actionpack 5.1.7 → 5.2.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b74291670f1ba9c12fe411448739a7435744e7594005819f11ff447a0db28e26
-  data.tar.gz: ac53ac07f2a25fe3a212acbe4717d55e2fe361267648820ecd72ede6e0167245
+  metadata.gz: 96e28e2da73fb0ace4e8c62221ba405c625b91a1a5a66c691862543b557fb193
+  data.tar.gz: 0eb0326558ad0f1e88d21cff30e29d24a3dbee244140d1099aca3d9fb2610d3c
 SHA512:
-  metadata.gz: 8cd67c197cff3ae4c31e9e64c4d24a7b05dfbce7b0c289122554e7a60eb38256cf6ea85bd2d49092dfed2c6fc4aa32cd0bf93ab6fdc81388e6d40d25348fba5f
-  data.tar.gz: d005d7a4ea15138642967820d6c585d1eedf169d06012ea19f6cab2810e5ac21d62d938e633724a916570ab7804b8f7315874bdf4fa696128968240ec77917d9
+  metadata.gz: b29c5f753ceebd2fea0b9ef51563c3b728fafb0d45d9cba7dc6ed16507557d986114a323071c6fa4ad81c0e10534483dd9e374039c1d9827ccedc010c7ac528c
+  data.tar.gz: eac84dbeb5610ea6327a32268820fcf214ad84fb943fd3f98f4b4b905287afe22e33993e075081bf7cc9fd534eb8d7fef100e938ae5d75dabe977e778852b329

data/CHANGELOG.md

@@ -1,559 +1,479 @@
-## Rails 5.1.7 (March 27, 2019) ##
+## Rails 5.2.4.3 (May 18, 2020) ##
 
-*   No changes.
+*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
 
+*   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
 
-## Rails 5.1.6.2 (March 11, 2019) ##
 
-*   No changes.
+## Rails 5.2.4.1 (December 18, 2019) ##
 
+*   Fix possible information leak / session hijacking vulnerability.
 
-## Rails 5.1.6.1 (November 27, 2018) ##
+    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
+    gem dalli to be updated as well.
 
-*   No changes.
+    CVE-2019-16782.
 
 
-## Rails 5.1.6 (March 29, 2018) ##
+## Rails 5.2.4 (November 27, 2019) ##
 
-*   Check exclude before flagging cookies as secure.
+*   No changes.
 
-    *Catherine Khuu*
 
+## Rails 5.2.3 (March 27, 2019) ##
 
-## Rails 5.1.5 (February 14, 2018) ##
+*   Allow using `public` and `no-cache` together in the the Cache Control header.
 
-*   Fix optimized url helpers when using relative url root
+    Before this change, even if `public` was specified in the Cache Control header,
+    it was excluded when `no-cache` was included. This change preserves the
+    `public` value as is.
 
-    Fixes #31220.
+    Fixes #34780.
 
-    *Andrew White*
+    *Yuji Yaginuma*
 
-*   Ensure dev and prod puma configs do not clobber `ActionDispatch::SystemTesting` defaults. Adds workers: 0 and daemon: false
+*   Allow `nil` params for `ActionController::TestCase`.
 
-    *Max Schwenk*
+    *Ryo Nakamura*
 
-## Rails 5.1.4 (September 07, 2017) ##
 
-*   Make `take_failed_screenshot` work within engine.
+## Rails 5.2.2.1 (March 11, 2019) ##
 
-    Fixes #30405.
+*   No changes.
 
-    *Yuji Yaginuma*
 
-## Rails 5.1.4.rc1 (August 24, 2017) ##
+## Rails 5.2.2 (December 04, 2018) ##
 
-*   No changes.
+*   Reset Capybara sessions if failed system test screenshot raising an exception.
 
+    Reset Capybara sessions if `take_failed_screenshot` raise exception
+    in system test `after_teardown`.
 
-## Rails 5.1.3 (August 03, 2017) ##
+    *Maxim Perepelitsa*
 
-*   No changes.
+*   Use request object for context if there's no controller
 
+    There is no controller instance when using a redirect route or a
+    mounted rack application so pass the request object as the context
+    when resolving dynamic CSP sources in this scenario.
 
-## Rails 5.1.3.rc3 (July 31, 2017) ##
+    Fixes #34200.
 
-*   No changes.
+    *Andrew White*
 
+*   Apply mapping to symbols returned from dynamic CSP sources
 
-## Rails 5.1.3.rc2 (July 25, 2017) ##
+    Previously if a dynamic source returned a symbol such as :self it
+    would be converted to a string implicity, e.g:
 
-*   No changes.
+        policy.default_src -> { :self }
 
+    would generate the header:
 
-## Rails 5.1.3.rc1 (July 19, 2017) ##
+        Content-Security-Policy: default-src self
 
-*   No changes.
+    and now it generates:
 
+        Content-Security-Policy: default-src 'self'
 
-## Rails 5.1.2 (June 26, 2017) ##
+    *Andrew White*
 
-*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
+*   Fix `rails routes -c` for controller name consists of multiple word.
 
-    *Kir Shatrov*
+    *Yoshiyuki Kinjo*
 
-*   `driven_by` now registers poltergeist and capybara-webkit
+*   Call the `#redirect_to` block in controller context.
 
-    If driver poltergeist or capybara-webkit is set for System Tests,
-    `driven_by` will register the driver and set additional options passed via
-    `:options` param.
+    *Steven Peckins*
 
-    Refer to drivers documentation to learn what options can be passed.
 
-    *Mario Chavez*
-
-## Rails 5.1.1 (May 12, 2017) ##
+## Rails 5.2.1.1 (November 27, 2018) ##
 
 *   No changes.
 
 
-## Rails 5.1.0 (April 27, 2017) ##
-
-*   Raise exception when calling `to_h` and `to_hash` in an unpermitted Parameters.
+## Rails 5.2.1 (August 07, 2018) ##
 
-    Before we returned either an empty hash or only the always permitted parameters
-    (`:controller` and `:action` by default).
+*   Prevent `?null=` being passed on JSON encoded test requests.
 
-    The previous behavior was dangerous because in order to get the attributes users
-    usually fallback to use `to_unsafe_h that` could potentially introduce security issues.
+    `RequestEncoder#encode_params` won't attempt to parse params if
+    there are none.
 
-    *Rafael Mendonça França*
+    So call like this will no longer append a `?null=` query param.
 
-*   Deprecate `config.action_controller.raise_on_unfiltered_parameters`.
+        get foos_url, as: :json
 
-    This option has no effect in Rails 5.1.
+    *Alireza Bashiri*
 
-    *Rafael Mendonça França*
+*   Ensure `ActionController::Parameters#transform_values` and
+    `ActionController::Parameters#transform_values!` converts hashes into
+    parameters.
 
-*   Use more specific check for :format in route path
+    *Kevin Sjöberg*
 
-    The current check for whether to add an optional format to the path is very lax
-    and will match things like `:format_id` where there are nested resources, e.g:
+*   Fix strong parameters `permit!` with nested arrays.
 
-    ``` ruby
-    resources :formats do
-      resources :items
-    end
+    Given:
     ```
-
-    Fix this by using a more restrictive regex pattern that looks for the patterns
-    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
-    allow for multiple closing parenthesis since the route may be of this form:
-
-    ``` ruby
-    get "/books(/:action(.:format))", controller: "books"
+    params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
+    params.permit!
     ```
 
-    This probably isn't what's intended since it means that the default index action
-    route doesn't support a format but we have a test for it so we need to allow it.
+    `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
 
-    Fixes #28517.
+    *Steve Hull*
 
-    *Andrew White*
+*   Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
+    `ActionController::TestCase` subclasses.
 
-*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
+    *Eugene Kenny*
 
-    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
-    the one umbrella hook `action_controller` is not able to address certain situations where a method
-    may not exist in a certain implementation.
+*   Output only one Content-Security-Policy nonce header value per request.
 
-    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
+    Fixes #32597.
 
-    Fixes #27013.
+    *Andrey Novikov*, *Andrew White*
 
-    *Julian Nadeau*
-
-*   Don't include default headers in `ActionController::Metal` responses
-
-    The commit e16afe6 introduced an unintentional change of behavior where the default
-    headers were included in responses from `ActionController::Metal` based controllers.
-    This is now reverted to the previous behavior of having no default headers.
+*   Only disable GPUs for headless Chrome on Windows.
 
-    Fixes #25820.
+    It is not necessary anymore for Linux and macOS machines.
 
-    *Jon Moss*
+    https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
 
-*   Fix `NameError` raised in `ActionController::Renderer#with_defaults`
+    *Stefan Wrobel*
 
-    *Hiroyuki Ishii*
+*   Fix system tests transactions not closed between examples.
 
-*   Added `#reverse_merge` and `#reverse_merge!` methods to `ActionController::Parameters`
+    *Sergey Tarasov*
 
-    *Edouard Chin*, *Mitsutaka Mimura*
 
-*   Fix malformed URLS when using `ApplicationController.renderer`
+## Rails 5.2.0 (April 09, 2018) ##
 
-    The Rack environment variable `rack.url_scheme` was not being set so `scheme` was
-    returning `nil`. This caused URLs to be malformed with the default settings.
-    Fix this by setting `rack.url_scheme` when the environment is normalized.
-
-    Fixes #28151.
+*   Check exclude before flagging cookies as secure.
 
-    *George Vrettos*
+    *Catherine Khuu*
 
-*   Commit flash changes when using a redirect route.
+*   Always yield a CSP policy instance from `content_security_policy`
 
-    Fixes #27992.
+    This allows a controller action to enable the policy individually
+    for a controller and/or specific actions.
 
     *Andrew White*
 
-*   Prefer `remove_method` over `undef_method` when reloading routes
+*   Add the ability to disable the global CSP in a controller, e.g:
 
-    When `undef_method` is used it prevents access to other implementations of that
-    url helper in the ancestor chain so use `remove_method` instead to restore access.
+        class LegacyPagesController < ApplicationController
+          content_security_policy false, only: :index
+        end
 
     *Andrew White*
 
-*   Add the `resolve` method to the routing DSL
-
-    This new method allows customization of the polymorphic mapping of models:
+*   Add alias method `to_hash` to `to_h` for `cookies`.
+    Add alias method `to_h` to `to_hash` for `session`.
 
-    ``` ruby
-    resource :basket
-    resolve("Basket") { [:basket] }
-    ```
+    *Igor Kasyanchuk*
 
-    ``` erb
-    <%= form_for @basket do |form| %>
-    <!-- basket form -->
-    <% end %>
-    ```
+*   Update the default HSTS max-age value to 31536000 seconds (1 year)
+    to meet the minimum max-age requirement for https://hstspreload.org/.
 
-    This generates the correct singular URL for the form instead of the default
-    resources member url, e.g. `/basket` vs. `/basket/:id`.
+    *Grant Bourque*
 
-    Fixes #1769.
+*   Add support for automatic nonce generation for Rails UJS.
 
-    *Andrew White*
+    Because the UJS library creates a script tag to process responses it
+    normally requires the script-src attribute of the content security
+    policy to include 'unsafe-inline'.
 
-*   Add the `direct` method to the routing DSL
+    To work around this we generate a per-request nonce value that is
+    embedded in a meta tag in a similar fashion to how CSRF protection
+    embeds its token in a meta tag. The UJS library can then read the
+    nonce value and set it on the dynamically generated script tag to
+    enable it to execute without needing 'unsafe-inline' enabled.
 
-    This new method allows creation of custom url helpers, e.g:
+    Nonce generation isn't 100% safe - if your script tag is including
+    user generated content in someway then it may be possible to exploit
+    an XSS vulnerability which can take advantage of the nonce. It is
+    however an improvement on a blanket permission for inline scripts.
 
-    ``` ruby
-    direct(:apple) { "http://www.apple.com" }
+    It is also possible to use the nonce within your own script tags by
+    using `nonce: true` to set the nonce value on the tag, e.g
 
-    >> apple_url
-    => "http://www.apple.com"
-    ```
+        <%= javascript_tag nonce: true do %>
+          alert('Hello, World!');
+        <% end %>
 
-    This has the advantage of being available everywhere url helpers are available
-    unlike custom url helpers defined in helper modules, etc.
+    Fixes #31689.
 
     *Andrew White*
 
-*   Add `ActionDispatch::SystemTestCase` to Action Pack
-
-    Adds Capybara integration directly into Rails through Action Pack!
-
-    See PR [#26703](https://github.com/rails/rails/pull/26703)
-
-    *Eileen M. Uchitelle*
-
-*   Remove deprecated `.to_prepare`, `.to_cleanup`, `.prepare!` and `.cleanup!` from `ActionDispatch::Reloader`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionDispatch::Callbacks.to_prepare` and `ActionDispatch::Callbacks.to_cleanup`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionController::Metal.call`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `ActionController::Metal#env`.
-
-    *Rafael Mendonça França*
-
-*   Make `with_routing` test helper work when testing controllers inheriting from `ActionController::API`
-
-    *Julia López*
-
-*   Use accept header in integration tests with `as: :json`
-
-    Instead of appending the `format` to the request path, Rails will figure
-    out the format from the header instead.
-
-    This allows devs to use `:as` on routes that don't have a format.
-
-    Fixes #27144.
-
-    *Kasper Timm Hansen*
-
-*   Reset a new session directly after its creation in `ActionDispatch::IntegrationTest#open_session`.
-
-    Fixes #22742.
+*   Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
 
-    *Tawan Sierek*
+    Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
 
-*   Fixes incorrect output from `rails routes` when using singular resources.
+        # Parameters: {"param"=>"1", "param_two"=>"2"}
+        def index
+          params.each do |name|
+            puts name
+          end
+        end
 
-    Fixes #26606.
+        # Prints
+        # param
+        # param_two
 
-    *Erick Reyna*
+    In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
 
-*   Fixes multiple calls to `logger.fatal` instead of a single call,
-    for every line in an exception backtrace, when printing trace
-    from `DebugExceptions` middleware.
+    To fix the code above simply change as per example below:
 
-    Fixes #26134.
+        # Parameters: {"param"=>"1", "param_two"=>"2"}
+        def index
+          params.each do |name, value|
+            puts name
+          end
+        end
 
-    *Vipul A M*
+        # Prints
+        # param
+        # param_two
 
-*   Add support for arbitrary hashes in strong parameters:
+    *Dominic Cleal*
 
-    ```ruby
-    params.permit(preferences: {})
-    ```
+*   Add `Referrer-Policy` header to default headers set.
 
-    *Xavier Noria*
+    *Guillermo Iguaran*
 
-*   Add `ActionController::Parameters#merge!`, which behaves the same as `Hash#merge!`.
+*   Changed the system tests to set Puma as default server only when the
+    user haven't specified manually another server.
 
-    *Yuji Yaginuma*
+    *Guillermo Iguaran*
 
-*   Allow keys not found in `RACK_KEY_TRANSLATION` for setting the environment when rendering
-    arbitrary templates.
+*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
+    default headers set.
 
-    *Sammy Larbi*
+    *Guillermo Iguaran*
 
-*   Remove deprecated support to non-keyword arguments in `ActionDispatch::IntegrationTest#process`,
-    `#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`.
+*   Add headless firefox support to System Tests.
 
-    *Rafael Mendonça França*
+    *bogdanvlviv*
 
-*   Remove deprecated `ActionDispatch::IntegrationTest#*_via_redirect`.
-
-    *Rafael Mendonça França*
+*   Changed the default system test screenshot output from `inline` to `simple`.
 
-*   Remove deprecated `ActionDispatch::IntegrationTest#xml_http_request`.
+    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
+    Terminal.app ignore the `inline` and output the path to the file since it can't
+    render the image. Other terminals, like those on Ubuntu, cannot handle the image
+    inline, but also don't handle it gracefully and instead of outputting the file
+    path, it dumps binary into the terminal.
 
-    *Rafael Mendonça França*
+    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
 
-*   Remove deprecated support for passing `:path` and route path as strings in `ActionDispatch::Routing::Mapper#match`.
+    *Eileen M. Uchitelle*
 
-    *Rafael Mendonça França*
+*   Register most popular audio/video/font mime types supported by modern browsers.
 
-*   Remove deprecated support for passing path as `nil` in `ActionDispatch::Routing::Mapper#match`.
+    *Guillermo Iguaran*
 
-    *Rafael Mendonça França*
+*   Fix optimized url helpers when using relative url root.
 
-*   Remove deprecated `cache_control` argument from `ActionDispatch::Static#initialize`.
+    Fixes #31220.
 
-    *Rafael Mendonça França*
+    *Andrew White*
 
-*   Remove deprecated support to passing strings or symbols to the middleware stack.
+*   Add DSL for configuring Content-Security-Policy header.
 
-    *Rafael Mendonça França*
+    The DSL allows you to configure a global Content-Security-Policy
+    header and then override within a controller. For more information
+    about the Content-Security-Policy header see MDN:
 
-*   Change HSTS subdomain to true.
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-    *Rafael Mendonça França*
+    Example global policy:
 
-*   Remove deprecated `host` and `port` ssl options.
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy do |p|
+          p.default_src :self, :https
+          p.font_src    :self, :https, :data
+          p.img_src     :self, :https, :data
+          p.object_src  :none
+          p.script_src  :self, :https
+          p.style_src   :self, :https, :unsafe_inline
+        end
 
-    *Rafael Mendonça França*
+    Example controller overrides:
 
-*   Remove deprecated `const_error` argument in
-    `ActionDispatch::Session::SessionRestoreError#initialize`.
+        # Override policy inline
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.upgrade_insecure_requests true
+          end
+        end
 
-    *Rafael Mendonça França*
+        # Using literal values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri "https://www.example.com"
+          end
+        end
 
-*   Remove deprecated `#original_exception` in `ActionDispatch::Session::SessionRestoreError`.
+        # Using mixed static and dynamic values
+        class PostsController < ApplicationController
+          content_security_policy do |p|
+            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+          end
+        end
 
-    *Rafael Mendonça França*
+    Allows you to also only report content violations for migrating
+    legacy content using the `content_security_policy_report_only`
+    configuration attribute, e.g;
 
-*   Deprecate `ActionDispatch::ParamsParser::ParseError` in favor of
-    `ActionDispatch::Http::Parameters::ParseError`.
+        # config/initializers/content_security_policy.rb
+        Rails.application.config.content_security_policy_report_only = true
 
-    *Rafael Mendonça França*
+        # controller override
+        class PostsController < ApplicationController
+          content_security_policy_report_only only: :index
+        end
 
-*   Remove deprecated `ActionDispatch::ParamsParser`.
+    Note that this feature does not validate the header for performance
+    reasons since the header is calculated at runtime.
 
-    *Rafael Mendonça França*
+    *Andrew White*
 
-*   Remove deprecated `original_exception` and `message` arguments in
-    `ActionDispatch::ParamsParser::ParseError#initialize`.
+*   Make `assert_recognizes` to traverse mounted engines.
 
-    *Rafael Mendonça França*
+    *Yuichiro Kaneko*
 
-*   Remove deprecated `#original_exception` in `ActionDispatch::ParamsParser::ParseError`.
+*   Remove deprecated `ActionController::ParamsParser::ParseError`.
 
     *Rafael Mendonça França*
 
-*   Remove deprecated access to mime types through constants.
+*   Add `:allow_other_host` option to `redirect_back` method.
 
-    *Rafael Mendonça França*
+    When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
+    different host. `allow_other_host` is `true` by default.
 
-*   Remove deprecated support to non-keyword arguments in `ActionController::TestCase#process`,
-    `#get`, `#post`, `#patch`, `#put`, `#delete`, and `#head`.
-
-    *Rafael Mendonça França*
+    *Tim Masliuchenko*
 
-*   Remove deprecated `xml_http_request` and `xhr` methods in `ActionController::TestCase`.
+*   Add headless chrome support to System Tests.
 
-    *Rafael Mendonça França*
-
-*   Remove deprecated methods in `ActionController::Parameters`.
-
-    *Rafael Mendonça França*
+    *Yuji Yaginuma*
 
-*   Remove deprecated support to comparing a `ActionController::Parameters`
-    with a `Hash`.
+*   Add ability to enable Early Hints for HTTP/2
 
-    *Rafael Mendonça França*
+    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
 
-*   Remove deprecated support to `:text` in `render`.
+    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
 
-    *Rafael Mendonça França*
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
-*   Remove deprecated support to `:nothing` in `render`.
+*   Simplify cookies middleware with key rotation support
 
-    *Rafael Mendonça França*
+    Use the `rotate` method for both `MessageEncryptor` and
+    `MessageVerifier` to add key rotation support for encrypted and
+    signed cookies. This also helps simplify support for legacy cookie
+    security.
 
-*   Remove deprecated support to `:back` in `redirect_to`.
+    *Michael J Coyne*
 
-    *Rafael Mendonça França*
+*   Use Capybara registered `:puma` server config.
 
-*   Remove deprecated support to passing status as option `head`.
+    The Capybara registered `:puma` server ensures the puma server is run in process so
+    connection sharing and open request detection work correctly by default.
 
-    *Rafael Mendonça França*
+    *Thomas Walpole*
 
-*   Remove deprecated support to passing original exception to `ActionController::BadRequest`
-    and the `ActionController::BadRequest#original_exception` method.
+*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
 
-    *Rafael Mendonça França*
+        cookies[:user_name] = { value: "assain", expires: 1.hour }
+        cookies[:key] = { value: "a yummy cookie", expires: 6.months }
 
-*   Remove deprecated methods `skip_action_callback`, `skip_filter`, `before_filter`,
-    `prepend_before_filter`, `skip_before_filter`, `append_before_filter`, `around_filter`
-    `prepend_around_filter`, `skip_around_filter`, `append_around_filter`, `after_filter`,
-    `prepend_after_filter`, `skip_after_filter` and `append_after_filter`.
+    Pull Request: #30121
 
-    *Rafael Mendonça França*
+    *Assain Jaleel*
 
-*   Show an "unmatched constraints" error when params fail to match constraints
-    on a matched route, rather than a "missing keys" error.
+*   Enforce signed/encrypted cookie expiry server side.
 
-    Fixes #26470.
+    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
 
-    *Chris Carter*
+    It does so by stashing the expiry within the written cookie and relying on the
+    signing/encrypting to vouch that it hasn't been tampered with. Then on a
+    server-side read, the expiry is verified and any expired cookie is discarded.
 
-*   Fix adding implicitly rendered template digests to ETags.
+    Pull Request: #30121
 
-    Fixes a case when modifying an implicitly rendered template for a
-    controller action using `fresh_when` or `stale?` would not result in a new
-    `ETag` value.
+    *Assain Jaleel*
 
-    *Javan Makhmali*
+*   Make `take_failed_screenshot` work within engine.
 
-*   Make `fixture_file_upload` work in integration tests.
+    Fixes #30405.
 
     *Yuji Yaginuma*
 
-*   Add `to_param` to `ActionController::Parameters` deprecations.
-
-    In the future `ActionController::Parameters` are discouraged from being used
-    in URLs without explicit whitelisting. Go through `to_h` to use `to_param`.
-
-    *Kir Shatrov*
-
-*   Fix nested multiple roots
-
-    The PR #20940 enabled the use of multiple roots with different constraints
-    at the top level but unfortunately didn't work when those roots were inside
-    a namespace and also broke the use of root inside a namespace after a top
-    level root was defined because the check for the existence of the named route
-    used the global :root name and not the namespaced name.
-
-    This is fixed by using the name_for_action method to expand the :root name to
-    the full namespaced name. We can pass nil for the second argument as we're not
-    dealing with resource definitions so don't need to handle the cases for edit
-    and new routes.
-
-    Fixes #26148.
-
-    *Ryo Hashimoto*, *Andrew White*
-
-*   Include the content of the flash in the auto-generated etag. This solves the following problem:
-
-      1. POST /messages
-      2. redirect_to messages_url, notice: 'Message was created'
-      3. GET /messages/1
-      4. GET /messages
-
-      Step 4 would before still include the flash message, even though it's no longer relevant,
-      because the etag cache was recorded with the flash in place and didn't change when it was gone.
-
-    *DHH*
-
-*   SSL: Changes redirect behavior for all non-GET and non-HEAD requests
-    (like POST/PUT/PATCH etc) to `http://` resources to redirect to `https://`
-    with a [307 status code](http://tools.ietf.org/html/rfc7231#section-6.4.7) instead of [301 status code](http://tools.ietf.org/html/rfc7231#section-6.4.2).
-
-    307 status code instructs the HTTP clients to preserve the original
-    request method while redirecting. It has been part of HTTP RFC since
-    1999 and is implemented/recognized by most (if not all) user agents.
-
-        # Before
-        POST http://example.com/articles (i.e. ArticlesContoller#create)
-        redirects to
-        GET https://example.com/articles (i.e. ArticlesContoller#index)
-
-        # After
-        POST http://example.com/articles (i.e. ArticlesContoller#create)
-        redirects to
-        POST https://example.com/articles (i.e. ArticlesContoller#create)
+*   Deprecate `ActionDispatch::TestResponse` response aliases.
 
-    *Chirag Singhal*
+    `#success?`, `#missing?` & `#error?` are not supported by the actual
+    `ActionDispatch::Response` object and can produce false-positives. Instead,
+    use the response helpers provided by `Rack::Response`.
 
-*   Add `:as` option to `ActionController:TestCase#process` and related methods.
+    *Trevor Wistaff*
 
-    Specifying `as: mime_type` allows the `CONTENT_TYPE` header to be specified
-    in controller tests without manually doing this through `@request.headers['CONTENT_TYPE']`.
+*   Protect from forgery by default
 
-    *Everest Stefan Munro-Zeisberger*
+    Rather than protecting from forgery in the generated `ApplicationController`,
+    add it to `ActionController::Base` depending on
+    `config.action_controller.default_protect_from_forgery`. This configuration
+    defaults to false to support older versions which have removed it from their
+    `ApplicationController`, but is set to true for Rails 5.2.
 
-*   Show cache hits and misses when rendering partials.
+    *Lisa Ugray*
 
-    Partials using the `cache` helper will show whether a render hit or missed
-    the cache:
+*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
 
-    ```
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
+    *Kir Shatrov*
 
-    This removes the need for the old fragment cache logging:
+*   `driven_by` now registers poltergeist and capybara-webkit.
 
-    ```
-    Read fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/d0bdf2974e1ef6d31685c3b392ad0b74 (0.6ms)
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Write fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/3b4e249ac9d168c617e32e84b99218b5 (1.1ms)
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
-
-    Though that full output can be reenabled with
-    `config.action_controller.enable_fragment_cache_logging = true`.
+    If poltergeist or capybara-webkit are set as drivers is set for System Tests,
+    `driven_by` will register the driver and set additional options passed via
+    the `:options` parameter.
 
-    *Stan Lo*
+    Refer to the respective driver's documentation to see what options can be passed.
 
-*   Don't override the `Accept` header in integration tests when called with `xhr: true`.
+    *Mario Chavez*
 
-    Fixes #25859.
+*   AEAD encrypted cookies and sessions with GCM.
 
-    *David Chen*
+    Encrypted cookies now use AES-GCM which couples authentication and
+    encryption in one faster step and produces shorter ciphertexts. Cookies
+    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
+    this new mode is enabled via the
+    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
 
-*   Fix `defaults` option for root route.
+    *Michael J Coyne*
 
-    A regression from some refactoring for the 5.0 release, this change
-    fixes the use of `defaults` (default parameters) in the `root` routing method.
+*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
 
-    *Chris Arcand*
+        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
+              ^template path           ^template tree digest            ^class   ^id
 
-*   Check `request.path_parameters` encoding at the point they're set.
+    *DHH*
 
-    Check for any non-UTF8 characters in path parameters at the point they're
-    set in `env`. Previously they were checked for when used to get a controller
-    class, but this meant routes that went directly to a Rack app, or skipped
-    controller instantiation for some other reason, had to defend against
-    non-UTF8 characters themselves.
+*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
+    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
+    to support it.
 
-    *Grey Baker*
+    *DHH*
 
-*   Don't raise `ActionController::UnknownHttpMethod` from `ActionDispatch::Static`.
+*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
 
-    Pass `Rack::Request` objects to `ActionDispatch::FileHandler` to avoid it
-    raising `ActionController::UnknownHttpMethod`. If an unknown method is
-    passed, it should pass exception higher in the stack instead, once we've had a
-    chance to define exception handling behaviour.
+    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
+    the one umbrella hook `action_controller` is not able to address certain situations where a method
+    may not exist in a certain implementation.
 
-    *Grey Baker*
+    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
 
-*   Handle `Rack::QueryParser` errors in `ActionDispatch::ExceptionWrapper`.
+    Fixes #27013.
 
-    Updated `ActionDispatch::ExceptionWrapper` to handle the Rack 2.0 namespace
-    for `ParameterTypeError` and `InvalidParameterError` errors.
+    *Julian Nadeau*
 
-    *Grey Baker*
 
-Please check [5-0-stable](https://github.com/rails/rails/blob/5-0-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.