actionpack 3.2.19 → 4.2.11.3

data/CHANGELOG.md

@@ -1,781 +1,690 @@
-## Rails 3.2.19 (Jul 2, 2014) ##
+## Rails 4.2.11.3 (May 15, 2020) ##
 
-*   Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
-    `options[:raise]`.
-
-    This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
-
-    *Shota Fukumori (sora_h)*
-
-
-## Rails 3.2.18 (May 6, 2014) ##
-
-*   Only accept actions without File::SEPARATOR in the name.
-
-    This will avoid directory traversal in implicit render.
-
-    Fixes: CVE-2014-0130
-
-    *Rafael Mendonça França*
+*   No changes.
 
 
-## Rails 3.2.17 (Feb 18, 2014) ##
+## Rails 4.2.11.2 (May 15, 2020) ##
 
-*   Use the reference for the mime type to get the format
+*   No changes.
 
-    Fixes: CVE-2014-0082
 
-*   Escape format, negative_format and units options of number helpers
+## Rails 4.2.11.1 (March 11, 2019) ##
 
-    Fixes: CVE-2014-0081
+*   No changes.
 
 
-## Rails 3.2.16 (Dec 12, 2013) ##
+## Rails 4.2.11 (November 27, 2018) ##
 
-*   Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
+*   No changes.
 
-*   Stop using i18n's built in HTML error handling.  Fixes: CVE-2013-4491
 
-*   Escape the unit value provided to number_to_currency Fixes CVE-2013-6415
+## Rails 4.2.10 (September 27, 2017) ##
 
-*   Only use valid mime type symbols as cache keys CVE-2013-6414
+*   Fix regression in behavior of `normalize_path`.
 
-## Rails 3.2.15 (Oct 16, 2013) ##
+    In Rails 5 there was a change to ensure the encoding of the original string
+    in a path was maintained. This was incorrectly backported to Rails 4.2 which
+    caused a regression.
 
-*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
-    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+    *Eileen M. Uchitelle*
 
-    Fixes #12410
-    Backports #10844
+## Rails 4.2.9 (June 26, 2017) ##
 
-    *Tamir Duberstein*
+*   Use more specific check for :format in route path
 
-*   Fix the assert_recognizes test method so that it works when there are
-    constraints on the querystring.
+    The current check for whether to add an optional format to the path is very lax
+    and will match things like `:format_id` where there are nested resources, e.g:
 
-    Issue/Pull Request #9368
-    Backport #5219
+    ``` ruby
+    resources :formats do
+      resources :items
+    end
+    ```
 
-    *Brian Hahn*
+    Fix this by using a more restrictive regex pattern that looks for the patterns
+    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
+    allow for multiple closing parenthesis since the route may be of this form:
 
-*   Fix to render partial by context(#11605).
+    ``` ruby
+    get "/books(/:action(.:format))", controller: "books"
+    ```
 
-    *Kassio Borges*
+    This probably isn't what's intended since it means that the default index action
+    route doesn't support a format but we have a test for it so we need to allow it.
 
-*   Fix `ActionDispatch::Assertions::ResponseAssertions#assert_redirected_to`
-    does not show user-supplied message.
+    Fixes #28517.
 
-    Issue: when `assert_redirected_to` fails due to the response redirect not
-    matching the expected redirect the user-supplied message (second parameter)
-    is not shown. This message is only shown if the response is not a redirect.
+    *Andrew White*
 
-    *Alexey Chernenkov*
 
+## Rails 4.2.8 (February 21, 2017) ##
 
-## Rails 3.2.14 (Jul 22, 2013) ##
+*   No changes.
 
-*   Merge `:action` from routing scope and assign endpoint if both `:controller`
-    and `:action` are present. The endpoint assignment only occurs if there is
-    no `:to` present in the options hash so should only affect routes using the
-    shorthand syntax (i.e. endpoint is inferred from the the path).
 
-    Fixes #9856
+## Rails 4.2.7 (July 12, 2016) ##
 
-    *Yves Senn*, *Andrew White*
+*   No changes.
 
-*   Always escape the result of `link_to_unless` method.
 
-    Before:
+## Rails 4.2.6 (March 07, 2016) ##
 
-        link_to_unless(true, '<b>Showing</b>', 'github.com')
-        # => "<b>Showing</b>"
+*   No changes.
 
-    After:
 
-        link_to_unless(true, '<b>Showing</b>', 'github.com')
-        # => "&lt;b&gt;Showing&lt;/b&gt;"
+## Rails 4.2.5.2 (February 26, 2016) ##
 
-    *dtaniwaki*
+*   Do not allow render with unpermitted parameter.
 
-*   Use a case insensitive URI Regexp for #asset_path.
+    Fixes CVE-2016-2098.
 
-    This fix a problem where the same asset path using different case are generating
-    different URIs.
+    *Arthur Neves*
 
-    Before:
 
-        image_tag("HTTP://google.com")
-        # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
-        image_tag("http://google.com")
-        # => "<img alt=\"Google\" src=\"http://google.com\" />"
+## Rails 4.2.5.1 (January 25, 2015) ##
 
-    After:
+*   No changes.
 
-        image_tag("HTTP://google.com")
-        # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
-        image_tag("http://google.com")
-        # => "<img alt=\"Google\" src=\"http://google.com\" />"
 
-    *David Celis + Rafael Mendonça França*
+## Rails 4.2.5 (November 12, 2015) ##
 
-*   Fix explicit names on multiple file fields. If a file field tag has
-    the multiple option, it is turned into an array field (appending `[]`),
-    but if an explicit name is passed to `file_field` the `[]` is not
-    appended.
-    Fixes #9830.
+*   `ActionController::TestCase` can teardown gracefully if an error is raised
+    early in the `setup` chain.
 
-    *Ryan McGeary*
+    *Yves Senn*
 
-*   Fix assets loading performance in 3.2.13.
+*   Parse RSS/ATOM responses as XML, not HTML.
 
-    Issue #8756 uses Sprockets for resolving files that already exist on disk,
-    for those files their extensions don't need to be rewritten.
+    *Alexander Kaupanin*
 
-    Fixes #9803.
+*   Fix regression in mounted engine named routes generation for app deployed to
+    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
+    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
 
-    *Fred Wu*
+    Fixes #20920. Fixes #21459.
 
-*   Fix `ActionController#action_missing` not being called.
-    Fixes #9799.
+    *Matthew Erhard*
 
-    *Janko Luin*
+*   `url_for` does not modify its arguments when generating polymorphic URLs.
 
-*   `ActionView::Helpers::NumberHelper#number_to_human` returns the number unaltered when
-    the units hash does not contain the needed key, e.g. when the number provided is less
-    than the largest key provided.
+    *Bernerd Schaefer*
 
-    Examples:
+*   Update `ActionController::TestSession#fetch` to behave more like
+    `ActionDispatch::Request::Session#fetch` when using non-string keys.
 
-        number_to_human(123, units: {})                # => 123
-        number_to_human(123, units: { thousand: 'k' }) # => 123
+    *Jeremy Friesen*
 
-    Fixes #9269.
-    Backport #9347.
 
-    *Michael Hoffman*
+## Rails 4.2.4 (August 24, 2015) ##
 
-*   Include I18n locale fallbacks in view lookup.
-    Fixes GH#3512.
+*   ActionController::TestSession now accepts a default value as well as
+    a block for generating a default value based off the key provided.
 
-    *Juan Barreneche*
+    This fixes calls to session#fetch in ApplicationController instances that
+    take more two arguments or a block from raising `ArgumentError: wrong
+    number of arguments (2 for 1)` when performing controller tests.
 
-*   Fix `ActionDispatch::Request#formats` when the Accept request-header is an
-    empty string. Fix #7774 [Backport #8977, #9541]
+    *Matthew Gerrior*
 
-    *Soylent + Maxime Réty*
+*   Fix to keep original header instance in `ActionDispatch::SSL`
 
+    `ActionDispatch::SSL` changes headers to `Hash`.
+    So some headers will be broken if there are some middlewares
+    on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
 
-## Rails 3.2.13 (Mar 18, 2013) ##
+    *Fumiaki Matsushima*
 
-*   Fix incorrectly appended square brackets to a multiple select box
-    if an explicit name has been given and it already ends with "[]".
 
-    Before:
+## Rails 4.2.3 (June 25, 2015) ##
 
-        select(:category, [], {}, multiple: true, name: "post[category][]")
-        # => <select name="post[category][][]" ...>
+*   Fix rake routes not showing the right format when
+    nesting multiple routes.
 
-    After:
+    See #18373.
 
-        select(:category, [], {}, multiple: true, name: "post[category][]")
-        # => <select name="post[category][]" ...>
+    *Ravil Bayramgalin*
 
-    Backport #9616.
+*   Fix regression where a gzip file response would have a Content-type,
+    even when it was a 304 status code.
 
-    *Olek Janiszewski*
+    See #19271.
 
-*   Determine the controller#action from only the matched path when using the
-    shorthand syntax. Previously the complete path was used, which led
-    to problems with nesting (scopes and namespaces).
-    Fixes #7554.
-    Backport #9361.
+    *Kohei Suzuki*
 
-    Example:
+*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
 
-        # this will route to questions#new
-        scope ':locale' do
-          get 'questions/new'
-        end
+    Previously, an empty X_FORWARDED_HOST header would cause
+    Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
+    Actiondispatch::Http:URL.host to raise a NoMethodError.
 
-    *Yves Senn*
+    *Adam Forsyth*
 
-*   Fix `assert_template` with `render :stream => true`.
-    Fix #1743.
-    Backport #5288.
+*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
 
-    *Sergey Nartimov*
+    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
+    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
+    is set, it takes precedence.
 
-*   Eagerly populate the http method lookup cache so local project inflections do
-    not interfere with use of underscore method ( and we don't need locks )
+    Fixes #5122.
 
-    *Aditya Sanghi*
+    *Yasyf Mohamedali*
 
-*   `BestStandardsSupport` no longer duplicates `X-UA-Compatible` values on
-    each request to prevent header size from blowing up.
+*   Fix regression in functional tests. Responses should have default headers
+    assigned.
 
-    *Edward Anderson*
+    See #18423.
 
-*   Fixed JSON params parsing regression for non-object JSON content.
+    *Jeremy Kemper*, *Yves Senn*
 
-    *Dylan Smith*
 
-*   Prevent unnecessary asset compilation when using `javascript_include_tag` on
-    files with non-standard extensions.
+## Rails 4.2.2 (June 16, 2015) ##
 
-    *Noah Silas*
+* No Changes *
 
-*   Fixes issue where duplicate assets can be required with sprockets.
 
-    *Jeremy Jackson*
+## Rails 4.2.1 (March 19, 2015) ##
 
-*   Bump `rack` dependency to 1.4.3, eliminate `Rack::File` headers deprecation warning.
+*   Non-string authenticity tokens do not raise NoMethodError when decoding
+    the masked token.
 
-    *Sam Ruby + Carlos Antonio da Silva*
+    *Ville Lautanala*
 
-*   Do not append second slash to `root_url` when using `trailing_slash: true`
+*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
 
-    Fix #8700.
-    Backport #8701.
+    Fixes an issue where a mounted rack app at root would intercept the HEAD
+    request causing an incorrect behavior during the fall back to GET requests.
 
     Example:
-        # before
-        root_url # => http://test.host//
+    ```ruby
+    draw do
+        get '/home' => 'test#index'
+        mount rack_app, at: '/'
+    end
+    head '/home'
+    assert_response :success
+    ```
+    In this case, a HEAD request runs through the routes the first time and fails
+    to match anything. Then, it runs through the list with the fallback and matches
+    `get '/home'`. The original behavior would match the rack app in the first pass.
 
-        # after
-        root_url # => http://test.host/
+    *Terence Sun*
 
-    *Yves Senn*
+*   Preserve default format when generating URLs
 
-*   Fix a bug in `content_tag_for` that prevents it for work without a block.
+    Fixes an issue that would cause the format set in default_url_options to be
+    lost when generating URLs with fewer positional arguments than parameters in
+    the route definition.
 
-    *Jasl*
+    Backport of #18627
 
-*   Clear url helper methods when routes are reloaded by removing the methods
-    explicitly rather than just clearing the module because it didn't work
-    properly and could be the source of a memory leak.
+    *Tekin Suleyman*, *Dominic Baggott*
 
-    *Andrew White*
-
-*   Fix a bug in `ActionDispatch::Request#raw_post` that caused `env['rack.input']`
-    to be read but not rewound.
-
-    *Matt Venables*
-
-*   More descriptive error messages when calling `render :partial` with
-    an invalid `:layout` argument.
-
-    Fixes #8376.
-
-        render :partial => 'partial', :layout => true
-        # results in ActionView::MissingTemplate: Missing partial /true
-
-    *Yves Senn*
-
-*   Accept symbols as `#send_data` :disposition value. [Backport #8329] *Elia Schito*
-
-*   Add i18n scope to `distance_of_time_in_words`. [Backport #7997] *Steve Klabnik*
-
-*   Fix side effect of `url_for` changing the `:controller` string option. [Backport #6003]
-    Before:
+*   Default headers, removed in controller actions, are no longer reapplied on
+    the test response.
 
-        controller = '/projects'
-        url_for :controller => controller, :action => 'status'
+    *Jonas Baumann*
 
-        puts controller #=> 'projects'
+*   Ensure `append_info_to_payload` is called even if an exception is raised.
 
-    After
+    Fixes an issue where when an exception is raised in the request the additonal
+    payload data is not available.
 
-        puts controller #=> '/projects'
+    See:
+    * #14903
+    * https://github.com/roidrage/lograge/issues/37
 
-    *Nikita Beloglazov + Andrew White*
+    *Dieter Komendera*, *Margus Pärt*
 
-*   Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list
-    of mime types where template text is not html escaped by default. It prevents `Jack & Joe`
-    from rendering as `Jack &amp; Joe` for the whitelisted mime types. The default whitelist
-    contains text/plain. Fix #7976 [Backport #8235]
+*   Correctly rely on the response's status code to handle calls to `head`.
 
-    *Joost Baaij*
+    *Robin Dupret*
 
-*   `BestStandardsSupport` middleware now appends it's `X-UA-Compatible` value to app's
-    returned value if any. Fix #8086 [Backport #8093]
+*   Using `head` method returns empty response_body instead
+    of returning a single space " ".
 
-    *Nikita Afanasenko*
+    The old behavior was added as a workaround for a bug in an early
+    version of Safari, where the HTTP headers are not returned correctly
+    if the response body has a 0-length. This is been fixed since and
+    the workaround is no longer necessary.
 
-*   prevent double slashes in engine urls when `Rails.application.default_url_options[:trailing_slash] = true` is set
-    Fix #7842
+    Fixes #18253.
 
-    *Yves Senn*
+    *Prathamesh Sonpatki*
 
-*   Fix input name when `:multiple => true` and `:index` are set.
+*   Fix how polymorphic routes works with objects that implement `to_model`.
 
-    Before:
+    *Travis Grathwell*
 
-        check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
-        #=> <input name=\"post[foo][comment_ids]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids]\" type=\"checkbox\" value=\"1\" />
+*   Fixed handling of positional url helper arguments when `format: false`.
 
-    After:
+    Fixes #17819.
 
-        check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
-        #=> <input name=\"post[foo][comment_ids][]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids][]\" type=\"checkbox\" value=\"1\" />
+    *Andrew White*, *Tatiana Soukiassian*
 
-    Fix #8108
+*   Fixed usage of optional scopes in URL helpers.
 
-    *Daniel Fox, Grant Hutchins & Trace Wax*
+    *Alex Robbin*
 
 
-## Rails 3.2.12 (Feb 11, 2013) ##
+## Rails 4.2.0 (December 20, 2014) ##
 
-*   No changes.
+*   Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
+    `Hash` representation of Parameters object. This is now a preferred way to
+    retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
+    object in Rails 5.0.
 
+    *Prem Sichanugrist*
 
-## Rails 3.2.11 (Jan 8, 2013) ##
+*   Restore handling of a bare `Authorization` header, without `token=`
+    prefix.
 
-*   Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+    Fixes #17108.
 
+    *Guo Xiang Tan*
 
-## Rails 3.2.10 (Jan 2, 2013) ##
+*   Deprecate use of string keys in URL helpers.
 
-*   No changes.
+    Use symbols instead.
+    Fixes #16958.
 
+    *Byron Bischoff*, *Melanie Gilman*
 
-## Rails 3.2.9 (Nov 12, 2012) ##
+*   Deprecate the `only_path` option on `*_path` helpers.
 
-*   Clear url helpers when reloading routes.
+    In cases where this option is set to `true`, the option is redundant and can
+    be safely removed; otherwise, the corresponding `*_url` helper should be
+    used instead.
 
-    *Santiago Pastorino*
+    Fixes #17294.
 
-*   Revert the shorthand routes scoped with `:module` option fix
-    This added a regression since it is changing the URL mapping.
-    This makes the stable release backward compatible.
+    *Dan Olson*, *Godfrey Chan*
 
-    *Rafael Mendonça França*
+*   Improve Journey compliance to RFC 3986.
 
-*   Revert the `assert_template` fix to not pass with ever string that matches the template name.
-    This added a regression since people were relying on this buggy behavior.
-    This will introduce back #3849 but this stable release will be backward compatible.
-    Fixes #8068.
+    The scanner in Journey failed to recognize routes that use literals
+    from the sub-delims section of RFC 3986. It's now able to parse those
+    authorized delimiters and route as expected.
 
-    *Rafael Mendonça França*
+    Fixes #17212.
 
-*   Revert the rename of internal variable on ActionController::TemplateAssertions to prevent
-    naming collisions. This added a regression related with shoulda-matchers, since it is
-    expecting the [instance variable @layouts](https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74).
-    This will introduce back #7459 but this stable release will be backward compatible.
-    Fixes #8068.
+    *Nicolas Cavigneaux*
 
-    *Rafael Mendonça França*
+*   Deprecate implicit Array conversion for Response objects. It was added
+    (using `#to_ary`) so we could conveniently use implicit splatting:
 
-*   Accept :remote as symbolic option for `link_to` helper. *Riley Lynch*
+        status, headers, body = response
 
-*   Warn when the `:locals` option is passed to `assert_template` outside of a view test case
-    Fix #3415
-
-    *Yves Senn*
-
-*   Rename internal variables on ActionController::TemplateAssertions to prevent
-    naming collisions. @partials, @templates and @layouts are now prefixed with an underscore.
-    Fix #7459
-
-    *Yves Senn*
+    But it also means `response + response` works and `[response].flatten`
+    cascades down to the Rack body. Nonsense behavior. Instead, rely on
+    explicit conversion and splatting with `#to_a`:
 
-*   `resource` and `resources` don't modify the passed options hash
-    Fix #7777
-
-    *Yves Senn*
-
-*   Precompiled assets include aliases from foo.js to foo/index.js and vice versa.
-
-        # Precompiles phone-<digest>.css and aliases phone/index.css to phone.css.
-        config.assets.precompile = [ 'phone.css' ]
-
-        # Precompiles phone/index-<digest>.css and aliases phone.css to phone/index.css.
-        config.assets.precompile = [ 'phone/index.css' ]
-
-        # Both of these work with either precompile thanks to their aliases.
-        <%= stylesheet_link_tag 'phone', media: 'all' %>
-        <%= stylesheet_link_tag 'phone/index', media: 'all' %>
+        status, header, body = *response
 
     *Jeremy Kemper*
 
-*   `assert_template` is no more passing with what ever string that matches
-    with the template name.
-
-    Before when we have a template `/layout/hello.html.erb`, `assert_template`
-    was passing with any string that matches. This behavior allowed false
-    positive like:
-
-        assert_template "layout"
-        assert_template "out/hello"
-
-    Now it only passes with:
-
-        assert_template "layout/hello"
-        assert_template "hello"
-
-    Fixes #3849.
-
-    *Hugolnx*
-
-*   Handle `ActionDispatch::Http::UploadedFile` like `Rack::Test::UploadedFile`, don't call to_param on it. Since
-    `Rack::Test::UploadedFile` isn't API compatible this is needed to test file uploads that rely on `tempfile`
-    being available.
-
-    *Tim Vandecasteele*
-
-*   Respect `config.digest = false` for `asset_path`
-
-    Previously, the `asset_path` internals only respected the `:digest`
-    option, but ignored the global config setting. This meant that
-    `config.digest = false` could not be used in conjunction with
-    `config.compile = false` this corrects the behavior.
-
-    *Peter Wagenet*
-
-*   Fix #7646, the log now displays the correct status code when an exception is raised.
-
-    *Yves Senn*
-
-*   Fix handling of date selects when using both disabled and discard options.
-    Fixes #7431.
-
-    *Vasiliy Ermolovich*
+*   Don't rescue `IPAddr::InvalidAddressError`.
 
-*   Fix select_tag when option_tags is nil.
-    Fixes #7404.
+    `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
+    and fails for JRuby in 1.9 mode.
 
-    *Sandeep Ravichandran*
+    *Peter Suschlik*
 
-*   `javascript_include_tag :all` will now not include `application.js` if the file does not exists. *Prem Sichanugrist*
+*   Fix bug where the router would ignore any constraints added to redirect
+    routes.
 
-*   Support cookie jar options (e.g., domain :all) for all session stores.
-    Fixes GH#3047, GH#2483.
+    Fixes #16605.
 
-    *Ravil Bayramgalin*
-
-*   Performance Improvement to send_file: Avoid having to pass an open file handle as the response body. Rack::Sendfile
-    will usually intercept the response and just uses the path directly, so no reason to open the file. This performance
-    improvement also resolves an issue with jRuby encodings, and is the reason for the backport, see issue #6844.
-
-    *Jeremy Kemper & Erich Menge*
-
-
-## Rails 3.2.8 (Aug 9, 2012) ##
-
-*   There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
-    helper doesn't correctly handle malformed html.  As a result an attacker can
-    execute arbitrary javascript through the use of specially crafted malformed
-    html.
-
-    *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
-
-*   When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
-    If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
-    Vulnerable code will look something like this:
-    select_tag("name", options, :prompt => UNTRUSTED_INPUT)
-
-    *Santiago Pastorino*
-
-*   Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
-
-*   Reverted the deprecation of `:disable_with`. *Rafael Mendonça França*
+    *Agis Anastasopoulos*
 
-*   Reverted the deprecation of `:mouseover` option to `image_tag`. *Rafael Mendonça França*
-
-*   Reverted the deprecation of `button_to_function` and `link_to_function` helpers.
-
-    *Rafael Mendonça França*
+*   Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
 
+    Example:
 
-## Rails 3.2.7 (Jul 26, 2012) ##
+        # config/environments/production.rb
+        config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
 
-*   Do not convert digest auth strings to symbols. CVE-2012-3424
+    *Sam Aarons*
 
-*   Bump Journey requirements to 1.0.4
+*   Avoid duplicating routes for HEAD requests.
 
-*   Add support for optional root segments containing slashes
+    Instead of duplicating the routes, we will first match the HEAD request to
+    HEAD routes. If no match is found, we will then map the HEAD request to
+    GET routes.
 
-*   Fixed bug creating invalid HTML in select options
+    *Guo Xiang Tan*, *Andrew White*
 
-*   Show in log correct wrapped keys
+*   Requests that hit `ActionDispatch::Static` can now take advantage
+    of gzipped assets on disk. By default a gzip asset will be served if
+    the client supports gzip and a compressed file is on disk.
 
-*   Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
+    *Richard Schneeman*
 
-*   ActionController::Metal doesn't have logger method, check it and then delegate
+*   `ActionController::Parameters` will stop inheriting from `Hash` and
+    `HashWithIndifferentAccess` in the next major release. If you use any method
+    that is not available on `ActionController::Parameters` you should consider
+    calling `#to_h` to convert it to a `Hash` first before calling that method.
 
-*   ActionController::Caching depends on RackDelegation and AbstractController::Callbacks
+    *Prem Sichanugrist*
 
+*   `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
+    keys removed. This change is to reflect on a security concern where some
+    method performed on an `ActionController::Parameters` may yield a `Hash`
+    object which does not maintain `permitted?` status. If you would like to
+    get a `Hash` with all the keys intact, duplicate and mark it as permitted
+    before calling `#to_h`.
 
-## Rails 3.2.6 (Jun 12, 2012) ##
+        params = ActionController::Parameters.new({
+          name: 'Senjougahara Hitagi',
+          oddity: 'Heavy stone crab'
+        })
+        params.to_h
+        # => {}
 
-*   nil is removed from array parameter values
+        unsafe_params = params.dup.permit!
+        unsafe_params.to_h
+        # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
 
-    CVE-2012-2694
+        safe_params = params.permit(:name)
+        safe_params.to_h
+        # => {"name"=>"Senjougahara Hitagi"}
 
-*   Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers.
+    This change is consider a stopgap as we cannot change the code to stop
+    `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
+    in the next minor release.
 
-    *Carlos Galdino*
+    *Prem Sichanugrist*
 
-*   Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki*
+*   Deprecated `TagAssertions`.
 
-*   Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
+    *Kasper Timm Hansen*
 
+*   Use the Active Support JSON encoder for cookie jars using the `:json` or
+    `:hybrid` serializer. This allows you to serialize custom Ruby objects into
+    cookies by defining the `#as_json` hook on such objects.
 
-## Rails 3.2.5 (Jun 1, 2012) ##
+    Fixes #16520.
 
-*   No changes.
+    *Godfrey Chan*
 
+*   Add `config.action_dispatch.cookies_digest` option for setting custom
+    digest. The default remains the same - 'SHA1'.
 
-## Rails 3.2.4 (May 31, 2012) ##
+    *Łukasz Strzałkowski*
 
-*   Deprecate old APIs for highlight, excerpt and word_wrap *Jeremy Walker*
+*   Move `respond_with` (and the class-level `respond_to`) to
+    the `responders` gem.
 
-*   Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to`, `button_tag` and `submit_tag` helpers.
+    *José Valim*
 
-    *Carlos Galdino + Rafael Mendonça França*
+*   When your templates change, browser caches bust automatically.
 
-*   Deprecate `:mouseover` option for `image_tag` helper. *Rafael Mendonça França*
+    New default: the template digest is automatically included in your ETags.
+    When you call `fresh_when @post`, the digest for `posts/show.html.erb`
+    is mixed in so future changes to the HTML will blow HTTP caches for you.
+    This makes it easy to HTTP-cache many more of your actions.
 
-*   Deprecate `button_to_function` and `link_to_function` helpers. *Rafael Mendonça França*
+    If you render a different template, you can now pass the `:template`
+    option to include its digest instead:
 
-*   Don't break Haml with textarea newline fix.  GH #393, #4000, #5190, #5191
+        fresh_when @post, template: 'widgets/show'
 
-*   Fix options handling on labels. GH #2492, #5614
+    Pass `template: false` to skip the lookup. To turn this off entirely, set:
 
-*   Added config.action_view.embed_authenticity_token_in_remote_forms to deal
-    with regression from 16ee611fa
+        config.action_controller.etag_with_template_digest = false
 
-*   Set rendered_format when doing render :inline. GH #5632
+    *Jeremy Kemper*
 
-*   Fix the redirect when it receive blocks with arity of 1. Closes #5677
+*   Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
+    in favor of `AbstractController::Helpers::MissingHelperError`.
 
-*   Strip [nil] from parameters hash. Thanks to Ben Murphy for
-    reporting this! CVE-2012-2660
+    *Yves Senn*
 
+*   Fix `assert_template` not being able to assert that no files were rendered.
 
-## Rails 3.2.3 (March 30, 2012) ##
+    *Guo Xiang Tan*
 
-*   Allow to lazy load `default_form_builder` by passing a `String` instead of a constant. *Piotr Sarnacki*
+*   Extract source code for the entire exception stack trace for
+    better debugging and diagnosis.
 
-*   Fix #5632, render :inline set the proper rendered format. *Santiago Pastorino*
+    *Ryan Dao*
 
-*   Fix textarea rendering when using plugins like HAML. Such plugins encode the first newline character in the content. This issue was introduced in https://github.com/rails/rails/pull/5191 *James Coleman*
+*   Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
+    loopback address.
 
-*   Remove the leading \n added by textarea on assert_select. *Santiago Pastorino*
+    *Earl St Sauver*, *Sven Riedel*
 
-*   Add `config.action_view.embed_authenticity_token_in_remote_forms` (defaults to true) which allows to set if authenticity token will be included by default in remote forms. If you change it to false, you can still force authenticity token by passing `:authenticity_token => true` in form options *Piotr Sarnacki*
+*   Preserve original path in `ShowExceptions` middleware by stashing it as
+    `env["action_dispatch.original_path"]`
 
-*   Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value *DHH*
+    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
+    for the exception defined in `ExceptionWrapper`, so the path
+    the user was visiting when an exception occurred was not previously
+    available to any custom exceptions_app. The original `PATH_INFO` is now
+    stashed in `env["action_dispatch.original_path"]`.
 
-*   Turn off verbose mode of rack-cache, we still have X-Rack-Cache to
-    check that info. Closes #5245. *Santiago Pastorino*
+    *Grey Baker*
 
-*   Fix #5238, rendered_format is not set when template is not rendered. *Piotr Sarnacki*
+*   Use `String#bytesize` instead of `String#size` when checking for cookie
+    overflow.
 
-*   Upgrade rack-cache to 1.2. *José Valim*
+    *Agis Anastasopoulos*
 
-*   ActionController::SessionManagement is deprecated. *Santiago Pastorino*
+*   `render nothing: true` or rendering a `nil` body no longer add a single
+    space to the response body.
 
-*   Since the router holds references to many parts of the system like engines, controllers and the application itself, inspecting the route set can actually be really slow, therefore we default alias inspect to to_s. *José Valim*
+    The old behavior was added as a workaround for a bug in an early version of
+    Safari, where the HTTP headers are not returned correctly if the response
+    body has a 0-length. This is been fixed since and the workaround is no
+    longer necessary.
 
-*   Add a new line after the textarea opening tag. Closes #393 *Rafael Mendonça França*
+    Use `render body: ' '` if the old behavior is desired.
 
-*   Always pass a respond block from to responder. We should let the responder to decide what to do with the given overridden response block, and not short circuit it. *sikachu*
+    See #14883 for details.
 
-*   Fixes layout rendering regression from 3.2.2. *José Valim*
+    *Godfrey Chan*
 
+*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
+    ("Rosetta Flash").
 
-## Rails 3.2.2 (March 1, 2012) ##
+    *Greg Campbell*
 
-*   Format lookup for partials is derived from the format in which the template is being rendered. Closes #5025 part 2 *Santiago Pastorino*
+*   Because URI paths may contain non US-ASCII characters we need to force
+    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
+    This essentially replicates the functionality of the monkey patch to
+    URI.parser.unescape in active_support/core_ext/uri.rb.
 
-*   Use the right format when a partial is missing. Closes #5025. *Santiago Pastorino*
+    Fixes #16104.
 
-*   Default responder will now always use your overridden block in `respond_with` to render your response. *Prem Sichanugrist*
+    *Karl Entwistle*
 
-*   check_box helper with :disabled => true will generate a disabled hidden field to conform with the HTML convention where disabled fields are not submitted with the form.
-    This is a behavior change, previously the hidden tag had a value of the disabled checkbox.
-    *Tadas Tamosauskas*
+*   Generate shallow paths for all children of shallow resources.
 
+    Fixes #15783.
 
-## Rails 3.2.1 (January 26, 2012) ##
+    *Seb Jacobs*
 
-*   Documentation improvements.
+*   JSONP responses are now rendered with the `text/javascript` content type
+    when rendering through a `respond_to` block.
 
-*   Allow `form.select` to accept ranges (regression). *Jeremy Walker*
+    Fixes #15081.
 
-*   `datetime_select` works with -/+ infinity dates. *Joe Van Dyk*
+    *Lucas Mazza*
 
+*   Add `config.action_controller.always_permitted_parameters` to configure which
+    parameters are permitted globally. The default value of this configuration is
+    `['controller', 'action']`.
 
-## Rails 3.2.0 (January 20, 2012) ##
+    *Gary S. Weaver*, *Rafael Chacon*
 
-*   Setting config.assets.logger to false turn off Sprockets logger *Guillermo Iguaran*
+*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
 
-*   Add `config.action_dispatch.default_charset` to configure default charset for ActionDispatch::Response. *Carlos Antonio da Silva*
+    Fixes #15511.
 
-*   Deprecate setting default charset at controller level, use the new `config.action_dispatch.default_charset` instead. *Carlos Antonio da Silva*
+    *Larry Lv*
 
-*   Deprecate ActionController::UnknownAction in favour of AbstractController::ActionNotFound. *Carlos Antonio da Silva*
+*   ActionController::Parameters#require now accepts `false` values.
 
-*   Deprecate ActionController::DoubleRenderError in favour of AbstractController::DoubleRenderError. *Carlos Antonio da Silva*
+    Fixes #15685.
 
-*   Deprecate method_missing handling for not found actions, use action_missing instead. *Carlos Antonio da Silva*
+    *Sergio Romano*
 
-*   Deprecate ActionController#rescue_action, ActionController#initialize_template_class, and ActionController#assign_shortcuts.
-    These methods were not being used internally anymore and are going to be removed in Rails 4. *Carlos Antonio da Silva*
+*   With authorization header `Authorization: Token token=`, `authenticate` now
+    recognize token as nil, instead of "token".
 
-*   Add config.assets.logger to configure Sprockets logger *Rafael França*
+    Fixes #14846.
 
-*   Use a BodyProxy instead of including a Module that responds to
-    close. Closes #4441 if Active Record is disabled assets are delivered
-    correctly *Santiago Pastorino*
+    *Larry Lv*
 
-*   Rails initialization with initialize_on_precompile = false should set assets_dir *Santiago Pastorino*
+*   Ensure the controller is always notified as soon as the client disconnects
+    during live streaming, even when the controller is blocked on a write.
 
-*   Add font_path helper method *Santiago Pastorino*
+    *Nicholas Jakobsen*, *Matthew Draper*
 
-*   Depends on rack ~> 1.4.0 *Santiago Pastorino*
+*   Routes specifying 'to:' must be a string that contains a "#" or a rack
+    application.  Use of a symbol should be replaced with `action: symbol`.
+    Use of a string without a "#" should be replaced with `controller: string`.
 
-*   Add :gzip option to `caches_page`. The default option can be configured globally using `page_cache_compression` *Andrey Sitnik*
+    *Aaron Patterson*
 
-*   The ShowExceptions middleware now accepts a exceptions application that is responsible to render an exception when the application fails. The application is invoked with a copy of the exception in `env["action_dispatch.exception"]` and with the PATH_INFO rewritten to the status code. *José Valim*
+*   Fix URL generation with `:trailing_slash` such that it does not add
+    a trailing slash after `.:format`
 
-*   Add `button_tag` support to ActionView::Helpers::FormBuilder.
+    *Dan Langevin*
 
-    This support mimics the default behavior of `submit_tag`.
+*   Build full URI as string when processing path in integration tests for
+    performance reasons. One consequence of this is that the leading slash
+    is now required in integration test `process` helpers, whereas previously
+    it could be omitted. The fact that this worked was a unintended consequence
+    of the implementation and was never an intentional feature.
 
-    Example:
+    *Guo Xiang Tan*
 
-        <%= form_for @post do |f| %>
-          <%= f.button %>
-        <% end %>
+*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
+    called 'status' in a controller.
 
-*   Date helpers accept a new option, `:use_two_digit_numbers = true`, that renders select boxes for months and days with a leading zero without changing the respective values.
-    For example, this is useful for displaying ISO8601-style dates such as '2011-08-01'. *Lennart Fridén and Kim Persson*
+    Fixes #13905.
 
-*   Make ActiveSupport::Benchmarkable a default module for ActionController::Base, so the #benchmark method is once again available in the controller context like it used to be *DHH*
+    *Christiaan Van den Poel*
 
-*   Deprecated implied layout lookup in controllers whose parent had a explicit layout set:
+*   Add MKCALENDAR HTTP method (RFC 4791).
 
-        class ApplicationController
-          layout "application"
-        end
+    *Sergey Karpesh*
 
-        class PostsController < ApplicationController
-        end
+*   Instrument fragment cache metrics.
 
-    In the example above, Posts controller will no longer automatically look up for a posts layout.
+    Adds `:controller`: and `:action` keys to the instrumentation payload
+    for the `*_fragment.action_controller` notifications. This allows tracking
+    e.g. the fragment cache hit rates for each controller action.
 
-    If you need this functionality you could either remove `layout "application"` from ApplicationController or explicitly set it to nil in PostsController. *José Valim*
+    *Daniel Schierbeck*
 
-*   Rails will now use your default layout (such as "layouts/application") when you specify a layout with `:only` and `:except` condition, and those conditions fail. *Prem Sichanugrist*
+*   Always use the provided port if the protocol is relative.
 
-    For example, consider this snippet:
+    Fixes #15043.
 
-        class CarsController
-          layout 'single_car', :only => :show
-        end
+    *Guilherme Cavalcanti*, *Andrew White*
 
-    Rails will use 'layouts/single_car' when a request comes in `:show` action, and use 'layouts/application' (or 'layouts/cars', if exists) when a request comes in for any other actions.
+*   Moved `params[request_forgery_protection_token]` into its own method
+    and improved tests.
 
-*   form_for with +:as+ option uses "#{action}_#{as}" as css class and id:
+    Fixes #11316.
 
-    Before:
+    *Tom Kadwill*
 
-        form_for(@user, :as => 'client') # => "<form class="client_new">..."
+*   Added verification of route constraints given as a Proc or an object responding
+    to `:matches?`. Previously, when given an non-complying object, it would just
+    silently fail to enforce the constraint. It will now raise an `ArgumentError`
+    when setting up the routes.
 
-    Now:
+    *Xavier Defrang*
 
-        form_for(@user, :as => 'client') # => "<form class="new_client">..."
+*   Properly treat the entire IPv6 User Local Address space as private for
+    purposes of remote IP detection. Also handle uppercase private IPv6
+    addresses.
 
-    *Vasiliy Ermolovich*
+    Fixes #12638.
 
-*   Allow rescue responses to be configured through a railtie as in `config.action_dispatch.rescue_responses`. Please look at ActiveRecord::Railtie for an example *José Valim*
+    *Caleb Spare*
 
-*   Allow fresh_when/stale? to take a record instead of an options hash *DHH*
+*   Fixed an issue with migrating legacy json cookies.
 
-*   Assets should use the request protocol by default or default to relative if no request is available *Jonathan del Strother*
+    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
+    cookies are marshal-encoded. This is not the case when `secret_token` is
+    used in conjunction with the `:json` or `:hybrid` serializer.
 
-*   Log "Filter chain halted as CALLBACKNAME rendered or redirected" every time a before callback halts *José Valim*
+    In those case, when upgrading to use `secret_key_base`, this would cause a
+    `TypeError: incompatible marshal file format` and a 500 error for the user.
 
-*   You can provide a namespace for your form to ensure uniqueness of id attributes on form elements.
-    The namespace attribute will be prefixed with underscore on the generate HTML id. *Vasiliy Ermolovich*
+    Fixes #14774.
 
-    Example:
+    *Godfrey Chan*
 
-        <%= form_for(@offer, :namespace => 'namespace') do |f| %>
-          <%= f.label :version, 'Version' %>:
-          <%= f.text_field :version %>
-        <% end %>
+*   Make URL escaping more consistent:
 
-*   Refactor ActionDispatch::ShowExceptions. The controller is responsible for choosing to show exceptions when `consider_all_requests_local` is false.
+    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
+    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
+    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
+    4. Use `escape_segment` rather than `escape_path` in URL generation
 
-    It's possible to override `show_detailed_exceptions?` in controllers to specify which requests should provide debugging information on errors. The default value is now false, meaning local requests in production will no longer show the detailed exceptions page unless `show_detailed_exceptions?` is overridden and set to `request.local?`.
+    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
+    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
+    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
+    is used in the path then this uses `escape_path` as the controller may be namespaced.
 
-*   Responders now return 204 No Content for API requests without a response body (as in the new scaffold) *José Valim*
+    Fixes #14629, #14636 and #14070.
 
-*   Added ActionDispatch::RequestId middleware that'll make a unique X-Request-Id header available to the response and enables the ActionDispatch::Request#uuid method. This makes it easy to trace requests from end-to-end in the stack and to identify individual requests in mixed logs like Syslog *DHH*
+    *Andrew White*, *Edho Arief*
 
-*   Limit the number of options for select_year to 1000.
+*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
+    `ActionDispatch::Http::UploadedFile#tempfile`.
 
-    Pass the :max_years_allowed option to set your own limit.
+    *Tim Linquist*
 
-    *Libo Cannici*
+*   Returns null type format when format is not know and controller is using `any`
+    format block.
 
-*   Passing formats or handlers to render :template and friends is deprecated. For example: *Nick Sutterer & José Valim*
+    Fixes #14462.
 
-        render :template => "foo.html.erb"
+    *Rafael Mendonça França*
 
-    Instead, you can provide :handlers and :formats directly as option:
-             render :template => "foo", :formats => [:html, :js], :handlers => :erb
+*   Improve routing error page with fuzzy matching search.
 
-*   Changed log level of warning for missing CSRF token from :debug to :warn. *Mike Dillon*
+    *Winston*
 
-*   content_tag_for and div_for can now take the collection of records. It will also yield the record as the first argument if you set a receiving argument in your block *Prem Sichanugrist*
+*   Only make deeply nested routes shallow when parent is shallow.
 
-    So instead of having to do this:
+    Fixes #14684.
 
-        @items.each do |item|
-          content_tag_for(:li, item) do
-             Title: <%= item.title %>
-          end
-        end
+    *Andrew White*, *James Coglan*
 
-    You can now do this:
+*   Append link to bad code to backtrace when exception is `SyntaxError`.
 
-        content_tag_for(:li, @items) do |item|
-          Title: <%= item.title %>
-        end
+    *Boris Kuznetsov*
 
-*   send_file now guess the mime type *Esad Hajdarevic*
+*   Swapped the parameters of assert_equal in `assert_select` so that the
+    proper values were printed correctly.
 
-*   Mime type entries for PDF, ZIP and other formats were added *Esad Hajdarevic*
+    Fixes #14422.
 
-*   Generate hidden input before select with :multiple option set to true.
-    This is useful when you rely on the fact that when no options is set,
-    the state of select will be sent to rails application. Without hidden field
-    nothing is sent according to HTML spec *Bogdan Gusiev*
+    *Vishal Lal*
 
-*   Refactor ActionController::TestCase cookies *Andrew White*
+*   The method `shallow?` returns false if the parent resource is a singleton so
+    we need to check if we're not inside a nested scope before copying the :path
+    and :as options to their shallow equivalents.
 
-    Assigning cookies for test cases should now use cookies[], e.g:
+    Fixes #14388.
 
-        cookies[:email] = 'user@example.com'
-        get :index
-        assert_equal 'user@example.com', cookies[:email]
+    *Andrew White*
 
-    To clear the cookies, use clear, e.g:
+*   Make logging of CSRF failures optional (but on by default) with the
+    `log_warning_on_csrf_failure` configuration setting in
+    `ActionController::RequestForgeryProtection`.
 
-        cookies.clear
-        get :index
-        assert_nil cookies[:email]
+    *John Barton*
 
-    We now no longer write out HTTP_COOKIE and the cookie jar is
-    persistent between requests so if you need to manipulate the environment
-    for your test you need to do it before the cookie jar is created.
+*   Fix URL generation in controller tests with request-dependent
+    `default_url_options` methods.
 
-*   ActionController::ParamsWrapper on ActiveRecord models now only wrap
-    attr_accessible attributes if they were set, if not, only the attributes
-    returned by the class method attribute_names will be wrapped. This fixes
-    the wrapping of nested attributes by adding them to attr_accessible.
+    *Tony Wooster*
 
-Please check [3-1-stable](https://github.com/rails/rails/blob/3-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.