actionpack 5.2.4.4 → 6.1.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +264 -322
- data/MIT-LICENSE +1 -1
- data/README.rdoc +4 -3
- data/lib/abstract_controller.rb +1 -0
- data/lib/abstract_controller/base.rb +38 -4
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/callbacks.rb +14 -2
- data/lib/abstract_controller/collector.rb +1 -2
- data/lib/abstract_controller/helpers.rb +106 -90
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +11 -5
- data/lib/action_controller.rb +7 -4
- data/lib/action_controller/api.rb +4 -3
- data/lib/action_controller/base.rb +6 -9
- data/lib/action_controller/caching.rb +1 -3
- data/lib/action_controller/log_subscriber.rb +10 -7
- data/lib/action_controller/metal.rb +10 -8
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +19 -5
- data/lib/action_controller/metal/content_security_policy.rb +1 -2
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +6 -7
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
- data/lib/action_controller/metal/exceptions.rb +56 -2
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +14 -5
- data/lib/action_controller/metal/http_authentication.rb +24 -23
- data/lib/action_controller/metal/implicit_render.rb +5 -15
- data/lib/action_controller/metal/instrumentation.rb +13 -14
- data/lib/action_controller/metal/live.rb +30 -32
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +19 -4
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +31 -22
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +6 -6
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +8 -3
- data/lib/action_controller/metal/request_forgery_protection.rb +62 -34
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/streaming.rb +0 -1
- data/lib/action_controller/metal/strong_parameters.rb +167 -58
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +37 -13
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +70 -65
- data/lib/action_dispatch.rb +9 -3
- data/lib/action_dispatch/http/cache.rb +26 -21
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +33 -19
- data/lib/action_dispatch/http/filter_parameters.rb +9 -8
- data/lib/action_dispatch/http/filter_redirect.rb +2 -3
- data/lib/action_dispatch/http/headers.rb +4 -4
- data/lib/action_dispatch/http/mime_negotiation.rb +26 -13
- data/lib/action_dispatch/http/mime_type.rb +42 -23
- data/lib/action_dispatch/http/parameters.rb +14 -23
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +45 -22
- data/lib/action_dispatch/http/response.rb +45 -25
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +82 -82
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/journey/formatter.rb +54 -30
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -37
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -5
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +13 -11
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +19 -21
- data/lib/action_dispatch/journey/route.rb +10 -20
- data/lib/action_dispatch/journey/router.rb +26 -34
- data/lib/action_dispatch/journey/router/utils.rb +14 -12
- data/lib/action_dispatch/journey/routes.rb +0 -2
- data/lib/action_dispatch/journey/scanner.rb +10 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -4
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +128 -109
- data/lib/action_dispatch/middleware/debug_exceptions.rb +43 -66
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +66 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +75 -30
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +121 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -3
- data/lib/action_dispatch/middleware/remote_ip.rb +14 -16
- data/lib/action_dispatch/middleware/request_id.rb +5 -6
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -3
- data/lib/action_dispatch/middleware/session/cookie_store.rb +3 -9
- data/lib/action_dispatch/middleware/show_exceptions.rb +3 -2
- data/lib/action_dispatch/middleware/ssl.rb +20 -15
- data/lib/action_dispatch/middleware/stack.rb +56 -2
- data/lib/action_dispatch/middleware/static.rb +153 -93
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +6 -3
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +104 -8
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +24 -1
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +10 -9
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/routing/inspector.rb +100 -52
- data/lib/action_dispatch/routing/mapper.rb +155 -103
- data/lib/action_dispatch/routing/polymorphic_routes.rb +13 -15
- data/lib/action_dispatch/routing/redirection.rb +3 -3
- data/lib/action_dispatch/routing/route_set.rb +71 -69
- data/lib/action_dispatch/routing/url_for.rb +2 -2
- data/lib/action_dispatch/system_test_case.rb +54 -11
- data/lib/action_dispatch/system_testing/browser.rb +53 -16
- data/lib/action_dispatch/system_testing/driver.rb +11 -3
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +49 -7
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +8 -10
- data/lib/action_dispatch/testing/assertion_response.rb +0 -1
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +4 -7
- data/lib/action_dispatch/testing/assertions/routing.rb +20 -8
- data/lib/action_dispatch/testing/integration.rb +61 -28
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +29 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +4 -4
- metadata +38 -26
- data/lib/action_controller/metal/force_ssl.rb +0 -99
- data/lib/action_dispatch/http/parameter_filter.rb +0 -86
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -49
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -120
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3813bd7e46eeb386962cafd48601aace5759055c9311cc47e79706458e4d8723
|
4
|
+
data.tar.gz: 9b1c73e829be328eff697fb0472c2917516a7956db547e6f364c1fa194a49cd1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 271e0b7f7ce9cb659ffe7684f03677ea6699f065e1b2c1e8ce20cf992f3525c6ea2947702308b764fd21407498ac0e916dbd3390934615bf0c5d73450a938927
|
7
|
+
data.tar.gz: 9344404abd36b7fcc6bdf73a5186bc6bfc6665565b0fce4bf143aea6d149b61eefed5ec56787bebcbf0a9307bf464bbe4d822f726965f834fc3afaa13dde786d
|
data/CHANGELOG.md
CHANGED
@@ -1,484 +1,426 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Fix nil translation key lookup in controllers/
|
4
4
|
|
5
|
+
*Jan Klimo*
|
5
6
|
|
6
|
-
|
7
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
7
8
|
|
8
|
-
*
|
9
|
+
*Alex Robbin*
|
9
10
|
|
10
|
-
*
|
11
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
11
12
|
|
13
|
+
*Alex Robbin*
|
12
14
|
|
13
|
-
## Rails 5.2.4.1 (December 18, 2019) ##
|
14
15
|
|
15
|
-
|
16
|
-
|
17
|
-
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
18
|
-
gem dalli to be updated as well.
|
19
|
-
|
20
|
-
CVE-2019-16782.
|
21
|
-
|
22
|
-
|
23
|
-
## Rails 5.2.4 (November 27, 2019) ##
|
24
|
-
|
25
|
-
* No changes.
|
26
|
-
|
27
|
-
|
28
|
-
## Rails 5.2.3 (March 27, 2019) ##
|
29
|
-
|
30
|
-
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
31
|
-
|
32
|
-
Before this change, even if `public` was specified in the Cache Control header,
|
33
|
-
it was excluded when `no-cache` was included. This change preserves the
|
34
|
-
`public` value as is.
|
35
|
-
|
36
|
-
Fixes #34780.
|
37
|
-
|
38
|
-
*Yuji Yaginuma*
|
39
|
-
|
40
|
-
* Allow `nil` params for `ActionController::TestCase`.
|
41
|
-
|
42
|
-
*Ryo Nakamura*
|
16
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
43
17
|
|
18
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
19
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
44
20
|
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
21
|
+
```ruby
|
22
|
+
Rails.application.config.permissions_policy do |p|
|
23
|
+
p.camera :none
|
24
|
+
p.gyroscope :none
|
25
|
+
p.microphone :none
|
26
|
+
p.usb :none
|
27
|
+
p.fullscreen :self
|
28
|
+
p.payment :self, "https://secure-example.com"
|
29
|
+
end
|
30
|
+
```
|
51
31
|
|
52
|
-
*
|
32
|
+
*Julien Grillot*
|
53
33
|
|
54
|
-
|
55
|
-
in system test `after_teardown`.
|
34
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
56
35
|
|
57
|
-
|
36
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
58
37
|
|
59
|
-
*
|
38
|
+
*Chris Bisnett*
|
60
39
|
|
61
|
-
|
62
|
-
|
63
|
-
when resolving dynamic CSP sources in this scenario.
|
40
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
41
|
+
the unique X-Request-Id header
|
64
42
|
|
65
|
-
|
43
|
+
*Arlston Fernandes*
|
66
44
|
|
67
|
-
|
45
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
68
46
|
|
69
|
-
*
|
47
|
+
*Rafael Mendonça França*
|
70
48
|
|
71
|
-
|
72
|
-
would be converted to a string implicity, e.g:
|
49
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
73
50
|
|
74
|
-
|
51
|
+
*Rafael Mendonça França*
|
75
52
|
|
76
|
-
|
53
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
77
54
|
|
78
|
-
|
55
|
+
*Rafael Mendonça França*
|
79
56
|
|
80
|
-
|
57
|
+
* Added support for exclusive no-store Cache-Control header.
|
81
58
|
|
82
|
-
|
59
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
83
60
|
|
84
|
-
*
|
61
|
+
*Chris Kruger*
|
85
62
|
|
86
|
-
*
|
63
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
87
64
|
|
88
|
-
|
65
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
66
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
89
67
|
|
90
|
-
*
|
68
|
+
*Adrianna Chang*
|
91
69
|
|
92
|
-
|
70
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
93
71
|
|
72
|
+
*Gannon McGibbon*
|
94
73
|
|
95
|
-
|
74
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
96
75
|
|
97
|
-
*
|
76
|
+
*Alan Tan*, *Oz Ben-David*
|
98
77
|
|
78
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
79
|
+
a 308 redirection.
|
99
80
|
|
100
|
-
|
81
|
+
*Alan Tan*
|
101
82
|
|
102
|
-
*
|
83
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
84
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
103
85
|
|
104
|
-
|
105
|
-
there are none.
|
86
|
+
*Jonathan Hefner*
|
106
87
|
|
107
|
-
|
88
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
108
89
|
|
109
|
-
|
90
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
91
|
+
Brotli files are preferred due to much better compression.
|
110
92
|
|
111
|
-
|
93
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
94
|
+
we check for public/some.js.br and serve that file, if present, with
|
95
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
112
96
|
|
113
|
-
*
|
114
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
115
|
-
parameters.
|
97
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
116
98
|
|
117
|
-
|
99
|
+
* Add raise_on_missing_translations support for controllers.
|
118
100
|
|
119
|
-
|
101
|
+
This configuration determines whether an error should be raised for missing translations.
|
102
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
103
|
+
configuration also affects raising error for missing translations in views.
|
120
104
|
|
121
|
-
|
122
|
-
```
|
123
|
-
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
124
|
-
params.permit!
|
125
|
-
```
|
105
|
+
*fatkodima*
|
126
106
|
|
127
|
-
|
128
|
-
|
129
|
-
*Steve Hull*
|
130
|
-
|
131
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
132
|
-
`ActionController::TestCase` subclasses.
|
107
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
133
108
|
|
134
109
|
*Eugene Kenny*
|
135
110
|
|
136
|
-
*
|
137
|
-
|
138
|
-
Fixes #32597.
|
139
|
-
|
140
|
-
*Andrey Novikov*, *Andrew White*
|
141
|
-
|
142
|
-
* Only disable GPUs for headless Chrome on Windows.
|
143
|
-
|
144
|
-
It is not necessary anymore for Linux and macOS machines.
|
145
|
-
|
146
|
-
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
147
|
-
|
148
|
-
*Stefan Wrobel*
|
111
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
112
|
+
without passing a block now returns an enumerator.
|
149
113
|
|
150
|
-
*
|
114
|
+
*Eugene Kenny*
|
151
115
|
|
152
|
-
|
116
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
153
117
|
|
118
|
+
Previously the path had to be relative to `fixture_path`.
|
119
|
+
You can change your existing code as follow:
|
154
120
|
|
155
|
-
|
121
|
+
```ruby
|
122
|
+
# Before
|
123
|
+
fixture_file_upload('files/dog.png')
|
156
124
|
|
157
|
-
|
125
|
+
# After
|
126
|
+
fixture_file_upload('dog.png')
|
127
|
+
```
|
158
128
|
|
159
|
-
*
|
129
|
+
*Edouard Chin*
|
160
130
|
|
161
|
-
*
|
131
|
+
* Remove deprecated `force_ssl` at the controller level.
|
162
132
|
|
163
|
-
|
164
|
-
for a controller and/or specific actions.
|
133
|
+
*Rafael Mendonça França*
|
165
134
|
|
166
|
-
|
135
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
136
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
167
137
|
|
168
|
-
|
138
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
139
|
+
always pass a module object:
|
169
140
|
|
170
|
-
|
171
|
-
|
172
|
-
|
141
|
+
```ruby
|
142
|
+
helper UtilsHelper
|
143
|
+
```
|
173
144
|
|
174
|
-
|
145
|
+
which is recommended because it is simple and direct. When a string/symbol
|
146
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
147
|
+
that same module object.
|
175
148
|
|
176
|
-
*
|
177
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
149
|
+
*Xavier Noria*, *Jean Boussier*
|
178
150
|
|
179
|
-
|
151
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
180
152
|
|
181
|
-
*
|
182
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
153
|
+
*Nick Soracco*
|
183
154
|
|
184
|
-
|
155
|
+
* `url_for` will now use "https://" as the default protocol when
|
156
|
+
`Rails.application.config.force_ssl` is set to true.
|
185
157
|
|
186
|
-
*
|
158
|
+
*Jonathan Hefner*
|
187
159
|
|
188
|
-
|
189
|
-
normally requires the script-src attribute of the content security
|
190
|
-
policy to include 'unsafe-inline'.
|
160
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
191
161
|
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
162
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
163
|
+
them difficult to deal with. For example, the common practice of sending
|
164
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
165
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
197
166
|
|
198
|
-
|
199
|
-
|
200
|
-
|
201
|
-
however an improvement on a blanket permission for inline scripts.
|
167
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
168
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
169
|
+
for backwards compatibility.
|
202
170
|
|
203
|
-
|
204
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
171
|
+
*Scott Blum*
|
205
172
|
|
206
|
-
|
207
|
-
alert('Hello, World!');
|
208
|
-
<% end %>
|
173
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
209
174
|
|
210
|
-
|
175
|
+
In a distributed configuration like rolling update, users may observe
|
176
|
+
both old and new instances during deployment. Users may be served by a
|
177
|
+
new instance and then by an old instance.
|
211
178
|
|
212
|
-
|
179
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
180
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
181
|
+
from `false` to `true`, users may lose their sessions if they access the
|
182
|
+
server during deployment.
|
213
183
|
|
214
|
-
|
184
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
185
|
+
deployment, ensuring compatibility on both old and new instances.
|
215
186
|
|
216
|
-
|
187
|
+
*Masaki Hara*
|
217
188
|
|
218
|
-
|
219
|
-
def index
|
220
|
-
params.each do |name|
|
221
|
-
puts name
|
222
|
-
end
|
223
|
-
end
|
189
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
224
190
|
|
225
|
-
|
226
|
-
|
227
|
-
# param_two
|
191
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
192
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
228
193
|
|
229
|
-
|
194
|
+
*Keenan Brock*
|
230
195
|
|
231
|
-
|
196
|
+
* Fix possible information leak / session hijacking vulnerability.
|
232
197
|
|
233
|
-
|
234
|
-
|
235
|
-
params.each do |name, value|
|
236
|
-
puts name
|
237
|
-
end
|
238
|
-
end
|
198
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
199
|
+
gem dalli to be updated as well.
|
239
200
|
|
240
|
-
|
241
|
-
# param
|
242
|
-
# param_two
|
201
|
+
CVE-2019-16782.
|
243
202
|
|
244
|
-
|
203
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
245
204
|
|
246
|
-
|
205
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
206
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
207
|
+
from being correctly counted and reported.
|
247
208
|
|
248
|
-
|
209
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
210
|
+
root session.
|
249
211
|
|
250
|
-
|
251
|
-
user haven't specified manually another server.
|
212
|
+
Fixes #32142.
|
252
213
|
|
253
|
-
*
|
214
|
+
*Sam Bostock*
|
254
215
|
|
255
|
-
* Add
|
256
|
-
default headers set.
|
216
|
+
* Add SameSite protection to every written cookie.
|
257
217
|
|
258
|
-
|
218
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
219
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
259
220
|
|
260
|
-
|
221
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
261
222
|
|
262
|
-
|
223
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
263
224
|
|
264
|
-
|
225
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
265
226
|
|
266
|
-
|
267
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
268
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
269
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
270
|
-
path, it dumps binary into the terminal.
|
227
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
271
228
|
|
272
|
-
|
229
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
273
230
|
|
274
|
-
*
|
231
|
+
*Cédric Fabianski*
|
275
232
|
|
276
|
-
*
|
233
|
+
* Bring back the feature that allows loading external route files from the router.
|
277
234
|
|
278
|
-
|
235
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
236
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
237
|
+
that this wasn't fully the case and loading external route files from the router
|
238
|
+
can be helpful for applications with a really large set of routes.
|
239
|
+
Without this feature, application needs to implement routes reloading
|
240
|
+
themselves and it's not straightforward.
|
279
241
|
|
280
|
-
|
242
|
+
```ruby
|
243
|
+
# config/routes.rb
|
281
244
|
|
282
|
-
|
245
|
+
Rails.application.routes.draw do
|
246
|
+
draw(:admin)
|
247
|
+
end
|
283
248
|
|
284
|
-
|
249
|
+
# config/routes/admin.rb
|
285
250
|
|
286
|
-
|
251
|
+
get :foo, to: 'foo#bar'
|
252
|
+
```
|
287
253
|
|
288
|
-
|
289
|
-
header and then override within a controller. For more information
|
290
|
-
about the Content-Security-Policy header see MDN:
|
254
|
+
*Yehuda Katz*, *Edouard Chin*
|
291
255
|
|
292
|
-
|
256
|
+
* Fix system test driver option initialization for non-headless browsers.
|
293
257
|
|
294
|
-
|
258
|
+
*glaszig*
|
295
259
|
|
296
|
-
|
297
|
-
|
298
|
-
p.default_src :self, :https
|
299
|
-
p.font_src :self, :https, :data
|
300
|
-
p.img_src :self, :https, :data
|
301
|
-
p.object_src :none
|
302
|
-
p.script_src :self, :https
|
303
|
-
p.style_src :self, :https, :unsafe_inline
|
304
|
-
end
|
260
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
261
|
+
their payloads as `:request`.
|
305
262
|
|
306
|
-
|
263
|
+
*Austin Story*
|
307
264
|
|
308
|
-
|
309
|
-
|
310
|
-
content_security_policy do |p|
|
311
|
-
p.upgrade_insecure_requests true
|
312
|
-
end
|
313
|
-
end
|
265
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
266
|
+
request format but based on the block given.
|
314
267
|
|
315
|
-
|
316
|
-
class PostsController < ApplicationController
|
317
|
-
content_security_policy do |p|
|
318
|
-
p.base_uri "https://www.example.com"
|
319
|
-
end
|
320
|
-
end
|
268
|
+
Example:
|
321
269
|
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
326
|
-
end
|
270
|
+
```ruby
|
271
|
+
def my_action
|
272
|
+
respond_to do |format|
|
273
|
+
format.any { render(json: { foo: 'bar' }) }
|
327
274
|
end
|
275
|
+
end
|
328
276
|
|
329
|
-
|
330
|
-
|
331
|
-
configuration attribute, e.g;
|
332
|
-
|
333
|
-
# config/initializers/content_security_policy.rb
|
334
|
-
Rails.application.config.content_security_policy_report_only = true
|
335
|
-
|
336
|
-
# controller override
|
337
|
-
class PostsController < ApplicationController
|
338
|
-
content_security_policy_report_only only: :index
|
339
|
-
end
|
340
|
-
|
341
|
-
Note that this feature does not validate the header for performance
|
342
|
-
reasons since the header is calculated at runtime.
|
343
|
-
|
344
|
-
*Andrew White*
|
345
|
-
|
346
|
-
* Make `assert_recognizes` to traverse mounted engines.
|
347
|
-
|
348
|
-
*Yuichiro Kaneko*
|
349
|
-
|
350
|
-
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
277
|
+
get('my_action.csv')
|
278
|
+
```
|
351
279
|
|
352
|
-
|
280
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
281
|
+
is inaccurate since a JSON response is being rendered.
|
353
282
|
|
354
|
-
|
283
|
+
Now it correctly returns a `application/json` Content-Type.
|
355
284
|
|
356
|
-
|
357
|
-
different host. `allow_other_host` is `true` by default.
|
285
|
+
*Edouard Chin*
|
358
286
|
|
359
|
-
|
287
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
360
288
|
|
361
|
-
|
289
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
290
|
+
nested directory, causing issues with `tmp:clear`.
|
362
291
|
|
363
|
-
*
|
292
|
+
*Damir Zekic*
|
364
293
|
|
365
|
-
* Add
|
294
|
+
* Add `params.member?` to mimic Hash behavior.
|
366
295
|
|
367
|
-
|
296
|
+
*Younes Serraj*
|
368
297
|
|
369
|
-
|
298
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
370
299
|
|
371
|
-
*
|
300
|
+
* `:request` - the `ActionDispatch::Request`
|
301
|
+
* `:response` - the `ActionDispatch::Response`
|
372
302
|
|
373
|
-
*
|
303
|
+
*George Claghorn*
|
374
304
|
|
375
|
-
|
376
|
-
`
|
377
|
-
|
378
|
-
security.
|
305
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
306
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
307
|
+
from.
|
379
308
|
|
380
|
-
|
309
|
+
Fixes #37383.
|
381
310
|
|
382
|
-
*
|
311
|
+
*Norm Provost*
|
383
312
|
|
384
|
-
|
385
|
-
connection sharing and open request detection work correctly by default.
|
313
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
386
314
|
|
387
|
-
|
388
|
-
|
389
|
-
|
315
|
+
```ruby
|
316
|
+
# Use the debug level if a particular cookie is set.
|
317
|
+
class ApplicationController < ActionController::Base
|
318
|
+
log_at :debug, if: -> { cookies[:debug] }
|
319
|
+
end
|
320
|
+
```
|
390
321
|
|
391
|
-
|
392
|
-
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
322
|
+
*George Claghorn*
|
393
323
|
|
394
|
-
|
324
|
+
* Allow system test screen shots to be taken more than once in
|
325
|
+
a test by prefixing the file name with an incrementing counter.
|
395
326
|
|
396
|
-
|
327
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
328
|
+
enable saving of HTML during a screenshot in addition to the image.
|
329
|
+
This uses the same image name, with the extension replaced with `.html`
|
397
330
|
|
398
|
-
*
|
331
|
+
*Tom Fakes*
|
399
332
|
|
400
|
-
|
333
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
401
334
|
|
402
|
-
|
403
|
-
|
404
|
-
|
335
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
336
|
+
header to determine what to return. And if we don't add `Vary`
|
337
|
+
in the response header, browsers might accidentally cache different
|
338
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
339
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
340
|
+
in these types of requests. For more detailed problem description, please read:
|
405
341
|
|
406
|
-
|
342
|
+
https://github.com/rails/rails/pull/36213
|
407
343
|
|
408
|
-
|
344
|
+
Fixes #25842.
|
409
345
|
|
410
|
-
*
|
346
|
+
*Stan Lo*
|
411
347
|
|
412
|
-
|
348
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
349
|
+
a 307 redirection.
|
413
350
|
|
414
|
-
*
|
351
|
+
*Edouard Chin*
|
415
352
|
|
416
|
-
*
|
353
|
+
* System tests require Capybara 3.26 or newer.
|
417
354
|
|
418
|
-
|
419
|
-
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
420
|
-
use the response helpers provided by `Rack::Response`.
|
355
|
+
*George Claghorn*
|
421
356
|
|
422
|
-
|
357
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
423
358
|
|
424
|
-
*
|
359
|
+
*Alberto Fernández-Capel*
|
425
360
|
|
426
|
-
|
427
|
-
add it to `ActionController::Base` depending on
|
428
|
-
`config.action_controller.default_protect_from_forgery`. This configuration
|
429
|
-
defaults to false to support older versions which have removed it from their
|
430
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
361
|
+
* Add DSL for configuring HTTP Feature Policy.
|
431
362
|
|
432
|
-
|
363
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
364
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
365
|
+
specification and guidelines can be found at MDN:
|
433
366
|
|
434
|
-
|
367
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
435
368
|
|
436
|
-
|
369
|
+
Example global policy:
|
437
370
|
|
438
|
-
|
371
|
+
```ruby
|
372
|
+
Rails.application.config.feature_policy do |f|
|
373
|
+
f.camera :none
|
374
|
+
f.gyroscope :none
|
375
|
+
f.microphone :none
|
376
|
+
f.usb :none
|
377
|
+
f.fullscreen :self
|
378
|
+
f.payment :self, "https://secure.example.com"
|
379
|
+
end
|
380
|
+
```
|
439
381
|
|
440
|
-
|
441
|
-
`driven_by` will register the driver and set additional options passed via
|
442
|
-
the `:options` parameter.
|
382
|
+
Example controller level policy:
|
443
383
|
|
444
|
-
|
384
|
+
```ruby
|
385
|
+
class PagesController < ApplicationController
|
386
|
+
feature_policy do |p|
|
387
|
+
p.geolocation "https://example.com"
|
388
|
+
end
|
389
|
+
end
|
390
|
+
```
|
445
391
|
|
446
|
-
*
|
392
|
+
*Jacob Bednarz*
|
447
393
|
|
448
|
-
*
|
394
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
449
395
|
|
450
|
-
|
451
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
452
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
453
|
-
this new mode is enabled via the
|
454
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
396
|
+
Fixes #35137.
|
455
397
|
|
456
|
-
*
|
398
|
+
*Yuji Yaginuma*
|
457
399
|
|
458
|
-
*
|
400
|
+
* Keep part when scope option has value.
|
459
401
|
|
460
|
-
|
461
|
-
|
402
|
+
When a route was defined within an optional scope, if that route didn't
|
403
|
+
take parameters the scope was lost when using path helpers. This commit
|
404
|
+
ensures scope is kept both when the route takes parameters or when it
|
405
|
+
doesn't.
|
462
406
|
|
463
|
-
|
407
|
+
Fixes #33219.
|
464
408
|
|
465
|
-
*
|
466
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
467
|
-
to support it.
|
409
|
+
*Alberto Almagro*
|
468
410
|
|
469
|
-
|
411
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
470
412
|
|
471
|
-
*
|
413
|
+
*Gustavo Gutierrez*
|
472
414
|
|
473
|
-
|
474
|
-
|
475
|
-
may not exist in a certain implementation.
|
415
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
416
|
+
an enumerator for the parameters instead of the underlying hash.
|
476
417
|
|
477
|
-
|
418
|
+
*Eugene Kenny*
|
478
419
|
|
479
|
-
|
420
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
421
|
+
It should only block invalid key's values instead.
|
480
422
|
|
481
|
-
*
|
423
|
+
*Stan Lo*
|
482
424
|
|
483
425
|
|
484
|
-
Please check [
|
426
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|