actionpack 3.2.22.5 → 5.2.4
Potentially problematic release. This version of actionpack might be problematic.
- checksums.yaml +5 -5
- data/CHANGELOG.md +279 -603
- data/MIT-LICENSE +1 -1
- data/README.rdoc +13 -297
- data/lib/abstract_controller/asset_paths.rb +4 -2
- data/lib/abstract_controller/base.rb +82 -52
- data/lib/abstract_controller/caching/fragments.rb +166 -0
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +117 -103
- data/lib/abstract_controller/collector.rb +18 -7
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +65 -38
- data/lib/abstract_controller/logger.rb +3 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +5 -3
- data/lib/abstract_controller/rendering.rb +77 -129
- data/lib/abstract_controller/translation.rb +21 -3
- data/lib/abstract_controller/url_for.rb +9 -7
- data/lib/abstract_controller.rb +12 -13
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +149 -0
- data/lib/action_controller/base.rb +81 -40
- data/lib/action_controller/caching.rb +22 -62
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +30 -18
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +190 -47
- data/lib/action_controller/metal/content_security_policy.rb +52 -0
- data/lib/action_controller/metal/cookies.rb +3 -3
- data/lib/action_controller/metal/data_streaming.rb +40 -65
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +57 -0
- data/lib/action_controller/metal/exceptions.rb +19 -12
- data/lib/action_controller/metal/flash.rb +42 -9
- data/lib/action_controller/metal/force_ssl.rb +79 -19
- data/lib/action_controller/metal/head.rb +35 -10
- data/lib/action_controller/metal/helpers.rb +31 -21
- data/lib/action_controller/metal/http_authentication.rb +182 -134
- data/lib/action_controller/metal/implicit_render.rb +62 -8
- data/lib/action_controller/metal/instrumentation.rb +28 -26
- data/lib/action_controller/metal/live.rb +312 -0
- data/lib/action_controller/metal/mime_responds.rb +159 -163
- data/lib/action_controller/metal/parameter_encoding.rb +51 -0
- data/lib/action_controller/metal/params_wrapper.rb +146 -93
- data/lib/action_controller/metal/redirecting.rb +80 -56
- data/lib/action_controller/metal/renderers.rb +119 -47
- data/lib/action_controller/metal/rendering.rb +89 -32
- data/lib/action_controller/metal/request_forgery_protection.rb +373 -41
- data/lib/action_controller/metal/rescue.rb +9 -16
- data/lib/action_controller/metal/streaming.rb +39 -45
- data/lib/action_controller/metal/strong_parameters.rb +1086 -0
- data/lib/action_controller/metal/testing.rb +8 -29
- data/lib/action_controller/metal/url_for.rb +43 -32
- data/lib/action_controller/metal.rb +112 -106
- data/lib/action_controller/railtie.rb +56 -18
- data/lib/action_controller/railties/helpers.rb +24 -0
- data/lib/action_controller/renderer.rb +117 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +402 -347
- data/lib/action_controller.rb +31 -30
- data/lib/action_dispatch/http/cache.rb +133 -34
- data/lib/action_dispatch/http/content_security_policy.rb +272 -0
- data/lib/action_dispatch/http/filter_parameters.rb +40 -24
- data/lib/action_dispatch/http/filter_redirect.rb +37 -0
- data/lib/action_dispatch/http/headers.rb +117 -16
- data/lib/action_dispatch/http/mime_negotiation.rb +98 -33
- data/lib/action_dispatch/http/mime_type.rb +198 -146
- data/lib/action_dispatch/http/mime_types.rb +22 -7
- data/lib/action_dispatch/http/parameter_filter.rb +61 -49
- data/lib/action_dispatch/http/parameters.rb +94 -51
- data/lib/action_dispatch/http/rack_cache.rb +4 -3
- data/lib/action_dispatch/http/request.rb +262 -117
- data/lib/action_dispatch/http/response.rb +400 -86
- data/lib/action_dispatch/http/upload.rb +66 -29
- data/lib/action_dispatch/http/url.rb +232 -60
- data/lib/action_dispatch/journey/formatter.rb +189 -0
- data/lib/action_dispatch/journey/gtg/builder.rb +164 -0
- data/lib/action_dispatch/journey/gtg/simulator.rb +41 -0
- data/lib/action_dispatch/journey/gtg/transition_table.rb +158 -0
- data/lib/action_dispatch/journey/nfa/builder.rb +78 -0
- data/lib/action_dispatch/journey/nfa/dot.rb +36 -0
- data/lib/action_dispatch/journey/nfa/simulator.rb +49 -0
- data/lib/action_dispatch/journey/nfa/transition_table.rb +120 -0
- data/lib/action_dispatch/journey/nodes/node.rb +140 -0
- data/lib/action_dispatch/journey/parser.rb +199 -0
- data/lib/action_dispatch/journey/parser.y +50 -0
- data/lib/action_dispatch/journey/parser_extras.rb +31 -0
- data/lib/action_dispatch/journey/path/pattern.rb +199 -0
- data/lib/action_dispatch/journey/route.rb +203 -0
- data/lib/action_dispatch/journey/router/utils.rb +102 -0
- data/lib/action_dispatch/journey/router.rb +156 -0
- data/lib/action_dispatch/journey/routes.rb +82 -0
- data/lib/action_dispatch/journey/scanner.rb +64 -0
- data/lib/action_dispatch/journey/visitors.rb +268 -0
- data/lib/action_dispatch/journey/visualizer/fsm.css +30 -0
- data/lib/action_dispatch/journey/visualizer/fsm.js +134 -0
- data/lib/action_dispatch/journey/visualizer/index.html.erb +52 -0
- data/lib/action_dispatch/journey.rb +7 -0
- data/lib/action_dispatch/middleware/callbacks.rb +17 -13
- data/lib/action_dispatch/middleware/cookies.rb +494 -162
- data/lib/action_dispatch/middleware/debug_exceptions.rb +176 -53
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +103 -38
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +128 -91
- data/lib/action_dispatch/middleware/public_exceptions.rb +43 -16
- data/lib/action_dispatch/middleware/reloader.rb +6 -83
- data/lib/action_dispatch/middleware/remote_ip.rb +151 -49
- data/lib/action_dispatch/middleware/request_id.rb +19 -15
- data/lib/action_dispatch/middleware/session/abstract_store.rb +38 -34
- data/lib/action_dispatch/middleware/session/cache_store.rb +14 -9
- data/lib/action_dispatch/middleware/session/cookie_store.rb +94 -44
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +15 -4
- data/lib/action_dispatch/middleware/show_exceptions.rb +36 -61
- data/lib/action_dispatch/middleware/ssl.rb +150 -0
- data/lib/action_dispatch/middleware/stack.rb +33 -41
- data/lib/action_dispatch/middleware/static.rb +92 -48
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +23 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +27 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +52 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.text.erb +9 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +16 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +9 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +134 -5
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +11 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +32 -0
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.text.erb +11 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +20 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +6 -0
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +16 -0
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +200 -0
- data/lib/action_dispatch/railtie.rb +29 -8
- data/lib/action_dispatch/request/session.rb +234 -0
- data/lib/action_dispatch/request/utils.rb +78 -0
- data/lib/action_dispatch/routing/endpoint.rb +17 -0
- data/lib/action_dispatch/routing/inspector.rb +225 -0
- data/lib/action_dispatch/routing/mapper.rb +1329 -582
- data/lib/action_dispatch/routing/polymorphic_routes.rb +237 -94
- data/lib/action_dispatch/routing/redirection.rb +120 -50
- data/lib/action_dispatch/routing/route_set.rb +545 -322
- data/lib/action_dispatch/routing/routes_proxy.rb +37 -7
- data/lib/action_dispatch/routing/url_for.rb +103 -34
- data/lib/action_dispatch/routing.rb +66 -99
- data/lib/action_dispatch/system_test_case.rb +147 -0
- data/lib/action_dispatch/system_testing/browser.rb +49 -0
- data/lib/action_dispatch/system_testing/driver.rb +59 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +96 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +26 -0
- data/lib/action_dispatch/testing/assertion_response.rb +47 -0
- data/lib/action_dispatch/testing/assertions/response.rb +53 -42
- data/lib/action_dispatch/testing/assertions/routing.rb +79 -74
- data/lib/action_dispatch/testing/assertions.rb +15 -9
- data/lib/action_dispatch/testing/integration.rb +361 -207
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +28 -19
- data/lib/action_dispatch/testing/test_request.rb +30 -33
- data/lib/action_dispatch/testing/test_response.rb +35 -11
- data/lib/action_dispatch.rb +42 -32
- data/lib/action_pack/gem_version.rb +17 -0
- data/lib/action_pack/version.rb +7 -7
- data/lib/action_pack.rb +4 -2
- metadata +116 -175
- data/lib/abstract_controller/layouts.rb +0 -423
- data/lib/abstract_controller/view_paths.rb +0 -96
- data/lib/action_controller/caching/actions.rb +0 -185
- data/lib/action_controller/caching/fragments.rb +0 -127
- data/lib/action_controller/caching/pages.rb +0 -187
- data/lib/action_controller/caching/sweeping.rb +0 -97
- data/lib/action_controller/deprecated/integration_test.rb +0 -2
- data/lib/action_controller/deprecated/performance_test.rb +0 -1
- data/lib/action_controller/deprecated.rb +0 -3
- data/lib/action_controller/metal/compatibility.rb +0 -65
- data/lib/action_controller/metal/hide_actions.rb +0 -41
- data/lib/action_controller/metal/rack_delegation.rb +0 -26
- data/lib/action_controller/metal/responder.rb +0 -286
- data/lib/action_controller/metal/session_management.rb +0 -14
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/railties/paths.rb +0 -25
- data/lib/action_controller/record_identifier.rb +0 -85
- data/lib/action_controller/vendor/html-scanner/html/document.rb +0 -68
- data/lib/action_controller/vendor/html-scanner/html/node.rb +0 -532
- data/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +0 -177
- data/lib/action_controller/vendor/html-scanner/html/selector.rb +0 -830
- data/lib/action_controller/vendor/html-scanner/html/tokenizer.rb +0 -107
- data/lib/action_controller/vendor/html-scanner/html/version.rb +0 -11
- data/lib/action_controller/vendor/html-scanner.rb +0 -20
- data/lib/action_dispatch/middleware/best_standards_support.rb +0 -30
- data/lib/action_dispatch/middleware/body_proxy.rb +0 -30
- data/lib/action_dispatch/middleware/head.rb +0 -18
- data/lib/action_dispatch/middleware/params_parser.rb +0 -75
- data/lib/action_dispatch/middleware/rescue.rb +0 -26
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb +0 -31
- data/lib/action_dispatch/middleware/templates/rescues/_trace.erb +0 -26
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb +0 -10
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.erb +0 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.erb +0 -15
- data/lib/action_dispatch/middleware/templates/rescues/template_error.erb +0 -17
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb +0 -2
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -37
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -435
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -138
- data/lib/action_dispatch/testing/performance_test.rb +0 -10
- data/lib/action_view/asset_paths.rb +0 -142
- data/lib/action_view/base.rb +0 -220
- data/lib/action_view/buffers.rb +0 -43
- data/lib/action_view/context.rb +0 -36
- data/lib/action_view/flows.rb +0 -79
- data/lib/action_view/helpers/active_model_helper.rb +0 -50
- data/lib/action_view/helpers/asset_paths.rb +0 -7
- data/lib/action_view/helpers/asset_tag_helper.rb +0 -457
- data/lib/action_view/helpers/asset_tag_helpers/asset_include_tag.rb +0 -146
- data/lib/action_view/helpers/asset_tag_helpers/asset_paths.rb +0 -93
- data/lib/action_view/helpers/asset_tag_helpers/javascript_tag_helpers.rb +0 -193
- data/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb +0 -148
- data/lib/action_view/helpers/atom_feed_helper.rb +0 -200
- data/lib/action_view/helpers/cache_helper.rb +0 -64
- data/lib/action_view/helpers/capture_helper.rb +0 -203
- data/lib/action_view/helpers/controller_helper.rb +0 -25
- data/lib/action_view/helpers/csrf_helper.rb +0 -32
- data/lib/action_view/helpers/date_helper.rb +0 -1062
- data/lib/action_view/helpers/debug_helper.rb +0 -40
- data/lib/action_view/helpers/form_helper.rb +0 -1486
- data/lib/action_view/helpers/form_options_helper.rb +0 -658
- data/lib/action_view/helpers/form_tag_helper.rb +0 -685
- data/lib/action_view/helpers/javascript_helper.rb +0 -110
- data/lib/action_view/helpers/number_helper.rb +0 -622
- data/lib/action_view/helpers/output_safety_helper.rb +0 -38
- data/lib/action_view/helpers/record_tag_helper.rb +0 -111
- data/lib/action_view/helpers/rendering_helper.rb +0 -92
- data/lib/action_view/helpers/sanitize_helper.rb +0 -259
- data/lib/action_view/helpers/tag_helper.rb +0 -167
- data/lib/action_view/helpers/text_helper.rb +0 -426
- data/lib/action_view/helpers/translation_helper.rb +0 -91
- data/lib/action_view/helpers/url_helper.rb +0 -693
- data/lib/action_view/helpers.rb +0 -60
- data/lib/action_view/locale/en.yml +0 -160
- data/lib/action_view/log_subscriber.rb +0 -28
- data/lib/action_view/lookup_context.rb +0 -258
- data/lib/action_view/path_set.rb +0 -101
- data/lib/action_view/railtie.rb +0 -55
- data/lib/action_view/renderer/abstract_renderer.rb +0 -41
- data/lib/action_view/renderer/partial_renderer.rb +0 -415
- data/lib/action_view/renderer/renderer.rb +0 -61
- data/lib/action_view/renderer/streaming_template_renderer.rb +0 -106
- data/lib/action_view/renderer/template_renderer.rb +0 -95
- data/lib/action_view/template/error.rb +0 -128
- data/lib/action_view/template/handlers/builder.rb +0 -26
- data/lib/action_view/template/handlers/erb.rb +0 -125
- data/lib/action_view/template/handlers.rb +0 -50
- data/lib/action_view/template/resolver.rb +0 -298
- data/lib/action_view/template/text.rb +0 -30
- data/lib/action_view/template.rb +0 -337
- data/lib/action_view/test_case.rb +0 -246
- data/lib/action_view/testing/resolvers.rb +0 -49
- data/lib/action_view.rb +0 -84
- data/lib/sprockets/assets.rake +0 -99
- data/lib/sprockets/bootstrap.rb +0 -37
- data/lib/sprockets/compressors.rb +0 -83
- data/lib/sprockets/helpers/isolated_helper.rb +0 -13
- data/lib/sprockets/helpers/rails_helper.rb +0 -182
- data/lib/sprockets/helpers.rb +0 -6
- data/lib/sprockets/railtie.rb +0 -62
- data/lib/sprockets/static_compiler.rb +0 -56
data/CHANGELOG.md
CHANGED
@@ -1,786 +1,462 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 5.2.4 (November 27, 2019) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
## Rails 3.2.19 (Jul 2, 2014) ##
|
7
|
-
|
8
|
-
* Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
|
9
|
-
`options[:raise]`.
|
10
|
-
|
11
|
-
This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
|
12
|
-
|
13
|
-
*Shota Fukumori (sora_h)*
|
14
|
-
|
15
|
-
|
16
|
-
## Rails 3.2.18 (May 6, 2014) ##
|
17
|
-
|
18
|
-
* Only accept actions without File::SEPARATOR in the name.
|
19
|
-
|
20
|
-
This will avoid directory traversal in implicit render.
|
21
|
-
|
22
|
-
Fixes: CVE-2014-0130
|
23
|
-
|
24
|
-
*Rafael Mendonça França*
|
25
|
-
|
26
|
-
|
27
|
-
## Rails 3.2.17 (Feb 18, 2014) ##
|
28
|
-
|
29
|
-
* Use the reference for the mime type to get the format
|
3
|
+
* No changes.
|
30
4
|
|
31
|
-
Fixes: CVE-2014-0082
|
32
5
|
|
33
|
-
|
6
|
+
## Rails 5.2.3 (March 27, 2019) ##
|
34
7
|
|
35
|
-
|
8
|
+
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
36
9
|
|
10
|
+
Before this change, even if `public` was specified in the Cache Control header,
|
11
|
+
it was excluded when `no-cache` was included. This change preserves the
|
12
|
+
`public` value as is.
|
37
13
|
|
38
|
-
|
14
|
+
Fixes #34780.
|
39
15
|
|
40
|
-
*
|
16
|
+
*Yuji Yaginuma*
|
41
17
|
|
42
|
-
*
|
18
|
+
* Allow `nil` params for `ActionController::TestCase`.
|
43
19
|
|
44
|
-
*
|
20
|
+
*Ryo Nakamura*
|
45
21
|
|
46
|
-
* Only use valid mime type symbols as cache keys CVE-2013-6414
|
47
22
|
|
48
|
-
## Rails
|
23
|
+
## Rails 5.2.2.1 (March 11, 2019) ##
|
49
24
|
|
50
|
-
*
|
51
|
-
attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
|
25
|
+
* No changes.
|
52
26
|
|
53
|
-
Fixes #12410
|
54
|
-
Backports #10844
|
55
27
|
|
56
|
-
|
28
|
+
## Rails 5.2.2 (December 04, 2018) ##
|
57
29
|
|
58
|
-
*
|
59
|
-
constraints on the querystring.
|
30
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
60
31
|
|
61
|
-
|
62
|
-
|
32
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
33
|
+
in system test `after_teardown`.
|
63
34
|
|
64
|
-
*
|
35
|
+
*Maxim Perepelitsa*
|
65
36
|
|
66
|
-
*
|
37
|
+
* Use request object for context if there's no controller
|
67
38
|
|
68
|
-
|
39
|
+
There is no controller instance when using a redirect route or a
|
40
|
+
mounted rack application so pass the request object as the context
|
41
|
+
when resolving dynamic CSP sources in this scenario.
|
69
42
|
|
70
|
-
|
71
|
-
does not show user-supplied message.
|
43
|
+
Fixes #34200.
|
72
44
|
|
73
|
-
|
74
|
-
matching the expected redirect the user-supplied message (second parameter)
|
75
|
-
is not shown. This message is only shown if the response is not a redirect.
|
45
|
+
*Andrew White*
|
76
46
|
|
77
|
-
|
47
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
78
48
|
|
49
|
+
Previously if a dynamic source returned a symbol such as :self it
|
50
|
+
would be converted to a string implicity, e.g:
|
79
51
|
|
80
|
-
|
52
|
+
policy.default_src -> { :self }
|
81
53
|
|
82
|
-
|
83
|
-
and `:action` are present. The endpoint assignment only occurs if there is
|
84
|
-
no `:to` present in the options hash so should only affect routes using the
|
85
|
-
shorthand syntax (i.e. endpoint is inferred from the the path).
|
54
|
+
would generate the header:
|
86
55
|
|
87
|
-
|
56
|
+
Content-Security-Policy: default-src self
|
88
57
|
|
89
|
-
|
58
|
+
and now it generates:
|
90
59
|
|
91
|
-
|
60
|
+
Content-Security-Policy: default-src 'self'
|
92
61
|
|
93
|
-
|
62
|
+
*Andrew White*
|
94
63
|
|
95
|
-
|
96
|
-
# => "<b>Showing</b>"
|
64
|
+
* Fix `rails routes -c` for controller name consists of multiple word.
|
97
65
|
|
98
|
-
|
66
|
+
*Yoshiyuki Kinjo*
|
99
67
|
|
100
|
-
|
101
|
-
# => "<b>Showing</b>"
|
68
|
+
* Call the `#redirect_to` block in controller context.
|
102
69
|
|
103
|
-
*
|
70
|
+
*Steven Peckins*
|
104
71
|
|
105
|
-
* Use a case insensitive URI Regexp for #asset_path.
|
106
72
|
|
107
|
-
|
108
|
-
different URIs.
|
73
|
+
## Rails 5.2.1.1 (November 27, 2018) ##
|
109
74
|
|
110
|
-
|
75
|
+
* No changes.
|
111
76
|
|
112
|
-
image_tag("HTTP://google.com")
|
113
|
-
# => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
|
114
|
-
image_tag("http://google.com")
|
115
|
-
# => "<img alt=\"Google\" src=\"http://google.com\" />"
|
116
77
|
|
117
|
-
|
78
|
+
## Rails 5.2.1 (August 07, 2018) ##
|
118
79
|
|
119
|
-
|
120
|
-
# => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
|
121
|
-
image_tag("http://google.com")
|
122
|
-
# => "<img alt=\"Google\" src=\"http://google.com\" />"
|
80
|
+
* Prevent `?null=` being passed on JSON encoded test requests.
|
123
81
|
|
124
|
-
|
82
|
+
`RequestEncoder#encode_params` won't attempt to parse params if
|
83
|
+
there are none.
|
125
84
|
|
126
|
-
|
127
|
-
the multiple option, it is turned into an array field (appending `[]`),
|
128
|
-
but if an explicit name is passed to `file_field` the `[]` is not
|
129
|
-
appended.
|
130
|
-
Fixes #9830.
|
85
|
+
So call like this will no longer append a `?null=` query param.
|
131
86
|
|
132
|
-
|
87
|
+
get foos_url, as: :json
|
133
88
|
|
134
|
-
*
|
89
|
+
*Alireza Bashiri*
|
135
90
|
|
136
|
-
|
137
|
-
|
91
|
+
* Ensure `ActionController::Parameters#transform_values` and
|
92
|
+
`ActionController::Parameters#transform_values!` converts hashes into
|
93
|
+
parameters.
|
138
94
|
|
139
|
-
|
95
|
+
*Kevin Sjöberg*
|
140
96
|
|
141
|
-
|
97
|
+
* Fix strong parameters `permit!` with nested arrays.
|
142
98
|
|
143
|
-
|
144
|
-
|
99
|
+
Given:
|
100
|
+
```
|
101
|
+
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
102
|
+
params.permit!
|
103
|
+
```
|
145
104
|
|
146
|
-
|
105
|
+
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
147
106
|
|
148
|
-
*
|
149
|
-
the units hash does not contain the needed key, e.g. when the number provided is less
|
150
|
-
than the largest key provided.
|
107
|
+
*Steve Hull*
|
151
108
|
|
152
|
-
|
109
|
+
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
110
|
+
`ActionController::TestCase` subclasses.
|
153
111
|
|
154
|
-
|
155
|
-
number_to_human(123, units: { thousand: 'k' }) # => 123
|
112
|
+
*Eugene Kenny*
|
156
113
|
|
157
|
-
|
158
|
-
Backport #9347.
|
114
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
159
115
|
|
160
|
-
|
116
|
+
Fixes #32597.
|
161
117
|
|
162
|
-
*
|
163
|
-
Fixes GH#3512.
|
118
|
+
*Andrey Novikov*, *Andrew White*
|
164
119
|
|
165
|
-
|
120
|
+
* Only disable GPUs for headless Chrome on Windows.
|
166
121
|
|
167
|
-
|
168
|
-
empty string. Fix #7774 [Backport #8977, #9541]
|
122
|
+
It is not necessary anymore for Linux and macOS machines.
|
169
123
|
|
170
|
-
|
124
|
+
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
171
125
|
|
126
|
+
*Stefan Wrobel*
|
172
127
|
|
173
|
-
|
128
|
+
* Fix system tests transactions not closed between examples.
|
174
129
|
|
175
|
-
*
|
176
|
-
if an explicit name has been given and it already ends with "[]".
|
130
|
+
*Sergey Tarasov*
|
177
131
|
|
178
|
-
Before:
|
179
132
|
|
180
|
-
|
181
|
-
# => <select name="post[category][][]" ...>
|
133
|
+
## Rails 5.2.0 (April 09, 2018) ##
|
182
134
|
|
183
|
-
|
135
|
+
* Check exclude before flagging cookies as secure.
|
184
136
|
|
185
|
-
|
186
|
-
# => <select name="post[category][]" ...>
|
137
|
+
*Catherine Khuu*
|
187
138
|
|
188
|
-
|
139
|
+
* Always yield a CSP policy instance from `content_security_policy`
|
189
140
|
|
190
|
-
|
141
|
+
This allows a controller action to enable the policy individually
|
142
|
+
for a controller and/or specific actions.
|
191
143
|
|
192
|
-
*
|
193
|
-
shorthand syntax. Previously the complete path was used, which led
|
194
|
-
to problems with nesting (scopes and namespaces).
|
195
|
-
Fixes #7554.
|
196
|
-
Backport #9361.
|
144
|
+
*Andrew White*
|
197
145
|
|
198
|
-
|
146
|
+
* Add the ability to disable the global CSP in a controller, e.g:
|
199
147
|
|
200
|
-
|
201
|
-
|
202
|
-
get 'questions/new'
|
148
|
+
class LegacyPagesController < ApplicationController
|
149
|
+
content_security_policy false, only: :index
|
203
150
|
end
|
204
151
|
|
205
|
-
*Yves Senn*
|
206
|
-
|
207
|
-
* Fix `assert_template` with `render :stream => true`.
|
208
|
-
Fix #1743.
|
209
|
-
Backport #5288.
|
210
|
-
|
211
|
-
*Sergey Nartimov*
|
212
|
-
|
213
|
-
* Eagerly populate the http method lookup cache so local project inflections do
|
214
|
-
not interfere with use of underscore method ( and we don't need locks )
|
215
|
-
|
216
|
-
*Aditya Sanghi*
|
217
|
-
|
218
|
-
* `BestStandardsSupport` no longer duplicates `X-UA-Compatible` values on
|
219
|
-
each request to prevent header size from blowing up.
|
220
|
-
|
221
|
-
*Edward Anderson*
|
222
|
-
|
223
|
-
* Fixed JSON params parsing regression for non-object JSON content.
|
224
|
-
|
225
|
-
*Dylan Smith*
|
226
|
-
|
227
|
-
* Prevent unnecessary asset compilation when using `javascript_include_tag` on
|
228
|
-
files with non-standard extensions.
|
229
|
-
|
230
|
-
*Noah Silas*
|
231
|
-
|
232
|
-
* Fixes issue where duplicate assets can be required with sprockets.
|
233
|
-
|
234
|
-
*Jeremy Jackson*
|
235
|
-
|
236
|
-
* Bump `rack` dependency to 1.4.3, eliminate `Rack::File` headers deprecation warning.
|
237
|
-
|
238
|
-
*Sam Ruby + Carlos Antonio da Silva*
|
239
|
-
|
240
|
-
* Do not append second slash to `root_url` when using `trailing_slash: true`
|
241
|
-
|
242
|
-
Fix #8700.
|
243
|
-
Backport #8701.
|
244
|
-
|
245
|
-
Example:
|
246
|
-
# before
|
247
|
-
root_url # => http://test.host//
|
248
|
-
|
249
|
-
# after
|
250
|
-
root_url # => http://test.host/
|
251
|
-
|
252
|
-
*Yves Senn*
|
253
|
-
|
254
|
-
* Fix a bug in `content_tag_for` that prevents it for work without a block.
|
255
|
-
|
256
|
-
*Jasl*
|
257
|
-
|
258
|
-
* Clear url helper methods when routes are reloaded by removing the methods
|
259
|
-
explicitly rather than just clearing the module because it didn't work
|
260
|
-
properly and could be the source of a memory leak.
|
261
|
-
|
262
152
|
*Andrew White*
|
263
153
|
|
264
|
-
*
|
265
|
-
|
266
|
-
|
267
|
-
*Matt Venables*
|
268
|
-
|
269
|
-
* More descriptive error messages when calling `render :partial` with
|
270
|
-
an invalid `:layout` argument.
|
271
|
-
|
272
|
-
Fixes #8376.
|
273
|
-
|
274
|
-
render :partial => 'partial', :layout => true
|
275
|
-
# results in ActionView::MissingTemplate: Missing partial /true
|
276
|
-
|
277
|
-
*Yves Senn*
|
154
|
+
* Add alias method `to_hash` to `to_h` for `cookies`.
|
155
|
+
Add alias method `to_h` to `to_hash` for `session`.
|
278
156
|
|
279
|
-
*
|
157
|
+
*Igor Kasyanchuk*
|
280
158
|
|
281
|
-
*
|
159
|
+
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
160
|
+
to meet the minimum max-age requirement for https://hstspreload.org/.
|
282
161
|
|
283
|
-
*
|
284
|
-
Before:
|
162
|
+
*Grant Bourque*
|
285
163
|
|
286
|
-
|
287
|
-
url_for :controller => controller, :action => 'status'
|
164
|
+
* Add support for automatic nonce generation for Rails UJS.
|
288
165
|
|
289
|
-
|
166
|
+
Because the UJS library creates a script tag to process responses it
|
167
|
+
normally requires the script-src attribute of the content security
|
168
|
+
policy to include 'unsafe-inline'.
|
290
169
|
|
291
|
-
|
170
|
+
To work around this we generate a per-request nonce value that is
|
171
|
+
embedded in a meta tag in a similar fashion to how CSRF protection
|
172
|
+
embeds its token in a meta tag. The UJS library can then read the
|
173
|
+
nonce value and set it on the dynamically generated script tag to
|
174
|
+
enable it to execute without needing 'unsafe-inline' enabled.
|
292
175
|
|
293
|
-
|
176
|
+
Nonce generation isn't 100% safe - if your script tag is including
|
177
|
+
user generated content in someway then it may be possible to exploit
|
178
|
+
an XSS vulnerability which can take advantage of the nonce. It is
|
179
|
+
however an improvement on a blanket permission for inline scripts.
|
294
180
|
|
295
|
-
|
181
|
+
It is also possible to use the nonce within your own script tags by
|
182
|
+
using `nonce: true` to set the nonce value on the tag, e.g
|
296
183
|
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
contains text/plain. Fix #7976 [Backport #8235]
|
301
|
-
|
302
|
-
*Joost Baaij*
|
303
|
-
|
304
|
-
* `BestStandardsSupport` middleware now appends it's `X-UA-Compatible` value to app's
|
305
|
-
returned value if any. Fix #8086 [Backport #8093]
|
306
|
-
|
307
|
-
*Nikita Afanasenko*
|
308
|
-
|
309
|
-
* prevent double slashes in engine urls when `Rails.application.default_url_options[:trailing_slash] = true` is set
|
310
|
-
Fix #7842
|
311
|
-
|
312
|
-
*Yves Senn*
|
313
|
-
|
314
|
-
* Fix input name when `:multiple => true` and `:index` are set.
|
315
|
-
|
316
|
-
Before:
|
317
|
-
|
318
|
-
check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
|
319
|
-
#=> <input name=\"post[foo][comment_ids]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids]\" type=\"checkbox\" value=\"1\" />
|
320
|
-
|
321
|
-
After:
|
322
|
-
|
323
|
-
check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
|
324
|
-
#=> <input name=\"post[foo][comment_ids][]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids][]\" type=\"checkbox\" value=\"1\" />
|
325
|
-
|
326
|
-
Fix #8108
|
327
|
-
|
328
|
-
*Daniel Fox, Grant Hutchins & Trace Wax*
|
329
|
-
|
330
|
-
|
331
|
-
## Rails 3.2.12 (Feb 11, 2013) ##
|
332
|
-
|
333
|
-
* No changes.
|
334
|
-
|
335
|
-
|
336
|
-
## Rails 3.2.11 (Jan 8, 2013) ##
|
337
|
-
|
338
|
-
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
|
339
|
-
|
340
|
-
|
341
|
-
## Rails 3.2.10 (Jan 2, 2013) ##
|
342
|
-
|
343
|
-
* No changes.
|
344
|
-
|
345
|
-
|
346
|
-
## Rails 3.2.9 (Nov 12, 2012) ##
|
347
|
-
|
348
|
-
* Clear url helpers when reloading routes.
|
349
|
-
|
350
|
-
*Santiago Pastorino*
|
351
|
-
|
352
|
-
* Revert the shorthand routes scoped with `:module` option fix
|
353
|
-
This added a regression since it is changing the URL mapping.
|
354
|
-
This makes the stable release backward compatible.
|
355
|
-
|
356
|
-
*Rafael Mendonça França*
|
357
|
-
|
358
|
-
* Revert the `assert_template` fix to not pass with ever string that matches the template name.
|
359
|
-
This added a regression since people were relying on this buggy behavior.
|
360
|
-
This will introduce back #3849 but this stable release will be backward compatible.
|
361
|
-
Fixes #8068.
|
362
|
-
|
363
|
-
*Rafael Mendonça França*
|
364
|
-
|
365
|
-
* Revert the rename of internal variable on ActionController::TemplateAssertions to prevent
|
366
|
-
naming collisions. This added a regression related with shoulda-matchers, since it is
|
367
|
-
expecting the [instance variable @layouts](https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74).
|
368
|
-
This will introduce back #7459 but this stable release will be backward compatible.
|
369
|
-
Fixes #8068.
|
370
|
-
|
371
|
-
*Rafael Mendonça França*
|
184
|
+
<%= javascript_tag nonce: true do %>
|
185
|
+
alert('Hello, World!');
|
186
|
+
<% end %>
|
372
187
|
|
373
|
-
|
188
|
+
Fixes #31689.
|
374
189
|
|
375
|
-
*
|
376
|
-
Fix #3415
|
190
|
+
*Andrew White*
|
377
191
|
|
378
|
-
|
192
|
+
* Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
|
379
193
|
|
380
|
-
|
381
|
-
naming collisions. @partials, @templates and @layouts are now prefixed with an underscore.
|
382
|
-
Fix #7459
|
194
|
+
Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
|
383
195
|
|
384
|
-
|
196
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
197
|
+
def index
|
198
|
+
params.each do |name|
|
199
|
+
puts name
|
200
|
+
end
|
201
|
+
end
|
385
202
|
|
386
|
-
|
387
|
-
|
203
|
+
# Prints
|
204
|
+
# param
|
205
|
+
# param_two
|
388
206
|
|
389
|
-
|
207
|
+
In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
|
390
208
|
|
391
|
-
|
209
|
+
To fix the code above simply change as per example below:
|
392
210
|
|
393
|
-
#
|
394
|
-
|
211
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
212
|
+
def index
|
213
|
+
params.each do |name, value|
|
214
|
+
puts name
|
215
|
+
end
|
216
|
+
end
|
395
217
|
|
396
|
-
#
|
397
|
-
|
218
|
+
# Prints
|
219
|
+
# param
|
220
|
+
# param_two
|
398
221
|
|
399
|
-
|
400
|
-
<%= stylesheet_link_tag 'phone', media: 'all' %>
|
401
|
-
<%= stylesheet_link_tag 'phone/index', media: 'all' %>
|
222
|
+
*Dominic Cleal*
|
402
223
|
|
403
|
-
|
224
|
+
* Add `Referrer-Policy` header to default headers set.
|
404
225
|
|
405
|
-
*
|
406
|
-
with the template name.
|
226
|
+
*Guillermo Iguaran*
|
407
227
|
|
408
|
-
|
409
|
-
|
410
|
-
positive like:
|
228
|
+
* Changed the system tests to set Puma as default server only when the
|
229
|
+
user haven't specified manually another server.
|
411
230
|
|
412
|
-
|
413
|
-
assert_template "out/hello"
|
231
|
+
*Guillermo Iguaran*
|
414
232
|
|
415
|
-
|
233
|
+
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
|
234
|
+
default headers set.
|
416
235
|
|
417
|
-
|
418
|
-
assert_template "hello"
|
236
|
+
*Guillermo Iguaran*
|
419
237
|
|
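Review bot: the two header entries (`Referrer-Policy`, and `X-Download-Options` with `X-Permitted-Cross-Domain-Policies`) name the headers now in the default headers set but not the values they are set to, and the value is what a reader needs to decide whether to keep or override the default; please state each header's default value in its entry.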
420
|
-
|
238
|
+
* Add headless firefox support to System Tests.
|
421
239
|
|
422
|
-
*
|
240
|
+
*bogdanvlviv*
|
423
241
|
|
424
|
-
*
|
425
|
-
`Rack::Test::UploadedFile` isn't API compatible this is needed to test file uploads that rely on `tempfile`
|
426
|
-
being available.
|
242
|
+
* Changed the default system test screenshot output from `inline` to `simple`.
|
427
243
|
|
428
|
-
|
244
|
+
`inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
|
245
|
+
Terminal.app ignore the `inline` and output the path to the file since it can't
|
246
|
+
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
247
|
+
inline, but also don't handle it gracefully and instead of outputting the file
|
248
|
+
path, it dumps binary into the terminal.
|
429
249
|
|
430
|
-
|
250
|
+
Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
|
431
251
|
|
432
|
-
|
433
|
-
option, but ignored the global config setting. This meant that
|
434
|
-
`config.digest = false` could not be used in conjunction with
|
435
|
-
`config.compile = false` this corrects the behavior.
|
252
|
+
*Eileen M. Uchitelle*
|
436
253
|
|
437
|
-
|
254
|
+
* Register most popular audio/video/font mime types supported by modern browsers.
|
438
255
|
|
439
|
-
*
|
256
|
+
*Guillermo Iguaran*
|
440
257
|
|
441
|
-
|
258
|
+
* Fix optimized url helpers when using relative url root.
|
442
259
|
|
443
|
-
|
444
|
-
Fixes #7431.
|
260
|
+
Fixes #31220.
|
445
261
|
|
446
|
-
*
|
262
|
+
*Andrew White*
|
447
263
|
|
448
|
-
*
|
449
|
-
Fixes #7404.
|
264
|
+
* Add DSL for configuring Content-Security-Policy header.
|
450
265
|
|
451
|
-
|
266
|
+
The DSL allows you to configure a global Content-Security-Policy
|
267
|
+
header and then override within a controller. For more information
|
268
|
+
about the Content-Security-Policy header see MDN:
|
452
269
|
|
453
|
-
|
270
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
454
271
|
|
455
|
-
|
456
|
-
Fixes GH#3047, GH#2483.
|
272
|
+
Example global policy:
|
457
273
|
|
458
|
-
|
274
|
+
# config/initializers/content_security_policy.rb
|
275
|
+
Rails.application.config.content_security_policy do |p|
|
276
|
+
p.default_src :self, :https
|
277
|
+
p.font_src :self, :https, :data
|
278
|
+
p.img_src :self, :https, :data
|
279
|
+
p.object_src :none
|
280
|
+
p.script_src :self, :https
|
281
|
+
p.style_src :self, :https, :unsafe_inline
|
282
|
+
end
|
459
283
|
|
460
|
-
|
461
|
-
will usually intercept the response and just uses the path directly, so no reason to open the file. This performance
|
462
|
-
improvement also resolves an issue with jRuby encodings, and is the reason for the backport, see issue #6844.
|
284
|
+
Example controller overrides:
|
463
285
|
|
464
|
-
|
286
|
+
# Override policy inline
|
287
|
+
class PostsController < ApplicationController
|
288
|
+
content_security_policy do |p|
|
289
|
+
p.upgrade_insecure_requests true
|
290
|
+
end
|
291
|
+
end
|
465
292
|
|
293
|
+
# Using literal values
|
294
|
+
class PostsController < ApplicationController
|
295
|
+
content_security_policy do |p|
|
296
|
+
p.base_uri "https://www.example.com"
|
297
|
+
end
|
298
|
+
end
|
466
299
|
|
467
|
-
|
300
|
+
# Using mixed static and dynamic values
|
301
|
+
class PostsController < ApplicationController
|
302
|
+
content_security_policy do |p|
|
303
|
+
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
304
|
+
end
|
305
|
+
end
|
468
306
|
|
469
|
-
|
470
|
-
|
471
|
-
|
472
|
-
html.
|
307
|
+
Allows you to also only report content violations for migrating
|
308
|
+
legacy content using the `content_security_policy_report_only`
|
309
|
+
configuration attribute, e.g;
|
473
310
|
|
474
|
-
|
311
|
+
# config/initializers/content_security_policy.rb
|
312
|
+
Rails.application.config.content_security_policy_report_only = true
|
475
313
|
|
476
|
-
|
477
|
-
|
478
|
-
|
479
|
-
|
314
|
+
# controller override
|
315
|
+
class PostsController < ApplicationController
|
316
|
+
content_security_policy_report_only only: :index
|
317
|
+
end
|
480
318
|
|
481
|
-
|
319
|
+
Note that this feature does not validate the header for performance
|
320
|
+
reasons since the header is calculated at runtime.
|
482
321
|
|
483
|
-
*
|
322
|
+
*Andrew White*
|
484
323
|
|
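Review bot: the "mixed static and dynamic values" example interpolates `current_user.domain` into a `base-uri` source, and the closing note says the header is not validated because it is calculated at runtime, so an application-supplied dynamic value goes straight into the policy string; the entry should say that values returned from the lambdas must be validated by the application, since the DSL will not do it. It is also worth flagging in the global example that `p.style_src :self, :https, :unsafe_inline` deliberately relaxes the style directive, so readers do not copy the example as a hardened baseline.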
485
|
-
*
|
324
|
+
* Make `assert_recognizes` to traverse mounted engines.
|
486
325
|
|
487
|
-
*
|
326
|
+
*Yuichiro Kaneko*
|
488
327
|
|
489
|
-
*
|
328
|
+
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
490
329
|
|
491
330
|
*Rafael Mendonça França*
|
492
331
|
|
332
|
+
* Add `:allow_other_host` option to `redirect_back` method.
|
493
333
|
|
494
|
-
|
495
|
-
|
496
|
-
* Do not convert digest auth strings to symbols. CVE-2012-3424
|
497
|
-
|
498
|
-
* Bump Journey requirements to 1.0.4
|
499
|
-
|
500
|
-
* Add support for optional root segments containing slashes
|
501
|
-
|
502
|
-
* Fixed bug creating invalid HTML in select options
|
503
|
-
|
504
|
-
* Show in log correct wrapped keys
|
505
|
-
|
506
|
-
* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
|
507
|
-
|
508
|
-
* ActionController::Metal doesn't have logger method, check it and then delegate
|
509
|
-
|
510
|
-
* ActionController::Caching depends on RackDelegation and AbstractController::Callbacks
|
511
|
-
|
512
|
-
|
513
|
-
## Rails 3.2.6 (Jun 12, 2012) ##
|
514
|
-
|
515
|
-
* nil is removed from array parameter values
|
516
|
-
|
517
|
-
CVE-2012-2694
|
518
|
-
|
519
|
-
* Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers.
|
520
|
-
|
521
|
-
*Carlos Galdino*
|
522
|
-
|
523
|
-
* Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki*
|
524
|
-
|
525
|
-
* Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
|
526
|
-
|
527
|
-
|
528
|
-
## Rails 3.2.5 (Jun 1, 2012) ##
|
529
|
-
|
530
|
-
* No changes.
|
531
|
-
|
532
|
-
|
533
|
-
## Rails 3.2.4 (May 31, 2012) ##
|
534
|
-
|
535
|
-
* Deprecate old APIs for highlight, excerpt and word_wrap *Jeremy Walker*
|
536
|
-
|
537
|
-
* Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to`, `button_tag` and `submit_tag` helpers.
|
538
|
-
|
539
|
-
*Carlos Galdino + Rafael Mendonça França*
|
540
|
-
|
541
|
-
* Deprecate `:mouseover` option for `image_tag` helper. *Rafael Mendonça França*
|
542
|
-
|
543
|
-
* Deprecate `button_to_function` and `link_to_function` helpers. *Rafael Mendonça França*
|
544
|
-
|
545
|
-
* Don't break Haml with textarea newline fix. GH #393, #4000, #5190, #5191
|
546
|
-
|
547
|
-
* Fix options handling on labels. GH #2492, #5614
|
548
|
-
|
549
|
-
* Added config.action_view.embed_authenticity_token_in_remote_forms to deal
|
550
|
-
with regression from 16ee611fa
|
551
|
-
|
552
|
-
* Set rendered_format when doing render :inline. GH #5632
|
553
|
-
|
554
|
-
* Fix the redirect when it receive blocks with arity of 1. Closes #5677
|
555
|
-
|
556
|
-
* Strip [nil] from parameters hash. Thanks to Ben Murphy for
|
557
|
-
reporting this! CVE-2012-2660
|
558
|
-
|
559
|
-
|
560
|
-
## Rails 3.2.3 (March 30, 2012) ##
|
561
|
-
|
562
|
-
* Allow to lazy load `default_form_builder` by passing a `String` instead of a constant. *Piotr Sarnacki*
|
563
|
-
|
564
|
-
* Fix #5632, render :inline set the proper rendered format. *Santiago Pastorino*
|
565
|
-
|
566
|
-
* Fix textarea rendering when using plugins like HAML. Such plugins encode the first newline character in the content. This issue was introduced in https://github.com/rails/rails/pull/5191 *James Coleman*
|
567
|
-
|
568
|
-
* Remove the leading \n added by textarea on assert_select. *Santiago Pastorino*
|
569
|
-
|
570
|
-
* Add `config.action_view.embed_authenticity_token_in_remote_forms` (defaults to true) which allows to set if authenticity token will be included by default in remote forms. If you change it to false, you can still force authenticity token by passing `:authenticity_token => true` in form options *Piotr Sarnacki*
|
334
|
+
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
335
|
+
different host. `allow_other_host` is `true` by default.
|
571
336
|
|
572
|
-
*
|
337
|
+
*Tim Masliuchenko*
|
573
338
|
|
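Review bot: the description states that `allow_other_host` is `true` by default, which means `redirect_back` keeps accepting a redirect target on a different host unless the caller opts out; please say explicitly that the default does not change existing behaviour and that an application wanting `redirect_back` confined to its own host must pass `allow_other_host: false` on each call.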
574
|
-
*
|
575
|
-
check that info. Closes #5245. *Santiago Pastorino*
|
339
|
+
* Add headless chrome support to System Tests.
|
576
340
|
|
577
|
-
*
|
341
|
+
*Yuji Yaginuma*
|
578
342
|
|
579
|
-
*
|
343
|
+
* Add ability to enable Early Hints for HTTP/2
|
580
344
|
|
581
|
-
|
345
|
+
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
582
346
|
|
583
|
-
|
347
|
+
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
584
348
|
|
585
|
-
*
|
349
|
+
*Eileen M. Uchitelle*, *Aaron Patterson*
|
586
350
|
|
587
|
-
*
|
351
|
+
* Simplify cookies middleware with key rotation support
|
588
352
|
|
589
|
-
|
353
|
+
Use the `rotate` method for both `MessageEncryptor` and
|
354
|
+
`MessageVerifier` to add key rotation support for encrypted and
|
355
|
+
signed cookies. This also helps simplify support for legacy cookie
|
356
|
+
security.
|
590
357
|
|
358
|
+
*Michael J Coyne*
|
591
359
|
|
592
|
-
|
360
|
+
* Use Capybara registered `:puma` server config.
|
593
361
|
|
594
|
-
|
362
|
+
The Capybara registered `:puma` server ensures the puma server is run in process so
|
363
|
+
connection sharing and open request detection work correctly by default.
|
595
364
|
|
596
|
-
*
|
365
|
+
*Thomas Walpole*
|
597
366
|
|
598
|
-
*
|
367
|
+
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
599
368
|
|
600
|
-
|
601
|
-
|
602
|
-
*Tadas Tamosauskas*
|
369
|
+
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
370
|
+
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
603
371
|
|
372
|
+
Pull Request: #30121
|
604
373
|
|
605
|
-
|
374
|
+
*Assain Jaleel*
|
606
375
|
|
607
|
-
*
|
376
|
+
* Enforce signed/encrypted cookie expiry server side.
|
608
377
|
|
609
|
-
|
378
|
+
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
610
379
|
|
611
|
-
|
380
|
+
It does so by stashing the expiry within the written cookie and relying on the
|
381
|
+
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
382
|
+
server-side read, the expiry is verified and any expired cookie is discarded.
|
612
383
|
|
384
|
+
Pull Request: #30121
|
613
385
|
|
614
|
-
|
386
|
+
*Assain Jaleel*
|
615
387
|
|
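Review bot: the entry describes stashing the expiry inside the written cookie and verifying it on a server-side read, but does not say how signed or encrypted cookies written before this change, which carry no embedded expiry, are treated; please state whether such cookies are still accepted, so that readers do not assume every already-issued cookie is now bounded server side.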
616
|
-
*
|
388
|
+
* Make `take_failed_screenshot` work within engine.
|
617
389
|
|
618
|
-
|
390
|
+
Fixes #30405.
|
619
391
|
|
620
|
-
*
|
392
|
+
*Yuji Yaginuma*
|
621
393
|
|
622
|
-
* Deprecate
|
394
|
+
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
623
395
|
|
624
|
-
|
396
|
+
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
397
|
+
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
398
|
+
use the response helpers provided by `Rack::Response`.
|
625
399
|
|
626
|
-
*
|
400
|
+
*Trevor Wistaff*
|
627
401
|
|
628
|
-
*
|
629
|
-
These methods were not being used internally anymore and are going to be removed in Rails 4. *Carlos Antonio da Silva*
|
402
|
+
* Protect from forgery by default
|
630
403
|
|
631
|
-
|
404
|
+
Rather than protecting from forgery in the generated `ApplicationController`,
|
405
|
+
add it to `ActionController::Base` depending on
|
406
|
+
`config.action_controller.default_protect_from_forgery`. This configuration
|
407
|
+
defaults to false to support older versions which have removed it from their
|
408
|
+
`ApplicationController`, but is set to true for Rails 5.2.
|
632
409
|
|
633
|
-
*
|
634
|
-
close. Closes #4441 if Active Record is disabled assets are delivered
|
635
|
-
correctly *Santiago Pastorino*
|
410
|
+
*Lisa Ugray*
|
636
411
|
|
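Review bot: "defaults to false to support older versions ... but is set to true for Rails 5.2" leaves unclear which upgrade path actually gets forgery protection: by the first clause, an application upgraded to 5.2 that keeps its old configuration and has already removed `protect_from_forgery` from its `ApplicationController` would stay at false and so be unprotected. Please state where the 5.2 value is set so readers can check their own configuration rather than assume the framework default covers them.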
637
|
-
*
|
412
|
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
638
413
|
|
639
|
-
*
|
414
|
+
*Kir Shatrov*
|
640
415
|
|
641
|
-
*
|
416
|
+
* `driven_by` now registers poltergeist and capybara-webkit.
|
642
417
|
|
643
|
-
|
418
|
+
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
419
|
+
`driven_by` will register the driver and set additional options passed via
|
420
|
+
the `:options` parameter.
|
644
421
|
|
645
|
-
|
422
|
+
Refer to the respective driver's documentation to see what options can be passed.
|
646
423
|
|
647
|
-
*
|
424
|
+
*Mario Chavez*
|
648
425
|
|
649
|
-
|
426
|
+
* AEAD encrypted cookies and sessions with GCM.
|
650
427
|
|
651
|
-
|
428
|
+
Encrypted cookies now use AES-GCM which couples authentication and
|
429
|
+
encryption in one faster step and produces shorter ciphertexts. Cookies
|
430
|
+
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
431
|
+
this new mode is enabled via the
|
432
|
+
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
652
433
|
|
653
|
-
|
654
|
-
<%= f.button %>
|
655
|
-
<% end %>
|
656
|
-
|
657
|
-
* Date helpers accept a new option, `:use_two_digit_numbers = true`, that renders select boxes for months and days with a leading zero without changing the respective values.
|
658
|
-
For example, this is useful for displaying ISO8601-style dates such as '2011-08-01'. *Lennart Fridén and Kim Persson*
|
659
|
-
|
660
|
-
* Make ActiveSupport::Benchmarkable a default module for ActionController::Base, so the #benchmark method is once again available in the controller context like it used to be *DHH*
|
661
|
-
|
662
|
-
* Deprecated implied layout lookup in controllers whose parent had a explicit layout set:
|
663
|
-
|
664
|
-
class ApplicationController
|
665
|
-
layout "application"
|
666
|
-
end
|
667
|
-
|
668
|
-
class PostsController < ApplicationController
|
669
|
-
end
|
670
|
-
|
671
|
-
In the example above, Posts controller will no longer automatically look up for a posts layout.
|
672
|
-
|
673
|
-
If you need this functionality you could either remove `layout "application"` from ApplicationController or explicitly set it to nil in PostsController. *José Valim*
|
674
|
-
|
675
|
-
* Rails will now use your default layout (such as "layouts/application") when you specify a layout with `:only` and `:except` condition, and those conditions fail. *Prem Sichanugrist*
|
676
|
-
|
677
|
-
For example, consider this snippet:
|
678
|
-
|
679
|
-
class CarsController
|
680
|
-
layout 'single_car', :only => :show
|
681
|
-
end
|
682
|
-
|
683
|
-
Rails will use 'layouts/single_car' when a request comes in `:show` action, and use 'layouts/application' (or 'layouts/cars', if exists) when a request comes in for any other actions.
|
684
|
-
|
685
|
-
* form_for with +:as+ option uses "#{action}_#{as}" as css class and id:
|
686
|
-
|
687
|
-
Before:
|
688
|
-
|
689
|
-
form_for(@user, :as => 'client') # => "<form class="client_new">..."
|
690
|
-
|
691
|
-
Now:
|
692
|
-
|
693
|
-
form_for(@user, :as => 'client') # => "<form class="new_client">..."
|
694
|
-
|
695
|
-
*Vasiliy Ermolovich*
|
696
|
-
|
697
|
-
* Allow rescue responses to be configured through a railtie as in `config.action_dispatch.rescue_responses`. Please look at ActiveRecord::Railtie for an example *José Valim*
|
698
|
-
|
699
|
-
* Allow fresh_when/stale? to take a record instead of an options hash *DHH*
|
434
|
+
*Michael J Coyne*
|
700
435
|
|
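Review bot: the entry says AES-CBC+HMAC cookies are "seamlessly upgraded" once `action_dispatch.use_authenticated_cookie_encryption` is enabled, but gives neither the default of that setting nor whether legacy cookies remain readable after it is on; the earlier "Simplify cookies middleware with key rotation support" entry names `rotate` on `MessageEncryptor` and `MessageVerifier` as the mechanism for legacy cookie support, so please link the two and say whether opting in is required.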
701
|
-
*
|
702
|
-
|
703
|
-
* Log "Filter chain halted as CALLBACKNAME rendered or redirected" every time a before callback halts *José Valim*
|
704
|
-
|
705
|
-
* You can provide a namespace for your form to ensure uniqueness of id attributes on form elements.
|
706
|
-
The namespace attribute will be prefixed with underscore on the generate HTML id. *Vasiliy Ermolovich*
|
707
|
-
|
708
|
-
Example:
|
709
|
-
|
710
|
-
<%= form_for(@offer, :namespace => 'namespace') do |f| %>
|
711
|
-
<%= f.label :version, 'Version' %>:
|
712
|
-
<%= f.text_field :version %>
|
713
|
-
<% end %>
|
714
|
-
|
715
|
-
* Refactor ActionDispatch::ShowExceptions. The controller is responsible for choosing to show exceptions when `consider_all_requests_local` is false.
|
716
|
-
|
717
|
-
It's possible to override `show_detailed_exceptions?` in controllers to specify which requests should provide debugging information on errors. The default value is now false, meaning local requests in production will no longer show the detailed exceptions page unless `show_detailed_exceptions?` is overridden and set to `request.local?`.
|
718
|
-
|
719
|
-
* Responders now return 204 No Content for API requests without a response body (as in the new scaffold) *José Valim*
|
720
|
-
|
721
|
-
* Added ActionDispatch::RequestId middleware that'll make a unique X-Request-Id header available to the response and enables the ActionDispatch::Request#uuid method. This makes it easy to trace requests from end-to-end in the stack and to identify individual requests in mixed logs like Syslog *DHH*
|
722
|
-
|
723
|
-
* Limit the number of options for select_year to 1000.
|
724
|
-
|
725
|
-
Pass the :max_years_allowed option to set your own limit.
|
726
|
-
|
727
|
-
*Libo Cannici*
|
728
|
-
|
729
|
-
* Passing formats or handlers to render :template and friends is deprecated. For example: *Nick Sutterer & José Valim*
|
730
|
-
|
731
|
-
render :template => "foo.html.erb"
|
732
|
-
|
733
|
-
Instead, you can provide :handlers and :formats directly as option:
|
734
|
-
render :template => "foo", :formats => [:html, :js], :handlers => :erb
|
735
|
-
|
736
|
-
* Changed log level of warning for missing CSRF token from :debug to :warn. *Mike Dillon*
|
737
|
-
|
738
|
-
* content_tag_for and div_for can now take the collection of records. It will also yield the record as the first argument if you set a receiving argument in your block *Prem Sichanugrist*
|
739
|
-
|
740
|
-
So instead of having to do this:
|
741
|
-
|
742
|
-
@items.each do |item|
|
743
|
-
content_tag_for(:li, item) do
|
744
|
-
Title: <%= item.title %>
|
745
|
-
end
|
746
|
-
end
|
747
|
-
|
748
|
-
You can now do this:
|
749
|
-
|
750
|
-
content_tag_for(:li, @items) do |item|
|
751
|
-
Title: <%= item.title %>
|
752
|
-
end
|
436
|
+
* Change the cache key format for fragments to make it easier to debug key churn. The new format is:
|
753
437
|
|
754
|
-
|
438
|
+
views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
|
439
|
+
^template path ^template tree digest ^class ^id
|
755
440
|
|
756
|
-
*
|
441
|
+
*DHH*
|
757
442
|
|
758
|
-
*
|
759
|
-
|
760
|
-
|
761
|
-
nothing is sent according to HTML spec *Bogdan Gusiev*
|
443
|
+
* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
|
444
|
+
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
445
|
+
to support it.
|
762
446
|
|
763
|
-
*
|
447
|
+
*DHH*
|
764
448
|
|
765
|
-
|
449
|
+
* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
|
766
450
|
|
767
|
-
|
768
|
-
|
769
|
-
|
451
|
+
`ActionController::Base` and `ActionController::API` have differing implementations. This means that
|
452
|
+
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
453
|
+
may not exist in a certain implementation.
|
770
454
|
|
771
|
-
|
455
|
+
This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
|
772
456
|
|
773
|
-
|
774
|
-
get :index
|
775
|
-
assert_nil cookies[:email]
|
457
|
+
Fixes #27013.
|
776
458
|
|
777
|
-
|
778
|
-
persistent between requests so if you need to manipulate the environment
|
779
|
-
for your test you need to do it before the cookie jar is created.
|
459
|
+
*Julian Nadeau*
|
780
460
|
|
781
|
-
* ActionController::ParamsWrapper on ActiveRecord models now only wrap
|
782
|
-
attr_accessible attributes if they were set, if not, only the attributes
|
783
|
-
returned by the class method attribute_names will be wrapped. This fixes
|
784
|
-
the wrapping of nested attributes by adding them to attr_accessible.
|
785
461
|
|
786
|
-
Please check [
|
462
|
+
Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
|