actionpack 5.2.4.5 → 6.0.0.beta1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (107) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +111 -384
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +1 -1
  5. data/lib/abstract_controller/base.rb +4 -2
  6. data/lib/abstract_controller/caching/fragments.rb +6 -21
  7. data/lib/abstract_controller/callbacks.rb +12 -0
  8. data/lib/abstract_controller/collector.rb +1 -1
  9. data/lib/abstract_controller/helpers.rb +2 -2
  10. data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
  11. data/lib/action_controller.rb +1 -0
  12. data/lib/action_controller/api.rb +2 -1
  13. data/lib/action_controller/base.rb +2 -7
  14. data/lib/action_controller/caching.rb +1 -1
  15. data/lib/action_controller/log_subscriber.rb +8 -5
  16. data/lib/action_controller/metal.rb +2 -2
  17. data/lib/action_controller/metal/conditional_get.rb +9 -3
  18. data/lib/action_controller/metal/data_streaming.rb +5 -6
  19. data/lib/action_controller/metal/default_headers.rb +17 -0
  20. data/lib/action_controller/metal/exceptions.rb +22 -1
  21. data/lib/action_controller/metal/flash.rb +5 -5
  22. data/lib/action_controller/metal/force_ssl.rb +17 -57
  23. data/lib/action_controller/metal/head.rb +1 -1
  24. data/lib/action_controller/metal/helpers.rb +1 -2
  25. data/lib/action_controller/metal/http_authentication.rb +20 -21
  26. data/lib/action_controller/metal/implicit_render.rb +2 -12
  27. data/lib/action_controller/metal/instrumentation.rb +3 -5
  28. data/lib/action_controller/metal/live.rb +28 -26
  29. data/lib/action_controller/metal/mime_responds.rb +13 -2
  30. data/lib/action_controller/metal/params_wrapper.rb +18 -14
  31. data/lib/action_controller/metal/redirecting.rb +32 -11
  32. data/lib/action_controller/metal/rendering.rb +1 -1
  33. data/lib/action_controller/metal/request_forgery_protection.rb +26 -40
  34. data/lib/action_controller/metal/strong_parameters.rb +57 -34
  35. data/lib/action_controller/metal/url_for.rb +1 -1
  36. data/lib/action_controller/railties/helpers.rb +1 -1
  37. data/lib/action_controller/renderer.rb +15 -2
  38. data/lib/action_controller/test_case.rb +3 -7
  39. data/lib/action_dispatch.rb +7 -6
  40. data/lib/action_dispatch/http/cache.rb +14 -10
  41. data/lib/action_dispatch/http/content_disposition.rb +45 -0
  42. data/lib/action_dispatch/http/content_security_policy.rb +9 -8
  43. data/lib/action_dispatch/http/filter_parameters.rb +8 -6
  44. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  45. data/lib/action_dispatch/http/headers.rb +1 -1
  46. data/lib/action_dispatch/http/mime_negotiation.rb +7 -10
  47. data/lib/action_dispatch/http/mime_type.rb +1 -5
  48. data/lib/action_dispatch/http/parameter_filter.rb +5 -79
  49. data/lib/action_dispatch/http/parameters.rb +13 -3
  50. data/lib/action_dispatch/http/request.rb +10 -13
  51. data/lib/action_dispatch/http/response.rb +14 -14
  52. data/lib/action_dispatch/http/upload.rb +5 -0
  53. data/lib/action_dispatch/http/url.rb +81 -81
  54. data/lib/action_dispatch/journey/formatter.rb +1 -1
  55. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
  56. data/lib/action_dispatch/journey/nodes/node.rb +9 -8
  57. data/lib/action_dispatch/journey/path/pattern.rb +3 -4
  58. data/lib/action_dispatch/journey/router.rb +0 -3
  59. data/lib/action_dispatch/journey/router/utils.rb +10 -10
  60. data/lib/action_dispatch/journey/scanner.rb +11 -4
  61. data/lib/action_dispatch/journey/visitors.rb +1 -1
  62. data/lib/action_dispatch/middleware/callbacks.rb +2 -4
  63. data/lib/action_dispatch/middleware/cookies.rb +49 -70
  64. data/lib/action_dispatch/middleware/debug_exceptions.rb +32 -58
  65. data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
  66. data/lib/action_dispatch/middleware/debug_view.rb +50 -0
  67. data/lib/action_dispatch/middleware/exception_wrapper.rb +36 -7
  68. data/lib/action_dispatch/middleware/flash.rb +1 -1
  69. data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
  70. data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
  71. data/lib/action_dispatch/middleware/request_id.rb +2 -2
  72. data/lib/action_dispatch/middleware/session/abstract_store.rb +0 -14
  73. data/lib/action_dispatch/middleware/session/cache_store.rb +6 -11
  74. data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -27
  75. data/lib/action_dispatch/middleware/ssl.rb +8 -8
  76. data/lib/action_dispatch/middleware/stack.rb +2 -2
  77. data/lib/action_dispatch/middleware/static.rb +5 -6
  78. data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
  79. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
  80. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
  81. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
  82. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +20 -2
  83. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +4 -4
  84. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  85. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
  86. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
  87. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
  88. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
  89. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
  90. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
  91. data/lib/action_dispatch/railtie.rb +1 -0
  92. data/lib/action_dispatch/request/session.rb +8 -6
  93. data/lib/action_dispatch/routing.rb +3 -2
  94. data/lib/action_dispatch/routing/inspector.rb +99 -50
  95. data/lib/action_dispatch/routing/mapper.rb +36 -29
  96. data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
  97. data/lib/action_dispatch/routing/route_set.rb +11 -12
  98. data/lib/action_dispatch/routing/url_for.rb +1 -0
  99. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +3 -3
  100. data/lib/action_dispatch/testing/assertions/response.rb +2 -3
  101. data/lib/action_dispatch/testing/assertions/routing.rb +7 -2
  102. data/lib/action_dispatch/testing/integration.rb +11 -4
  103. data/lib/action_dispatch/testing/test_process.rb +2 -2
  104. data/lib/action_dispatch/testing/test_response.rb +4 -32
  105. data/lib/action_pack.rb +1 -1
  106. data/lib/action_pack/gem_version.rb +4 -4
  107. metadata +22 -20
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8458248b602da029b1e9113db9f0305888fdf99bf83ea4fe679ad0ed49b22175
4
- data.tar.gz: '085825f1ed9d286aa92cf5fa06fb039534331030d5b70da304c237a492f7ded9'
3
+ metadata.gz: df5b083c08009f1025bfbf541400a4819b5620f5bb49aa3d4bbe0c056eae44b3
4
+ data.tar.gz: '0374579e1273c1d727e0bc94d7a73b3933d8c0f54e7196beedc61ea30d88209f'
5
5
  SHA512:
6
- metadata.gz: 7a6b62b3afeeb992a981128fbfab64944e897f20a0e75cbef6fd3d972108321ff440f7344935c8d196c1d1e6d3e08d64f040c6c5aa9ad63f06e9b78875da0c54
7
- data.tar.gz: 27a049710288451664d3672a6fb18fe505003d9bb91826408ab507d9de06fa9f1a877a2dfc6b9a9b91e32c0f122cdfd33b1bcd3802e64966e4388c17dcad08e6
6
+ metadata.gz: cb0e467dc8c10baa42df2d08d79b2f5caedad996d247523abf54713a542f6d49a01f120ca0b0faa6930ea89592bfe074979201adec97d33135a5877391a5d4bb
7
+ data.tar.gz: dee5cf35ce9af7e795d65bb2a44d5edb229439f5fbde0dde1c35e8d3cf2564c49ddf929a9d5499b3aa6248c42cf6f61ca2c75c85a623ba51f1dd6106750d3267
data/CHANGELOG.md CHANGED
@@ -1,58 +1,66 @@
1
- ## Rails 5.2.4.5 (February 10, 2021) ##
1
+ ## Rails 6.0.0.beta1 (January 18, 2019) ##
2
2
 
3
- * No changes.
3
+ * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
4
4
 
5
+ *Rafael Mendonça França*
5
6
 
6
- ## Rails 5.2.4.4 (September 09, 2020) ##
7
-
8
- * No changes.
9
-
10
-
11
- ## Rails 5.2.4.3 (May 18, 2020) ##
12
-
13
- * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
14
-
15
- * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
16
-
7
+ * Remove deprecated methods in `ActionDispatch::TestResponse`.
17
8
 
18
- ## Rails 5.2.4.1 (December 18, 2019) ##
9
+ `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
10
+ `#successful?`, `not_found?` and `server_error?`.
19
11
 
20
- * Fix possible information leak / session hijacking vulnerability.
12
+ *Rafael Mendonça França*
21
13
 
22
- The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
23
- gem dalli to be updated as well.
14
+ * Ensure external redirects are explicitly allowed
24
15
 
25
- CVE-2019-16782.
16
+ Add `fallback_location` and `allow_other_host` options to `redirect_to`.
26
17
 
18
+ *Gannon McGibbon*
27
19
 
28
- ## Rails 5.2.4 (November 27, 2019) ##
20
+ * Introduce ActionDispatch::HostAuthorization
29
21
 
30
- * No changes.
22
+ This is a new middleware that guards against DNS rebinding attacks by
23
+ white-listing the allowed hosts a request can be made to.
31
24
 
25
+ Each host is checked with the case operator (`#===`) to support `RegExp`,
26
+ `Proc`, `IPAddr` and custom objects as host allowances.
32
27
 
33
- ## Rails 5.2.3 (March 27, 2019) ##
28
+ *Genadi Samokovarov*
34
29
 
35
- * Allow using `public` and `no-cache` together in the the Cache Control header.
30
+ * Allow using `parsed_body` in `ActionController::TestCase`.
36
31
 
37
- Before this change, even if `public` was specified in the Cache Control header,
38
- it was excluded when `no-cache` was included. This change preserves the
39
- `public` value as is.
32
+ In addition to `ActionDispatch::IntegrationTest`, allow using
33
+ `parsed_body` in `ActionController::TestCase`:
40
34
 
41
- Fixes #34780.
35
+ ```
36
+ class SomeControllerTest < ActionController::TestCase
37
+ def test_some_action
38
+ post :action, body: { foo: 'bar' }
39
+ assert_equal({ "foo" => "bar" }, response.parsed_body)
40
+ end
41
+ end
42
+ ```
42
43
 
43
- *Yuji Yaginuma*
44
+ Fixes #34676.
44
45
 
45
- * Allow `nil` params for `ActionController::TestCase`.
46
+ *Tobias Bühlmann*
46
47
 
47
- *Ryo Nakamura*
48
+ * Raise an error on root route naming conflicts.
48
49
 
50
+ Raises an ArgumentError when multiple root routes are defined in the
51
+ same context instead of assigning nil names to subsequent roots.
49
52
 
50
- ## Rails 5.2.2.1 (March 11, 2019) ##
53
+ *Gannon McGibbon*
51
54
 
52
- * No changes.
55
+ * Allow rescue from parameter parse errors:
53
56
 
57
+ ```
58
+ rescue_from ActionDispatch::Http::Parameters::ParseError do
59
+ head :unauthorized
60
+ end
61
+ ```
54
62
 
55
- ## Rails 5.2.2 (December 04, 2018) ##
63
+ *Gannon McGibbon*, *Josh Cheek*
56
64
 
57
65
  * Reset Capybara sessions if failed system test screenshot raising an exception.
58
66
 
@@ -88,402 +96,121 @@
88
96
 
89
97
  *Andrew White*
90
98
 
91
- * Fix `rails routes -c` for controller name consists of multiple word.
92
-
93
- *Yoshiyuki Kinjo*
94
-
95
- * Call the `#redirect_to` block in controller context.
96
-
97
- *Steven Peckins*
98
-
99
-
100
- ## Rails 5.2.1.1 (November 27, 2018) ##
101
-
102
- * No changes.
103
-
104
-
105
- ## Rails 5.2.1 (August 07, 2018) ##
106
-
107
- * Prevent `?null=` being passed on JSON encoded test requests.
108
-
109
- `RequestEncoder#encode_params` won't attempt to parse params if
110
- there are none.
111
-
112
- So call like this will no longer append a `?null=` query param.
113
-
114
- get foos_url, as: :json
115
-
116
- *Alireza Bashiri*
117
-
118
- * Ensure `ActionController::Parameters#transform_values` and
119
- `ActionController::Parameters#transform_values!` converts hashes into
120
- parameters.
121
-
122
- *Kevin Sjöberg*
123
-
124
- * Fix strong parameters `permit!` with nested arrays.
125
-
126
- Given:
127
- ```
128
- params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
129
- params.permit!
130
- ```
131
-
132
- `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
133
-
134
- *Steve Hull*
135
-
136
- * Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
137
- `ActionController::TestCase` subclasses.
138
-
139
- *Eugene Kenny*
140
-
141
- * Output only one Content-Security-Policy nonce header value per request.
142
-
143
- Fixes #32597.
144
-
145
- *Andrey Novikov*, *Andrew White*
146
-
147
- * Only disable GPUs for headless Chrome on Windows.
148
-
149
- It is not necessary anymore for Linux and macOS machines.
150
-
151
- https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
152
-
153
- *Stefan Wrobel*
154
-
155
- * Fix system tests transactions not closed between examples.
156
-
157
- *Sergey Tarasov*
158
-
159
-
160
- ## Rails 5.2.0 (April 09, 2018) ##
161
-
162
- * Check exclude before flagging cookies as secure.
163
-
164
- *Catherine Khuu*
165
-
166
- * Always yield a CSP policy instance from `content_security_policy`
167
-
168
- This allows a controller action to enable the policy individually
169
- for a controller and/or specific actions.
170
-
171
- *Andrew White*
172
-
173
- * Add the ability to disable the global CSP in a controller, e.g:
174
-
175
- class LegacyPagesController < ApplicationController
176
- content_security_policy false, only: :index
177
- end
178
-
179
- *Andrew White*
180
-
181
- * Add alias method `to_hash` to `to_h` for `cookies`.
182
- Add alias method `to_h` to `to_hash` for `session`.
183
-
184
- *Igor Kasyanchuk*
185
-
186
- * Update the default HSTS max-age value to 31536000 seconds (1 year)
187
- to meet the minimum max-age requirement for https://hstspreload.org/.
188
-
189
- *Grant Bourque*
99
+ * Add `ActionController::Parameters#each_value`.
190
100
 
191
- * Add support for automatic nonce generation for Rails UJS.
101
+ *Lukáš Zapletal*
192
102
 
193
- Because the UJS library creates a script tag to process responses it
194
- normally requires the script-src attribute of the content security
195
- policy to include 'unsafe-inline'.
103
+ * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
196
104
 
197
- To work around this we generate a per-request nonce value that is
198
- embedded in a meta tag in a similar fashion to how CSRF protection
199
- embeds its token in a meta tag. The UJS library can then read the
200
- nonce value and set it on the dynamically generated script tag to
201
- enable it to execute without needing 'unsafe-inline' enabled.
105
+ *Yoshiyuki Kinjo*
202
106
 
203
- Nonce generation isn't 100% safe - if your script tag is including
204
- user generated content in someway then it may be possible to exploit
205
- an XSS vulnerability which can take advantage of the nonce. It is
206
- however an improvement on a blanket permission for inline scripts.
107
+ * Encode Content-Disposition filenames on `send_data` and `send_file`.
108
+ Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
109
+ `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
110
+ garbled.
111
+ Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
112
+ [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
113
+ `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
114
+ Most browsers can find filename correctly and old browsers fallback to ASCII
115
+ converted name.
207
116
 
208
- It is also possible to use the nonce within your own script tags by
209
- using `nonce: true` to set the nonce value on the tag, e.g
117
+ *Fumiaki Matsushima*
210
118
 
211
- <%= javascript_tag nonce: true do %>
212
- alert('Hello, World!');
213
- <% end %>
119
+ * Expose `ActionController::Parameters#each_key` which allows iterating over
120
+ keys without allocating an array.
214
121
 
215
- Fixes #31689.
122
+ *Richard Schneeman*
216
123
 
217
- *Andrew White*
124
+ * Purpose metadata for signed/encrypted cookies.
218
125
 
219
- * Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
126
+ Rails can now thwart attacks that attempt to copy signed/encrypted value
127
+ of a cookie and use it as the value of another cookie.
220
128
 
221
- Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
129
+ It does so by stashing the cookie-name in the purpose field which is
130
+ then signed/encrypted along with the cookie value. Then, on a server-side
131
+ read, we verify the cookie-names and discard any attacked cookies.
222
132
 
223
- # Parameters: {"param"=>"1", "param_two"=>"2"}
224
- def index
225
- params.each do |name|
226
- puts name
227
- end
228
- end
133
+ Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
134
+ writes cookies with the new purpose and expiry metadata embedded.
229
135
 
230
- # Prints
231
- # param
232
- # param_two
136
+ *Assain Jaleel*
233
137
 
234
- In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
138
+ * Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
235
139
 
236
- To fix the code above simply change as per example below:
140
+ `respond_to` can match multiple types and lead to undefined behavior when
141
+ multiple invocations are made and the types do not match:
237
142
 
238
- # Parameters: {"param"=>"1", "param_two"=>"2"}
239
- def index
240
- params.each do |name, value|
241
- puts name
143
+ respond_to do |outer_type|
144
+ outer_type.js do
145
+ respond_to do |inner_type|
146
+ inner_type.html { render body: "HTML" }
147
+ end
242
148
  end
243
149
  end
244
150
 
245
- # Prints
246
- # param
247
- # param_two
248
-
249
- *Dominic Cleal*
250
-
251
- * Add `Referrer-Policy` header to default headers set.
252
-
253
- *Guillermo Iguaran*
254
-
255
- * Changed the system tests to set Puma as default server only when the
256
- user haven't specified manually another server.
151
+ *Patrick Toomey*
257
152
 
258
- *Guillermo Iguaran*
153
+ * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
259
154
 
260
- * Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
261
- default headers set.
155
+ This allows uploaded file objects to be passed directly to `File.read`
156
+ without raising a `TypeError`:
262
157
 
263
- *Guillermo Iguaran*
158
+ uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
159
+ File.read(uploaded_file)
264
160
 
265
- * Add headless firefox support to System Tests.
161
+ *Aaron Kromer*
266
162
 
267
- *bogdanvlviv*
163
+ * Pass along arguments to underlying `get` method in `follow_redirect!`.
268
164
 
269
- * Changed the default system test screenshot output from `inline` to `simple`.
165
+ Now all arguments passed to `follow_redirect!` are passed to the underlying
166
+ `get` method. This for example allows to set custom headers for the
167
+ redirection request to the server.
270
168
 
271
- `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
272
- Terminal.app ignore the `inline` and output the path to the file since it can't
273
- render the image. Other terminals, like those on Ubuntu, cannot handle the image
274
- inline, but also don't handle it gracefully and instead of outputting the file
275
- path, it dumps binary into the terminal.
169
+ follow_redirect!(params: { foo: :bar })
276
170
 
277
- Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
171
+ *Remo Fritzsche*
278
172
 
279
- *Eileen M. Uchitelle*
173
+ * Introduce a new error page to when the implicit render page is accessed in the browser.
280
174
 
281
- * Register most popular audio/video/font mime types supported by modern browsers.
175
+ Now instead of showing an error page that with exception and backtraces we now show only
176
+ one informative page.
282
177
 
283
- *Guillermo Iguaran*
178
+ *Vinicius Stock*
284
179
 
285
- * Fix optimized url helpers when using relative url root.
180
+ * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
286
181
 
287
- Fixes #31220.
182
+ Exception aware plugin authors can use the newly introduced
183
+ `.register_interceptor` method to get the processed exception, instead of
184
+ monkey patching DebugExceptions.
288
185
 
289
- *Andrew White*
290
-
291
- * Add DSL for configuring Content-Security-Policy header.
292
-
293
- The DSL allows you to configure a global Content-Security-Policy
294
- header and then override within a controller. For more information
295
- about the Content-Security-Policy header see MDN:
296
-
297
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
298
-
299
- Example global policy:
300
-
301
- # config/initializers/content_security_policy.rb
302
- Rails.application.config.content_security_policy do |p|
303
- p.default_src :self, :https
304
- p.font_src :self, :https, :data
305
- p.img_src :self, :https, :data
306
- p.object_src :none
307
- p.script_src :self, :https
308
- p.style_src :self, :https, :unsafe_inline
309
- end
310
-
311
- Example controller overrides:
312
-
313
- # Override policy inline
314
- class PostsController < ApplicationController
315
- content_security_policy do |p|
316
- p.upgrade_insecure_requests true
317
- end
186
+ ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
187
+ HypoteticalPlugin.capture_exception(request, exception)
318
188
  end
319
189
 
320
- # Using literal values
321
- class PostsController < ApplicationController
322
- content_security_policy do |p|
323
- p.base_uri "https://www.example.com"
324
- end
325
- end
326
-
327
- # Using mixed static and dynamic values
328
- class PostsController < ApplicationController
329
- content_security_policy do |p|
330
- p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
331
- end
332
- end
333
-
334
- Allows you to also only report content violations for migrating
335
- legacy content using the `content_security_policy_report_only`
336
- configuration attribute, e.g;
337
-
338
- # config/initializers/content_security_policy.rb
339
- Rails.application.config.content_security_policy_report_only = true
340
-
341
- # controller override
342
- class PostsController < ApplicationController
343
- content_security_policy_report_only only: :index
344
- end
345
-
346
- Note that this feature does not validate the header for performance
347
- reasons since the header is calculated at runtime.
348
-
349
- *Andrew White*
350
-
351
- * Make `assert_recognizes` to traverse mounted engines.
352
-
353
- *Yuichiro Kaneko*
354
-
355
- * Remove deprecated `ActionController::ParamsParser::ParseError`.
356
-
357
- *Rafael Mendonça França*
358
-
359
- * Add `:allow_other_host` option to `redirect_back` method.
360
-
361
- When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
362
- different host. `allow_other_host` is `true` by default.
363
-
364
- *Tim Masliuchenko*
365
-
366
- * Add headless chrome support to System Tests.
367
-
368
- *Yuji Yaginuma*
369
-
370
- * Add ability to enable Early Hints for HTTP/2
371
-
372
- If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
373
-
374
- The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
375
-
376
- *Eileen M. Uchitelle*, *Aaron Patterson*
377
-
378
- * Simplify cookies middleware with key rotation support
190
+ *Genadi Samokovarov*
379
191
 
380
- Use the `rotate` method for both `MessageEncryptor` and
381
- `MessageVerifier` to add key rotation support for encrypted and
382
- signed cookies. This also helps simplify support for legacy cookie
383
- security.
384
-
385
- *Michael J Coyne*
386
-
387
- * Use Capybara registered `:puma` server config.
388
-
389
- The Capybara registered `:puma` server ensures the puma server is run in process so
390
- connection sharing and open request detection work correctly by default.
391
-
392
- *Thomas Walpole*
393
-
394
- * Cookies `:expires` option supports `ActiveSupport::Duration` object.
395
-
396
- cookies[:user_name] = { value: "assain", expires: 1.hour }
397
- cookies[:key] = { value: "a yummy cookie", expires: 6.months }
398
-
399
- Pull Request: #30121
400
-
401
- *Assain Jaleel*
402
-
403
- * Enforce signed/encrypted cookie expiry server side.
404
-
405
- Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
406
-
407
- It does so by stashing the expiry within the written cookie and relying on the
408
- signing/encrypting to vouch that it hasn't been tampered with. Then on a
409
- server-side read, the expiry is verified and any expired cookie is discarded.
410
-
411
- Pull Request: #30121
412
-
413
- *Assain Jaleel*
414
-
415
- * Make `take_failed_screenshot` work within engine.
416
-
417
- Fixes #30405.
418
-
419
- *Yuji Yaginuma*
420
-
421
- * Deprecate `ActionDispatch::TestResponse` response aliases.
422
-
423
- `#success?`, `#missing?` & `#error?` are not supported by the actual
424
- `ActionDispatch::Response` object and can produce false-positives. Instead,
425
- use the response helpers provided by `Rack::Response`.
426
-
427
- *Trevor Wistaff*
428
-
429
- * Protect from forgery by default
430
-
431
- Rather than protecting from forgery in the generated `ApplicationController`,
432
- add it to `ActionController::Base` depending on
433
- `config.action_controller.default_protect_from_forgery`. This configuration
434
- defaults to false to support older versions which have removed it from their
435
- `ApplicationController`, but is set to true for Rails 5.2.
436
-
437
- *Lisa Ugray*
438
-
439
- * Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
440
-
441
- *Kir Shatrov*
442
-
443
- * `driven_by` now registers poltergeist and capybara-webkit.
444
-
445
- If poltergeist or capybara-webkit are set as drivers is set for System Tests,
446
- `driven_by` will register the driver and set additional options passed via
447
- the `:options` parameter.
448
-
449
- Refer to the respective driver's documentation to see what options can be passed.
450
-
451
- *Mario Chavez*
452
-
453
- * AEAD encrypted cookies and sessions with GCM.
454
-
455
- Encrypted cookies now use AES-GCM which couples authentication and
456
- encryption in one faster step and produces shorter ciphertexts. Cookies
457
- encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
458
- this new mode is enabled via the
459
- `action_dispatch.use_authenticated_cookie_encryption` configuration value.
460
-
461
- *Michael J Coyne*
192
+ * Output only one Content-Security-Policy nonce header value per request.
462
193
 
463
- * Change the cache key format for fragments to make it easier to debug key churn. The new format is:
194
+ Fixes #32597.
464
195
 
465
- views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
466
- ^template path ^template tree digest ^class ^id
196
+ *Andrey Novikov*, *Andrew White*
467
197
 
468
- *DHH*
198
+ * Move default headers configuration into their own module that can be included in controllers.
469
199
 
470
- * Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
471
- `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
472
- to support it.
200
+ *Kevin Deisz*
473
201
 
474
- *DHH*
202
+ * Add method `dig` to `session`.
475
203
 
476
- * Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
204
+ *claudiob*, *Takumi Shotoku*
477
205
 
478
- `ActionController::Base` and `ActionController::API` have differing implementations. This means that
479
- the one umbrella hook `action_controller` is not able to address certain situations where a method
480
- may not exist in a certain implementation.
206
+ * Controller level `force_ssl` has been deprecated in favor of
207
+ `config.force_ssl`.
481
208
 
482
- This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
209
+ *Derek Prior*
483
210
 
484
- Fixes #27013.
211
+ * Rails 6 requires Ruby 2.5.0 or newer.
485
212
 
486
- *Julian Nadeau*
213
+ *Jeremy Daer*, *Kasper Timm Hansen*
487
214
 
488
215
 
489
- Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
216
+ Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.