actionpack 5.2.4.rc1 → 6.0.0.rc2
- checksums.yaml +4 -4
- data/CHANGELOG.md +179 -335
- data/MIT-LICENSE +1 -1
- data/README.rdoc +3 -2
- data/lib/abstract_controller/base.rb +4 -2
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/callbacks.rb +12 -0
- data/lib/abstract_controller/collector.rb +1 -1
- data/lib/abstract_controller/helpers.rb +2 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
- data/lib/abstract_controller/translation.rb +1 -0
- data/lib/action_controller.rb +1 -0
- data/lib/action_controller/api.rb +2 -1
- data/lib/action_controller/base.rb +2 -7
- data/lib/action_controller/caching.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +8 -5
- data/lib/action_controller/metal.rb +1 -1
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +9 -3
- data/lib/action_controller/metal/data_streaming.rb +5 -6
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +22 -1
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/force_ssl.rb +15 -56
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +3 -4
- data/lib/action_controller/metal/http_authentication.rb +20 -21
- data/lib/action_controller/metal/implicit_render.rb +4 -14
- data/lib/action_controller/metal/instrumentation.rb +3 -5
- data/lib/action_controller/metal/live.rb +29 -27
- data/lib/action_controller/metal/mime_responds.rb +13 -2
- data/lib/action_controller/metal/params_wrapper.rb +17 -13
- data/lib/action_controller/metal/redirecting.rb +5 -5
- data/lib/action_controller/metal/renderers.rb +1 -1
- data/lib/action_controller/metal/rendering.rb +2 -2
- data/lib/action_controller/metal/request_forgery_protection.rb +23 -12
- data/lib/action_controller/metal/strong_parameters.rb +63 -44
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +16 -3
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +3 -7
- data/lib/action_dispatch.rb +4 -1
- data/lib/action_dispatch/http/cache.rb +14 -10
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +28 -16
- data/lib/action_dispatch/http/filter_parameters.rb +8 -6
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +7 -5
- data/lib/action_dispatch/http/mime_type.rb +14 -6
- data/lib/action_dispatch/http/parameter_filter.rb +5 -79
- data/lib/action_dispatch/http/parameters.rb +13 -3
- data/lib/action_dispatch/http/request.rb +10 -13
- data/lib/action_dispatch/http/response.rb +33 -19
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +81 -81
- data/lib/action_dispatch/journey/formatter.rb +2 -2
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
- data/lib/action_dispatch/journey/nodes/node.rb +9 -8
- data/lib/action_dispatch/journey/path/pattern.rb +6 -2
- data/lib/action_dispatch/journey/route.rb +5 -4
- data/lib/action_dispatch/journey/router.rb +0 -3
- data/lib/action_dispatch/journey/router/utils.rb +10 -10
- data/lib/action_dispatch/journey/routes.rb +0 -1
- data/lib/action_dispatch/journey/scanner.rb +11 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +39 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +46 -72
- data/lib/action_dispatch/middleware/debug_exceptions.rb +39 -59
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +68 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +49 -15
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -2
- data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
- data/lib/action_dispatch/middleware/request_id.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +1 -6
- data/lib/action_dispatch/middleware/show_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/ssl.rb +8 -8
- data/lib/action_dispatch/middleware/stack.rb +33 -1
- data/lib/action_dispatch/middleware/static.rb +5 -6
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +7 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +4 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
- data/lib/action_dispatch/railtie.rb +3 -0
- data/lib/action_dispatch/request/session.rb +8 -0
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/routing/inspector.rb +99 -50
- data/lib/action_dispatch/routing/mapper.rb +60 -38
- data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
- data/lib/action_dispatch/routing/route_set.rb +24 -27
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/system_test_case.rb +23 -2
- data/lib/action_dispatch/system_testing/browser.rb +38 -7
- data/lib/action_dispatch/system_testing/driver.rb +10 -1
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +6 -5
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +7 -5
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +2 -3
- data/lib/action_dispatch/testing/assertions/routing.rb +15 -3
- data/lib/action_dispatch/testing/integration.rb +12 -5
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +2 -2
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +4 -4
- metadata +24 -13
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 26f4fec272345e80b305e73426e4663417440124270a5983ed336e1a9c42f557
|
4
|
+
data.tar.gz: 59685a9093f22dce01fc58fede17184c7574cb60a70e64ef594bef87ad6abadd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f68fa705893a264ffbda5af95e3ed0273f05db7daff281ebb9fafb123e8e42eca36f56a0e98a24a63b26856f2b528a3459ff8277df21e2a6282d329dd215a8cb
|
7
|
+
data.tar.gz: 3de347c592dd31a0c39216438ae0171f470e334ef6e357063130507630dc95ba78b158c544fda3fd24b2f16aebe77c0058bc534c725499cb85b2106794d28a67
|
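Review bot: the removed `metadata.gz:` and `data.tar.gz:` entries in both the SHA256 and SHA512 blocks show no digest value in this hunk, so the diff alone cannot establish what the 5.2.4.rc1 checksums were or that they were replaced rather than newly added; the new digests should be checked against the 6.0.0.rc2 gem fetched independently from the registry, not against this rendering, before the version bump is accepted.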
data/CHANGELOG.md
CHANGED
@@ -1,462 +1,306 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.0.0.rc2 (July 22, 2019) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
## Rails 5.2.3 (March 27, 2019) ##
|
7
|
-
|
8
|
-
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
9
|
-
|
10
|
-
Before this change, even if `public` was specified in the Cache Control header,
|
11
|
-
it was excluded when `no-cache` was included. This change preserves the
|
12
|
-
`public` value as is.
|
3
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
13
4
|
|
14
|
-
Fixes #
|
5
|
+
Fixes #35137.
|
15
6
|
|
16
7
|
*Yuji Yaginuma*
|
17
8
|
|
18
|
-
*
|
19
|
-
|
20
|
-
*Ryo Nakamura*
|
21
|
-
|
22
|
-
|
23
|
-
## Rails 5.2.2.1 (March 11, 2019) ##
|
24
|
-
|
25
|
-
* No changes.
|
9
|
+
* Keep part when scope option has value.
|
26
10
|
|
11
|
+
When a route was defined within an optional scope, if that route didn't
|
12
|
+
take parameters the scope was lost when using path helpers. This commit
|
13
|
+
ensures scope is kept both when the route takes parameters or when it
|
14
|
+
doesn't.
|
27
15
|
|
28
|
-
|
16
|
+
Fixes #33219
|
29
17
|
|
30
|
-
*
|
18
|
+
*Alberto Almagro*
|
31
19
|
|
32
|
-
|
33
|
-
in system test `after_teardown`.
|
20
|
+
* Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
|
34
21
|
|
35
|
-
|
22
|
+
Previously, `ActionDispatch::Response#content_type` returned value does NOT
|
23
|
+
contain charset part. This behavior changed to returned Content-Type header
|
24
|
+
containing charset part as it is.
|
36
25
|
|
37
|
-
|
26
|
+
If you want just MIME type, please use `ActionDispatch::Response#media_type`
|
27
|
+
instead.
|
38
28
|
|
39
|
-
|
40
|
-
|
41
|
-
|
29
|
+
Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
|
30
|
+
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
31
|
+
value as before version, but its behavior is deprecate.
|
42
32
|
|
43
|
-
|
44
|
-
|
45
|
-
*Andrew White*
|
46
|
-
|
47
|
-
* Apply mapping to symbols returned from dynamic CSP sources
|
48
|
-
|
49
|
-
Previously if a dynamic source returned a symbol such as :self it
|
50
|
-
would be converted to a string implicity, e.g:
|
51
|
-
|
52
|
-
policy.default_src -> { :self }
|
53
|
-
|
54
|
-
would generate the header:
|
55
|
-
|
56
|
-
Content-Security-Policy: default-src self
|
57
|
-
|
58
|
-
and now it generates:
|
59
|
-
|
60
|
-
Content-Security-Policy: default-src 'self'
|
61
|
-
|
62
|
-
*Andrew White*
|
63
|
-
|
64
|
-
* Fix `rails routes -c` for controller name consists of multiple word.
|
65
|
-
|
66
|
-
*Yoshiyuki Kinjo*
|
33
|
+
*Yuji Yaginuma*
|
67
34
|
|
68
|
-
*
|
35
|
+
* Calling `ActionController::Parameters#transform_keys/!` without a block now returns
|
36
|
+
an enumerator for the parameters instead of the underlying hash.
|
69
37
|
|
70
|
-
*
|
38
|
+
*Eugene Kenny*
|
71
39
|
|
40
|
+
* Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
|
72
41
|
|
73
|
-
|
42
|
+
*Yuki Nishijima*, *Stan Lo*
|
74
43
|
|
75
|
-
* No changes.
|
76
44
|
|
45
|
+
## Rails 6.0.0.rc1 (April 24, 2019) ##
|
77
46
|
|
78
|
-
|
47
|
+
* Make system tests take a failed screenshot in a `before_teardown` hook
|
48
|
+
rather than an `after_teardown` hook.
|
79
49
|
|
80
|
-
|
50
|
+
This helps minimize the time gap between when an assertion fails and when
|
51
|
+
the screenshot is taken (reducing the time in which the page could have
|
52
|
+
been dynamically updated after the assertion failed).
|
81
53
|
|
82
|
-
|
83
|
-
there are none.
|
54
|
+
*Richard Macklin*
|
84
55
|
|
85
|
-
|
56
|
+
* Introduce `ActionDispatch::ActionableExceptions`.
|
86
57
|
|
87
|
-
|
58
|
+
The `ActionDispatch::ActionableExceptions` middleware dispatches actions
|
59
|
+
from `ActiveSupport::ActionableError` descendants.
|
88
60
|
|
89
|
-
|
61
|
+
Actionable errors let's you dispatch actions from Rails' error pages.
|
90
62
|
|
91
|
-
*
|
92
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
93
|
-
parameters.
|
63
|
+
*Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
|
94
64
|
|
95
|
-
|
65
|
+
* Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
|
96
66
|
|
97
|
-
|
67
|
+
After this change it's not possible anymore to configure routes like this:
|
98
68
|
|
99
|
-
Given:
|
100
69
|
```
|
101
|
-
|
102
|
-
|
70
|
+
routes.draw do
|
71
|
+
resources :users, param: 'name/:sneaky'
|
72
|
+
end
|
103
73
|
```
|
104
74
|
|
105
|
-
|
106
|
-
|
107
|
-
*Steve Hull*
|
108
|
-
|
109
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
110
|
-
`ActionController::TestCase` subclasses.
|
111
|
-
|
112
|
-
*Eugene Kenny*
|
113
|
-
|
114
|
-
* Output only one Content-Security-Policy nonce header value per request.
|
115
|
-
|
116
|
-
Fixes #32597.
|
117
|
-
|
118
|
-
*Andrey Novikov*, *Andrew White*
|
119
|
-
|
120
|
-
* Only disable GPUs for headless Chrome on Windows.
|
121
|
-
|
122
|
-
It is not necessary anymore for Linux and macOS machines.
|
123
|
-
|
124
|
-
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
125
|
-
|
126
|
-
*Stefan Wrobel*
|
127
|
-
|
128
|
-
* Fix system tests transactions not closed between examples.
|
129
|
-
|
130
|
-
*Sergey Tarasov*
|
131
|
-
|
132
|
-
|
133
|
-
## Rails 5.2.0 (April 09, 2018) ##
|
75
|
+
Fixes #30467.
|
134
76
|
|
135
|
-
*
|
77
|
+
*Josua Schmid*
|
136
78
|
|
137
|
-
*Catherine Khuu*
|
138
79
|
|
139
|
-
|
140
|
-
|
141
|
-
This allows a controller action to enable the policy individually
|
142
|
-
for a controller and/or specific actions.
|
143
|
-
|
144
|
-
*Andrew White*
|
145
|
-
|
146
|
-
* Add the ability to disable the global CSP in a controller, e.g:
|
147
|
-
|
148
|
-
class LegacyPagesController < ApplicationController
|
149
|
-
content_security_policy false, only: :index
|
150
|
-
end
|
151
|
-
|
152
|
-
*Andrew White*
|
80
|
+
## Rails 6.0.0.beta3 (March 11, 2019) ##
|
153
81
|
|
154
|
-
*
|
155
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
156
|
-
|
157
|
-
*Igor Kasyanchuk*
|
82
|
+
* No changes.
|
158
83
|
|
159
|
-
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
160
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
161
84
|
|
162
|
-
|
85
|
+
## Rails 6.0.0.beta2 (February 25, 2019) ##
|
163
86
|
|
164
|
-
*
|
87
|
+
* Make debug exceptions works in an environment where ActiveStorage is not loaded.
|
165
88
|
|
166
|
-
|
167
|
-
normally requires the script-src attribute of the content security
|
168
|
-
policy to include 'unsafe-inline'.
|
89
|
+
*Tomoyuki Kurosawa*
|
169
90
|
|
170
|
-
|
171
|
-
|
172
|
-
embeds its token in a meta tag. The UJS library can then read the
|
173
|
-
nonce value and set it on the dynamically generated script tag to
|
174
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
91
|
+
* `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
|
92
|
+
to define specific browser capabilities.
|
175
93
|
|
176
|
-
|
177
|
-
user generated content in someway then it may be possible to exploit
|
178
|
-
an XSS vulnerability which can take advantage of the nonce. It is
|
179
|
-
however an improvement on a blanket permission for inline scripts.
|
94
|
+
*Edouard Chin*
|
180
95
|
|
181
|
-
It is also possible to use the nonce within your own script tags by
|
182
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
183
96
|
|
184
|
-
|
185
|
-
alert('Hello, World!');
|
186
|
-
<% end %>
|
97
|
+
## Rails 6.0.0.beta1 (January 18, 2019) ##
|
187
98
|
|
188
|
-
|
99
|
+
* Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
|
189
100
|
|
190
|
-
*
|
101
|
+
*Rafael Mendonça França*
|
191
102
|
|
192
|
-
*
|
103
|
+
* Remove deprecated methods in `ActionDispatch::TestResponse`.
|
193
104
|
|
194
|
-
|
105
|
+
`#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
|
106
|
+
`#successful?`, `not_found?` and `server_error?`.
|
195
107
|
|
196
|
-
|
197
|
-
def index
|
198
|
-
params.each do |name|
|
199
|
-
puts name
|
200
|
-
end
|
201
|
-
end
|
108
|
+
*Rafael Mendonça França*
|
202
109
|
|
203
|
-
|
204
|
-
# param
|
205
|
-
# param_two
|
110
|
+
* Introduce `ActionDispatch::HostAuthorization`.
|
206
111
|
|
207
|
-
|
112
|
+
This is a new middleware that guards against DNS rebinding attacks by
|
113
|
+
explicitly permitting the hosts a request can be made to.
|
208
114
|
|
209
|
-
|
115
|
+
Each host is checked with the case operator (`#===`) to support `Regexp`,
|
116
|
+
`Proc`, `IPAddr` and custom objects as host allowances.
|
210
117
|
|
211
|
-
|
212
|
-
def index
|
213
|
-
params.each do |name, value|
|
214
|
-
puts name
|
215
|
-
end
|
216
|
-
end
|
118
|
+
*Genadi Samokovarov*
|
217
119
|
|
218
|
-
|
219
|
-
# param
|
220
|
-
# param_two
|
120
|
+
* Allow using `parsed_body` in `ActionController::TestCase`.
|
221
121
|
|
222
|
-
|
122
|
+
In addition to `ActionDispatch::IntegrationTest`, allow using
|
123
|
+
`parsed_body` in `ActionController::TestCase`:
|
223
124
|
|
224
|
-
|
225
|
-
|
226
|
-
|
125
|
+
```
|
126
|
+
class SomeControllerTest < ActionController::TestCase
|
127
|
+
def test_some_action
|
128
|
+
post :action, body: { foo: 'bar' }
|
129
|
+
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
130
|
+
end
|
131
|
+
end
|
132
|
+
```
|
227
133
|
|
228
|
-
|
229
|
-
user haven't specified manually another server.
|
134
|
+
Fixes #34676.
|
230
135
|
|
231
|
-
*
|
136
|
+
*Tobias Bühlmann*
|
232
137
|
|
233
|
-
*
|
234
|
-
default headers set.
|
138
|
+
* Raise an error on root route naming conflicts.
|
235
139
|
|
236
|
-
|
140
|
+
Raises an `ArgumentError` when multiple root routes are defined in the
|
141
|
+
same context instead of assigning nil names to subsequent roots.
|
237
142
|
|
238
|
-
*
|
143
|
+
*Gannon McGibbon*
|
239
144
|
|
240
|
-
|
145
|
+
* Allow rescue from parameter parse errors:
|
241
146
|
|
242
|
-
|
147
|
+
```
|
148
|
+
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
149
|
+
head :unauthorized
|
150
|
+
end
|
151
|
+
```
|
243
152
|
|
244
|
-
|
245
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
246
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
247
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
248
|
-
path, it dumps binary into the terminal.
|
153
|
+
*Gannon McGibbon*, *Josh Cheek*
|
249
154
|
|
250
|
-
|
155
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
251
156
|
|
252
|
-
|
157
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
158
|
+
in system test `after_teardown`.
|
253
159
|
|
254
|
-
*
|
160
|
+
*Maxim Perepelitsa*
|
255
161
|
|
256
|
-
|
162
|
+
* Use request object for context if there's no controller
|
257
163
|
|
258
|
-
|
164
|
+
There is no controller instance when using a redirect route or a
|
165
|
+
mounted rack application so pass the request object as the context
|
166
|
+
when resolving dynamic CSP sources in this scenario.
|
259
167
|
|
260
|
-
Fixes #
|
168
|
+
Fixes #34200.
|
261
169
|
|
262
170
|
*Andrew White*
|
263
171
|
|
264
|
-
*
|
265
|
-
|
266
|
-
The DSL allows you to configure a global Content-Security-Policy
|
267
|
-
header and then override within a controller. For more information
|
268
|
-
about the Content-Security-Policy header see MDN:
|
269
|
-
|
270
|
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
271
|
-
|
272
|
-
Example global policy:
|
273
|
-
|
274
|
-
# config/initializers/content_security_policy.rb
|
275
|
-
Rails.application.config.content_security_policy do |p|
|
276
|
-
p.default_src :self, :https
|
277
|
-
p.font_src :self, :https, :data
|
278
|
-
p.img_src :self, :https, :data
|
279
|
-
p.object_src :none
|
280
|
-
p.script_src :self, :https
|
281
|
-
p.style_src :self, :https, :unsafe_inline
|
282
|
-
end
|
283
|
-
|
284
|
-
Example controller overrides:
|
285
|
-
|
286
|
-
# Override policy inline
|
287
|
-
class PostsController < ApplicationController
|
288
|
-
content_security_policy do |p|
|
289
|
-
p.upgrade_insecure_requests true
|
290
|
-
end
|
291
|
-
end
|
172
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
292
173
|
|
293
|
-
|
294
|
-
|
295
|
-
content_security_policy do |p|
|
296
|
-
p.base_uri "https://www.example.com"
|
297
|
-
end
|
298
|
-
end
|
174
|
+
Previously if a dynamic source returned a symbol such as :self it
|
175
|
+
would be converted to a string implicitly, e.g:
|
299
176
|
|
300
|
-
|
301
|
-
class PostsController < ApplicationController
|
302
|
-
content_security_policy do |p|
|
303
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
304
|
-
end
|
305
|
-
end
|
177
|
+
policy.default_src -> { :self }
|
306
178
|
|
307
|
-
|
308
|
-
legacy content using the `content_security_policy_report_only`
|
309
|
-
configuration attribute, e.g;
|
179
|
+
would generate the header:
|
310
180
|
|
311
|
-
|
312
|
-
Rails.application.config.content_security_policy_report_only = true
|
181
|
+
Content-Security-Policy: default-src self
|
313
182
|
|
314
|
-
|
315
|
-
class PostsController < ApplicationController
|
316
|
-
content_security_policy_report_only only: :index
|
317
|
-
end
|
183
|
+
and now it generates:
|
318
184
|
|
319
|
-
|
320
|
-
reasons since the header is calculated at runtime.
|
185
|
+
Content-Security-Policy: default-src 'self'
|
321
186
|
|
322
187
|
*Andrew White*
|
323
188
|
|
324
|
-
*
|
325
|
-
|
326
|
-
*Yuichiro Kaneko*
|
327
|
-
|
328
|
-
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
329
|
-
|
330
|
-
*Rafael Mendonça França*
|
331
|
-
|
332
|
-
* Add `:allow_other_host` option to `redirect_back` method.
|
333
|
-
|
334
|
-
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
335
|
-
different host. `allow_other_host` is `true` by default.
|
336
|
-
|
337
|
-
*Tim Masliuchenko*
|
189
|
+
* Add `ActionController::Parameters#each_value`.
|
338
190
|
|
339
|
-
*
|
191
|
+
*Lukáš Zapletal*
|
340
192
|
|
341
|
-
|
342
|
-
|
343
|
-
* Add ability to enable Early Hints for HTTP/2
|
344
|
-
|
345
|
-
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
346
|
-
|
347
|
-
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
348
|
-
|
349
|
-
*Eileen M. Uchitelle*, *Aaron Patterson*
|
193
|
+
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
|
350
194
|
|
351
|
-
*
|
195
|
+
*Yoshiyuki Kinjo*
|
352
196
|
|
353
|
-
|
354
|
-
`
|
355
|
-
|
356
|
-
|
197
|
+
* Encode Content-Disposition filenames on `send_data` and `send_file`.
|
198
|
+
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
199
|
+
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
200
|
+
garbled.
|
201
|
+
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
202
|
+
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
203
|
+
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
204
|
+
Most browsers can find filename correctly and old browsers fallback to ASCII
|
205
|
+
converted name.
|
357
206
|
|
358
|
-
*
|
207
|
+
*Fumiaki Matsushima*
|
359
208
|
|
360
|
-
*
|
209
|
+
* Expose `ActionController::Parameters#each_key` which allows iterating over
|
210
|
+
keys without allocating an array.
|
361
211
|
|
362
|
-
|
363
|
-
connection sharing and open request detection work correctly by default.
|
212
|
+
*Richard Schneeman*
|
364
213
|
|
365
|
-
|
214
|
+
* Purpose metadata for signed/encrypted cookies.
|
366
215
|
|
367
|
-
|
216
|
+
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
217
|
+
of a cookie and use it as the value of another cookie.
|
368
218
|
|
369
|
-
|
370
|
-
|
219
|
+
It does so by stashing the cookie-name in the purpose field which is
|
220
|
+
then signed/encrypted along with the cookie value. Then, on a server-side
|
221
|
+
read, we verify the cookie-names and discard any attacked cookies.
|
371
222
|
|
372
|
-
|
223
|
+
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
224
|
+
writes cookies with the new purpose and expiry metadata embedded.
|
373
225
|
|
374
226
|
*Assain Jaleel*
|
375
227
|
|
376
|
-
*
|
377
|
-
|
378
|
-
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
228
|
+
* Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
|
379
229
|
|
380
|
-
|
381
|
-
|
382
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
230
|
+
`respond_to` can match multiple types and lead to undefined behavior when
|
231
|
+
multiple invocations are made and the types do not match:
|
383
232
|
|
384
|
-
|
385
|
-
|
386
|
-
|
387
|
-
|
388
|
-
|
233
|
+
respond_to do |outer_type|
|
234
|
+
outer_type.js do
|
235
|
+
respond_to do |inner_type|
|
236
|
+
inner_type.html { render body: "HTML" }
|
237
|
+
end
|
238
|
+
end
|
239
|
+
end
|
389
240
|
|
390
|
-
|
241
|
+
*Patrick Toomey*
|
391
242
|
|
392
|
-
|
243
|
+
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
393
244
|
|
394
|
-
|
245
|
+
This allows uploaded file objects to be passed directly to `File.read`
|
246
|
+
without raising a `TypeError`:
|
395
247
|
|
396
|
-
|
397
|
-
|
398
|
-
use the response helpers provided by `Rack::Response`.
|
248
|
+
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
249
|
+
File.read(uploaded_file)
|
399
250
|
|
400
|
-
*
|
251
|
+
*Aaron Kromer*
|
401
252
|
|
402
|
-
*
|
253
|
+
* Pass along arguments to underlying `get` method in `follow_redirect!`
|
403
254
|
|
404
|
-
|
405
|
-
|
406
|
-
|
407
|
-
defaults to false to support older versions which have removed it from their
|
408
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
255
|
+
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
256
|
+
`get` method. This for example allows to set custom headers for the
|
257
|
+
redirection request to the server.
|
409
258
|
|
410
|
-
|
259
|
+
follow_redirect!(params: { foo: :bar })
|
411
260
|
|
412
|
-
*
|
261
|
+
*Remo Fritzsche*
|
413
262
|
|
414
|
-
|
263
|
+
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
415
264
|
|
416
|
-
|
265
|
+
Now instead of showing an error page that with exception and backtraces we now show only
|
266
|
+
one informative page.
|
417
267
|
|
418
|
-
|
419
|
-
`driven_by` will register the driver and set additional options passed via
|
420
|
-
the `:options` parameter.
|
268
|
+
*Vinicius Stock*
|
421
269
|
|
422
|
-
|
270
|
+
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
|
423
271
|
|
424
|
-
|
272
|
+
Exception aware plugin authors can use the newly introduced
|
273
|
+
`.register_interceptor` method to get the processed exception, instead of
|
274
|
+
monkey patching DebugExceptions.
|
425
275
|
|
426
|
-
|
276
|
+
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
277
|
+
HypoteticalPlugin.capture_exception(request, exception)
|
278
|
+
end
|
427
279
|
|
428
|
-
|
429
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
430
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
431
|
-
this new mode is enabled via the
|
432
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
280
|
+
*Genadi Samokovarov*
|
433
281
|
|
434
|
-
|
282
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
435
283
|
|
436
|
-
|
284
|
+
Fixes #32597.
|
437
285
|
|
438
|
-
|
439
|
-
^template path ^template tree digest ^class ^id
|
286
|
+
*Andrey Novikov*, *Andrew White*
|
440
287
|
|
441
|
-
|
288
|
+
* Move default headers configuration into their own module that can be included in controllers.
|
442
289
|
|
443
|
-
*
|
444
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
445
|
-
to support it.
|
290
|
+
*Kevin Deisz*
|
446
291
|
|
447
|
-
|
292
|
+
* Add method `dig` to `session`.
|
448
293
|
|
449
|
-
*
|
294
|
+
*claudiob*, *Takumi Shotoku*
|
450
295
|
|
451
|
-
|
452
|
-
|
453
|
-
may not exist in a certain implementation.
|
296
|
+
* Controller level `force_ssl` has been deprecated in favor of
|
297
|
+
`config.force_ssl`.
|
454
298
|
|
455
|
-
|
299
|
+
*Derek Prior*
|
456
300
|
|
457
|
-
|
301
|
+
* Rails 6 requires Ruby 2.5.0 or newer.
|
458
302
|
|
459
|
-
*
|
303
|
+
*Jeremy Daer*, *Kasper Timm Hansen*
|
460
304
|
|
461
305
|
|
462
|
-
Please check [5-
|
306
|
+
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|
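Review bot: several added changelog entries carry wording errors that will ship inside the released gem: in the `ActionDispatch::Response#content_type` entry "but its behavior is deprecate" should read "is deprecated", in the `ActionDispatch::ActionableExceptions` entry "Actionable errors let's you dispatch" should read "let you dispatch", and the `register_interceptor` example names `HypoteticalPlugin` where `HypotheticalPlugin` is intended. The `ActionDispatch::HostAuthorization` entry states that allowances are matched with the case operator (`#===`) and that `Regexp` objects are supported; since `Regexp#===` performs an unanchored match, a sentence reminding readers to anchor such patterns would prevent a loosely written allowance from admitting hosts the author did not mean to permit. Finally, the `ActionDispatch::Http::Parameters::ParseError` example responds with `head :unauthorized` to a malformed request body; a 400-class status such as `head :bad_request` describes that condition more accurately than 401 and avoids teaching readers to conflate parse failures with authentication failures.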