actionpack 5.2.3.rc1 → 6.0.0.beta1


Files changed (103)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +124 -337
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +1 -1
  5. data/lib/abstract_controller/base.rb +4 -2
  6. data/lib/abstract_controller/caching/fragments.rb +6 -21
  7. data/lib/abstract_controller/callbacks.rb +12 -0
  8. data/lib/abstract_controller/collector.rb +1 -1
  9. data/lib/abstract_controller/helpers.rb +2 -2
  10. data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
  11. data/lib/action_controller.rb +1 -0
  12. data/lib/action_controller/api.rb +2 -1
  13. data/lib/action_controller/base.rb +2 -7
  14. data/lib/action_controller/caching.rb +1 -1
  15. data/lib/action_controller/log_subscriber.rb +8 -5
  16. data/lib/action_controller/metal/conditional_get.rb +9 -3
  17. data/lib/action_controller/metal/data_streaming.rb +5 -6
  18. data/lib/action_controller/metal/default_headers.rb +17 -0
  19. data/lib/action_controller/metal/exceptions.rb +22 -1
  20. data/lib/action_controller/metal/flash.rb +5 -5
  21. data/lib/action_controller/metal/force_ssl.rb +17 -57
  22. data/lib/action_controller/metal/head.rb +1 -1
  23. data/lib/action_controller/metal/helpers.rb +1 -2
  24. data/lib/action_controller/metal/http_authentication.rb +20 -21
  25. data/lib/action_controller/metal/implicit_render.rb +2 -12
  26. data/lib/action_controller/metal/instrumentation.rb +3 -5
  27. data/lib/action_controller/metal/live.rb +28 -26
  28. data/lib/action_controller/metal/mime_responds.rb +13 -2
  29. data/lib/action_controller/metal/params_wrapper.rb +16 -12
  30. data/lib/action_controller/metal/redirecting.rb +32 -11
  31. data/lib/action_controller/metal/rendering.rb +1 -1
  32. data/lib/action_controller/metal/request_forgery_protection.rb +22 -11
  33. data/lib/action_controller/metal/strong_parameters.rb +57 -32
  34. data/lib/action_controller/metal/url_for.rb +1 -1
  35. data/lib/action_controller/railties/helpers.rb +1 -1
  36. data/lib/action_controller/renderer.rb +15 -2
  37. data/lib/action_controller/test_case.rb +1 -4
  38. data/lib/action_dispatch.rb +3 -1
  39. data/lib/action_dispatch/http/cache.rb +14 -10
  40. data/lib/action_dispatch/http/content_disposition.rb +45 -0
  41. data/lib/action_dispatch/http/content_security_policy.rb +9 -8
  42. data/lib/action_dispatch/http/filter_parameters.rb +8 -6
  43. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  44. data/lib/action_dispatch/http/headers.rb +1 -1
  45. data/lib/action_dispatch/http/mime_negotiation.rb +7 -10
  46. data/lib/action_dispatch/http/mime_type.rb +1 -5
  47. data/lib/action_dispatch/http/parameter_filter.rb +5 -79
  48. data/lib/action_dispatch/http/parameters.rb +13 -3
  49. data/lib/action_dispatch/http/request.rb +10 -13
  50. data/lib/action_dispatch/http/response.rb +18 -17
  51. data/lib/action_dispatch/http/upload.rb +5 -0
  52. data/lib/action_dispatch/http/url.rb +81 -81
  53. data/lib/action_dispatch/journey/formatter.rb +1 -1
  54. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
  55. data/lib/action_dispatch/journey/nodes/node.rb +9 -8
  56. data/lib/action_dispatch/journey/path/pattern.rb +3 -3
  57. data/lib/action_dispatch/journey/router.rb +0 -3
  58. data/lib/action_dispatch/journey/router/utils.rb +10 -10
  59. data/lib/action_dispatch/journey/scanner.rb +11 -4
  60. data/lib/action_dispatch/journey/visitors.rb +1 -1
  61. data/lib/action_dispatch/middleware/callbacks.rb +2 -4
  62. data/lib/action_dispatch/middleware/cookies.rb +49 -70
  63. data/lib/action_dispatch/middleware/debug_exceptions.rb +32 -58
  64. data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
  65. data/lib/action_dispatch/middleware/debug_view.rb +50 -0
  66. data/lib/action_dispatch/middleware/exception_wrapper.rb +36 -7
  67. data/lib/action_dispatch/middleware/flash.rb +1 -1
  68. data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
  69. data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
  70. data/lib/action_dispatch/middleware/request_id.rb +2 -2
  71. data/lib/action_dispatch/middleware/session/cookie_store.rb +4 -10
  72. data/lib/action_dispatch/middleware/ssl.rb +8 -8
  73. data/lib/action_dispatch/middleware/static.rb +5 -6
  74. data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
  75. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
  76. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
  77. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
  78. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +20 -2
  79. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +4 -4
  80. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  81. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
  82. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
  83. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
  84. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
  85. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
  86. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
  87. data/lib/action_dispatch/railtie.rb +1 -0
  88. data/lib/action_dispatch/request/session.rb +8 -0
  89. data/lib/action_dispatch/routing.rb +3 -2
  90. data/lib/action_dispatch/routing/inspector.rb +99 -50
  91. data/lib/action_dispatch/routing/mapper.rb +36 -29
  92. data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
  93. data/lib/action_dispatch/routing/route_set.rb +11 -12
  94. data/lib/action_dispatch/routing/url_for.rb +1 -0
  95. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +3 -3
  96. data/lib/action_dispatch/testing/assertions/response.rb +2 -3
  97. data/lib/action_dispatch/testing/assertions/routing.rb +7 -2
  98. data/lib/action_dispatch/testing/integration.rb +11 -4
  99. data/lib/action_dispatch/testing/test_process.rb +2 -2
  100. data/lib/action_dispatch/testing/test_response.rb +4 -32
  101. data/lib/action_pack.rb +1 -1
  102. data/lib/action_pack/gem_version.rb +4 -4
  103. metadata +19 -11
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 771c9801723cb04594f902ec341db60241bbfe7f2cb307523418ec438ebf6331
4
- data.tar.gz: 8bdf44fd40ae05d43c3a51643c64772fa2c8f006fe706d2fe475b598f5cfebfd
3
+ metadata.gz: df5b083c08009f1025bfbf541400a4819b5620f5bb49aa3d4bbe0c056eae44b3
4
+ data.tar.gz: '0374579e1273c1d727e0bc94d7a73b3933d8c0f54e7196beedc61ea30d88209f'
5
5
  SHA512:
6
- metadata.gz: 3541ef15ed87b1c56825149a181aa117109f55b5f327ef5ee6e029fba10d705cc39972e87e75cb5dda6d6053d830ca50eb6db52efb0ca916f3c5b8687256e676
7
- data.tar.gz: 789c29c0bf2c133b98056e796a5c04d235c700227c573d9e73f396c26d24af3e40ad1abf48deb3221ddc82f50fbee39b48be0684ff552cce2e541d7708c68d05
6
+ metadata.gz: cb0e467dc8c10baa42df2d08d79b2f5caedad996d247523abf54713a542f6d49a01f120ca0b0faa6930ea89592bfe074979201adec97d33135a5877391a5d4bb
7
+ data.tar.gz: dee5cf35ce9af7e795d65bb2a44d5edb229439f5fbde0dde1c35e8d3cf2564c49ddf929a9d5499b3aa6248c42cf6f61ca2c75c85a623ba51f1dd6106750d3267
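Review bot: all four digests change, which is expected for a rebuilt gem, but a changed checksums.yaml is not evidence on its own: the file ships inside the .gem, so it can only confirm that metadata.gz and data.tar.gz were not altered after packaging. Before pinning 6.0.0.beta1, check the downloaded .gem archive against the SHA256 that rubygems.org publishes for that version. The single quotes around the new data.tar.gz SHA256 ('0374579e...') are a Psych dumper artifact (the scalar begins like an octal literal) and not a content difference. The hunk that follows (@@ -1,26 +1,66 @@) appears without a file header on this page; it is the top of data/CHANGELOG.md, file 2 in the list above.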
@@ -1,26 +1,66 @@
1
- ## Rails 5.2.3.rc1 (March 21, 2019) ##
1
+ ## Rails 6.0.0.beta1 (January 18, 2019) ##
2
2
 
3
- * Allow using combine the Cache Control `public` and `no-cache` headers.
3
+ * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
4
4
 
5
- Before this change, even if `public` was specified for Cache Control header,
6
- it was excluded when `no-cache` was included. This fixed to keep `public`
7
- header as is.
5
+ *Rafael Mendonça França*
6
+
7
+ * Remove deprecated methods in `ActionDispatch::TestResponse`.
8
+
9
+ `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
10
+ `#successful?`, `not_found?` and `server_error?`.
11
+
12
+ *Rafael Mendonça França*
13
+
14
+ * Ensure external redirects are explicitly allowed
15
+
16
+ Add `fallback_location` and `allow_other_host` options to `redirect_to`.
17
+
18
+ *Gannon McGibbon*
19
+
20
+ * Introduce ActionDispatch::HostAuthorization
8
21
 
9
- Fixes #34780.
22
+ This is a new middleware that guards against DNS rebinding attacks by
23
+ white-listing the allowed hosts a request can be made to.
10
24
 
11
- *Yuji Yaginuma*
25
+ Each host is checked with the case operator (`#===`) to support `RegExp`,
26
+ `Proc`, `IPAddr` and custom objects as host allowances.
12
27
 
13
- * Allow `nil` params for `ActionController::TestCase`.
28
+ *Genadi Samokovarov*
14
29
 
15
- *Ryo Nakamura*
30
+ * Allow using `parsed_body` in `ActionController::TestCase`.
16
31
 
32
+ In addition to `ActionDispatch::IntegrationTest`, allow using
33
+ `parsed_body` in `ActionController::TestCase`:
17
34
 
18
- ## Rails 5.2.2.1 (March 11, 2019) ##
35
+ ```
36
+ class SomeControllerTest < ActionController::TestCase
37
+ def test_some_action
38
+ post :action, body: { foo: 'bar' }
39
+ assert_equal({ "foo" => "bar" }, response.parsed_body)
40
+ end
41
+ end
42
+ ```
43
+
44
+ Fixes #34676.
45
+
46
+ *Tobias Bühlmann*
47
+
48
+ * Raise an error on root route naming conflicts.
19
49
 
20
- * No changes.
50
+ Raises an ArgumentError when multiple root routes are defined in the
51
+ same context instead of assigning nil names to subsequent roots.
21
52
 
53
+ *Gannon McGibbon*
54
+
55
+ * Allow rescue from parameter parse errors:
56
+
57
+ ```
58
+ rescue_from ActionDispatch::Http::Parameters::ParseError do
59
+ head :unauthorized
60
+ end
61
+ ```
22
62
 
23
- ## Rails 5.2.2 (December 04, 2018) ##
63
+ *Gannon McGibbon*, *Josh Cheek*
24
64
 
25
65
  * Reset Capybara sessions if failed system test screenshot raising an exception.
26
66
 
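Review bot: the `redirect_to` entry ("Ensure external redirects are explicitly allowed") names the new `fallback_location` and `allow_other_host` options but not their defaults, so a reader cannot tell from this hunk whether an unchanged `redirect_to params[:url]` still follows an external host, or what happens (fallback versus error) when `allow_other_host` is false; the entry should state the default and the failure behaviour. In the HostAuthorization entry, because each allowance is matched with `#===`, a `Regexp` allowance must be anchored (`\A...\z`): `Regexp#===` matches anywhere in the Host value, so a bare `/example\.com/` also admits hosts that merely contain that string, and the entry should say so; "white-listing" should read "allow-listing". In the parse-error example, `head :unauthorized` answers a malformed request body with 401, whereas `head :bad_request` (400) is the status that matches the condition.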
@@ -56,374 +96,121 @@
56
96
 
57
97
  *Andrew White*
58
98
 
59
- * Fix `rails routes -c` for controller name consists of multiple word.
60
-
61
- *Yoshiyuki Kinjo*
62
-
63
- * Call the `#redirect_to` block in controller context.
64
-
65
- *Steven Peckins*
66
-
67
-
68
- ## Rails 5.2.1.1 (November 27, 2018) ##
69
-
70
- * No changes.
71
-
72
-
73
- ## Rails 5.2.1 (August 07, 2018) ##
74
-
75
- * Prevent `?null=` being passed on JSON encoded test requests.
76
-
77
- `RequestEncoder#encode_params` won't attempt to parse params if
78
- there are none.
79
-
80
- So call like this will no longer append a `?null=` query param.
81
-
82
- get foos_url, as: :json
83
-
84
- *Alireza Bashiri*
85
-
86
- * Ensure `ActionController::Parameters#transform_values` and
87
- `ActionController::Parameters#transform_values!` converts hashes into
88
- parameters.
89
-
90
- *Kevin Sjöberg*
91
-
92
- * Fix strong parameters `permit!` with nested arrays.
93
-
94
- Given:
95
- ```
96
- params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
97
- params.permit!
98
- ```
99
-
100
- `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
101
-
102
- *Steve Hull*
103
-
104
- * Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
105
- `ActionController::TestCase` subclasses.
106
-
107
- *Eugene Kenny*
108
-
109
- * Output only one Content-Security-Policy nonce header value per request.
110
-
111
- Fixes #32597.
112
-
113
- *Andrey Novikov*, *Andrew White*
114
-
115
- * Only disable GPUs for headless Chrome on Windows.
116
-
117
- It is not necessary anymore for Linux and macOS machines.
118
-
119
- https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
120
-
121
- *Stefan Wrobel*
122
-
123
- * Fix system tests transactions not closed between examples.
124
-
125
- *Sergey Tarasov*
126
-
127
-
128
- ## Rails 5.2.0 (April 09, 2018) ##
129
-
130
- * Check exclude before flagging cookies as secure.
131
-
132
- *Catherine Khuu*
133
-
134
- * Always yield a CSP policy instance from `content_security_policy`
135
-
136
- This allows a controller action to enable the policy individually
137
- for a controller and/or specific actions.
138
-
139
- *Andrew White*
140
-
141
- * Add the ability to disable the global CSP in a controller, e.g:
142
-
143
- class LegacyPagesController < ApplicationController
144
- content_security_policy false, only: :index
145
- end
146
-
147
- *Andrew White*
148
-
149
- * Add alias method `to_hash` to `to_h` for `cookies`.
150
- Add alias method `to_h` to `to_hash` for `session`.
151
-
152
- *Igor Kasyanchuk*
153
-
154
- * Update the default HSTS max-age value to 31536000 seconds (1 year)
155
- to meet the minimum max-age requirement for https://hstspreload.org/.
156
-
157
- *Grant Bourque*
158
-
159
- * Add support for automatic nonce generation for Rails UJS.
160
-
161
- Because the UJS library creates a script tag to process responses it
162
- normally requires the script-src attribute of the content security
163
- policy to include 'unsafe-inline'.
164
-
165
- To work around this we generate a per-request nonce value that is
166
- embedded in a meta tag in a similar fashion to how CSRF protection
167
- embeds its token in a meta tag. The UJS library can then read the
168
- nonce value and set it on the dynamically generated script tag to
169
- enable it to execute without needing 'unsafe-inline' enabled.
170
-
171
- Nonce generation isn't 100% safe - if your script tag is including
172
- user generated content in someway then it may be possible to exploit
173
- an XSS vulnerability which can take advantage of the nonce. It is
174
- however an improvement on a blanket permission for inline scripts.
175
-
176
- It is also possible to use the nonce within your own script tags by
177
- using `nonce: true` to set the nonce value on the tag, e.g
178
-
179
- <%= javascript_tag nonce: true do %>
180
- alert('Hello, World!');
181
- <% end %>
182
-
183
- Fixes #31689.
184
-
185
- *Andrew White*
186
-
187
- * Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
188
-
189
- *Dominic Cleal*
190
-
191
- * Add `Referrer-Policy` header to default headers set.
192
-
193
- *Guillermo Iguaran*
194
-
195
- * Changed the system tests to set Puma as default server only when the
196
- user haven't specified manually another server.
197
-
198
- *Guillermo Iguaran*
199
-
200
- * Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
201
- default headers set.
202
-
203
- *Guillermo Iguaran*
204
-
205
- * Add headless firefox support to System Tests.
206
-
207
- *bogdanvlviv*
99
+ * Add `ActionController::Parameters#each_value`.
208
100
 
209
- * Changed the default system test screenshot output from `inline` to `simple`.
101
+ *Lukáš Zapletal*
210
102
 
211
- `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
212
- Terminal.app ignore the `inline` and output the path to the file since it can't
213
- render the image. Other terminals, like those on Ubuntu, cannot handle the image
214
- inline, but also don't handle it gracefully and instead of outputting the file
215
- path, it dumps binary into the terminal.
103
+ * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
216
104
 
217
- Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
218
-
219
- *Eileen M. Uchitelle*
105
+ *Yoshiyuki Kinjo*
220
106
 
221
- * Register most popular audio/video/font mime types supported by modern browsers.
107
+ * Encode Content-Disposition filenames on `send_data` and `send_file`.
108
+ Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
109
+ `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
110
+ garbled.
111
+ Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
112
+ [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
113
+ `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
114
+ Most browsers can find filename correctly and old browsers fallback to ASCII
115
+ converted name.
222
116
 
223
- *Guillermo Iguaran*
117
+ *Fumiaki Matsushima*
224
118
 
225
- * Fix optimized url helpers when using relative url root.
119
+ * Expose `ActionController::Parameters#each_key` which allows iterating over
120
+ keys without allocating an array.
226
121
 
227
- Fixes #31220.
122
+ *Richard Schneeman*
228
123
 
229
- *Andrew White*
124
+ * Purpose metadata for signed/encrypted cookies.
230
125
 
231
- * Add DSL for configuring Content-Security-Policy header.
126
+ Rails can now thwart attacks that attempt to copy signed/encrypted value
127
+ of a cookie and use it as the value of another cookie.
232
128
 
233
- The DSL allows you to configure a global Content-Security-Policy
234
- header and then override within a controller. For more information
235
- about the Content-Security-Policy header see MDN:
129
+ It does so by stashing the cookie-name in the purpose field which is
130
+ then signed/encrypted along with the cookie value. Then, on a server-side
131
+ read, we verify the cookie-names and discard any attacked cookies.
236
132
 
237
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
133
+ Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
134
+ writes cookies with the new purpose and expiry metadata embedded.
238
135
 
239
- Example global policy:
240
-
241
- # config/initializers/content_security_policy.rb
242
- Rails.application.config.content_security_policy do |p|
243
- p.default_src :self, :https
244
- p.font_src :self, :https, :data
245
- p.img_src :self, :https, :data
246
- p.object_src :none
247
- p.script_src :self, :https
248
- p.style_src :self, :https, :unsafe_inline
249
- end
250
-
251
- Example controller overrides:
136
+ *Assain Jaleel*
252
137
 
253
- # Override policy inline
254
- class PostsController < ApplicationController
255
- content_security_policy do |p|
256
- p.upgrade_insecure_requests true
257
- end
258
- end
138
+ * Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
259
139
 
260
- # Using literal values
261
- class PostsController < ApplicationController
262
- content_security_policy do |p|
263
- p.base_uri "https://www.example.com"
264
- end
265
- end
140
+ `respond_to` can match multiple types and lead to undefined behavior when
141
+ multiple invocations are made and the types do not match:
266
142
 
267
- # Using mixed static and dynamic values
268
- class PostsController < ApplicationController
269
- content_security_policy do |p|
270
- p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
143
+ respond_to do |outer_type|
144
+ outer_type.js do
145
+ respond_to do |inner_type|
146
+ inner_type.html { render body: "HTML" }
147
+ end
271
148
  end
272
149
  end
273
150
 
274
- Allows you to also only report content violations for migrating
275
- legacy content using the `content_security_policy_report_only`
276
- configuration attribute, e.g;
277
-
278
- # config/initializers/content_security_policy.rb
279
- Rails.application.config.content_security_policy_report_only = true
280
-
281
- # controller override
282
- class PostsController < ApplicationController
283
- content_security_policy_report_only only: :index
284
- end
285
-
286
- Note that this feature does not validate the header for performance
287
- reasons since the header is calculated at runtime.
288
-
289
- *Andrew White*
290
-
291
- * Make `assert_recognizes` to traverse mounted engines.
151
+ *Patrick Toomey*
292
152
 
293
- *Yuichiro Kaneko*
153
+ * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
294
154
 
295
- * Remove deprecated `ActionController::ParamsParser::ParseError`.
155
+ This allows uploaded file objects to be passed directly to `File.read`
156
+ without raising a `TypeError`:
296
157
 
297
- *Rafael Mendonça França*
298
-
299
- * Add `:allow_other_host` option to `redirect_back` method.
300
-
301
- When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
302
- different host. `allow_other_host` is `true` by default.
303
-
304
- *Tim Masliuchenko*
305
-
306
- * Add headless chrome support to System Tests.
307
-
308
- *Yuji Yaginuma*
309
-
310
- * Add ability to enable Early Hints for HTTP/2
311
-
312
- If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
313
-
314
- The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
315
-
316
- *Eileen M. Uchitelle*, *Aaron Patterson*
317
-
318
- * Simplify cookies middleware with key rotation support
319
-
320
- Use the `rotate` method for both `MessageEncryptor` and
321
- `MessageVerifier` to add key rotation support for encrypted and
322
- signed cookies. This also helps simplify support for legacy cookie
323
- security.
324
-
325
- *Michael J Coyne*
326
-
327
- * Use Capybara registered `:puma` server config.
328
-
329
- The Capybara registered `:puma` server ensures the puma server is run in process so
330
- connection sharing and open request detection work correctly by default.
331
-
332
- *Thomas Walpole*
333
-
334
- * Cookies `:expires` option supports `ActiveSupport::Duration` object.
335
-
336
- cookies[:user_name] = { value: "assain", expires: 1.hour }
337
- cookies[:key] = { value: "a yummy cookie", expires: 6.months }
158
+ uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
159
+ File.read(uploaded_file)
338
160
 
339
- Pull Request: #30121
161
+ *Aaron Kromer*
340
162
 
341
- *Assain Jaleel*
342
-
343
- * Enforce signed/encrypted cookie expiry server side.
344
-
345
- Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
346
-
347
- It does so by stashing the expiry within the written cookie and relying on the
348
- signing/encrypting to vouch that it hasn't been tampered with. Then on a
349
- server-side read, the expiry is verified and any expired cookie is discarded.
350
-
351
- Pull Request: #30121
352
-
353
- *Assain Jaleel*
354
-
355
- * Make `take_failed_screenshot` work within engine.
356
-
357
- Fixes #30405.
163
+ * Pass along arguments to underlying `get` method in `follow_redirect!`.
358
164
 
359
- *Yuji Yaginuma*
165
+ Now all arguments passed to `follow_redirect!` are passed to the underlying
166
+ `get` method. This for example allows to set custom headers for the
167
+ redirection request to the server.
360
168
 
361
- * Deprecate `ActionDispatch::TestResponse` response aliases.
169
+ follow_redirect!(params: { foo: :bar })
362
170
 
363
- `#success?`, `#missing?` & `#error?` are not supported by the actual
364
- `ActionDispatch::Response` object and can produce false-positives. Instead,
365
- use the response helpers provided by `Rack::Response`.
171
+ *Remo Fritzsche*
366
172
 
367
- *Trevor Wistaff*
173
+ * Introduce a new error page to when the implicit render page is accessed in the browser.
368
174
 
369
- * Protect from forgery by default
175
+ Now instead of showing an error page that with exception and backtraces we now show only
176
+ one informative page.
370
177
 
371
- Rather than protecting from forgery in the generated `ApplicationController`,
372
- add it to `ActionController::Base` depending on
373
- `config.action_controller.default_protect_from_forgery`. This configuration
374
- defaults to false to support older versions which have removed it from their
375
- `ApplicationController`, but is set to true for Rails 5.2.
178
+ *Vinicius Stock*
376
179
 
377
- *Lisa Ugray*
180
+ * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
378
181
 
379
- * Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
182
+ Exception aware plugin authors can use the newly introduced
183
+ `.register_interceptor` method to get the processed exception, instead of
184
+ monkey patching DebugExceptions.
380
185
 
381
- *Kir Shatrov*
382
-
383
- * `driven_by` now registers poltergeist and capybara-webkit.
384
-
385
- If poltergeist or capybara-webkit are set as drivers is set for System Tests,
386
- `driven_by` will register the driver and set additional options passed via
387
- the `:options` parameter.
388
-
389
- Refer to the respective driver's documentation to see what options can be passed.
390
-
391
- *Mario Chavez*
392
-
393
- * AEAD encrypted cookies and sessions with GCM.
186
+ ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
187
+ HypoteticalPlugin.capture_exception(request, exception)
188
+ end
394
189
 
395
- Encrypted cookies now use AES-GCM which couples authentication and
396
- encryption in one faster step and produces shorter ciphertexts. Cookies
397
- encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
398
- this new mode is enabled via the
399
- `action_dispatch.use_authenticated_cookie_encryption` configuration value.
190
+ *Genadi Samokovarov*
400
191
 
401
- *Michael J Coyne*
192
+ * Output only one Content-Security-Policy nonce header value per request.
402
193
 
403
- * Change the cache key format for fragments to make it easier to debug key churn. The new format is:
194
+ Fixes #32597.
404
195
 
405
- views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
406
- ^template path ^template tree digest ^class ^id
196
+ *Andrey Novikov*, *Andrew White*
407
197
 
408
- *DHH*
198
+ * Move default headers configuration into their own module that can be included in controllers.
409
199
 
410
- * Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
411
- `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
412
- to support it.
200
+ *Kevin Deisz*
413
201
 
414
- *DHH*
202
+ * Add method `dig` to `session`.
415
203
 
416
- * Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
204
+ *claudiob*, *Takumi Shotoku*
417
205
 
418
- `ActionController::Base` and `ActionController::API` have differing implementations. This means that
419
- the one umbrella hook `action_controller` is not able to address certain situations where a method
420
- may not exist in a certain implementation.
206
+ * Controller level `force_ssl` has been deprecated in favor of
207
+ `config.force_ssl`.
421
208
 
422
- This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
209
+ *Derek Prior*
423
210
 
424
- Fixes #27013.
211
+ * Rails 6 requires Ruby 2.5.0 or newer.
425
212
 
426
- *Julian Nadeau*
213
+ *Jeremy Daer*, *Kasper Timm Hansen*
427
214
 
428
215
 
429
- Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
216
+ Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
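Review bot: the cookie purpose-metadata entry says to enable `action_dispatch.use_cookies_with_metadata` but not how cookies written before the flag is turned on are treated on read; since every existing signed/encrypted cookie (sessions included) lacks the purpose field, the entry should state whether such cookies are still accepted or discarded, as that decides whether flipping the flag signs every user out. Smaller points in the added lines: "confliciting" should be "conflicting" in the `RespondToMismatchError` entry, `HypoteticalPlugin` should be `HypotheticalPlugin` in the `register_interceptor` example, and "a new error page to when the implicit render page is accessed" reads better as "a new error page for when the implicit render page is accessed". The "Output only one Content-Security-Policy nonce header value per request" entry (#32597) appears both among the removed 5.2.1 lines and the added 6.0.0.beta1 lines, which is consistent with a backported fix rather than an accidental duplicate.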