actionpack 6.0.5.1 → 6.1.7.1


Potentially problematic release: this version of actionpack might be problematic.

Files changed (116)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +393 -253
  3. data/MIT-LICENSE +1 -2
  4. data/lib/abstract_controller/base.rb +35 -2
  5. data/lib/abstract_controller/callbacks.rb +2 -2
  6. data/lib/abstract_controller/collector.rb +4 -2
  7. data/lib/abstract_controller/helpers.rb +105 -90
  8. data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
  9. data/lib/abstract_controller/rendering.rb +9 -9
  10. data/lib/abstract_controller/translation.rb +8 -2
  11. data/lib/abstract_controller.rb +1 -0
  12. data/lib/action_controller/api.rb +2 -2
  13. data/lib/action_controller/base.rb +4 -2
  14. data/lib/action_controller/caching.rb +0 -1
  15. data/lib/action_controller/log_subscriber.rb +3 -3
  16. data/lib/action_controller/metal/conditional_get.rb +11 -3
  17. data/lib/action_controller/metal/content_security_policy.rb +1 -1
  18. data/lib/action_controller/metal/cookies.rb +3 -1
  19. data/lib/action_controller/metal/data_streaming.rb +1 -1
  20. data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
  21. data/lib/action_controller/metal/exceptions.rb +33 -0
  22. data/lib/action_controller/metal/head.rb +7 -4
  23. data/lib/action_controller/metal/helpers.rb +11 -1
  24. data/lib/action_controller/metal/http_authentication.rb +5 -2
  25. data/lib/action_controller/metal/implicit_render.rb +1 -1
  26. data/lib/action_controller/metal/instrumentation.rb +11 -9
  27. data/lib/action_controller/metal/live.rb +10 -1
  28. data/lib/action_controller/metal/logging.rb +20 -0
  29. data/lib/action_controller/metal/mime_responds.rb +6 -2
  30. data/lib/action_controller/metal/parameter_encoding.rb +35 -4
  31. data/lib/action_controller/metal/params_wrapper.rb +14 -8
  32. data/lib/action_controller/metal/permissions_policy.rb +46 -0
  33. data/lib/action_controller/metal/redirecting.rb +1 -1
  34. data/lib/action_controller/metal/rendering.rb +6 -0
  35. data/lib/action_controller/metal/request_forgery_protection.rb +1 -1
  36. data/lib/action_controller/metal/rescue.rb +1 -1
  37. data/lib/action_controller/metal/strong_parameters.rb +104 -16
  38. data/lib/action_controller/metal.rb +2 -2
  39. data/lib/action_controller/renderer.rb +23 -13
  40. data/lib/action_controller/test_case.rb +65 -56
  41. data/lib/action_controller.rb +2 -3
  42. data/lib/action_dispatch/http/cache.rb +18 -17
  43. data/lib/action_dispatch/http/content_security_policy.rb +6 -1
  44. data/lib/action_dispatch/http/filter_parameters.rb +1 -1
  45. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  46. data/lib/action_dispatch/http/headers.rb +3 -2
  47. data/lib/action_dispatch/http/mime_negotiation.rb +14 -8
  48. data/lib/action_dispatch/http/mime_type.rb +29 -16
  49. data/lib/action_dispatch/http/parameters.rb +1 -19
  50. data/lib/action_dispatch/http/permissions_policy.rb +173 -0
  51. data/lib/action_dispatch/http/request.rb +24 -8
  52. data/lib/action_dispatch/http/response.rb +17 -16
  53. data/lib/action_dispatch/http/url.rb +3 -2
  54. data/lib/action_dispatch/journey/formatter.rb +55 -30
  55. data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
  56. data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
  57. data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
  58. data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
  59. data/lib/action_dispatch/journey/nodes/node.rb +4 -3
  60. data/lib/action_dispatch/journey/parser.rb +13 -13
  61. data/lib/action_dispatch/journey/parser.y +1 -1
  62. data/lib/action_dispatch/journey/path/pattern.rb +13 -18
  63. data/lib/action_dispatch/journey/route.rb +7 -18
  64. data/lib/action_dispatch/journey/router/utils.rb +6 -4
  65. data/lib/action_dispatch/journey/router.rb +26 -30
  66. data/lib/action_dispatch/journey/visitors.rb +1 -1
  67. data/lib/action_dispatch/journey.rb +0 -2
  68. data/lib/action_dispatch/middleware/actionable_exceptions.rb +1 -1
  69. data/lib/action_dispatch/middleware/cookies.rb +89 -46
  70. data/lib/action_dispatch/middleware/debug_exceptions.rb +8 -15
  71. data/lib/action_dispatch/middleware/debug_view.rb +1 -1
  72. data/lib/action_dispatch/middleware/exception_wrapper.rb +28 -16
  73. data/lib/action_dispatch/middleware/host_authorization.rb +63 -14
  74. data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
  75. data/lib/action_dispatch/middleware/request_id.rb +4 -5
  76. data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
  77. data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
  78. data/lib/action_dispatch/middleware/show_exceptions.rb +12 -0
  79. data/lib/action_dispatch/middleware/ssl.rb +12 -7
  80. data/lib/action_dispatch/middleware/stack.rb +19 -1
  81. data/lib/action_dispatch/middleware/static.rb +154 -93
  82. data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
  83. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
  84. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
  85. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  86. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
  87. data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
  88. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +21 -1
  89. data/lib/action_dispatch/railtie.rb +3 -2
  90. data/lib/action_dispatch/request/session.rb +2 -8
  91. data/lib/action_dispatch/request/utils.rb +26 -2
  92. data/lib/action_dispatch/routing/inspector.rb +8 -7
  93. data/lib/action_dispatch/routing/mapper.rb +102 -71
  94. data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
  95. data/lib/action_dispatch/routing/redirection.rb +4 -4
  96. data/lib/action_dispatch/routing/route_set.rb +49 -41
  97. data/lib/action_dispatch/system_test_case.rb +35 -24
  98. data/lib/action_dispatch/system_testing/browser.rb +33 -27
  99. data/lib/action_dispatch/system_testing/driver.rb +6 -7
  100. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
  101. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
  102. data/lib/action_dispatch/testing/assertions/response.rb +2 -4
  103. data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
  104. data/lib/action_dispatch/testing/assertions.rb +1 -1
  105. data/lib/action_dispatch/testing/integration.rb +40 -29
  106. data/lib/action_dispatch/testing/test_process.rb +32 -4
  107. data/lib/action_dispatch/testing/test_request.rb +3 -3
  108. data/lib/action_dispatch.rb +3 -2
  109. data/lib/action_pack/gem_version.rb +2 -2
  110. data/lib/action_pack.rb +1 -1
  111. metadata +18 -19
  112. data/lib/action_controller/metal/force_ssl.rb +0 -58
  113. data/lib/action_dispatch/http/parameter_filter.rb +0 -12
  114. data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
  115. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
  116. data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
data/CHANGELOG.md CHANGED
@@ -1,30 +1,100 @@
1
- ## Rails 6.0.5.1 (July 12, 2022) ##
1
+ ## Rails 6.1.7.1 (January 17, 2023) ##
2
+
3
+ * Avoid regex backtracking on If-None-Match header
4
+
5
+ [CVE-2023-22795]
6
+
7
+ * Use string#split instead of regex for domain parts
8
+
9
+ [CVE-2023-22792]
10
+
11
+
12
+ ## Rails 6.1.7 (September 09, 2022) ##
2
13
 
3
14
  * No changes.
4
15
 
5
16
 
6
- ## Rails 6.0.5 (May 09, 2022) ##
17
+ ## Rails 6.1.6.1 (July 12, 2022) ##
7
18
 
8
19
  * No changes.
9
20
 
10
21
 
11
- ## Rails 6.0.4.8 (April 26, 2022) ##
22
+ ## Rails 6.1.6 (May 09, 2022) ##
23
+
24
+ * No changes.
25
+
26
+
27
+ ## Rails 6.1.5.1 (April 26, 2022) ##
12
28
 
13
29
  * Allow Content Security Policy DSL to generate for API responses.
14
30
 
15
31
  *Tim Wade*
16
32
 
17
- ## Rails 6.0.4.7 (March 08, 2022) ##
33
+ ## Rails 6.1.5 (March 09, 2022) ##
34
+
35
+ * Fix `content_security_policy` returning invalid directives.
36
+
37
+ Directives such as `self`, `unsafe-eval` and few others were not
38
+ single quoted when the directive was the result of calling a lambda
39
+ returning an array.
40
+
41
+ ```ruby
42
+ content_security_policy do |policy|
43
+ policy.frame_ancestors lambda { [:self, "https://example.com"] }
44
+ end
45
+ ```
46
+
47
+ With this fix the policy generated from above will now be valid.
48
+
49
+ *Edouard Chin*
50
+
51
+ * Update `HostAuthorization` middleware to render debug info only
52
+ when `config.consider_all_requests_local` is set to true.
53
+
54
+ Also, blocked host info is always logged with level `error`.
55
+
56
+ Fixes #42813.
57
+
58
+ *Nikita Vyrko*
59
+
60
+ * Dup arrays that get "converted".
61
+
62
+ Fixes #43681.
63
+
64
+ *Aaron Patterson*
65
+
66
+ * Don't show deprecation warning for equal paths.
67
+
68
+ *Anton Rieder*
69
+
70
+ * Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
71
+
72
+ Fixes #43094.
73
+
74
+ *Alex Ghiculescu*
75
+
76
+ * Add fallback host for SystemTestCase driven by RackTest.
77
+
78
+ Fixes #42780.
79
+
80
+ *Petrik de Heus*
81
+
82
+ * Add more detail about what hosts are allowed.
83
+
84
+ *Alex Ghiculescu*
85
+
86
+
87
+ ## Rails 6.1.4.7 (March 08, 2022) ##
18
88
 
19
89
  * No changes.
20
90
 
21
91
 
22
- ## Rails 6.0.4.6 (February 11, 2022) ##
92
+ ## Rails 6.1.4.6 (February 11, 2022) ##
23
93
 
24
94
  * No changes.
25
95
 
26
96
 
27
- ## Rails 6.0.4.5 (February 11, 2022) ##
97
+ ## Rails 6.1.4.5 (February 11, 2022) ##
28
98
 
29
99
  * Under certain circumstances, the middleware isn't informed that the
30
100
  response body has been fully closed which result in request state not
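Review bot: the two security entries under `## Rails 6.1.7.1` (`[CVE-2023-22795]` for the If-None-Match regex backtracking fix and `[CVE-2023-22792]` for the domain-parts `string#split` change) carry no `*Author*` line and no pointer to the affected component, unlike every other entry in this hunk; suggest adding at least the class or middleware each change touches so a reader can judge exposure from the changelog alone. Minor wording in the 6.1.5 CSP entry: `and few others` should read `and a few others`.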
@@ -33,17 +103,17 @@
33
103
  [CVE-2022-23633]
34
104
 
35
105
 
36
- ## Rails 6.0.4.4 (December 15, 2021) ##
106
+ ## Rails 6.1.4.4 (December 15, 2021) ##
37
107
 
38
108
  * Fix issue with host protection not allowing host with port in development.
39
109
 
40
110
 
41
- ## Rails 6.0.4.3 (December 14, 2021) ##
111
+ ## Rails 6.1.4.3 (December 14, 2021) ##
42
112
 
43
- * Fix issue with host protection not allowing localhost in development.
113
+ * Fix issue with host protection not allowing localhost in development.
44
114
 
45
115
 
46
- ## Rails 6.0.4.2 (December 14, 2021) ##
116
+ ## Rails 6.1.4.2 (December 14, 2021) ##
47
117
 
48
118
  * Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
49
119
 
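Review bot: the `- * Fix issue with host protection not allowing localhost in development.` / `+ * Fix issue with host protection not allowing localhost in development.` pair under `## Rails 6.1.4.3` is textually identical, so this is a whitespace-only change; confirm it is an intended trailing-whitespace cleanup rather than an accidental edit. The 6.1.4.4 and 6.1.4.3 host-protection entries also lack the `*Author*` line the rest of the file uses.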
@@ -55,35 +125,48 @@
55
125
  "allowed host" formats can cause the Host Authorization middleware in Action
56
126
  Pack to redirect users to a malicious website.
57
127
 
58
- ## Rails 6.0.4 (June 15, 2021) ##
128
+ ## Rails 6.1.4 (June 24, 2021) ##
59
129
 
60
- * Accept base64_urlsafe CSRF tokens to make forward compatible.
130
+ * Ignore file fixtures on `db:fixtures:load`
61
131
 
62
- Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
63
- them difficult to deal with. For example, the common practice of sending
64
- the CSRF token to a browser in a client-readable cookie does not work properly
65
- out of the box: the value has to be url-encoded and decoded to survive transport.
132
+ *Kevin Sjöberg*
66
133
 
67
- In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
68
- safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
69
- tokens for backwards compatibility.
134
+ * Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
70
135
 
71
- In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded.
72
- If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
136
+ *Dylan Thacker-Smith*
73
137
 
74
- ```ruby
75
- Rails.application.config.action_controller.urlsafe_csrf_tokens = true
138
+ * Correctly place optional path parameter booleans.
139
+
140
+ Previously, if you specify a url parameter that is part of the path as false it would include that part
141
+ of the path as parameter for example:
142
+
143
+ ```
144
+ get "(/optional/:optional_id)/things" => "foo#foo", as: :things
145
+ things_path(optional_id: false) # => /things?optional_id=false
146
+ ```
147
+
148
+ After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
149
+
150
+ ```
151
+ get '(this/:my_bool)/that' as: :that
152
+
153
+ that_path(my_bool: true) # => `/this/true/that`
154
+ that_path(my_bool: false) # => `/this/false/that`
76
155
  ```
77
156
 
78
- *Scott Blum*, *Étienne Barrié*
157
+ *Adam Hess*
158
+
159
+ * Add support for 'private, no-store' Cache-Control headers.
160
+
161
+ Previously, 'no-store' was exclusive; no other directives could be specified.
79
162
 
80
- * Signed and encrypted cookies can now store `false` as their value when
81
- `action_dispatch.use_cookies_with_metadata` is enabled.
163
+ *Alex Smith*
82
164
 
83
- *Rolandas Barysas*
84
165
 
166
+ ## Rails 6.1.3.2 (May 05, 2021) ##
85
167
 
86
- ## Rails 6.0.3.7 (May 05, 2021) ##
168
+ * Prevent open redirects by correctly escaping the host allow list
169
+ CVE-2021-22903
87
170
 
88
171
  * Prevent catastrophic backtracking during mime parsing
89
172
  CVE-2021-22902
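Review bot: the second routing example under `## Rails 6.1.4` is missing the comma before the `as:` keyword argument, so `get '(this/:my_bool)/that' as: :that` is not valid Ruby; it should read `get '(this/:my_bool)/that', as: :that`. Both fences in that entry are untagged while the rest of the file tags its fences as ```ruby, and the first example uses double-quoted strings where the second uses single quotes; pick one style so the two snippets read as a before/after pair.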
@@ -101,12 +184,19 @@
101
184
 
102
185
  *Gannon McGibbon*
103
186
 
104
- ## Rails 6.0.3.6 (March 26, 2021) ##
187
+ ## Rails 6.1.3.1 (March 26, 2021) ##
105
188
 
106
189
  * No changes.
107
190
 
108
191
 
109
- ## Rails 6.0.3.5 (February 10, 2021) ##
192
+ ## Rails 6.1.3 (February 17, 2021) ##
193
+
194
+ * Re-define routes when not set correctly via inheritance.
195
+
196
+ *John Hawthorn*
197
+
198
+
199
+ ## Rails 6.1.2.1 (February 10, 2021) ##
110
200
 
111
201
  * Prevent open redirect when allowed host starts with a dot
112
202
 
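Review bot: `Re-define routes when not set correctly via inheritance.` under `## Rails 6.1.3` does not say what "not set correctly" means or which class is affected; a one-line expansion or an issue reference, as the neighbouring entries carry (`Fixes #42813.`, `Fixes #43681.`), would make the entry actionable.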
@@ -118,390 +208,440 @@
118
208
  *Aaron Patterson*
119
209
 
120
210
 
121
- ## Rails 6.0.3.4 (October 07, 2020) ##
211
+ ## Rails 6.1.2 (February 09, 2021) ##
122
212
 
123
- * [CVE-2020-8264] Prevent XSS in Actionable Exceptions
213
+ * Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
124
214
 
215
+ *Janko Marohnić*
125
216
 
126
- ## Rails 6.0.3.3 (September 09, 2020) ##
217
+ * Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
127
218
 
128
- * No changes.
219
+ *Eugene Kenny*
129
220
 
130
221
 
131
- ## Rails 6.0.3.2 (June 17, 2020) ##
222
+ ## Rails 6.1.1 (January 07, 2021) ##
132
223
 
133
- * [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
224
+ * Fix nil translation key lookup in controllers/
134
225
 
135
- ## Rails 6.0.3.1 (May 18, 2020) ##
226
+ *Jan Klimo*
136
227
 
137
- * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
228
+ * Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
138
229
 
139
- * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
230
+ *Alex Robbin*
140
231
 
232
+ * Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
141
233
 
142
- ## Rails 6.0.3 (May 06, 2020) ##
234
+ *Alex Robbin*
143
235
 
144
- * Include child session assertion count in ActionDispatch::IntegrationTest
145
236
 
146
- `IntegrationTest#open_session` uses `dup` to create the new session, which
147
- meant it had its own copy of `@assertions`. This prevented the assertions
148
- from being correctly counted and reported.
237
+ ## Rails 6.1.0 (December 09, 2020) ##
149
238
 
150
- Child sessions now have their `attr_accessor` overriden to delegate to the
151
- root session.
239
+ * Support for the HTTP header `Feature-Policy` has been revised to reflect
240
+ its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
152
241
 
153
- Fixes #32142
242
+ ```ruby
243
+ Rails.application.config.permissions_policy do |p|
244
+ p.camera :none
245
+ p.gyroscope :none
246
+ p.microphone :none
247
+ p.usb :none
248
+ p.fullscreen :self
249
+ p.payment :self, "https://secure-example.com"
250
+ end
251
+ ```
154
252
 
155
- *Sam Bostock*
253
+ *Julien Grillot*
156
254
 
255
+ * Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
157
256
 
158
- ## Rails 6.0.2.2 (March 19, 2020) ##
257
+ Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
159
258
 
160
- * No changes.
259
+ *Chris Bisnett*
161
260
 
261
+ * Add `config.action_dispatch.request_id_header` to allow changing the name of
262
+ the unique X-Request-Id header
162
263
 
163
- ## Rails 6.0.2.1 (December 18, 2019) ##
264
+ *Arlston Fernandes*
164
265
 
165
- * Fix possible information leak / session hijacking vulnerability.
266
+ * Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
166
267
 
167
- The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
168
- gem dalli to be updated as well.
268
+ *Rafael Mendonça França*
169
269
 
170
- CVE-2019-16782.
270
+ * Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
171
271
 
272
+ *Rafael Mendonça França*
172
273
 
173
- ## Rails 6.0.2 (December 13, 2019) ##
274
+ * Remove deprecated `ActionDispatch::Http::ParameterFilter`.
174
275
 
175
- * Allow using mountable engine route helpers in System Tests.
276
+ *Rafael Mendonça França*
176
277
 
177
- *Chalo Fernandez*
278
+ * Added support for exclusive no-store Cache-Control header.
178
279
 
280
+ If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
179
281
 
180
- ## Rails 6.0.1 (November 5, 2019) ##
282
+ *Chris Kruger*
181
283
 
182
- * `ActionDispatch::SystemTestCase` now inherits from `ActiveSupport::TestCase`
183
- rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
184
- system tests.
284
+ * Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
185
285
 
186
- *George Claghorn*, *Edouard Chin*
286
+ Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
287
+ `ActionDispatch::Http::Request#POST` prior to validating encoding.
187
288
 
188
- * Registered MIME types may contain extra flags:
289
+ *Adrianna Chang*
189
290
 
190
- ```ruby
191
- Mime::Type.register "text/html; fragment", :html_fragment
192
- ```
291
+ * Allow `assert_recognizes` routing assertions to work on mounted root routes.
193
292
 
194
- *Aaron Patterson*
293
+ *Gannon McGibbon*
195
294
 
295
+ * Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
196
296
 
197
- ## Rails 6.0.0 (August 16, 2019) ##
297
+ *Alan Tan*, *Oz Ben-David*
198
298
 
199
- * No changes.
299
+ * Fix `follow_redirect!` to follow redirection with same HTTP verb when following
300
+ a 308 redirection.
200
301
 
302
+ *Alan Tan*
201
303
 
202
- ## Rails 6.0.0.rc2 (July 22, 2019) ##
304
+ * When multiple domains are specified for a cookie, a domain will now be
305
+ chosen only if it is equal to or is a superdomain of the request host.
203
306
 
204
- * Add the ability to set the CSP nonce only to the specified directives.
307
+ *Jonathan Hefner*
205
308
 
206
- Fixes #35137.
309
+ * `ActionDispatch::Static` handles precompiled Brotli (.br) files.
207
310
 
208
- *Yuji Yaginuma*
311
+ Adds to existing support for precompiled gzip (.gz) files.
312
+ Brotli files are preferred due to much better compression.
209
313
 
210
- * Keep part when scope option has value.
314
+ When the browser requests /some.js with `Accept-Encoding: br`,
315
+ we check for public/some.js.br and serve that file, if present, with
316
+ `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
211
317
 
212
- When a route was defined within an optional scope, if that route didn't
213
- take parameters the scope was lost when using path helpers. This commit
214
- ensures scope is kept both when the route takes parameters or when it
215
- doesn't.
318
+ *Ryan Edward Hall*, *Jeremy Daer*
216
319
 
217
- Fixes #33219
320
+ * Add raise_on_missing_translations support for controllers.
218
321
 
219
- *Alberto Almagro*
322
+ This configuration determines whether an error should be raised for missing translations.
323
+ It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
324
+ configuration also affects raising error for missing translations in views.
220
325
 
221
- * Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
326
+ *fatkodima*
222
327
 
223
- Previously, `ActionDispatch::Response#content_type` returned value does NOT
224
- contain charset part. This behavior changed to returned Content-Type header
225
- containing charset part as it is.
328
+ * Added `compact` and `compact!` to `ActionController::Parameters`.
226
329
 
227
- If you want just MIME type, please use `ActionDispatch::Response#media_type`
228
- instead.
330
+ *Eugene Kenny*
229
331
 
230
- Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
231
- If not enabled, `ActionDispatch::Response#content_type` returns the same
232
- value as before version, but its behavior is deprecate.
332
+ * Calling `each_pair` or `each_value` on an `ActionController::Parameters`
333
+ without passing a block now returns an enumerator.
233
334
 
234
- *Yuji Yaginuma*
335
+ *Eugene Kenny*
235
336
 
236
- * Calling `ActionController::Parameters#transform_keys/!` without a block now returns
237
- an enumerator for the parameters instead of the underlying hash.
337
+ * `fixture_file_upload` now uses path relative to `file_fixture_path`
238
338
 
239
- *Eugene Kenny*
339
+ Previously the path had to be relative to `fixture_path`.
340
+ You can change your existing code as follow:
240
341
 
241
- * Fix a bug where DebugExceptions throws an error when malformed query parameters are provided
342
+ ```ruby
343
+ # Before
344
+ fixture_file_upload('files/dog.png')
242
345
 
243
- *Yuki Nishijima*, *Stan Lo*
346
+ # After
347
+ fixture_file_upload('dog.png')
348
+ ```
244
349
 
350
+ *Edouard Chin*
245
351
 
246
- ## Rails 6.0.0.rc1 (April 24, 2019) ##
352
+ * Remove deprecated `force_ssl` at the controller level.
247
353
 
248
- * Make system tests take a failed screenshot in a `before_teardown` hook
249
- rather than an `after_teardown` hook.
354
+ *Rafael Mendonça França*
250
355
 
251
- This helps minimize the time gap between when an assertion fails and when
252
- the screenshot is taken (reducing the time in which the page could have
253
- been dynamically updated after the assertion failed).
356
+ * The +helper+ class method for controllers loads helper modules specified as
357
+ strings/symbols with `String#constantize` instead of `require_dependency`.
254
358
 
255
- *Richard Macklin*
359
+ Remember that support for strings/symbols is only a convenient API. You can
360
+ always pass a module object:
256
361
 
257
- * Introduce `ActionDispatch::ActionableExceptions`.
362
+ ```ruby
363
+ helper UtilsHelper
364
+ ```
258
365
 
259
- The `ActionDispatch::ActionableExceptions` middleware dispatches actions
260
- from `ActiveSupport::ActionableError` descendants.
366
+ which is recommended because it is simple and direct. When a string/symbol
367
+ is received, `helper` just manipulates and inflects the argument to obtain
368
+ that same module object.
261
369
 
262
- Actionable errors let's you dispatch actions from Rails' error pages.
370
+ *Xavier Noria*, *Jean Boussier*
263
371
 
264
- *Vipul A M*, *Yao Jie*, *Genadi Samokovarov*
372
+ * Correctly identify the entire localhost IPv4 range as trusted proxy.
265
373
 
266
- * Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
374
+ *Nick Soracco*
267
375
 
268
- After this change it's not possible anymore to configure routes like this:
376
+ * `url_for` will now use "https://" as the default protocol when
377
+ `Rails.application.config.force_ssl` is set to true.
269
378
 
270
- ```
271
- routes.draw do
272
- resources :users, param: 'name/:sneaky'
273
- end
274
- ```
379
+ *Jonathan Hefner*
275
380
 
276
- Fixes #30467.
381
+ * Accept and default to base64_urlsafe CSRF tokens.
277
382
 
278
- *Josua Schmid*
383
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
384
+ them difficult to deal with. For example, the common practice of sending
385
+ the CSRF token to a browser in a client-readable cookie does not work properly
386
+ out of the box: the value has to be url-encoded and decoded to survive transport.
279
387
 
388
+ Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
389
+ to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
390
+ for backwards compatibility.
280
391
 
281
- ## Rails 6.0.0.beta3 (March 11, 2019) ##
392
+ *Scott Blum*
282
393
 
283
- * No changes.
394
+ * Support rolling deploys for cookie serialization/encryption changes.
284
395
 
396
+ In a distributed configuration like rolling update, users may observe
397
+ both old and new instances during deployment. Users may be served by a
398
+ new instance and then by an old instance.
285
399
 
286
- ## Rails 6.0.0.beta2 (February 25, 2019) ##
400
+ That means when the server changes `cookies_serializer` from `:marshal`
401
+ to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
402
+ from `false` to `true`, users may lose their sessions if they access the
403
+ server during deployment.
287
404
 
288
- * Make debug exceptions works in an environment where ActiveStorage is not loaded.
405
+ We added fallbacks to downgrade the cookie format when necessary during
406
+ deployment, ensuring compatibility on both old and new instances.
289
407
 
290
- *Tomoyuki Kurosawa*
408
+ *Masaki Hara*
291
409
 
292
- * `ActionDispatch::SystemTestCase.driven_by` can now be called with a block
293
- to define specific browser capabilities.
410
+ * `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
294
411
 
295
- *Edouard Chin*
412
+ Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
413
+ Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
296
414
 
415
+ *Keenan Brock*
297
416
 
298
- ## Rails 6.0.0.beta1 (January 18, 2019) ##
417
+ * Fix possible information leak / session hijacking vulnerability.
299
418
 
300
- * Remove deprecated `fragment_cache_key` helper in favor of `combined_fragment_cache_key`.
419
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
420
+ gem dalli to be updated as well.
301
421
 
302
- *Rafael Mendonça França*
422
+ CVE-2019-16782.
303
423
 
304
- * Remove deprecated methods in `ActionDispatch::TestResponse`.
424
+ * Include child session assertion count in ActionDispatch::IntegrationTest.
305
425
 
306
- `#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
307
- `#successful?`, `not_found?` and `server_error?`.
426
+ `IntegrationTest#open_session` uses `dup` to create the new session, which
427
+ meant it had its own copy of `@assertions`. This prevented the assertions
428
+ from being correctly counted and reported.
308
429
 
309
- *Rafael Mendonça França*
430
+ Child sessions now have their `attr_accessor` overridden to delegate to the
431
+ root session.
310
432
 
311
- * Introduce `ActionDispatch::HostAuthorization`.
433
+ Fixes #32142.
312
434
 
313
- This is a new middleware that guards against DNS rebinding attacks by
314
- explicitly permitting the hosts a request can be made to.
435
+ *Sam Bostock*
315
436
 
316
- Each host is checked with the case operator (`#===`) to support `Regexp`,
317
- `Proc`, `IPAddr` and custom objects as host allowances.
437
+ * Add SameSite protection to every written cookie.
318
438
 
319
- *Genadi Samokovarov*
439
+ Enabling `SameSite` cookie protection is an addition to CSRF protection,
440
+ where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
320
441
 
321
- * Allow using `parsed_body` in `ActionController::TestCase`.
442
+ `:strict` disables cookies being sent in cross-site GET or POST requests.
322
443
 
323
- In addition to `ActionDispatch::IntegrationTest`, allow using
324
- `parsed_body` in `ActionController::TestCase`:
444
+ Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
325
445
 
326
- ```
327
- class SomeControllerTest < ActionController::TestCase
328
- def test_some_action
329
- post :action, body: { foo: 'bar' }
330
- assert_equal({ "foo" => "bar" }, response.parsed_body)
331
- end
332
- end
333
- ```
446
+ See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
334
447
 
335
- Fixes #34676.
448
+ More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
336
449
 
337
- *Tobias Bühlmann*
450
+ _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
338
451
 
339
- * Raise an error on root route naming conflicts.
452
+ *Cédric Fabianski*
340
453
 
341
- Raises an `ArgumentError` when multiple root routes are defined in the
342
- same context instead of assigning nil names to subsequent roots.
454
+ * Bring back the feature that allows loading external route files from the router.
343
455
 
344
- *Gannon McGibbon*
456
+ This feature existed back in 2012 but got reverted with the incentive that
457
+ https://github.com/rails/routing_concerns was a better approach. Turned out
458
+ that this wasn't fully the case and loading external route files from the router
459
+ can be helpful for applications with a really large set of routes.
460
+ Without this feature, application needs to implement routes reloading
461
+ themselves and it's not straightforward.
345
462
 
346
- * Allow rescue from parameter parse errors:
463
+ ```ruby
464
+ # config/routes.rb
347
465
 
348
- ```
349
- rescue_from ActionDispatch::Http::Parameters::ParseError do
350
- head :unauthorized
466
+ Rails.application.routes.draw do
467
+ draw(:admin)
351
468
  end
469
+
470
+ # config/routes/admin.rb
471
+
472
+ get :foo, to: 'foo#bar'
352
473
  ```
353
474
 
354
- *Gannon McGibbon*, *Josh Cheek*
475
+ *Yehuda Katz*, *Edouard Chin*
476
+
477
+ * Fix system test driver option initialization for non-headless browsers.
355
478
 
356
- * Reset Capybara sessions if failed system test screenshot raising an exception.
479
+ *glaszig*
357
480
 
358
- Reset Capybara sessions if `take_failed_screenshot` raise exception
359
- in system test `after_teardown`.
481
+ * `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
482
+ their payloads as `:request`.
360
483
 
361
- *Maxim Perepelitsa*
484
+ *Austin Story*
362
485
 
363
- * Use request object for context if there's no controller
486
+ * `respond_to#any` no longer returns a response's Content-Type based on the
487
+ request format but based on the block given.
364
488
 
365
- There is no controller instance when using a redirect route or a
366
- mounted rack application so pass the request object as the context
367
- when resolving dynamic CSP sources in this scenario.
489
+ Example:
368
490
 
369
- Fixes #34200.
491
+ ```ruby
492
+ def my_action
493
+ respond_to do |format|
494
+ format.any { render(json: { foo: 'bar' }) }
495
+ end
496
+ end
497
+
498
+ get('my_action.csv')
499
+ ```
370
500
 
371
- *Andrew White*
501
+ The previous behaviour was to respond with a `text/csv` Content-Type which
502
+ is inaccurate since a JSON response is being rendered.
372
503
 
373
- * Apply mapping to symbols returned from dynamic CSP sources
504
+ Now it correctly returns a `application/json` Content-Type.
374
505
 
375
- Previously if a dynamic source returned a symbol such as :self it
376
- would be converted to a string implicitly, e.g:
506
+ *Edouard Chin*
377
507
 
378
- policy.default_src -> { :self }
508
+ * Replaces (back)slashes in failure screenshot image paths with dashes.
379
509
 
380
- would generate the header:
510
+ If a failed test case contained a slash or a backslash, a screenshot would be created in a
511
+ nested directory, causing issues with `tmp:clear`.
381
512
 
382
- Content-Security-Policy: default-src self
513
+ *Damir Zekic*
383
514
 
384
- and now it generates:
515
+ * Add `params.member?` to mimic Hash behavior.
385
516
 
386
- Content-Security-Policy: default-src 'self'
517
+ *Younes Serraj*
387
518
 
388
- *Andrew White*
519
+ * `process_action.action_controller` notifications now include the following in their payloads:
389
520
 
390
- * Add `ActionController::Parameters#each_value`.
521
+ * `:request` - the `ActionDispatch::Request`
522
+ * `:response` - the `ActionDispatch::Response`
391
523
 
392
- *Lukáš Zapletal*
524
+ *George Claghorn*
393
525
 
394
- * Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
526
+ * Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
527
+ `remote_ip` to `nil` before setting the header that the value is derived
528
+ from.
395
529
 
396
- *Yoshiyuki Kinjo*
530
+ Fixes #37383.
397
531
 
398
- * Encode Content-Disposition filenames on `send_data` and `send_file`.
399
- Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
400
- `"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
401
- garbled.
402
- Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
403
- [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
404
- `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
405
- Most browsers can find filename correctly and old browsers fallback to ASCII
406
- converted name.
532
+ *Norm Provost*
407
533
 
408
- *Fumiaki Matsushima*
534
+ * `ActionController::Base.log_at` allows setting a different log level per request.
409
535
 
410
- * Expose `ActionController::Parameters#each_key` which allows iterating over
411
- keys without allocating an array.
536
+ ```ruby
537
+ # Use the debug level if a particular cookie is set.
538
+ class ApplicationController < ActionController::Base
539
+ log_at :debug, if: -> { cookies[:debug] }
540
+ end
541
+ ```
412
542
 
413
- *Richard Schneeman*
543
+ *George Claghorn*
414
544
 
415
- * Purpose metadata for signed/encrypted cookies.
545
+ * Allow system test screen shots to be taken more than once in
546
+ a test by prefixing the file name with an incrementing counter.
416
547
 
417
- Rails can now thwart attacks that attempt to copy signed/encrypted value
418
- of a cookie and use it as the value of another cookie.
548
+ Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
549
+ enable saving of HTML during a screenshot in addition to the image.
550
+ This uses the same image name, with the extension replaced with `.html`
419
551
 
420
- It does so by stashing the cookie-name in the purpose field which is
421
- then signed/encrypted along with the cookie value. Then, on a server-side
422
- read, we verify the cookie-names and discard any attacked cookies.
552
+ *Tom Fakes*
423
553
 
424
- Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
425
- writes cookies with the new purpose and expiry metadata embedded.
554
+ * Add `Vary: Accept` header when using `Accept` header for response.
426
555
 
427
- *Assain Jaleel*
556
+ For some requests like `/users/1`, Rails uses requests' `Accept`
557
+ header to determine what to return. And if we don't add `Vary`
558
+ in the response header, browsers might accidentally cache different
559
+ types of content, which would cause issues: e.g. javascript got displayed
560
+ instead of html content. This PR fixes these issues by adding `Vary: Accept`
561
+ in these types of requests. For more detailed problem description, please read:
428
562
 
429
- * Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
563
+ https://github.com/rails/rails/pull/36213
430
564
 
431
- `respond_to` can match multiple types and lead to undefined behavior when
432
- multiple invocations are made and the types do not match:
565
+ Fixes #25842.
433
566
 
434
- respond_to do |outer_type|
435
- outer_type.js do
436
- respond_to do |inner_type|
437
- inner_type.html { render body: "HTML" }
438
- end
439
- end
440
- end
567
+ *Stan Lo*
441
568
 
442
- *Patrick Toomey*
569
+ * Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
570
+ a 307 redirection.
443
571
 
444
- * `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
572
+ *Edouard Chin*
445
573
 
446
- This allows uploaded file objects to be passed directly to `File.read`
447
- without raising a `TypeError`:
574
+ * System tests require Capybara 3.26 or newer.
448
575
 
449
- uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
450
- File.read(uploaded_file)
576
+ *George Claghorn*
451
577
 
452
- *Aaron Kromer*
578
+ * Reduced log noise handling ActionController::RoutingErrors.
453
579
 
454
- * Pass along arguments to underlying `get` method in `follow_redirect!`
580
+ *Alberto Fernández-Capel*
455
581
 
456
- Now all arguments passed to `follow_redirect!` are passed to the underlying
457
- `get` method. This for example allows to set custom headers for the
458
- redirection request to the server.
582
+ * Add DSL for configuring HTTP Feature Policy.
459
583
 
460
- follow_redirect!(params: { foo: :bar })
584
+ This new DSL provides a way to configure an HTTP Feature Policy at a
585
+ global or per-controller level. Full details of HTTP Feature Policy
586
+ specification and guidelines can be found at MDN:
461
587
 
462
- *Remo Fritzsche*
588
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
463
589
 
464
- * Introduce a new error page to when the implicit render page is accessed in the browser.
590
+ Example global policy:
465
591
 
466
- Now instead of showing an error page that with exception and backtraces we now show only
467
- one informative page.
592
+ ```ruby
593
+ Rails.application.config.feature_policy do |f|
594
+ f.camera :none
595
+ f.gyroscope :none
596
+ f.microphone :none
597
+ f.usb :none
598
+ f.fullscreen :self
599
+ f.payment :self, "https://secure.example.com"
600
+ end
601
+ ```
468
602
 
469
- *Vinicius Stock*
603
+ Example controller level policy:
470
604
 
471
- * Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
605
+ ```ruby
606
+ class PagesController < ApplicationController
607
+ feature_policy do |p|
608
+ p.geolocation "https://example.com"
609
+ end
610
+ end
611
+ ```
472
612
 
473
- Exception aware plugin authors can use the newly introduced
474
- `.register_interceptor` method to get the processed exception, instead of
475
- monkey patching DebugExceptions.
613
+ *Jacob Bednarz*
476
614
 
477
- ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
478
- HypoteticalPlugin.capture_exception(request, exception)
479
- end
615
+ * Add the ability to set the CSP nonce only to the specified directives.
480
616
 
481
- *Genadi Samokovarov*
617
+ Fixes #35137.
482
618
 
483
- * Output only one Content-Security-Policy nonce header value per request.
619
+ *Yuji Yaginuma*
484
620
 
485
- Fixes #32597.
621
+ * Keep part when scope option has value.
486
622
 
487
- *Andrey Novikov*, *Andrew White*
623
+ When a route was defined within an optional scope, if that route didn't
624
+ take parameters the scope was lost when using path helpers. This commit
625
+ ensures scope is kept both when the route takes parameters or when it
626
+ doesn't.
488
627
 
489
- * Move default headers configuration into their own module that can be included in controllers.
628
+ Fixes #33219.
490
629
 
491
- *Kevin Deisz*
630
+ *Alberto Almagro*
492
631
 
493
- * Add method `dig` to `session`.
632
+ * Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
494
633
 
495
- *claudiob*, *Takumi Shotoku*
634
+ *Gustavo Gutierrez*
496
635
 
497
- * Controller level `force_ssl` has been deprecated in favor of
498
- `config.force_ssl`.
636
+ * Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
637
+ an enumerator for the parameters instead of the underlying hash.
499
638
 
500
- *Derek Prior*
639
+ *Eugene Kenny*
501
640
 
502
- * Rails 6 requires Ruby 2.5.0 or newer.
641
+ * Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
642
+ It should only block invalid key's values instead.
503
643
 
504
- *Jeremy Daer*, *Kasper Timm Hansen*
644
+ *Stan Lo*
505
645
 
506
646
 
507
- Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
647
+ Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
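Review bot: the `log_at` example added in this hunk, `log_at :debug, if: -> { cookies[:debug] }`, gates log verbosity on a plain (unsigned) cookie that any client can set, so in production it hands unauthenticated users control over log volume and over how much request detail lands in the logs; the entry should either key the example on something a client cannot forge (a signed or encrypted cookie, or an authenticated admin check) or say plainly that the snippet is illustrative and not meant to be copied as-is. Two smaller points in the same hunk: the `remote_ip` entry reads "to clear set the instance `remote_ip` to `nil`", where "clear set" should be just "clear" or "set"; and the Feature Policy entry never names the response header the DSL emits, while the "set the CSP nonce only to the specified directives" entry gives no example of the option that selects those directives, so neither tells a reader what to configure or what to look for in the response.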