actionpack 6.0.5.1 → 6.1.7.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +393 -253
- data/MIT-LICENSE +1 -2
- data/lib/abstract_controller/base.rb +35 -2
- data/lib/abstract_controller/callbacks.rb +2 -2
- data/lib/abstract_controller/collector.rb +4 -2
- data/lib/abstract_controller/helpers.rb +105 -90
- data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +8 -2
- data/lib/abstract_controller.rb +1 -0
- data/lib/action_controller/api.rb +2 -2
- data/lib/action_controller/base.rb +4 -2
- data/lib/action_controller/caching.rb +0 -1
- data/lib/action_controller/log_subscriber.rb +3 -3
- data/lib/action_controller/metal/conditional_get.rb +11 -3
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
- data/lib/action_controller/metal/exceptions.rb +33 -0
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +11 -1
- data/lib/action_controller/metal/http_authentication.rb +5 -2
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -9
- data/lib/action_controller/metal/live.rb +10 -1
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +6 -2
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +14 -8
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +1 -1
- data/lib/action_controller/metal/rendering.rb +6 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +1 -1
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +104 -16
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/renderer.rb +23 -13
- data/lib/action_controller/test_case.rb +65 -56
- data/lib/action_controller.rb +2 -3
- data/lib/action_dispatch/http/cache.rb +18 -17
- data/lib/action_dispatch/http/content_security_policy.rb +6 -1
- data/lib/action_dispatch/http/filter_parameters.rb +1 -1
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +3 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +14 -8
- data/lib/action_dispatch/http/mime_type.rb +29 -16
- data/lib/action_dispatch/http/parameters.rb +1 -19
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +24 -8
- data/lib/action_dispatch/http/response.rb +17 -16
- data/lib/action_dispatch/http/url.rb +3 -2
- data/lib/action_dispatch/journey/formatter.rb +55 -30
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +4 -3
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +13 -18
- data/lib/action_dispatch/journey/route.rb +7 -18
- data/lib/action_dispatch/journey/router/utils.rb +6 -4
- data/lib/action_dispatch/journey/router.rb +26 -30
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +89 -46
- data/lib/action_dispatch/middleware/debug_exceptions.rb +8 -15
- data/lib/action_dispatch/middleware/debug_view.rb +1 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +28 -16
- data/lib/action_dispatch/middleware/host_authorization.rb +63 -14
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
- data/lib/action_dispatch/middleware/request_id.rb +4 -5
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +12 -0
- data/lib/action_dispatch/middleware/ssl.rb +12 -7
- data/lib/action_dispatch/middleware/stack.rb +19 -1
- data/lib/action_dispatch/middleware/static.rb +154 -93
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +21 -1
- data/lib/action_dispatch/railtie.rb +3 -2
- data/lib/action_dispatch/request/session.rb +2 -8
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +8 -7
- data/lib/action_dispatch/routing/mapper.rb +102 -71
- data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
- data/lib/action_dispatch/routing/redirection.rb +4 -4
- data/lib/action_dispatch/routing/route_set.rb +49 -41
- data/lib/action_dispatch/system_test_case.rb +35 -24
- data/lib/action_dispatch/system_testing/browser.rb +33 -27
- data/lib/action_dispatch/system_testing/driver.rb +6 -7
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
- data/lib/action_dispatch/testing/assertions/response.rb +2 -4
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +40 -29
- data/lib/action_dispatch/testing/test_process.rb +32 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch.rb +3 -2
- data/lib/action_pack/gem_version.rb +2 -2
- data/lib/action_pack.rb +1 -1
- metadata +18 -19
- data/lib/action_controller/metal/force_ssl.rb +0 -58
- data/lib/action_dispatch/http/parameter_filter.rb +0 -12
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
data/CHANGELOG.md
CHANGED
@@ -1,30 +1,100 @@
|
|
1
|
-
## Rails 6.
|
1
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
2
|
+
|
3
|
+
* Avoid regex backtracking on If-None-Match header
|
4
|
+
|
5
|
+
[CVE-2023-22795]
|
6
|
+
|
7
|
+
* Use string#split instead of regex for domain parts
|
8
|
+
|
9
|
+
[CVE-2023-22792]
|
10
|
+
|
11
|
+
|
12
|
+
## Rails 6.1.7 (September 09, 2022) ##
|
2
13
|
|
3
14
|
* No changes.
|
4
15
|
|
5
16
|
|
6
|
-
## Rails 6.
|
17
|
+
## Rails 6.1.6.1 (July 12, 2022) ##
|
7
18
|
|
8
19
|
* No changes.
|
9
20
|
|
10
21
|
|
11
|
-
## Rails 6.
|
22
|
+
## Rails 6.1.6 (May 09, 2022) ##
|
23
|
+
|
24
|
+
* No changes.
|
25
|
+
|
26
|
+
|
27
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
12
28
|
|
13
29
|
* Allow Content Security Policy DSL to generate for API responses.
|
14
30
|
|
15
31
|
*Tim Wade*
|
16
32
|
|
17
|
-
## Rails 6.
|
33
|
+
## Rails 6.1.5 (March 09, 2022) ##
|
34
|
+
|
35
|
+
* Fix `content_security_policy` returning invalid directives.
|
36
|
+
|
37
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
38
|
+
single quoted when the directive was the result of calling a lambda
|
39
|
+
returning an array.
|
40
|
+
|
41
|
+
```ruby
|
42
|
+
content_security_policy do |policy|
|
43
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
44
|
+
end
|
45
|
+
```
|
46
|
+
|
47
|
+
With this fix the policy generated from above will now be valid.
|
48
|
+
|
49
|
+
*Edouard Chin*
|
50
|
+
|
51
|
+
* Update `HostAuthorization` middleware to render debug info only
|
52
|
+
when `config.consider_all_requests_local` is set to true.
|
53
|
+
|
54
|
+
Also, blocked host info is always logged with level `error`.
|
55
|
+
|
56
|
+
Fixes #42813.
|
57
|
+
|
58
|
+
*Nikita Vyrko*
|
59
|
+
|
60
|
+
* Dup arrays that get "converted".
|
61
|
+
|
62
|
+
Fixes #43681.
|
63
|
+
|
64
|
+
*Aaron Patterson*
|
65
|
+
|
66
|
+
* Don't show deprecation warning for equal paths.
|
67
|
+
|
68
|
+
*Anton Rieder*
|
69
|
+
|
70
|
+
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
|
71
|
+
|
72
|
+
Fixes #43094.
|
73
|
+
|
74
|
+
*Alex Ghiculescu*
|
75
|
+
|
76
|
+
* Add fallback host for SystemTestCase driven by RackTest.
|
77
|
+
|
78
|
+
Fixes #42780.
|
79
|
+
|
80
|
+
*Petrik de Heus*
|
81
|
+
|
82
|
+
* Add more detail about what hosts are allowed.
|
83
|
+
|
84
|
+
*Alex Ghiculescu*
|
85
|
+
|
86
|
+
|
87
|
+
## Rails 6.1.4.7 (March 08, 2022) ##
|
18
88
|
|
19
89
|
* No changes.
|
20
90
|
|
21
91
|
|
22
|
-
## Rails 6.
|
92
|
+
## Rails 6.1.4.6 (February 11, 2022) ##
|
23
93
|
|
24
94
|
* No changes.
|
25
95
|
|
26
96
|
|
27
|
-
## Rails 6.
|
97
|
+
## Rails 6.1.4.5 (February 11, 2022) ##
|
28
98
|
|
29
99
|
* Under certain circumstances, the middleware isn't informed that the
|
30
100
|
response body has been fully closed which result in request state not
|
@@ -33,17 +103,17 @@
|
|
33
103
|
[CVE-2022-23633]
|
34
104
|
|
35
105
|
|
36
|
-
## Rails 6.
|
106
|
+
## Rails 6.1.4.4 (December 15, 2021) ##
|
37
107
|
|
38
108
|
* Fix issue with host protection not allowing host with port in development.
|
39
109
|
|
40
110
|
|
41
|
-
## Rails 6.
|
111
|
+
## Rails 6.1.4.3 (December 14, 2021) ##
|
42
112
|
|
43
|
-
*
|
113
|
+
* Fix issue with host protection not allowing localhost in development.
|
44
114
|
|
45
115
|
|
46
|
-
## Rails 6.
|
116
|
+
## Rails 6.1.4.2 (December 14, 2021) ##
|
47
117
|
|
48
118
|
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
49
119
|
|
@@ -55,35 +125,48 @@
|
|
55
125
|
"allowed host" formats can cause the Host Authorization middleware in Action
|
56
126
|
Pack to redirect users to a malicious website.
|
57
127
|
|
58
|
-
## Rails 6.
|
128
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
59
129
|
|
60
|
-
*
|
130
|
+
* Ignore file fixtures on `db:fixtures:load`
|
61
131
|
|
62
|
-
|
63
|
-
them difficult to deal with. For example, the common practice of sending
|
64
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
65
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
132
|
+
*Kevin Sjöberg*
|
66
133
|
|
67
|
-
|
68
|
-
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
69
|
-
tokens for backwards compatibility.
|
134
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
70
135
|
|
71
|
-
|
72
|
-
If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
|
136
|
+
*Dylan Thacker-Smith*
|
73
137
|
|
74
|
-
|
75
|
-
|
138
|
+
* Correctly place optional path parameter booleans.
|
139
|
+
|
140
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
141
|
+
of the path as parameter for example:
|
142
|
+
|
143
|
+
```
|
144
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
145
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
146
|
+
```
|
147
|
+
|
148
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
149
|
+
|
150
|
+
```
|
151
|
+
get '(this/:my_bool)/that' as: :that
|
152
|
+
|
153
|
+
that_path(my_bool: true) # => `/this/true/that`
|
154
|
+
that_path(my_bool: false) # => `/this/false/that`
|
76
155
|
```
|
77
156
|
|
78
|
-
*
|
157
|
+
*Adam Hess*
|
158
|
+
|
159
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
160
|
+
|
161
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
79
162
|
|
80
|
-
*
|
81
|
-
`action_dispatch.use_cookies_with_metadata` is enabled.
|
163
|
+
*Alex Smith*
|
82
164
|
|
83
|
-
*Rolandas Barysas*
|
84
165
|
|
166
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
85
167
|
|
86
|
-
|
168
|
+
* Prevent open redirects by correctly escaping the host allow list
|
169
|
+
CVE-2021-22903
|
87
170
|
|
88
171
|
* Prevent catastrophic backtracking during mime parsing
|
89
172
|
CVE-2021-22902
|
@@ -101,12 +184,19 @@
|
|
101
184
|
|
102
185
|
*Gannon McGibbon*
|
103
186
|
|
104
|
-
## Rails 6.
|
187
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
105
188
|
|
106
189
|
* No changes.
|
107
190
|
|
108
191
|
|
109
|
-
## Rails 6.
|
192
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
193
|
+
|
194
|
+
* Re-define routes when not set correctly via inheritance.
|
195
|
+
|
196
|
+
*John Hawthorn*
|
197
|
+
|
198
|
+
|
199
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
110
200
|
|
111
201
|
* Prevent open redirect when allowed host starts with a dot
|
112
202
|
|
@@ -118,390 +208,440 @@
|
|
118
208
|
*Aaron Patterson*
|
119
209
|
|
120
210
|
|
121
|
-
## Rails 6.
|
211
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
122
212
|
|
123
|
-
*
|
213
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
124
214
|
|
215
|
+
*Janko Marohnić*
|
125
216
|
|
126
|
-
|
217
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
127
218
|
|
128
|
-
*
|
219
|
+
*Eugene Kenny*
|
129
220
|
|
130
221
|
|
131
|
-
## Rails 6.
|
222
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
132
223
|
|
133
|
-
*
|
224
|
+
* Fix nil translation key lookup in controllers/
|
134
225
|
|
135
|
-
|
226
|
+
*Jan Klimo*
|
136
227
|
|
137
|
-
*
|
228
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
138
229
|
|
139
|
-
*
|
230
|
+
*Alex Robbin*
|
140
231
|
|
232
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
141
233
|
|
142
|
-
|
234
|
+
*Alex Robbin*
|
143
235
|
|
144
|
-
* Include child session assertion count in ActionDispatch::IntegrationTest
|
145
236
|
|
146
|
-
|
147
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
148
|
-
from being correctly counted and reported.
|
237
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
149
238
|
|
150
|
-
|
151
|
-
|
239
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
240
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
152
241
|
|
153
|
-
|
242
|
+
```ruby
|
243
|
+
Rails.application.config.permissions_policy do |p|
|
244
|
+
p.camera :none
|
245
|
+
p.gyroscope :none
|
246
|
+
p.microphone :none
|
247
|
+
p.usb :none
|
248
|
+
p.fullscreen :self
|
249
|
+
p.payment :self, "https://secure-example.com"
|
250
|
+
end
|
251
|
+
```
|
154
252
|
|
155
|
-
*
|
253
|
+
*Julien Grillot*
|
156
254
|
|
255
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
157
256
|
|
158
|
-
|
257
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
159
258
|
|
160
|
-
*
|
259
|
+
*Chris Bisnett*
|
161
260
|
|
261
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
262
|
+
the unique X-Request-Id header
|
162
263
|
|
163
|
-
|
264
|
+
*Arlston Fernandes*
|
164
265
|
|
165
|
-
*
|
266
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
166
267
|
|
167
|
-
|
168
|
-
gem dalli to be updated as well.
|
268
|
+
*Rafael Mendonça França*
|
169
269
|
|
170
|
-
|
270
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
171
271
|
|
272
|
+
*Rafael Mendonça França*
|
172
273
|
|
173
|
-
|
274
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
174
275
|
|
175
|
-
*
|
276
|
+
*Rafael Mendonça França*
|
176
277
|
|
177
|
-
|
278
|
+
* Added support for exclusive no-store Cache-Control header.
|
178
279
|
|
280
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
179
281
|
|
180
|
-
|
282
|
+
*Chris Kruger*
|
181
283
|
|
182
|
-
*
|
183
|
-
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
184
|
-
system tests.
|
284
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
185
285
|
|
186
|
-
|
286
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
287
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
187
288
|
|
188
|
-
*
|
289
|
+
*Adrianna Chang*
|
189
290
|
|
190
|
-
|
191
|
-
Mime::Type.register "text/html; fragment", :html_fragment
|
192
|
-
```
|
291
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
193
292
|
|
194
|
-
*
|
293
|
+
*Gannon McGibbon*
|
195
294
|
|
295
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
196
296
|
|
197
|
-
|
297
|
+
*Alan Tan*, *Oz Ben-David*
|
198
298
|
|
199
|
-
*
|
299
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
300
|
+
a 308 redirection.
|
200
301
|
|
302
|
+
*Alan Tan*
|
201
303
|
|
202
|
-
|
304
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
305
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
203
306
|
|
204
|
-
*
|
307
|
+
*Jonathan Hefner*
|
205
308
|
|
206
|
-
|
309
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
207
310
|
|
208
|
-
|
311
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
312
|
+
Brotli files are preferred due to much better compression.
|
209
313
|
|
210
|
-
|
314
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
315
|
+
we check for public/some.js.br and serve that file, if present, with
|
316
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
211
317
|
|
212
|
-
|
213
|
-
take parameters the scope was lost when using path helpers. This commit
|
214
|
-
ensures scope is kept both when the route takes parameters or when it
|
215
|
-
doesn't.
|
318
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
216
319
|
|
217
|
-
|
320
|
+
* Add raise_on_missing_translations support for controllers.
|
218
321
|
|
219
|
-
|
322
|
+
This configuration determines whether an error should be raised for missing translations.
|
323
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
324
|
+
configuration also affects raising error for missing translations in views.
|
220
325
|
|
221
|
-
*
|
326
|
+
*fatkodima*
|
222
327
|
|
223
|
-
|
224
|
-
contain charset part. This behavior changed to returned Content-Type header
|
225
|
-
containing charset part as it is.
|
328
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
226
329
|
|
227
|
-
|
228
|
-
instead.
|
330
|
+
*Eugene Kenny*
|
229
331
|
|
230
|
-
|
231
|
-
|
232
|
-
value as before version, but its behavior is deprecate.
|
332
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
333
|
+
without passing a block now returns an enumerator.
|
233
334
|
|
234
|
-
*
|
335
|
+
*Eugene Kenny*
|
235
336
|
|
236
|
-
*
|
237
|
-
an enumerator for the parameters instead of the underlying hash.
|
337
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
238
338
|
|
239
|
-
|
339
|
+
Previously the path had to be relative to `fixture_path`.
|
340
|
+
You can change your existing code as follow:
|
240
341
|
|
241
|
-
|
342
|
+
```ruby
|
343
|
+
# Before
|
344
|
+
fixture_file_upload('files/dog.png')
|
242
345
|
|
243
|
-
|
346
|
+
# After
|
347
|
+
fixture_file_upload('dog.png')
|
348
|
+
```
|
244
349
|
|
350
|
+
*Edouard Chin*
|
245
351
|
|
246
|
-
|
352
|
+
* Remove deprecated `force_ssl` at the controller level.
|
247
353
|
|
248
|
-
*
|
249
|
-
rather than an `after_teardown` hook.
|
354
|
+
*Rafael Mendonça França*
|
250
355
|
|
251
|
-
|
252
|
-
|
253
|
-
been dynamically updated after the assertion failed).
|
356
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
357
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
254
358
|
|
255
|
-
|
359
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
360
|
+
always pass a module object:
|
256
361
|
|
257
|
-
|
362
|
+
```ruby
|
363
|
+
helper UtilsHelper
|
364
|
+
```
|
258
365
|
|
259
|
-
|
260
|
-
|
366
|
+
which is recommended because it is simple and direct. When a string/symbol
|
367
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
368
|
+
that same module object.
|
261
369
|
|
262
|
-
|
370
|
+
*Xavier Noria*, *Jean Boussier*
|
263
371
|
|
264
|
-
|
372
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
265
373
|
|
266
|
-
*
|
374
|
+
*Nick Soracco*
|
267
375
|
|
268
|
-
|
376
|
+
* `url_for` will now use "https://" as the default protocol when
|
377
|
+
`Rails.application.config.force_ssl` is set to true.
|
269
378
|
|
270
|
-
|
271
|
-
routes.draw do
|
272
|
-
resources :users, param: 'name/:sneaky'
|
273
|
-
end
|
274
|
-
```
|
379
|
+
*Jonathan Hefner*
|
275
380
|
|
276
|
-
|
381
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
277
382
|
|
278
|
-
|
383
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
384
|
+
them difficult to deal with. For example, the common practice of sending
|
385
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
386
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
279
387
|
|
388
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
389
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
390
|
+
for backwards compatibility.
|
280
391
|
|
281
|
-
|
392
|
+
*Scott Blum*
|
282
393
|
|
283
|
-
*
|
394
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
284
395
|
|
396
|
+
In a distributed configuration like rolling update, users may observe
|
397
|
+
both old and new instances during deployment. Users may be served by a
|
398
|
+
new instance and then by an old instance.
|
285
399
|
|
286
|
-
|
400
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
401
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
402
|
+
from `false` to `true`, users may lose their sessions if they access the
|
403
|
+
server during deployment.
|
287
404
|
|
288
|
-
|
405
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
406
|
+
deployment, ensuring compatibility on both old and new instances.
|
289
407
|
|
290
|
-
*
|
408
|
+
*Masaki Hara*
|
291
409
|
|
292
|
-
* `ActionDispatch::
|
293
|
-
to define specific browser capabilities.
|
410
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
294
411
|
|
295
|
-
|
412
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
413
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
296
414
|
|
415
|
+
*Keenan Brock*
|
297
416
|
|
298
|
-
|
417
|
+
* Fix possible information leak / session hijacking vulnerability.
|
299
418
|
|
300
|
-
|
419
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
420
|
+
gem dalli to be updated as well.
|
301
421
|
|
302
|
-
|
422
|
+
CVE-2019-16782.
|
303
423
|
|
304
|
-
*
|
424
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
305
425
|
|
306
|
-
|
307
|
-
|
426
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
427
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
428
|
+
from being correctly counted and reported.
|
308
429
|
|
309
|
-
|
430
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
431
|
+
root session.
|
310
432
|
|
311
|
-
|
433
|
+
Fixes #32142.
|
312
434
|
|
313
|
-
|
314
|
-
explicitly permitting the hosts a request can be made to.
|
435
|
+
*Sam Bostock*
|
315
436
|
|
316
|
-
|
317
|
-
`Proc`, `IPAddr` and custom objects as host allowances.
|
437
|
+
* Add SameSite protection to every written cookie.
|
318
438
|
|
319
|
-
|
439
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
440
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
320
441
|
|
321
|
-
|
442
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
322
443
|
|
323
|
-
|
324
|
-
`parsed_body` in `ActionController::TestCase`:
|
444
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
325
445
|
|
326
|
-
|
327
|
-
class SomeControllerTest < ActionController::TestCase
|
328
|
-
def test_some_action
|
329
|
-
post :action, body: { foo: 'bar' }
|
330
|
-
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
331
|
-
end
|
332
|
-
end
|
333
|
-
```
|
446
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
334
447
|
|
335
|
-
|
448
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
336
449
|
|
337
|
-
|
450
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
338
451
|
|
339
|
-
*
|
452
|
+
*Cédric Fabianski*
|
340
453
|
|
341
|
-
|
342
|
-
same context instead of assigning nil names to subsequent roots.
|
454
|
+
* Bring back the feature that allows loading external route files from the router.
|
343
455
|
|
344
|
-
|
456
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
457
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
458
|
+
that this wasn't fully the case and loading external route files from the router
|
459
|
+
can be helpful for applications with a really large set of routes.
|
460
|
+
Without this feature, application needs to implement routes reloading
|
461
|
+
themselves and it's not straightforward.
|
345
462
|
|
346
|
-
|
463
|
+
```ruby
|
464
|
+
# config/routes.rb
|
347
465
|
|
348
|
-
|
349
|
-
|
350
|
-
head :unauthorized
|
466
|
+
Rails.application.routes.draw do
|
467
|
+
draw(:admin)
|
351
468
|
end
|
469
|
+
|
470
|
+
# config/routes/admin.rb
|
471
|
+
|
472
|
+
get :foo, to: 'foo#bar'
|
352
473
|
```
|
353
474
|
|
354
|
-
*
|
475
|
+
*Yehuda Katz*, *Edouard Chin*
|
476
|
+
|
477
|
+
* Fix system test driver option initialization for non-headless browsers.
|
355
478
|
|
356
|
-
*
|
479
|
+
*glaszig*
|
357
480
|
|
358
|
-
|
359
|
-
|
481
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
482
|
+
their payloads as `:request`.
|
360
483
|
|
361
|
-
*
|
484
|
+
*Austin Story*
|
362
485
|
|
363
|
-
*
|
486
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
487
|
+
request format but based on the block given.
|
364
488
|
|
365
|
-
|
366
|
-
mounted rack application so pass the request object as the context
|
367
|
-
when resolving dynamic CSP sources in this scenario.
|
489
|
+
Example:
|
368
490
|
|
369
|
-
|
491
|
+
```ruby
|
492
|
+
def my_action
|
493
|
+
respond_to do |format|
|
494
|
+
format.any { render(json: { foo: 'bar' }) }
|
495
|
+
end
|
496
|
+
end
|
497
|
+
|
498
|
+
get('my_action.csv')
|
499
|
+
```
|
370
500
|
|
371
|
-
|
501
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
502
|
+
is inaccurate since a JSON response is being rendered.
|
372
503
|
|
373
|
-
|
504
|
+
Now it correctly returns a `application/json` Content-Type.
|
374
505
|
|
375
|
-
|
376
|
-
would be converted to a string implicitly, e.g:
|
506
|
+
*Edouard Chin*
|
377
507
|
|
378
|
-
|
508
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
379
509
|
|
380
|
-
would
|
510
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
511
|
+
nested directory, causing issues with `tmp:clear`.
|
381
512
|
|
382
|
-
|
513
|
+
*Damir Zekic*
|
383
514
|
|
384
|
-
|
515
|
+
* Add `params.member?` to mimic Hash behavior.
|
385
516
|
|
386
|
-
|
517
|
+
*Younes Serraj*
|
387
518
|
|
388
|
-
|
519
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
389
520
|
|
390
|
-
*
|
521
|
+
* `:request` - the `ActionDispatch::Request`
|
522
|
+
* `:response` - the `ActionDispatch::Response`
|
391
523
|
|
392
|
-
*
|
524
|
+
*George Claghorn*
|
393
525
|
|
394
|
-
*
|
526
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
527
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
528
|
+
from.
|
395
529
|
|
396
|
-
|
530
|
+
Fixes #37383.
|
397
531
|
|
398
|
-
*
|
399
|
-
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
400
|
-
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
401
|
-
garbled.
|
402
|
-
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
403
|
-
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
404
|
-
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
405
|
-
Most browsers can find filename correctly and old browsers fallback to ASCII
|
406
|
-
converted name.
|
532
|
+
*Norm Provost*
|
407
533
|
|
408
|
-
|
534
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
409
535
|
|
410
|
-
|
411
|
-
|
536
|
+
```ruby
|
537
|
+
# Use the debug level if a particular cookie is set.
|
538
|
+
class ApplicationController < ActionController::Base
|
539
|
+
log_at :debug, if: -> { cookies[:debug] }
|
540
|
+
end
|
541
|
+
```
|
412
542
|
|
413
|
-
*
|
543
|
+
*George Claghorn*
|
414
544
|
|
415
|
-
*
|
545
|
+
* Allow system test screen shots to be taken more than once in
|
546
|
+
a test by prefixing the file name with an incrementing counter.
|
416
547
|
|
417
|
-
|
418
|
-
|
548
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
549
|
+
enable saving of HTML during a screenshot in addition to the image.
|
550
|
+
This uses the same image name, with the extension replaced with `.html`
|
419
551
|
|
420
|
-
|
421
|
-
then signed/encrypted along with the cookie value. Then, on a server-side
|
422
|
-
read, we verify the cookie-names and discard any attacked cookies.
|
552
|
+
*Tom Fakes*
|
423
553
|
|
424
|
-
|
425
|
-
writes cookies with the new purpose and expiry metadata embedded.
|
554
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
426
555
|
|
427
|
-
|
556
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
557
|
+
header to determine what to return. And if we don't add `Vary`
|
558
|
+
in the response header, browsers might accidentally cache different
|
559
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
560
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
561
|
+
in these types of requests. For more detailed problem description, please read:
|
428
562
|
|
429
|
-
|
563
|
+
https://github.com/rails/rails/pull/36213
|
430
564
|
|
431
|
-
|
432
|
-
multiple invocations are made and the types do not match:
|
565
|
+
Fixes #25842.
|
433
566
|
|
434
|
-
|
435
|
-
outer_type.js do
|
436
|
-
respond_to do |inner_type|
|
437
|
-
inner_type.html { render body: "HTML" }
|
438
|
-
end
|
439
|
-
end
|
440
|
-
end
|
567
|
+
*Stan Lo*
|
441
568
|
|
442
|
-
|
569
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
570
|
+
a 307 redirection.
|
443
571
|
|
444
|
-
*
|
572
|
+
*Edouard Chin*
|
445
573
|
|
446
|
-
|
447
|
-
without raising a `TypeError`:
|
574
|
+
* System tests require Capybara 3.26 or newer.
|
448
575
|
|
449
|
-
|
450
|
-
File.read(uploaded_file)
|
576
|
+
*George Claghorn*
|
451
577
|
|
452
|
-
|
578
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
453
579
|
|
454
|
-
*
|
580
|
+
*Alberto Fernández-Capel*
|
455
581
|
|
456
|
-
|
457
|
-
`get` method. This for example allows to set custom headers for the
|
458
|
-
redirection request to the server.
|
582
|
+
* Add DSL for configuring HTTP Feature Policy.
|
459
583
|
|
460
|
-
|
584
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
585
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
586
|
+
specification and guidelines can be found at MDN:
|
461
587
|
|
462
|
-
|
588
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
463
589
|
|
464
|
-
|
590
|
+
Example global policy:
|
465
591
|
|
466
|
-
|
467
|
-
|
592
|
+
```ruby
|
593
|
+
Rails.application.config.feature_policy do |f|
|
594
|
+
f.camera :none
|
595
|
+
f.gyroscope :none
|
596
|
+
f.microphone :none
|
597
|
+
f.usb :none
|
598
|
+
f.fullscreen :self
|
599
|
+
f.payment :self, "https://secure.example.com"
|
600
|
+
end
|
601
|
+
```
|
468
602
|
|
469
|
-
|
603
|
+
Example controller level policy:
|
470
604
|
|
471
|
-
|
605
|
+
```ruby
|
606
|
+
class PagesController < ApplicationController
|
607
|
+
feature_policy do |p|
|
608
|
+
p.geolocation "https://example.com"
|
609
|
+
end
|
610
|
+
end
|
611
|
+
```
|
472
612
|
|
473
|
-
|
474
|
-
`.register_interceptor` method to get the processed exception, instead of
|
475
|
-
monkey patching DebugExceptions.
|
613
|
+
*Jacob Bednarz*
|
476
614
|
|
477
|
-
|
478
|
-
HypoteticalPlugin.capture_exception(request, exception)
|
479
|
-
end
|
615
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
480
616
|
|
481
|
-
|
617
|
+
Fixes #35137.
|
482
618
|
|
483
|
-
*
|
619
|
+
*Yuji Yaginuma*
|
484
620
|
|
485
|
-
|
621
|
+
* Keep part when scope option has value.
|
486
622
|
|
487
|
-
|
623
|
+
When a route was defined within an optional scope, if that route didn't
|
624
|
+
take parameters the scope was lost when using path helpers. This commit
|
625
|
+
ensures scope is kept both when the route takes parameters or when it
|
626
|
+
doesn't.
|
488
627
|
|
489
|
-
|
628
|
+
Fixes #33219.
|
490
629
|
|
491
|
-
*
|
630
|
+
*Alberto Almagro*
|
492
631
|
|
493
|
-
*
|
632
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
494
633
|
|
495
|
-
*
|
634
|
+
*Gustavo Gutierrez*
|
496
635
|
|
497
|
-
*
|
498
|
-
|
636
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
637
|
+
an enumerator for the parameters instead of the underlying hash.
|
499
638
|
|
500
|
-
*
|
639
|
+
*Eugene Kenny*
|
501
640
|
|
502
|
-
*
|
641
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
642
|
+
It should only block invalid key's values instead.
|
503
643
|
|
504
|
-
*
|
644
|
+
*Stan Lo*
|
505
645
|
|
506
646
|
|
507
|
-
Please check [
|
647
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|