actionpack 5.2.8.1 → 6.1.7.2
Potentially problematic release.
- checksums.yaml +4 -4
- data/CHANGELOG.md +410 -343
- data/MIT-LICENSE +1 -2
- data/README.rdoc +4 -3
- data/lib/abstract_controller/base.rb +38 -4
- data/lib/abstract_controller/caching/fragments.rb +6 -22
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +14 -2
- data/lib/abstract_controller/collector.rb +5 -4
- data/lib/abstract_controller/helpers.rb +106 -90
- data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +11 -5
- data/lib/abstract_controller.rb +1 -0
- data/lib/action_controller/api.rb +4 -3
- data/lib/action_controller/base.rb +6 -9
- data/lib/action_controller/caching.rb +1 -3
- data/lib/action_controller/log_subscriber.rb +10 -7
- data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
- data/lib/action_controller/metal/conditional_get.rb +19 -5
- data/lib/action_controller/metal/content_security_policy.rb +1 -2
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +6 -7
- data/lib/action_controller/metal/default_headers.rb +17 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +4 -6
- data/lib/action_controller/metal/exceptions.rb +56 -2
- data/lib/action_controller/metal/flash.rb +5 -5
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +14 -5
- data/lib/action_controller/metal/http_authentication.rb +25 -23
- data/lib/action_controller/metal/implicit_render.rb +5 -15
- data/lib/action_controller/metal/instrumentation.rb +13 -14
- data/lib/action_controller/metal/live.rb +39 -32
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +19 -4
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +32 -22
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +6 -6
- data/lib/action_controller/metal/renderers.rb +4 -4
- data/lib/action_controller/metal/rendering.rb +8 -3
- data/lib/action_controller/metal/request_forgery_protection.rb +26 -49
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/streaming.rb +0 -1
- data/lib/action_controller/metal/strong_parameters.rb +168 -59
- data/lib/action_controller/metal/url_for.rb +1 -1
- data/lib/action_controller/metal.rb +10 -8
- data/lib/action_controller/railties/helpers.rb +1 -1
- data/lib/action_controller/renderer.rb +37 -13
- data/lib/action_controller/template_assertions.rb +1 -1
- data/lib/action_controller/test_case.rb +71 -63
- data/lib/action_controller.rb +7 -4
- data/lib/action_dispatch/http/cache.rb +32 -28
- data/lib/action_dispatch/http/content_disposition.rb +45 -0
- data/lib/action_dispatch/http/content_security_policy.rb +34 -18
- data/lib/action_dispatch/http/filter_parameters.rb +9 -8
- data/lib/action_dispatch/http/filter_redirect.rb +2 -3
- data/lib/action_dispatch/http/headers.rb +4 -4
- data/lib/action_dispatch/http/mime_negotiation.rb +26 -13
- data/lib/action_dispatch/http/mime_type.rb +43 -24
- data/lib/action_dispatch/http/parameters.rb +14 -23
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +45 -22
- data/lib/action_dispatch/http/response.rb +45 -25
- data/lib/action_dispatch/http/upload.rb +9 -1
- data/lib/action_dispatch/http/url.rb +82 -82
- data/lib/action_dispatch/journey/formatter.rb +55 -31
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -37
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -5
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +13 -11
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +19 -21
- data/lib/action_dispatch/journey/route.rb +10 -20
- data/lib/action_dispatch/journey/router/utils.rb +14 -12
- data/lib/action_dispatch/journey/router.rb +26 -34
- data/lib/action_dispatch/journey/routes.rb +0 -2
- data/lib/action_dispatch/journey/scanner.rb +10 -4
- data/lib/action_dispatch/journey/visitors.rb +1 -4
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -4
- data/lib/action_dispatch/middleware/cookies.rb +150 -123
- data/lib/action_dispatch/middleware/debug_exceptions.rb +43 -66
- data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
- data/lib/action_dispatch/middleware/debug_view.rb +66 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +75 -30
- data/lib/action_dispatch/middleware/flash.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +170 -0
- data/lib/action_dispatch/middleware/public_exceptions.rb +6 -3
- data/lib/action_dispatch/middleware/remote_ip.rb +14 -16
- data/lib/action_dispatch/middleware/request_id.rb +5 -6
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -3
- data/lib/action_dispatch/middleware/session/cookie_store.rb +3 -9
- data/lib/action_dispatch/middleware/show_exceptions.rb +13 -2
- data/lib/action_dispatch/middleware/ssl.rb +20 -15
- data/lib/action_dispatch/middleware/stack.rb +56 -2
- data/lib/action_dispatch/middleware/static.rb +153 -93
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +6 -3
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +4 -1
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +104 -8
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +24 -1
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +11 -10
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +100 -52
- data/lib/action_dispatch/routing/mapper.rb +155 -103
- data/lib/action_dispatch/routing/polymorphic_routes.rb +13 -15
- data/lib/action_dispatch/routing/redirection.rb +4 -4
- data/lib/action_dispatch/routing/route_set.rb +71 -69
- data/lib/action_dispatch/routing/url_for.rb +2 -2
- data/lib/action_dispatch/routing.rb +21 -20
- data/lib/action_dispatch/system_test_case.rb +60 -11
- data/lib/action_dispatch/system_testing/browser.rb +53 -16
- data/lib/action_dispatch/system_testing/driver.rb +11 -3
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +49 -7
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +8 -10
- data/lib/action_dispatch/testing/assertion_response.rb +0 -1
- data/lib/action_dispatch/testing/assertions/response.rb +4 -7
- data/lib/action_dispatch/testing/assertions/routing.rb +20 -8
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +60 -28
- data/lib/action_dispatch/testing/request_encoder.rb +2 -2
- data/lib/action_dispatch/testing/test_process.rb +32 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch/testing/test_response.rb +4 -32
- data/lib/action_dispatch.rb +9 -3
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack.rb +1 -1
- metadata +36 -23
- data/lib/action_controller/metal/force_ssl.rb +0 -99
- data/lib/action_dispatch/http/parameter_filter.rb +0 -86
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -49
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -120
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
data/CHANGELOG.md
CHANGED
@@ -1,589 +1,656 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Fix `domain: :all` for two letter TLD
|
4
4
|
|
5
|
+
This fixes a compatibility issue introduced in our previous security
|
6
|
+
release when using `domain: :all` with a two letter but single level top
|
7
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
5
8
|
|
6
|
-
## Rails 5.2.8 (May 09, 2022) ##
|
7
9
|
|
8
|
-
|
10
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
9
11
|
|
12
|
+
* Avoid regex backtracking on If-None-Match header
|
10
13
|
|
11
|
-
|
14
|
+
[CVE-2023-22795]
|
12
15
|
|
13
|
-
*
|
16
|
+
* Use string#split instead of regex for domain parts
|
17
|
+
|
18
|
+
[CVE-2023-22792]
|
14
19
|
|
15
|
-
*Tim Wade*
|
16
20
|
|
17
|
-
## Rails
|
21
|
+
## Rails 6.1.7 (September 09, 2022) ##
|
18
22
|
|
19
23
|
* No changes.
|
20
24
|
|
21
|
-
|
25
|
+
|
26
|
+
## Rails 6.1.6.1 (July 12, 2022) ##
|
22
27
|
|
23
28
|
* No changes.
|
24
29
|
|
25
30
|
|
26
|
-
## Rails
|
31
|
+
## Rails 6.1.6 (May 09, 2022) ##
|
27
32
|
|
28
33
|
* No changes.
|
29
34
|
|
30
35
|
|
31
|
-
## Rails
|
36
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
32
37
|
|
33
|
-
*
|
34
|
-
response body has been fully closed which result in request state not
|
35
|
-
being fully reset before the next request
|
38
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
36
39
|
|
37
|
-
|
40
|
+
*Tim Wade*
|
38
41
|
|
42
|
+
## Rails 6.1.5 (March 09, 2022) ##
|
39
43
|
|
40
|
-
|
44
|
+
* Fix `content_security_policy` returning invalid directives.
|
41
45
|
|
42
|
-
|
46
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
47
|
+
single quoted when the directive was the result of calling a lambda
|
48
|
+
returning an array.
|
43
49
|
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
50
|
+
```ruby
|
51
|
+
content_security_policy do |policy|
|
52
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
53
|
+
end
|
54
|
+
```
|
48
55
|
|
49
|
-
|
50
|
-
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
51
|
-
tokens for backwards compatibility.
|
56
|
+
With this fix the policy generated from above will now be valid.
|
52
57
|
|
53
|
-
|
54
|
-
config.
|
58
|
+
*Edouard Chin*
|
55
59
|
|
56
|
-
|
60
|
+
* Update `HostAuthorization` middleware to render debug info only
|
61
|
+
when `config.consider_all_requests_local` is set to true.
|
57
62
|
|
58
|
-
|
59
|
-
`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
|
60
|
-
during the deploy of this new version.
|
63
|
+
Also, blocked host info is always logged with level `error`.
|
61
64
|
|
62
|
-
|
63
|
-
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
64
|
-
```
|
65
|
+
Fixes #42813.
|
65
66
|
|
66
|
-
|
67
|
+
*Nikita Vyrko*
|
67
68
|
|
68
|
-
|
69
|
+
* Dup arrays that get "converted".
|
69
70
|
|
71
|
+
Fixes #43681.
|
70
72
|
|
71
|
-
|
73
|
+
*Aaron Patterson*
|
72
74
|
|
73
|
-
*
|
75
|
+
* Don't show deprecation warning for equal paths.
|
74
76
|
|
77
|
+
*Anton Rieder*
|
75
78
|
|
76
|
-
|
79
|
+
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
|
77
80
|
|
78
|
-
|
79
|
-
CVE-2021-22904
|
81
|
+
Fixes #43094.
|
80
82
|
|
81
|
-
*
|
83
|
+
*Alex Ghiculescu*
|
82
84
|
|
83
|
-
|
84
|
-
of arguments (usually symbols and records). If a developer passes a
|
85
|
-
user input array, strings can result in unwanted route helper calls.
|
85
|
+
* Add fallback host for SystemTestCase driven by RackTest.
|
86
86
|
|
87
|
-
|
87
|
+
Fixes #42780.
|
88
88
|
|
89
|
-
*
|
89
|
+
*Petrik de Heus*
|
90
|
+
|
91
|
+
* Add more detail about what hosts are allowed.
|
90
92
|
|
91
|
-
|
93
|
+
*Alex Ghiculescu*
|
94
|
+
|
95
|
+
|
96
|
+
## Rails 6.1.4.7 (March 08, 2022) ##
|
92
97
|
|
93
98
|
* No changes.
|
94
99
|
|
95
100
|
|
96
|
-
## Rails
|
101
|
+
## Rails 6.1.4.6 (February 11, 2022) ##
|
97
102
|
|
98
103
|
* No changes.
|
99
104
|
|
100
105
|
|
101
|
-
## Rails
|
106
|
+
## Rails 6.1.4.5 (February 11, 2022) ##
|
102
107
|
|
103
|
-
*
|
108
|
+
* Under certain circumstances, the middleware isn't informed that the
|
109
|
+
response body has been fully closed which result in request state not
|
110
|
+
being fully reset before the next request
|
104
111
|
|
105
|
-
|
112
|
+
[CVE-2022-23633]
|
106
113
|
|
107
114
|
|
108
|
-
## Rails
|
115
|
+
## Rails 6.1.4.4 (December 15, 2021) ##
|
109
116
|
|
110
|
-
*
|
117
|
+
* Fix issue with host protection not allowing host with port in development.
|
111
118
|
|
112
119
|
|
113
|
-
## Rails
|
120
|
+
## Rails 6.1.4.3 (December 14, 2021) ##
|
114
121
|
|
115
|
-
*
|
122
|
+
* Fix issue with host protection not allowing localhost in development.
|
116
123
|
|
117
|
-
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
118
|
-
gem dalli to be updated as well.
|
119
124
|
|
120
|
-
|
121
|
-
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
122
|
-
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
123
|
-
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
125
|
+
## Rails 6.1.4.2 (December 14, 2021) ##
|
124
126
|
|
125
|
-
|
127
|
+
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
126
128
|
|
129
|
+
## Rails 6.1.4.1 (August 19, 2021) ##
|
127
130
|
|
128
|
-
|
131
|
+
* [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
|
129
132
|
|
130
|
-
|
133
|
+
Specially crafted "X-Forwarded-Host" headers in combination with certain
|
134
|
+
"allowed host" formats can cause the Host Authorization middleware in Action
|
135
|
+
Pack to redirect users to a malicious website.
|
131
136
|
|
137
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
132
138
|
|
133
|
-
|
139
|
+
* Ignore file fixtures on `db:fixtures:load`
|
134
140
|
|
135
|
-
*
|
141
|
+
*Kevin Sjöberg*
|
136
142
|
|
137
|
-
|
138
|
-
it was excluded when `no-cache` was included. This change preserves the
|
139
|
-
`public` value as is.
|
143
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
140
144
|
|
141
|
-
|
145
|
+
*Dylan Thacker-Smith*
|
142
146
|
|
143
|
-
|
147
|
+
* Correctly place optional path parameter booleans.
|
144
148
|
|
145
|
-
|
149
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
150
|
+
of the path as parameter for example:
|
146
151
|
|
147
|
-
|
152
|
+
```
|
153
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
154
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
155
|
+
```
|
148
156
|
|
157
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
149
158
|
|
150
|
-
|
159
|
+
```
|
160
|
+
get '(this/:my_bool)/that' as: :that
|
151
161
|
|
152
|
-
|
162
|
+
that_path(my_bool: true) # => `/this/true/that`
|
163
|
+
that_path(my_bool: false) # => `/this/false/that`
|
164
|
+
```
|
153
165
|
|
166
|
+
*Adam Hess*
|
154
167
|
|
155
|
-
|
168
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
156
169
|
|
157
|
-
|
170
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
158
171
|
|
159
|
-
|
160
|
-
in system test `after_teardown`.
|
172
|
+
*Alex Smith*
|
161
173
|
|
162
|
-
*Maxim Perepelitsa*
|
163
174
|
|
164
|
-
|
175
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
165
176
|
|
166
|
-
|
167
|
-
|
168
|
-
when resolving dynamic CSP sources in this scenario.
|
177
|
+
* Prevent open redirects by correctly escaping the host allow list
|
178
|
+
CVE-2021-22903
|
169
179
|
|
170
|
-
|
180
|
+
* Prevent catastrophic backtracking during mime parsing
|
181
|
+
CVE-2021-22902
|
171
182
|
|
172
|
-
|
183
|
+
* Prevent regex DoS in HTTP token authentication
|
184
|
+
CVE-2021-22904
|
173
185
|
|
174
|
-
*
|
186
|
+
* Prevent string polymorphic route arguments.
|
175
187
|
|
176
|
-
|
177
|
-
|
188
|
+
`url_for` supports building polymorphic URLs via an array
|
189
|
+
of arguments (usually symbols and records). If a developer passes a
|
190
|
+
user input array, strings can result in unwanted route helper calls.
|
178
191
|
|
179
|
-
|
192
|
+
CVE-2021-22885
|
180
193
|
|
181
|
-
|
194
|
+
*Gannon McGibbon*
|
182
195
|
|
183
|
-
|
196
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
184
197
|
|
185
|
-
|
198
|
+
* No changes.
|
186
199
|
|
187
|
-
Content-Security-Policy: default-src 'self'
|
188
200
|
|
189
|
-
|
201
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
190
202
|
|
191
|
-
*
|
203
|
+
* Re-define routes when not set correctly via inheritance.
|
192
204
|
|
193
|
-
*
|
205
|
+
*John Hawthorn*
|
194
206
|
|
195
|
-
* Call the `#redirect_to` block in controller context.
|
196
207
|
|
197
|
-
|
208
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
198
209
|
|
210
|
+
* Prevent open redirect when allowed host starts with a dot
|
199
211
|
|
200
|
-
|
212
|
+
[CVE-2021-22881]
|
201
213
|
|
202
|
-
|
214
|
+
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
215
|
+
issue and the patch!
|
203
216
|
|
217
|
+
*Aaron Patterson*
|
204
218
|
|
205
|
-
## Rails 5.2.1 (August 07, 2018) ##
|
206
219
|
|
207
|
-
|
220
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
208
221
|
|
209
|
-
|
210
|
-
there are none.
|
222
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
211
223
|
|
212
|
-
|
224
|
+
*Janko Marohnić*
|
213
225
|
|
214
|
-
|
226
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
215
227
|
|
216
|
-
*
|
228
|
+
*Eugene Kenny*
|
217
229
|
|
218
|
-
* Ensure `ActionController::Parameters#transform_values` and
|
219
|
-
`ActionController::Parameters#transform_values!` converts hashes into
|
220
|
-
parameters.
|
221
230
|
|
222
|
-
|
231
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
223
232
|
|
224
|
-
* Fix
|
233
|
+
* Fix nil translation key lookup in controllers/
|
225
234
|
|
226
|
-
|
227
|
-
|
228
|
-
|
229
|
-
|
235
|
+
*Jan Klimo*
|
236
|
+
|
237
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
238
|
+
|
239
|
+
*Alex Robbin*
|
240
|
+
|
241
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
242
|
+
|
243
|
+
*Alex Robbin*
|
244
|
+
|
245
|
+
|
246
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
247
|
+
|
248
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
249
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
250
|
+
|
251
|
+
```ruby
|
252
|
+
Rails.application.config.permissions_policy do |p|
|
253
|
+
p.camera :none
|
254
|
+
p.gyroscope :none
|
255
|
+
p.microphone :none
|
256
|
+
p.usb :none
|
257
|
+
p.fullscreen :self
|
258
|
+
p.payment :self, "https://secure-example.com"
|
259
|
+
end
|
230
260
|
```
|
231
261
|
|
232
|
-
|
262
|
+
*Julien Grillot*
|
233
263
|
|
234
|
-
|
264
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
235
265
|
|
236
|
-
|
237
|
-
`ActionController::TestCase` subclasses.
|
266
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
238
267
|
|
239
|
-
*
|
268
|
+
*Chris Bisnett*
|
240
269
|
|
241
|
-
*
|
270
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
271
|
+
the unique X-Request-Id header
|
242
272
|
|
243
|
-
|
273
|
+
*Arlston Fernandes*
|
244
274
|
|
245
|
-
|
275
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
246
276
|
|
247
|
-
*
|
277
|
+
*Rafael Mendonça França*
|
248
278
|
|
249
|
-
|
279
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
250
280
|
|
251
|
-
|
281
|
+
*Rafael Mendonça França*
|
252
282
|
|
253
|
-
|
283
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
254
284
|
|
255
|
-
*
|
285
|
+
*Rafael Mendonça França*
|
256
286
|
|
257
|
-
|
287
|
+
* Added support for exclusive no-store Cache-Control header.
|
258
288
|
|
289
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
259
290
|
|
260
|
-
|
291
|
+
*Chris Kruger*
|
261
292
|
|
262
|
-
*
|
293
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
263
294
|
|
264
|
-
|
295
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
296
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
265
297
|
|
266
|
-
*
|
298
|
+
*Adrianna Chang*
|
267
299
|
|
268
|
-
|
269
|
-
for a controller and/or specific actions.
|
300
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
270
301
|
|
271
|
-
*
|
302
|
+
*Gannon McGibbon*
|
272
303
|
|
273
|
-
*
|
304
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
274
305
|
|
275
|
-
|
276
|
-
content_security_policy false, only: :index
|
277
|
-
end
|
306
|
+
*Alan Tan*, *Oz Ben-David*
|
278
307
|
|
279
|
-
|
308
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
309
|
+
a 308 redirection.
|
280
310
|
|
281
|
-
*
|
282
|
-
Add alias method `to_h` to `to_hash` for `session`.
|
311
|
+
*Alan Tan*
|
283
312
|
|
284
|
-
|
313
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
314
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
285
315
|
|
286
|
-
*
|
287
|
-
to meet the minimum max-age requirement for https://hstspreload.org/.
|
316
|
+
*Jonathan Hefner*
|
288
317
|
|
289
|
-
|
318
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
290
319
|
|
291
|
-
|
320
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
321
|
+
Brotli files are preferred due to much better compression.
|
292
322
|
|
293
|
-
|
294
|
-
|
295
|
-
|
323
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
324
|
+
we check for public/some.js.br and serve that file, if present, with
|
325
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
296
326
|
|
297
|
-
|
298
|
-
embedded in a meta tag in a similar fashion to how CSRF protection
|
299
|
-
embeds its token in a meta tag. The UJS library can then read the
|
300
|
-
nonce value and set it on the dynamically generated script tag to
|
301
|
-
enable it to execute without needing 'unsafe-inline' enabled.
|
327
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
302
328
|
|
303
|
-
|
304
|
-
user generated content in someway then it may be possible to exploit
|
305
|
-
an XSS vulnerability which can take advantage of the nonce. It is
|
306
|
-
however an improvement on a blanket permission for inline scripts.
|
329
|
+
* Add raise_on_missing_translations support for controllers.
|
307
330
|
|
308
|
-
|
309
|
-
|
331
|
+
This configuration determines whether an error should be raised for missing translations.
|
332
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
333
|
+
configuration also affects raising error for missing translations in views.
|
310
334
|
|
311
|
-
|
312
|
-
alert('Hello, World!');
|
313
|
-
<% end %>
|
335
|
+
*fatkodima*
|
314
336
|
|
315
|
-
|
337
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
316
338
|
|
317
|
-
*
|
339
|
+
*Eugene Kenny*
|
318
340
|
|
319
|
-
*
|
341
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
342
|
+
without passing a block now returns an enumerator.
|
320
343
|
|
321
|
-
|
344
|
+
*Eugene Kenny*
|
322
345
|
|
323
|
-
|
324
|
-
def index
|
325
|
-
params.each do |name|
|
326
|
-
puts name
|
327
|
-
end
|
328
|
-
end
|
346
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
329
347
|
|
330
|
-
|
331
|
-
|
332
|
-
# param_two
|
348
|
+
Previously the path had to be relative to `fixture_path`.
|
349
|
+
You can change your existing code as follow:
|
333
350
|
|
334
|
-
|
351
|
+
```ruby
|
352
|
+
# Before
|
353
|
+
fixture_file_upload('files/dog.png')
|
335
354
|
|
336
|
-
|
355
|
+
# After
|
356
|
+
fixture_file_upload('dog.png')
|
357
|
+
```
|
337
358
|
|
338
|
-
|
339
|
-
def index
|
340
|
-
params.each do |name, value|
|
341
|
-
puts name
|
342
|
-
end
|
343
|
-
end
|
359
|
+
*Edouard Chin*
|
344
360
|
|
345
|
-
|
346
|
-
# param
|
347
|
-
# param_two
|
361
|
+
* Remove deprecated `force_ssl` at the controller level.
|
348
362
|
|
349
|
-
*
|
363
|
+
*Rafael Mendonça França*
|
350
364
|
|
351
|
-
*
|
365
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
366
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
352
367
|
|
353
|
-
|
368
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
369
|
+
always pass a module object:
|
354
370
|
|
355
|
-
|
356
|
-
|
371
|
+
```ruby
|
372
|
+
helper UtilsHelper
|
373
|
+
```
|
357
374
|
|
358
|
-
|
375
|
+
which is recommended because it is simple and direct. When a string/symbol
|
376
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
377
|
+
that same module object.
|
359
378
|
|
360
|
-
*
|
361
|
-
default headers set.
|
379
|
+
*Xavier Noria*, *Jean Boussier*
|
362
380
|
|
363
|
-
|
381
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
364
382
|
|
365
|
-
*
|
383
|
+
*Nick Soracco*
|
366
384
|
|
367
|
-
|
385
|
+
* `url_for` will now use "https://" as the default protocol when
|
386
|
+
`Rails.application.config.force_ssl` is set to true.
|
368
387
|
|
369
|
-
*
|
388
|
+
*Jonathan Hefner*
|
370
389
|
|
371
|
-
|
372
|
-
Terminal.app ignore the `inline` and output the path to the file since it can't
|
373
|
-
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
374
|
-
inline, but also don't handle it gracefully and instead of outputting the file
|
375
|
-
path, it dumps binary into the terminal.
|
390
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
376
391
|
|
377
|
-
|
392
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
393
|
+
them difficult to deal with. For example, the common practice of sending
|
394
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
395
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
378
396
|
|
379
|
-
|
397
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
398
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
399
|
+
for backwards compatibility.
|
380
400
|
|
381
|
-
*
|
401
|
+
*Scott Blum*
|
382
402
|
|
383
|
-
|
403
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
384
404
|
|
385
|
-
|
405
|
+
In a distributed configuration like rolling update, users may observe
|
406
|
+
both old and new instances during deployment. Users may be served by a
|
407
|
+
new instance and then by an old instance.
|
386
408
|
|
387
|
-
|
409
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
410
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
411
|
+
from `false` to `true`, users may lose their sessions if they access the
|
412
|
+
server during deployment.
|
388
413
|
|
389
|
-
|
414
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
415
|
+
deployment, ensuring compatibility on both old and new instances.
|
390
416
|
|
391
|
-
*
|
417
|
+
*Masaki Hara*
|
392
418
|
|
393
|
-
|
394
|
-
header and then override within a controller. For more information
|
395
|
-
about the Content-Security-Policy header see MDN:
|
419
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
396
420
|
|
397
|
-
|
421
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
422
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
398
423
|
|
399
|
-
|
424
|
+
*Keenan Brock*
|
400
425
|
|
401
|
-
|
402
|
-
Rails.application.config.content_security_policy do |p|
|
403
|
-
p.default_src :self, :https
|
404
|
-
p.font_src :self, :https, :data
|
405
|
-
p.img_src :self, :https, :data
|
406
|
-
p.object_src :none
|
407
|
-
p.script_src :self, :https
|
408
|
-
p.style_src :self, :https, :unsafe_inline
|
409
|
-
end
|
426
|
+
* Fix possible information leak / session hijacking vulnerability.
|
410
427
|
|
411
|
-
|
428
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
429
|
+
gem dalli to be updated as well.
|
412
430
|
|
413
|
-
|
414
|
-
class PostsController < ApplicationController
|
415
|
-
content_security_policy do |p|
|
416
|
-
p.upgrade_insecure_requests true
|
417
|
-
end
|
418
|
-
end
|
431
|
+
CVE-2019-16782.
|
419
432
|
|
420
|
-
|
421
|
-
class PostsController < ApplicationController
|
422
|
-
content_security_policy do |p|
|
423
|
-
p.base_uri "https://www.example.com"
|
424
|
-
end
|
425
|
-
end
|
433
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
426
434
|
|
427
|
-
|
428
|
-
|
429
|
-
|
430
|
-
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
431
|
-
end
|
432
|
-
end
|
435
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
436
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
437
|
+
from being correctly counted and reported.
|
433
438
|
|
434
|
-
|
435
|
-
|
436
|
-
configuration attribute, e.g;
|
439
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
440
|
+
root session.
|
437
441
|
|
438
|
-
|
439
|
-
Rails.application.config.content_security_policy_report_only = true
|
442
|
+
Fixes #32142.
|
440
443
|
|
441
|
-
|
442
|
-
class PostsController < ApplicationController
|
443
|
-
content_security_policy_report_only only: :index
|
444
|
-
end
|
444
|
+
*Sam Bostock*
|
445
445
|
|
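Review bot: `Child sessions now have their attr_accessor overridden to delegate to the root session.` does not say which accessor is overridden; since the preceding lines talk about `@assertions`, name it explicitly (the `assertions` accessor) so the entry is unambiguous.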
446
|
-
|
447
|
-
reasons since the header is calculated at runtime.
|
446
|
+
* Add SameSite protection to every written cookie.
|
448
447
|
|
449
|
-
|
448
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
449
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
450
450
|
|
451
|
-
|
451
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
452
452
|
|
453
|
-
|
453
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
454
454
|
|
455
|
-
|
455
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
456
456
|
|
457
|
-
|
457
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
458
458
|
|
459
|
-
|
459
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
460
460
|
|
461
|
-
|
462
|
-
different host. `allow_other_host` is `true` by default.
|
461
|
+
*Cédric Fabianski*
|
463
462
|
|
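Review bot: the SameSite entry describes the `:lax`, `:strict` and `:none` values but never states which one is the new default applied to every cookie, and the `:none` sentence says only that `; SameSite=None` is appended without saying whether the `Secure` attribute is set alongside it. State the default in the entry itself rather than only in `config/initializers/new_framework_defaults_6_1.rb`, and spell out the `:none` behaviour, since `:none` is the value that removes the cross-site protection.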
464
|
-
|
463
|
+
* Bring back the feature that allows loading external route files from the router.
|
465
464
|
|
466
|
-
|
465
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
466
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
467
|
+
that this wasn't fully the case and loading external route files from the router
|
468
|
+
can be helpful for applications with a really large set of routes.
|
469
|
+
Without this feature, application needs to implement routes reloading
|
470
|
+
themselves and it's not straightforward.
|
467
471
|
|
468
|
-
|
472
|
+
```ruby
|
473
|
+
# config/routes.rb
|
469
474
|
|
470
|
-
|
475
|
+
Rails.application.routes.draw do
|
476
|
+
draw(:admin)
|
477
|
+
end
|
471
478
|
|
472
|
-
|
479
|
+
# config/routes/admin.rb
|
473
480
|
|
474
|
-
|
481
|
+
get :foo, to: 'foo#bar'
|
482
|
+
```
|
475
483
|
|
476
|
-
*
|
484
|
+
*Yehuda Katz*, *Edouard Chin*
|
477
485
|
|
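Review bot: the `draw(:admin)` example implies a `config/routes/<name>.rb` lookup convention, but the entry never states it, nor whether files drawn this way are reloaded in development; since the stated motivation is that applications otherwise `need to implement routes reloading themselves`, say explicitly whether drawn files are watched for changes.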
478
|
-
*
|
486
|
+
* Fix system test driver option initialization for non-headless browsers.
|
479
487
|
|
480
|
-
|
481
|
-
`MessageVerifier` to add key rotation support for encrypted and
|
482
|
-
signed cookies. This also helps simplify support for legacy cookie
|
483
|
-
security.
|
488
|
+
*glaszig*
|
484
489
|
|
485
|
-
|
490
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
491
|
+
their payloads as `:request`.
|
486
492
|
|
487
|
-
*
|
493
|
+
*Austin Story*
|
488
494
|
|
489
|
-
|
490
|
-
|
495
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
496
|
+
request format but based on the block given.
|
491
497
|
|
492
|
-
|
498
|
+
Example:
|
493
499
|
|
494
|
-
|
500
|
+
```ruby
|
501
|
+
def my_action
|
502
|
+
respond_to do |format|
|
503
|
+
format.any { render(json: { foo: 'bar' }) }
|
504
|
+
end
|
505
|
+
end
|
495
506
|
|
496
|
-
|
497
|
-
|
507
|
+
get('my_action.csv')
|
508
|
+
```
|
498
509
|
|
499
|
-
|
510
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
511
|
+
is inaccurate since a JSON response is being rendered.
|
500
512
|
|
501
|
-
|
513
|
+
Now it correctly returns a `application/json` Content-Type.
|
502
514
|
|
503
|
-
*
|
515
|
+
*Edouard Chin*
|
504
516
|
|
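Review bot: changing the `respond_to#any` response from `text/csv` to `application/json` in the `get('my_action.csv')` example is a behaviour change for any client that keyed off the old Content-Type; flag it as a breaking change in the entry and point to the upgrade note, so it is not read as a pure bug fix.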
505
|
-
|
517
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
506
518
|
|
507
|
-
|
508
|
-
|
509
|
-
server-side read, the expiry is verified and any expired cookie is discarded.
|
519
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
520
|
+
nested directory, causing issues with `tmp:clear`.
|
510
521
|
|
511
|
-
|
522
|
+
*Damir Zekic*
|
512
523
|
|
513
|
-
|
524
|
+
* Add `params.member?` to mimic Hash behavior.
|
514
525
|
|
515
|
-
*
|
526
|
+
*Younes Serraj*
|
516
527
|
|
517
|
-
|
528
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
518
529
|
|
519
|
-
*
|
530
|
+
* `:request` - the `ActionDispatch::Request`
|
531
|
+
* `:response` - the `ActionDispatch::Response`
|
520
532
|
|
521
|
-
*
|
533
|
+
*George Claghorn*
|
522
534
|
|
523
|
-
|
524
|
-
`
|
525
|
-
|
535
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
536
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
537
|
+
from.
|
526
538
|
|
527
|
-
|
539
|
+
Fixes #37383.
|
528
540
|
|
529
|
-
*
|
541
|
+
*Norm Provost*
|
530
542
|
|
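Review bot: `setter to clear set the instance` in the `remote_ip` entry reads as a typo; suggest `setter to clear the instance remote_ip (set it to nil) before setting the header the value is derived from`, which also makes the ordering of the two steps clear.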
531
|
-
|
532
|
-
add it to `ActionController::Base` depending on
|
533
|
-
`config.action_controller.default_protect_from_forgery`. This configuration
|
534
|
-
defaults to false to support older versions which have removed it from their
|
535
|
-
`ApplicationController`, but is set to true for Rails 5.2.
|
543
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
536
544
|
|
537
|
-
|
545
|
+
```ruby
|
546
|
+
# Use the debug level if a particular cookie is set.
|
547
|
+
class ApplicationController < ActionController::Base
|
548
|
+
log_at :debug, if: -> { cookies[:debug] }
|
549
|
+
end
|
550
|
+
```
|
538
551
|
|
539
|
-
*
|
552
|
+
*George Claghorn*
|
540
553
|
|
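Review bot: the `log_at :debug, if: -> { cookies[:debug] }` example gates the log level on a plain, client-settable cookie, so any request can switch a production app to debug logging with the extra volume and detail that implies. Either note in the entry that the condition is client controlled and should use something the server trusts (a signed or encrypted cookie, or an authenticated-user check), or change the example to do that.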
541
|
-
|
554
|
+
* Allow system test screen shots to be taken more than once in
|
555
|
+
a test by prefixing the file name with an incrementing counter.
|
542
556
|
|
543
|
-
|
557
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
558
|
+
enable saving of HTML during a screenshot in addition to the image.
|
559
|
+
This uses the same image name, with the extension replaced with `.html`
|
544
560
|
|
545
|
-
|
546
|
-
`driven_by` will register the driver and set additional options passed via
|
547
|
-
the `:options` parameter.
|
561
|
+
*Tom Fakes*
|
548
562
|
|
549
|
-
|
563
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
550
564
|
|
551
|
-
|
565
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
566
|
+
header to determine what to return. And if we don't add `Vary`
|
567
|
+
in the response header, browsers might accidentally cache different
|
568
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
569
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
570
|
+
in these types of requests. For more detailed problem description, please read:
|
552
571
|
|
553
|
-
|
572
|
+
https://github.com/rails/rails/pull/36213
|
554
573
|
|
555
|
-
|
556
|
-
encryption in one faster step and produces shorter ciphertexts. Cookies
|
557
|
-
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
558
|
-
this new mode is enabled via the
|
559
|
-
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
574
|
+
Fixes #25842.
|
560
575
|
|
561
|
-
*
|
576
|
+
*Stan Lo*
|
562
577
|
|
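Review bot: `For some requests like /users/1, Rails uses requests' Accept header` leaves the condition vague: say precisely when `Vary: Accept` is now added (for instance, when the response format was negotiated from the `Accept` header rather than from a path extension), otherwise a reader cannot tell which responses are affected; also `requests'` should read `the request's`.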
563
|
-
*
|
578
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
579
|
+
a 307 redirection.
|
564
580
|
|
565
|
-
|
566
|
-
^template path ^template tree digest ^class ^id
|
581
|
+
*Edouard Chin*
|
567
582
|
|
568
|
-
|
583
|
+
* System tests require Capybara 3.26 or newer.
|
569
584
|
|
570
|
-
*
|
571
|
-
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
572
|
-
to support it.
|
585
|
+
*George Claghorn*
|
573
586
|
|
574
|
-
|
587
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
575
588
|
|
576
|
-
*
|
589
|
+
*Alberto Fernández-Capel*
|
590
|
+
|
591
|
+
* Add DSL for configuring HTTP Feature Policy.
|
592
|
+
|
593
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
594
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
595
|
+
specification and guidelines can be found at MDN:
|
596
|
+
|
597
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
598
|
+
|
599
|
+
Example global policy:
|
600
|
+
|
601
|
+
```ruby
|
602
|
+
Rails.application.config.feature_policy do |f|
|
603
|
+
f.camera :none
|
604
|
+
f.gyroscope :none
|
605
|
+
f.microphone :none
|
606
|
+
f.usb :none
|
607
|
+
f.fullscreen :self
|
608
|
+
f.payment :self, "https://secure.example.com"
|
609
|
+
end
|
610
|
+
```
|
577
611
|
|
578
|
-
|
579
|
-
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
580
|
-
may not exist in a certain implementation.
|
612
|
+
Example controller level policy:
|
581
613
|
|
582
|
-
|
614
|
+
```ruby
|
615
|
+
class PagesController < ApplicationController
|
616
|
+
feature_policy do |p|
|
617
|
+
p.geolocation "https://example.com"
|
618
|
+
end
|
619
|
+
end
|
620
|
+
```
|
621
|
+
|
622
|
+
*Jacob Bednarz*
|
623
|
+
|
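Review bot: the Feature Policy DSL entry shows `:none`, `:self` and string origins but does not say which symbols the DSL accepts or how they map to the header tokens, and the controller-level `feature_policy` example does not say whether it merges with or replaces the global policy. Both matter to anyone auditing the resulting header, so add a sentence on each.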
624
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
625
|
+
|
626
|
+
Fixes #35137.
|
627
|
+
|
628
|
+
*Yuji Yaginuma*
|
629
|
+
|
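Review bot: `Add the ability to set the CSP nonce only to the specified directives.` gives no configuration example, unlike the Feature Policy entry above it; show the option that selects the directives so readers can tell how to scope the nonce.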
630
|
+
* Keep part when scope option has value.
|
631
|
+
|
632
|
+
When a route was defined within an optional scope, if that route didn't
|
633
|
+
take parameters the scope was lost when using path helpers. This commit
|
634
|
+
ensures scope is kept both when the route takes parameters or when it
|
635
|
+
doesn't.
|
636
|
+
|
637
|
+
Fixes #33219.
|
638
|
+
|
639
|
+
*Alberto Almagro*
|
640
|
+
|
641
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
642
|
+
|
643
|
+
*Gustavo Gutierrez*
|
644
|
+
|
645
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
646
|
+
an enumerator for the parameters instead of the underlying hash.
|
647
|
+
|
648
|
+
*Eugene Kenny*
|
583
649
|
|
584
|
-
|
650
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
651
|
+
It should only block invalid key's values instead.
|
585
652
|
|
586
|
-
*
|
653
|
+
*Stan Lo*
|
587
654
|
|
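Review bot: `Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).` is hard to parse; suggest `Fix strong parameters rejecting every attribute when only some keys are invalid (non-numerical); now only the values under the invalid keys are rejected.`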
588
655
|
|
589
|
-
Please check [
|
656
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|