actionpack 4.2.11.1 → 5.2.4.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +287 -488
- data/MIT-LICENSE +1 -1
- data/README.rdoc +6 -7
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +45 -49
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +78 -15
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +47 -31
- data/lib/abstract_controller/collector.rb +8 -11
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +25 -25
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +4 -2
- data/lib/abstract_controller/rendering.rb +42 -41
- data/lib/abstract_controller/translation.rb +10 -7
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +12 -5
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +149 -0
- data/lib/action_controller/base.rb +27 -19
- data/lib/action_controller/caching.rb +14 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +10 -15
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +118 -44
- data/lib/action_controller/metal/content_security_policy.rb +52 -0
- data/lib/action_controller/metal/cookies.rb +3 -3
- data/lib/action_controller/metal/data_streaming.rb +27 -46
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +20 -13
- data/lib/action_controller/metal/exceptions.rb +8 -14
- data/lib/action_controller/metal/flash.rb +4 -3
- data/lib/action_controller/metal/force_ssl.rb +23 -21
- data/lib/action_controller/metal/head.rb +21 -19
- data/lib/action_controller/metal/helpers.rb +24 -14
- data/lib/action_controller/metal/http_authentication.rb +64 -57
- data/lib/action_controller/metal/implicit_render.rb +62 -8
- data/lib/action_controller/metal/instrumentation.rb +19 -21
- data/lib/action_controller/metal/live.rb +90 -106
- data/lib/action_controller/metal/mime_responds.rb +33 -46
- data/lib/action_controller/metal/parameter_encoding.rb +51 -0
- data/lib/action_controller/metal/params_wrapper.rb +61 -53
- data/lib/action_controller/metal/redirecting.rb +49 -28
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +72 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +229 -93
- data/lib/action_controller/metal/rescue.rb +9 -16
- data/lib/action_controller/metal/streaming.rb +12 -10
- data/lib/action_controller/metal/strong_parameters.rb +583 -164
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/metal.rb +98 -83
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +2 -0
- data/lib/action_controller/renderer.rb +117 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +280 -411
- data/lib/action_controller.rb +29 -21
- data/lib/action_dispatch/http/cache.rb +93 -47
- data/lib/action_dispatch/http/content_security_policy.rb +272 -0
- data/lib/action_dispatch/http/filter_parameters.rb +26 -20
- data/lib/action_dispatch/http/filter_redirect.rb +10 -11
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +56 -41
- data/lib/action_dispatch/http/mime_type.rb +134 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameter_filter.rb +25 -11
- data/lib/action_dispatch/http/parameters.rb +98 -39
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +200 -118
- data/lib/action_dispatch/http/response.rb +225 -110
- data/lib/action_dispatch/http/upload.rb +12 -6
- data/lib/action_dispatch/http/url.rb +110 -28
- data/lib/action_dispatch/journey/formatter.rb +55 -32
- data/lib/action_dispatch/journey/gtg/builder.rb +7 -5
- data/lib/action_dispatch/journey/gtg/simulator.rb +3 -9
- data/lib/action_dispatch/journey/gtg/transition_table.rb +17 -16
- data/lib/action_dispatch/journey/nfa/builder.rb +5 -3
- data/lib/action_dispatch/journey/nfa/dot.rb +13 -13
- data/lib/action_dispatch/journey/nfa/simulator.rb +3 -1
- data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -48
- data/lib/action_dispatch/journey/nodes/node.rb +18 -6
- data/lib/action_dispatch/journey/parser.rb +23 -22
- data/lib/action_dispatch/journey/parser.y +3 -2
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +50 -44
- data/lib/action_dispatch/journey/route.rb +106 -28
- data/lib/action_dispatch/journey/router/utils.rb +20 -11
- data/lib/action_dispatch/journey/router.rb +35 -23
- data/lib/action_dispatch/journey/routes.rb +18 -16
- data/lib/action_dispatch/journey/scanner.rb +18 -15
- data/lib/action_dispatch/journey/visitors.rb +99 -52
- data/lib/action_dispatch/journey.rb +7 -5
- data/lib/action_dispatch/middleware/callbacks.rb +1 -2
- data/lib/action_dispatch/middleware/cookies.rb +304 -193
- data/lib/action_dispatch/middleware/debug_exceptions.rb +152 -57
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +68 -69
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/public_exceptions.rb +27 -25
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +41 -31
- data/lib/action_dispatch/middleware/request_id.rb +17 -9
- data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -25
- data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
- data/lib/action_dispatch/middleware/session/cookie_store.rb +72 -67
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +26 -22
- data/lib/action_dispatch/middleware/ssl.rb +114 -36
- data/lib/action_dispatch/middleware/stack.rb +31 -44
- data/lib/action_dispatch/middleware/static.rb +57 -50
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +2 -14
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +1 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +64 -64
- data/lib/action_dispatch/railtie.rb +19 -11
- data/lib/action_dispatch/request/session.rb +106 -59
- data/lib/action_dispatch/request/utils.rb +67 -24
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +58 -67
- data/lib/action_dispatch/routing/mapper.rb +733 -447
- data/lib/action_dispatch/routing/polymorphic_routes.rb +161 -139
- data/lib/action_dispatch/routing/redirection.rb +36 -26
- data/lib/action_dispatch/routing/route_set.rb +321 -291
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +65 -25
- data/lib/action_dispatch/routing.rb +17 -18
- data/lib/action_dispatch/system_test_case.rb +147 -0
- data/lib/action_dispatch/system_testing/browser.rb +49 -0
- data/lib/action_dispatch/system_testing/driver.rb +59 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +96 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +26 -0
- data/lib/action_dispatch/testing/assertion_response.rb +47 -0
- data/lib/action_dispatch/testing/assertions/response.rb +45 -20
- data/lib/action_dispatch/testing/assertions/routing.rb +30 -26
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/integration.rb +347 -209
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +28 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +35 -7
- data/lib/action_dispatch.rb +27 -19
- data/lib/action_pack/gem_version.rb +5 -3
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +4 -2
- metadata +56 -38
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
data/CHANGELOG.md
CHANGED
@@ -1,680 +1,479 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
## Rails 4.2.11 (November 27, 2018) ##
|
7
|
-
|
8
|
-
* No changes.
|
9
|
-
|
10
|
-
|
11
|
-
## Rails 4.2.10 (September 27, 2017) ##
|
12
|
-
|
13
|
-
* Fix regression in behavior of `normalize_path`.
|
14
|
-
|
15
|
-
In Rails 5 there was a change to ensure the encoding of the original string
|
16
|
-
in a path was maintained. This was incorrectly backported to Rails 4.2 which
|
17
|
-
caused a regression.
|
18
|
-
|
19
|
-
*Eileen M. Uchitelle*
|
20
|
-
|
21
|
-
## Rails 4.2.9 (June 26, 2017) ##
|
22
|
-
|
23
|
-
* Use more specific check for :format in route path
|
3
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
24
4
|
|
25
|
-
|
26
|
-
and will match things like `:format_id` where there are nested resources, e.g:
|
5
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
27
6
|
|
28
|
-
``` ruby
|
29
|
-
resources :formats do
|
30
|
-
resources :items
|
31
|
-
end
|
32
|
-
```
|
33
|
-
|
34
|
-
Fix this by using a more restrictive regex pattern that looks for the patterns
|
35
|
-
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
36
|
-
allow for multiple closing parenthesis since the route may be of this form:
|
37
7
|
|
38
|
-
|
39
|
-
get "/books(/:action(.:format))", controller: "books"
|
40
|
-
```
|
8
|
+
## Rails 5.2.4.1 (December 18, 2019) ##
|
41
9
|
|
42
|
-
|
43
|
-
route doesn't support a format but we have a test for it so we need to allow it.
|
10
|
+
* Fix possible information leak / session hijacking vulnerability.
|
44
11
|
|
45
|
-
|
12
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
13
|
+
gem dalli to be updated as well.
|
46
14
|
|
47
|
-
|
15
|
+
CVE-2019-16782.
|
48
16
|
|
49
17
|
|
50
|
-
## Rails
|
18
|
+
## Rails 5.2.4 (November 27, 2019) ##
|
51
19
|
|
52
20
|
* No changes.
|
53
21
|
|
54
22
|
|
55
|
-
## Rails
|
56
|
-
|
57
|
-
* No changes.
|
23
|
+
## Rails 5.2.3 (March 27, 2019) ##
|
58
24
|
|
25
|
+
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
59
26
|
|
60
|
-
|
27
|
+
Before this change, even if `public` was specified in the Cache Control header,
|
28
|
+
it was excluded when `no-cache` was included. This change preserves the
|
29
|
+
`public` value as is.
|
61
30
|
|
62
|
-
|
31
|
+
Fixes #34780.
|
63
32
|
|
33
|
+
*Yuji Yaginuma*
|
64
34
|
|
65
|
-
|
35
|
+
* Allow `nil` params for `ActionController::TestCase`.
|
66
36
|
|
67
|
-
*
|
37
|
+
*Ryo Nakamura*
|
68
38
|
|
69
|
-
Fixes CVE-2016-2098.
|
70
39
|
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
## Rails 4.2.5.1 (January 25, 2015) ##
|
40
|
+
## Rails 5.2.2.1 (March 11, 2019) ##
|
75
41
|
|
76
42
|
* No changes.
|
77
43
|
|
78
44
|
|
79
|
-
## Rails
|
80
|
-
|
81
|
-
* `ActionController::TestCase` can teardown gracefully if an error is raised
|
82
|
-
early in the `setup` chain.
|
83
|
-
|
84
|
-
*Yves Senn*
|
85
|
-
|
86
|
-
* Parse RSS/ATOM responses as XML, not HTML.
|
87
|
-
|
88
|
-
*Alexander Kaupanin*
|
45
|
+
## Rails 5.2.2 (December 04, 2018) ##
|
89
46
|
|
90
|
-
*
|
91
|
-
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
92
|
-
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
47
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
93
48
|
|
94
|
-
|
49
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
50
|
+
in system test `after_teardown`.
|
95
51
|
|
96
|
-
*
|
52
|
+
*Maxim Perepelitsa*
|
97
53
|
|
98
|
-
*
|
54
|
+
* Use request object for context if there's no controller
|
99
55
|
|
100
|
-
|
56
|
+
There is no controller instance when using a redirect route or a
|
57
|
+
mounted rack application so pass the request object as the context
|
58
|
+
when resolving dynamic CSP sources in this scenario.
|
101
59
|
|
102
|
-
|
103
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
60
|
+
Fixes #34200.
|
104
61
|
|
105
|
-
*
|
106
|
-
|
107
|
-
|
108
|
-
## Rails 4.2.4 (August 24, 2015) ##
|
109
|
-
|
110
|
-
* ActionController::TestSession now accepts a default value as well as
|
111
|
-
a block for generating a default value based off the key provided.
|
112
|
-
|
113
|
-
This fixes calls to session#fetch in ApplicationController instances that
|
114
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
115
|
-
number of arguments (2 for 1)` when performing controller tests.
|
116
|
-
|
117
|
-
*Matthew Gerrior*
|
118
|
-
|
119
|
-
* Fix to keep original header instance in `ActionDispatch::SSL`
|
120
|
-
|
121
|
-
`ActionDispatch::SSL` changes headers to `Hash`.
|
122
|
-
So some headers will be broken if there are some middlewares
|
123
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
124
|
-
|
125
|
-
*Fumiaki Matsushima*
|
126
|
-
|
127
|
-
|
128
|
-
## Rails 4.2.3 (June 25, 2015) ##
|
62
|
+
*Andrew White*
|
129
63
|
|
130
|
-
*
|
131
|
-
nesting multiple routes.
|
64
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
132
65
|
|
133
|
-
|
66
|
+
Previously if a dynamic source returned a symbol such as :self it
|
67
|
+
would be converted to a string implicity, e.g:
|
134
68
|
|
135
|
-
|
69
|
+
policy.default_src -> { :self }
|
136
70
|
|
137
|
-
|
138
|
-
even when it was a 304 status code.
|
71
|
+
would generate the header:
|
139
72
|
|
140
|
-
|
73
|
+
Content-Security-Policy: default-src self
|
141
74
|
|
142
|
-
|
75
|
+
and now it generates:
|
143
76
|
|
144
|
-
|
77
|
+
Content-Security-Policy: default-src 'self'
|
145
78
|
|
146
|
-
|
147
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
148
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
79
|
+
*Andrew White*
|
149
80
|
|
150
|
-
|
81
|
+
* Fix `rails routes -c` for controller name consists of multiple word.
|
151
82
|
|
152
|
-
*
|
83
|
+
*Yoshiyuki Kinjo*
|
153
84
|
|
154
|
-
|
155
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
156
|
-
is set, it takes precedence.
|
85
|
+
* Call the `#redirect_to` block in controller context.
|
157
86
|
|
158
|
-
|
87
|
+
*Steven Peckins*
|
159
88
|
|
160
|
-
*Yasyf Mohamedali*
|
161
89
|
|
162
|
-
|
163
|
-
assigned.
|
90
|
+
## Rails 5.2.1.1 (November 27, 2018) ##
|
164
91
|
|
165
|
-
|
92
|
+
* No changes.
|
166
93
|
|
167
|
-
*Jeremy Kemper*, *Yves Senn*
|
168
94
|
|
95
|
+
## Rails 5.2.1 (August 07, 2018) ##
|
169
96
|
|
170
|
-
|
97
|
+
* Prevent `?null=` being passed on JSON encoded test requests.
|
171
98
|
|
172
|
-
|
99
|
+
`RequestEncoder#encode_params` won't attempt to parse params if
|
100
|
+
there are none.
|
173
101
|
|
102
|
+
So call like this will no longer append a `?null=` query param.
|
174
103
|
|
175
|
-
|
104
|
+
get foos_url, as: :json
|
176
105
|
|
177
|
-
*
|
178
|
-
the masked token.
|
106
|
+
*Alireza Bashiri*
|
179
107
|
|
180
|
-
|
108
|
+
* Ensure `ActionController::Parameters#transform_values` and
|
109
|
+
`ActionController::Parameters#transform_values!` converts hashes into
|
110
|
+
parameters.
|
181
111
|
|
182
|
-
*
|
112
|
+
*Kevin Sjöberg*
|
183
113
|
|
184
|
-
|
185
|
-
request causing an incorrect behavior during the fall back to GET requests.
|
114
|
+
* Fix strong parameters `permit!` with nested arrays.
|
186
115
|
|
187
|
-
|
188
|
-
```
|
189
|
-
|
190
|
-
|
191
|
-
mount rack_app, at: '/'
|
192
|
-
end
|
193
|
-
head '/home'
|
194
|
-
assert_response :success
|
116
|
+
Given:
|
117
|
+
```
|
118
|
+
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
119
|
+
params.permit!
|
195
120
|
```
|
196
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
197
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
198
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
199
|
-
|
200
|
-
*Terence Sun*
|
201
|
-
|
202
|
-
* Preserve default format when generating URLs
|
203
|
-
|
204
|
-
Fixes an issue that would cause the format set in default_url_options to be
|
205
|
-
lost when generating URLs with fewer positional arguments than parameters in
|
206
|
-
the route definition.
|
207
|
-
|
208
|
-
Backport of #18627
|
209
|
-
|
210
|
-
*Tekin Suleyman*, *Dominic Baggott*
|
211
|
-
|
212
|
-
* Default headers, removed in controller actions, are no longer reapplied on
|
213
|
-
the test response.
|
214
|
-
|
215
|
-
*Jonas Baumann*
|
216
|
-
|
217
|
-
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
218
|
-
|
219
|
-
Fixes an issue where when an exception is raised in the request the additonal
|
220
|
-
payload data is not available.
|
221
|
-
|
222
|
-
See:
|
223
|
-
* #14903
|
224
|
-
* https://github.com/roidrage/lograge/issues/37
|
225
|
-
|
226
|
-
*Dieter Komendera*, *Margus Pärt*
|
227
|
-
|
228
|
-
* Correctly rely on the response's status code to handle calls to `head`.
|
229
|
-
|
230
|
-
*Robin Dupret*
|
231
|
-
|
232
|
-
* Using `head` method returns empty response_body instead
|
233
|
-
of returning a single space " ".
|
234
|
-
|
235
|
-
The old behavior was added as a workaround for a bug in an early
|
236
|
-
version of Safari, where the HTTP headers are not returned correctly
|
237
|
-
if the response body has a 0-length. This is been fixed since and
|
238
|
-
the workaround is no longer necessary.
|
239
|
-
|
240
|
-
Fixes #18253.
|
241
|
-
|
242
|
-
*Prathamesh Sonpatki*
|
243
|
-
|
244
|
-
* Fix how polymorphic routes works with objects that implement `to_model`.
|
245
|
-
|
246
|
-
*Travis Grathwell*
|
247
|
-
|
248
|
-
* Fixed handling of positional url helper arguments when `format: false`.
|
249
|
-
|
250
|
-
Fixes #17819.
|
251
|
-
|
252
|
-
*Andrew White*, *Tatiana Soukiassian*
|
253
|
-
|
254
|
-
* Fixed usage of optional scopes in URL helpers.
|
255
|
-
|
256
|
-
*Alex Robbin*
|
257
|
-
|
258
|
-
|
259
|
-
## Rails 4.2.0 (December 20, 2014) ##
|
260
|
-
|
261
|
-
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
262
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
263
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
264
|
-
object in Rails 5.0.
|
265
|
-
|
266
|
-
*Prem Sichanugrist*
|
267
|
-
|
268
|
-
* Restore handling of a bare `Authorization` header, without `token=`
|
269
|
-
prefix.
|
270
|
-
|
271
|
-
Fixes #17108.
|
272
|
-
|
273
|
-
*Guo Xiang Tan*
|
274
|
-
|
275
|
-
* Deprecate use of string keys in URL helpers.
|
276
|
-
|
277
|
-
Use symbols instead.
|
278
|
-
Fixes #16958.
|
279
|
-
|
280
|
-
*Byron Bischoff*, *Melanie Gilman*
|
281
|
-
|
282
|
-
* Deprecate the `only_path` option on `*_path` helpers.
|
283
|
-
|
284
|
-
In cases where this option is set to `true`, the option is redundant and can
|
285
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
286
|
-
used instead.
|
287
|
-
|
288
|
-
Fixes #17294.
|
289
|
-
|
290
|
-
*Dan Olson*, *Godfrey Chan*
|
291
|
-
|
292
|
-
* Improve Journey compliance to RFC 3986.
|
293
|
-
|
294
|
-
The scanner in Journey failed to recognize routes that use literals
|
295
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
296
|
-
authorized delimiters and route as expected.
|
297
|
-
|
298
|
-
Fixes #17212.
|
299
|
-
|
300
|
-
*Nicolas Cavigneaux*
|
301
|
-
|
302
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
303
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
304
|
-
|
305
|
-
status, headers, body = response
|
306
|
-
|
307
|
-
But it also means `response + response` works and `[response].flatten`
|
308
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
309
|
-
explicit conversion and splatting with `#to_a`:
|
310
|
-
|
311
|
-
status, header, body = *response
|
312
|
-
|
313
|
-
*Jeremy Kemper*
|
314
|
-
|
315
|
-
* Don't rescue `IPAddr::InvalidAddressError`.
|
316
|
-
|
317
|
-
`IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
|
318
|
-
and fails for JRuby in 1.9 mode.
|
319
|
-
|
320
|
-
*Peter Suschlik*
|
321
|
-
|
322
|
-
* Fix bug where the router would ignore any constraints added to redirect
|
323
|
-
routes.
|
324
|
-
|
325
|
-
Fixes #16605.
|
326
|
-
|
327
|
-
*Agis Anastasopoulos*
|
328
121
|
|
329
|
-
|
122
|
+
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
330
123
|
|
331
|
-
|
124
|
+
*Steve Hull*
|
332
125
|
|
333
|
-
|
334
|
-
|
126
|
+
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
127
|
+
`ActionController::TestCase` subclasses.
|
335
128
|
|
336
|
-
*
|
129
|
+
*Eugene Kenny*
|
337
130
|
|
338
|
-
*
|
131
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
339
132
|
|
340
|
-
|
341
|
-
HEAD routes. If no match is found, we will then map the HEAD request to
|
342
|
-
GET routes.
|
133
|
+
Fixes #32597.
|
343
134
|
|
344
|
-
*
|
135
|
+
*Andrey Novikov*, *Andrew White*
|
345
136
|
|
346
|
-
*
|
347
|
-
of gzipped assets on disk. By default a gzip asset will be served if
|
348
|
-
the client supports gzip and a compressed file is on disk.
|
137
|
+
* Only disable GPUs for headless Chrome on Windows.
|
349
138
|
|
350
|
-
|
139
|
+
It is not necessary anymore for Linux and macOS machines.
|
351
140
|
|
352
|
-
|
353
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
354
|
-
that is not available on `ActionController::Parameters` you should consider
|
355
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
141
|
+
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
356
142
|
|
357
|
-
*
|
143
|
+
*Stefan Wrobel*
|
358
144
|
|
359
|
-
*
|
360
|
-
keys removed. This change is to reflect on a security concern where some
|
361
|
-
method performed on an `ActionController::Parameters` may yield a `Hash`
|
362
|
-
object which does not maintain `permitted?` status. If you would like to
|
363
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
364
|
-
before calling `#to_h`.
|
145
|
+
* Fix system tests transactions not closed between examples.
|
365
146
|
|
366
|
-
|
367
|
-
name: 'Senjougahara Hitagi',
|
368
|
-
oddity: 'Heavy stone crab'
|
369
|
-
})
|
370
|
-
params.to_h
|
371
|
-
# => {}
|
147
|
+
*Sergey Tarasov*
|
372
148
|
|
373
|
-
unsafe_params = params.dup.permit!
|
374
|
-
unsafe_params.to_h
|
375
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
376
149
|
|
377
|
-
|
378
|
-
safe_params.to_h
|
379
|
-
# => {"name"=>"Senjougahara Hitagi"}
|
150
|
+
## Rails 5.2.0 (April 09, 2018) ##
|
380
151
|
|
381
|
-
|
382
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
383
|
-
in the next minor release.
|
152
|
+
* Check exclude before flagging cookies as secure.
|
384
153
|
|
385
|
-
*
|
154
|
+
*Catherine Khuu*
|
386
155
|
|
387
|
-
*
|
156
|
+
* Always yield a CSP policy instance from `content_security_policy`
|
388
157
|
|
389
|
-
|
158
|
+
This allows a controller action to enable the policy individually
|
159
|
+
for a controller and/or specific actions.
|
390
160
|
|
391
|
-
*
|
392
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
393
|
-
cookies by defining the `#as_json` hook on such objects.
|
161
|
+
*Andrew White*
|
394
162
|
|
395
|
-
|
163
|
+
* Add the ability to disable the global CSP in a controller, e.g:
|
396
164
|
|
397
|
-
|
165
|
+
class LegacyPagesController < ApplicationController
|
166
|
+
content_security_policy false, only: :index
|
167
|
+
end
|
398
168
|
|
399
|
-
*
|
400
|
-
digest. The default remains the same - 'SHA1'.
|
169
|
+
*Andrew White*
|
401
170
|
|
402
|
-
|
171
|
+
* Add alias method `to_hash` to `to_h` for `cookies`.
|
172
|
+
Add alias method `to_h` to `to_hash` for `session`.
|
403
173
|
|
404
|
-
*
|
405
|
-
the `responders` gem.
|
174
|
+
*Igor Kasyanchuk*
|
406
175
|
|
407
|
-
|
176
|
+
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
177
|
+
to meet the minimum max-age requirement for https://hstspreload.org/.
|
408
178
|
|
409
|
-
*
|
179
|
+
*Grant Bourque*
|
410
180
|
|
411
|
-
|
412
|
-
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
|
413
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
414
|
-
This makes it easy to HTTP-cache many more of your actions.
|
181
|
+
* Add support for automatic nonce generation for Rails UJS.
|
415
182
|
|
416
|
-
|
417
|
-
|
183
|
+
Because the UJS library creates a script tag to process responses it
|
184
|
+
normally requires the script-src attribute of the content security
|
185
|
+
policy to include 'unsafe-inline'.
|
418
186
|
|
419
|
-
|
187
|
+
To work around this we generate a per-request nonce value that is
|
188
|
+
embedded in a meta tag in a similar fashion to how CSRF protection
|
189
|
+
embeds its token in a meta tag. The UJS library can then read the
|
190
|
+
nonce value and set it on the dynamically generated script tag to
|
191
|
+
enable it to execute without needing 'unsafe-inline' enabled.
|
420
192
|
|
421
|
-
|
193
|
+
Nonce generation isn't 100% safe - if your script tag is including
|
194
|
+
user generated content in someway then it may be possible to exploit
|
195
|
+
an XSS vulnerability which can take advantage of the nonce. It is
|
196
|
+
however an improvement on a blanket permission for inline scripts.
|
422
197
|
|
423
|
-
|
198
|
+
It is also possible to use the nonce within your own script tags by
|
199
|
+
using `nonce: true` to set the nonce value on the tag, e.g
|
424
200
|
|
425
|
-
|
201
|
+
<%= javascript_tag nonce: true do %>
|
202
|
+
alert('Hello, World!');
|
203
|
+
<% end %>
|
426
204
|
|
427
|
-
|
428
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
205
|
+
Fixes #31689.
|
429
206
|
|
430
|
-
*
|
207
|
+
*Andrew White*
|
431
208
|
|
432
|
-
*
|
209
|
+
* Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
|
433
210
|
|
434
|
-
|
211
|
+
Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
|
435
212
|
|
436
|
-
|
437
|
-
|
213
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
214
|
+
def index
|
215
|
+
params.each do |name|
|
216
|
+
puts name
|
217
|
+
end
|
218
|
+
end
|
438
219
|
|
439
|
-
|
220
|
+
# Prints
|
221
|
+
# param
|
222
|
+
# param_two
|
440
223
|
|
441
|
-
|
442
|
-
loopback address.
|
224
|
+
In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
|
443
225
|
|
444
|
-
|
226
|
+
To fix the code above simply change as per example below:
|
445
227
|
|
446
|
-
|
447
|
-
|
228
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
229
|
+
def index
|
230
|
+
params.each do |name, value|
|
231
|
+
puts name
|
232
|
+
end
|
233
|
+
end
|
448
234
|
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
available to any custom exceptions_app. The original `PATH_INFO` is now
|
453
|
-
stashed in `env["action_dispatch.original_path"]`.
|
235
|
+
# Prints
|
236
|
+
# param
|
237
|
+
# param_two
|
454
238
|
|
455
|
-
*
|
239
|
+
*Dominic Cleal*
|
456
240
|
|
457
|
-
*
|
458
|
-
overflow.
|
241
|
+
* Add `Referrer-Policy` header to default headers set.
|
459
242
|
|
460
|
-
*
|
243
|
+
*Guillermo Iguaran*
|
461
244
|
|
462
|
-
*
|
463
|
-
|
245
|
+
* Changed the system tests to set Puma as default server only when the
|
246
|
+
user haven't specified manually another server.
|
464
247
|
|
465
|
-
|
466
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
467
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
468
|
-
longer necessary.
|
248
|
+
*Guillermo Iguaran*
|
469
249
|
|
470
|
-
|
250
|
+
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
|
251
|
+
default headers set.
|
471
252
|
|
472
|
-
|
253
|
+
*Guillermo Iguaran*
|
473
254
|
|
474
|
-
|
255
|
+
* Add headless firefox support to System Tests.
|
475
256
|
|
476
|
-
*
|
477
|
-
("Rosetta Flash").
|
257
|
+
*bogdanvlviv*
|
478
258
|
|
479
|
-
|
259
|
+
* Changed the default system test screenshot output from `inline` to `simple`.
|
480
260
|
|
481
|
-
|
482
|
-
the
|
483
|
-
|
484
|
-
|
261
|
+
`inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
|
262
|
+
Terminal.app ignore the `inline` and output the path to the file since it can't
|
263
|
+
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
264
|
+
inline, but also don't handle it gracefully and instead of outputting the file
|
265
|
+
path, it dumps binary into the terminal.
|
485
266
|
|
486
|
-
|
267
|
+
Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
|
487
268
|
|
488
|
-
*
|
269
|
+
*Eileen M. Uchitelle*
|
489
270
|
|
490
|
-
*
|
271
|
+
* Register most popular audio/video/font mime types supported by modern browsers.
|
491
272
|
|
492
|
-
|
273
|
+
*Guillermo Iguaran*
|
493
274
|
|
494
|
-
|
275
|
+
* Fix optimized url helpers when using relative url root.
|
495
276
|
|
496
|
-
|
497
|
-
when rendering through a `respond_to` block.
|
277
|
+
Fixes #31220.
|
498
278
|
|
499
|
-
|
279
|
+
*Andrew White*
|
500
280
|
|
501
|
-
|
281
|
+
* Add DSL for configuring Content-Security-Policy header.
|
502
282
|
|
503
|
-
|
504
|
-
|
505
|
-
|
283
|
+
The DSL allows you to configure a global Content-Security-Policy
|
284
|
+
header and then override within a controller. For more information
|
285
|
+
about the Content-Security-Policy header see MDN:
|
506
286
|
|
507
|
-
|
287
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
508
288
|
|
509
|
-
|
289
|
+
Example global policy:
|
510
290
|
|
511
|
-
|
291
|
+
# config/initializers/content_security_policy.rb
|
292
|
+
Rails.application.config.content_security_policy do |p|
|
293
|
+
p.default_src :self, :https
|
294
|
+
p.font_src :self, :https, :data
|
295
|
+
p.img_src :self, :https, :data
|
296
|
+
p.object_src :none
|
297
|
+
p.script_src :self, :https
|
298
|
+
p.style_src :self, :https, :unsafe_inline
|
299
|
+
end
|
512
300
|
|
513
|
-
|
301
|
+
Example controller overrides:
|
514
302
|
|
515
|
-
|
303
|
+
# Override policy inline
|
304
|
+
class PostsController < ApplicationController
|
305
|
+
content_security_policy do |p|
|
306
|
+
p.upgrade_insecure_requests true
|
307
|
+
end
|
308
|
+
end
|
516
309
|
|
517
|
-
|
310
|
+
# Using literal values
|
311
|
+
class PostsController < ApplicationController
|
312
|
+
content_security_policy do |p|
|
313
|
+
p.base_uri "https://www.example.com"
|
314
|
+
end
|
315
|
+
end
|
518
316
|
|
519
|
-
|
317
|
+
# Using mixed static and dynamic values
|
318
|
+
class PostsController < ApplicationController
|
319
|
+
content_security_policy do |p|
|
320
|
+
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
321
|
+
end
|
322
|
+
end
|
520
323
|
|
521
|
-
|
522
|
-
|
324
|
+
Allows you to also only report content violations for migrating
|
325
|
+
legacy content using the `content_security_policy_report_only`
|
326
|
+
configuration attribute, e.g;
|
523
327
|
|
524
|
-
|
328
|
+
# config/initializers/content_security_policy.rb
|
329
|
+
Rails.application.config.content_security_policy_report_only = true
|
525
330
|
|
526
|
-
|
331
|
+
# controller override
|
332
|
+
class PostsController < ApplicationController
|
333
|
+
content_security_policy_report_only only: :index
|
334
|
+
end
|
527
335
|
|
528
|
-
|
529
|
-
|
336
|
+
Note that this feature does not validate the header for performance
|
337
|
+
reasons since the header is calculated at runtime.
|
530
338
|
|
531
|
-
*
|
339
|
+
*Andrew White*
|
532
340
|
|
533
|
-
*
|
534
|
-
application. Use of a symbol should be replaced with `action: symbol`.
|
535
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
341
|
+
* Make `assert_recognizes` to traverse mounted engines.
|
536
342
|
|
537
|
-
*
|
343
|
+
*Yuichiro Kaneko*
|
538
344
|
|
539
|
-
*
|
540
|
-
a trailing slash after `.:format`
|
345
|
+
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
541
346
|
|
542
|
-
*
|
347
|
+
*Rafael Mendonça França*
|
543
348
|
|
544
|
-
*
|
545
|
-
performance reasons. One consequence of this is that the leading slash
|
546
|
-
is now required in integration test `process` helpers, whereas previously
|
547
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
548
|
-
of the implementation and was never an intentional feature.
|
349
|
+
* Add `:allow_other_host` option to `redirect_back` method.
|
549
350
|
|
550
|
-
|
351
|
+
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
352
|
+
different host. `allow_other_host` is `true` by default.
|
551
353
|
|
552
|
-
*
|
553
|
-
called 'status' in a controller.
|
354
|
+
*Tim Masliuchenko*
|
554
355
|
|
555
|
-
|
356
|
+
* Add headless chrome support to System Tests.
|
556
357
|
|
557
|
-
*
|
358
|
+
*Yuji Yaginuma*
|
558
359
|
|
559
|
-
* Add
|
360
|
+
* Add ability to enable Early Hints for HTTP/2
|
560
361
|
|
561
|
-
|
362
|
+
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
562
363
|
|
563
|
-
|
364
|
+
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
564
365
|
|
565
|
-
|
566
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
567
|
-
e.g. the fragment cache hit rates for each controller action.
|
366
|
+
*Eileen M. Uchitelle*, *Aaron Patterson*
|
568
367
|
|
569
|
-
|
368
|
+
* Simplify cookies middleware with key rotation support
|
570
369
|
|
571
|
-
|
370
|
+
Use the `rotate` method for both `MessageEncryptor` and
|
371
|
+
`MessageVerifier` to add key rotation support for encrypted and
|
372
|
+
signed cookies. This also helps simplify support for legacy cookie
|
373
|
+
security.
|
572
374
|
|
573
|
-
|
375
|
+
*Michael J Coyne*
|
574
376
|
|
575
|
-
|
377
|
+
* Use Capybara registered `:puma` server config.
|
576
378
|
|
577
|
-
|
578
|
-
and
|
379
|
+
The Capybara registered `:puma` server ensures the puma server is run in process so
|
380
|
+
connection sharing and open request detection work correctly by default.
|
579
381
|
|
580
|
-
|
382
|
+
*Thomas Walpole*
|
581
383
|
|
582
|
-
|
384
|
+
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
583
385
|
|
584
|
-
|
585
|
-
|
586
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
587
|
-
when setting up the routes.
|
386
|
+
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
387
|
+
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
588
388
|
|
589
|
-
|
389
|
+
Pull Request: #30121
|
590
390
|
|
591
|
-
*
|
592
|
-
purposes of remote IP detection. Also handle uppercase private IPv6
|
593
|
-
addresses.
|
391
|
+
*Assain Jaleel*
|
594
392
|
|
595
|
-
|
393
|
+
* Enforce signed/encrypted cookie expiry server side.
|
596
394
|
|
597
|
-
|
395
|
+
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
598
396
|
|
599
|
-
|
397
|
+
It does so by stashing the expiry within the written cookie and relying on the
|
398
|
+
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
399
|
+
server-side read, the expiry is verified and any expired cookie is discarded.
|
600
400
|
|
601
|
-
|
602
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
603
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
401
|
+
Pull Request: #30121
|
604
402
|
|
605
|
-
|
606
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
403
|
+
*Assain Jaleel*
|
607
404
|
|
608
|
-
|
405
|
+
* Make `take_failed_screenshot` work within engine.
|
609
406
|
|
610
|
-
|
407
|
+
Fixes #30405.
|
611
408
|
|
612
|
-
*
|
409
|
+
*Yuji Yaginuma*
|
613
410
|
|
614
|
-
|
615
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
616
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
617
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
411
|
+
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
618
412
|
|
619
|
-
|
620
|
-
|
621
|
-
|
622
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
413
|
+
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
414
|
+
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
415
|
+
use the response helpers provided by `Rack::Response`.
|
623
416
|
|
624
|
-
|
417
|
+
*Trevor Wistaff*
|
625
418
|
|
626
|
-
|
419
|
+
* Protect from forgery by default
|
627
420
|
|
628
|
-
|
629
|
-
`
|
421
|
+
Rather than protecting from forgery in the generated `ApplicationController`,
|
422
|
+
add it to `ActionController::Base` depending on
|
423
|
+
`config.action_controller.default_protect_from_forgery`. This configuration
|
424
|
+
defaults to false to support older versions which have removed it from their
|
425
|
+
`ApplicationController`, but is set to true for Rails 5.2.
|
630
426
|
|
631
|
-
*
|
427
|
+
*Lisa Ugray*
|
632
428
|
|
633
|
-
*
|
634
|
-
format block.
|
429
|
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
635
430
|
|
636
|
-
|
431
|
+
*Kir Shatrov*
|
637
432
|
|
638
|
-
|
433
|
+
* `driven_by` now registers poltergeist and capybara-webkit.
|
639
434
|
|
640
|
-
|
435
|
+
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
436
|
+
`driven_by` will register the driver and set additional options passed via
|
437
|
+
the `:options` parameter.
|
641
438
|
|
642
|
-
|
439
|
+
Refer to the respective driver's documentation to see what options can be passed.
|
643
440
|
|
644
|
-
*
|
441
|
+
*Mario Chavez*
|
645
442
|
|
646
|
-
|
443
|
+
* AEAD encrypted cookies and sessions with GCM.
|
647
444
|
|
648
|
-
|
445
|
+
Encrypted cookies now use AES-GCM which couples authentication and
|
446
|
+
encryption in one faster step and produces shorter ciphertexts. Cookies
|
447
|
+
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
448
|
+
this new mode is enabled via the
|
449
|
+
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
649
450
|
|
650
|
-
*
|
451
|
+
*Michael J Coyne*
|
651
452
|
|
652
|
-
|
453
|
+
* Change the cache key format for fragments to make it easier to debug key churn. The new format is:
|
653
454
|
|
654
|
-
|
655
|
-
|
455
|
+
views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
|
456
|
+
^template path ^template tree digest ^class ^id
|
656
457
|
|
657
|
-
|
458
|
+
*DHH*
|
658
459
|
|
659
|
-
|
460
|
+
* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
|
461
|
+
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
462
|
+
to support it.
|
660
463
|
|
661
|
-
*
|
662
|
-
we need to check if we're not inside a nested scope before copying the :path
|
663
|
-
and :as options to their shallow equivalents.
|
464
|
+
*DHH*
|
664
465
|
|
665
|
-
|
466
|
+
* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
|
666
467
|
|
667
|
-
|
468
|
+
`ActionController::Base` and `ActionController::API` have differing implementations. This means that
|
469
|
+
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
470
|
+
may not exist in a certain implementation.
|
668
471
|
|
669
|
-
|
670
|
-
`log_warning_on_csrf_failure` configuration setting in
|
671
|
-
`ActionController::RequestForgeryProtection`.
|
472
|
+
This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
|
672
473
|
|
673
|
-
|
474
|
+
Fixes #27013.
|
674
475
|
|
675
|
-
*
|
676
|
-
`default_url_options` methods.
|
476
|
+
*Julian Nadeau*
|
677
477
|
|
678
|
-
*Tony Wooster*
|
679
478
|
|
680
|
-
Please check [
|
479
|
+
Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
|