actionpack 5.1.7 → 5.2.4.3
Potentially problematic release.
- checksums.yaml +4 -4
- data/CHANGELOG.md +282 -362
- data/MIT-LICENSE +1 -1
- data/README.rdoc +5 -5
- data/lib/abstract_controller.rb +3 -0
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +10 -2
- data/lib/abstract_controller/caching.rb +3 -2
- data/lib/abstract_controller/caching/fragments.rb +30 -7
- data/lib/abstract_controller/callbacks.rb +25 -3
- data/lib/abstract_controller/collector.rb +2 -0
- data/lib/abstract_controller/error.rb +2 -0
- data/lib/abstract_controller/helpers.rb +4 -5
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/rendering.rb +9 -16
- data/lib/abstract_controller/translation.rb +2 -0
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/action_controller.rb +3 -0
- data/lib/action_controller/api.rb +2 -0
- data/lib/action_controller/api/api_rendering.rb +2 -0
- data/lib/action_controller/base.rb +3 -0
- data/lib/action_controller/caching.rb +2 -0
- data/lib/action_controller/form_builder.rb +2 -0
- data/lib/action_controller/log_subscriber.rb +5 -3
- data/lib/action_controller/metal.rb +13 -14
- data/lib/action_controller/metal/basic_implicit_render.rb +2 -0
- data/lib/action_controller/metal/conditional_get.rb +4 -3
- data/lib/action_controller/metal/content_security_policy.rb +52 -0
- data/lib/action_controller/metal/cookies.rb +2 -0
- data/lib/action_controller/metal/data_streaming.rb +7 -5
- data/lib/action_controller/metal/etag_with_flash.rb +2 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +3 -2
- data/lib/action_controller/metal/exceptions.rb +2 -3
- data/lib/action_controller/metal/flash.rb +3 -2
- data/lib/action_controller/metal/force_ssl.rb +4 -2
- data/lib/action_controller/metal/head.rb +2 -0
- data/lib/action_controller/metal/helpers.rb +4 -3
- data/lib/action_controller/metal/http_authentication.rb +8 -9
- data/lib/action_controller/metal/implicit_render.rb +2 -0
- data/lib/action_controller/metal/instrumentation.rb +4 -6
- data/lib/action_controller/metal/live.rb +3 -1
- data/lib/action_controller/metal/mime_responds.rb +3 -1
- data/lib/action_controller/metal/parameter_encoding.rb +2 -0
- data/lib/action_controller/metal/params_wrapper.rb +14 -10
- data/lib/action_controller/metal/redirecting.rb +22 -11
- data/lib/action_controller/metal/renderers.rb +4 -3
- data/lib/action_controller/metal/rendering.rb +2 -2
- data/lib/action_controller/metal/request_forgery_protection.rb +62 -10
- data/lib/action_controller/metal/rescue.rb +5 -3
- data/lib/action_controller/metal/streaming.rb +3 -1
- data/lib/action_controller/metal/strong_parameters.rb +36 -25
- data/lib/action_controller/metal/testing.rb +2 -6
- data/lib/action_controller/metal/url_for.rb +2 -0
- data/lib/action_controller/railtie.rb +16 -4
- data/lib/action_controller/railties/helpers.rb +2 -0
- data/lib/action_controller/renderer.rb +2 -0
- data/lib/action_controller/template_assertions.rb +2 -0
- data/lib/action_controller/test_case.rb +16 -10
- data/lib/action_dispatch.rb +9 -5
- data/lib/action_dispatch/http/cache.rb +22 -14
- data/lib/action_dispatch/http/content_security_policy.rb +272 -0
- data/lib/action_dispatch/http/filter_parameters.rb +4 -2
- data/lib/action_dispatch/http/filter_redirect.rb +2 -0
- data/lib/action_dispatch/http/headers.rb +2 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +4 -8
- data/lib/action_dispatch/http/mime_type.rb +15 -13
- data/lib/action_dispatch/http/mime_types.rb +17 -2
- data/lib/action_dispatch/http/parameter_filter.rb +2 -0
- data/lib/action_dispatch/http/parameters.rb +6 -9
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +36 -16
- data/lib/action_dispatch/http/response.rb +11 -9
- data/lib/action_dispatch/http/upload.rb +2 -0
- data/lib/action_dispatch/http/url.rb +5 -6
- data/lib/action_dispatch/journey.rb +2 -0
- data/lib/action_dispatch/journey/formatter.rb +4 -2
- data/lib/action_dispatch/journey/gtg/builder.rb +2 -0
- data/lib/action_dispatch/journey/gtg/simulator.rb +2 -8
- data/lib/action_dispatch/journey/gtg/transition_table.rb +3 -2
- data/lib/action_dispatch/journey/nfa/builder.rb +2 -0
- data/lib/action_dispatch/journey/nfa/dot.rb +12 -10
- data/lib/action_dispatch/journey/nfa/simulator.rb +2 -0
- data/lib/action_dispatch/journey/nfa/transition_table.rb +2 -0
- data/lib/action_dispatch/journey/nodes/node.rb +2 -0
- data/lib/action_dispatch/journey/parser_extras.rb +2 -0
- data/lib/action_dispatch/journey/path/pattern.rb +4 -1
- data/lib/action_dispatch/journey/route.rb +15 -6
- data/lib/action_dispatch/journey/router.rb +3 -1
- data/lib/action_dispatch/journey/router/utils.rb +14 -7
- data/lib/action_dispatch/journey/routes.rb +3 -1
- data/lib/action_dispatch/journey/scanner.rb +1 -0
- data/lib/action_dispatch/journey/visitors.rb +5 -3
- data/lib/action_dispatch/middleware/callbacks.rb +2 -0
- data/lib/action_dispatch/middleware/cookies.rb +148 -91
- data/lib/action_dispatch/middleware/debug_exceptions.rb +4 -2
- data/lib/action_dispatch/middleware/debug_locks.rb +9 -7
- data/lib/action_dispatch/middleware/exception_wrapper.rb +5 -6
- data/lib/action_dispatch/middleware/executor.rb +2 -0
- data/lib/action_dispatch/middleware/flash.rb +4 -2
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -4
- data/lib/action_dispatch/middleware/reloader.rb +2 -0
- data/lib/action_dispatch/middleware/remote_ip.rb +7 -5
- data/lib/action_dispatch/middleware/request_id.rb +3 -1
- data/lib/action_dispatch/middleware/session/abstract_store.rb +17 -1
- data/lib/action_dispatch/middleware/session/cache_store.rb +13 -6
- data/lib/action_dispatch/middleware/session/cookie_store.rb +31 -32
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +2 -0
- data/lib/action_dispatch/middleware/show_exceptions.rb +3 -1
- data/lib/action_dispatch/middleware/ssl.rb +44 -38
- data/lib/action_dispatch/middleware/stack.rb +4 -2
- data/lib/action_dispatch/middleware/static.rb +14 -12
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +1 -0
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +6 -2
- data/lib/action_dispatch/railtie.rb +11 -1
- data/lib/action_dispatch/request/session.rb +16 -5
- data/lib/action_dispatch/request/utils.rb +6 -4
- data/lib/action_dispatch/routing.rb +3 -1
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +6 -4
- data/lib/action_dispatch/routing/mapper.rb +64 -52
- data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
- data/lib/action_dispatch/routing/redirection.rb +7 -5
- data/lib/action_dispatch/routing/route_set.rb +29 -24
- data/lib/action_dispatch/routing/routes_proxy.rb +5 -2
- data/lib/action_dispatch/routing/url_for.rb +25 -5
- data/lib/action_dispatch/system_test_case.rb +22 -6
- data/lib/action_dispatch/system_testing/browser.rb +49 -0
- data/lib/action_dispatch/system_testing/driver.rb +9 -3
- data/lib/action_dispatch/system_testing/server.rb +2 -16
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +12 -14
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +8 -2
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +26 -0
- data/lib/action_dispatch/testing/assertion_response.rb +2 -0
- data/lib/action_dispatch/testing/assertions.rb +2 -0
- data/lib/action_dispatch/testing/assertions/response.rb +4 -2
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/integration.rb +24 -21
- data/lib/action_dispatch/testing/request_encoder.rb +3 -1
- data/lib/action_dispatch/testing/test_process.rb +2 -0
- data/lib/action_dispatch/testing/test_request.rb +3 -1
- data/lib/action_dispatch/testing/test_response.rb +23 -3
- data/lib/action_pack.rb +3 -1
- data/lib/action_pack/gem_version.rb +5 -3
- data/lib/action_pack/version.rb +2 -0
- metadata +23 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 96e28e2da73fb0ace4e8c62221ba405c625b91a1a5a66c691862543b557fb193
|
4
|
+
data.tar.gz: 0eb0326558ad0f1e88d21cff30e29d24a3dbee244140d1099aca3d9fb2610d3c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b29c5f753ceebd2fea0b9ef51563c3b728fafb0d45d9cba7dc6ed16507557d986114a323071c6fa4ad81c0e10534483dd9e374039c1d9827ccedc010c7ac528c
|
7
|
+
data.tar.gz: eac84dbeb5610ea6327a32268820fcf214ad84fb943fd3f98f4b4b905287afe22e33993e075081bf7cc9fd534eb8d7fef100e938ae5d75dabe977e778852b329
|
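Review bot: the removed lines of this hunk carry only the keys `metadata.gz:` and `data.tar.gz:` with no digest, so the previous SHA256/SHA512 values are not visible here and the old and new checksums cannot be compared on this page alone. A rewritten checksums.yaml is expected for any version bump and by itself says nothing about package integrity; before relying on the new digests, fetch the gem for 5.2.4.3 independently (for example `gem fetch actionpack -v 5.2.4.3` followed by `sha256sum` on the extracted `metadata.gz` and `data.tar.gz`) and confirm they match the values shown on the `+` lines.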
data/CHANGELOG.md
CHANGED
@@ -1,559 +1,479 @@
|
|
1
|
-
## Rails 5.
|
1
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
4
4
|
|
5
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
5
6
|
|
6
|
-
## Rails 5.1.6.2 (March 11, 2019) ##
|
7
7
|
|
8
|
-
|
8
|
+
## Rails 5.2.4.1 (December 18, 2019) ##
|
9
9
|
|
10
|
+
* Fix possible information leak / session hijacking vulnerability.
|
10
11
|
|
11
|
-
|
12
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
13
|
+
gem dalli to be updated as well.
|
12
14
|
|
13
|
-
|
15
|
+
CVE-2019-16782.
|
14
16
|
|
15
17
|
|
16
|
-
## Rails 5.
|
18
|
+
## Rails 5.2.4 (November 27, 2019) ##
|
17
19
|
|
18
|
-
*
|
20
|
+
* No changes.
|
19
21
|
|
20
|
-
*Catherine Khuu*
|
21
22
|
|
23
|
+
## Rails 5.2.3 (March 27, 2019) ##
|
22
24
|
|
23
|
-
|
25
|
+
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
24
26
|
|
25
|
-
|
27
|
+
Before this change, even if `public` was specified in the Cache Control header,
|
28
|
+
it was excluded when `no-cache` was included. This change preserves the
|
29
|
+
`public` value as is.
|
26
30
|
|
27
|
-
Fixes #
|
31
|
+
Fixes #34780.
|
28
32
|
|
29
|
-
*
|
33
|
+
*Yuji Yaginuma*
|
30
34
|
|
31
|
-
*
|
35
|
+
* Allow `nil` params for `ActionController::TestCase`.
|
32
36
|
|
33
|
-
*
|
37
|
+
*Ryo Nakamura*
|
34
38
|
|
35
|
-
## Rails 5.1.4 (September 07, 2017) ##
|
36
39
|
|
37
|
-
|
40
|
+
## Rails 5.2.2.1 (March 11, 2019) ##
|
38
41
|
|
39
|
-
|
42
|
+
* No changes.
|
40
43
|
|
41
|
-
*Yuji Yaginuma*
|
42
44
|
|
43
|
-
## Rails 5.
|
45
|
+
## Rails 5.2.2 (December 04, 2018) ##
|
44
46
|
|
45
|
-
*
|
47
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
46
48
|
|
49
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
50
|
+
in system test `after_teardown`.
|
47
51
|
|
48
|
-
|
52
|
+
*Maxim Perepelitsa*
|
49
53
|
|
50
|
-
*
|
54
|
+
* Use request object for context if there's no controller
|
51
55
|
|
56
|
+
There is no controller instance when using a redirect route or a
|
57
|
+
mounted rack application so pass the request object as the context
|
58
|
+
when resolving dynamic CSP sources in this scenario.
|
52
59
|
|
53
|
-
|
60
|
+
Fixes #34200.
|
54
61
|
|
55
|
-
*
|
62
|
+
*Andrew White*
|
56
63
|
|
64
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
57
65
|
|
58
|
-
|
66
|
+
Previously if a dynamic source returned a symbol such as :self it
|
67
|
+
would be converted to a string implicity, e.g:
|
59
68
|
|
60
|
-
|
69
|
+
policy.default_src -> { :self }
|
61
70
|
|
71
|
+
would generate the header:
|
62
72
|
|
63
|
-
|
73
|
+
Content-Security-Policy: default-src self
|
64
74
|
|
65
|
-
|
75
|
+
and now it generates:
|
66
76
|
|
77
|
+
Content-Security-Policy: default-src 'self'
|
67
78
|
|
68
|
-
|
79
|
+
*Andrew White*
|
69
80
|
|
70
|
-
*
|
81
|
+
* Fix `rails routes -c` for controller name consists of multiple word.
|
71
82
|
|
72
|
-
*
|
83
|
+
*Yoshiyuki Kinjo*
|
73
84
|
|
74
|
-
* `
|
85
|
+
* Call the `#redirect_to` block in controller context.
|
75
86
|
|
76
|
-
|
77
|
-
`driven_by` will register the driver and set additional options passed via
|
78
|
-
`:options` param.
|
87
|
+
*Steven Peckins*
|
79
88
|
|
80
|
-
Refer to drivers documentation to learn what options can be passed.
|
81
89
|
|
82
|
-
|
83
|
-
|
84
|
-
## Rails 5.1.1 (May 12, 2017) ##
|
90
|
+
## Rails 5.2.1.1 (November 27, 2018) ##
|
85
91
|
|
86
92
|
* No changes.
|
87
93
|
|
88
94
|
|
89
|
-
## Rails 5.1
|
90
|
-
|
91
|
-
* Raise exception when calling `to_h` and `to_hash` in an unpermitted Parameters.
|
95
|
+
## Rails 5.2.1 (August 07, 2018) ##
|
92
96
|
|
93
|
-
|
94
|
-
(`:controller` and `:action` by default).
|
97
|
+
* Prevent `?null=` being passed on JSON encoded test requests.
|
95
98
|
|
96
|
-
|
97
|
-
|
99
|
+
`RequestEncoder#encode_params` won't attempt to parse params if
|
100
|
+
there are none.
|
98
101
|
|
99
|
-
|
102
|
+
So call like this will no longer append a `?null=` query param.
|
100
103
|
|
101
|
-
|
104
|
+
get foos_url, as: :json
|
102
105
|
|
103
|
-
|
106
|
+
*Alireza Bashiri*
|
104
107
|
|
105
|
-
|
108
|
+
* Ensure `ActionController::Parameters#transform_values` and
|
109
|
+
`ActionController::Parameters#transform_values!` converts hashes into
|
110
|
+
parameters.
|
106
111
|
|
107
|
-
*
|
112
|
+
*Kevin Sjöberg*
|
108
113
|
|
109
|
-
|
110
|
-
and will match things like `:format_id` where there are nested resources, e.g:
|
114
|
+
* Fix strong parameters `permit!` with nested arrays.
|
111
115
|
|
112
|
-
|
113
|
-
resources :formats do
|
114
|
-
resources :items
|
115
|
-
end
|
116
|
+
Given:
|
116
117
|
```
|
117
|
-
|
118
|
-
|
119
|
-
`(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
|
120
|
-
allow for multiple closing parenthesis since the route may be of this form:
|
121
|
-
|
122
|
-
``` ruby
|
123
|
-
get "/books(/:action(.:format))", controller: "books"
|
118
|
+
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
119
|
+
params.permit!
|
124
120
|
```
|
125
121
|
|
126
|
-
|
127
|
-
route doesn't support a format but we have a test for it so we need to allow it.
|
122
|
+
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
128
123
|
|
129
|
-
|
124
|
+
*Steve Hull*
|
130
125
|
|
131
|
-
|
126
|
+
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
127
|
+
`ActionController::TestCase` subclasses.
|
132
128
|
|
133
|
-
*
|
129
|
+
*Eugene Kenny*
|
134
130
|
|
135
|
-
|
136
|
-
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
137
|
-
may not exist in a certain implementation.
|
131
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
138
132
|
|
139
|
-
|
133
|
+
Fixes #32597.
|
140
134
|
|
141
|
-
|
135
|
+
*Andrey Novikov*, *Andrew White*
|
142
136
|
|
143
|
-
|
144
|
-
|
145
|
-
* Don't include default headers in `ActionController::Metal` responses
|
146
|
-
|
147
|
-
The commit e16afe6 introduced an unintentional change of behavior where the default
|
148
|
-
headers were included in responses from `ActionController::Metal` based controllers.
|
149
|
-
This is now reverted to the previous behavior of having no default headers.
|
137
|
+
* Only disable GPUs for headless Chrome on Windows.
|
150
138
|
|
151
|
-
|
139
|
+
It is not necessary anymore for Linux and macOS machines.
|
152
140
|
|
153
|
-
|
141
|
+
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
154
142
|
|
155
|
-
*
|
143
|
+
*Stefan Wrobel*
|
156
144
|
|
157
|
-
|
145
|
+
* Fix system tests transactions not closed between examples.
|
158
146
|
|
159
|
-
*
|
147
|
+
*Sergey Tarasov*
|
160
148
|
|
161
|
-
*Edouard Chin*, *Mitsutaka Mimura*
|
162
149
|
|
163
|
-
|
150
|
+
## Rails 5.2.0 (April 09, 2018) ##
|
164
151
|
|
165
|
-
|
166
|
-
returning `nil`. This caused URLs to be malformed with the default settings.
|
167
|
-
Fix this by setting `rack.url_scheme` when the environment is normalized.
|
168
|
-
|
169
|
-
Fixes #28151.
|
152
|
+
* Check exclude before flagging cookies as secure.
|
170
153
|
|
171
|
-
*
|
154
|
+
*Catherine Khuu*
|
172
155
|
|
173
|
-
*
|
156
|
+
* Always yield a CSP policy instance from `content_security_policy`
|
174
157
|
|
175
|
-
|
158
|
+
This allows a controller action to enable the policy individually
|
159
|
+
for a controller and/or specific actions.
|
176
160
|
|
177
161
|
*Andrew White*
|
178
162
|
|
179
|
-
*
|
163
|
+
* Add the ability to disable the global CSP in a controller, e.g:
|
180
164
|
|
181
|
-
|
182
|
-
|
165
|
+
class LegacyPagesController < ApplicationController
|
166
|
+
content_security_policy false, only: :index
|
167
|
+
end
|
183
168
|
|
184
169
|
*Andrew White*
|
185
170
|
|
186
|
-
* Add
|
187
|
-
|
188
|
-
This new method allows customization of the polymorphic mapping of models:
|
171
|
+
* Add alias method `to_hash` to `to_h` for `cookies`.
|
172
|
+
Add alias method `to_h` to `to_hash` for `session`.
|
189
173
|
|
190
|
-
|
191
|
-
resource :basket
|
192
|
-
resolve("Basket") { [:basket] }
|
193
|
-
```
|
174
|
+
*Igor Kasyanchuk*
|
194
175
|
|
195
|
-
|
196
|
-
|
197
|
-
<!-- basket form -->
|
198
|
-
<% end %>
|
199
|
-
```
|
176
|
+
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
177
|
+
to meet the minimum max-age requirement for https://hstspreload.org/.
|
200
178
|
|
201
|
-
|
202
|
-
resources member url, e.g. `/basket` vs. `/basket/:id`.
|
179
|
+
*Grant Bourque*
|
203
180
|
|
204
|
-
|
181
|
+
* Add support for automatic nonce generation for Rails UJS.
|
205
182
|
|
206
|
-
|
183
|
+
Because the UJS library creates a script tag to process responses it
|
184
|
+
normally requires the script-src attribute of the content security
|
185
|
+
policy to include 'unsafe-inline'.
|
207
186
|
|
208
|
-
|
187
|
+
To work around this we generate a per-request nonce value that is
|
188
|
+
embedded in a meta tag in a similar fashion to how CSRF protection
|
189
|
+
embeds its token in a meta tag. The UJS library can then read the
|
190
|
+
nonce value and set it on the dynamically generated script tag to
|
191
|
+
enable it to execute without needing 'unsafe-inline' enabled.
|
209
192
|
|
210
|
-
|
193
|
+
Nonce generation isn't 100% safe - if your script tag is including
|
194
|
+
user generated content in someway then it may be possible to exploit
|
195
|
+
an XSS vulnerability which can take advantage of the nonce. It is
|
196
|
+
however an improvement on a blanket permission for inline scripts.
|
211
197
|
|
212
|
-
|
213
|
-
|
198
|
+
It is also possible to use the nonce within your own script tags by
|
199
|
+
using `nonce: true` to set the nonce value on the tag, e.g
|
214
200
|
|
215
|
-
|
216
|
-
|
217
|
-
|
201
|
+
<%= javascript_tag nonce: true do %>
|
202
|
+
alert('Hello, World!');
|
203
|
+
<% end %>
|
218
204
|
|
219
|
-
|
220
|
-
unlike custom url helpers defined in helper modules, etc.
|
205
|
+
Fixes #31689.
|
221
206
|
|
222
207
|
*Andrew White*
|
223
208
|
|
224
|
-
*
|
225
|
-
|
226
|
-
Adds Capybara integration directly into Rails through Action Pack!
|
227
|
-
|
228
|
-
See PR [#26703](https://github.com/rails/rails/pull/26703)
|
229
|
-
|
230
|
-
*Eileen M. Uchitelle*
|
231
|
-
|
232
|
-
* Remove deprecated `.to_prepare`, `.to_cleanup`, `.prepare!` and `.cleanup!` from `ActionDispatch::Reloader`.
|
233
|
-
|
234
|
-
*Rafael Mendonça França*
|
235
|
-
|
236
|
-
* Remove deprecated `ActionDispatch::Callbacks.to_prepare` and `ActionDispatch::Callbacks.to_cleanup`.
|
237
|
-
|
238
|
-
*Rafael Mendonça França*
|
239
|
-
|
240
|
-
* Remove deprecated `ActionController::Metal.call`.
|
241
|
-
|
242
|
-
*Rafael Mendonça França*
|
243
|
-
|
244
|
-
* Remove deprecated `ActionController::Metal#env`.
|
245
|
-
|
246
|
-
*Rafael Mendonça França*
|
247
|
-
|
248
|
-
* Make `with_routing` test helper work when testing controllers inheriting from `ActionController::API`
|
249
|
-
|
250
|
-
*Julia López*
|
251
|
-
|
252
|
-
* Use accept header in integration tests with `as: :json`
|
253
|
-
|
254
|
-
Instead of appending the `format` to the request path, Rails will figure
|
255
|
-
out the format from the header instead.
|
256
|
-
|
257
|
-
This allows devs to use `:as` on routes that don't have a format.
|
258
|
-
|
259
|
-
Fixes #27144.
|
260
|
-
|
261
|
-
*Kasper Timm Hansen*
|
262
|
-
|
263
|
-
* Reset a new session directly after its creation in `ActionDispatch::IntegrationTest#open_session`.
|
264
|
-
|
265
|
-
Fixes #22742.
|
209
|
+
* Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
|
266
210
|
|
267
|
-
|
211
|
+
Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
|
268
212
|
|
269
|
-
|
213
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
214
|
+
def index
|
215
|
+
params.each do |name|
|
216
|
+
puts name
|
217
|
+
end
|
218
|
+
end
|
270
219
|
|
271
|
-
|
220
|
+
# Prints
|
221
|
+
# param
|
222
|
+
# param_two
|
272
223
|
|
273
|
-
|
224
|
+
In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
|
274
225
|
|
275
|
-
|
276
|
-
for every line in an exception backtrace, when printing trace
|
277
|
-
from `DebugExceptions` middleware.
|
226
|
+
To fix the code above simply change as per example below:
|
278
227
|
|
279
|
-
|
228
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
229
|
+
def index
|
230
|
+
params.each do |name, value|
|
231
|
+
puts name
|
232
|
+
end
|
233
|
+
end
|
280
234
|
|
281
|
-
|
235
|
+
# Prints
|
236
|
+
# param
|
237
|
+
# param_two
|
282
238
|
|
283
|
-
*
|
239
|
+
*Dominic Cleal*
|
284
240
|
|
285
|
-
|
286
|
-
params.permit(preferences: {})
|
287
|
-
```
|
241
|
+
* Add `Referrer-Policy` header to default headers set.
|
288
242
|
|
289
|
-
*
|
243
|
+
*Guillermo Iguaran*
|
290
244
|
|
291
|
-
*
|
245
|
+
* Changed the system tests to set Puma as default server only when the
|
246
|
+
user haven't specified manually another server.
|
292
247
|
|
293
|
-
*
|
248
|
+
*Guillermo Iguaran*
|
294
249
|
|
295
|
-
*
|
296
|
-
|
250
|
+
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
|
251
|
+
default headers set.
|
297
252
|
|
298
|
-
*
|
253
|
+
*Guillermo Iguaran*
|
299
254
|
|
300
|
-
*
|
301
|
-
`#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`.
|
255
|
+
* Add headless firefox support to System Tests.
|
302
256
|
|
303
|
-
*
|
257
|
+
*bogdanvlviv*
|
304
258
|
|
305
|
-
*
|
306
|
-
|
307
|
-
*Rafael Mendonça França*
|
259
|
+
* Changed the default system test screenshot output from `inline` to `simple`.
|
308
260
|
|
309
|
-
|
261
|
+
`inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
|
262
|
+
Terminal.app ignore the `inline` and output the path to the file since it can't
|
263
|
+
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
264
|
+
inline, but also don't handle it gracefully and instead of outputting the file
|
265
|
+
path, it dumps binary into the terminal.
|
310
266
|
|
311
|
-
|
267
|
+
Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
|
312
268
|
|
313
|
-
*
|
269
|
+
*Eileen M. Uchitelle*
|
314
270
|
|
315
|
-
|
271
|
+
* Register most popular audio/video/font mime types supported by modern browsers.
|
316
272
|
|
317
|
-
*
|
273
|
+
*Guillermo Iguaran*
|
318
274
|
|
319
|
-
|
275
|
+
* Fix optimized url helpers when using relative url root.
|
320
276
|
|
321
|
-
|
277
|
+
Fixes #31220.
|
322
278
|
|
323
|
-
*
|
279
|
+
*Andrew White*
|
324
280
|
|
325
|
-
*
|
281
|
+
* Add DSL for configuring Content-Security-Policy header.
|
326
282
|
|
327
|
-
|
283
|
+
The DSL allows you to configure a global Content-Security-Policy
|
284
|
+
header and then override within a controller. For more information
|
285
|
+
about the Content-Security-Policy header see MDN:
|
328
286
|
|
329
|
-
|
287
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
330
288
|
|
331
|
-
|
289
|
+
Example global policy:
|
332
290
|
|
333
|
-
|
291
|
+
# config/initializers/content_security_policy.rb
|
292
|
+
Rails.application.config.content_security_policy do |p|
|
293
|
+
p.default_src :self, :https
|
294
|
+
p.font_src :self, :https, :data
|
295
|
+
p.img_src :self, :https, :data
|
296
|
+
p.object_src :none
|
297
|
+
p.script_src :self, :https
|
298
|
+
p.style_src :self, :https, :unsafe_inline
|
299
|
+
end
|
334
300
|
|
335
|
-
|
301
|
+
Example controller overrides:
|
336
302
|
|
337
|
-
|
338
|
-
|
303
|
+
# Override policy inline
|
304
|
+
class PostsController < ApplicationController
|
305
|
+
content_security_policy do |p|
|
306
|
+
p.upgrade_insecure_requests true
|
307
|
+
end
|
308
|
+
end
|
339
309
|
|
340
|
-
|
310
|
+
# Using literal values
|
311
|
+
class PostsController < ApplicationController
|
312
|
+
content_security_policy do |p|
|
313
|
+
p.base_uri "https://www.example.com"
|
314
|
+
end
|
315
|
+
end
|
341
316
|
|
342
|
-
|
317
|
+
# Using mixed static and dynamic values
|
318
|
+
class PostsController < ApplicationController
|
319
|
+
content_security_policy do |p|
|
320
|
+
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
321
|
+
end
|
322
|
+
end
|
343
323
|
|
344
|
-
|
324
|
+
Allows you to also only report content violations for migrating
|
325
|
+
legacy content using the `content_security_policy_report_only`
|
326
|
+
configuration attribute, e.g;
|
345
327
|
|
346
|
-
|
347
|
-
|
328
|
+
# config/initializers/content_security_policy.rb
|
329
|
+
Rails.application.config.content_security_policy_report_only = true
|
348
330
|
|
349
|
-
|
331
|
+
# controller override
|
332
|
+
class PostsController < ApplicationController
|
333
|
+
content_security_policy_report_only only: :index
|
334
|
+
end
|
350
335
|
|
351
|
-
|
336
|
+
Note that this feature does not validate the header for performance
|
337
|
+
reasons since the header is calculated at runtime.
|
352
338
|
|
353
|
-
*
|
339
|
+
*Andrew White*
|
354
340
|
|
355
|
-
*
|
356
|
-
`ActionDispatch::ParamsParser::ParseError#initialize`.
|
341
|
+
* Make `assert_recognizes` to traverse mounted engines.
|
357
342
|
|
358
|
-
*
|
343
|
+
*Yuichiro Kaneko*
|
359
344
|
|
360
|
-
* Remove deprecated
|
345
|
+
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
361
346
|
|
362
347
|
*Rafael Mendonça França*
|
363
348
|
|
364
|
-
*
|
349
|
+
* Add `:allow_other_host` option to `redirect_back` method.
|
365
350
|
|
366
|
-
|
351
|
+
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
352
|
+
different host. `allow_other_host` is `true` by default.
|
367
353
|
|
368
|
-
*
|
369
|
-
`#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`.
|
370
|
-
|
371
|
-
*Rafael Mendonça França*
|
354
|
+
*Tim Masliuchenko*
|
372
355
|
|
373
|
-
*
|
356
|
+
* Add headless chrome support to System Tests.
|
374
357
|
|
375
|
-
*
|
376
|
-
|
377
|
-
* Remove deprecated methods in `ActionController::Parameters`.
|
378
|
-
|
379
|
-
*Rafael Mendonça França*
|
358
|
+
*Yuji Yaginuma*
|
380
359
|
|
381
|
-
*
|
382
|
-
with a `Hash`.
|
360
|
+
* Add ability to enable Early Hints for HTTP/2
|
383
361
|
|
384
|
-
|
362
|
+
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
385
363
|
|
386
|
-
|
364
|
+
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
387
365
|
|
388
|
-
*
|
366
|
+
*Eileen M. Uchitelle*, *Aaron Patterson*
|
389
367
|
|
390
|
-
*
|
368
|
+
* Simplify cookies middleware with key rotation support
|
391
369
|
|
392
|
-
|
370
|
+
Use the `rotate` method for both `MessageEncryptor` and
|
371
|
+
`MessageVerifier` to add key rotation support for encrypted and
|
372
|
+
signed cookies. This also helps simplify support for legacy cookie
|
373
|
+
security.
|
393
374
|
|
394
|
-
*
|
375
|
+
*Michael J Coyne*
|
395
376
|
|
396
|
-
|
377
|
+
* Use Capybara registered `:puma` server config.
|
397
378
|
|
398
|
-
|
379
|
+
The Capybara registered `:puma` server ensures the puma server is run in process so
|
380
|
+
connection sharing and open request detection work correctly by default.
|
399
381
|
|
400
|
-
*
|
382
|
+
*Thomas Walpole*
|
401
383
|
|
402
|
-
*
|
403
|
-
and the `ActionController::BadRequest#original_exception` method.
|
384
|
+
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
404
385
|
|
405
|
-
|
386
|
+
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
387
|
+
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
406
388
|
|
407
|
-
|
408
|
-
`prepend_before_filter`, `skip_before_filter`, `append_before_filter`, `around_filter`
|
409
|
-
`prepend_around_filter`, `skip_around_filter`, `append_around_filter`, `after_filter`,
|
410
|
-
`prepend_after_filter`, `skip_after_filter` and `append_after_filter`.
|
389
|
+
Pull Request: #30121
|
411
390
|
|
412
|
-
*
|
391
|
+
*Assain Jaleel*
|
413
392
|
|
414
|
-
*
|
415
|
-
on a matched route, rather than a "missing keys" error.
|
393
|
+
* Enforce signed/encrypted cookie expiry server side.
|
416
394
|
|
417
|
-
|
395
|
+
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
418
396
|
|
419
|
-
|
397
|
+
It does so by stashing the expiry within the written cookie and relying on the
|
398
|
+
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
399
|
+
server-side read, the expiry is verified and any expired cookie is discarded.
|
420
400
|
|
421
|
-
|
401
|
+
Pull Request: #30121
|
422
402
|
|
423
|
-
|
424
|
-
controller action using `fresh_when` or `stale?` would not result in a new
|
425
|
-
`ETag` value.
|
403
|
+
*Assain Jaleel*
|
426
404
|
|
427
|
-
|
405
|
+
* Make `take_failed_screenshot` work within engine.
|
428
406
|
|
429
|
-
|
407
|
+
Fixes #30405.
|
430
408
|
|
431
409
|
*Yuji Yaginuma*
|
432
410
|
|
433
|
-
*
|
434
|
-
|
435
|
-
In the future `ActionController::Parameters` are discouraged from being used
|
436
|
-
in URLs without explicit whitelisting. Go through `to_h` to use `to_param`.
|
437
|
-
|
438
|
-
*Kir Shatrov*
|
439
|
-
|
440
|
-
* Fix nested multiple roots
|
441
|
-
|
442
|
-
The PR #20940 enabled the use of multiple roots with different constraints
|
443
|
-
at the top level but unfortunately didn't work when those roots were inside
|
444
|
-
a namespace and also broke the use of root inside a namespace after a top
|
445
|
-
level root was defined because the check for the existence of the named route
|
446
|
-
used the global :root name and not the namespaced name.
|
447
|
-
|
448
|
-
This is fixed by using the name_for_action method to expand the :root name to
|
449
|
-
the full namespaced name. We can pass nil for the second argument as we're not
|
450
|
-
dealing with resource definitions so don't need to handle the cases for edit
|
451
|
-
and new routes.
|
452
|
-
|
453
|
-
Fixes #26148.
|
454
|
-
|
455
|
-
*Ryo Hashimoto*, *Andrew White*
|
456
|
-
|
457
|
-
* Include the content of the flash in the auto-generated etag. This solves the following problem:
|
458
|
-
|
459
|
-
1. POST /messages
|
460
|
-
2. redirect_to messages_url, notice: 'Message was created'
|
461
|
-
3. GET /messages/1
|
462
|
-
4. GET /messages
|
463
|
-
|
464
|
-
Step 4 would before still include the flash message, even though it's no longer relevant,
|
465
|
-
because the etag cache was recorded with the flash in place and didn't change when it was gone.
|
466
|
-
|
467
|
-
*DHH*
|
468
|
-
|
469
|
-
* SSL: Changes redirect behavior for all non-GET and non-HEAD requests
|
470
|
-
(like POST/PUT/PATCH etc) to `http://` resources to redirect to `https://`
|
471
|
-
with a [307 status code](http://tools.ietf.org/html/rfc7231#section-6.4.7) instead of [301 status code](http://tools.ietf.org/html/rfc7231#section-6.4.2).
|
472
|
-
|
473
|
-
307 status code instructs the HTTP clients to preserve the original
|
474
|
-
request method while redirecting. It has been part of HTTP RFC since
|
475
|
-
1999 and is implemented/recognized by most (if not all) user agents.
|
476
|
-
|
477
|
-
# Before
|
478
|
-
POST http://example.com/articles (i.e. ArticlesContoller#create)
|
479
|
-
redirects to
|
480
|
-
GET https://example.com/articles (i.e. ArticlesContoller#index)
|
481
|
-
|
482
|
-
# After
|
483
|
-
POST http://example.com/articles (i.e. ArticlesContoller#create)
|
484
|
-
redirects to
|
485
|
-
POST https://example.com/articles (i.e. ArticlesContoller#create)
|
411
|
+
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
486
412
|
|
487
|
-
|
413
|
+
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
414
|
+
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
415
|
+
use the response helpers provided by `Rack::Response`.
|
488
416
|
|
489
|
-
*
|
417
|
+
*Trevor Wistaff*
|
490
418
|
|
491
|
-
|
492
|
-
in controller tests without manually doing this through `@request.headers['CONTENT_TYPE']`.
|
419
|
+
* Protect from forgery by default
|
493
420
|
|
494
|
-
|
421
|
+
Rather than protecting from forgery in the generated `ApplicationController`,
|
422
|
+
add it to `ActionController::Base` depending on
|
423
|
+
`config.action_controller.default_protect_from_forgery`. This configuration
|
424
|
+
defaults to false to support older versions which have removed it from their
|
425
|
+
`ApplicationController`, but is set to true for Rails 5.2.
|
495
426
|
|
496
|
-
*
|
427
|
+
*Lisa Ugray*
|
497
428
|
|
498
|
-
|
499
|
-
the cache:
|
429
|
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
500
430
|
|
501
|
-
|
502
|
-
Rendered messages/_message.html.erb in 1.2 ms [cache hit]
|
503
|
-
Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
|
504
|
-
```
|
431
|
+
*Kir Shatrov*
|
505
432
|
|
506
|
-
|
433
|
+
* `driven_by` now registers poltergeist and capybara-webkit.
|
507
434
|
|
508
|
-
|
509
|
-
|
510
|
-
|
511
|
-
Write fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/3b4e249ac9d168c617e32e84b99218b5 (1.1ms)
|
512
|
-
Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
|
513
|
-
```
|
514
|
-
|
515
|
-
Though that full output can be reenabled with
|
516
|
-
`config.action_controller.enable_fragment_cache_logging = true`.
|
435
|
+
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
436
|
+
`driven_by` will register the driver and set additional options passed via
|
437
|
+
the `:options` parameter.
|
517
438
|
|
518
|
-
|
439
|
+
Refer to the respective driver's documentation to see what options can be passed.
|
519
440
|
|
520
|
-
*
|
441
|
+
*Mario Chavez*
|
521
442
|
|
522
|
-
|
443
|
+
* AEAD encrypted cookies and sessions with GCM.
|
523
444
|
|
524
|
-
|
445
|
+
Encrypted cookies now use AES-GCM which couples authentication and
|
446
|
+
encryption in one faster step and produces shorter ciphertexts. Cookies
|
447
|
+
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
448
|
+
this new mode is enabled via the
|
449
|
+
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
525
450
|
|
526
|
-
*
|
451
|
+
*Michael J Coyne*
|
527
452
|
|
528
|
-
|
529
|
-
fixes the use of `defaults` (default parameters) in the `root` routing method.
|
453
|
+
* Change the cache key format for fragments to make it easier to debug key churn. The new format is:
|
530
454
|
|
531
|
-
|
455
|
+
views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
|
456
|
+
^template path ^template tree digest ^class ^id
|
532
457
|
|
533
|
-
*
|
458
|
+
*DHH*
|
534
459
|
|
535
|
-
|
536
|
-
|
537
|
-
|
538
|
-
controller instantiation for some other reason, had to defend against
|
539
|
-
non-UTF8 characters themselves.
|
460
|
+
* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
|
461
|
+
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
462
|
+
to support it.
|
540
463
|
|
541
|
-
*
|
464
|
+
*DHH*
|
542
465
|
|
543
|
-
*
|
466
|
+
* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
|
544
467
|
|
545
|
-
|
546
|
-
|
547
|
-
|
548
|
-
chance to define exception handling behaviour.
|
468
|
+
`ActionController::Base` and `ActionController::API` have differing implementations. This means that
|
469
|
+
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
470
|
+
may not exist in a certain implementation.
|
549
471
|
|
550
|
-
|
472
|
+
This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
|
551
473
|
|
552
|
-
|
474
|
+
Fixes #27013.
|
553
475
|
|
554
|
-
|
555
|
-
for `ParameterTypeError` and `InvalidParameterError` errors.
|
476
|
+
*Julian Nadeau*
|
556
477
|
|
557
|
-
*Grey Baker*
|
558
478
|
|
559
|
-
Please check [5-
|
479
|
+
Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
|
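Review bot: the added "Protect from forgery by default" entry is ambiguous about which applications actually get the new behaviour: it says `config.action_controller.default_protect_from_forgery` "defaults to false to support older versions" but "is set to true for Rails 5.2", without stating whether an application upgraded from 5.1 must set the option itself or whether the generated `ApplicationController` line it replaces may be removed; suggest one sentence naming how an upgrading app enables it and how to confirm its controllers are still covered once the explicit `protect_from_forgery` call is gone. The added "AEAD encrypted cookies and sessions with GCM" entry likewise names `action_dispatch.use_authenticated_cookie_encryption` as the switch that triggers the "seamless" upgrade from AES-CBC+HMAC, but does not give the option's default or say what happens to cookies already rewritten in the GCM format if the option is turned back off, which is exactly what an operator planning a deploy or rollback needs from this entry; suggest spelling out both. Minor wording in the added `driven_by` entry: "If poltergeist or capybara-webkit are set as drivers is set for System Tests" should read "If poltergeist or capybara-webkit are set as drivers for System Tests".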