actionpack 5.2.4 → 6.0.2.1
Potentially problematic release.
- checksums.yaml +4 -4
- data/CHANGELOG.md +200 -317
- data/MIT-LICENSE +1 -1
- data/README.rdoc +3 -2
- data/lib/abstract_controller/base.rb +4 -2
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/callbacks.rb +12 -0
- data/lib/abstract_controller/collector.rb +1 -1
- data/lib/abstract_controller/helpers.rb +2 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
- data/lib/abstract_controller/translation.rb +1 -0
- data/lib/action_controller.rb +5 -1
- data/lib/action_controller/api.rb +2 -1
- data/lib/action_controller/base.rb +2 -7
- data/lib/action_controller/caching.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +8 -5
- data/lib/action_controller/metal.rb +1 -1
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +9 -3
- data/lib/action_controller/metal/data_streaming.rb +5 -6
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +23 -2
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/force_ssl.rb +15 -56
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +3 -4
- data/lib/action_controller/metal/http_authentication.rb +20 -21
- data/lib/action_controller/metal/implicit_render.rb +4 -14
- data/lib/action_controller/metal/instrumentation.rb +3 -5
- data/lib/action_controller/metal/live.rb +29 -27
- data/lib/action_controller/metal/mime_responds.rb +13 -2
- data/lib/action_controller/metal/params_wrapper.rb +17 -13
- data/lib/action_controller/metal/redirecting.rb +5 -5
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +2 -2
- data/lib/action_controller/metal/request_forgery_protection.rb +23 -12
- data/lib/action_controller/metal/strong_parameters.rb +63 -44
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +16 -3
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +2 -5
- data/lib/action_dispatch.rb +9 -6
- data/lib/action_dispatch/http/cache.rb +14 -10
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +28 -16
- data/lib/action_dispatch/http/filter_parameters.rb +8 -6
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +7 -5
- data/lib/action_dispatch/http/mime_type.rb +14 -6
- data/lib/action_dispatch/http/parameter_filter.rb +5 -79
- data/lib/action_dispatch/http/parameters.rb +13 -3
- data/lib/action_dispatch/http/request.rb +10 -13
- data/lib/action_dispatch/http/response.rb +40 -20
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +81 -81
- data/lib/action_dispatch/journey/formatter.rb +2 -2
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
- data/lib/action_dispatch/journey/nodes/node.rb +9 -8
- data/lib/action_dispatch/journey/path/pattern.rb +6 -2
- data/lib/action_dispatch/journey/route.rb +5 -4
- data/lib/action_dispatch/journey/router.rb +0 -3
- data/lib/action_dispatch/journey/router/utils.rb +10 -10
- data/lib/action_dispatch/journey/routes.rb +0 -1
- data/lib/action_dispatch/journey/scanner.rb +11 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +39 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +52 -74
- data/lib/action_dispatch/middleware/debug_exceptions.rb +39 -59
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +68 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +49 -15
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -2
- data/lib/action_dispatch/middleware/remote_ip.rb +9 -11
- data/lib/action_dispatch/middleware/request_id.rb +2 -2
- data/lib/action_dispatch/middleware/session/abstract_store.rb +14 -0
- data/lib/action_dispatch/middleware/session/cache_store.rb +11 -6
- data/lib/action_dispatch/middleware/session/cookie_store.rb +18 -13
- data/lib/action_dispatch/middleware/show_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/ssl.rb +8 -8
- data/lib/action_dispatch/middleware/stack.rb +33 -1
- data/lib/action_dispatch/middleware/static.rb +5 -6
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +7 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +4 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
- data/lib/action_dispatch/railtie.rb +7 -2
- data/lib/action_dispatch/request/session.rb +15 -1
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/routing/inspector.rb +99 -50
- data/lib/action_dispatch/routing/mapper.rb +61 -39
- data/lib/action_dispatch/routing/polymorphic_routes.rb +3 -4
- data/lib/action_dispatch/routing/route_set.rb +24 -27
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/system_test_case.rb +44 -5
- data/lib/action_dispatch/system_testing/browser.rb +38 -7
- data/lib/action_dispatch/system_testing/driver.rb +10 -1
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +6 -5
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +7 -6
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +2 -3
- data/lib/action_dispatch/testing/assertions/routing.rb +15 -3
- data/lib/action_dispatch/testing/integration.rb +12 -5
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +2 -2
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +4 -4
- metadata +34 -15
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fb4d2886c2ddd45b39d89f4adb1d70764435a236d046d4db4d703ad93318e464
|
4
|
+
data.tar.gz: 776bd2d00abd923d4a80437fb99fd77741d90ca0269b16ca2e03b3de99e966aa
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9858771c2bcabdc985dcd72927c56ec47fc4e54d3c1a1e0e116111fcf70046f8add6a4cde9448611552fae7131b6e87e68eec389212ff989174ebd7e997bb675
|
7
|
+
data.tar.gz: 3761566fbc2835aa652aee777633857b29e3dfab4556c3fc0a1f16ffa53f28cb3f7166fb42f04917bdf3df79e75320e0eea865f12ad4762deb6c5e0d47a969c8
|
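Review bot: the replaced SHA256 and SHA512 lines for metadata.gz and data.tar.gz carry no old values on this page (the `-` lines end at the key names), so the hunk cannot be compared against 5.2.4 here; verify the four new digests against the gem's published checksums for actionpack 6.0.2.1 before trusting the artifact, not against this diff.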
data/CHANGELOG.md
CHANGED
@@ -1,462 +1,345 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.0.2.1 (December 18, 2019) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Fix possible information leak / session hijacking vulnerability.
|
4
4
|
|
5
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
6
|
+
gem dalli to be updated as well.
|
5
7
|
|
6
|
-
|
8
|
+
CVE-2019-16782.
|
7
9
|
|
8
|
-
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
9
10
|
|
10
|
-
|
11
|
-
it was excluded when `no-cache` was included. This change preserves the
|
12
|
-
`public` value as is.
|
11
|
+
## Rails 6.0.2 (December 13, 2019) ##
|
13
12
|
|
14
|
-
|
13
|
+
* Allow using mountable engine route helpers in System Tests.
|
15
14
|
|
16
|
-
*
|
15
|
+
*Chalo Fernandez*
|
17
16
|
|
18
|
-
* Allow `nil` params for `ActionController::TestCase`.
|
19
17
|
|
20
|
-
|
18
|
+
## Rails 6.0.1 (November 5, 2019) ##
|
21
19
|
|
20
|
+
* `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
|
21
|
+
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
22
|
+
system tests.
|
22
23
|
|
23
|
-
|
24
|
+
*George Claghorn*, *Edouard Chin*
|
24
25
|
|
25
|
-
*
|
26
|
+
* Registered MIME types may contain extra flags:
|
26
27
|
|
28
|
+
```ruby
|
29
|
+
Mime::Type.register "text/html; fragment", :html_fragment
|
30
|
+
```
|
27
31
|
|
28
|
-
|
32
|
+
*Aaron Patterson*
|
29
33
|
|
30
|
-
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
31
34
|
|
32
|
-
|
33
|
-
in system test `after_teardown`.
|
35
|
+
## Rails 6.0.0 (August 16, 2019) ##
|
34
36
|
|
35
|
-
|
37
|
+
* No changes.
|
36
38
|
|
37
|
-
* Use request object for context if there's no controller
|
38
39
|
|
39
|
-
|
40
|
-
mounted rack application so pass the request object as the context
|
41
|
-
when resolving dynamic CSP sources in this scenario.
|
40
|
+
## Rails 6.0.0.rc2 (July 22, 2019) ##
|
42
41
|
|
43
|
-
|
42
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
44
43
|
|
45
|
-
|
44
|
+
Fixes #35137.
|
46
45
|
|
47
|
-
*
|
46
|
+
*Yuji Yaginuma*
|
48
47
|
|
49
|
-
|
50
|
-
would be converted to a string implicity, e.g:
|
48
|
+
* Keep part when scope option has value.
|
51
49
|
|
52
|
-
|
50
|
+
When a route was defined within an optional scope, if that route didn't
|
51
|
+
take parameters the scope was lost when using path helpers. This commit
|
52
|
+
ensures scope is kept both when the route takes parameters or when it
|
53
|
+
doesn't.
|
53
54
|
|
54
|
-
|
55
|
+
Fixes #33219
|
55
56
|
|
56
|
-
|
57
|
+
*Alberto Almagro*
|
57
58
|
|
58
|
-
|
59
|
+
* Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
|
59
60
|
|
60
|
-
|
61
|
+
Previously, `ActionDispatch::Response#content_type` returned value does NOT
|
62
|
+
contain charset part. This behavior changed to returned Content-Type header
|
63
|
+
containing charset part as it is.
|
61
64
|
|
62
|
-
|
65
|
+
If you want just MIME type, please use `ActionDispatch::Response#media_type`
|
66
|
+
instead.
|
63
67
|
|
64
|
-
|
68
|
+
Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
|
69
|
+
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
70
|
+
value as before version, but its behavior is deprecate.
|
65
71
|
|
66
|
-
*
|
72
|
+
*Yuji Yaginuma*
|
67
73
|
|
68
|
-
*
|
74
|
+
* Calling `ActionController::Parameters#transform_keys/!` without a block now returns
|
75
|
+
an enumerator for the parameters instead of the underlying hash.
|
69
76
|
|
70
|
-
*
|
77
|
+
*Eugene Kenny*
|
71
78
|
|
79
|
+
* Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
|
72
80
|
|
73
|
-
|
81
|
+
*Yuki Nishijima*, *Stan Lo*
|
74
82
|
|
75
|
-
* No changes.
|
76
83
|
|
84
|
+
## Rails 6.0.0.rc1 (April 24, 2019) ##
|
77
85
|
|
78
|
-
|
86
|
+
* Make system tests take a failed screenshot in a `before_teardown` hook
|
87
|
+
rather than an `after_teardown` hook.
|
79
88
|
|
80
|
-
|
89
|
+
This helps minimize the time gap between when an assertion fails and when
|
90
|
+
the screenshot is taken (reducing the time in which the page could have
|
91
|
+
been dynamically updated after the assertion failed).
|
81
92
|
|
82
|
-
|
83
|
-
there are none.
|
93
|
+
*Richard Macklin*
|
84
94
|
|
85
|
-
|
95
|
+
* Introduce `ActionDispatch::ActionableExceptions`.
|
86
96
|
|
87
|
-
|
97
|
+
The `ActionDispatch::ActionableExceptions` middleware dispatches actions
|
98
|
+
from `ActiveSupport::ActionableError` descendants.
|
88
99
|
|
89
|
-
|
100
|
+
Actionable errors let's you dispatch actions from Rails' error pages.
|
90
101
|
|
91
|
-
*
|
92
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
93
|
-
parameters.
|
102
|
+
*Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
|
94
103
|
|
95
|
-
|
104
|
+
* Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
|
96
105
|
|
97
|
-
|
106
|
+
After this change it's not possible anymore to configure routes like this:
|
98
107
|
|
99
|
-
Given:
|
100
108
|
```
|
101
|
-
|
102
|
-
|
109
|
+
routes.draw do
|
110
|
+
resources :users, param: 'name/:sneaky'
|
111
|
+
end
|
103
112
|
```
|
104
113
|
|
105
|
-
|
114
|
+
Fixes #30467.
|
106
115
|
|
107
|
-
*
|
116
|
+
*Josua Schmid*
|
108
117
|
|
109
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
110
|
-
`ActionController::TestCase` subclasses.
|
111
118
|
|
112
|
-
|
113
|
-
|
114
|
-
* Output only one Content-Security-Policy nonce header value per request.
|
119
|
+
## Rails 6.0.0.beta3 (March 11, 2019) ##
|
115
120
|
|
116
|
-
|
117
|
-
|
118
|
-
*Andrey Novikov*, *Andrew White*
|
119
|
-
|
120
|
-
* Only disable GPUs for headless Chrome on Windows.
|
121
|
-
|
122
|
-
It is not necessary anymore for Linux and macOS machines.
|
123
|
-
|
124
|
-
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
125
|
-
|
126
|
-
*Stefan Wrobel*
|
127
|
-
|
128
|
-
* Fix system tests transactions not closed between examples.
|
129
|
-
|
130
|
-
*Sergey Tarasov*
|
131
|
-
|
132
|
-
|
133
|
-
## Rails 5.2.0 (April 09, 2018) ##
|
134
|
-
|
135
|
-
* Check exclude before flagging cookies as secure.
|
136
|
-
|
137
|
-
*Catherine Khuu*
|
138
|
-
|
139
|
-
* Always yield a CSP policy instance from `content_security_policy`
|
140
|
-
|
141
|
-
This allows a controller action to enable the policy individually
|
142
|
-
for a controller and/or specific actions.
|
143
|
-
|
144
|
-
*Andrew White*
|
145
|
-
|
146
|
-
* Add the ability to disable the global CSP in a controller, e.g:
|
147
|
-
|
148
|
-
class LegacyPagesController < ApplicationController
|
149
|
-
content_security_policy false, only: :index
|
150
|
-
end
|
151
|
-
|
152
|
-
*Andrew White*
|
153
|
-
|
154
|
-
* Add alias method `to_hash` to `to_h` for `cookies`.
|
155
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
156
|
-
|
157
|
-
*Igor Kasyanchuk*
|
158
|
-
|
159
|
-
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
160
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
121
|
+
* No changes.
|
161
122
|
|
162
|
-
*Grant Bourque*
|
163
123
|
|
164
|
-
|
124
|
+
## Rails 6.0.0.beta2 (February 25, 2019) ##
|
165
125
|
|
166
|
-
|
167
|
-
normally requires the script-src attribute of the content security
|
168
|
-
policy to include 'unsafe-inline'.
|
126
|
+
* Make debug exceptions works in an environment where ActiveStorage is not loaded.
|
169
127
|
|
170
|
-
|
171
|
-
embedded in a meta tag in a similar fashion to how CSRF protection
|
172
|
-
embeds its token in a meta tag. The UJS library can then read the
|
173
|
-
nonce value and set it on the dynamically generated script tag to
|
174
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
128
|
+
*Tomoyuki Kurosawa*
|
175
129
|
|
176
|
-
|
177
|
-
|
178
|
-
an XSS vulnerability which can take advantage of the nonce. It is
|
179
|
-
however an improvement on a blanket permission for inline scripts.
|
130
|
+
* `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
|
131
|
+
to define specific browser capabilities.
|
180
132
|
|
181
|
-
|
182
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
133
|
+
*Edouard Chin*
|
183
134
|
|
184
|
-
<%= javascript_tag nonce: true do %>
|
185
|
-
alert('Hello, World!');
|
186
|
-
<% end %>
|
187
135
|
|
188
|
-
|
136
|
+
## Rails 6.0.0.beta1 (January 18, 2019) ##
|
189
137
|
|
190
|
-
|
138
|
+
* Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
|
191
139
|
|
192
|
-
*
|
140
|
+
*Rafael Mendonça França*
|
193
141
|
|
194
|
-
|
142
|
+
* Remove deprecated methods in `ActionDispatch::TestResponse`.
|
195
143
|
|
196
|
-
|
197
|
-
|
198
|
-
params.each do |name|
|
199
|
-
puts name
|
200
|
-
end
|
201
|
-
end
|
144
|
+
`#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
|
145
|
+
`#successful?`, `not_found?` and `server_error?`.
|
202
146
|
|
203
|
-
|
204
|
-
# param
|
205
|
-
# param_two
|
147
|
+
*Rafael Mendonça França*
|
206
148
|
|
207
|
-
|
149
|
+
* Introduce `ActionDispatch::HostAuthorization`.
|
208
150
|
|
209
|
-
|
151
|
+
This is a new middleware that guards against DNS rebinding attacks by
|
152
|
+
explicitly permitting the hosts a request can be made to.
|
210
153
|
|
211
|
-
|
212
|
-
|
213
|
-
params.each do |name, value|
|
214
|
-
puts name
|
215
|
-
end
|
216
|
-
end
|
154
|
+
Each host is checked with the case operator (`#===`) to support `Regexp`,
|
155
|
+
`Proc`, `IPAddr` and custom objects as host allowances.
|
217
156
|
|
218
|
-
|
219
|
-
# param
|
220
|
-
# param_two
|
157
|
+
*Genadi Samokovarov*
|
221
158
|
|
222
|
-
|
159
|
+
* Allow using `parsed_body` in `ActionController::TestCase`.
|
223
160
|
|
224
|
-
|
161
|
+
In addition to `ActionDispatch::IntegrationTest`, allow using
|
162
|
+
`parsed_body` in `ActionController::TestCase`:
|
225
163
|
|
226
|
-
|
164
|
+
```
|
165
|
+
class SomeControllerTest < ActionController::TestCase
|
166
|
+
def test_some_action
|
167
|
+
post :action, body: { foo: 'bar' }
|
168
|
+
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
169
|
+
end
|
170
|
+
end
|
171
|
+
```
|
227
172
|
|
228
|
-
|
229
|
-
user haven't specified manually another server.
|
173
|
+
Fixes #34676.
|
230
174
|
|
231
|
-
*
|
175
|
+
*Tobias Bühlmann*
|
232
176
|
|
233
|
-
*
|
234
|
-
default headers set.
|
177
|
+
* Raise an error on root route naming conflicts.
|
235
178
|
|
236
|
-
|
179
|
+
Raises an `ArgumentError` when multiple root routes are defined in the
|
180
|
+
same context instead of assigning nil names to subsequent roots.
|
237
181
|
|
238
|
-
*
|
182
|
+
*Gannon McGibbon*
|
239
183
|
|
240
|
-
|
184
|
+
* Allow rescue from parameter parse errors:
|
241
185
|
|
242
|
-
|
186
|
+
```
|
187
|
+
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
188
|
+
head :unauthorized
|
189
|
+
end
|
190
|
+
```
|
243
191
|
|
244
|
-
|
245
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
246
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
247
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
248
|
-
path, it dumps binary into the terminal.
|
192
|
+
*Gannon McGibbon*, *Josh Cheek*
|
249
193
|
|
250
|
-
|
194
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
251
195
|
|
252
|
-
|
196
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
197
|
+
in system test `after_teardown`.
|
253
198
|
|
254
|
-
*
|
199
|
+
*Maxim Perepelitsa*
|
255
200
|
|
256
|
-
|
201
|
+
* Use request object for context if there's no controller
|
257
202
|
|
258
|
-
|
203
|
+
There is no controller instance when using a redirect route or a
|
204
|
+
mounted rack application so pass the request object as the context
|
205
|
+
when resolving dynamic CSP sources in this scenario.
|
259
206
|
|
260
|
-
Fixes #
|
207
|
+
Fixes #34200.
|
261
208
|
|
262
209
|
*Andrew White*
|
263
210
|
|
264
|
-
*
|
265
|
-
|
266
|
-
The DSL allows you to configure a global Content-Security-Policy
|
267
|
-
header and then override within a controller. For more information
|
268
|
-
about the Content-Security-Policy header see MDN:
|
269
|
-
|
270
|
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
271
|
-
|
272
|
-
Example global policy:
|
273
|
-
|
274
|
-
# config/initializers/content_security_policy.rb
|
275
|
-
Rails.application.config.content_security_policy do |p|
|
276
|
-
p.default_src :self, :https
|
277
|
-
p.font_src :self, :https, :data
|
278
|
-
p.img_src :self, :https, :data
|
279
|
-
p.object_src :none
|
280
|
-
p.script_src :self, :https
|
281
|
-
p.style_src :self, :https, :unsafe_inline
|
282
|
-
end
|
283
|
-
|
284
|
-
Example controller overrides:
|
285
|
-
|
286
|
-
# Override policy inline
|
287
|
-
class PostsController < ApplicationController
|
288
|
-
content_security_policy do |p|
|
289
|
-
p.upgrade_insecure_requests true
|
290
|
-
end
|
291
|
-
end
|
211
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
292
212
|
|
293
|
-
|
294
|
-
|
295
|
-
content_security_policy do |p|
|
296
|
-
p.base_uri "https://www.example.com"
|
297
|
-
end
|
298
|
-
end
|
213
|
+
Previously if a dynamic source returned a symbol such as :self it
|
214
|
+
would be converted to a string implicitly, e.g:
|
299
215
|
|
300
|
-
|
301
|
-
class PostsController < ApplicationController
|
302
|
-
content_security_policy do |p|
|
303
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
304
|
-
end
|
305
|
-
end
|
216
|
+
policy.default_src -> { :self }
|
306
217
|
|
307
|
-
|
308
|
-
legacy content using the `content_security_policy_report_only`
|
309
|
-
configuration attribute, e.g;
|
218
|
+
would generate the header:
|
310
219
|
|
311
|
-
|
312
|
-
Rails.application.config.content_security_policy_report_only = true
|
220
|
+
Content-Security-Policy: default-src self
|
313
221
|
|
314
|
-
|
315
|
-
class PostsController < ApplicationController
|
316
|
-
content_security_policy_report_only only: :index
|
317
|
-
end
|
222
|
+
and now it generates:
|
318
223
|
|
319
|
-
|
320
|
-
reasons since the header is calculated at runtime.
|
224
|
+
Content-Security-Policy: default-src 'self'
|
321
225
|
|
322
226
|
*Andrew White*
|
323
227
|
|
324
|
-
*
|
325
|
-
|
326
|
-
*Yuichiro Kaneko*
|
327
|
-
|
328
|
-
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
329
|
-
|
330
|
-
*Rafael Mendonça França*
|
331
|
-
|
332
|
-
* Add `:allow_other_host` option to `redirect_back` method.
|
333
|
-
|
334
|
-
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
335
|
-
different host. `allow_other_host` is `true` by default.
|
336
|
-
|
337
|
-
*Tim Masliuchenko*
|
338
|
-
|
339
|
-
* Add headless chrome support to System Tests.
|
340
|
-
|
341
|
-
*Yuji Yaginuma*
|
342
|
-
|
343
|
-
* Add ability to enable Early Hints for HTTP/2
|
228
|
+
* Add `ActionController::Parameters#each_value`.
|
344
229
|
|
345
|
-
|
230
|
+
*Lukáš Zapletal*
|
346
231
|
|
347
|
-
|
232
|
+
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
|
348
233
|
|
349
|
-
*
|
350
|
-
|
351
|
-
* Simplify cookies middleware with key rotation support
|
234
|
+
*Yoshiyuki Kinjo*
|
352
235
|
|
353
|
-
|
354
|
-
`
|
355
|
-
|
356
|
-
|
236
|
+
* Encode Content-Disposition filenames on `send_data` and `send_file`.
|
237
|
+
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
238
|
+
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
239
|
+
garbled.
|
240
|
+
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
241
|
+
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
242
|
+
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
243
|
+
Most browsers can find filename correctly and old browsers fallback to ASCII
|
244
|
+
converted name.
|
357
245
|
|
358
|
-
*
|
246
|
+
*Fumiaki Matsushima*
|
359
247
|
|
360
|
-
*
|
248
|
+
* Expose `ActionController::Parameters#each_key` which allows iterating over
|
249
|
+
keys without allocating an array.
|
361
250
|
|
362
|
-
|
363
|
-
connection sharing and open request detection work correctly by default.
|
251
|
+
*Richard Schneeman*
|
364
252
|
|
365
|
-
|
253
|
+
* Purpose metadata for signed/encrypted cookies.
|
366
254
|
|
367
|
-
|
255
|
+
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
256
|
+
of a cookie and use it as the value of another cookie.
|
368
257
|
|
369
|
-
|
370
|
-
|
258
|
+
It does so by stashing the cookie-name in the purpose field which is
|
259
|
+
then signed/encrypted along with the cookie value. Then, on a server-side
|
260
|
+
read, we verify the cookie-names and discard any attacked cookies.
|
371
261
|
|
372
|
-
|
262
|
+
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
263
|
+
writes cookies with the new purpose and expiry metadata embedded.
|
373
264
|
|
374
265
|
*Assain Jaleel*
|
375
266
|
|
376
|
-
*
|
267
|
+
* Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
|
377
268
|
|
378
|
-
|
379
|
-
|
380
|
-
It does so by stashing the expiry within the written cookie and relying on the
|
381
|
-
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
382
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
383
|
-
|
384
|
-
Pull Request: #30121
|
385
|
-
|
386
|
-
*Assain Jaleel*
|
269
|
+
`respond_to` can match multiple types and lead to undefined behavior when
|
270
|
+
multiple invocations are made and the types do not match:
|
387
271
|
|
388
|
-
|
272
|
+
respond_to do |outer_type|
|
273
|
+
outer_type.js do
|
274
|
+
respond_to do |inner_type|
|
275
|
+
inner_type.html { render body: "HTML" }
|
276
|
+
end
|
277
|
+
end
|
278
|
+
end
|
389
279
|
|
390
|
-
|
280
|
+
*Patrick Toomey*
|
391
281
|
|
392
|
-
|
282
|
+
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
393
283
|
|
394
|
-
|
284
|
+
This allows uploaded file objects to be passed directly to `File.read`
|
285
|
+
without raising a `TypeError`:
|
395
286
|
|
396
|
-
|
397
|
-
|
398
|
-
use the response helpers provided by `Rack::Response`.
|
287
|
+
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
288
|
+
File.read(uploaded_file)
|
399
289
|
|
400
|
-
*
|
290
|
+
*Aaron Kromer*
|
401
291
|
|
402
|
-
*
|
292
|
+
* Pass along arguments to underlying `get` method in `follow_redirect!`
|
403
293
|
|
404
|
-
|
405
|
-
|
406
|
-
|
407
|
-
defaults to false to support older versions which have removed it from their
|
408
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
294
|
+
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
295
|
+
`get` method. This for example allows to set custom headers for the
|
296
|
+
redirection request to the server.
|
409
297
|
|
410
|
-
|
298
|
+
follow_redirect!(params: { foo: :bar })
|
411
299
|
|
412
|
-
*
|
300
|
+
*Remo Fritzsche*
|
413
301
|
|
414
|
-
|
302
|
+
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
415
303
|
|
416
|
-
|
304
|
+
Now instead of showing an error page that with exception and backtraces we now show only
|
305
|
+
one informative page.
|
417
306
|
|
418
|
-
|
419
|
-
`driven_by` will register the driver and set additional options passed via
|
420
|
-
the `:options` parameter.
|
307
|
+
*Vinicius Stock*
|
421
308
|
|
422
|
-
|
309
|
+
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
|
423
310
|
|
424
|
-
|
311
|
+
Exception aware plugin authors can use the newly introduced
|
312
|
+
`.register_interceptor` method to get the processed exception, instead of
|
313
|
+
monkey patching DebugExceptions.
|
425
314
|
|
426
|
-
|
315
|
+
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
316
|
+
HypoteticalPlugin.capture_exception(request, exception)
|
317
|
+
end
|
427
318
|
|
428
|
-
|
429
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
430
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
431
|
-
this new mode is enabled via the
|
432
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
319
|
+
*Genadi Samokovarov*
|
433
320
|
|
434
|
-
|
321
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
435
322
|
|
436
|
-
|
323
|
+
Fixes #32597.
|
437
324
|
|
438
|
-
|
439
|
-
^template path ^template tree digest ^class ^id
|
325
|
+
*Andrey Novikov*, *Andrew White*
|
440
326
|
|
441
|
-
|
327
|
+
* Move default headers configuration into their own module that can be included in controllers.
|
442
328
|
|
443
|
-
*
|
444
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
445
|
-
to support it.
|
329
|
+
*Kevin Deisz*
|
446
330
|
|
447
|
-
|
331
|
+
* Add method `dig` to `session`.
|
448
332
|
|
449
|
-
*
|
333
|
+
*claudiob*, *Takumi Shotoku*
|
450
334
|
|
451
|
-
|
452
|
-
|
453
|
-
may not exist in a certain implementation.
|
335
|
+
* Controller level `force_ssl` has been deprecated in favor of
|
336
|
+
`config.force_ssl`.
|
454
337
|
|
455
|
-
|
338
|
+
*Derek Prior*
|
456
339
|
|
457
|
-
|
340
|
+
* Rails 6 requires Ruby 2.5.0 or newer.
|
458
341
|
|
459
|
-
*
|
342
|
+
*Jeremy Daer*, *Kasper Timm Hansen*
|
460
343
|
|
461
344
|
|
462
|
-
Please check [5-
|
345
|
+
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|
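Review bot: the 6.0.2.1 entry for CVE-2019-16782 states that `ActionDispatch::Session::MemcacheStore` remains vulnerable until the dalli gem is updated as well, but names no dalli version, so an upgrade from 5.2.4 that follows this changelog alone can still run a vulnerable session store; the entry should point at the required dalli release or the advisory. Two smaller points: the removed side drops the 5.2.x entries (the `## Rails 5.2.0 (April 09, 2018)` section and the earlier headers that render blank here) and the new last line only links to 5-2-stable, so reviewers jumping from 5.2.4 need that branch's CHANGELOG for the intermediate changes; and the `rescue_from ActionDispatch::Http::Parameters::ParseError` example answers a malformed request body with `head :unauthorized`, where `head :bad_request` would be the accurate status to document. `HypoteticalPlugin` in the `register_interceptor` example and "its behavior is deprecate" in the `content_type` entry are typos in the added text.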