actionpack 6.0.3 → 6.1.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (115) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +260 -215
  3. data/MIT-LICENSE +1 -1
  4. data/lib/abstract_controller.rb +1 -0
  5. data/lib/abstract_controller/base.rb +35 -2
  6. data/lib/abstract_controller/callbacks.rb +2 -2
  7. data/lib/abstract_controller/helpers.rb +105 -90
  8. data/lib/abstract_controller/rendering.rb +9 -9
  9. data/lib/abstract_controller/translation.rb +8 -2
  10. data/lib/action_controller.rb +2 -3
  11. data/lib/action_controller/api.rb +2 -2
  12. data/lib/action_controller/base.rb +4 -2
  13. data/lib/action_controller/caching.rb +0 -1
  14. data/lib/action_controller/log_subscriber.rb +3 -3
  15. data/lib/action_controller/metal.rb +2 -2
  16. data/lib/action_controller/metal/conditional_get.rb +10 -2
  17. data/lib/action_controller/metal/content_security_policy.rb +1 -1
  18. data/lib/action_controller/metal/cookies.rb +3 -1
  19. data/lib/action_controller/metal/data_streaming.rb +1 -1
  20. data/lib/action_controller/metal/etag_with_template_digest.rb +2 -4
  21. data/lib/action_controller/metal/exceptions.rb +33 -0
  22. data/lib/action_controller/metal/head.rb +7 -4
  23. data/lib/action_controller/metal/helpers.rb +11 -1
  24. data/lib/action_controller/metal/http_authentication.rb +4 -2
  25. data/lib/action_controller/metal/implicit_render.rb +1 -1
  26. data/lib/action_controller/metal/instrumentation.rb +11 -9
  27. data/lib/action_controller/metal/live.rb +1 -1
  28. data/lib/action_controller/metal/logging.rb +20 -0
  29. data/lib/action_controller/metal/mime_responds.rb +6 -2
  30. data/lib/action_controller/metal/parameter_encoding.rb +35 -4
  31. data/lib/action_controller/metal/params_wrapper.rb +14 -8
  32. data/lib/action_controller/metal/permissions_policy.rb +46 -0
  33. data/lib/action_controller/metal/redirecting.rb +1 -1
  34. data/lib/action_controller/metal/rendering.rb +6 -0
  35. data/lib/action_controller/metal/request_forgery_protection.rb +74 -30
  36. data/lib/action_controller/metal/rescue.rb +1 -1
  37. data/lib/action_controller/metal/strong_parameters.rb +107 -15
  38. data/lib/action_controller/renderer.rb +24 -13
  39. data/lib/action_controller/test_case.rb +62 -56
  40. data/lib/action_dispatch.rb +3 -2
  41. data/lib/action_dispatch/http/cache.rb +12 -10
  42. data/lib/action_dispatch/http/content_disposition.rb +2 -2
  43. data/lib/action_dispatch/http/content_security_policy.rb +5 -1
  44. data/lib/action_dispatch/http/filter_parameters.rb +1 -1
  45. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  46. data/lib/action_dispatch/http/headers.rb +3 -2
  47. data/lib/action_dispatch/http/mime_negotiation.rb +20 -8
  48. data/lib/action_dispatch/http/mime_type.rb +28 -15
  49. data/lib/action_dispatch/http/parameters.rb +1 -19
  50. data/lib/action_dispatch/http/permissions_policy.rb +173 -0
  51. data/lib/action_dispatch/http/request.rb +26 -8
  52. data/lib/action_dispatch/http/response.rb +17 -16
  53. data/lib/action_dispatch/http/url.rb +3 -2
  54. data/lib/action_dispatch/journey.rb +0 -2
  55. data/lib/action_dispatch/journey/formatter.rb +53 -28
  56. data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
  57. data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
  58. data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
  59. data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
  60. data/lib/action_dispatch/journey/nodes/node.rb +4 -3
  61. data/lib/action_dispatch/journey/parser.rb +13 -13
  62. data/lib/action_dispatch/journey/parser.y +1 -1
  63. data/lib/action_dispatch/journey/path/pattern.rb +13 -18
  64. data/lib/action_dispatch/journey/route.rb +7 -18
  65. data/lib/action_dispatch/journey/router.rb +26 -30
  66. data/lib/action_dispatch/journey/router/utils.rb +6 -4
  67. data/lib/action_dispatch/middleware/actionable_exceptions.rb +9 -2
  68. data/lib/action_dispatch/middleware/cookies.rb +74 -33
  69. data/lib/action_dispatch/middleware/debug_exceptions.rb +10 -17
  70. data/lib/action_dispatch/middleware/debug_view.rb +1 -1
  71. data/lib/action_dispatch/middleware/exception_wrapper.rb +29 -17
  72. data/lib/action_dispatch/middleware/host_authorization.rb +25 -5
  73. data/lib/action_dispatch/middleware/public_exceptions.rb +1 -1
  74. data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
  75. data/lib/action_dispatch/middleware/request_id.rb +4 -5
  76. data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
  77. data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
  78. data/lib/action_dispatch/middleware/ssl.rb +9 -6
  79. data/lib/action_dispatch/middleware/stack.rb +18 -0
  80. data/lib/action_dispatch/middleware/static.rb +154 -93
  81. data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
  82. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
  83. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
  84. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  85. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
  86. data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
  87. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +12 -1
  88. data/lib/action_dispatch/railtie.rb +3 -2
  89. data/lib/action_dispatch/request/session.rb +2 -8
  90. data/lib/action_dispatch/request/utils.rb +26 -2
  91. data/lib/action_dispatch/routing/inspector.rb +8 -7
  92. data/lib/action_dispatch/routing/mapper.rb +102 -71
  93. data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
  94. data/lib/action_dispatch/routing/redirection.rb +3 -3
  95. data/lib/action_dispatch/routing/route_set.rb +49 -41
  96. data/lib/action_dispatch/routing/url_for.rb +1 -0
  97. data/lib/action_dispatch/system_test_case.rb +29 -24
  98. data/lib/action_dispatch/system_testing/browser.rb +33 -27
  99. data/lib/action_dispatch/system_testing/driver.rb +6 -7
  100. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
  101. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
  102. data/lib/action_dispatch/testing/assertions.rb +1 -1
  103. data/lib/action_dispatch/testing/assertions/response.rb +2 -4
  104. data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
  105. data/lib/action_dispatch/testing/integration.rb +38 -27
  106. data/lib/action_dispatch/testing/test_process.rb +29 -4
  107. data/lib/action_dispatch/testing/test_request.rb +3 -3
  108. data/lib/action_pack.rb +1 -1
  109. data/lib/action_pack/gem_version.rb +2 -2
  110. metadata +18 -19
  111. data/lib/action_controller/metal/force_ssl.rb +0 -58
  112. data/lib/action_dispatch/http/parameter_filter.rb +0 -12
  113. data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
  114. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
  115. data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 83e2bf0b5fc55b0a124c11102a56872aee141828a3cfe5cd23ed4fade856a989
4
- data.tar.gz: 3b647d17bd0ed5076ac0a12966cdfa271b1a4e67a680df373c0553beeaab83c3
3
+ metadata.gz: f5c07812b199dbd709dd68cf20c6fc356ba02969718d9f943e8f568615563592
4
+ data.tar.gz: ecd71be0281fdc31cafb3ab68a0dadf5eeee2bacd5ea4a88251b96823e18a866
5
5
  SHA512:
6
- metadata.gz: c7ff17b8e1abc4205e8c52f741a09b77cac48df7343db0d5c76d8946e47ac51d41b182b464e19e3c3de2004e558dd5161bbbb1c8c45f33efeda0ab1037d28111
7
- data.tar.gz: be46931210b005daf32e2c9f7408a050e41806d554d1b5d24056557a84bd76ebc20911a83ef1c8e727c43798f4ff3836acd03d82a4f07ae3562be52346a051a8
6
+ metadata.gz: e2d28b6ede8bab6b1b59aedc9224a1a33d12c9a1c4f8b6a37acbe9ea1918a531801735483767df679c32dee43410d43d6e1128a35c863171b4c2ab228ddda9f1
7
+ data.tar.gz: 5a4e97d5960a4529644ff60a2c30a87f9ff40135da46f22950ee5e7d58ac7d1d62936be19155e05a07e81914464581c35bf6e1810dc60721e12f12f2d834292a
data/CHANGELOG.md CHANGED
@@ -1,366 +1,411 @@
1
- ## Rails 6.0.3 (May 06, 2020) ##
1
+ ## Rails 6.1.0 (December 09, 2020) ##
2
2
 
3
- * Include child session assertion count in ActionDispatch::IntegrationTest
3
+ * Support for the HTTP header `Feature-Policy` has been revised to reflect
4
+ its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
4
5
 
5
- `IntegrationTest#open_session` uses `dup` to create the new session, which
6
- meant it had its own copy of `@assertions`. This prevented the assertions
7
- from being correctly counted and reported.
6
+ ```ruby
7
+ Rails.application.config.permissions_policy do |p|
8
+ p.camera :none
9
+ p.gyroscope :none
10
+ p.microphone :none
11
+ p.usb :none
12
+ p.fullscreen :self
13
+ p.payment :self, "https://secure-example.com"
14
+ end
15
+ ```
8
16
 
9
- Child sessions now have their `attr_accessor` overriden to delegate to the
10
- root session.
17
+ *Julien Grillot*
11
18
 
12
- Fixes #32142
19
+ * Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
13
20
 
14
- *Sam Bostock*
21
+ Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
15
22
 
23
+ *Chris Bisnett*
16
24
 
17
- ## Rails 6.0.2.2 (March 19, 2020) ##
25
+ * Add `config.action_dispatch.request_id_header` to allow changing the name of
26
+ the unique X-Request-Id header
18
27
 
19
- * No changes.
28
+ *Arlston Fernandes*
20
29
 
30
+ * Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
21
31
 
22
- ## Rails 6.0.2.1 (December 18, 2019) ##
32
+ *Rafael Mendonça França*
23
33
 
24
- * Fix possible information leak / session hijacking vulnerability.
34
+ * Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
25
35
 
26
- The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
27
- gem dalli to be updated as well.
36
+ *Rafael Mendonça França*
28
37
 
29
- CVE-2019-16782.
38
+ * Remove deprecated `ActionDispatch::Http::ParameterFilter`.
30
39
 
40
+ *Rafael Mendonça França*
31
41
 
32
- ## Rails 6.0.2 (December 13, 2019) ##
42
+ * Added support for exclusive no-store Cache-Control header.
33
43
 
34
- * Allow using mountable engine route helpers in System Tests.
44
+ If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
35
45
 
36
- *Chalo Fernandez*
46
+ *Chris Kruger*
37
47
 
48
+ * Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
38
49
 
39
- ## Rails 6.0.1 (November 5, 2019) ##
50
+ Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
51
+ `ActionDispatch::Http::Request#POST` prior to validating encoding.
40
52
 
41
- * `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
42
- rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
43
- system tests.
53
+ *Adrianna Chang*
44
54
 
45
- *George Claghorn*, *Edouard Chin*
55
+ * Allow `assert_recognizes` routing assertions to work on mounted root routes.
46
56
 
47
- * Registered MIME types may contain extra flags:
57
+ *Gannon McGibbon*
48
58
 
49
- ```ruby
50
- Mime::Type.register "text/html; fragment", :html_fragment
51
- ```
59
+ * Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
52
60
 
53
- *Aaron Patterson*
61
+ *Alan Tan*, *Oz Ben-David*
54
62
 
63
+ * Fix `follow_redirect!` to follow redirection with same HTTP verb when following
64
+ a 308 redirection.
55
65
 
56
- ## Rails 6.0.0 (August 16, 2019) ##
66
+ *Alan Tan*
57
67
 
58
- * No changes.
68
+ * When multiple domains are specified for a cookie, a domain will now be
69
+ chosen only if it is equal to or is a superdomain of the request host.
59
70
 
71
+ *Jonathan Hefner*
60
72
 
61
- ## Rails 6.0.0.rc2 (July 22, 2019) ##
73
+ * `ActionDispatch::Static` handles precompiled Brotli (.br) files.
62
74
 
63
- * Add the ability to set the CSP nonce only to the specified directives.
75
+ Adds to existing support for precompiled gzip (.gz) files.
76
+ Brotli files are preferred due to much better compression.
64
77
 
65
- Fixes #35137.
78
+ When the browser requests /some.js with `Accept-Encoding: br`,
79
+ we check for public/some.js.br and serve that file, if present, with
80
+ `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
66
81
 
67
- *Yuji Yaginuma*
82
+ *Ryan Edward Hall*, *Jeremy Daer*
68
83
 
69
- * Keep part when scope option has value.
84
+ * Add raise_on_missing_translations support for controllers.
70
85
 
71
- When a route was defined within an optional scope, if that route didn't
72
- take parameters the scope was lost when using path helpers. This commit
73
- ensures scope is kept both when the route takes parameters or when it
74
- doesn't.
86
+ This configuration determines whether an error should be raised for missing translations.
87
+ It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
88
+ configuration also affects raising error for missing translations in views.
75
89
 
76
- Fixes #33219
90
+ *fatkodima*
77
91
 
78
- *Alberto Almagro*
92
+ * Added `compact` and `compact!` to `ActionController::Parameters`.
79
93
 
80
- * Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
94
+ *Eugene Kenny*
81
95
 
82
- Previously, `ActionDispatch::Response#content_type` returned value does NOT
83
- contain charset part. This behavior changed to returned Content-Type header
84
- containing charset part as it is.
96
+ * Calling `each_pair` or `each_value` on an `ActionController::Parameters`
97
+ without passing a block now returns an enumerator.
85
98
 
86
- If you want just MIME type, please use `ActionDispatch::Response#media_type`
87
- instead.
99
+ *Eugene Kenny*
88
100
 
89
- Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
90
- If not enabled, `ActionDispatch::Response#content_type` returns the same
91
- value as before version, but its behavior is deprecate.
101
+ * `fixture_file_upload` now uses path relative to `file_fixture_path`
92
102
 
93
- *Yuji Yaginuma*
103
+ Previously the path had to be relative to `fixture_path`.
104
+ You can change your existing code as follow:
94
105
 
95
- * Calling `ActionController::Parameters#transform_keys/!` without a block now returns
96
- an enumerator for the parameters instead of the underlying hash.
106
+ ```ruby
107
+ # Before
108
+ fixture_file_upload('files/dog.png')
97
109
 
98
- *Eugene Kenny*
110
+ # After
111
+ fixture_file_upload('dog.png')
112
+ ```
99
113
 
100
- * Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
114
+ *Edouard Chin*
101
115
 
102
- *Yuki Nishijima*, *Stan Lo*
116
+ * Remove deprecated `force_ssl` at the controller level.
103
117
 
118
+ *Rafael Mendonça França*
104
119
 
105
- ## Rails 6.0.0.rc1 (April 24, 2019) ##
120
+ * The +helper+ class method for controllers loads helper modules specified as
121
+ strings/symbols with `String#constantize` instead of `require_dependency`.
106
122
 
107
- * Make system tests take a failed screenshot in a `before_teardown` hook
108
- rather than an `after_teardown` hook.
123
+ Remember that support for strings/symbols is only a convenient API. You can
124
+ always pass a module object:
109
125
 
110
- This helps minimize the time gap between when an assertion fails and when
111
- the screenshot is taken (reducing the time in which the page could have
112
- been dynamically updated after the assertion failed).
126
+ ```ruby
127
+ helper UtilsHelper
128
+ ```
113
129
 
114
- *Richard Macklin*
130
+ which is recommended because it is simple and direct. When a string/symbol
131
+ is received, `helper` just manipulates and inflects the argument to obtain
132
+ that same module object.
115
133
 
116
- * Introduce `ActionDispatch::ActionableExceptions`.
134
+ *Xavier Noria*, *Jean Boussier*
117
135
 
118
- The `ActionDispatch::ActionableExceptions` middleware dispatches actions
119
- from `ActiveSupport::ActionableError` descendants.
136
+ * Correctly identify the entire localhost IPv4 range as trusted proxy.
120
137
 
121
- Actionable errors let's you dispatch actions from Rails' error pages.
138
+ *Nick Soracco*
122
139
 
123
- *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
140
+ * `url_for` will now use "https://" as the default protocol when
141
+ `Rails.application.config.force_ssl` is set to true.
124
142
 
125
- * Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
143
+ *Jonathan Hefner*
126
144
 
127
- After this change it's not possible anymore to configure routes like this:
145
+ * Accept and default to base64_urlsafe CSRF tokens.
128
146
 
129
- ```
130
- routes.draw do
131
- resources :users, param: 'name/:sneaky'
132
- end
133
- ```
147
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
148
+ them difficult to deal with. For example, the common practice of sending
149
+ the CSRF token to a browser in a client-readable cookie does not work properly
150
+ out of the box: the value has to be url-encoded and decoded to survive transport.
134
151
 
135
- Fixes #30467.
152
+ Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
153
+ to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
154
+ for backwards compatibility.
136
155
 
137
- *Josua Schmid*
156
+ *Scott Blum*
138
157
 
158
+ * Support rolling deploys for cookie serialization/encryption changes.
139
159
 
140
- ## Rails 6.0.0.beta3 (March 11, 2019) ##
160
+ In a distributed configuration like rolling update, users may observe
161
+ both old and new instances during deployment. Users may be served by a
162
+ new instance and then by an old instance.
141
163
 
142
- * No changes.
164
+ That means when the server changes `cookies_serializer` from `:marshal`
165
+ to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
166
+ from `false` to `true`, users may lose their sessions if they access the
167
+ server during deployment.
143
168
 
169
+ We added fallbacks to downgrade the cookie format when necessary during
170
+ deployment, ensuring compatibility on both old and new instances.
144
171
 
145
- ## Rails 6.0.0.beta2 (February 25, 2019) ##
172
+ *Masaki Hara*
146
173
 
147
- * Make debug exceptions works in an environment where ActiveStorage is not loaded.
174
+ * `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
148
175
 
149
- *Tomoyuki Kurosawa*
176
+ Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
177
+ Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
150
178
 
151
- * `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
152
- to define specific browser capabilities.
179
+ *Keenan Brock*
153
180
 
154
- *Edouard Chin*
181
+ * Fix possible information leak / session hijacking vulnerability.
155
182
 
183
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
184
+ gem dalli to be updated as well.
156
185
 
157
- ## Rails 6.0.0.beta1 (January 18, 2019) ##
186
+ CVE-2019-16782.
158
187
 
159
- * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
188
+ * Include child session assertion count in ActionDispatch::IntegrationTest.
160
189
 
161
- *Rafael Mendonça França*
190
+ `IntegrationTest#open_session` uses `dup` to create the new session, which
191
+ meant it had its own copy of `@assertions`. This prevented the assertions
192
+ from being correctly counted and reported.
162
193
 
163
- * Remove deprecated methods in `ActionDispatch::TestResponse`.
194
+ Child sessions now have their `attr_accessor` overridden to delegate to the
195
+ root session.
164
196
 
165
- `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
166
- `#successful?`, `not_found?` and `server_error?`.
197
+ Fixes #32142.
167
198
 
168
- *Rafael Mendonça França*
199
+ *Sam Bostock*
169
200
 
170
- * Introduce `ActionDispatch::HostAuthorization`.
201
+ * Add SameSite protection to every written cookie.
171
202
 
172
- This is a new middleware that guards against DNS rebinding attacks by
173
- explicitly permitting the hosts a request can be made to.
203
+ Enabling `SameSite` cookie protection is an addition to CSRF protection,
204
+ where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
174
205
 
175
- Each host is checked with the case operator (`#===`) to support `Regexp`,
176
- `Proc`, `IPAddr` and custom objects as host allowances.
206
+ `:strict` disables cookies being sent in cross-site GET or POST requests.
177
207
 
178
- *Genadi Samokovarov*
208
+ Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
179
209
 
180
- * Allow using `parsed_body` in `ActionController::TestCase`.
210
+ See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
181
211
 
182
- In addition to `ActionDispatch::IntegrationTest`, allow using
183
- `parsed_body` in `ActionController::TestCase`:
212
+ More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
184
213
 
185
- ```
186
- class SomeControllerTest < ActionController::TestCase
187
- def test_some_action
188
- post :action, body: { foo: 'bar' }
189
- assert_equal({ "foo" => "bar" }, response.parsed_body)
190
- end
191
- end
192
- ```
214
+ _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
193
215
 
194
- Fixes #34676.
216
+ *Cédric Fabianski*
195
217
 
196
- *Tobias Bühlmann*
218
+ * Bring back the feature that allows loading external route files from the router.
197
219
 
198
- * Raise an error on root route naming conflicts.
220
+ This feature existed back in 2012 but got reverted with the incentive that
221
+ https://github.com/rails/routing_concerns was a better approach. Turned out
222
+ that this wasn't fully the case and loading external route files from the router
223
+ can be helpful for applications with a really large set of routes.
224
+ Without this feature, application needs to implement routes reloading
225
+ themselves and it's not straightforward.
199
226
 
200
- Raises an `ArgumentError` when multiple root routes are defined in the
201
- same context instead of assigning nil names to subsequent roots.
227
+ ```ruby
228
+ # config/routes.rb
202
229
 
203
- *Gannon McGibbon*
230
+ Rails.application.routes.draw do
231
+ draw(:admin)
232
+ end
204
233
 
205
- * Allow rescue from parameter parse errors:
234
+ # config/routes/admin.rb
206
235
 
207
- ```
208
- rescue_from ActionDispatch::Http::Parameters::ParseError do
209
- head :unauthorized
210
- end
236
+ get :foo, to: 'foo#bar'
211
237
  ```
212
238
 
213
- *Gannon McGibbon*, *Josh Cheek*
239
+ *Yehuda Katz*, *Edouard Chin*
214
240
 
215
- * Reset Capybara sessions if failed system test screenshot raising an exception.
241
+ * Fix system test driver option initialization for non-headless browsers.
216
242
 
217
- Reset Capybara sessions if `take_failed_screenshot` raise exception
218
- in system test `after_teardown`.
243
+ *glaszig*
219
244
 
220
- *Maxim Perepelitsa*
245
+ * `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
246
+ their payloads as `:request`.
221
247
 
222
- * Use request object for context if there's no controller
248
+ *Austin Story*
223
249
 
224
- There is no controller instance when using a redirect route or a
225
- mounted rack application so pass the request object as the context
226
- when resolving dynamic CSP sources in this scenario.
250
+ * `respond_to#any` no longer returns a response's Content-Type based on the
251
+ request format but based on the block given.
227
252
 
228
- Fixes #34200.
253
+ Example:
229
254
 
230
- *Andrew White*
255
+ ```ruby
256
+ def my_action
257
+ respond_to do |format|
258
+ format.any { render(json: { foo: 'bar' }) }
259
+ end
260
+ end
231
261
 
232
- * Apply mapping to symbols returned from dynamic CSP sources
262
+ get('my_action.csv')
263
+ ```
264
+
265
+ The previous behaviour was to respond with a `text/csv` Content-Type which
266
+ is inaccurate since a JSON response is being rendered.
233
267
 
234
- Previously if a dynamic source returned a symbol such as :self it
235
- would be converted to a string implicitly, e.g:
268
+ Now it correctly returns a `application/json` Content-Type.
236
269
 
237
- policy.default_src -> { :self }
270
+ *Edouard Chin*
238
271
 
239
- would generate the header:
272
+ * Replaces (back)slashes in failure screenshot image paths with dashes.
240
273
 
241
- Content-Security-Policy: default-src self
274
+ If a failed test case contained a slash or a backslash, a screenshot would be created in a
275
+ nested directory, causing issues with `tmp:clear`.
242
276
 
243
- and now it generates:
277
+ *Damir Zekic*
244
278
 
245
- Content-Security-Policy: default-src 'self'
279
+ * Add `params.member?` to mimic Hash behavior.
246
280
 
247
- *Andrew White*
281
+ *Younes Serraj*
248
282
 
249
- * Add `ActionController::Parameters#each_value`.
283
+ * `process_action.action_controller` notifications now include the following in their payloads:
250
284
 
251
- *Lukáš Zapletal*
285
+ * `:request` - the `ActionDispatch::Request`
286
+ * `:response` - the `ActionDispatch::Response`
252
287
 
253
- * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
288
+ *George Claghorn*
254
289
 
255
- *Yoshiyuki Kinjo*
290
+ * Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
291
+ `remote_ip` to `nil` before setting the header that the value is derived
292
+ from.
256
293
 
257
- * Encode Content-Disposition filenames on `send_data` and `send_file`.
258
- Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
259
- `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
260
- garbled.
261
- Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
262
- [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
263
- `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
264
- Most browsers can find filename correctly and old browsers fallback to ASCII
265
- converted name.
294
+ Fixes #37383.
266
295
 
267
- *Fumiaki Matsushima*
296
+ *Norm Provost*
268
297
 
269
- * Expose `ActionController::Parameters#each_key` which allows iterating over
270
- keys without allocating an array.
298
+ * `ActionController::Base.log_at` allows setting a different log level per request.
299
+
300
+ ```ruby
301
+ # Use the debug level if a particular cookie is set.
302
+ class ApplicationController < ActionController::Base
303
+ log_at :debug, if: -> { cookies[:debug] }
304
+ end
305
+ ```
271
306
 
272
- *Richard Schneeman*
307
+ *George Claghorn*
273
308
 
274
- * Purpose metadata for signed/encrypted cookies.
309
+ * Allow system test screen shots to be taken more than once in
310
+ a test by prefixing the file name with an incrementing counter.
275
311
 
276
- Rails can now thwart attacks that attempt to copy signed/encrypted value
277
- of a cookie and use it as the value of another cookie.
312
+ Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
313
+ enable saving of HTML during a screenshot in addition to the image.
314
+ This uses the same image name, with the extension replaced with `.html`
278
315
 
279
- It does so by stashing the cookie-name in the purpose field which is
280
- then signed/encrypted along with the cookie value. Then, on a server-side
281
- read, we verify the cookie-names and discard any attacked cookies.
316
+ *Tom Fakes*
282
317
 
283
- Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
284
- writes cookies with the new purpose and expiry metadata embedded.
318
+ * Add `Vary: Accept` header when using `Accept` header for response.
285
319
 
286
- *Assain Jaleel*
320
+ For some requests like `/users/1`, Rails uses requests' `Accept`
321
+ header to determine what to return. And if we don't add `Vary`
322
+ in the response header, browsers might accidentally cache different
323
+ types of content, which would cause issues: e.g. javascript got displayed
324
+ instead of html content. This PR fixes these issues by adding `Vary: Accept`
325
+ in these types of requests. For more detailed problem description, please read:
287
326
 
288
- * Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
327
+ https://github.com/rails/rails/pull/36213
289
328
 
290
- `respond_to` can match multiple types and lead to undefined behavior when
291
- multiple invocations are made and the types do not match:
329
+ Fixes #25842.
292
330
 
293
- respond_to do |outer_type|
294
- outer_type.js do
295
- respond_to do |inner_type|
296
- inner_type.html { render body: "HTML" }
297
- end
298
- end
299
- end
331
+ *Stan Lo*
300
332
 
301
- *Patrick Toomey*
333
+ * Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
334
+ a 307 redirection.
302
335
 
303
- * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
336
+ *Edouard Chin*
304
337
 
305
- This allows uploaded file objects to be passed directly to `File.read`
306
- without raising a `TypeError`:
338
+ * System tests require Capybara 3.26 or newer.
307
339
 
308
- uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
309
- File.read(uploaded_file)
340
+ *George Claghorn*
310
341
 
311
- *Aaron Kromer*
342
+ * Reduced log noise handling ActionController::RoutingErrors.
312
343
 
313
- * Pass along arguments to underlying `get` method in `follow_redirect!`
344
+ *Alberto Fernández-Capel*
314
345
 
315
- Now all arguments passed to `follow_redirect!` are passed to the underlying
316
- `get` method. This for example allows to set custom headers for the
317
- redirection request to the server.
346
+ * Add DSL for configuring HTTP Feature Policy.
318
347
 
319
- follow_redirect!(params: { foo: :bar })
348
+ This new DSL provides a way to configure an HTTP Feature Policy at a
349
+ global or per-controller level. Full details of HTTP Feature Policy
350
+ specification and guidelines can be found at MDN:
320
351
 
321
- *Remo Fritzsche*
352
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
322
353
 
323
- * Introduce a new error page to when the implicit render page is accessed in the browser.
354
+ Example global policy:
324
355
 
325
- Now instead of showing an error page that with exception and backtraces we now show only
326
- one informative page.
356
+ ```ruby
357
+ Rails.application.config.feature_policy do |f|
358
+ f.camera :none
359
+ f.gyroscope :none
360
+ f.microphone :none
361
+ f.usb :none
362
+ f.fullscreen :self
363
+ f.payment :self, "https://secure.example.com"
364
+ end
365
+ ```
327
366
 
328
- *Vinicius Stock*
367
+ Example controller level policy:
329
368
 
330
- * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
369
+ ```ruby
370
+ class PagesController < ApplicationController
371
+ feature_policy do |p|
372
+ p.geolocation "https://example.com"
373
+ end
374
+ end
375
+ ```
331
376
 
332
- Exception aware plugin authors can use the newly introduced
333
- `.register_interceptor` method to get the processed exception, instead of
334
- monkey patching DebugExceptions.
377
+ *Jacob Bednarz*
335
378
 
336
- ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
337
- HypoteticalPlugin.capture_exception(request, exception)
338
- end
379
+ * Add the ability to set the CSP nonce only to the specified directives.
339
380
 
340
- *Genadi Samokovarov*
381
+ Fixes #35137.
341
382
 
342
- * Output only one Content-Security-Policy nonce header value per request.
383
+ *Yuji Yaginuma*
343
384
 
344
- Fixes #32597.
385
+ * Keep part when scope option has value.
345
386
 
346
- *Andrey Novikov*, *Andrew White*
387
+ When a route was defined within an optional scope, if that route didn't
388
+ take parameters the scope was lost when using path helpers. This commit
389
+ ensures scope is kept both when the route takes parameters or when it
390
+ doesn't.
347
391
 
348
- * Move default headers configuration into their own module that can be included in controllers.
392
+ Fixes #33219.
349
393
 
350
- *Kevin Deisz*
394
+ *Alberto Almagro*
351
395
 
352
- * Add method `dig` to `session`.
396
+ * Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
353
397
 
354
- *claudiob*, *Takumi Shotoku*
398
+ *Gustavo Gutierrez*
355
399
 
356
- * Controller level `force_ssl` has been deprecated in favor of
357
- `config.force_ssl`.
400
+ * Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
401
+ an enumerator for the parameters instead of the underlying hash.
358
402
 
359
- *Derek Prior*
403
+ *Eugene Kenny*
360
404
 
361
- * Rails 6 requires Ruby 2.5.0 or newer.
405
+ * Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
406
+ It should only block invalid key's values instead.
362
407
 
363
- *Jeremy Daer*, *Kasper Timm Hansen*
408
+ *Stan Lo*
364
409
 
365
410
 
366
- Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
411
+ Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.