actionpack 5.2.4.1 → 6.0.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +191 -335
- data/MIT-LICENSE +1 -1
- data/README.rdoc +3 -2
- data/lib/abstract_controller/base.rb +4 -2
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/callbacks.rb +12 -0
- data/lib/abstract_controller/collector.rb +1 -1
- data/lib/abstract_controller/helpers.rb +2 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
- data/lib/abstract_controller/translation.rb +1 -0
- data/lib/action_controller.rb +5 -1
- data/lib/action_controller/api.rb +2 -1
- data/lib/action_controller/base.rb +2 -7
- data/lib/action_controller/caching.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +8 -5
- data/lib/action_controller/metal.rb +1 -1
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +9 -3
- data/lib/action_controller/metal/data_streaming.rb +5 -6
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +23 -2
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/force_ssl.rb +15 -56
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +3 -4
- data/lib/action_controller/metal/http_authentication.rb +20 -21
- data/lib/action_controller/metal/implicit_render.rb +4 -14
- data/lib/action_controller/metal/instrumentation.rb +3 -5
- data/lib/action_controller/metal/live.rb +29 -27
- data/lib/action_controller/metal/mime_responds.rb +13 -2
- data/lib/action_controller/metal/params_wrapper.rb +17 -13
- data/lib/action_controller/metal/redirecting.rb +5 -5
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +2 -2
- data/lib/action_controller/metal/request_forgery_protection.rb +23 -12
- data/lib/action_controller/metal/strong_parameters.rb +63 -44
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +16 -3
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +2 -5
- data/lib/action_dispatch.rb +8 -7
- data/lib/action_dispatch/http/cache.rb +14 -10
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +28 -16
- data/lib/action_dispatch/http/filter_parameters.rb +8 -6
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +7 -5
- data/lib/action_dispatch/http/mime_type.rb +14 -6
- data/lib/action_dispatch/http/parameter_filter.rb +5 -79
- data/lib/action_dispatch/http/parameters.rb +13 -3
- data/lib/action_dispatch/http/request.rb +10 -13
- data/lib/action_dispatch/http/response.rb +40 -20
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +81 -81
- data/lib/action_dispatch/journey/formatter.rb +2 -2
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
- data/lib/action_dispatch/journey/nodes/node.rb +9 -8
- data/lib/action_dispatch/journey/path/pattern.rb +6 -2
- data/lib/action_dispatch/journey/route.rb +5 -4
- data/lib/action_dispatch/journey/router.rb +0 -3
- data/lib/action_dispatch/journey/router/utils.rb +10 -10
- data/lib/action_dispatch/journey/routes.rb +0 -1
- data/lib/action_dispatch/journey/scanner.rb +11 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +39 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +52 -74
- data/lib/action_dispatch/middleware/debug_exceptions.rb +39 -59
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +68 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +49 -15
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -2
- data/lib/action_dispatch/middleware/remote_ip.rb +9 -11
- data/lib/action_dispatch/middleware/request_id.rb +2 -2
- data/lib/action_dispatch/middleware/session/abstract_store.rb +0 -14
- data/lib/action_dispatch/middleware/session/cache_store.rb +6 -11
- data/lib/action_dispatch/middleware/session/cookie_store.rb +8 -23
- data/lib/action_dispatch/middleware/show_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/ssl.rb +8 -8
- data/lib/action_dispatch/middleware/stack.rb +33 -1
- data/lib/action_dispatch/middleware/static.rb +5 -6
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +7 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +4 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
- data/lib/action_dispatch/railtie.rb +7 -2
- data/lib/action_dispatch/request/session.rb +8 -6
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/routing/inspector.rb +99 -50
- data/lib/action_dispatch/routing/mapper.rb +61 -39
- data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
- data/lib/action_dispatch/routing/route_set.rb +24 -27
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/system_test_case.rb +43 -5
- data/lib/action_dispatch/system_testing/browser.rb +38 -7
- data/lib/action_dispatch/system_testing/driver.rb +10 -1
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +6 -5
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +7 -6
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +2 -3
- data/lib/action_dispatch/testing/assertions/routing.rb +15 -3
- data/lib/action_dispatch/testing/integration.rb +12 -5
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +2 -2
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +4 -4
- metadata +28 -21
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bc5f83963aacf31948bfa962abe255253d903e1722dd900926747d02dc6f5803
|
4
|
+
data.tar.gz: 0cdd481cd358a6a2445f12827cff82dfe0da5b01e0bc109209b016727f4e7107
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c30b9a96b7d80a6b4af7f68bdda026dc2b98eea17e1c55da9c40f61c0155b1bcf32418e275de6729115c003a1fecf2f442214002ddaacca508ad363d0c8afad5
|
7
|
+
data.tar.gz: b0dc7fb5e501e1f4d04fa0f1ec87ea5411c6e5cb067e35f5eec2d40467b4a84381b81d27d383ff416914131613042ce89efdd2854a14325dd3717aec1750da39
|
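Review bot: The `-` lines under both `SHA256:` and `SHA512:` show only the keys (`metadata.gz:`, `data.tar.gz:`) with no digest values, so this view does not let a reviewer compare the 5.2.4.1 digests with the new ones; pull the old values from that gem's own checksums.yaml before treating this as a routine rebuild. Separately, checksums.yaml ships inside the .gem and only attests to the two archive members, not to the package itself, so for a supply-chain check compare the digest of the downloaded 6.0.1 package against the one rubygems.org publishes for that version (or a checksum the project pins independently) rather than relying on the values embedded here.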
data/CHANGELOG.md
CHANGED
@@ -1,472 +1,328 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.0.1 (November 5, 2019) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
|
4
|
+
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
5
|
+
system tests.
|
4
6
|
|
5
|
-
|
6
|
-
gem dalli to be updated as well.
|
7
|
+
*George Claghorn*, *Edouard Chin*
|
7
8
|
|
8
|
-
|
9
|
+
* Registered MIME types may contain extra flags:
|
9
10
|
|
11
|
+
```ruby
|
12
|
+
Mime::Type.register "text/html; fragment", :html_fragment
|
13
|
+
```
|
10
14
|
|
11
|
-
|
12
|
-
|
13
|
-
* No changes.
|
14
|
-
|
15
|
-
|
16
|
-
## Rails 5.2.3 (March 27, 2019) ##
|
17
|
-
|
18
|
-
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
19
|
-
|
20
|
-
Before this change, even if `public` was specified in the Cache Control header,
|
21
|
-
it was excluded when `no-cache` was included. This change preserves the
|
22
|
-
`public` value as is.
|
23
|
-
|
24
|
-
Fixes #34780.
|
25
|
-
|
26
|
-
*Yuji Yaginuma*
|
27
|
-
|
28
|
-
* Allow `nil` params for `ActionController::TestCase`.
|
29
|
-
|
30
|
-
*Ryo Nakamura*
|
15
|
+
*Aaron Patterson*
|
31
16
|
|
32
17
|
|
33
|
-
## Rails
|
18
|
+
## Rails 6.0.0 (August 16, 2019) ##
|
34
19
|
|
35
20
|
* No changes.
|
36
21
|
|
37
22
|
|
38
|
-
## Rails
|
39
|
-
|
40
|
-
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
41
|
-
|
42
|
-
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
43
|
-
in system test `after_teardown`.
|
44
|
-
|
45
|
-
*Maxim Perepelitsa*
|
23
|
+
## Rails 6.0.0.rc2 (July 22, 2019) ##
|
46
24
|
|
47
|
-
*
|
25
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
48
26
|
|
49
|
-
|
50
|
-
mounted rack application so pass the request object as the context
|
51
|
-
when resolving dynamic CSP sources in this scenario.
|
27
|
+
Fixes #35137.
|
52
28
|
|
53
|
-
|
29
|
+
*Yuji Yaginuma*
|
54
30
|
|
55
|
-
|
31
|
+
* Keep part when scope option has value.
|
56
32
|
|
57
|
-
|
33
|
+
When a route was defined within an optional scope, if that route didn't
|
34
|
+
take parameters the scope was lost when using path helpers. This commit
|
35
|
+
ensures scope is kept both when the route takes parameters or when it
|
36
|
+
doesn't.
|
58
37
|
|
59
|
-
|
60
|
-
would be converted to a string implicity, e.g:
|
38
|
+
Fixes #33219
|
61
39
|
|
62
|
-
|
40
|
+
*Alberto Almagro*
|
63
41
|
|
64
|
-
|
42
|
+
* Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
|
65
43
|
|
66
|
-
|
44
|
+
Previously, `ActionDispatch::Response#content_type` returned value does NOT
|
45
|
+
contain charset part. This behavior changed to returned Content-Type header
|
46
|
+
containing charset part as it is.
|
67
47
|
|
68
|
-
|
48
|
+
If you want just MIME type, please use `ActionDispatch::Response#media_type`
|
49
|
+
instead.
|
69
50
|
|
70
|
-
|
51
|
+
Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
|
52
|
+
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
53
|
+
value as before version, but its behavior is deprecate.
|
71
54
|
|
72
|
-
*
|
73
|
-
|
74
|
-
* Fix `rails routes -c` for controller name consists of multiple word.
|
55
|
+
*Yuji Yaginuma*
|
75
56
|
|
76
|
-
|
57
|
+
* Calling `ActionController::Parameters#transform_keys/!` without a block now returns
|
58
|
+
an enumerator for the parameters instead of the underlying hash.
|
77
59
|
|
78
|
-
*
|
60
|
+
*Eugene Kenny*
|
79
61
|
|
80
|
-
|
62
|
+
* Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
|
81
63
|
|
64
|
+
*Yuki Nishijima*, *Stan Lo*
|
82
65
|
|
83
|
-
## Rails 5.2.1.1 (November 27, 2018) ##
|
84
66
|
|
85
|
-
|
67
|
+
## Rails 6.0.0.rc1 (April 24, 2019) ##
|
86
68
|
|
69
|
+
* Make system tests take a failed screenshot in a `before_teardown` hook
|
70
|
+
rather than an `after_teardown` hook.
|
87
71
|
|
88
|
-
|
72
|
+
This helps minimize the time gap between when an assertion fails and when
|
73
|
+
the screenshot is taken (reducing the time in which the page could have
|
74
|
+
been dynamically updated after the assertion failed).
|
89
75
|
|
90
|
-
*
|
76
|
+
*Richard Macklin*
|
91
77
|
|
92
|
-
|
93
|
-
there are none.
|
78
|
+
* Introduce `ActionDispatch::ActionableExceptions`.
|
94
79
|
|
95
|
-
|
80
|
+
The `ActionDispatch::ActionableExceptions` middleware dispatches actions
|
81
|
+
from `ActiveSupport::ActionableError` descendants.
|
96
82
|
|
97
|
-
|
83
|
+
Actionable errors let's you dispatch actions from Rails' error pages.
|
98
84
|
|
99
|
-
*
|
85
|
+
*Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
|
100
86
|
|
101
|
-
*
|
102
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
103
|
-
parameters.
|
87
|
+
* Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
|
104
88
|
|
105
|
-
|
89
|
+
After this change it's not possible anymore to configure routes like this:
|
106
90
|
|
107
|
-
* Fix strong parameters `permit!` with nested arrays.
|
108
|
-
|
109
|
-
Given:
|
110
91
|
```
|
111
|
-
|
112
|
-
|
92
|
+
routes.draw do
|
93
|
+
resources :users, param: 'name/:sneaky'
|
94
|
+
end
|
113
95
|
```
|
114
96
|
|
115
|
-
|
116
|
-
|
117
|
-
*Steve Hull*
|
118
|
-
|
119
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
120
|
-
`ActionController::TestCase` subclasses.
|
121
|
-
|
122
|
-
*Eugene Kenny*
|
123
|
-
|
124
|
-
* Output only one Content-Security-Policy nonce header value per request.
|
125
|
-
|
126
|
-
Fixes #32597.
|
127
|
-
|
128
|
-
*Andrey Novikov*, *Andrew White*
|
129
|
-
|
130
|
-
* Only disable GPUs for headless Chrome on Windows.
|
131
|
-
|
132
|
-
It is not necessary anymore for Linux and macOS machines.
|
133
|
-
|
134
|
-
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
135
|
-
|
136
|
-
*Stefan Wrobel*
|
137
|
-
|
138
|
-
* Fix system tests transactions not closed between examples.
|
139
|
-
|
140
|
-
*Sergey Tarasov*
|
141
|
-
|
142
|
-
|
143
|
-
## Rails 5.2.0 (April 09, 2018) ##
|
144
|
-
|
145
|
-
* Check exclude before flagging cookies as secure.
|
146
|
-
|
147
|
-
*Catherine Khuu*
|
148
|
-
|
149
|
-
* Always yield a CSP policy instance from `content_security_policy`
|
150
|
-
|
151
|
-
This allows a controller action to enable the policy individually
|
152
|
-
for a controller and/or specific actions.
|
153
|
-
|
154
|
-
*Andrew White*
|
155
|
-
|
156
|
-
* Add the ability to disable the global CSP in a controller, e.g:
|
157
|
-
|
158
|
-
class LegacyPagesController < ApplicationController
|
159
|
-
content_security_policy false, only: :index
|
160
|
-
end
|
97
|
+
Fixes #30467.
|
161
98
|
|
162
|
-
*
|
99
|
+
*Josua Schmid*
|
163
100
|
|
164
|
-
* Add alias method `to_hash` to `to_h` for `cookies`.
|
165
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
166
101
|
|
167
|
-
|
102
|
+
## Rails 6.0.0.beta3 (March 11, 2019) ##
|
168
103
|
|
169
|
-
*
|
170
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
104
|
+
* No changes.
|
171
105
|
|
172
|
-
*Grant Bourque*
|
173
106
|
|
174
|
-
|
107
|
+
## Rails 6.0.0.beta2 (February 25, 2019) ##
|
175
108
|
|
176
|
-
|
177
|
-
normally requires the script-src attribute of the content security
|
178
|
-
policy to include 'unsafe-inline'.
|
109
|
+
* Make debug exceptions works in an environment where ActiveStorage is not loaded.
|
179
110
|
|
180
|
-
|
181
|
-
embedded in a meta tag in a similar fashion to how CSRF protection
|
182
|
-
embeds its token in a meta tag. The UJS library can then read the
|
183
|
-
nonce value and set it on the dynamically generated script tag to
|
184
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
111
|
+
*Tomoyuki Kurosawa*
|
185
112
|
|
186
|
-
|
187
|
-
|
188
|
-
an XSS vulnerability which can take advantage of the nonce. It is
|
189
|
-
however an improvement on a blanket permission for inline scripts.
|
113
|
+
* `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
|
114
|
+
to define specific browser capabilities.
|
190
115
|
|
191
|
-
|
192
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
116
|
+
*Edouard Chin*
|
193
117
|
|
194
|
-
<%= javascript_tag nonce: true do %>
|
195
|
-
alert('Hello, World!');
|
196
|
-
<% end %>
|
197
118
|
|
198
|
-
|
119
|
+
## Rails 6.0.0.beta1 (January 18, 2019) ##
|
199
120
|
|
200
|
-
|
121
|
+
* Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
|
201
122
|
|
202
|
-
*
|
123
|
+
*Rafael Mendonça França*
|
203
124
|
|
204
|
-
|
125
|
+
* Remove deprecated methods in `ActionDispatch::TestResponse`.
|
205
126
|
|
206
|
-
|
207
|
-
|
208
|
-
params.each do |name|
|
209
|
-
puts name
|
210
|
-
end
|
211
|
-
end
|
127
|
+
`#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
|
128
|
+
`#successful?`, `not_found?` and `server_error?`.
|
212
129
|
|
213
|
-
|
214
|
-
# param
|
215
|
-
# param_two
|
130
|
+
*Rafael Mendonça França*
|
216
131
|
|
217
|
-
|
132
|
+
* Introduce `ActionDispatch::HostAuthorization`.
|
218
133
|
|
219
|
-
|
134
|
+
This is a new middleware that guards against DNS rebinding attacks by
|
135
|
+
explicitly permitting the hosts a request can be made to.
|
220
136
|
|
221
|
-
|
222
|
-
|
223
|
-
params.each do |name, value|
|
224
|
-
puts name
|
225
|
-
end
|
226
|
-
end
|
137
|
+
Each host is checked with the case operator (`#===`) to support `Regexp`,
|
138
|
+
`Proc`, `IPAddr` and custom objects as host allowances.
|
227
139
|
|
228
|
-
|
229
|
-
# param
|
230
|
-
# param_two
|
140
|
+
*Genadi Samokovarov*
|
231
141
|
|
232
|
-
|
142
|
+
* Allow using `parsed_body` in `ActionController::TestCase`.
|
233
143
|
|
234
|
-
|
144
|
+
In addition to `ActionDispatch::IntegrationTest`, allow using
|
145
|
+
`parsed_body` in `ActionController::TestCase`:
|
235
146
|
|
236
|
-
|
147
|
+
```
|
148
|
+
class SomeControllerTest < ActionController::TestCase
|
149
|
+
def test_some_action
|
150
|
+
post :action, body: { foo: 'bar' }
|
151
|
+
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
152
|
+
end
|
153
|
+
end
|
154
|
+
```
|
237
155
|
|
238
|
-
|
239
|
-
user haven't specified manually another server.
|
156
|
+
Fixes #34676.
|
240
157
|
|
241
|
-
*
|
158
|
+
*Tobias Bühlmann*
|
242
159
|
|
243
|
-
*
|
244
|
-
default headers set.
|
160
|
+
* Raise an error on root route naming conflicts.
|
245
161
|
|
246
|
-
|
162
|
+
Raises an `ArgumentError` when multiple root routes are defined in the
|
163
|
+
same context instead of assigning nil names to subsequent roots.
|
247
164
|
|
248
|
-
*
|
165
|
+
*Gannon McGibbon*
|
249
166
|
|
250
|
-
|
167
|
+
* Allow rescue from parameter parse errors:
|
251
168
|
|
252
|
-
|
169
|
+
```
|
170
|
+
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
171
|
+
head :unauthorized
|
172
|
+
end
|
173
|
+
```
|
253
174
|
|
254
|
-
|
255
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
256
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
257
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
258
|
-
path, it dumps binary into the terminal.
|
175
|
+
*Gannon McGibbon*, *Josh Cheek*
|
259
176
|
|
260
|
-
|
177
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
261
178
|
|
262
|
-
|
179
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
180
|
+
in system test `after_teardown`.
|
263
181
|
|
264
|
-
*
|
182
|
+
*Maxim Perepelitsa*
|
265
183
|
|
266
|
-
|
184
|
+
* Use request object for context if there's no controller
|
267
185
|
|
268
|
-
|
186
|
+
There is no controller instance when using a redirect route or a
|
187
|
+
mounted rack application so pass the request object as the context
|
188
|
+
when resolving dynamic CSP sources in this scenario.
|
269
189
|
|
270
|
-
Fixes #
|
190
|
+
Fixes #34200.
|
271
191
|
|
272
192
|
*Andrew White*
|
273
193
|
|
274
|
-
*
|
275
|
-
|
276
|
-
The DSL allows you to configure a global Content-Security-Policy
|
277
|
-
header and then override within a controller. For more information
|
278
|
-
about the Content-Security-Policy header see MDN:
|
279
|
-
|
280
|
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
281
|
-
|
282
|
-
Example global policy:
|
283
|
-
|
284
|
-
# config/initializers/content_security_policy.rb
|
285
|
-
Rails.application.config.content_security_policy do |p|
|
286
|
-
p.default_src :self, :https
|
287
|
-
p.font_src :self, :https, :data
|
288
|
-
p.img_src :self, :https, :data
|
289
|
-
p.object_src :none
|
290
|
-
p.script_src :self, :https
|
291
|
-
p.style_src :self, :https, :unsafe_inline
|
292
|
-
end
|
293
|
-
|
294
|
-
Example controller overrides:
|
295
|
-
|
296
|
-
# Override policy inline
|
297
|
-
class PostsController < ApplicationController
|
298
|
-
content_security_policy do |p|
|
299
|
-
p.upgrade_insecure_requests true
|
300
|
-
end
|
301
|
-
end
|
194
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
302
195
|
|
303
|
-
|
304
|
-
|
305
|
-
content_security_policy do |p|
|
306
|
-
p.base_uri "https://www.example.com"
|
307
|
-
end
|
308
|
-
end
|
196
|
+
Previously if a dynamic source returned a symbol such as :self it
|
197
|
+
would be converted to a string implicitly, e.g:
|
309
198
|
|
310
|
-
|
311
|
-
class PostsController < ApplicationController
|
312
|
-
content_security_policy do |p|
|
313
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
314
|
-
end
|
315
|
-
end
|
199
|
+
policy.default_src -> { :self }
|
316
200
|
|
317
|
-
|
318
|
-
legacy content using the `content_security_policy_report_only`
|
319
|
-
configuration attribute, e.g;
|
201
|
+
would generate the header:
|
320
202
|
|
321
|
-
|
322
|
-
Rails.application.config.content_security_policy_report_only = true
|
203
|
+
Content-Security-Policy: default-src self
|
323
204
|
|
324
|
-
|
325
|
-
class PostsController < ApplicationController
|
326
|
-
content_security_policy_report_only only: :index
|
327
|
-
end
|
205
|
+
and now it generates:
|
328
206
|
|
329
|
-
|
330
|
-
reasons since the header is calculated at runtime.
|
207
|
+
Content-Security-Policy: default-src 'self'
|
331
208
|
|
332
209
|
*Andrew White*
|
333
210
|
|
334
|
-
*
|
211
|
+
* Add `ActionController::Parameters#each_value`.
|
335
212
|
|
336
|
-
*
|
213
|
+
*Lukáš Zapletal*
|
337
214
|
|
338
|
-
*
|
339
|
-
|
340
|
-
*Rafael Mendonça França*
|
341
|
-
|
342
|
-
* Add `:allow_other_host` option to `redirect_back` method.
|
343
|
-
|
344
|
-
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
345
|
-
different host. `allow_other_host` is `true` by default.
|
346
|
-
|
347
|
-
*Tim Masliuchenko*
|
348
|
-
|
349
|
-
* Add headless chrome support to System Tests.
|
350
|
-
|
351
|
-
*Yuji Yaginuma*
|
215
|
+
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
|
352
216
|
|
353
|
-
*
|
354
|
-
|
355
|
-
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
356
|
-
|
357
|
-
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
358
|
-
|
359
|
-
*Eileen M. Uchitelle*, *Aaron Patterson*
|
360
|
-
|
361
|
-
* Simplify cookies middleware with key rotation support
|
217
|
+
*Yoshiyuki Kinjo*
|
362
218
|
|
363
|
-
|
364
|
-
`
|
365
|
-
|
366
|
-
|
219
|
+
* Encode Content-Disposition filenames on `send_data` and `send_file`.
|
220
|
+
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
221
|
+
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
222
|
+
garbled.
|
223
|
+
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
224
|
+
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
225
|
+
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
226
|
+
Most browsers can find filename correctly and old browsers fallback to ASCII
|
227
|
+
converted name.
|
367
228
|
|
368
|
-
*
|
229
|
+
*Fumiaki Matsushima*
|
369
230
|
|
370
|
-
*
|
231
|
+
* Expose `ActionController::Parameters#each_key` which allows iterating over
|
232
|
+
keys without allocating an array.
|
371
233
|
|
372
|
-
|
373
|
-
connection sharing and open request detection work correctly by default.
|
234
|
+
*Richard Schneeman*
|
374
235
|
|
375
|
-
|
236
|
+
* Purpose metadata for signed/encrypted cookies.
|
376
237
|
|
377
|
-
|
238
|
+
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
239
|
+
of a cookie and use it as the value of another cookie.
|
378
240
|
|
379
|
-
|
380
|
-
|
241
|
+
It does so by stashing the cookie-name in the purpose field which is
|
242
|
+
then signed/encrypted along with the cookie value. Then, on a server-side
|
243
|
+
read, we verify the cookie-names and discard any attacked cookies.
|
381
244
|
|
382
|
-
|
245
|
+
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
246
|
+
writes cookies with the new purpose and expiry metadata embedded.
|
383
247
|
|
384
248
|
*Assain Jaleel*
|
385
249
|
|
386
|
-
*
|
387
|
-
|
388
|
-
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
389
|
-
|
390
|
-
It does so by stashing the expiry within the written cookie and relying on the
|
391
|
-
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
392
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
393
|
-
|
394
|
-
Pull Request: #30121
|
250
|
+
* Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
|
395
251
|
|
396
|
-
|
252
|
+
`respond_to` can match multiple types and lead to undefined behavior when
|
253
|
+
multiple invocations are made and the types do not match:
|
397
254
|
|
398
|
-
|
255
|
+
respond_to do |outer_type|
|
256
|
+
outer_type.js do
|
257
|
+
respond_to do |inner_type|
|
258
|
+
inner_type.html { render body: "HTML" }
|
259
|
+
end
|
260
|
+
end
|
261
|
+
end
|
399
262
|
|
400
|
-
|
263
|
+
*Patrick Toomey*
|
401
264
|
|
402
|
-
|
265
|
+
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
403
266
|
|
404
|
-
|
267
|
+
This allows uploaded file objects to be passed directly to `File.read`
|
268
|
+
without raising a `TypeError`:
|
405
269
|
|
406
|
-
|
407
|
-
|
408
|
-
use the response helpers provided by `Rack::Response`.
|
270
|
+
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
271
|
+
File.read(uploaded_file)
|
409
272
|
|
410
|
-
*
|
273
|
+
*Aaron Kromer*
|
411
274
|
|
412
|
-
*
|
275
|
+
* Pass along arguments to underlying `get` method in `follow_redirect!`
|
413
276
|
|
414
|
-
|
415
|
-
|
416
|
-
|
417
|
-
defaults to false to support older versions which have removed it from their
|
418
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
277
|
+
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
278
|
+
`get` method. This for example allows to set custom headers for the
|
279
|
+
redirection request to the server.
|
419
280
|
|
420
|
-
|
281
|
+
follow_redirect!(params: { foo: :bar })
|
421
282
|
|
422
|
-
*
|
283
|
+
*Remo Fritzsche*
|
423
284
|
|
424
|
-
|
285
|
+
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
425
286
|
|
426
|
-
|
287
|
+
Now instead of showing an error page that with exception and backtraces we now show only
|
288
|
+
one informative page.
|
427
289
|
|
428
|
-
|
429
|
-
`driven_by` will register the driver and set additional options passed via
|
430
|
-
the `:options` parameter.
|
290
|
+
*Vinicius Stock*
|
431
291
|
|
432
|
-
|
292
|
+
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
|
433
293
|
|
434
|
-
|
294
|
+
Exception aware plugin authors can use the newly introduced
|
295
|
+
`.register_interceptor` method to get the processed exception, instead of
|
296
|
+
monkey patching DebugExceptions.
|
435
297
|
|
436
|
-
|
298
|
+
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
299
|
+
HypoteticalPlugin.capture_exception(request, exception)
|
300
|
+
end
|
437
301
|
|
438
|
-
|
439
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
440
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
441
|
-
this new mode is enabled via the
|
442
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
302
|
+
*Genadi Samokovarov*
|
443
303
|
|
444
|
-
|
304
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
445
305
|
|
446
|
-
|
306
|
+
Fixes #32597.
|
447
307
|
|
448
|
-
|
449
|
-
^template path ^template tree digest ^class ^id
|
308
|
+
*Andrey Novikov*, *Andrew White*
|
450
309
|
|
451
|
-
|
310
|
+
* Move default headers configuration into their own module that can be included in controllers.
|
452
311
|
|
453
|
-
*
|
454
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
455
|
-
to support it.
|
312
|
+
*Kevin Deisz*
|
456
313
|
|
457
|
-
|
314
|
+
* Add method `dig` to `session`.
|
458
315
|
|
459
|
-
*
|
316
|
+
*claudiob*, *Takumi Shotoku*
|
460
317
|
|
461
|
-
|
462
|
-
|
463
|
-
may not exist in a certain implementation.
|
318
|
+
* Controller level `force_ssl` has been deprecated in favor of
|
319
|
+
`config.force_ssl`.
|
464
320
|
|
465
|
-
|
321
|
+
*Derek Prior*
|
466
322
|
|
467
|
-
|
323
|
+
* Rails 6 requires Ruby 2.5.0 or newer.
|
468
324
|
|
469
|
-
*
|
325
|
+
*Jeremy Daer*, *Kasper Timm Hansen*
|
470
326
|
|
471
327
|
|
472
|
-
Please check [5-
|
328
|
+
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|
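Review bot: This hunk replaces the whole 5.2 history with the 6.0 one, and several added entries change security-relevant behaviour that an app taking this bump has to decide on, so the upgrade PR should record each: `ActionDispatch::HostAuthorization` guards against DNS rebinding only for hosts that are explicitly permitted, so the production host names need to be added for it to protect anything; controller-level `force_ssl` is deprecated in favor of `config.force_ssl`, so controllers still relying on it should move to the app-wide setting; `ActionDispatch::Response#content_type` returns the full Content-Type header only once `action_dispatch.return_only_media_type_on_content_type` is enabled (otherwise the old value with a deprecation), so code comparing it to a bare MIME type should switch to `media_type`; purpose metadata for signed/encrypted cookies is opt-in via `action_dispatch.use_cookies_with_metadata`, so the cookie-swapping protection described is inactive until that flag is set; `send_data`/`send_file` now emit an RFC 2231/5987 `filename*` parameter, which changes what any proxy or test asserting on Content-Disposition sees; conflicting nested `respond_to` calls now raise `ActionController::RespondToMismatchError` instead of behaving unpredictably; and `ActionDispatch::Http::ParameterFilter` is deprecated for `ActiveSupport::ParameterFilter`, which matters wherever log filtering of secrets is configured. Two documentation nits in the added text: "Actionable errors let's you dispatch" should read "lets you", and "its behavior is deprecate" should read "deprecated". Finally, the `-` side is heavily elided in this rendering (bare `*`, `## Rails` and `Fixes #` lines), so which 5.2.x entries were dropped cannot be verified from this hunk; use the linked 5-2-stable CHANGELOG for that comparison.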