actionpack 4.1.7 → 4.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fd553597f482cd30ac29dec61f759fbfc0dc1005
-  data.tar.gz: 1a22032cc1c4b44051182dff1fba4762885f83f0
+  metadata.gz: 8ef0e423a29cfd8eebd990a4b4a321fdb340b395
+  data.tar.gz: e5337332c73cacc288bd03eddbb9680609a40978
 SHA512:
-  metadata.gz: cf3fba7f2188f04480178dfc0e9e1a6265da868dfd7f11d35ec0b024155c9ce4f8bdccda3dfae58b96de23f3ff7de118ecda483b37301814c9711e268cf9dde8
-  data.tar.gz: 6deca2a2a3f989a1b2e385a09ba2d616e0e0d43e2cf9b1cb3d4ee91dfccc426b1a08b696f9e285ab489cca6d7d752e5a8cda15b39612ab86b88847b7b6eb7ac5
+  metadata.gz: 03137cd7e8c5220e0b2bc852e1e61cc90fbd0ba9a6ae181dcc04f3510f7e94e16819a4c0f9aa4b15975be413816fd189412f69c7accc74a87634346204299bd2
+  data.tar.gz: 89cb8daa44d1a361d123aa41594c61d0c4c0b89bf3bca750bc8c5854db90cf37dfc52575de22d9d140f9bded1f9fc28ed2d83306f44f0b297521253f39b83d20

data/CHANGELOG.md

@@ -1,722 +1,506 @@
-## Rails 4.1.6 (September 11, 2014) ##
-
-*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
-    ("Rosetta Flash")
-
-    *Greg Campbell*
-
-*   Because URI paths may contain non US-ASCII characters we need to force
-    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
-    This essentially replicates the functionality of the monkey patch to
-    URI.parser.unescape in active_support/core_ext/uri.rb.
-
-    Fixes #16104.
-
-    *Karl Entwistle*
-
-*   Generate shallow paths for all children of shallow resources.
-
-    Fixes #15783.
-
-    *Seb Jacobs*
-
-*   JSONP responses are now rendered with the `text/javascript` content type
-    when rendering through a `respond_to` block.
-
-    Fixes #15081.
-
-    *Lucas Mazza*
-
-*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
-
-    Fixes #15511.
-
-    *Larry Lv*
-
-*   ActionController::Parameters#require now accepts `false` values.
-
-    Fixes #15685.
-
-    *Sergio Romano*
-
-*   With authorization header `Authorization: Token token=`, `authenticate` now
-    recognize token as nil, instead of "token".
-
-    Fixes #14846.
-
-    *Larry Lv*
-
-
-## Rails 4.1.4 (July 2, 2014) ##
-
-*   No changes.
+## Rails 4.2.1 (March 19, 2014) ##
 
+*   Non-string authenticity tokens do not raise NoMethodError when decoding
+    the masked token.
 
-## Rails 4.1.3 (July 2, 2014) ##
+    *Ville Lautanala*
 
-*   No changes.
-
-
-## Rails 4.1.2 (June 26, 2014) ##
-
-*   Fix URL generation with `:trailing_slash` such that it does not add
-    a trailing slash after `.:format`
-
-    *Dan Langevin*
-
-*   Fix an issue with migrating legacy json cookies.
-
-    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumed all incoming
-    cookies were marshal-encoded. This was not the case when `secret_token` was
-    used in conjunction with the `:json` or `:hybrid` serializer.
-
-    In those cases, when upgrading to use `secret_key_base`, this would cause a
-    `TypeError: incompatible marshal file format` and a 500 error for the user.
-
-    Fixes #14774.
-
-    *Godfrey Chan*
+*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
 
-*   `http_basic_authenticate_with` only checks the authentication if the schema is
-    `Basic`.
+    Fixes an issue where a mounted rack app at root would intercept the HEAD
+    request causing an incorrect behavior during the fall back to GET requests.
 
-    Fixes #10257.
-
-    *tomykaira*
-
-*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
-    called 'status' in a controller.
-
-    Fixes #13905.
-
-    *Christiaan Van den Poel*
-
-*   Always use the provided port if the protocol is relative.
-
-    Fixes #15043.
-
-    *Guilherme Cavalcanti*, *Andrew White*
-
-*   Append a link in the backtrace to the bad code when a `SyntaxError` exception occurs.
-
-    *Boris Kuznetsov*
-
-*   Make URL escaping more consistent:
-
-    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
-    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
-    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
-    4. Use `escape_segment` rather than `escape_path` in URL generation
-
-    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
-    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
-    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
-    is used in the path then this uses `escape_path` as the controller may be namespaced.
-
-    Fixes #14629, #14636 and #14070.
-
-    *Andrew White*, *Edho Arief*
+    Example:
+    ```ruby
+    draw do
+        get '/home' => 'test#index'
+        mount rack_app, at: '/'
+    end
+    head '/home'
+    assert_response :success
+    ```
+    In this case, a HEAD request runs through the routes the first time and fails
+    to match anything. Then, it runs through the list with the fallback and matches
+    `get '/home'`. The original behavior would match the rack app in the first pass.
 
-*   Returns a null type format when the format is not known and the controller is using an
-    `any` format block.
+    *Terence Sun*
 
-    Fixes #14462.
+*   Preserve default format when generating URLs
 
-    *Rafael Mendonça França*
+    Fixes an issue that would cause the format set in default_url_options to be
+    lost when generating URLs with fewer positional arguments than parameters in
+    the route definition.
 
-*   Only make deeply nested routes shallow when the parent is shallow.
+    Backport of #18627
 
-    Fixes #14684.
+    *Tekin Suleyman*, *Dominic Baggott*
 
-    *Andrew White*, *James Coglan*
+*   Default headers, removed in controller actions, are no longer reapplied on
+    the test response.
 
+    *Jonas Baumann*
 
-## Rails 4.1.1 (May 6, 2014) ##
+*   Ensure `append_info_to_payload` is called even if an exception is raised.
 
-*   Only accept actions without `File::SEPARATOR` in the name.
+    Fixes an issue where when an exception is raised in the request the additonal
+    payload data is not available.
 
-    This will avoid directory traversal in implicit render.
+    See:
+    * #14903
+    * https://github.com/roidrage/lograge/issues/37
 
-    Fixes: CVE-2014-0130
+    *Dieter Komendera*, *Margus Pärt*
 
-    *Rafael Mendonça França*
+*   Correctly rely on the response's status code to handle calls to `head`.
 
+    *Robin Dupret*
 
-## Rails 4.1.0 (April 8, 2014) ##
+*   Using `head` method returns empty response_body instead
+    of returning a single space " ".
 
-*   Swap the parameters of assert_equal in `assert_select` so that the
-    proper values are printed correctly
+    The old behavior was added as a workaround for a bug in an early
+    version of Safari, where the HTTP headers are not returned correctly
+    if the response body has a 0-length. This is been fixed since and
+    the workaround is no longer necessary.
 
-    Fixes #14422.
+    Fixes #18253.
 
-    *Vishal Lal*
+    *Prathamesh Sonpatki*
 
-*   The method `shallow?` returns false if the parent resource is a singleton, so
-    we need to check if we're not inside a nested scope before copying the :path
-    and :as options to their shallow equivalents.
+*   Fix how polymorphic routes works with objects that implement `to_model`.
 
-    Fixes #14388.
+    *Travis Grathwell*
 
-    *Andrew White*
+*   Fixed handling of positional url helper arguments when `format: false`.
 
+    Fixes #17819.
 
-## Rails 4.1.0 (April 8, 2014) ##
+    *Andrew White*, *Tatiana Soukiassian*
 
-*   Fix URL generation in controller tests with request-dependent
-    `default_url_options` methods.
+*   Fixed usage of optional scopes in URL helpers.
 
-    *Tony Wooster*
+    *Alex Robbin*
 
-*   Introduce `render :html` as an option to render HTML content with a content
-    type of `text/html`. This rendering option calls `ERB::Util.html_escape`
-    internally to escape unsafe HTML strings, so you will need to mark a
-    string as `html_safe` if it contains any HTML tag.
 
-    See #14062, #12374.
+## Rails 4.2.0 (December 20, 2014) ##
 
-    *Prem Sichanugrist*
-
-*   Introduce `render :plain` as an option to render content with a content type
-    of `text/plain`. This is the preferred option if you are planning to render
-    a plain text content.
-
-    See #14062, #12374.
-
-    *Prem Sichanugrist*
-
-*   Introduce `render :body` as an option for sending a raw content back to
-    browser. Note that this rendering option does not include "Content-Type"
-    header back in the response.
-
-    You should only use this option if you don't care about the content type
-    of the response. More information on "Content-Type" header can be found
-    on RFC 2616, section 7.2.1.
-
-    See #14062, #12374.
+*   Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
+    `Hash` representation of Parameters object. This is now a preferred way to
+    retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
+    object in Rails 5.0.
 
     *Prem Sichanugrist*
 
-*   Set stream status to 500 (or 400 on BadRequest) when an error is thrown
-    before committing.
-
-    Fixes #12552.
-
-    *Kevin Casey*
-
-*   Add a new config option `config.action_dispatch.cookies_serializer` for
-    specifying a serializer for the signed and encrypted cookie jars.
-
-    The possible values are:
-
-    * `:json` - serialize cookie values with `JSON`
-    * `:marshal` - serialize cookie values with `Marshal`
-    * `:hybrid` - transparently migrate existing `Marshal` cookie values to `JSON`
-
-    For new apps the `:json` option is added by default and `:marshal` is used
-    when no option is specified to maintain backwards compatibility.
-
-    *Łukasz Sarnacki*, *Matt Aimonetti*, *Guillermo Iguaran*, *Godfrey Chan*, *Rafael Mendonça França*
+*   Restore handling of a bare `Authorization` header, without `token=`
+    prefix.
 
-*   `FlashHash` now behaves like a `HashWithIndifferentAccess`.
+    Fixes #17108.
 
-    *Guillermo Iguaran*
+    *Guo Xiang Tan*
 
-*   Set the `:shallow_path` scope option as each scope is generated rather than
-    waiting until the `shallow` option is set. Also make the behavior of the
-    `:shallow` resource option consistent with the behavior of the `shallow` method.
+*   Deprecate use of string keys in URL helpers.
 
-    Fixes #12498.
+    Use symbols instead.
+    Fixes #16958.
 
-    *Andrew White*, *Aleksi Aalto*
+    *Byron Bischoff*, *Melanie Gilman*
 
-*   Properly require `action_view` in `AbstractController::Rendering` to prevent
-    an uninitialized constant error for `ENCODING_FLAG`.
+*   Deprecate the `only_path` option on `*_path` helpers.
 
-    *Philipe Fatio*
+    In cases where this option is set to `true`, the option is redundant and can
+    be safely removed; otherwise, the corresponding `*_url` helper should be
+    used instead.
 
-*   Do not discard query parameters that form a hash with the same root key as
-    the `wrapper_key` for a request using `wrap_parameters`.
+    Fixes #17294.
 
-    *Josh Jordan*
+    *Dan Olson*, *Godfrey Chan*
 
-*   Ensure that `request.filtered_parameters` is reset between calls to `process`
-    in `ActionController::TestCase`.
+*   Improve Journey compliance to RFC 3986.
 
-    Fixes #13803.
+    The scanner in Journey failed to recognize routes that use literals
+    from the sub-delims section of RFC 3986. It's now able to parse those
+    authorized delimiters and route as expected.
 
-    *Andrew White*
-
-*   Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
-
-    Fixes #13810.
-
-    *Maurizio De Santis*
-
-*   Log which keys were affected by deep munge.
-
-    Deep munge solves the CVE-2013-0155 security vulnerability, but its
-    behaviour is confusing. With this commit, the information about which
-    key values were set to nil is now visible in logs.
-
-    *Łukasz Sarnacki*
-
-*   Automatically convert dashes to underscores for shorthand routes, e.g:
+    Fixes #17212.
 
-        get '/our-work/latest'
+    *Nicolas Cavigneaux*
 
-    When running `rake routes` you will get the following output:
+*   Deprecate implicit Array conversion for Response objects. It was added
+    (using `#to_ary`) so we could conveniently use implicit splatting:
 
-                 Prefix Verb URI Pattern                Controller#Action
-        our_work_latest GET  /our-work/latest(.:format) our_work#latest
+        status, headers, body = response
 
-    *Mikko Johansson*
+    But it also means `response + response` works and `[response].flatten`
+    cascades down to the Rack body. Nonsense behavior. Instead, rely on
+    explicit conversion and splatting with `#to_a`:
 
-*   Automatically convert dashes to underscores for url helpers, e.g:
+        status, header, body = *response
 
-        get '/contact-us' => 'pages#contact'
-        get '/about-us'   => 'pages#about_us'
+    *Jeremy Kemper*
 
-    When running `rake routes` you will get the following output:
+*   Don't rescue `IPAddr::InvalidAddressError`.
 
-            Prefix Verb URI Pattern           Controller#Action
-        contact_us GET  /contact-us(.:format) pages#contact
-          about_us GET  /about-us(.:format)   pages#about_us
+    `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
+    and fails for JRuby in 1.9 mode.
 
-    *Amr Tamimi*
+    *Peter Suschlik*
 
-*   Fix stream closing when sending file with `ActionController::Live` included.
+*   Fix bug where the router would ignore any constraints added to redirect
+    routes.
 
-    Fixes #12381.
+    Fixes #16605.
 
-    *Alessandro Diaferia*
+    *Agis Anastasopoulos*
 
-*   Allow an absolute controller path inside a module scope. Fixes #12777.
+*   Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
 
     Example:
 
-        namespace :foo do
-          # will route to BarController without the namespace.
-          get '/special', to: '/bar#index'
-        end
-
-
-*   Unique the segment keys array for non-optimized url helpers
-
-    In Rails 3.2 you only needed to pass an argument for a dynamic segment
-    once so unique the segment keys array to match the number of args. Since
-    the number of args is less than the required parts, the non-optimized code
-    path is selected. To benefit from optimized url generation, the arg needs
-    to be specified as many times as it appears in the path.
-
-    Fixes #12808.
-
-    *Andrew White*
-
-*   Show full route constraints in error message.
+        # config/environments/production.rb
+        config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
 
-    When an optimized helper fails to generate, show the full route constraints
-    in the error message. Previously it would only show the contraints that were
-    required as part of the path.
+    *Sam Aarons*
 
-    Fixes #13592.
+*   Avoid duplicating routes for HEAD requests.
 
-    *Andrew White*
+    Instead of duplicating the routes, we will first match the HEAD request to
+    HEAD routes. If no match is found, we will then map the HEAD request to
+    GET routes.
 
-*   Use a custom route visitor for optimized url generation. Fixes #13349.
+    *Guo Xiang Tan*, *Andrew White*
 
-    *Andrew White*
+*   Requests that hit `ActionDispatch::Static` can now take advantage
+    of gzipped assets on disk. By default a gzip asset will be served if
+    the client supports gzip and a compressed file is on disk.
 
-*   Allow engine root relative redirects using an empty string.
+    *Richard Schneeman*
 
-    Example:
+*   `ActionController::Parameters` will stop inheriting from `Hash` and
+    `HashWithIndifferentAccess` in the next major release. If you use any method
+    that is not available on `ActionController::Parameters` you should consider
+    calling `#to_h` to convert it to a `Hash` first before calling that method.
 
-        # application routes.rb
-        mount BlogEngine => '/blog'
+    *Prem Sichanugrist*
 
-        # engine routes.rb
-        get '/welcome' => redirect('')
+*   `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
+    keys removed. This change is to reflect on a security concern where some
+    method performed on an `ActionController::Parameters` may yield a `Hash`
+    object which does not maintain `permitted?` status. If you would like to
+    get a `Hash` with all the keys intact, duplicate and mark it as permitted
+    before calling `#to_h`.
 
-    This now redirects to the path `/blog`, whereas before it would redirect
-    to the application root path. In the case of a path redirect or a custom
-    redirect, if the path returned contains a host then the path is treated as
-    absolute. Similarly for option redirects, if the options hash returned
-    contains a `:host` or `:domain` key then the path is treated as absolute.
+        params = ActionController::Parameters.new({
+          name: 'Senjougahara Hitagi',
+          oddity: 'Heavy stone crab'
+        })
+        params.to_h
+        # => {}
 
-    Fixes #7977.
+        unsafe_params = params.dup.permit!
+        unsafe_params.to_h
+        # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
 
-    *Andrew White*
+        safe_params = params.permit(:name)
+        safe_params.to_h
+        # => {"name"=>"Senjougahara Hitagi"}
 
-*   Fix `Encoding::CompatibilityError` when public path is UTF-8
+    This change is consider a stopgap as we cannot change the code to stop
+    `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
+    in the next minor release.
 
-    In #5337 we forced the path encoding to ASCII-8BIT to prevent static file
-    handling from blowing up before an application has had a chance to deal
-    with possibly invalid urls. However this has a negative side effect of
-    making it an incompatible encoding if the application's public path has
-    UTF-8 characters in it.
+    *Prem Sichanugrist*
 
-    To work around the problem we check to see if the path has a valid encoding once
-    it has been unescaped. If it is not valid then we can return early since it will
-    not match any file anyway.
+*   Deprecated `TagAssertions`.
 
-    Fixes #13518.
+    *Kasper Timm Hansen*
 
-    *Andrew White*
+*   Use the Active Support JSON encoder for cookie jars using the `:json` or
+    `:hybrid` serializer. This allows you to serialize custom Ruby objects into
+    cookies by defining the `#as_json` hook on such objects.
 
-*   `ActionController::Parameters#permit!` permits hashes in array values.
+    Fixes #16520.
 
-    *Xavier Noria*
+    *Godfrey Chan*
 
-*   Converts hashes in arrays of unfiltered params to unpermitted params.
+*   Add `config.action_dispatch.cookies_digest` option for setting custom
+    digest. The default remains the same - 'SHA1'.
 
-    Fixes #13382.
+    *Łukasz Strzałkowski*
 
-    *Xavier Noria*
+*   Move `respond_with` (and the class-level `respond_to`) to
+    the `responders` gem.
 
-*   New config option to opt out of params "deep munging" that was used to
-    address the security vulnerability CVE-2013-0155. In your app config:
+    *José Valim*
 
-        config.action_dispatch.perform_deep_munge = false
+*   When your templates change, browser caches bust automatically.
 
-    Take care to understand the security risk involved before disabling this.
-    [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
+    New default: the template digest is automatically included in your ETags.
+    When you call `fresh_when @post`, the digest for `posts/show.html.erb`
+    is mixed in so future changes to the HTML will blow HTTP caches for you.
+    This makes it easy to HTTP-cache many more of your actions.
 
-    *Bernard Potocki*
+    If you render a different template, you can now pass the `:template`
+    option to include its digest instead:
 
-*   `rake routes` shows routes defined under assets prefix.
+        fresh_when @post, template: 'widgets/show'
 
-    *Ryunosuke SATO*
+    Pass `template: false` to skip the lookup. To turn this off entirely, set:
 
-*   Extend cross-site request forgery (CSRF) protection to GET requests with
-    JavaScript responses, protecting apps from cross-origin `<script>` tags.
+        config.action_controller.etag_with_template_digest = false
 
     *Jeremy Kemper*
 
-*   Fix generating a path for an engine inside a resources block.
-
-    Fixes #8533.
-
-    *Piotr Sarnacki*
-
-*   Add `Mime::Type.register "text/vcard", :vcf` to the default list of mime types.
-
-    *DHH*
-
-*   Remove deprecated `ActionController::RecordIdentifier`, use
-    `ActionView::RecordIdentifier` instead.
-
-    *kennyj*
-
-*   Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
-    `options[:raise]`.
+*   Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
+    in favor of `AbstractController::Helpers::MissingHelperError`.
 
-    This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
-
-    *Shota Fukumori (sora_h)*
+    *Yves Senn*
 
-*   Introducing Variants
+*   Fix `assert_template` not being able to assert that no files were rendered.
 
-    We often want to render different html/json/xml templates for phones,
-    tablets, and desktop browsers. Variants make it easy.
+    *Guo Xiang Tan*
 
-    The request variant is a specialization of the request format, like `:tablet`,
-    `:phone`, or `:desktop`.
+*   Extract source code for the entire exception stack trace for
+    better debugging and diagnosis.
 
-    You can set the variant in a `before_action`:
+    *Ryan Dao*
 
-        request.variant = :tablet if request.user_agent =~ /iPad/
+*   Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
+    loopback address.
 
-    Respond to variants in the action just like you respond to formats:
+    *Earl St Sauver*, *Sven Riedel*
 
-        respond_to do |format|
-          format.html do |html|
-            html.tablet # renders app/views/projects/show.html+tablet.erb
-            html.phone { extra_setup; render ... }
-          end
-        end
+*   Preserve original path in `ShowExceptions` middleware by stashing it as
+    `env["action_dispatch.original_path"]`
 
-    Provide separate templates for each format and variant:
+    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
+    for the exception defined in `ExceptionWrapper`, so the path
+    the user was visiting when an exception occurred was not previously
+    available to any custom exceptions_app. The original `PATH_INFO` is now
+    stashed in `env["action_dispatch.original_path"]`.
 
-        app/views/projects/show.html.erb
-        app/views/projects/show.html+tablet.erb
-        app/views/projects/show.html+phone.erb
+    *Grey Baker*
 
-    You can also simplify the variants definition using the inline syntax:
+*   Use `String#bytesize` instead of `String#size` when checking for cookie
+    overflow.
 
-        respond_to do |format|
-          format.js         { render "trash" }
-          format.html.phone { redirect_to progress_path }
-          format.html.none  { render "trash" }
-        end
+    *Agis Anastasopoulos*
 
-    Variants also support the common `any`/`all` block that formats have.
+*   `render nothing: true` or rendering a `nil` body no longer add a single
+    space to the response body.
 
-    It works for both inline:
+    The old behavior was added as a workaround for a bug in an early version of
+    Safari, where the HTTP headers are not returned correctly if the response
+    body has a 0-length. This is been fixed since and the workaround is no
+    longer necessary.
 
-        respond_to do |format|
-          format.html.any   { render text: "any"   }
-          format.html.phone { render text: "phone" }
-        end
+    Use `render body: ' '` if the old behavior is desired.
 
-    and block syntax:
+    See #14883 for details.
 
-        respond_to do |format|
-          format.html do |variant|
-            variant.any(:tablet, :phablet){ render text: "any" }
-            variant.phone { render text: "phone" }
-          end
-        end
+    *Godfrey Chan*
 
-    *Łukasz Strzałkowski*
+*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
+    ("Rosetta Flash").
 
-*   Fix rendering localized templates without an explicit format using wrong
-    content header and not passing correct formats to template due to the
-    introduction of the `NullType` for mimes.
+    *Greg Campbell*
 
-    Templates like `hello.it.erb` were subject to this issue.
+*   Because URI paths may contain non US-ASCII characters we need to force
+    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
+    This essentially replicates the functionality of the monkey patch to
+    URI.parser.unescape in active_support/core_ext/uri.rb.
 
-    Fixes #13064.
+    Fixes #16104.
 
-    *Angelo Capilleri*, *Carlos Antonio da Silva*
+    *Karl Entwistle*
 
-*   Try to escape each part of a url correctly when using a redirect route.
+*   Generate shallow paths for all children of shallow resources.
 
-    Fixes #13110.
+    Fixes #15783.
 
-    *Andrew White*
+    *Seb Jacobs*
 
-*   Better error message for typos in assert_response arguments.
+*   JSONP responses are now rendered with the `text/javascript` content type
+    when rendering through a `respond_to` block.
 
-    When the response type argument to `assert_response` is not a known
-    response type, `assert_response` now throws an ArgumentError with a clear
-    message. This is intended to help debug typos in the response type.
+    Fixes #15081.
 
-    *Victor Costan*
+    *Lucas Mazza*
 
-*   Fix formatting for `rake routes` when a section is shorter than a header.
+*   Add `config.action_controller.always_permitted_parameters` to configure which
+    parameters are permitted globally. The default value of this configuration is
+    `['controller', 'action']`.
 
-    *Sıtkı Bağdat*
+    *Gary S. Weaver*, *Rafael Chacon*
 
-*   Accept an options hash inside the array in `#url_for`.
+*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
 
-    Example:
+    Fixes #15511.
 
-        url_for [:new, :admin, :post, { param: 'value' }]
-        # => http://example.com/admin/posts/new?param=value
+    *Larry Lv*
 
-    *Andrey Ognevsky*
+*   ActionController::Parameters#require now accepts `false` values.
 
-*   Add `session#fetch` method
+    Fixes #15685.
 
-    fetch behaves like [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch).
-    It returns a value from the hash for the given key.
-    If the key can’t be found, there are several options:
+    *Sergio Romano*
 
-      * With no other arguments, it will raise a KeyError exception.
-      * If a default value is given, then it will be returned.
-      * If the optional code block is specified, then it will be run and its result returned.
+*   With authorization header `Authorization: Token token=`, `authenticate` now
+    recognize token as nil, instead of "token".
 
-    *Damien Mathieu*
+    Fixes #14846.
 
-*   Don't let strong parameters mutate the given hash via `fetch`
+    *Larry Lv*
 
-    Create a new instance if the given parameter is a `Hash` instead of
-    passing it to the `convert_hashes_to_parameters` method since it is
-    overriding its default value.
+*   Ensure the controller is always notified as soon as the client disconnects
+    during live streaming, even when the controller is blocked on a write.
 
-    *Brendon Murphy*, *Doug Cole*
+    *Nicholas Jakobsen*, *Matthew Draper*
 
-*   Add a `params` option to the `button_to` form helper which renders
-    the given hash as hidden form fields.
+*   Routes specifying 'to:' must be a string that contains a "#" or a rack
+    application.  Use of a symbol should be replaced with `action: symbol`.
+    Use of a string without a "#" should be replaced with `controller: string`.
 
-    *Andy Waite*
+    *Aaron Patterson*
 
-*   Enable assets helpers to work in the controllers like they do in the views.
+*   Fix URL generation with `:trailing_slash` such that it does not add
+    a trailing slash after `.:format`
 
-    Example:
+    *Dan Langevin*
 
-        # config/application.rb
-        config.asset_host = 'http://mycdn.com'
+*   Build full URI as string when processing path in integration tests for
+    performance reasons. One consequence of this is that the leading slash
+    is now required in integration test `process` helpers, whereas previously
+    it could be omitted. The fact that this worked was a unintended consequence
+    of the implementation and was never an intentional feature.
 
-        ActionController::Base.helpers.asset_path('fallback.png')
-        # => http://mycdn.com/assets/fallback.png
+    *Guo Xiang Tan*
 
-    Fixes #10051.
+*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
+    called 'status' in a controller.
 
-    *Tima Maslyuchenko*
+    Fixes #13905.
 
-*   Respect `SCRIPT_NAME` when using `redirect` with a relative path
+    *Christiaan Van den Poel*
 
-    Example:
+*   Add MKCALENDAR HTTP method (RFC 4791).
 
-        # application routes.rb
-        mount BlogEngine => '/blog'
+    *Sergey Karpesh*
 
-        # engine routes.rb
-        get '/admin' => redirect('admin/dashboard')
+*   Instrument fragment cache metrics.
 
-    This now redirects to the path `/blog/admin/dashboard`, whereas before it would
-    have generated an invalid url because there would be no slash between the host name
-    and the path. It also allows redirects to work when the application is deployed
-    to a subdirectory of a website.
+    Adds `:controller`: and `:action` keys to the instrumentation payload
+    for the `*_fragment.action_controller` notifications. This allows tracking
+    e.g. the fragment cache hit rates for each controller action.
 
-    Fixes #7977.
+    *Daniel Schierbeck*
 
-    *Andrew White*
+*   Always use the provided port if the protocol is relative.
 
-*   Fixing `repond_with` working directly on the options hash
-    This fixes an issue where the `respond_with` worked directly with the given
-    options hash, so that if a user relied on it after calling `respond_with`,
-    the hash wouldn't be the same.
+    Fixes #15043.
 
-    Fixes #12029.
+    *Guilherme Cavalcanti*, *Andrew White*
 
-    *bluehotdog*
+*   Moved `params[request_forgery_protection_token]` into its own method
+    and improved tests.
 
-*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
-    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+    Fixes #11316.
 
-    Fixes #10844.
+    *Tom Kadwill*
 
-    *Tamir Duberstein*
+*   Added verification of route constraints given as a Proc or an object responding
+    to `:matches?`. Previously, when given an non-complying object, it would just
+    silently fail to enforce the constraint. It will now raise an `ArgumentError`
+    when setting up the routes.
 
-*   Strong parameters should permit a nested number to be a key.
+    *Xavier Defrang*
 
-    Fixes #12293.
+*   Properly treat the entire IPv6 User Local Address space as private for
+    purposes of remote IP detection. Also handle uppercase private IPv6
+    addresses.
 
-    *kennyj*
+    Fixes #12638.
 
-*   Fix the regex used to detect URI schemes in `redirect_to`, to be consistent
-    with RFC 3986.
+    *Caleb Spare*
 
-    *Derek Prior*
+*   Fixed an issue with migrating legacy json cookies.
 
-*   Fix incorrect `assert_redirected_to` failure message for protocol-relative
-    URLs.
+    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
+    cookies are marshal-encoded. This is not the case when `secret_token` is
+    used in conjunction with the `:json` or `:hybrid` serializer.
 
-    *Derek Prior*
+    In those case, when upgrading to use `secret_key_base`, this would cause a
+    `TypeError: incompatible marshal file format` and a 500 error for the user.
 
-*   Fix an issue where the router could not recognize a downcased url encoding path.
+    Fixes #14774.
 
-    Fixes #12269.
+    *Godfrey Chan*
 
-    *kennyj*
+*   Make URL escaping more consistent:
 
-*   Fix custom flash type definition. Misuse of the `_flash_types` class variable
-    caused an error when reloading controllers with custom flash types.
+    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
+    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
+    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
+    4. Use `escape_segment` rather than `escape_path` in URL generation
 
-    Fixes #12057.
+    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
+    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
+    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
+    is used in the path then this uses `escape_path` as the controller may be namespaced.
 
-    *Ricardo de Cillo*
+    Fixes #14629, #14636 and #14070.
 
-*   Do not break params filtering on `nil` values.
+    *Andrew White*, *Edho Arief*
 
-    Fixes #12149.
+*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
+    `ActionDispatch::Http::UploadedFile#tempfile`.
 
-    *Vasiliy Ermolovich*
+    *Tim Linquist*
 
-*   Development mode exceptions are rendered in text format in case of
-    an XHR request.
+*   Returns null type format when format is not know and controller is using `any`
+    format block.
 
-    *Kir Shatrov*
+    Fixes #14462.
 
-*   Fix an issue where :if and :unless controller action procs were being run
-    before checking for the correct action in the :only and :unless options.
+    *Rafael Mendonça França*
 
-    Fixes #11799.
+*   Improve routing error page with fuzzy matching search.
 
-    *Nicholas Jakobsen*
+    *Winston*
 
-*   Fix an issue where `assert_dom_equal` and `assert_dom_not_equal` were
-    ignoring the passed failure message argument.
+*   Only make deeply nested routes shallow when parent is shallow.
 
-    Fixes #11751.
+    Fixes #14684.
 
-    *Ryan McGeary*
+    *Andrew White*, *James Coglan*
 
-*   Allow REMOTE_ADDR, HTTP_HOST and HTTP_USER_AGENT to be overridden from
-    the environment passed into `ActionDispatch::TestRequest.new`.
+*   Append link to bad code to backtrace when exception is `SyntaxError`.
 
-    Fixes #11590.
+    *Boris Kuznetsov*
 
-    *Andrew White*
+*   Swapped the parameters of assert_equal in `assert_select` so that the
+    proper values were printed correctly.
 
-*   Fix an issue where Journey was failing to clear the named routes hash when the
-    routes were reloaded and since it doesn't overwrite existing routes then if a
-    route changed but wasn't renamed it kept the old definition. This was being
-    masked by the optimised url helpers so it only became apparent when passing an
-    options hash to the url helper.
+    Fixes #14422.
 
-    *Andrew White*
+    *Vishal Lal*
 
-*   Skip routes pointing to a redirect or mounted application when generating urls
-    using an options hash as they aren't relevant and generate incorrect urls.
+*   The method `shallow?` returns false if the parent resource is a singleton so
+    we need to check if we're not inside a nested scope before copying the :path
+    and :as options to their shallow equivalents.
 
-    Fixes #8018.
+    Fixes #14388.
 
     *Andrew White*
 
-*   Move `MissingHelperError` out of the `ClassMethods` module.
-
-    *Yves Senn*
-
-*   Fix an issue where Rails raised an exception about a missing helper when
-    it should have thrown a `LoadError` instead. When the helper file exists
-    and only the loaded file from the helper does not exist, Rails should now
-    throw a `LoadError` instead of a `MissingHelperError`.
-
-    *Piotr Niełacny*
-
-*   Fix `ActionDispatch::ParamsParser#parse_formatted_parameters` to rewind
-    body input stream on parsing json params.
-
-    Fixes #11345.
-
-    *Yuri Bol*, *Paul Nikitochkin*
-
-*   Ignore spaces around delimiters in the Set-Cookie header.
-
-    *Yamagishi Kazutoshi*
+*   Make logging of CSRF failures optional (but on by default) with the
+    `log_warning_on_csrf_failure` configuration setting in
+    `ActionController::RequestForgeryProtection`.
 
-*   Remove deprecated Rails application fallback for integration testing.
-    Set `ActionDispatch.test_app` instead.
+    *John Barton*
 
-    *Carlos Antonio da Silva*
-
-*   Remove deprecated `page_cache_extension` config.
-
-    *Francesco Rodriguez*
-
-*   Remove deprecated constants from Action Controller:
-
-        ActionController::AbstractRequest  => ActionDispatch::Request
-        ActionController::Request          => ActionDispatch::Request
-        ActionController::AbstractResponse => ActionDispatch::Response
-        ActionController::Response         => ActionDispatch::Response
-        ActionController::Routing          => ActionDispatch::Routing
-        ActionController::Integration      => ActionDispatch::Integration
-        ActionController::IntegrationTest  => ActionDispatch::IntegrationTest
-
-    *Carlos Antonio da Silva*
-
-*   Fix `Mime::Type.parse` when a bad accepts header is looked up.
-    Previously, it was setting `request.formats` with an array containing a
-    `nil` value, which raised an error when setting the controller formats.
-
-    Fixes #10965.
-
-    *Becker*
-
-*   Merge `:action` from routing scope and assign endpoint if both `:controller`
-    and `:action` are present. The endpoint assignment only occurs if there is
-    no `:to` present in the options hash, so should only affect routes using the
-    shorthand syntax (i.e. endpoint is inferred from the path).
-
-    Fixes #9856.
-
-    *Yves Senn*, *Andrew White*
-
-*   Action View extracted from Action Pack.
+*   Fix URL generation in controller tests with request-dependent
+    `default_url_options` methods.
 
-    *Piotr Sarnacki*, *Łukasz Strzałkowski*
+    *Tony Wooster*
 
-Please check [4-0-stable](https://github.com/rails/rails/blob/4-0-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.