actionpack 4.2.11.1 → 6.1.3.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +291 -489
- data/MIT-LICENSE +1 -1
- data/README.rdoc +9 -9
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +81 -51
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +64 -17
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +61 -33
- data/lib/abstract_controller/collector.rb +9 -13
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +115 -99
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +21 -3
- data/lib/abstract_controller/rendering.rb +48 -47
- data/lib/abstract_controller/translation.rb +17 -8
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +13 -5
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +150 -0
- data/lib/action_controller/base.rb +29 -24
- data/lib/action_controller/caching.rb +12 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +17 -19
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +134 -46
- data/lib/action_controller/metal/content_security_policy.rb +51 -0
- data/lib/action_controller/metal/cookies.rb +6 -4
- data/lib/action_controller/metal/data_streaming.rb +30 -50
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +21 -16
- data/lib/action_controller/metal/exceptions.rb +63 -15
- data/lib/action_controller/metal/flash.rb +9 -8
- data/lib/action_controller/metal/head.rb +26 -21
- data/lib/action_controller/metal/helpers.rb +37 -18
- data/lib/action_controller/metal/http_authentication.rb +81 -73
- data/lib/action_controller/metal/implicit_render.rb +53 -9
- data/lib/action_controller/metal/instrumentation.rb +32 -35
- data/lib/action_controller/metal/live.rb +102 -120
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +49 -47
- data/lib/action_controller/metal/parameter_encoding.rb +82 -0
- data/lib/action_controller/metal/params_wrapper.rb +83 -66
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +53 -32
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +77 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +267 -103
- data/lib/action_controller/metal/rescue.rb +10 -17
- data/lib/action_controller/metal/streaming.rb +12 -11
- data/lib/action_controller/metal/strong_parameters.rb +714 -186
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/metal.rb +104 -87
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +3 -1
- data/lib/action_controller/renderer.rb +141 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +296 -422
- data/lib/action_controller.rb +34 -23
- data/lib/action_dispatch/http/cache.rb +107 -56
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +286 -0
- data/lib/action_dispatch/http/filter_parameters.rb +32 -25
- data/lib/action_dispatch/http/filter_redirect.rb +10 -12
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +79 -51
- data/lib/action_dispatch/http/mime_type.rb +153 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameters.rb +90 -40
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +226 -121
- data/lib/action_dispatch/http/response.rb +248 -113
- data/lib/action_dispatch/http/upload.rb +21 -7
- data/lib/action_dispatch/http/url.rb +182 -100
- data/lib/action_dispatch/journey/formatter.rb +90 -43
- data/lib/action_dispatch/journey/gtg/builder.rb +28 -41
- data/lib/action_dispatch/journey/gtg/simulator.rb +11 -16
- data/lib/action_dispatch/journey/gtg/transition_table.rb +23 -21
- data/lib/action_dispatch/journey/nfa/dot.rb +3 -14
- data/lib/action_dispatch/journey/nodes/node.rb +29 -15
- data/lib/action_dispatch/journey/parser.rb +17 -16
- data/lib/action_dispatch/journey/parser.y +4 -3
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +58 -54
- data/lib/action_dispatch/journey/route.rb +100 -32
- data/lib/action_dispatch/journey/router/utils.rb +29 -18
- data/lib/action_dispatch/journey/router.rb +55 -51
- data/lib/action_dispatch/journey/routes.rb +17 -17
- data/lib/action_dispatch/journey/scanner.rb +26 -17
- data/lib/action_dispatch/journey/visitors.rb +98 -54
- data/lib/action_dispatch/journey.rb +5 -5
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
- data/lib/action_dispatch/middleware/callbacks.rb +3 -6
- data/lib/action_dispatch/middleware/cookies.rb +347 -217
- data/lib/action_dispatch/middleware/debug_exceptions.rb +135 -63
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/debug_view.rb +66 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +115 -71
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/host_authorization.rb +130 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +32 -27
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +53 -45
- data/lib/action_dispatch/middleware/request_id.rb +17 -10
- data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -26
- data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
- data/lib/action_dispatch/middleware/session/cookie_store.rb +74 -75
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +28 -23
- data/lib/action_dispatch/middleware/ssl.rb +118 -35
- data/lib/action_dispatch/middleware/stack.rb +82 -41
- data/lib/action_dispatch/middleware/static.rb +156 -89
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -14
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +15 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +105 -8
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +87 -64
- data/lib/action_dispatch/railtie.rb +27 -13
- data/lib/action_dispatch/request/session.rb +109 -61
- data/lib/action_dispatch/request/utils.rb +90 -23
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +141 -102
- data/lib/action_dispatch/routing/mapper.rb +811 -473
- data/lib/action_dispatch/routing/polymorphic_routes.rb +167 -143
- data/lib/action_dispatch/routing/redirection.rb +37 -27
- data/lib/action_dispatch/routing/route_set.rb +363 -331
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +66 -26
- data/lib/action_dispatch/routing.rb +36 -36
- data/lib/action_dispatch/system_test_case.rb +190 -0
- data/lib/action_dispatch/system_testing/browser.rb +86 -0
- data/lib/action_dispatch/system_testing/driver.rb +67 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +138 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +29 -0
- data/lib/action_dispatch/testing/assertion_response.rb +46 -0
- data/lib/action_dispatch/testing/assertions/response.rb +44 -22
- data/lib/action_dispatch/testing/assertions/routing.rb +47 -31
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/integration.rb +391 -220
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +53 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +11 -11
- data/lib/action_dispatch.rb +35 -21
- data/lib/action_pack/gem_version.rb +6 -4
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +4 -2
- metadata +78 -48
- data/lib/action_controller/metal/force_ssl.rb +0 -97
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/http/parameter_filter.rb +0 -72
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
data/CHANGELOG.md
CHANGED
@@ -1,680 +1,482 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
## Rails 4.2.11 (November 27, 2018) ##
|
7
|
-
|
8
|
-
* No changes.
|
9
|
-
|
10
|
-
|
11
|
-
## Rails 4.2.10 (September 27, 2017) ##
|
12
|
-
|
13
|
-
* Fix regression in behavior of `normalize_path`.
|
3
|
+
* Prevent open redirects by correctly escaping the host allow list
|
4
|
+
CVE-2021-22903
|
14
5
|
|
15
|
-
|
16
|
-
|
17
|
-
caused a regression.
|
6
|
+
* Prevent catastrophic backtracking during mime parsing
|
7
|
+
CVE-2021-22902
|
18
8
|
|
19
|
-
|
9
|
+
* Prevent regex DoS in HTTP token authentication
|
10
|
+
CVE-2021-22904
|
20
11
|
|
21
|
-
|
22
|
-
|
23
|
-
* Use more specific check for :format in route path
|
24
|
-
|
25
|
-
The current check for whether to add an optional format to the path is very lax
|
26
|
-
and will match things like `:format_id` where there are nested resources, e.g:
|
27
|
-
|
28
|
-
``` ruby
|
29
|
-
resources :formats do
|
30
|
-
resources :items
|
31
|
-
end
|
32
|
-
```
|
33
|
-
|
34
|
-
Fix this by using a more restrictive regex pattern that looks for the patterns
|
35
|
-
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
36
|
-
allow for multiple closing parenthesis since the route may be of this form:
|
37
|
-
|
38
|
-
``` ruby
|
39
|
-
get "/books(/:action(.:format))", controller: "books"
|
40
|
-
```
|
12
|
+
* Prevent string polymorphic route arguments.
|
41
13
|
|
42
|
-
|
43
|
-
|
14
|
+
`url_for` supports building polymorphic URLs via an array
|
15
|
+
of arguments (usually symbols and records). If a developer passes a
|
16
|
+
user input array, strings can result in unwanted route helper calls.
|
44
17
|
|
45
|
-
|
18
|
+
CVE-2021-22885
|
46
19
|
|
47
|
-
*
|
20
|
+
*Gannon McGibbon*
|
48
21
|
|
49
|
-
|
50
|
-
## Rails 4.2.8 (February 21, 2017) ##
|
51
|
-
|
52
|
-
* No changes.
|
53
|
-
|
54
|
-
|
55
|
-
## Rails 4.2.7 (July 12, 2016) ##
|
22
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
56
23
|
|
57
24
|
* No changes.
|
58
25
|
|
59
26
|
|
60
|
-
## Rails
|
61
|
-
|
62
|
-
* No changes.
|
63
|
-
|
27
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
64
28
|
|
65
|
-
|
66
|
-
|
67
|
-
* Do not allow render with unpermitted parameter.
|
68
|
-
|
69
|
-
Fixes CVE-2016-2098.
|
70
|
-
|
71
|
-
*Arthur Neves*
|
72
|
-
|
73
|
-
|
74
|
-
## Rails 4.2.5.1 (January 25, 2015) ##
|
75
|
-
|
76
|
-
* No changes.
|
29
|
+
* Re-define routes when not set correctly via inheritance.
|
77
30
|
|
31
|
+
*John Hawthorn*
|
78
32
|
|
79
|
-
## Rails 4.2.5 (November 12, 2015) ##
|
80
33
|
|
81
|
-
|
82
|
-
early in the `setup` chain.
|
34
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
83
35
|
|
84
|
-
|
36
|
+
* Prevent open redirect when allowed host starts with a dot
|
85
37
|
|
86
|
-
|
38
|
+
[CVE-2021-22881]
|
87
39
|
|
88
|
-
|
40
|
+
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
41
|
+
issue and the patch!
|
89
42
|
|
90
|
-
*
|
91
|
-
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
92
|
-
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
93
|
-
|
94
|
-
Fixes #20920. Fixes #21459.
|
95
|
-
|
96
|
-
*Matthew Erhard*
|
97
|
-
|
98
|
-
* `url_for` does not modify its arguments when generating polymorphic URLs.
|
99
|
-
|
100
|
-
*Bernerd Schaefer*
|
101
|
-
|
102
|
-
* Update `ActionController::TestSession#fetch` to behave more like
|
103
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
104
|
-
|
105
|
-
*Jeremy Friesen*
|
106
|
-
|
107
|
-
|
108
|
-
## Rails 4.2.4 (August 24, 2015) ##
|
109
|
-
|
110
|
-
* ActionController::TestSession now accepts a default value as well as
|
111
|
-
a block for generating a default value based off the key provided.
|
112
|
-
|
113
|
-
This fixes calls to session#fetch in ApplicationController instances that
|
114
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
115
|
-
number of arguments (2 for 1)` when performing controller tests.
|
116
|
-
|
117
|
-
*Matthew Gerrior*
|
118
|
-
|
119
|
-
* Fix to keep original header instance in `ActionDispatch::SSL`
|
120
|
-
|
121
|
-
`ActionDispatch::SSL` changes headers to `Hash`.
|
122
|
-
So some headers will be broken if there are some middlewares
|
123
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
124
|
-
|
125
|
-
*Fumiaki Matsushima*
|
126
|
-
|
127
|
-
|
128
|
-
## Rails 4.2.3 (June 25, 2015) ##
|
129
|
-
|
130
|
-
* Fix rake routes not showing the right format when
|
131
|
-
nesting multiple routes.
|
132
|
-
|
133
|
-
See #18373.
|
134
|
-
|
135
|
-
*Ravil Bayramgalin*
|
136
|
-
|
137
|
-
* Fix regression where a gzip file response would have a Content-type,
|
138
|
-
even when it was a 304 status code.
|
139
|
-
|
140
|
-
See #19271.
|
141
|
-
|
142
|
-
*Kohei Suzuki*
|
143
|
-
|
144
|
-
* Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
|
145
|
-
|
146
|
-
Previously, an empty X_FORWARDED_HOST header would cause
|
147
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
148
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
43
|
+
*Aaron Patterson*
|
149
44
|
|
150
|
-
*Adam Forsyth*
|
151
45
|
|
152
|
-
|
46
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
153
47
|
|
154
|
-
|
155
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
156
|
-
is set, it takes precedence.
|
48
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
157
49
|
|
158
|
-
|
50
|
+
*Janko Marohnić*
|
159
51
|
|
160
|
-
|
52
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
161
53
|
|
162
|
-
*
|
163
|
-
assigned.
|
54
|
+
*Eugene Kenny*
|
164
55
|
|
165
|
-
See #18423.
|
166
56
|
|
167
|
-
|
57
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
168
58
|
|
59
|
+
* Fix nil translation key lookup in controllers/
|
169
60
|
|
170
|
-
|
61
|
+
*Jan Klimo*
|
171
62
|
|
172
|
-
*
|
63
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
173
64
|
|
65
|
+
*Alex Robbin*
|
174
66
|
|
175
|
-
|
67
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
176
68
|
|
177
|
-
*
|
178
|
-
the masked token.
|
69
|
+
*Alex Robbin*
|
179
70
|
|
180
|
-
*Ville Lautanala*
|
181
71
|
|
182
|
-
|
72
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
183
73
|
|
184
|
-
|
185
|
-
|
74
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
75
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
186
76
|
|
187
|
-
Example:
|
188
77
|
```ruby
|
189
|
-
|
190
|
-
|
191
|
-
|
78
|
+
Rails.application.config.permissions_policy do |p|
|
79
|
+
p.camera :none
|
80
|
+
p.gyroscope :none
|
81
|
+
p.microphone :none
|
82
|
+
p.usb :none
|
83
|
+
p.fullscreen :self
|
84
|
+
p.payment :self, "https://secure-example.com"
|
192
85
|
end
|
193
|
-
head '/home'
|
194
|
-
assert_response :success
|
195
86
|
```
|
196
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
197
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
198
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
199
|
-
|
200
|
-
*Terence Sun*
|
201
|
-
|
202
|
-
* Preserve default format when generating URLs
|
203
87
|
|
204
|
-
|
205
|
-
lost when generating URLs with fewer positional arguments than parameters in
|
206
|
-
the route definition.
|
88
|
+
*Julien Grillot*
|
207
89
|
|
208
|
-
|
90
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
209
91
|
|
210
|
-
|
92
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
211
93
|
|
212
|
-
*
|
213
|
-
the test response.
|
94
|
+
*Chris Bisnett*
|
214
95
|
|
215
|
-
|
96
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
97
|
+
the unique X-Request-Id header
|
216
98
|
|
217
|
-
*
|
99
|
+
*Arlston Fernandes*
|
218
100
|
|
219
|
-
|
220
|
-
payload data is not available.
|
101
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
221
102
|
|
222
|
-
|
223
|
-
* #14903
|
224
|
-
* https://github.com/roidrage/lograge/issues/37
|
225
|
-
|
226
|
-
*Dieter Komendera*, *Margus Pärt*
|
227
|
-
|
228
|
-
* Correctly rely on the response's status code to handle calls to `head`.
|
229
|
-
|
230
|
-
*Robin Dupret*
|
231
|
-
|
232
|
-
* Using `head` method returns empty response_body instead
|
233
|
-
of returning a single space " ".
|
234
|
-
|
235
|
-
The old behavior was added as a workaround for a bug in an early
|
236
|
-
version of Safari, where the HTTP headers are not returned correctly
|
237
|
-
if the response body has a 0-length. This is been fixed since and
|
238
|
-
the workaround is no longer necessary.
|
239
|
-
|
240
|
-
Fixes #18253.
|
241
|
-
|
242
|
-
*Prathamesh Sonpatki*
|
243
|
-
|
244
|
-
* Fix how polymorphic routes works with objects that implement `to_model`.
|
245
|
-
|
246
|
-
*Travis Grathwell*
|
247
|
-
|
248
|
-
* Fixed handling of positional url helper arguments when `format: false`.
|
249
|
-
|
250
|
-
Fixes #17819.
|
251
|
-
|
252
|
-
*Andrew White*, *Tatiana Soukiassian*
|
253
|
-
|
254
|
-
* Fixed usage of optional scopes in URL helpers.
|
255
|
-
|
256
|
-
*Alex Robbin*
|
257
|
-
|
258
|
-
|
259
|
-
## Rails 4.2.0 (December 20, 2014) ##
|
260
|
-
|
261
|
-
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
262
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
263
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
264
|
-
object in Rails 5.0.
|
265
|
-
|
266
|
-
*Prem Sichanugrist*
|
267
|
-
|
268
|
-
* Restore handling of a bare `Authorization` header, without `token=`
|
269
|
-
prefix.
|
270
|
-
|
271
|
-
Fixes #17108.
|
272
|
-
|
273
|
-
*Guo Xiang Tan*
|
274
|
-
|
275
|
-
* Deprecate use of string keys in URL helpers.
|
276
|
-
|
277
|
-
Use symbols instead.
|
278
|
-
Fixes #16958.
|
279
|
-
|
280
|
-
*Byron Bischoff*, *Melanie Gilman*
|
281
|
-
|
282
|
-
* Deprecate the `only_path` option on `*_path` helpers.
|
283
|
-
|
284
|
-
In cases where this option is set to `true`, the option is redundant and can
|
285
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
286
|
-
used instead.
|
287
|
-
|
288
|
-
Fixes #17294.
|
289
|
-
|
290
|
-
*Dan Olson*, *Godfrey Chan*
|
291
|
-
|
292
|
-
* Improve Journey compliance to RFC 3986.
|
293
|
-
|
294
|
-
The scanner in Journey failed to recognize routes that use literals
|
295
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
296
|
-
authorized delimiters and route as expected.
|
297
|
-
|
298
|
-
Fixes #17212.
|
299
|
-
|
300
|
-
*Nicolas Cavigneaux*
|
301
|
-
|
302
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
303
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
304
|
-
|
305
|
-
status, headers, body = response
|
103
|
+
*Rafael Mendonça França*
|
306
104
|
|
307
|
-
|
308
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
309
|
-
explicit conversion and splatting with `#to_a`:
|
105
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
310
106
|
|
311
|
-
|
107
|
+
*Rafael Mendonça França*
|
312
108
|
|
313
|
-
|
109
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
314
110
|
|
315
|
-
*
|
111
|
+
*Rafael Mendonça França*
|
316
112
|
|
317
|
-
|
318
|
-
and fails for JRuby in 1.9 mode.
|
113
|
+
* Added support for exclusive no-store Cache-Control header.
|
319
114
|
|
320
|
-
|
115
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
321
116
|
|
322
|
-
*
|
323
|
-
routes.
|
117
|
+
*Chris Kruger*
|
324
118
|
|
325
|
-
|
119
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
326
120
|
|
327
|
-
|
121
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
122
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
328
123
|
|
329
|
-
*
|
124
|
+
*Adrianna Chang*
|
330
125
|
|
331
|
-
|
126
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
332
127
|
|
333
|
-
|
334
|
-
config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
|
128
|
+
*Gannon McGibbon*
|
335
129
|
|
336
|
-
|
130
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
337
131
|
|
338
|
-
*
|
132
|
+
*Alan Tan*, *Oz Ben-David*
|
339
133
|
|
340
|
-
|
341
|
-
|
342
|
-
GET routes.
|
134
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
135
|
+
a 308 redirection.
|
343
136
|
|
344
|
-
*
|
137
|
+
*Alan Tan*
|
345
138
|
|
346
|
-
*
|
347
|
-
|
348
|
-
the client supports gzip and a compressed file is on disk.
|
139
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
140
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
349
141
|
|
350
|
-
*
|
142
|
+
*Jonathan Hefner*
|
351
143
|
|
352
|
-
* `
|
353
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
354
|
-
that is not available on `ActionController::Parameters` you should consider
|
355
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
144
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
356
145
|
|
357
|
-
|
146
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
147
|
+
Brotli files are preferred due to much better compression.
|
358
148
|
|
359
|
-
|
360
|
-
|
361
|
-
|
362
|
-
object which does not maintain `permitted?` status. If you would like to
|
363
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
364
|
-
before calling `#to_h`.
|
149
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
150
|
+
we check for public/some.js.br and serve that file, if present, with
|
151
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
365
152
|
|
366
|
-
|
367
|
-
name: 'Senjougahara Hitagi',
|
368
|
-
oddity: 'Heavy stone crab'
|
369
|
-
})
|
370
|
-
params.to_h
|
371
|
-
# => {}
|
153
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
372
154
|
|
373
|
-
|
374
|
-
unsafe_params.to_h
|
375
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
155
|
+
* Add raise_on_missing_translations support for controllers.
|
376
156
|
|
377
|
-
|
378
|
-
|
379
|
-
|
157
|
+
This configuration determines whether an error should be raised for missing translations.
|
158
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
159
|
+
configuration also affects raising error for missing translations in views.
|
380
160
|
|
381
|
-
|
382
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
383
|
-
in the next minor release.
|
161
|
+
*fatkodima*
|
384
162
|
|
385
|
-
|
163
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
386
164
|
|
387
|
-
*
|
165
|
+
*Eugene Kenny*
|
388
166
|
|
389
|
-
|
167
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
168
|
+
without passing a block now returns an enumerator.
|
390
169
|
|
391
|
-
*
|
392
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
393
|
-
cookies by defining the `#as_json` hook on such objects.
|
170
|
+
*Eugene Kenny*
|
394
171
|
|
395
|
-
|
172
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
396
173
|
|
397
|
-
|
174
|
+
Previously the path had to be relative to `fixture_path`.
|
175
|
+
You can change your existing code as follow:
|
398
176
|
|
399
|
-
|
400
|
-
|
177
|
+
```ruby
|
178
|
+
# Before
|
179
|
+
fixture_file_upload('files/dog.png')
|
401
180
|
|
402
|
-
|
181
|
+
# After
|
182
|
+
fixture_file_upload('dog.png')
|
183
|
+
```
|
403
184
|
|
404
|
-
*
|
405
|
-
the `responders` gem.
|
185
|
+
*Edouard Chin*
|
406
186
|
|
407
|
-
|
187
|
+
* Remove deprecated `force_ssl` at the controller level.
|
408
188
|
|
409
|
-
*
|
189
|
+
*Rafael Mendonça França*
|
410
190
|
|
411
|
-
|
412
|
-
|
413
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
414
|
-
This makes it easy to HTTP-cache many more of your actions.
|
191
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
192
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
415
193
|
|
416
|
-
|
417
|
-
|
194
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
195
|
+
always pass a module object:
|
418
196
|
|
419
|
-
|
197
|
+
```ruby
|
198
|
+
helper UtilsHelper
|
199
|
+
```
|
420
200
|
|
421
|
-
|
201
|
+
which is recommended because it is simple and direct. When a string/symbol
|
202
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
203
|
+
that same module object.
|
422
204
|
|
423
|
-
|
205
|
+
*Xavier Noria*, *Jean Boussier*
|
424
206
|
|
425
|
-
|
207
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
426
208
|
|
427
|
-
*
|
428
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
209
|
+
*Nick Soracco*
|
429
210
|
|
430
|
-
|
211
|
+
* `url_for` will now use "https://" as the default protocol when
|
212
|
+
`Rails.application.config.force_ssl` is set to true.
|
431
213
|
|
432
|
-
*
|
214
|
+
*Jonathan Hefner*
|
433
215
|
|
434
|
-
|
216
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
435
217
|
|
436
|
-
|
437
|
-
|
218
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
219
|
+
them difficult to deal with. For example, the common practice of sending
|
220
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
221
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
438
222
|
|
439
|
-
|
223
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
224
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
225
|
+
for backwards compatibility.
|
440
226
|
|
441
|
-
*
|
442
|
-
loopback address.
|
227
|
+
*Scott Blum*
|
443
228
|
|
444
|
-
|
229
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
445
230
|
|
446
|
-
|
447
|
-
|
231
|
+
In a distributed configuration like rolling update, users may observe
|
232
|
+
both old and new instances during deployment. Users may be served by a
|
233
|
+
new instance and then by an old instance.
|
448
234
|
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
|
453
|
-
stashed in `env["action_dispatch.original_path"]`.
|
235
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
236
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
237
|
+
from `false` to `true`, users may lose their sessions if they access the
|
238
|
+
server during deployment.
|
454
239
|
|
455
|
-
|
240
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
241
|
+
deployment, ensuring compatibility on both old and new instances.
|
456
242
|
|
457
|
-
*
|
458
|
-
overflow.
|
243
|
+
*Masaki Hara*
|
459
244
|
|
460
|
-
|
245
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
461
246
|
|
462
|
-
|
463
|
-
|
247
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
248
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
464
249
|
|
465
|
-
|
466
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
467
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
468
|
-
longer necessary.
|
250
|
+
*Keenan Brock*
|
469
251
|
|
470
|
-
|
252
|
+
* Fix possible information leak / session hijacking vulnerability.
|
471
253
|
|
472
|
-
|
254
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
255
|
+
gem dalli to be updated as well.
|
473
256
|
|
474
|
-
|
257
|
+
CVE-2019-16782.
|
475
258
|
|
476
|
-
*
|
477
|
-
("Rosetta Flash").
|
259
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
478
260
|
|
479
|
-
|
261
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
262
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
263
|
+
from being correctly counted and reported.
|
480
264
|
|
481
|
-
|
482
|
-
|
483
|
-
This essentially replicates the functionality of the monkey patch to
|
484
|
-
URI.parser.unescape in active_support/core_ext/uri.rb.
|
265
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
266
|
+
root session.
|
485
267
|
|
486
|
-
Fixes #
|
268
|
+
Fixes #32142.
|
487
269
|
|
488
|
-
*
|
270
|
+
*Sam Bostock*
|
489
271
|
|
490
|
-
*
|
272
|
+
* Add SameSite protection to every written cookie.
|
491
273
|
|
492
|
-
|
274
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
275
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
493
276
|
|
494
|
-
|
277
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
495
278
|
|
496
|
-
|
497
|
-
when rendering through a `respond_to` block.
|
279
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
498
280
|
|
499
|
-
|
281
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
500
282
|
|
501
|
-
|
283
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
502
284
|
|
503
|
-
|
504
|
-
parameters are permitted globally. The default value of this configuration is
|
505
|
-
`['controller', 'action']`.
|
285
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
506
286
|
|
507
|
-
*
|
287
|
+
*Cédric Fabianski*
|
508
288
|
|
509
|
-
*
|
289
|
+
* Bring back the feature that allows loading external route files from the router.
|
510
290
|
|
511
|
-
|
291
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
292
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
293
|
+
that this wasn't fully the case and loading external route files from the router
|
294
|
+
can be helpful for applications with a really large set of routes.
|
295
|
+
Without this feature, application needs to implement routes reloading
|
296
|
+
themselves and it's not straightforward.
|
512
297
|
|
513
|
-
|
298
|
+
```ruby
|
299
|
+
# config/routes.rb
|
514
300
|
|
515
|
-
|
301
|
+
Rails.application.routes.draw do
|
302
|
+
draw(:admin)
|
303
|
+
end
|
516
304
|
|
517
|
-
|
305
|
+
# config/routes/admin.rb
|
518
306
|
|
519
|
-
|
307
|
+
get :foo, to: 'foo#bar'
|
308
|
+
```
|
520
309
|
|
521
|
-
*
|
522
|
-
recognize token as nil, instead of "token".
|
310
|
+
*Yehuda Katz*, *Edouard Chin*
|
523
311
|
|
524
|
-
|
312
|
+
* Fix system test driver option initialization for non-headless browsers.
|
525
313
|
|
526
|
-
*
|
314
|
+
*glaszig*
|
527
315
|
|
528
|
-
*
|
529
|
-
|
316
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
317
|
+
their payloads as `:request`.
|
530
318
|
|
531
|
-
*
|
319
|
+
*Austin Story*
|
532
320
|
|
533
|
-
*
|
534
|
-
|
535
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
321
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
322
|
+
request format but based on the block given.
|
536
323
|
|
537
|
-
|
324
|
+
Example:
|
538
325
|
|
539
|
-
|
540
|
-
|
326
|
+
```ruby
|
327
|
+
def my_action
|
328
|
+
respond_to do |format|
|
329
|
+
format.any { render(json: { foo: 'bar' }) }
|
330
|
+
end
|
331
|
+
end
|
541
332
|
|
542
|
-
|
333
|
+
get('my_action.csv')
|
334
|
+
```
|
543
335
|
|
544
|
-
|
545
|
-
|
546
|
-
is now required in integration test `process` helpers, whereas previously
|
547
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
548
|
-
of the implementation and was never an intentional feature.
|
336
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
337
|
+
is inaccurate since a JSON response is being rendered.
|
549
338
|
|
550
|
-
|
339
|
+
Now it correctly returns a `application/json` Content-Type.
|
551
340
|
|
552
|
-
*
|
553
|
-
called 'status' in a controller.
|
341
|
+
*Edouard Chin*
|
554
342
|
|
555
|
-
|
343
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
556
344
|
|
557
|
-
|
345
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
346
|
+
nested directory, causing issues with `tmp:clear`.
|
558
347
|
|
559
|
-
*
|
348
|
+
*Damir Zekic*
|
560
349
|
|
561
|
-
|
350
|
+
* Add `params.member?` to mimic Hash behavior.
|
562
351
|
|
563
|
-
*
|
352
|
+
*Younes Serraj*
|
564
353
|
|
565
|
-
|
566
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
567
|
-
e.g. the fragment cache hit rates for each controller action.
|
354
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
568
355
|
|
569
|
-
*
|
356
|
+
* `:request` - the `ActionDispatch::Request`
|
357
|
+
* `:response` - the `ActionDispatch::Response`
|
570
358
|
|
571
|
-
*
|
359
|
+
*George Claghorn*
|
572
360
|
|
573
|
-
|
361
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
362
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
363
|
+
from.
|
574
364
|
|
575
|
-
|
365
|
+
Fixes #37383.
|
576
366
|
|
577
|
-
*
|
578
|
-
and improved tests.
|
367
|
+
*Norm Provost*
|
579
368
|
|
580
|
-
|
369
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
581
370
|
|
582
|
-
|
371
|
+
```ruby
|
372
|
+
# Use the debug level if a particular cookie is set.
|
373
|
+
class ApplicationController < ActionController::Base
|
374
|
+
log_at :debug, if: -> { cookies[:debug] }
|
375
|
+
end
|
376
|
+
```
|
583
377
|
|
584
|
-
*
|
585
|
-
to `:matches?`. Previously, when given an non-complying object, it would just
|
586
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
587
|
-
when setting up the routes.
|
378
|
+
*George Claghorn*
|
588
379
|
|
589
|
-
|
380
|
+
* Allow system test screen shots to be taken more than once in
|
381
|
+
a test by prefixing the file name with an incrementing counter.
|
590
382
|
|
591
|
-
|
592
|
-
|
593
|
-
|
383
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
384
|
+
enable saving of HTML during a screenshot in addition to the image.
|
385
|
+
This uses the same image name, with the extension replaced with `.html`
|
594
386
|
|
595
|
-
|
387
|
+
*Tom Fakes*
|
596
388
|
|
597
|
-
|
389
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
598
390
|
|
599
|
-
|
391
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
392
|
+
header to determine what to return. And if we don't add `Vary`
|
393
|
+
in the response header, browsers might accidentally cache different
|
394
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
395
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
396
|
+
in these types of requests. For more detailed problem description, please read:
|
600
397
|
|
601
|
-
|
602
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
603
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
398
|
+
https://github.com/rails/rails/pull/36213
|
604
399
|
|
605
|
-
|
606
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
400
|
+
Fixes #25842.
|
607
401
|
|
608
|
-
|
402
|
+
*Stan Lo*
|
609
403
|
|
610
|
-
|
404
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
405
|
+
a 307 redirection.
|
611
406
|
|
612
|
-
*
|
407
|
+
*Edouard Chin*
|
613
408
|
|
614
|
-
|
615
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
616
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
617
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
409
|
+
* System tests require Capybara 3.26 or newer.
|
618
410
|
|
619
|
-
|
620
|
-
(e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
|
621
|
-
means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
|
622
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
411
|
+
*George Claghorn*
|
623
412
|
|
624
|
-
|
413
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
625
414
|
|
626
|
-
*
|
415
|
+
*Alberto Fernández-Capel*
|
627
416
|
|
628
|
-
* Add
|
629
|
-
`ActionDispatch::Http::UploadedFile#tempfile`.
|
417
|
+
* Add DSL for configuring HTTP Feature Policy.
|
630
418
|
|
631
|
-
|
419
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
420
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
421
|
+
specification and guidelines can be found at MDN:
|
632
422
|
|
633
|
-
|
634
|
-
format block.
|
423
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
635
424
|
|
636
|
-
|
425
|
+
Example global policy:
|
637
426
|
|
638
|
-
|
427
|
+
```ruby
|
428
|
+
Rails.application.config.feature_policy do |f|
|
429
|
+
f.camera :none
|
430
|
+
f.gyroscope :none
|
431
|
+
f.microphone :none
|
432
|
+
f.usb :none
|
433
|
+
f.fullscreen :self
|
434
|
+
f.payment :self, "https://secure.example.com"
|
435
|
+
end
|
436
|
+
```
|
639
437
|
|
640
|
-
|
438
|
+
Example controller level policy:
|
641
439
|
|
642
|
-
|
440
|
+
```ruby
|
441
|
+
class PagesController < ApplicationController
|
442
|
+
feature_policy do |p|
|
443
|
+
p.geolocation "https://example.com"
|
444
|
+
end
|
445
|
+
end
|
446
|
+
```
|
643
447
|
|
644
|
-
*
|
448
|
+
*Jacob Bednarz*
|
645
449
|
|
646
|
-
|
450
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
647
451
|
|
648
|
-
|
452
|
+
Fixes #35137.
|
649
453
|
|
650
|
-
*
|
454
|
+
*Yuji Yaginuma*
|
651
455
|
|
652
|
-
|
456
|
+
* Keep part when scope option has value.
|
653
457
|
|
654
|
-
|
655
|
-
|
458
|
+
When a route was defined within an optional scope, if that route didn't
|
459
|
+
take parameters the scope was lost when using path helpers. This commit
|
460
|
+
ensures scope is kept both when the route takes parameters or when it
|
461
|
+
doesn't.
|
656
462
|
|
657
|
-
Fixes #
|
463
|
+
Fixes #33219.
|
658
464
|
|
659
|
-
*
|
465
|
+
*Alberto Almagro*
|
660
466
|
|
661
|
-
*
|
662
|
-
we need to check if we're not inside a nested scope before copying the :path
|
663
|
-
and :as options to their shallow equivalents.
|
467
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
664
468
|
|
665
|
-
|
469
|
+
*Gustavo Gutierrez*
|
666
470
|
|
667
|
-
|
471
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
472
|
+
an enumerator for the parameters instead of the underlying hash.
|
668
473
|
|
669
|
-
*
|
670
|
-
`log_warning_on_csrf_failure` configuration setting in
|
671
|
-
`ActionController::RequestForgeryProtection`.
|
474
|
+
*Eugene Kenny*
|
672
475
|
|
673
|
-
|
476
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
477
|
+
It should only block invalid key's values instead.
|
674
478
|
|
675
|
-
*
|
676
|
-
`default_url_options` methods.
|
479
|
+
*Stan Lo*
|
677
480
|
|
678
|
-
*Tony Wooster*
|
679
481
|
|
680
|
-
Please check [
|
482
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|