actionpack 4.2.8 → 5.2.4.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +285 -444
- data/MIT-LICENSE +1 -1
- data/README.rdoc +6 -7
- data/lib/abstract_controller.rb +12 -5
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +45 -49
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +78 -15
- data/lib/abstract_controller/callbacks.rb +47 -31
- data/lib/abstract_controller/collector.rb +8 -11
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +25 -25
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +4 -2
- data/lib/abstract_controller/rendering.rb +42 -41
- data/lib/abstract_controller/translation.rb +10 -7
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/action_controller.rb +29 -21
- data/lib/action_controller/api.rb +149 -0
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/base.rb +27 -19
- data/lib/action_controller/caching.rb +14 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +10 -15
- data/lib/action_controller/metal.rb +98 -83
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +118 -44
- data/lib/action_controller/metal/content_security_policy.rb +52 -0
- data/lib/action_controller/metal/cookies.rb +3 -3
- data/lib/action_controller/metal/data_streaming.rb +27 -46
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +20 -13
- data/lib/action_controller/metal/exceptions.rb +8 -14
- data/lib/action_controller/metal/flash.rb +4 -3
- data/lib/action_controller/metal/force_ssl.rb +23 -21
- data/lib/action_controller/metal/head.rb +21 -19
- data/lib/action_controller/metal/helpers.rb +24 -14
- data/lib/action_controller/metal/http_authentication.rb +64 -57
- data/lib/action_controller/metal/implicit_render.rb +62 -8
- data/lib/action_controller/metal/instrumentation.rb +19 -21
- data/lib/action_controller/metal/live.rb +90 -106
- data/lib/action_controller/metal/mime_responds.rb +33 -46
- data/lib/action_controller/metal/parameter_encoding.rb +51 -0
- data/lib/action_controller/metal/params_wrapper.rb +61 -53
- data/lib/action_controller/metal/redirecting.rb +49 -28
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +72 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +203 -92
- data/lib/action_controller/metal/rescue.rb +9 -16
- data/lib/action_controller/metal/streaming.rb +12 -10
- data/lib/action_controller/metal/strong_parameters.rb +582 -165
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +2 -0
- data/lib/action_controller/renderer.rb +117 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +280 -411
- data/lib/action_dispatch.rb +27 -19
- data/lib/action_dispatch/http/cache.rb +93 -47
- data/lib/action_dispatch/http/content_security_policy.rb +272 -0
- data/lib/action_dispatch/http/filter_parameters.rb +26 -20
- data/lib/action_dispatch/http/filter_redirect.rb +10 -11
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +60 -41
- data/lib/action_dispatch/http/mime_type.rb +134 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameter_filter.rb +25 -11
- data/lib/action_dispatch/http/parameters.rb +98 -39
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +200 -118
- data/lib/action_dispatch/http/response.rb +225 -110
- data/lib/action_dispatch/http/upload.rb +12 -6
- data/lib/action_dispatch/http/url.rb +110 -28
- data/lib/action_dispatch/journey.rb +7 -5
- data/lib/action_dispatch/journey/formatter.rb +55 -32
- data/lib/action_dispatch/journey/gtg/builder.rb +7 -5
- data/lib/action_dispatch/journey/gtg/simulator.rb +3 -9
- data/lib/action_dispatch/journey/gtg/transition_table.rb +17 -16
- data/lib/action_dispatch/journey/nfa/builder.rb +5 -3
- data/lib/action_dispatch/journey/nfa/dot.rb +13 -13
- data/lib/action_dispatch/journey/nfa/simulator.rb +3 -1
- data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -48
- data/lib/action_dispatch/journey/nodes/node.rb +18 -6
- data/lib/action_dispatch/journey/parser.rb +23 -22
- data/lib/action_dispatch/journey/parser.y +3 -2
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +50 -44
- data/lib/action_dispatch/journey/route.rb +106 -28
- data/lib/action_dispatch/journey/router.rb +35 -23
- data/lib/action_dispatch/journey/router/utils.rb +20 -11
- data/lib/action_dispatch/journey/routes.rb +18 -16
- data/lib/action_dispatch/journey/scanner.rb +18 -15
- data/lib/action_dispatch/journey/visitors.rb +99 -52
- data/lib/action_dispatch/middleware/callbacks.rb +1 -2
- data/lib/action_dispatch/middleware/cookies.rb +304 -193
- data/lib/action_dispatch/middleware/debug_exceptions.rb +152 -57
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +68 -69
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/public_exceptions.rb +27 -25
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +41 -31
- data/lib/action_dispatch/middleware/request_id.rb +17 -9
- data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -25
- data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
- data/lib/action_dispatch/middleware/session/cookie_store.rb +72 -67
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +26 -22
- data/lib/action_dispatch/middleware/ssl.rb +114 -36
- data/lib/action_dispatch/middleware/stack.rb +31 -44
- data/lib/action_dispatch/middleware/static.rb +57 -50
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +2 -14
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +1 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +64 -64
- data/lib/action_dispatch/railtie.rb +19 -11
- data/lib/action_dispatch/request/session.rb +106 -59
- data/lib/action_dispatch/request/utils.rb +67 -24
- data/lib/action_dispatch/routing.rb +17 -18
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +58 -67
- data/lib/action_dispatch/routing/mapper.rb +734 -447
- data/lib/action_dispatch/routing/polymorphic_routes.rb +161 -139
- data/lib/action_dispatch/routing/redirection.rb +36 -26
- data/lib/action_dispatch/routing/route_set.rb +321 -291
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +65 -25
- data/lib/action_dispatch/system_test_case.rb +147 -0
- data/lib/action_dispatch/system_testing/browser.rb +49 -0
- data/lib/action_dispatch/system_testing/driver.rb +59 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +96 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +26 -0
- data/lib/action_dispatch/testing/assertion_response.rb +47 -0
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/assertions/response.rb +45 -20
- data/lib/action_dispatch/testing/assertions/routing.rb +30 -26
- data/lib/action_dispatch/testing/integration.rb +347 -209
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +28 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +35 -7
- data/lib/action_pack.rb +4 -2
- data/lib/action_pack/gem_version.rb +5 -3
- data/lib/action_pack/version.rb +3 -1
- metadata +56 -39
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: a770f49aab7d65db1ffb6e76c8810ab85e6d38deb551f2907f3e82b344ec1d1f
|
4
|
+
data.tar.gz: b930fa5de60ed01197bf87464fc21547fea61a3ecdb9765afd208fc79ea1ca49
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 06134db053fcfb4cdbdcfff76e890022b02ebadcb66c5181c428647170c5a8560c496a7da84c4307b77362f0ee566ea0f214d46711595d274b20722adc49c02d
|
7
|
+
data.tar.gz: 62e1cb34ba5c5a5bb40cdccf8102e4eef74da0537e579254f5e16692013764db13cc5c23b27025b5d08f1445fa45c82cf2221df067755bd2e48ed78cbf44133e
|
data/CHANGELOG.md
CHANGED
@@ -1,631 +1,472 @@
|
|
1
|
-
## Rails
|
2
|
-
|
3
|
-
* No changes.
|
1
|
+
## Rails 5.2.4.1 (December 18, 2019) ##
|
4
2
|
|
3
|
+
* Fix possible information leak / session hijacking vulnerability.
|
5
4
|
|
6
|
-
|
5
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
6
|
+
gem dalli to be updated as well.
|
7
7
|
|
8
|
-
|
8
|
+
CVE-2019-16782.
|
9
9
|
|
10
10
|
|
11
|
-
## Rails
|
11
|
+
## Rails 5.2.4 (November 27, 2019) ##
|
12
12
|
|
13
13
|
* No changes.
|
14
14
|
|
15
15
|
|
16
|
-
## Rails
|
17
|
-
|
18
|
-
* Do not allow render with unpermitted parameter.
|
19
|
-
|
20
|
-
Fixes CVE-2016-2098.
|
21
|
-
|
22
|
-
*Arthur Neves*
|
23
|
-
|
24
|
-
|
25
|
-
## Rails 4.2.5.1 (January 25, 2015) ##
|
26
|
-
|
27
|
-
* No changes.
|
28
|
-
|
16
|
+
## Rails 5.2.3 (March 27, 2019) ##
|
29
17
|
|
30
|
-
|
18
|
+
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
31
19
|
|
32
|
-
|
33
|
-
|
20
|
+
Before this change, even if `public` was specified in the Cache Control header,
|
21
|
+
it was excluded when `no-cache` was included. This change preserves the
|
22
|
+
`public` value as is.
|
34
23
|
|
35
|
-
|
24
|
+
Fixes #34780.
|
36
25
|
|
37
|
-
*
|
26
|
+
*Yuji Yaginuma*
|
38
27
|
|
39
|
-
|
28
|
+
* Allow `nil` params for `ActionController::TestCase`.
|
40
29
|
|
41
|
-
*
|
42
|
-
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
43
|
-
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
30
|
+
*Ryo Nakamura*
|
44
31
|
|
45
|
-
Fixes #20920. Fixes #21459.
|
46
32
|
|
47
|
-
|
48
|
-
|
49
|
-
* `url_for` does not modify its arguments when generating polymorphic URLs.
|
50
|
-
|
51
|
-
*Bernerd Schaefer*
|
52
|
-
|
53
|
-
* Update `ActionController::TestSession#fetch` to behave more like
|
54
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
55
|
-
|
56
|
-
*Jeremy Friesen*
|
33
|
+
## Rails 5.2.2.1 (March 11, 2019) ##
|
57
34
|
|
35
|
+
* No changes.
|
58
36
|
|
59
|
-
## Rails 4.2.4 (August 24, 2015) ##
|
60
37
|
|
61
|
-
|
62
|
-
a block for generating a default value based off the key provided.
|
38
|
+
## Rails 5.2.2 (December 04, 2018) ##
|
63
39
|
|
64
|
-
|
65
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
66
|
-
number of arguments (2 for 1)` when performing controller tests.
|
40
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
67
41
|
|
68
|
-
|
42
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
43
|
+
in system test `after_teardown`.
|
69
44
|
|
70
|
-
*
|
45
|
+
*Maxim Perepelitsa*
|
71
46
|
|
72
|
-
|
73
|
-
So some headers will be broken if there are some middlewares
|
74
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
47
|
+
* Use request object for context if there's no controller
|
75
48
|
|
76
|
-
|
49
|
+
There is no controller instance when using a redirect route or a
|
50
|
+
mounted rack application so pass the request object as the context
|
51
|
+
when resolving dynamic CSP sources in this scenario.
|
77
52
|
|
53
|
+
Fixes #34200.
|
78
54
|
|
79
|
-
|
55
|
+
*Andrew White*
|
80
56
|
|
81
|
-
*
|
82
|
-
nesting multiple routes.
|
57
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
83
58
|
|
84
|
-
|
59
|
+
Previously if a dynamic source returned a symbol such as :self it
|
60
|
+
would be converted to a string implicity, e.g:
|
85
61
|
|
86
|
-
|
62
|
+
policy.default_src -> { :self }
|
87
63
|
|
88
|
-
|
89
|
-
even when it was a 304 status code.
|
64
|
+
would generate the header:
|
90
65
|
|
91
|
-
|
66
|
+
Content-Security-Policy: default-src self
|
92
67
|
|
93
|
-
|
68
|
+
and now it generates:
|
94
69
|
|
95
|
-
|
70
|
+
Content-Security-Policy: default-src 'self'
|
96
71
|
|
97
|
-
|
98
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
99
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
72
|
+
*Andrew White*
|
100
73
|
|
101
|
-
|
74
|
+
* Fix `rails routes -c` for controller name consists of multiple word.
|
102
75
|
|
103
|
-
*
|
76
|
+
*Yoshiyuki Kinjo*
|
104
77
|
|
105
|
-
|
106
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
107
|
-
is set, it takes precedence.
|
78
|
+
* Call the `#redirect_to` block in controller context.
|
108
79
|
|
109
|
-
|
80
|
+
*Steven Peckins*
|
110
81
|
|
111
|
-
*Yasyf Mohamedali*
|
112
82
|
|
113
|
-
|
114
|
-
assigned.
|
83
|
+
## Rails 5.2.1.1 (November 27, 2018) ##
|
115
84
|
|
116
|
-
|
85
|
+
* No changes.
|
117
86
|
|
118
|
-
*Jeremy Kemper*, *Yves Senn*
|
119
87
|
|
88
|
+
## Rails 5.2.1 (August 07, 2018) ##
|
120
89
|
|
121
|
-
|
90
|
+
* Prevent `?null=` being passed on JSON encoded test requests.
|
122
91
|
|
123
|
-
|
92
|
+
`RequestEncoder#encode_params` won't attempt to parse params if
|
93
|
+
there are none.
|
124
94
|
|
95
|
+
So call like this will no longer append a `?null=` query param.
|
125
96
|
|
126
|
-
|
97
|
+
get foos_url, as: :json
|
127
98
|
|
128
|
-
*
|
129
|
-
the masked token.
|
99
|
+
*Alireza Bashiri*
|
130
100
|
|
131
|
-
|
101
|
+
* Ensure `ActionController::Parameters#transform_values` and
|
102
|
+
`ActionController::Parameters#transform_values!` converts hashes into
|
103
|
+
parameters.
|
132
104
|
|
133
|
-
*
|
105
|
+
*Kevin Sjöberg*
|
134
106
|
|
135
|
-
|
136
|
-
request causing an incorrect behavior during the fall back to GET requests.
|
107
|
+
* Fix strong parameters `permit!` with nested arrays.
|
137
108
|
|
138
|
-
|
139
|
-
```
|
140
|
-
|
141
|
-
|
142
|
-
mount rack_app, at: '/'
|
143
|
-
end
|
144
|
-
head '/home'
|
145
|
-
assert_response :success
|
109
|
+
Given:
|
110
|
+
```
|
111
|
+
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
112
|
+
params.permit!
|
146
113
|
```
|
147
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
148
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
149
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
150
|
-
|
151
|
-
*Terence Sun*
|
152
|
-
|
153
|
-
* Preserve default format when generating URLs
|
154
|
-
|
155
|
-
Fixes an issue that would cause the format set in default_url_options to be
|
156
|
-
lost when generating URLs with fewer positional arguments than parameters in
|
157
|
-
the route definition.
|
158
|
-
|
159
|
-
Backport of #18627
|
160
|
-
|
161
|
-
*Tekin Suleyman*, *Dominic Baggott*
|
162
|
-
|
163
|
-
* Default headers, removed in controller actions, are no longer reapplied on
|
164
|
-
the test response.
|
165
|
-
|
166
|
-
*Jonas Baumann*
|
167
|
-
|
168
|
-
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
169
|
-
|
170
|
-
Fixes an issue where when an exception is raised in the request the additonal
|
171
|
-
payload data is not available.
|
172
|
-
|
173
|
-
See:
|
174
|
-
* #14903
|
175
|
-
* https://github.com/roidrage/lograge/issues/37
|
176
|
-
|
177
|
-
*Dieter Komendera*, *Margus Pärt*
|
178
|
-
|
179
|
-
* Correctly rely on the response's status code to handle calls to `head`.
|
180
|
-
|
181
|
-
*Robin Dupret*
|
182
|
-
|
183
|
-
* Using `head` method returns empty response_body instead
|
184
|
-
of returning a single space " ".
|
185
|
-
|
186
|
-
The old behavior was added as a workaround for a bug in an early
|
187
|
-
version of Safari, where the HTTP headers are not returned correctly
|
188
|
-
if the response body has a 0-length. This is been fixed since and
|
189
|
-
the workaround is no longer necessary.
|
190
|
-
|
191
|
-
Fixes #18253.
|
192
|
-
|
193
|
-
*Prathamesh Sonpatki*
|
194
|
-
|
195
|
-
* Fix how polymorphic routes works with objects that implement `to_model`.
|
196
|
-
|
197
|
-
*Travis Grathwell*
|
198
|
-
|
199
|
-
* Fixed handling of positional url helper arguments when `format: false`.
|
200
|
-
|
201
|
-
Fixes #17819.
|
202
|
-
|
203
|
-
*Andrew White*, *Tatiana Soukiassian*
|
204
|
-
|
205
|
-
* Fixed usage of optional scopes in URL helpers.
|
206
|
-
|
207
|
-
*Alex Robbin*
|
208
|
-
|
209
|
-
|
210
|
-
## Rails 4.2.0 (December 20, 2014) ##
|
211
|
-
|
212
|
-
* Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
|
213
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
214
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
215
|
-
object in Rails 5.0.
|
216
|
-
|
217
|
-
*Prem Sichanugrist*
|
218
|
-
|
219
|
-
* Restore handling of a bare `Authorization` header, without `token=`
|
220
|
-
prefix.
|
221
|
-
|
222
|
-
Fixes #17108.
|
223
|
-
|
224
|
-
*Guo Xiang Tan*
|
225
|
-
|
226
|
-
* Deprecate use of string keys in URL helpers.
|
227
|
-
|
228
|
-
Use symbols instead.
|
229
|
-
Fixes #16958.
|
230
|
-
|
231
|
-
*Byron Bischoff*, *Melanie Gilman*
|
232
|
-
|
233
|
-
* Deprecate the `only_path` option on `*_path` helpers.
|
234
|
-
|
235
|
-
In cases where this option is set to `true`, the option is redundant and can
|
236
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
237
|
-
used instead.
|
238
|
-
|
239
|
-
Fixes #17294.
|
240
|
-
|
241
|
-
*Dan Olson*, *Godfrey Chan*
|
242
|
-
|
243
|
-
* Improve Journey compliance to RFC 3986.
|
244
|
-
|
245
|
-
The scanner in Journey failed to recognize routes that use literals
|
246
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
247
|
-
authorized delimiters and route as expected.
|
248
|
-
|
249
|
-
Fixes #17212.
|
250
|
-
|
251
|
-
*Nicolas Cavigneaux*
|
252
|
-
|
253
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
254
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
255
|
-
|
256
|
-
status, headers, body = response
|
257
|
-
|
258
|
-
But it also means `response + response` works and `[response].flatten`
|
259
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
260
|
-
explicit conversion and splatting with `#to_a`:
|
261
|
-
|
262
|
-
status, header, body = *response
|
263
|
-
|
264
|
-
*Jeremy Kemper*
|
265
|
-
|
266
|
-
* Don't rescue `IPAddr::InvalidAddressError`.
|
267
|
-
|
268
|
-
`IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
|
269
|
-
and fails for JRuby in 1.9 mode.
|
270
|
-
|
271
|
-
*Peter Suschlik*
|
272
|
-
|
273
|
-
* Fix bug where the router would ignore any constraints added to redirect
|
274
|
-
routes.
|
275
|
-
|
276
|
-
Fixes #16605.
|
277
|
-
|
278
|
-
*Agis Anastasopoulos*
|
279
114
|
|
280
|
-
|
115
|
+
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
281
116
|
|
282
|
-
|
117
|
+
*Steve Hull*
|
283
118
|
|
284
|
-
|
285
|
-
|
119
|
+
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
120
|
+
`ActionController::TestCase` subclasses.
|
286
121
|
|
287
|
-
*
|
122
|
+
*Eugene Kenny*
|
288
123
|
|
289
|
-
*
|
124
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
290
125
|
|
291
|
-
|
292
|
-
HEAD routes. If no match is found, we will then map the HEAD request to
|
293
|
-
GET routes.
|
126
|
+
Fixes #32597.
|
294
127
|
|
295
|
-
*
|
128
|
+
*Andrey Novikov*, *Andrew White*
|
296
129
|
|
297
|
-
*
|
298
|
-
of gzipped assets on disk. By default a gzip asset will be served if
|
299
|
-
the client supports gzip and a compressed file is on disk.
|
130
|
+
* Only disable GPUs for headless Chrome on Windows.
|
300
131
|
|
301
|
-
|
132
|
+
It is not necessary anymore for Linux and macOS machines.
|
302
133
|
|
303
|
-
|
304
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
305
|
-
that is not available on `ActionController::Parameters` you should consider
|
306
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
134
|
+
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
307
135
|
|
308
|
-
*
|
136
|
+
*Stefan Wrobel*
|
309
137
|
|
310
|
-
*
|
311
|
-
keys removed. This change is to reflect on a security concern where some
|
312
|
-
method performed on an `ActionController::Parameters` may yield a `Hash`
|
313
|
-
object which does not maintain `permitted?` status. If you would like to
|
314
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
315
|
-
before calling `#to_h`.
|
138
|
+
* Fix system tests transactions not closed between examples.
|
316
139
|
|
317
|
-
|
318
|
-
name: 'Senjougahara Hitagi',
|
319
|
-
oddity: 'Heavy stone crab'
|
320
|
-
})
|
321
|
-
params.to_h
|
322
|
-
# => {}
|
140
|
+
*Sergey Tarasov*
|
323
141
|
|
324
|
-
unsafe_params = params.dup.permit!
|
325
|
-
unsafe_params.to_h
|
326
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
327
142
|
|
328
|
-
|
329
|
-
safe_params.to_h
|
330
|
-
# => {"name"=>"Senjougahara Hitagi"}
|
143
|
+
## Rails 5.2.0 (April 09, 2018) ##
|
331
144
|
|
332
|
-
|
333
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
334
|
-
in the next minor release.
|
145
|
+
* Check exclude before flagging cookies as secure.
|
335
146
|
|
336
|
-
*
|
147
|
+
*Catherine Khuu*
|
337
148
|
|
338
|
-
*
|
149
|
+
* Always yield a CSP policy instance from `content_security_policy`
|
339
150
|
|
340
|
-
|
151
|
+
This allows a controller action to enable the policy individually
|
152
|
+
for a controller and/or specific actions.
|
341
153
|
|
342
|
-
*
|
343
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
344
|
-
cookies by defining the `#as_json` hook on such objects.
|
154
|
+
*Andrew White*
|
345
155
|
|
346
|
-
|
156
|
+
* Add the ability to disable the global CSP in a controller, e.g:
|
347
157
|
|
348
|
-
|
158
|
+
class LegacyPagesController < ApplicationController
|
159
|
+
content_security_policy false, only: :index
|
160
|
+
end
|
349
161
|
|
350
|
-
*
|
351
|
-
digest. The default remains the same - 'SHA1'.
|
162
|
+
*Andrew White*
|
352
163
|
|
353
|
-
|
164
|
+
* Add alias method `to_hash` to `to_h` for `cookies`.
|
165
|
+
Add alias method `to_h` to `to_hash` for `session`.
|
354
166
|
|
355
|
-
*
|
356
|
-
the `responders` gem.
|
167
|
+
*Igor Kasyanchuk*
|
357
168
|
|
358
|
-
|
169
|
+
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
170
|
+
to meet the minimum max-age requirement for https://hstspreload.org/.
|
359
171
|
|
360
|
-
*
|
172
|
+
*Grant Bourque*
|
361
173
|
|
362
|
-
|
363
|
-
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
|
364
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
365
|
-
This makes it easy to HTTP-cache many more of your actions.
|
174
|
+
* Add support for automatic nonce generation for Rails UJS.
|
366
175
|
|
367
|
-
|
368
|
-
|
176
|
+
Because the UJS library creates a script tag to process responses it
|
177
|
+
normally requires the script-src attribute of the content security
|
178
|
+
policy to include 'unsafe-inline'.
|
369
179
|
|
370
|
-
|
180
|
+
To work around this we generate a per-request nonce value that is
|
181
|
+
embedded in a meta tag in a similar fashion to how CSRF protection
|
182
|
+
embeds its token in a meta tag. The UJS library can then read the
|
183
|
+
nonce value and set it on the dynamically generated script tag to
|
184
|
+
enable it to execute without needing 'unsafe-inline' enabled.
|
371
185
|
|
372
|
-
|
186
|
+
Nonce generation isn't 100% safe - if your script tag is including
|
187
|
+
user generated content in someway then it may be possible to exploit
|
188
|
+
an XSS vulnerability which can take advantage of the nonce. It is
|
189
|
+
however an improvement on a blanket permission for inline scripts.
|
373
190
|
|
374
|
-
|
191
|
+
It is also possible to use the nonce within your own script tags by
|
192
|
+
using `nonce: true` to set the nonce value on the tag, e.g
|
375
193
|
|
376
|
-
|
194
|
+
<%= javascript_tag nonce: true do %>
|
195
|
+
alert('Hello, World!');
|
196
|
+
<% end %>
|
377
197
|
|
378
|
-
|
379
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
198
|
+
Fixes #31689.
|
380
199
|
|
381
|
-
*
|
200
|
+
*Andrew White*
|
382
201
|
|
383
|
-
*
|
202
|
+
* Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
|
384
203
|
|
385
|
-
|
204
|
+
Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
|
386
205
|
|
387
|
-
|
388
|
-
|
206
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
207
|
+
def index
|
208
|
+
params.each do |name|
|
209
|
+
puts name
|
210
|
+
end
|
211
|
+
end
|
389
212
|
|
390
|
-
|
213
|
+
# Prints
|
214
|
+
# param
|
215
|
+
# param_two
|
391
216
|
|
392
|
-
|
393
|
-
loopback address.
|
217
|
+
In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
|
394
218
|
|
395
|
-
|
219
|
+
To fix the code above simply change as per example below:
|
396
220
|
|
397
|
-
|
398
|
-
|
221
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
222
|
+
def index
|
223
|
+
params.each do |name, value|
|
224
|
+
puts name
|
225
|
+
end
|
226
|
+
end
|
399
227
|
|
400
|
-
|
401
|
-
|
402
|
-
|
403
|
-
available to any custom exceptions_app. The original `PATH_INFO` is now
|
404
|
-
stashed in `env["action_dispatch.original_path"]`.
|
228
|
+
# Prints
|
229
|
+
# param
|
230
|
+
# param_two
|
405
231
|
|
406
|
-
*
|
232
|
+
*Dominic Cleal*
|
407
233
|
|
408
|
-
*
|
409
|
-
overflow.
|
234
|
+
* Add `Referrer-Policy` header to default headers set.
|
410
235
|
|
411
|
-
*
|
236
|
+
*Guillermo Iguaran*
|
412
237
|
|
413
|
-
*
|
414
|
-
|
238
|
+
* Changed the system tests to set Puma as default server only when the
|
239
|
+
user haven't specified manually another server.
|
415
240
|
|
416
|
-
|
417
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
418
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
419
|
-
longer necessary.
|
241
|
+
*Guillermo Iguaran*
|
420
242
|
|
421
|
-
|
243
|
+
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
|
244
|
+
default headers set.
|
422
245
|
|
423
|
-
|
246
|
+
*Guillermo Iguaran*
|
424
247
|
|
425
|
-
|
248
|
+
* Add headless firefox support to System Tests.
|
426
249
|
|
427
|
-
*
|
428
|
-
("Rosetta Flash").
|
250
|
+
*bogdanvlviv*
|
429
251
|
|
430
|
-
|
252
|
+
* Changed the default system test screenshot output from `inline` to `simple`.
|
431
253
|
|
432
|
-
|
433
|
-
the
|
434
|
-
|
435
|
-
|
254
|
+
`inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
|
255
|
+
Terminal.app ignore the `inline` and output the path to the file since it can't
|
256
|
+
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
257
|
+
inline, but also don't handle it gracefully and instead of outputting the file
|
258
|
+
path, it dumps binary into the terminal.
|
436
259
|
|
437
|
-
|
260
|
+
Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
|
438
261
|
|
439
|
-
*
|
262
|
+
*Eileen M. Uchitelle*
|
440
263
|
|
441
|
-
*
|
264
|
+
* Register most popular audio/video/font mime types supported by modern browsers.
|
442
265
|
|
443
|
-
|
266
|
+
*Guillermo Iguaran*
|
444
267
|
|
445
|
-
|
268
|
+
* Fix optimized url helpers when using relative url root.
|
446
269
|
|
447
|
-
|
448
|
-
when rendering through a `respond_to` block.
|
270
|
+
Fixes #31220.
|
449
271
|
|
450
|
-
|
272
|
+
*Andrew White*
|
451
273
|
|
452
|
-
|
274
|
+
* Add DSL for configuring Content-Security-Policy header.
|
453
275
|
|
454
|
-
|
455
|
-
|
456
|
-
|
276
|
+
The DSL allows you to configure a global Content-Security-Policy
|
277
|
+
header and then override within a controller. For more information
|
278
|
+
about the Content-Security-Policy header see MDN:
|
457
279
|
|
458
|
-
|
280
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
459
281
|
|
460
|
-
|
282
|
+
Example global policy:
|
461
283
|
|
462
|
-
|
284
|
+
# config/initializers/content_security_policy.rb
|
285
|
+
Rails.application.config.content_security_policy do |p|
|
286
|
+
p.default_src :self, :https
|
287
|
+
p.font_src :self, :https, :data
|
288
|
+
p.img_src :self, :https, :data
|
289
|
+
p.object_src :none
|
290
|
+
p.script_src :self, :https
|
291
|
+
p.style_src :self, :https, :unsafe_inline
|
292
|
+
end
|
463
293
|
|
464
|
-
|
294
|
+
Example controller overrides:
|
465
295
|
|
466
|
-
|
296
|
+
# Override policy inline
|
297
|
+
class PostsController < ApplicationController
|
298
|
+
content_security_policy do |p|
|
299
|
+
p.upgrade_insecure_requests true
|
300
|
+
end
|
301
|
+
end
|
467
302
|
|
468
|
-
|
303
|
+
# Using literal values
|
304
|
+
class PostsController < ApplicationController
|
305
|
+
content_security_policy do |p|
|
306
|
+
p.base_uri "https://www.example.com"
|
307
|
+
end
|
308
|
+
end
|
469
309
|
|
470
|
-
|
310
|
+
# Using mixed static and dynamic values
|
311
|
+
class PostsController < ApplicationController
|
312
|
+
content_security_policy do |p|
|
313
|
+
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
314
|
+
end
|
315
|
+
end
|
471
316
|
|
472
|
-
|
473
|
-
|
317
|
+
Allows you to also only report content violations for migrating
|
318
|
+
legacy content using the `content_security_policy_report_only`
|
319
|
+
configuration attribute, e.g;
|
474
320
|
|
475
|
-
|
321
|
+
# config/initializers/content_security_policy.rb
|
322
|
+
Rails.application.config.content_security_policy_report_only = true
|
476
323
|
|
477
|
-
|
324
|
+
# controller override
|
325
|
+
class PostsController < ApplicationController
|
326
|
+
content_security_policy_report_only only: :index
|
327
|
+
end
|
478
328
|
|
479
|
-
|
480
|
-
|
329
|
+
Note that this feature does not validate the header for performance
|
330
|
+
reasons since the header is calculated at runtime.
|
481
331
|
|
482
|
-
*
|
332
|
+
*Andrew White*
|
483
333
|
|
484
|
-
*
|
485
|
-
application. Use of a symbol should be replaced with `action: symbol`.
|
486
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
334
|
+
* Make `assert_recognizes` to traverse mounted engines.
|
487
335
|
|
488
|
-
*
|
336
|
+
*Yuichiro Kaneko*
|
489
337
|
|
490
|
-
*
|
491
|
-
a trailing slash after `.:format`
|
338
|
+
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
492
339
|
|
493
|
-
*
|
340
|
+
*Rafael Mendonça França*
|
494
341
|
|
495
|
-
*
|
496
|
-
performance reasons. One consequence of this is that the leading slash
|
497
|
-
is now required in integration test `process` helpers, whereas previously
|
498
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
499
|
-
of the implementation and was never an intentional feature.
|
342
|
+
* Add `:allow_other_host` option to `redirect_back` method.
|
500
343
|
|
501
|
-
|
344
|
+
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
345
|
+
different host. `allow_other_host` is `true` by default.
|
502
346
|
|
503
|
-
*
|
504
|
-
called 'status' in a controller.
|
347
|
+
*Tim Masliuchenko*
|
505
348
|
|
506
|
-
|
349
|
+
* Add headless chrome support to System Tests.
|
507
350
|
|
508
|
-
*
|
351
|
+
*Yuji Yaginuma*
|
509
352
|
|
510
|
-
* Add
|
353
|
+
* Add ability to enable Early Hints for HTTP/2
|
511
354
|
|
512
|
-
|
355
|
+
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
513
356
|
|
514
|
-
|
357
|
+
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
515
358
|
|
516
|
-
|
517
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
518
|
-
e.g. the fragment cache hit rates for each controller action.
|
359
|
+
*Eileen M. Uchitelle*, *Aaron Patterson*
|
519
360
|
|
520
|
-
|
361
|
+
* Simplify cookies middleware with key rotation support
|
521
362
|
|
522
|
-
|
363
|
+
Use the `rotate` method for both `MessageEncryptor` and
|
364
|
+
`MessageVerifier` to add key rotation support for encrypted and
|
365
|
+
signed cookies. This also helps simplify support for legacy cookie
|
366
|
+
security.
|
523
367
|
|
524
|
-
|
368
|
+
*Michael J Coyne*
|
525
369
|
|
526
|
-
|
370
|
+
* Use Capybara registered `:puma` server config.
|
527
371
|
|
528
|
-
|
529
|
-
and
|
372
|
+
The Capybara registered `:puma` server ensures the puma server is run in process so
|
373
|
+
connection sharing and open request detection work correctly by default.
|
530
374
|
|
531
|
-
|
375
|
+
*Thomas Walpole*
|
532
376
|
|
533
|
-
|
377
|
+
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
534
378
|
|
535
|
-
|
536
|
-
|
537
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
538
|
-
when setting up the routes.
|
379
|
+
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
380
|
+
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
539
381
|
|
540
|
-
|
382
|
+
Pull Request: #30121
|
541
383
|
|
542
|
-
*
|
543
|
-
purposes of remote IP detection. Also handle uppercase private IPv6
|
544
|
-
addresses.
|
384
|
+
*Assain Jaleel*
|
545
385
|
|
546
|
-
|
386
|
+
* Enforce signed/encrypted cookie expiry server side.
|
547
387
|
|
548
|
-
|
388
|
+
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
549
389
|
|
550
|
-
|
390
|
+
It does so by stashing the expiry within the written cookie and relying on the
|
391
|
+
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
392
|
+
server-side read, the expiry is verified and any expired cookie is discarded.
|
551
393
|
|
552
|
-
|
553
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
554
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
394
|
+
Pull Request: #30121
|
555
395
|
|
556
|
-
|
557
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
396
|
+
*Assain Jaleel*
|
558
397
|
|
559
|
-
|
398
|
+
* Make `take_failed_screenshot` work within engine.
|
560
399
|
|
561
|
-
|
400
|
+
Fixes #30405.
|
562
401
|
|
563
|
-
*
|
402
|
+
*Yuji Yaginuma*
|
564
403
|
|
565
|
-
|
566
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
567
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
568
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
404
|
+
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
569
405
|
|
570
|
-
|
571
|
-
|
572
|
-
|
573
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
406
|
+
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
407
|
+
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
408
|
+
use the response helpers provided by `Rack::Response`.
|
574
409
|
|
575
|
-
|
410
|
+
*Trevor Wistaff*
|
576
411
|
|
577
|
-
|
412
|
+
* Protect from forgery by default
|
578
413
|
|
579
|
-
|
580
|
-
`
|
414
|
+
Rather than protecting from forgery in the generated `ApplicationController`,
|
415
|
+
add it to `ActionController::Base` depending on
|
416
|
+
`config.action_controller.default_protect_from_forgery`. This configuration
|
417
|
+
defaults to false to support older versions which have removed it from their
|
418
|
+
`ApplicationController`, but is set to true for Rails 5.2.
|
581
419
|
|
582
|
-
*
|
420
|
+
*Lisa Ugray*
|
583
421
|
|
584
|
-
*
|
585
|
-
format block.
|
422
|
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
586
423
|
|
587
|
-
|
424
|
+
*Kir Shatrov*
|
588
425
|
|
589
|
-
|
426
|
+
* `driven_by` now registers poltergeist and capybara-webkit.
|
590
427
|
|
591
|
-
|
428
|
+
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
429
|
+
`driven_by` will register the driver and set additional options passed via
|
430
|
+
the `:options` parameter.
|
592
431
|
|
593
|
-
|
432
|
+
Refer to the respective driver's documentation to see what options can be passed.
|
594
433
|
|
595
|
-
*
|
434
|
+
*Mario Chavez*
|
596
435
|
|
597
|
-
|
436
|
+
* AEAD encrypted cookies and sessions with GCM.
|
598
437
|
|
599
|
-
|
438
|
+
Encrypted cookies now use AES-GCM which couples authentication and
|
439
|
+
encryption in one faster step and produces shorter ciphertexts. Cookies
|
440
|
+
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
441
|
+
this new mode is enabled via the
|
442
|
+
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
600
443
|
|
601
|
-
*
|
444
|
+
*Michael J Coyne*
|
602
445
|
|
603
|
-
|
446
|
+
* Change the cache key format for fragments to make it easier to debug key churn. The new format is:
|
604
447
|
|
605
|
-
|
606
|
-
|
448
|
+
views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
|
449
|
+
^template path ^template tree digest ^class ^id
|
607
450
|
|
608
|
-
|
451
|
+
*DHH*
|
609
452
|
|
610
|
-
|
453
|
+
* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
|
454
|
+
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
455
|
+
to support it.
|
611
456
|
|
612
|
-
*
|
613
|
-
we need to check if we're not inside a nested scope before copying the :path
|
614
|
-
and :as options to their shallow equivalents.
|
457
|
+
*DHH*
|
615
458
|
|
616
|
-
|
459
|
+
* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
|
617
460
|
|
618
|
-
|
461
|
+
`ActionController::Base` and `ActionController::API` have differing implementations. This means that
|
462
|
+
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
463
|
+
may not exist in a certain implementation.
|
619
464
|
|
620
|
-
|
621
|
-
`log_warning_on_csrf_failure` configuration setting in
|
622
|
-
`ActionController::RequestForgeryProtection`.
|
465
|
+
This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
|
623
466
|
|
624
|
-
|
467
|
+
Fixes #27013.
|
625
468
|
|
626
|
-
*
|
627
|
-
`default_url_options` methods.
|
469
|
+
*Julian Nadeau*
|
628
470
|
|
629
|
-
*Tony Wooster*
|
630
471
|
|
631
|
-
Please check [
|
472
|
+
Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
|