actionpack 4.2.10 → 5.2.4.6
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +300 -466
- data/MIT-LICENSE +1 -1
- data/README.rdoc +6 -7
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +45 -49
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +78 -15
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +47 -31
- data/lib/abstract_controller/collector.rb +8 -11
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +25 -25
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +4 -2
- data/lib/abstract_controller/rendering.rb +42 -41
- data/lib/abstract_controller/translation.rb +10 -7
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +12 -5
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +149 -0
- data/lib/action_controller/base.rb +27 -19
- data/lib/action_controller/caching.rb +14 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +10 -15
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +118 -44
- data/lib/action_controller/metal/content_security_policy.rb +52 -0
- data/lib/action_controller/metal/cookies.rb +3 -3
- data/lib/action_controller/metal/data_streaming.rb +27 -46
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +20 -13
- data/lib/action_controller/metal/exceptions.rb +8 -14
- data/lib/action_controller/metal/flash.rb +4 -3
- data/lib/action_controller/metal/force_ssl.rb +23 -21
- data/lib/action_controller/metal/head.rb +21 -19
- data/lib/action_controller/metal/helpers.rb +24 -14
- data/lib/action_controller/metal/http_authentication.rb +65 -58
- data/lib/action_controller/metal/implicit_render.rb +62 -8
- data/lib/action_controller/metal/instrumentation.rb +19 -21
- data/lib/action_controller/metal/live.rb +90 -106
- data/lib/action_controller/metal/mime_responds.rb +33 -46
- data/lib/action_controller/metal/parameter_encoding.rb +51 -0
- data/lib/action_controller/metal/params_wrapper.rb +61 -53
- data/lib/action_controller/metal/redirecting.rb +49 -28
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +72 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +229 -93
- data/lib/action_controller/metal/rescue.rb +9 -16
- data/lib/action_controller/metal/streaming.rb +12 -10
- data/lib/action_controller/metal/strong_parameters.rb +583 -164
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/metal.rb +98 -83
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +2 -0
- data/lib/action_controller/renderer.rb +117 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +280 -411
- data/lib/action_controller.rb +29 -21
- data/lib/action_dispatch/http/cache.rb +93 -47
- data/lib/action_dispatch/http/content_security_policy.rb +272 -0
- data/lib/action_dispatch/http/filter_parameters.rb +26 -20
- data/lib/action_dispatch/http/filter_redirect.rb +10 -11
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +60 -41
- data/lib/action_dispatch/http/mime_type.rb +134 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameter_filter.rb +25 -11
- data/lib/action_dispatch/http/parameters.rb +98 -39
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +200 -118
- data/lib/action_dispatch/http/response.rb +225 -110
- data/lib/action_dispatch/http/upload.rb +12 -6
- data/lib/action_dispatch/http/url.rb +110 -28
- data/lib/action_dispatch/journey/formatter.rb +55 -32
- data/lib/action_dispatch/journey/gtg/builder.rb +7 -5
- data/lib/action_dispatch/journey/gtg/simulator.rb +3 -9
- data/lib/action_dispatch/journey/gtg/transition_table.rb +17 -16
- data/lib/action_dispatch/journey/nfa/builder.rb +5 -3
- data/lib/action_dispatch/journey/nfa/dot.rb +13 -13
- data/lib/action_dispatch/journey/nfa/simulator.rb +3 -1
- data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -48
- data/lib/action_dispatch/journey/nodes/node.rb +18 -6
- data/lib/action_dispatch/journey/parser.rb +23 -22
- data/lib/action_dispatch/journey/parser.y +3 -2
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +50 -44
- data/lib/action_dispatch/journey/route.rb +106 -28
- data/lib/action_dispatch/journey/router/utils.rb +20 -11
- data/lib/action_dispatch/journey/router.rb +35 -23
- data/lib/action_dispatch/journey/routes.rb +18 -16
- data/lib/action_dispatch/journey/scanner.rb +18 -15
- data/lib/action_dispatch/journey/visitors.rb +99 -52
- data/lib/action_dispatch/journey.rb +7 -5
- data/lib/action_dispatch/middleware/callbacks.rb +1 -2
- data/lib/action_dispatch/middleware/cookies.rb +304 -193
- data/lib/action_dispatch/middleware/debug_exceptions.rb +152 -57
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +68 -69
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/public_exceptions.rb +27 -25
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +41 -31
- data/lib/action_dispatch/middleware/request_id.rb +17 -9
- data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -25
- data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
- data/lib/action_dispatch/middleware/session/cookie_store.rb +72 -67
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +26 -22
- data/lib/action_dispatch/middleware/ssl.rb +114 -36
- data/lib/action_dispatch/middleware/stack.rb +31 -44
- data/lib/action_dispatch/middleware/static.rb +57 -50
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +2 -14
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +1 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +64 -64
- data/lib/action_dispatch/railtie.rb +19 -11
- data/lib/action_dispatch/request/session.rb +106 -59
- data/lib/action_dispatch/request/utils.rb +67 -24
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +58 -67
- data/lib/action_dispatch/routing/mapper.rb +733 -447
- data/lib/action_dispatch/routing/polymorphic_routes.rb +166 -140
- data/lib/action_dispatch/routing/redirection.rb +36 -26
- data/lib/action_dispatch/routing/route_set.rb +321 -291
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +65 -25
- data/lib/action_dispatch/routing.rb +17 -18
- data/lib/action_dispatch/system_test_case.rb +147 -0
- data/lib/action_dispatch/system_testing/browser.rb +49 -0
- data/lib/action_dispatch/system_testing/driver.rb +59 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +96 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +26 -0
- data/lib/action_dispatch/testing/assertion_response.rb +47 -0
- data/lib/action_dispatch/testing/assertions/response.rb +45 -20
- data/lib/action_dispatch/testing/assertions/routing.rb +30 -26
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/integration.rb +347 -209
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +28 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +35 -7
- data/lib/action_dispatch.rb +27 -19
- data/lib/action_pack/gem_version.rb +5 -3
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +4 -2
- metadata +59 -42
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
data/CHANGELOG.md
CHANGED
@@ -1,670 +1,504 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 5.2.4.6 (May 05, 2021) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Prevent regex DoS in HTTP token authentication
|
4
|
+
CVE-2021-22904
|
4
5
|
|
5
|
-
|
6
|
-
in a path was maintained. This was incorrectly backported to Rails 4.2 which
|
7
|
-
caused a regression.
|
6
|
+
* Prevent string polymorphic route arguments.
|
8
7
|
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
* Use more specific check for :format in route path
|
14
|
-
|
15
|
-
The current check for whether to add an optional format to the path is very lax
|
16
|
-
and will match things like `:format_id` where there are nested resources, e.g:
|
17
|
-
|
18
|
-
``` ruby
|
19
|
-
resources :formats do
|
20
|
-
resources :items
|
21
|
-
end
|
22
|
-
```
|
8
|
+
`url_for` supports building polymorphic URLs via an array
|
9
|
+
of arguments (usually symbols and records). If a developer passes a
|
10
|
+
user input array, strings can result in unwanted route helper calls.
|
23
11
|
|
24
|
-
|
25
|
-
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
26
|
-
allow for multiple closing parenthesis since the route may be of this form:
|
12
|
+
CVE-2021-22885
|
27
13
|
|
28
|
-
|
29
|
-
get "/books(/:action(.:format))", controller: "books"
|
30
|
-
```
|
31
|
-
|
32
|
-
This probably isn't what's intended since it means that the default index action
|
33
|
-
route doesn't support a format but we have a test for it so we need to allow it.
|
34
|
-
|
35
|
-
Fixes #28517.
|
36
|
-
|
37
|
-
*Andrew White*
|
14
|
+
*Gannon McGibbon*
|
38
15
|
|
39
|
-
|
40
|
-
## Rails 4.2.8 (February 21, 2017) ##
|
16
|
+
## Rails 5.2.4.5 (February 10, 2021) ##
|
41
17
|
|
42
18
|
* No changes.
|
43
19
|
|
44
20
|
|
45
|
-
## Rails
|
21
|
+
## Rails 5.2.4.4 (September 09, 2020) ##
|
46
22
|
|
47
23
|
* No changes.
|
48
24
|
|
49
25
|
|
50
|
-
## Rails
|
51
|
-
|
52
|
-
* No changes.
|
26
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
53
27
|
|
28
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
54
29
|
|
55
|
-
|
30
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
56
31
|
|
57
|
-
* Do not allow render with unpermitted parameter.
|
58
32
|
|
59
|
-
|
33
|
+
## Rails 5.2.4.1 (December 18, 2019) ##
|
60
34
|
|
61
|
-
|
35
|
+
* Fix possible information leak / session hijacking vulnerability.
|
62
36
|
|
37
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
38
|
+
gem dalli to be updated as well.
|
63
39
|
|
64
|
-
|
65
|
-
|
66
|
-
* No changes.
|
40
|
+
CVE-2019-16782.
|
67
41
|
|
68
42
|
|
69
|
-
## Rails
|
43
|
+
## Rails 5.2.4 (November 27, 2019) ##
|
70
44
|
|
71
|
-
*
|
72
|
-
early in the `setup` chain.
|
45
|
+
* No changes.
|
73
46
|
|
74
|
-
*Yves Senn*
|
75
47
|
|
76
|
-
|
48
|
+
## Rails 5.2.3 (March 27, 2019) ##
|
77
49
|
|
78
|
-
|
50
|
+
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
79
51
|
|
80
|
-
|
81
|
-
|
82
|
-
|
52
|
+
Before this change, even if `public` was specified in the Cache Control header,
|
53
|
+
it was excluded when `no-cache` was included. This change preserves the
|
54
|
+
`public` value as is.
|
83
55
|
|
84
|
-
Fixes #
|
56
|
+
Fixes #34780.
|
85
57
|
|
86
|
-
*
|
58
|
+
*Yuji Yaginuma*
|
87
59
|
|
88
|
-
* `
|
60
|
+
* Allow `nil` params for `ActionController::TestCase`.
|
89
61
|
|
90
|
-
*
|
62
|
+
*Ryo Nakamura*
|
91
63
|
|
92
|
-
* Update `ActionController::TestSession#fetch` to behave more like
|
93
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
94
64
|
|
95
|
-
|
65
|
+
## Rails 5.2.2.1 (March 11, 2019) ##
|
96
66
|
|
67
|
+
* No changes.
|
97
68
|
|
98
|
-
## Rails 4.2.4 (August 24, 2015) ##
|
99
69
|
|
100
|
-
|
101
|
-
a block for generating a default value based off the key provided.
|
70
|
+
## Rails 5.2.2 (December 04, 2018) ##
|
102
71
|
|
103
|
-
|
104
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
105
|
-
number of arguments (2 for 1)` when performing controller tests.
|
72
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
106
73
|
|
107
|
-
|
74
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
75
|
+
in system test `after_teardown`.
|
108
76
|
|
109
|
-
*
|
77
|
+
*Maxim Perepelitsa*
|
110
78
|
|
111
|
-
|
112
|
-
So some headers will be broken if there are some middlewares
|
113
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
79
|
+
* Use request object for context if there's no controller
|
114
80
|
|
115
|
-
|
81
|
+
There is no controller instance when using a redirect route or a
|
82
|
+
mounted rack application so pass the request object as the context
|
83
|
+
when resolving dynamic CSP sources in this scenario.
|
116
84
|
|
85
|
+
Fixes #34200.
|
117
86
|
|
118
|
-
|
87
|
+
*Andrew White*
|
119
88
|
|
120
|
-
*
|
121
|
-
nesting multiple routes.
|
89
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
122
90
|
|
123
|
-
|
91
|
+
Previously if a dynamic source returned a symbol such as :self it
|
92
|
+
would be converted to a string implicity, e.g:
|
124
93
|
|
125
|
-
|
94
|
+
policy.default_src -> { :self }
|
126
95
|
|
127
|
-
|
128
|
-
even when it was a 304 status code.
|
96
|
+
would generate the header:
|
129
97
|
|
130
|
-
|
98
|
+
Content-Security-Policy: default-src self
|
131
99
|
|
132
|
-
|
100
|
+
and now it generates:
|
133
101
|
|
134
|
-
|
102
|
+
Content-Security-Policy: default-src 'self'
|
135
103
|
|
136
|
-
|
137
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
138
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
104
|
+
*Andrew White*
|
139
105
|
|
140
|
-
|
106
|
+
* Fix `rails routes -c` for controller name consists of multiple word.
|
141
107
|
|
142
|
-
*
|
108
|
+
*Yoshiyuki Kinjo*
|
143
109
|
|
144
|
-
|
145
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
146
|
-
is set, it takes precedence.
|
110
|
+
* Call the `#redirect_to` block in controller context.
|
147
111
|
|
148
|
-
|
112
|
+
*Steven Peckins*
|
149
113
|
|
150
|
-
*Yasyf Mohamedali*
|
151
114
|
|
152
|
-
|
153
|
-
assigned.
|
115
|
+
## Rails 5.2.1.1 (November 27, 2018) ##
|
154
116
|
|
155
|
-
|
117
|
+
* No changes.
|
156
118
|
|
157
|
-
*Jeremy Kemper*, *Yves Senn*
|
158
119
|
|
120
|
+
## Rails 5.2.1 (August 07, 2018) ##
|
159
121
|
|
160
|
-
|
122
|
+
* Prevent `?null=` being passed on JSON encoded test requests.
|
161
123
|
|
162
|
-
|
124
|
+
`RequestEncoder#encode_params` won't attempt to parse params if
|
125
|
+
there are none.
|
163
126
|
|
127
|
+
So call like this will no longer append a `?null=` query param.
|
164
128
|
|
165
|
-
|
129
|
+
get foos_url, as: :json
|
166
130
|
|
167
|
-
*
|
168
|
-
the masked token.
|
131
|
+
*Alireza Bashiri*
|
169
132
|
|
170
|
-
|
133
|
+
* Ensure `ActionController::Parameters#transform_values` and
|
134
|
+
`ActionController::Parameters#transform_values!` converts hashes into
|
135
|
+
parameters.
|
171
136
|
|
172
|
-
*
|
137
|
+
*Kevin Sjöberg*
|
173
138
|
|
174
|
-
|
175
|
-
request causing an incorrect behavior during the fall back to GET requests.
|
139
|
+
* Fix strong parameters `permit!` with nested arrays.
|
176
140
|
|
177
|
-
|
178
|
-
```
|
179
|
-
|
180
|
-
|
181
|
-
mount rack_app, at: '/'
|
182
|
-
end
|
183
|
-
head '/home'
|
184
|
-
assert_response :success
|
141
|
+
Given:
|
142
|
+
```
|
143
|
+
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
144
|
+
params.permit!
|
185
145
|
```
|
186
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
187
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
188
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
189
|
-
|
190
|
-
*Terence Sun*
|
191
|
-
|
192
|
-
* Preserve default format when generating URLs
|
193
|
-
|
194
|
-
Fixes an issue that would cause the format set in default_url_options to be
|
195
|
-
lost when generating URLs with fewer positional arguments than parameters in
|
196
|
-
the route definition.
|
197
|
-
|
198
|
-
Backport of #18627
|
199
|
-
|
200
|
-
*Tekin Suleyman*, *Dominic Baggott*
|
201
|
-
|
202
|
-
* Default headers, removed in controller actions, are no longer reapplied on
|
203
|
-
the test response.
|
204
|
-
|
205
|
-
*Jonas Baumann*
|
206
|
-
|
207
|
-
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
208
|
-
|
209
|
-
Fixes an issue where when an exception is raised in the request the additonal
|
210
|
-
payload data is not available.
|
211
|
-
|
212
|
-
See:
|
213
|
-
* #14903
|
214
|
-
* https://github.com/roidrage/lograge/issues/37
|
215
|
-
|
216
|
-
*Dieter Komendera*, *Margus Pärt*
|
217
|
-
|
218
|
-
* Correctly rely on the response's status code to handle calls to `head`.
|
219
|
-
|
220
|
-
*Robin Dupret*
|
221
|
-
|
222
|
-
* Using `head` method returns empty response_body instead
|
223
|
-
of returning a single space " ".
|
224
|
-
|
225
|
-
The old behavior was added as a workaround for a bug in an early
|
226
|
-
version of Safari, where the HTTP headers are not returned correctly
|
227
|
-
if the response body has a 0-length. This is been fixed since and
|
228
|
-
the workaround is no longer necessary.
|
229
|
-
|
230
|
-
Fixes #18253.
|
231
|
-
|
232
|
-
*Prathamesh Sonpatki*
|
233
|
-
|
234
|
-
* Fix how polymorphic routes works with objects that implement `to_model`.
|
235
|
-
|
236
|
-
*Travis Grathwell*
|
237
|
-
|
238
|
-
* Fixed handling of positional url helper arguments when `format: false`.
|
239
|
-
|
240
|
-
Fixes #17819.
|
241
|
-
|
242
|
-
*Andrew White*, *Tatiana Soukiassian*
|
243
|
-
|
244
|
-
* Fixed usage of optional scopes in URL helpers.
|
245
|
-
|
246
|
-
*Alex Robbin*
|
247
|
-
|
248
|
-
|
249
|
-
## Rails 4.2.0 (December 20, 2014) ##
|
250
|
-
|
251
|
-
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
252
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
253
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
254
|
-
object in Rails 5.0.
|
255
|
-
|
256
|
-
*Prem Sichanugrist*
|
257
|
-
|
258
|
-
* Restore handling of a bare `Authorization` header, without `token=`
|
259
|
-
prefix.
|
260
|
-
|
261
|
-
Fixes #17108.
|
262
|
-
|
263
|
-
*Guo Xiang Tan*
|
264
|
-
|
265
|
-
* Deprecate use of string keys in URL helpers.
|
266
|
-
|
267
|
-
Use symbols instead.
|
268
|
-
Fixes #16958.
|
269
|
-
|
270
|
-
*Byron Bischoff*, *Melanie Gilman*
|
271
|
-
|
272
|
-
* Deprecate the `only_path` option on `*_path` helpers.
|
273
|
-
|
274
|
-
In cases where this option is set to `true`, the option is redundant and can
|
275
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
276
|
-
used instead.
|
277
|
-
|
278
|
-
Fixes #17294.
|
279
|
-
|
280
|
-
*Dan Olson*, *Godfrey Chan*
|
281
|
-
|
282
|
-
* Improve Journey compliance to RFC 3986.
|
283
|
-
|
284
|
-
The scanner in Journey failed to recognize routes that use literals
|
285
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
286
|
-
authorized delimiters and route as expected.
|
287
|
-
|
288
|
-
Fixes #17212.
|
289
|
-
|
290
|
-
*Nicolas Cavigneaux*
|
291
|
-
|
292
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
293
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
294
|
-
|
295
|
-
status, headers, body = response
|
296
|
-
|
297
|
-
But it also means `response + response` works and `[response].flatten`
|
298
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
299
|
-
explicit conversion and splatting with `#to_a`:
|
300
|
-
|
301
|
-
status, header, body = *response
|
302
|
-
|
303
|
-
*Jeremy Kemper*
|
304
|
-
|
305
|
-
* Don't rescue `IPAddr::InvalidAddressError`.
|
306
|
-
|
307
|
-
`IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
|
308
|
-
and fails for JRuby in 1.9 mode.
|
309
|
-
|
310
|
-
*Peter Suschlik*
|
311
|
-
|
312
|
-
* Fix bug where the router would ignore any constraints added to redirect
|
313
|
-
routes.
|
314
|
-
|
315
|
-
Fixes #16605.
|
316
|
-
|
317
|
-
*Agis Anastasopoulos*
|
318
146
|
|
319
|
-
|
147
|
+
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
320
148
|
|
321
|
-
|
149
|
+
*Steve Hull*
|
322
150
|
|
323
|
-
|
324
|
-
|
151
|
+
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
152
|
+
`ActionController::TestCase` subclasses.
|
325
153
|
|
326
|
-
*
|
154
|
+
*Eugene Kenny*
|
327
155
|
|
328
|
-
*
|
156
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
329
157
|
|
330
|
-
|
331
|
-
HEAD routes. If no match is found, we will then map the HEAD request to
|
332
|
-
GET routes.
|
158
|
+
Fixes #32597.
|
333
159
|
|
334
|
-
*
|
160
|
+
*Andrey Novikov*, *Andrew White*
|
335
161
|
|
336
|
-
*
|
337
|
-
of gzipped assets on disk. By default a gzip asset will be served if
|
338
|
-
the client supports gzip and a compressed file is on disk.
|
162
|
+
* Only disable GPUs for headless Chrome on Windows.
|
339
163
|
|
340
|
-
|
164
|
+
It is not necessary anymore for Linux and macOS machines.
|
341
165
|
|
342
|
-
|
343
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
344
|
-
that is not available on `ActionController::Parameters` you should consider
|
345
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
166
|
+
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
346
167
|
|
347
|
-
*
|
168
|
+
*Stefan Wrobel*
|
348
169
|
|
349
|
-
*
|
350
|
-
keys removed. This change is to reflect on a security concern where some
|
351
|
-
method performed on an `ActionController::Parameters` may yield a `Hash`
|
352
|
-
object which does not maintain `permitted?` status. If you would like to
|
353
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
354
|
-
before calling `#to_h`.
|
170
|
+
* Fix system tests transactions not closed between examples.
|
355
171
|
|
356
|
-
|
357
|
-
name: 'Senjougahara Hitagi',
|
358
|
-
oddity: 'Heavy stone crab'
|
359
|
-
})
|
360
|
-
params.to_h
|
361
|
-
# => {}
|
172
|
+
*Sergey Tarasov*
|
362
173
|
|
363
|
-
unsafe_params = params.dup.permit!
|
364
|
-
unsafe_params.to_h
|
365
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
366
174
|
|
367
|
-
|
368
|
-
safe_params.to_h
|
369
|
-
# => {"name"=>"Senjougahara Hitagi"}
|
175
|
+
## Rails 5.2.0 (April 09, 2018) ##
|
370
176
|
|
371
|
-
|
372
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
373
|
-
in the next minor release.
|
177
|
+
* Check exclude before flagging cookies as secure.
|
374
178
|
|
375
|
-
*
|
179
|
+
*Catherine Khuu*
|
376
180
|
|
377
|
-
*
|
181
|
+
* Always yield a CSP policy instance from `content_security_policy`
|
378
182
|
|
379
|
-
|
183
|
+
This allows a controller action to enable the policy individually
|
184
|
+
for a controller and/or specific actions.
|
380
185
|
|
381
|
-
*
|
382
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
383
|
-
cookies by defining the `#as_json` hook on such objects.
|
186
|
+
*Andrew White*
|
384
187
|
|
385
|
-
|
188
|
+
* Add the ability to disable the global CSP in a controller, e.g:
|
386
189
|
|
387
|
-
|
190
|
+
class LegacyPagesController < ApplicationController
|
191
|
+
content_security_policy false, only: :index
|
192
|
+
end
|
388
193
|
|
389
|
-
*
|
390
|
-
digest. The default remains the same - 'SHA1'.
|
194
|
+
*Andrew White*
|
391
195
|
|
392
|
-
|
196
|
+
* Add alias method `to_hash` to `to_h` for `cookies`.
|
197
|
+
Add alias method `to_h` to `to_hash` for `session`.
|
393
198
|
|
394
|
-
*
|
395
|
-
the `responders` gem.
|
199
|
+
*Igor Kasyanchuk*
|
396
200
|
|
397
|
-
|
201
|
+
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
202
|
+
to meet the minimum max-age requirement for https://hstspreload.org/.
|
398
203
|
|
399
|
-
*
|
204
|
+
*Grant Bourque*
|
400
205
|
|
401
|
-
|
402
|
-
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
|
403
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
404
|
-
This makes it easy to HTTP-cache many more of your actions.
|
206
|
+
* Add support for automatic nonce generation for Rails UJS.
|
405
207
|
|
406
|
-
|
407
|
-
|
208
|
+
Because the UJS library creates a script tag to process responses it
|
209
|
+
normally requires the script-src attribute of the content security
|
210
|
+
policy to include 'unsafe-inline'.
|
408
211
|
|
409
|
-
|
212
|
+
To work around this we generate a per-request nonce value that is
|
213
|
+
embedded in a meta tag in a similar fashion to how CSRF protection
|
214
|
+
embeds its token in a meta tag. The UJS library can then read the
|
215
|
+
nonce value and set it on the dynamically generated script tag to
|
216
|
+
enable it to execute without needing 'unsafe-inline' enabled.
|
410
217
|
|
411
|
-
|
218
|
+
Nonce generation isn't 100% safe - if your script tag is including
|
219
|
+
user generated content in someway then it may be possible to exploit
|
220
|
+
an XSS vulnerability which can take advantage of the nonce. It is
|
221
|
+
however an improvement on a blanket permission for inline scripts.
|
412
222
|
|
413
|
-
|
223
|
+
It is also possible to use the nonce within your own script tags by
|
224
|
+
using `nonce: true` to set the nonce value on the tag, e.g
|
414
225
|
|
415
|
-
|
226
|
+
<%= javascript_tag nonce: true do %>
|
227
|
+
alert('Hello, World!');
|
228
|
+
<% end %>
|
416
229
|
|
417
|
-
|
418
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
230
|
+
Fixes #31689.
|
419
231
|
|
420
|
-
*
|
232
|
+
*Andrew White*
|
421
233
|
|
422
|
-
*
|
234
|
+
* Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
|
423
235
|
|
424
|
-
|
236
|
+
Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
|
425
237
|
|
426
|
-
|
427
|
-
|
238
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
239
|
+
def index
|
240
|
+
params.each do |name|
|
241
|
+
puts name
|
242
|
+
end
|
243
|
+
end
|
428
244
|
|
429
|
-
|
245
|
+
# Prints
|
246
|
+
# param
|
247
|
+
# param_two
|
430
248
|
|
431
|
-
|
432
|
-
loopback address.
|
249
|
+
In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
|
433
250
|
|
434
|
-
|
251
|
+
To fix the code above simply change as per example below:
|
435
252
|
|
436
|
-
|
437
|
-
|
253
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
254
|
+
def index
|
255
|
+
params.each do |name, value|
|
256
|
+
puts name
|
257
|
+
end
|
258
|
+
end
|
438
259
|
|
439
|
-
|
440
|
-
|
441
|
-
|
442
|
-
available to any custom exceptions_app. The original `PATH_INFO` is now
|
443
|
-
stashed in `env["action_dispatch.original_path"]`.
|
260
|
+
# Prints
|
261
|
+
# param
|
262
|
+
# param_two
|
444
263
|
|
445
|
-
*
|
264
|
+
*Dominic Cleal*
|
446
265
|
|
447
|
-
*
|
448
|
-
overflow.
|
266
|
+
* Add `Referrer-Policy` header to default headers set.
|
449
267
|
|
450
|
-
*
|
268
|
+
*Guillermo Iguaran*
|
451
269
|
|
452
|
-
*
|
453
|
-
|
270
|
+
* Changed the system tests to set Puma as default server only when the
|
271
|
+
user haven't specified manually another server.
|
454
272
|
|
455
|
-
|
456
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
457
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
458
|
-
longer necessary.
|
273
|
+
*Guillermo Iguaran*
|
459
274
|
|
460
|
-
|
275
|
+
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
|
276
|
+
default headers set.
|
461
277
|
|
462
|
-
|
278
|
+
*Guillermo Iguaran*
|
463
279
|
|
464
|
-
|
280
|
+
* Add headless firefox support to System Tests.
|
465
281
|
|
466
|
-
*
|
467
|
-
("Rosetta Flash").
|
282
|
+
*bogdanvlviv*
|
468
283
|
|
469
|
-
|
284
|
+
* Changed the default system test screenshot output from `inline` to `simple`.
|
470
285
|
|
471
|
-
|
472
|
-
the
|
473
|
-
|
474
|
-
|
286
|
+
`inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
|
287
|
+
Terminal.app ignore the `inline` and output the path to the file since it can't
|
288
|
+
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
289
|
+
inline, but also don't handle it gracefully and instead of outputting the file
|
290
|
+
path, it dumps binary into the terminal.
|
475
291
|
|
476
|
-
|
292
|
+
Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
|
477
293
|
|
478
|
-
*
|
294
|
+
*Eileen M. Uchitelle*
|
479
295
|
|
480
|
-
*
|
296
|
+
* Register most popular audio/video/font mime types supported by modern browsers.
|
481
297
|
|
482
|
-
|
298
|
+
*Guillermo Iguaran*
|
483
299
|
|
484
|
-
|
300
|
+
* Fix optimized url helpers when using relative url root.
|
485
301
|
|
486
|
-
|
487
|
-
when rendering through a `respond_to` block.
|
302
|
+
Fixes #31220.
|
488
303
|
|
489
|
-
|
304
|
+
*Andrew White*
|
490
305
|
|
491
|
-
|
306
|
+
* Add DSL for configuring Content-Security-Policy header.
|
492
307
|
|
493
|
-
|
494
|
-
|
495
|
-
|
308
|
+
The DSL allows you to configure a global Content-Security-Policy
|
309
|
+
header and then override within a controller. For more information
|
310
|
+
about the Content-Security-Policy header see MDN:
|
496
311
|
|
497
|
-
|
312
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
498
313
|
|
499
|
-
|
314
|
+
Example global policy:
|
500
315
|
|
501
|
-
|
316
|
+
# config/initializers/content_security_policy.rb
|
317
|
+
Rails.application.config.content_security_policy do |p|
|
318
|
+
p.default_src :self, :https
|
319
|
+
p.font_src :self, :https, :data
|
320
|
+
p.img_src :self, :https, :data
|
321
|
+
p.object_src :none
|
322
|
+
p.script_src :self, :https
|
323
|
+
p.style_src :self, :https, :unsafe_inline
|
324
|
+
end
|
502
325
|
|
503
|
-
|
326
|
+
Example controller overrides:
|
504
327
|
|
505
|
-
|
328
|
+
# Override policy inline
|
329
|
+
class PostsController < ApplicationController
|
330
|
+
content_security_policy do |p|
|
331
|
+
p.upgrade_insecure_requests true
|
332
|
+
end
|
333
|
+
end
|
506
334
|
|
507
|
-
|
335
|
+
# Using literal values
|
336
|
+
class PostsController < ApplicationController
|
337
|
+
content_security_policy do |p|
|
338
|
+
p.base_uri "https://www.example.com"
|
339
|
+
end
|
340
|
+
end
|
508
341
|
|
509
|
-
|
342
|
+
# Using mixed static and dynamic values
|
343
|
+
class PostsController < ApplicationController
|
344
|
+
content_security_policy do |p|
|
345
|
+
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
346
|
+
end
|
347
|
+
end
|
510
348
|
|
511
|
-
|
512
|
-
|
349
|
+
Allows you to also only report content violations for migrating
|
350
|
+
legacy content using the `content_security_policy_report_only`
|
351
|
+
configuration attribute, e.g;
|
513
352
|
|
514
|
-
|
353
|
+
# config/initializers/content_security_policy.rb
|
354
|
+
Rails.application.config.content_security_policy_report_only = true
|
515
355
|
|
516
|
-
|
356
|
+
# controller override
|
357
|
+
class PostsController < ApplicationController
|
358
|
+
content_security_policy_report_only only: :index
|
359
|
+
end
|
517
360
|
|
518
|
-
|
519
|
-
|
361
|
+
Note that this feature does not validate the header for performance
|
362
|
+
reasons since the header is calculated at runtime.
|
520
363
|
|
521
|
-
*
|
364
|
+
*Andrew White*
|
522
365
|
|
523
|
-
*
|
524
|
-
application. Use of a symbol should be replaced with `action: symbol`.
|
525
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
366
|
+
* Make `assert_recognizes` to traverse mounted engines.
|
526
367
|
|
527
|
-
*
|
368
|
+
*Yuichiro Kaneko*
|
528
369
|
|
529
|
-
*
|
530
|
-
a trailing slash after `.:format`
|
370
|
+
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
531
371
|
|
532
|
-
*
|
372
|
+
*Rafael Mendonça França*
|
533
373
|
|
534
|
-
*
|
535
|
-
performance reasons. One consequence of this is that the leading slash
|
536
|
-
is now required in integration test `process` helpers, whereas previously
|
537
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
538
|
-
of the implementation and was never an intentional feature.
|
374
|
+
* Add `:allow_other_host` option to `redirect_back` method.
|
539
375
|
|
540
|
-
|
376
|
+
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
377
|
+
different host. `allow_other_host` is `true` by default.
|
541
378
|
|
542
|
-
*
|
543
|
-
called 'status' in a controller.
|
379
|
+
*Tim Masliuchenko*
|
544
380
|
|
545
|
-
|
381
|
+
* Add headless chrome support to System Tests.
|
546
382
|
|
547
|
-
*
|
383
|
+
*Yuji Yaginuma*
|
548
384
|
|
549
|
-
* Add
|
385
|
+
* Add ability to enable Early Hints for HTTP/2
|
550
386
|
|
551
|
-
|
387
|
+
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
552
388
|
|
553
|
-
|
389
|
+
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
554
390
|
|
555
|
-
|
556
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
557
|
-
e.g. the fragment cache hit rates for each controller action.
|
391
|
+
*Eileen M. Uchitelle*, *Aaron Patterson*
|
558
392
|
|
559
|
-
|
393
|
+
* Simplify cookies middleware with key rotation support
|
560
394
|
|
561
|
-
|
395
|
+
Use the `rotate` method for both `MessageEncryptor` and
|
396
|
+
`MessageVerifier` to add key rotation support for encrypted and
|
397
|
+
signed cookies. This also helps simplify support for legacy cookie
|
398
|
+
security.
|
562
399
|
|
563
|
-
|
400
|
+
*Michael J Coyne*
|
564
401
|
|
565
|
-
|
402
|
+
* Use Capybara registered `:puma` server config.
|
566
403
|
|
567
|
-
|
568
|
-
and
|
404
|
+
The Capybara registered `:puma` server ensures the puma server is run in process so
|
405
|
+
connection sharing and open request detection work correctly by default.
|
569
406
|
|
570
|
-
|
407
|
+
*Thomas Walpole*
|
571
408
|
|
572
|
-
|
409
|
+
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
573
410
|
|
574
|
-
|
575
|
-
|
576
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
577
|
-
when setting up the routes.
|
411
|
+
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
412
|
+
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
578
413
|
|
579
|
-
|
414
|
+
Pull Request: #30121
|
580
415
|
|
581
|
-
*
|
582
|
-
purposes of remote IP detection. Also handle uppercase private IPv6
|
583
|
-
addresses.
|
416
|
+
*Assain Jaleel*
|
584
417
|
|
585
|
-
|
418
|
+
* Enforce signed/encrypted cookie expiry server side.
|
586
419
|
|
587
|
-
|
420
|
+
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
588
421
|
|
589
|
-
|
422
|
+
It does so by stashing the expiry within the written cookie and relying on the
|
423
|
+
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
424
|
+
server-side read, the expiry is verified and any expired cookie is discarded.
|
590
425
|
|
591
|
-
|
592
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
593
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
426
|
+
Pull Request: #30121
|
594
427
|
|
595
|
-
|
596
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
428
|
+
*Assain Jaleel*
|
597
429
|
|
598
|
-
|
430
|
+
* Make `take_failed_screenshot` work within engine.
|
599
431
|
|
600
|
-
|
432
|
+
Fixes #30405.
|
601
433
|
|
602
|
-
*
|
434
|
+
*Yuji Yaginuma*
|
603
435
|
|
604
|
-
|
605
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
606
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
607
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
436
|
+
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
608
437
|
|
609
|
-
|
610
|
-
|
611
|
-
|
612
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
438
|
+
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
439
|
+
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
440
|
+
use the response helpers provided by `Rack::Response`.
|
613
441
|
|
614
|
-
|
442
|
+
*Trevor Wistaff*
|
615
443
|
|
616
|
-
|
444
|
+
* Protect from forgery by default
|
617
445
|
|
618
|
-
|
619
|
-
`
|
446
|
+
Rather than protecting from forgery in the generated `ApplicationController`,
|
447
|
+
add it to `ActionController::Base` depending on
|
448
|
+
`config.action_controller.default_protect_from_forgery`. This configuration
|
449
|
+
defaults to false to support older versions which have removed it from their
|
450
|
+
`ApplicationController`, but is set to true for Rails 5.2.
|
620
451
|
|
621
|
-
*
|
452
|
+
*Lisa Ugray*
|
622
453
|
|
623
|
-
*
|
624
|
-
format block.
|
454
|
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
625
455
|
|
626
|
-
|
456
|
+
*Kir Shatrov*
|
627
457
|
|
628
|
-
|
458
|
+
* `driven_by` now registers poltergeist and capybara-webkit.
|
629
459
|
|
630
|
-
|
460
|
+
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
461
|
+
`driven_by` will register the driver and set additional options passed via
|
462
|
+
the `:options` parameter.
|
631
463
|
|
632
|
-
|
464
|
+
Refer to the respective driver's documentation to see what options can be passed.
|
633
465
|
|
634
|
-
*
|
466
|
+
*Mario Chavez*
|
635
467
|
|
636
|
-
|
468
|
+
* AEAD encrypted cookies and sessions with GCM.
|
637
469
|
|
638
|
-
|
470
|
+
Encrypted cookies now use AES-GCM which couples authentication and
|
471
|
+
encryption in one faster step and produces shorter ciphertexts. Cookies
|
472
|
+
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
473
|
+
this new mode is enabled via the
|
474
|
+
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
639
475
|
|
640
|
-
*
|
476
|
+
*Michael J Coyne*
|
641
477
|
|
642
|
-
|
478
|
+
* Change the cache key format for fragments to make it easier to debug key churn. The new format is:
|
643
479
|
|
644
|
-
|
645
|
-
|
480
|
+
views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
|
481
|
+
^template path ^template tree digest ^class ^id
|
646
482
|
|
647
|
-
|
483
|
+
*DHH*
|
648
484
|
|
649
|
-
|
485
|
+
* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
|
486
|
+
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
487
|
+
to support it.
|
650
488
|
|
651
|
-
*
|
652
|
-
we need to check if we're not inside a nested scope before copying the :path
|
653
|
-
and :as options to their shallow equivalents.
|
489
|
+
*DHH*
|
654
490
|
|
655
|
-
|
491
|
+
* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
|
656
492
|
|
657
|
-
|
493
|
+
`ActionController::Base` and `ActionController::API` have differing implementations. This means that
|
494
|
+
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
495
|
+
may not exist in a certain implementation.
|
658
496
|
|
659
|
-
|
660
|
-
`log_warning_on_csrf_failure` configuration setting in
|
661
|
-
`ActionController::RequestForgeryProtection`.
|
497
|
+
This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
|
662
498
|
|
663
|
-
|
499
|
+
Fixes #27013.
|
664
500
|
|
665
|
-
*
|
666
|
-
`default_url_options` methods.
|
501
|
+
*Julian Nadeau*
|
667
502
|
|
668
|
-
*Tony Wooster*
|
669
503
|
|
670
|
-
Please check [
|
504
|
+
Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
|