actionpack 5.2.3 → 6.0.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +191 -292
- data/MIT-LICENSE +1 -1
- data/README.rdoc +3 -2
- data/lib/abstract_controller/base.rb +4 -2
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/callbacks.rb +12 -0
- data/lib/abstract_controller/collector.rb +1 -1
- data/lib/abstract_controller/helpers.rb +2 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
- data/lib/abstract_controller/translation.rb +1 -0
- data/lib/action_controller.rb +5 -1
- data/lib/action_controller/api.rb +2 -1
- data/lib/action_controller/base.rb +2 -7
- data/lib/action_controller/caching.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +8 -5
- data/lib/action_controller/metal.rb +3 -3
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +9 -3
- data/lib/action_controller/metal/data_streaming.rb +5 -6
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +23 -2
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/force_ssl.rb +15 -56
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +3 -4
- data/lib/action_controller/metal/http_authentication.rb +20 -21
- data/lib/action_controller/metal/implicit_render.rb +4 -14
- data/lib/action_controller/metal/instrumentation.rb +3 -5
- data/lib/action_controller/metal/live.rb +29 -27
- data/lib/action_controller/metal/mime_responds.rb +13 -2
- data/lib/action_controller/metal/params_wrapper.rb +18 -14
- data/lib/action_controller/metal/redirecting.rb +5 -5
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +2 -2
- data/lib/action_controller/metal/request_forgery_protection.rb +23 -12
- data/lib/action_controller/metal/strong_parameters.rb +63 -44
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +16 -3
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +4 -6
- data/lib/action_dispatch.rb +4 -2
- data/lib/action_dispatch/http/cache.rb +14 -10
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +28 -16
- data/lib/action_dispatch/http/filter_parameters.rb +8 -6
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +7 -5
- data/lib/action_dispatch/http/mime_type.rb +14 -6
- data/lib/action_dispatch/http/parameter_filter.rb +5 -79
- data/lib/action_dispatch/http/parameters.rb +13 -3
- data/lib/action_dispatch/http/request.rb +10 -13
- data/lib/action_dispatch/http/response.rb +39 -18
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +81 -81
- data/lib/action_dispatch/journey/formatter.rb +2 -2
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
- data/lib/action_dispatch/journey/nodes/node.rb +9 -8
- data/lib/action_dispatch/journey/path/pattern.rb +8 -3
- data/lib/action_dispatch/journey/route.rb +5 -4
- data/lib/action_dispatch/journey/router.rb +0 -3
- data/lib/action_dispatch/journey/router/utils.rb +10 -10
- data/lib/action_dispatch/journey/routes.rb +0 -1
- data/lib/action_dispatch/journey/scanner.rb +11 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +39 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +52 -74
- data/lib/action_dispatch/middleware/debug_exceptions.rb +39 -59
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +68 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +49 -15
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -2
- data/lib/action_dispatch/middleware/remote_ip.rb +9 -11
- data/lib/action_dispatch/middleware/request_id.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +1 -6
- data/lib/action_dispatch/middleware/show_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/ssl.rb +8 -8
- data/lib/action_dispatch/middleware/stack.rb +34 -2
- data/lib/action_dispatch/middleware/static.rb +5 -6
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +7 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +4 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
- data/lib/action_dispatch/railtie.rb +7 -2
- data/lib/action_dispatch/request/session.rb +8 -0
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/routing/inspector.rb +99 -50
- data/lib/action_dispatch/routing/mapper.rb +61 -39
- data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
- data/lib/action_dispatch/routing/route_set.rb +24 -27
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/system_test_case.rb +43 -5
- data/lib/action_dispatch/system_testing/browser.rb +38 -7
- data/lib/action_dispatch/system_testing/driver.rb +10 -1
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +6 -5
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +7 -6
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +2 -3
- data/lib/action_dispatch/testing/assertions/routing.rb +15 -3
- data/lib/action_dispatch/testing/integration.rb +12 -5
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +2 -2
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +3 -3
- metadata +29 -16
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bc5f83963aacf31948bfa962abe255253d903e1722dd900926747d02dc6f5803
|
4
|
+
data.tar.gz: 0cdd481cd358a6a2445f12827cff82dfe0da5b01e0bc109209b016727f4e7107
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c30b9a96b7d80a6b4af7f68bdda026dc2b98eea17e1c55da9c40f61c0155b1bcf32418e275de6729115c003a1fecf2f442214002ddaacca508ad363d0c8afad5
|
7
|
+
data.tar.gz: b0dc7fb5e501e1f4d04fa0f1ec87ea5411c6e5cb067e35f5eec2d40467b4a84381b81d27d383ff416914131613042ce89efdd2854a14325dd3717aec1750da39
|
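Review bot: the removed lines in this hunk show only the keys `metadata.gz:` and `data.tar.gz:` with no digest values, so the old SHA256 and SHA512 checksums cannot be compared against the new ones from this rendering alone; before accepting the upgrade, confirm that the new values (`metadata.gz: bc5f83963aacf3...`, `data.tar.gz: 0cdd481cd358a6...` and their SHA512 counterparts) match the digests published for actionpack 6.0.1 by the gem source you install from, since a checksums.yaml shipped inside the gem is regenerated with every release and only attests to that archive's own contents.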
data/CHANGELOG.md
CHANGED
@@ -1,429 +1,328 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.0.1 (November 5, 2019) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
|
4
|
+
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
5
|
+
system tests.
|
4
6
|
|
5
|
-
|
6
|
-
it was excluded when `no-cache` was included. This fixed to keep `public`
|
7
|
-
header as is.
|
7
|
+
*George Claghorn*, *Edouard Chin*
|
8
8
|
|
9
|
-
|
9
|
+
* Registered MIME types may contain extra flags:
|
10
10
|
|
11
|
-
|
12
|
-
|
13
|
-
|
11
|
+
```ruby
|
12
|
+
Mime::Type.register "text/html; fragment", :html_fragment
|
13
|
+
```
|
14
14
|
|
15
|
-
*
|
15
|
+
*Aaron Patterson*
|
16
16
|
|
17
17
|
|
18
|
-
## Rails
|
18
|
+
## Rails 6.0.0 (August 16, 2019) ##
|
19
19
|
|
20
20
|
* No changes.
|
21
21
|
|
22
22
|
|
23
|
-
## Rails
|
24
|
-
|
25
|
-
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
23
|
+
## Rails 6.0.0.rc2 (July 22, 2019) ##
|
26
24
|
|
27
|
-
|
28
|
-
in system test `after_teardown`.
|
25
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
29
26
|
|
30
|
-
|
27
|
+
Fixes #35137.
|
31
28
|
|
32
|
-
*
|
33
|
-
|
34
|
-
There is no controller instance when using a redirect route or a
|
35
|
-
mounted rack application so pass the request object as the context
|
36
|
-
when resolving dynamic CSP sources in this scenario.
|
37
|
-
|
38
|
-
Fixes #34200.
|
39
|
-
|
40
|
-
*Andrew White*
|
41
|
-
|
42
|
-
* Apply mapping to symbols returned from dynamic CSP sources
|
29
|
+
*Yuji Yaginuma*
|
43
30
|
|
44
|
-
|
45
|
-
would be converted to a string implicity, e.g:
|
31
|
+
* Keep part when scope option has value.
|
46
32
|
|
47
|
-
|
33
|
+
When a route was defined within an optional scope, if that route didn't
|
34
|
+
take parameters the scope was lost when using path helpers. This commit
|
35
|
+
ensures scope is kept both when the route takes parameters or when it
|
36
|
+
doesn't.
|
48
37
|
|
49
|
-
|
38
|
+
Fixes #33219
|
50
39
|
|
51
|
-
|
40
|
+
*Alberto Almagro*
|
52
41
|
|
53
|
-
|
42
|
+
* Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
|
54
43
|
|
55
|
-
|
44
|
+
Previously, `ActionDispatch::Response#content_type` returned value does NOT
|
45
|
+
contain charset part. This behavior changed to returned Content-Type header
|
46
|
+
containing charset part as it is.
|
56
47
|
|
57
|
-
|
48
|
+
If you want just MIME type, please use `ActionDispatch::Response#media_type`
|
49
|
+
instead.
|
58
50
|
|
59
|
-
|
51
|
+
Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
|
52
|
+
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
53
|
+
value as before version, but its behavior is deprecate.
|
60
54
|
|
61
|
-
*
|
55
|
+
*Yuji Yaginuma*
|
62
56
|
|
63
|
-
*
|
57
|
+
* Calling `ActionController::Parameters#transform_keys/!` without a block now returns
|
58
|
+
an enumerator for the parameters instead of the underlying hash.
|
64
59
|
|
65
|
-
*
|
60
|
+
*Eugene Kenny*
|
66
61
|
|
62
|
+
* Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
|
67
63
|
|
68
|
-
|
64
|
+
*Yuki Nishijima*, *Stan Lo*
|
69
65
|
|
70
|
-
* No changes.
|
71
66
|
|
67
|
+
## Rails 6.0.0.rc1 (April 24, 2019) ##
|
72
68
|
|
73
|
-
|
69
|
+
* Make system tests take a failed screenshot in a `before_teardown` hook
|
70
|
+
rather than an `after_teardown` hook.
|
74
71
|
|
75
|
-
|
72
|
+
This helps minimize the time gap between when an assertion fails and when
|
73
|
+
the screenshot is taken (reducing the time in which the page could have
|
74
|
+
been dynamically updated after the assertion failed).
|
76
75
|
|
77
|
-
|
78
|
-
there are none.
|
76
|
+
*Richard Macklin*
|
79
77
|
|
80
|
-
|
78
|
+
* Introduce `ActionDispatch::ActionableExceptions`.
|
81
79
|
|
82
|
-
|
80
|
+
The `ActionDispatch::ActionableExceptions` middleware dispatches actions
|
81
|
+
from `ActiveSupport::ActionableError` descendants.
|
83
82
|
|
84
|
-
|
83
|
+
Actionable errors let's you dispatch actions from Rails' error pages.
|
85
84
|
|
86
|
-
*
|
87
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
88
|
-
parameters.
|
85
|
+
*Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
|
89
86
|
|
90
|
-
|
87
|
+
* Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
|
91
88
|
|
92
|
-
|
89
|
+
After this change it's not possible anymore to configure routes like this:
|
93
90
|
|
94
|
-
Given:
|
95
91
|
```
|
96
|
-
|
97
|
-
|
92
|
+
routes.draw do
|
93
|
+
resources :users, param: 'name/:sneaky'
|
94
|
+
end
|
98
95
|
```
|
99
96
|
|
100
|
-
|
101
|
-
|
102
|
-
*Steve Hull*
|
103
|
-
|
104
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
105
|
-
`ActionController::TestCase` subclasses.
|
106
|
-
|
107
|
-
*Eugene Kenny*
|
108
|
-
|
109
|
-
* Output only one Content-Security-Policy nonce header value per request.
|
110
|
-
|
111
|
-
Fixes #32597.
|
112
|
-
|
113
|
-
*Andrey Novikov*, *Andrew White*
|
114
|
-
|
115
|
-
* Only disable GPUs for headless Chrome on Windows.
|
116
|
-
|
117
|
-
It is not necessary anymore for Linux and macOS machines.
|
97
|
+
Fixes #30467.
|
118
98
|
|
119
|
-
|
99
|
+
*Josua Schmid*
|
120
100
|
|
121
|
-
*Stefan Wrobel*
|
122
101
|
|
123
|
-
|
102
|
+
## Rails 6.0.0.beta3 (March 11, 2019) ##
|
124
103
|
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
## Rails 5.2.0 (April 09, 2018) ##
|
129
|
-
|
130
|
-
* Check exclude before flagging cookies as secure.
|
131
|
-
|
132
|
-
*Catherine Khuu*
|
133
|
-
|
134
|
-
* Always yield a CSP policy instance from `content_security_policy`
|
135
|
-
|
136
|
-
This allows a controller action to enable the policy individually
|
137
|
-
for a controller and/or specific actions.
|
104
|
+
* No changes.
|
138
105
|
|
139
|
-
*Andrew White*
|
140
106
|
|
141
|
-
|
107
|
+
## Rails 6.0.0.beta2 (February 25, 2019) ##
|
142
108
|
|
143
|
-
|
144
|
-
content_security_policy false, only: :index
|
145
|
-
end
|
109
|
+
* Make debug exceptions works in an environment where ActiveStorage is not loaded.
|
146
110
|
|
147
|
-
*
|
111
|
+
*Tomoyuki Kurosawa*
|
148
112
|
|
149
|
-
*
|
150
|
-
|
113
|
+
* `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
|
114
|
+
to define specific browser capabilities.
|
151
115
|
|
152
|
-
*
|
116
|
+
*Edouard Chin*
|
153
117
|
|
154
|
-
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
155
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
156
118
|
|
157
|
-
|
119
|
+
## Rails 6.0.0.beta1 (January 18, 2019) ##
|
158
120
|
|
159
|
-
*
|
121
|
+
* Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
|
160
122
|
|
161
|
-
|
162
|
-
normally requires the script-src attribute of the content security
|
163
|
-
policy to include 'unsafe-inline'.
|
123
|
+
*Rafael Mendonça França*
|
164
124
|
|
165
|
-
|
166
|
-
embedded in a meta tag in a similar fashion to how CSRF protection
|
167
|
-
embeds its token in a meta tag. The UJS library can then read the
|
168
|
-
nonce value and set it on the dynamically generated script tag to
|
169
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
125
|
+
* Remove deprecated methods in `ActionDispatch::TestResponse`.
|
170
126
|
|
171
|
-
|
172
|
-
|
173
|
-
an XSS vulnerability which can take advantage of the nonce. It is
|
174
|
-
however an improvement on a blanket permission for inline scripts.
|
127
|
+
`#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
|
128
|
+
`#successful?`, `not_found?` and `server_error?`.
|
175
129
|
|
176
|
-
|
177
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
130
|
+
*Rafael Mendonça França*
|
178
131
|
|
179
|
-
|
180
|
-
alert('Hello, World!');
|
181
|
-
<% end %>
|
132
|
+
* Introduce `ActionDispatch::HostAuthorization`.
|
182
133
|
|
183
|
-
|
134
|
+
This is a new middleware that guards against DNS rebinding attacks by
|
135
|
+
explicitly permitting the hosts a request can be made to.
|
184
136
|
|
185
|
-
|
137
|
+
Each host is checked with the case operator (`#===`) to support `Regexp`,
|
138
|
+
`Proc`, `IPAddr` and custom objects as host allowances.
|
186
139
|
|
187
|
-
*
|
140
|
+
*Genadi Samokovarov*
|
188
141
|
|
189
|
-
|
142
|
+
* Allow using `parsed_body` in `ActionController::TestCase`.
|
190
143
|
|
191
|
-
|
144
|
+
In addition to `ActionDispatch::IntegrationTest`, allow using
|
145
|
+
`parsed_body` in `ActionController::TestCase`:
|
192
146
|
|
193
|
-
|
147
|
+
```
|
148
|
+
class SomeControllerTest < ActionController::TestCase
|
149
|
+
def test_some_action
|
150
|
+
post :action, body: { foo: 'bar' }
|
151
|
+
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
152
|
+
end
|
153
|
+
end
|
154
|
+
```
|
194
155
|
|
195
|
-
|
196
|
-
user haven't specified manually another server.
|
156
|
+
Fixes #34676.
|
197
157
|
|
198
|
-
*
|
158
|
+
*Tobias Bühlmann*
|
199
159
|
|
200
|
-
*
|
201
|
-
default headers set.
|
160
|
+
* Raise an error on root route naming conflicts.
|
202
161
|
|
203
|
-
|
162
|
+
Raises an `ArgumentError` when multiple root routes are defined in the
|
163
|
+
same context instead of assigning nil names to subsequent roots.
|
204
164
|
|
205
|
-
*
|
165
|
+
*Gannon McGibbon*
|
206
166
|
|
207
|
-
|
167
|
+
* Allow rescue from parameter parse errors:
|
208
168
|
|
209
|
-
|
169
|
+
```
|
170
|
+
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
171
|
+
head :unauthorized
|
172
|
+
end
|
173
|
+
```
|
210
174
|
|
211
|
-
|
212
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
213
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
214
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
215
|
-
path, it dumps binary into the terminal.
|
175
|
+
*Gannon McGibbon*, *Josh Cheek*
|
216
176
|
|
217
|
-
|
177
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
218
178
|
|
219
|
-
|
179
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
180
|
+
in system test `after_teardown`.
|
220
181
|
|
221
|
-
*
|
182
|
+
*Maxim Perepelitsa*
|
222
183
|
|
223
|
-
|
184
|
+
* Use request object for context if there's no controller
|
224
185
|
|
225
|
-
|
186
|
+
There is no controller instance when using a redirect route or a
|
187
|
+
mounted rack application so pass the request object as the context
|
188
|
+
when resolving dynamic CSP sources in this scenario.
|
226
189
|
|
227
|
-
Fixes #
|
190
|
+
Fixes #34200.
|
228
191
|
|
229
192
|
*Andrew White*
|
230
193
|
|
231
|
-
*
|
232
|
-
|
233
|
-
The DSL allows you to configure a global Content-Security-Policy
|
234
|
-
header and then override within a controller. For more information
|
235
|
-
about the Content-Security-Policy header see MDN:
|
236
|
-
|
237
|
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
238
|
-
|
239
|
-
Example global policy:
|
240
|
-
|
241
|
-
# config/initializers/content_security_policy.rb
|
242
|
-
Rails.application.config.content_security_policy do |p|
|
243
|
-
p.default_src :self, :https
|
244
|
-
p.font_src :self, :https, :data
|
245
|
-
p.img_src :self, :https, :data
|
246
|
-
p.object_src :none
|
247
|
-
p.script_src :self, :https
|
248
|
-
p.style_src :self, :https, :unsafe_inline
|
249
|
-
end
|
250
|
-
|
251
|
-
Example controller overrides:
|
252
|
-
|
253
|
-
# Override policy inline
|
254
|
-
class PostsController < ApplicationController
|
255
|
-
content_security_policy do |p|
|
256
|
-
p.upgrade_insecure_requests true
|
257
|
-
end
|
258
|
-
end
|
194
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
259
195
|
|
260
|
-
|
261
|
-
|
262
|
-
content_security_policy do |p|
|
263
|
-
p.base_uri "https://www.example.com"
|
264
|
-
end
|
265
|
-
end
|
196
|
+
Previously if a dynamic source returned a symbol such as :self it
|
197
|
+
would be converted to a string implicitly, e.g:
|
266
198
|
|
267
|
-
|
268
|
-
class PostsController < ApplicationController
|
269
|
-
content_security_policy do |p|
|
270
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
271
|
-
end
|
272
|
-
end
|
199
|
+
policy.default_src -> { :self }
|
273
200
|
|
274
|
-
|
275
|
-
legacy content using the `content_security_policy_report_only`
|
276
|
-
configuration attribute, e.g;
|
201
|
+
would generate the header:
|
277
202
|
|
278
|
-
|
279
|
-
Rails.application.config.content_security_policy_report_only = true
|
203
|
+
Content-Security-Policy: default-src self
|
280
204
|
|
281
|
-
|
282
|
-
class PostsController < ApplicationController
|
283
|
-
content_security_policy_report_only only: :index
|
284
|
-
end
|
205
|
+
and now it generates:
|
285
206
|
|
286
|
-
|
287
|
-
reasons since the header is calculated at runtime.
|
207
|
+
Content-Security-Policy: default-src 'self'
|
288
208
|
|
289
209
|
*Andrew White*
|
290
210
|
|
291
|
-
*
|
292
|
-
|
293
|
-
*Yuichiro Kaneko*
|
294
|
-
|
295
|
-
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
296
|
-
|
297
|
-
*Rafael Mendonça França*
|
298
|
-
|
299
|
-
* Add `:allow_other_host` option to `redirect_back` method.
|
300
|
-
|
301
|
-
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
302
|
-
different host. `allow_other_host` is `true` by default.
|
303
|
-
|
304
|
-
*Tim Masliuchenko*
|
305
|
-
|
306
|
-
* Add headless chrome support to System Tests.
|
307
|
-
|
308
|
-
*Yuji Yaginuma*
|
309
|
-
|
310
|
-
* Add ability to enable Early Hints for HTTP/2
|
311
|
-
|
312
|
-
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
211
|
+
* Add `ActionController::Parameters#each_value`.
|
313
212
|
|
314
|
-
|
213
|
+
*Lukáš Zapletal*
|
315
214
|
|
316
|
-
|
215
|
+
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
|
317
216
|
|
318
|
-
*
|
217
|
+
*Yoshiyuki Kinjo*
|
319
218
|
|
320
|
-
|
321
|
-
`
|
322
|
-
|
323
|
-
|
219
|
+
* Encode Content-Disposition filenames on `send_data` and `send_file`.
|
220
|
+
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
221
|
+
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
222
|
+
garbled.
|
223
|
+
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
224
|
+
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
225
|
+
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
226
|
+
Most browsers can find filename correctly and old browsers fallback to ASCII
|
227
|
+
converted name.
|
324
228
|
|
325
|
-
*
|
229
|
+
*Fumiaki Matsushima*
|
326
230
|
|
327
|
-
*
|
231
|
+
* Expose `ActionController::Parameters#each_key` which allows iterating over
|
232
|
+
keys without allocating an array.
|
328
233
|
|
329
|
-
|
330
|
-
connection sharing and open request detection work correctly by default.
|
234
|
+
*Richard Schneeman*
|
331
235
|
|
332
|
-
|
236
|
+
* Purpose metadata for signed/encrypted cookies.
|
333
237
|
|
334
|
-
|
238
|
+
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
239
|
+
of a cookie and use it as the value of another cookie.
|
335
240
|
|
336
|
-
|
337
|
-
|
241
|
+
It does so by stashing the cookie-name in the purpose field which is
|
242
|
+
then signed/encrypted along with the cookie value. Then, on a server-side
|
243
|
+
read, we verify the cookie-names and discard any attacked cookies.
|
338
244
|
|
339
|
-
|
245
|
+
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
246
|
+
writes cookies with the new purpose and expiry metadata embedded.
|
340
247
|
|
341
248
|
*Assain Jaleel*
|
342
249
|
|
343
|
-
*
|
344
|
-
|
345
|
-
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
250
|
+
* Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
|
346
251
|
|
347
|
-
|
348
|
-
|
349
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
350
|
-
|
351
|
-
Pull Request: #30121
|
352
|
-
|
353
|
-
*Assain Jaleel*
|
252
|
+
`respond_to` can match multiple types and lead to undefined behavior when
|
253
|
+
multiple invocations are made and the types do not match:
|
354
254
|
|
355
|
-
|
255
|
+
respond_to do |outer_type|
|
256
|
+
outer_type.js do
|
257
|
+
respond_to do |inner_type|
|
258
|
+
inner_type.html { render body: "HTML" }
|
259
|
+
end
|
260
|
+
end
|
261
|
+
end
|
356
262
|
|
357
|
-
|
263
|
+
*Patrick Toomey*
|
358
264
|
|
359
|
-
|
265
|
+
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
360
266
|
|
361
|
-
|
267
|
+
This allows uploaded file objects to be passed directly to `File.read`
|
268
|
+
without raising a `TypeError`:
|
362
269
|
|
363
|
-
|
364
|
-
|
365
|
-
use the response helpers provided by `Rack::Response`.
|
270
|
+
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
271
|
+
File.read(uploaded_file)
|
366
272
|
|
367
|
-
*
|
273
|
+
*Aaron Kromer*
|
368
274
|
|
369
|
-
*
|
275
|
+
* Pass along arguments to underlying `get` method in `follow_redirect!`
|
370
276
|
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
defaults to false to support older versions which have removed it from their
|
375
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
277
|
+
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
278
|
+
`get` method. This for example allows to set custom headers for the
|
279
|
+
redirection request to the server.
|
376
280
|
|
377
|
-
|
281
|
+
follow_redirect!(params: { foo: :bar })
|
378
282
|
|
379
|
-
*
|
283
|
+
*Remo Fritzsche*
|
380
284
|
|
381
|
-
|
285
|
+
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
382
286
|
|
383
|
-
|
287
|
+
Now instead of showing an error page that with exception and backtraces we now show only
|
288
|
+
one informative page.
|
384
289
|
|
385
|
-
|
386
|
-
`driven_by` will register the driver and set additional options passed via
|
387
|
-
the `:options` parameter.
|
290
|
+
*Vinicius Stock*
|
388
291
|
|
389
|
-
|
292
|
+
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
|
390
293
|
|
391
|
-
|
294
|
+
Exception aware plugin authors can use the newly introduced
|
295
|
+
`.register_interceptor` method to get the processed exception, instead of
|
296
|
+
monkey patching DebugExceptions.
|
392
297
|
|
393
|
-
|
298
|
+
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
299
|
+
HypoteticalPlugin.capture_exception(request, exception)
|
300
|
+
end
|
394
301
|
|
395
|
-
|
396
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
397
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
398
|
-
this new mode is enabled via the
|
399
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
302
|
+
*Genadi Samokovarov*
|
400
303
|
|
401
|
-
|
304
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
402
305
|
|
403
|
-
|
306
|
+
Fixes #32597.
|
404
307
|
|
405
|
-
|
406
|
-
^template path ^template tree digest ^class ^id
|
308
|
+
*Andrey Novikov*, *Andrew White*
|
407
309
|
|
408
|
-
|
310
|
+
* Move default headers configuration into their own module that can be included in controllers.
|
409
311
|
|
410
|
-
*
|
411
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
412
|
-
to support it.
|
312
|
+
*Kevin Deisz*
|
413
313
|
|
414
|
-
|
314
|
+
* Add method `dig` to `session`.
|
415
315
|
|
416
|
-
*
|
316
|
+
*claudiob*, *Takumi Shotoku*
|
417
317
|
|
418
|
-
|
419
|
-
|
420
|
-
may not exist in a certain implementation.
|
318
|
+
* Controller level `force_ssl` has been deprecated in favor of
|
319
|
+
`config.force_ssl`.
|
421
320
|
|
422
|
-
|
321
|
+
*Derek Prior*
|
423
322
|
|
424
|
-
|
323
|
+
* Rails 6 requires Ruby 2.5.0 or newer.
|
425
324
|
|
426
|
-
*
|
325
|
+
*Jeremy Daer*, *Kasper Timm Hansen*
|
427
326
|
|
428
327
|
|
429
|
-
Please check [5-
|
328
|
+
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|
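Review bot: the added entries that change security posture are gated behind configuration flags or deprecations, and a reader skimming the 6.0.1 heading at the top of this hunk will miss them, so the upgrade notes should call them out together: `ActionDispatch::HostAuthorization` (6.0.0.beta1) is a new middleware that rejects requests to hosts not explicitly permitted, with each allowance matched via `#===` so `Regexp`, `Proc`, `IPAddr` and custom objects work; signed/encrypted cookie purpose metadata, which discards a cookie value copied under another cookie name, only takes effect once `action_dispatch.use_cookies_with_metadata` is enabled; `ActionDispatch::Response#content_type` keeps returning the charset-less value until `action_dispatch.return_only_media_type_on_content_type` is set, with `ActionDispatch::Response#media_type` as the replacement for callers that want only the MIME type; controller-level `force_ssl` is deprecated in favour of `config.force_ssl`; and `send_data`/`send_file` now emit RFC 2231/RFC 5987 `filename*=` parameters so non-ASCII filenames are no longer sent raw. Three wording fixes for the added lines: `its behavior is deprecate` should read `its behavior is deprecated`, `Actionable errors let's you dispatch actions` should read `Actionable errors let you dispatch actions`, and `if `take_failed_screenshot` raise exception` should read `raises an exception`. The removed 5.2.x entries (HSTS max-age raised to 31536000 seconds, cookie expiry metadata, `:allow_other_host` on `redirect_back`) are reachable only through the trailing `5-2-stable` link, which matches how the file is maintained and needs no change.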