actionpack 5.2.1 → 7.0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9305274faee39adcd8d4186fca94a40628c1388306e67fd2ad723211570d6883
-  data.tar.gz: 4c4817cf6548eb96069927737bcd72050bc7af3e8a369821a9187384c0a1c37d
+  metadata.gz: 06e621226ed4db65eca7f6c6a5194702b49e8287e513e241ed511dc096ef320e
+  data.tar.gz: 4c7c1405b2e523f77fdd076755c9311528bc5e38fac81823330719846a562736
 SHA512:
-  metadata.gz: 9dd5b86c36e7c92df007c0965e4a98216dc8c40fd4e0bef93c65f81a1d9a4dc3547c92e0f93c472802721bdb9bba7851c5384bea6cd396a1bb62f0a97d57b266
-  data.tar.gz: 07d1e9f9c4829961e66b20d011b9286841794088447c733a0bbeded2a2e13333ae8d9880562348830d3abc52d6a1c2eeabf2434499968b2c39862fd0868641bc
+  metadata.gz: a1d0d5c67985a6d93bff849b4fd2c21ebb6f0572d64109aaad0bd47317e72cde6c5ba66d1bcf88fe3378dedb37d788f264405f98d11fc3f9c0a4ccad34d8bf1c
+  data.tar.gz: 459de47bc8f00dd8f69b147dac927c30f757657cd5eb3b22518fba2922a0cc96892552f46f32b25bf38aee6ba3deb1ad6272398642befed341621e55d44b88e0

data/CHANGELOG.md

@@ -1,357 +1,401 @@
-## Rails 5.2.1 (August 07, 2018) ##
+## Rails 7.0.2.4 (April 26, 2022) ##
 
-*   Prevent `?null=` being passed on JSON encoded test requests.
+*   Allow Content Security Policy DSL to generate for API responses.
 
-    `RequestEncoder#encode_params` won't attempt to parse params if
-    there are none.
+    *Tim Wade*
 
-    So call like this will no longer append a `?null=` query param.
+## Rails 7.0.2.3 (March 08, 2022) ##
 
-        get foos_url, as: :json
+*   No changes.
 
-    *Alireza Bashiri*
 
-*   Ensure `ActionController::Parameters#transform_values` and
-    `ActionController::Parameters#transform_values!` converts hashes into
-    parameters.
+## Rails 7.0.2.2 (February 11, 2022) ##
 
-    *Kevin Sjöberg*
+*   No changes.
 
-*   Fix strong parameters `permit!` with nested arrays.
 
-    Given:
-    ```
-    params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
-    params.permit!
-    ```
+## Rails 7.0.2.1 (February 11, 2022) ##
 
-    `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
+*   Under certain circumstances, the middleware isn't informed that the
+    response body has been fully closed which result in request state not
+    being fully reset before the next request
 
-    *Steve Hull*
+    [CVE-2022-23633]
 
-*   Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
-    `ActionController::TestCase` subclasses.
 
-    *Eugene Kenny*
+## Rails 7.0.2 (February 08, 2022) ##
 
-*   Output only one Content-Security-Policy nonce header value per request.
+*   No changes.
 
-    Fixes #32597.
 
-    *Andrey Novikov*, *Andrew White*
+## Rails 7.0.1 (January 06, 2022) ##
 
-*   Only disable GPUs for headless Chrome on Windows.
+*   Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
+    of the original object.
 
-    It is not necessary anymore for Linux and macOS machines.
+    *Yutaka Kamei*
 
-    https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
 
-    *Stefan Wrobel*
+## Rails 7.0.0 (December 15, 2021) ##
 
-*   Fix system tests transactions not closed between examples.
+*   Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
 
-    *Sergey Tarasov*
+    *Étienne Barrié*
 
+*   Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
 
-## Rails 5.2.0 (April 09, 2018) ##
+    This means if you make multiple requests in the same test, instance variables set in the first request will
+    not persist into the second one. (It's not recommended to make multiple requests in the same test.)
 
-*   Check exclude before flagging cookies as secure.
+    *Alex Ghiculescu*
 
-    *Catherine Khuu*
 
-*   Always yield a CSP policy instance from `content_security_policy`
+## Rails 7.0.0.rc3 (December 14, 2021) ##
 
-    This allows a controller action to enable the policy individually
-    for a controller and/or specific actions.
+*   No changes.
 
-    *Andrew White*
 
-*   Add the ability to disable the global CSP in a controller, e.g:
+## Rails 7.0.0.rc2 (December 14, 2021) ##
 
-        class LegacyPagesController < ApplicationController
-          content_security_policy false, only: :index
-        end
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
 
-    *Andrew White*
 
-*   Add alias method `to_hash` to `to_h` for `cookies`.
-    Add alias method `to_h` to `to_hash` for `session`.
+## Rails 7.0.0.rc1 (December 06, 2021) ##
 
-    *Igor Kasyanchuk*
+*   `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
 
-*   Update the default HSTS max-age value to 31536000 seconds (1 year)
-    to meet the minimum max-age requirement for https://hstspreload.org/.
+    This helps to better simulate request or job local state being reset between requests and prevent state
+    leaking from one request to another.
 
-    *Grant Bourque*
+    To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
 
-*   Add support for automatic nonce generation for Rails UJS.
+    *Alex Ghiculescu*
 
-    Because the UJS library creates a script tag to process responses it
-    normally requires the script-src attribute of the content security
-    policy to include 'unsafe-inline'.
+*   Consider onion services secure for cookies.
 
-    To work around this we generate a per-request nonce value that is
-    embedded in a meta tag in a similar fashion to how CSRF protection
-    embeds its token in a meta tag. The UJS library can then read the
-    nonce value and set it on the dynamically generated script tag to
-    enable it to execute without needing 'unsafe-inline' enabled.
+    *Justin Tracey*
 
-    Nonce generation isn't 100% safe - if your script tag is including
-    user generated content in someway then it may be possible to exploit
-    an XSS vulnerability which can take advantage of the nonce. It is
-    however an improvement on a blanket permission for inline scripts.
+*   Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
 
-    It is also possible to use the nonce within your own script tags by
-    using `nonce: true` to set the nonce value on the tag, e.g
+    *Rafael Mendonça França*
 
-        <%= javascript_tag nonce: true do %>
-          alert('Hello, World!');
-        <% end %>
+*   Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
 
-    Fixes #31689.
+    *Rafael Mendonça França*
 
-    *Andrew White*
+*   Remove deprecated `ActionDispatch::SystemTestCase#host!`.
 
-*   Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
+    *Rafael Mendonça França*
 
-    *Dominic Cleal*
+*   Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
 
-*   Add `Referrer-Policy` header to default headers set.
+    *Rafael Mendonça França*
 
-    *Guillermo Iguaran*
+*   Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
 
-*   Changed the system tests to set Puma as default server only when the
-    user haven't specified manually another server.
+    *Rafael Mendonça França*
 
-    *Guillermo Iguaran*
+*   Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
 
-*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
-    default headers set.
+    This allows `rescue_from` to be used to add a default fallback route:
 
-    *Guillermo Iguaran*
+    ```ruby
+    rescue_from ActionController::Redirecting::UnsafeRedirectError do
+      redirect_to root_url
+    end
+    ```
 
-*   Add headless firefox support to System Tests.
+    *Kasper Timm Hansen*, *Chris Oliver*
 
-    *bogdanvlviv*
+*   Add `url_from` to verify a redirect location is internal.
 
-*   Changed the default system test screenshot output from `inline` to `simple`.
+    Takes the open redirect protection from `redirect_to` so users can wrap a
+    param, and fall back to an alternate redirect URL when the param provided
+    one is unsafe.
 
-    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
-    Terminal.app ignore the `inline` and output the path to the file since it can't
-    render the image. Other terminals, like those on Ubuntu, cannot handle the image
-    inline, but also don't handle it gracefully and instead of outputting the file
-    path, it dumps binary into the terminal.
+    ```ruby
+    def create
+      redirect_to url_from(params[:redirect_url]) || root_url
+    end
+    ```
 
-    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
+    *dmcge*, *Kasper Timm Hansen*
 
-    *Eileen M. Uchitelle*
+*   Allow Capybara driver name overrides in `SystemTestCase::driven_by`
 
-*   Register most popular audio/video/font mime types supported by modern browsers.
+    Allow users to prevent conflicts among drivers that use the same driver
+    type (selenium, poltergeist, webkit, rack test).
 
-    *Guillermo Iguaran*
+    Fixes #42502
 
-*   Fix optimized url helpers when using relative url root.
+    *Chris LaRose*
 
-    Fixes #31220.
+*   Allow multiline to be passed in routes when using wildcard segments.
 
-    *Andrew White*
+    Previously routes with newlines weren't detected when using wildcard segments, returning
+    a `No route matches` error.
+    After this change, routes with newlines are detected on wildcard segments. Example
 
-*   Add DSL for configuring Content-Security-Policy header.
+    ```ruby
+      draw do
+        get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
+      end
 
-    The DSL allows you to configure a global Content-Security-Policy
-    header and then override within a controller. For more information
-    about the Content-Security-Policy header see MDN:
+      # After the change, the path matches.
+      assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
+    ```
 
-    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+    Fixes #39103
 
-    Example global policy:
+    *Ignacio Chiazzo*
 
-        # config/initializers/content_security_policy.rb
-        Rails.application.config.content_security_policy do |p|
-          p.default_src :self, :https
-          p.font_src    :self, :https, :data
-          p.img_src     :self, :https, :data
-          p.object_src  :none
-          p.script_src  :self, :https
-          p.style_src   :self, :https, :unsafe_inline
-        end
+*   Treat html suffix in controller translation.
 
-    Example controller overrides:
+    *Rui Onodera*, *Gavin Miller*
 
-        # Override policy inline
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.upgrade_insecure_requests true
-          end
-        end
+*   Allow permitting numeric params.
 
-        # Using literal values
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.base_uri "https://www.example.com"
-          end
-        end
+    Previously it was impossible to permit different fields on numeric parameters.
+    After this change you can specify different fields for each numbered parameter.
+    For example params like,
+    ```ruby
+    book: {
+            authors_attributes: {
+              '0': { name: "William Shakespeare", age_of_death: "52" },
+              '1': { name: "Unattributed Assistant" },
+              '2': "Not a hash",
+              'new_record': { name: "Some name" }
+            }
+          }
+    ```
 
-        # Using mixed static and dynamic values
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
-          end
-        end
+    Before you could permit name on each author with,
+    `permit book: { authors_attributes: [ :name ] }`
 
-    Allows you to also only report content violations for migrating
-    legacy content using the `content_security_policy_report_only`
-    configuration attribute, e.g;
+    After this change you can permit different keys on each numbered element,
+    `permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
 
-        # config/initializers/content_security_policy.rb
-        Rails.application.config.content_security_policy_report_only = true
+    Fixes #41625
 
-        # controller override
-        class PostsController < ApplicationController
-          content_security_policy_report_only only: :index
-        end
+    *Adam Hess*
 
-    Note that this feature does not validate the header for performance
-    reasons since the header is calculated at runtime.
+*   Update `HostAuthorization` middleware to render debug info only
+    when `config.consider_all_requests_local` is set to true.
 
-    *Andrew White*
+    Also, blocked host info is always logged with level `error`.
 
-*   Make `assert_recognizes` to traverse mounted engines.
+    Fixes #42813
 
-    *Yuichiro Kaneko*
+    *Nikita Vyrko*
 
-*   Remove deprecated `ActionController::ParamsParser::ParseError`.
+*  Add Server-Timing middleware
 
-    *Rafael Mendonça França*
+   Server-Timing specification defines how the server can communicate to browsers performance metrics
+   about the request it is responding to.
+
+   The ServerTiming middleware is enabled by default on `development` environment by default using the
+   `config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
+
+   The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
+
+   *Sebastian Sogamoso*, *Guillermo Iguaran*
+
+
+## Rails 7.0.0.alpha2 (September 15, 2021) ##
 
-*   Add `:allow_other_host` option to `redirect_back` method.
+*   No changes.
 
-    When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
-    different host. `allow_other_host` is `true` by default.
 
-    *Tim Masliuchenko*
+## Rails 7.0.0.alpha1 (September 15, 2021) ##
 
-*   Add headless chrome support to System Tests.
+*   Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
+    to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
+    malformed JSON.
 
-    *Yuji Yaginuma*
+    Fixes #41145
 
-*   Add ability to enable Early Hints for HTTP/2
+    *Aaron Lahey*
 
-    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
+*   Add `Middleware#delete!` to delete middleware or raise if not found.
 
-    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
+    `Middleware#delete!` works just like `Middleware#delete` but will
+    raise an error if the middleware isn't found.
 
-    *Eileen M. Uchitelle*, *Aaron Patterson*
+    *Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
 
-*   Simplify cookies middleware with key rotation support
+*   Raise error on unpermitted open redirects.
 
-    Use the `rotate` method for both `MessageEncryptor` and
-    `MessageVerifier` to add key rotation support for encrypted and
-    signed cookies. This also helps simplify support for legacy cookie
-    security.
+    Add `allow_other_host` options to `redirect_to`.
+    Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
 
-    *Michael J Coyne*
+    *Gannon McGibbon*
 
-*   Use Capybara registered `:puma` server config.
+*   Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
 
-    The Capybara registered `:puma` server ensures the puma server is run in process so
-    connection sharing and open request detection work correctly by default.
+    [Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
 
-    *Thomas Walpole*
+    [Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
 
-*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
+    *Yusuke Iwaki*
 
-        cookies[:user_name] = { value: "assain", expires: 1.hour }
-        cookies[:key] = { value: "a yummy cookie", expires: 6.months }
+*   Exclude additional flash types from `ActionController::Base.action_methods`.
 
-    Pull Request: #30121
+    Ensures that additional flash types defined on ActionController::Base subclasses
+    are not listed as actions on that controller.
 
-    *Assain Jaleel*
+        class MyController < ApplicationController
+          add_flash_types :hype
+        end
+
+        MyController.action_methods.include?('hype') # => false
+
+    *Gavin Morrice*
+
+*   OpenSSL constants are now used for Digest computations.
 
-*   Enforce signed/encrypted cookie expiry server side.
+    *Dirkjan Bussink*
 
-    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
+*   Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
 
-    It does so by stashing the expiry within the written cookie and relying on the
-    signing/encrypting to vouch that it hasn't been tampered with. Then on a
-    server-side read, the expiry is verified and any expired cookie is discarded.
+    Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
 
-    Pull Request: #30121
+    *Tadas Sasnauskas*
 
-    *Assain Jaleel*
+*   Configuration setting to skip logging an uncaught exception backtrace when the exception is
+    present in `rescued_responses`.
 
-*   Make `take_failed_screenshot` work within engine.
+    It may be too noisy to get all backtraces logged for applications that manage uncaught
+    exceptions via `rescued_responses` and `exceptions_app`.
+    `config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
+    this case, so that only exceptions not found in `rescued_responses` will be logged.
+
+    *Alexander Azarov*, *Mike Dalessio*
+
+*   Ignore file fixtures on `db:fixtures:load`.
+
+    *Kevin Sjöberg*
 
-    Fixes #30405.
+*   Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
 
-    *Yuji Yaginuma*
+    *Dylan Thacker-Smith*
 
-*   Deprecate `ActionDispatch::TestResponse` response aliases.
+*   New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
 
-    `#success?`, `#missing?` & `#error?` are not supported by the actual
-    `ActionDispatch::Response` object and can produce false-positives. Instead,
-    use the response helpers provided by `Rack::Response`.
+    *Tadas Sasnauskas*
 
-    *Trevor Wistaff*
+*   Drop support for the `SERVER_ADDR` header.
 
-*   Protect from forgery by default
+    Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
 
-    Rather than protecting from forgery in the generated `ApplicationController`,
-    add it to `ActionController::Base` depending on
-    `config.action_controller.default_protect_from_forgery`. This configuration
-    defaults to false to support older versions which have removed it from their
-    `ApplicationController`, but is set to true for Rails 5.2.
+    *Ricardo Díaz*
 
-    *Lisa Ugray*
+*   Set session options when initializing a basic session.
 
-*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
+    *Gannon McGibbon*
 
-    *Kir Shatrov*
+*   Add `cache_control: {}` option to `fresh_when` and `stale?`.
 
-*   `driven_by` now registers poltergeist and capybara-webkit.
+    Works as a shortcut to set `response.cache_control` with the above methods.
 
-    If poltergeist or capybara-webkit are set as drivers is set for System Tests,
-    `driven_by` will register the driver and set additional options passed via
-    the `:options` parameter.
+    *Jacopo Beschi*
 
-    Refer to the respective driver's documentation to see what options can be passed.
+*   Writing into a disabled session will now raise an error.
 
-    *Mario Chavez*
+    Previously when no session store was set, writing into the session would silently fail.
 
-*   AEAD encrypted cookies and sessions with GCM.
+    *Jean Boussier*
 
-    Encrypted cookies now use AES-GCM which couples authentication and
-    encryption in one faster step and produces shorter ciphertexts. Cookies
-    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
-    this new mode is enabled via the
-    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
+*   Add support for 'require-trusted-types-for' and 'trusted-types' headers.
 
-    *Michael J Coyne*
+    Fixes #42034.
 
-*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
+    *lfalcao*
 
-        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
-              ^template path           ^template tree digest            ^class   ^id
+*   Remove inline styles and address basic accessibility issues on rescue templates.
+
+    *Jacob Herrington*
+
+*   Add support for 'private, no-store' Cache-Control headers.
+
+    Previously, 'no-store' was exclusive; no other directives could be specified.
+
+    *Alex Smith*
+
+*   Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
+    know which controller action received unpermitted parameters.
+
+    *bbuchalter*
+
+*   Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
+
+    ```ruby
+    send_stream(filename: "subscribers.csv") do |stream|
+      stream.writeln "email_address,updated_at"
+
+      @subscribers.find_each do |subscriber|
+        stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
+      end
+    end
+    ```
 
     *DHH*
 
-*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
-    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
-    to support it.
+*   Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
 
     *DHH*
 
-*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
+*   `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
+
+    Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
+    This behavior changed to returned Content-Type header containing charset part as it is.
+
+    If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
 
-    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
-    the one umbrella hook `action_controller` is not able to address certain situations where a method
-    may not exist in a certain implementation.
+    Before:
 
-    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
+    ```ruby
+    request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
+    request.content_type #=> "text/csv"
+    ```
+
+    After:
 
-    Fixes #27013.
+    ```ruby
+    request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
+    request.content_type #=> "text/csv; header=present; charset=utf-16"
+    request.media_type   #=> "text/csv"
+    ```
 
-    *Julian Nadeau*
+    *Rafael Mendonça França*
+
+*   Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
+
+    *Rafael Mendonça França*
+
+*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
+
+    *Janko Marohnić*
+
+*   Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
+
+    *ojab*
+
+*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
+
+    *Alex Robbin*
+
+*   Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
+    as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
+    with a single value or an enumerable.
+
+    Fixes #40772.
+
+    *Christian Sutter*
+
+*   Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
+    The old method name is retained without explicit deprecation.
+
+    *DHH*
 
 
-Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2018 David Heinemeier Hansson
+Copyright (c) 2004-2022 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the