actionpack 4.1.16 → 4.2.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fe62013e39e8b46771939c7bd21df2fc811979ac
-  data.tar.gz: a4cb179e0f663accf69a8af04968a6a96d26b865
+  metadata.gz: 6d649528dc6dcae47651b64c5dfe0e92989d3fb9
+  data.tar.gz: 4cd8d6dd611b187e5005aa4ecbe4f766c574da5e
 SHA512:
-  metadata.gz: 39f9f06ffc9546b0870246bb5c4987db9ff77a80cfe5d61bc640aea28d35ae14a03dd327f829644d3a2f7469b5d9441d423f27230ad2d75da44aa1587c828066
-  data.tar.gz: 7c22ac5277518b7dedb9c1d433d8e59b032ec36a267047a790dab5a12b4e4853bedee5a997b6b29fccd9009f7477de99efc3e5aee9c29ef180b7264d479dfcd4
+  metadata.gz: 7670d5691189a68b9a041ebd58916056febb4e71a8a2b4871edf78ba6b5cbdc18472f7e1026c76a8f6f179efdbe282ce801387887267e0d9f03cbad4193e134a
+  data.tar.gz: 6f2c063b5f9f67661c316081daf87ee7300647d54a43c2179712f69765f79472e83fe3d4457944f4d064f9c4475d0cf5a8502cc1457aeeb433336eb2a71fe671

data/CHANGELOG.md

@@ -1,135 +1,126 @@
-## Rails 4.1.16 (July 12, 2016) ##
+*   `ActionController::Parameters` will stop inheriting from `Hash` and
+    `HashWithIndifferentAccess` in the next major release. If you use any method
+    that is not available on `ActionController::Parameters` you should consider
+    calling `#to_h` to convert it to a `Hash` first before calling that method.
 
-*   No changes.
-
-
-## Rails 4.1.15 (March 07, 2016) ##
-
-*   No changes.
-
-
-## Rails 4.1.14.2 (February 26, 2016) ##
-
-*   Do not allow render with unpermitted parameter.
-
-    Fixes CVE-2016-2098.
-
-    *Arthur Neves*
-
-
-## Rails 4.1.14.1 (January 25, 2015) ##
-
-*   No changes.
-
-
-## Rails 4.1.14 (November 12, 2015) ##
-
-*   No changes.
-
-
-## Rails 4.1.13 (August 24, 2015) ##
-
-*   No changes.
-
-
-## Rails 4.1.12 (June 25, 2015) ##
-
-*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
-
-    Previously, an empty X_FORWARDED_HOST header would cause
-    Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
-    Actiondispatch::Http:URL.host to raise a NoMethodError.
-
-    *Adam Forsyth*
+    *Prem Sichanugrist*
 
-*   Fix regression in functional tests. Responses should have default headers
-    assigned.
+*   `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
+    keys removed. This change is to reflect on a security concern where some
+    method performed on an `ActionController::Parameters` may yield a `Hash`
+    object which does not maintain `permitted?` status. If you would like to
+    get a `Hash` with all the keys intact, duplicate and mark it as permitted
+    before calling `#to_h`.
 
-    See #18423.
+        params = ActionController::Parameters.new({
+          name: 'Senjougahara Hitagi',
+          oddity: 'Heavy stone crab'
+        })
+        params.to_h
+        # => {}
 
-    *Jeremy Kemper*, *Yves Senn*
+        unsafe_params = params.dup.permit!
+        unsafe_params.to_h
+        # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
 
+        safe_params = params.permit(:name)
+        safe_params.to_h
+        # => {"name"=>"Senjougahara Hitagi"}
 
-## Rails 4.1.11 (June 16, 2015) ##
+    This change is consider a stopgap as we cannot change the code to stop
+    `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
+    in the next minor release.
 
-*   No changes.
+    *Prem Sichanugrist*
 
+*   Deprecated TagAssertions.
 
-## Rails 4.1.10 (March 19, 2015) ##
+    *Kasper Timm Hansen*
 
-*   Preserve default format when generating URLs
+*   Use the Active Support JSON encoder for cookie jars using the `:json` or
+    `:hybrid` serializer. This allows you to serialize custom Ruby objects into
+    cookies by defining the `#as_json` hook on such objects.
 
-    Fixes an issue that would cause the format set in default_url_options to be
-    lost when generating URLs with fewer positional arguments than parameters in
-    the route definition.
+    Fixes #16520.
 
-    Backport of #18627
+    *Godfrey Chan*
 
-    *Tekin Suleyman*, *Dominic Baggott*
+*   Add `config.action_dispatch.cookies_digest` option for setting custom
+    digest. The default remains the same - 'SHA1'.
 
-*   Default headers, removed in controller actions, are no longer reapplied on
-    the test response.
+    *Łukasz Strzałkowski*
 
-    *Jonas Baumann*
+*   Move `respond_with` (and the class-level `respond_to`) to
+    the `responders` gem.
 
-*   Ensure `append_info_to_payload` is called even if an exception is raised.
+    *José Valim*
 
-    Fixes an issue where when an exception is raised in the request the additonal
-    payload data is not available.
+*   When your templates change, browser caches bust automatically.
 
-    See:
-    * #14903
-    * https://github.com/roidrage/lograge/issues/37
+    New default: the template digest is automatically included in your ETags.
+    When you call `fresh_when @post`, the digest for `posts/show.html.erb`
+    is mixed in so future changes to the HTML will blow HTTP caches for you.
+    This makes it easy to HTTP-cache many more of your actions.
 
-    *Dieter Komendera*, *Margus Pärt*
+    If you render a different template, you can now pass the `:template`
+    option to include its digest instead:
 
+      fresh_when @post, template: 'widgets/show'
 
-## Rails 4.1.9 (January 6, 2015) ##
+    Pass `template: false` to skip the lookup. To turn this off entirely, set:
 
-*   Fixed handling of positional url helper arguments when `format: false`.
+      config.action_controller.etag_with_template_digest = false
 
-    Fixes #17819.
+    *Jeremy Kemper*
 
-    *Andrew White*, *Tatiana Soukiassian*
+*   Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
+    in favor of `AbstractController::Helpers::MissingHelperError`.
 
-*   Restore handling of a bare `Authorization` header, without `token=`
-    prefix.
+    *Yves Senn*
 
-    Fixes #17108.
+*   Fix `assert_template` not being able to assert that no files were rendered.
 
     *Guo Xiang Tan*
 
+*   Extract source code for the entire exception stack trace for
+    better debugging and diagnosis.
 
-## Rails 4.1.8 (November 16, 2014) ##
-
-*   Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
-
-    fixes #17035.
+    *Ryan Dao*
 
-    *arthurnn*
+*   Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
+    loopback address.
 
-*   Fix a bug where malformed query strings lead to 500.
+    *Earl St Sauver*, *Sven Riedel*
 
-    fixes #11502.
+*   Preserve original path in `ShowExceptions` middleware by stashing it as
+    `env["action_dispatch.original_path"]`
 
-    *Yuki Nishijima*
+    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
+    for the exception defined in `ExceptionWrapper`, so the path
+    the user was visiting when an exception occurred was not previously
+    available to any custom exceptions_app. The original `PATH_INFO` is now
+    stashed in `env["action_dispatch.original_path"]`.
 
+    *Grey Baker*
 
-## Rails 4.1.7.1 (November 19, 2014) ##
+*   Use `String#bytesize` instead of `String#size` when checking for cookie
+    overflow.
 
-*   Fix arbitrary file existence disclosure in Action Pack.
+    *Agis Anastasopoulos*
 
-    CVE-2014-7829.
+*   `render nothing: true` or rendering a `nil` body no longer add a single
+    space to the response body.
 
+    The old behavior was added as a workaround for a bug in an early version of
+    Safari, where the HTTP headers are not returned correctly if the response
+    body has a 0-length. This is been fixed since and the workaround is no
+    longer necessary.
 
-## Rails 4.1.7 (October 29, 2014) ##
+    Use `render body: ' '` if the old behavior is desired.
 
-*   Fix arbitrary file existence disclosure in Action Pack.
+    See #14883 for details.
 
-    CVE-2014-7818.
-
-
-## Rails 4.1.6 (September 11, 2014) ##
+    *Godfrey Chan*
 
 *   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
     ("Rosetta Flash")
@@ -158,6 +149,12 @@
 
     *Lucas Mazza*
 
+*   Add `config.action_controller.always_permitted_parameters` to configure which
+    parameters are permitted globally. The default value of this configuration is
+    `['controller', 'action']`.
+
+    *Gary S. Weaver*, *Rafael Chacon*
+
 *   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
 
     Fixes #15511.
@@ -177,50 +174,45 @@
 
     *Larry Lv*
 
+*   Ensure the controller is always notified as soon as the client disconnects
+    during live streaming, even when the controller is blocked on a write.
 
-## Rails 4.1.4 (July 2, 2014) ##
+    *Nicholas Jakobsen*, *Matthew Draper*
 
-*   No changes.
+*   Routes specifying 'to:' must be a string that contains a "#" or a rack
+    application.  Use of a symbol should be replaced with `action: symbol`.
+    Use of a string without a "#" should be replaced with `controller: string`.
 
-
-## Rails 4.1.3 (July 2, 2014) ##
-
-*   No changes.
-
-
-## Rails 4.1.2 (June 26, 2014) ##
+    *Aaron Patterson*
 
 *   Fix URL generation with `:trailing_slash` such that it does not add
     a trailing slash after `.:format`
 
     *Dan Langevin*
 
-*   Fix an issue with migrating legacy json cookies.
+*   Build full URI as string when processing path in integration tests for
+    performance reasons.
 
-    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumed all incoming
-    cookies were marshal-encoded. This was not the case when `secret_token` was
-    used in conjunction with the `:json` or `:hybrid` serializer.
-
-    In those cases, when upgrading to use `secret_key_base`, this would cause a
-    `TypeError: incompatible marshal file format` and a 500 error for the user.
+    *Guo Xiang Tan*
 
-    Fixes #14774.
+*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
+    called 'status' in a controller.
 
-    *Godfrey Chan*
+    Fixes #13905.
 
-*   `http_basic_authenticate_with` only checks the authentication if the schema is
-    `Basic`.
+    *Christiaan Van den Poel*
 
-    Fixes #10257.
+*   Add MKCALENDAR HTTP method (RFC 4791).
 
-    *tomykaira*
+    *Sergey Karpesh*
 
-*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
-    called 'status' in a controller.
+*   Instrument fragment cache metrics.
 
-    Fixes #13905.
+    Adds `:controller`: and `:action` keys to the instrumentation payload
+    for the `*_fragment.action_controller` notifications. This allows tracking
+    e.g. the fragment cache hit rates for each controller action.
 
-    *Christiaan Van den Poel*
+    *Daniel Schierbeck*
 
 *   Always use the provided port if the protocol is relative.
 
@@ -228,9 +220,40 @@
 
     *Guilherme Cavalcanti*, *Andrew White*
 
-*   Append a link in the backtrace to the bad code when a `SyntaxError` exception occurs.
+*   Moved `params[request_forgery_protection_token]` into its own method
+    and improved tests.
 
-    *Boris Kuznetsov*
+    Fixes #11316.
+
+    *Tom Kadwill*
+
+*   Added verification of route constraints given as a Proc or an object responding
+    to `:matches?`. Previously, when given an non-complying object, it would just
+    silently fail to enforce the constraint. It will now raise an `ArgumentError`
+    when setting up the routes.
+
+    *Xavier Defrang*
+
+*   Properly treat the entire IPv6 User Local Address space as private for
+    purposes of remote IP detection. Also handle uppercase private IPv6
+    addresses.
+
+    Fixes #12638.
+
+    *Caleb Spare*
+
+*   Fixed an issue with migrating legacy json cookies.
+
+    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
+    cookies are marshal-encoded. This is not the case when `secret_token` is
+    used in conjunction with the `:json` or `:hybrid` serializer.
+
+    In those case, when upgrading to use `secret_key_base`, this would cause a
+    `TypeError: incompatible marshal file format` and a 500 error for the user.
+
+    Fixes #14774.
+
+    *Godfrey Chan*
 
 *   Make URL escaping more consistent:
 
@@ -248,41 +271,40 @@
 
     *Andrew White*, *Edho Arief*
 
-*   Returns a null type format when the format is not known and the controller is using an
-    `any` format block.
+*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
+    `ActionDispatch::Http::UploadedFile#tempfile`.
 
-    Fixes #14462.
+    *Tim Linquist*
 
-    *Rafael Mendonça França*
-
-*   Only make deeply nested routes shallow when the parent is shallow.
+*   Returns null type format when format is not know and controller is using `any`
+    format block.
 
-    Fixes #14684.
-
-    *Andrew White*, *James Coglan*
+    Fixes #14462.
 
+    *Rafael Mendonça França*
 
-## Rails 4.1.1 (May 6, 2014) ##
+*   Improve routing error page with fuzzy matching search.
 
-*   Only accept actions without `File::SEPARATOR` in the name.
+    *Winston*
 
-    This will avoid directory traversal in implicit render.
+*   Only make deeply nested routes shallow when parent is shallow.
 
-    Fixes: CVE-2014-0130
+    Fixes #14684.
 
-    *Rafael Mendonça França*
+    *Andrew White*, *James Coglan*
 
+*   Append link to bad code to backtrace when exception is `SyntaxError`.
 
-## Rails 4.1.0 (April 8, 2014) ##
+    *Boris Kuznetsov*
 
-*   Swap the parameters of assert_equal in `assert_select` so that the
-    proper values are printed correctly
+*   Swapped the parameters of assert_equal in `assert_select` so that the
+    proper values were printed correctly.
 
     Fixes #14422.
 
     *Vishal Lal*
 
-*   The method `shallow?` returns false if the parent resource is a singleton, so
+*   The method `shallow?` returns false if the parent resource is a singleton so
     we need to check if we're not inside a nested scope before copying the :path
     and :as options to their shallow equivalents.
 
@@ -290,564 +312,15 @@
 
     *Andrew White*
 
+*   Make logging of CSRF failures optional (but on by default) with the
+    `log_warning_on_csrf_failure` configuration setting in
+    `ActionController::RequestForgeryProtection`.
 
-## Rails 4.1.0 (April 8, 2014) ##
+    *John Barton*
 
 *   Fix URL generation in controller tests with request-dependent
     `default_url_options` methods.
 
     *Tony Wooster*
 
-*   Introduce `render :html` as an option to render HTML content with a content
-    type of `text/html`. This rendering option calls `ERB::Util.html_escape`
-    internally to escape unsafe HTML strings, so you will need to mark a
-    string as `html_safe` if it contains any HTML tag.
-
-    See #14062, #12374.
-
-    *Prem Sichanugrist*
-
-*   Introduce `render :plain` as an option to render content with a content type
-    of `text/plain`. This is the preferred option if you are planning to render
-    a plain text content.
-
-    See #14062, #12374.
-
-    *Prem Sichanugrist*
-
-*   Introduce `render :body` as an option for sending a raw content back to
-    browser. Note that this rendering option does not include "Content-Type"
-    header back in the response.
-
-    You should only use this option if you don't care about the content type
-    of the response. More information on "Content-Type" header can be found
-    on RFC 2616, section 7.2.1.
-
-    See #14062, #12374.
-
-    *Prem Sichanugrist*
-
-*   Set stream status to 500 (or 400 on BadRequest) when an error is thrown
-    before committing.
-
-    Fixes #12552.
-
-    *Kevin Casey*
-
-*   Add a new config option `config.action_dispatch.cookies_serializer` for
-    specifying a serializer for the signed and encrypted cookie jars.
-
-    The possible values are:
-
-    * `:json` - serialize cookie values with `JSON`
-    * `:marshal` - serialize cookie values with `Marshal`
-    * `:hybrid` - transparently migrate existing `Marshal` cookie values to `JSON`
-
-    For new apps the `:json` option is added by default and `:marshal` is used
-    when no option is specified to maintain backwards compatibility.
-
-    *Łukasz Sarnacki*, *Matt Aimonetti*, *Guillermo Iguaran*, *Godfrey Chan*, *Rafael Mendonça França*
-
-*   `FlashHash` now behaves like a `HashWithIndifferentAccess`.
-
-    *Guillermo Iguaran*
-
-*   Set the `:shallow_path` scope option as each scope is generated rather than
-    waiting until the `shallow` option is set. Also make the behavior of the
-    `:shallow` resource option consistent with the behavior of the `shallow` method.
-
-    Fixes #12498.
-
-    *Andrew White*, *Aleksi Aalto*
-
-*   Properly require `action_view` in `AbstractController::Rendering` to prevent
-    an uninitialized constant error for `ENCODING_FLAG`.
-
-    *Philipe Fatio*
-
-*   Do not discard query parameters that form a hash with the same root key as
-    the `wrapper_key` for a request using `wrap_parameters`.
-
-    *Josh Jordan*
-
-*   Ensure that `request.filtered_parameters` is reset between calls to `process`
-    in `ActionController::TestCase`.
-
-    Fixes #13803.
-
-    *Andrew White*
-
-*   Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
-
-    Fixes #13810.
-
-    *Maurizio De Santis*
-
-*   Log which keys were affected by deep munge.
-
-    Deep munge solves the CVE-2013-0155 security vulnerability, but its
-    behaviour is confusing. With this commit, the information about which
-    key values were set to nil is now visible in logs.
-
-    *Łukasz Sarnacki*
-
-*   Automatically convert dashes to underscores for shorthand routes, e.g:
-
-        get '/our-work/latest'
-
-    When running `rake routes` you will get the following output:
-
-                 Prefix Verb URI Pattern                Controller#Action
-        our_work_latest GET  /our-work/latest(.:format) our_work#latest
-
-    *Mikko Johansson*
-
-*   Automatically convert dashes to underscores for url helpers, e.g:
-
-        get '/contact-us' => 'pages#contact'
-        get '/about-us'   => 'pages#about_us'
-
-    When running `rake routes` you will get the following output:
-
-            Prefix Verb URI Pattern           Controller#Action
-        contact_us GET  /contact-us(.:format) pages#contact
-          about_us GET  /about-us(.:format)   pages#about_us
-
-    *Amr Tamimi*
-
-*   Fix stream closing when sending file with `ActionController::Live` included.
-
-    Fixes #12381.
-
-    *Alessandro Diaferia*
-
-*   Allow an absolute controller path inside a module scope. Fixes #12777.
-
-    Example:
-
-        namespace :foo do
-          # will route to BarController without the namespace.
-          get '/special', to: '/bar#index'
-        end
-
-
-*   Unique the segment keys array for non-optimized url helpers
-
-    In Rails 3.2 you only needed to pass an argument for a dynamic segment
-    once so unique the segment keys array to match the number of args. Since
-    the number of args is less than the required parts, the non-optimized code
-    path is selected. To benefit from optimized url generation, the arg needs
-    to be specified as many times as it appears in the path.
-
-    Fixes #12808.
-
-    *Andrew White*
-
-*   Show full route constraints in error message.
-
-    When an optimized helper fails to generate, show the full route constraints
-    in the error message. Previously it would only show the contraints that were
-    required as part of the path.
-
-    Fixes #13592.
-
-    *Andrew White*
-
-*   Use a custom route visitor for optimized url generation. Fixes #13349.
-
-    *Andrew White*
-
-*   Allow engine root relative redirects using an empty string.
-
-    Example:
-
-        # application routes.rb
-        mount BlogEngine => '/blog'
-
-        # engine routes.rb
-        get '/welcome' => redirect('')
-
-    This now redirects to the path `/blog`, whereas before it would redirect
-    to the application root path. In the case of a path redirect or a custom
-    redirect, if the path returned contains a host then the path is treated as
-    absolute. Similarly for option redirects, if the options hash returned
-    contains a `:host` or `:domain` key then the path is treated as absolute.
-
-    Fixes #7977.
-
-    *Andrew White*
-
-*   Fix `Encoding::CompatibilityError` when public path is UTF-8
-
-    In #5337 we forced the path encoding to ASCII-8BIT to prevent static file
-    handling from blowing up before an application has had a chance to deal
-    with possibly invalid urls. However this has a negative side effect of
-    making it an incompatible encoding if the application's public path has
-    UTF-8 characters in it.
-
-    To work around the problem we check to see if the path has a valid encoding once
-    it has been unescaped. If it is not valid then we can return early since it will
-    not match any file anyway.
-
-    Fixes #13518.
-
-    *Andrew White*
-
-*   `ActionController::Parameters#permit!` permits hashes in array values.
-
-    *Xavier Noria*
-
-*   Converts hashes in arrays of unfiltered params to unpermitted params.
-
-    Fixes #13382.
-
-    *Xavier Noria*
-
-*   New config option to opt out of params "deep munging" that was used to
-    address the security vulnerability CVE-2013-0155. In your app config:
-
-        config.action_dispatch.perform_deep_munge = false
-
-    Take care to understand the security risk involved before disabling this.
-    [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
-
-    *Bernard Potocki*
-
-*   `rake routes` shows routes defined under assets prefix.
-
-    *Ryunosuke SATO*
-
-*   Extend cross-site request forgery (CSRF) protection to GET requests with
-    JavaScript responses, protecting apps from cross-origin `<script>` tags.
-
-    *Jeremy Kemper*
-
-*   Fix generating a path for an engine inside a resources block.
-
-    Fixes #8533.
-
-    *Piotr Sarnacki*
-
-*   Add `Mime::Type.register "text/vcard", :vcf` to the default list of mime types.
-
-    *DHH*
-
-*   Remove deprecated `ActionController::RecordIdentifier`, use
-    `ActionView::RecordIdentifier` instead.
-
-    *kennyj*
-
-*   Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
-    `options[:raise]`.
-
-    This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
-
-    *Shota Fukumori (sora_h)*
-
-*   Introducing Variants
-
-    We often want to render different html/json/xml templates for phones,
-    tablets, and desktop browsers. Variants make it easy.
-
-    The request variant is a specialization of the request format, like `:tablet`,
-    `:phone`, or `:desktop`.
-
-    You can set the variant in a `before_action`:
-
-        request.variant = :tablet if request.user_agent =~ /iPad/
-
-    Respond to variants in the action just like you respond to formats:
-
-        respond_to do |format|
-          format.html do |html|
-            html.tablet # renders app/views/projects/show.html+tablet.erb
-            html.phone { extra_setup; render ... }
-          end
-        end
-
-    Provide separate templates for each format and variant:
-
-        app/views/projects/show.html.erb
-        app/views/projects/show.html+tablet.erb
-        app/views/projects/show.html+phone.erb
-
-    You can also simplify the variants definition using the inline syntax:
-
-        respond_to do |format|
-          format.js         { render "trash" }
-          format.html.phone { redirect_to progress_path }
-          format.html.none  { render "trash" }
-        end
-
-    Variants also support the common `any`/`all` block that formats have.
-
-    It works for both inline:
-
-        respond_to do |format|
-          format.html.any   { render text: "any"   }
-          format.html.phone { render text: "phone" }
-        end
-
-    and block syntax:
-
-        respond_to do |format|
-          format.html do |variant|
-            variant.any(:tablet, :phablet){ render text: "any" }
-            variant.phone { render text: "phone" }
-          end
-        end
-
-    *Łukasz Strzałkowski*
-
-*   Fix rendering localized templates without an explicit format using wrong
-    content header and not passing correct formats to template due to the
-    introduction of the `NullType` for mimes.
-
-    Templates like `hello.it.erb` were subject to this issue.
-
-    Fixes #13064.
-
-    *Angelo Capilleri*, *Carlos Antonio da Silva*
-
-*   Try to escape each part of a url correctly when using a redirect route.
-
-    Fixes #13110.
-
-    *Andrew White*
-
-*   Better error message for typos in assert_response arguments.
-
-    When the response type argument to `assert_response` is not a known
-    response type, `assert_response` now throws an ArgumentError with a clear
-    message. This is intended to help debug typos in the response type.
-
-    *Victor Costan*
-
-*   Fix formatting for `rake routes` when a section is shorter than a header.
-
-    *Sıtkı Bağdat*
-
-*   Accept an options hash inside the array in `#url_for`.
-
-    Example:
-
-        url_for [:new, :admin, :post, { param: 'value' }]
-        # => http://example.com/admin/posts/new?param=value
-
-    *Andrey Ognevsky*
-
-*   Add `session#fetch` method
-
-    fetch behaves like [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch).
-    It returns a value from the hash for the given key.
-    If the key can’t be found, there are several options:
-
-      * With no other arguments, it will raise a KeyError exception.
-      * If a default value is given, then it will be returned.
-      * If the optional code block is specified, then it will be run and its result returned.
-
-    *Damien Mathieu*
-
-*   Don't let strong parameters mutate the given hash via `fetch`
-
-    Create a new instance if the given parameter is a `Hash` instead of
-    passing it to the `convert_hashes_to_parameters` method since it is
-    overriding its default value.
-
-    *Brendon Murphy*, *Doug Cole*
-
-*   Add a `params` option to the `button_to` form helper which renders
-    the given hash as hidden form fields.
-
-    *Andy Waite*
-
-*   Enable assets helpers to work in the controllers like they do in the views.
-
-    Example:
-
-        # config/application.rb
-        config.asset_host = 'http://mycdn.com'
-
-        ActionController::Base.helpers.asset_path('fallback.png')
-        # => http://mycdn.com/assets/fallback.png
-
-    Fixes #10051.
-
-    *Tima Maslyuchenko*
-
-*   Respect `SCRIPT_NAME` when using `redirect` with a relative path
-
-    Example:
-
-        # application routes.rb
-        mount BlogEngine => '/blog'
-
-        # engine routes.rb
-        get '/admin' => redirect('admin/dashboard')
-
-    This now redirects to the path `/blog/admin/dashboard`, whereas before it would
-    have generated an invalid url because there would be no slash between the host name
-    and the path. It also allows redirects to work when the application is deployed
-    to a subdirectory of a website.
-
-    Fixes #7977.
-
-    *Andrew White*
-
-*   Fixing `repond_with` working directly on the options hash
-    This fixes an issue where the `respond_with` worked directly with the given
-    options hash, so that if a user relied on it after calling `respond_with`,
-    the hash wouldn't be the same.
-
-    Fixes #12029.
-
-    *bluehotdog*
-
-*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
-    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
-
-    Fixes #10844.
-
-    *Tamir Duberstein*
-
-*   Strong parameters should permit a nested number to be a key.
-
-    Fixes #12293.
-
-    *kennyj*
-
-*   Fix the regex used to detect URI schemes in `redirect_to`, to be consistent
-    with RFC 3986.
-
-    *Derek Prior*
-
-*   Fix incorrect `assert_redirected_to` failure message for protocol-relative
-    URLs.
-
-    *Derek Prior*
-
-*   Fix an issue where the router could not recognize a downcased url encoding path.
-
-    Fixes #12269.
-
-    *kennyj*
-
-*   Fix custom flash type definition. Misuse of the `_flash_types` class variable
-    caused an error when reloading controllers with custom flash types.
-
-    Fixes #12057.
-
-    *Ricardo de Cillo*
-
-*   Do not break params filtering on `nil` values.
-
-    Fixes #12149.
-
-    *Vasiliy Ermolovich*
-
-*   Development mode exceptions are rendered in text format in case of
-    an XHR request.
-
-    *Kir Shatrov*
-
-*   Fix an issue where :if and :unless controller action procs were being run
-    before checking for the correct action in the :only and :unless options.
-
-    Fixes #11799.
-
-    *Nicholas Jakobsen*
-
-*   Fix an issue where `assert_dom_equal` and `assert_dom_not_equal` were
-    ignoring the passed failure message argument.
-
-    Fixes #11751.
-
-    *Ryan McGeary*
-
-*   Allow REMOTE_ADDR, HTTP_HOST and HTTP_USER_AGENT to be overridden from
-    the environment passed into `ActionDispatch::TestRequest.new`.
-
-    Fixes #11590.
-
-    *Andrew White*
-
-*   Fix an issue where Journey was failing to clear the named routes hash when the
-    routes were reloaded and since it doesn't overwrite existing routes then if a
-    route changed but wasn't renamed it kept the old definition. This was being
-    masked by the optimised url helpers so it only became apparent when passing an
-    options hash to the url helper.
-
-    *Andrew White*
-
-*   Skip routes pointing to a redirect or mounted application when generating urls
-    using an options hash as they aren't relevant and generate incorrect urls.
-
-    Fixes #8018.
-
-    *Andrew White*
-
-*   Move `MissingHelperError` out of the `ClassMethods` module.
-
-    *Yves Senn*
-
-*   Fix an issue where Rails raised an exception about a missing helper when
-    it should have thrown a `LoadError` instead. When the helper file exists
-    and only the loaded file from the helper does not exist, Rails should now
-    throw a `LoadError` instead of a `MissingHelperError`.
-
-    *Piotr Niełacny*
-
-*   Fix `ActionDispatch::ParamsParser#parse_formatted_parameters` to rewind
-    body input stream on parsing json params.
-
-    Fixes #11345.
-
-    *Yuri Bol*, *Paul Nikitochkin*
-
-*   Ignore spaces around delimiters in the Set-Cookie header.
-
-    *Yamagishi Kazutoshi*
-
-*   Remove deprecated Rails application fallback for integration testing.
-    Set `ActionDispatch.test_app` instead.
-
-    *Carlos Antonio da Silva*
-
-*   Remove deprecated `page_cache_extension` config.
-
-    *Francesco Rodriguez*
-
-*   Remove deprecated constants from Action Controller:
-
-        ActionController::AbstractRequest  => ActionDispatch::Request
-        ActionController::Request          => ActionDispatch::Request
-        ActionController::AbstractResponse => ActionDispatch::Response
-        ActionController::Response         => ActionDispatch::Response
-        ActionController::Routing          => ActionDispatch::Routing
-        ActionController::Integration      => ActionDispatch::Integration
-        ActionController::IntegrationTest  => ActionDispatch::IntegrationTest
-
-    *Carlos Antonio da Silva*
-
-*   Fix `Mime::Type.parse` when a bad accepts header is looked up.
-    Previously, it was setting `request.formats` with an array containing a
-    `nil` value, which raised an error when setting the controller formats.
-
-    Fixes #10965.
-
-    *Becker*
-
-*   Merge `:action` from routing scope and assign endpoint if both `:controller`
-    and `:action` are present. The endpoint assignment only occurs if there is
-    no `:to` present in the options hash, so should only affect routes using the
-    shorthand syntax (i.e. endpoint is inferred from the path).
-
-    Fixes #9856.
-
-    *Yves Senn*, *Andrew White*
-
-*   Action View extracted from Action Pack.
-
-    *Piotr Sarnacki*, *Łukasz Strzałkowski*
-
-Please check [4-0-stable](https://github.com/rails/rails/blob/4-0-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.