actionpack 5.2.7.1 → 6.0.0.beta1


Potentially problematic release: this version of actionpack might be problematic.

Files changed (108)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +109 -472
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +1 -1
  5. data/lib/abstract_controller/base.rb +4 -2
  6. data/lib/abstract_controller/caching/fragments.rb +6 -21
  7. data/lib/abstract_controller/callbacks.rb +12 -0
  8. data/lib/abstract_controller/collector.rb +1 -1
  9. data/lib/abstract_controller/helpers.rb +2 -2
  10. data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
  11. data/lib/action_controller/api.rb +2 -1
  12. data/lib/action_controller/base.rb +2 -7
  13. data/lib/action_controller/caching.rb +1 -1
  14. data/lib/action_controller/log_subscriber.rb +8 -5
  15. data/lib/action_controller/metal/conditional_get.rb +9 -3
  16. data/lib/action_controller/metal/data_streaming.rb +5 -6
  17. data/lib/action_controller/metal/default_headers.rb +17 -0
  18. data/lib/action_controller/metal/exceptions.rb +22 -1
  19. data/lib/action_controller/metal/flash.rb +5 -5
  20. data/lib/action_controller/metal/force_ssl.rb +17 -57
  21. data/lib/action_controller/metal/head.rb +1 -1
  22. data/lib/action_controller/metal/helpers.rb +1 -2
  23. data/lib/action_controller/metal/http_authentication.rb +21 -22
  24. data/lib/action_controller/metal/implicit_render.rb +2 -12
  25. data/lib/action_controller/metal/instrumentation.rb +3 -5
  26. data/lib/action_controller/metal/live.rb +28 -26
  27. data/lib/action_controller/metal/mime_responds.rb +13 -2
  28. data/lib/action_controller/metal/params_wrapper.rb +18 -14
  29. data/lib/action_controller/metal/redirecting.rb +32 -11
  30. data/lib/action_controller/metal/rendering.rb +1 -1
  31. data/lib/action_controller/metal/request_forgery_protection.rb +32 -97
  32. data/lib/action_controller/metal/strong_parameters.rb +57 -34
  33. data/lib/action_controller/metal/url_for.rb +1 -1
  34. data/lib/action_controller/metal.rb +2 -2
  35. data/lib/action_controller/railties/helpers.rb +1 -1
  36. data/lib/action_controller/renderer.rb +15 -2
  37. data/lib/action_controller/test_case.rb +5 -9
  38. data/lib/action_controller.rb +1 -0
  39. data/lib/action_dispatch/http/cache.rb +14 -10
  40. data/lib/action_dispatch/http/content_disposition.rb +45 -0
  41. data/lib/action_dispatch/http/content_security_policy.rb +17 -8
  42. data/lib/action_dispatch/http/filter_parameters.rb +8 -6
  43. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  44. data/lib/action_dispatch/http/headers.rb +1 -1
  45. data/lib/action_dispatch/http/mime_negotiation.rb +7 -10
  46. data/lib/action_dispatch/http/mime_type.rb +1 -5
  47. data/lib/action_dispatch/http/parameter_filter.rb +5 -79
  48. data/lib/action_dispatch/http/parameters.rb +13 -3
  49. data/lib/action_dispatch/http/request.rb +10 -13
  50. data/lib/action_dispatch/http/response.rb +14 -14
  51. data/lib/action_dispatch/http/upload.rb +5 -0
  52. data/lib/action_dispatch/http/url.rb +81 -81
  53. data/lib/action_dispatch/journey/formatter.rb +1 -1
  54. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
  55. data/lib/action_dispatch/journey/nodes/node.rb +9 -8
  56. data/lib/action_dispatch/journey/path/pattern.rb +3 -4
  57. data/lib/action_dispatch/journey/router/utils.rb +10 -10
  58. data/lib/action_dispatch/journey/router.rb +0 -3
  59. data/lib/action_dispatch/journey/scanner.rb +11 -4
  60. data/lib/action_dispatch/journey/visitors.rb +1 -1
  61. data/lib/action_dispatch/middleware/callbacks.rb +2 -4
  62. data/lib/action_dispatch/middleware/cookies.rb +49 -70
  63. data/lib/action_dispatch/middleware/debug_exceptions.rb +32 -58
  64. data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
  65. data/lib/action_dispatch/middleware/debug_view.rb +50 -0
  66. data/lib/action_dispatch/middleware/exception_wrapper.rb +36 -7
  67. data/lib/action_dispatch/middleware/executor.rb +1 -1
  68. data/lib/action_dispatch/middleware/flash.rb +1 -1
  69. data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
  70. data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
  71. data/lib/action_dispatch/middleware/request_id.rb +2 -2
  72. data/lib/action_dispatch/middleware/session/abstract_store.rb +0 -14
  73. data/lib/action_dispatch/middleware/session/cache_store.rb +6 -11
  74. data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -27
  75. data/lib/action_dispatch/middleware/ssl.rb +8 -8
  76. data/lib/action_dispatch/middleware/stack.rb +2 -2
  77. data/lib/action_dispatch/middleware/static.rb +5 -6
  78. data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
  79. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
  80. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
  81. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
  82. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +20 -2
  83. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +4 -4
  84. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  85. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
  86. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
  87. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
  88. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
  89. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
  90. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
  91. data/lib/action_dispatch/railtie.rb +1 -0
  92. data/lib/action_dispatch/request/session.rb +8 -6
  93. data/lib/action_dispatch/routing/inspector.rb +99 -50
  94. data/lib/action_dispatch/routing/mapper.rb +36 -29
  95. data/lib/action_dispatch/routing/polymorphic_routes.rb +7 -12
  96. data/lib/action_dispatch/routing/route_set.rb +11 -12
  97. data/lib/action_dispatch/routing/url_for.rb +1 -0
  98. data/lib/action_dispatch/routing.rb +3 -2
  99. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +3 -3
  100. data/lib/action_dispatch/testing/assertions/response.rb +2 -3
  101. data/lib/action_dispatch/testing/assertions/routing.rb +7 -2
  102. data/lib/action_dispatch/testing/integration.rb +11 -5
  103. data/lib/action_dispatch/testing/test_process.rb +2 -2
  104. data/lib/action_dispatch/testing/test_response.rb +4 -32
  105. data/lib/action_dispatch.rb +7 -6
  106. data/lib/action_pack/gem_version.rb +4 -4
  107. data/lib/action_pack.rb +1 -1
  108. metadata +25 -23
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 35274ebf243c146d9a4f8149f58fc852b8fa419d0d98fe5d25c93c2ffb849ac7
4
- data.tar.gz: c3a86d6c25830b42c0dafa3e82322645fda469867cebe955cd58bd8d17081edd
3
+ metadata.gz: df5b083c08009f1025bfbf541400a4819b5620f5bb49aa3d4bbe0c056eae44b3
4
+ data.tar.gz: '0374579e1273c1d727e0bc94d7a73b3933d8c0f54e7196beedc61ea30d88209f'
5
5
  SHA512:
6
- metadata.gz: c548347dc7b568341963f1f19fff93422e6a01100ca15704d43ec7832094be42036dfe08004663cc0aa6e6dfade65c1c6a7c7aa99fdac3476f4feec65dcb8738
7
- data.tar.gz: f379d596f2899db4ff5f80a317d44bbb0eed5e67af7d208b97b148a566c53b51b586c960051aff203593985b35ac95ae1272a67f78366336e8244263dd001dd9
6
+ metadata.gz: cb0e467dc8c10baa42df2d08d79b2f5caedad996d247523abf54713a542f6d49a01f120ca0b0faa6930ea89592bfe074979201adec97d33135a5877391a5d4bb
7
+ data.tar.gz: dee5cf35ce9af7e795d65bb2a44d5edb229439f5fbde0dde1c35e8d3cf2564c49ddf929a9d5499b3aa6248c42cf6f61ca2c75c85a623ba51f1dd6106750d3267
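Review bot: the new `data.tar.gz` SHA256 is emitted as a quoted string while the other three digests are bare scalars; the value begins with a digit, so the YAML emitter quotes it to keep it a string, and the difference is cosmetic, but anyone pinning checksums by comparing raw lines of this file should compare parsed values instead. Both the SHA256 and SHA512 digests of `metadata.gz` and `data.tar.gz` change together here, which is what a full version bump looks like.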
data/CHANGELOG.md CHANGED
@@ -1,148 +1,66 @@
1
- ## Rails 5.2.7.1 (April 26, 2022) ##
1
+ ## Rails 6.0.0.beta1 (January 18, 2019) ##
2
2
 
3
- * Allow Content Security Policy DSL to generate for API responses.
3
+ * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
4
4
 
5
- *Tim Wade*
6
-
7
- ## Rails 5.2.7 (March 10, 2022) ##
8
-
9
- * No changes.
10
-
11
- ## Rails 5.2.6.3 (March 08, 2022) ##
12
-
13
- * No changes.
14
-
15
-
16
- ## Rails 5.2.6.2 (February 11, 2022) ##
17
-
18
- * No changes.
5
+ *Rafael Mendonça França*
19
6
 
7
+ * Remove deprecated methods in `ActionDispatch::TestResponse`.
20
8
 
21
- ## Rails 5.2.6.1 (February 11, 2022) ##
9
+ `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
10
+ `#successful?`, `not_found?` and `server_error?`.
22
11
 
23
- * Under certain circumstances, the middleware isn't informed that the
24
- response body has been fully closed which result in request state not
25
- being fully reset before the next request
12
+ *Rafael Mendonça França*
26
13
 
27
- [CVE-2022-23633]
14
+ * Ensure external redirects are explicitly allowed
28
15
 
16
+ Add `fallback_location` and `allow_other_host` options to `redirect_to`.
29
17
 
30
- ## Rails 5.2.6 (May 05, 2021) ##
18
+ *Gannon McGibbon*
31
19
 
32
- * Accept base64_urlsafe CSRF tokens to make forward compatible.
20
+ * Introduce ActionDispatch::HostAuthorization
33
21
 
34
- Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
35
- them difficult to deal with. For example, the common practice of sending
36
- the CSRF token to a browser in a client-readable cookie does not work properly
37
- out of the box: the value has to be url-encoded and decoded to survive transport.
22
+ This is a new middleware that guards against DNS rebinding attacks by
23
+ white-listing the allowed hosts a request can be made to.
38
24
 
39
- In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
40
- safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
41
- tokens for backwards compatibility.
25
+ Each host is checked with the case operator (`#===`) to support `RegExp`,
26
+ `Proc`, `IPAddr` and custom objects as host allowances.
42
27
 
43
- How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
44
- config.
28
+ *Genadi Samokovarov*
45
29
 
46
- In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
30
+ * Allow using `parsed_body` in `ActionController::TestCase`.
47
31
 
48
- **Atention**: If you already upgraded your application to 5.2.5, set the config
49
- `urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
50
- during the deploy of this new version.
32
+ In addition to `ActionDispatch::IntegrationTest`, allow using
33
+ `parsed_body` in `ActionController::TestCase`:
51
34
 
52
- ```ruby
53
- Rails.application.config.action_controller.urlsafe_csrf_tokens = true
35
+ ```
36
+ class SomeControllerTest < ActionController::TestCase
37
+ def test_some_action
38
+ post :action, body: { foo: 'bar' }
39
+ assert_equal({ "foo" => "bar" }, response.parsed_body)
40
+ end
41
+ end
54
42
  ```
55
43
 
56
- If you are upgrading from 5.2.4.x, you don't need to change this configuration.
57
-
58
- *Scott Blum*, *Étienne Barrié*
59
-
60
-
61
- ## Rails 5.2.5 (March 26, 2021) ##
62
-
63
- * No changes.
64
-
65
-
66
- ## Rails 5.2.4.6 (May 05, 2021) ##
67
-
68
- * Prevent regex DoS in HTTP token authentication
69
- CVE-2021-22904
44
+ Fixes #34676.
70
45
 
71
- * Prevent string polymorphic route arguments.
46
+ *Tobias Bühlmann*
72
47
 
73
- `url_for` supports building polymorphic URLs via an array
74
- of arguments (usually symbols and records). If a developer passes a
75
- user input array, strings can result in unwanted route helper calls.
48
+ * Raise an error on root route naming conflicts.
76
49
 
77
- CVE-2021-22885
50
+ Raises an ArgumentError when multiple root routes are defined in the
51
+ same context instead of assigning nil names to subsequent roots.
78
52
 
79
53
  *Gannon McGibbon*
80
54
 
81
- ## Rails 5.2.4.5 (February 10, 2021) ##
82
-
83
- * No changes.
84
-
85
-
86
- ## Rails 5.2.4.4 (September 09, 2020) ##
87
-
88
- * No changes.
89
-
90
-
91
- ## Rails 5.2.4.3 (May 18, 2020) ##
92
-
93
- * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
94
-
95
- * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
96
-
97
-
98
- ## Rails 5.2.4.2 (March 19, 2020) ##
99
-
100
- * No changes.
101
-
102
-
103
- ## Rails 5.2.4.1 (December 18, 2019) ##
104
-
105
- * Fix possible information leak / session hijacking vulnerability.
106
-
107
- The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
108
- gem dalli to be updated as well.
109
-
110
- _Breaking changes:_
111
- * `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
112
- * Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
113
- ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
114
-
115
- CVE-2019-16782.
116
-
117
-
118
- ## Rails 5.2.4 (November 27, 2019) ##
119
-
120
- * No changes.
121
-
122
-
123
- ## Rails 5.2.3 (March 27, 2019) ##
124
-
125
- * Allow using `public` and `no-cache` together in the the Cache Control header.
126
-
127
- Before this change, even if `public` was specified in the Cache Control header,
128
- it was excluded when `no-cache` was included. This change preserves the
129
- `public` value as is.
130
-
131
- Fixes #34780.
132
-
133
- *Yuji Yaginuma*
134
-
135
- * Allow `nil` params for `ActionController::TestCase`.
136
-
137
- *Ryo Nakamura*
138
-
139
-
140
- ## Rails 5.2.2.1 (March 11, 2019) ##
141
-
142
- * No changes.
55
+ * Allow rescue from parameter parse errors:
143
56
 
57
+ ```
58
+ rescue_from ActionDispatch::Http::Parameters::ParseError do
59
+ head :unauthorized
60
+ end
61
+ ```
144
62
 
145
- ## Rails 5.2.2 (December 04, 2018) ##
63
+ *Gannon McGibbon*, *Josh Cheek*
146
64
 
147
65
  * Reset Capybara sessions if failed system test screenshot raising an exception.
148
66
 
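Review bot: the removed side of this hunk drops the entries for CVE-2022-23633, CVE-2021-22904, CVE-2021-22885, CVE-2020-8166, CVE-2020-8164 and CVE-2019-16782. That is expected, since 6.0.0.beta1 is dated January 18, 2019 and predates every one of those fixes, but it means this comparison lands on a pre-release that carries none of them; treat the missing entries as fixes that must be verified present in whatever 6.0 release is actually deployed, not as fixes that moved elsewhere. On the added side, the `ActionDispatch::HostAuthorization` entry names no configuration key and does not say which hosts are allowed by default, so an upgrader cannot tell from the changelog how to scope the allowance; the `allow_other_host` entry likewise does not state the default for `redirect_to`. Minor: the two new fenced examples use a bare ``` where the 5.2 entry being replaced used ```ruby.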
@@ -178,402 +96,121 @@
178
96
 
179
97
  *Andrew White*
180
98
 
181
- * Fix `rails routes -c` for controller name consists of multiple word.
182
-
183
- *Yoshiyuki Kinjo*
184
-
185
- * Call the `#redirect_to` block in controller context.
186
-
187
- *Steven Peckins*
188
-
189
-
190
- ## Rails 5.2.1.1 (November 27, 2018) ##
191
-
192
- * No changes.
193
-
194
-
195
- ## Rails 5.2.1 (August 07, 2018) ##
196
-
197
- * Prevent `?null=` being passed on JSON encoded test requests.
198
-
199
- `RequestEncoder#encode_params` won't attempt to parse params if
200
- there are none.
201
-
202
- So call like this will no longer append a `?null=` query param.
203
-
204
- get foos_url, as: :json
205
-
206
- *Alireza Bashiri*
207
-
208
- * Ensure `ActionController::Parameters#transform_values` and
209
- `ActionController::Parameters#transform_values!` converts hashes into
210
- parameters.
211
-
212
- *Kevin Sjöberg*
213
-
214
- * Fix strong parameters `permit!` with nested arrays.
215
-
216
- Given:
217
- ```
218
- params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
219
- params.permit!
220
- ```
221
-
222
- `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
223
-
224
- *Steve Hull*
225
-
226
- * Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
227
- `ActionController::TestCase` subclasses.
228
-
229
- *Eugene Kenny*
230
-
231
- * Output only one Content-Security-Policy nonce header value per request.
232
-
233
- Fixes #32597.
234
-
235
- *Andrey Novikov*, *Andrew White*
236
-
237
- * Only disable GPUs for headless Chrome on Windows.
238
-
239
- It is not necessary anymore for Linux and macOS machines.
240
-
241
- https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
242
-
243
- *Stefan Wrobel*
244
-
245
- * Fix system tests transactions not closed between examples.
246
-
247
- *Sergey Tarasov*
248
-
249
-
250
- ## Rails 5.2.0 (April 09, 2018) ##
251
-
252
- * Check exclude before flagging cookies as secure.
253
-
254
- *Catherine Khuu*
255
-
256
- * Always yield a CSP policy instance from `content_security_policy`
257
-
258
- This allows a controller action to enable the policy individually
259
- for a controller and/or specific actions.
260
-
261
- *Andrew White*
262
-
263
- * Add the ability to disable the global CSP in a controller, e.g:
264
-
265
- class LegacyPagesController < ApplicationController
266
- content_security_policy false, only: :index
267
- end
268
-
269
- *Andrew White*
270
-
271
- * Add alias method `to_hash` to `to_h` for `cookies`.
272
- Add alias method `to_h` to `to_hash` for `session`.
273
-
274
- *Igor Kasyanchuk*
99
+ * Add `ActionController::Parameters#each_value`.
275
100
 
276
- * Update the default HSTS max-age value to 31536000 seconds (1 year)
277
- to meet the minimum max-age requirement for https://hstspreload.org/.
101
+ *Lukáš Zapletal*
278
102
 
279
- *Grant Bourque*
103
+ * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
280
104
 
281
- * Add support for automatic nonce generation for Rails UJS.
282
-
283
- Because the UJS library creates a script tag to process responses it
284
- normally requires the script-src attribute of the content security
285
- policy to include 'unsafe-inline'.
286
-
287
- To work around this we generate a per-request nonce value that is
288
- embedded in a meta tag in a similar fashion to how CSRF protection
289
- embeds its token in a meta tag. The UJS library can then read the
290
- nonce value and set it on the dynamically generated script tag to
291
- enable it to execute without needing 'unsafe-inline' enabled.
105
+ *Yoshiyuki Kinjo*
292
106
 
293
- Nonce generation isn't 100% safe - if your script tag is including
294
- user generated content in someway then it may be possible to exploit
295
- an XSS vulnerability which can take advantage of the nonce. It is
296
- however an improvement on a blanket permission for inline scripts.
107
+ * Encode Content-Disposition filenames on `send_data` and `send_file`.
108
+ Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
109
+ `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
110
+ garbled.
111
+ Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
112
+ [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
113
+ `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
114
+ Most browsers can find filename correctly and old browsers fallback to ASCII
115
+ converted name.
297
116
 
298
- It is also possible to use the nonce within your own script tags by
299
- using `nonce: true` to set the nonce value on the tag, e.g
117
+ *Fumiaki Matsushima*
300
118
 
301
- <%= javascript_tag nonce: true do %>
302
- alert('Hello, World!');
303
- <% end %>
119
+ * Expose `ActionController::Parameters#each_key` which allows iterating over
120
+ keys without allocating an array.
304
121
 
305
- Fixes #31689.
122
+ *Richard Schneeman*
306
123
 
307
- *Andrew White*
124
+ * Purpose metadata for signed/encrypted cookies.
308
125
 
309
- * Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
126
+ Rails can now thwart attacks that attempt to copy signed/encrypted value
127
+ of a cookie and use it as the value of another cookie.
310
128
 
311
- Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
129
+ It does so by stashing the cookie-name in the purpose field which is
130
+ then signed/encrypted along with the cookie value. Then, on a server-side
131
+ read, we verify the cookie-names and discard any attacked cookies.
312
132
 
313
- # Parameters: {"param"=>"1", "param_two"=>"2"}
314
- def index
315
- params.each do |name|
316
- puts name
317
- end
318
- end
133
+ Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
134
+ writes cookies with the new purpose and expiry metadata embedded.
319
135
 
320
- # Prints
321
- # param
322
- # param_two
136
+ *Assain Jaleel*
323
137
 
324
- In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
138
+ * Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
325
139
 
326
- To fix the code above simply change as per example below:
140
+ `respond_to` can match multiple types and lead to undefined behavior when
141
+ multiple invocations are made and the types do not match:
327
142
 
328
- # Parameters: {"param"=>"1", "param_two"=>"2"}
329
- def index
330
- params.each do |name, value|
331
- puts name
143
+ respond_to do |outer_type|
144
+ outer_type.js do
145
+ respond_to do |inner_type|
146
+ inner_type.html { render body: "HTML" }
147
+ end
332
148
  end
333
149
  end
334
150
 
335
- # Prints
336
- # param
337
- # param_two
338
-
339
- *Dominic Cleal*
340
-
341
- * Add `Referrer-Policy` header to default headers set.
151
+ *Patrick Toomey*
342
152
 
343
- *Guillermo Iguaran*
153
+ * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
344
154
 
345
- * Changed the system tests to set Puma as default server only when the
346
- user haven't specified manually another server.
155
+ This allows uploaded file objects to be passed directly to `File.read`
156
+ without raising a `TypeError`:
347
157
 
348
- *Guillermo Iguaran*
158
+ uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
159
+ File.read(uploaded_file)
349
160
 
350
- * Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
351
- default headers set.
161
+ *Aaron Kromer*
352
162
 
353
- *Guillermo Iguaran*
163
+ * Pass along arguments to underlying `get` method in `follow_redirect!`.
354
164
 
355
- * Add headless firefox support to System Tests.
165
+ Now all arguments passed to `follow_redirect!` are passed to the underlying
166
+ `get` method. This for example allows to set custom headers for the
167
+ redirection request to the server.
356
168
 
357
- *bogdanvlviv*
169
+ follow_redirect!(params: { foo: :bar })
358
170
 
359
- * Changed the default system test screenshot output from `inline` to `simple`.
171
+ *Remo Fritzsche*
360
172
 
361
- `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
362
- Terminal.app ignore the `inline` and output the path to the file since it can't
363
- render the image. Other terminals, like those on Ubuntu, cannot handle the image
364
- inline, but also don't handle it gracefully and instead of outputting the file
365
- path, it dumps binary into the terminal.
173
+ * Introduce a new error page to when the implicit render page is accessed in the browser.
366
174
 
367
- Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
175
+ Now instead of showing an error page that with exception and backtraces we now show only
176
+ one informative page.
368
177
 
369
- *Eileen M. Uchitelle*
370
-
371
- * Register most popular audio/video/font mime types supported by modern browsers.
372
-
373
- *Guillermo Iguaran*
374
-
375
- * Fix optimized url helpers when using relative url root.
376
-
377
- Fixes #31220.
378
-
379
- *Andrew White*
178
+ *Vinicius Stock*
380
179
 
381
- * Add DSL for configuring Content-Security-Policy header.
180
+ * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
382
181
 
383
- The DSL allows you to configure a global Content-Security-Policy
384
- header and then override within a controller. For more information
385
- about the Content-Security-Policy header see MDN:
182
+ Exception aware plugin authors can use the newly introduced
183
+ `.register_interceptor` method to get the processed exception, instead of
184
+ monkey patching DebugExceptions.
386
185
 
387
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
388
-
389
- Example global policy:
390
-
391
- # config/initializers/content_security_policy.rb
392
- Rails.application.config.content_security_policy do |p|
393
- p.default_src :self, :https
394
- p.font_src :self, :https, :data
395
- p.img_src :self, :https, :data
396
- p.object_src :none
397
- p.script_src :self, :https
398
- p.style_src :self, :https, :unsafe_inline
399
- end
400
-
401
- Example controller overrides:
402
-
403
- # Override policy inline
404
- class PostsController < ApplicationController
405
- content_security_policy do |p|
406
- p.upgrade_insecure_requests true
407
- end
408
- end
409
-
410
- # Using literal values
411
- class PostsController < ApplicationController
412
- content_security_policy do |p|
413
- p.base_uri "https://www.example.com"
414
- end
415
- end
416
-
417
- # Using mixed static and dynamic values
418
- class PostsController < ApplicationController
419
- content_security_policy do |p|
420
- p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
421
- end
186
+ ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
187
+ HypoteticalPlugin.capture_exception(request, exception)
422
188
  end
423
189
 
424
- Allows you to also only report content violations for migrating
425
- legacy content using the `content_security_policy_report_only`
426
- configuration attribute, e.g;
427
-
428
- # config/initializers/content_security_policy.rb
429
- Rails.application.config.content_security_policy_report_only = true
430
-
431
- # controller override
432
- class PostsController < ApplicationController
433
- content_security_policy_report_only only: :index
434
- end
435
-
436
- Note that this feature does not validate the header for performance
437
- reasons since the header is calculated at runtime.
438
-
439
- *Andrew White*
440
-
441
- * Make `assert_recognizes` to traverse mounted engines.
442
-
443
- *Yuichiro Kaneko*
444
-
445
- * Remove deprecated `ActionController::ParamsParser::ParseError`.
446
-
447
- *Rafael Mendonça França*
190
+ *Genadi Samokovarov*
448
191
 
449
- * Add `:allow_other_host` option to `redirect_back` method.
450
-
451
- When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
452
- different host. `allow_other_host` is `true` by default.
453
-
454
- *Tim Masliuchenko*
455
-
456
- * Add headless chrome support to System Tests.
457
-
458
- *Yuji Yaginuma*
459
-
460
- * Add ability to enable Early Hints for HTTP/2
461
-
462
- If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
463
-
464
- The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
465
-
466
- *Eileen M. Uchitelle*, *Aaron Patterson*
467
-
468
- * Simplify cookies middleware with key rotation support
469
-
470
- Use the `rotate` method for both `MessageEncryptor` and
471
- `MessageVerifier` to add key rotation support for encrypted and
472
- signed cookies. This also helps simplify support for legacy cookie
473
- security.
474
-
475
- *Michael J Coyne*
476
-
477
- * Use Capybara registered `:puma` server config.
478
-
479
- The Capybara registered `:puma` server ensures the puma server is run in process so
480
- connection sharing and open request detection work correctly by default.
481
-
482
- *Thomas Walpole*
483
-
484
- * Cookies `:expires` option supports `ActiveSupport::Duration` object.
485
-
486
- cookies[:user_name] = { value: "assain", expires: 1.hour }
487
- cookies[:key] = { value: "a yummy cookie", expires: 6.months }
488
-
489
- Pull Request: #30121
490
-
491
- *Assain Jaleel*
492
-
493
- * Enforce signed/encrypted cookie expiry server side.
494
-
495
- Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
496
-
497
- It does so by stashing the expiry within the written cookie and relying on the
498
- signing/encrypting to vouch that it hasn't been tampered with. Then on a
499
- server-side read, the expiry is verified and any expired cookie is discarded.
500
-
501
- Pull Request: #30121
502
-
503
- *Assain Jaleel*
504
-
505
- * Make `take_failed_screenshot` work within engine.
506
-
507
- Fixes #30405.
508
-
509
- *Yuji Yaginuma*
510
-
511
- * Deprecate `ActionDispatch::TestResponse` response aliases.
512
-
513
- `#success?`, `#missing?` & `#error?` are not supported by the actual
514
- `ActionDispatch::Response` object and can produce false-positives. Instead,
515
- use the response helpers provided by `Rack::Response`.
516
-
517
- *Trevor Wistaff*
518
-
519
- * Protect from forgery by default
520
-
521
- Rather than protecting from forgery in the generated `ApplicationController`,
522
- add it to `ActionController::Base` depending on
523
- `config.action_controller.default_protect_from_forgery`. This configuration
524
- defaults to false to support older versions which have removed it from their
525
- `ApplicationController`, but is set to true for Rails 5.2.
526
-
527
- *Lisa Ugray*
528
-
529
- * Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
530
-
531
- *Kir Shatrov*
532
-
533
- * `driven_by` now registers poltergeist and capybara-webkit.
534
-
535
- If poltergeist or capybara-webkit are set as drivers is set for System Tests,
536
- `driven_by` will register the driver and set additional options passed via
537
- the `:options` parameter.
538
-
539
- Refer to the respective driver's documentation to see what options can be passed.
540
-
541
- *Mario Chavez*
542
-
543
- * AEAD encrypted cookies and sessions with GCM.
544
-
545
- Encrypted cookies now use AES-GCM which couples authentication and
546
- encryption in one faster step and produces shorter ciphertexts. Cookies
547
- encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
548
- this new mode is enabled via the
549
- `action_dispatch.use_authenticated_cookie_encryption` configuration value.
550
-
551
- *Michael J Coyne*
192
+ * Output only one Content-Security-Policy nonce header value per request.
552
193
 
553
- * Change the cache key format for fragments to make it easier to debug key churn. The new format is:
194
+ Fixes #32597.
554
195
 
555
- views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
556
- ^template path ^template tree digest ^class ^id
196
+ *Andrey Novikov*, *Andrew White*
557
197
 
558
- *DHH*
198
+ * Move default headers configuration into their own module that can be included in controllers.
559
199
 
560
- * Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
561
- `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
562
- to support it.
200
+ *Kevin Deisz*
563
201
 
564
- *DHH*
202
+ * Add method `dig` to `session`.
565
203
 
566
- * Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
204
+ *claudiob*, *Takumi Shotoku*
567
205
 
568
- `ActionController::Base` and `ActionController::API` have differing implementations. This means that
569
- the one umbrella hook `action_controller` is not able to address certain situations where a method
570
- may not exist in a certain implementation.
206
+ * Controller level `force_ssl` has been deprecated in favor of
207
+ `config.force_ssl`.
571
208
 
572
- This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
209
+ *Derek Prior*
573
210
 
574
- Fixes #27013.
211
+ * Rails 6 requires Ruby 2.5.0 or newer.
575
212
 
576
- *Julian Nadeau*
213
+ *Jeremy Daer*, *Kasper Timm Hansen*
577
214
 
578
215
 
579
- Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
216
+ Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
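Review bot: `confliciting` in the `ActionController::RespondToMismatchError` entry should read `conflicting`, and `HypoteticalPlugin` in the `register_interceptor` example should read `HypotheticalPlugin`. The purpose-metadata cookie entry says attacked cookies are discarded once `action_dispatch.use_cookies_with_metadata` is enabled but does not say how cookies written before the flag was turned on are treated on read, which is what an operator needs to know before flipping it in production; a sentence on that, in the style of the `use_authenticated_cookie_encryption` upgrade note this hunk removes, would close the gap. In the Content-Disposition entry, `%3F` is the percent-encoded `?` substituted for the non-ASCII character in the legacy `filename=` parameter; saying so would make the fallback clearer than "ASCII converted name".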
data/MIT-LICENSE CHANGED
@@ -1,4 +1,4 @@
1
- Copyright (c) 2004-2018 David Heinemeier Hansson
1
+ Copyright (c) 2004-2019 David Heinemeier Hansson
2
2
 
3
3
  Permission is hereby granted, free of charge, to any person obtaining
4
4
  a copy of this software and associated documentation files (the