_view/helpers/translation_helper.rb +0 -91
- data/lib/action_view/helpers/url_helper.rb +0 -693
- data/lib/action_view/helpers.rb +0 -60
- data/lib/action_view/locale/en.yml +0 -160
- data/lib/action_view/log_subscriber.rb +0 -28
- data/lib/action_view/lookup_context.rb +0 -254
- data/lib/action_view/path_set.rb +0 -89
- data/lib/action_view/railtie.rb +0 -55
- data/lib/action_view/renderer/abstract_renderer.rb +0 -41
- data/lib/action_view/renderer/partial_renderer.rb +0 -415
- data/lib/action_view/renderer/renderer.rb +0 -54
- data/lib/action_view/renderer/streaming_template_renderer.rb +0 -106
- data/lib/action_view/renderer/template_renderer.rb +0 -94
- data/lib/action_view/template/error.rb +0 -128
- data/lib/action_view/template/handlers/builder.rb +0 -26
- data/lib/action_view/template/handlers/erb.rb +0 -125
- data/lib/action_view/template/handlers.rb +0 -50
- data/lib/action_view/template/resolver.rb +0 -272
- data/lib/action_view/template/text.rb +0 -30
- data/lib/action_view/template.rb +0 -337
- data/lib/action_view/test_case.rb +0 -245
- data/lib/action_view/testing/resolvers.rb +0 -50
- data/lib/action_view.rb +0 -84
- data/lib/sprockets/assets.rake +0 -99
- data/lib/sprockets/bootstrap.rb +0 -37
- data/lib/sprockets/compressors.rb +0 -83
- data/lib/sprockets/helpers/isolated_helper.rb +0 -13
- data/lib/sprockets/helpers/rails_helper.rb +0 -182
- data/lib/sprockets/helpers.rb +0 -6
- data/lib/sprockets/railtie.rb +0 -62
- data/lib/sprockets/static_compiler.rb +0 -56
data/CHANGELOG.md
CHANGED
@@ -1,781 +1,690 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 4.2.11.3 (May 15, 2020) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
`options[:raise]`.
|
5
|
-
|
6
|
-
This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
|
7
|
-
|
8
|
-
*Shota Fukumori (sora_h)*
|
9
|
-
|
10
|
-
|
11
|
-
## Rails 3.2.18 (May 6, 2014) ##
|
12
|
-
|
13
|
-
* Only accept actions without File::SEPARATOR in the name.
|
14
|
-
|
15
|
-
This will avoid directory traversal in implicit render.
|
16
|
-
|
17
|
-
Fixes: CVE-2014-0130
|
18
|
-
|
19
|
-
*Rafael Mendonça França*
|
3
|
+
* No changes.
|
20
4
|
|
21
5
|
|
22
|
-
## Rails
|
6
|
+
## Rails 4.2.11.2 (May 15, 2020) ##
|
23
7
|
|
24
|
-
*
|
8
|
+
* No changes.
|
25
9
|
|
26
|
-
Fixes: CVE-2014-0082
|
27
10
|
|
28
|
-
|
11
|
+
## Rails 4.2.11.1 (March 11, 2019) ##
|
29
12
|
|
30
|
-
|
13
|
+
* No changes.
|
31
14
|
|
32
15
|
|
33
|
-
## Rails
|
16
|
+
## Rails 4.2.11 (November 27, 2018) ##
|
34
17
|
|
35
|
-
*
|
18
|
+
* No changes.
|
36
19
|
|
37
|
-
* Stop using i18n's built in HTML error handling. Fixes: CVE-2013-4491
|
38
20
|
|
39
|
-
|
21
|
+
## Rails 4.2.10 (September 27, 2017) ##
|
40
22
|
|
41
|
-
*
|
23
|
+
* Fix regression in behavior of `normalize_path`.
|
42
24
|
|
43
|
-
|
25
|
+
In Rails 5 there was a change to ensure the encoding of the original string
|
26
|
+
in a path was maintained. This was incorrectly backported to Rails 4.2 which
|
27
|
+
caused a regression.
|
44
28
|
|
45
|
-
*
|
46
|
-
attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
|
29
|
+
*Eileen M. Uchitelle*
|
47
30
|
|
48
|
-
|
49
|
-
Backports #10844
|
31
|
+
## Rails 4.2.9 (June 26, 2017) ##
|
50
32
|
|
51
|
-
|
33
|
+
* Use more specific check for :format in route path
|
52
34
|
|
53
|
-
|
54
|
-
|
35
|
+
The current check for whether to add an optional format to the path is very lax
|
36
|
+
and will match things like `:format_id` where there are nested resources, e.g:
|
55
37
|
|
56
|
-
|
57
|
-
|
38
|
+
``` ruby
|
39
|
+
resources :formats do
|
40
|
+
resources :items
|
41
|
+
end
|
42
|
+
```
|
58
43
|
|
59
|
-
|
44
|
+
Fix this by using a more restrictive regex pattern that looks for the patterns
|
45
|
+
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
46
|
+
allow for multiple closing parenthesis since the route may be of this form:
|
60
47
|
|
61
|
-
|
48
|
+
``` ruby
|
49
|
+
get "/books(/:action(.:format))", controller: "books"
|
50
|
+
```
|
62
51
|
|
63
|
-
|
52
|
+
This probably isn't what's intended since it means that the default index action
|
53
|
+
route doesn't support a format but we have a test for it so we need to allow it.
|
64
54
|
|
65
|
-
|
66
|
-
does not show user-supplied message.
|
55
|
+
Fixes #28517.
|
67
56
|
|
68
|
-
|
69
|
-
matching the expected redirect the user-supplied message (second parameter)
|
70
|
-
is not shown. This message is only shown if the response is not a redirect.
|
57
|
+
*Andrew White*
|
71
58
|
|
72
|
-
*Alexey Chernenkov*
|
73
59
|
|
60
|
+
## Rails 4.2.8 (February 21, 2017) ##
|
74
61
|
|
75
|
-
|
62
|
+
* No changes.
|
76
63
|
|
77
|
-
* Merge `:action` from routing scope and assign endpoint if both `:controller`
|
78
|
-
and `:action` are present. The endpoint assignment only occurs if there is
|
79
|
-
no `:to` present in the options hash so should only affect routes using the
|
80
|
-
shorthand syntax (i.e. endpoint is inferred from the the path).
|
81
64
|
|
82
|
-
|
65
|
+
## Rails 4.2.7 (July 12, 2016) ##
|
83
66
|
|
84
|
-
|
67
|
+
* No changes.
|
85
68
|
|
86
|
-
* Always escape the result of `link_to_unless` method.
|
87
69
|
|
88
|
-
|
70
|
+
## Rails 4.2.6 (March 07, 2016) ##
|
89
71
|
|
90
|
-
|
91
|
-
# => "<b>Showing</b>"
|
72
|
+
* No changes.
|
92
73
|
|
93
|
-
After:
|
94
74
|
|
95
|
-
|
96
|
-
# => "<b>Showing</b>"
|
75
|
+
## Rails 4.2.5.2 (February 26, 2016) ##
|
97
76
|
|
98
|
-
|
77
|
+
* Do not allow render with unpermitted parameter.
|
99
78
|
|
100
|
-
|
79
|
+
Fixes CVE-2016-2098.
|
101
80
|
|
102
|
-
|
103
|
-
different URIs.
|
81
|
+
*Arthur Neves*
|
104
82
|
|
105
|
-
Before:
|
106
83
|
|
107
|
-
|
108
|
-
# => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
|
109
|
-
image_tag("http://google.com")
|
110
|
-
# => "<img alt=\"Google\" src=\"http://google.com\" />"
|
84
|
+
## Rails 4.2.5.1 (January 25, 2015) ##
|
111
85
|
|
112
|
-
|
86
|
+
* No changes.
|
113
87
|
|
114
|
-
image_tag("HTTP://google.com")
|
115
|
-
# => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
|
116
|
-
image_tag("http://google.com")
|
117
|
-
# => "<img alt=\"Google\" src=\"http://google.com\" />"
|
118
88
|
|
119
|
-
|
89
|
+
## Rails 4.2.5 (November 12, 2015) ##
|
120
90
|
|
121
|
-
*
|
122
|
-
|
123
|
-
but if an explicit name is passed to `file_field` the `[]` is not
|
124
|
-
appended.
|
125
|
-
Fixes #9830.
|
91
|
+
* `ActionController::TestCase` can teardown gracefully if an error is raised
|
92
|
+
early in the `setup` chain.
|
126
93
|
|
127
|
-
*
|
94
|
+
*Yves Senn*
|
128
95
|
|
129
|
-
*
|
96
|
+
* Parse RSS/ATOM responses as XML, not HTML.
|
130
97
|
|
131
|
-
|
132
|
-
for those files their extensions don't need to be rewritten.
|
98
|
+
*Alexander Kaupanin*
|
133
99
|
|
134
|
-
|
100
|
+
* Fix regression in mounted engine named routes generation for app deployed to
|
101
|
+
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
102
|
+
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
135
103
|
|
136
|
-
|
104
|
+
Fixes #20920. Fixes #21459.
|
137
105
|
|
138
|
-
*
|
139
|
-
Fixes #9799.
|
106
|
+
*Matthew Erhard*
|
140
107
|
|
141
|
-
|
108
|
+
* `url_for` does not modify its arguments when generating polymorphic URLs.
|
142
109
|
|
143
|
-
*
|
144
|
-
the units hash does not contain the needed key, e.g. when the number provided is less
|
145
|
-
than the largest key provided.
|
110
|
+
*Bernerd Schaefer*
|
146
111
|
|
147
|
-
|
112
|
+
* Update `ActionController::TestSession#fetch` to behave more like
|
113
|
+
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
148
114
|
|
149
|
-
|
150
|
-
number_to_human(123, units: { thousand: 'k' }) # => 123
|
115
|
+
*Jeremy Friesen*
|
151
116
|
|
152
|
-
Fixes #9269.
|
153
|
-
Backport #9347.
|
154
117
|
|
155
|
-
|
118
|
+
## Rails 4.2.4 (August 24, 2015) ##
|
156
119
|
|
157
|
-
*
|
158
|
-
|
120
|
+
* ActionController::TestSession now accepts a default value as well as
|
121
|
+
a block for generating a default value based off the key provided.
|
159
122
|
|
160
|
-
|
123
|
+
This fixes calls to session#fetch in ApplicationController instances that
|
124
|
+
take more two arguments or a block from raising `ArgumentError: wrong
|
125
|
+
number of arguments (2 for 1)` when performing controller tests.
|
161
126
|
|
162
|
-
*
|
163
|
-
empty string. Fix #7774 [Backport #8977, #9541]
|
127
|
+
*Matthew Gerrior*
|
164
128
|
|
165
|
-
|
129
|
+
* Fix to keep original header instance in `ActionDispatch::SSL`
|
166
130
|
|
131
|
+
`ActionDispatch::SSL` changes headers to `Hash`.
|
132
|
+
So some headers will be broken if there are some middlewares
|
133
|
+
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
167
134
|
|
168
|
-
|
135
|
+
*Fumiaki Matsushima*
|
169
136
|
|
170
|
-
* Fix incorrectly appended square brackets to a multiple select box
|
171
|
-
if an explicit name has been given and it already ends with "[]".
|
172
137
|
|
173
|
-
|
138
|
+
## Rails 4.2.3 (June 25, 2015) ##
|
174
139
|
|
175
|
-
|
176
|
-
|
140
|
+
* Fix rake routes not showing the right format when
|
141
|
+
nesting multiple routes.
|
177
142
|
|
178
|
-
|
143
|
+
See #18373.
|
179
144
|
|
180
|
-
|
181
|
-
# => <select name="post[category][]" ...>
|
145
|
+
*Ravil Bayramgalin*
|
182
146
|
|
183
|
-
|
147
|
+
* Fix regression where a gzip file response would have a Content-type,
|
148
|
+
even when it was a 304 status code.
|
184
149
|
|
185
|
-
|
150
|
+
See #19271.
|
186
151
|
|
187
|
-
*
|
188
|
-
shorthand syntax. Previously the complete path was used, which led
|
189
|
-
to problems with nesting (scopes and namespaces).
|
190
|
-
Fixes #7554.
|
191
|
-
Backport #9361.
|
152
|
+
*Kohei Suzuki*
|
192
153
|
|
193
|
-
|
154
|
+
* Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
|
194
155
|
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
end
|
156
|
+
Previously, an empty X_FORWARDED_HOST header would cause
|
157
|
+
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
158
|
+
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
199
159
|
|
200
|
-
*
|
160
|
+
*Adam Forsyth*
|
201
161
|
|
202
|
-
*
|
203
|
-
Fix #1743.
|
204
|
-
Backport #5288.
|
162
|
+
* Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
|
205
163
|
|
206
|
-
|
164
|
+
Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
|
165
|
+
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
166
|
+
is set, it takes precedence.
|
207
167
|
|
208
|
-
|
209
|
-
not interfere with use of underscore method ( and we don't need locks )
|
168
|
+
Fixes #5122.
|
210
169
|
|
211
|
-
*
|
170
|
+
*Yasyf Mohamedali*
|
212
171
|
|
213
|
-
*
|
214
|
-
|
172
|
+
* Fix regression in functional tests. Responses should have default headers
|
173
|
+
assigned.
|
215
174
|
|
216
|
-
|
175
|
+
See #18423.
|
217
176
|
|
218
|
-
*
|
177
|
+
*Jeremy Kemper*, *Yves Senn*
|
219
178
|
|
220
|
-
*Dylan Smith*
|
221
179
|
|
222
|
-
|
223
|
-
files with non-standard extensions.
|
180
|
+
## Rails 4.2.2 (June 16, 2015) ##
|
224
181
|
|
225
|
-
|
182
|
+
* No Changes *
|
226
183
|
|
227
|
-
* Fixes issue where duplicate assets can be required with sprockets.
|
228
184
|
|
229
|
-
|
185
|
+
## Rails 4.2.1 (March 19, 2015) ##
|
230
186
|
|
231
|
-
*
|
187
|
+
* Non-string authenticity tokens do not raise NoMethodError when decoding
|
188
|
+
the masked token.
|
232
189
|
|
233
|
-
*
|
190
|
+
*Ville Lautanala*
|
234
191
|
|
235
|
-
*
|
192
|
+
* Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
|
236
193
|
|
237
|
-
|
238
|
-
|
194
|
+
Fixes an issue where a mounted rack app at root would intercept the HEAD
|
195
|
+
request causing an incorrect behavior during the fall back to GET requests.
|
239
196
|
|
240
197
|
Example:
|
241
|
-
|
242
|
-
|
198
|
+
```ruby
|
199
|
+
draw do
|
200
|
+
get '/home' => 'test#index'
|
201
|
+
mount rack_app, at: '/'
|
202
|
+
end
|
203
|
+
head '/home'
|
204
|
+
assert_response :success
|
205
|
+
```
|
206
|
+
In this case, a HEAD request runs through the routes the first time and fails
|
207
|
+
to match anything. Then, it runs through the list with the fallback and matches
|
208
|
+
`get '/home'`. The original behavior would match the rack app in the first pass.
|
243
209
|
|
244
|
-
|
245
|
-
root_url # => http://test.host/
|
210
|
+
*Terence Sun*
|
246
211
|
|
247
|
-
|
212
|
+
* Preserve default format when generating URLs
|
248
213
|
|
249
|
-
|
214
|
+
Fixes an issue that would cause the format set in default_url_options to be
|
215
|
+
lost when generating URLs with fewer positional arguments than parameters in
|
216
|
+
the route definition.
|
250
217
|
|
251
|
-
|
218
|
+
Backport of #18627
|
252
219
|
|
253
|
-
*
|
254
|
-
explicitly rather than just clearing the module because it didn't work
|
255
|
-
properly and could be the source of a memory leak.
|
220
|
+
*Tekin Suleyman*, *Dominic Baggott*
|
256
221
|
|
257
|
-
|
258
|
-
|
259
|
-
* Fix a bug in `ActionDispatch::Request#raw_post` that caused `env['rack.input']`
|
260
|
-
to be read but not rewound.
|
261
|
-
|
262
|
-
*Matt Venables*
|
263
|
-
|
264
|
-
* More descriptive error messages when calling `render :partial` with
|
265
|
-
an invalid `:layout` argument.
|
266
|
-
|
267
|
-
Fixes #8376.
|
268
|
-
|
269
|
-
render :partial => 'partial', :layout => true
|
270
|
-
# results in ActionView::MissingTemplate: Missing partial /true
|
271
|
-
|
272
|
-
*Yves Senn*
|
273
|
-
|
274
|
-
* Accept symbols as `#send_data` :disposition value. [Backport #8329] *Elia Schito*
|
275
|
-
|
276
|
-
* Add i18n scope to `distance_of_time_in_words`. [Backport #7997] *Steve Klabnik*
|
277
|
-
|
278
|
-
* Fix side effect of `url_for` changing the `:controller` string option. [Backport #6003]
|
279
|
-
Before:
|
222
|
+
* Default headers, removed in controller actions, are no longer reapplied on
|
223
|
+
the test response.
|
280
224
|
|
281
|
-
|
282
|
-
url_for :controller => controller, :action => 'status'
|
225
|
+
*Jonas Baumann*
|
283
226
|
|
284
|
-
|
227
|
+
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
285
228
|
|
286
|
-
|
229
|
+
Fixes an issue where when an exception is raised in the request the additonal
|
230
|
+
payload data is not available.
|
287
231
|
|
288
|
-
|
232
|
+
See:
|
233
|
+
* #14903
|
234
|
+
* https://github.com/roidrage/lograge/issues/37
|
289
235
|
|
290
|
-
*
|
236
|
+
*Dieter Komendera*, *Margus Pärt*
|
291
237
|
|
292
|
-
*
|
293
|
-
of mime types where template text is not html escaped by default. It prevents `Jack & Joe`
|
294
|
-
from rendering as `Jack & Joe` for the whitelisted mime types. The default whitelist
|
295
|
-
contains text/plain. Fix #7976 [Backport #8235]
|
238
|
+
* Correctly rely on the response's status code to handle calls to `head`.
|
296
239
|
|
297
|
-
*
|
240
|
+
*Robin Dupret*
|
298
241
|
|
299
|
-
* `
|
300
|
-
|
242
|
+
* Using `head` method returns empty response_body instead
|
243
|
+
of returning a single space " ".
|
301
244
|
|
302
|
-
|
245
|
+
The old behavior was added as a workaround for a bug in an early
|
246
|
+
version of Safari, where the HTTP headers are not returned correctly
|
247
|
+
if the response body has a 0-length. This is been fixed since and
|
248
|
+
the workaround is no longer necessary.
|
303
249
|
|
304
|
-
|
305
|
-
Fix #7842
|
250
|
+
Fixes #18253.
|
306
251
|
|
307
|
-
*
|
252
|
+
*Prathamesh Sonpatki*
|
308
253
|
|
309
|
-
* Fix
|
254
|
+
* Fix how polymorphic routes works with objects that implement `to_model`.
|
310
255
|
|
311
|
-
|
256
|
+
*Travis Grathwell*
|
312
257
|
|
313
|
-
|
314
|
-
#=> <input name=\"post[foo][comment_ids]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids]\" type=\"checkbox\" value=\"1\" />
|
258
|
+
* Fixed handling of positional url helper arguments when `format: false`.
|
315
259
|
|
316
|
-
|
260
|
+
Fixes #17819.
|
317
261
|
|
318
|
-
|
319
|
-
#=> <input name=\"post[foo][comment_ids][]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids][]\" type=\"checkbox\" value=\"1\" />
|
262
|
+
*Andrew White*, *Tatiana Soukiassian*
|
320
263
|
|
321
|
-
|
264
|
+
* Fixed usage of optional scopes in URL helpers.
|
322
265
|
|
323
|
-
*
|
266
|
+
*Alex Robbin*
|
324
267
|
|
325
268
|
|
326
|
-
## Rails
|
269
|
+
## Rails 4.2.0 (December 20, 2014) ##
|
327
270
|
|
328
|
-
*
|
271
|
+
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
272
|
+
`Hash` representation of Parameters object. This is now a preferred way to
|
273
|
+
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
274
|
+
object in Rails 5.0.
|
329
275
|
|
276
|
+
*Prem Sichanugrist*
|
330
277
|
|
331
|
-
|
278
|
+
* Restore handling of a bare `Authorization` header, without `token=`
|
279
|
+
prefix.
|
332
280
|
|
333
|
-
|
281
|
+
Fixes #17108.
|
334
282
|
|
283
|
+
*Guo Xiang Tan*
|
335
284
|
|
336
|
-
|
285
|
+
* Deprecate use of string keys in URL helpers.
|
337
286
|
|
338
|
-
|
287
|
+
Use symbols instead.
|
288
|
+
Fixes #16958.
|
339
289
|
|
290
|
+
*Byron Bischoff*, *Melanie Gilman*
|
340
291
|
|
341
|
-
|
292
|
+
* Deprecate the `only_path` option on `*_path` helpers.
|
342
293
|
|
343
|
-
|
294
|
+
In cases where this option is set to `true`, the option is redundant and can
|
295
|
+
be safely removed; otherwise, the corresponding `*_url` helper should be
|
296
|
+
used instead.
|
344
297
|
|
345
|
-
|
298
|
+
Fixes #17294.
|
346
299
|
|
347
|
-
*
|
348
|
-
This added a regression since it is changing the URL mapping.
|
349
|
-
This makes the stable release backward compatible.
|
300
|
+
*Dan Olson*, *Godfrey Chan*
|
350
301
|
|
351
|
-
|
302
|
+
* Improve Journey compliance to RFC 3986.
|
352
303
|
|
353
|
-
|
354
|
-
|
355
|
-
|
356
|
-
Fixes #8068.
|
304
|
+
The scanner in Journey failed to recognize routes that use literals
|
305
|
+
from the sub-delims section of RFC 3986. It's now able to parse those
|
306
|
+
authorized delimiters and route as expected.
|
357
307
|
|
358
|
-
|
308
|
+
Fixes #17212.
|
359
309
|
|
360
|
-
*
|
361
|
-
naming collisions. This added a regression related with shoulda-matchers, since it is
|
362
|
-
expecting the [instance variable @layouts](https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74).
|
363
|
-
This will introduce back #7459 but this stable release will be backward compatible.
|
364
|
-
Fixes #8068.
|
310
|
+
*Nicolas Cavigneaux*
|
365
311
|
|
366
|
-
|
312
|
+
* Deprecate implicit Array conversion for Response objects. It was added
|
313
|
+
(using `#to_ary`) so we could conveniently use implicit splatting:
|
367
314
|
|
368
|
-
|
315
|
+
status, headers, body = response
|
369
316
|
|
370
|
-
|
371
|
-
|
372
|
-
|
373
|
-
*Yves Senn*
|
374
|
-
|
375
|
-
* Rename internal variables on ActionController::TemplateAssertions to prevent
|
376
|
-
naming collisions. @partials, @templates and @layouts are now prefixed with an underscore.
|
377
|
-
Fix #7459
|
378
|
-
|
379
|
-
*Yves Senn*
|
317
|
+
But it also means `response + response` works and `[response].flatten`
|
318
|
+
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
319
|
+
explicit conversion and splatting with `#to_a`:
|
380
320
|
|
381
|
-
|
382
|
-
Fix #7777
|
383
|
-
|
384
|
-
*Yves Senn*
|
385
|
-
|
386
|
-
* Precompiled assets include aliases from foo.js to foo/index.js and vice versa.
|
387
|
-
|
388
|
-
# Precompiles phone-<digest>.css and aliases phone/index.css to phone.css.
|
389
|
-
config.assets.precompile = [ 'phone.css' ]
|
390
|
-
|
391
|
-
# Precompiles phone/index-<digest>.css and aliases phone.css to phone/index.css.
|
392
|
-
config.assets.precompile = [ 'phone/index.css' ]
|
393
|
-
|
394
|
-
# Both of these work with either precompile thanks to their aliases.
|
395
|
-
<%= stylesheet_link_tag 'phone', media: 'all' %>
|
396
|
-
<%= stylesheet_link_tag 'phone/index', media: 'all' %>
|
321
|
+
status, header, body = *response
|
397
322
|
|
398
323
|
*Jeremy Kemper*
|
399
324
|
|
400
|
-
*
|
401
|
-
with the template name.
|
402
|
-
|
403
|
-
Before when we have a template `/layout/hello.html.erb`, `assert_template`
|
404
|
-
was passing with any string that matches. This behavior allowed false
|
405
|
-
positive like:
|
406
|
-
|
407
|
-
assert_template "layout"
|
408
|
-
assert_template "out/hello"
|
409
|
-
|
410
|
-
Now it only passes with:
|
411
|
-
|
412
|
-
assert_template "layout/hello"
|
413
|
-
assert_template "hello"
|
414
|
-
|
415
|
-
Fixes #3849.
|
416
|
-
|
417
|
-
*Hugolnx*
|
418
|
-
|
419
|
-
* Handle `ActionDispatch::Http::UploadedFile` like `Rack::Test::UploadedFile`, don't call to_param on it. Since
|
420
|
-
`Rack::Test::UploadedFile` isn't API compatible this is needed to test file uploads that rely on `tempfile`
|
421
|
-
being available.
|
422
|
-
|
423
|
-
*Tim Vandecasteele*
|
424
|
-
|
425
|
-
* Respect `config.digest = false` for `asset_path`
|
426
|
-
|
427
|
-
Previously, the `asset_path` internals only respected the `:digest`
|
428
|
-
option, but ignored the global config setting. This meant that
|
429
|
-
`config.digest = false` could not be used in conjunction with
|
430
|
-
`config.compile = false` this corrects the behavior.
|
431
|
-
|
432
|
-
*Peter Wagenet*
|
433
|
-
|
434
|
-
* Fix #7646, the log now displays the correct status code when an exception is raised.
|
435
|
-
|
436
|
-
*Yves Senn*
|
437
|
-
|
438
|
-
* Fix handling of date selects when using both disabled and discard options.
|
439
|
-
Fixes #7431.
|
440
|
-
|
441
|
-
*Vasiliy Ermolovich*
|
325
|
+
* Don't rescue `IPAddr::InvalidAddressError`.
|
442
326
|
|
443
|
-
|
444
|
-
|
327
|
+
`IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
|
328
|
+
and fails for JRuby in 1.9 mode.
|
445
329
|
|
446
|
-
*
|
330
|
+
*Peter Suschlik*
|
447
331
|
|
448
|
-
*
|
332
|
+
* Fix bug where the router would ignore any constraints added to redirect
|
333
|
+
routes.
|
449
334
|
|
450
|
-
|
451
|
-
Fixes GH#3047, GH#2483.
|
335
|
+
Fixes #16605.
|
452
336
|
|
453
|
-
*
|
454
|
-
|
455
|
-
* Performance Improvement to send_file: Avoid having to pass an open file handle as the response body. Rack::Sendfile
|
456
|
-
will usually intercept the response and just uses the path directly, so no reason to open the file. This performance
|
457
|
-
improvement also resolves an issue with jRuby encodings, and is the reason for the backport, see issue #6844.
|
458
|
-
|
459
|
-
*Jeremy Kemper & Erich Menge*
|
460
|
-
|
461
|
-
|
462
|
-
## Rails 3.2.8 (Aug 9, 2012) ##
|
463
|
-
|
464
|
-
* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
|
465
|
-
helper doesn't correctly handle malformed html. As a result an attacker can
|
466
|
-
execute arbitrary javascript through the use of specially crafted malformed
|
467
|
-
html.
|
468
|
-
|
469
|
-
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
|
470
|
-
|
471
|
-
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
|
472
|
-
If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
|
473
|
-
Vulnerable code will look something like this:
|
474
|
-
select_tag("name", options, :prompt => UNTRUSTED_INPUT)
|
475
|
-
|
476
|
-
*Santiago Pastorino*
|
477
|
-
|
478
|
-
* Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
|
479
|
-
|
480
|
-
* Reverted the deprecation of `:disable_with`. *Rafael Mendonça França*
|
337
|
+
*Agis Anastasopoulos*
|
481
338
|
|
482
|
-
*
|
483
|
-
|
484
|
-
* Reverted the deprecation of `button_to_function` and `link_to_function` helpers.
|
485
|
-
|
486
|
-
*Rafael Mendonça França*
|
339
|
+
* Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
|
487
340
|
|
341
|
+
Example:
|
488
342
|
|
489
|
-
|
343
|
+
# config/environments/production.rb
|
344
|
+
config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
|
490
345
|
|
491
|
-
*
|
346
|
+
*Sam Aarons*
|
492
347
|
|
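Review bot: the example on new line 344, `IPAddr.new('4.8.15.0/16')`, gives an address with bits set below the /16 mask. Ruby's `IPAddr` masks those bits off, so the setting trusts all of 4.8.0.0/16, and a reader who copies the pattern with their own proxy address can end up trusting a wider range than the literal suggests. Suggest writing the network address that matches the prefix (`4.8.0.0/16`), or a narrower prefix if only 4.8.15.x was meant.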
493
|
-
*
|
348
|
+
* Avoid duplicating routes for HEAD requests.
|
494
349
|
|
495
|
-
|
350
|
+
Instead of duplicating the routes, we will first match the HEAD request to
|
351
|
+
HEAD routes. If no match is found, we will then map the HEAD request to
|
352
|
+
GET routes.
|
496
353
|
|
497
|
-
*
|
354
|
+
*Guo Xiang Tan*, *Andrew White*
|
498
355
|
|
499
|
-
*
|
356
|
+
* Requests that hit `ActionDispatch::Static` can now take advantage
|
357
|
+
of gzipped assets on disk. By default a gzip asset will be served if
|
358
|
+
the client supports gzip and a compressed file is on disk.
|
500
359
|
|
501
|
-
*
|
360
|
+
*Richard Schneeman*
|
502
361
|
|
503
|
-
* ActionController::
|
362
|
+
* `ActionController::Parameters` will stop inheriting from `Hash` and
|
363
|
+
`HashWithIndifferentAccess` in the next major release. If you use any method
|
364
|
+
that is not available on `ActionController::Parameters` you should consider
|
365
|
+
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
504
366
|
|
505
|
-
*
|
367
|
+
*Prem Sichanugrist*
|
506
368
|
|
369
|
+
* `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
|
370
|
+
keys removed. This change is to reflect on a security concern where some
|
371
|
+
method performed on an `ActionController::Parameters` may yield a `Hash`
|
372
|
+
object which does not maintain `permitted?` status. If you would like to
|
373
|
+
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
374
|
+
before calling `#to_h`.
|
507
375
|
|
508
|
-
|
376
|
+
params = ActionController::Parameters.new({
|
377
|
+
name: 'Senjougahara Hitagi',
|
378
|
+
oddity: 'Heavy stone crab'
|
379
|
+
})
|
380
|
+
params.to_h
|
381
|
+
# => {}
|
509
382
|
|
510
|
-
|
383
|
+
unsafe_params = params.dup.permit!
|
384
|
+
unsafe_params.to_h
|
385
|
+
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
511
386
|
|
512
|
-
|
387
|
+
safe_params = params.permit(:name)
|
388
|
+
safe_params.to_h
|
389
|
+
# => {"name"=>"Senjougahara Hitagi"}
|
513
390
|
|
514
|
-
|
391
|
+
This change is consider a stopgap as we cannot change the code to stop
|
392
|
+
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
393
|
+
in the next minor release.
|
515
394
|
|
516
|
-
*
|
395
|
+
*Prem Sichanugrist*
|
517
396
|
|
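Review bot: the closing paragraph on new lines 391-393 is ungrammatical ("is consider a stopgap", "to stop ... to inherit") and hard to parse; suggest "This change is considered a stopgap, as we cannot stop `ActionController::Parameters` from inheriting from `HashWithIndifferentAccess` in the next minor release." The `params.dup.permit!` example on new lines 383-385 would also benefit from one sentence saying that the resulting `Hash` carries every client-supplied key, since the entry's stated purpose is to stop unpermitted keys from ending up in a plain `Hash`.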
518
|
-
*
|
397
|
+
* Deprecated `TagAssertions`.
|
519
398
|
|
520
|
-
*
|
399
|
+
*Kasper Timm Hansen*
|
521
400
|
|
401
|
+
* Use the Active Support JSON encoder for cookie jars using the `:json` or
|
402
|
+
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
403
|
+
cookies by defining the `#as_json` hook on such objects.
|
522
404
|
|
523
|
-
|
405
|
+
Fixes #16520.
|
524
406
|
|
525
|
-
*
|
407
|
+
*Godfrey Chan*
|
526
408
|
|
409
|
+
* Add `config.action_dispatch.cookies_digest` option for setting custom
|
410
|
+
digest. The default remains the same - 'SHA1'.
|
527
411
|
|
528
|
-
|
412
|
+
*Łukasz Strzałkowski*
|
529
413
|
|
530
|
-
*
|
414
|
+
* Move `respond_with` (and the class-level `respond_to`) to
|
415
|
+
the `responders` gem.
|
531
416
|
|
532
|
-
*
|
417
|
+
*José Valim*
|
533
418
|
|
534
|
-
|
419
|
+
* When your templates change, browser caches bust automatically.
|
535
420
|
|
536
|
-
|
421
|
+
New default: the template digest is automatically included in your ETags.
|
422
|
+
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
|
423
|
+
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
424
|
+
This makes it easy to HTTP-cache many more of your actions.
|
537
425
|
|
538
|
-
|
426
|
+
If you render a different template, you can now pass the `:template`
|
427
|
+
option to include its digest instead:
|
539
428
|
|
540
|
-
|
429
|
+
fresh_when @post, template: 'widgets/show'
|
541
430
|
|
542
|
-
|
431
|
+
Pass `template: false` to skip the lookup. To turn this off entirely, set:
|
543
432
|
|
544
|
-
|
545
|
-
with regression from 16ee611fa
|
433
|
+
config.action_controller.etag_with_template_digest = false
|
546
434
|
|
547
|
-
*
|
435
|
+
*Jeremy Kemper*
|
548
436
|
|
549
|
-
*
|
437
|
+
* Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
|
438
|
+
in favor of `AbstractController::Helpers::MissingHelperError`.
|
550
439
|
|
551
|
-
*
|
552
|
-
reporting this! CVE-2012-2660
|
440
|
+
*Yves Senn*
|
553
441
|
|
442
|
+
* Fix `assert_template` not being able to assert that no files were rendered.
|
554
443
|
|
555
|
-
|
444
|
+
*Guo Xiang Tan*
|
556
445
|
|
557
|
-
*
|
446
|
+
* Extract source code for the entire exception stack trace for
|
447
|
+
better debugging and diagnosis.
|
558
448
|
|
559
|
-
*
|
449
|
+
*Ryan Dao*
|
560
450
|
|
561
|
-
*
|
451
|
+
* Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
|
452
|
+
loopback address.
|
562
453
|
|
563
|
-
*
|
454
|
+
*Earl St Sauver*, *Sven Riedel*
|
564
455
|
|
565
|
-
*
|
456
|
+
* Preserve original path in `ShowExceptions` middleware by stashing it as
|
457
|
+
`env["action_dispatch.original_path"]`
|
566
458
|
|
567
|
-
|
459
|
+
`ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
|
460
|
+
for the exception defined in `ExceptionWrapper`, so the path
|
461
|
+
the user was visiting when an exception occurred was not previously
|
462
|
+
available to any custom exceptions_app. The original `PATH_INFO` is now
|
463
|
+
stashed in `env["action_dispatch.original_path"]`.
|
568
464
|
|
569
|
-
*
|
570
|
-
check that info. Closes #5245. *Santiago Pastorino*
|
465
|
+
*Grey Baker*
|
571
466
|
|
572
|
-
*
|
467
|
+
* Use `String#bytesize` instead of `String#size` when checking for cookie
|
468
|
+
overflow.
|
573
469
|
|
574
|
-
*
|
470
|
+
*Agis Anastasopoulos*
|
575
471
|
|
576
|
-
*
|
472
|
+
* `render nothing: true` or rendering a `nil` body no longer add a single
|
473
|
+
space to the response body.
|
577
474
|
|
578
|
-
|
475
|
+
The old behavior was added as a workaround for a bug in an early version of
|
476
|
+
Safari, where the HTTP headers are not returned correctly if the response
|
477
|
+
body has a 0-length. This is been fixed since and the workaround is no
|
478
|
+
longer necessary.
|
579
479
|
|
580
|
-
|
480
|
+
Use `render body: ' '` if the old behavior is desired.
|
581
481
|
|
582
|
-
|
482
|
+
See #14883 for details.
|
583
483
|
|
584
|
-
*
|
484
|
+
*Godfrey Chan*
|
585
485
|
|
486
|
+
* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
|
487
|
+
("Rosetta Flash").
|
586
488
|
|
587
|
-
|
489
|
+
*Greg Campbell*
|
588
490
|
|
589
|
-
*
|
491
|
+
* Because URI paths may contain non US-ASCII characters we need to force
|
492
|
+
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
|
493
|
+
This essentially replicates the functionality of the monkey patch to
|
494
|
+
URI.parser.unescape in active_support/core_ext/uri.rb.
|
590
495
|
|
591
|
-
|
496
|
+
Fixes #16104.
|
592
497
|
|
593
|
-
*
|
498
|
+
*Karl Entwistle*
|
594
499
|
|
595
|
-
*
|
596
|
-
This is a behavior change, previously the hidden tag had a value of the disabled checkbox.
|
597
|
-
*Tadas Tamosauskas*
|
500
|
+
* Generate shallow paths for all children of shallow resources.
|
598
501
|
|
502
|
+
Fixes #15783.
|
599
503
|
|
600
|
-
|
504
|
+
*Seb Jacobs*
|
601
505
|
|
602
|
-
*
|
506
|
+
* JSONP responses are now rendered with the `text/javascript` content type
|
507
|
+
when rendering through a `respond_to` block.
|
603
508
|
|
604
|
-
|
509
|
+
Fixes #15081.
|
605
510
|
|
606
|
-
*
|
511
|
+
*Lucas Mazza*
|
607
512
|
|
513
|
+
* Add `config.action_controller.always_permitted_parameters` to configure which
|
514
|
+
parameters are permitted globally. The default value of this configuration is
|
515
|
+
`['controller', 'action']`.
|
608
516
|
|
609
|
-
|
517
|
+
*Gary S. Weaver*, *Rafael Chacon*
|
610
518
|
|
611
|
-
*
|
519
|
+
* Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
|
612
520
|
|
613
|
-
|
521
|
+
Fixes #15511.
|
614
522
|
|
615
|
-
*
|
523
|
+
*Larry Lv*
|
616
524
|
|
617
|
-
*
|
525
|
+
* ActionController::Parameters#require now accepts `false` values.
|
618
526
|
|
619
|
-
|
527
|
+
Fixes #15685.
|
620
528
|
|
621
|
-
*
|
529
|
+
*Sergio Romano*
|
622
530
|
|
623
|
-
*
|
624
|
-
|
531
|
+
* With authorization header `Authorization: Token token=`, `authenticate` now
|
532
|
+
recognize token as nil, instead of "token".
|
625
533
|
|
626
|
-
|
534
|
+
Fixes #14846.
|
627
535
|
|
628
|
-
*
|
629
|
-
close. Closes #4441 if Active Record is disabled assets are delivered
|
630
|
-
correctly *Santiago Pastorino*
|
536
|
+
*Larry Lv*
|
631
537
|
|
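Review bot: "now recognize" on new line 532 should read "now recognizes", and the entry stops short of saying what application code has to do about the change. With an empty `token=` the token is now nil instead of the string "token", so code that compares or looks up the token should reject nil explicitly rather than treat it as a value to match. One added sentence to that effect would make the behaviour change actionable.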
632
|
-
*
|
538
|
+
* Ensure the controller is always notified as soon as the client disconnects
|
539
|
+
during live streaming, even when the controller is blocked on a write.
|
633
540
|
|
634
|
-
*
|
541
|
+
*Nicholas Jakobsen*, *Matthew Draper*
|
635
542
|
|
636
|
-
*
|
543
|
+
* Routes specifying 'to:' must be a string that contains a "#" or a rack
|
544
|
+
application. Use of a symbol should be replaced with `action: symbol`.
|
545
|
+
Use of a string without a "#" should be replaced with `controller: string`.
|
637
546
|
|
638
|
-
*
|
547
|
+
*Aaron Patterson*
|
639
548
|
|
640
|
-
*
|
549
|
+
* Fix URL generation with `:trailing_slash` such that it does not add
|
550
|
+
a trailing slash after `.:format`
|
641
551
|
|
642
|
-
*
|
552
|
+
*Dan Langevin*
|
643
553
|
|
644
|
-
|
554
|
+
* Build full URI as string when processing path in integration tests for
|
555
|
+
performance reasons. One consequence of this is that the leading slash
|
556
|
+
is now required in integration test `process` helpers, whereas previously
|
557
|
+
it could be omitted. The fact that this worked was a unintended consequence
|
558
|
+
of the implementation and was never an intentional feature.
|
645
559
|
|
646
|
-
|
560
|
+
*Guo Xiang Tan*
|
647
561
|
|
648
|
-
|
649
|
-
|
650
|
-
<% end %>
|
562
|
+
* Fix `'Stack level too deep'` when rendering `head :ok` in an action method
|
563
|
+
called 'status' in a controller.
|
651
564
|
|
652
|
-
|
653
|
-
For example, this is useful for displaying ISO8601-style dates such as '2011-08-01'. *Lennart Fridén and Kim Persson*
|
565
|
+
Fixes #13905.
|
654
566
|
|
655
|
-
*
|
567
|
+
*Christiaan Van den Poel*
|
656
568
|
|
657
|
-
*
|
569
|
+
* Add MKCALENDAR HTTP method (RFC 4791).
|
658
570
|
|
659
|
-
|
660
|
-
layout "application"
|
661
|
-
end
|
571
|
+
*Sergey Karpesh*
|
662
572
|
|
663
|
-
|
664
|
-
end
|
573
|
+
* Instrument fragment cache metrics.
|
665
574
|
|
666
|
-
|
575
|
+
Adds `:controller`: and `:action` keys to the instrumentation payload
|
576
|
+
for the `*_fragment.action_controller` notifications. This allows tracking
|
577
|
+
e.g. the fragment cache hit rates for each controller action.
|
667
578
|
|
668
|
-
|
579
|
+
*Daniel Schierbeck*
|
669
580
|
|
670
|
-
*
|
581
|
+
* Always use the provided port if the protocol is relative.
|
671
582
|
|
672
|
-
|
583
|
+
Fixes #15043.
|
673
584
|
|
674
|
-
|
675
|
-
layout 'single_car', :only => :show
|
676
|
-
end
|
585
|
+
*Guilherme Cavalcanti*, *Andrew White*
|
677
586
|
|
678
|
-
|
587
|
+
* Moved `params[request_forgery_protection_token]` into its own method
|
588
|
+
and improved tests.
|
679
589
|
|
680
|
-
|
590
|
+
Fixes #11316.
|
681
591
|
|
682
|
-
|
592
|
+
*Tom Kadwill*
|
683
593
|
|
684
|
-
|
594
|
+
* Added verification of route constraints given as a Proc or an object responding
|
595
|
+
to `:matches?`. Previously, when given an non-complying object, it would just
|
596
|
+
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
597
|
+
when setting up the routes.
|
685
598
|
|
686
|
-
|
599
|
+
*Xavier Defrang*
|
687
600
|
|
688
|
-
|
601
|
+
* Properly treat the entire IPv6 User Local Address space as private for
|
602
|
+
purposes of remote IP detection. Also handle uppercase private IPv6
|
603
|
+
addresses.
|
689
604
|
|
690
|
-
|
605
|
+
Fixes #12638.
|
691
606
|
|
692
|
-
*
|
607
|
+
*Caleb Spare*
|
693
608
|
|
694
|
-
*
|
609
|
+
* Fixed an issue with migrating legacy json cookies.
|
695
610
|
|
696
|
-
|
611
|
+
Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
|
612
|
+
cookies are marshal-encoded. This is not the case when `secret_token` is
|
613
|
+
used in conjunction with the `:json` or `:hybrid` serializer.
|
697
614
|
|
698
|
-
|
615
|
+
In those case, when upgrading to use `secret_key_base`, this would cause a
|
616
|
+
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
699
617
|
|
700
|
-
|
701
|
-
The namespace attribute will be prefixed with underscore on the generate HTML id. *Vasiliy Ermolovich*
|
618
|
+
Fixes #14774.
|
702
619
|
|
703
|
-
|
620
|
+
*Godfrey Chan*
|
704
621
|
|
705
|
-
|
706
|
-
<%= f.label :version, 'Version' %>:
|
707
|
-
<%= f.text_field :version %>
|
708
|
-
<% end %>
|
622
|
+
* Make URL escaping more consistent:
|
709
623
|
|
710
|
-
|
624
|
+
1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
|
625
|
+
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
626
|
+
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
627
|
+
4. Use `escape_segment` rather than `escape_path` in URL generation
|
711
628
|
|
712
|
-
|
629
|
+
For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
|
630
|
+
(e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
|
631
|
+
means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
|
632
|
+
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
713
633
|
|
714
|
-
|
634
|
+
Fixes #14629, #14636 and #14070.
|
715
635
|
|
716
|
-
*
|
636
|
+
*Andrew White*, *Edho Arief*
|
717
637
|
|
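Review bot: point 1 on new line 624 changes behaviour for existing callers but is only stated as a rule ("only unescaped data should be passed to URL helpers"). Since '%' is now escaped, a value that was escaped before being passed to a helper will come out escaped twice; suggest saying so and telling upgraders to remove any manual escaping in front of URL helpers. The two exceptions listed for point 4 are clear as written.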
718
|
-
*
|
638
|
+
* Add alias `ActionDispatch::Http::UploadedFile#to_io` to
|
639
|
+
`ActionDispatch::Http::UploadedFile#tempfile`.
|
719
640
|
|
720
|
-
|
641
|
+
*Tim Linquist*
|
721
642
|
|
722
|
-
|
643
|
+
* Returns null type format when format is not know and controller is using `any`
|
644
|
+
format block.
|
723
645
|
|
724
|
-
|
646
|
+
Fixes #14462.
|
725
647
|
|
726
|
-
|
648
|
+
*Rafael Mendonça França*
|
727
649
|
|
728
|
-
|
729
|
-
render :template => "foo", :formats => [:html, :js], :handlers => :erb
|
650
|
+
* Improve routing error page with fuzzy matching search.
|
730
651
|
|
731
|
-
*
|
652
|
+
*Winston*
|
732
653
|
|
733
|
-
*
|
654
|
+
* Only make deeply nested routes shallow when parent is shallow.
|
734
655
|
|
735
|
-
|
656
|
+
Fixes #14684.
|
736
657
|
|
737
|
-
|
738
|
-
content_tag_for(:li, item) do
|
739
|
-
Title: <%= item.title %>
|
740
|
-
end
|
741
|
-
end
|
658
|
+
*Andrew White*, *James Coglan*
|
742
659
|
|
743
|
-
|
660
|
+
* Append link to bad code to backtrace when exception is `SyntaxError`.
|
744
661
|
|
745
|
-
|
746
|
-
Title: <%= item.title %>
|
747
|
-
end
|
662
|
+
*Boris Kuznetsov*
|
748
663
|
|
749
|
-
*
|
664
|
+
* Swapped the parameters of assert_equal in `assert_select` so that the
|
665
|
+
proper values were printed correctly.
|
750
666
|
|
751
|
-
|
667
|
+
Fixes #14422.
|
752
668
|
|
753
|
-
*
|
754
|
-
This is useful when you rely on the fact that when no options is set,
|
755
|
-
the state of select will be sent to rails application. Without hidden field
|
756
|
-
nothing is sent according to HTML spec *Bogdan Gusiev*
|
669
|
+
*Vishal Lal*
|
757
670
|
|
758
|
-
*
|
671
|
+
* The method `shallow?` returns false if the parent resource is a singleton so
|
672
|
+
we need to check if we're not inside a nested scope before copying the :path
|
673
|
+
and :as options to their shallow equivalents.
|
759
674
|
|
760
|
-
|
675
|
+
Fixes #14388.
|
761
676
|
|
762
|
-
|
763
|
-
get :index
|
764
|
-
assert_equal 'user@example.com', cookies[:email]
|
677
|
+
*Andrew White*
|
765
678
|
|
766
|
-
|
679
|
+
* Make logging of CSRF failures optional (but on by default) with the
|
680
|
+
`log_warning_on_csrf_failure` configuration setting in
|
681
|
+
`ActionController::RequestForgeryProtection`.
|
767
682
|
|
768
|
-
|
769
|
-
get :index
|
770
|
-
assert_nil cookies[:email]
|
683
|
+
*John Barton*
|
771
684
|
|
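Review bot: new lines 679-681 name the `log_warning_on_csrf_failure` setting but do not show how to set it or say what is lost when it is off. Suggest adding the one-line configuration and a sentence stating that disabling it removes the log warning for requests that fail CSRF verification, so deployments that rely on those log lines for detection should leave the default in place.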
772
|
-
|
773
|
-
|
774
|
-
for your test you need to do it before the cookie jar is created.
|
685
|
+
* Fix URL generation in controller tests with request-dependent
|
686
|
+
`default_url_options` methods.
|
775
687
|
|
776
|
-
*
|
777
|
-
attr_accessible attributes if they were set, if not, only the attributes
|
778
|
-
returned by the class method attribute_names will be wrapped. This fixes
|
779
|
-
the wrapping of nested attributes by adding them to attr_accessible.
|
688
|
+
*Tony Wooster*
|
780
689
|
|
781
|
-
Please check [
|
690
|
+
Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
|
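Review bot: nothing in the new text records that the deleted side carried security entries. The Rails 3.2.8 notes on the `strip_tags` and `select_tag` prompt XSS fixes and the line crediting CVE-2012-2660 are removed, and new line 690 points only at the 4-1-stable changelog. Suggest stating next to that pointer that each earlier series keeps its own changelog, so a reader auditing the upgrade knows the older security fixes are documented elsewhere rather than dropped.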