actionpack 5.2.3 → 6.0.0
Potentially problematic release.
- checksums.yaml +4 -4
- data/CHANGELOG.md +181 -299
- data/MIT-LICENSE +1 -1
- data/README.rdoc +3 -2
- data/lib/abstract_controller/base.rb +4 -2
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/callbacks.rb +12 -0
- data/lib/abstract_controller/collector.rb +1 -1
- data/lib/abstract_controller/helpers.rb +2 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
- data/lib/abstract_controller/translation.rb +1 -0
- data/lib/action_controller.rb +1 -0
- data/lib/action_controller/api.rb +2 -1
- data/lib/action_controller/base.rb +2 -7
- data/lib/action_controller/caching.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +8 -5
- data/lib/action_controller/metal.rb +3 -3
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +9 -3
- data/lib/action_controller/metal/data_streaming.rb +5 -6
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +22 -1
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/force_ssl.rb +15 -56
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +3 -4
- data/lib/action_controller/metal/http_authentication.rb +20 -21
- data/lib/action_controller/metal/implicit_render.rb +4 -14
- data/lib/action_controller/metal/instrumentation.rb +3 -5
- data/lib/action_controller/metal/live.rb +29 -27
- data/lib/action_controller/metal/mime_responds.rb +13 -2
- data/lib/action_controller/metal/params_wrapper.rb +17 -13
- data/lib/action_controller/metal/redirecting.rb +5 -5
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +2 -2
- data/lib/action_controller/metal/request_forgery_protection.rb +23 -12
- data/lib/action_controller/metal/strong_parameters.rb +63 -44
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +16 -3
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +1 -4
- data/lib/action_dispatch.rb +4 -2
- data/lib/action_dispatch/http/cache.rb +14 -10
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +28 -16
- data/lib/action_dispatch/http/filter_parameters.rb +8 -6
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +7 -5
- data/lib/action_dispatch/http/mime_type.rb +14 -6
- data/lib/action_dispatch/http/parameter_filter.rb +5 -79
- data/lib/action_dispatch/http/parameters.rb +13 -3
- data/lib/action_dispatch/http/request.rb +10 -13
- data/lib/action_dispatch/http/response.rb +30 -15
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +81 -81
- data/lib/action_dispatch/journey/formatter.rb +2 -2
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
- data/lib/action_dispatch/journey/nodes/node.rb +9 -8
- data/lib/action_dispatch/journey/path/pattern.rb +8 -3
- data/lib/action_dispatch/journey/route.rb +5 -4
- data/lib/action_dispatch/journey/router.rb +0 -3
- data/lib/action_dispatch/journey/router/utils.rb +10 -10
- data/lib/action_dispatch/journey/routes.rb +0 -1
- data/lib/action_dispatch/journey/scanner.rb +11 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +39 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +52 -74
- data/lib/action_dispatch/middleware/debug_exceptions.rb +39 -59
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +68 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +49 -15
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -2
- data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
- data/lib/action_dispatch/middleware/request_id.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +1 -6
- data/lib/action_dispatch/middleware/show_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/ssl.rb +8 -8
- data/lib/action_dispatch/middleware/stack.rb +34 -2
- data/lib/action_dispatch/middleware/static.rb +5 -6
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +7 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +4 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
- data/lib/action_dispatch/railtie.rb +3 -0
- data/lib/action_dispatch/request/session.rb +8 -0
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/routing/inspector.rb +99 -50
- data/lib/action_dispatch/routing/mapper.rb +60 -38
- data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
- data/lib/action_dispatch/routing/route_set.rb +24 -27
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/system_test_case.rb +23 -2
- data/lib/action_dispatch/system_testing/browser.rb +38 -7
- data/lib/action_dispatch/system_testing/driver.rb +10 -1
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +6 -5
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +7 -5
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +2 -3
- data/lib/action_dispatch/testing/assertions/routing.rb +15 -3
- data/lib/action_dispatch/testing/integration.rb +12 -5
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +2 -2
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +3 -3
- metadata +25 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: b8db1d871d96c2bc367142553c0904b94c3d97016dabf79b4a6b8937bca18936
|
4
|
+
data.tar.gz: 667375200f2d159a53b70dbf607d35c37422e4289dbede8ff83da7cebad95f47
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e19317e121515e9866836182682c94f5d71f9d70236c710a41680ae9caa4b2376f888e975ff287a6cbb1f187547c59e9f7583ab410a2f437a01b2a57abf725c1
|
7
|
+
data.tar.gz: 21557eab0cd33607cbbd3e020d2dae220df079be98ccdeca0e93340824801f695a01fb882de686d9eddddeb2eaf5d165eec64d2eaa40981537baa8379bb98cc3
|
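Review bot: the `-` side of this checksums.yaml hunk carries only the key names (`metadata.gz:`, `data.tar.gz:` at old lines 3, 4, 6 and 7) with the 5.2.3 SHA256 and SHA512 values stripped, while the `+` side shows the full 6.0.0 digests; as rendered, the hunk therefore cannot be used to compare the two releases' checksums, and anyone relying on this page for supply-chain verification should check the `+` values for `metadata.gz` and `data.tar.gz` against the digests published for the actionpack 6.0.0 gem rather than against this diff.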
data/CHANGELOG.md
CHANGED
@@ -1,429 +1,311 @@
|
|
1
|
-
## Rails
|
2
|
-
|
3
|
-
* Allow using combine the Cache Control `public` and `no-cache` headers.
|
4
|
-
|
5
|
-
Before this change, even if `public` was specified for Cache Control header,
|
6
|
-
it was excluded when `no-cache` was included. This fixed to keep `public`
|
7
|
-
header as is.
|
8
|
-
|
9
|
-
Fixes #34780.
|
10
|
-
|
11
|
-
*Yuji Yaginuma*
|
12
|
-
|
13
|
-
* Allow `nil` params for `ActionController::TestCase`.
|
14
|
-
|
15
|
-
*Ryo Nakamura*
|
16
|
-
|
17
|
-
|
18
|
-
## Rails 5.2.2.1 (March 11, 2019) ##
|
1
|
+
## Rails 6.0.0 (August 16, 2019) ##
|
19
2
|
|
20
3
|
* No changes.
|
21
4
|
|
22
5
|
|
23
|
-
## Rails
|
24
|
-
|
25
|
-
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
26
|
-
|
27
|
-
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
28
|
-
in system test `after_teardown`.
|
29
|
-
|
30
|
-
*Maxim Perepelitsa*
|
31
|
-
|
32
|
-
* Use request object for context if there's no controller
|
6
|
+
## Rails 6.0.0.rc2 (July 22, 2019) ##
|
33
7
|
|
34
|
-
|
35
|
-
mounted rack application so pass the request object as the context
|
36
|
-
when resolving dynamic CSP sources in this scenario.
|
8
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
37
9
|
|
38
|
-
Fixes #
|
10
|
+
Fixes #35137.
|
39
11
|
|
40
|
-
*
|
12
|
+
*Yuji Yaginuma*
|
41
13
|
|
42
|
-
*
|
14
|
+
* Keep part when scope option has value.
|
43
15
|
|
44
|
-
|
45
|
-
|
16
|
+
When a route was defined within an optional scope, if that route didn't
|
17
|
+
take parameters the scope was lost when using path helpers. This commit
|
18
|
+
ensures scope is kept both when the route takes parameters or when it
|
19
|
+
doesn't.
|
46
20
|
|
47
|
-
|
21
|
+
Fixes #33219
|
48
22
|
|
49
|
-
|
50
|
-
|
51
|
-
Content-Security-Policy: default-src self
|
23
|
+
*Alberto Almagro*
|
52
24
|
|
53
|
-
|
25
|
+
* Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
|
54
26
|
|
55
|
-
|
27
|
+
Previously, `ActionDispatch::Response#content_type` returned value does NOT
|
28
|
+
contain charset part. This behavior changed to returned Content-Type header
|
29
|
+
containing charset part as it is.
|
56
30
|
|
57
|
-
|
31
|
+
If you want just MIME type, please use `ActionDispatch::Response#media_type`
|
32
|
+
instead.
|
58
33
|
|
59
|
-
|
34
|
+
Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
|
35
|
+
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
36
|
+
value as before version, but its behavior is deprecate.
|
60
37
|
|
61
|
-
*
|
38
|
+
*Yuji Yaginuma*
|
62
39
|
|
63
|
-
*
|
40
|
+
* Calling `ActionController::Parameters#transform_keys/!` without a block now returns
|
41
|
+
an enumerator for the parameters instead of the underlying hash.
|
64
42
|
|
65
|
-
*
|
43
|
+
*Eugene Kenny*
|
66
44
|
|
45
|
+
* Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
|
67
46
|
|
68
|
-
|
47
|
+
*Yuki Nishijima*, *Stan Lo*
|
69
48
|
|
70
|
-
* No changes.
|
71
49
|
|
50
|
+
## Rails 6.0.0.rc1 (April 24, 2019) ##
|
72
51
|
|
73
|
-
|
52
|
+
* Make system tests take a failed screenshot in a `before_teardown` hook
|
53
|
+
rather than an `after_teardown` hook.
|
74
54
|
|
75
|
-
|
55
|
+
This helps minimize the time gap between when an assertion fails and when
|
56
|
+
the screenshot is taken (reducing the time in which the page could have
|
57
|
+
been dynamically updated after the assertion failed).
|
76
58
|
|
77
|
-
|
78
|
-
there are none.
|
59
|
+
*Richard Macklin*
|
79
60
|
|
80
|
-
|
61
|
+
* Introduce `ActionDispatch::ActionableExceptions`.
|
81
62
|
|
82
|
-
|
63
|
+
The `ActionDispatch::ActionableExceptions` middleware dispatches actions
|
64
|
+
from `ActiveSupport::ActionableError` descendants.
|
83
65
|
|
84
|
-
|
66
|
+
Actionable errors let's you dispatch actions from Rails' error pages.
|
85
67
|
|
86
|
-
*
|
87
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
88
|
-
parameters.
|
68
|
+
*Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
|
89
69
|
|
90
|
-
|
70
|
+
* Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
|
91
71
|
|
92
|
-
|
72
|
+
After this change it's not possible anymore to configure routes like this:
|
93
73
|
|
94
|
-
Given:
|
95
74
|
```
|
96
|
-
|
97
|
-
|
75
|
+
routes.draw do
|
76
|
+
resources :users, param: 'name/:sneaky'
|
77
|
+
end
|
98
78
|
```
|
99
79
|
|
100
|
-
|
101
|
-
|
102
|
-
*Steve Hull*
|
103
|
-
|
104
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
105
|
-
`ActionController::TestCase` subclasses.
|
106
|
-
|
107
|
-
*Eugene Kenny*
|
108
|
-
|
109
|
-
* Output only one Content-Security-Policy nonce header value per request.
|
110
|
-
|
111
|
-
Fixes #32597.
|
112
|
-
|
113
|
-
*Andrey Novikov*, *Andrew White*
|
114
|
-
|
115
|
-
* Only disable GPUs for headless Chrome on Windows.
|
116
|
-
|
117
|
-
It is not necessary anymore for Linux and macOS machines.
|
118
|
-
|
119
|
-
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
120
|
-
|
121
|
-
*Stefan Wrobel*
|
122
|
-
|
123
|
-
* Fix system tests transactions not closed between examples.
|
124
|
-
|
125
|
-
*Sergey Tarasov*
|
80
|
+
Fixes #30467.
|
126
81
|
|
82
|
+
*Josua Schmid*
|
127
83
|
|
128
|
-
## Rails 5.2.0 (April 09, 2018) ##
|
129
84
|
|
130
|
-
|
85
|
+
## Rails 6.0.0.beta3 (March 11, 2019) ##
|
131
86
|
|
132
|
-
|
87
|
+
* No changes.
|
133
88
|
|
134
|
-
* Always yield a CSP policy instance from `content_security_policy`
|
135
89
|
|
136
|
-
|
137
|
-
for a controller and/or specific actions.
|
90
|
+
## Rails 6.0.0.beta2 (February 25, 2019) ##
|
138
91
|
|
139
|
-
|
92
|
+
* Make debug exceptions works in an environment where ActiveStorage is not loaded.
|
140
93
|
|
141
|
-
*
|
94
|
+
*Tomoyuki Kurosawa*
|
142
95
|
|
143
|
-
|
144
|
-
|
145
|
-
end
|
96
|
+
* `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
|
97
|
+
to define specific browser capabilities.
|
146
98
|
|
147
|
-
*
|
99
|
+
*Edouard Chin*
|
148
100
|
|
149
|
-
* Add alias method `to_hash` to `to_h` for `cookies`.
|
150
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
151
101
|
|
152
|
-
|
102
|
+
## Rails 6.0.0.beta1 (January 18, 2019) ##
|
153
103
|
|
154
|
-
*
|
155
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
104
|
+
* Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
|
156
105
|
|
157
|
-
*
|
158
|
-
|
159
|
-
* Add support for automatic nonce generation for Rails UJS.
|
160
|
-
|
161
|
-
Because the UJS library creates a script tag to process responses it
|
162
|
-
normally requires the script-src attribute of the content security
|
163
|
-
policy to include 'unsafe-inline'.
|
106
|
+
*Rafael Mendonça França*
|
164
107
|
|
165
|
-
|
166
|
-
embedded in a meta tag in a similar fashion to how CSRF protection
|
167
|
-
embeds its token in a meta tag. The UJS library can then read the
|
168
|
-
nonce value and set it on the dynamically generated script tag to
|
169
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
108
|
+
* Remove deprecated methods in `ActionDispatch::TestResponse`.
|
170
109
|
|
171
|
-
|
172
|
-
|
173
|
-
an XSS vulnerability which can take advantage of the nonce. It is
|
174
|
-
however an improvement on a blanket permission for inline scripts.
|
110
|
+
`#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
|
111
|
+
`#successful?`, `not_found?` and `server_error?`.
|
175
112
|
|
176
|
-
|
177
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
113
|
+
*Rafael Mendonça França*
|
178
114
|
|
179
|
-
|
180
|
-
alert('Hello, World!');
|
181
|
-
<% end %>
|
115
|
+
* Introduce `ActionDispatch::HostAuthorization`.
|
182
116
|
|
183
|
-
|
117
|
+
This is a new middleware that guards against DNS rebinding attacks by
|
118
|
+
explicitly permitting the hosts a request can be made to.
|
184
119
|
|
185
|
-
|
120
|
+
Each host is checked with the case operator (`#===`) to support `Regexp`,
|
121
|
+
`Proc`, `IPAddr` and custom objects as host allowances.
|
186
122
|
|
187
|
-
*
|
123
|
+
*Genadi Samokovarov*
|
188
124
|
|
189
|
-
|
125
|
+
* Allow using `parsed_body` in `ActionController::TestCase`.
|
190
126
|
|
191
|
-
|
127
|
+
In addition to `ActionDispatch::IntegrationTest`, allow using
|
128
|
+
`parsed_body` in `ActionController::TestCase`:
|
192
129
|
|
193
|
-
|
130
|
+
```
|
131
|
+
class SomeControllerTest < ActionController::TestCase
|
132
|
+
def test_some_action
|
133
|
+
post :action, body: { foo: 'bar' }
|
134
|
+
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
135
|
+
end
|
136
|
+
end
|
137
|
+
```
|
194
138
|
|
195
|
-
|
196
|
-
user haven't specified manually another server.
|
139
|
+
Fixes #34676.
|
197
140
|
|
198
|
-
*
|
141
|
+
*Tobias Bühlmann*
|
199
142
|
|
200
|
-
*
|
201
|
-
default headers set.
|
143
|
+
* Raise an error on root route naming conflicts.
|
202
144
|
|
203
|
-
|
145
|
+
Raises an `ArgumentError` when multiple root routes are defined in the
|
146
|
+
same context instead of assigning nil names to subsequent roots.
|
204
147
|
|
205
|
-
*
|
148
|
+
*Gannon McGibbon*
|
206
149
|
|
207
|
-
|
150
|
+
* Allow rescue from parameter parse errors:
|
208
151
|
|
209
|
-
|
152
|
+
```
|
153
|
+
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
154
|
+
head :unauthorized
|
155
|
+
end
|
156
|
+
```
|
210
157
|
|
211
|
-
|
212
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
213
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
214
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
215
|
-
path, it dumps binary into the terminal.
|
158
|
+
*Gannon McGibbon*, *Josh Cheek*
|
216
159
|
|
217
|
-
|
160
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
218
161
|
|
219
|
-
|
162
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
163
|
+
in system test `after_teardown`.
|
220
164
|
|
221
|
-
*
|
165
|
+
*Maxim Perepelitsa*
|
222
166
|
|
223
|
-
|
167
|
+
* Use request object for context if there's no controller
|
224
168
|
|
225
|
-
|
169
|
+
There is no controller instance when using a redirect route or a
|
170
|
+
mounted rack application so pass the request object as the context
|
171
|
+
when resolving dynamic CSP sources in this scenario.
|
226
172
|
|
227
|
-
Fixes #
|
173
|
+
Fixes #34200.
|
228
174
|
|
229
175
|
*Andrew White*
|
230
176
|
|
231
|
-
*
|
232
|
-
|
233
|
-
The DSL allows you to configure a global Content-Security-Policy
|
234
|
-
header and then override within a controller. For more information
|
235
|
-
about the Content-Security-Policy header see MDN:
|
236
|
-
|
237
|
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
238
|
-
|
239
|
-
Example global policy:
|
240
|
-
|
241
|
-
# config/initializers/content_security_policy.rb
|
242
|
-
Rails.application.config.content_security_policy do |p|
|
243
|
-
p.default_src :self, :https
|
244
|
-
p.font_src :self, :https, :data
|
245
|
-
p.img_src :self, :https, :data
|
246
|
-
p.object_src :none
|
247
|
-
p.script_src :self, :https
|
248
|
-
p.style_src :self, :https, :unsafe_inline
|
249
|
-
end
|
250
|
-
|
251
|
-
Example controller overrides:
|
252
|
-
|
253
|
-
# Override policy inline
|
254
|
-
class PostsController < ApplicationController
|
255
|
-
content_security_policy do |p|
|
256
|
-
p.upgrade_insecure_requests true
|
257
|
-
end
|
258
|
-
end
|
177
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
259
178
|
|
260
|
-
|
261
|
-
|
262
|
-
content_security_policy do |p|
|
263
|
-
p.base_uri "https://www.example.com"
|
264
|
-
end
|
265
|
-
end
|
179
|
+
Previously if a dynamic source returned a symbol such as :self it
|
180
|
+
would be converted to a string implicitly, e.g:
|
266
181
|
|
267
|
-
|
268
|
-
class PostsController < ApplicationController
|
269
|
-
content_security_policy do |p|
|
270
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
271
|
-
end
|
272
|
-
end
|
182
|
+
policy.default_src -> { :self }
|
273
183
|
|
274
|
-
|
275
|
-
legacy content using the `content_security_policy_report_only`
|
276
|
-
configuration attribute, e.g;
|
184
|
+
would generate the header:
|
277
185
|
|
278
|
-
|
279
|
-
Rails.application.config.content_security_policy_report_only = true
|
186
|
+
Content-Security-Policy: default-src self
|
280
187
|
|
281
|
-
|
282
|
-
class PostsController < ApplicationController
|
283
|
-
content_security_policy_report_only only: :index
|
284
|
-
end
|
188
|
+
and now it generates:
|
285
189
|
|
286
|
-
|
287
|
-
reasons since the header is calculated at runtime.
|
190
|
+
Content-Security-Policy: default-src 'self'
|
288
191
|
|
289
192
|
*Andrew White*
|
290
193
|
|
291
|
-
*
|
292
|
-
|
293
|
-
*Yuichiro Kaneko*
|
294
|
-
|
295
|
-
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
296
|
-
|
297
|
-
*Rafael Mendonça França*
|
298
|
-
|
299
|
-
* Add `:allow_other_host` option to `redirect_back` method.
|
300
|
-
|
301
|
-
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
302
|
-
different host. `allow_other_host` is `true` by default.
|
303
|
-
|
304
|
-
*Tim Masliuchenko*
|
305
|
-
|
306
|
-
* Add headless chrome support to System Tests.
|
307
|
-
|
308
|
-
*Yuji Yaginuma*
|
309
|
-
|
310
|
-
* Add ability to enable Early Hints for HTTP/2
|
194
|
+
* Add `ActionController::Parameters#each_value`.
|
311
195
|
|
312
|
-
|
196
|
+
*Lukáš Zapletal*
|
313
197
|
|
314
|
-
|
198
|
+
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
|
315
199
|
|
316
|
-
*
|
317
|
-
|
318
|
-
* Simplify cookies middleware with key rotation support
|
200
|
+
*Yoshiyuki Kinjo*
|
319
201
|
|
320
|
-
|
321
|
-
`
|
322
|
-
|
323
|
-
|
202
|
+
* Encode Content-Disposition filenames on `send_data` and `send_file`.
|
203
|
+
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
204
|
+
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
205
|
+
garbled.
|
206
|
+
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
207
|
+
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
208
|
+
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
209
|
+
Most browsers can find filename correctly and old browsers fallback to ASCII
|
210
|
+
converted name.
|
324
211
|
|
325
|
-
*
|
212
|
+
*Fumiaki Matsushima*
|
326
213
|
|
327
|
-
*
|
214
|
+
* Expose `ActionController::Parameters#each_key` which allows iterating over
|
215
|
+
keys without allocating an array.
|
328
216
|
|
329
|
-
|
330
|
-
connection sharing and open request detection work correctly by default.
|
217
|
+
*Richard Schneeman*
|
331
218
|
|
332
|
-
|
219
|
+
* Purpose metadata for signed/encrypted cookies.
|
333
220
|
|
334
|
-
|
221
|
+
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
222
|
+
of a cookie and use it as the value of another cookie.
|
335
223
|
|
336
|
-
|
337
|
-
|
224
|
+
It does so by stashing the cookie-name in the purpose field which is
|
225
|
+
then signed/encrypted along with the cookie value. Then, on a server-side
|
226
|
+
read, we verify the cookie-names and discard any attacked cookies.
|
338
227
|
|
339
|
-
|
228
|
+
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
229
|
+
writes cookies with the new purpose and expiry metadata embedded.
|
340
230
|
|
341
231
|
*Assain Jaleel*
|
342
232
|
|
343
|
-
*
|
233
|
+
* Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
|
344
234
|
|
345
|
-
|
346
|
-
|
347
|
-
It does so by stashing the expiry within the written cookie and relying on the
|
348
|
-
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
349
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
350
|
-
|
351
|
-
Pull Request: #30121
|
352
|
-
|
353
|
-
*Assain Jaleel*
|
235
|
+
`respond_to` can match multiple types and lead to undefined behavior when
|
236
|
+
multiple invocations are made and the types do not match:
|
354
237
|
|
355
|
-
|
238
|
+
respond_to do |outer_type|
|
239
|
+
outer_type.js do
|
240
|
+
respond_to do |inner_type|
|
241
|
+
inner_type.html { render body: "HTML" }
|
242
|
+
end
|
243
|
+
end
|
244
|
+
end
|
356
245
|
|
357
|
-
|
246
|
+
*Patrick Toomey*
|
358
247
|
|
359
|
-
|
248
|
+
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
360
249
|
|
361
|
-
|
250
|
+
This allows uploaded file objects to be passed directly to `File.read`
|
251
|
+
without raising a `TypeError`:
|
362
252
|
|
363
|
-
|
364
|
-
|
365
|
-
use the response helpers provided by `Rack::Response`.
|
253
|
+
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
254
|
+
File.read(uploaded_file)
|
366
255
|
|
367
|
-
*
|
256
|
+
*Aaron Kromer*
|
368
257
|
|
369
|
-
*
|
258
|
+
* Pass along arguments to underlying `get` method in `follow_redirect!`
|
370
259
|
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
defaults to false to support older versions which have removed it from their
|
375
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
260
|
+
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
261
|
+
`get` method. This for example allows to set custom headers for the
|
262
|
+
redirection request to the server.
|
376
263
|
|
377
|
-
|
264
|
+
follow_redirect!(params: { foo: :bar })
|
378
265
|
|
379
|
-
*
|
266
|
+
*Remo Fritzsche*
|
380
267
|
|
381
|
-
|
268
|
+
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
382
269
|
|
383
|
-
|
270
|
+
Now instead of showing an error page that with exception and backtraces we now show only
|
271
|
+
one informative page.
|
384
272
|
|
385
|
-
|
386
|
-
`driven_by` will register the driver and set additional options passed via
|
387
|
-
the `:options` parameter.
|
273
|
+
*Vinicius Stock*
|
388
274
|
|
389
|
-
|
275
|
+
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
|
390
276
|
|
391
|
-
|
277
|
+
Exception aware plugin authors can use the newly introduced
|
278
|
+
`.register_interceptor` method to get the processed exception, instead of
|
279
|
+
monkey patching DebugExceptions.
|
392
280
|
|
393
|
-
|
281
|
+
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
282
|
+
HypoteticalPlugin.capture_exception(request, exception)
|
283
|
+
end
|
394
284
|
|
395
|
-
|
396
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
397
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
398
|
-
this new mode is enabled via the
|
399
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
285
|
+
*Genadi Samokovarov*
|
400
286
|
|
401
|
-
|
287
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
402
288
|
|
403
|
-
|
289
|
+
Fixes #32597.
|
404
290
|
|
405
|
-
|
406
|
-
^template path ^template tree digest ^class ^id
|
291
|
+
*Andrey Novikov*, *Andrew White*
|
407
292
|
|
408
|
-
|
293
|
+
* Move default headers configuration into their own module that can be included in controllers.
|
409
294
|
|
410
|
-
*
|
411
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
412
|
-
to support it.
|
295
|
+
*Kevin Deisz*
|
413
296
|
|
414
|
-
|
297
|
+
* Add method `dig` to `session`.
|
415
298
|
|
416
|
-
*
|
299
|
+
*claudiob*, *Takumi Shotoku*
|
417
300
|
|
418
|
-
|
419
|
-
|
420
|
-
may not exist in a certain implementation.
|
301
|
+
* Controller level `force_ssl` has been deprecated in favor of
|
302
|
+
`config.force_ssl`.
|
421
303
|
|
422
|
-
|
304
|
+
*Derek Prior*
|
423
305
|
|
424
|
-
|
306
|
+
* Rails 6 requires Ruby 2.5.0 or newer.
|
425
307
|
|
426
|
-
*
|
308
|
+
*Jeremy Daer*, *Kasper Timm Hansen*
|
427
309
|
|
428
310
|
|
429
|
-
Please check [5-
|
311
|
+
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|
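Review bot: two of the security-relevant entries added in the 6.0.0.beta1 block are opt-in and say so only in passing, which an upgrade from 5.2.3 should surface more prominently: purpose metadata for signed/encrypted cookies takes effect only when `action_dispatch.use_cookies_with_metadata` is enabled, and the `ActionDispatch::Response#content_type` change (returning the Content-Type header with its charset, with `#media_type` for the bare MIME type) only when `action_dispatch.return_only_media_type_on_content_type` is enabled, so an application that bumps the gem without updating its framework defaults gets neither. The same upgrade notes should list the other defaults-affecting entries visible here: the new `ActionDispatch::HostAuthorization` middleware (hosts matched with `#===`, so `Regexp`, `Proc`, `IPAddr` and custom objects are accepted), the deprecation of controller-level `force_ssl` in favor of `config.force_ssl`, the `ArgumentError` now raised for a resource custom param containing a colon, and the RFC 2231/5987 encoding of Content-Disposition filenames in `send_data` and `send_file`. Note also that most removed 5.2 entries on the `-` side of this rendering are truncated to a bare `*`, `Fixes #` or `Please check [5-`, so this hunk cannot be used to confirm what was dropped from the changelog.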