actionpack 6.0.6.1 → 6.1.7.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +399 -255
- data/MIT-LICENSE +1 -2
- data/lib/abstract_controller/base.rb +35 -2
- data/lib/abstract_controller/callbacks.rb +2 -2
- data/lib/abstract_controller/collector.rb +4 -2
- data/lib/abstract_controller/helpers.rb +105 -90
- data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +8 -2
- data/lib/abstract_controller.rb +1 -0
- data/lib/action_controller/api.rb +2 -2
- data/lib/action_controller/base.rb +4 -2
- data/lib/action_controller/caching.rb +0 -1
- data/lib/action_controller/log_subscriber.rb +3 -3
- data/lib/action_controller/metal/conditional_get.rb +11 -3
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
- data/lib/action_controller/metal/exceptions.rb +33 -0
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +11 -1
- data/lib/action_controller/metal/http_authentication.rb +5 -2
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -9
- data/lib/action_controller/metal/live.rb +10 -1
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +6 -2
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +14 -8
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +1 -1
- data/lib/action_controller/metal/rendering.rb +6 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +1 -1
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +104 -16
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/renderer.rb +23 -13
- data/lib/action_controller/test_case.rb +65 -56
- data/lib/action_controller.rb +2 -3
- data/lib/action_dispatch/http/cache.rb +18 -17
- data/lib/action_dispatch/http/content_security_policy.rb +6 -1
- data/lib/action_dispatch/http/filter_parameters.rb +1 -1
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +3 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +14 -8
- data/lib/action_dispatch/http/mime_type.rb +29 -16
- data/lib/action_dispatch/http/parameters.rb +1 -19
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +24 -8
- data/lib/action_dispatch/http/response.rb +17 -16
- data/lib/action_dispatch/http/url.rb +3 -2
- data/lib/action_dispatch/journey/formatter.rb +55 -30
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +4 -3
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +13 -18
- data/lib/action_dispatch/journey/route.rb +7 -18
- data/lib/action_dispatch/journey/router/utils.rb +6 -4
- data/lib/action_dispatch/journey/router.rb +26 -30
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +89 -46
- data/lib/action_dispatch/middleware/debug_exceptions.rb +8 -15
- data/lib/action_dispatch/middleware/debug_view.rb +1 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +28 -16
- data/lib/action_dispatch/middleware/host_authorization.rb +63 -14
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
- data/lib/action_dispatch/middleware/request_id.rb +4 -5
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +12 -0
- data/lib/action_dispatch/middleware/ssl.rb +12 -7
- data/lib/action_dispatch/middleware/stack.rb +19 -1
- data/lib/action_dispatch/middleware/static.rb +154 -93
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +21 -1
- data/lib/action_dispatch/railtie.rb +3 -2
- data/lib/action_dispatch/request/session.rb +2 -8
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +8 -7
- data/lib/action_dispatch/routing/mapper.rb +102 -71
- data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
- data/lib/action_dispatch/routing/redirection.rb +4 -4
- data/lib/action_dispatch/routing/route_set.rb +49 -41
- data/lib/action_dispatch/system_test_case.rb +35 -24
- data/lib/action_dispatch/system_testing/browser.rb +33 -27
- data/lib/action_dispatch/system_testing/driver.rb +6 -7
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
- data/lib/action_dispatch/testing/assertions/response.rb +2 -4
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +40 -29
- data/lib/action_dispatch/testing/test_process.rb +32 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch.rb +3 -2
- data/lib/action_pack/gem_version.rb +3 -3
- data/lib/action_pack.rb +1 -1
- metadata +17 -18
- data/lib/action_controller/metal/force_ssl.rb +0 -58
- data/lib/action_dispatch/http/parameter_filter.rb +0 -12
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
data/CHANGELOG.md
CHANGED
@@ -1,40 +1,114 @@
|
|
1
|
-
## Rails 6.
|
1
|
+
## Rails 6.1.7.3 (March 13, 2023) ##
|
2
2
|
|
3
3
|
* No changes.
|
4
4
|
|
5
5
|
|
6
|
-
## Rails 6.
|
6
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
7
|
+
|
8
|
+
* Fix `domain: :all` for two letter TLD
|
9
|
+
|
10
|
+
This fixes a compatibility issue introduced in our previous security
|
11
|
+
release when using `domain: :all` with a two letter but single level top
|
12
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
13
|
+
|
14
|
+
|
15
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
16
|
+
|
17
|
+
* Avoid regex backtracking on If-None-Match header
|
18
|
+
|
19
|
+
[CVE-2023-22795]
|
20
|
+
|
21
|
+
* Use string#split instead of regex for domain parts
|
22
|
+
|
23
|
+
[CVE-2023-22792]
|
24
|
+
|
25
|
+
|
26
|
+
## Rails 6.1.7 (September 09, 2022) ##
|
7
27
|
|
8
28
|
* No changes.
|
9
29
|
|
10
30
|
|
11
|
-
## Rails 6.
|
31
|
+
## Rails 6.1.6.1 (July 12, 2022) ##
|
12
32
|
|
13
33
|
* No changes.
|
14
34
|
|
15
35
|
|
16
|
-
## Rails 6.
|
36
|
+
## Rails 6.1.6 (May 09, 2022) ##
|
17
37
|
|
18
38
|
* No changes.
|
19
39
|
|
20
40
|
|
21
|
-
## Rails 6.
|
41
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
22
42
|
|
23
43
|
* Allow Content Security Policy DSL to generate for API responses.
|
24
44
|
|
25
45
|
*Tim Wade*
|
26
46
|
|
27
|
-
## Rails 6.
|
47
|
+
## Rails 6.1.5 (March 09, 2022) ##
|
48
|
+
|
49
|
+
* Fix `content_security_policy` returning invalid directives.
|
50
|
+
|
51
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
52
|
+
single quoted when the directive was the result of calling a lambda
|
53
|
+
returning an array.
|
54
|
+
|
55
|
+
```ruby
|
56
|
+
content_security_policy do |policy|
|
57
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
58
|
+
end
|
59
|
+
```
|
60
|
+
|
61
|
+
With this fix the policy generated from above will now be valid.
|
62
|
+
|
63
|
+
*Edouard Chin*
|
64
|
+
|
65
|
+
* Update `HostAuthorization` middleware to render debug info only
|
66
|
+
when `config.consider_all_requests_local` is set to true.
|
67
|
+
|
68
|
+
Also, blocked host info is always logged with level `error`.
|
69
|
+
|
70
|
+
Fixes #42813.
|
71
|
+
|
72
|
+
*Nikita Vyrko*
|
73
|
+
|
74
|
+
* Dup arrays that get "converted".
|
75
|
+
|
76
|
+
Fixes #43681.
|
77
|
+
|
78
|
+
*Aaron Patterson*
|
79
|
+
|
80
|
+
* Don't show deprecation warning for equal paths.
|
81
|
+
|
82
|
+
*Anton Rieder*
|
83
|
+
|
84
|
+
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
|
85
|
+
|
86
|
+
Fixes #43094.
|
87
|
+
|
88
|
+
*Alex Ghiculescu*
|
89
|
+
|
90
|
+
* Add fallback host for SystemTestCase driven by RackTest.
|
91
|
+
|
92
|
+
Fixes #42780.
|
93
|
+
|
94
|
+
*Petrik de Heus*
|
95
|
+
|
96
|
+
* Add more detail about what hosts are allowed.
|
97
|
+
|
98
|
+
*Alex Ghiculescu*
|
99
|
+
|
100
|
+
|
101
|
+
## Rails 6.1.4.7 (March 08, 2022) ##
|
28
102
|
|
29
103
|
* No changes.
|
30
104
|
|
31
105
|
|
32
|
-
## Rails 6.
|
106
|
+
## Rails 6.1.4.6 (February 11, 2022) ##
|
33
107
|
|
34
108
|
* No changes.
|
35
109
|
|
36
110
|
|
37
|
-
## Rails 6.
|
111
|
+
## Rails 6.1.4.5 (February 11, 2022) ##
|
38
112
|
|
39
113
|
* Under certain circumstances, the middleware isn't informed that the
|
40
114
|
response body has been fully closed which result in request state not
|
@@ -43,17 +117,17 @@
|
|
43
117
|
[CVE-2022-23633]
|
44
118
|
|
45
119
|
|
46
|
-
## Rails 6.
|
120
|
+
## Rails 6.1.4.4 (December 15, 2021) ##
|
47
121
|
|
48
122
|
* Fix issue with host protection not allowing host with port in development.
|
49
123
|
|
50
124
|
|
51
|
-
## Rails 6.
|
125
|
+
## Rails 6.1.4.3 (December 14, 2021) ##
|
52
126
|
|
53
|
-
*
|
127
|
+
* Fix issue with host protection not allowing localhost in development.
|
54
128
|
|
55
129
|
|
56
|
-
## Rails 6.
|
130
|
+
## Rails 6.1.4.2 (December 14, 2021) ##
|
57
131
|
|
58
132
|
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
59
133
|
|
@@ -65,35 +139,48 @@
|
|
65
139
|
"allowed host" formats can cause the Host Authorization middleware in Action
|
66
140
|
Pack to redirect users to a malicious website.
|
67
141
|
|
68
|
-
## Rails 6.
|
142
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
69
143
|
|
70
|
-
*
|
144
|
+
* Ignore file fixtures on `db:fixtures:load`
|
71
145
|
|
72
|
-
|
73
|
-
them difficult to deal with. For example, the common practice of sending
|
74
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
75
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
146
|
+
*Kevin Sjöberg*
|
76
147
|
|
77
|
-
|
78
|
-
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
79
|
-
tokens for backwards compatibility.
|
148
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
80
149
|
|
81
|
-
|
82
|
-
If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
|
150
|
+
*Dylan Thacker-Smith*
|
83
151
|
|
84
|
-
|
85
|
-
|
152
|
+
* Correctly place optional path parameter booleans.
|
153
|
+
|
154
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
155
|
+
of the path as parameter for example:
|
156
|
+
|
157
|
+
```
|
158
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
159
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
160
|
+
```
|
161
|
+
|
162
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
163
|
+
|
164
|
+
```
|
165
|
+
get '(this/:my_bool)/that' as: :that
|
166
|
+
|
167
|
+
that_path(my_bool: true) # => `/this/true/that`
|
168
|
+
that_path(my_bool: false) # => `/this/false/that`
|
86
169
|
```
|
87
170
|
|
88
|
-
*
|
171
|
+
*Adam Hess*
|
172
|
+
|
173
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
174
|
+
|
175
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
89
176
|
|
90
|
-
*
|
91
|
-
`action_dispatch.use_cookies_with_metadata` is enabled.
|
177
|
+
*Alex Smith*
|
92
178
|
|
93
|
-
*Rolandas Barysas*
|
94
179
|
|
180
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
95
181
|
|
96
|
-
|
182
|
+
* Prevent open redirects by correctly escaping the host allow list
|
183
|
+
CVE-2021-22903
|
97
184
|
|
98
185
|
* Prevent catastrophic backtracking during mime parsing
|
99
186
|
CVE-2021-22902
|
@@ -111,12 +198,19 @@
|
|
111
198
|
|
112
199
|
*Gannon McGibbon*
|
113
200
|
|
114
|
-
## Rails 6.
|
201
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
115
202
|
|
116
203
|
* No changes.
|
117
204
|
|
118
205
|
|
119
|
-
## Rails 6.
|
206
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
207
|
+
|
208
|
+
* Re-define routes when not set correctly via inheritance.
|
209
|
+
|
210
|
+
*John Hawthorn*
|
211
|
+
|
212
|
+
|
213
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
120
214
|
|
121
215
|
* Prevent open redirect when allowed host starts with a dot
|
122
216
|
|
@@ -128,390 +222,440 @@
|
|
128
222
|
*Aaron Patterson*
|
129
223
|
|
130
224
|
|
131
|
-
## Rails 6.
|
225
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
132
226
|
|
133
|
-
*
|
227
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
134
228
|
|
229
|
+
*Janko Marohnić*
|
135
230
|
|
136
|
-
|
231
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
137
232
|
|
138
|
-
*
|
233
|
+
*Eugene Kenny*
|
139
234
|
|
140
235
|
|
141
|
-
## Rails 6.
|
236
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
142
237
|
|
143
|
-
*
|
238
|
+
* Fix nil translation key lookup in controllers/
|
144
239
|
|
145
|
-
|
240
|
+
*Jan Klimo*
|
146
241
|
|
147
|
-
*
|
242
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
148
243
|
|
149
|
-
*
|
244
|
+
*Alex Robbin*
|
150
245
|
|
246
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
151
247
|
|
152
|
-
|
248
|
+
*Alex Robbin*
|
153
249
|
|
154
|
-
* Include child session assertion count in ActionDispatch::IntegrationTest
|
155
250
|
|
156
|
-
|
157
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
158
|
-
from being correctly counted and reported.
|
251
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
159
252
|
|
160
|
-
|
161
|
-
|
253
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
254
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
162
255
|
|
163
|
-
|
256
|
+
```ruby
|
257
|
+
Rails.application.config.permissions_policy do |p|
|
258
|
+
p.camera :none
|
259
|
+
p.gyroscope :none
|
260
|
+
p.microphone :none
|
261
|
+
p.usb :none
|
262
|
+
p.fullscreen :self
|
263
|
+
p.payment :self, "https://secure-example.com"
|
264
|
+
end
|
265
|
+
```
|
164
266
|
|
165
|
-
*
|
267
|
+
*Julien Grillot*
|
166
268
|
|
269
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
167
270
|
|
168
|
-
|
271
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
169
272
|
|
170
|
-
*
|
273
|
+
*Chris Bisnett*
|
171
274
|
|
275
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
276
|
+
the unique X-Request-Id header
|
172
277
|
|
173
|
-
|
278
|
+
*Arlston Fernandes*
|
174
279
|
|
175
|
-
*
|
280
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
176
281
|
|
177
|
-
|
178
|
-
gem dalli to be updated as well.
|
282
|
+
*Rafael Mendonça França*
|
179
283
|
|
180
|
-
|
284
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
181
285
|
|
286
|
+
*Rafael Mendonça França*
|
182
287
|
|
183
|
-
|
288
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
184
289
|
|
185
|
-
*
|
290
|
+
*Rafael Mendonça França*
|
186
291
|
|
187
|
-
|
292
|
+
* Added support for exclusive no-store Cache-Control header.
|
188
293
|
|
294
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
189
295
|
|
190
|
-
|
296
|
+
*Chris Kruger*
|
191
297
|
|
192
|
-
*
|
193
|
-
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
194
|
-
system tests.
|
298
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
195
299
|
|
196
|
-
|
300
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
301
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
197
302
|
|
198
|
-
*
|
303
|
+
*Adrianna Chang*
|
199
304
|
|
200
|
-
|
201
|
-
Mime::Type.register "text/html; fragment", :html_fragment
|
202
|
-
```
|
305
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
203
306
|
|
204
|
-
*
|
307
|
+
*Gannon McGibbon*
|
205
308
|
|
309
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
206
310
|
|
207
|
-
|
311
|
+
*Alan Tan*, *Oz Ben-David*
|
208
312
|
|
209
|
-
*
|
313
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
314
|
+
a 308 redirection.
|
210
315
|
|
316
|
+
*Alan Tan*
|
211
317
|
|
212
|
-
|
318
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
319
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
213
320
|
|
214
|
-
*
|
321
|
+
*Jonathan Hefner*
|
215
322
|
|
216
|
-
|
323
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
217
324
|
|
218
|
-
|
325
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
326
|
+
Brotli files are preferred due to much better compression.
|
219
327
|
|
220
|
-
|
328
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
329
|
+
we check for public/some.js.br and serve that file, if present, with
|
330
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
221
331
|
|
222
|
-
|
223
|
-
take parameters the scope was lost when using path helpers. This commit
|
224
|
-
ensures scope is kept both when the route takes parameters or when it
|
225
|
-
doesn't.
|
332
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
226
333
|
|
227
|
-
|
334
|
+
* Add raise_on_missing_translations support for controllers.
|
228
335
|
|
229
|
-
|
336
|
+
This configuration determines whether an error should be raised for missing translations.
|
337
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
338
|
+
configuration also affects raising error for missing translations in views.
|
230
339
|
|
231
|
-
*
|
340
|
+
*fatkodima*
|
232
341
|
|
233
|
-
|
234
|
-
contain charset part. This behavior changed to returned Content-Type header
|
235
|
-
containing charset part as it is.
|
342
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
236
343
|
|
237
|
-
|
238
|
-
instead.
|
344
|
+
*Eugene Kenny*
|
239
345
|
|
240
|
-
|
241
|
-
|
242
|
-
value as before version, but its behavior is deprecate.
|
346
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
347
|
+
without passing a block now returns an enumerator.
|
243
348
|
|
244
|
-
*
|
349
|
+
*Eugene Kenny*
|
245
350
|
|
246
|
-
*
|
247
|
-
an enumerator for the parameters instead of the underlying hash.
|
351
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
248
352
|
|
249
|
-
|
353
|
+
Previously the path had to be relative to `fixture_path`.
|
354
|
+
You can change your existing code as follow:
|
250
355
|
|
251
|
-
|
356
|
+
```ruby
|
357
|
+
# Before
|
358
|
+
fixture_file_upload('files/dog.png')
|
252
359
|
|
253
|
-
|
360
|
+
# After
|
361
|
+
fixture_file_upload('dog.png')
|
362
|
+
```
|
254
363
|
|
364
|
+
*Edouard Chin*
|
255
365
|
|
256
|
-
|
366
|
+
* Remove deprecated `force_ssl` at the controller level.
|
257
367
|
|
258
|
-
*
|
259
|
-
rather than an `after_teardown` hook.
|
368
|
+
*Rafael Mendonça França*
|
260
369
|
|
261
|
-
|
262
|
-
|
263
|
-
been dynamically updated after the assertion failed).
|
370
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
371
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
264
372
|
|
265
|
-
|
373
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
374
|
+
always pass a module object:
|
266
375
|
|
267
|
-
|
376
|
+
```ruby
|
377
|
+
helper UtilsHelper
|
378
|
+
```
|
268
379
|
|
269
|
-
|
270
|
-
|
380
|
+
which is recommended because it is simple and direct. When a string/symbol
|
381
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
382
|
+
that same module object.
|
271
383
|
|
272
|
-
|
384
|
+
*Xavier Noria*, *Jean Boussier*
|
273
385
|
|
274
|
-
|
386
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
275
387
|
|
276
|
-
*
|
388
|
+
*Nick Soracco*
|
277
389
|
|
278
|
-
|
390
|
+
* `url_for` will now use "https://" as the default protocol when
|
391
|
+
`Rails.application.config.force_ssl` is set to true.
|
279
392
|
|
280
|
-
|
281
|
-
routes.draw do
|
282
|
-
resources :users, param: 'name/:sneaky'
|
283
|
-
end
|
284
|
-
```
|
393
|
+
*Jonathan Hefner*
|
285
394
|
|
286
|
-
|
395
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
287
396
|
|
288
|
-
|
397
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
398
|
+
them difficult to deal with. For example, the common practice of sending
|
399
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
400
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
289
401
|
|
402
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
403
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
404
|
+
for backwards compatibility.
|
290
405
|
|
291
|
-
|
406
|
+
*Scott Blum*
|
292
407
|
|
293
|
-
*
|
408
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
294
409
|
|
410
|
+
In a distributed configuration like rolling update, users may observe
|
411
|
+
both old and new instances during deployment. Users may be served by a
|
412
|
+
new instance and then by an old instance.
|
295
413
|
|
296
|
-
|
414
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
415
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
416
|
+
from `false` to `true`, users may lose their sessions if they access the
|
417
|
+
server during deployment.
|
297
418
|
|
298
|
-
|
419
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
420
|
+
deployment, ensuring compatibility on both old and new instances.
|
299
421
|
|
300
|
-
*
|
422
|
+
*Masaki Hara*
|
301
423
|
|
302
|
-
* `ActionDispatch::
|
303
|
-
to define specific browser capabilities.
|
424
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
304
425
|
|
305
|
-
|
426
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
427
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
306
428
|
|
429
|
+
*Keenan Brock*
|
307
430
|
|
308
|
-
|
431
|
+
* Fix possible information leak / session hijacking vulnerability.
|
309
432
|
|
310
|
-
|
433
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
434
|
+
gem dalli to be updated as well.
|
311
435
|
|
312
|
-
|
436
|
+
CVE-2019-16782.
|
313
437
|
|
314
|
-
*
|
438
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
315
439
|
|
316
|
-
|
317
|
-
|
440
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
441
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
442
|
+
from being correctly counted and reported.
|
318
443
|
|
319
|
-
|
444
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
445
|
+
root session.
|
320
446
|
|
321
|
-
|
447
|
+
Fixes #32142.
|
322
448
|
|
323
|
-
|
324
|
-
explicitly permitting the hosts a request can be made to.
|
449
|
+
*Sam Bostock*
|
325
450
|
|
326
|
-
|
327
|
-
`Proc`, `IPAddr` and custom objects as host allowances.
|
451
|
+
* Add SameSite protection to every written cookie.
|
328
452
|
|
329
|
-
|
453
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
454
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
330
455
|
|
331
|
-
|
456
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
332
457
|
|
333
|
-
|
334
|
-
`parsed_body` in `ActionController::TestCase`:
|
458
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
335
459
|
|
336
|
-
|
337
|
-
class SomeControllerTest < ActionController::TestCase
|
338
|
-
def test_some_action
|
339
|
-
post :action, body: { foo: 'bar' }
|
340
|
-
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
341
|
-
end
|
342
|
-
end
|
343
|
-
```
|
460
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
344
461
|
|
345
|
-
|
462
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
346
463
|
|
347
|
-
|
464
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
348
465
|
|
349
|
-
*
|
466
|
+
*Cédric Fabianski*
|
350
467
|
|
351
|
-
|
352
|
-
same context instead of assigning nil names to subsequent roots.
|
468
|
+
* Bring back the feature that allows loading external route files from the router.
|
353
469
|
|
354
|
-
|
470
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
471
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
472
|
+
that this wasn't fully the case and loading external route files from the router
|
473
|
+
can be helpful for applications with a really large set of routes.
|
474
|
+
Without this feature, application needs to implement routes reloading
|
475
|
+
themselves and it's not straightforward.
|
355
476
|
|
356
|
-
|
477
|
+
```ruby
|
478
|
+
# config/routes.rb
|
357
479
|
|
358
|
-
|
359
|
-
|
360
|
-
head :unauthorized
|
480
|
+
Rails.application.routes.draw do
|
481
|
+
draw(:admin)
|
361
482
|
end
|
483
|
+
|
484
|
+
# config/routes/admin.rb
|
485
|
+
|
486
|
+
get :foo, to: 'foo#bar'
|
362
487
|
```
|
363
488
|
|
364
|
-
*
|
489
|
+
*Yehuda Katz*, *Edouard Chin*
|
490
|
+
|
491
|
+
* Fix system test driver option initialization for non-headless browsers.
|
365
492
|
|
366
|
-
*
|
493
|
+
*glaszig*
|
367
494
|
|
368
|
-
|
369
|
-
|
495
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
496
|
+
their payloads as `:request`.
|
370
497
|
|
371
|
-
*
|
498
|
+
*Austin Story*
|
372
499
|
|
373
|
-
*
|
500
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
501
|
+
request format but based on the block given.
|
374
502
|
|
375
|
-
|
376
|
-
mounted rack application so pass the request object as the context
|
377
|
-
when resolving dynamic CSP sources in this scenario.
|
503
|
+
Example:
|
378
504
|
|
379
|
-
|
505
|
+
```ruby
|
506
|
+
def my_action
|
507
|
+
respond_to do |format|
|
508
|
+
format.any { render(json: { foo: 'bar' }) }
|
509
|
+
end
|
510
|
+
end
|
511
|
+
|
512
|
+
get('my_action.csv')
|
513
|
+
```
|
380
514
|
|
381
|
-
|
515
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
516
|
+
is inaccurate since a JSON response is being rendered.
|
382
517
|
|
383
|
-
|
518
|
+
Now it correctly returns a `application/json` Content-Type.
|
384
519
|
|
385
|
-
|
386
|
-
would be converted to a string implicitly, e.g:
|
520
|
+
*Edouard Chin*
|
387
521
|
|
388
|
-
|
522
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
389
523
|
|
390
|
-
would
|
524
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
525
|
+
nested directory, causing issues with `tmp:clear`.
|
391
526
|
|
392
|
-
|
527
|
+
*Damir Zekic*
|
393
528
|
|
394
|
-
|
529
|
+
* Add `params.member?` to mimic Hash behavior.
|
395
530
|
|
396
|
-
|
531
|
+
*Younes Serraj*
|
397
532
|
|
398
|
-
|
533
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
399
534
|
|
400
|
-
*
|
535
|
+
* `:request` - the `ActionDispatch::Request`
|
536
|
+
* `:response` - the `ActionDispatch::Response`
|
401
537
|
|
402
|
-
*
|
538
|
+
*George Claghorn*
|
403
539
|
|
404
|
-
*
|
540
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
541
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
542
|
+
from.
|
405
543
|
|
406
|
-
|
544
|
+
Fixes #37383.
|
407
545
|
|
408
|
-
*
|
409
|
-
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
410
|
-
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
411
|
-
garbled.
|
412
|
-
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
413
|
-
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
414
|
-
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
415
|
-
Most browsers can find filename correctly and old browsers fallback to ASCII
|
416
|
-
converted name.
|
546
|
+
*Norm Provost*
|
417
547
|
|
418
|
-
|
548
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
419
549
|
|
420
|
-
|
421
|
-
|
550
|
+
```ruby
|
551
|
+
# Use the debug level if a particular cookie is set.
|
552
|
+
class ApplicationController < ActionController::Base
|
553
|
+
log_at :debug, if: -> { cookies[:debug] }
|
554
|
+
end
|
555
|
+
```
|
422
556
|
|
423
|
-
*
|
557
|
+
*George Claghorn*
|
424
558
|
|
425
|
-
*
|
559
|
+
* Allow system test screen shots to be taken more than once in
|
560
|
+
a test by prefixing the file name with an incrementing counter.
|
426
561
|
|
427
|
-
|
428
|
-
|
562
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
563
|
+
enable saving of HTML during a screenshot in addition to the image.
|
564
|
+
This uses the same image name, with the extension replaced with `.html`
|
429
565
|
|
430
|
-
|
431
|
-
then signed/encrypted along with the cookie value. Then, on a server-side
|
432
|
-
read, we verify the cookie-names and discard any attacked cookies.
|
566
|
+
*Tom Fakes*
|
433
567
|
|
434
|
-
|
435
|
-
writes cookies with the new purpose and expiry metadata embedded.
|
568
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
436
569
|
|
437
|
-
|
570
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
571
|
+
header to determine what to return. And if we don't add `Vary`
|
572
|
+
in the response header, browsers might accidentally cache different
|
573
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
574
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
575
|
+
in these types of requests. For more detailed problem description, please read:
|
438
576
|
|
439
|
-
|
577
|
+
https://github.com/rails/rails/pull/36213
|
440
578
|
|
441
|
-
|
442
|
-
multiple invocations are made and the types do not match:
|
579
|
+
Fixes #25842.
|
443
580
|
|
444
|
-
|
445
|
-
outer_type.js do
|
446
|
-
respond_to do |inner_type|
|
447
|
-
inner_type.html { render body: "HTML" }
|
448
|
-
end
|
449
|
-
end
|
450
|
-
end
|
581
|
+
*Stan Lo*
|
451
582
|
|
452
|
-
|
583
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
584
|
+
a 307 redirection.
|
453
585
|
|
454
|
-
*
|
586
|
+
*Edouard Chin*
|
455
587
|
|
456
|
-
|
457
|
-
without raising a `TypeError`:
|
588
|
+
* System tests require Capybara 3.26 or newer.
|
458
589
|
|
459
|
-
|
460
|
-
File.read(uploaded_file)
|
590
|
+
*George Claghorn*
|
461
591
|
|
462
|
-
|
592
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
463
593
|
|
464
|
-
*
|
594
|
+
*Alberto Fernández-Capel*
|
465
595
|
|
466
|
-
|
467
|
-
`get` method. This for example allows to set custom headers for the
|
468
|
-
redirection request to the server.
|
596
|
+
* Add DSL for configuring HTTP Feature Policy.
|
469
597
|
|
470
|
-
|
598
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
599
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
600
|
+
specification and guidelines can be found at MDN:
|
471
601
|
|
472
|
-
|
602
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
473
603
|
|
474
|
-
|
604
|
+
Example global policy:
|
475
605
|
|
476
|
-
|
477
|
-
|
606
|
+
```ruby
|
607
|
+
Rails.application.config.feature_policy do |f|
|
608
|
+
f.camera :none
|
609
|
+
f.gyroscope :none
|
610
|
+
f.microphone :none
|
611
|
+
f.usb :none
|
612
|
+
f.fullscreen :self
|
613
|
+
f.payment :self, "https://secure.example.com"
|
614
|
+
end
|
615
|
+
```
|
478
616
|
|
479
|
-
|
617
|
+
Example controller level policy:
|
480
618
|
|
481
|
-
|
619
|
+
```ruby
|
620
|
+
class PagesController < ApplicationController
|
621
|
+
feature_policy do |p|
|
622
|
+
p.geolocation "https://example.com"
|
623
|
+
end
|
624
|
+
end
|
625
|
+
```
|
482
626
|
|
483
|
-
|
484
|
-
`.register_interceptor` method to get the processed exception, instead of
|
485
|
-
monkey patching DebugExceptions.
|
627
|
+
*Jacob Bednarz*
|
486
628
|
|
487
|
-
|
488
|
-
HypoteticalPlugin.capture_exception(request, exception)
|
489
|
-
end
|
629
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
490
630
|
|
491
|
-
|
631
|
+
Fixes #35137.
|
492
632
|
|
493
|
-
*
|
633
|
+
*Yuji Yaginuma*
|
494
634
|
|
495
|
-
|
635
|
+
* Keep part when scope option has value.
|
496
636
|
|
497
|
-
|
637
|
+
When a route was defined within an optional scope, if that route didn't
|
638
|
+
take parameters the scope was lost when using path helpers. This commit
|
639
|
+
ensures scope is kept both when the route takes parameters or when it
|
640
|
+
doesn't.
|
498
641
|
|
499
|
-
|
642
|
+
Fixes #33219.
|
500
643
|
|
501
|
-
*
|
644
|
+
*Alberto Almagro*
|
502
645
|
|
503
|
-
*
|
646
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
504
647
|
|
505
|
-
*
|
648
|
+
*Gustavo Gutierrez*
|
506
649
|
|
507
|
-
*
|
508
|
-
|
650
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
651
|
+
an enumerator for the parameters instead of the underlying hash.
|
509
652
|
|
510
|
-
*
|
653
|
+
*Eugene Kenny*
|
511
654
|
|
512
|
-
*
|
655
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
656
|
+
It should only block invalid key's values instead.
|
513
657
|
|
514
|
-
*
|
658
|
+
*Stan Lo*
|
515
659
|
|
516
660
|
|
517
|
-
Please check [
|
661
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|