actionpack 5.2.3 → 6.0.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (127) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +181 -299
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +3 -2
  5. data/lib/abstract_controller/base.rb +4 -2
  6. data/lib/abstract_controller/caching/fragments.rb +6 -22
  7. data/lib/abstract_controller/callbacks.rb +12 -0
  8. data/lib/abstract_controller/collector.rb +1 -1
  9. data/lib/abstract_controller/helpers.rb +2 -2
  10. data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
  11. data/lib/abstract_controller/translation.rb +1 -0
  12. data/lib/action_controller.rb +1 -0
  13. data/lib/action_controller/api.rb +2 -1
  14. data/lib/action_controller/base.rb +2 -7
  15. data/lib/action_controller/caching.rb +1 -1
  16. data/lib/action_controller/log_subscriber.rb +8 -5
  17. data/lib/action_controller/metal.rb +3 -3
  18. data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
  19. data/lib/action_controller/metal/conditional_get.rb +9 -3
  20. data/lib/action_controller/metal/data_streaming.rb +5 -6
  21. data/lib/action_controller/metal/default_headers.rb +17 -0
  22. data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
  23. data/lib/action_controller/metal/exceptions.rb +22 -1
  24. data/lib/action_controller/metal/flash.rb +5 -5
  25. data/lib/action_controller/metal/force_ssl.rb +15 -56
  26. data/lib/action_controller/metal/head.rb +1 -1
  27. data/lib/action_controller/metal/helpers.rb +3 -4
  28. data/lib/action_controller/metal/http_authentication.rb +20 -21
  29. data/lib/action_controller/metal/implicit_render.rb +4 -14
  30. data/lib/action_controller/metal/instrumentation.rb +3 -5
  31. data/lib/action_controller/metal/live.rb +29 -27
  32. data/lib/action_controller/metal/mime_responds.rb +13 -2
  33. data/lib/action_controller/metal/params_wrapper.rb +17 -13
  34. data/lib/action_controller/metal/redirecting.rb +5 -5
  35. data/lib/action_controller/metal/renderers.rb +4 -4
  36. data/lib/action_controller/metal/rendering.rb +2 -2
  37. data/lib/action_controller/metal/request_forgery_protection.rb +23 -12
  38. data/lib/action_controller/metal/strong_parameters.rb +63 -44
  39. data/lib/action_controller/metal/url_for.rb +1 -1
  40. data/lib/action_controller/railties/helpers.rb +1 -1
  41. data/lib/action_controller/renderer.rb +16 -3
  42. data/lib/action_controller/template_assertions.rb +1 -1
  43. data/lib/action_controller/test_case.rb +1 -4
  44. data/lib/action_dispatch.rb +4 -2
  45. data/lib/action_dispatch/http/cache.rb +14 -10
  46. data/lib/action_dispatch/http/content_disposition.rb +45 -0
  47. data/lib/action_dispatch/http/content_security_policy.rb +28 -16
  48. data/lib/action_dispatch/http/filter_parameters.rb +8 -6
  49. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  50. data/lib/action_dispatch/http/headers.rb +1 -1
  51. data/lib/action_dispatch/http/mime_negotiation.rb +7 -5
  52. data/lib/action_dispatch/http/mime_type.rb +14 -6
  53. data/lib/action_dispatch/http/parameter_filter.rb +5 -79
  54. data/lib/action_dispatch/http/parameters.rb +13 -3
  55. data/lib/action_dispatch/http/request.rb +10 -13
  56. data/lib/action_dispatch/http/response.rb +30 -15
  57. data/lib/action_dispatch/http/upload.rb +9 -1
  58. data/lib/action_dispatch/http/url.rb +81 -81
  59. data/lib/action_dispatch/journey/formatter.rb +2 -2
  60. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
  61. data/lib/action_dispatch/journey/nodes/node.rb +9 -8
  62. data/lib/action_dispatch/journey/path/pattern.rb +8 -3
  63. data/lib/action_dispatch/journey/route.rb +5 -4
  64. data/lib/action_dispatch/journey/router.rb +0 -3
  65. data/lib/action_dispatch/journey/router/utils.rb +10 -10
  66. data/lib/action_dispatch/journey/routes.rb +0 -1
  67. data/lib/action_dispatch/journey/scanner.rb +11 -4
  68. data/lib/action_dispatch/journey/visitors.rb +1 -1
  69. data/lib/action_dispatch/middleware/actionable_exceptions.rb +39 -0
  70. data/lib/action_dispatch/middleware/callbacks.rb +2 -4
  71. data/lib/action_dispatch/middleware/cookies.rb +52 -74
  72. data/lib/action_dispatch/middleware/debug_exceptions.rb +39 -59
  73. data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
  74. data/lib/action_dispatch/middleware/debug_view.rb +68 -0
  75. data/lib/action_dispatch/middleware/exception_wrapper.rb +49 -15
  76. data/lib/action_dispatch/middleware/flash.rb +1 -1
  77. data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
  78. data/lib/action_dispatch/middleware/public_exceptions.rb +6 -2
  79. data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
  80. data/lib/action_dispatch/middleware/request_id.rb +2 -2
  81. data/lib/action_dispatch/middleware/session/cookie_store.rb +1 -6
  82. data/lib/action_dispatch/middleware/show_exceptions.rb +1 -1
  83. data/lib/action_dispatch/middleware/ssl.rb +8 -8
  84. data/lib/action_dispatch/middleware/stack.rb +34 -2
  85. data/lib/action_dispatch/middleware/static.rb +5 -6
  86. data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
  87. data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
  88. data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
  89. data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
  90. data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
  91. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
  92. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
  93. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
  94. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -4
  95. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
  96. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +7 -4
  97. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -2
  98. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +4 -0
  99. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
  100. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
  101. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
  102. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
  103. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
  104. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
  105. data/lib/action_dispatch/railtie.rb +3 -0
  106. data/lib/action_dispatch/request/session.rb +8 -0
  107. data/lib/action_dispatch/routing.rb +21 -20
  108. data/lib/action_dispatch/routing/inspector.rb +99 -50
  109. data/lib/action_dispatch/routing/mapper.rb +60 -38
  110. data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
  111. data/lib/action_dispatch/routing/route_set.rb +24 -27
  112. data/lib/action_dispatch/routing/url_for.rb +1 -0
  113. data/lib/action_dispatch/system_test_case.rb +23 -2
  114. data/lib/action_dispatch/system_testing/browser.rb +38 -7
  115. data/lib/action_dispatch/system_testing/driver.rb +10 -1
  116. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +6 -5
  117. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +7 -5
  118. data/lib/action_dispatch/testing/assertions.rb +1 -1
  119. data/lib/action_dispatch/testing/assertions/response.rb +2 -3
  120. data/lib/action_dispatch/testing/assertions/routing.rb +15 -3
  121. data/lib/action_dispatch/testing/integration.rb +12 -5
  122. data/lib/action_dispatch/testing/request_encoder.rb +2 -2
  123. data/lib/action_dispatch/testing/test_process.rb +2 -2
  124. data/lib/action_dispatch/testing/test_response.rb +4 -32
  125. data/lib/action_pack.rb +1 -1
  126. data/lib/action_pack/gem_version.rb +3 -3
  127. metadata +25 -14
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: fdbc11b76565d6d325a51b67c7a598b0a70c33e3e26c849dc57733e3fa7c0833
4
- data.tar.gz: 3afcd1526eb36e16fd199bb242fb232ddc3c01125e0d1306c94d31b315e93039
3
+ metadata.gz: b8db1d871d96c2bc367142553c0904b94c3d97016dabf79b4a6b8937bca18936
4
+ data.tar.gz: 667375200f2d159a53b70dbf607d35c37422e4289dbede8ff83da7cebad95f47
5
5
  SHA512:
6
- metadata.gz: 3122260924160e941c750fba0e3a671b2b2f40723c9c6766fae0f3987ac9521332d3a4128959fa61b993d72bd0539b7925ebb785b50d9b9811514897a2d5bf9e
7
- data.tar.gz: 4be02fcd7f87d2b725ba823274bc2c40eb367a2a26d7b1b53da8e4df699eae389fec796ff5164c7cb721426fa6cdf8f8b5ae5b6d74a712e5631e5e1ded283717
6
+ metadata.gz: e19317e121515e9866836182682c94f5d71f9d70236c710a41680ae9caa4b2376f888e975ff287a6cbb1f187547c59e9f7583ab410a2f437a01b2a57abf725c1
7
+ data.tar.gz: 21557eab0cd33607cbbd3e020d2dae220df079be98ccdeca0e93340824801f695a01fb882de686d9eddddeb2eaf5d165eec64d2eaa40981537baa8379bb98cc3
@@ -1,429 +1,311 @@
1
- ## Rails 5.2.3 (March 27, 2019) ##
2
-
3
- * Allow using combine the Cache Control `public` and `no-cache` headers.
4
-
5
- Before this change, even if `public` was specified for Cache Control header,
6
- it was excluded when `no-cache` was included. This fixed to keep `public`
7
- header as is.
8
-
9
- Fixes #34780.
10
-
11
- *Yuji Yaginuma*
12
-
13
- * Allow `nil` params for `ActionController::TestCase`.
14
-
15
- *Ryo Nakamura*
16
-
17
-
18
- ## Rails 5.2.2.1 (March 11, 2019) ##
1
+ ## Rails 6.0.0 (August 16, 2019) ##
19
2
 
20
3
  * No changes.
21
4
 
22
5
 
23
- ## Rails 5.2.2 (December 04, 2018) ##
24
-
25
- * Reset Capybara sessions if failed system test screenshot raising an exception.
26
-
27
- Reset Capybara sessions if `take_failed_screenshot` raise exception
28
- in system test `after_teardown`.
29
-
30
- *Maxim Perepelitsa*
31
-
32
- * Use request object for context if there's no controller
6
+ ## Rails 6.0.0.rc2 (July 22, 2019) ##
33
7
 
34
- There is no controller instance when using a redirect route or a
35
- mounted rack application so pass the request object as the context
36
- when resolving dynamic CSP sources in this scenario.
8
+ * Add the ability to set the CSP nonce only to the specified directives.
37
9
 
38
- Fixes #34200.
10
+ Fixes #35137.
39
11
 
40
- *Andrew White*
12
+ *Yuji Yaginuma*
41
13
 
42
- * Apply mapping to symbols returned from dynamic CSP sources
14
+ * Keep part when scope option has value.
43
15
 
44
- Previously if a dynamic source returned a symbol such as :self it
45
- would be converted to a string implicity, e.g:
16
+ When a route was defined within an optional scope, if that route didn't
17
+ take parameters the scope was lost when using path helpers. This commit
18
+ ensures scope is kept both when the route takes parameters or when it
19
+ doesn't.
46
20
 
47
- policy.default_src -> { :self }
21
+ Fixes #33219
48
22
 
49
- would generate the header:
50
-
51
- Content-Security-Policy: default-src self
23
+ *Alberto Almagro*
52
24
 
53
- and now it generates:
25
+ * Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
54
26
 
55
- Content-Security-Policy: default-src 'self'
27
+ Previously, `ActionDispatch::Response#content_type` returned value does NOT
28
+ contain charset part. This behavior changed to returned Content-Type header
29
+ containing charset part as it is.
56
30
 
57
- *Andrew White*
31
+ If you want just MIME type, please use `ActionDispatch::Response#media_type`
32
+ instead.
58
33
 
59
- * Fix `rails routes -c` for controller name consists of multiple word.
34
+ Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
35
+ If not enabled, `ActionDispatch::Response#content_type` returns the same
36
+ value as before version, but its behavior is deprecate.
60
37
 
61
- *Yoshiyuki Kinjo*
38
+ *Yuji Yaginuma*
62
39
 
63
- * Call the `#redirect_to` block in controller context.
40
+ * Calling `ActionController::Parameters#transform_keys/!` without a block now returns
41
+ an enumerator for the parameters instead of the underlying hash.
64
42
 
65
- *Steven Peckins*
43
+ *Eugene Kenny*
66
44
 
45
+ * Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
67
46
 
68
- ## Rails 5.2.1.1 (November 27, 2018) ##
47
+ *Yuki Nishijima*, *Stan Lo*
69
48
 
70
- * No changes.
71
49
 
50
+ ## Rails 6.0.0.rc1 (April 24, 2019) ##
72
51
 
73
- ## Rails 5.2.1 (August 07, 2018) ##
52
+ * Make system tests take a failed screenshot in a `before_teardown` hook
53
+ rather than an `after_teardown` hook.
74
54
 
75
- * Prevent `?null=` being passed on JSON encoded test requests.
55
+ This helps minimize the time gap between when an assertion fails and when
56
+ the screenshot is taken (reducing the time in which the page could have
57
+ been dynamically updated after the assertion failed).
76
58
 
77
- `RequestEncoder#encode_params` won't attempt to parse params if
78
- there are none.
59
+ *Richard Macklin*
79
60
 
80
- So call like this will no longer append a `?null=` query param.
61
+ * Introduce `ActionDispatch::ActionableExceptions`.
81
62
 
82
- get foos_url, as: :json
63
+ The `ActionDispatch::ActionableExceptions` middleware dispatches actions
64
+ from `ActiveSupport::ActionableError` descendants.
83
65
 
84
- *Alireza Bashiri*
66
+ Actionable errors let's you dispatch actions from Rails' error pages.
85
67
 
86
- * Ensure `ActionController::Parameters#transform_values` and
87
- `ActionController::Parameters#transform_values!` converts hashes into
88
- parameters.
68
+ *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
89
69
 
90
- *Kevin Sjöberg*
70
+ * Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
91
71
 
92
- * Fix strong parameters `permit!` with nested arrays.
72
+ After this change it's not possible anymore to configure routes like this:
93
73
 
94
- Given:
95
74
  ```
96
- params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
97
- params.permit!
75
+ routes.draw do
76
+ resources :users, param: 'name/:sneaky'
77
+ end
98
78
  ```
99
79
 
100
- `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
101
-
102
- *Steve Hull*
103
-
104
- * Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
105
- `ActionController::TestCase` subclasses.
106
-
107
- *Eugene Kenny*
108
-
109
- * Output only one Content-Security-Policy nonce header value per request.
110
-
111
- Fixes #32597.
112
-
113
- *Andrey Novikov*, *Andrew White*
114
-
115
- * Only disable GPUs for headless Chrome on Windows.
116
-
117
- It is not necessary anymore for Linux and macOS machines.
118
-
119
- https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
120
-
121
- *Stefan Wrobel*
122
-
123
- * Fix system tests transactions not closed between examples.
124
-
125
- *Sergey Tarasov*
80
+ Fixes #30467.
126
81
 
82
+ *Josua Schmid*
127
83
 
128
- ## Rails 5.2.0 (April 09, 2018) ##
129
84
 
130
- * Check exclude before flagging cookies as secure.
85
+ ## Rails 6.0.0.beta3 (March 11, 2019) ##
131
86
 
132
- *Catherine Khuu*
87
+ * No changes.
133
88
 
134
- * Always yield a CSP policy instance from `content_security_policy`
135
89
 
136
- This allows a controller action to enable the policy individually
137
- for a controller and/or specific actions.
90
+ ## Rails 6.0.0.beta2 (February 25, 2019) ##
138
91
 
139
- *Andrew White*
92
+ * Make debug exceptions works in an environment where ActiveStorage is not loaded.
140
93
 
141
- * Add the ability to disable the global CSP in a controller, e.g:
94
+ *Tomoyuki Kurosawa*
142
95
 
143
- class LegacyPagesController < ApplicationController
144
- content_security_policy false, only: :index
145
- end
96
+ * `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
97
+ to define specific browser capabilities.
146
98
 
147
- *Andrew White*
99
+ *Edouard Chin*
148
100
 
149
- * Add alias method `to_hash` to `to_h` for `cookies`.
150
- Add alias method `to_h` to `to_hash` for `session`.
151
101
 
152
- *Igor Kasyanchuk*
102
+ ## Rails 6.0.0.beta1 (January 18, 2019) ##
153
103
 
154
- * Update the default HSTS max-age value to 31536000 seconds (1 year)
155
- to meet the minimum max-age requirement for https://hstspreload.org/.
104
+ * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
156
105
 
157
- *Grant Bourque*
158
-
159
- * Add support for automatic nonce generation for Rails UJS.
160
-
161
- Because the UJS library creates a script tag to process responses it
162
- normally requires the script-src attribute of the content security
163
- policy to include 'unsafe-inline'.
106
+ *Rafael Mendonça França*
164
107
 
165
- To work around this we generate a per-request nonce value that is
166
- embedded in a meta tag in a similar fashion to how CSRF protection
167
- embeds its token in a meta tag. The UJS library can then read the
168
- nonce value and set it on the dynamically generated script tag to
169
- enable it to execute without needing 'unsafe-inline' enabled.
108
+ * Remove deprecated methods in `ActionDispatch::TestResponse`.
170
109
 
171
- Nonce generation isn't 100% safe - if your script tag is including
172
- user generated content in someway then it may be possible to exploit
173
- an XSS vulnerability which can take advantage of the nonce. It is
174
- however an improvement on a blanket permission for inline scripts.
110
+ `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
111
+ `#successful?`, `not_found?` and `server_error?`.
175
112
 
176
- It is also possible to use the nonce within your own script tags by
177
- using `nonce: true` to set the nonce value on the tag, e.g
113
+ *Rafael Mendonça França*
178
114
 
179
- <%= javascript_tag nonce: true do %>
180
- alert('Hello, World!');
181
- <% end %>
115
+ * Introduce `ActionDispatch::HostAuthorization`.
182
116
 
183
- Fixes #31689.
117
+ This is a new middleware that guards against DNS rebinding attacks by
118
+ explicitly permitting the hosts a request can be made to.
184
119
 
185
- *Andrew White*
120
+ Each host is checked with the case operator (`#===`) to support `Regexp`,
121
+ `Proc`, `IPAddr` and custom objects as host allowances.
186
122
 
187
- * Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
123
+ *Genadi Samokovarov*
188
124
 
189
- *Dominic Cleal*
125
+ * Allow using `parsed_body` in `ActionController::TestCase`.
190
126
 
191
- * Add `Referrer-Policy` header to default headers set.
127
+ In addition to `ActionDispatch::IntegrationTest`, allow using
128
+ `parsed_body` in `ActionController::TestCase`:
192
129
 
193
- *Guillermo Iguaran*
130
+ ```
131
+ class SomeControllerTest < ActionController::TestCase
132
+ def test_some_action
133
+ post :action, body: { foo: 'bar' }
134
+ assert_equal({ "foo" => "bar" }, response.parsed_body)
135
+ end
136
+ end
137
+ ```
194
138
 
195
- * Changed the system tests to set Puma as default server only when the
196
- user haven't specified manually another server.
139
+ Fixes #34676.
197
140
 
198
- *Guillermo Iguaran*
141
+ *Tobias Bühlmann*
199
142
 
200
- * Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
201
- default headers set.
143
+ * Raise an error on root route naming conflicts.
202
144
 
203
- *Guillermo Iguaran*
145
+ Raises an `ArgumentError` when multiple root routes are defined in the
146
+ same context instead of assigning nil names to subsequent roots.
204
147
 
205
- * Add headless firefox support to System Tests.
148
+ *Gannon McGibbon*
206
149
 
207
- *bogdanvlviv*
150
+ * Allow rescue from parameter parse errors:
208
151
 
209
- * Changed the default system test screenshot output from `inline` to `simple`.
152
+ ```
153
+ rescue_from ActionDispatch::Http::Parameters::ParseError do
154
+ head :unauthorized
155
+ end
156
+ ```
210
157
 
211
- `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
212
- Terminal.app ignore the `inline` and output the path to the file since it can't
213
- render the image. Other terminals, like those on Ubuntu, cannot handle the image
214
- inline, but also don't handle it gracefully and instead of outputting the file
215
- path, it dumps binary into the terminal.
158
+ *Gannon McGibbon*, *Josh Cheek*
216
159
 
217
- Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
160
+ * Reset Capybara sessions if failed system test screenshot raising an exception.
218
161
 
219
- *Eileen M. Uchitelle*
162
+ Reset Capybara sessions if `take_failed_screenshot` raise exception
163
+ in system test `after_teardown`.
220
164
 
221
- * Register most popular audio/video/font mime types supported by modern browsers.
165
+ *Maxim Perepelitsa*
222
166
 
223
- *Guillermo Iguaran*
167
+ * Use request object for context if there's no controller
224
168
 
225
- * Fix optimized url helpers when using relative url root.
169
+ There is no controller instance when using a redirect route or a
170
+ mounted rack application so pass the request object as the context
171
+ when resolving dynamic CSP sources in this scenario.
226
172
 
227
- Fixes #31220.
173
+ Fixes #34200.
228
174
 
229
175
  *Andrew White*
230
176
 
231
- * Add DSL for configuring Content-Security-Policy header.
232
-
233
- The DSL allows you to configure a global Content-Security-Policy
234
- header and then override within a controller. For more information
235
- about the Content-Security-Policy header see MDN:
236
-
237
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
238
-
239
- Example global policy:
240
-
241
- # config/initializers/content_security_policy.rb
242
- Rails.application.config.content_security_policy do |p|
243
- p.default_src :self, :https
244
- p.font_src :self, :https, :data
245
- p.img_src :self, :https, :data
246
- p.object_src :none
247
- p.script_src :self, :https
248
- p.style_src :self, :https, :unsafe_inline
249
- end
250
-
251
- Example controller overrides:
252
-
253
- # Override policy inline
254
- class PostsController < ApplicationController
255
- content_security_policy do |p|
256
- p.upgrade_insecure_requests true
257
- end
258
- end
177
+ * Apply mapping to symbols returned from dynamic CSP sources
259
178
 
260
- # Using literal values
261
- class PostsController < ApplicationController
262
- content_security_policy do |p|
263
- p.base_uri "https://www.example.com"
264
- end
265
- end
179
+ Previously if a dynamic source returned a symbol such as :self it
180
+ would be converted to a string implicitly, e.g:
266
181
 
267
- # Using mixed static and dynamic values
268
- class PostsController < ApplicationController
269
- content_security_policy do |p|
270
- p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
271
- end
272
- end
182
+ policy.default_src -> { :self }
273
183
 
274
- Allows you to also only report content violations for migrating
275
- legacy content using the `content_security_policy_report_only`
276
- configuration attribute, e.g;
184
+ would generate the header:
277
185
 
278
- # config/initializers/content_security_policy.rb
279
- Rails.application.config.content_security_policy_report_only = true
186
+ Content-Security-Policy: default-src self
280
187
 
281
- # controller override
282
- class PostsController < ApplicationController
283
- content_security_policy_report_only only: :index
284
- end
188
+ and now it generates:
285
189
 
286
- Note that this feature does not validate the header for performance
287
- reasons since the header is calculated at runtime.
190
+ Content-Security-Policy: default-src 'self'
288
191
 
289
192
  *Andrew White*
290
193
 
291
- * Make `assert_recognizes` to traverse mounted engines.
292
-
293
- *Yuichiro Kaneko*
294
-
295
- * Remove deprecated `ActionController::ParamsParser::ParseError`.
296
-
297
- *Rafael Mendonça França*
298
-
299
- * Add `:allow_other_host` option to `redirect_back` method.
300
-
301
- When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
302
- different host. `allow_other_host` is `true` by default.
303
-
304
- *Tim Masliuchenko*
305
-
306
- * Add headless chrome support to System Tests.
307
-
308
- *Yuji Yaginuma*
309
-
310
- * Add ability to enable Early Hints for HTTP/2
194
+ * Add `ActionController::Parameters#each_value`.
311
195
 
312
- If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
196
+ *Lukáš Zapletal*
313
197
 
314
- The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
198
+ * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
315
199
 
316
- *Eileen M. Uchitelle*, *Aaron Patterson*
317
-
318
- * Simplify cookies middleware with key rotation support
200
+ *Yoshiyuki Kinjo*
319
201
 
320
- Use the `rotate` method for both `MessageEncryptor` and
321
- `MessageVerifier` to add key rotation support for encrypted and
322
- signed cookies. This also helps simplify support for legacy cookie
323
- security.
202
+ * Encode Content-Disposition filenames on `send_data` and `send_file`.
203
+ Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
204
+ `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
205
+ garbled.
206
+ Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
207
+ [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
208
+ `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
209
+ Most browsers can find filename correctly and old browsers fallback to ASCII
210
+ converted name.
324
211
 
325
- *Michael J Coyne*
212
+ *Fumiaki Matsushima*
326
213
 
327
- * Use Capybara registered `:puma` server config.
214
+ * Expose `ActionController::Parameters#each_key` which allows iterating over
215
+ keys without allocating an array.
328
216
 
329
- The Capybara registered `:puma` server ensures the puma server is run in process so
330
- connection sharing and open request detection work correctly by default.
217
+ *Richard Schneeman*
331
218
 
332
- *Thomas Walpole*
219
+ * Purpose metadata for signed/encrypted cookies.
333
220
 
334
- * Cookies `:expires` option supports `ActiveSupport::Duration` object.
221
+ Rails can now thwart attacks that attempt to copy signed/encrypted value
222
+ of a cookie and use it as the value of another cookie.
335
223
 
336
- cookies[:user_name] = { value: "assain", expires: 1.hour }
337
- cookies[:key] = { value: "a yummy cookie", expires: 6.months }
224
+ It does so by stashing the cookie-name in the purpose field which is
225
+ then signed/encrypted along with the cookie value. Then, on a server-side
226
+ read, we verify the cookie-names and discard any attacked cookies.
338
227
 
339
- Pull Request: #30121
228
+ Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
229
+ writes cookies with the new purpose and expiry metadata embedded.
340
230
 
341
231
  *Assain Jaleel*
342
232
 
343
- * Enforce signed/encrypted cookie expiry server side.
233
+ * Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
344
234
 
345
- Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
346
-
347
- It does so by stashing the expiry within the written cookie and relying on the
348
- signing/encrypting to vouch that it hasn't been tampered with. Then on a
349
- server-side read, the expiry is verified and any expired cookie is discarded.
350
-
351
- Pull Request: #30121
352
-
353
- *Assain Jaleel*
235
+ `respond_to` can match multiple types and lead to undefined behavior when
236
+ multiple invocations are made and the types do not match:
354
237
 
355
- * Make `take_failed_screenshot` work within engine.
238
+ respond_to do |outer_type|
239
+ outer_type.js do
240
+ respond_to do |inner_type|
241
+ inner_type.html { render body: "HTML" }
242
+ end
243
+ end
244
+ end
356
245
 
357
- Fixes #30405.
246
+ *Patrick Toomey*
358
247
 
359
- *Yuji Yaginuma*
248
+ * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
360
249
 
361
- * Deprecate `ActionDispatch::TestResponse` response aliases.
250
+ This allows uploaded file objects to be passed directly to `File.read`
251
+ without raising a `TypeError`:
362
252
 
363
- `#success?`, `#missing?` & `#error?` are not supported by the actual
364
- `ActionDispatch::Response` object and can produce false-positives. Instead,
365
- use the response helpers provided by `Rack::Response`.
253
+ uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
254
+ File.read(uploaded_file)
366
255
 
367
- *Trevor Wistaff*
256
+ *Aaron Kromer*
368
257
 
369
- * Protect from forgery by default
258
+ * Pass along arguments to underlying `get` method in `follow_redirect!`
370
259
 
371
- Rather than protecting from forgery in the generated `ApplicationController`,
372
- add it to `ActionController::Base` depending on
373
- `config.action_controller.default_protect_from_forgery`. This configuration
374
- defaults to false to support older versions which have removed it from their
375
- `ApplicationController`, but is set to true for Rails 5.2.
260
+ Now all arguments passed to `follow_redirect!` are passed to the underlying
261
+ `get` method. This for example allows to set custom headers for the
262
+ redirection request to the server.
376
263
 
377
- *Lisa Ugray*
264
+ follow_redirect!(params: { foo: :bar })
378
265
 
379
- * Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
266
+ *Remo Fritzsche*
380
267
 
381
- *Kir Shatrov*
268
+ * Introduce a new error page to when the implicit render page is accessed in the browser.
382
269
 
383
- * `driven_by` now registers poltergeist and capybara-webkit.
270
+ Now instead of showing an error page that with exception and backtraces we now show only
271
+ one informative page.
384
272
 
385
- If poltergeist or capybara-webkit are set as drivers is set for System Tests,
386
- `driven_by` will register the driver and set additional options passed via
387
- the `:options` parameter.
273
+ *Vinicius Stock*
388
274
 
389
- Refer to the respective driver's documentation to see what options can be passed.
275
+ * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
390
276
 
391
- *Mario Chavez*
277
+ Exception aware plugin authors can use the newly introduced
278
+ `.register_interceptor` method to get the processed exception, instead of
279
+ monkey patching DebugExceptions.
392
280
 
393
- * AEAD encrypted cookies and sessions with GCM.
281
+ ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
282
+ HypoteticalPlugin.capture_exception(request, exception)
283
+ end
394
284
 
395
- Encrypted cookies now use AES-GCM which couples authentication and
396
- encryption in one faster step and produces shorter ciphertexts. Cookies
397
- encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
398
- this new mode is enabled via the
399
- `action_dispatch.use_authenticated_cookie_encryption` configuration value.
285
+ *Genadi Samokovarov*
400
286
 
401
- *Michael J Coyne*
287
+ * Output only one Content-Security-Policy nonce header value per request.
402
288
 
403
- * Change the cache key format for fragments to make it easier to debug key churn. The new format is:
289
+ Fixes #32597.
404
290
 
405
- views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
406
- ^template path ^template tree digest ^class ^id
291
+ *Andrey Novikov*, *Andrew White*
407
292
 
408
- *DHH*
293
+ * Move default headers configuration into their own module that can be included in controllers.
409
294
 
410
- * Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
411
- `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
412
- to support it.
295
+ *Kevin Deisz*
413
296
 
414
- *DHH*
297
+ * Add method `dig` to `session`.
415
298
 
416
- * Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
299
+ *claudiob*, *Takumi Shotoku*
417
300
 
418
- `ActionController::Base` and `ActionController::API` have differing implementations. This means that
419
- the one umbrella hook `action_controller` is not able to address certain situations where a method
420
- may not exist in a certain implementation.
301
+ * Controller level `force_ssl` has been deprecated in favor of
302
+ `config.force_ssl`.
421
303
 
422
- This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
304
+ *Derek Prior*
423
305
 
424
- Fixes #27013.
306
+ * Rails 6 requires Ruby 2.5.0 or newer.
425
307
 
426
- *Julian Nadeau*
308
+ *Jeremy Daer*, *Kasper Timm Hansen*
427
309
 
428
310
 
429
- Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
311
+ Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.