actionpack 3.2.22.5 → 5.2.4

data/CHANGELOG.md

@@ -1,786 +1,462 @@
-## Rails 3.2.22 (Jun 16, 2015) ##
+## Rails 5.2.4 (November 27, 2019) ##
 
-* No changes.
-
-
-## Rails 3.2.19 (Jul 2, 2014) ##
-
-*   Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
-    `options[:raise]`.
-
-    This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
-
-    *Shota Fukumori (sora_h)*
-
-
-## Rails 3.2.18 (May 6, 2014) ##
-
-*   Only accept actions without File::SEPARATOR in the name.
-
-    This will avoid directory traversal in implicit render.
-
-    Fixes: CVE-2014-0130
-
-    *Rafael Mendonça França*
-
-
-## Rails 3.2.17 (Feb 18, 2014) ##
-
-*   Use the reference for the mime type to get the format
+*   No changes.
 
-    Fixes: CVE-2014-0082
 
-*   Escape format, negative_format and units options of number helpers
+## Rails 5.2.3 (March 27, 2019) ##
 
-    Fixes: CVE-2014-0081
+*   Allow using `public` and `no-cache` together in the the Cache Control header.
 
+    Before this change, even if `public` was specified in the Cache Control header,
+    it was excluded when `no-cache` was included. This change preserves the
+    `public` value as is.
 
-## Rails 3.2.16 (Dec 12, 2013) ##
+    Fixes #34780.
 
-*   Deep Munge the parameters for GET and POST Fixes CVE-2013-6417
+    *Yuji Yaginuma*
 
-*   Stop using i18n's built in HTML error handling.  Fixes: CVE-2013-4491
+*   Allow `nil` params for `ActionController::TestCase`.
 
-*   Escape the unit value provided to number_to_currency Fixes CVE-2013-6415
+    *Ryo Nakamura*
 
-*   Only use valid mime type symbols as cache keys CVE-2013-6414
 
-## Rails 3.2.15 (Oct 16, 2013) ##
+## Rails 5.2.2.1 (March 11, 2019) ##
 
-*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
-    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+*   No changes.
 
-    Fixes #12410
-    Backports #10844
 
-    *Tamir Duberstein*
+## Rails 5.2.2 (December 04, 2018) ##
 
-*   Fix the assert_recognizes test method so that it works when there are
-    constraints on the querystring.
+*   Reset Capybara sessions if failed system test screenshot raising an exception.
 
-    Issue/Pull Request #9368
-    Backport #5219
+    Reset Capybara sessions if `take_failed_screenshot` raise exception
+    in system test `after_teardown`.
 
-    *Brian Hahn*
+    *Maxim Perepelitsa*
 
-*   Fix to render partial by context(#11605).
+*   Use request object for context if there's no controller
 
-    *Kassio Borges*
+    There is no controller instance when using a redirect route or a
+    mounted rack application so pass the request object as the context
+    when resolving dynamic CSP sources in this scenario.
 
-*   Fix `ActionDispatch::Assertions::ResponseAssertions#assert_redirected_to`
-    does not show user-supplied message.
+    Fixes #34200.
 
-    Issue: when `assert_redirected_to` fails due to the response redirect not
-    matching the expected redirect the user-supplied message (second parameter)
-    is not shown. This message is only shown if the response is not a redirect.
+    *Andrew White*
 
-    *Alexey Chernenkov*
+*   Apply mapping to symbols returned from dynamic CSP sources
 
+    Previously if a dynamic source returned a symbol such as :self it
+    would be converted to a string implicity, e.g:
 
-## Rails 3.2.14 (Jul 22, 2013) ##
+        policy.default_src -> { :self }
 
-*   Merge `:action` from routing scope and assign endpoint if both `:controller`
-    and `:action` are present. The endpoint assignment only occurs if there is
-    no `:to` present in the options hash so should only affect routes using the
-    shorthand syntax (i.e. endpoint is inferred from the the path).
+    would generate the header:
 
-    Fixes #9856
+        Content-Security-Policy: default-src self
 
-    *Yves Senn*, *Andrew White*
+    and now it generates:
 
-*   Always escape the result of `link_to_unless` method.
+        Content-Security-Policy: default-src 'self'
 
-    Before:
+    *Andrew White*
 
-        link_to_unless(true, '<b>Showing</b>', 'github.com')
-        # => "<b>Showing</b>"
+*   Fix `rails routes -c` for controller name consists of multiple word.
 
-    After:
+    *Yoshiyuki Kinjo*
 
-        link_to_unless(true, '<b>Showing</b>', 'github.com')
-        # => "&lt;b&gt;Showing&lt;/b&gt;"
+*   Call the `#redirect_to` block in controller context.
 
-    *dtaniwaki*
+    *Steven Peckins*
 
-*   Use a case insensitive URI Regexp for #asset_path.
 
-    This fix a problem where the same asset path using different case are generating
-    different URIs.
+## Rails 5.2.1.1 (November 27, 2018) ##
 
-    Before:
+*   No changes.
 
-        image_tag("HTTP://google.com")
-        # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
-        image_tag("http://google.com")
-        # => "<img alt=\"Google\" src=\"http://google.com\" />"
 
-    After:
+## Rails 5.2.1 (August 07, 2018) ##
 
-        image_tag("HTTP://google.com")
-        # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
-        image_tag("http://google.com")
-        # => "<img alt=\"Google\" src=\"http://google.com\" />"
+*   Prevent `?null=` being passed on JSON encoded test requests.
 
-    *David Celis + Rafael Mendonça França*
+    `RequestEncoder#encode_params` won't attempt to parse params if
+    there are none.
 
-*   Fix explicit names on multiple file fields. If a file field tag has
-    the multiple option, it is turned into an array field (appending `[]`),
-    but if an explicit name is passed to `file_field` the `[]` is not
-    appended.
-    Fixes #9830.
+    So call like this will no longer append a `?null=` query param.
 
-    *Ryan McGeary*
+        get foos_url, as: :json
 
-*   Fix assets loading performance in 3.2.13.
+    *Alireza Bashiri*
 
-    Issue #8756 uses Sprockets for resolving files that already exist on disk,
-    for those files their extensions don't need to be rewritten.
+*   Ensure `ActionController::Parameters#transform_values` and
+    `ActionController::Parameters#transform_values!` converts hashes into
+    parameters.
 
-    Fixes #9803.
+    *Kevin Sjöberg*
 
-    *Fred Wu*
+*   Fix strong parameters `permit!` with nested arrays.
 
-*   Fix `ActionController#action_missing` not being called.
-    Fixes #9799.
+    Given:
+    ```
+    params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
+    params.permit!
+    ```
 
-    *Janko Luin*
+    `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
 
-*   `ActionView::Helpers::NumberHelper#number_to_human` returns the number unaltered when
-    the units hash does not contain the needed key, e.g. when the number provided is less
-    than the largest key provided.
+    *Steve Hull*
 
-    Examples:
+*   Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
+    `ActionController::TestCase` subclasses.
 
-        number_to_human(123, units: {})                # => 123
-        number_to_human(123, units: { thousand: 'k' }) # => 123
+    *Eugene Kenny*
 
-    Fixes #9269.
-    Backport #9347.
+*   Output only one Content-Security-Policy nonce header value per request.
 
-    *Michael Hoffman*
+    Fixes #32597.
 
-*   Include I18n locale fallbacks in view lookup.
-    Fixes GH#3512.
+    *Andrey Novikov*, *Andrew White*
 
-    *Juan Barreneche*
+*   Only disable GPUs for headless Chrome on Windows.
 
-*   Fix `ActionDispatch::Request#formats` when the Accept request-header is an
-    empty string. Fix #7774 [Backport #8977, #9541]
+    It is not necessary anymore for Linux and macOS machines.
 
-    *Soylent + Maxime Réty*
+    https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
 
+    *Stefan Wrobel*
 
-## Rails 3.2.13 (Mar 18, 2013) ##
+*   Fix system tests transactions not closed between examples.
 
-*   Fix incorrectly appended square brackets to a multiple select box
-    if an explicit name has been given and it already ends with "[]".
+    *Sergey Tarasov*
 
-    Before:
 
-        select(:category, [], {}, multiple: true, name: "post[category][]")
-        # => <select name="post[category][][]" ...>
+## Rails 5.2.0 (April 09, 2018) ##
 
-    After:
+*   Check exclude before flagging cookies as secure.
 
-        select(:category, [], {}, multiple: true, name: "post[category][]")
-        # => <select name="post[category][]" ...>
+    *Catherine Khuu*
 
-    Backport #9616.
+*   Always yield a CSP policy instance from `content_security_policy`
 
-    *Olek Janiszewski*
+    This allows a controller action to enable the policy individually
+    for a controller and/or specific actions.
 
-*   Determine the controller#action from only the matched path when using the
-    shorthand syntax. Previously the complete path was used, which led
-    to problems with nesting (scopes and namespaces).
-    Fixes #7554.
-    Backport #9361.
+    *Andrew White*
 
-    Example:
+*   Add the ability to disable the global CSP in a controller, e.g:
 
-        # this will route to questions#new
-        scope ':locale' do
-          get 'questions/new'
+        class LegacyPagesController < ApplicationController
+          content_security_policy false, only: :index
         end
 
-    *Yves Senn*
-
-*   Fix `assert_template` with `render :stream => true`.
-    Fix #1743.
-    Backport #5288.
-
-    *Sergey Nartimov*
-
-*   Eagerly populate the http method lookup cache so local project inflections do
-    not interfere with use of underscore method ( and we don't need locks )
-
-    *Aditya Sanghi*
-
-*   `BestStandardsSupport` no longer duplicates `X-UA-Compatible` values on
-    each request to prevent header size from blowing up.
-
-    *Edward Anderson*
-
-*   Fixed JSON params parsing regression for non-object JSON content.
-
-    *Dylan Smith*
-
-*   Prevent unnecessary asset compilation when using `javascript_include_tag` on
-    files with non-standard extensions.
-
-    *Noah Silas*
-
-*   Fixes issue where duplicate assets can be required with sprockets.
-
-    *Jeremy Jackson*
-
-*   Bump `rack` dependency to 1.4.3, eliminate `Rack::File` headers deprecation warning.
-
-    *Sam Ruby + Carlos Antonio da Silva*
-
-*   Do not append second slash to `root_url` when using `trailing_slash: true`
-
-    Fix #8700.
-    Backport #8701.
-
-    Example:
-        # before
-        root_url # => http://test.host//
-
-        # after
-        root_url # => http://test.host/
-
-    *Yves Senn*
-
-*   Fix a bug in `content_tag_for` that prevents it for work without a block.
-
-    *Jasl*
-
-*   Clear url helper methods when routes are reloaded by removing the methods
-    explicitly rather than just clearing the module because it didn't work
-    properly and could be the source of a memory leak.
-
     *Andrew White*
 
-*   Fix a bug in `ActionDispatch::Request#raw_post` that caused `env['rack.input']`
-    to be read but not rewound.
-
-    *Matt Venables*
-
-*   More descriptive error messages when calling `render :partial` with
-    an invalid `:layout` argument.
-
-    Fixes #8376.
-
-        render :partial => 'partial', :layout => true
-        # results in ActionView::MissingTemplate: Missing partial /true
-
-    *Yves Senn*
+*   Add alias method `to_hash` to `to_h` for `cookies`.
+    Add alias method `to_h` to `to_hash` for `session`.
 
-*   Accept symbols as `#send_data` :disposition value. [Backport #8329] *Elia Schito*
+    *Igor Kasyanchuk*
 
-*   Add i18n scope to `distance_of_time_in_words`. [Backport #7997] *Steve Klabnik*
+*   Update the default HSTS max-age value to 31536000 seconds (1 year)
+    to meet the minimum max-age requirement for https://hstspreload.org/.
 
-*   Fix side effect of `url_for` changing the `:controller` string option. [Backport #6003]
-    Before:
+    *Grant Bourque*
 
-        controller = '/projects'
-        url_for :controller => controller, :action => 'status'
+*   Add support for automatic nonce generation for Rails UJS.
 
-        puts controller #=> 'projects'
+    Because the UJS library creates a script tag to process responses it
+    normally requires the script-src attribute of the content security
+    policy to include 'unsafe-inline'.
 
-    After
+    To work around this we generate a per-request nonce value that is
+    embedded in a meta tag in a similar fashion to how CSRF protection
+    embeds its token in a meta tag. The UJS library can then read the
+    nonce value and set it on the dynamically generated script tag to
+    enable it to execute without needing 'unsafe-inline' enabled.
 
-        puts controller #=> '/projects'
+    Nonce generation isn't 100% safe - if your script tag is including
+    user generated content in someway then it may be possible to exploit
+    an XSS vulnerability which can take advantage of the nonce. It is
+    however an improvement on a blanket permission for inline scripts.
 
-    *Nikita Beloglazov + Andrew White*
+    It is also possible to use the nonce within your own script tags by
+    using `nonce: true` to set the nonce value on the tag, e.g
 
-*   Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`. This is a list
-    of mime types where template text is not html escaped by default. It prevents `Jack & Joe`
-    from rendering as `Jack &amp; Joe` for the whitelisted mime types. The default whitelist
-    contains text/plain. Fix #7976 [Backport #8235]
-
-    *Joost Baaij*
-
-*   `BestStandardsSupport` middleware now appends it's `X-UA-Compatible` value to app's
-    returned value if any. Fix #8086 [Backport #8093]
-
-    *Nikita Afanasenko*
-
-*   prevent double slashes in engine urls when `Rails.application.default_url_options[:trailing_slash] = true` is set
-    Fix #7842
-
-    *Yves Senn*
-
-*   Fix input name when `:multiple => true` and `:index` are set.
-
-    Before:
-
-        check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
-        #=> <input name=\"post[foo][comment_ids]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids]\" type=\"checkbox\" value=\"1\" />
-
-    After:
-
-        check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
-        #=> <input name=\"post[foo][comment_ids][]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids][]\" type=\"checkbox\" value=\"1\" />
-
-    Fix #8108
-
-    *Daniel Fox, Grant Hutchins & Trace Wax*
-
-
-## Rails 3.2.12 (Feb 11, 2013) ##
-
-*   No changes.
-
-
-## Rails 3.2.11 (Jan 8, 2013) ##
-
-*   Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
-
-
-## Rails 3.2.10 (Jan 2, 2013) ##
-
-*   No changes.
-
-
-## Rails 3.2.9 (Nov 12, 2012) ##
-
-*   Clear url helpers when reloading routes.
-
-    *Santiago Pastorino*
-
-*   Revert the shorthand routes scoped with `:module` option fix
-    This added a regression since it is changing the URL mapping.
-    This makes the stable release backward compatible.
-
-    *Rafael Mendonça França*
-
-*   Revert the `assert_template` fix to not pass with ever string that matches the template name.
-    This added a regression since people were relying on this buggy behavior.
-    This will introduce back #3849 but this stable release will be backward compatible.
-    Fixes #8068.
-
-    *Rafael Mendonça França*
-
-*   Revert the rename of internal variable on ActionController::TemplateAssertions to prevent
-    naming collisions. This added a regression related with shoulda-matchers, since it is
-    expecting the [instance variable @layouts](https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74).
-    This will introduce back #7459 but this stable release will be backward compatible.
-    Fixes #8068.
-
-    *Rafael Mendonça França*
+        <%= javascript_tag nonce: true do %>
+          alert('Hello, World!');
+        <% end %>
 
-*   Accept :remote as symbolic option for `link_to` helper. *Riley Lynch*
+    Fixes #31689.
 
-*   Warn when the `:locals` option is passed to `assert_template` outside of a view test case
-    Fix #3415
+    *Andrew White*
 
-    *Yves Senn*
+*   Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
 
-*   Rename internal variables on ActionController::TemplateAssertions to prevent
-    naming collisions. @partials, @templates and @layouts are now prefixed with an underscore.
-    Fix #7459
+    Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
 
-    *Yves Senn*
+        # Parameters: {"param"=>"1", "param_two"=>"2"}
+        def index
+          params.each do |name|
+            puts name
+          end
+        end
 
-*   `resource` and `resources` don't modify the passed options hash
-    Fix #7777
+        # Prints
+        # param
+        # param_two
 
-    *Yves Senn*
+    In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
 
-*   Precompiled assets include aliases from foo.js to foo/index.js and vice versa.
+    To fix the code above simply change as per example below:
 
-        # Precompiles phone-<digest>.css and aliases phone/index.css to phone.css.
-        config.assets.precompile = [ 'phone.css' ]
+        # Parameters: {"param"=>"1", "param_two"=>"2"}
+        def index
+          params.each do |name, value|
+            puts name
+          end
+        end
 
-        # Precompiles phone/index-<digest>.css and aliases phone.css to phone/index.css.
-        config.assets.precompile = [ 'phone/index.css' ]
+        # Prints
+        # param
+        # param_two
 
-        # Both of these work with either precompile thanks to their aliases.
-        <%= stylesheet_link_tag 'phone', media: 'all' %>
-        <%= stylesheet_link_tag 'phone/index', media: 'all' %>
+    *Dominic Cleal*
 
-    *Jeremy Kemper*
+*   Add `Referrer-Policy` header to default headers set.
 
-*   `assert_template` is no more passing with what ever string that matches
-    with the template name.
+    *Guillermo Iguaran*
 
-    Before when we have a template `/layout/hello.html.erb`, `assert_template`
-    was passing with any string that matches. This behavior allowed false
-    positive like:
+*   Changed the system tests to set Puma as default server only when the
+    user haven't specified manually another server.
 
-        assert_template "layout"
-        assert_template "out/hello"
+    *Guillermo Iguaran*
 
-    Now it only passes with:
+*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
+    default headers set.
 
-        assert_template "layout/hello"
-        assert_template "hello"
+    *Guillermo Iguaran*
 
-    Fixes #3849.
+*   Add headless firefox support to System Tests.
 
-    *Hugolnx*
+    *bogdanvlviv*
 
-*   Handle `ActionDispatch::Http::UploadedFile` like `Rack::Test::UploadedFile`, don't call to_param on it. Since
-    `Rack::Test::UploadedFile` isn't API compatible this is needed to test file uploads that rely on `tempfile`
-    being available.
+*   Changed the default system test screenshot output from `inline` to `simple`.
 
-    *Tim Vandecasteele*
+    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
+    Terminal.app ignore the `inline` and output the path to the file since it can't
+    render the image. Other terminals, like those on Ubuntu, cannot handle the image
+    inline, but also don't handle it gracefully and instead of outputting the file
+    path, it dumps binary into the terminal.
 
-*   Respect `config.digest = false` for `asset_path`
+    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
 
-    Previously, the `asset_path` internals only respected the `:digest`
-    option, but ignored the global config setting. This meant that
-    `config.digest = false` could not be used in conjunction with
-    `config.compile = false` this corrects the behavior.
+    *Eileen M. Uchitelle*
 
-    *Peter Wagenet*
+*   Register most popular audio/video/font mime types supported by modern browsers.
 
-*   Fix #7646, the log now displays the correct status code when an exception is raised.
+    *Guillermo Iguaran*
 
-    *Yves Senn*
+*   Fix optimized url helpers when using relative url root.
 
-*   Fix handling of date selects when using both disabled and discard options.
-    Fixes #7431.
+    Fixes #31220.
 
-    *Vasiliy Ermolovich*
+    *Andrew White*
 
-*   Fix select_tag when option_tags is nil.
-    Fixes #7404.
+*   Add DSL for configuring Content-Security-Policy header.
 
-    *Sandeep Ravichandran*
+    The DSL allows you to configure a global Content-Security-Policy
+    header and then override within a controller. For more information
+    about the Content-Security-Policy header see MDN:
 
-*   `javascript_include_tag :all` will now not include `application.js` if the file does not exists. *Prem Sichanugrist*
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-*   Support cookie jar options (e.g., domain :all) for all session stores.
-    Fixes GH#3047, GH#2483.
+    Example global policy:
 
-    *Ravil Bayramgalin*
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy do |p|
+          p.default_src :self, :https
+          p.font_src    :self, :https, :data
+          p.img_src     :self, :https, :data
+          p.object_src  :none
+          p.script_src  :self, :https
+          p.style_src   :self, :https, :unsafe_inline
+        end
 
-*   Performance Improvement to send_file: Avoid having to pass an open file handle as the response body. Rack::Sendfile
-    will usually intercept the response and just uses the path directly, so no reason to open the file. This performance
-    improvement also resolves an issue with jRuby encodings, and is the reason for the backport, see issue #6844.
+    Example controller overrides:
 
-    *Jeremy Kemper & Erich Menge*
+        # Override policy inline
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.upgrade_insecure_requests true
+          end
+        end
 
+        # Using literal values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri "https://www.example.com"
+          end
+        end
 
-## Rails 3.2.8 (Aug 9, 2012) ##
+        # Using mixed static and dynamic values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+          end
+        end
 
-*   There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
-    helper doesn't correctly handle malformed html.  As a result an attacker can
-    execute arbitrary javascript through the use of specially crafted malformed
-    html.
+    Allows you to also only report content violations for migrating
+    legacy content using the `content_security_policy_report_only`
+    configuration attribute, e.g;
 
-    *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy_report_only = true
 
-*   When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
-    If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
-    Vulnerable code will look something like this:
-    select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+        # controller override
+        class PostsController < ApplicationController
+          content_security_policy_report_only only: :index
+        end
 
-    *Santiago Pastorino*
+    Note that this feature does not validate the header for performance
+    reasons since the header is calculated at runtime.
 
-*   Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
+    *Andrew White*
 
-*   Reverted the deprecation of `:disable_with`. *Rafael Mendonça França*
+*   Make `assert_recognizes` to traverse mounted engines.
 
-*   Reverted the deprecation of `:mouseover` option to `image_tag`. *Rafael Mendonça França*
+    *Yuichiro Kaneko*
 
-*   Reverted the deprecation of `button_to_function` and `link_to_function` helpers.
+*   Remove deprecated `ActionController::ParamsParser::ParseError`.
 
     *Rafael Mendonça França*
 
+*   Add `:allow_other_host` option to `redirect_back` method.
 
-## Rails 3.2.7 (Jul 26, 2012) ##
-
-*   Do not convert digest auth strings to symbols. CVE-2012-3424
-
-*   Bump Journey requirements to 1.0.4
-
-*   Add support for optional root segments containing slashes
-
-*   Fixed bug creating invalid HTML in select options
-
-*   Show in log correct wrapped keys
-
-*   Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
-
-*   ActionController::Metal doesn't have logger method, check it and then delegate
-
-*   ActionController::Caching depends on RackDelegation and AbstractController::Callbacks
-
-
-## Rails 3.2.6 (Jun 12, 2012) ##
-
-*   nil is removed from array parameter values
-
-    CVE-2012-2694
-
-*   Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers.
-
-    *Carlos Galdino*
-
-*   Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki*
-
-*   Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
-
-
-## Rails 3.2.5 (Jun 1, 2012) ##
-
-*   No changes.
-
-
-## Rails 3.2.4 (May 31, 2012) ##
-
-*   Deprecate old APIs for highlight, excerpt and word_wrap *Jeremy Walker*
-
-*   Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to`, `button_tag` and `submit_tag` helpers.
-
-    *Carlos Galdino + Rafael Mendonça França*
-
-*   Deprecate `:mouseover` option for `image_tag` helper. *Rafael Mendonça França*
-
-*   Deprecate `button_to_function` and `link_to_function` helpers. *Rafael Mendonça França*
-
-*   Don't break Haml with textarea newline fix.  GH #393, #4000, #5190, #5191
-
-*   Fix options handling on labels. GH #2492, #5614
-
-*   Added config.action_view.embed_authenticity_token_in_remote_forms to deal
-    with regression from 16ee611fa
-
-*   Set rendered_format when doing render :inline. GH #5632
-
-*   Fix the redirect when it receive blocks with arity of 1. Closes #5677
-
-*   Strip [nil] from parameters hash. Thanks to Ben Murphy for
-    reporting this! CVE-2012-2660
-
-
-## Rails 3.2.3 (March 30, 2012) ##
-
-*   Allow to lazy load `default_form_builder` by passing a `String` instead of a constant. *Piotr Sarnacki*
-
-*   Fix #5632, render :inline set the proper rendered format. *Santiago Pastorino*
-
-*   Fix textarea rendering when using plugins like HAML. Such plugins encode the first newline character in the content. This issue was introduced in https://github.com/rails/rails/pull/5191 *James Coleman*
-
-*   Remove the leading \n added by textarea on assert_select. *Santiago Pastorino*
-
-*   Add `config.action_view.embed_authenticity_token_in_remote_forms` (defaults to true) which allows to set if authenticity token will be included by default in remote forms. If you change it to false, you can still force authenticity token by passing `:authenticity_token => true` in form options *Piotr Sarnacki*
+    When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
+    different host. `allow_other_host` is `true` by default.
 
-*   Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value *DHH*
+    *Tim Masliuchenko*
 
-*   Turn off verbose mode of rack-cache, we still have X-Rack-Cache to
-    check that info. Closes #5245. *Santiago Pastorino*
+*   Add headless chrome support to System Tests.
 
-*   Fix #5238, rendered_format is not set when template is not rendered. *Piotr Sarnacki*
+    *Yuji Yaginuma*
 
-*   Upgrade rack-cache to 1.2. *José Valim*
+*   Add ability to enable Early Hints for HTTP/2
 
-*   ActionController::SessionManagement is deprecated. *Santiago Pastorino*
+    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
 
-*   Since the router holds references to many parts of the system like engines, controllers and the application itself, inspecting the route set can actually be really slow, therefore we default alias inspect to to_s. *José Valim*
+    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
 
-*   Add a new line after the textarea opening tag. Closes #393 *Rafael Mendonça França*
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
-*   Always pass a respond block from to responder. We should let the responder to decide what to do with the given overridden response block, and not short circuit it. *sikachu*
+*   Simplify cookies middleware with key rotation support
 
-*   Fixes layout rendering regression from 3.2.2. *José Valim*
+    Use the `rotate` method for both `MessageEncryptor` and
+    `MessageVerifier` to add key rotation support for encrypted and
+    signed cookies. This also helps simplify support for legacy cookie
+    security.
 
+    *Michael J Coyne*
 
-## Rails 3.2.2 (March 1, 2012) ##
+*   Use Capybara registered `:puma` server config.
 
-*   Format lookup for partials is derived from the format in which the template is being rendered. Closes #5025 part 2 *Santiago Pastorino*
+    The Capybara registered `:puma` server ensures the puma server is run in process so
+    connection sharing and open request detection work correctly by default.
 
-*   Use the right format when a partial is missing. Closes #5025. *Santiago Pastorino*
+    *Thomas Walpole*
 
-*   Default responder will now always use your overridden block in `respond_with` to render your response. *Prem Sichanugrist*
+*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
 
-*   check_box helper with :disabled => true will generate a disabled hidden field to conform with the HTML convention where disabled fields are not submitted with the form.
-    This is a behavior change, previously the hidden tag had a value of the disabled checkbox.
-    *Tadas Tamosauskas*
+        cookies[:user_name] = { value: "assain", expires: 1.hour }
+        cookies[:key] = { value: "a yummy cookie", expires: 6.months }
 
+    Pull Request: #30121
 
-## Rails 3.2.1 (January 26, 2012) ##
+    *Assain Jaleel*
 
-*   Documentation improvements.
+*   Enforce signed/encrypted cookie expiry server side.
 
-*   Allow `form.select` to accept ranges (regression). *Jeremy Walker*
+    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
 
-*   `datetime_select` works with -/+ infinity dates. *Joe Van Dyk*
+    It does so by stashing the expiry within the written cookie and relying on the
+    signing/encrypting to vouch that it hasn't been tampered with. Then on a
+    server-side read, the expiry is verified and any expired cookie is discarded.
 
+    Pull Request: #30121
 
-## Rails 3.2.0 (January 20, 2012) ##
+    *Assain Jaleel*
 
-*   Setting config.assets.logger to false turn off Sprockets logger *Guillermo Iguaran*
+*   Make `take_failed_screenshot` work within engine.
 
-*   Add `config.action_dispatch.default_charset` to configure default charset for ActionDispatch::Response. *Carlos Antonio da Silva*
+    Fixes #30405.
 
-*   Deprecate setting default charset at controller level, use the new `config.action_dispatch.default_charset` instead. *Carlos Antonio da Silva*
+    *Yuji Yaginuma*
 
-*   Deprecate ActionController::UnknownAction in favour of AbstractController::ActionNotFound. *Carlos Antonio da Silva*
+*   Deprecate `ActionDispatch::TestResponse` response aliases.
 
-*   Deprecate ActionController::DoubleRenderError in favour of AbstractController::DoubleRenderError. *Carlos Antonio da Silva*
+    `#success?`, `#missing?` & `#error?` are not supported by the actual
+    `ActionDispatch::Response` object and can produce false-positives. Instead,
+    use the response helpers provided by `Rack::Response`.
 
-*   Deprecate method_missing handling for not found actions, use action_missing instead. *Carlos Antonio da Silva*
+    *Trevor Wistaff*
 
-*   Deprecate ActionController#rescue_action, ActionController#initialize_template_class, and ActionController#assign_shortcuts.
-    These methods were not being used internally anymore and are going to be removed in Rails 4. *Carlos Antonio da Silva*
+*   Protect from forgery by default
 
-*   Add config.assets.logger to configure Sprockets logger *Rafael França*
+    Rather than protecting from forgery in the generated `ApplicationController`,
+    add it to `ActionController::Base` depending on
+    `config.action_controller.default_protect_from_forgery`. This configuration
+    defaults to false to support older versions which have removed it from their
+    `ApplicationController`, but is set to true for Rails 5.2.
 
-*   Use a BodyProxy instead of including a Module that responds to
-    close. Closes #4441 if Active Record is disabled assets are delivered
-    correctly *Santiago Pastorino*
+    *Lisa Ugray*
 
-*   Rails initialization with initialize_on_precompile = false should set assets_dir *Santiago Pastorino*
+*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
 
-*   Add font_path helper method *Santiago Pastorino*
+    *Kir Shatrov*
 
-*   Depends on rack ~> 1.4.0 *Santiago Pastorino*
+*   `driven_by` now registers poltergeist and capybara-webkit.
 
-*   Add :gzip option to `caches_page`. The default option can be configured globally using `page_cache_compression` *Andrey Sitnik*
+    If poltergeist or capybara-webkit are set as drivers is set for System Tests,
+    `driven_by` will register the driver and set additional options passed via
+    the `:options` parameter.
 
-*   The ShowExceptions middleware now accepts a exceptions application that is responsible to render an exception when the application fails. The application is invoked with a copy of the exception in `env["action_dispatch.exception"]` and with the PATH_INFO rewritten to the status code. *José Valim*
+    Refer to the respective driver's documentation to see what options can be passed.
 
-*   Add `button_tag` support to ActionView::Helpers::FormBuilder.
+    *Mario Chavez*
 
-    This support mimics the default behavior of `submit_tag`.
+*   AEAD encrypted cookies and sessions with GCM.
 
-    Example:
+    Encrypted cookies now use AES-GCM which couples authentication and
+    encryption in one faster step and produces shorter ciphertexts. Cookies
+    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
+    this new mode is enabled via the
+    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
 
-        <%= form_for @post do |f| %>
-          <%= f.button %>
-        <% end %>
-
-*   Date helpers accept a new option, `:use_two_digit_numbers = true`, that renders select boxes for months and days with a leading zero without changing the respective values.
-    For example, this is useful for displaying ISO8601-style dates such as '2011-08-01'. *Lennart Fridén and Kim Persson*
-
-*   Make ActiveSupport::Benchmarkable a default module for ActionController::Base, so the #benchmark method is once again available in the controller context like it used to be *DHH*
-
-*   Deprecated implied layout lookup in controllers whose parent had a explicit layout set:
-
-        class ApplicationController
-          layout "application"
-        end
-
-        class PostsController < ApplicationController
-        end
-
-    In the example above, Posts controller will no longer automatically look up for a posts layout.
-
-    If you need this functionality you could either remove `layout "application"` from ApplicationController or explicitly set it to nil in PostsController. *José Valim*
-
-*   Rails will now use your default layout (such as "layouts/application") when you specify a layout with `:only` and `:except` condition, and those conditions fail. *Prem Sichanugrist*
-
-    For example, consider this snippet:
-
-        class CarsController
-          layout 'single_car', :only => :show
-        end
-
-    Rails will use 'layouts/single_car' when a request comes in `:show` action, and use 'layouts/application' (or 'layouts/cars', if exists) when a request comes in for any other actions.
-
-*   form_for with +:as+ option uses "#{action}_#{as}" as css class and id:
-
-    Before:
-
-        form_for(@user, :as => 'client') # => "<form class="client_new">..."
-
-    Now:
-
-        form_for(@user, :as => 'client') # => "<form class="new_client">..."
-
-    *Vasiliy Ermolovich*
-
-*   Allow rescue responses to be configured through a railtie as in `config.action_dispatch.rescue_responses`. Please look at ActiveRecord::Railtie for an example *José Valim*
-
-*   Allow fresh_when/stale? to take a record instead of an options hash *DHH*
+    *Michael J Coyne*
 
-*   Assets should use the request protocol by default or default to relative if no request is available *Jonathan del Strother*
-
-*   Log "Filter chain halted as CALLBACKNAME rendered or redirected" every time a before callback halts *José Valim*
-
-*   You can provide a namespace for your form to ensure uniqueness of id attributes on form elements.
-    The namespace attribute will be prefixed with underscore on the generate HTML id. *Vasiliy Ermolovich*
-
-    Example:
-
-        <%= form_for(@offer, :namespace => 'namespace') do |f| %>
-          <%= f.label :version, 'Version' %>:
-          <%= f.text_field :version %>
-        <% end %>
-
-*   Refactor ActionDispatch::ShowExceptions. The controller is responsible for choosing to show exceptions when `consider_all_requests_local` is false.
-
-    It's possible to override `show_detailed_exceptions?` in controllers to specify which requests should provide debugging information on errors. The default value is now false, meaning local requests in production will no longer show the detailed exceptions page unless `show_detailed_exceptions?` is overridden and set to `request.local?`.
-
-*   Responders now return 204 No Content for API requests without a response body (as in the new scaffold) *José Valim*
-
-*   Added ActionDispatch::RequestId middleware that'll make a unique X-Request-Id header available to the response and enables the ActionDispatch::Request#uuid method. This makes it easy to trace requests from end-to-end in the stack and to identify individual requests in mixed logs like Syslog *DHH*
-
-*   Limit the number of options for select_year to 1000.
-
-    Pass the :max_years_allowed option to set your own limit.
-
-    *Libo Cannici*
-
-*   Passing formats or handlers to render :template and friends is deprecated. For example: *Nick Sutterer & José Valim*
-
-        render :template => "foo.html.erb"
-
-    Instead, you can provide :handlers and :formats directly as option:
-             render :template => "foo", :formats => [:html, :js], :handlers => :erb
-
-*   Changed log level of warning for missing CSRF token from :debug to :warn. *Mike Dillon*
-
-*   content_tag_for and div_for can now take the collection of records. It will also yield the record as the first argument if you set a receiving argument in your block *Prem Sichanugrist*
-
-    So instead of having to do this:
-
-        @items.each do |item|
-          content_tag_for(:li, item) do
-             Title: <%= item.title %>
-          end
-        end
-
-    You can now do this:
-
-        content_tag_for(:li, @items) do |item|
-          Title: <%= item.title %>
-        end
+*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
 
-*   send_file now guess the mime type *Esad Hajdarevic*
+        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
+              ^template path           ^template tree digest            ^class   ^id
 
-*   Mime type entries for PDF, ZIP and other formats were added *Esad Hajdarevic*
+    *DHH*
 
-*   Generate hidden input before select with :multiple option set to true.
-    This is useful when you rely on the fact that when no options is set,
-    the state of select will be sent to rails application. Without hidden field
-    nothing is sent according to HTML spec *Bogdan Gusiev*
+*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
+    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
+    to support it.
 
-*   Refactor ActionController::TestCase cookies *Andrew White*
+    *DHH*
 
-    Assigning cookies for test cases should now use cookies[], e.g:
+*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
 
-        cookies[:email] = 'user@example.com'
-        get :index
-        assert_equal 'user@example.com', cookies[:email]
+    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
+    the one umbrella hook `action_controller` is not able to address certain situations where a method
+    may not exist in a certain implementation.
 
-    To clear the cookies, use clear, e.g:
+    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
 
-        cookies.clear
-        get :index
-        assert_nil cookies[:email]
+    Fixes #27013.
 
-    We now no longer write out HTTP_COOKIE and the cookie jar is
-    persistent between requests so if you need to manipulate the environment
-    for your test you need to do it before the cookie jar is created.
+    *Julian Nadeau*
 
-*   ActionController::ParamsWrapper on ActiveRecord models now only wrap
-    attr_accessible attributes if they were set, if not, only the attributes
-    returned by the class method attribute_names will be wrapped. This fixes
-    the wrapping of nested attributes by adding them to attr_accessible.
 
-Please check [3-1-stable](https://github.com/rails/rails/blob/3-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.