actionpack 6.0.3.4 → 6.1.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +274 -223
- data/MIT-LICENSE +1 -1
- data/README.rdoc +1 -1
- data/lib/abstract_controller.rb +1 -0
- data/lib/abstract_controller/base.rb +35 -2
- data/lib/abstract_controller/callbacks.rb +2 -2
- data/lib/abstract_controller/helpers.rb +105 -90
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +8 -2
- data/lib/action_controller.rb +2 -3
- data/lib/action_controller/api.rb +2 -2
- data/lib/action_controller/base.rb +4 -2
- data/lib/action_controller/caching.rb +0 -1
- data/lib/action_controller/log_subscriber.rb +3 -3
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/metal/conditional_get.rb +11 -3
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +2 -4
- data/lib/action_controller/metal/exceptions.rb +33 -0
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +11 -1
- data/lib/action_controller/metal/http_authentication.rb +4 -2
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -9
- data/lib/action_controller/metal/live.rb +1 -1
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +6 -2
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +14 -8
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +1 -1
- data/lib/action_controller/metal/rendering.rb +6 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +48 -24
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +103 -15
- data/lib/action_controller/renderer.rb +24 -13
- data/lib/action_controller/test_case.rb +62 -56
- data/lib/action_dispatch.rb +3 -2
- data/lib/action_dispatch/http/cache.rb +12 -10
- data/lib/action_dispatch/http/content_disposition.rb +2 -2
- data/lib/action_dispatch/http/content_security_policy.rb +5 -1
- data/lib/action_dispatch/http/filter_parameters.rb +1 -1
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +3 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +20 -8
- data/lib/action_dispatch/http/mime_type.rb +28 -15
- data/lib/action_dispatch/http/parameters.rb +1 -19
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +26 -8
- data/lib/action_dispatch/http/response.rb +17 -16
- data/lib/action_dispatch/http/url.rb +3 -2
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/journey/formatter.rb +53 -28
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +4 -3
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +13 -18
- data/lib/action_dispatch/journey/route.rb +7 -18
- data/lib/action_dispatch/journey/router.rb +26 -30
- data/lib/action_dispatch/journey/router/utils.rb +6 -4
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +2 -2
- data/lib/action_dispatch/middleware/cookies.rb +74 -33
- data/lib/action_dispatch/middleware/debug_exceptions.rb +10 -17
- data/lib/action_dispatch/middleware/debug_view.rb +1 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +29 -17
- data/lib/action_dispatch/middleware/host_authorization.rb +25 -5
- data/lib/action_dispatch/middleware/public_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
- data/lib/action_dispatch/middleware/request_id.rb +4 -5
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +2 -0
- data/lib/action_dispatch/middleware/ssl.rb +12 -7
- data/lib/action_dispatch/middleware/stack.rb +18 -0
- data/lib/action_dispatch/middleware/static.rb +154 -93
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +21 -1
- data/lib/action_dispatch/railtie.rb +3 -2
- data/lib/action_dispatch/request/session.rb +2 -8
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +8 -7
- data/lib/action_dispatch/routing/mapper.rb +102 -71
- data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
- data/lib/action_dispatch/routing/redirection.rb +3 -3
- data/lib/action_dispatch/routing/route_set.rb +49 -41
- data/lib/action_dispatch/routing/url_for.rb +1 -0
- data/lib/action_dispatch/system_test_case.rb +29 -24
- data/lib/action_dispatch/system_testing/browser.rb +33 -27
- data/lib/action_dispatch/system_testing/driver.rb +6 -7
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/assertions/response.rb +2 -4
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/integration.rb +38 -27
- data/lib/action_dispatch/testing/test_process.rb +29 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_pack.rb +1 -1
- data/lib/action_pack/gem_version.rb +3 -3
- metadata +18 -19
- data/lib/action_controller/metal/force_ssl.rb +0 -58
- data/lib/action_dispatch/http/parameter_filter.rb +0 -12
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3e18f4e0dba4fd1daa12ad504b7846ed7c35d319d793d8a999719c5f454a3a55
|
4
|
+
data.tar.gz: 34eca75e2ce98348b71a0138e46ff0bcbd3b2bd26888eff928c15cb5b20779a7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 73a46bd410d9b4d54b56d19c0f0ac5d47ac799566ba950af6bfeff17cdc370336cccd9c4b46ab8ab8dc9fca16d30b808193d496f05374f1dfd78fdd5b3b5753f
|
7
|
+
data.tar.gz: ce290325486805965e58919f0aabc7a702604a0495eb7028eb94be089b82ec9684eec54472842a72eabc9b79656f0012887cf217f82cf4ca0bf2e546634adadc
|
data/CHANGELOG.md
CHANGED
@@ -1,386 +1,437 @@
|
|
1
|
-
## Rails 6.
|
1
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
4
4
|
|
5
|
+
*Janko Marohnić*
|
5
6
|
|
6
|
-
|
7
|
-
|
8
|
-
* No changes.
|
7
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
9
8
|
|
9
|
+
*Eugene Kenny*
|
10
10
|
|
11
|
-
## Rails 6.0.3.2 (June 17, 2020) ##
|
12
11
|
|
13
|
-
|
12
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
14
13
|
|
15
|
-
|
14
|
+
* Fix nil translation key lookup in controllers/
|
16
15
|
|
17
|
-
*
|
16
|
+
*Jan Klimo*
|
18
17
|
|
19
|
-
*
|
18
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
20
19
|
|
21
|
-
|
20
|
+
*Alex Robbin*
|
22
21
|
|
23
|
-
*
|
22
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
24
23
|
|
25
|
-
|
26
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
27
|
-
from being correctly counted and reported.
|
24
|
+
*Alex Robbin*
|
28
25
|
|
29
|
-
Child sessions now have their `attr_accessor` overriden to delegate to the
|
30
|
-
root session.
|
31
26
|
|
32
|
-
|
27
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
33
28
|
|
34
|
-
|
29
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
30
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
35
31
|
|
32
|
+
```ruby
|
33
|
+
Rails.application.config.permissions_policy do |p|
|
34
|
+
p.camera :none
|
35
|
+
p.gyroscope :none
|
36
|
+
p.microphone :none
|
37
|
+
p.usb :none
|
38
|
+
p.fullscreen :self
|
39
|
+
p.payment :self, "https://secure-example.com"
|
40
|
+
end
|
41
|
+
```
|
36
42
|
|
37
|
-
|
43
|
+
*Julien Grillot*
|
38
44
|
|
39
|
-
*
|
45
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
40
46
|
|
47
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
41
48
|
|
42
|
-
|
49
|
+
*Chris Bisnett*
|
43
50
|
|
44
|
-
*
|
51
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
52
|
+
the unique X-Request-Id header
|
45
53
|
|
46
|
-
|
47
|
-
gem dalli to be updated as well.
|
54
|
+
*Arlston Fernandes*
|
48
55
|
|
49
|
-
|
56
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
50
57
|
|
58
|
+
*Rafael Mendonça França*
|
51
59
|
|
52
|
-
|
60
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
53
61
|
|
54
|
-
*
|
62
|
+
*Rafael Mendonça França*
|
55
63
|
|
56
|
-
|
64
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
57
65
|
|
66
|
+
*Rafael Mendonça França*
|
58
67
|
|
59
|
-
|
68
|
+
* Added support for exclusive no-store Cache-Control header.
|
60
69
|
|
61
|
-
|
62
|
-
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
63
|
-
system tests.
|
70
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
64
71
|
|
65
|
-
*
|
72
|
+
*Chris Kruger*
|
66
73
|
|
67
|
-
*
|
74
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
68
75
|
|
69
|
-
|
70
|
-
|
71
|
-
```
|
76
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
77
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
72
78
|
|
73
|
-
*
|
79
|
+
*Adrianna Chang*
|
74
80
|
|
81
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
75
82
|
|
76
|
-
|
83
|
+
*Gannon McGibbon*
|
77
84
|
|
78
|
-
*
|
85
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
79
86
|
|
87
|
+
*Alan Tan*, *Oz Ben-David*
|
80
88
|
|
81
|
-
|
89
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
90
|
+
a 308 redirection.
|
82
91
|
|
83
|
-
*
|
92
|
+
*Alan Tan*
|
84
93
|
|
85
|
-
|
94
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
95
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
86
96
|
|
87
|
-
*
|
97
|
+
*Jonathan Hefner*
|
88
98
|
|
89
|
-
*
|
99
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
90
100
|
|
91
|
-
|
92
|
-
|
93
|
-
ensures scope is kept both when the route takes parameters or when it
|
94
|
-
doesn't.
|
101
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
102
|
+
Brotli files are preferred due to much better compression.
|
95
103
|
|
96
|
-
|
104
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
105
|
+
we check for public/some.js.br and serve that file, if present, with
|
106
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
97
107
|
|
98
|
-
*
|
108
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
99
109
|
|
100
|
-
*
|
110
|
+
* Add raise_on_missing_translations support for controllers.
|
101
111
|
|
102
|
-
|
103
|
-
|
104
|
-
|
112
|
+
This configuration determines whether an error should be raised for missing translations.
|
113
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
114
|
+
configuration also affects raising error for missing translations in views.
|
105
115
|
|
106
|
-
|
107
|
-
instead.
|
116
|
+
*fatkodima*
|
108
117
|
|
109
|
-
|
110
|
-
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
111
|
-
value as before version, but its behavior is deprecate.
|
118
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
112
119
|
|
113
|
-
*
|
120
|
+
*Eugene Kenny*
|
114
121
|
|
115
|
-
* Calling `
|
116
|
-
|
122
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
123
|
+
without passing a block now returns an enumerator.
|
117
124
|
|
118
125
|
*Eugene Kenny*
|
119
126
|
|
120
|
-
*
|
127
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
121
128
|
|
122
|
-
|
129
|
+
Previously the path had to be relative to `fixture_path`.
|
130
|
+
You can change your existing code as follow:
|
123
131
|
|
132
|
+
```ruby
|
133
|
+
# Before
|
134
|
+
fixture_file_upload('files/dog.png')
|
124
135
|
|
125
|
-
|
136
|
+
# After
|
137
|
+
fixture_file_upload('dog.png')
|
138
|
+
```
|
126
139
|
|
127
|
-
*
|
128
|
-
rather than an `after_teardown` hook.
|
140
|
+
*Edouard Chin*
|
129
141
|
|
130
|
-
|
131
|
-
the screenshot is taken (reducing the time in which the page could have
|
132
|
-
been dynamically updated after the assertion failed).
|
142
|
+
* Remove deprecated `force_ssl` at the controller level.
|
133
143
|
|
134
|
-
*
|
144
|
+
*Rafael Mendonça França*
|
135
145
|
|
136
|
-
*
|
146
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
147
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
137
148
|
|
138
|
-
|
139
|
-
|
149
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
150
|
+
always pass a module object:
|
140
151
|
|
141
|
-
|
152
|
+
```ruby
|
153
|
+
helper UtilsHelper
|
154
|
+
```
|
142
155
|
|
143
|
-
|
156
|
+
which is recommended because it is simple and direct. When a string/symbol
|
157
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
158
|
+
that same module object.
|
144
159
|
|
145
|
-
*
|
160
|
+
*Xavier Noria*, *Jean Boussier*
|
146
161
|
|
147
|
-
|
162
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
148
163
|
|
149
|
-
|
150
|
-
routes.draw do
|
151
|
-
resources :users, param: 'name/:sneaky'
|
152
|
-
end
|
153
|
-
```
|
164
|
+
*Nick Soracco*
|
154
165
|
|
155
|
-
|
166
|
+
* `url_for` will now use "https://" as the default protocol when
|
167
|
+
`Rails.application.config.force_ssl` is set to true.
|
156
168
|
|
157
|
-
*
|
169
|
+
*Jonathan Hefner*
|
158
170
|
|
171
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
159
172
|
|
160
|
-
|
173
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
174
|
+
them difficult to deal with. For example, the common practice of sending
|
175
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
176
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
161
177
|
|
162
|
-
|
178
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
179
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
180
|
+
for backwards compatibility.
|
163
181
|
|
182
|
+
*Scott Blum*
|
164
183
|
|
165
|
-
|
184
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
166
185
|
|
167
|
-
|
186
|
+
In a distributed configuration like rolling update, users may observe
|
187
|
+
both old and new instances during deployment. Users may be served by a
|
188
|
+
new instance and then by an old instance.
|
168
189
|
|
169
|
-
|
190
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
191
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
192
|
+
from `false` to `true`, users may lose their sessions if they access the
|
193
|
+
server during deployment.
|
170
194
|
|
171
|
-
|
172
|
-
|
195
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
196
|
+
deployment, ensuring compatibility on both old and new instances.
|
173
197
|
|
174
|
-
*
|
198
|
+
*Masaki Hara*
|
175
199
|
|
200
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
176
201
|
|
177
|
-
|
202
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
203
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
178
204
|
|
179
|
-
*
|
205
|
+
*Keenan Brock*
|
180
206
|
|
181
|
-
|
207
|
+
* Fix possible information leak / session hijacking vulnerability.
|
182
208
|
|
183
|
-
|
209
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
210
|
+
gem dalli to be updated as well.
|
184
211
|
|
185
|
-
|
186
|
-
`#successful?`, `not_found?` and `server_error?`.
|
212
|
+
CVE-2019-16782.
|
187
213
|
|
188
|
-
|
214
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
189
215
|
|
190
|
-
|
216
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
217
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
218
|
+
from being correctly counted and reported.
|
191
219
|
|
192
|
-
|
193
|
-
|
220
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
221
|
+
root session.
|
194
222
|
|
195
|
-
|
196
|
-
`Proc`, `IPAddr` and custom objects as host allowances.
|
223
|
+
Fixes #32142.
|
197
224
|
|
198
|
-
*
|
225
|
+
*Sam Bostock*
|
199
226
|
|
200
|
-
*
|
227
|
+
* Add SameSite protection to every written cookie.
|
201
228
|
|
202
|
-
|
203
|
-
|
229
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
230
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
204
231
|
|
205
|
-
|
206
|
-
class SomeControllerTest < ActionController::TestCase
|
207
|
-
def test_some_action
|
208
|
-
post :action, body: { foo: 'bar' }
|
209
|
-
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
210
|
-
end
|
211
|
-
end
|
212
|
-
```
|
232
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
213
233
|
|
214
|
-
|
234
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
215
235
|
|
216
|
-
|
236
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
217
237
|
|
218
|
-
|
238
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
219
239
|
|
220
|
-
|
221
|
-
same context instead of assigning nil names to subsequent roots.
|
240
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
222
241
|
|
223
|
-
*
|
242
|
+
*Cédric Fabianski*
|
224
243
|
|
225
|
-
*
|
244
|
+
* Bring back the feature that allows loading external route files from the router.
|
226
245
|
|
227
|
-
|
228
|
-
|
229
|
-
|
246
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
247
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
248
|
+
that this wasn't fully the case and loading external route files from the router
|
249
|
+
can be helpful for applications with a really large set of routes.
|
250
|
+
Without this feature, application needs to implement routes reloading
|
251
|
+
themselves and it's not straightforward.
|
252
|
+
|
253
|
+
```ruby
|
254
|
+
# config/routes.rb
|
255
|
+
|
256
|
+
Rails.application.routes.draw do
|
257
|
+
draw(:admin)
|
230
258
|
end
|
259
|
+
|
260
|
+
# config/routes/admin.rb
|
261
|
+
|
262
|
+
get :foo, to: 'foo#bar'
|
231
263
|
```
|
232
264
|
|
233
|
-
*
|
265
|
+
*Yehuda Katz*, *Edouard Chin*
|
234
266
|
|
235
|
-
*
|
267
|
+
* Fix system test driver option initialization for non-headless browsers.
|
236
268
|
|
237
|
-
|
238
|
-
in system test `after_teardown`.
|
269
|
+
*glaszig*
|
239
270
|
|
240
|
-
|
271
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
272
|
+
their payloads as `:request`.
|
241
273
|
|
242
|
-
*
|
274
|
+
*Austin Story*
|
243
275
|
|
244
|
-
|
245
|
-
|
246
|
-
when resolving dynamic CSP sources in this scenario.
|
276
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
277
|
+
request format but based on the block given.
|
247
278
|
|
248
|
-
|
279
|
+
Example:
|
249
280
|
|
250
|
-
|
281
|
+
```ruby
|
282
|
+
def my_action
|
283
|
+
respond_to do |format|
|
284
|
+
format.any { render(json: { foo: 'bar' }) }
|
285
|
+
end
|
286
|
+
end
|
251
287
|
|
252
|
-
|
288
|
+
get('my_action.csv')
|
289
|
+
```
|
253
290
|
|
254
|
-
|
255
|
-
|
291
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
292
|
+
is inaccurate since a JSON response is being rendered.
|
256
293
|
|
257
|
-
|
294
|
+
Now it correctly returns a `application/json` Content-Type.
|
258
295
|
|
259
|
-
|
296
|
+
*Edouard Chin*
|
260
297
|
|
261
|
-
|
298
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
262
299
|
|
263
|
-
|
300
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
301
|
+
nested directory, causing issues with `tmp:clear`.
|
264
302
|
|
265
|
-
|
303
|
+
*Damir Zekic*
|
266
304
|
|
267
|
-
|
305
|
+
* Add `params.member?` to mimic Hash behavior.
|
268
306
|
|
269
|
-
*
|
307
|
+
*Younes Serraj*
|
270
308
|
|
271
|
-
|
309
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
272
310
|
|
273
|
-
*
|
311
|
+
* `:request` - the `ActionDispatch::Request`
|
312
|
+
* `:response` - the `ActionDispatch::Response`
|
274
313
|
|
275
|
-
*
|
314
|
+
*George Claghorn*
|
276
315
|
|
277
|
-
*
|
278
|
-
|
279
|
-
|
280
|
-
garbled.
|
281
|
-
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
282
|
-
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
283
|
-
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
284
|
-
Most browsers can find filename correctly and old browsers fallback to ASCII
|
285
|
-
converted name.
|
316
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
317
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
318
|
+
from.
|
286
319
|
|
287
|
-
|
320
|
+
Fixes #37383.
|
288
321
|
|
289
|
-
*
|
290
|
-
keys without allocating an array.
|
322
|
+
*Norm Provost*
|
291
323
|
|
292
|
-
|
324
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
293
325
|
|
294
|
-
|
326
|
+
```ruby
|
327
|
+
# Use the debug level if a particular cookie is set.
|
328
|
+
class ApplicationController < ActionController::Base
|
329
|
+
log_at :debug, if: -> { cookies[:debug] }
|
330
|
+
end
|
331
|
+
```
|
295
332
|
|
296
|
-
|
297
|
-
of a cookie and use it as the value of another cookie.
|
333
|
+
*George Claghorn*
|
298
334
|
|
299
|
-
|
300
|
-
|
301
|
-
read, we verify the cookie-names and discard any attacked cookies.
|
335
|
+
* Allow system test screen shots to be taken more than once in
|
336
|
+
a test by prefixing the file name with an incrementing counter.
|
302
337
|
|
303
|
-
|
304
|
-
|
338
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
339
|
+
enable saving of HTML during a screenshot in addition to the image.
|
340
|
+
This uses the same image name, with the extension replaced with `.html`
|
305
341
|
|
306
|
-
*
|
342
|
+
*Tom Fakes*
|
307
343
|
|
308
|
-
*
|
344
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
309
345
|
|
310
|
-
|
311
|
-
|
346
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
347
|
+
header to determine what to return. And if we don't add `Vary`
|
348
|
+
in the response header, browsers might accidentally cache different
|
349
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
350
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
351
|
+
in these types of requests. For more detailed problem description, please read:
|
312
352
|
|
313
|
-
|
314
|
-
outer_type.js do
|
315
|
-
respond_to do |inner_type|
|
316
|
-
inner_type.html { render body: "HTML" }
|
317
|
-
end
|
318
|
-
end
|
319
|
-
end
|
353
|
+
https://github.com/rails/rails/pull/36213
|
320
354
|
|
321
|
-
|
355
|
+
Fixes #25842.
|
322
356
|
|
323
|
-
*
|
357
|
+
*Stan Lo*
|
324
358
|
|
325
|
-
|
326
|
-
|
359
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
360
|
+
a 307 redirection.
|
327
361
|
|
328
|
-
|
329
|
-
File.read(uploaded_file)
|
362
|
+
*Edouard Chin*
|
330
363
|
|
331
|
-
|
364
|
+
* System tests require Capybara 3.26 or newer.
|
332
365
|
|
333
|
-
*
|
366
|
+
*George Claghorn*
|
334
367
|
|
335
|
-
|
336
|
-
`get` method. This for example allows to set custom headers for the
|
337
|
-
redirection request to the server.
|
368
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
338
369
|
|
339
|
-
|
370
|
+
*Alberto Fernández-Capel*
|
340
371
|
|
341
|
-
|
372
|
+
* Add DSL for configuring HTTP Feature Policy.
|
342
373
|
|
343
|
-
|
374
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
375
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
376
|
+
specification and guidelines can be found at MDN:
|
344
377
|
|
345
|
-
|
346
|
-
one informative page.
|
378
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
347
379
|
|
348
|
-
|
380
|
+
Example global policy:
|
349
381
|
|
350
|
-
|
382
|
+
```ruby
|
383
|
+
Rails.application.config.feature_policy do |f|
|
384
|
+
f.camera :none
|
385
|
+
f.gyroscope :none
|
386
|
+
f.microphone :none
|
387
|
+
f.usb :none
|
388
|
+
f.fullscreen :self
|
389
|
+
f.payment :self, "https://secure.example.com"
|
390
|
+
end
|
391
|
+
```
|
351
392
|
|
352
|
-
|
353
|
-
`.register_interceptor` method to get the processed exception, instead of
|
354
|
-
monkey patching DebugExceptions.
|
393
|
+
Example controller level policy:
|
355
394
|
|
356
|
-
|
357
|
-
|
358
|
-
|
395
|
+
```ruby
|
396
|
+
class PagesController < ApplicationController
|
397
|
+
feature_policy do |p|
|
398
|
+
p.geolocation "https://example.com"
|
399
|
+
end
|
400
|
+
end
|
401
|
+
```
|
359
402
|
|
360
|
-
*
|
403
|
+
*Jacob Bednarz*
|
361
404
|
|
362
|
-
*
|
405
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
363
406
|
|
364
|
-
Fixes #
|
407
|
+
Fixes #35137.
|
365
408
|
|
366
|
-
*
|
409
|
+
*Yuji Yaginuma*
|
367
410
|
|
368
|
-
*
|
411
|
+
* Keep part when scope option has value.
|
369
412
|
|
370
|
-
|
413
|
+
When a route was defined within an optional scope, if that route didn't
|
414
|
+
take parameters the scope was lost when using path helpers. This commit
|
415
|
+
ensures scope is kept both when the route takes parameters or when it
|
416
|
+
doesn't.
|
371
417
|
|
372
|
-
|
418
|
+
Fixes #33219.
|
373
419
|
|
374
|
-
*
|
420
|
+
*Alberto Almagro*
|
421
|
+
|
422
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
375
423
|
|
376
|
-
*
|
377
|
-
`config.force_ssl`.
|
424
|
+
*Gustavo Gutierrez*
|
378
425
|
|
379
|
-
|
426
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
427
|
+
an enumerator for the parameters instead of the underlying hash.
|
428
|
+
|
429
|
+
*Eugene Kenny*
|
380
430
|
|
381
|
-
*
|
431
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
432
|
+
It should only block invalid key's values instead.
|
382
433
|
|
383
|
-
*
|
434
|
+
*Stan Lo*
|
384
435
|
|
385
436
|
|
386
|
-
Please check [
|
437
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|