actionpack 6.0.5.1 → 6.1.7.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +407 -253
- data/MIT-LICENSE +1 -2
- data/lib/abstract_controller/base.rb +35 -2
- data/lib/abstract_controller/callbacks.rb +2 -2
- data/lib/abstract_controller/collector.rb +4 -2
- data/lib/abstract_controller/helpers.rb +105 -90
- data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +8 -2
- data/lib/abstract_controller.rb +1 -0
- data/lib/action_controller/api.rb +2 -2
- data/lib/action_controller/base.rb +4 -2
- data/lib/action_controller/caching.rb +0 -1
- data/lib/action_controller/log_subscriber.rb +3 -3
- data/lib/action_controller/metal/conditional_get.rb +11 -3
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
- data/lib/action_controller/metal/exceptions.rb +33 -0
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +11 -1
- data/lib/action_controller/metal/http_authentication.rb +5 -2
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -9
- data/lib/action_controller/metal/live.rb +10 -1
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +6 -2
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +14 -8
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +1 -1
- data/lib/action_controller/metal/rendering.rb +6 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +1 -1
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +104 -16
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/renderer.rb +23 -13
- data/lib/action_controller/test_case.rb +65 -56
- data/lib/action_controller.rb +2 -3
- data/lib/action_dispatch/http/cache.rb +18 -17
- data/lib/action_dispatch/http/content_security_policy.rb +6 -1
- data/lib/action_dispatch/http/filter_parameters.rb +1 -1
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +3 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +14 -8
- data/lib/action_dispatch/http/mime_type.rb +29 -16
- data/lib/action_dispatch/http/parameters.rb +1 -19
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +24 -8
- data/lib/action_dispatch/http/response.rb +17 -16
- data/lib/action_dispatch/http/url.rb +3 -2
- data/lib/action_dispatch/journey/formatter.rb +55 -30
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +4 -3
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +13 -18
- data/lib/action_dispatch/journey/route.rb +7 -18
- data/lib/action_dispatch/journey/router/utils.rb +6 -4
- data/lib/action_dispatch/journey/router.rb +26 -30
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +89 -46
- data/lib/action_dispatch/middleware/debug_exceptions.rb +8 -15
- data/lib/action_dispatch/middleware/debug_view.rb +1 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +28 -16
- data/lib/action_dispatch/middleware/host_authorization.rb +63 -14
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
- data/lib/action_dispatch/middleware/request_id.rb +4 -5
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +12 -0
- data/lib/action_dispatch/middleware/ssl.rb +12 -7
- data/lib/action_dispatch/middleware/stack.rb +19 -1
- data/lib/action_dispatch/middleware/static.rb +154 -93
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +21 -1
- data/lib/action_dispatch/railtie.rb +3 -2
- data/lib/action_dispatch/request/session.rb +2 -8
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +8 -7
- data/lib/action_dispatch/routing/mapper.rb +102 -71
- data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
- data/lib/action_dispatch/routing/redirection.rb +4 -4
- data/lib/action_dispatch/routing/route_set.rb +49 -41
- data/lib/action_dispatch/system_test_case.rb +35 -24
- data/lib/action_dispatch/system_testing/browser.rb +33 -27
- data/lib/action_dispatch/system_testing/driver.rb +6 -7
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
- data/lib/action_dispatch/testing/assertions/response.rb +2 -4
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +40 -29
- data/lib/action_dispatch/testing/test_process.rb +32 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch.rb +3 -2
- data/lib/action_pack/gem_version.rb +3 -3
- data/lib/action_pack.rb +1 -1
- metadata +18 -19
- data/lib/action_controller/metal/force_ssl.rb +0 -58
- data/lib/action_dispatch/http/parameter_filter.rb +0 -12
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
data/CHANGELOG.md
CHANGED
@@ -1,30 +1,114 @@
|
|
1
|
-
## Rails 6.
|
1
|
+
## Rails 6.1.7.3 (March 13, 2023) ##
|
2
2
|
|
3
3
|
* No changes.
|
4
4
|
|
5
5
|
|
6
|
-
## Rails 6.
|
6
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
7
|
+
|
8
|
+
* Fix `domain: :all` for two letter TLD
|
9
|
+
|
10
|
+
This fixes a compatibility issue introduced in our previous security
|
11
|
+
release when using `domain: :all` with a two letter but single level top
|
12
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
13
|
+
|
14
|
+
|
15
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
16
|
+
|
17
|
+
* Avoid regex backtracking on If-None-Match header
|
18
|
+
|
19
|
+
[CVE-2023-22795]
|
20
|
+
|
21
|
+
* Use string#split instead of regex for domain parts
|
22
|
+
|
23
|
+
[CVE-2023-22792]
|
24
|
+
|
25
|
+
|
26
|
+
## Rails 6.1.7 (September 09, 2022) ##
|
27
|
+
|
28
|
+
* No changes.
|
29
|
+
|
30
|
+
|
31
|
+
## Rails 6.1.6.1 (July 12, 2022) ##
|
7
32
|
|
8
33
|
* No changes.
|
9
34
|
|
10
35
|
|
11
|
-
## Rails 6.
|
36
|
+
## Rails 6.1.6 (May 09, 2022) ##
|
37
|
+
|
38
|
+
* No changes.
|
39
|
+
|
40
|
+
|
41
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
12
42
|
|
13
43
|
* Allow Content Security Policy DSL to generate for API responses.
|
14
44
|
|
15
45
|
*Tim Wade*
|
16
46
|
|
17
|
-
## Rails 6.
|
47
|
+
## Rails 6.1.5 (March 09, 2022) ##
|
48
|
+
|
49
|
+
* Fix `content_security_policy` returning invalid directives.
|
50
|
+
|
51
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
52
|
+
single quoted when the directive was the result of calling a lambda
|
53
|
+
returning an array.
|
54
|
+
|
55
|
+
```ruby
|
56
|
+
content_security_policy do |policy|
|
57
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
58
|
+
end
|
59
|
+
```
|
60
|
+
|
61
|
+
With this fix the policy generated from above will now be valid.
|
62
|
+
|
63
|
+
*Edouard Chin*
|
64
|
+
|
65
|
+
* Update `HostAuthorization` middleware to render debug info only
|
66
|
+
when `config.consider_all_requests_local` is set to true.
|
67
|
+
|
68
|
+
Also, blocked host info is always logged with level `error`.
|
69
|
+
|
70
|
+
Fixes #42813.
|
71
|
+
|
72
|
+
*Nikita Vyrko*
|
73
|
+
|
74
|
+
* Dup arrays that get "converted".
|
75
|
+
|
76
|
+
Fixes #43681.
|
77
|
+
|
78
|
+
*Aaron Patterson*
|
79
|
+
|
80
|
+
* Don't show deprecation warning for equal paths.
|
81
|
+
|
82
|
+
*Anton Rieder*
|
83
|
+
|
84
|
+
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
|
85
|
+
|
86
|
+
Fixes #43094.
|
87
|
+
|
88
|
+
*Alex Ghiculescu*
|
89
|
+
|
90
|
+
* Add fallback host for SystemTestCase driven by RackTest.
|
91
|
+
|
92
|
+
Fixes #42780.
|
93
|
+
|
94
|
+
*Petrik de Heus*
|
95
|
+
|
96
|
+
* Add more detail about what hosts are allowed.
|
97
|
+
|
98
|
+
*Alex Ghiculescu*
|
99
|
+
|
100
|
+
|
101
|
+
## Rails 6.1.4.7 (March 08, 2022) ##
|
18
102
|
|
19
103
|
* No changes.
|
20
104
|
|
21
105
|
|
22
|
-
## Rails 6.
|
106
|
+
## Rails 6.1.4.6 (February 11, 2022) ##
|
23
107
|
|
24
108
|
* No changes.
|
25
109
|
|
26
110
|
|
27
|
-
## Rails 6.
|
111
|
+
## Rails 6.1.4.5 (February 11, 2022) ##
|
28
112
|
|
29
113
|
* Under certain circumstances, the middleware isn't informed that the
|
30
114
|
response body has been fully closed which result in request state not
|
@@ -33,17 +117,17 @@
|
|
33
117
|
[CVE-2022-23633]
|
34
118
|
|
35
119
|
|
36
|
-
## Rails 6.
|
120
|
+
## Rails 6.1.4.4 (December 15, 2021) ##
|
37
121
|
|
38
122
|
* Fix issue with host protection not allowing host with port in development.
|
39
123
|
|
40
124
|
|
41
|
-
## Rails 6.
|
125
|
+
## Rails 6.1.4.3 (December 14, 2021) ##
|
42
126
|
|
43
|
-
*
|
127
|
+
* Fix issue with host protection not allowing localhost in development.
|
44
128
|
|
45
129
|
|
46
|
-
## Rails 6.
|
130
|
+
## Rails 6.1.4.2 (December 14, 2021) ##
|
47
131
|
|
48
132
|
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
49
133
|
|
@@ -55,35 +139,48 @@
|
|
55
139
|
"allowed host" formats can cause the Host Authorization middleware in Action
|
56
140
|
Pack to redirect users to a malicious website.
|
57
141
|
|
58
|
-
## Rails 6.
|
142
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
59
143
|
|
60
|
-
*
|
144
|
+
* Ignore file fixtures on `db:fixtures:load`
|
61
145
|
|
62
|
-
|
63
|
-
them difficult to deal with. For example, the common practice of sending
|
64
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
65
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
146
|
+
*Kevin Sjöberg*
|
66
147
|
|
67
|
-
|
68
|
-
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
69
|
-
tokens for backwards compatibility.
|
148
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
70
149
|
|
71
|
-
|
72
|
-
|
150
|
+
*Dylan Thacker-Smith*
|
151
|
+
|
152
|
+
* Correctly place optional path parameter booleans.
|
153
|
+
|
154
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
155
|
+
of the path as parameter for example:
|
73
156
|
|
74
|
-
```ruby
|
75
|
-
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
76
157
|
```
|
158
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
159
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
160
|
+
```
|
161
|
+
|
162
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
163
|
+
|
164
|
+
```
|
165
|
+
get '(this/:my_bool)/that' as: :that
|
166
|
+
|
167
|
+
that_path(my_bool: true) # => `/this/true/that`
|
168
|
+
that_path(my_bool: false) # => `/this/false/that`
|
169
|
+
```
|
170
|
+
|
171
|
+
*Adam Hess*
|
172
|
+
|
173
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
77
174
|
|
78
|
-
|
175
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
79
176
|
|
80
|
-
*
|
81
|
-
`action_dispatch.use_cookies_with_metadata` is enabled.
|
177
|
+
*Alex Smith*
|
82
178
|
|
83
|
-
*Rolandas Barysas*
|
84
179
|
|
180
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
85
181
|
|
86
|
-
|
182
|
+
* Prevent open redirects by correctly escaping the host allow list
|
183
|
+
CVE-2021-22903
|
87
184
|
|
88
185
|
* Prevent catastrophic backtracking during mime parsing
|
89
186
|
CVE-2021-22902
|
@@ -101,12 +198,19 @@
|
|
101
198
|
|
102
199
|
*Gannon McGibbon*
|
103
200
|
|
104
|
-
## Rails 6.
|
201
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
105
202
|
|
106
203
|
* No changes.
|
107
204
|
|
108
205
|
|
109
|
-
## Rails 6.
|
206
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
207
|
+
|
208
|
+
* Re-define routes when not set correctly via inheritance.
|
209
|
+
|
210
|
+
*John Hawthorn*
|
211
|
+
|
212
|
+
|
213
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
110
214
|
|
111
215
|
* Prevent open redirect when allowed host starts with a dot
|
112
216
|
|
@@ -118,390 +222,440 @@
|
|
118
222
|
*Aaron Patterson*
|
119
223
|
|
120
224
|
|
121
|
-
## Rails 6.
|
225
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
122
226
|
|
123
|
-
*
|
227
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
124
228
|
|
229
|
+
*Janko Marohnić*
|
125
230
|
|
126
|
-
|
231
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
127
232
|
|
128
|
-
*
|
233
|
+
*Eugene Kenny*
|
129
234
|
|
130
235
|
|
131
|
-
## Rails 6.
|
236
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
132
237
|
|
133
|
-
*
|
238
|
+
* Fix nil translation key lookup in controllers/
|
134
239
|
|
135
|
-
|
240
|
+
*Jan Klimo*
|
136
241
|
|
137
|
-
*
|
242
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
138
243
|
|
139
|
-
*
|
244
|
+
*Alex Robbin*
|
140
245
|
|
246
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
141
247
|
|
142
|
-
|
248
|
+
*Alex Robbin*
|
143
249
|
|
144
|
-
* Include child session assertion count in ActionDispatch::IntegrationTest
|
145
250
|
|
146
|
-
|
147
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
148
|
-
from being correctly counted and reported.
|
251
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
149
252
|
|
150
|
-
|
151
|
-
|
253
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
254
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
152
255
|
|
153
|
-
|
256
|
+
```ruby
|
257
|
+
Rails.application.config.permissions_policy do |p|
|
258
|
+
p.camera :none
|
259
|
+
p.gyroscope :none
|
260
|
+
p.microphone :none
|
261
|
+
p.usb :none
|
262
|
+
p.fullscreen :self
|
263
|
+
p.payment :self, "https://secure-example.com"
|
264
|
+
end
|
265
|
+
```
|
154
266
|
|
155
|
-
*
|
267
|
+
*Julien Grillot*
|
156
268
|
|
269
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
157
270
|
|
158
|
-
|
271
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
159
272
|
|
160
|
-
*
|
273
|
+
*Chris Bisnett*
|
161
274
|
|
275
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
276
|
+
the unique X-Request-Id header
|
162
277
|
|
163
|
-
|
278
|
+
*Arlston Fernandes*
|
164
279
|
|
165
|
-
*
|
280
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
166
281
|
|
167
|
-
|
168
|
-
gem dalli to be updated as well.
|
282
|
+
*Rafael Mendonça França*
|
169
283
|
|
170
|
-
|
284
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
171
285
|
|
286
|
+
*Rafael Mendonça França*
|
172
287
|
|
173
|
-
|
288
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
174
289
|
|
175
|
-
*
|
290
|
+
*Rafael Mendonça França*
|
176
291
|
|
177
|
-
|
292
|
+
* Added support for exclusive no-store Cache-Control header.
|
178
293
|
|
294
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
179
295
|
|
180
|
-
|
296
|
+
*Chris Kruger*
|
181
297
|
|
182
|
-
*
|
183
|
-
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
184
|
-
system tests.
|
298
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
185
299
|
|
186
|
-
|
300
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
301
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
187
302
|
|
188
|
-
*
|
303
|
+
*Adrianna Chang*
|
189
304
|
|
190
|
-
|
191
|
-
Mime::Type.register "text/html; fragment", :html_fragment
|
192
|
-
```
|
305
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
193
306
|
|
194
|
-
*
|
307
|
+
*Gannon McGibbon*
|
195
308
|
|
309
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
196
310
|
|
197
|
-
|
311
|
+
*Alan Tan*, *Oz Ben-David*
|
198
312
|
|
199
|
-
*
|
313
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
314
|
+
a 308 redirection.
|
200
315
|
|
316
|
+
*Alan Tan*
|
201
317
|
|
202
|
-
|
318
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
319
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
203
320
|
|
204
|
-
*
|
321
|
+
*Jonathan Hefner*
|
205
322
|
|
206
|
-
|
323
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
207
324
|
|
208
|
-
|
325
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
326
|
+
Brotli files are preferred due to much better compression.
|
209
327
|
|
210
|
-
|
328
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
329
|
+
we check for public/some.js.br and serve that file, if present, with
|
330
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
211
331
|
|
212
|
-
|
213
|
-
take parameters the scope was lost when using path helpers. This commit
|
214
|
-
ensures scope is kept both when the route takes parameters or when it
|
215
|
-
doesn't.
|
332
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
216
333
|
|
217
|
-
|
334
|
+
* Add raise_on_missing_translations support for controllers.
|
218
335
|
|
219
|
-
|
336
|
+
This configuration determines whether an error should be raised for missing translations.
|
337
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
338
|
+
configuration also affects raising error for missing translations in views.
|
220
339
|
|
221
|
-
*
|
340
|
+
*fatkodima*
|
222
341
|
|
223
|
-
|
224
|
-
contain charset part. This behavior changed to returned Content-Type header
|
225
|
-
containing charset part as it is.
|
342
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
226
343
|
|
227
|
-
|
228
|
-
instead.
|
344
|
+
*Eugene Kenny*
|
229
345
|
|
230
|
-
|
231
|
-
|
232
|
-
value as before version, but its behavior is deprecate.
|
346
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
347
|
+
without passing a block now returns an enumerator.
|
233
348
|
|
234
|
-
*
|
349
|
+
*Eugene Kenny*
|
235
350
|
|
236
|
-
*
|
237
|
-
an enumerator for the parameters instead of the underlying hash.
|
351
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
238
352
|
|
239
|
-
|
353
|
+
Previously the path had to be relative to `fixture_path`.
|
354
|
+
You can change your existing code as follow:
|
240
355
|
|
241
|
-
|
356
|
+
```ruby
|
357
|
+
# Before
|
358
|
+
fixture_file_upload('files/dog.png')
|
242
359
|
|
243
|
-
|
360
|
+
# After
|
361
|
+
fixture_file_upload('dog.png')
|
362
|
+
```
|
244
363
|
|
364
|
+
*Edouard Chin*
|
245
365
|
|
246
|
-
|
366
|
+
* Remove deprecated `force_ssl` at the controller level.
|
247
367
|
|
248
|
-
*
|
249
|
-
rather than an `after_teardown` hook.
|
368
|
+
*Rafael Mendonça França*
|
250
369
|
|
251
|
-
|
252
|
-
|
253
|
-
been dynamically updated after the assertion failed).
|
370
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
371
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
254
372
|
|
255
|
-
|
373
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
374
|
+
always pass a module object:
|
256
375
|
|
257
|
-
|
376
|
+
```ruby
|
377
|
+
helper UtilsHelper
|
378
|
+
```
|
258
379
|
|
259
|
-
|
260
|
-
|
380
|
+
which is recommended because it is simple and direct. When a string/symbol
|
381
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
382
|
+
that same module object.
|
261
383
|
|
262
|
-
|
384
|
+
*Xavier Noria*, *Jean Boussier*
|
263
385
|
|
264
|
-
|
386
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
265
387
|
|
266
|
-
*
|
388
|
+
*Nick Soracco*
|
267
389
|
|
268
|
-
|
390
|
+
* `url_for` will now use "https://" as the default protocol when
|
391
|
+
`Rails.application.config.force_ssl` is set to true.
|
269
392
|
|
270
|
-
|
271
|
-
routes.draw do
|
272
|
-
resources :users, param: 'name/:sneaky'
|
273
|
-
end
|
274
|
-
```
|
393
|
+
*Jonathan Hefner*
|
275
394
|
|
276
|
-
|
395
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
277
396
|
|
278
|
-
|
397
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
398
|
+
them difficult to deal with. For example, the common practice of sending
|
399
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
400
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
279
401
|
|
402
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
403
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
404
|
+
for backwards compatibility.
|
280
405
|
|
281
|
-
|
406
|
+
*Scott Blum*
|
282
407
|
|
283
|
-
*
|
408
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
284
409
|
|
410
|
+
In a distributed configuration like rolling update, users may observe
|
411
|
+
both old and new instances during deployment. Users may be served by a
|
412
|
+
new instance and then by an old instance.
|
285
413
|
|
286
|
-
|
414
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
415
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
416
|
+
from `false` to `true`, users may lose their sessions if they access the
|
417
|
+
server during deployment.
|
287
418
|
|
288
|
-
|
419
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
420
|
+
deployment, ensuring compatibility on both old and new instances.
|
289
421
|
|
290
|
-
*
|
422
|
+
*Masaki Hara*
|
291
423
|
|
292
|
-
* `ActionDispatch::
|
293
|
-
to define specific browser capabilities.
|
424
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
294
425
|
|
295
|
-
|
426
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
427
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
296
428
|
|
429
|
+
*Keenan Brock*
|
297
430
|
|
298
|
-
|
431
|
+
* Fix possible information leak / session hijacking vulnerability.
|
299
432
|
|
300
|
-
|
433
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
434
|
+
gem dalli to be updated as well.
|
301
435
|
|
302
|
-
|
436
|
+
CVE-2019-16782.
|
303
437
|
|
304
|
-
*
|
438
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
305
439
|
|
306
|
-
|
307
|
-
|
440
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
441
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
442
|
+
from being correctly counted and reported.
|
308
443
|
|
309
|
-
|
444
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
445
|
+
root session.
|
310
446
|
|
311
|
-
|
447
|
+
Fixes #32142.
|
312
448
|
|
313
|
-
|
314
|
-
explicitly permitting the hosts a request can be made to.
|
449
|
+
*Sam Bostock*
|
315
450
|
|
316
|
-
|
317
|
-
`Proc`, `IPAddr` and custom objects as host allowances.
|
451
|
+
* Add SameSite protection to every written cookie.
|
318
452
|
|
319
|
-
|
453
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
454
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
320
455
|
|
321
|
-
|
456
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
322
457
|
|
323
|
-
|
324
|
-
`parsed_body` in `ActionController::TestCase`:
|
458
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
325
459
|
|
326
|
-
|
327
|
-
class SomeControllerTest < ActionController::TestCase
|
328
|
-
def test_some_action
|
329
|
-
post :action, body: { foo: 'bar' }
|
330
|
-
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
331
|
-
end
|
332
|
-
end
|
333
|
-
```
|
460
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
334
461
|
|
335
|
-
|
462
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
336
463
|
|
337
|
-
|
464
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
338
465
|
|
339
|
-
*
|
466
|
+
*Cédric Fabianski*
|
340
467
|
|
341
|
-
|
342
|
-
same context instead of assigning nil names to subsequent roots.
|
468
|
+
* Bring back the feature that allows loading external route files from the router.
|
343
469
|
|
344
|
-
|
470
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
471
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
472
|
+
that this wasn't fully the case and loading external route files from the router
|
473
|
+
can be helpful for applications with a really large set of routes.
|
474
|
+
Without this feature, application needs to implement routes reloading
|
475
|
+
themselves and it's not straightforward.
|
345
476
|
|
346
|
-
|
477
|
+
```ruby
|
478
|
+
# config/routes.rb
|
347
479
|
|
348
|
-
|
349
|
-
|
350
|
-
head :unauthorized
|
480
|
+
Rails.application.routes.draw do
|
481
|
+
draw(:admin)
|
351
482
|
end
|
483
|
+
|
484
|
+
# config/routes/admin.rb
|
485
|
+
|
486
|
+
get :foo, to: 'foo#bar'
|
352
487
|
```
|
353
488
|
|
354
|
-
*
|
489
|
+
*Yehuda Katz*, *Edouard Chin*
|
355
490
|
|
356
|
-
*
|
491
|
+
* Fix system test driver option initialization for non-headless browsers.
|
357
492
|
|
358
|
-
|
359
|
-
in system test `after_teardown`.
|
493
|
+
*glaszig*
|
360
494
|
|
361
|
-
|
495
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
496
|
+
their payloads as `:request`.
|
362
497
|
|
363
|
-
*
|
498
|
+
*Austin Story*
|
364
499
|
|
365
|
-
|
366
|
-
|
367
|
-
when resolving dynamic CSP sources in this scenario.
|
500
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
501
|
+
request format but based on the block given.
|
368
502
|
|
369
|
-
|
503
|
+
Example:
|
370
504
|
|
371
|
-
|
505
|
+
```ruby
|
506
|
+
def my_action
|
507
|
+
respond_to do |format|
|
508
|
+
format.any { render(json: { foo: 'bar' }) }
|
509
|
+
end
|
510
|
+
end
|
511
|
+
|
512
|
+
get('my_action.csv')
|
513
|
+
```
|
372
514
|
|
373
|
-
|
515
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
516
|
+
is inaccurate since a JSON response is being rendered.
|
374
517
|
|
375
|
-
|
376
|
-
would be converted to a string implicitly, e.g:
|
518
|
+
Now it correctly returns a `application/json` Content-Type.
|
377
519
|
|
378
|
-
|
520
|
+
*Edouard Chin*
|
379
521
|
|
380
|
-
|
522
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
381
523
|
|
382
|
-
|
524
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
525
|
+
nested directory, causing issues with `tmp:clear`.
|
383
526
|
|
384
|
-
|
527
|
+
*Damir Zekic*
|
385
528
|
|
386
|
-
|
529
|
+
* Add `params.member?` to mimic Hash behavior.
|
387
530
|
|
388
|
-
*
|
531
|
+
*Younes Serraj*
|
389
532
|
|
390
|
-
*
|
533
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
391
534
|
|
392
|
-
*
|
535
|
+
* `:request` - the `ActionDispatch::Request`
|
536
|
+
* `:response` - the `ActionDispatch::Response`
|
393
537
|
|
394
|
-
*
|
538
|
+
*George Claghorn*
|
395
539
|
|
396
|
-
|
540
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
541
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
542
|
+
from.
|
397
543
|
|
398
|
-
|
399
|
-
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
400
|
-
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
401
|
-
garbled.
|
402
|
-
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
403
|
-
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
404
|
-
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
405
|
-
Most browsers can find filename correctly and old browsers fallback to ASCII
|
406
|
-
converted name.
|
544
|
+
Fixes #37383.
|
407
545
|
|
408
|
-
*
|
546
|
+
*Norm Provost*
|
409
547
|
|
410
|
-
*
|
411
|
-
keys without allocating an array.
|
548
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
412
549
|
|
413
|
-
|
550
|
+
```ruby
|
551
|
+
# Use the debug level if a particular cookie is set.
|
552
|
+
class ApplicationController < ActionController::Base
|
553
|
+
log_at :debug, if: -> { cookies[:debug] }
|
554
|
+
end
|
555
|
+
```
|
414
556
|
|
415
|
-
*
|
557
|
+
*George Claghorn*
|
416
558
|
|
417
|
-
|
418
|
-
|
559
|
+
* Allow system test screen shots to be taken more than once in
|
560
|
+
a test by prefixing the file name with an incrementing counter.
|
419
561
|
|
420
|
-
|
421
|
-
|
422
|
-
|
562
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
563
|
+
enable saving of HTML during a screenshot in addition to the image.
|
564
|
+
This uses the same image name, with the extension replaced with `.html`
|
423
565
|
|
424
|
-
|
425
|
-
writes cookies with the new purpose and expiry metadata embedded.
|
566
|
+
*Tom Fakes*
|
426
567
|
|
427
|
-
|
568
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
428
569
|
|
429
|
-
|
570
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
571
|
+
header to determine what to return. And if we don't add `Vary`
|
572
|
+
in the response header, browsers might accidentally cache different
|
573
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
574
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
575
|
+
in these types of requests. For more detailed problem description, please read:
|
430
576
|
|
431
|
-
|
432
|
-
multiple invocations are made and the types do not match:
|
577
|
+
https://github.com/rails/rails/pull/36213
|
433
578
|
|
434
|
-
|
435
|
-
outer_type.js do
|
436
|
-
respond_to do |inner_type|
|
437
|
-
inner_type.html { render body: "HTML" }
|
438
|
-
end
|
439
|
-
end
|
440
|
-
end
|
579
|
+
Fixes #25842.
|
441
580
|
|
442
|
-
*
|
581
|
+
*Stan Lo*
|
443
582
|
|
444
|
-
*
|
583
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
584
|
+
a 307 redirection.
|
445
585
|
|
446
|
-
|
447
|
-
without raising a `TypeError`:
|
586
|
+
*Edouard Chin*
|
448
587
|
|
449
|
-
|
450
|
-
File.read(uploaded_file)
|
588
|
+
* System tests require Capybara 3.26 or newer.
|
451
589
|
|
452
|
-
*
|
590
|
+
*George Claghorn*
|
453
591
|
|
454
|
-
*
|
592
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
455
593
|
|
456
|
-
|
457
|
-
`get` method. This for example allows to set custom headers for the
|
458
|
-
redirection request to the server.
|
594
|
+
*Alberto Fernández-Capel*
|
459
595
|
|
460
|
-
|
596
|
+
* Add DSL for configuring HTTP Feature Policy.
|
461
597
|
|
462
|
-
|
598
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
599
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
600
|
+
specification and guidelines can be found at MDN:
|
463
601
|
|
464
|
-
|
602
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
465
603
|
|
466
|
-
|
467
|
-
one informative page.
|
604
|
+
Example global policy:
|
468
605
|
|
469
|
-
|
606
|
+
```ruby
|
607
|
+
Rails.application.config.feature_policy do |f|
|
608
|
+
f.camera :none
|
609
|
+
f.gyroscope :none
|
610
|
+
f.microphone :none
|
611
|
+
f.usb :none
|
612
|
+
f.fullscreen :self
|
613
|
+
f.payment :self, "https://secure.example.com"
|
614
|
+
end
|
615
|
+
```
|
470
616
|
|
471
|
-
|
617
|
+
Example controller level policy:
|
472
618
|
|
473
|
-
|
474
|
-
|
475
|
-
|
619
|
+
```ruby
|
620
|
+
class PagesController < ApplicationController
|
621
|
+
feature_policy do |p|
|
622
|
+
p.geolocation "https://example.com"
|
623
|
+
end
|
624
|
+
end
|
625
|
+
```
|
476
626
|
|
477
|
-
|
478
|
-
HypoteticalPlugin.capture_exception(request, exception)
|
479
|
-
end
|
627
|
+
*Jacob Bednarz*
|
480
628
|
|
481
|
-
|
629
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
482
630
|
|
483
|
-
|
631
|
+
Fixes #35137.
|
484
632
|
|
485
|
-
|
633
|
+
*Yuji Yaginuma*
|
634
|
+
|
635
|
+
* Keep part when scope option has value.
|
486
636
|
|
487
|
-
|
637
|
+
When a route was defined within an optional scope, if that route didn't
|
638
|
+
take parameters the scope was lost when using path helpers. This commit
|
639
|
+
ensures scope is kept both when the route takes parameters or when it
|
640
|
+
doesn't.
|
488
641
|
|
489
|
-
|
642
|
+
Fixes #33219.
|
490
643
|
|
491
|
-
*
|
644
|
+
*Alberto Almagro*
|
492
645
|
|
493
|
-
*
|
646
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
494
647
|
|
495
|
-
*
|
648
|
+
*Gustavo Gutierrez*
|
496
649
|
|
497
|
-
*
|
498
|
-
|
650
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
651
|
+
an enumerator for the parameters instead of the underlying hash.
|
499
652
|
|
500
|
-
*
|
653
|
+
*Eugene Kenny*
|
501
654
|
|
502
|
-
*
|
655
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
656
|
+
It should only block invalid key's values instead.
|
503
657
|
|
504
|
-
*
|
658
|
+
*Stan Lo*
|
505
659
|
|
506
660
|
|
507
|
-
Please check [
|
661
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|