actionpack 5.2.6 → 6.1.4.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +327 -335
- data/MIT-LICENSE +1 -1
- data/README.rdoc +4 -3
- data/lib/abstract_controller/base.rb +38 -4
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +14 -2
- data/lib/abstract_controller/collector.rb +1 -2
- data/lib/abstract_controller/helpers.rb +106 -90
- data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +11 -5
- data/lib/abstract_controller.rb +1 -0
- data/lib/action_controller/api.rb +4 -3
- data/lib/action_controller/base.rb +6 -9
- data/lib/action_controller/caching.rb +1 -3
- data/lib/action_controller/log_subscriber.rb +10 -7
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +19 -5
- data/lib/action_controller/metal/content_security_policy.rb +1 -2
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +6 -7
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +4 -6
- data/lib/action_controller/metal/exceptions.rb +56 -2
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +14 -5
- data/lib/action_controller/metal/http_authentication.rb +24 -23
- data/lib/action_controller/metal/implicit_render.rb +5 -15
- data/lib/action_controller/metal/instrumentation.rb +13 -14
- data/lib/action_controller/metal/live.rb +39 -32
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +19 -4
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +32 -22
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +6 -6
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +8 -3
- data/lib/action_controller/metal/request_forgery_protection.rb +26 -49
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/streaming.rb +0 -1
- data/lib/action_controller/metal/strong_parameters.rb +167 -58
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/metal.rb +10 -8
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +37 -13
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +71 -63
- data/lib/action_controller.rb +7 -4
- data/lib/action_dispatch/http/cache.rb +31 -27
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +33 -19
- data/lib/action_dispatch/http/filter_parameters.rb +9 -8
- data/lib/action_dispatch/http/filter_redirect.rb +2 -3
- data/lib/action_dispatch/http/headers.rb +4 -4
- data/lib/action_dispatch/http/mime_negotiation.rb +26 -13
- data/lib/action_dispatch/http/mime_type.rb +43 -24
- data/lib/action_dispatch/http/parameters.rb +14 -23
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +45 -22
- data/lib/action_dispatch/http/response.rb +45 -25
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +82 -82
- data/lib/action_dispatch/journey/formatter.rb +55 -31
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -37
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -5
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +13 -11
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +19 -21
- data/lib/action_dispatch/journey/route.rb +10 -20
- data/lib/action_dispatch/journey/router/utils.rb +14 -12
- data/lib/action_dispatch/journey/router.rb +26 -34
- data/lib/action_dispatch/journey/routes.rb +0 -2
- data/lib/action_dispatch/journey/scanner.rb +10 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -4
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +128 -109
- data/lib/action_dispatch/middleware/debug_exceptions.rb +43 -66
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +66 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +75 -30
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +141 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -3
- data/lib/action_dispatch/middleware/remote_ip.rb +14 -16
- data/lib/action_dispatch/middleware/request_id.rb +5 -6
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -3
- data/lib/action_dispatch/middleware/session/cookie_store.rb +3 -9
- data/lib/action_dispatch/middleware/show_exceptions.rb +3 -2
- data/lib/action_dispatch/middleware/ssl.rb +20 -15
- data/lib/action_dispatch/middleware/stack.rb +56 -2
- data/lib/action_dispatch/middleware/static.rb +153 -93
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +6 -3
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -1
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +104 -8
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +24 -1
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +11 -10
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +100 -52
- data/lib/action_dispatch/routing/mapper.rb +155 -103
- data/lib/action_dispatch/routing/polymorphic_routes.rb +13 -15
- data/lib/action_dispatch/routing/redirection.rb +4 -4
- data/lib/action_dispatch/routing/route_set.rb +71 -69
- data/lib/action_dispatch/routing/url_for.rb +2 -2
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/system_test_case.rb +54 -11
- data/lib/action_dispatch/system_testing/browser.rb +53 -16
- data/lib/action_dispatch/system_testing/driver.rb +11 -3
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +49 -7
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +8 -10
- data/lib/action_dispatch/testing/assertion_response.rb +0 -1
- data/lib/action_dispatch/testing/assertions/response.rb +4 -7
- data/lib/action_dispatch/testing/assertions/routing.rb +20 -8
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +60 -28
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +29 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_dispatch.rb +9 -3
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack.rb +1 -1
- metadata +35 -23
- data/lib/action_controller/metal/force_ssl.rb +0 -99
- data/lib/action_dispatch/http/parameter_filter.rb +0 -86
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -49
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -120
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
data/CHANGELOG.md
CHANGED
@@ -1,550 +1,542 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.1.4.4 (December 15, 2021) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Fix issue with host protection not allowing host with port in development.
|
4
4
|
|
5
|
-
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
6
|
-
them difficult to deal with. For example, the common practice of sending
|
7
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
8
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
9
|
-
|
10
|
-
In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
|
11
|
-
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
12
|
-
tokens for backwards compatibility.
|
13
|
-
|
14
|
-
How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
|
15
|
-
config.
|
16
5
|
|
17
|
-
|
6
|
+
## Rails 6.1.4.3 (December 14, 2021) ##
|
18
7
|
|
19
|
-
|
20
|
-
`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
|
21
|
-
during the deploy of this new version.
|
8
|
+
* Fix issue with host protection not allowing localhost in development.
|
22
9
|
|
23
|
-
```ruby
|
24
|
-
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
25
|
-
```
|
26
|
-
|
27
|
-
If you are upgrading from 5.2.4.x, you don't need to change this configuration.
|
28
10
|
|
29
|
-
|
11
|
+
## Rails 6.1.4.2 (December 14, 2021) ##
|
30
12
|
|
13
|
+
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
31
14
|
|
32
|
-
## Rails
|
33
|
-
|
34
|
-
* No changes.
|
15
|
+
## Rails 6.1.4.1 (August 19, 2021) ##
|
35
16
|
|
17
|
+
* [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
|
36
18
|
|
37
|
-
|
19
|
+
Specially crafted "X-Forwarded-Host" headers in combination with certain
|
20
|
+
"allowed host" formats can cause the Host Authorization middleware in Action
|
21
|
+
Pack to redirect users to a malicious website.
|
38
22
|
|
39
|
-
|
40
|
-
CVE-2021-22904
|
23
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
41
24
|
|
42
|
-
*
|
25
|
+
* Ignore file fixtures on `db:fixtures:load`
|
43
26
|
|
44
|
-
|
45
|
-
of arguments (usually symbols and records). If a developer passes a
|
46
|
-
user input array, strings can result in unwanted route helper calls.
|
27
|
+
*Kevin Sjöberg*
|
47
28
|
|
48
|
-
|
29
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
49
30
|
|
50
|
-
*
|
31
|
+
*Dylan Thacker-Smith*
|
51
32
|
|
52
|
-
|
33
|
+
* Correctly place optional path parameter booleans.
|
53
34
|
|
54
|
-
|
35
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
36
|
+
of the path as parameter for example:
|
55
37
|
|
38
|
+
```
|
39
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
40
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
41
|
+
```
|
56
42
|
|
57
|
-
|
43
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
58
44
|
|
59
|
-
|
45
|
+
```
|
46
|
+
get '(this/:my_bool)/that' as: :that
|
60
47
|
|
48
|
+
that_path(my_bool: true) # => `/this/true/that`
|
49
|
+
that_path(my_bool: false) # => `/this/false/that`
|
50
|
+
```
|
61
51
|
|
62
|
-
|
52
|
+
*Adam Hess*
|
63
53
|
|
64
|
-
*
|
54
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
65
55
|
|
66
|
-
|
56
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
67
57
|
|
58
|
+
*Alex Smith*
|
68
59
|
|
69
|
-
## Rails 5.2.4.2 (March 19, 2020) ##
|
70
60
|
|
71
|
-
|
61
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
72
62
|
|
63
|
+
* Prevent open redirects by correctly escaping the host allow list
|
64
|
+
CVE-2021-22903
|
73
65
|
|
74
|
-
|
66
|
+
* Prevent catastrophic backtracking during mime parsing
|
67
|
+
CVE-2021-22902
|
75
68
|
|
76
|
-
*
|
69
|
+
* Prevent regex DoS in HTTP token authentication
|
70
|
+
CVE-2021-22904
|
77
71
|
|
78
|
-
|
79
|
-
gem dalli to be updated as well.
|
72
|
+
* Prevent string polymorphic route arguments.
|
80
73
|
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
74
|
+
`url_for` supports building polymorphic URLs via an array
|
75
|
+
of arguments (usually symbols and records). If a developer passes a
|
76
|
+
user input array, strings can result in unwanted route helper calls.
|
85
77
|
|
86
|
-
CVE-
|
78
|
+
CVE-2021-22885
|
87
79
|
|
80
|
+
*Gannon McGibbon*
|
88
81
|
|
89
|
-
## Rails
|
82
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
90
83
|
|
91
84
|
* No changes.
|
92
85
|
|
93
86
|
|
94
|
-
## Rails
|
87
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
95
88
|
|
96
|
-
*
|
89
|
+
* Re-define routes when not set correctly via inheritance.
|
97
90
|
|
98
|
-
|
99
|
-
it was excluded when `no-cache` was included. This change preserves the
|
100
|
-
`public` value as is.
|
91
|
+
*John Hawthorn*
|
101
92
|
|
102
|
-
Fixes #34780.
|
103
93
|
|
104
|
-
|
105
|
-
|
106
|
-
* Allow `nil` params for `ActionController::TestCase`.
|
94
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
107
95
|
|
108
|
-
|
96
|
+
* Prevent open redirect when allowed host starts with a dot
|
109
97
|
|
98
|
+
[CVE-2021-22881]
|
110
99
|
|
111
|
-
|
100
|
+
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
101
|
+
issue and the patch!
|
112
102
|
|
113
|
-
*
|
103
|
+
*Aaron Patterson*
|
114
104
|
|
115
105
|
|
116
|
-
## Rails
|
106
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
117
107
|
|
118
|
-
*
|
108
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
119
109
|
|
120
|
-
|
121
|
-
in system test `after_teardown`.
|
110
|
+
*Janko Marohnić*
|
122
111
|
|
123
|
-
|
112
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
124
113
|
|
125
|
-
*
|
114
|
+
*Eugene Kenny*
|
126
115
|
|
127
|
-
There is no controller instance when using a redirect route or a
|
128
|
-
mounted rack application so pass the request object as the context
|
129
|
-
when resolving dynamic CSP sources in this scenario.
|
130
116
|
|
131
|
-
|
117
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
132
118
|
|
133
|
-
|
119
|
+
* Fix nil translation key lookup in controllers/
|
134
120
|
|
135
|
-
*
|
121
|
+
*Jan Klimo*
|
136
122
|
|
137
|
-
|
138
|
-
would be converted to a string implicity, e.g:
|
123
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
139
124
|
|
140
|
-
|
125
|
+
*Alex Robbin*
|
141
126
|
|
142
|
-
|
127
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
143
128
|
|
144
|
-
|
129
|
+
*Alex Robbin*
|
145
130
|
|
146
|
-
and now it generates:
|
147
131
|
|
148
|
-
|
132
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
149
133
|
|
150
|
-
|
134
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
135
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
151
136
|
|
152
|
-
|
137
|
+
```ruby
|
138
|
+
Rails.application.config.permissions_policy do |p|
|
139
|
+
p.camera :none
|
140
|
+
p.gyroscope :none
|
141
|
+
p.microphone :none
|
142
|
+
p.usb :none
|
143
|
+
p.fullscreen :self
|
144
|
+
p.payment :self, "https://secure-example.com"
|
145
|
+
end
|
146
|
+
```
|
153
147
|
|
154
|
-
*
|
148
|
+
*Julien Grillot*
|
155
149
|
|
156
|
-
*
|
150
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
157
151
|
|
158
|
-
|
152
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
159
153
|
|
154
|
+
*Chris Bisnett*
|
160
155
|
|
161
|
-
|
156
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
157
|
+
the unique X-Request-Id header
|
162
158
|
|
163
|
-
*
|
159
|
+
*Arlston Fernandes*
|
164
160
|
|
161
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
165
162
|
|
166
|
-
|
163
|
+
*Rafael Mendonça França*
|
167
164
|
|
168
|
-
*
|
165
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
169
166
|
|
170
|
-
|
171
|
-
there are none.
|
167
|
+
*Rafael Mendonça França*
|
172
168
|
|
173
|
-
|
169
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
174
170
|
|
175
|
-
|
171
|
+
*Rafael Mendonça França*
|
176
172
|
|
177
|
-
|
173
|
+
* Added support for exclusive no-store Cache-Control header.
|
178
174
|
|
179
|
-
|
180
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
181
|
-
parameters.
|
175
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
182
176
|
|
183
|
-
*
|
177
|
+
*Chris Kruger*
|
184
178
|
|
185
|
-
*
|
179
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
186
180
|
|
187
|
-
|
188
|
-
|
189
|
-
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
190
|
-
params.permit!
|
191
|
-
```
|
181
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
182
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
192
183
|
|
193
|
-
|
184
|
+
*Adrianna Chang*
|
194
185
|
|
195
|
-
|
186
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
196
187
|
|
197
|
-
*
|
198
|
-
`ActionController::TestCase` subclasses.
|
188
|
+
*Gannon McGibbon*
|
199
189
|
|
200
|
-
|
190
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
201
191
|
|
202
|
-
*
|
192
|
+
*Alan Tan*, *Oz Ben-David*
|
203
193
|
|
204
|
-
|
194
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
195
|
+
a 308 redirection.
|
205
196
|
|
206
|
-
*
|
197
|
+
*Alan Tan*
|
207
198
|
|
208
|
-
*
|
199
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
200
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
209
201
|
|
210
|
-
|
202
|
+
*Jonathan Hefner*
|
211
203
|
|
212
|
-
|
204
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
213
205
|
|
214
|
-
|
206
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
207
|
+
Brotli files are preferred due to much better compression.
|
215
208
|
|
216
|
-
|
209
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
210
|
+
we check for public/some.js.br and serve that file, if present, with
|
211
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
217
212
|
|
218
|
-
*
|
213
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
219
214
|
|
215
|
+
* Add raise_on_missing_translations support for controllers.
|
220
216
|
|
221
|
-
|
217
|
+
This configuration determines whether an error should be raised for missing translations.
|
218
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
219
|
+
configuration also affects raising error for missing translations in views.
|
222
220
|
|
223
|
-
*
|
221
|
+
*fatkodima*
|
224
222
|
|
225
|
-
|
223
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
226
224
|
|
227
|
-
*
|
225
|
+
*Eugene Kenny*
|
228
226
|
|
229
|
-
|
230
|
-
|
227
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
228
|
+
without passing a block now returns an enumerator.
|
231
229
|
|
232
|
-
*
|
230
|
+
*Eugene Kenny*
|
233
231
|
|
234
|
-
*
|
232
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
235
233
|
|
236
|
-
|
237
|
-
|
238
|
-
end
|
234
|
+
Previously the path had to be relative to `fixture_path`.
|
235
|
+
You can change your existing code as follow:
|
239
236
|
|
240
|
-
|
237
|
+
```ruby
|
238
|
+
# Before
|
239
|
+
fixture_file_upload('files/dog.png')
|
241
240
|
|
242
|
-
|
243
|
-
|
241
|
+
# After
|
242
|
+
fixture_file_upload('dog.png')
|
243
|
+
```
|
244
244
|
|
245
|
-
*
|
245
|
+
*Edouard Chin*
|
246
246
|
|
247
|
-
*
|
248
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
247
|
+
* Remove deprecated `force_ssl` at the controller level.
|
249
248
|
|
250
|
-
*
|
249
|
+
*Rafael Mendonça França*
|
251
250
|
|
252
|
-
*
|
251
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
252
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
253
253
|
|
254
|
-
|
255
|
-
|
256
|
-
policy to include 'unsafe-inline'.
|
254
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
255
|
+
always pass a module object:
|
257
256
|
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
nonce value and set it on the dynamically generated script tag to
|
262
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
257
|
+
```ruby
|
258
|
+
helper UtilsHelper
|
259
|
+
```
|
263
260
|
|
264
|
-
|
265
|
-
|
266
|
-
|
267
|
-
however an improvement on a blanket permission for inline scripts.
|
261
|
+
which is recommended because it is simple and direct. When a string/symbol
|
262
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
263
|
+
that same module object.
|
268
264
|
|
269
|
-
|
270
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
265
|
+
*Xavier Noria*, *Jean Boussier*
|
271
266
|
|
272
|
-
|
273
|
-
alert('Hello, World!');
|
274
|
-
<% end %>
|
267
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
275
268
|
|
276
|
-
|
269
|
+
*Nick Soracco*
|
277
270
|
|
278
|
-
|
271
|
+
* `url_for` will now use "https://" as the default protocol when
|
272
|
+
`Rails.application.config.force_ssl` is set to true.
|
279
273
|
|
280
|
-
*
|
274
|
+
*Jonathan Hefner*
|
281
275
|
|
282
|
-
|
276
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
283
277
|
|
284
|
-
|
285
|
-
|
286
|
-
|
287
|
-
|
288
|
-
end
|
289
|
-
end
|
278
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
279
|
+
them difficult to deal with. For example, the common practice of sending
|
280
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
281
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
290
282
|
|
291
|
-
|
292
|
-
|
293
|
-
|
283
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
284
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
285
|
+
for backwards compatibility.
|
294
286
|
|
295
|
-
|
287
|
+
*Scott Blum*
|
296
288
|
|
297
|
-
|
289
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
298
290
|
|
299
|
-
|
300
|
-
|
301
|
-
|
302
|
-
puts name
|
303
|
-
end
|
304
|
-
end
|
291
|
+
In a distributed configuration like rolling update, users may observe
|
292
|
+
both old and new instances during deployment. Users may be served by a
|
293
|
+
new instance and then by an old instance.
|
305
294
|
|
306
|
-
|
307
|
-
|
308
|
-
|
295
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
296
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
297
|
+
from `false` to `true`, users may lose their sessions if they access the
|
298
|
+
server during deployment.
|
309
299
|
|
310
|
-
|
300
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
301
|
+
deployment, ensuring compatibility on both old and new instances.
|
311
302
|
|
312
|
-
*
|
303
|
+
*Masaki Hara*
|
313
304
|
|
314
|
-
|
305
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
315
306
|
|
316
|
-
|
317
|
-
|
307
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
308
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
318
309
|
|
319
|
-
*
|
310
|
+
*Keenan Brock*
|
320
311
|
|
321
|
-
*
|
322
|
-
default headers set.
|
312
|
+
* Fix possible information leak / session hijacking vulnerability.
|
323
313
|
|
324
|
-
|
314
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
315
|
+
gem dalli to be updated as well.
|
325
316
|
|
326
|
-
|
317
|
+
CVE-2019-16782.
|
327
318
|
|
328
|
-
|
319
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
329
320
|
|
330
|
-
|
321
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
322
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
323
|
+
from being correctly counted and reported.
|
331
324
|
|
332
|
-
|
333
|
-
|
334
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
335
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
336
|
-
path, it dumps binary into the terminal.
|
325
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
326
|
+
root session.
|
337
327
|
|
338
|
-
|
328
|
+
Fixes #32142.
|
339
329
|
|
340
|
-
*
|
330
|
+
*Sam Bostock*
|
341
331
|
|
342
|
-
*
|
332
|
+
* Add SameSite protection to every written cookie.
|
343
333
|
|
344
|
-
|
334
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
335
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
345
336
|
|
346
|
-
|
337
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
347
338
|
|
348
|
-
|
339
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
349
340
|
|
350
|
-
|
341
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
351
342
|
|
352
|
-
|
343
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
353
344
|
|
354
|
-
|
355
|
-
header and then override within a controller. For more information
|
356
|
-
about the Content-Security-Policy header see MDN:
|
345
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
357
346
|
|
358
|
-
|
347
|
+
*Cédric Fabianski*
|
359
348
|
|
360
|
-
|
349
|
+
* Bring back the feature that allows loading external route files from the router.
|
361
350
|
|
362
|
-
|
363
|
-
|
364
|
-
|
365
|
-
|
366
|
-
|
367
|
-
|
368
|
-
p.script_src :self, :https
|
369
|
-
p.style_src :self, :https, :unsafe_inline
|
370
|
-
end
|
351
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
352
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
353
|
+
that this wasn't fully the case and loading external route files from the router
|
354
|
+
can be helpful for applications with a really large set of routes.
|
355
|
+
Without this feature, application needs to implement routes reloading
|
356
|
+
themselves and it's not straightforward.
|
371
357
|
|
372
|
-
|
358
|
+
```ruby
|
359
|
+
# config/routes.rb
|
373
360
|
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
p.upgrade_insecure_requests true
|
378
|
-
end
|
379
|
-
end
|
361
|
+
Rails.application.routes.draw do
|
362
|
+
draw(:admin)
|
363
|
+
end
|
380
364
|
|
381
|
-
|
382
|
-
class PostsController < ApplicationController
|
383
|
-
content_security_policy do |p|
|
384
|
-
p.base_uri "https://www.example.com"
|
385
|
-
end
|
386
|
-
end
|
365
|
+
# config/routes/admin.rb
|
387
366
|
|
388
|
-
|
389
|
-
|
390
|
-
content_security_policy do |p|
|
391
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
392
|
-
end
|
393
|
-
end
|
367
|
+
get :foo, to: 'foo#bar'
|
368
|
+
```
|
394
369
|
|
395
|
-
|
396
|
-
legacy content using the `content_security_policy_report_only`
|
397
|
-
configuration attribute, e.g;
|
370
|
+
*Yehuda Katz*, *Edouard Chin*
|
398
371
|
|
399
|
-
|
400
|
-
Rails.application.config.content_security_policy_report_only = true
|
372
|
+
* Fix system test driver option initialization for non-headless browsers.
|
401
373
|
|
402
|
-
|
403
|
-
class PostsController < ApplicationController
|
404
|
-
content_security_policy_report_only only: :index
|
405
|
-
end
|
374
|
+
*glaszig*
|
406
375
|
|
407
|
-
|
408
|
-
|
376
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
377
|
+
their payloads as `:request`.
|
409
378
|
|
410
|
-
*
|
379
|
+
*Austin Story*
|
411
380
|
|
412
|
-
*
|
381
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
382
|
+
request format but based on the block given.
|
413
383
|
|
414
|
-
|
384
|
+
Example:
|
415
385
|
|
416
|
-
|
386
|
+
```ruby
|
387
|
+
def my_action
|
388
|
+
respond_to do |format|
|
389
|
+
format.any { render(json: { foo: 'bar' }) }
|
390
|
+
end
|
391
|
+
end
|
417
392
|
|
418
|
-
|
393
|
+
get('my_action.csv')
|
394
|
+
```
|
419
395
|
|
420
|
-
|
396
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
397
|
+
is inaccurate since a JSON response is being rendered.
|
421
398
|
|
422
|
-
|
423
|
-
different host. `allow_other_host` is `true` by default.
|
399
|
+
Now it correctly returns a `application/json` Content-Type.
|
424
400
|
|
425
|
-
*
|
401
|
+
*Edouard Chin*
|
426
402
|
|
427
|
-
*
|
403
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
428
404
|
|
429
|
-
|
405
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
406
|
+
nested directory, causing issues with `tmp:clear`.
|
430
407
|
|
431
|
-
*
|
408
|
+
*Damir Zekic*
|
432
409
|
|
433
|
-
|
410
|
+
* Add `params.member?` to mimic Hash behavior.
|
434
411
|
|
435
|
-
|
412
|
+
*Younes Serraj*
|
436
413
|
|
437
|
-
|
414
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
438
415
|
|
439
|
-
*
|
416
|
+
* `:request` - the `ActionDispatch::Request`
|
417
|
+
* `:response` - the `ActionDispatch::Response`
|
440
418
|
|
441
|
-
|
442
|
-
`MessageVerifier` to add key rotation support for encrypted and
|
443
|
-
signed cookies. This also helps simplify support for legacy cookie
|
444
|
-
security.
|
419
|
+
*George Claghorn*
|
445
420
|
|
446
|
-
|
421
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
422
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
423
|
+
from.
|
447
424
|
|
448
|
-
|
425
|
+
Fixes #37383.
|
449
426
|
|
450
|
-
|
451
|
-
connection sharing and open request detection work correctly by default.
|
427
|
+
*Norm Provost*
|
452
428
|
|
453
|
-
|
429
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
454
430
|
|
455
|
-
|
431
|
+
```ruby
|
432
|
+
# Use the debug level if a particular cookie is set.
|
433
|
+
class ApplicationController < ActionController::Base
|
434
|
+
log_at :debug, if: -> { cookies[:debug] }
|
435
|
+
end
|
436
|
+
```
|
456
437
|
|
457
|
-
|
458
|
-
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
438
|
+
*George Claghorn*
|
459
439
|
|
460
|
-
|
440
|
+
* Allow system test screen shots to be taken more than once in
|
441
|
+
a test by prefixing the file name with an incrementing counter.
|
461
442
|
|
462
|
-
|
443
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
444
|
+
enable saving of HTML during a screenshot in addition to the image.
|
445
|
+
This uses the same image name, with the extension replaced with `.html`
|
463
446
|
|
464
|
-
*
|
447
|
+
*Tom Fakes*
|
465
448
|
|
466
|
-
|
449
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
467
450
|
|
468
|
-
|
469
|
-
|
470
|
-
|
451
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
452
|
+
header to determine what to return. And if we don't add `Vary`
|
453
|
+
in the response header, browsers might accidentally cache different
|
454
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
455
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
456
|
+
in these types of requests. For more detailed problem description, please read:
|
471
457
|
|
472
|
-
|
458
|
+
https://github.com/rails/rails/pull/36213
|
473
459
|
|
474
|
-
|
460
|
+
Fixes #25842.
|
475
461
|
|
476
|
-
*
|
462
|
+
*Stan Lo*
|
477
463
|
|
478
|
-
|
464
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
465
|
+
a 307 redirection.
|
479
466
|
|
480
|
-
*
|
467
|
+
*Edouard Chin*
|
481
468
|
|
482
|
-
*
|
469
|
+
* System tests require Capybara 3.26 or newer.
|
483
470
|
|
484
|
-
|
485
|
-
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
486
|
-
use the response helpers provided by `Rack::Response`.
|
471
|
+
*George Claghorn*
|
487
472
|
|
488
|
-
|
473
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
489
474
|
|
490
|
-
*
|
475
|
+
*Alberto Fernández-Capel*
|
491
476
|
|
492
|
-
|
493
|
-
add it to `ActionController::Base` depending on
|
494
|
-
`config.action_controller.default_protect_from_forgery`. This configuration
|
495
|
-
defaults to false to support older versions which have removed it from their
|
496
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
477
|
+
* Add DSL for configuring HTTP Feature Policy.
|
497
478
|
|
498
|
-
|
479
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
480
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
481
|
+
specification and guidelines can be found at MDN:
|
499
482
|
|
500
|
-
|
483
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
501
484
|
|
502
|
-
|
485
|
+
Example global policy:
|
503
486
|
|
504
|
-
|
487
|
+
```ruby
|
488
|
+
Rails.application.config.feature_policy do |f|
|
489
|
+
f.camera :none
|
490
|
+
f.gyroscope :none
|
491
|
+
f.microphone :none
|
492
|
+
f.usb :none
|
493
|
+
f.fullscreen :self
|
494
|
+
f.payment :self, "https://secure.example.com"
|
495
|
+
end
|
496
|
+
```
|
505
497
|
|
506
|
-
|
507
|
-
`driven_by` will register the driver and set additional options passed via
|
508
|
-
the `:options` parameter.
|
498
|
+
Example controller level policy:
|
509
499
|
|
510
|
-
|
500
|
+
```ruby
|
501
|
+
class PagesController < ApplicationController
|
502
|
+
feature_policy do |p|
|
503
|
+
p.geolocation "https://example.com"
|
504
|
+
end
|
505
|
+
end
|
506
|
+
```
|
511
507
|
|
512
|
-
*
|
508
|
+
*Jacob Bednarz*
|
513
509
|
|
514
|
-
*
|
510
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
515
511
|
|
516
|
-
|
517
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
518
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
519
|
-
this new mode is enabled via the
|
520
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
512
|
+
Fixes #35137.
|
521
513
|
|
522
|
-
*
|
514
|
+
*Yuji Yaginuma*
|
523
515
|
|
524
|
-
*
|
516
|
+
* Keep part when scope option has value.
|
525
517
|
|
526
|
-
|
527
|
-
|
518
|
+
When a route was defined within an optional scope, if that route didn't
|
519
|
+
take parameters the scope was lost when using path helpers. This commit
|
520
|
+
ensures scope is kept both when the route takes parameters or when it
|
521
|
+
doesn't.
|
528
522
|
|
529
|
-
|
523
|
+
Fixes #33219.
|
530
524
|
|
531
|
-
*
|
532
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
533
|
-
to support it.
|
525
|
+
*Alberto Almagro*
|
534
526
|
|
535
|
-
|
527
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
536
528
|
|
537
|
-
*
|
529
|
+
*Gustavo Gutierrez*
|
538
530
|
|
539
|
-
|
540
|
-
|
541
|
-
may not exist in a certain implementation.
|
531
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
532
|
+
an enumerator for the parameters instead of the underlying hash.
|
542
533
|
|
543
|
-
|
534
|
+
*Eugene Kenny*
|
544
535
|
|
545
|
-
|
536
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
537
|
+
It should only block invalid key's values instead.
|
546
538
|
|
547
|
-
*
|
539
|
+
*Stan Lo*
|
548
540
|
|
549
541
|
|
550
|
-
Please check [
|
542
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|