actionpack 5.2.0 → 6.1.4

data/CHANGELOG.md

@@ -1,302 +1,520 @@
-## Rails 5.2.0 (April 09, 2018) ##
+## Rails 6.1.4 (June 24, 2021) ##
 
-*   Check exclude before flagging cookies as secure.
+*   Ignore file fixtures on `db:fixtures:load`
 
-    *Catherine Khuu*
+    *Kevin Sjöberg*
 
-*   Always yield a CSP policy instance from `content_security_policy`
+*   Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
 
-    This allows a controller action to enable the policy individually
-    for a controller and/or specific actions.
+    *Dylan Thacker-Smith*
 
-    *Andrew White*
+*   Correctly place optional path parameter booleans.
 
-*   Add the ability to disable the global CSP in a controller, e.g:
+    Previously, if you specify a url parameter that is part of the path as false it would include that part
+    of the path as parameter for example:
 
-        class LegacyPagesController < ApplicationController
-          content_security_policy false, only: :index
-        end
+    ```
+    get "(/optional/:optional_id)/things" => "foo#foo", as: :things
+    things_path(optional_id: false) # => /things?optional_id=false
+    ```
 
-    *Andrew White*
+    After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
 
-*   Add alias method `to_hash` to `to_h` for `cookies`.
-    Add alias method `to_h` to `to_hash` for `session`.
+    ```
+    get '(this/:my_bool)/that' as: :that
 
-    *Igor Kasyanchuk*
+    that_path(my_bool: true) # => `/this/true/that`
+    that_path(my_bool: false) # => `/this/false/that`
+    ```
 
-*   Update the default HSTS max-age value to 31536000 seconds (1 year)
-    to meet the minimum max-age requirement for https://hstspreload.org/.
+    *Adam Hess*
 
-    *Grant Bourque*
+*   Add support for 'private, no-store' Cache-Control headers.
 
-*   Add support for automatic nonce generation for Rails UJS.
+    Previously, 'no-store' was exclusive; no other directives could be specified.
 
-    Because the UJS library creates a script tag to process responses it
-    normally requires the script-src attribute of the content security
-    policy to include 'unsafe-inline'.
+    *Alex Smith*
 
-    To work around this we generate a per-request nonce value that is
-    embedded in a meta tag in a similar fashion to how CSRF protection
-    embeds its token in a meta tag. The UJS library can then read the
-    nonce value and set it on the dynamically generated script tag to
-    enable it to execute without needing 'unsafe-inline' enabled.
 
-    Nonce generation isn't 100% safe - if your script tag is including
-    user generated content in someway then it may be possible to exploit
-    an XSS vulnerability which can take advantage of the nonce. It is
-    however an improvement on a blanket permission for inline scripts.
+## Rails 6.1.3.2 (May 05, 2021) ##
 
-    It is also possible to use the nonce within your own script tags by
-    using `nonce: true` to set the nonce value on the tag, e.g
+*   Prevent open redirects by correctly escaping the host allow list
+    CVE-2021-22903
 
-        <%= javascript_tag nonce: true do %>
-          alert('Hello, World!');
-        <% end %>
+*   Prevent catastrophic backtracking during mime parsing
+    CVE-2021-22902
 
-    Fixes #31689.
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
 
-    *Andrew White*
+*   Prevent string polymorphic route arguments.
 
-*   Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
 
-    *Dominic Cleal*
+    CVE-2021-22885
 
-*   Add `Referrer-Policy` header to default headers set.
+    *Gannon McGibbon*
 
-    *Guillermo Iguaran*
+## Rails 6.1.3.1 (March 26, 2021) ##
 
-*   Changed the system tests to set Puma as default server only when the
-    user haven't specified manually another server.
+*   No changes.
 
-    *Guillermo Iguaran*
 
-*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
-    default headers set.
+## Rails 6.1.3 (February 17, 2021) ##
 
-    *Guillermo Iguaran*
+*   Re-define routes when not set correctly via inheritance.
 
-*   Add headless firefox support to System Tests.
+    *John Hawthorn*
 
-    *bogdanvlviv*
 
-*   Changed the default system test screenshot output from `inline` to `simple`.
+## Rails 6.1.2.1 (February 10, 2021) ##
 
-    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
-    Terminal.app ignore the `inline` and output the path to the file since it can't
-    render the image. Other terminals, like those on Ubuntu, cannot handle the image
-    inline, but also don't handle it gracefully and instead of outputting the file
-    path, it dumps binary into the terminal.
+*   Prevent open redirect when allowed host starts with a dot
 
-    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
+    [CVE-2021-22881]
 
-    *Eileen M. Uchitelle*
+    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+    issue and the patch!
 
-*   Register most popular audio/video/font mime types supported by modern browsers.
+    *Aaron Patterson*
 
-    *Guillermo Iguaran*
 
-*   Fix optimized url helpers when using relative url root.
+## Rails 6.1.2 (February 09, 2021) ##
 
-    Fixes #31220.
+*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
 
-    *Andrew White*
+    *Janko Marohnić*
 
-*   Add DSL for configuring Content-Security-Policy header.
+*   Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
 
-    The DSL allows you to configure a global Content-Security-Policy
-    header and then override within a controller. For more information
-    about the Content-Security-Policy header see MDN:
+    *Eugene Kenny*
 
-    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-    Example global policy:
+## Rails 6.1.1 (January 07, 2021) ##
 
-        # config/initializers/content_security_policy.rb
-        Rails.application.config.content_security_policy do |p|
-          p.default_src :self, :https
-          p.font_src    :self, :https, :data
-          p.img_src     :self, :https, :data
-          p.object_src  :none
-          p.script_src  :self, :https
-          p.style_src   :self, :https, :unsafe_inline
-        end
+*   Fix nil translation key lookup in controllers/
 
-    Example controller overrides:
+    *Jan Klimo*
 
-        # Override policy inline
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.upgrade_insecure_requests true
-          end
-        end
+*   Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
 
-        # Using literal values
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.base_uri "https://www.example.com"
-          end
-        end
+    *Alex Robbin*
 
-        # Using mixed static and dynamic values
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
-          end
-        end
+*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
 
-    Allows you to also only report content violations for migrating
-    legacy content using the `content_security_policy_report_only`
-    configuration attribute, e.g;
+    *Alex Robbin*
 
-        # config/initializers/content_security_policy.rb
-        Rails.application.config.content_security_policy_report_only = true
 
-        # controller override
-        class PostsController < ApplicationController
-          content_security_policy_report_only only: :index
-        end
+## Rails 6.1.0 (December 09, 2020) ##
 
-    Note that this feature does not validate the header for performance
-    reasons since the header is calculated at runtime.
+*   Support for the HTTP header `Feature-Policy` has been revised to reflect
+    its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
 
-    *Andrew White*
+    ```ruby
+    Rails.application.config.permissions_policy do |p|
+      p.camera     :none
+      p.gyroscope  :none
+      p.microphone :none
+      p.usb        :none
+      p.fullscreen :self
+      p.payment    :self, "https://secure-example.com"
+    end
+    ```
 
-*   Make `assert_recognizes` to traverse mounted engines.
+    *Julien Grillot*
 
-    *Yuichiro Kaneko*
+*   Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
 
-*   Remove deprecated `ActionController::ParamsParser::ParseError`.
+    Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
+
+    *Chris Bisnett*
+
+*   Add `config.action_dispatch.request_id_header` to allow changing the name of
+    the unique X-Request-Id header
+
+    *Arlston Fernandes*
+
+*   Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
 
     *Rafael Mendonça França*
 
-*   Add `:allow_other_host` option to `redirect_back` method.
+*   Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
 
-    When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
-    different host. `allow_other_host` is `true` by default.
+    *Rafael Mendonça França*
 
-    *Tim Masliuchenko*
+*   Remove deprecated `ActionDispatch::Http::ParameterFilter`.
 
-*   Add headless chrome support to System Tests.
+    *Rafael Mendonça França*
 
-    *Yuji Yaginuma*
+*   Added support for exclusive no-store Cache-Control header.
 
-*   Add ability to enable Early Hints for HTTP/2
+    If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
 
-    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
+    *Chris Kruger*
 
-    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
+*   Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
 
-    *Eileen M. Uchitelle*, *Aaron Patterson*
+    Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
+    `ActionDispatch::Http::Request#POST` prior to validating encoding.
 
-*   Simplify cookies middleware with key rotation support
+    *Adrianna Chang*
 
-    Use the `rotate` method for both `MessageEncryptor` and
-    `MessageVerifier` to add key rotation support for encrypted and
-    signed cookies. This also helps simplify support for legacy cookie
-    security.
+*   Allow `assert_recognizes` routing assertions to work on mounted root routes.
 
-    *Michael J Coyne*
+    *Gannon McGibbon*
 
-*   Use Capybara registered `:puma` server config.
+*   Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
 
-    The Capybara registered `:puma` server ensures the puma server is run in process so
-    connection sharing and open request detection work correctly by default.
+    *Alan Tan*, *Oz Ben-David*
 
-    *Thomas Walpole*
+*   Fix `follow_redirect!` to follow redirection with same HTTP verb when following
+    a 308 redirection.
 
-*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
+    *Alan Tan*
 
-        cookies[:user_name] = { value: "assain", expires: 1.hour }
-        cookies[:key] = { value: "a yummy cookie", expires: 6.months }
+*   When multiple domains are specified for a cookie, a domain will now be
+    chosen only if it is equal to or is a superdomain of the request host.
 
-    Pull Request: #30121
+    *Jonathan Hefner*
 
-    *Assain Jaleel*
+*   `ActionDispatch::Static` handles precompiled Brotli (.br) files.
 
-*   Enforce signed/encrypted cookie expiry server side.
+    Adds to existing support for precompiled gzip (.gz) files.
+    Brotli files are preferred due to much better compression.
 
-    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
+    When the browser requests /some.js with `Accept-Encoding: br`,
+    we check for public/some.js.br and serve that file, if present, with
+    `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
 
-    It does so by stashing the expiry within the written cookie and relying on the
-    signing/encrypting to vouch that it hasn't been tampered with. Then on a
-    server-side read, the expiry is verified and any expired cookie is discarded.
+    *Ryan Edward Hall*, *Jeremy Daer*
 
-    Pull Request: #30121
+*   Add raise_on_missing_translations support for controllers.
 
-    *Assain Jaleel*
+    This configuration determines whether an error should be raised for missing translations.
+    It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
+    configuration also affects raising error for missing translations in views.
 
-*   Make `take_failed_screenshot` work within engine.
+    *fatkodima*
 
-    Fixes #30405.
+*   Added `compact` and `compact!` to `ActionController::Parameters`.
 
-    *Yuji Yaginuma*
+    *Eugene Kenny*
+
+*   Calling `each_pair` or `each_value` on an `ActionController::Parameters`
+    without passing a block now returns an enumerator.
+
+    *Eugene Kenny*
+
+*   `fixture_file_upload` now uses path relative to `file_fixture_path`
+
+    Previously the path had to be relative to `fixture_path`.
+    You can change your existing code as follow:
+
+    ```ruby
+    # Before
+    fixture_file_upload('files/dog.png')
+
+    # After
+    fixture_file_upload('dog.png')
+    ```
+
+    *Edouard Chin*
+
+*   Remove deprecated `force_ssl` at the controller level.
+
+    *Rafael Mendonça França*
+
+*   The +helper+ class method for controllers loads helper modules specified as
+    strings/symbols with `String#constantize` instead of `require_dependency`.
+
+    Remember that support for strings/symbols is only a convenient API. You can
+    always pass a module object:
+
+    ```ruby
+    helper UtilsHelper
+    ```
+
+    which is recommended because it is simple and direct. When a string/symbol
+    is received, `helper` just manipulates and inflects the argument to obtain
+    that same module object.
+
+    *Xavier Noria*, *Jean Boussier*
+
+*   Correctly identify the entire localhost IPv4 range as trusted proxy.
+
+    *Nick Soracco*
+
+*   `url_for` will now use "https://" as the default protocol when
+    `Rails.application.config.force_ssl` is set to true.
+
+    *Jonathan Hefner*
+
+*   Accept and default to base64_urlsafe CSRF tokens.
+
+    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+    them difficult to deal with. For example, the common practice of sending
+    the CSRF token to a browser in a client-readable cookie does not work properly
+    out of the box: the value has to be url-encoded and decoded to survive transport.
+
+    Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
+    to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
+    for backwards compatibility.
+
+    *Scott Blum*
+
+*   Support rolling deploys for cookie serialization/encryption changes.
+
+    In a distributed configuration like rolling update, users may observe
+    both old and new instances during deployment. Users may be served by a
+    new instance and then by an old instance.
+
+    That means when the server changes `cookies_serializer` from `:marshal`
+    to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
+    from `false` to `true`, users may lose their sessions if they access the
+    server during deployment.
+
+    We added fallbacks to downgrade the cookie format when necessary during
+    deployment, ensuring compatibility on both old and new instances.
+
+    *Masaki Hara*
+
+*   `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
+
+    Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
+    Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
+
+    *Keenan Brock*
+
+*   Fix possible information leak / session hijacking vulnerability.
+
+    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
+    gem dalli to be updated as well.
+
+    CVE-2019-16782.
+
+*   Include child session assertion count in ActionDispatch::IntegrationTest.
+
+    `IntegrationTest#open_session` uses `dup` to create the new session, which
+    meant it had its own copy of `@assertions`. This prevented the assertions
+    from being correctly counted and reported.
+
+    Child sessions now have their `attr_accessor` overridden to delegate to the
+    root session.
+
+    Fixes #32142.
+
+    *Sam Bostock*
 
-*   Deprecate `ActionDispatch::TestResponse` response aliases.
+*   Add SameSite protection to every written cookie.
 
-    `#success?`, `#missing?` & `#error?` are not supported by the actual
-    `ActionDispatch::Response` object and can produce false-positives. Instead,
-    use the response helpers provided by `Rack::Response`.
+    Enabling `SameSite` cookie protection is an addition to CSRF protection,
+    where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
 
-    *Trevor Wistaff*
+    `:strict` disables cookies being sent in cross-site GET or POST requests.
 
-*   Protect from forgery by default
+    Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
 
-    Rather than protecting from forgery in the generated `ApplicationController`,
-    add it to `ActionController::Base` depending on
-    `config.action_controller.default_protect_from_forgery`. This configuration
-    defaults to false to support older versions which have removed it from their
-    `ApplicationController`, but is set to true for Rails 5.2.
+    See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
 
-    *Lisa Ugray*
+    More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
 
-*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
+    _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
 
-    *Kir Shatrov*
+    *Cédric Fabianski*
 
-*   `driven_by` now registers poltergeist and capybara-webkit.
+*   Bring back the feature that allows loading external route files from the router.
 
-    If poltergeist or capybara-webkit are set as drivers is set for System Tests,
-    `driven_by` will register the driver and set additional options passed via
-    the `:options` parameter.
+    This feature existed back in 2012 but got reverted with the incentive that
+    https://github.com/rails/routing_concerns was a better approach. Turned out
+    that this wasn't fully the case and loading external route files from the router
+    can be helpful for applications with a really large set of routes.
+    Without this feature, application needs to implement routes reloading
+    themselves and it's not straightforward.
 
-    Refer to the respective driver's documentation to see what options can be passed.
+    ```ruby
+    # config/routes.rb
 
-    *Mario Chavez*
+    Rails.application.routes.draw do
+      draw(:admin)
+    end
 
-*   AEAD encrypted cookies and sessions with GCM.
+    # config/routes/admin.rb
 
-    Encrypted cookies now use AES-GCM which couples authentication and
-    encryption in one faster step and produces shorter ciphertexts. Cookies
-    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
-    this new mode is enabled via the
-    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
+    get :foo, to: 'foo#bar'
+    ```
 
-    *Michael J Coyne*
+    *Yehuda Katz*, *Edouard Chin*
+
+*   Fix system test driver option initialization for non-headless browsers.
+
+    *glaszig*
+
+*   `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
+    their payloads as `:request`.
+
+    *Austin Story*
+
+*   `respond_to#any` no longer returns a response's Content-Type based on the
+    request format but based on the block given.
+
+    Example:
+
+    ```ruby
+      def my_action
+        respond_to do |format|
+          format.any { render(json: { foo: 'bar' }) }
+        end
+      end
+
+      get('my_action.csv')
+    ```
+
+    The previous behaviour was to respond with a `text/csv` Content-Type which
+    is inaccurate since a JSON response is being rendered.
+
+    Now it correctly returns a `application/json` Content-Type.
+
+    *Edouard Chin*
+
+*   Replaces (back)slashes in failure screenshot image paths with dashes.
+
+    If a failed test case contained a slash or a backslash, a screenshot would be created in a
+    nested directory, causing issues with `tmp:clear`.
+
+    *Damir Zekic*
+
+*   Add `params.member?` to mimic Hash behavior.
+
+    *Younes Serraj*
+
+*   `process_action.action_controller` notifications now include the following in their payloads:
+
+    * `:request` - the `ActionDispatch::Request`
+    * `:response` - the `ActionDispatch::Response`
+
+    *George Claghorn*
+
+*   Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
+    `remote_ip` to `nil` before setting the header that the value is derived
+    from.
+
+    Fixes #37383.
+
+    *Norm Provost*
+
+*   `ActionController::Base.log_at` allows setting a different log level per request.
+
+    ```ruby
+    # Use the debug level if a particular cookie is set.
+    class ApplicationController < ActionController::Base
+      log_at :debug, if: -> { cookies[:debug] }
+    end
+    ```
+
+    *George Claghorn*
+
+*   Allow system test screen shots to be taken more than once in
+    a test by prefixing the file name with an incrementing counter.
+
+    Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
+    enable saving of HTML during a screenshot in addition to the image.
+    This uses the same image name, with the extension replaced with `.html`
+
+    *Tom Fakes*
+
+*   Add `Vary: Accept` header when using `Accept` header for response.
+
+    For some requests like `/users/1`, Rails uses requests' `Accept`
+    header to determine what to return. And if we don't add `Vary`
+    in the response header, browsers might accidentally cache different
+    types of content, which would cause issues: e.g. javascript got displayed
+    instead of html content. This PR fixes these issues by adding `Vary: Accept`
+    in these types of requests. For more detailed problem description, please read:
+
+    https://github.com/rails/rails/pull/36213
+
+    Fixes #25842.
+
+    *Stan Lo*
+
+*   Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
+    a 307 redirection.
+
+    *Edouard Chin*
+
+*   System tests require Capybara 3.26 or newer.
+
+    *George Claghorn*
+
+*   Reduced log noise handling ActionController::RoutingErrors.
+
+    *Alberto Fernández-Capel*
+
+*   Add DSL for configuring HTTP Feature Policy.
+
+    This new DSL provides a way to configure an HTTP Feature Policy at a
+    global or per-controller level. Full details of HTTP Feature Policy
+    specification and guidelines can be found at MDN:
+
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+
+    Example global policy:
+
+    ```ruby
+    Rails.application.config.feature_policy do |f|
+      f.camera      :none
+      f.gyroscope   :none
+      f.microphone  :none
+      f.usb         :none
+      f.fullscreen  :self
+      f.payment     :self, "https://secure.example.com"
+    end
+    ```
+
+    Example controller level policy:
+
+    ```ruby
+    class PagesController < ApplicationController
+      feature_policy do |p|
+        p.geolocation "https://example.com"
+      end
+    end
+    ```
+
+    *Jacob Bednarz*
+
+*   Add the ability to set the CSP nonce only to the specified directives.
+
+    Fixes #35137.
+
+    *Yuji Yaginuma*
 
-*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
+*   Keep part when scope option has value.
 
-        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
-              ^template path           ^template tree digest            ^class   ^id
+    When a route was defined within an optional scope, if that route didn't
+    take parameters the scope was lost when using path helpers. This commit
+    ensures scope is kept both when the route takes parameters or when it
+    doesn't.
 
-    *DHH*
+    Fixes #33219.
 
-*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
-    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
-    to support it.
+    *Alberto Almagro*
 
-    *DHH*
+*   Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
 
-*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
+    *Gustavo Gutierrez*
 
-    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
-    the one umbrella hook `action_controller` is not able to address certain situations where a method
-    may not exist in a certain implementation.
+*   Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
+    an enumerator for the parameters instead of the underlying hash.
 
-    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
+    *Eugene Kenny*
 
-    Fixes #27013.
+*   Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
+    It should only block invalid key's values instead.
 
-    *Julian Nadeau*
+    *Stan Lo*
 
 
-Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.