actionpack 6.0.3.2 → 6.1.0


Files changed (115)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +258 -223
  3. data/MIT-LICENSE +1 -1
  4. data/lib/abstract_controller.rb +1 -0
  5. data/lib/abstract_controller/base.rb +35 -2
  6. data/lib/abstract_controller/callbacks.rb +2 -2
  7. data/lib/abstract_controller/helpers.rb +105 -90
  8. data/lib/abstract_controller/rendering.rb +9 -9
  9. data/lib/abstract_controller/translation.rb +8 -2
  10. data/lib/action_controller.rb +2 -3
  11. data/lib/action_controller/api.rb +2 -2
  12. data/lib/action_controller/base.rb +4 -2
  13. data/lib/action_controller/caching.rb +0 -1
  14. data/lib/action_controller/log_subscriber.rb +3 -3
  15. data/lib/action_controller/metal.rb +2 -2
  16. data/lib/action_controller/metal/conditional_get.rb +10 -2
  17. data/lib/action_controller/metal/content_security_policy.rb +1 -1
  18. data/lib/action_controller/metal/cookies.rb +3 -1
  19. data/lib/action_controller/metal/data_streaming.rb +1 -1
  20. data/lib/action_controller/metal/etag_with_template_digest.rb +2 -4
  21. data/lib/action_controller/metal/exceptions.rb +33 -0
  22. data/lib/action_controller/metal/head.rb +7 -4
  23. data/lib/action_controller/metal/helpers.rb +11 -1
  24. data/lib/action_controller/metal/http_authentication.rb +4 -2
  25. data/lib/action_controller/metal/implicit_render.rb +1 -1
  26. data/lib/action_controller/metal/instrumentation.rb +11 -9
  27. data/lib/action_controller/metal/live.rb +1 -1
  28. data/lib/action_controller/metal/logging.rb +20 -0
  29. data/lib/action_controller/metal/mime_responds.rb +6 -2
  30. data/lib/action_controller/metal/parameter_encoding.rb +35 -4
  31. data/lib/action_controller/metal/params_wrapper.rb +14 -8
  32. data/lib/action_controller/metal/permissions_policy.rb +46 -0
  33. data/lib/action_controller/metal/redirecting.rb +1 -1
  34. data/lib/action_controller/metal/rendering.rb +6 -0
  35. data/lib/action_controller/metal/request_forgery_protection.rb +48 -24
  36. data/lib/action_controller/metal/rescue.rb +1 -1
  37. data/lib/action_controller/metal/strong_parameters.rb +103 -15
  38. data/lib/action_controller/renderer.rb +24 -13
  39. data/lib/action_controller/test_case.rb +62 -56
  40. data/lib/action_dispatch.rb +3 -2
  41. data/lib/action_dispatch/http/cache.rb +12 -10
  42. data/lib/action_dispatch/http/content_disposition.rb +2 -2
  43. data/lib/action_dispatch/http/content_security_policy.rb +5 -1
  44. data/lib/action_dispatch/http/filter_parameters.rb +1 -1
  45. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  46. data/lib/action_dispatch/http/headers.rb +3 -2
  47. data/lib/action_dispatch/http/mime_negotiation.rb +20 -8
  48. data/lib/action_dispatch/http/mime_type.rb +28 -15
  49. data/lib/action_dispatch/http/parameters.rb +1 -19
  50. data/lib/action_dispatch/http/permissions_policy.rb +173 -0
  51. data/lib/action_dispatch/http/request.rb +26 -8
  52. data/lib/action_dispatch/http/response.rb +17 -16
  53. data/lib/action_dispatch/http/url.rb +3 -2
  54. data/lib/action_dispatch/journey.rb +0 -2
  55. data/lib/action_dispatch/journey/formatter.rb +53 -28
  56. data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
  57. data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
  58. data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
  59. data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
  60. data/lib/action_dispatch/journey/nodes/node.rb +4 -3
  61. data/lib/action_dispatch/journey/parser.rb +13 -13
  62. data/lib/action_dispatch/journey/parser.y +1 -1
  63. data/lib/action_dispatch/journey/path/pattern.rb +13 -18
  64. data/lib/action_dispatch/journey/route.rb +7 -18
  65. data/lib/action_dispatch/journey/router.rb +26 -30
  66. data/lib/action_dispatch/journey/router/utils.rb +6 -4
  67. data/lib/action_dispatch/middleware/actionable_exceptions.rb +9 -2
  68. data/lib/action_dispatch/middleware/cookies.rb +74 -33
  69. data/lib/action_dispatch/middleware/debug_exceptions.rb +10 -17
  70. data/lib/action_dispatch/middleware/debug_view.rb +1 -1
  71. data/lib/action_dispatch/middleware/exception_wrapper.rb +29 -17
  72. data/lib/action_dispatch/middleware/host_authorization.rb +25 -5
  73. data/lib/action_dispatch/middleware/public_exceptions.rb +1 -1
  74. data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
  75. data/lib/action_dispatch/middleware/request_id.rb +4 -5
  76. data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
  77. data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
  78. data/lib/action_dispatch/middleware/ssl.rb +9 -6
  79. data/lib/action_dispatch/middleware/stack.rb +18 -0
  80. data/lib/action_dispatch/middleware/static.rb +154 -93
  81. data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
  82. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
  83. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
  84. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  85. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
  86. data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
  87. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +12 -1
  88. data/lib/action_dispatch/railtie.rb +3 -2
  89. data/lib/action_dispatch/request/session.rb +2 -8
  90. data/lib/action_dispatch/request/utils.rb +26 -2
  91. data/lib/action_dispatch/routing/inspector.rb +8 -7
  92. data/lib/action_dispatch/routing/mapper.rb +102 -71
  93. data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
  94. data/lib/action_dispatch/routing/redirection.rb +3 -3
  95. data/lib/action_dispatch/routing/route_set.rb +49 -41
  96. data/lib/action_dispatch/routing/url_for.rb +1 -0
  97. data/lib/action_dispatch/system_test_case.rb +29 -24
  98. data/lib/action_dispatch/system_testing/browser.rb +33 -27
  99. data/lib/action_dispatch/system_testing/driver.rb +6 -7
  100. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
  101. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
  102. data/lib/action_dispatch/testing/assertions.rb +1 -1
  103. data/lib/action_dispatch/testing/assertions/response.rb +2 -4
  104. data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
  105. data/lib/action_dispatch/testing/integration.rb +38 -27
  106. data/lib/action_dispatch/testing/test_process.rb +29 -4
  107. data/lib/action_dispatch/testing/test_request.rb +3 -3
  108. data/lib/action_pack.rb +1 -1
  109. data/lib/action_pack/gem_version.rb +3 -3
  110. metadata +21 -22
  111. data/lib/action_controller/metal/force_ssl.rb +0 -58
  112. data/lib/action_dispatch/http/parameter_filter.rb +0 -12
  113. data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
  114. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
  115. data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8b64b66c90800df2c6d807903bf40f902efb79bc47ca5b83dbd1b247e1bdffcf
4
- data.tar.gz: 93e1f48c69ef9d057a40d0b838eea0535bf66d1b683ee5971f7c6c181467a98c
3
+ metadata.gz: f5c07812b199dbd709dd68cf20c6fc356ba02969718d9f943e8f568615563592
4
+ data.tar.gz: ecd71be0281fdc31cafb3ab68a0dadf5eeee2bacd5ea4a88251b96823e18a866
5
5
  SHA512:
6
- metadata.gz: 15c8497c65a02f8b1d25c441ba2df08f9a815b96d503ebdfb5bffd396094b6dd8383adafaf8c1c72dffd8c52d1544418b6051e12b22d41d335e222b1e45751cd
7
- data.tar.gz: d7de3f0b1c8e0a1d8ca347786a348cbee449cad8583b2255aa33d79d65de8f182e9a105bc750ee8e498ffc2a8899770f5f9cab1cc2a40c7ceb939fcbdb327a73
6
+ metadata.gz: e2d28b6ede8bab6b1b59aedc9224a1a33d12c9a1c4f8b6a37acbe9ea1918a531801735483767df679c32dee43410d43d6e1128a35c863171b4c2ab228ddda9f1
7
+ data.tar.gz: 5a4e97d5960a4529644ff60a2c30a87f9ff40135da46f22950ee5e7d58ac7d1d62936be19155e05a07e81914464581c35bf6e1810dc60721e12f12f2d834292a
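Review bot: all four digests in this hunk (SHA256 and SHA512 for `metadata.gz` and `data.tar.gz`) are replaced wholesale and nothing on this page lets a reader cross-check them, yet they are the only integrity anchor for the rest of the diff; before relying on them, fetch the published gem and compare, e.g. `gem fetch actionpack -v 6.1.0 && tar -xf actionpack-6.1.0.gem && sha256sum metadata.gz data.tar.gz`, checking the output against the two `+` SHA256 lines.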
@@ -1,376 +1,411 @@
1
- ## Rails 6.0.3.2 (June 17, 2020) ##
1
+ ## Rails 6.1.0 (December 09, 2020) ##
2
2
 
3
- * [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
3
+ * Support for the HTTP header `Feature-Policy` has been revised to reflect
4
+ its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
4
5
 
5
- ## Rails 6.0.3.1 (May 18, 2020) ##
6
+ ```ruby
7
+ Rails.application.config.permissions_policy do |p|
8
+ p.camera :none
9
+ p.gyroscope :none
10
+ p.microphone :none
11
+ p.usb :none
12
+ p.fullscreen :self
13
+ p.payment :self, "https://secure-example.com"
14
+ end
15
+ ```
6
16
 
7
- * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
17
+ *Julien Grillot*
8
18
 
9
- * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
19
+ * Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
10
20
 
11
- ## Rails 6.0.3 (May 06, 2020) ##
21
+ Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
12
22
 
13
- * Include child session assertion count in ActionDispatch::IntegrationTest
23
+ *Chris Bisnett*
14
24
 
15
- `IntegrationTest#open_session` uses `dup` to create the new session, which
16
- meant it had its own copy of `@assertions`. This prevented the assertions
17
- from being correctly counted and reported.
25
+ * Add `config.action_dispatch.request_id_header` to allow changing the name of
26
+ the unique X-Request-Id header
18
27
 
19
- Child sessions now have their `attr_accessor` overriden to delegate to the
20
- root session.
28
+ *Arlston Fernandes*
21
29
 
22
- Fixes #32142
30
+ * Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
23
31
 
24
- *Sam Bostock*
32
+ *Rafael Mendonça França*
25
33
 
34
+ * Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
26
35
 
27
- ## Rails 6.0.2.2 (March 19, 2020) ##
36
+ *Rafael Mendonça França*
28
37
 
29
- * No changes.
38
+ * Remove deprecated `ActionDispatch::Http::ParameterFilter`.
30
39
 
40
+ *Rafael Mendonça França*
31
41
 
32
- ## Rails 6.0.2.1 (December 18, 2019) ##
42
+ * Added support for exclusive no-store Cache-Control header.
33
43
 
34
- * Fix possible information leak / session hijacking vulnerability.
44
+ If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
35
45
 
36
- The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
37
- gem dalli to be updated as well.
46
+ *Chris Kruger*
38
47
 
39
- CVE-2019-16782.
48
+ * Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
40
49
 
50
+ Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
51
+ `ActionDispatch::Http::Request#POST` prior to validating encoding.
41
52
 
42
- ## Rails 6.0.2 (December 13, 2019) ##
53
+ *Adrianna Chang*
43
54
 
44
- * Allow using mountable engine route helpers in System Tests.
55
+ * Allow `assert_recognizes` routing assertions to work on mounted root routes.
45
56
 
46
- *Chalo Fernandez*
57
+ *Gannon McGibbon*
47
58
 
59
+ * Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
48
60
 
49
- ## Rails 6.0.1 (November 5, 2019) ##
61
+ *Alan Tan*, *Oz Ben-David*
50
62
 
51
- * `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
52
- rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
53
- system tests.
63
+ * Fix `follow_redirect!` to follow redirection with same HTTP verb when following
64
+ a 308 redirection.
54
65
 
55
- *George Claghorn*, *Edouard Chin*
66
+ *Alan Tan*
56
67
 
57
- * Registered MIME types may contain extra flags:
68
+ * When multiple domains are specified for a cookie, a domain will now be
69
+ chosen only if it is equal to or is a superdomain of the request host.
58
70
 
59
- ```ruby
60
- Mime::Type.register "text/html; fragment", :html_fragment
61
- ```
71
+ *Jonathan Hefner*
62
72
 
63
- *Aaron Patterson*
73
+ * `ActionDispatch::Static` handles precompiled Brotli (.br) files.
64
74
 
75
+ Adds to existing support for precompiled gzip (.gz) files.
76
+ Brotli files are preferred due to much better compression.
65
77
 
66
- ## Rails 6.0.0 (August 16, 2019) ##
78
+ When the browser requests /some.js with `Accept-Encoding: br`,
79
+ we check for public/some.js.br and serve that file, if present, with
80
+ `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
67
81
 
68
- * No changes.
82
+ *Ryan Edward Hall*, *Jeremy Daer*
69
83
 
84
+ * Add raise_on_missing_translations support for controllers.
70
85
 
71
- ## Rails 6.0.0.rc2 (July 22, 2019) ##
86
+ This configuration determines whether an error should be raised for missing translations.
87
+ It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
88
+ configuration also affects raising error for missing translations in views.
72
89
 
73
- * Add the ability to set the CSP nonce only to the specified directives.
90
+ *fatkodima*
74
91
 
75
- Fixes #35137.
92
+ * Added `compact` and `compact!` to `ActionController::Parameters`.
76
93
 
77
- *Yuji Yaginuma*
94
+ *Eugene Kenny*
78
95
 
79
- * Keep part when scope option has value.
96
+ * Calling `each_pair` or `each_value` on an `ActionController::Parameters`
97
+ without passing a block now returns an enumerator.
80
98
 
81
- When a route was defined within an optional scope, if that route didn't
82
- take parameters the scope was lost when using path helpers. This commit
83
- ensures scope is kept both when the route takes parameters or when it
84
- doesn't.
99
+ *Eugene Kenny*
85
100
 
86
- Fixes #33219
101
+ * `fixture_file_upload` now uses path relative to `file_fixture_path`
87
102
 
88
- *Alberto Almagro*
103
+ Previously the path had to be relative to `fixture_path`.
104
+ You can change your existing code as follow:
89
105
 
90
- * Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
106
+ ```ruby
107
+ # Before
108
+ fixture_file_upload('files/dog.png')
91
109
 
92
- Previously, `ActionDispatch::Response#content_type` returned value does NOT
93
- contain charset part. This behavior changed to returned Content-Type header
94
- containing charset part as it is.
110
+ # After
111
+ fixture_file_upload('dog.png')
112
+ ```
95
113
 
96
- If you want just MIME type, please use `ActionDispatch::Response#media_type`
97
- instead.
114
+ *Edouard Chin*
98
115
 
99
- Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
100
- If not enabled, `ActionDispatch::Response#content_type` returns the same
101
- value as before version, but its behavior is deprecate.
116
+ * Remove deprecated `force_ssl` at the controller level.
102
117
 
103
- *Yuji Yaginuma*
118
+ *Rafael Mendonça França*
104
119
 
105
- * Calling `ActionController::Parameters#transform_keys/!` without a block now returns
106
- an enumerator for the parameters instead of the underlying hash.
120
+ * The +helper+ class method for controllers loads helper modules specified as
121
+ strings/symbols with `String#constantize` instead of `require_dependency`.
107
122
 
108
- *Eugene Kenny*
123
+ Remember that support for strings/symbols is only a convenient API. You can
124
+ always pass a module object:
109
125
 
110
- * Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
126
+ ```ruby
127
+ helper UtilsHelper
128
+ ```
111
129
 
112
- *Yuki Nishijima*, *Stan Lo*
130
+ which is recommended because it is simple and direct. When a string/symbol
131
+ is received, `helper` just manipulates and inflects the argument to obtain
132
+ that same module object.
113
133
 
134
+ *Xavier Noria*, *Jean Boussier*
114
135
 
115
- ## Rails 6.0.0.rc1 (April 24, 2019) ##
136
+ * Correctly identify the entire localhost IPv4 range as trusted proxy.
116
137
 
117
- * Make system tests take a failed screenshot in a `before_teardown` hook
118
- rather than an `after_teardown` hook.
138
+ *Nick Soracco*
119
139
 
120
- This helps minimize the time gap between when an assertion fails and when
121
- the screenshot is taken (reducing the time in which the page could have
122
- been dynamically updated after the assertion failed).
140
+ * `url_for` will now use "https://" as the default protocol when
141
+ `Rails.application.config.force_ssl` is set to true.
123
142
 
124
- *Richard Macklin*
143
+ *Jonathan Hefner*
125
144
 
126
- * Introduce `ActionDispatch::ActionableExceptions`.
145
+ * Accept and default to base64_urlsafe CSRF tokens.
127
146
 
128
- The `ActionDispatch::ActionableExceptions` middleware dispatches actions
129
- from `ActiveSupport::ActionableError` descendants.
147
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
148
+ them difficult to deal with. For example, the common practice of sending
149
+ the CSRF token to a browser in a client-readable cookie does not work properly
150
+ out of the box: the value has to be url-encoded and decoded to survive transport.
130
151
 
131
- Actionable errors let's you dispatch actions from Rails' error pages.
152
+ Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
153
+ to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
154
+ for backwards compatibility.
132
155
 
133
- *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
156
+ *Scott Blum*
134
157
 
135
- * Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
158
+ * Support rolling deploys for cookie serialization/encryption changes.
136
159
 
137
- After this change it's not possible anymore to configure routes like this:
160
+ In a distributed configuration like rolling update, users may observe
161
+ both old and new instances during deployment. Users may be served by a
162
+ new instance and then by an old instance.
138
163
 
139
- ```
140
- routes.draw do
141
- resources :users, param: 'name/:sneaky'
142
- end
143
- ```
164
+ That means when the server changes `cookies_serializer` from `:marshal`
165
+ to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
166
+ from `false` to `true`, users may lose their sessions if they access the
167
+ server during deployment.
144
168
 
145
- Fixes #30467.
169
+ We added fallbacks to downgrade the cookie format when necessary during
170
+ deployment, ensuring compatibility on both old and new instances.
146
171
 
147
- *Josua Schmid*
172
+ *Masaki Hara*
148
173
 
174
+ * `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
149
175
 
150
- ## Rails 6.0.0.beta3 (March 11, 2019) ##
176
+ Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
177
+ Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
151
178
 
152
- * No changes.
179
+ *Keenan Brock*
153
180
 
181
+ * Fix possible information leak / session hijacking vulnerability.
154
182
 
155
- ## Rails 6.0.0.beta2 (February 25, 2019) ##
183
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
184
+ gem dalli to be updated as well.
156
185
 
157
- * Make debug exceptions works in an environment where ActiveStorage is not loaded.
186
+ CVE-2019-16782.
158
187
 
159
- *Tomoyuki Kurosawa*
188
+ * Include child session assertion count in ActionDispatch::IntegrationTest.
160
189
 
161
- * `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
162
- to define specific browser capabilities.
190
+ `IntegrationTest#open_session` uses `dup` to create the new session, which
191
+ meant it had its own copy of `@assertions`. This prevented the assertions
192
+ from being correctly counted and reported.
163
193
 
164
- *Edouard Chin*
194
+ Child sessions now have their `attr_accessor` overridden to delegate to the
195
+ root session.
165
196
 
197
+ Fixes #32142.
166
198
 
167
- ## Rails 6.0.0.beta1 (January 18, 2019) ##
199
+ *Sam Bostock*
168
200
 
169
- * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
201
+ * Add SameSite protection to every written cookie.
170
202
 
171
- *Rafael Mendonça França*
203
+ Enabling `SameSite` cookie protection is an addition to CSRF protection,
204
+ where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
172
205
 
173
- * Remove deprecated methods in `ActionDispatch::TestResponse`.
206
+ `:strict` disables cookies being sent in cross-site GET or POST requests.
174
207
 
175
- `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
176
- `#successful?`, `not_found?` and `server_error?`.
208
+ Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
177
209
 
178
- *Rafael Mendonça França*
210
+ See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
179
211
 
180
- * Introduce `ActionDispatch::HostAuthorization`.
212
+ More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
181
213
 
182
- This is a new middleware that guards against DNS rebinding attacks by
183
- explicitly permitting the hosts a request can be made to.
214
+ _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
184
215
 
185
- Each host is checked with the case operator (`#===`) to support `Regexp`,
186
- `Proc`, `IPAddr` and custom objects as host allowances.
216
+ *Cédric Fabianski*
187
217
 
188
- *Genadi Samokovarov*
218
+ * Bring back the feature that allows loading external route files from the router.
189
219
 
190
- * Allow using `parsed_body` in `ActionController::TestCase`.
220
+ This feature existed back in 2012 but got reverted with the incentive that
221
+ https://github.com/rails/routing_concerns was a better approach. Turned out
222
+ that this wasn't fully the case and loading external route files from the router
223
+ can be helpful for applications with a really large set of routes.
224
+ Without this feature, application needs to implement routes reloading
225
+ themselves and it's not straightforward.
191
226
 
192
- In addition to `ActionDispatch::IntegrationTest`, allow using
193
- `parsed_body` in `ActionController::TestCase`:
227
+ ```ruby
228
+ # config/routes.rb
194
229
 
195
- ```
196
- class SomeControllerTest < ActionController::TestCase
197
- def test_some_action
198
- post :action, body: { foo: 'bar' }
199
- assert_equal({ "foo" => "bar" }, response.parsed_body)
200
- end
230
+ Rails.application.routes.draw do
231
+ draw(:admin)
201
232
  end
202
- ```
203
-
204
- Fixes #34676.
205
-
206
- *Tobias Bühlmann*
207
233
 
208
- * Raise an error on root route naming conflicts.
234
+ # config/routes/admin.rb
209
235
 
210
- Raises an `ArgumentError` when multiple root routes are defined in the
211
- same context instead of assigning nil names to subsequent roots.
212
-
213
- *Gannon McGibbon*
236
+ get :foo, to: 'foo#bar'
237
+ ```
214
238
 
215
- * Allow rescue from parameter parse errors:
239
+ *Yehuda Katz*, *Edouard Chin*
216
240
 
217
- ```
218
- rescue_from ActionDispatch::Http::Parameters::ParseError do
219
- head :unauthorized
220
- end
221
- ```
241
+ * Fix system test driver option initialization for non-headless browsers.
222
242
 
223
- *Gannon McGibbon*, *Josh Cheek*
243
+ *glaszig*
224
244
 
225
- * Reset Capybara sessions if failed system test screenshot raising an exception.
245
+ * `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
246
+ their payloads as `:request`.
226
247
 
227
- Reset Capybara sessions if `take_failed_screenshot` raise exception
228
- in system test `after_teardown`.
248
+ *Austin Story*
229
249
 
230
- *Maxim Perepelitsa*
250
+ * `respond_to#any` no longer returns a response's Content-Type based on the
251
+ request format but based on the block given.
231
252
 
232
- * Use request object for context if there's no controller
253
+ Example:
233
254
 
234
- There is no controller instance when using a redirect route or a
235
- mounted rack application so pass the request object as the context
236
- when resolving dynamic CSP sources in this scenario.
255
+ ```ruby
256
+ def my_action
257
+ respond_to do |format|
258
+ format.any { render(json: { foo: 'bar' }) }
259
+ end
260
+ end
237
261
 
238
- Fixes #34200.
262
+ get('my_action.csv')
263
+ ```
239
264
 
240
- *Andrew White*
265
+ The previous behaviour was to respond with a `text/csv` Content-Type which
266
+ is inaccurate since a JSON response is being rendered.
241
267
 
242
- * Apply mapping to symbols returned from dynamic CSP sources
268
+ Now it correctly returns a `application/json` Content-Type.
243
269
 
244
- Previously if a dynamic source returned a symbol such as :self it
245
- would be converted to a string implicitly, e.g:
270
+ *Edouard Chin*
246
271
 
247
- policy.default_src -> { :self }
272
+ * Replaces (back)slashes in failure screenshot image paths with dashes.
248
273
 
249
- would generate the header:
274
+ If a failed test case contained a slash or a backslash, a screenshot would be created in a
275
+ nested directory, causing issues with `tmp:clear`.
250
276
 
251
- Content-Security-Policy: default-src self
277
+ *Damir Zekic*
252
278
 
253
- and now it generates:
279
+ * Add `params.member?` to mimic Hash behavior.
254
280
 
255
- Content-Security-Policy: default-src 'self'
281
+ *Younes Serraj*
256
282
 
257
- *Andrew White*
283
+ * `process_action.action_controller` notifications now include the following in their payloads:
258
284
 
259
- * Add `ActionController::Parameters#each_value`.
285
+ * `:request` - the `ActionDispatch::Request`
286
+ * `:response` - the `ActionDispatch::Response`
260
287
 
261
- *Lukáš Zapletal*
288
+ *George Claghorn*
262
289
 
263
- * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
290
+ * Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
291
+ `remote_ip` to `nil` before setting the header that the value is derived
292
+ from.
264
293
 
265
- *Yoshiyuki Kinjo*
294
+ Fixes #37383.
266
295
 
267
- * Encode Content-Disposition filenames on `send_data` and `send_file`.
268
- Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
269
- `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
270
- garbled.
271
- Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
272
- [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
273
- `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
274
- Most browsers can find filename correctly and old browsers fallback to ASCII
275
- converted name.
296
+ *Norm Provost*
276
297
 
277
- *Fumiaki Matsushima*
298
+ * `ActionController::Base.log_at` allows setting a different log level per request.
278
299
 
279
- * Expose `ActionController::Parameters#each_key` which allows iterating over
280
- keys without allocating an array.
300
+ ```ruby
301
+ # Use the debug level if a particular cookie is set.
302
+ class ApplicationController < ActionController::Base
303
+ log_at :debug, if: -> { cookies[:debug] }
304
+ end
305
+ ```
281
306
 
282
- *Richard Schneeman*
307
+ *George Claghorn*
283
308
 
284
- * Purpose metadata for signed/encrypted cookies.
309
+ * Allow system test screen shots to be taken more than once in
310
+ a test by prefixing the file name with an incrementing counter.
285
311
 
286
- Rails can now thwart attacks that attempt to copy signed/encrypted value
287
- of a cookie and use it as the value of another cookie.
312
+ Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
313
+ enable saving of HTML during a screenshot in addition to the image.
314
+ This uses the same image name, with the extension replaced with `.html`
288
315
 
289
- It does so by stashing the cookie-name in the purpose field which is
290
- then signed/encrypted along with the cookie value. Then, on a server-side
291
- read, we verify the cookie-names and discard any attacked cookies.
316
+ *Tom Fakes*
292
317
 
293
- Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
294
- writes cookies with the new purpose and expiry metadata embedded.
318
+ * Add `Vary: Accept` header when using `Accept` header for response.
295
319
 
296
- *Assain Jaleel*
320
+ For some requests like `/users/1`, Rails uses requests' `Accept`
321
+ header to determine what to return. And if we don't add `Vary`
322
+ in the response header, browsers might accidentally cache different
323
+ types of content, which would cause issues: e.g. javascript got displayed
324
+ instead of html content. This PR fixes these issues by adding `Vary: Accept`
325
+ in these types of requests. For more detailed problem description, please read:
297
326
 
298
- * Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
327
+ https://github.com/rails/rails/pull/36213
299
328
 
300
- `respond_to` can match multiple types and lead to undefined behavior when
301
- multiple invocations are made and the types do not match:
329
+ Fixes #25842.
302
330
 
303
- respond_to do |outer_type|
304
- outer_type.js do
305
- respond_to do |inner_type|
306
- inner_type.html { render body: "HTML" }
307
- end
308
- end
309
- end
331
+ *Stan Lo*
310
332
 
311
- *Patrick Toomey*
333
+ * Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
334
+ a 307 redirection.
312
335
 
313
- * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
336
+ *Edouard Chin*
314
337
 
315
- This allows uploaded file objects to be passed directly to `File.read`
316
- without raising a `TypeError`:
338
+ * System tests require Capybara 3.26 or newer.
317
339
 
318
- uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
319
- File.read(uploaded_file)
340
+ *George Claghorn*
320
341
 
321
- *Aaron Kromer*
342
+ * Reduced log noise handling ActionController::RoutingErrors.
322
343
 
323
- * Pass along arguments to underlying `get` method in `follow_redirect!`
344
+ *Alberto Fernández-Capel*
324
345
 
325
- Now all arguments passed to `follow_redirect!` are passed to the underlying
326
- `get` method. This for example allows to set custom headers for the
327
- redirection request to the server.
346
+ * Add DSL for configuring HTTP Feature Policy.
328
347
 
329
- follow_redirect!(params: { foo: :bar })
348
+ This new DSL provides a way to configure an HTTP Feature Policy at a
349
+ global or per-controller level. Full details of HTTP Feature Policy
350
+ specification and guidelines can be found at MDN:
330
351
 
331
- *Remo Fritzsche*
352
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
332
353
 
333
- * Introduce a new error page to when the implicit render page is accessed in the browser.
354
+ Example global policy:
334
355
 
335
- Now instead of showing an error page that with exception and backtraces we now show only
336
- one informative page.
356
+ ```ruby
357
+ Rails.application.config.feature_policy do |f|
358
+ f.camera :none
359
+ f.gyroscope :none
360
+ f.microphone :none
361
+ f.usb :none
362
+ f.fullscreen :self
363
+ f.payment :self, "https://secure.example.com"
364
+ end
365
+ ```
337
366
 
338
- *Vinicius Stock*
367
+ Example controller level policy:
339
368
 
340
- * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
369
+ ```ruby
370
+ class PagesController < ApplicationController
371
+ feature_policy do |p|
372
+ p.geolocation "https://example.com"
373
+ end
374
+ end
375
+ ```
341
376
 
342
- Exception aware plugin authors can use the newly introduced
343
- `.register_interceptor` method to get the processed exception, instead of
344
- monkey patching DebugExceptions.
377
+ *Jacob Bednarz*
345
378
 
346
- ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
347
- HypoteticalPlugin.capture_exception(request, exception)
348
- end
379
+ * Add the ability to set the CSP nonce only to the specified directives.
349
380
 
350
- *Genadi Samokovarov*
381
+ Fixes #35137.
351
382
 
352
- * Output only one Content-Security-Policy nonce header value per request.
383
+ *Yuji Yaginuma*
353
384
 
354
- Fixes #32597.
385
+ * Keep part when scope option has value.
355
386
 
356
- *Andrey Novikov*, *Andrew White*
387
+ When a route was defined within an optional scope, if that route didn't
388
+ take parameters the scope was lost when using path helpers. This commit
389
+ ensures scope is kept both when the route takes parameters or when it
390
+ doesn't.
357
391
 
358
- * Move default headers configuration into their own module that can be included in controllers.
392
+ Fixes #33219.
359
393
 
360
- *Kevin Deisz*
394
+ *Alberto Almagro*
361
395
 
362
- * Add method `dig` to `session`.
396
+ * Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
363
397
 
364
- *claudiob*, *Takumi Shotoku*
398
+ *Gustavo Gutierrez*
365
399
 
366
- * Controller level `force_ssl` has been deprecated in favor of
367
- `config.force_ssl`.
400
+ * Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
401
+ an enumerator for the parameters instead of the underlying hash.
368
402
 
369
- *Derek Prior*
403
+ *Eugene Kenny*
370
404
 
371
- * Rails 6 requires Ruby 2.5.0 or newer.
405
+ * Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
406
+ It should only block invalid key's values instead.
372
407
 
373
- *Jeremy Daer*, *Kasper Timm Hansen*
408
+ *Stan Lo*
374
409
 
375
410
 
376
- Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
411
+ Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
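Review bot: the security entries for 6.0.3.1 and 6.0.3.2 (CVE-2020-8164, CVE-2020-8166 and CVE-2020-8185) are removed at the top of the hunk and nothing under the new `## Rails 6.1.0` heading re-lists them, whereas the CVE-2019-16782 entry is carried over verbatim; a reader auditing 6.1.0 cannot tell from this file alone whether those three fixes are included and is left with only the `6-0-stable` pointer in the last line, so either keep the 6.0.3.x entries or state explicitly whether 6.1.0 carries them. The added `Add DSL for configuring HTTP Feature Policy` entry also keeps the `Rails.application.config.feature_policy` and `feature_policy do |p|` examples while the entry at the head of the hunk says the header was renamed to `Permissions-Policy` and shows `config.permissions_policy`; mark `feature_policy` as the superseded name so the two examples do not read as alternatives. Finally, this hunk carries no file header of its own, so on this page it sits under `checksums.yaml CHANGED` although the file list shows its content belongs to `data/CHANGELOG.md`.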