actionpack 5.2.7.1 → 6.0.0.beta1
Potentially problematic release.
This version of actionpack might be problematic.
- checksums.yaml +4 -4
- data/CHANGELOG.md +109 -472
- data/MIT-LICENSE +1 -1
- data/README.rdoc +1 -1
- data/lib/abstract_controller/base.rb +4 -2
- data/lib/abstract_controller/caching/fragments.rb +6 -21
- data/lib/abstract_controller/callbacks.rb +12 -0
- data/lib/abstract_controller/collector.rb +1 -1
- data/lib/abstract_controller/helpers.rb +2 -2
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
- data/lib/action_controller/api.rb +2 -1
- data/lib/action_controller/base.rb +2 -7
- data/lib/action_controller/caching.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +8 -5
- data/lib/action_controller/metal/conditional_get.rb +9 -3
- data/lib/action_controller/metal/data_streaming.rb +5 -6
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/exceptions.rb +22 -1
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/force_ssl.rb +17 -57
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +1 -2
- data/lib/action_controller/metal/http_authentication.rb +21 -22
- data/lib/action_controller/metal/implicit_render.rb +2 -12
- data/lib/action_controller/metal/instrumentation.rb +3 -5
- data/lib/action_controller/metal/live.rb +28 -26
- data/lib/action_controller/metal/mime_responds.rb +13 -2
- data/lib/action_controller/metal/params_wrapper.rb +18 -14
- data/lib/action_controller/metal/redirecting.rb +32 -11
- data/lib/action_controller/metal/rendering.rb +1 -1
- data/lib/action_controller/metal/request_forgery_protection.rb +32 -97
- data/lib/action_controller/metal/strong_parameters.rb +57 -34
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +15 -2
- data/lib/action_controller/test_case.rb +5 -9
- data/lib/action_controller.rb +1 -0
- data/lib/action_dispatch/http/cache.rb +14 -10
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +17 -8
- data/lib/action_dispatch/http/filter_parameters.rb +8 -6
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +7 -10
- data/lib/action_dispatch/http/mime_type.rb +1 -5
- data/lib/action_dispatch/http/parameter_filter.rb +5 -79
- data/lib/action_dispatch/http/parameters.rb +13 -3
- data/lib/action_dispatch/http/request.rb +10 -13
- data/lib/action_dispatch/http/response.rb +14 -14
- data/lib/action_dispatch/http/upload.rb +5 -0
- data/lib/action_dispatch/http/url.rb +81 -81
- data/lib/action_dispatch/journey/formatter.rb +1 -1
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
- data/lib/action_dispatch/journey/nodes/node.rb +9 -8
- data/lib/action_dispatch/journey/path/pattern.rb +3 -4
- data/lib/action_dispatch/journey/router/utils.rb +10 -10
- data/lib/action_dispatch/journey/router.rb +0 -3
- data/lib/action_dispatch/journey/scanner.rb +11 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +49 -70
- data/lib/action_dispatch/middleware/debug_exceptions.rb +32 -58
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +50 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +36 -7
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
- data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
- data/lib/action_dispatch/middleware/request_id.rb +2 -2
- data/lib/action_dispatch/middleware/session/abstract_store.rb +0 -14
- data/lib/action_dispatch/middleware/session/cache_store.rb +6 -11
- data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -27
- data/lib/action_dispatch/middleware/ssl.rb +8 -8
- data/lib/action_dispatch/middleware/stack.rb +2 -2
- data/lib/action_dispatch/middleware/static.rb +5 -6
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +20 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
- data/lib/action_dispatch/railtie.rb +1 -0
- data/lib/action_dispatch/request/session.rb +8 -6
- data/lib/action_dispatch/routing/inspector.rb +99 -50
- data/lib/action_dispatch/routing/mapper.rb +36 -29
- data/lib/action_dispatch/routing/polymorphic_routes.rb +7 -12
- data/lib/action_dispatch/routing/route_set.rb +11 -12
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/routing.rb +3 -2
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +3 -3
- data/lib/action_dispatch/testing/assertions/response.rb +2 -3
- data/lib/action_dispatch/testing/assertions/routing.rb +7 -2
- data/lib/action_dispatch/testing/integration.rb +11 -5
- data/lib/action_dispatch/testing/test_process.rb +2 -2
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_dispatch.rb +7 -6
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack.rb +1 -1
- metadata +25 -23
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: df5b083c08009f1025bfbf541400a4819b5620f5bb49aa3d4bbe0c056eae44b3
|
4
|
+
data.tar.gz: '0374579e1273c1d727e0bc94d7a73b3933d8c0f54e7196beedc61ea30d88209f'
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: cb0e467dc8c10baa42df2d08d79b2f5caedad996d247523abf54713a542f6d49a01f120ca0b0faa6930ea89592bfe074979201adec97d33135a5877391a5d4bb
|
7
|
+
data.tar.gz: dee5cf35ce9af7e795d65bb2a44d5edb229439f5fbde0dde1c35e8d3cf2564c49ddf929a9d5499b3aa6248c42cf6f61ca2c75c85a623ba51f1dd6106750d3267
|
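Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines carry no digest values in this view, so the 5.2.7.1 checksums cannot be compared against the new ones from the hunk alone; before accepting the bump, confirm the new SHA256 and SHA512 values for metadata.gz and data.tar.gz against the digests published for actionpack 6.0.0.beta1, since a checksum-only hunk is exactly where a substituted package would show up.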
data/CHANGELOG.md
CHANGED
@@ -1,148 +1,66 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.0.0.beta1 (January 18, 2019) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
|
4
4
|
|
5
|
-
*
|
6
|
-
|
7
|
-
## Rails 5.2.7 (March 10, 2022) ##
|
8
|
-
|
9
|
-
* No changes.
|
10
|
-
|
11
|
-
## Rails 5.2.6.3 (March 08, 2022) ##
|
12
|
-
|
13
|
-
* No changes.
|
14
|
-
|
15
|
-
|
16
|
-
## Rails 5.2.6.2 (February 11, 2022) ##
|
17
|
-
|
18
|
-
* No changes.
|
5
|
+
*Rafael Mendonça França*
|
19
6
|
|
7
|
+
* Remove deprecated methods in `ActionDispatch::TestResponse`.
|
20
8
|
|
21
|
-
|
9
|
+
`#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
|
10
|
+
`#successful?`, `not_found?` and `server_error?`.
|
22
11
|
|
23
|
-
*
|
24
|
-
response body has been fully closed which result in request state not
|
25
|
-
being fully reset before the next request
|
12
|
+
*Rafael Mendonça França*
|
26
13
|
|
27
|
-
|
14
|
+
* Ensure external redirects are explicitly allowed
|
28
15
|
|
16
|
+
Add `fallback_location` and `allow_other_host` options to `redirect_to`.
|
29
17
|
|
30
|
-
|
18
|
+
*Gannon McGibbon*
|
31
19
|
|
32
|
-
*
|
20
|
+
* Introduce ActionDispatch::HostAuthorization
|
33
21
|
|
34
|
-
|
35
|
-
|
36
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
37
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
22
|
+
This is a new middleware that guards against DNS rebinding attacks by
|
23
|
+
white-listing the allowed hosts a request can be made to.
|
38
24
|
|
39
|
-
|
40
|
-
|
41
|
-
tokens for backwards compatibility.
|
25
|
+
Each host is checked with the case operator (`#===`) to support `RegExp`,
|
26
|
+
`Proc`, `IPAddr` and custom objects as host allowances.
|
42
27
|
|
43
|
-
|
44
|
-
config.
|
28
|
+
*Genadi Samokovarov*
|
45
29
|
|
46
|
-
|
30
|
+
* Allow using `parsed_body` in `ActionController::TestCase`.
|
47
31
|
|
48
|
-
|
49
|
-
`
|
50
|
-
during the deploy of this new version.
|
32
|
+
In addition to `ActionDispatch::IntegrationTest`, allow using
|
33
|
+
`parsed_body` in `ActionController::TestCase`:
|
51
34
|
|
52
|
-
```
|
53
|
-
|
35
|
+
```
|
36
|
+
class SomeControllerTest < ActionController::TestCase
|
37
|
+
def test_some_action
|
38
|
+
post :action, body: { foo: 'bar' }
|
39
|
+
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
40
|
+
end
|
41
|
+
end
|
54
42
|
```
|
55
43
|
|
56
|
-
|
57
|
-
|
58
|
-
*Scott Blum*, *Étienne Barrié*
|
59
|
-
|
60
|
-
|
61
|
-
## Rails 5.2.5 (March 26, 2021) ##
|
62
|
-
|
63
|
-
* No changes.
|
64
|
-
|
65
|
-
|
66
|
-
## Rails 5.2.4.6 (May 05, 2021) ##
|
67
|
-
|
68
|
-
* Prevent regex DoS in HTTP token authentication
|
69
|
-
CVE-2021-22904
|
44
|
+
Fixes #34676.
|
70
45
|
|
71
|
-
*
|
46
|
+
*Tobias Bühlmann*
|
72
47
|
|
73
|
-
|
74
|
-
of arguments (usually symbols and records). If a developer passes a
|
75
|
-
user input array, strings can result in unwanted route helper calls.
|
48
|
+
* Raise an error on root route naming conflicts.
|
76
49
|
|
77
|
-
|
50
|
+
Raises an ArgumentError when multiple root routes are defined in the
|
51
|
+
same context instead of assigning nil names to subsequent roots.
|
78
52
|
|
79
53
|
*Gannon McGibbon*
|
80
54
|
|
81
|
-
|
82
|
-
|
83
|
-
* No changes.
|
84
|
-
|
85
|
-
|
86
|
-
## Rails 5.2.4.4 (September 09, 2020) ##
|
87
|
-
|
88
|
-
* No changes.
|
89
|
-
|
90
|
-
|
91
|
-
## Rails 5.2.4.3 (May 18, 2020) ##
|
92
|
-
|
93
|
-
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
94
|
-
|
95
|
-
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
96
|
-
|
97
|
-
|
98
|
-
## Rails 5.2.4.2 (March 19, 2020) ##
|
99
|
-
|
100
|
-
* No changes.
|
101
|
-
|
102
|
-
|
103
|
-
## Rails 5.2.4.1 (December 18, 2019) ##
|
104
|
-
|
105
|
-
* Fix possible information leak / session hijacking vulnerability.
|
106
|
-
|
107
|
-
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
108
|
-
gem dalli to be updated as well.
|
109
|
-
|
110
|
-
_Breaking changes:_
|
111
|
-
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
112
|
-
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
113
|
-
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
114
|
-
|
115
|
-
CVE-2019-16782.
|
116
|
-
|
117
|
-
|
118
|
-
## Rails 5.2.4 (November 27, 2019) ##
|
119
|
-
|
120
|
-
* No changes.
|
121
|
-
|
122
|
-
|
123
|
-
## Rails 5.2.3 (March 27, 2019) ##
|
124
|
-
|
125
|
-
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
126
|
-
|
127
|
-
Before this change, even if `public` was specified in the Cache Control header,
|
128
|
-
it was excluded when `no-cache` was included. This change preserves the
|
129
|
-
`public` value as is.
|
130
|
-
|
131
|
-
Fixes #34780.
|
132
|
-
|
133
|
-
*Yuji Yaginuma*
|
134
|
-
|
135
|
-
* Allow `nil` params for `ActionController::TestCase`.
|
136
|
-
|
137
|
-
*Ryo Nakamura*
|
138
|
-
|
139
|
-
|
140
|
-
## Rails 5.2.2.1 (March 11, 2019) ##
|
141
|
-
|
142
|
-
* No changes.
|
55
|
+
* Allow rescue from parameter parse errors:
|
143
56
|
|
57
|
+
```
|
58
|
+
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
59
|
+
head :unauthorized
|
60
|
+
end
|
61
|
+
```
|
144
62
|
|
145
|
-
|
63
|
+
*Gannon McGibbon*, *Josh Cheek*
|
146
64
|
|
147
65
|
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
148
66
|
|
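Review bot: this hunk removes the 5.2.x security entries (CVE-2021-22904, the regex DoS in HTTP token authentication; CVE-2020-8166 and CVE-2020-8164 from 5.2.4.3; the CVE-2019-16782 session-id fix from 5.2.4.1) and replaces the header with `## Rails 6.0.0.beta1 (January 18, 2019) ##`, which predates every one of those fixes, so by the changelog alone moving from 5.2.7.1 to this beta drops those fixes rather than building on them and should be treated as a patch-level downgrade until a 6.0.x release that contains them is targeted. A smaller point on the added `rescue_from ActionDispatch::Http::Parameters::ParseError` example: it answers a malformed request body with `head :unauthorized`, and a 400-class status would describe that failure more accurately than 401.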
@@ -178,402 +96,121 @@
|
|
178
96
|
|
179
97
|
*Andrew White*
|
180
98
|
|
181
|
-
*
|
182
|
-
|
183
|
-
*Yoshiyuki Kinjo*
|
184
|
-
|
185
|
-
* Call the `#redirect_to` block in controller context.
|
186
|
-
|
187
|
-
*Steven Peckins*
|
188
|
-
|
189
|
-
|
190
|
-
## Rails 5.2.1.1 (November 27, 2018) ##
|
191
|
-
|
192
|
-
* No changes.
|
193
|
-
|
194
|
-
|
195
|
-
## Rails 5.2.1 (August 07, 2018) ##
|
196
|
-
|
197
|
-
* Prevent `?null=` being passed on JSON encoded test requests.
|
198
|
-
|
199
|
-
`RequestEncoder#encode_params` won't attempt to parse params if
|
200
|
-
there are none.
|
201
|
-
|
202
|
-
So call like this will no longer append a `?null=` query param.
|
203
|
-
|
204
|
-
get foos_url, as: :json
|
205
|
-
|
206
|
-
*Alireza Bashiri*
|
207
|
-
|
208
|
-
* Ensure `ActionController::Parameters#transform_values` and
|
209
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
210
|
-
parameters.
|
211
|
-
|
212
|
-
*Kevin Sjöberg*
|
213
|
-
|
214
|
-
* Fix strong parameters `permit!` with nested arrays.
|
215
|
-
|
216
|
-
Given:
|
217
|
-
```
|
218
|
-
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
219
|
-
params.permit!
|
220
|
-
```
|
221
|
-
|
222
|
-
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
223
|
-
|
224
|
-
*Steve Hull*
|
225
|
-
|
226
|
-
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
227
|
-
`ActionController::TestCase` subclasses.
|
228
|
-
|
229
|
-
*Eugene Kenny*
|
230
|
-
|
231
|
-
* Output only one Content-Security-Policy nonce header value per request.
|
232
|
-
|
233
|
-
Fixes #32597.
|
234
|
-
|
235
|
-
*Andrey Novikov*, *Andrew White*
|
236
|
-
|
237
|
-
* Only disable GPUs for headless Chrome on Windows.
|
238
|
-
|
239
|
-
It is not necessary anymore for Linux and macOS machines.
|
240
|
-
|
241
|
-
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
242
|
-
|
243
|
-
*Stefan Wrobel*
|
244
|
-
|
245
|
-
* Fix system tests transactions not closed between examples.
|
246
|
-
|
247
|
-
*Sergey Tarasov*
|
248
|
-
|
249
|
-
|
250
|
-
## Rails 5.2.0 (April 09, 2018) ##
|
251
|
-
|
252
|
-
* Check exclude before flagging cookies as secure.
|
253
|
-
|
254
|
-
*Catherine Khuu*
|
255
|
-
|
256
|
-
* Always yield a CSP policy instance from `content_security_policy`
|
257
|
-
|
258
|
-
This allows a controller action to enable the policy individually
|
259
|
-
for a controller and/or specific actions.
|
260
|
-
|
261
|
-
*Andrew White*
|
262
|
-
|
263
|
-
* Add the ability to disable the global CSP in a controller, e.g:
|
264
|
-
|
265
|
-
class LegacyPagesController < ApplicationController
|
266
|
-
content_security_policy false, only: :index
|
267
|
-
end
|
268
|
-
|
269
|
-
*Andrew White*
|
270
|
-
|
271
|
-
* Add alias method `to_hash` to `to_h` for `cookies`.
|
272
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
273
|
-
|
274
|
-
*Igor Kasyanchuk*
|
99
|
+
* Add `ActionController::Parameters#each_value`.
|
275
100
|
|
276
|
-
*
|
277
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
101
|
+
*Lukáš Zapletal*
|
278
102
|
|
279
|
-
|
103
|
+
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
|
280
104
|
|
281
|
-
*
|
282
|
-
|
283
|
-
Because the UJS library creates a script tag to process responses it
|
284
|
-
normally requires the script-src attribute of the content security
|
285
|
-
policy to include 'unsafe-inline'.
|
286
|
-
|
287
|
-
To work around this we generate a per-request nonce value that is
|
288
|
-
embedded in a meta tag in a similar fashion to how CSRF protection
|
289
|
-
embeds its token in a meta tag. The UJS library can then read the
|
290
|
-
nonce value and set it on the dynamically generated script tag to
|
291
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
105
|
+
*Yoshiyuki Kinjo*
|
292
106
|
|
293
|
-
|
294
|
-
|
295
|
-
|
296
|
-
|
107
|
+
* Encode Content-Disposition filenames on `send_data` and `send_file`.
|
108
|
+
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
109
|
+
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
110
|
+
garbled.
|
111
|
+
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
112
|
+
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
113
|
+
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
114
|
+
Most browsers can find filename correctly and old browsers fallback to ASCII
|
115
|
+
converted name.
|
297
116
|
|
298
|
-
|
299
|
-
using `nonce: true` to set the nonce value on the tag, e.g
|
117
|
+
*Fumiaki Matsushima*
|
300
118
|
|
301
|
-
|
302
|
-
|
303
|
-
<% end %>
|
119
|
+
* Expose `ActionController::Parameters#each_key` which allows iterating over
|
120
|
+
keys without allocating an array.
|
304
121
|
|
305
|
-
|
122
|
+
*Richard Schneeman*
|
306
123
|
|
307
|
-
|
124
|
+
* Purpose metadata for signed/encrypted cookies.
|
308
125
|
|
309
|
-
|
126
|
+
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
127
|
+
of a cookie and use it as the value of another cookie.
|
310
128
|
|
311
|
-
|
129
|
+
It does so by stashing the cookie-name in the purpose field which is
|
130
|
+
then signed/encrypted along with the cookie value. Then, on a server-side
|
131
|
+
read, we verify the cookie-names and discard any attacked cookies.
|
312
132
|
|
313
|
-
|
314
|
-
|
315
|
-
params.each do |name|
|
316
|
-
puts name
|
317
|
-
end
|
318
|
-
end
|
133
|
+
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
134
|
+
writes cookies with the new purpose and expiry metadata embedded.
|
319
135
|
|
320
|
-
|
321
|
-
# param
|
322
|
-
# param_two
|
136
|
+
*Assain Jaleel*
|
323
137
|
|
324
|
-
|
138
|
+
* Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
|
325
139
|
|
326
|
-
|
140
|
+
`respond_to` can match multiple types and lead to undefined behavior when
|
141
|
+
multiple invocations are made and the types do not match:
|
327
142
|
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
|
143
|
+
respond_to do |outer_type|
|
144
|
+
outer_type.js do
|
145
|
+
respond_to do |inner_type|
|
146
|
+
inner_type.html { render body: "HTML" }
|
147
|
+
end
|
332
148
|
end
|
333
149
|
end
|
334
150
|
|
335
|
-
|
336
|
-
# param
|
337
|
-
# param_two
|
338
|
-
|
339
|
-
*Dominic Cleal*
|
340
|
-
|
341
|
-
* Add `Referrer-Policy` header to default headers set.
|
151
|
+
*Patrick Toomey*
|
342
152
|
|
343
|
-
|
153
|
+
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
344
154
|
|
345
|
-
|
346
|
-
|
155
|
+
This allows uploaded file objects to be passed directly to `File.read`
|
156
|
+
without raising a `TypeError`:
|
347
157
|
|
348
|
-
|
158
|
+
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
159
|
+
File.read(uploaded_file)
|
349
160
|
|
350
|
-
*
|
351
|
-
default headers set.
|
161
|
+
*Aaron Kromer*
|
352
162
|
|
353
|
-
|
163
|
+
* Pass along arguments to underlying `get` method in `follow_redirect!`.
|
354
164
|
|
355
|
-
|
165
|
+
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
166
|
+
`get` method. This for example allows to set custom headers for the
|
167
|
+
redirection request to the server.
|
356
168
|
|
357
|
-
|
169
|
+
follow_redirect!(params: { foo: :bar })
|
358
170
|
|
359
|
-
*
|
171
|
+
*Remo Fritzsche*
|
360
172
|
|
361
|
-
|
362
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
363
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
364
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
365
|
-
path, it dumps binary into the terminal.
|
173
|
+
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
366
174
|
|
367
|
-
|
175
|
+
Now instead of showing an error page that with exception and backtraces we now show only
|
176
|
+
one informative page.
|
368
177
|
|
369
|
-
*
|
370
|
-
|
371
|
-
* Register most popular audio/video/font mime types supported by modern browsers.
|
372
|
-
|
373
|
-
*Guillermo Iguaran*
|
374
|
-
|
375
|
-
* Fix optimized url helpers when using relative url root.
|
376
|
-
|
377
|
-
Fixes #31220.
|
378
|
-
|
379
|
-
*Andrew White*
|
178
|
+
*Vinicius Stock*
|
380
179
|
|
381
|
-
*
|
180
|
+
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
|
382
181
|
|
383
|
-
|
384
|
-
|
385
|
-
|
182
|
+
Exception aware plugin authors can use the newly introduced
|
183
|
+
`.register_interceptor` method to get the processed exception, instead of
|
184
|
+
monkey patching DebugExceptions.
|
386
185
|
|
387
|
-
|
388
|
-
|
389
|
-
Example global policy:
|
390
|
-
|
391
|
-
# config/initializers/content_security_policy.rb
|
392
|
-
Rails.application.config.content_security_policy do |p|
|
393
|
-
p.default_src :self, :https
|
394
|
-
p.font_src :self, :https, :data
|
395
|
-
p.img_src :self, :https, :data
|
396
|
-
p.object_src :none
|
397
|
-
p.script_src :self, :https
|
398
|
-
p.style_src :self, :https, :unsafe_inline
|
399
|
-
end
|
400
|
-
|
401
|
-
Example controller overrides:
|
402
|
-
|
403
|
-
# Override policy inline
|
404
|
-
class PostsController < ApplicationController
|
405
|
-
content_security_policy do |p|
|
406
|
-
p.upgrade_insecure_requests true
|
407
|
-
end
|
408
|
-
end
|
409
|
-
|
410
|
-
# Using literal values
|
411
|
-
class PostsController < ApplicationController
|
412
|
-
content_security_policy do |p|
|
413
|
-
p.base_uri "https://www.example.com"
|
414
|
-
end
|
415
|
-
end
|
416
|
-
|
417
|
-
# Using mixed static and dynamic values
|
418
|
-
class PostsController < ApplicationController
|
419
|
-
content_security_policy do |p|
|
420
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
421
|
-
end
|
186
|
+
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
187
|
+
HypoteticalPlugin.capture_exception(request, exception)
|
422
188
|
end
|
423
189
|
|
424
|
-
|
425
|
-
legacy content using the `content_security_policy_report_only`
|
426
|
-
configuration attribute, e.g;
|
427
|
-
|
428
|
-
# config/initializers/content_security_policy.rb
|
429
|
-
Rails.application.config.content_security_policy_report_only = true
|
430
|
-
|
431
|
-
# controller override
|
432
|
-
class PostsController < ApplicationController
|
433
|
-
content_security_policy_report_only only: :index
|
434
|
-
end
|
435
|
-
|
436
|
-
Note that this feature does not validate the header for performance
|
437
|
-
reasons since the header is calculated at runtime.
|
438
|
-
|
439
|
-
*Andrew White*
|
440
|
-
|
441
|
-
* Make `assert_recognizes` to traverse mounted engines.
|
442
|
-
|
443
|
-
*Yuichiro Kaneko*
|
444
|
-
|
445
|
-
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
446
|
-
|
447
|
-
*Rafael Mendonça França*
|
190
|
+
*Genadi Samokovarov*
|
448
191
|
|
449
|
-
*
|
450
|
-
|
451
|
-
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
452
|
-
different host. `allow_other_host` is `true` by default.
|
453
|
-
|
454
|
-
*Tim Masliuchenko*
|
455
|
-
|
456
|
-
* Add headless chrome support to System Tests.
|
457
|
-
|
458
|
-
*Yuji Yaginuma*
|
459
|
-
|
460
|
-
* Add ability to enable Early Hints for HTTP/2
|
461
|
-
|
462
|
-
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
463
|
-
|
464
|
-
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
465
|
-
|
466
|
-
*Eileen M. Uchitelle*, *Aaron Patterson*
|
467
|
-
|
468
|
-
* Simplify cookies middleware with key rotation support
|
469
|
-
|
470
|
-
Use the `rotate` method for both `MessageEncryptor` and
|
471
|
-
`MessageVerifier` to add key rotation support for encrypted and
|
472
|
-
signed cookies. This also helps simplify support for legacy cookie
|
473
|
-
security.
|
474
|
-
|
475
|
-
*Michael J Coyne*
|
476
|
-
|
477
|
-
* Use Capybara registered `:puma` server config.
|
478
|
-
|
479
|
-
The Capybara registered `:puma` server ensures the puma server is run in process so
|
480
|
-
connection sharing and open request detection work correctly by default.
|
481
|
-
|
482
|
-
*Thomas Walpole*
|
483
|
-
|
484
|
-
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
485
|
-
|
486
|
-
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
487
|
-
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
488
|
-
|
489
|
-
Pull Request: #30121
|
490
|
-
|
491
|
-
*Assain Jaleel*
|
492
|
-
|
493
|
-
* Enforce signed/encrypted cookie expiry server side.
|
494
|
-
|
495
|
-
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
496
|
-
|
497
|
-
It does so by stashing the expiry within the written cookie and relying on the
|
498
|
-
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
499
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
500
|
-
|
501
|
-
Pull Request: #30121
|
502
|
-
|
503
|
-
*Assain Jaleel*
|
504
|
-
|
505
|
-
* Make `take_failed_screenshot` work within engine.
|
506
|
-
|
507
|
-
Fixes #30405.
|
508
|
-
|
509
|
-
*Yuji Yaginuma*
|
510
|
-
|
511
|
-
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
512
|
-
|
513
|
-
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
514
|
-
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
515
|
-
use the response helpers provided by `Rack::Response`.
|
516
|
-
|
517
|
-
*Trevor Wistaff*
|
518
|
-
|
519
|
-
* Protect from forgery by default
|
520
|
-
|
521
|
-
Rather than protecting from forgery in the generated `ApplicationController`,
|
522
|
-
add it to `ActionController::Base` depending on
|
523
|
-
`config.action_controller.default_protect_from_forgery`. This configuration
|
524
|
-
defaults to false to support older versions which have removed it from their
|
525
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
526
|
-
|
527
|
-
*Lisa Ugray*
|
528
|
-
|
529
|
-
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
530
|
-
|
531
|
-
*Kir Shatrov*
|
532
|
-
|
533
|
-
* `driven_by` now registers poltergeist and capybara-webkit.
|
534
|
-
|
535
|
-
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
536
|
-
`driven_by` will register the driver and set additional options passed via
|
537
|
-
the `:options` parameter.
|
538
|
-
|
539
|
-
Refer to the respective driver's documentation to see what options can be passed.
|
540
|
-
|
541
|
-
*Mario Chavez*
|
542
|
-
|
543
|
-
* AEAD encrypted cookies and sessions with GCM.
|
544
|
-
|
545
|
-
Encrypted cookies now use AES-GCM which couples authentication and
|
546
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
547
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
548
|
-
this new mode is enabled via the
|
549
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
550
|
-
|
551
|
-
*Michael J Coyne*
|
192
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
552
193
|
|
553
|
-
|
194
|
+
Fixes #32597.
|
554
195
|
|
555
|
-
|
556
|
-
^template path ^template tree digest ^class ^id
|
196
|
+
*Andrey Novikov*, *Andrew White*
|
557
197
|
|
558
|
-
|
198
|
+
* Move default headers configuration into their own module that can be included in controllers.
|
559
199
|
|
560
|
-
*
|
561
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
562
|
-
to support it.
|
200
|
+
*Kevin Deisz*
|
563
201
|
|
564
|
-
|
202
|
+
* Add method `dig` to `session`.
|
565
203
|
|
566
|
-
*
|
204
|
+
*claudiob*, *Takumi Shotoku*
|
567
205
|
|
568
|
-
|
569
|
-
|
570
|
-
may not exist in a certain implementation.
|
206
|
+
* Controller level `force_ssl` has been deprecated in favor of
|
207
|
+
`config.force_ssl`.
|
571
208
|
|
572
|
-
|
209
|
+
*Derek Prior*
|
573
210
|
|
574
|
-
|
211
|
+
* Rails 6 requires Ruby 2.5.0 or newer.
|
575
212
|
|
576
|
-
*
|
213
|
+
*Jeremy Daer*, *Kasper Timm Hansen*
|
577
214
|
|
578
215
|
|
579
|
-
Please check [5-
|
216
|
+
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|
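Review bot: the added `Purpose metadata for signed/encrypted cookies` entry states that the protection only applies when `action_dispatch.use_cookies_with_metadata` is enabled, so the upgrade by itself does not stop a signed or encrypted value from being replayed under a different cookie name; read this entry as a configuration flag to turn on, not a fix that applies automatically. Two further points on the added lines: `confliciting` in the `ActionController::RespondToMismatchError` entry and `HypoteticalPlugin` in the `register_interceptor` example are misspellings, and the controller-level `force_ssl` deprecation means applications enforcing HTTPS per controller will start emitting deprecation warnings and should move that setting to `config.force_ssl`.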
data/MIT-LICENSE
CHANGED