actionpack 5.2.1 → 7.0.2.4
Potentially problematic release.
This version of actionpack might be problematic.
- checksums.yaml +4 -4
- data/CHANGELOG.md +264 -220
- data/MIT-LICENSE +1 -1
- data/README.rdoc +6 -6
- data/lib/abstract_controller/asset_paths.rb +1 -1
- data/lib/abstract_controller/base.rb +24 -4
- data/lib/abstract_controller/caching/fragments.rb +8 -24
- data/lib/abstract_controller/caching.rb +2 -2
- data/lib/abstract_controller/callbacks.rb +34 -8
- data/lib/abstract_controller/collector.rb +5 -4
- data/lib/abstract_controller/error.rb +1 -1
- data/lib/abstract_controller/helpers.rb +107 -90
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +19 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +12 -5
- data/lib/abstract_controller/url_for.rb +4 -6
- data/lib/abstract_controller.rb +2 -0
- data/lib/action_controller/api.rb +5 -4
- data/lib/action_controller/base.rb +6 -9
- data/lib/action_controller/caching.rb +1 -3
- data/lib/action_controller/log_subscriber.rb +13 -9
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +57 -6
- data/lib/action_controller/metal/content_security_policy.rb +2 -3
- data/lib/action_controller/metal/cookies.rb +4 -2
- data/lib/action_controller/metal/data_streaming.rb +9 -18
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +4 -6
- data/lib/action_controller/metal/exceptions.rb +55 -12
- data/lib/action_controller/metal/flash.rb +10 -6
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +15 -6
- data/lib/action_controller/metal/http_authentication.rb +41 -39
- data/lib/action_controller/metal/implicit_render.rb +5 -15
- data/lib/action_controller/metal/instrumentation.rb +59 -55
- data/lib/action_controller/metal/live.rb +80 -33
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +22 -7
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +50 -31
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +93 -23
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +14 -9
- data/lib/action_controller/metal/request_forgery_protection.rb +160 -58
- data/lib/action_controller/metal/rescue.rb +2 -2
- data/lib/action_controller/metal/streaming.rb +1 -4
- data/lib/action_controller/metal/strong_parameters.rb +236 -88
- data/lib/action_controller/metal/testing.rb +9 -2
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/metal.rb +16 -17
- data/lib/action_controller/railtie.rb +49 -6
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +37 -13
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +98 -68
- data/lib/action_controller.rb +4 -5
- data/lib/action_dispatch/http/cache.rb +45 -32
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +69 -56
- data/lib/action_dispatch/http/filter_parameters.rb +14 -8
- data/lib/action_dispatch/http/filter_redirect.rb +2 -3
- data/lib/action_dispatch/http/headers.rb +4 -4
- data/lib/action_dispatch/http/mime_negotiation.rb +44 -16
- data/lib/action_dispatch/http/mime_type.rb +47 -30
- data/lib/action_dispatch/http/parameters.rb +18 -27
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +49 -35
- data/lib/action_dispatch/http/response.rb +34 -26
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +86 -94
- data/lib/action_dispatch/journey/formatter.rb +55 -31
- data/lib/action_dispatch/journey/gtg/builder.rb +30 -46
- data/lib/action_dispatch/journey/gtg/simulator.rb +15 -8
- data/lib/action_dispatch/journey/gtg/transition_table.rb +78 -21
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +83 -16
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +42 -34
- data/lib/action_dispatch/journey/route.rb +14 -31
- data/lib/action_dispatch/journey/router/utils.rb +16 -14
- data/lib/action_dispatch/journey/router.rb +27 -35
- data/lib/action_dispatch/journey/routes.rb +3 -5
- data/lib/action_dispatch/journey/scanner.rb +10 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -4
- data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
- data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +45 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +136 -113
- data/lib/action_dispatch/middleware/debug_exceptions.rb +47 -68
- data/lib/action_dispatch/middleware/debug_locks.rb +8 -8
- data/lib/action_dispatch/middleware/debug_view.rb +66 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +79 -30
- data/lib/action_dispatch/middleware/executor.rb +4 -1
- data/lib/action_dispatch/middleware/flash.rb +10 -12
- data/lib/action_dispatch/middleware/host_authorization.rb +159 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -3
- data/lib/action_dispatch/middleware/remote_ip.rb +30 -20
- data/lib/action_dispatch/middleware/request_id.rb +5 -6
- data/lib/action_dispatch/middleware/server_timing.rb +33 -0
- data/lib/action_dispatch/middleware/session/abstract_store.rb +16 -3
- data/lib/action_dispatch/middleware/session/cache_store.rb +11 -6
- data/lib/action_dispatch/middleware/session/cookie_store.rb +24 -19
- data/lib/action_dispatch/middleware/show_exceptions.rb +20 -11
- data/lib/action_dispatch/middleware/ssl.rb +20 -15
- data/lib/action_dispatch/middleware/stack.rb +79 -7
- data/lib/action_dispatch/middleware/static.rb +150 -94
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +6 -11
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +46 -36
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +25 -6
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +9 -6
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -1
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +121 -15
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +5 -5
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +5 -5
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +16 -2
- data/lib/action_dispatch/railtie.rb +16 -4
- data/lib/action_dispatch/request/session.rb +59 -22
- data/lib/action_dispatch/request/utils.rb +28 -2
- data/lib/action_dispatch/routing/inspector.rb +102 -54
- data/lib/action_dispatch/routing/mapper.rb +184 -156
- data/lib/action_dispatch/routing/polymorphic_routes.rb +21 -19
- data/lib/action_dispatch/routing/redirection.rb +4 -6
- data/lib/action_dispatch/routing/route_set.rb +83 -73
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +2 -3
- data/lib/action_dispatch/routing.rb +23 -22
- data/lib/action_dispatch/system_test_case.rb +65 -16
- data/lib/action_dispatch/system_testing/browser.rb +43 -16
- data/lib/action_dispatch/system_testing/driver.rb +42 -10
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +58 -12
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +3 -10
- data/lib/action_dispatch/testing/assertion_response.rb +0 -1
- data/lib/action_dispatch/testing/assertions/response.rb +4 -7
- data/lib/action_dispatch/testing/assertions/routing.rb +20 -8
- data/lib/action_dispatch/testing/assertions.rb +3 -6
- data/lib/action_dispatch/testing/integration.rb +61 -30
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +8 -6
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_dispatch.rb +15 -7
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack.rb +1 -1
- metadata +44 -25
- data/lib/action_controller/metal/force_ssl.rb +0 -99
- data/lib/action_dispatch/http/parameter_filter.rb +0 -86
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -49
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -120
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 06e621226ed4db65eca7f6c6a5194702b49e8287e513e241ed511dc096ef320e
|
4
|
+
data.tar.gz: 4c7c1405b2e523f77fdd076755c9311528bc5e38fac81823330719846a562736
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a1d0d5c67985a6d93bff849b4fd2c21ebb6f0572d64109aaad0bd47317e72cde6c5ba66d1bcf88fe3378dedb37d788f264405f98d11fc3f9c0a4ccad34d8bf1c
|
7
|
+
data.tar.gz: 459de47bc8f00dd8f69b147dac927c30f757657cd5eb3b22518fba2922a0cc96892552f46f32b25bf38aee6ba3deb1ad6272398642befed341621e55d44b88e0
|
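Review bot: the `-` side of this hunk carries no hash values (the old `metadata.gz:` and `data.tar.gz:` lines are rendered empty), so the 5.2.1 checksums cannot be compared from this view; only the 7.0.2.4 SHA256 and SHA512 digests for `metadata.gz` and `data.tar.gz` are visible. Those are digests of the archives inside the .gem, so to verify the package independently fetch it with `gem fetch actionpack -v 7.0.2.4`, unpack it with `tar xf actionpack-7.0.2.4.gem` and compare `sha256sum metadata.gz data.tar.gz` against the `+` lines above.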
data/CHANGELOG.md
CHANGED
@@ -1,357 +1,401 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 7.0.2.4 (April 26, 2022) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
4
4
|
|
5
|
-
|
6
|
-
there are none.
|
5
|
+
*Tim Wade*
|
7
6
|
|
8
|
-
|
7
|
+
## Rails 7.0.2.3 (March 08, 2022) ##
|
9
8
|
|
10
|
-
|
9
|
+
* No changes.
|
11
10
|
|
12
|
-
*Alireza Bashiri*
|
13
11
|
|
14
|
-
|
15
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
16
|
-
parameters.
|
12
|
+
## Rails 7.0.2.2 (February 11, 2022) ##
|
17
13
|
|
18
|
-
|
14
|
+
* No changes.
|
19
15
|
|
20
|
-
* Fix strong parameters `permit!` with nested arrays.
|
21
16
|
|
22
|
-
|
23
|
-
```
|
24
|
-
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
25
|
-
params.permit!
|
26
|
-
```
|
17
|
+
## Rails 7.0.2.1 (February 11, 2022) ##
|
27
18
|
|
28
|
-
|
19
|
+
* Under certain circumstances, the middleware isn't informed that the
|
20
|
+
response body has been fully closed which result in request state not
|
21
|
+
being fully reset before the next request
|
29
22
|
|
30
|
-
|
23
|
+
[CVE-2022-23633]
|
31
24
|
|
32
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
33
|
-
`ActionController::TestCase` subclasses.
|
34
25
|
|
35
|
-
|
26
|
+
## Rails 7.0.2 (February 08, 2022) ##
|
36
27
|
|
37
|
-
*
|
28
|
+
* No changes.
|
38
29
|
|
39
|
-
Fixes #32597.
|
40
30
|
|
41
|
-
|
31
|
+
## Rails 7.0.1 (January 06, 2022) ##
|
42
32
|
|
43
|
-
*
|
33
|
+
* Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
|
34
|
+
of the original object.
|
44
35
|
|
45
|
-
|
36
|
+
*Yutaka Kamei*
|
46
37
|
|
47
|
-
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
48
38
|
|
49
|
-
|
39
|
+
## Rails 7.0.0 (December 15, 2021) ##
|
50
40
|
|
51
|
-
*
|
41
|
+
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
52
42
|
|
53
|
-
|
43
|
+
*Étienne Barrié*
|
54
44
|
|
45
|
+
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
55
46
|
|
56
|
-
|
47
|
+
This means if you make multiple requests in the same test, instance variables set in the first request will
|
48
|
+
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
57
49
|
|
58
|
-
*
|
50
|
+
*Alex Ghiculescu*
|
59
51
|
|
60
|
-
*Catherine Khuu*
|
61
52
|
|
62
|
-
|
53
|
+
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
63
54
|
|
64
|
-
|
65
|
-
for a controller and/or specific actions.
|
55
|
+
* No changes.
|
66
56
|
|
67
|
-
*Andrew White*
|
68
57
|
|
69
|
-
|
58
|
+
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
70
59
|
|
71
|
-
|
72
|
-
content_security_policy false, only: :index
|
73
|
-
end
|
60
|
+
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
74
61
|
|
75
|
-
*Andrew White*
|
76
62
|
|
77
|
-
|
78
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
63
|
+
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
79
64
|
|
80
|
-
|
65
|
+
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
81
66
|
|
82
|
-
|
83
|
-
|
67
|
+
This helps to better simulate request or job local state being reset between requests and prevent state
|
68
|
+
leaking from one request to another.
|
84
69
|
|
85
|
-
|
70
|
+
To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
|
86
71
|
|
87
|
-
*
|
72
|
+
*Alex Ghiculescu*
|
88
73
|
|
89
|
-
|
90
|
-
normally requires the script-src attribute of the content security
|
91
|
-
policy to include 'unsafe-inline'.
|
74
|
+
* Consider onion services secure for cookies.
|
92
75
|
|
93
|
-
|
94
|
-
embedded in a meta tag in a similar fashion to how CSRF protection
|
95
|
-
embeds its token in a meta tag. The UJS library can then read the
|
96
|
-
nonce value and set it on the dynamically generated script tag to
|
97
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
76
|
+
*Justin Tracey*
|
98
77
|
|
99
|
-
|
100
|
-
user generated content in someway then it may be possible to exploit
|
101
|
-
an XSS vulnerability which can take advantage of the nonce. It is
|
102
|
-
however an improvement on a blanket permission for inline scripts.
|
78
|
+
* Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
|
103
79
|
|
104
|
-
|
105
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
80
|
+
*Rafael Mendonça França*
|
106
81
|
|
107
|
-
|
108
|
-
alert('Hello, World!');
|
109
|
-
<% end %>
|
82
|
+
* Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
|
110
83
|
|
111
|
-
|
84
|
+
*Rafael Mendonça França*
|
112
85
|
|
113
|
-
|
86
|
+
* Remove deprecated `ActionDispatch::SystemTestCase#host!`.
|
114
87
|
|
115
|
-
*
|
88
|
+
*Rafael Mendonça França*
|
116
89
|
|
117
|
-
|
90
|
+
* Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
|
118
91
|
|
119
|
-
*
|
92
|
+
*Rafael Mendonça França*
|
120
93
|
|
121
|
-
|
94
|
+
* Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
|
122
95
|
|
123
|
-
*
|
124
|
-
user haven't specified manually another server.
|
96
|
+
*Rafael Mendonça França*
|
125
97
|
|
126
|
-
|
98
|
+
* Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
|
127
99
|
|
128
|
-
|
129
|
-
default headers set.
|
100
|
+
This allows `rescue_from` to be used to add a default fallback route:
|
130
101
|
|
131
|
-
|
102
|
+
```ruby
|
103
|
+
rescue_from ActionController::Redirecting::UnsafeRedirectError do
|
104
|
+
redirect_to root_url
|
105
|
+
end
|
106
|
+
```
|
132
107
|
|
133
|
-
*
|
108
|
+
*Kasper Timm Hansen*, *Chris Oliver*
|
134
109
|
|
135
|
-
|
110
|
+
* Add `url_from` to verify a redirect location is internal.
|
136
111
|
|
137
|
-
|
112
|
+
Takes the open redirect protection from `redirect_to` so users can wrap a
|
113
|
+
param, and fall back to an alternate redirect URL when the param provided
|
114
|
+
one is unsafe.
|
138
115
|
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
116
|
+
```ruby
|
117
|
+
def create
|
118
|
+
redirect_to url_from(params[:redirect_url]) || root_url
|
119
|
+
end
|
120
|
+
```
|
144
121
|
|
145
|
-
|
122
|
+
*dmcge*, *Kasper Timm Hansen*
|
146
123
|
|
147
|
-
|
124
|
+
* Allow Capybara driver name overrides in `SystemTestCase::driven_by`
|
148
125
|
|
149
|
-
|
126
|
+
Allow users to prevent conflicts among drivers that use the same driver
|
127
|
+
type (selenium, poltergeist, webkit, rack test).
|
150
128
|
|
151
|
-
|
129
|
+
Fixes #42502
|
152
130
|
|
153
|
-
*
|
131
|
+
*Chris LaRose*
|
154
132
|
|
155
|
-
|
133
|
+
* Allow multiline to be passed in routes when using wildcard segments.
|
156
134
|
|
157
|
-
|
135
|
+
Previously routes with newlines weren't detected when using wildcard segments, returning
|
136
|
+
a `No route matches` error.
|
137
|
+
After this change, routes with newlines are detected on wildcard segments. Example
|
158
138
|
|
159
|
-
|
139
|
+
```ruby
|
140
|
+
draw do
|
141
|
+
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
142
|
+
end
|
160
143
|
|
161
|
-
|
162
|
-
|
163
|
-
|
144
|
+
# After the change, the path matches.
|
145
|
+
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
146
|
+
```
|
164
147
|
|
165
|
-
|
148
|
+
Fixes #39103
|
166
149
|
|
167
|
-
|
150
|
+
*Ignacio Chiazzo*
|
168
151
|
|
169
|
-
|
170
|
-
Rails.application.config.content_security_policy do |p|
|
171
|
-
p.default_src :self, :https
|
172
|
-
p.font_src :self, :https, :data
|
173
|
-
p.img_src :self, :https, :data
|
174
|
-
p.object_src :none
|
175
|
-
p.script_src :self, :https
|
176
|
-
p.style_src :self, :https, :unsafe_inline
|
177
|
-
end
|
152
|
+
* Treat html suffix in controller translation.
|
178
153
|
|
179
|
-
|
154
|
+
*Rui Onodera*, *Gavin Miller*
|
180
155
|
|
181
|
-
|
182
|
-
class PostsController < ApplicationController
|
183
|
-
content_security_policy do |p|
|
184
|
-
p.upgrade_insecure_requests true
|
185
|
-
end
|
186
|
-
end
|
156
|
+
* Allow permitting numeric params.
|
187
157
|
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
|
158
|
+
Previously it was impossible to permit different fields on numeric parameters.
|
159
|
+
After this change you can specify different fields for each numbered parameter.
|
160
|
+
For example params like,
|
161
|
+
```ruby
|
162
|
+
book: {
|
163
|
+
authors_attributes: {
|
164
|
+
'0': { name: "William Shakespeare", age_of_death: "52" },
|
165
|
+
'1': { name: "Unattributed Assistant" },
|
166
|
+
'2': "Not a hash",
|
167
|
+
'new_record': { name: "Some name" }
|
168
|
+
}
|
169
|
+
}
|
170
|
+
```
|
194
171
|
|
195
|
-
|
196
|
-
|
197
|
-
content_security_policy do |p|
|
198
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
199
|
-
end
|
200
|
-
end
|
172
|
+
Before you could permit name on each author with,
|
173
|
+
`permit book: { authors_attributes: [ :name ] }`
|
201
174
|
|
202
|
-
|
203
|
-
|
204
|
-
configuration attribute, e.g;
|
175
|
+
After this change you can permit different keys on each numbered element,
|
176
|
+
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
205
177
|
|
206
|
-
|
207
|
-
Rails.application.config.content_security_policy_report_only = true
|
178
|
+
Fixes #41625
|
208
179
|
|
209
|
-
|
210
|
-
class PostsController < ApplicationController
|
211
|
-
content_security_policy_report_only only: :index
|
212
|
-
end
|
180
|
+
*Adam Hess*
|
213
181
|
|
214
|
-
|
215
|
-
|
182
|
+
* Update `HostAuthorization` middleware to render debug info only
|
183
|
+
when `config.consider_all_requests_local` is set to true.
|
216
184
|
|
217
|
-
|
185
|
+
Also, blocked host info is always logged with level `error`.
|
218
186
|
|
219
|
-
|
187
|
+
Fixes #42813
|
220
188
|
|
221
|
-
*
|
189
|
+
*Nikita Vyrko*
|
222
190
|
|
223
|
-
*
|
191
|
+
* Add Server-Timing middleware
|
224
192
|
|
225
|
-
|
193
|
+
Server-Timing specification defines how the server can communicate to browsers performance metrics
|
194
|
+
about the request it is responding to.
|
195
|
+
|
196
|
+
The ServerTiming middleware is enabled by default on `development` environment by default using the
|
197
|
+
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
198
|
+
|
199
|
+
The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
|
200
|
+
|
201
|
+
*Sebastian Sogamoso*, *Guillermo Iguaran*
|
202
|
+
|
203
|
+
|
204
|
+
## Rails 7.0.0.alpha2 (September 15, 2021) ##
|
226
205
|
|
227
|
-
*
|
206
|
+
* No changes.
|
228
207
|
|
229
|
-
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
230
|
-
different host. `allow_other_host` is `true` by default.
|
231
208
|
|
232
|
-
|
209
|
+
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
233
210
|
|
234
|
-
*
|
211
|
+
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
|
212
|
+
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
213
|
+
malformed JSON.
|
235
214
|
|
236
|
-
|
215
|
+
Fixes #41145
|
237
216
|
|
238
|
-
*
|
217
|
+
*Aaron Lahey*
|
239
218
|
|
240
|
-
|
219
|
+
* Add `Middleware#delete!` to delete middleware or raise if not found.
|
241
220
|
|
242
|
-
|
221
|
+
`Middleware#delete!` works just like `Middleware#delete` but will
|
222
|
+
raise an error if the middleware isn't found.
|
243
223
|
|
244
|
-
*
|
224
|
+
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
|
245
225
|
|
246
|
-
*
|
226
|
+
* Raise error on unpermitted open redirects.
|
247
227
|
|
248
|
-
|
249
|
-
|
250
|
-
signed cookies. This also helps simplify support for legacy cookie
|
251
|
-
security.
|
228
|
+
Add `allow_other_host` options to `redirect_to`.
|
229
|
+
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
252
230
|
|
253
|
-
*
|
231
|
+
*Gannon McGibbon*
|
254
232
|
|
255
|
-
*
|
233
|
+
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
|
256
234
|
|
257
|
-
|
258
|
-
connection sharing and open request detection work correctly by default.
|
235
|
+
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
|
259
236
|
|
260
|
-
|
237
|
+
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
|
261
238
|
|
262
|
-
*
|
239
|
+
*Yusuke Iwaki*
|
263
240
|
|
264
|
-
|
265
|
-
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
241
|
+
* Exclude additional flash types from `ActionController::Base.action_methods`.
|
266
242
|
|
267
|
-
|
243
|
+
Ensures that additional flash types defined on ActionController::Base subclasses
|
244
|
+
are not listed as actions on that controller.
|
268
245
|
|
269
|
-
|
246
|
+
class MyController < ApplicationController
|
247
|
+
add_flash_types :hype
|
248
|
+
end
|
249
|
+
|
250
|
+
MyController.action_methods.include?('hype') # => false
|
251
|
+
|
252
|
+
*Gavin Morrice*
|
253
|
+
|
254
|
+
* OpenSSL constants are now used for Digest computations.
|
270
255
|
|
271
|
-
*
|
256
|
+
*Dirkjan Bussink*
|
272
257
|
|
273
|
-
|
258
|
+
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
|
274
259
|
|
275
|
-
|
276
|
-
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
277
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
260
|
+
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
|
278
261
|
|
279
|
-
|
262
|
+
*Tadas Sasnauskas*
|
280
263
|
|
281
|
-
|
264
|
+
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
|
265
|
+
present in `rescued_responses`.
|
282
266
|
|
283
|
-
|
267
|
+
It may be too noisy to get all backtraces logged for applications that manage uncaught
|
268
|
+
exceptions via `rescued_responses` and `exceptions_app`.
|
269
|
+
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
270
|
+
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
271
|
+
|
272
|
+
*Alexander Azarov*, *Mike Dalessio*
|
273
|
+
|
274
|
+
* Ignore file fixtures on `db:fixtures:load`.
|
275
|
+
|
276
|
+
*Kevin Sjöberg*
|
284
277
|
|
285
|
-
|
278
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
286
279
|
|
287
|
-
*
|
280
|
+
*Dylan Thacker-Smith*
|
288
281
|
|
289
|
-
*
|
282
|
+
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
|
290
283
|
|
291
|
-
|
292
|
-
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
293
|
-
use the response helpers provided by `Rack::Response`.
|
284
|
+
*Tadas Sasnauskas*
|
294
285
|
|
295
|
-
|
286
|
+
* Drop support for the `SERVER_ADDR` header.
|
296
287
|
|
297
|
-
|
288
|
+
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
|
298
289
|
|
299
|
-
|
300
|
-
add it to `ActionController::Base` depending on
|
301
|
-
`config.action_controller.default_protect_from_forgery`. This configuration
|
302
|
-
defaults to false to support older versions which have removed it from their
|
303
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
290
|
+
*Ricardo Díaz*
|
304
291
|
|
305
|
-
|
292
|
+
* Set session options when initializing a basic session.
|
306
293
|
|
307
|
-
*
|
294
|
+
*Gannon McGibbon*
|
308
295
|
|
309
|
-
|
296
|
+
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
|
310
297
|
|
311
|
-
|
298
|
+
Works as a shortcut to set `response.cache_control` with the above methods.
|
312
299
|
|
313
|
-
|
314
|
-
`driven_by` will register the driver and set additional options passed via
|
315
|
-
the `:options` parameter.
|
300
|
+
*Jacopo Beschi*
|
316
301
|
|
317
|
-
|
302
|
+
* Writing into a disabled session will now raise an error.
|
318
303
|
|
319
|
-
|
304
|
+
Previously when no session store was set, writing into the session would silently fail.
|
320
305
|
|
321
|
-
*
|
306
|
+
*Jean Boussier*
|
322
307
|
|
323
|
-
|
324
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
325
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
326
|
-
this new mode is enabled via the
|
327
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
308
|
+
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
328
309
|
|
329
|
-
|
310
|
+
Fixes #42034.
|
330
311
|
|
331
|
-
*
|
312
|
+
*lfalcao*
|
332
313
|
|
333
|
-
|
334
|
-
|
314
|
+
* Remove inline styles and address basic accessibility issues on rescue templates.
|
315
|
+
|
316
|
+
*Jacob Herrington*
|
317
|
+
|
318
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
319
|
+
|
320
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
321
|
+
|
322
|
+
*Alex Smith*
|
323
|
+
|
324
|
+
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
|
325
|
+
know which controller action received unpermitted parameters.
|
326
|
+
|
327
|
+
*bbuchalter*
|
328
|
+
|
329
|
+
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
|
330
|
+
|
331
|
+
```ruby
|
332
|
+
send_stream(filename: "subscribers.csv") do |stream|
|
333
|
+
stream.writeln "email_address,updated_at"
|
334
|
+
|
335
|
+
@subscribers.find_each do |subscriber|
|
336
|
+
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
337
|
+
end
|
338
|
+
end
|
339
|
+
```
|
335
340
|
|
336
341
|
*DHH*
|
337
342
|
|
338
|
-
* Add
|
339
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
340
|
-
to support it.
|
343
|
+
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
|
341
344
|
|
342
345
|
*DHH*
|
343
346
|
|
344
|
-
*
|
347
|
+
* `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
|
348
|
+
|
349
|
+
Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
|
350
|
+
This behavior changed to returned Content-Type header containing charset part as it is.
|
351
|
+
|
352
|
+
If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
|
345
353
|
|
346
|
-
|
347
|
-
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
348
|
-
may not exist in a certain implementation.
|
354
|
+
Before:
|
349
355
|
|
350
|
-
|
356
|
+
```ruby
|
357
|
+
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
358
|
+
request.content_type #=> "text/csv"
|
359
|
+
```
|
360
|
+
|
361
|
+
After:
|
351
362
|
|
352
|
-
|
363
|
+
```ruby
|
364
|
+
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
365
|
+
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
366
|
+
request.media_type #=> "text/csv"
|
367
|
+
```
|
353
368
|
|
354
|
-
*
|
369
|
+
*Rafael Mendonça França*
|
370
|
+
|
371
|
+
* Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
|
372
|
+
|
373
|
+
*Rafael Mendonça França*
|
374
|
+
|
375
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
376
|
+
|
377
|
+
*Janko Marohnić*
|
378
|
+
|
379
|
+
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
|
380
|
+
|
381
|
+
*ojab*
|
382
|
+
|
383
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
384
|
+
|
385
|
+
*Alex Robbin*
|
386
|
+
|
387
|
+
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
|
388
|
+
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
389
|
+
with a single value or an enumerable.
|
390
|
+
|
391
|
+
Fixes #40772.
|
392
|
+
|
393
|
+
*Christian Sutter*
|
394
|
+
|
395
|
+
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
|
396
|
+
The old method name is retained without explicit deprecation.
|
397
|
+
|
398
|
+
*DHH*
|
355
399
|
|
356
400
|
|
357
|
-
Please check [
|
401
|
+
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
|
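Review bot: the two security fixes in this hunk, `[CVE-2022-23633]` under 7.0.2.1 and `[CVE-2021-44528]` under 7.0.0.rc2, are cited by identifier only, with no advisory link and, for the first, no statement of impact beyond "request state not being fully reset", whereas other entries carry a reference (`Fixes #42502`, the rack and rails PR URLs); add the advisory links so an upgrader can assess exposure. Two wording issues on the `+` lines: "which result in request state" should read "which results in", and the Server-Timing entry says "enabled by default on `development` environment by default" and its sentence ending in "header" lacks a period. Worth flagging for the 5.2.1 → 7.0.2.4 jump: the 7.0.0.alpha1 entry documents `raise_on_open_redirects` only as an opt-in (`ActionController::Base.raise_on_open_redirects = true`), so an app moving straight from 5.2.1 keeps the permissive `redirect_to` behaviour unless it sets it, and the `url_from` entry's `redirect_to url_from(params[:redirect_url]) || root_url` pattern is the replacement to recommend wherever a redirect target comes from a parameter. Finally, most removed (`-`) entries are rendered as a bare `*`, so the dropped 5.2.x content cannot be reviewed here.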
data/MIT-LICENSE
CHANGED