actionpack 4.2.10 → 6.1.3.2

data/CHANGELOG.md

@@ -1,670 +1,482 @@
-## Rails 4.2.10 (September 27, 2017) ##
+## Rails 6.1.3.2 (May 05, 2021) ##
 
-*   Fix regression in behavior of `normalize_path`.
+*   Prevent open redirects by correctly escaping the host allow list
+    CVE-2021-22903
 
-    In Rails 5 there was a change to ensure the encoding of the original string
-    in a path was maintained. This was incorrectly backported to Rails 4.2 which
-    caused a regression.
+*   Prevent catastrophic backtracking during mime parsing
+    CVE-2021-22902
 
-    *Eileen M. Uchitelle*
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
 
-## Rails 4.2.9 (June 26, 2017) ##
+*   Prevent string polymorphic route arguments.
 
-*   Use more specific check for :format in route path
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
 
-    The current check for whether to add an optional format to the path is very lax
-    and will match things like `:format_id` where there are nested resources, e.g:
+    CVE-2021-22885
 
-    ``` ruby
-    resources :formats do
-      resources :items
-    end
-    ```
-
-    Fix this by using a more restrictive regex pattern that looks for the patterns
-    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
-    allow for multiple closing parenthesis since the route may be of this form:
-
-    ``` ruby
-    get "/books(/:action(.:format))", controller: "books"
-    ```
-
-    This probably isn't what's intended since it means that the default index action
-    route doesn't support a format but we have a test for it so we need to allow it.
-
-    Fixes #28517.
-
-    *Andrew White*
+    *Gannon McGibbon*
 
-
-## Rails 4.2.8 (February 21, 2017) ##
+## Rails 6.1.3.1 (March 26, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.7 (July 12, 2016) ##
-
-*   No changes.
-
-
-## Rails 4.2.6 (March 07, 2016) ##
-
-*   No changes.
-
-
-## Rails 4.2.5.2 (February 26, 2016) ##
-
-*   Do not allow render with unpermitted parameter.
-
-    Fixes CVE-2016-2098.
-
-    *Arthur Neves*
-
-
-## Rails 4.2.5.1 (January 25, 2015) ##
-
-*   No changes.
-
-
-## Rails 4.2.5 (November 12, 2015) ##
-
-*   `ActionController::TestCase` can teardown gracefully if an error is raised
-    early in the `setup` chain.
-
-    *Yves Senn*
-
-*   Parse RSS/ATOM responses as XML, not HTML.
+## Rails 6.1.3 (February 17, 2021) ##
 
-    *Alexander Kaupanin*
+*   Re-define routes when not set correctly via inheritance.
 
-*   Fix regression in mounted engine named routes generation for app deployed to
-    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
-    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
+    *John Hawthorn*
 
-    Fixes #20920. Fixes #21459.
 
-    *Matthew Erhard*
+## Rails 6.1.2.1 (February 10, 2021) ##
 
-*   `url_for` does not modify its arguments when generating polymorphic URLs.
+*   Prevent open redirect when allowed host starts with a dot
 
-    *Bernerd Schaefer*
+    [CVE-2021-22881]
 
-*   Update `ActionController::TestSession#fetch` to behave more like
-    `ActionDispatch::Request::Session#fetch` when using non-string keys.
+    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+    issue and the patch!
 
-    *Jeremy Friesen*
-
-
-## Rails 4.2.4 (August 24, 2015) ##
-
-*   ActionController::TestSession now accepts a default value as well as
-    a block for generating a default value based off the key provided.
-
-    This fixes calls to session#fetch in ApplicationController instances that
-    take more two arguments or a block from raising `ArgumentError: wrong
-    number of arguments (2 for 1)` when performing controller tests.
-
-    *Matthew Gerrior*
-
-*   Fix to keep original header instance in `ActionDispatch::SSL`
-
-    `ActionDispatch::SSL` changes headers to `Hash`.
-    So some headers will be broken if there are some middlewares
-    on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
-
-    *Fumiaki Matsushima*
-
-
-## Rails 4.2.3 (June 25, 2015) ##
-
-*   Fix rake routes not showing the right format when
-    nesting multiple routes.
-
-    See #18373.
-
-    *Ravil Bayramgalin*
-
-*   Fix regression where a gzip file response would have a Content-type,
-    even when it was a 304 status code.
-
-    See #19271.
-
-    *Kohei Suzuki*
-
-*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
-
-    Previously, an empty X_FORWARDED_HOST header would cause
-    Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
-    Actiondispatch::Http:URL.host to raise a NoMethodError.
+    *Aaron Patterson*
 
-    *Adam Forsyth*
 
-*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
+## Rails 6.1.2 (February 09, 2021) ##
 
-    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
-    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
-    is set, it takes precedence.
+*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
 
-    Fixes #5122.
+    *Janko Marohnić*
 
-    *Yasyf Mohamedali*
+*   Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
 
-*   Fix regression in functional tests. Responses should have default headers
-    assigned.
+    *Eugene Kenny*
 
-    See #18423.
 
-    *Jeremy Kemper*, *Yves Senn*
+## Rails 6.1.1 (January 07, 2021) ##
 
+*   Fix nil translation key lookup in controllers/
 
-## Rails 4.2.2 (June 16, 2015) ##
+    *Jan Klimo*
 
-* No Changes *
+*   Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
 
+    *Alex Robbin*
 
-## Rails 4.2.1 (March 19, 2015) ##
+*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
 
-*   Non-string authenticity tokens do not raise NoMethodError when decoding
-    the masked token.
+    *Alex Robbin*
 
-    *Ville Lautanala*
 
-*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
+## Rails 6.1.0 (December 09, 2020) ##
 
-    Fixes an issue where a mounted rack app at root would intercept the HEAD
-    request causing an incorrect behavior during the fall back to GET requests.
+*   Support for the HTTP header `Feature-Policy` has been revised to reflect
+    its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
 
-    Example:
     ```ruby
-    draw do
-        get '/home' => 'test#index'
-        mount rack_app, at: '/'
+    Rails.application.config.permissions_policy do |p|
+      p.camera     :none
+      p.gyroscope  :none
+      p.microphone :none
+      p.usb        :none
+      p.fullscreen :self
+      p.payment    :self, "https://secure-example.com"
     end
-    head '/home'
-    assert_response :success
     ```
-    In this case, a HEAD request runs through the routes the first time and fails
-    to match anything. Then, it runs through the list with the fallback and matches
-    `get '/home'`. The original behavior would match the rack app in the first pass.
-
-    *Terence Sun*
-
-*   Preserve default format when generating URLs
-
-    Fixes an issue that would cause the format set in default_url_options to be
-    lost when generating URLs with fewer positional arguments than parameters in
-    the route definition.
-
-    Backport of #18627
-
-    *Tekin Suleyman*, *Dominic Baggott*
-
-*   Default headers, removed in controller actions, are no longer reapplied on
-    the test response.
 
-    *Jonas Baumann*
+    *Julien Grillot*
 
-*   Ensure `append_info_to_payload` is called even if an exception is raised.
+*   Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
 
-    Fixes an issue where when an exception is raised in the request the additonal
-    payload data is not available.
+    Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
 
-    See:
-    * #14903
-    * https://github.com/roidrage/lograge/issues/37
+    *Chris Bisnett*
 
-    *Dieter Komendera*, *Margus Pärt*
+*   Add `config.action_dispatch.request_id_header` to allow changing the name of
+    the unique X-Request-Id header
 
-*   Correctly rely on the response's status code to handle calls to `head`.
+    *Arlston Fernandes*
 
-    *Robin Dupret*
+*   Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
 
-*   Using `head` method returns empty response_body instead
-    of returning a single space " ".
-
-    The old behavior was added as a workaround for a bug in an early
-    version of Safari, where the HTTP headers are not returned correctly
-    if the response body has a 0-length. This is been fixed since and
-    the workaround is no longer necessary.
-
-    Fixes #18253.
-
-    *Prathamesh Sonpatki*
-
-*   Fix how polymorphic routes works with objects that implement `to_model`.
-
-    *Travis Grathwell*
-
-*   Fixed handling of positional url helper arguments when `format: false`.
-
-    Fixes #17819.
-
-    *Andrew White*, *Tatiana Soukiassian*
-
-*   Fixed usage of optional scopes in URL helpers.
-
-    *Alex Robbin*
-
-
-## Rails 4.2.0 (December 20, 2014) ##
-
-*   Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
-    `Hash` representation of Parameters object. This is now a preferred way to
-    retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
-    object in Rails 5.0.
-
-    *Prem Sichanugrist*
-
-*   Restore handling of a bare `Authorization` header, without `token=`
-    prefix.
-
-    Fixes #17108.
-
-    *Guo Xiang Tan*
-
-*   Deprecate use of string keys in URL helpers.
-
-    Use symbols instead.
-    Fixes #16958.
-
-    *Byron Bischoff*, *Melanie Gilman*
-
-*   Deprecate the `only_path` option on `*_path` helpers.
-
-    In cases where this option is set to `true`, the option is redundant and can
-    be safely removed; otherwise, the corresponding `*_url` helper should be
-    used instead.
-
-    Fixes #17294.
-
-    *Dan Olson*, *Godfrey Chan*
-
-*   Improve Journey compliance to RFC 3986.
-
-    The scanner in Journey failed to recognize routes that use literals
-    from the sub-delims section of RFC 3986. It's now able to parse those
-    authorized delimiters and route as expected.
-
-    Fixes #17212.
-
-    *Nicolas Cavigneaux*
-
-*   Deprecate implicit Array conversion for Response objects. It was added
-    (using `#to_ary`) so we could conveniently use implicit splatting:
-
-        status, headers, body = response
+    *Rafael Mendonça França*
 
-    But it also means `response + response` works and `[response].flatten`
-    cascades down to the Rack body. Nonsense behavior. Instead, rely on
-    explicit conversion and splatting with `#to_a`:
+*   Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
 
-        status, header, body = *response
+    *Rafael Mendonça França*
 
-    *Jeremy Kemper*
+*   Remove deprecated `ActionDispatch::Http::ParameterFilter`.
 
-*   Don't rescue `IPAddr::InvalidAddressError`.
+    *Rafael Mendonça França*
 
-    `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
-    and fails for JRuby in 1.9 mode.
+*   Added support for exclusive no-store Cache-Control header.
 
-    *Peter Suschlik*
+    If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
 
-*   Fix bug where the router would ignore any constraints added to redirect
-    routes.
+    *Chris Kruger*
 
-    Fixes #16605.
+*   Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
 
-    *Agis Anastasopoulos*
+    Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
+    `ActionDispatch::Http::Request#POST` prior to validating encoding.
 
-*   Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
+    *Adrianna Chang*
 
-    Example:
+*   Allow `assert_recognizes` routing assertions to work on mounted root routes.
 
-        # config/environments/production.rb
-        config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
+    *Gannon McGibbon*
 
-    *Sam Aarons*
+*   Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
 
-*   Avoid duplicating routes for HEAD requests.
+    *Alan Tan*, *Oz Ben-David*
 
-    Instead of duplicating the routes, we will first match the HEAD request to
-    HEAD routes. If no match is found, we will then map the HEAD request to
-    GET routes.
+*   Fix `follow_redirect!` to follow redirection with same HTTP verb when following
+    a 308 redirection.
 
-    *Guo Xiang Tan*, *Andrew White*
+    *Alan Tan*
 
-*   Requests that hit `ActionDispatch::Static` can now take advantage
-    of gzipped assets on disk. By default a gzip asset will be served if
-    the client supports gzip and a compressed file is on disk.
+*   When multiple domains are specified for a cookie, a domain will now be
+    chosen only if it is equal to or is a superdomain of the request host.
 
-    *Richard Schneeman*
+    *Jonathan Hefner*
 
-*   `ActionController::Parameters` will stop inheriting from `Hash` and
-    `HashWithIndifferentAccess` in the next major release. If you use any method
-    that is not available on `ActionController::Parameters` you should consider
-    calling `#to_h` to convert it to a `Hash` first before calling that method.
+*   `ActionDispatch::Static` handles precompiled Brotli (.br) files.
 
-    *Prem Sichanugrist*
+    Adds to existing support for precompiled gzip (.gz) files.
+    Brotli files are preferred due to much better compression.
 
-*   `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
-    keys removed. This change is to reflect on a security concern where some
-    method performed on an `ActionController::Parameters` may yield a `Hash`
-    object which does not maintain `permitted?` status. If you would like to
-    get a `Hash` with all the keys intact, duplicate and mark it as permitted
-    before calling `#to_h`.
+    When the browser requests /some.js with `Accept-Encoding: br`,
+    we check for public/some.js.br and serve that file, if present, with
+    `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
 
-        params = ActionController::Parameters.new({
-          name: 'Senjougahara Hitagi',
-          oddity: 'Heavy stone crab'
-        })
-        params.to_h
-        # => {}
+    *Ryan Edward Hall*, *Jeremy Daer*
 
-        unsafe_params = params.dup.permit!
-        unsafe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
+*   Add raise_on_missing_translations support for controllers.
 
-        safe_params = params.permit(:name)
-        safe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi"}
+    This configuration determines whether an error should be raised for missing translations.
+    It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
+    configuration also affects raising error for missing translations in views.
 
-    This change is consider a stopgap as we cannot change the code to stop
-    `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
-    in the next minor release.
+    *fatkodima*
 
-    *Prem Sichanugrist*
+*   Added `compact` and `compact!` to `ActionController::Parameters`.
 
-*   Deprecated `TagAssertions`.
+    *Eugene Kenny*
 
-    *Kasper Timm Hansen*
+*   Calling `each_pair` or `each_value` on an `ActionController::Parameters`
+    without passing a block now returns an enumerator.
 
-*   Use the Active Support JSON encoder for cookie jars using the `:json` or
-    `:hybrid` serializer. This allows you to serialize custom Ruby objects into
-    cookies by defining the `#as_json` hook on such objects.
+    *Eugene Kenny*
 
-    Fixes #16520.
+*   `fixture_file_upload` now uses path relative to `file_fixture_path`
 
-    *Godfrey Chan*
+    Previously the path had to be relative to `fixture_path`.
+    You can change your existing code as follow:
 
-*   Add `config.action_dispatch.cookies_digest` option for setting custom
-    digest. The default remains the same - 'SHA1'.
+    ```ruby
+    # Before
+    fixture_file_upload('files/dog.png')
 
-    *Łukasz Strzałkowski*
+    # After
+    fixture_file_upload('dog.png')
+    ```
 
-*   Move `respond_with` (and the class-level `respond_to`) to
-    the `responders` gem.
+    *Edouard Chin*
 
-    *José Valim*
+*   Remove deprecated `force_ssl` at the controller level.
 
-*   When your templates change, browser caches bust automatically.
+    *Rafael Mendonça França*
 
-    New default: the template digest is automatically included in your ETags.
-    When you call `fresh_when @post`, the digest for `posts/show.html.erb`
-    is mixed in so future changes to the HTML will blow HTTP caches for you.
-    This makes it easy to HTTP-cache many more of your actions.
+*   The +helper+ class method for controllers loads helper modules specified as
+    strings/symbols with `String#constantize` instead of `require_dependency`.
 
-    If you render a different template, you can now pass the `:template`
-    option to include its digest instead:
+    Remember that support for strings/symbols is only a convenient API. You can
+    always pass a module object:
 
-        fresh_when @post, template: 'widgets/show'
+    ```ruby
+    helper UtilsHelper
+    ```
 
-    Pass `template: false` to skip the lookup. To turn this off entirely, set:
+    which is recommended because it is simple and direct. When a string/symbol
+    is received, `helper` just manipulates and inflects the argument to obtain
+    that same module object.
 
-        config.action_controller.etag_with_template_digest = false
+    *Xavier Noria*, *Jean Boussier*
 
-    *Jeremy Kemper*
+*   Correctly identify the entire localhost IPv4 range as trusted proxy.
 
-*   Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
-    in favor of `AbstractController::Helpers::MissingHelperError`.
+    *Nick Soracco*
 
-    *Yves Senn*
+*   `url_for` will now use "https://" as the default protocol when
+    `Rails.application.config.force_ssl` is set to true.
 
-*   Fix `assert_template` not being able to assert that no files were rendered.
+    *Jonathan Hefner*
 
-    *Guo Xiang Tan*
+*   Accept and default to base64_urlsafe CSRF tokens.
 
-*   Extract source code for the entire exception stack trace for
-    better debugging and diagnosis.
+    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+    them difficult to deal with. For example, the common practice of sending
+    the CSRF token to a browser in a client-readable cookie does not work properly
+    out of the box: the value has to be url-encoded and decoded to survive transport.
 
-    *Ryan Dao*
+    Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
+    to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
+    for backwards compatibility.
 
-*   Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
-    loopback address.
+    *Scott Blum*
 
-    *Earl St Sauver*, *Sven Riedel*
+*   Support rolling deploys for cookie serialization/encryption changes.
 
-*   Preserve original path in `ShowExceptions` middleware by stashing it as
-    `env["action_dispatch.original_path"]`
+    In a distributed configuration like rolling update, users may observe
+    both old and new instances during deployment. Users may be served by a
+    new instance and then by an old instance.
 
-    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
-    for the exception defined in `ExceptionWrapper`, so the path
-    the user was visiting when an exception occurred was not previously
-    available to any custom exceptions_app. The original `PATH_INFO` is now
-    stashed in `env["action_dispatch.original_path"]`.
+    That means when the server changes `cookies_serializer` from `:marshal`
+    to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
+    from `false` to `true`, users may lose their sessions if they access the
+    server during deployment.
 
-    *Grey Baker*
+    We added fallbacks to downgrade the cookie format when necessary during
+    deployment, ensuring compatibility on both old and new instances.
 
-*   Use `String#bytesize` instead of `String#size` when checking for cookie
-    overflow.
+    *Masaki Hara*
 
-    *Agis Anastasopoulos*
+*   `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
 
-*   `render nothing: true` or rendering a `nil` body no longer add a single
-    space to the response body.
+    Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
+    Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
 
-    The old behavior was added as a workaround for a bug in an early version of
-    Safari, where the HTTP headers are not returned correctly if the response
-    body has a 0-length. This is been fixed since and the workaround is no
-    longer necessary.
+    *Keenan Brock*
 
-    Use `render body: ' '` if the old behavior is desired.
+*   Fix possible information leak / session hijacking vulnerability.
 
-    See #14883 for details.
+    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
+    gem dalli to be updated as well.
 
-    *Godfrey Chan*
+    CVE-2019-16782.
 
-*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
-    ("Rosetta Flash").
+*   Include child session assertion count in ActionDispatch::IntegrationTest.
 
-    *Greg Campbell*
+    `IntegrationTest#open_session` uses `dup` to create the new session, which
+    meant it had its own copy of `@assertions`. This prevented the assertions
+    from being correctly counted and reported.
 
-*   Because URI paths may contain non US-ASCII characters we need to force
-    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
-    This essentially replicates the functionality of the monkey patch to
-    URI.parser.unescape in active_support/core_ext/uri.rb.
+    Child sessions now have their `attr_accessor` overridden to delegate to the
+    root session.
 
-    Fixes #16104.
+    Fixes #32142.
 
-    *Karl Entwistle*
+    *Sam Bostock*
 
-*   Generate shallow paths for all children of shallow resources.
+*   Add SameSite protection to every written cookie.
 
-    Fixes #15783.
+    Enabling `SameSite` cookie protection is an addition to CSRF protection,
+    where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
 
-    *Seb Jacobs*
+    `:strict` disables cookies being sent in cross-site GET or POST requests.
 
-*   JSONP responses are now rendered with the `text/javascript` content type
-    when rendering through a `respond_to` block.
+    Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
 
-    Fixes #15081.
+    See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
 
-    *Lucas Mazza*
+    More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
 
-*   Add `config.action_controller.always_permitted_parameters` to configure which
-    parameters are permitted globally. The default value of this configuration is
-    `['controller', 'action']`.
+    _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
 
-    *Gary S. Weaver*, *Rafael Chacon*
+    *Cédric Fabianski*
 
-*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
+*   Bring back the feature that allows loading external route files from the router.
 
-    Fixes #15511.
+    This feature existed back in 2012 but got reverted with the incentive that
+    https://github.com/rails/routing_concerns was a better approach. Turned out
+    that this wasn't fully the case and loading external route files from the router
+    can be helpful for applications with a really large set of routes.
+    Without this feature, application needs to implement routes reloading
+    themselves and it's not straightforward.
 
-    *Larry Lv*
+    ```ruby
+    # config/routes.rb
 
-*   ActionController::Parameters#require now accepts `false` values.
+    Rails.application.routes.draw do
+      draw(:admin)
+    end
 
-    Fixes #15685.
+    # config/routes/admin.rb
 
-    *Sergio Romano*
+    get :foo, to: 'foo#bar'
+    ```
 
-*   With authorization header `Authorization: Token token=`, `authenticate` now
-    recognize token as nil, instead of "token".
+    *Yehuda Katz*, *Edouard Chin*
 
-    Fixes #14846.
+*   Fix system test driver option initialization for non-headless browsers.
 
-    *Larry Lv*
+    *glaszig*
 
-*   Ensure the controller is always notified as soon as the client disconnects
-    during live streaming, even when the controller is blocked on a write.
+*   `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
+    their payloads as `:request`.
 
-    *Nicholas Jakobsen*, *Matthew Draper*
+    *Austin Story*
 
-*   Routes specifying 'to:' must be a string that contains a "#" or a rack
-    application.  Use of a symbol should be replaced with `action: symbol`.
-    Use of a string without a "#" should be replaced with `controller: string`.
+*   `respond_to#any` no longer returns a response's Content-Type based on the
+    request format but based on the block given.
 
-    *Aaron Patterson*
+    Example:
 
-*   Fix URL generation with `:trailing_slash` such that it does not add
-    a trailing slash after `.:format`
+    ```ruby
+      def my_action
+        respond_to do |format|
+          format.any { render(json: { foo: 'bar' }) }
+        end
+      end
 
-    *Dan Langevin*
+      get('my_action.csv')
+    ```
 
-*   Build full URI as string when processing path in integration tests for
-    performance reasons. One consequence of this is that the leading slash
-    is now required in integration test `process` helpers, whereas previously
-    it could be omitted. The fact that this worked was a unintended consequence
-    of the implementation and was never an intentional feature.
+    The previous behaviour was to respond with a `text/csv` Content-Type which
+    is inaccurate since a JSON response is being rendered.
 
-    *Guo Xiang Tan*
+    Now it correctly returns a `application/json` Content-Type.
 
-*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
-    called 'status' in a controller.
+    *Edouard Chin*
 
-    Fixes #13905.
+*   Replaces (back)slashes in failure screenshot image paths with dashes.
 
-    *Christiaan Van den Poel*
+    If a failed test case contained a slash or a backslash, a screenshot would be created in a
+    nested directory, causing issues with `tmp:clear`.
 
-*   Add MKCALENDAR HTTP method (RFC 4791).
+    *Damir Zekic*
 
-    *Sergey Karpesh*
+*   Add `params.member?` to mimic Hash behavior.
 
-*   Instrument fragment cache metrics.
+    *Younes Serraj*
 
-    Adds `:controller`: and `:action` keys to the instrumentation payload
-    for the `*_fragment.action_controller` notifications. This allows tracking
-    e.g. the fragment cache hit rates for each controller action.
+*   `process_action.action_controller` notifications now include the following in their payloads:
 
-    *Daniel Schierbeck*
+    * `:request` - the `ActionDispatch::Request`
+    * `:response` - the `ActionDispatch::Response`
 
-*   Always use the provided port if the protocol is relative.
+    *George Claghorn*
 
-    Fixes #15043.
+*   Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
+    `remote_ip` to `nil` before setting the header that the value is derived
+    from.
 
-    *Guilherme Cavalcanti*, *Andrew White*
+    Fixes #37383.
 
-*   Moved `params[request_forgery_protection_token]` into its own method
-    and improved tests.
+    *Norm Provost*
 
-    Fixes #11316.
+*   `ActionController::Base.log_at` allows setting a different log level per request.
 
-    *Tom Kadwill*
+    ```ruby
+    # Use the debug level if a particular cookie is set.
+    class ApplicationController < ActionController::Base
+      log_at :debug, if: -> { cookies[:debug] }
+    end
+    ```
 
-*   Added verification of route constraints given as a Proc or an object responding
-    to `:matches?`. Previously, when given an non-complying object, it would just
-    silently fail to enforce the constraint. It will now raise an `ArgumentError`
-    when setting up the routes.
+    *George Claghorn*
 
-    *Xavier Defrang*
+*   Allow system test screen shots to be taken more than once in
+    a test by prefixing the file name with an incrementing counter.
 
-*   Properly treat the entire IPv6 User Local Address space as private for
-    purposes of remote IP detection. Also handle uppercase private IPv6
-    addresses.
+    Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
+    enable saving of HTML during a screenshot in addition to the image.
+    This uses the same image name, with the extension replaced with `.html`
 
-    Fixes #12638.
+    *Tom Fakes*
 
-    *Caleb Spare*
+*   Add `Vary: Accept` header when using `Accept` header for response.
 
-*   Fixed an issue with migrating legacy json cookies.
+    For some requests like `/users/1`, Rails uses requests' `Accept`
+    header to determine what to return. And if we don't add `Vary`
+    in the response header, browsers might accidentally cache different
+    types of content, which would cause issues: e.g. javascript got displayed
+    instead of html content. This PR fixes these issues by adding `Vary: Accept`
+    in these types of requests. For more detailed problem description, please read:
 
-    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
-    cookies are marshal-encoded. This is not the case when `secret_token` is
-    used in conjunction with the `:json` or `:hybrid` serializer.
+    https://github.com/rails/rails/pull/36213
 
-    In those case, when upgrading to use `secret_key_base`, this would cause a
-    `TypeError: incompatible marshal file format` and a 500 error for the user.
+    Fixes #25842.
 
-    Fixes #14774.
+    *Stan Lo*
 
-    *Godfrey Chan*
+*   Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
+    a 307 redirection.
 
-*   Make URL escaping more consistent:
+    *Edouard Chin*
 
-    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
-    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
-    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
-    4. Use `escape_segment` rather than `escape_path` in URL generation
+*   System tests require Capybara 3.26 or newer.
 
-    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
-    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
-    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
-    is used in the path then this uses `escape_path` as the controller may be namespaced.
+    *George Claghorn*
 
-    Fixes #14629, #14636 and #14070.
+*   Reduced log noise handling ActionController::RoutingErrors.
 
-    *Andrew White*, *Edho Arief*
+    *Alberto Fernández-Capel*
 
-*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
-    `ActionDispatch::Http::UploadedFile#tempfile`.
+*   Add DSL for configuring HTTP Feature Policy.
 
-    *Tim Linquist*
+    This new DSL provides a way to configure an HTTP Feature Policy at a
+    global or per-controller level. Full details of HTTP Feature Policy
+    specification and guidelines can be found at MDN:
 
-*   Returns null type format when format is not know and controller is using `any`
-    format block.
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
 
-    Fixes #14462.
+    Example global policy:
 
-    *Rafael Mendonça França*
+    ```ruby
+    Rails.application.config.feature_policy do |f|
+      f.camera      :none
+      f.gyroscope   :none
+      f.microphone  :none
+      f.usb         :none
+      f.fullscreen  :self
+      f.payment     :self, "https://secure.example.com"
+    end
+    ```
 
-*   Improve routing error page with fuzzy matching search.
+    Example controller level policy:
 
-    *Winston*
+    ```ruby
+    class PagesController < ApplicationController
+      feature_policy do |p|
+        p.geolocation "https://example.com"
+      end
+    end
+    ```
 
-*   Only make deeply nested routes shallow when parent is shallow.
+    *Jacob Bednarz*
 
-    Fixes #14684.
+*   Add the ability to set the CSP nonce only to the specified directives.
 
-    *Andrew White*, *James Coglan*
+    Fixes #35137.
 
-*   Append link to bad code to backtrace when exception is `SyntaxError`.
+    *Yuji Yaginuma*
 
-    *Boris Kuznetsov*
+*   Keep part when scope option has value.
 
-*   Swapped the parameters of assert_equal in `assert_select` so that the
-    proper values were printed correctly.
+    When a route was defined within an optional scope, if that route didn't
+    take parameters the scope was lost when using path helpers. This commit
+    ensures scope is kept both when the route takes parameters or when it
+    doesn't.
 
-    Fixes #14422.
+    Fixes #33219.
 
-    *Vishal Lal*
+    *Alberto Almagro*
 
-*   The method `shallow?` returns false if the parent resource is a singleton so
-    we need to check if we're not inside a nested scope before copying the :path
-    and :as options to their shallow equivalents.
+*   Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
 
-    Fixes #14388.
+    *Gustavo Gutierrez*
 
-    *Andrew White*
+*   Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
+    an enumerator for the parameters instead of the underlying hash.
 
-*   Make logging of CSRF failures optional (but on by default) with the
-    `log_warning_on_csrf_failure` configuration setting in
-    `ActionController::RequestForgeryProtection`.
+    *Eugene Kenny*
 
-    *John Barton*
+*   Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
+    It should only block invalid key's values instead.
 
-*   Fix URL generation in controller tests with request-dependent
-    `default_url_options` methods.
+    *Stan Lo*
 
-    *Tony Wooster*
 
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.