actionpack 4.1.7 → 4.2.11

Potentially problematic release.


This version of actionpack might be problematic.

Files changed (112)
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +404 -451
  3. data/README.rdoc +7 -2
  4. data/lib/abstract_controller/base.rb +16 -6
  5. data/lib/abstract_controller/callbacks.rb +28 -51
  6. data/lib/abstract_controller/helpers.rb +11 -4
  7. data/lib/abstract_controller/railties/routes_helpers.rb +3 -3
  8. data/lib/abstract_controller/rendering.rb +7 -1
  9. data/lib/abstract_controller/url_for.rb +1 -1
  10. data/lib/action_controller/base.rb +3 -2
  11. data/lib/action_controller/caching/fragments.rb +7 -1
  12. data/lib/action_controller/caching.rb +1 -1
  13. data/lib/action_controller/log_subscriber.rb +26 -26
  14. data/lib/action_controller/metal/conditional_get.rb +37 -12
  15. data/lib/action_controller/metal/etag_with_template_digest.rb +50 -0
  16. data/lib/action_controller/metal/exceptions.rb +1 -1
  17. data/lib/action_controller/metal/force_ssl.rb +1 -1
  18. data/lib/action_controller/metal/head.rb +7 -3
  19. data/lib/action_controller/metal/http_authentication.rb +20 -10
  20. data/lib/action_controller/metal/instrumentation.rb +8 -5
  21. data/lib/action_controller/metal/live.rb +57 -6
  22. data/lib/action_controller/metal/mime_responds.rb +25 -246
  23. data/lib/action_controller/metal/params_wrapper.rb +5 -5
  24. data/lib/action_controller/metal/rack_delegation.rb +1 -1
  25. data/lib/action_controller/metal/redirecting.rb +14 -8
  26. data/lib/action_controller/metal/renderers.rb +29 -11
  27. data/lib/action_controller/metal/rendering.rb +2 -6
  28. data/lib/action_controller/metal/request_forgery_protection.rb +78 -7
  29. data/lib/action_controller/metal/streaming.rb +1 -1
  30. data/lib/action_controller/metal/strong_parameters.rb +129 -14
  31. data/lib/action_controller/metal/url_for.rb +11 -12
  32. data/lib/action_controller/metal.rb +12 -11
  33. data/lib/action_controller/model_naming.rb +1 -1
  34. data/lib/action_controller/railtie.rb +4 -0
  35. data/lib/action_controller/test_case.rb +119 -75
  36. data/lib/action_controller.rb +1 -1
  37. data/lib/action_dispatch/http/cache.rb +5 -4
  38. data/lib/action_dispatch/http/filter_parameters.rb +2 -2
  39. data/lib/action_dispatch/http/headers.rb +43 -9
  40. data/lib/action_dispatch/http/mime_negotiation.rb +10 -3
  41. data/lib/action_dispatch/http/mime_type.rb +18 -4
  42. data/lib/action_dispatch/http/parameter_filter.rb +1 -1
  43. data/lib/action_dispatch/http/parameters.rb +11 -26
  44. data/lib/action_dispatch/http/request.rb +37 -11
  45. data/lib/action_dispatch/http/response.rb +74 -23
  46. data/lib/action_dispatch/http/upload.rb +9 -8
  47. data/lib/action_dispatch/http/url.rb +89 -70
  48. data/lib/action_dispatch/journey/formatter.rb +34 -18
  49. data/lib/action_dispatch/journey/gtg/builder.rb +3 -3
  50. data/lib/action_dispatch/journey/gtg/simulator.rb +10 -7
  51. data/lib/action_dispatch/journey/gtg/transition_table.rb +20 -28
  52. data/lib/action_dispatch/journey/nfa/dot.rb +2 -2
  53. data/lib/action_dispatch/journey/nfa/simulator.rb +1 -1
  54. data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -5
  55. data/lib/action_dispatch/journey/nodes/node.rb +4 -0
  56. data/lib/action_dispatch/journey/parser.rb +52 -60
  57. data/lib/action_dispatch/journey/parser.y +11 -10
  58. data/lib/action_dispatch/journey/path/pattern.rb +16 -19
  59. data/lib/action_dispatch/journey/route.rb +4 -19
  60. data/lib/action_dispatch/journey/router/strexp.rb +9 -6
  61. data/lib/action_dispatch/journey/router/utils.rb +1 -1
  62. data/lib/action_dispatch/journey/router.rb +53 -77
  63. data/lib/action_dispatch/journey/routes.rb +4 -0
  64. data/lib/action_dispatch/journey/scanner.rb +5 -5
  65. data/lib/action_dispatch/journey/visitors.rb +81 -92
  66. data/lib/action_dispatch/journey/visualizer/fsm.css +0 -4
  67. data/lib/action_dispatch/journey/visualizer/index.html.erb +2 -2
  68. data/lib/action_dispatch/middleware/callbacks.rb +1 -1
  69. data/lib/action_dispatch/middleware/cookies.rb +34 -34
  70. data/lib/action_dispatch/middleware/debug_exceptions.rb +15 -4
  71. data/lib/action_dispatch/middleware/exception_wrapper.rb +50 -18
  72. data/lib/action_dispatch/middleware/flash.rb +13 -7
  73. data/lib/action_dispatch/middleware/params_parser.rb +1 -1
  74. data/lib/action_dispatch/middleware/public_exceptions.rb +12 -3
  75. data/lib/action_dispatch/middleware/remote_ip.rb +40 -54
  76. data/lib/action_dispatch/middleware/request_id.rb +1 -1
  77. data/lib/action_dispatch/middleware/session/cookie_store.rb +1 -1
  78. data/lib/action_dispatch/middleware/show_exceptions.rb +1 -0
  79. data/lib/action_dispatch/middleware/ssl.rb +1 -1
  80. data/lib/action_dispatch/middleware/static.rb +75 -39
  81. data/lib/action_dispatch/middleware/templates/rescues/_source.erb +21 -19
  82. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +37 -9
  83. data/lib/action_dispatch/middleware/templates/rescues/_trace.text.erb +2 -8
  84. data/lib/action_dispatch/middleware/templates/rescues/{diagnostics.erb → diagnostics.html.erb} +0 -0
  85. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +9 -0
  86. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +6 -0
  87. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +4 -0
  88. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +2 -0
  89. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +1 -24
  90. data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +0 -1
  91. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +120 -64
  92. data/lib/action_dispatch/railtie.rb +2 -0
  93. data/lib/action_dispatch/routing/endpoint.rb +10 -0
  94. data/lib/action_dispatch/routing/inspector.rb +5 -12
  95. data/lib/action_dispatch/routing/mapper.rb +414 -283
  96. data/lib/action_dispatch/routing/polymorphic_routes.rb +191 -79
  97. data/lib/action_dispatch/routing/redirection.rb +10 -12
  98. data/lib/action_dispatch/routing/route_set.rb +300 -173
  99. data/lib/action_dispatch/routing/routes_proxy.rb +5 -4
  100. data/lib/action_dispatch/routing/url_for.rb +17 -5
  101. data/lib/action_dispatch/testing/assertions/dom.rb +2 -26
  102. data/lib/action_dispatch/testing/assertions/response.rb +2 -7
  103. data/lib/action_dispatch/testing/assertions/routing.rb +22 -22
  104. data/lib/action_dispatch/testing/assertions/selector.rb +2 -429
  105. data/lib/action_dispatch/testing/assertions/tag.rb +2 -134
  106. data/lib/action_dispatch/testing/assertions.rb +11 -7
  107. data/lib/action_dispatch/testing/integration.rb +28 -20
  108. data/lib/action_dispatch/testing/test_request.rb +1 -1
  109. data/lib/action_dispatch/testing/test_response.rb +1 -5
  110. data/lib/action_pack/gem_version.rb +3 -3
  111. metadata +55 -13
  112. data/lib/action_controller/metal/responder.rb +0 -297
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: fd553597f482cd30ac29dec61f759fbfc0dc1005
4
- data.tar.gz: 1a22032cc1c4b44051182dff1fba4762885f83f0
2
+ SHA256:
3
+ metadata.gz: ca5363691f229882926e2b6259dcee770b51c6da696593f6eb424d9704091a0e
4
+ data.tar.gz: '08b1ad5323f59b77942413b43d9c4e89ca885a8f3ea28e50bfd38b1c59011a50'
5
5
  SHA512:
6
- metadata.gz: cf3fba7f2188f04480178dfc0e9e1a6265da868dfd7f11d35ec0b024155c9ce4f8bdccda3dfae58b96de23f3ff7de118ecda483b37301814c9711e268cf9dde8
7
- data.tar.gz: 6deca2a2a3f989a1b2e385a09ba2d616e0e0d43e2cf9b1cb3d4ee91dfccc426b1a08b696f9e285ab489cca6d7d752e5a8cda15b39612ab86b88847b7b6eb7ac5
6
+ metadata.gz: 63aad3941272837cbc8cab73503a445a64b795d2388f4f95b44e14db19a280ce65376c9bffcc7fe89a33e10c5ab0bbf9aa250ef70838cf5ae0bcd9e1a5a3b963
7
+ data.tar.gz: d320a9729a5636e9f2b06d433c48fd06fb4d632309745823f79b6e961561af013934de360a3b9afdeaa4e5fa8f6afdcd278add3ea13965ad09b8317dc49fcc6a
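Review bot: in the added SHA256 block the `data.tar.gz` digest is single-quoted while the `metadata.gz` digest above it is bare; both are YAML strings, so anything that checks these values should compare the parsed digests rather than the raw lines. Replacing the SHA1 entries with SHA256 while keeping SHA512 removes the weakest digest from the file, which is the direction to keep.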
data/CHANGELOG.md CHANGED
@@ -1,722 +1,675 @@
1
- ## Rails 4.1.6 (September 11, 2014) ##
1
+ ## Rails 4.2.11 (November 27, 2018) ##
2
2
 
3
- * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
4
- ("Rosetta Flash")
5
-
6
- *Greg Campbell*
7
-
8
- * Because URI paths may contain non US-ASCII characters we need to force
9
- the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
10
- This essentially replicates the functionality of the monkey patch to
11
- URI.parser.unescape in active_support/core_ext/uri.rb.
3
+ * No changes.
12
4
 
13
- Fixes #16104.
14
5
 
15
- *Karl Entwistle*
6
+ ## Rails 4.2.10 (September 27, 2017) ##
16
7
 
17
- * Generate shallow paths for all children of shallow resources.
8
+ * Fix regression in behavior of `normalize_path`.
18
9
 
19
- Fixes #15783.
10
+ In Rails 5 there was a change to ensure the encoding of the original string
11
+ in a path was maintained. This was incorrectly backported to Rails 4.2 which
12
+ caused a regression.
20
13
 
21
- *Seb Jacobs*
14
+ *Eileen M. Uchitelle*
22
15
 
23
- * JSONP responses are now rendered with the `text/javascript` content type
24
- when rendering through a `respond_to` block.
16
+ ## Rails 4.2.9 (June 26, 2017) ##
25
17
 
26
- Fixes #15081.
18
+ * Use more specific check for :format in route path
27
19
 
28
- *Lucas Mazza*
20
+ The current check for whether to add an optional format to the path is very lax
21
+ and will match things like `:format_id` where there are nested resources, e.g:
29
22
 
30
- * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
23
+ ``` ruby
24
+ resources :formats do
25
+ resources :items
26
+ end
27
+ ```
31
28
 
32
- Fixes #15511.
29
+ Fix this by using a more restrictive regex pattern that looks for the patterns
30
+ `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
31
+ allow for multiple closing parenthesis since the route may be of this form:
33
32
 
34
- *Larry Lv*
33
+ ``` ruby
34
+ get "/books(/:action(.:format))", controller: "books"
35
+ ```
35
36
 
36
- * ActionController::Parameters#require now accepts `false` values.
37
+ This probably isn't what's intended since it means that the default index action
38
+ route doesn't support a format but we have a test for it so we need to allow it.
37
39
 
38
- Fixes #15685.
40
+ Fixes #28517.
39
41
 
40
- *Sergio Romano*
42
+ *Andrew White*
41
43
 
42
- * With authorization header `Authorization: Token token=`, `authenticate` now
43
- recognize token as nil, instead of "token".
44
44
 
45
- Fixes #14846.
45
+ ## Rails 4.2.8 (February 21, 2017) ##
46
46
 
47
- *Larry Lv*
47
+ * No changes.
48
48
 
49
49
 
50
- ## Rails 4.1.4 (July 2, 2014) ##
50
+ ## Rails 4.2.7 (July 12, 2016) ##
51
51
 
52
52
  * No changes.
53
53
 
54
54
 
55
- ## Rails 4.1.3 (July 2, 2014) ##
55
+ ## Rails 4.2.6 (March 07, 2016) ##
56
56
 
57
57
  * No changes.
58
58
 
59
59
 
60
- ## Rails 4.1.2 (June 26, 2014) ##
60
+ ## Rails 4.2.5.2 (February 26, 2016) ##
61
61
 
62
- * Fix URL generation with `:trailing_slash` such that it does not add
63
- a trailing slash after `.:format`
62
+ * Do not allow render with unpermitted parameter.
64
63
 
65
- *Dan Langevin*
64
+ Fixes CVE-2016-2098.
66
65
 
67
- * Fix an issue with migrating legacy json cookies.
66
+ *Arthur Neves*
68
67
 
69
- Previously, the `VerifyAndUpgradeLegacySignedMessage` assumed all incoming
70
- cookies were marshal-encoded. This was not the case when `secret_token` was
71
- used in conjunction with the `:json` or `:hybrid` serializer.
72
68
 
73
- In those cases, when upgrading to use `secret_key_base`, this would cause a
74
- `TypeError: incompatible marshal file format` and a 500 error for the user.
69
+ ## Rails 4.2.5.1 (January 25, 2015) ##
75
70
 
76
- Fixes #14774.
77
-
78
- *Godfrey Chan*
79
-
80
- * `http_basic_authenticate_with` only checks the authentication if the schema is
81
- `Basic`.
71
+ * No changes.
82
72
 
83
- Fixes #10257.
84
73
 
85
- *tomykaira*
74
+ ## Rails 4.2.5 (November 12, 2015) ##
86
75
 
87
- * Fix `'Stack level too deep'` when rendering `head :ok` in an action method
88
- called 'status' in a controller.
76
+ * `ActionController::TestCase` can teardown gracefully if an error is raised
77
+ early in the `setup` chain.
89
78
 
90
- Fixes #13905.
79
+ *Yves Senn*
91
80
 
92
- *Christiaan Van den Poel*
81
+ * Parse RSS/ATOM responses as XML, not HTML.
93
82
 
94
- * Always use the provided port if the protocol is relative.
83
+ *Alexander Kaupanin*
95
84
 
96
- Fixes #15043.
85
+ * Fix regression in mounted engine named routes generation for app deployed to
86
+ a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
87
+ "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
97
88
 
98
- *Guilherme Cavalcanti*, *Andrew White*
89
+ Fixes #20920. Fixes #21459.
99
90
 
100
- * Append a link in the backtrace to the bad code when a `SyntaxError` exception occurs.
91
+ *Matthew Erhard*
101
92
 
102
- *Boris Kuznetsov*
93
+ * `url_for` does not modify its arguments when generating polymorphic URLs.
103
94
 
104
- * Make URL escaping more consistent:
95
+ *Bernerd Schaefer*
105
96
 
106
- 1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
107
- 2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
108
- 3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
109
- 4. Use `escape_segment` rather than `escape_path` in URL generation
97
+ * Update `ActionController::TestSession#fetch` to behave more like
98
+ `ActionDispatch::Request::Session#fetch` when using non-string keys.
110
99
 
111
- For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
112
- (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
113
- means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
114
- is used in the path then this uses `escape_path` as the controller may be namespaced.
100
+ *Jeremy Friesen*
115
101
 
116
- Fixes #14629, #14636 and #14070.
117
102
 
118
- *Andrew White*, *Edho Arief*
103
+ ## Rails 4.2.4 (August 24, 2015) ##
119
104
 
120
- * Returns a null type format when the format is not known and the controller is using an
121
- `any` format block.
105
+ * ActionController::TestSession now accepts a default value as well as
106
+ a block for generating a default value based off the key provided.
122
107
 
123
- Fixes #14462.
108
+ This fixes calls to session#fetch in ApplicationController instances that
109
+ take more two arguments or a block from raising `ArgumentError: wrong
110
+ number of arguments (2 for 1)` when performing controller tests.
124
111
 
125
- *Rafael Mendonça França*
112
+ *Matthew Gerrior*
126
113
 
127
- * Only make deeply nested routes shallow when the parent is shallow.
114
+ * Fix to keep original header instance in `ActionDispatch::SSL`
128
115
 
129
- Fixes #14684.
116
+ `ActionDispatch::SSL` changes headers to `Hash`.
117
+ So some headers will be broken if there are some middlewares
118
+ on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
130
119
 
131
- *Andrew White*, *James Coglan*
120
+ *Fumiaki Matsushima*
132
121
 
133
122
 
134
- ## Rails 4.1.1 (May 6, 2014) ##
123
+ ## Rails 4.2.3 (June 25, 2015) ##
135
124
 
136
- * Only accept actions without `File::SEPARATOR` in the name.
125
+ * Fix rake routes not showing the right format when
126
+ nesting multiple routes.
137
127
 
138
- This will avoid directory traversal in implicit render.
128
+ See #18373.
139
129
 
140
- Fixes: CVE-2014-0130
130
+ *Ravil Bayramgalin*
141
131
 
142
- *Rafael Mendonça França*
132
+ * Fix regression where a gzip file response would have a Content-type,
133
+ even when it was a 304 status code.
143
134
 
135
+ See #19271.
144
136
 
145
- ## Rails 4.1.0 (April 8, 2014) ##
137
+ *Kohei Suzuki*
146
138
 
147
- * Swap the parameters of assert_equal in `assert_select` so that the
148
- proper values are printed correctly
139
+ * Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
149
140
 
150
- Fixes #14422.
141
+ Previously, an empty X_FORWARDED_HOST header would cause
142
+ Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
143
+ Actiondispatch::Http:URL.host to raise a NoMethodError.
151
144
 
152
- *Vishal Lal*
145
+ *Adam Forsyth*
153
146
 
154
- * The method `shallow?` returns false if the parent resource is a singleton, so
155
- we need to check if we're not inside a nested scope before copying the :path
156
- and :as options to their shallow equivalents.
147
+ * Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
157
148
 
158
- Fixes #14388.
149
+ Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
150
+ prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
151
+ is set, it takes precedence.
159
152
 
160
- *Andrew White*
153
+ Fixes #5122.
161
154
 
155
+ *Yasyf Mohamedali*
162
156
 
163
- ## Rails 4.1.0 (April 8, 2014) ##
157
+ * Fix regression in functional tests. Responses should have default headers
158
+ assigned.
164
159
 
165
- * Fix URL generation in controller tests with request-dependent
166
- `default_url_options` methods.
160
+ See #18423.
167
161
 
168
- *Tony Wooster*
162
+ *Jeremy Kemper*, *Yves Senn*
169
163
 
170
- * Introduce `render :html` as an option to render HTML content with a content
171
- type of `text/html`. This rendering option calls `ERB::Util.html_escape`
172
- internally to escape unsafe HTML strings, so you will need to mark a
173
- string as `html_safe` if it contains any HTML tag.
174
164
 
175
- See #14062, #12374.
165
+ ## Rails 4.2.2 (June 16, 2015) ##
176
166
 
177
- *Prem Sichanugrist*
167
+ * No Changes *
178
168
 
179
- * Introduce `render :plain` as an option to render content with a content type
180
- of `text/plain`. This is the preferred option if you are planning to render
181
- a plain text content.
182
169
 
183
- See #14062, #12374.
170
+ ## Rails 4.2.1 (March 19, 2015) ##
184
171
 
185
- *Prem Sichanugrist*
172
+ * Non-string authenticity tokens do not raise NoMethodError when decoding
173
+ the masked token.
186
174
 
187
- * Introduce `render :body` as an option for sending a raw content back to
188
- browser. Note that this rendering option does not include "Content-Type"
189
- header back in the response.
175
+ *Ville Lautanala*
190
176
 
191
- You should only use this option if you don't care about the content type
192
- of the response. More information on "Content-Type" header can be found
193
- on RFC 2616, section 7.2.1.
177
+ * Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
194
178
 
195
- See #14062, #12374.
179
+ Fixes an issue where a mounted rack app at root would intercept the HEAD
180
+ request causing an incorrect behavior during the fall back to GET requests.
196
181
 
197
- *Prem Sichanugrist*
182
+ Example:
183
+ ```ruby
184
+ draw do
185
+ get '/home' => 'test#index'
186
+ mount rack_app, at: '/'
187
+ end
188
+ head '/home'
189
+ assert_response :success
190
+ ```
191
+ In this case, a HEAD request runs through the routes the first time and fails
192
+ to match anything. Then, it runs through the list with the fallback and matches
193
+ `get '/home'`. The original behavior would match the rack app in the first pass.
198
194
 
199
- * Set stream status to 500 (or 400 on BadRequest) when an error is thrown
200
- before committing.
195
+ *Terence Sun*
201
196
 
202
- Fixes #12552.
197
+ * Preserve default format when generating URLs
203
198
 
204
- *Kevin Casey*
199
+ Fixes an issue that would cause the format set in default_url_options to be
200
+ lost when generating URLs with fewer positional arguments than parameters in
201
+ the route definition.
205
202
 
206
- * Add a new config option `config.action_dispatch.cookies_serializer` for
207
- specifying a serializer for the signed and encrypted cookie jars.
203
+ Backport of #18627
208
204
 
209
- The possible values are:
205
+ *Tekin Suleyman*, *Dominic Baggott*
210
206
 
211
- * `:json` - serialize cookie values with `JSON`
212
- * `:marshal` - serialize cookie values with `Marshal`
213
- * `:hybrid` - transparently migrate existing `Marshal` cookie values to `JSON`
207
+ * Default headers, removed in controller actions, are no longer reapplied on
208
+ the test response.
214
209
 
215
- For new apps the `:json` option is added by default and `:marshal` is used
216
- when no option is specified to maintain backwards compatibility.
210
+ *Jonas Baumann*
217
211
 
218
- *Łukasz Sarnacki*, *Matt Aimonetti*, *Guillermo Iguaran*, *Godfrey Chan*, *Rafael Mendonça França*
212
+ * Ensure `append_info_to_payload` is called even if an exception is raised.
219
213
 
220
- * `FlashHash` now behaves like a `HashWithIndifferentAccess`.
214
+ Fixes an issue where when an exception is raised in the request the additonal
215
+ payload data is not available.
221
216
 
222
- *Guillermo Iguaran*
217
+ See:
218
+ * #14903
219
+ * https://github.com/roidrage/lograge/issues/37
223
220
 
224
- * Set the `:shallow_path` scope option as each scope is generated rather than
225
- waiting until the `shallow` option is set. Also make the behavior of the
226
- `:shallow` resource option consistent with the behavior of the `shallow` method.
221
+ *Dieter Komendera*, *Margus Pärt*
227
222
 
228
- Fixes #12498.
223
+ * Correctly rely on the response's status code to handle calls to `head`.
229
224
 
230
- *Andrew White*, *Aleksi Aalto*
225
+ *Robin Dupret*
231
226
 
232
- * Properly require `action_view` in `AbstractController::Rendering` to prevent
233
- an uninitialized constant error for `ENCODING_FLAG`.
227
+ * Using `head` method returns empty response_body instead
228
+ of returning a single space " ".
234
229
 
235
- *Philipe Fatio*
230
+ The old behavior was added as a workaround for a bug in an early
231
+ version of Safari, where the HTTP headers are not returned correctly
232
+ if the response body has a 0-length. This is been fixed since and
233
+ the workaround is no longer necessary.
236
234
 
237
- * Do not discard query parameters that form a hash with the same root key as
238
- the `wrapper_key` for a request using `wrap_parameters`.
235
+ Fixes #18253.
239
236
 
240
- *Josh Jordan*
237
+ *Prathamesh Sonpatki*
241
238
 
242
- * Ensure that `request.filtered_parameters` is reset between calls to `process`
243
- in `ActionController::TestCase`.
239
+ * Fix how polymorphic routes works with objects that implement `to_model`.
244
240
 
245
- Fixes #13803.
241
+ *Travis Grathwell*
246
242
 
247
- *Andrew White*
243
+ * Fixed handling of positional url helper arguments when `format: false`.
248
244
 
249
- * Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
245
+ Fixes #17819.
250
246
 
251
- Fixes #13810.
247
+ *Andrew White*, *Tatiana Soukiassian*
252
248
 
253
- *Maurizio De Santis*
249
+ * Fixed usage of optional scopes in URL helpers.
254
250
 
255
- * Log which keys were affected by deep munge.
251
+ *Alex Robbin*
256
252
 
257
- Deep munge solves the CVE-2013-0155 security vulnerability, but its
258
- behaviour is confusing. With this commit, the information about which
259
- key values were set to nil is now visible in logs.
260
253
 
261
- *Łukasz Sarnacki*
254
+ ## Rails 4.2.0 (December 20, 2014) ##
262
255
 
263
- * Automatically convert dashes to underscores for shorthand routes, e.g:
256
+ * Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
257
+ `Hash` representation of Parameters object. This is now a preferred way to
258
+ retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
259
+ object in Rails 5.0.
264
260
 
265
- get '/our-work/latest'
261
+ *Prem Sichanugrist*
266
262
 
267
- When running `rake routes` you will get the following output:
263
+ * Restore handling of a bare `Authorization` header, without `token=`
264
+ prefix.
268
265
 
269
- Prefix Verb URI Pattern Controller#Action
270
- our_work_latest GET /our-work/latest(.:format) our_work#latest
266
+ Fixes #17108.
271
267
 
272
- *Mikko Johansson*
268
+ *Guo Xiang Tan*
273
269
 
274
- * Automatically convert dashes to underscores for url helpers, e.g:
270
+ * Deprecate use of string keys in URL helpers.
275
271
 
276
- get '/contact-us' => 'pages#contact'
277
- get '/about-us' => 'pages#about_us'
272
+ Use symbols instead.
273
+ Fixes #16958.
278
274
 
279
- When running `rake routes` you will get the following output:
275
+ *Byron Bischoff*, *Melanie Gilman*
280
276
 
281
- Prefix Verb URI Pattern Controller#Action
282
- contact_us GET /contact-us(.:format) pages#contact
283
- about_us GET /about-us(.:format) pages#about_us
277
+ * Deprecate the `only_path` option on `*_path` helpers.
284
278
 
285
- *Amr Tamimi*
279
+ In cases where this option is set to `true`, the option is redundant and can
280
+ be safely removed; otherwise, the corresponding `*_url` helper should be
281
+ used instead.
286
282
 
287
- * Fix stream closing when sending file with `ActionController::Live` included.
283
+ Fixes #17294.
288
284
 
289
- Fixes #12381.
285
+ *Dan Olson*, *Godfrey Chan*
290
286
 
291
- *Alessandro Diaferia*
287
+ * Improve Journey compliance to RFC 3986.
292
288
 
293
- * Allow an absolute controller path inside a module scope. Fixes #12777.
289
+ The scanner in Journey failed to recognize routes that use literals
290
+ from the sub-delims section of RFC 3986. It's now able to parse those
291
+ authorized delimiters and route as expected.
294
292
 
295
- Example:
293
+ Fixes #17212.
296
294
 
297
- namespace :foo do
298
- # will route to BarController without the namespace.
299
- get '/special', to: '/bar#index'
300
- end
295
+ *Nicolas Cavigneaux*
301
296
 
297
+ * Deprecate implicit Array conversion for Response objects. It was added
298
+ (using `#to_ary`) so we could conveniently use implicit splatting:
302
299
 
303
- * Unique the segment keys array for non-optimized url helpers
300
+ status, headers, body = response
304
301
 
305
- In Rails 3.2 you only needed to pass an argument for a dynamic segment
306
- once so unique the segment keys array to match the number of args. Since
307
- the number of args is less than the required parts, the non-optimized code
308
- path is selected. To benefit from optimized url generation, the arg needs
309
- to be specified as many times as it appears in the path.
302
+ But it also means `response + response` works and `[response].flatten`
303
+ cascades down to the Rack body. Nonsense behavior. Instead, rely on
304
+ explicit conversion and splatting with `#to_a`:
310
305
 
311
- Fixes #12808.
306
+ status, header, body = *response
312
307
 
313
- *Andrew White*
308
+ *Jeremy Kemper*
314
309
 
315
- * Show full route constraints in error message.
310
+ * Don't rescue `IPAddr::InvalidAddressError`.
316
311
 
317
- When an optimized helper fails to generate, show the full route constraints
318
- in the error message. Previously it would only show the contraints that were
319
- required as part of the path.
312
+ `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
313
+ and fails for JRuby in 1.9 mode.
320
314
 
321
- Fixes #13592.
315
+ *Peter Suschlik*
322
316
 
323
- *Andrew White*
317
+ * Fix bug where the router would ignore any constraints added to redirect
318
+ routes.
324
319
 
325
- * Use a custom route visitor for optimized url generation. Fixes #13349.
320
+ Fixes #16605.
326
321
 
327
- *Andrew White*
322
+ *Agis Anastasopoulos*
328
323
 
329
- * Allow engine root relative redirects using an empty string.
324
+ * Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
330
325
 
331
326
  Example:
332
327
 
333
- # application routes.rb
334
- mount BlogEngine => '/blog'
328
+ # config/environments/production.rb
329
+ config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
335
330
 
336
- # engine routes.rb
337
- get '/welcome' => redirect('')
331
+ *Sam Aarons*
338
332
 
339
- This now redirects to the path `/blog`, whereas before it would redirect
340
- to the application root path. In the case of a path redirect or a custom
341
- redirect, if the path returned contains a host then the path is treated as
342
- absolute. Similarly for option redirects, if the options hash returned
343
- contains a `:host` or `:domain` key then the path is treated as absolute.
333
+ * Avoid duplicating routes for HEAD requests.
344
334
 
345
- Fixes #7977.
335
+ Instead of duplicating the routes, we will first match the HEAD request to
336
+ HEAD routes. If no match is found, we will then map the HEAD request to
337
+ GET routes.
346
338
 
347
- *Andrew White*
339
+ *Guo Xiang Tan*, *Andrew White*
348
340
 
349
- * Fix `Encoding::CompatibilityError` when public path is UTF-8
341
+ * Requests that hit `ActionDispatch::Static` can now take advantage
342
+ of gzipped assets on disk. By default a gzip asset will be served if
343
+ the client supports gzip and a compressed file is on disk.
350
344
 
351
- In #5337 we forced the path encoding to ASCII-8BIT to prevent static file
352
- handling from blowing up before an application has had a chance to deal
353
- with possibly invalid urls. However this has a negative side effect of
354
- making it an incompatible encoding if the application's public path has
355
- UTF-8 characters in it.
345
+ *Richard Schneeman*
356
346
 
357
- To work around the problem we check to see if the path has a valid encoding once
358
- it has been unescaped. If it is not valid then we can return early since it will
359
- not match any file anyway.
347
+ * `ActionController::Parameters` will stop inheriting from `Hash` and
348
+ `HashWithIndifferentAccess` in the next major release. If you use any method
349
+ that is not available on `ActionController::Parameters` you should consider
350
+ calling `#to_h` to convert it to a `Hash` first before calling that method.
360
351
 
361
- Fixes #13518.
352
+ *Prem Sichanugrist*
362
353
 
363
- *Andrew White*
354
+ * `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
355
+ keys removed. This change is to reflect on a security concern where some
356
+ method performed on an `ActionController::Parameters` may yield a `Hash`
357
+ object which does not maintain `permitted?` status. If you would like to
358
+ get a `Hash` with all the keys intact, duplicate and mark it as permitted
359
+ before calling `#to_h`.
364
360
 
365
- * `ActionController::Parameters#permit!` permits hashes in array values.
361
+ params = ActionController::Parameters.new({
362
+ name: 'Senjougahara Hitagi',
363
+ oddity: 'Heavy stone crab'
364
+ })
365
+ params.to_h
366
+ # => {}
366
367
 
367
- *Xavier Noria*
368
+ unsafe_params = params.dup.permit!
369
+ unsafe_params.to_h
370
+ # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
368
371
 
369
- * Converts hashes in arrays of unfiltered params to unpermitted params.
372
+ safe_params = params.permit(:name)
373
+ safe_params.to_h
374
+ # => {"name"=>"Senjougahara Hitagi"}
370
375
 
371
- Fixes #13382.
376
+ This change is consider a stopgap as we cannot change the code to stop
377
+ `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
378
+ in the next minor release.
372
379
 
373
- *Xavier Noria*
380
+ *Prem Sichanugrist*
374
381
 
375
- * New config option to opt out of params "deep munging" that was used to
376
- address the security vulnerability CVE-2013-0155. In your app config:
382
+ * Deprecated `TagAssertions`.
377
383
 
378
- config.action_dispatch.perform_deep_munge = false
384
+ *Kasper Timm Hansen*
379
385
 
380
- Take care to understand the security risk involved before disabling this.
381
- [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
386
+ * Use the Active Support JSON encoder for cookie jars using the `:json` or
387
+ `:hybrid` serializer. This allows you to serialize custom Ruby objects into
388
+ cookies by defining the `#as_json` hook on such objects.
382
389
 
383
- *Bernard Potocki*
390
+ Fixes #16520.
384
391
 
385
- * `rake routes` shows routes defined under assets prefix.
392
+ *Godfrey Chan*
386
393
 
387
- *Ryunosuke SATO*
394
+ * Add `config.action_dispatch.cookies_digest` option for setting custom
395
+ digest. The default remains the same - 'SHA1'.
388
396
 
389
- * Extend cross-site request forgery (CSRF) protection to GET requests with
390
- JavaScript responses, protecting apps from cross-origin `<script>` tags.
397
+ *Łukasz Strzałkowski*
391
398
 
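Review bot: The `config.action_dispatch.cookies_digest` entry does not say which digest names are accepted or whether cookies already issued under the 'SHA1' default stay valid once the option is changed. Add a sentence covering both, because an operator reading "The default remains the same - 'SHA1'" has no way to judge the impact of switching on a running application.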
392
- *Jeremy Kemper*
399
+ * Move `respond_with` (and the class-level `respond_to`) to
400
+ the `responders` gem.
393
401
 
394
- * Fix generating a path for an engine inside a resources block.
402
+ *José Valim*
395
403
 
396
- Fixes #8533.
404
+ * When your templates change, browser caches bust automatically.
397
405
 
398
- *Piotr Sarnacki*
406
+ New default: the template digest is automatically included in your ETags.
407
+ When you call `fresh_when @post`, the digest for `posts/show.html.erb`
408
+ is mixed in so future changes to the HTML will blow HTTP caches for you.
409
+ This makes it easy to HTTP-cache many more of your actions.
399
410
 
400
- * Add `Mime::Type.register "text/vcard", :vcf` to the default list of mime types.
411
+ If you render a different template, you can now pass the `:template`
412
+ option to include its digest instead:
401
413
 
402
- *DHH*
414
+ fresh_when @post, template: 'widgets/show'
403
415
 
404
- * Remove deprecated `ActionController::RecordIdentifier`, use
405
- `ActionView::RecordIdentifier` instead.
416
+ Pass `template: false` to skip the lookup. To turn this off entirely, set:
406
417
 
407
- *kennyj*
418
+ config.action_controller.etag_with_template_digest = false
408
419
 
409
- * Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
410
- `options[:raise]`.
420
+ *Jeremy Kemper*
411
421
 
412
- This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
422
+ * Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
423
+ in favor of `AbstractController::Helpers::MissingHelperError`.
413
424
 
414
- *Shota Fukumori (sora_h)*
425
+ *Yves Senn*
415
426
 
416
- * Introducing Variants
427
+ * Fix `assert_template` not being able to assert that no files were rendered.
417
428
 
418
- We often want to render different html/json/xml templates for phones,
419
- tablets, and desktop browsers. Variants make it easy.
429
+ *Guo Xiang Tan*
420
430
 
421
- The request variant is a specialization of the request format, like `:tablet`,
422
- `:phone`, or `:desktop`.
431
+ * Extract source code for the entire exception stack trace for
432
+ better debugging and diagnosis.
423
433
 
424
- You can set the variant in a `before_action`:
434
+ *Ryan Dao*
425
435
 
426
- request.variant = :tablet if request.user_agent =~ /iPad/
436
+ * Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
437
+ loopback address.
427
438
 
428
- Respond to variants in the action just like you respond to formats:
439
+ *Earl St Sauver*, *Sven Riedel*
429
440
 
430
- respond_to do |format|
431
- format.html do |html|
432
- html.tablet # renders app/views/projects/show.html+tablet.erb
433
- html.phone { extra_setup; render ... }
434
- end
435
- end
441
+ * Preserve original path in `ShowExceptions` middleware by stashing it as
442
+ `env["action_dispatch.original_path"]`
436
443
 
437
- Provide separate templates for each format and variant:
444
+ `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
445
+ for the exception defined in `ExceptionWrapper`, so the path
446
+ the user was visiting when an exception occurred was not previously
447
+ available to any custom exceptions_app. The original `PATH_INFO` is now
448
+ stashed in `env["action_dispatch.original_path"]`.
438
449
 
439
- app/views/projects/show.html.erb
440
- app/views/projects/show.html+tablet.erb
441
- app/views/projects/show.html+phone.erb
450
+ *Grey Baker*
442
451
 
443
- You can also simplify the variants definition using the inline syntax:
452
+ * Use `String#bytesize` instead of `String#size` when checking for cookie
453
+ overflow.
444
454
 
445
- respond_to do |format|
446
- format.js { render "trash" }
447
- format.html.phone { redirect_to progress_path }
448
- format.html.none { render "trash" }
449
- end
455
+ *Agis Anastasopoulos*
450
456
 
451
- Variants also support the common `any`/`all` block that formats have.
457
+ * `render nothing: true` or rendering a `nil` body no longer add a single
458
+ space to the response body.
452
459
 
453
- It works for both inline:
460
+ The old behavior was added as a workaround for a bug in an early version of
461
+ Safari, where the HTTP headers are not returned correctly if the response
462
+ body has a 0-length. This is been fixed since and the workaround is no
463
+ longer necessary.
454
464
 
455
- respond_to do |format|
456
- format.html.any { render text: "any" }
457
- format.html.phone { render text: "phone" }
458
- end
465
+ Use `render body: ' '` if the old behavior is desired.
459
466
 
460
- and block syntax:
467
+ See #14883 for details.
461
468
 
462
- respond_to do |format|
463
- format.html do |variant|
464
- variant.any(:tablet, :phablet){ render text: "any" }
465
- variant.phone { render text: "phone" }
466
- end
467
- end
469
+ *Godfrey Chan*
468
470
 
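Review bot: Wording in the `render nothing: true` entry needs a pass: "no longer add a single space" should be "no longer adds a single space", and "This is been fixed since" should be "This has since been fixed". The entry would also be easier to act on if it said up front that the response body is now empty, since anything checking for the single-space body (tests, proxies, clients) will see a difference; the `render body: ' '` fallback is already documented and can stay as is.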
469
- *Łukasz Strzałkowski*
471
+ * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
472
+ ("Rosetta Flash").
470
473
 
471
- * Fix rendering localized templates without an explicit format using wrong
472
- content header and not passing correct formats to template due to the
473
- introduction of the `NullType` for mimes.
474
+ *Greg Campbell*
474
475
 
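Review bot: The CVE-2014-4671 entry says a JS comment is prepended to JSONP callbacks but does not show what the response body now starts with, so consumers that parse or byte-compare JSONP responses cannot tell what changed; include the new prefix in the entry. A cross-reference to the later entry in this file that switches JSONP responses rendered through `respond_to` to the `text/javascript` content type would also help, since both changes alter what a JSONP client receives.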
475
- Templates like `hello.it.erb` were subject to this issue.
476
+ * Because URI paths may contain non US-ASCII characters we need to force
477
+ the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
478
+ This essentially replicates the functionality of the monkey patch to
479
+ URI.parser.unescape in active_support/core_ext/uri.rb.
476
480
 
477
- Fixes #13064.
481
+ Fixes #16104.
478
482
 
479
- *Angelo Capilleri*, *Carlos Antonio da Silva*
483
+ *Karl Entwistle*
480
484
 
481
- * Try to escape each part of a url correctly when using a redirect route.
485
+ * Generate shallow paths for all children of shallow resources.
482
486
 
483
- Fixes #13110.
487
+ Fixes #15783.
484
488
 
485
- *Andrew White*
489
+ *Seb Jacobs*
486
490
 
487
- * Better error message for typos in assert_response arguments.
491
+ * JSONP responses are now rendered with the `text/javascript` content type
492
+ when rendering through a `respond_to` block.
488
493
 
489
- When the response type argument to `assert_response` is not a known
490
- response type, `assert_response` now throws an ArgumentError with a clear
491
- message. This is intended to help debug typos in the response type.
494
+ Fixes #15081.
492
495
 
493
- *Victor Costan*
496
+ *Lucas Mazza*
494
497
 
495
- * Fix formatting for `rake routes` when a section is shorter than a header.
498
+ * Add `config.action_controller.always_permitted_parameters` to configure which
499
+ parameters are permitted globally. The default value of this configuration is
500
+ `['controller', 'action']`.
496
501
 
497
- *Sıtkı Bağdat*
502
+ *Gary S. Weaver*, *Rafael Chacon*
498
503
 
499
- * Accept an options hash inside the array in `#url_for`.
504
+ * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
500
505
 
501
- Example:
506
+ Fixes #15511.
502
507
 
503
- url_for [:new, :admin, :post, { param: 'value' }]
504
- # => http://example.com/admin/posts/new?param=value
508
+ *Larry Lv*
505
509
 
506
- *Andrey Ognevsky*
510
+ * ActionController::Parameters#require now accepts `false` values.
507
511
 
508
- * Add `session#fetch` method
512
+ Fixes #15685.
509
513
 
510
- fetch behaves like [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch).
511
- It returns a value from the hash for the given key.
512
- If the key can’t be found, there are several options:
514
+ *Sergio Romano*
513
515
 
514
- * With no other arguments, it will raise a KeyError exception.
515
- * If a default value is given, then it will be returned.
516
- * If the optional code block is specified, then it will be run and its result returned.
516
+ * With authorization header `Authorization: Token token=`, `authenticate` now
517
+ recognize token as nil, instead of "token".
517
518
 
518
- *Damien Mathieu*
519
+ Fixes #14846.
519
520
 
520
- * Don't let strong parameters mutate the given hash via `fetch`
521
+ *Larry Lv*
521
522
 
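Review bot: In the `Authorization: Token token=` entry, "now recognize token as nil" should read "now recognizes the token as nil", and the security-relevant half of the sentence is buried: before this change an empty token value was read as the literal string "token". State that first, and add that code comparing the value handed over by `authenticate` must now cope with nil for this header.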
522
- Create a new instance if the given parameter is a `Hash` instead of
523
- passing it to the `convert_hashes_to_parameters` method since it is
524
- overriding its default value.
523
+ * Ensure the controller is always notified as soon as the client disconnects
524
+ during live streaming, even when the controller is blocked on a write.
525
525
 
526
- *Brendon Murphy*, *Doug Cole*
526
+ *Nicholas Jakobsen*, *Matthew Draper*
527
527
 
528
- * Add a `params` option to the `button_to` form helper which renders
529
- the given hash as hidden form fields.
528
+ * Routes specifying 'to:' must be a string that contains a "#" or a rack
529
+ application. Use of a symbol should be replaced with `action: symbol`.
530
+ Use of a string without a "#" should be replaced with `controller: string`.
530
531
 
531
- *Andy Waite*
532
+ *Aaron Patterson*
532
533
 
533
- * Enable assets helpers to work in the controllers like they do in the views.
534
+ * Fix URL generation with `:trailing_slash` such that it does not add
535
+ a trailing slash after `.:format`
534
536
 
535
- Example:
537
+ *Dan Langevin*
536
538
 
537
- # config/application.rb
538
- config.asset_host = 'http://mycdn.com'
539
+ * Build full URI as string when processing path in integration tests for
540
+ performance reasons. One consequence of this is that the leading slash
541
+ is now required in integration test `process` helpers, whereas previously
542
+ it could be omitted. The fact that this worked was a unintended consequence
543
+ of the implementation and was never an intentional feature.
539
544
 
540
- ActionController::Base.helpers.asset_path('fallback.png')
541
- # => http://mycdn.com/assets/fallback.png
545
+ *Guo Xiang Tan*
542
546
 
543
- Fixes #10051.
547
+ * Fix `'Stack level too deep'` when rendering `head :ok` in an action method
548
+ called 'status' in a controller.
544
549
 
545
- *Tima Maslyuchenko*
550
+ Fixes #13905.
546
551
 
547
- * Respect `SCRIPT_NAME` when using `redirect` with a relative path
552
+ *Christiaan Van den Poel*
548
553
 
549
- Example:
554
+ * Add MKCALENDAR HTTP method (RFC 4791).
550
555
 
551
- # application routes.rb
552
- mount BlogEngine => '/blog'
556
+ *Sergey Karpesh*
553
557
 
554
- # engine routes.rb
555
- get '/admin' => redirect('admin/dashboard')
558
+ * Instrument fragment cache metrics.
556
559
 
557
- This now redirects to the path `/blog/admin/dashboard`, whereas before it would
558
- have generated an invalid url because there would be no slash between the host name
559
- and the path. It also allows redirects to work when the application is deployed
560
- to a subdirectory of a website.
560
+ Adds `:controller`: and `:action` keys to the instrumentation payload
561
+ for the `*_fragment.action_controller` notifications. This allows tracking
562
+ e.g. the fragment cache hit rates for each controller action.
561
563
 
562
- Fixes #7977.
564
+ *Daniel Schierbeck*
563
565
 
564
- *Andrew White*
566
+ * Always use the provided port if the protocol is relative.
565
567
 
566
- * Fixing `repond_with` working directly on the options hash
567
- This fixes an issue where the `respond_with` worked directly with the given
568
- options hash, so that if a user relied on it after calling `respond_with`,
569
- the hash wouldn't be the same.
568
+ Fixes #15043.
570
569
 
571
- Fixes #12029.
570
+ *Guilherme Cavalcanti*, *Andrew White*
572
571
 
573
- *bluehotdog*
572
+ * Moved `params[request_forgery_protection_token]` into its own method
573
+ and improved tests.
574
574
 
575
- * Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
576
- attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
575
+ Fixes #11316.
577
576
 
578
- Fixes #10844.
577
+ *Tom Kadwill*
579
578
 
580
- *Tamir Duberstein*
579
+ * Added verification of route constraints given as a Proc or an object responding
580
+ to `:matches?`. Previously, when given an non-complying object, it would just
581
+ silently fail to enforce the constraint. It will now raise an `ArgumentError`
582
+ when setting up the routes.
581
583
 
582
- * Strong parameters should permit a nested number to be a key.
584
+ *Xavier Defrang*
583
585
 
584
- Fixes #12293.
586
+ * Properly treat the entire IPv6 User Local Address space as private for
587
+ purposes of remote IP detection. Also handle uppercase private IPv6
588
+ addresses.
585
589
 
586
- *kennyj*
590
+ Fixes #12638.
587
591
 
588
- * Fix the regex used to detect URI schemes in `redirect_to`, to be consistent
589
- with RFC 3986.
592
+ *Caleb Spare*
590
593
 
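Review bot: "IPv6 User Local Address space" in this entry should read "Unique Local Address" (ULA), which is the term RFC 4193 uses. Because the change alters which addresses remote IP detection treats as private, the entry should also give the prefix it now covers and mention that uppercase forms are matched, so operators can compare it with their proxy and load-balancer ranges.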
591
- *Derek Prior*
594
+ * Fixed an issue with migrating legacy json cookies.
592
595
 
593
- * Fix incorrect `assert_redirected_to` failure message for protocol-relative
594
- URLs.
596
+ Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
597
+ cookies are marshal-encoded. This is not the case when `secret_token` is
598
+ used in conjunction with the `:json` or `:hybrid` serializer.
595
599
 
596
- *Derek Prior*
600
+ In those case, when upgrading to use `secret_key_base`, this would cause a
601
+ `TypeError: incompatible marshal file format` and a 500 error for the user.
597
602
 
598
- * Fix an issue where the router could not recognize a downcased url encoding path.
603
+ Fixes #14774.
599
604
 
600
- Fixes #12269.
605
+ *Godfrey Chan*
601
606
 
602
- *kennyj*
607
+ * Make URL escaping more consistent:
603
608
 
604
- * Fix custom flash type definition. Misuse of the `_flash_types` class variable
605
- caused an error when reloading controllers with custom flash types.
609
+ 1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
610
+ 2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
611
+ 3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
612
+ 4. Use `escape_segment` rather than `escape_path` in URL generation
606
613
 
607
- Fixes #12057.
614
+ For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
615
+ (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
616
+ means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
617
+ is used in the path then this uses `escape_path` as the controller may be namespaced.
608
618
 
609
- *Ricardo de Cillo*
619
+ Fixes #14629, #14636 and #14070.
610
620
 
611
- * Do not break params filtering on `nil` values.
621
+ *Andrew White*, *Edho Arief*
612
622
 
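Review bot: Point 1 of the URL escaping entry is a behaviour change for callers and should lead the entry rather than sit in a list: '%' is now escaped, so a value that was already percent-encoded before being passed to a URL helper will be encoded a second time. The phrase "only unescaped data should be passed to URL helpers" implies this but does not say it. The two exceptions to point 4 (wildcard segments and `:controller` segments using `escape_path`) are clearly explained; consider adding that '/' in those values is therefore left unescaped, which reviewers of route definitions will want to know.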
613
- Fixes #12149.
623
+ * Add alias `ActionDispatch::Http::UploadedFile#to_io` to
624
+ `ActionDispatch::Http::UploadedFile#tempfile`.
614
625
 
615
- *Vasiliy Ermolovich*
626
+ *Tim Linquist*
616
627
 
617
- * Development mode exceptions are rendered in text format in case of
618
- an XHR request.
628
+ * Returns null type format when format is not know and controller is using `any`
629
+ format block.
619
630
 
620
- *Kir Shatrov*
631
+ Fixes #14462.
621
632
 
622
- * Fix an issue where :if and :unless controller action procs were being run
623
- before checking for the correct action in the :only and :unless options.
633
+ *Rafael Mendonça França*
624
634
 
625
- Fixes #11799.
635
+ * Improve routing error page with fuzzy matching search.
626
636
 
627
- *Nicholas Jakobsen*
637
+ *Winston*
628
638
 
629
- * Fix an issue where `assert_dom_equal` and `assert_dom_not_equal` were
630
- ignoring the passed failure message argument.
639
+ * Only make deeply nested routes shallow when parent is shallow.
631
640
 
632
- Fixes #11751.
641
+ Fixes #14684.
633
642
 
634
- *Ryan McGeary*
643
+ *Andrew White*, *James Coglan*
635
644
 
636
- * Allow REMOTE_ADDR, HTTP_HOST and HTTP_USER_AGENT to be overridden from
637
- the environment passed into `ActionDispatch::TestRequest.new`.
645
+ * Append link to bad code to backtrace when exception is `SyntaxError`.
638
646
 
639
- Fixes #11590.
647
+ *Boris Kuznetsov*
640
648
 
641
- *Andrew White*
649
+ * Swapped the parameters of assert_equal in `assert_select` so that the
650
+ proper values were printed correctly.
642
651
 
643
- * Fix an issue where Journey was failing to clear the named routes hash when the
644
- routes were reloaded and since it doesn't overwrite existing routes then if a
645
- route changed but wasn't renamed it kept the old definition. This was being
646
- masked by the optimised url helpers so it only became apparent when passing an
647
- options hash to the url helper.
652
+ Fixes #14422.
648
653
 
649
- *Andrew White*
654
+ *Vishal Lal*
650
655
 
651
- * Skip routes pointing to a redirect or mounted application when generating urls
652
- using an options hash as they aren't relevant and generate incorrect urls.
656
+ * The method `shallow?` returns false if the parent resource is a singleton so
657
+ we need to check if we're not inside a nested scope before copying the :path
658
+ and :as options to their shallow equivalents.
653
659
 
654
- Fixes #8018.
660
+ Fixes #14388.
655
661
 
656
662
  *Andrew White*
657
663
 
658
- * Move `MissingHelperError` out of the `ClassMethods` module.
659
-
660
- *Yves Senn*
661
-
662
- * Fix an issue where Rails raised an exception about a missing helper when
663
- it should have thrown a `LoadError` instead. When the helper file exists
664
- and only the loaded file from the helper does not exist, Rails should now
665
- throw a `LoadError` instead of a `MissingHelperError`.
666
-
667
- *Piotr Niełacny*
668
-
669
- * Fix `ActionDispatch::ParamsParser#parse_formatted_parameters` to rewind
670
- body input stream on parsing json params.
671
-
672
- Fixes #11345.
673
-
674
- *Yuri Bol*, *Paul Nikitochkin*
675
-
676
- * Ignore spaces around delimiters in the Set-Cookie header.
677
-
678
- *Yamagishi Kazutoshi*
679
-
680
- * Remove deprecated Rails application fallback for integration testing.
681
- Set `ActionDispatch.test_app` instead.
682
-
683
- *Carlos Antonio da Silva*
684
-
685
- * Remove deprecated `page_cache_extension` config.
686
-
687
- *Francesco Rodriguez*
664
+ * Make logging of CSRF failures optional (but on by default) with the
665
+ `log_warning_on_csrf_failure` configuration setting in
666
+ `ActionController::RequestForgeryProtection`.
688
667
 
689
- * Remove deprecated constants from Action Controller:
668
+ *John Barton*
690
669
 
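Review bot: The `log_warning_on_csrf_failure` entry gives no example of setting the option and no guidance on when turning it off is appropriate. Add a one-line configuration example and state that with the setting disabled a failed CSRF check no longer produces the warning, which matters to anyone alerting on those log lines; "on by default" is good and should stay prominent.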
691
- ActionController::AbstractRequest => ActionDispatch::Request
692
- ActionController::Request => ActionDispatch::Request
693
- ActionController::AbstractResponse => ActionDispatch::Response
694
- ActionController::Response => ActionDispatch::Response
695
- ActionController::Routing => ActionDispatch::Routing
696
- ActionController::Integration => ActionDispatch::Integration
697
- ActionController::IntegrationTest => ActionDispatch::IntegrationTest
698
-
699
- *Carlos Antonio da Silva*
700
-
701
- * Fix `Mime::Type.parse` when a bad accepts header is looked up.
702
- Previously, it was setting `request.formats` with an array containing a
703
- `nil` value, which raised an error when setting the controller formats.
704
-
705
- Fixes #10965.
706
-
707
- *Becker*
708
-
709
- * Merge `:action` from routing scope and assign endpoint if both `:controller`
710
- and `:action` are present. The endpoint assignment only occurs if there is
711
- no `:to` present in the options hash, so should only affect routes using the
712
- shorthand syntax (i.e. endpoint is inferred from the path).
713
-
714
- Fixes #9856.
715
-
716
- *Yves Senn*, *Andrew White*
717
-
718
- * Action View extracted from Action Pack.
670
+ * Fix URL generation in controller tests with request-dependent
671
+ `default_url_options` methods.
719
672
 
720
- *Piotr Sarnacki*, *Łukasz Strzałkowski*
673
+ *Tony Wooster*
721
674
 
722
- Please check [4-0-stable](https://github.com/rails/rails/blob/4-0-stable/actionpack/CHANGELOG.md) for previous changes.
675
+ Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.