actionpack 6.0.3.4 → 6.1.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +245 -236
- data/MIT-LICENSE +1 -1
- data/lib/abstract_controller.rb +1 -0
- data/lib/abstract_controller/base.rb +35 -2
- data/lib/abstract_controller/callbacks.rb +2 -2
- data/lib/abstract_controller/helpers.rb +105 -90
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +8 -2
- data/lib/action_controller.rb +2 -3
- data/lib/action_controller/api.rb +2 -2
- data/lib/action_controller/base.rb +4 -2
- data/lib/action_controller/caching.rb +0 -1
- data/lib/action_controller/log_subscriber.rb +3 -3
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/metal/conditional_get.rb +10 -2
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +2 -4
- data/lib/action_controller/metal/exceptions.rb +33 -0
- data/lib/action_controller/metal/feature_policy.rb +46 -0
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +11 -1
- data/lib/action_controller/metal/http_authentication.rb +4 -2
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -9
- data/lib/action_controller/metal/live.rb +1 -1
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +6 -2
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +14 -8
- data/lib/action_controller/metal/redirecting.rb +1 -1
- data/lib/action_controller/metal/rendering.rb +6 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +48 -24
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +103 -15
- data/lib/action_controller/renderer.rb +24 -13
- data/lib/action_controller/test_case.rb +62 -56
- data/lib/action_dispatch.rb +3 -2
- data/lib/action_dispatch/http/cache.rb +12 -10
- data/lib/action_dispatch/http/content_disposition.rb +2 -2
- data/lib/action_dispatch/http/content_security_policy.rb +5 -1
- data/lib/action_dispatch/http/feature_policy.rb +168 -0
- data/lib/action_dispatch/http/filter_parameters.rb +1 -1
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +3 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +20 -8
- data/lib/action_dispatch/http/mime_type.rb +28 -15
- data/lib/action_dispatch/http/parameters.rb +1 -19
- data/lib/action_dispatch/http/request.rb +26 -8
- data/lib/action_dispatch/http/response.rb +17 -16
- data/lib/action_dispatch/http/url.rb +3 -2
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/journey/formatter.rb +53 -28
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +4 -3
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +13 -18
- data/lib/action_dispatch/journey/route.rb +7 -18
- data/lib/action_dispatch/journey/router.rb +26 -30
- data/lib/action_dispatch/journey/router/utils.rb +6 -4
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +2 -2
- data/lib/action_dispatch/middleware/cookies.rb +74 -33
- data/lib/action_dispatch/middleware/debug_exceptions.rb +10 -17
- data/lib/action_dispatch/middleware/debug_view.rb +1 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +29 -17
- data/lib/action_dispatch/middleware/host_authorization.rb +23 -3
- data/lib/action_dispatch/middleware/public_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
- data/lib/action_dispatch/middleware/request_id.rb +4 -5
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
- data/lib/action_dispatch/middleware/ssl.rb +9 -6
- data/lib/action_dispatch/middleware/stack.rb +18 -0
- data/lib/action_dispatch/middleware/static.rb +154 -93
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +18 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +88 -8
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +12 -1
- data/lib/action_dispatch/railtie.rb +3 -2
- data/lib/action_dispatch/request/session.rb +2 -8
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +8 -7
- data/lib/action_dispatch/routing/mapper.rb +102 -71
- data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
- data/lib/action_dispatch/routing/redirection.rb +3 -3
- data/lib/action_dispatch/routing/route_set.rb +49 -41
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/system_test_case.rb +29 -24
- data/lib/action_dispatch/system_testing/browser.rb +33 -27
- data/lib/action_dispatch/system_testing/driver.rb +6 -7
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +2 -4
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/integration.rb +38 -27
- data/lib/action_dispatch/testing/test_process.rb +29 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +3 -3
- metadata +22 -23
- data/lib/action_controller/metal/force_ssl.rb +0 -58
- data/lib/action_dispatch/http/parameter_filter.rb +0 -12
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9a4a41e1ca0c25578fbd6a0ea8a05295194ae1bd4583adec81c901d36df926af
|
4
|
+
data.tar.gz: 8582c26944953ae947cf95b4582f3b000af462b0786476d4dc84a268963bbdd8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c6ae9cf119acfd74a41566d30f6d499ed3590355134a7a00ebc77b25a8516f1037448bc202c543b0c92cedc842d38e1b787df12f4260bebf5f1595c42c192d2a
|
7
|
+
data.tar.gz: 69965930679b64e98df6a5b4edaefa9f15a7c38480fd179507b3a27c663b07478411a6ae04355dd5a30f97f18be8b4441e083b5c97d0015f95963d5adf29dcda
|
data/CHANGELOG.md
CHANGED
@@ -1,386 +1,395 @@
|
|
1
|
-
## Rails 6.0.
|
1
|
+
## Rails 6.1.0.rc1 (November 02, 2020) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
4
4
|
|
5
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
5
6
|
|
6
|
-
|
7
|
+
*Chris Bisnett*
|
7
8
|
|
8
|
-
*
|
9
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
10
|
+
the unique X-Request-Id header
|
9
11
|
|
12
|
+
*Arlston Fernandes*
|
10
13
|
|
11
|
-
|
14
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
12
15
|
|
13
|
-
*
|
14
|
-
|
15
|
-
## Rails 6.0.3.1 (May 18, 2020) ##
|
16
|
-
|
17
|
-
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
18
|
-
|
19
|
-
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
20
|
-
|
21
|
-
## Rails 6.0.3 (May 06, 2020) ##
|
22
|
-
|
23
|
-
* Include child session assertion count in ActionDispatch::IntegrationTest
|
24
|
-
|
25
|
-
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
26
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
27
|
-
from being correctly counted and reported.
|
28
|
-
|
29
|
-
Child sessions now have their `attr_accessor` overriden to delegate to the
|
30
|
-
root session.
|
31
|
-
|
32
|
-
Fixes #32142
|
33
|
-
|
34
|
-
*Sam Bostock*
|
16
|
+
*Rafael Mendonça França*
|
35
17
|
|
18
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
36
19
|
|
37
|
-
|
20
|
+
*Rafael Mendonça França*
|
38
21
|
|
39
|
-
*
|
22
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
40
23
|
|
24
|
+
*Rafael Mendonça França*
|
41
25
|
|
42
|
-
|
26
|
+
* Added support for exclusive no-store Cache-Control header.
|
43
27
|
|
44
|
-
|
28
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
45
29
|
|
46
|
-
|
47
|
-
gem dalli to be updated as well.
|
30
|
+
*Chris Kruger*
|
48
31
|
|
49
|
-
|
32
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
50
33
|
|
34
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
35
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
51
36
|
|
52
|
-
|
37
|
+
*Adrianna Chang*
|
53
38
|
|
54
|
-
* Allow
|
39
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
55
40
|
|
56
|
-
*
|
41
|
+
*Gannon McGibbon*
|
57
42
|
|
43
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
58
44
|
|
59
|
-
|
45
|
+
*Alan Tan*, *Oz Ben-David*
|
60
46
|
|
61
|
-
* `
|
62
|
-
|
63
|
-
system tests.
|
47
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
48
|
+
a 308 redirection.
|
64
49
|
|
65
|
-
*
|
50
|
+
*Alan Tan*
|
66
51
|
|
67
|
-
*
|
52
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
53
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
68
54
|
|
69
|
-
|
70
|
-
Mime::Type.register "text/html; fragment", :html_fragment
|
71
|
-
```
|
55
|
+
*Jonathan Hefner*
|
72
56
|
|
73
|
-
|
57
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
74
58
|
|
59
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
60
|
+
Brotli files are preferred due to much better compression.
|
75
61
|
|
76
|
-
|
62
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
63
|
+
we check for public/some.js.br and serve that file, if present, with
|
64
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
77
65
|
|
78
|
-
*
|
66
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
79
67
|
|
68
|
+
* Add raise_on_missing_translations support for controllers.
|
80
69
|
|
81
|
-
|
70
|
+
This configuration determines whether an error should be raised for missing translations.
|
71
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
72
|
+
configuration also affects raising error for missing translations in views.
|
82
73
|
|
83
|
-
*
|
74
|
+
*fatkodima*
|
84
75
|
|
85
|
-
|
76
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
86
77
|
|
87
|
-
*
|
78
|
+
*Eugene Kenny*
|
88
79
|
|
89
|
-
*
|
80
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
81
|
+
without passing a block now returns an enumerator.
|
90
82
|
|
91
|
-
|
92
|
-
take parameters the scope was lost when using path helpers. This commit
|
93
|
-
ensures scope is kept both when the route takes parameters or when it
|
94
|
-
doesn't.
|
83
|
+
*Eugene Kenny*
|
95
84
|
|
96
|
-
|
85
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
97
86
|
|
98
|
-
|
87
|
+
Previously the path had to be relative to `fixture_path`.
|
88
|
+
You can change your existing code as follow:
|
99
89
|
|
100
|
-
|
90
|
+
```ruby
|
91
|
+
# Before
|
92
|
+
fixture_file_upload('files/dog.png')
|
101
93
|
|
102
|
-
|
103
|
-
|
104
|
-
|
94
|
+
# After
|
95
|
+
fixture_file_upload('dog.png')
|
96
|
+
```
|
105
97
|
|
106
|
-
|
107
|
-
instead.
|
98
|
+
*Edouard Chin*
|
108
99
|
|
109
|
-
|
110
|
-
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
111
|
-
value as before version, but its behavior is deprecate.
|
100
|
+
* Remove deprecated `force_ssl` at the controller level.
|
112
101
|
|
113
|
-
*
|
102
|
+
*Rafael Mendonça França*
|
114
103
|
|
115
|
-
*
|
116
|
-
|
104
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
105
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
117
106
|
|
118
|
-
|
107
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
108
|
+
always pass a module object:
|
119
109
|
|
120
|
-
|
110
|
+
```ruby
|
111
|
+
helper UtilsHelper
|
112
|
+
```
|
121
113
|
|
122
|
-
|
114
|
+
which is recommended because it is simple and direct. When a string/symbol
|
115
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
116
|
+
that same module object.
|
123
117
|
|
118
|
+
*Xavier Noria*, *Jean Boussier*
|
124
119
|
|
125
|
-
|
120
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
126
121
|
|
127
|
-
*
|
128
|
-
rather than an `after_teardown` hook.
|
122
|
+
*Nick Soracco*
|
129
123
|
|
130
|
-
|
131
|
-
|
132
|
-
been dynamically updated after the assertion failed).
|
124
|
+
* `url_for` will now use "https://" as the default protocol when
|
125
|
+
`Rails.application.config.force_ssl` is set to true.
|
133
126
|
|
134
|
-
*
|
127
|
+
*Jonathan Hefner*
|
135
128
|
|
136
|
-
*
|
129
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
137
130
|
|
138
|
-
|
139
|
-
|
131
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
132
|
+
them difficult to deal with. For example, the common practice of sending
|
133
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
134
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
140
135
|
|
141
|
-
|
136
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
137
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
138
|
+
for backwards compatibility.
|
142
139
|
|
143
|
-
*
|
140
|
+
*Scott Blum*
|
144
141
|
|
145
|
-
*
|
142
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
146
143
|
|
147
|
-
|
144
|
+
In a distributed configuration like rolling update, users may observe
|
145
|
+
both old and new instances during deployment. Users may be served by a
|
146
|
+
new instance and then by an old instance.
|
148
147
|
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
```
|
148
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
149
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
150
|
+
from `false` to `true`, users may lose their sessions if they access the
|
151
|
+
server during deployment.
|
154
152
|
|
155
|
-
|
153
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
154
|
+
deployment, ensuring compatibility on both old and new instances.
|
156
155
|
|
157
|
-
*
|
156
|
+
*Masaki Hara*
|
158
157
|
|
158
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
159
159
|
|
160
|
-
|
160
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
161
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
161
162
|
|
162
|
-
*
|
163
|
+
*Keenan Brock*
|
163
164
|
|
165
|
+
* Fix possible information leak / session hijacking vulnerability.
|
164
166
|
|
165
|
-
|
167
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
168
|
+
gem dalli to be updated as well.
|
166
169
|
|
167
|
-
|
170
|
+
CVE-2019-16782.
|
168
171
|
|
169
|
-
|
172
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
170
173
|
|
171
|
-
|
172
|
-
|
174
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
175
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
176
|
+
from being correctly counted and reported.
|
173
177
|
|
174
|
-
|
178
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
179
|
+
root session.
|
175
180
|
|
181
|
+
Fixes #32142.
|
176
182
|
|
177
|
-
|
183
|
+
*Sam Bostock*
|
178
184
|
|
179
|
-
*
|
185
|
+
* Add SameSite protection to every written cookie.
|
180
186
|
|
181
|
-
|
187
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
188
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
182
189
|
|
183
|
-
|
190
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
184
191
|
|
185
|
-
|
186
|
-
`#successful?`, `not_found?` and `server_error?`.
|
192
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
187
193
|
|
188
|
-
|
194
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
189
195
|
|
190
|
-
|
196
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
191
197
|
|
192
|
-
|
193
|
-
explicitly permitting the hosts a request can be made to.
|
198
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
194
199
|
|
195
|
-
|
196
|
-
`Proc`, `IPAddr` and custom objects as host allowances.
|
200
|
+
*Cédric Fabianski*
|
197
201
|
|
198
|
-
|
202
|
+
* Bring back the feature that allows loading external route files from the router.
|
199
203
|
|
200
|
-
|
204
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
205
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
206
|
+
that this wasn't fully the case and loading external route files from the router
|
207
|
+
can be helpful for applications with a really large set of routes.
|
208
|
+
Without this feature, application needs to implement routes reloading
|
209
|
+
themselves and it's not straightforward.
|
201
210
|
|
202
|
-
|
203
|
-
|
211
|
+
```ruby
|
212
|
+
# config/routes.rb
|
204
213
|
|
205
|
-
|
206
|
-
|
207
|
-
def test_some_action
|
208
|
-
post :action, body: { foo: 'bar' }
|
209
|
-
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
210
|
-
end
|
214
|
+
Rails.application.routes.draw do
|
215
|
+
draw(:admin)
|
211
216
|
end
|
212
|
-
```
|
213
217
|
|
214
|
-
|
218
|
+
# config/routes/admin.rb
|
215
219
|
|
216
|
-
|
217
|
-
|
218
|
-
* Raise an error on root route naming conflicts.
|
219
|
-
|
220
|
-
Raises an `ArgumentError` when multiple root routes are defined in the
|
221
|
-
same context instead of assigning nil names to subsequent roots.
|
222
|
-
|
223
|
-
*Gannon McGibbon*
|
220
|
+
get :foo, to: 'foo#bar'
|
221
|
+
```
|
224
222
|
|
225
|
-
*
|
223
|
+
*Yehuda Katz*, *Edouard Chin*
|
226
224
|
|
227
|
-
|
228
|
-
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
229
|
-
head :unauthorized
|
230
|
-
end
|
231
|
-
```
|
225
|
+
* Fix system test driver option initialization for non-headless browsers.
|
232
226
|
|
233
|
-
*
|
227
|
+
*glaszig*
|
234
228
|
|
235
|
-
*
|
229
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
230
|
+
their payloads as `:request`.
|
236
231
|
|
237
|
-
|
238
|
-
in system test `after_teardown`.
|
232
|
+
*Austin Story*
|
239
233
|
|
240
|
-
|
234
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
235
|
+
request format but based on the block given.
|
241
236
|
|
242
|
-
|
237
|
+
Example:
|
243
238
|
|
244
|
-
|
245
|
-
|
246
|
-
|
239
|
+
```ruby
|
240
|
+
def my_action
|
241
|
+
respond_to do |format|
|
242
|
+
format.any { render(json: { foo: 'bar' }) }
|
243
|
+
end
|
244
|
+
end
|
247
245
|
|
248
|
-
|
246
|
+
get('my_action.csv')
|
247
|
+
```
|
249
248
|
|
250
|
-
|
249
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
250
|
+
is inaccurate since a JSON response is being rendered.
|
251
251
|
|
252
|
-
|
252
|
+
Now it correctly returns a `application/json` Content-Type.
|
253
253
|
|
254
|
-
|
255
|
-
would be converted to a string implicitly, e.g:
|
254
|
+
*Edouard Chin*
|
256
255
|
|
257
|
-
|
256
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
258
257
|
|
259
|
-
would
|
258
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
259
|
+
nested directory, causing issues with `tmp:clear`.
|
260
260
|
|
261
|
-
|
261
|
+
*Damir Zekic*
|
262
262
|
|
263
|
-
|
263
|
+
* Add `params.member?` to mimic Hash behavior.
|
264
264
|
|
265
|
-
|
265
|
+
*Younes Serraj*
|
266
266
|
|
267
|
-
|
267
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
268
268
|
|
269
|
-
*
|
269
|
+
* `:request` - the `ActionDispatch::Request`
|
270
|
+
* `:response` - the `ActionDispatch::Response`
|
270
271
|
|
271
|
-
*
|
272
|
+
*George Claghorn*
|
272
273
|
|
273
|
-
*
|
274
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
275
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
276
|
+
from.
|
274
277
|
|
275
|
-
|
278
|
+
Fixes #37383.
|
276
279
|
|
277
|
-
*
|
278
|
-
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
279
|
-
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
280
|
-
garbled.
|
281
|
-
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
282
|
-
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
283
|
-
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
284
|
-
Most browsers can find filename correctly and old browsers fallback to ASCII
|
285
|
-
converted name.
|
280
|
+
*Norm Provost*
|
286
281
|
|
287
|
-
|
282
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
288
283
|
|
289
|
-
|
290
|
-
|
284
|
+
```ruby
|
285
|
+
# Use the debug level if a particular cookie is set.
|
286
|
+
class ApplicationController < ActionController::Base
|
287
|
+
log_at :debug, if: -> { cookies[:debug] }
|
288
|
+
end
|
289
|
+
```
|
291
290
|
|
292
|
-
*
|
291
|
+
*George Claghorn*
|
293
292
|
|
294
|
-
*
|
293
|
+
* Allow system test screen shots to be taken more than once in
|
294
|
+
a test by prefixing the file name with an incrementing counter.
|
295
295
|
|
296
|
-
|
297
|
-
|
296
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
297
|
+
enable saving of HTML during a screenshot in addition to the image.
|
298
|
+
This uses the same image name, with the extension replaced with `.html`
|
298
299
|
|
299
|
-
|
300
|
-
then signed/encrypted along with the cookie value. Then, on a server-side
|
301
|
-
read, we verify the cookie-names and discard any attacked cookies.
|
300
|
+
*Tom Fakes*
|
302
301
|
|
303
|
-
|
304
|
-
writes cookies with the new purpose and expiry metadata embedded.
|
302
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
305
303
|
|
306
|
-
|
304
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
305
|
+
header to determine what to return. And if we don't add `Vary`
|
306
|
+
in the response header, browsers might accidentally cache different
|
307
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
308
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
309
|
+
in these types of requests. For more detailed problem description, please read:
|
307
310
|
|
308
|
-
|
311
|
+
https://github.com/rails/rails/pull/36213
|
309
312
|
|
310
|
-
|
311
|
-
multiple invocations are made and the types do not match:
|
313
|
+
Fixes #25842.
|
312
314
|
|
313
|
-
|
314
|
-
outer_type.js do
|
315
|
-
respond_to do |inner_type|
|
316
|
-
inner_type.html { render body: "HTML" }
|
317
|
-
end
|
318
|
-
end
|
319
|
-
end
|
315
|
+
*Stan Lo*
|
320
316
|
|
321
|
-
|
317
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
318
|
+
a 307 redirection.
|
322
319
|
|
323
|
-
*
|
320
|
+
*Edouard Chin*
|
324
321
|
|
325
|
-
|
326
|
-
without raising a `TypeError`:
|
322
|
+
* System tests require Capybara 3.26 or newer.
|
327
323
|
|
328
|
-
|
329
|
-
File.read(uploaded_file)
|
324
|
+
*George Claghorn*
|
330
325
|
|
331
|
-
|
326
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
332
327
|
|
333
|
-
*
|
328
|
+
*Alberto Fernández-Capel*
|
334
329
|
|
335
|
-
|
336
|
-
`get` method. This for example allows to set custom headers for the
|
337
|
-
redirection request to the server.
|
330
|
+
* Add DSL for configuring HTTP Feature Policy.
|
338
331
|
|
339
|
-
|
332
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
333
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
334
|
+
specification and guidelines can be found at MDN:
|
340
335
|
|
341
|
-
|
336
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
342
337
|
|
343
|
-
|
338
|
+
Example global policy:
|
344
339
|
|
345
|
-
|
346
|
-
|
340
|
+
```ruby
|
341
|
+
Rails.application.config.feature_policy do |f|
|
342
|
+
f.camera :none
|
343
|
+
f.gyroscope :none
|
344
|
+
f.microphone :none
|
345
|
+
f.usb :none
|
346
|
+
f.fullscreen :self
|
347
|
+
f.payment :self, "https://secure.example.com"
|
348
|
+
end
|
349
|
+
```
|
347
350
|
|
348
|
-
|
351
|
+
Example controller level policy:
|
349
352
|
|
350
|
-
|
353
|
+
```ruby
|
354
|
+
class PagesController < ApplicationController
|
355
|
+
feature_policy do |p|
|
356
|
+
p.geolocation "https://example.com"
|
357
|
+
end
|
358
|
+
end
|
359
|
+
```
|
351
360
|
|
352
|
-
|
353
|
-
`.register_interceptor` method to get the processed exception, instead of
|
354
|
-
monkey patching DebugExceptions.
|
361
|
+
*Jacob Bednarz*
|
355
362
|
|
356
|
-
|
357
|
-
HypoteticalPlugin.capture_exception(request, exception)
|
358
|
-
end
|
363
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
359
364
|
|
360
|
-
|
365
|
+
Fixes #35137.
|
361
366
|
|
362
|
-
*
|
367
|
+
*Yuji Yaginuma*
|
363
368
|
|
364
|
-
|
369
|
+
* Keep part when scope option has value.
|
365
370
|
|
366
|
-
|
371
|
+
When a route was defined within an optional scope, if that route didn't
|
372
|
+
take parameters the scope was lost when using path helpers. This commit
|
373
|
+
ensures scope is kept both when the route takes parameters or when it
|
374
|
+
doesn't.
|
367
375
|
|
368
|
-
|
376
|
+
Fixes #33219.
|
369
377
|
|
370
|
-
*
|
378
|
+
*Alberto Almagro*
|
371
379
|
|
372
|
-
*
|
380
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
373
381
|
|
374
|
-
*
|
382
|
+
*Gustavo Gutierrez*
|
375
383
|
|
376
|
-
*
|
377
|
-
|
384
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
385
|
+
an enumerator for the parameters instead of the underlying hash.
|
378
386
|
|
379
|
-
*
|
387
|
+
*Eugene Kenny*
|
380
388
|
|
381
|
-
*
|
389
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
390
|
+
It should only block invalid key's values instead.
|
382
391
|
|
383
|
-
*
|
392
|
+
*Stan Lo*
|
384
393
|
|
385
394
|
|
386
|
-
Please check [
|
395
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|