actionpack 4.2.10 → 6.1.4.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +318 -460
- data/MIT-LICENSE +1 -1
- data/README.rdoc +9 -9
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +81 -51
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +64 -17
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +61 -33
- data/lib/abstract_controller/collector.rb +9 -13
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +115 -99
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +21 -3
- data/lib/abstract_controller/rendering.rb +48 -47
- data/lib/abstract_controller/translation.rb +17 -8
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +13 -5
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +150 -0
- data/lib/action_controller/base.rb +29 -24
- data/lib/action_controller/caching.rb +12 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +17 -19
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +134 -46
- data/lib/action_controller/metal/content_security_policy.rb +51 -0
- data/lib/action_controller/metal/cookies.rb +6 -4
- data/lib/action_controller/metal/data_streaming.rb +30 -50
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +21 -16
- data/lib/action_controller/metal/exceptions.rb +63 -15
- data/lib/action_controller/metal/flash.rb +9 -8
- data/lib/action_controller/metal/head.rb +26 -21
- data/lib/action_controller/metal/helpers.rb +37 -18
- data/lib/action_controller/metal/http_authentication.rb +81 -73
- data/lib/action_controller/metal/implicit_render.rb +53 -9
- data/lib/action_controller/metal/instrumentation.rb +32 -35
- data/lib/action_controller/metal/live.rb +110 -119
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +49 -47
- data/lib/action_controller/metal/parameter_encoding.rb +82 -0
- data/lib/action_controller/metal/params_wrapper.rb +84 -66
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +53 -32
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +77 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +267 -103
- data/lib/action_controller/metal/rescue.rb +10 -17
- data/lib/action_controller/metal/streaming.rb +12 -11
- data/lib/action_controller/metal/strong_parameters.rb +714 -186
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/metal.rb +104 -87
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +3 -1
- data/lib/action_controller/renderer.rb +141 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +298 -421
- data/lib/action_controller.rb +34 -23
- data/lib/action_dispatch/http/cache.rb +108 -58
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +286 -0
- data/lib/action_dispatch/http/filter_parameters.rb +32 -25
- data/lib/action_dispatch/http/filter_redirect.rb +10 -12
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +82 -50
- data/lib/action_dispatch/http/mime_type.rb +153 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameters.rb +90 -40
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +226 -121
- data/lib/action_dispatch/http/response.rb +248 -113
- data/lib/action_dispatch/http/upload.rb +21 -7
- data/lib/action_dispatch/http/url.rb +182 -100
- data/lib/action_dispatch/journey/formatter.rb +91 -44
- data/lib/action_dispatch/journey/gtg/builder.rb +28 -41
- data/lib/action_dispatch/journey/gtg/simulator.rb +11 -16
- data/lib/action_dispatch/journey/gtg/transition_table.rb +23 -21
- data/lib/action_dispatch/journey/nfa/dot.rb +3 -14
- data/lib/action_dispatch/journey/nodes/node.rb +29 -15
- data/lib/action_dispatch/journey/parser.rb +17 -16
- data/lib/action_dispatch/journey/parser.y +4 -3
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +58 -54
- data/lib/action_dispatch/journey/route.rb +100 -32
- data/lib/action_dispatch/journey/router/utils.rb +29 -18
- data/lib/action_dispatch/journey/router.rb +55 -51
- data/lib/action_dispatch/journey/routes.rb +17 -17
- data/lib/action_dispatch/journey/scanner.rb +26 -17
- data/lib/action_dispatch/journey/visitors.rb +98 -54
- data/lib/action_dispatch/journey.rb +5 -5
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
- data/lib/action_dispatch/middleware/callbacks.rb +3 -6
- data/lib/action_dispatch/middleware/cookies.rb +347 -217
- data/lib/action_dispatch/middleware/debug_exceptions.rb +135 -63
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/debug_view.rb +66 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +115 -71
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/host_authorization.rb +124 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +32 -27
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +53 -45
- data/lib/action_dispatch/middleware/request_id.rb +17 -10
- data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -26
- data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
- data/lib/action_dispatch/middleware/session/cookie_store.rb +74 -75
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +28 -23
- data/lib/action_dispatch/middleware/ssl.rb +118 -35
- data/lib/action_dispatch/middleware/stack.rb +82 -41
- data/lib/action_dispatch/middleware/static.rb +156 -89
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -14
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +16 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +105 -8
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +87 -64
- data/lib/action_dispatch/railtie.rb +27 -13
- data/lib/action_dispatch/request/session.rb +109 -61
- data/lib/action_dispatch/request/utils.rb +90 -23
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +141 -102
- data/lib/action_dispatch/routing/mapper.rb +811 -473
- data/lib/action_dispatch/routing/polymorphic_routes.rb +167 -143
- data/lib/action_dispatch/routing/redirection.rb +37 -27
- data/lib/action_dispatch/routing/route_set.rb +363 -331
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +66 -26
- data/lib/action_dispatch/routing.rb +36 -36
- data/lib/action_dispatch/system_test_case.rb +190 -0
- data/lib/action_dispatch/system_testing/browser.rb +86 -0
- data/lib/action_dispatch/system_testing/driver.rb +67 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +138 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +29 -0
- data/lib/action_dispatch/testing/assertion_response.rb +46 -0
- data/lib/action_dispatch/testing/assertions/response.rb +44 -22
- data/lib/action_dispatch/testing/assertions/routing.rb +47 -31
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/integration.rb +391 -220
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +53 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +11 -11
- data/lib/action_dispatch.rb +35 -21
- data/lib/action_pack/gem_version.rb +6 -4
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +4 -2
- metadata +78 -49
- data/lib/action_controller/metal/force_ssl.rb +0 -97
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/http/parameter_filter.rb +0 -72
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
data/CHANGELOG.md
CHANGED
@@ -1,670 +1,528 @@
|
|
1
|
-
## Rails 4.
|
1
|
+
## Rails 6.1.4.1 (August 19, 2021) ##
|
2
2
|
|
3
|
-
* Fix
|
3
|
+
* [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
|
4
4
|
|
5
|
-
|
6
|
-
|
7
|
-
|
5
|
+
Specially crafted "X-Forwarded-Host" headers in combination with certain
|
6
|
+
"allowed host" formats can cause the Host Authorization middleware in Action
|
7
|
+
Pack to redirect users to a malicious website.
|
8
8
|
|
9
|
-
|
9
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
10
10
|
|
11
|
-
|
11
|
+
* Ignore file fixtures on `db:fixtures:load`
|
12
12
|
|
13
|
-
*
|
13
|
+
*Kevin Sjöberg*
|
14
14
|
|
15
|
-
|
16
|
-
and will match things like `:format_id` where there are nested resources, e.g:
|
15
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
17
16
|
|
18
|
-
|
19
|
-
resources :formats do
|
20
|
-
resources :items
|
21
|
-
end
|
22
|
-
```
|
17
|
+
*Dylan Thacker-Smith*
|
23
18
|
|
24
|
-
|
25
|
-
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
26
|
-
allow for multiple closing parenthesis since the route may be of this form:
|
27
|
-
|
28
|
-
``` ruby
|
29
|
-
get "/books(/:action(.:format))", controller: "books"
|
30
|
-
```
|
19
|
+
* Correctly place optional path parameter booleans.
|
31
20
|
|
32
|
-
|
33
|
-
|
21
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
22
|
+
of the path as parameter for example:
|
34
23
|
|
35
|
-
|
24
|
+
```
|
25
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
26
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
27
|
+
```
|
36
28
|
|
37
|
-
|
29
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
38
30
|
|
31
|
+
```
|
32
|
+
get '(this/:my_bool)/that' as: :that
|
39
33
|
|
40
|
-
|
34
|
+
that_path(my_bool: true) # => `/this/true/that`
|
35
|
+
that_path(my_bool: false) # => `/this/false/that`
|
36
|
+
```
|
41
37
|
|
42
|
-
*
|
38
|
+
*Adam Hess*
|
43
39
|
|
40
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
44
41
|
|
45
|
-
|
42
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
46
43
|
|
47
|
-
*
|
44
|
+
*Alex Smith*
|
48
45
|
|
49
46
|
|
50
|
-
## Rails
|
47
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
51
48
|
|
52
|
-
*
|
49
|
+
* Prevent open redirects by correctly escaping the host allow list
|
50
|
+
CVE-2021-22903
|
53
51
|
|
52
|
+
* Prevent catastrophic backtracking during mime parsing
|
53
|
+
CVE-2021-22902
|
54
54
|
|
55
|
-
|
55
|
+
* Prevent regex DoS in HTTP token authentication
|
56
|
+
CVE-2021-22904
|
56
57
|
|
57
|
-
*
|
58
|
+
* Prevent string polymorphic route arguments.
|
58
59
|
|
59
|
-
|
60
|
+
`url_for` supports building polymorphic URLs via an array
|
61
|
+
of arguments (usually symbols and records). If a developer passes a
|
62
|
+
user input array, strings can result in unwanted route helper calls.
|
60
63
|
|
61
|
-
|
64
|
+
CVE-2021-22885
|
62
65
|
|
66
|
+
*Gannon McGibbon*
|
63
67
|
|
64
|
-
## Rails
|
68
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
65
69
|
|
66
70
|
* No changes.
|
67
71
|
|
68
72
|
|
69
|
-
## Rails
|
70
|
-
|
71
|
-
* `ActionController::TestCase` can teardown gracefully if an error is raised
|
72
|
-
early in the `setup` chain.
|
73
|
-
|
74
|
-
*Yves Senn*
|
75
|
-
|
76
|
-
* Parse RSS/ATOM responses as XML, not HTML.
|
77
|
-
|
78
|
-
*Alexander Kaupanin*
|
79
|
-
|
80
|
-
* Fix regression in mounted engine named routes generation for app deployed to
|
81
|
-
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
82
|
-
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
83
|
-
|
84
|
-
Fixes #20920. Fixes #21459.
|
85
|
-
|
86
|
-
*Matthew Erhard*
|
87
|
-
|
88
|
-
* `url_for` does not modify its arguments when generating polymorphic URLs.
|
89
|
-
|
90
|
-
*Bernerd Schaefer*
|
91
|
-
|
92
|
-
* Update `ActionController::TestSession#fetch` to behave more like
|
93
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
94
|
-
|
95
|
-
*Jeremy Friesen*
|
96
|
-
|
97
|
-
|
98
|
-
## Rails 4.2.4 (August 24, 2015) ##
|
99
|
-
|
100
|
-
* ActionController::TestSession now accepts a default value as well as
|
101
|
-
a block for generating a default value based off the key provided.
|
73
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
102
74
|
|
103
|
-
|
104
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
105
|
-
number of arguments (2 for 1)` when performing controller tests.
|
75
|
+
* Re-define routes when not set correctly via inheritance.
|
106
76
|
|
107
|
-
*
|
77
|
+
*John Hawthorn*
|
108
78
|
|
109
|
-
* Fix to keep original header instance in `ActionDispatch::SSL`
|
110
79
|
|
111
|
-
|
112
|
-
So some headers will be broken if there are some middlewares
|
113
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
80
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
114
81
|
|
115
|
-
|
82
|
+
* Prevent open redirect when allowed host starts with a dot
|
116
83
|
|
84
|
+
[CVE-2021-22881]
|
117
85
|
|
118
|
-
|
86
|
+
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
87
|
+
issue and the patch!
|
119
88
|
|
120
|
-
*
|
121
|
-
nesting multiple routes.
|
122
|
-
|
123
|
-
See #18373.
|
124
|
-
|
125
|
-
*Ravil Bayramgalin*
|
126
|
-
|
127
|
-
* Fix regression where a gzip file response would have a Content-type,
|
128
|
-
even when it was a 304 status code.
|
129
|
-
|
130
|
-
See #19271.
|
131
|
-
|
132
|
-
*Kohei Suzuki*
|
133
|
-
|
134
|
-
* Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
|
135
|
-
|
136
|
-
Previously, an empty X_FORWARDED_HOST header would cause
|
137
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
138
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
89
|
+
*Aaron Patterson*
|
139
90
|
|
140
|
-
*Adam Forsyth*
|
141
91
|
|
142
|
-
|
92
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
143
93
|
|
144
|
-
|
145
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
146
|
-
is set, it takes precedence.
|
94
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
147
95
|
|
148
|
-
|
96
|
+
*Janko Marohnić*
|
149
97
|
|
150
|
-
|
98
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
151
99
|
|
152
|
-
*
|
153
|
-
assigned.
|
100
|
+
*Eugene Kenny*
|
154
101
|
|
155
|
-
See #18423.
|
156
102
|
|
157
|
-
|
103
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
158
104
|
|
105
|
+
* Fix nil translation key lookup in controllers/
|
159
106
|
|
160
|
-
|
107
|
+
*Jan Klimo*
|
161
108
|
|
162
|
-
*
|
109
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
163
110
|
|
111
|
+
*Alex Robbin*
|
164
112
|
|
165
|
-
|
113
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
166
114
|
|
167
|
-
*
|
168
|
-
the masked token.
|
115
|
+
*Alex Robbin*
|
169
116
|
|
170
|
-
*Ville Lautanala*
|
171
117
|
|
172
|
-
|
118
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
173
119
|
|
174
|
-
|
175
|
-
|
120
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
121
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
176
122
|
|
177
|
-
Example:
|
178
123
|
```ruby
|
179
|
-
|
180
|
-
|
181
|
-
|
124
|
+
Rails.application.config.permissions_policy do |p|
|
125
|
+
p.camera :none
|
126
|
+
p.gyroscope :none
|
127
|
+
p.microphone :none
|
128
|
+
p.usb :none
|
129
|
+
p.fullscreen :self
|
130
|
+
p.payment :self, "https://secure-example.com"
|
182
131
|
end
|
183
|
-
head '/home'
|
184
|
-
assert_response :success
|
185
132
|
```
|
186
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
187
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
188
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
189
|
-
|
190
|
-
*Terence Sun*
|
191
|
-
|
192
|
-
* Preserve default format when generating URLs
|
193
|
-
|
194
|
-
Fixes an issue that would cause the format set in default_url_options to be
|
195
|
-
lost when generating URLs with fewer positional arguments than parameters in
|
196
|
-
the route definition.
|
197
|
-
|
198
|
-
Backport of #18627
|
199
|
-
|
200
|
-
*Tekin Suleyman*, *Dominic Baggott*
|
201
|
-
|
202
|
-
* Default headers, removed in controller actions, are no longer reapplied on
|
203
|
-
the test response.
|
204
|
-
|
205
|
-
*Jonas Baumann*
|
206
|
-
|
207
|
-
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
208
|
-
|
209
|
-
Fixes an issue where when an exception is raised in the request the additonal
|
210
|
-
payload data is not available.
|
211
|
-
|
212
|
-
See:
|
213
|
-
* #14903
|
214
|
-
* https://github.com/roidrage/lograge/issues/37
|
215
|
-
|
216
|
-
*Dieter Komendera*, *Margus Pärt*
|
217
|
-
|
218
|
-
* Correctly rely on the response's status code to handle calls to `head`.
|
219
|
-
|
220
|
-
*Robin Dupret*
|
221
|
-
|
222
|
-
* Using `head` method returns empty response_body instead
|
223
|
-
of returning a single space " ".
|
224
133
|
|
225
|
-
|
226
|
-
version of Safari, where the HTTP headers are not returned correctly
|
227
|
-
if the response body has a 0-length. This is been fixed since and
|
228
|
-
the workaround is no longer necessary.
|
134
|
+
*Julien Grillot*
|
229
135
|
|
230
|
-
|
136
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
231
137
|
|
232
|
-
|
138
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
233
139
|
|
234
|
-
*
|
140
|
+
*Chris Bisnett*
|
235
141
|
|
236
|
-
|
142
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
143
|
+
the unique X-Request-Id header
|
237
144
|
|
238
|
-
*
|
145
|
+
*Arlston Fernandes*
|
239
146
|
|
240
|
-
|
147
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
241
148
|
|
242
|
-
*
|
243
|
-
|
244
|
-
* Fixed usage of optional scopes in URL helpers.
|
245
|
-
|
246
|
-
*Alex Robbin*
|
247
|
-
|
248
|
-
|
249
|
-
## Rails 4.2.0 (December 20, 2014) ##
|
250
|
-
|
251
|
-
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
252
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
253
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
254
|
-
object in Rails 5.0.
|
255
|
-
|
256
|
-
*Prem Sichanugrist*
|
257
|
-
|
258
|
-
* Restore handling of a bare `Authorization` header, without `token=`
|
259
|
-
prefix.
|
260
|
-
|
261
|
-
Fixes #17108.
|
262
|
-
|
263
|
-
*Guo Xiang Tan*
|
264
|
-
|
265
|
-
* Deprecate use of string keys in URL helpers.
|
266
|
-
|
267
|
-
Use symbols instead.
|
268
|
-
Fixes #16958.
|
269
|
-
|
270
|
-
*Byron Bischoff*, *Melanie Gilman*
|
271
|
-
|
272
|
-
* Deprecate the `only_path` option on `*_path` helpers.
|
273
|
-
|
274
|
-
In cases where this option is set to `true`, the option is redundant and can
|
275
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
276
|
-
used instead.
|
277
|
-
|
278
|
-
Fixes #17294.
|
279
|
-
|
280
|
-
*Dan Olson*, *Godfrey Chan*
|
281
|
-
|
282
|
-
* Improve Journey compliance to RFC 3986.
|
283
|
-
|
284
|
-
The scanner in Journey failed to recognize routes that use literals
|
285
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
286
|
-
authorized delimiters and route as expected.
|
287
|
-
|
288
|
-
Fixes #17212.
|
289
|
-
|
290
|
-
*Nicolas Cavigneaux*
|
291
|
-
|
292
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
293
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
294
|
-
|
295
|
-
status, headers, body = response
|
149
|
+
*Rafael Mendonça França*
|
296
150
|
|
297
|
-
|
298
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
299
|
-
explicit conversion and splatting with `#to_a`:
|
151
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
300
152
|
|
301
|
-
|
153
|
+
*Rafael Mendonça França*
|
302
154
|
|
303
|
-
|
155
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
304
156
|
|
305
|
-
*
|
157
|
+
*Rafael Mendonça França*
|
306
158
|
|
307
|
-
|
308
|
-
and fails for JRuby in 1.9 mode.
|
159
|
+
* Added support for exclusive no-store Cache-Control header.
|
309
160
|
|
310
|
-
|
161
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
311
162
|
|
312
|
-
*
|
313
|
-
routes.
|
163
|
+
*Chris Kruger*
|
314
164
|
|
315
|
-
|
165
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
316
166
|
|
317
|
-
|
167
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
168
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
318
169
|
|
319
|
-
*
|
170
|
+
*Adrianna Chang*
|
320
171
|
|
321
|
-
|
172
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
322
173
|
|
323
|
-
|
324
|
-
config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
|
174
|
+
*Gannon McGibbon*
|
325
175
|
|
326
|
-
|
176
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
327
177
|
|
328
|
-
*
|
178
|
+
*Alan Tan*, *Oz Ben-David*
|
329
179
|
|
330
|
-
|
331
|
-
|
332
|
-
GET routes.
|
180
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
181
|
+
a 308 redirection.
|
333
182
|
|
334
|
-
*
|
183
|
+
*Alan Tan*
|
335
184
|
|
336
|
-
*
|
337
|
-
|
338
|
-
the client supports gzip and a compressed file is on disk.
|
185
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
186
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
339
187
|
|
340
|
-
*
|
188
|
+
*Jonathan Hefner*
|
341
189
|
|
342
|
-
* `
|
343
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
344
|
-
that is not available on `ActionController::Parameters` you should consider
|
345
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
190
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
346
191
|
|
347
|
-
|
192
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
193
|
+
Brotli files are preferred due to much better compression.
|
348
194
|
|
349
|
-
|
350
|
-
|
351
|
-
|
352
|
-
object which does not maintain `permitted?` status. If you would like to
|
353
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
354
|
-
before calling `#to_h`.
|
195
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
196
|
+
we check for public/some.js.br and serve that file, if present, with
|
197
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
355
198
|
|
356
|
-
|
357
|
-
name: 'Senjougahara Hitagi',
|
358
|
-
oddity: 'Heavy stone crab'
|
359
|
-
})
|
360
|
-
params.to_h
|
361
|
-
# => {}
|
199
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
362
200
|
|
363
|
-
|
364
|
-
unsafe_params.to_h
|
365
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
201
|
+
* Add raise_on_missing_translations support for controllers.
|
366
202
|
|
367
|
-
|
368
|
-
|
369
|
-
|
203
|
+
This configuration determines whether an error should be raised for missing translations.
|
204
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
205
|
+
configuration also affects raising error for missing translations in views.
|
370
206
|
|
371
|
-
|
372
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
373
|
-
in the next minor release.
|
207
|
+
*fatkodima*
|
374
208
|
|
375
|
-
|
209
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
376
210
|
|
377
|
-
*
|
211
|
+
*Eugene Kenny*
|
378
212
|
|
379
|
-
|
213
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
214
|
+
without passing a block now returns an enumerator.
|
380
215
|
|
381
|
-
*
|
382
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
383
|
-
cookies by defining the `#as_json` hook on such objects.
|
216
|
+
*Eugene Kenny*
|
384
217
|
|
385
|
-
|
218
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
386
219
|
|
387
|
-
|
220
|
+
Previously the path had to be relative to `fixture_path`.
|
221
|
+
You can change your existing code as follow:
|
388
222
|
|
389
|
-
|
390
|
-
|
223
|
+
```ruby
|
224
|
+
# Before
|
225
|
+
fixture_file_upload('files/dog.png')
|
391
226
|
|
392
|
-
|
227
|
+
# After
|
228
|
+
fixture_file_upload('dog.png')
|
229
|
+
```
|
393
230
|
|
394
|
-
*
|
395
|
-
the `responders` gem.
|
231
|
+
*Edouard Chin*
|
396
232
|
|
397
|
-
|
233
|
+
* Remove deprecated `force_ssl` at the controller level.
|
398
234
|
|
399
|
-
*
|
235
|
+
*Rafael Mendonça França*
|
400
236
|
|
401
|
-
|
402
|
-
|
403
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
404
|
-
This makes it easy to HTTP-cache many more of your actions.
|
237
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
238
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
405
239
|
|
406
|
-
|
407
|
-
|
240
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
241
|
+
always pass a module object:
|
408
242
|
|
409
|
-
|
243
|
+
```ruby
|
244
|
+
helper UtilsHelper
|
245
|
+
```
|
410
246
|
|
411
|
-
|
247
|
+
which is recommended because it is simple and direct. When a string/symbol
|
248
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
249
|
+
that same module object.
|
412
250
|
|
413
|
-
|
251
|
+
*Xavier Noria*, *Jean Boussier*
|
414
252
|
|
415
|
-
|
253
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
416
254
|
|
417
|
-
*
|
418
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
255
|
+
*Nick Soracco*
|
419
256
|
|
420
|
-
|
257
|
+
* `url_for` will now use "https://" as the default protocol when
|
258
|
+
`Rails.application.config.force_ssl` is set to true.
|
421
259
|
|
422
|
-
*
|
260
|
+
*Jonathan Hefner*
|
423
261
|
|
424
|
-
|
262
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
425
263
|
|
426
|
-
|
427
|
-
|
264
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
265
|
+
them difficult to deal with. For example, the common practice of sending
|
266
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
267
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
428
268
|
|
429
|
-
|
269
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
270
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
271
|
+
for backwards compatibility.
|
430
272
|
|
431
|
-
*
|
432
|
-
loopback address.
|
273
|
+
*Scott Blum*
|
433
274
|
|
434
|
-
|
275
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
435
276
|
|
436
|
-
|
437
|
-
|
277
|
+
In a distributed configuration like rolling update, users may observe
|
278
|
+
both old and new instances during deployment. Users may be served by a
|
279
|
+
new instance and then by an old instance.
|
438
280
|
|
439
|
-
|
440
|
-
|
441
|
-
|
442
|
-
|
443
|
-
stashed in `env["action_dispatch.original_path"]`.
|
281
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
282
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
283
|
+
from `false` to `true`, users may lose their sessions if they access the
|
284
|
+
server during deployment.
|
444
285
|
|
445
|
-
|
286
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
287
|
+
deployment, ensuring compatibility on both old and new instances.
|
446
288
|
|
447
|
-
*
|
448
|
-
overflow.
|
289
|
+
*Masaki Hara*
|
449
290
|
|
450
|
-
|
291
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
451
292
|
|
452
|
-
|
453
|
-
|
293
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
294
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
454
295
|
|
455
|
-
|
456
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
457
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
458
|
-
longer necessary.
|
296
|
+
*Keenan Brock*
|
459
297
|
|
460
|
-
|
298
|
+
* Fix possible information leak / session hijacking vulnerability.
|
461
299
|
|
462
|
-
|
300
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
301
|
+
gem dalli to be updated as well.
|
463
302
|
|
464
|
-
|
303
|
+
CVE-2019-16782.
|
465
304
|
|
466
|
-
*
|
467
|
-
("Rosetta Flash").
|
305
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
468
306
|
|
469
|
-
|
307
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
308
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
309
|
+
from being correctly counted and reported.
|
470
310
|
|
471
|
-
|
472
|
-
|
473
|
-
This essentially replicates the functionality of the monkey patch to
|
474
|
-
URI.parser.unescape in active_support/core_ext/uri.rb.
|
311
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
312
|
+
root session.
|
475
313
|
|
476
|
-
Fixes #
|
314
|
+
Fixes #32142.
|
477
315
|
|
478
|
-
*
|
316
|
+
*Sam Bostock*
|
479
317
|
|
480
|
-
*
|
318
|
+
* Add SameSite protection to every written cookie.
|
481
319
|
|
482
|
-
|
320
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
321
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
483
322
|
|
484
|
-
|
323
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
485
324
|
|
486
|
-
|
487
|
-
when rendering through a `respond_to` block.
|
325
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
488
326
|
|
489
|
-
|
327
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
490
328
|
|
491
|
-
|
329
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
492
330
|
|
493
|
-
|
494
|
-
parameters are permitted globally. The default value of this configuration is
|
495
|
-
`['controller', 'action']`.
|
331
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
496
332
|
|
497
|
-
*
|
333
|
+
*Cédric Fabianski*
|
498
334
|
|
499
|
-
*
|
335
|
+
* Bring back the feature that allows loading external route files from the router.
|
500
336
|
|
501
|
-
|
337
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
338
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
339
|
+
that this wasn't fully the case and loading external route files from the router
|
340
|
+
can be helpful for applications with a really large set of routes.
|
341
|
+
Without this feature, application needs to implement routes reloading
|
342
|
+
themselves and it's not straightforward.
|
502
343
|
|
503
|
-
|
344
|
+
```ruby
|
345
|
+
# config/routes.rb
|
504
346
|
|
505
|
-
|
347
|
+
Rails.application.routes.draw do
|
348
|
+
draw(:admin)
|
349
|
+
end
|
506
350
|
|
507
|
-
|
351
|
+
# config/routes/admin.rb
|
508
352
|
|
509
|
-
|
353
|
+
get :foo, to: 'foo#bar'
|
354
|
+
```
|
510
355
|
|
511
|
-
*
|
512
|
-
recognize token as nil, instead of "token".
|
356
|
+
*Yehuda Katz*, *Edouard Chin*
|
513
357
|
|
514
|
-
|
358
|
+
* Fix system test driver option initialization for non-headless browsers.
|
515
359
|
|
516
|
-
*
|
360
|
+
*glaszig*
|
517
361
|
|
518
|
-
*
|
519
|
-
|
362
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
363
|
+
their payloads as `:request`.
|
520
364
|
|
521
|
-
*
|
365
|
+
*Austin Story*
|
522
366
|
|
523
|
-
*
|
524
|
-
|
525
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
367
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
368
|
+
request format but based on the block given.
|
526
369
|
|
527
|
-
|
370
|
+
Example:
|
528
371
|
|
529
|
-
|
530
|
-
|
372
|
+
```ruby
|
373
|
+
def my_action
|
374
|
+
respond_to do |format|
|
375
|
+
format.any { render(json: { foo: 'bar' }) }
|
376
|
+
end
|
377
|
+
end
|
531
378
|
|
532
|
-
|
379
|
+
get('my_action.csv')
|
380
|
+
```
|
533
381
|
|
534
|
-
|
535
|
-
|
536
|
-
is now required in integration test `process` helpers, whereas previously
|
537
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
538
|
-
of the implementation and was never an intentional feature.
|
382
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
383
|
+
is inaccurate since a JSON response is being rendered.
|
539
384
|
|
540
|
-
|
385
|
+
Now it correctly returns a `application/json` Content-Type.
|
541
386
|
|
542
|
-
*
|
543
|
-
called 'status' in a controller.
|
387
|
+
*Edouard Chin*
|
544
388
|
|
545
|
-
|
389
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
546
390
|
|
547
|
-
|
391
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
392
|
+
nested directory, causing issues with `tmp:clear`.
|
548
393
|
|
549
|
-
*
|
394
|
+
*Damir Zekic*
|
550
395
|
|
551
|
-
|
396
|
+
* Add `params.member?` to mimic Hash behavior.
|
552
397
|
|
553
|
-
*
|
398
|
+
*Younes Serraj*
|
554
399
|
|
555
|
-
|
556
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
557
|
-
e.g. the fragment cache hit rates for each controller action.
|
400
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
558
401
|
|
559
|
-
*
|
402
|
+
* `:request` - the `ActionDispatch::Request`
|
403
|
+
* `:response` - the `ActionDispatch::Response`
|
560
404
|
|
561
|
-
*
|
405
|
+
*George Claghorn*
|
562
406
|
|
563
|
-
|
407
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
408
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
409
|
+
from.
|
564
410
|
|
565
|
-
|
411
|
+
Fixes #37383.
|
566
412
|
|
567
|
-
*
|
568
|
-
and improved tests.
|
413
|
+
*Norm Provost*
|
569
414
|
|
570
|
-
|
415
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
571
416
|
|
572
|
-
|
417
|
+
```ruby
|
418
|
+
# Use the debug level if a particular cookie is set.
|
419
|
+
class ApplicationController < ActionController::Base
|
420
|
+
log_at :debug, if: -> { cookies[:debug] }
|
421
|
+
end
|
422
|
+
```
|
573
423
|
|
574
|
-
*
|
575
|
-
to `:matches?`. Previously, when given an non-complying object, it would just
|
576
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
577
|
-
when setting up the routes.
|
424
|
+
*George Claghorn*
|
578
425
|
|
579
|
-
|
426
|
+
* Allow system test screen shots to be taken more than once in
|
427
|
+
a test by prefixing the file name with an incrementing counter.
|
580
428
|
|
581
|
-
|
582
|
-
|
583
|
-
|
429
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
430
|
+
enable saving of HTML during a screenshot in addition to the image.
|
431
|
+
This uses the same image name, with the extension replaced with `.html`
|
584
432
|
|
585
|
-
|
433
|
+
*Tom Fakes*
|
586
434
|
|
587
|
-
|
435
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
588
436
|
|
589
|
-
|
437
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
438
|
+
header to determine what to return. And if we don't add `Vary`
|
439
|
+
in the response header, browsers might accidentally cache different
|
440
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
441
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
442
|
+
in these types of requests. For more detailed problem description, please read:
|
590
443
|
|
591
|
-
|
592
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
593
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
444
|
+
https://github.com/rails/rails/pull/36213
|
594
445
|
|
595
|
-
|
596
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
446
|
+
Fixes #25842.
|
597
447
|
|
598
|
-
|
448
|
+
*Stan Lo*
|
599
449
|
|
600
|
-
|
450
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
451
|
+
a 307 redirection.
|
601
452
|
|
602
|
-
*
|
453
|
+
*Edouard Chin*
|
603
454
|
|
604
|
-
|
605
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
606
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
607
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
455
|
+
* System tests require Capybara 3.26 or newer.
|
608
456
|
|
609
|
-
|
610
|
-
(e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
|
611
|
-
means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
|
612
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
457
|
+
*George Claghorn*
|
613
458
|
|
614
|
-
|
459
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
615
460
|
|
616
|
-
*
|
461
|
+
*Alberto Fernández-Capel*
|
617
462
|
|
618
|
-
* Add
|
619
|
-
`ActionDispatch::Http::UploadedFile#tempfile`.
|
463
|
+
* Add DSL for configuring HTTP Feature Policy.
|
620
464
|
|
621
|
-
|
465
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
466
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
467
|
+
specification and guidelines can be found at MDN:
|
622
468
|
|
623
|
-
|
624
|
-
format block.
|
469
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
625
470
|
|
626
|
-
|
471
|
+
Example global policy:
|
627
472
|
|
628
|
-
|
473
|
+
```ruby
|
474
|
+
Rails.application.config.feature_policy do |f|
|
475
|
+
f.camera :none
|
476
|
+
f.gyroscope :none
|
477
|
+
f.microphone :none
|
478
|
+
f.usb :none
|
479
|
+
f.fullscreen :self
|
480
|
+
f.payment :self, "https://secure.example.com"
|
481
|
+
end
|
482
|
+
```
|
629
483
|
|
630
|
-
|
484
|
+
Example controller level policy:
|
631
485
|
|
632
|
-
|
486
|
+
```ruby
|
487
|
+
class PagesController < ApplicationController
|
488
|
+
feature_policy do |p|
|
489
|
+
p.geolocation "https://example.com"
|
490
|
+
end
|
491
|
+
end
|
492
|
+
```
|
633
493
|
|
634
|
-
*
|
494
|
+
*Jacob Bednarz*
|
635
495
|
|
636
|
-
|
496
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
637
497
|
|
638
|
-
|
498
|
+
Fixes #35137.
|
639
499
|
|
640
|
-
*
|
500
|
+
*Yuji Yaginuma*
|
641
501
|
|
642
|
-
|
502
|
+
* Keep part when scope option has value.
|
643
503
|
|
644
|
-
|
645
|
-
|
504
|
+
When a route was defined within an optional scope, if that route didn't
|
505
|
+
take parameters the scope was lost when using path helpers. This commit
|
506
|
+
ensures scope is kept both when the route takes parameters or when it
|
507
|
+
doesn't.
|
646
508
|
|
647
|
-
Fixes #
|
509
|
+
Fixes #33219.
|
648
510
|
|
649
|
-
*
|
511
|
+
*Alberto Almagro*
|
650
512
|
|
651
|
-
*
|
652
|
-
we need to check if we're not inside a nested scope before copying the :path
|
653
|
-
and :as options to their shallow equivalents.
|
513
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
654
514
|
|
655
|
-
|
515
|
+
*Gustavo Gutierrez*
|
656
516
|
|
657
|
-
|
517
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
518
|
+
an enumerator for the parameters instead of the underlying hash.
|
658
519
|
|
659
|
-
*
|
660
|
-
`log_warning_on_csrf_failure` configuration setting in
|
661
|
-
`ActionController::RequestForgeryProtection`.
|
520
|
+
*Eugene Kenny*
|
662
521
|
|
663
|
-
|
522
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
523
|
+
It should only block invalid key's values instead.
|
664
524
|
|
665
|
-
*
|
666
|
-
`default_url_options` methods.
|
525
|
+
*Stan Lo*
|
667
526
|
|
668
|
-
*Tony Wooster*
|
669
527
|
|
670
|
-
Please check [
|
528
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|