actionpack 4.2.10 → 6.1.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +311 -461
- data/MIT-LICENSE +1 -1
- data/README.rdoc +9 -9
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +81 -51
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +64 -17
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +61 -33
- data/lib/abstract_controller/collector.rb +9 -13
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +115 -99
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +21 -3
- data/lib/abstract_controller/rendering.rb +48 -47
- data/lib/abstract_controller/translation.rb +17 -8
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +13 -5
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +150 -0
- data/lib/action_controller/base.rb +29 -24
- data/lib/action_controller/caching.rb +12 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +17 -19
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +134 -46
- data/lib/action_controller/metal/content_security_policy.rb +51 -0
- data/lib/action_controller/metal/cookies.rb +6 -4
- data/lib/action_controller/metal/data_streaming.rb +30 -50
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +21 -16
- data/lib/action_controller/metal/exceptions.rb +63 -15
- data/lib/action_controller/metal/flash.rb +9 -8
- data/lib/action_controller/metal/head.rb +26 -21
- data/lib/action_controller/metal/helpers.rb +37 -18
- data/lib/action_controller/metal/http_authentication.rb +81 -73
- data/lib/action_controller/metal/implicit_render.rb +53 -9
- data/lib/action_controller/metal/instrumentation.rb +32 -35
- data/lib/action_controller/metal/live.rb +110 -119
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +49 -47
- data/lib/action_controller/metal/parameter_encoding.rb +82 -0
- data/lib/action_controller/metal/params_wrapper.rb +84 -66
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +53 -32
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +77 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +267 -103
- data/lib/action_controller/metal/rescue.rb +10 -17
- data/lib/action_controller/metal/streaming.rb +12 -11
- data/lib/action_controller/metal/strong_parameters.rb +714 -186
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/metal.rb +104 -87
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +3 -1
- data/lib/action_controller/renderer.rb +141 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +298 -421
- data/lib/action_controller.rb +34 -23
- data/lib/action_dispatch/http/cache.rb +108 -58
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +286 -0
- data/lib/action_dispatch/http/filter_parameters.rb +32 -25
- data/lib/action_dispatch/http/filter_redirect.rb +10 -12
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +82 -50
- data/lib/action_dispatch/http/mime_type.rb +153 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameters.rb +90 -40
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +226 -121
- data/lib/action_dispatch/http/response.rb +248 -113
- data/lib/action_dispatch/http/upload.rb +21 -7
- data/lib/action_dispatch/http/url.rb +182 -100
- data/lib/action_dispatch/journey/formatter.rb +91 -44
- data/lib/action_dispatch/journey/gtg/builder.rb +28 -41
- data/lib/action_dispatch/journey/gtg/simulator.rb +11 -16
- data/lib/action_dispatch/journey/gtg/transition_table.rb +23 -21
- data/lib/action_dispatch/journey/nfa/dot.rb +3 -14
- data/lib/action_dispatch/journey/nodes/node.rb +29 -15
- data/lib/action_dispatch/journey/parser.rb +17 -16
- data/lib/action_dispatch/journey/parser.y +4 -3
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +58 -54
- data/lib/action_dispatch/journey/route.rb +100 -32
- data/lib/action_dispatch/journey/router/utils.rb +29 -18
- data/lib/action_dispatch/journey/router.rb +55 -51
- data/lib/action_dispatch/journey/routes.rb +17 -17
- data/lib/action_dispatch/journey/scanner.rb +26 -17
- data/lib/action_dispatch/journey/visitors.rb +98 -54
- data/lib/action_dispatch/journey.rb +5 -5
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
- data/lib/action_dispatch/middleware/callbacks.rb +3 -6
- data/lib/action_dispatch/middleware/cookies.rb +347 -217
- data/lib/action_dispatch/middleware/debug_exceptions.rb +135 -63
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/debug_view.rb +66 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +115 -71
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/host_authorization.rb +130 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +32 -27
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +53 -45
- data/lib/action_dispatch/middleware/request_id.rb +17 -10
- data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -26
- data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
- data/lib/action_dispatch/middleware/session/cookie_store.rb +74 -75
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +28 -23
- data/lib/action_dispatch/middleware/ssl.rb +118 -35
- data/lib/action_dispatch/middleware/stack.rb +82 -41
- data/lib/action_dispatch/middleware/static.rb +156 -89
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -14
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +16 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +105 -8
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +87 -64
- data/lib/action_dispatch/railtie.rb +27 -13
- data/lib/action_dispatch/request/session.rb +109 -61
- data/lib/action_dispatch/request/utils.rb +90 -23
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +141 -102
- data/lib/action_dispatch/routing/mapper.rb +811 -473
- data/lib/action_dispatch/routing/polymorphic_routes.rb +167 -143
- data/lib/action_dispatch/routing/redirection.rb +37 -27
- data/lib/action_dispatch/routing/route_set.rb +363 -331
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +66 -26
- data/lib/action_dispatch/routing.rb +36 -36
- data/lib/action_dispatch/system_test_case.rb +190 -0
- data/lib/action_dispatch/system_testing/browser.rb +86 -0
- data/lib/action_dispatch/system_testing/driver.rb +67 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +138 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +29 -0
- data/lib/action_dispatch/testing/assertion_response.rb +46 -0
- data/lib/action_dispatch/testing/assertions/response.rb +44 -22
- data/lib/action_dispatch/testing/assertions/routing.rb +47 -31
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/integration.rb +391 -220
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +53 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +11 -11
- data/lib/action_dispatch.rb +35 -21
- data/lib/action_pack/gem_version.rb +5 -3
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +4 -2
- metadata +75 -46
- data/lib/action_controller/metal/force_ssl.rb +0 -97
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/http/parameter_filter.rb +0 -72
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
data/CHANGELOG.md
CHANGED
@@ -1,670 +1,520 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Ignore file fixtures on `db:fixtures:load`
|
4
4
|
|
5
|
-
|
6
|
-
in a path was maintained. This was incorrectly backported to Rails 4.2 which
|
7
|
-
caused a regression.
|
5
|
+
*Kevin Sjöberg*
|
8
6
|
|
9
|
-
|
7
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
10
8
|
|
11
|
-
|
9
|
+
*Dylan Thacker-Smith*
|
12
10
|
|
13
|
-
*
|
11
|
+
* Correctly place optional path parameter booleans.
|
14
12
|
|
15
|
-
|
16
|
-
|
13
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
14
|
+
of the path as parameter for example:
|
17
15
|
|
18
|
-
```
|
19
|
-
|
20
|
-
|
21
|
-
end
|
16
|
+
```
|
17
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
18
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
22
19
|
```
|
23
20
|
|
24
|
-
|
25
|
-
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
26
|
-
allow for multiple closing parenthesis since the route may be of this form:
|
21
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
27
22
|
|
28
|
-
``` ruby
|
29
|
-
get "/books(/:action(.:format))", controller: "books"
|
30
23
|
```
|
24
|
+
get '(this/:my_bool)/that' as: :that
|
31
25
|
|
32
|
-
|
33
|
-
|
26
|
+
that_path(my_bool: true) # => `/this/true/that`
|
27
|
+
that_path(my_bool: false) # => `/this/false/that`
|
28
|
+
```
|
34
29
|
|
35
|
-
|
30
|
+
*Adam Hess*
|
36
31
|
|
37
|
-
|
32
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
38
33
|
|
34
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
39
35
|
|
40
|
-
|
36
|
+
*Alex Smith*
|
41
37
|
|
42
|
-
* No changes.
|
43
38
|
|
39
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
44
40
|
|
45
|
-
|
46
|
-
|
47
|
-
* No changes.
|
41
|
+
* Prevent open redirects by correctly escaping the host allow list
|
42
|
+
CVE-2021-22903
|
48
43
|
|
44
|
+
* Prevent catastrophic backtracking during mime parsing
|
45
|
+
CVE-2021-22902
|
49
46
|
|
50
|
-
|
47
|
+
* Prevent regex DoS in HTTP token authentication
|
48
|
+
CVE-2021-22904
|
51
49
|
|
52
|
-
*
|
50
|
+
* Prevent string polymorphic route arguments.
|
53
51
|
|
52
|
+
`url_for` supports building polymorphic URLs via an array
|
53
|
+
of arguments (usually symbols and records). If a developer passes a
|
54
|
+
user input array, strings can result in unwanted route helper calls.
|
54
55
|
|
55
|
-
|
56
|
+
CVE-2021-22885
|
56
57
|
|
57
|
-
*
|
58
|
+
*Gannon McGibbon*
|
58
59
|
|
59
|
-
|
60
|
-
|
61
|
-
*Arthur Neves*
|
62
|
-
|
63
|
-
|
64
|
-
## Rails 4.2.5.1 (January 25, 2015) ##
|
60
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
65
61
|
|
66
62
|
* No changes.
|
67
63
|
|
68
64
|
|
69
|
-
## Rails
|
70
|
-
|
71
|
-
* `ActionController::TestCase` can teardown gracefully if an error is raised
|
72
|
-
early in the `setup` chain.
|
73
|
-
|
74
|
-
*Yves Senn*
|
75
|
-
|
76
|
-
* Parse RSS/ATOM responses as XML, not HTML.
|
77
|
-
|
78
|
-
*Alexander Kaupanin*
|
79
|
-
|
80
|
-
* Fix regression in mounted engine named routes generation for app deployed to
|
81
|
-
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
82
|
-
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
83
|
-
|
84
|
-
Fixes #20920. Fixes #21459.
|
85
|
-
|
86
|
-
*Matthew Erhard*
|
87
|
-
|
88
|
-
* `url_for` does not modify its arguments when generating polymorphic URLs.
|
89
|
-
|
90
|
-
*Bernerd Schaefer*
|
91
|
-
|
92
|
-
* Update `ActionController::TestSession#fetch` to behave more like
|
93
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
94
|
-
|
95
|
-
*Jeremy Friesen*
|
96
|
-
|
97
|
-
|
98
|
-
## Rails 4.2.4 (August 24, 2015) ##
|
99
|
-
|
100
|
-
* ActionController::TestSession now accepts a default value as well as
|
101
|
-
a block for generating a default value based off the key provided.
|
102
|
-
|
103
|
-
This fixes calls to session#fetch in ApplicationController instances that
|
104
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
105
|
-
number of arguments (2 for 1)` when performing controller tests.
|
65
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
106
66
|
|
107
|
-
|
67
|
+
* Re-define routes when not set correctly via inheritance.
|
108
68
|
|
109
|
-
*
|
69
|
+
*John Hawthorn*
|
110
70
|
|
111
|
-
`ActionDispatch::SSL` changes headers to `Hash`.
|
112
|
-
So some headers will be broken if there are some middlewares
|
113
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
114
71
|
|
115
|
-
|
72
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
116
73
|
|
74
|
+
* Prevent open redirect when allowed host starts with a dot
|
117
75
|
|
118
|
-
|
76
|
+
[CVE-2021-22881]
|
119
77
|
|
120
|
-
|
121
|
-
|
78
|
+
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
79
|
+
issue and the patch!
|
122
80
|
|
123
|
-
|
124
|
-
|
125
|
-
*Ravil Bayramgalin*
|
126
|
-
|
127
|
-
* Fix regression where a gzip file response would have a Content-type,
|
128
|
-
even when it was a 304 status code.
|
129
|
-
|
130
|
-
See #19271.
|
131
|
-
|
132
|
-
*Kohei Suzuki*
|
133
|
-
|
134
|
-
* Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
|
135
|
-
|
136
|
-
Previously, an empty X_FORWARDED_HOST header would cause
|
137
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
138
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
81
|
+
*Aaron Patterson*
|
139
82
|
|
140
|
-
*Adam Forsyth*
|
141
83
|
|
142
|
-
|
84
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
143
85
|
|
144
|
-
|
145
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
146
|
-
is set, it takes precedence.
|
86
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
147
87
|
|
148
|
-
|
88
|
+
*Janko Marohnić*
|
149
89
|
|
150
|
-
|
90
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
151
91
|
|
152
|
-
*
|
153
|
-
assigned.
|
92
|
+
*Eugene Kenny*
|
154
93
|
|
155
|
-
See #18423.
|
156
94
|
|
157
|
-
|
95
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
158
96
|
|
97
|
+
* Fix nil translation key lookup in controllers/
|
159
98
|
|
160
|
-
|
99
|
+
*Jan Klimo*
|
161
100
|
|
162
|
-
*
|
101
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
163
102
|
|
103
|
+
*Alex Robbin*
|
164
104
|
|
165
|
-
|
105
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
166
106
|
|
167
|
-
*
|
168
|
-
the masked token.
|
107
|
+
*Alex Robbin*
|
169
108
|
|
170
|
-
*Ville Lautanala*
|
171
109
|
|
172
|
-
|
110
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
173
111
|
|
174
|
-
|
175
|
-
|
112
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
113
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
176
114
|
|
177
|
-
Example:
|
178
115
|
```ruby
|
179
|
-
|
180
|
-
|
181
|
-
|
116
|
+
Rails.application.config.permissions_policy do |p|
|
117
|
+
p.camera :none
|
118
|
+
p.gyroscope :none
|
119
|
+
p.microphone :none
|
120
|
+
p.usb :none
|
121
|
+
p.fullscreen :self
|
122
|
+
p.payment :self, "https://secure-example.com"
|
182
123
|
end
|
183
|
-
head '/home'
|
184
|
-
assert_response :success
|
185
124
|
```
|
186
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
187
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
188
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
189
|
-
|
190
|
-
*Terence Sun*
|
191
|
-
|
192
|
-
* Preserve default format when generating URLs
|
193
|
-
|
194
|
-
Fixes an issue that would cause the format set in default_url_options to be
|
195
|
-
lost when generating URLs with fewer positional arguments than parameters in
|
196
|
-
the route definition.
|
197
|
-
|
198
|
-
Backport of #18627
|
199
|
-
|
200
|
-
*Tekin Suleyman*, *Dominic Baggott*
|
201
|
-
|
202
|
-
* Default headers, removed in controller actions, are no longer reapplied on
|
203
|
-
the test response.
|
204
|
-
|
205
|
-
*Jonas Baumann*
|
206
|
-
|
207
|
-
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
208
|
-
|
209
|
-
Fixes an issue where when an exception is raised in the request the additonal
|
210
|
-
payload data is not available.
|
211
|
-
|
212
|
-
See:
|
213
|
-
* #14903
|
214
|
-
* https://github.com/roidrage/lograge/issues/37
|
215
|
-
|
216
|
-
*Dieter Komendera*, *Margus Pärt*
|
217
|
-
|
218
|
-
* Correctly rely on the response's status code to handle calls to `head`.
|
219
|
-
|
220
|
-
*Robin Dupret*
|
221
|
-
|
222
|
-
* Using `head` method returns empty response_body instead
|
223
|
-
of returning a single space " ".
|
224
125
|
|
225
|
-
|
226
|
-
version of Safari, where the HTTP headers are not returned correctly
|
227
|
-
if the response body has a 0-length. This is been fixed since and
|
228
|
-
the workaround is no longer necessary.
|
126
|
+
*Julien Grillot*
|
229
127
|
|
230
|
-
|
128
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
231
129
|
|
232
|
-
|
130
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
233
131
|
|
234
|
-
*
|
132
|
+
*Chris Bisnett*
|
235
133
|
|
236
|
-
|
134
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
135
|
+
the unique X-Request-Id header
|
237
136
|
|
238
|
-
*
|
137
|
+
*Arlston Fernandes*
|
239
138
|
|
240
|
-
|
139
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
241
140
|
|
242
|
-
*
|
243
|
-
|
244
|
-
* Fixed usage of optional scopes in URL helpers.
|
245
|
-
|
246
|
-
*Alex Robbin*
|
247
|
-
|
248
|
-
|
249
|
-
## Rails 4.2.0 (December 20, 2014) ##
|
250
|
-
|
251
|
-
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
252
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
253
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
254
|
-
object in Rails 5.0.
|
255
|
-
|
256
|
-
*Prem Sichanugrist*
|
257
|
-
|
258
|
-
* Restore handling of a bare `Authorization` header, without `token=`
|
259
|
-
prefix.
|
260
|
-
|
261
|
-
Fixes #17108.
|
262
|
-
|
263
|
-
*Guo Xiang Tan*
|
264
|
-
|
265
|
-
* Deprecate use of string keys in URL helpers.
|
266
|
-
|
267
|
-
Use symbols instead.
|
268
|
-
Fixes #16958.
|
269
|
-
|
270
|
-
*Byron Bischoff*, *Melanie Gilman*
|
271
|
-
|
272
|
-
* Deprecate the `only_path` option on `*_path` helpers.
|
273
|
-
|
274
|
-
In cases where this option is set to `true`, the option is redundant and can
|
275
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
276
|
-
used instead.
|
277
|
-
|
278
|
-
Fixes #17294.
|
279
|
-
|
280
|
-
*Dan Olson*, *Godfrey Chan*
|
281
|
-
|
282
|
-
* Improve Journey compliance to RFC 3986.
|
283
|
-
|
284
|
-
The scanner in Journey failed to recognize routes that use literals
|
285
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
286
|
-
authorized delimiters and route as expected.
|
287
|
-
|
288
|
-
Fixes #17212.
|
289
|
-
|
290
|
-
*Nicolas Cavigneaux*
|
291
|
-
|
292
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
293
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
294
|
-
|
295
|
-
status, headers, body = response
|
141
|
+
*Rafael Mendonça França*
|
296
142
|
|
297
|
-
|
298
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
299
|
-
explicit conversion and splatting with `#to_a`:
|
143
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
300
144
|
|
301
|
-
|
145
|
+
*Rafael Mendonça França*
|
302
146
|
|
303
|
-
|
147
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
304
148
|
|
305
|
-
*
|
149
|
+
*Rafael Mendonça França*
|
306
150
|
|
307
|
-
|
308
|
-
and fails for JRuby in 1.9 mode.
|
151
|
+
* Added support for exclusive no-store Cache-Control header.
|
309
152
|
|
310
|
-
|
153
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
311
154
|
|
312
|
-
*
|
313
|
-
routes.
|
155
|
+
*Chris Kruger*
|
314
156
|
|
315
|
-
|
157
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
316
158
|
|
317
|
-
|
159
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
160
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
318
161
|
|
319
|
-
*
|
162
|
+
*Adrianna Chang*
|
320
163
|
|
321
|
-
|
164
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
322
165
|
|
323
|
-
|
324
|
-
config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
|
166
|
+
*Gannon McGibbon*
|
325
167
|
|
326
|
-
|
168
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
327
169
|
|
328
|
-
*
|
170
|
+
*Alan Tan*, *Oz Ben-David*
|
329
171
|
|
330
|
-
|
331
|
-
|
332
|
-
GET routes.
|
172
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
173
|
+
a 308 redirection.
|
333
174
|
|
334
|
-
*
|
175
|
+
*Alan Tan*
|
335
176
|
|
336
|
-
*
|
337
|
-
|
338
|
-
the client supports gzip and a compressed file is on disk.
|
177
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
178
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
339
179
|
|
340
|
-
*
|
180
|
+
*Jonathan Hefner*
|
341
181
|
|
342
|
-
* `
|
343
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
344
|
-
that is not available on `ActionController::Parameters` you should consider
|
345
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
182
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
346
183
|
|
347
|
-
|
184
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
185
|
+
Brotli files are preferred due to much better compression.
|
348
186
|
|
349
|
-
|
350
|
-
|
351
|
-
|
352
|
-
object which does not maintain `permitted?` status. If you would like to
|
353
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
354
|
-
before calling `#to_h`.
|
187
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
188
|
+
we check for public/some.js.br and serve that file, if present, with
|
189
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
355
190
|
|
356
|
-
|
357
|
-
name: 'Senjougahara Hitagi',
|
358
|
-
oddity: 'Heavy stone crab'
|
359
|
-
})
|
360
|
-
params.to_h
|
361
|
-
# => {}
|
191
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
362
192
|
|
363
|
-
|
364
|
-
unsafe_params.to_h
|
365
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
193
|
+
* Add raise_on_missing_translations support for controllers.
|
366
194
|
|
367
|
-
|
368
|
-
|
369
|
-
|
195
|
+
This configuration determines whether an error should be raised for missing translations.
|
196
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
197
|
+
configuration also affects raising error for missing translations in views.
|
370
198
|
|
371
|
-
|
372
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
373
|
-
in the next minor release.
|
199
|
+
*fatkodima*
|
374
200
|
|
375
|
-
|
201
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
376
202
|
|
377
|
-
*
|
203
|
+
*Eugene Kenny*
|
378
204
|
|
379
|
-
|
205
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
206
|
+
without passing a block now returns an enumerator.
|
380
207
|
|
381
|
-
*
|
382
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
383
|
-
cookies by defining the `#as_json` hook on such objects.
|
208
|
+
*Eugene Kenny*
|
384
209
|
|
385
|
-
|
210
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
386
211
|
|
387
|
-
|
212
|
+
Previously the path had to be relative to `fixture_path`.
|
213
|
+
You can change your existing code as follow:
|
388
214
|
|
389
|
-
|
390
|
-
|
215
|
+
```ruby
|
216
|
+
# Before
|
217
|
+
fixture_file_upload('files/dog.png')
|
391
218
|
|
392
|
-
|
219
|
+
# After
|
220
|
+
fixture_file_upload('dog.png')
|
221
|
+
```
|
393
222
|
|
394
|
-
*
|
395
|
-
the `responders` gem.
|
223
|
+
*Edouard Chin*
|
396
224
|
|
397
|
-
|
225
|
+
* Remove deprecated `force_ssl` at the controller level.
|
398
226
|
|
399
|
-
*
|
227
|
+
*Rafael Mendonça França*
|
400
228
|
|
401
|
-
|
402
|
-
|
403
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
404
|
-
This makes it easy to HTTP-cache many more of your actions.
|
229
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
230
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
405
231
|
|
406
|
-
|
407
|
-
|
232
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
233
|
+
always pass a module object:
|
408
234
|
|
409
|
-
|
235
|
+
```ruby
|
236
|
+
helper UtilsHelper
|
237
|
+
```
|
410
238
|
|
411
|
-
|
239
|
+
which is recommended because it is simple and direct. When a string/symbol
|
240
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
241
|
+
that same module object.
|
412
242
|
|
413
|
-
|
243
|
+
*Xavier Noria*, *Jean Boussier*
|
414
244
|
|
415
|
-
|
245
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
416
246
|
|
417
|
-
*
|
418
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
247
|
+
*Nick Soracco*
|
419
248
|
|
420
|
-
|
249
|
+
* `url_for` will now use "https://" as the default protocol when
|
250
|
+
`Rails.application.config.force_ssl` is set to true.
|
421
251
|
|
422
|
-
*
|
252
|
+
*Jonathan Hefner*
|
423
253
|
|
424
|
-
|
254
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
425
255
|
|
426
|
-
|
427
|
-
|
256
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
257
|
+
them difficult to deal with. For example, the common practice of sending
|
258
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
259
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
428
260
|
|
429
|
-
|
261
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
262
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
263
|
+
for backwards compatibility.
|
430
264
|
|
431
|
-
*
|
432
|
-
loopback address.
|
265
|
+
*Scott Blum*
|
433
266
|
|
434
|
-
|
267
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
435
268
|
|
436
|
-
|
437
|
-
|
269
|
+
In a distributed configuration like rolling update, users may observe
|
270
|
+
both old and new instances during deployment. Users may be served by a
|
271
|
+
new instance and then by an old instance.
|
438
272
|
|
439
|
-
|
440
|
-
|
441
|
-
|
442
|
-
|
443
|
-
stashed in `env["action_dispatch.original_path"]`.
|
273
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
274
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
275
|
+
from `false` to `true`, users may lose their sessions if they access the
|
276
|
+
server during deployment.
|
444
277
|
|
445
|
-
|
278
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
279
|
+
deployment, ensuring compatibility on both old and new instances.
|
446
280
|
|
447
|
-
*
|
448
|
-
overflow.
|
281
|
+
*Masaki Hara*
|
449
282
|
|
450
|
-
|
283
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
451
284
|
|
452
|
-
|
453
|
-
|
285
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
286
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
454
287
|
|
455
|
-
|
456
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
457
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
458
|
-
longer necessary.
|
288
|
+
*Keenan Brock*
|
459
289
|
|
460
|
-
|
290
|
+
* Fix possible information leak / session hijacking vulnerability.
|
461
291
|
|
462
|
-
|
292
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
293
|
+
gem dalli to be updated as well.
|
463
294
|
|
464
|
-
|
295
|
+
CVE-2019-16782.
|
465
296
|
|
466
|
-
*
|
467
|
-
("Rosetta Flash").
|
297
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
468
298
|
|
469
|
-
|
299
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
300
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
301
|
+
from being correctly counted and reported.
|
470
302
|
|
471
|
-
|
472
|
-
|
473
|
-
This essentially replicates the functionality of the monkey patch to
|
474
|
-
URI.parser.unescape in active_support/core_ext/uri.rb.
|
303
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
304
|
+
root session.
|
475
305
|
|
476
|
-
Fixes #
|
306
|
+
Fixes #32142.
|
477
307
|
|
478
|
-
*
|
308
|
+
*Sam Bostock*
|
479
309
|
|
480
|
-
*
|
310
|
+
* Add SameSite protection to every written cookie.
|
481
311
|
|
482
|
-
|
312
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
313
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
483
314
|
|
484
|
-
|
315
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
485
316
|
|
486
|
-
|
487
|
-
when rendering through a `respond_to` block.
|
317
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
488
318
|
|
489
|
-
|
319
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
490
320
|
|
491
|
-
|
321
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
492
322
|
|
493
|
-
|
494
|
-
parameters are permitted globally. The default value of this configuration is
|
495
|
-
`['controller', 'action']`.
|
323
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
496
324
|
|
497
|
-
*
|
325
|
+
*Cédric Fabianski*
|
498
326
|
|
499
|
-
*
|
327
|
+
* Bring back the feature that allows loading external route files from the router.
|
500
328
|
|
501
|
-
|
329
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
330
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
331
|
+
that this wasn't fully the case and loading external route files from the router
|
332
|
+
can be helpful for applications with a really large set of routes.
|
333
|
+
Without this feature, application needs to implement routes reloading
|
334
|
+
themselves and it's not straightforward.
|
502
335
|
|
503
|
-
|
336
|
+
```ruby
|
337
|
+
# config/routes.rb
|
504
338
|
|
505
|
-
|
339
|
+
Rails.application.routes.draw do
|
340
|
+
draw(:admin)
|
341
|
+
end
|
506
342
|
|
507
|
-
|
343
|
+
# config/routes/admin.rb
|
508
344
|
|
509
|
-
|
345
|
+
get :foo, to: 'foo#bar'
|
346
|
+
```
|
510
347
|
|
511
|
-
*
|
512
|
-
recognize token as nil, instead of "token".
|
348
|
+
*Yehuda Katz*, *Edouard Chin*
|
513
349
|
|
514
|
-
|
350
|
+
* Fix system test driver option initialization for non-headless browsers.
|
515
351
|
|
516
|
-
*
|
352
|
+
*glaszig*
|
517
353
|
|
518
|
-
*
|
519
|
-
|
354
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
355
|
+
their payloads as `:request`.
|
520
356
|
|
521
|
-
*
|
357
|
+
*Austin Story*
|
522
358
|
|
523
|
-
*
|
524
|
-
|
525
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
359
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
360
|
+
request format but based on the block given.
|
526
361
|
|
527
|
-
|
362
|
+
Example:
|
528
363
|
|
529
|
-
|
530
|
-
|
364
|
+
```ruby
|
365
|
+
def my_action
|
366
|
+
respond_to do |format|
|
367
|
+
format.any { render(json: { foo: 'bar' }) }
|
368
|
+
end
|
369
|
+
end
|
531
370
|
|
532
|
-
|
371
|
+
get('my_action.csv')
|
372
|
+
```
|
533
373
|
|
534
|
-
|
535
|
-
|
536
|
-
is now required in integration test `process` helpers, whereas previously
|
537
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
538
|
-
of the implementation and was never an intentional feature.
|
374
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
375
|
+
is inaccurate since a JSON response is being rendered.
|
539
376
|
|
540
|
-
|
377
|
+
Now it correctly returns a `application/json` Content-Type.
|
541
378
|
|
542
|
-
*
|
543
|
-
called 'status' in a controller.
|
379
|
+
*Edouard Chin*
|
544
380
|
|
545
|
-
|
381
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
546
382
|
|
547
|
-
|
383
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
384
|
+
nested directory, causing issues with `tmp:clear`.
|
548
385
|
|
549
|
-
*
|
386
|
+
*Damir Zekic*
|
550
387
|
|
551
|
-
|
388
|
+
* Add `params.member?` to mimic Hash behavior.
|
552
389
|
|
553
|
-
*
|
390
|
+
*Younes Serraj*
|
554
391
|
|
555
|
-
|
556
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
557
|
-
e.g. the fragment cache hit rates for each controller action.
|
392
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
558
393
|
|
559
|
-
*
|
394
|
+
* `:request` - the `ActionDispatch::Request`
|
395
|
+
* `:response` - the `ActionDispatch::Response`
|
560
396
|
|
561
|
-
*
|
397
|
+
*George Claghorn*
|
562
398
|
|
563
|
-
|
399
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
400
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
401
|
+
from.
|
564
402
|
|
565
|
-
|
403
|
+
Fixes #37383.
|
566
404
|
|
567
|
-
*
|
568
|
-
and improved tests.
|
405
|
+
*Norm Provost*
|
569
406
|
|
570
|
-
|
407
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
571
408
|
|
572
|
-
|
409
|
+
```ruby
|
410
|
+
# Use the debug level if a particular cookie is set.
|
411
|
+
class ApplicationController < ActionController::Base
|
412
|
+
log_at :debug, if: -> { cookies[:debug] }
|
413
|
+
end
|
414
|
+
```
|
573
415
|
|
574
|
-
*
|
575
|
-
to `:matches?`. Previously, when given an non-complying object, it would just
|
576
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
577
|
-
when setting up the routes.
|
416
|
+
*George Claghorn*
|
578
417
|
|
579
|
-
|
418
|
+
* Allow system test screen shots to be taken more than once in
|
419
|
+
a test by prefixing the file name with an incrementing counter.
|
580
420
|
|
581
|
-
|
582
|
-
|
583
|
-
|
421
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
422
|
+
enable saving of HTML during a screenshot in addition to the image.
|
423
|
+
This uses the same image name, with the extension replaced with `.html`
|
584
424
|
|
585
|
-
|
425
|
+
*Tom Fakes*
|
586
426
|
|
587
|
-
|
427
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
588
428
|
|
589
|
-
|
429
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
430
|
+
header to determine what to return. And if we don't add `Vary`
|
431
|
+
in the response header, browsers might accidentally cache different
|
432
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
433
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
434
|
+
in these types of requests. For more detailed problem description, please read:
|
590
435
|
|
591
|
-
|
592
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
593
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
436
|
+
https://github.com/rails/rails/pull/36213
|
594
437
|
|
595
|
-
|
596
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
438
|
+
Fixes #25842.
|
597
439
|
|
598
|
-
|
440
|
+
*Stan Lo*
|
599
441
|
|
600
|
-
|
442
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
443
|
+
a 307 redirection.
|
601
444
|
|
602
|
-
*
|
445
|
+
*Edouard Chin*
|
603
446
|
|
604
|
-
|
605
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
606
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
607
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
447
|
+
* System tests require Capybara 3.26 or newer.
|
608
448
|
|
609
|
-
|
610
|
-
(e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
|
611
|
-
means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
|
612
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
449
|
+
*George Claghorn*
|
613
450
|
|
614
|
-
|
451
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
615
452
|
|
616
|
-
*
|
453
|
+
*Alberto Fernández-Capel*
|
617
454
|
|
618
|
-
* Add
|
619
|
-
`ActionDispatch::Http::UploadedFile#tempfile`.
|
455
|
+
* Add DSL for configuring HTTP Feature Policy.
|
620
456
|
|
621
|
-
|
457
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
458
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
459
|
+
specification and guidelines can be found at MDN:
|
622
460
|
|
623
|
-
|
624
|
-
format block.
|
461
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
625
462
|
|
626
|
-
|
463
|
+
Example global policy:
|
627
464
|
|
628
|
-
|
465
|
+
```ruby
|
466
|
+
Rails.application.config.feature_policy do |f|
|
467
|
+
f.camera :none
|
468
|
+
f.gyroscope :none
|
469
|
+
f.microphone :none
|
470
|
+
f.usb :none
|
471
|
+
f.fullscreen :self
|
472
|
+
f.payment :self, "https://secure.example.com"
|
473
|
+
end
|
474
|
+
```
|
629
475
|
|
630
|
-
|
476
|
+
Example controller level policy:
|
631
477
|
|
632
|
-
|
478
|
+
```ruby
|
479
|
+
class PagesController < ApplicationController
|
480
|
+
feature_policy do |p|
|
481
|
+
p.geolocation "https://example.com"
|
482
|
+
end
|
483
|
+
end
|
484
|
+
```
|
633
485
|
|
634
|
-
*
|
486
|
+
*Jacob Bednarz*
|
635
487
|
|
636
|
-
|
488
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
637
489
|
|
638
|
-
|
490
|
+
Fixes #35137.
|
639
491
|
|
640
|
-
*
|
492
|
+
*Yuji Yaginuma*
|
641
493
|
|
642
|
-
|
494
|
+
* Keep part when scope option has value.
|
643
495
|
|
644
|
-
|
645
|
-
|
496
|
+
When a route was defined within an optional scope, if that route didn't
|
497
|
+
take parameters the scope was lost when using path helpers. This commit
|
498
|
+
ensures scope is kept both when the route takes parameters or when it
|
499
|
+
doesn't.
|
646
500
|
|
647
|
-
Fixes #
|
501
|
+
Fixes #33219.
|
648
502
|
|
649
|
-
*
|
503
|
+
*Alberto Almagro*
|
650
504
|
|
651
|
-
*
|
652
|
-
we need to check if we're not inside a nested scope before copying the :path
|
653
|
-
and :as options to their shallow equivalents.
|
505
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
654
506
|
|
655
|
-
|
507
|
+
*Gustavo Gutierrez*
|
656
508
|
|
657
|
-
|
509
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
510
|
+
an enumerator for the parameters instead of the underlying hash.
|
658
511
|
|
659
|
-
*
|
660
|
-
`log_warning_on_csrf_failure` configuration setting in
|
661
|
-
`ActionController::RequestForgeryProtection`.
|
512
|
+
*Eugene Kenny*
|
662
513
|
|
663
|
-
|
514
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
515
|
+
It should only block invalid key's values instead.
|
664
516
|
|
665
|
-
*
|
666
|
-
`default_url_options` methods.
|
517
|
+
*Stan Lo*
|
667
518
|
|
668
|
-
*Tony Wooster*
|
669
519
|
|
670
|
-
Please check [
|
520
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|