RubyGems - actionpack - Versions diffs - 5.2.8.1 → 6.0.6 - Mend

actionpack 5.2.8.1 → 6.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (136) hide show

data/CHANGELOG.md CHANGED Viewed

@@ -1,34 +1,35 @@
-## Rails 5.2.8.1 (July 12, 2022) ##
+## Rails 6.0.6 (September 09, 2022) ##
 *   No changes.
-## Rails 5.2.8 (May 09, 2022) ##
+## Rails 6.0.5.1 (July 12, 2022) ##
 *   No changes.
-## Rails 5.2.7.1 (April 26, 2022) ##
+## Rails 6.0.5 (May 09, 2022) ##
-*   Allow Content Security Policy DSL to generate for API responses.
+*   No changes.
-    *Tim Wade*
-## Rails 5.2.7 (March 10, 2022) ##
+## Rails 6.0.4.8 (April 26, 2022) ##
-*   No changes.
+*   Allow Content Security Policy DSL to generate for API responses.
-## Rails 5.2.6.3 (March 08, 2022) ##
+    *Tim Wade*
+## Rails 6.0.4.7 (March 08, 2022) ##
 *   No changes.
-## Rails 5.2.6.2 (February 11, 2022) ##
+## Rails 6.0.4.6 (February 11, 2022) ##
 *   No changes.
-## Rails 5.2.6.1 (February 11, 2022) ##
+## Rails 6.0.4.5 (February 11, 2022) ##
 *   Under certain circumstances, the middleware isn't informed that the
     response body has been fully closed which result in request state not
@@ -37,7 +38,29 @@
     [CVE-2022-23633]
-## Rails 5.2.6 (May 05, 2021) ##
+## Rails 6.0.4.4 (December 15, 2021) ##
+*   Fix issue with host protection not allowing host with port in development.
+## Rails 6.0.4.3 (December 14, 2021) ##
+*   Fix issue with host protection not allowing localhost in development.
+## Rails 6.0.4.2 (December 14, 2021) ##
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+## Rails 6.1.4.1 (August 19, 2021) ##
+*   [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
+    Specially crafted "X-Forwarded-Host" headers in combination with certain
+    "allowed host" formats can cause the Host Authorization middleware in Action
+    Pack to redirect users to a malicious website.
+## Rails 6.0.4 (June 15, 2021) ##
 *   Accept base64_urlsafe CSRF tokens to make forward compatible.
@@ -46,34 +69,29 @@
     the CSRF token to a browser in a client-readable cookie does not work properly
     out of the box: the value has to be url-encoded and decoded to survive transport.
-    In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
+    In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
     safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
     tokens for backwards compatibility.
-    How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
-    config.
-    In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
-    **Atention**: If you already upgraded your application to 5.2.5, set the config
-    `urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
-    during the deploy of this new version.
+    In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded.
+    If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
     ```ruby
     Rails.application.config.action_controller.urlsafe_csrf_tokens = true
     ```
-    If you are upgrading from 5.2.4.x, you don't need to change this configuration.
     *Scott Blum*, *Étienne Barrié*
+*   Signed and encrypted cookies can now store `false` as their value when
+    `action_dispatch.use_cookies_with_metadata` is enabled.
-## Rails 5.2.5 (March 26, 2021) ##
+    *Rolandas Barysas*
-*   No changes.
+## Rails 6.0.3.7 (May 05, 2021) ##
-## Rails 5.2.4.6 (May 05, 2021) ##
+*   Prevent catastrophic backtracking during mime parsing
+    CVE-2021-22902
 *   Prevent regex DoS in HTTP token authentication
     CVE-2021-22904
@@ -88,502 +106,407 @@
     *Gannon McGibbon*
-## Rails 5.2.4.5 (February 10, 2021) ##
+## Rails 6.0.3.6 (March 26, 2021) ##
 *   No changes.
-## Rails 5.2.4.4 (September 09, 2020) ##
-*   No changes.
+## Rails 6.0.3.5 (February 10, 2021) ##
-## Rails 5.2.4.3 (May 18, 2020) ##
+*   Prevent open redirect when allowed host starts with a dot
-*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
+    [CVE-2021-22881]
-*   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
+    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
+    issue and the patch!
+    *Aaron Patterson*
-## Rails 5.2.4.2 (March 19, 2020) ##
-*   No changes.
+## Rails 6.0.3.4 (October 07, 2020) ##
+*   [CVE-2020-8264] Prevent XSS in Actionable Exceptions
-## Rails 5.2.4.1 (December 18, 2019) ##
-*   Fix possible information leak / session hijacking vulnerability.
-    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
-    gem dalli to be updated as well.
-    _Breaking changes:_
-    *   `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
-    *   Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
-        ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
-    CVE-2019-16782.
-## Rails 5.2.4 (November 27, 2019) ##
+## Rails 6.0.3.3 (September 09, 2020) ##
 *   No changes.
-## Rails 5.2.3 (March 27, 2019) ##
+## Rails 6.0.3.2 (June 17, 2020) ##
-*   Allow using `public` and `no-cache` together in the the Cache Control header.
+*   [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
-    Before this change, even if `public` was specified in the Cache Control header,
-    it was excluded when `no-cache` was included. This change preserves the
-    `public` value as is.
+## Rails 6.0.3.1 (May 18, 2020) ##
-    Fixes #34780.
+*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
-    *Yuji Yaginuma*
+*   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
-*   Allow `nil` params for `ActionController::TestCase`.
-    *Ryo Nakamura*
+## Rails 6.0.3 (May 06, 2020) ##
+*   Include child session assertion count in ActionDispatch::IntegrationTest
-## Rails 5.2.2.1 (March 11, 2019) ##
+    `IntegrationTest#open_session` uses `dup` to create the new session, which
+    meant it had its own copy of `@assertions`. This prevented the assertions
+    from being correctly counted and reported.
-*   No changes.
+    Child sessions now have their `attr_accessor` overriden to delegate to the
+    root session.
+    Fixes #32142
-## Rails 5.2.2 (December 04, 2018) ##
+    *Sam Bostock*
-*   Reset Capybara sessions if failed system test screenshot raising an exception.
-    Reset Capybara sessions if `take_failed_screenshot` raise exception
-    in system test `after_teardown`.
+## Rails 6.0.2.2 (March 19, 2020) ##
-    *Maxim Perepelitsa*
+*   No changes.
-*   Use request object for context if there's no controller
-    There is no controller instance when using a redirect route or a
-    mounted rack application so pass the request object as the context
-    when resolving dynamic CSP sources in this scenario.
+## Rails 6.0.2.1 (December 18, 2019) ##
-    Fixes #34200.
+*   Fix possible information leak / session hijacking vulnerability.
-    *Andrew White*
+    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
+    gem dalli to be updated as well.
-*   Apply mapping to symbols returned from dynamic CSP sources
+    CVE-2019-16782.
-    Previously if a dynamic source returned a symbol such as :self it
-    would be converted to a string implicity, e.g:
-        policy.default_src -> { :self }
+## Rails 6.0.2 (December 13, 2019) ##
-    would generate the header:
+*   Allow using mountable engine route helpers in System Tests.
-        Content-Security-Policy: default-src self
+    *Chalo Fernandez*
-    and now it generates:
-        Content-Security-Policy: default-src 'self'
+## Rails 6.0.1 (November 5, 2019) ##
-    *Andrew White*
+*   `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
+    rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
+    system tests.
-*   Fix `rails routes -c` for controller name consists of multiple word.
+    *George Claghorn*, *Edouard Chin*
-    *Yoshiyuki Kinjo*
+*   Registered MIME types may contain extra flags:
-*   Call the `#redirect_to` block in controller context.
+    ```ruby
+    Mime::Type.register "text/html; fragment", :html_fragment
+    ```
-    *Steven Peckins*
+    *Aaron Patterson*
-## Rails 5.2.1.1 (November 27, 2018) ##
+## Rails 6.0.0 (August 16, 2019) ##
 *   No changes.
-## Rails 5.2.1 (August 07, 2018) ##
-*   Prevent `?null=` being passed on JSON encoded test requests.
+## Rails 6.0.0.rc2 (July 22, 2019) ##
-    `RequestEncoder#encode_params` won't attempt to parse params if
-    there are none.
+*   Add the ability to set the CSP nonce only to the specified directives.
-    So call like this will no longer append a `?null=` query param.
+    Fixes #35137.
-        get foos_url, as: :json
+    *Yuji Yaginuma*
-    *Alireza Bashiri*
+*   Keep part when scope option has value.
-*   Ensure `ActionController::Parameters#transform_values` and
-    `ActionController::Parameters#transform_values!` converts hashes into
-    parameters.
+    When a route was defined within an optional scope, if that route didn't
+    take parameters the scope was lost when using path helpers. This commit
+    ensures scope is kept both when the route takes parameters or when it
+    doesn't.
-    *Kevin Sjöberg*
+    Fixes #33219
-*   Fix strong parameters `permit!` with nested arrays.
+    *Alberto Almagro*
-    Given:
-    ```
-    params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
-    params.permit!
-    ```
+*   Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
-    `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
+    Previously, `ActionDispatch::Response#content_type` returned value does NOT
+    contain charset part. This behavior changed to returned Content-Type header
+    containing charset part as it is.
-    *Steve Hull*
+    If you want just MIME type, please use `ActionDispatch::Response#media_type`
+    instead.
-*   Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
-    `ActionController::TestCase` subclasses.
+    Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
+    If not enabled, `ActionDispatch::Response#content_type` returns the same
+    value as before version, but its behavior is deprecate.
-    *Eugene Kenny*
-*   Output only one Content-Security-Policy nonce header value per request.
+    *Yuji Yaginuma*
-    Fixes #32597.
+*   Calling `ActionController::Parameters#transform_keys/!` without a block now returns
+    an enumerator for the parameters instead of the underlying hash.
-    *Andrey Novikov*, *Andrew White*
+    *Eugene Kenny*
-*   Only disable GPUs for headless Chrome on Windows.
+*   Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
-    It is not necessary anymore for Linux and macOS machines.
+    *Yuki Nishijima*, *Stan Lo*
-    https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
-    *Stefan Wrobel*
+## Rails 6.0.0.rc1 (April 24, 2019) ##
-*   Fix system tests transactions not closed between examples.
+*   Make system tests take a failed screenshot in a `before_teardown` hook
+    rather than an `after_teardown` hook.
-    *Sergey Tarasov*
+    This helps minimize the time gap between when an assertion fails and when
+    the screenshot is taken (reducing the time in which the page could have
+    been dynamically updated after the assertion failed).
+    *Richard Macklin*
-## Rails 5.2.0 (April 09, 2018) ##
+*   Introduce `ActionDispatch::ActionableExceptions`.
-*   Check exclude before flagging cookies as secure.
+    The `ActionDispatch::ActionableExceptions` middleware dispatches actions
+    from `ActiveSupport::ActionableError` descendants.
-    *Catherine Khuu*
+    Actionable errors let's you dispatch actions from Rails' error pages.
-*   Always yield a CSP policy instance from `content_security_policy`
+    *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
-    This allows a controller action to enable the policy individually
-    for a controller and/or specific actions.
+*   Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
-    *Andrew White*
+    After this change it's not possible anymore to configure routes like this:
-*   Add the ability to disable the global CSP in a controller, e.g:
+    ```
+    routes.draw do
+      resources :users, param: 'name/:sneaky'
+    end
+    ```
-        class LegacyPagesController < ApplicationController
-          content_security_policy false, only: :index
-        end
+    Fixes #30467.
-    *Andrew White*
+    *Josua Schmid*
-*   Add alias method `to_hash` to `to_h` for `cookies`.
-    Add alias method `to_h` to `to_hash` for `session`.
-    *Igor Kasyanchuk*
+## Rails 6.0.0.beta3 (March 11, 2019) ##
-*   Update the default HSTS max-age value to 31536000 seconds (1 year)
-    to meet the minimum max-age requirement for https://hstspreload.org/.
+*   No changes.
-    *Grant Bourque*
-*   Add support for automatic nonce generation for Rails UJS.
+## Rails 6.0.0.beta2 (February 25, 2019) ##
-    Because the UJS library creates a script tag to process responses it
-    normally requires the script-src attribute of the content security
-    policy to include 'unsafe-inline'.
+*   Make debug exceptions works in an environment where ActiveStorage is not loaded.
-    To work around this we generate a per-request nonce value that is
-    embedded in a meta tag in a similar fashion to how CSRF protection
-    embeds its token in a meta tag. The UJS library can then read the
-    nonce value and set it on the dynamically generated script tag to
-    enable it to execute without needing 'unsafe-inline' enabled.
+    *Tomoyuki Kurosawa*
-    Nonce generation isn't 100% safe - if your script tag is including
-    user generated content in someway then it may be possible to exploit
-    an XSS vulnerability which can take advantage of the nonce. It is
-    however an improvement on a blanket permission for inline scripts.
+*   `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
+    to define specific browser capabilities.
-    It is also possible to use the nonce within your own script tags by
-    using `nonce: true` to set the nonce value on the tag, e.g
+    *Edouard Chin*
-        <%= javascript_tag nonce: true do %>
-          alert('Hello, World!');
-        <% end %>
-    Fixes #31689.
+## Rails 6.0.0.beta1 (January 18, 2019) ##
-    *Andrew White*
+*   Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
-*   Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
+    *Rafael Mendonça França*
-    Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
+*   Remove deprecated methods in `ActionDispatch::TestResponse`.
-        # Parameters: {"param"=>"1", "param_two"=>"2"}
-        def index
-          params.each do |name|
-            puts name
-          end
-        end
+    `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
+    `#successful?`, `not_found?` and `server_error?`.
-        # Prints
-        # param
-        # param_two
+    *Rafael Mendonça França*
-    In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
+*   Introduce `ActionDispatch::HostAuthorization`.
-    To fix the code above simply change as per example below:
+    This is a new middleware that guards against DNS rebinding attacks by
+    explicitly permitting the hosts a request can be made to.
-        # Parameters: {"param"=>"1", "param_two"=>"2"}
-        def index
-          params.each do |name, value|
-            puts name
-          end
-        end
+    Each host is checked with the case operator (`#===`) to support `Regexp`,
+    `Proc`, `IPAddr` and custom objects as host allowances.
-        # Prints
-        # param
-        # param_two
+    *Genadi Samokovarov*
-    *Dominic Cleal*
+*   Allow using `parsed_body` in `ActionController::TestCase`.
-*   Add `Referrer-Policy` header to default headers set.
+    In addition to `ActionDispatch::IntegrationTest`, allow using
+    `parsed_body` in `ActionController::TestCase`:
-    *Guillermo Iguaran*
+    ```
+    class SomeControllerTest < ActionController::TestCase
+      def test_some_action
+        post :action, body: { foo: 'bar' }
+        assert_equal({ "foo" => "bar" }, response.parsed_body)
+      end
+    end
+    ```
-*   Changed the system tests to set Puma as default server only when the
-    user haven't specified manually another server.
+    Fixes #34676.
-    *Guillermo Iguaran*
+    *Tobias Bühlmann*
-*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
-    default headers set.
+*   Raise an error on root route naming conflicts.
-    *Guillermo Iguaran*
+    Raises an `ArgumentError` when multiple root routes are defined in the
+    same context instead of assigning nil names to subsequent roots.
-*   Add headless firefox support to System Tests.
+    *Gannon McGibbon*
-    *bogdanvlviv*
+*   Allow rescue from parameter parse errors:
-*   Changed the default system test screenshot output from `inline` to `simple`.
+    ```
+    rescue_from ActionDispatch::Http::Parameters::ParseError do
+      head :unauthorized
+    end
+    ```
-    `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
-    Terminal.app ignore the `inline` and output the path to the file since it can't
-    render the image. Other terminals, like those on Ubuntu, cannot handle the image
-    inline, but also don't handle it gracefully and instead of outputting the file
-    path, it dumps binary into the terminal.
+    *Gannon McGibbon*, *Josh Cheek*
-    Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
+*   Reset Capybara sessions if failed system test screenshot raising an exception.
-    *Eileen M. Uchitelle*
+    Reset Capybara sessions if `take_failed_screenshot` raise exception
+    in system test `after_teardown`.
-*   Register most popular audio/video/font mime types supported by modern browsers.
+    *Maxim Perepelitsa*
-    *Guillermo Iguaran*
+*   Use request object for context if there's no controller
-*   Fix optimized url helpers when using relative url root.
+    There is no controller instance when using a redirect route or a
+    mounted rack application so pass the request object as the context
+    when resolving dynamic CSP sources in this scenario.
-    Fixes #31220.
+    Fixes #34200.
     *Andrew White*
-*   Add DSL for configuring Content-Security-Policy header.
-    The DSL allows you to configure a global Content-Security-Policy
-    header and then override within a controller. For more information
-    about the Content-Security-Policy header see MDN:
-    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-    Example global policy:
-        # config/initializers/content_security_policy.rb
-        Rails.application.config.content_security_policy do |p|
-          p.default_src :self, :https
-          p.font_src    :self, :https, :data
-          p.img_src     :self, :https, :data
-          p.object_src  :none
-          p.script_src  :self, :https
-          p.style_src   :self, :https, :unsafe_inline
-        end
-    Example controller overrides:
-        # Override policy inline
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.upgrade_insecure_requests true
-          end
-        end
+*   Apply mapping to symbols returned from dynamic CSP sources
-        # Using literal values
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.base_uri "https://www.example.com"
-          end
-        end
+    Previously if a dynamic source returned a symbol such as :self it
+    would be converted to a string implicitly, e.g:
-        # Using mixed static and dynamic values
-        class PostsController < ApplicationController
-          content_security_policy do |p|
-            p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
-          end
-        end
+        policy.default_src -> { :self }
-    Allows you to also only report content violations for migrating
-    legacy content using the `content_security_policy_report_only`
-    configuration attribute, e.g;
+    would generate the header:
-        # config/initializers/content_security_policy.rb
-        Rails.application.config.content_security_policy_report_only = true
+        Content-Security-Policy: default-src self
-        # controller override
-        class PostsController < ApplicationController
-          content_security_policy_report_only only: :index
-        end
+    and now it generates:
-    Note that this feature does not validate the header for performance
-    reasons since the header is calculated at runtime.
+        Content-Security-Policy: default-src 'self'
     *Andrew White*
-*   Make `assert_recognizes` to traverse mounted engines.
-    *Yuichiro Kaneko*
-*   Remove deprecated `ActionController::ParamsParser::ParseError`.
-    *Rafael Mendonça França*
-*   Add `:allow_other_host` option to `redirect_back` method.
-    When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
-    different host. `allow_other_host` is `true` by default.
+*   Add `ActionController::Parameters#each_value`.
-    *Tim Masliuchenko*
+    *Lukáš Zapletal*
-*   Add headless chrome support to System Tests.
+*   Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
-    *Yuji Yaginuma*
-*   Add ability to enable Early Hints for HTTP/2
-    If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
-    The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
-    *Eileen M. Uchitelle*, *Aaron Patterson*
-*   Simplify cookies middleware with key rotation support
+    *Yoshiyuki Kinjo*
-    Use the `rotate` method for both `MessageEncryptor` and
-    `MessageVerifier` to add key rotation support for encrypted and
-    signed cookies. This also helps simplify support for legacy cookie
-    security.
+*   Encode Content-Disposition filenames on `send_data` and `send_file`.
+    Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
+    `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
+    garbled.
+    Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
+    [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
+    `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
+    Most browsers can find filename correctly and old browsers fallback to ASCII
+    converted name.
-    *Michael J Coyne*
+    *Fumiaki Matsushima*
-*   Use Capybara registered `:puma` server config.
+*   Expose `ActionController::Parameters#each_key` which allows iterating over
+    keys without allocating an array.
-    The Capybara registered `:puma` server ensures the puma server is run in process so
-    connection sharing and open request detection work correctly by default.
+    *Richard Schneeman*
-    *Thomas Walpole*
+*   Purpose metadata for signed/encrypted cookies.
-*   Cookies `:expires` option supports `ActiveSupport::Duration` object.
+    Rails can now thwart attacks that attempt to copy signed/encrypted value
+    of a cookie and use it as the value of another cookie.
-        cookies[:user_name] = { value: "assain", expires: 1.hour }
-        cookies[:key] = { value: "a yummy cookie", expires: 6.months }
+    It does so by stashing the cookie-name in the purpose field which is
+    then signed/encrypted along with the cookie value. Then, on a server-side
+    read, we verify the cookie-names and discard any attacked cookies.
-    Pull Request: #30121
+    Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
+    writes cookies with the new purpose and expiry metadata embedded.
     *Assain Jaleel*
-*   Enforce signed/encrypted cookie expiry server side.
-    Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
-    It does so by stashing the expiry within the written cookie and relying on the
-    signing/encrypting to vouch that it hasn't been tampered with. Then on a
-    server-side read, the expiry is verified and any expired cookie is discarded.
+*   Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
-    Pull Request: #30121
+    `respond_to` can match multiple types and lead to undefined behavior when
+    multiple invocations are made and the types do not match:
-    *Assain Jaleel*
-*   Make `take_failed_screenshot` work within engine.
+        respond_to do |outer_type|
+          outer_type.js do
+            respond_to do |inner_type|
+              inner_type.html { render body: "HTML" }
+            end
+          end
+        end
-    Fixes #30405.
+    *Patrick Toomey*
-    *Yuji Yaginuma*
+*   `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
-*   Deprecate `ActionDispatch::TestResponse` response aliases.
+    This allows uploaded file objects to be passed directly to `File.read`
+    without raising a `TypeError`:
-    `#success?`, `#missing?` & `#error?` are not supported by the actual
-    `ActionDispatch::Response` object and can produce false-positives. Instead,
-    use the response helpers provided by `Rack::Response`.
+        uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
+        File.read(uploaded_file)
-    *Trevor Wistaff*
+    *Aaron Kromer*
-*   Protect from forgery by default
+*   Pass along arguments to underlying `get` method in `follow_redirect!`
-    Rather than protecting from forgery in the generated `ApplicationController`,
-    add it to `ActionController::Base` depending on
-    `config.action_controller.default_protect_from_forgery`. This configuration
-    defaults to false to support older versions which have removed it from their
-    `ApplicationController`, but is set to true for Rails 5.2.
+    Now all arguments passed to `follow_redirect!` are passed to the underlying
+    `get` method. This for example allows to set custom headers for the
+    redirection request to the server.
-    *Lisa Ugray*
+        follow_redirect!(params: { foo: :bar })
-*   Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
+    *Remo Fritzsche*
-    *Kir Shatrov*
+*   Introduce a new error page to when the implicit render page is accessed in the browser.
-*   `driven_by` now registers poltergeist and capybara-webkit.
+    Now instead of showing an error page that with exception and backtraces we now show only
+    one informative page.
-    If poltergeist or capybara-webkit are set as drivers is set for System Tests,
-    `driven_by` will register the driver and set additional options passed via
-    the `:options` parameter.
+    *Vinicius Stock*
-    Refer to the respective driver's documentation to see what options can be passed.
+*   Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
-    *Mario Chavez*
+    Exception aware plugin authors can use the newly introduced
+    `.register_interceptor` method to get the processed exception, instead of
+    monkey patching DebugExceptions.
-*   AEAD encrypted cookies and sessions with GCM.
+        ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
+          HypoteticalPlugin.capture_exception(request, exception)
+        end
-    Encrypted cookies now use AES-GCM which couples authentication and
-    encryption in one faster step and produces shorter ciphertexts. Cookies
-    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
-    this new mode is enabled via the
-    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
+    *Genadi Samokovarov*
-    *Michael J Coyne*
+*   Output only one Content-Security-Policy nonce header value per request.
-*   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
+    Fixes #32597.
-        views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
-              ^template path           ^template tree digest            ^class   ^id
+    *Andrey Novikov*, *Andrew White*
-    *DHH*
+*   Move default headers configuration into their own module that can be included in controllers.
-*   Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
-    `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
-    to support it.
+    *Kevin Deisz*
-    *DHH*
+*   Add method `dig` to `session`.
-*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
+    *claudiob*, *Takumi Shotoku*
-    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
-    the one umbrella hook `action_controller` is not able to address certain situations where a method
-    may not exist in a certain implementation.
+*   Controller level `force_ssl` has been deprecated in favor of
+    `config.force_ssl`.
-    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
+    *Derek Prior*
-    Fixes #27013.
+*   Rails 6 requires Ruby 2.5.0 or newer.
-    *Julian Nadeau*
+    *Jeremy Daer*, *Kasper Timm Hansen*
-Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.