actionpack 6.0.6.1 → 6.1.7.6
- checksums.yaml +4 -4
- data/CHANGELOG.md +416 -255
- data/MIT-LICENSE +1 -2
- data/lib/abstract_controller/base.rb +35 -2
- data/lib/abstract_controller/callbacks.rb +2 -2
- data/lib/abstract_controller/collector.rb +4 -2
- data/lib/abstract_controller/helpers.rb +105 -90
- data/lib/abstract_controller/railties/routes_helpers.rb +17 -1
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +8 -2
- data/lib/abstract_controller.rb +1 -0
- data/lib/action_controller/api.rb +2 -2
- data/lib/action_controller/base.rb +4 -2
- data/lib/action_controller/caching.rb +0 -1
- data/lib/action_controller/log_subscriber.rb +3 -3
- data/lib/action_controller/metal/conditional_get.rb +11 -3
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +3 -1
- data/lib/action_controller/metal/data_streaming.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
- data/lib/action_controller/metal/exceptions.rb +33 -0
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +11 -1
- data/lib/action_controller/metal/http_authentication.rb +5 -2
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -9
- data/lib/action_controller/metal/live.rb +10 -1
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +6 -2
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +14 -8
- data/lib/action_controller/metal/permissions_policy.rb +46 -0
- data/lib/action_controller/metal/redirecting.rb +21 -2
- data/lib/action_controller/metal/rendering.rb +6 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +1 -1
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +104 -16
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/renderer.rb +23 -13
- data/lib/action_controller/test_case.rb +65 -56
- data/lib/action_controller.rb +2 -3
- data/lib/action_dispatch/http/cache.rb +18 -17
- data/lib/action_dispatch/http/content_security_policy.rb +6 -1
- data/lib/action_dispatch/http/filter_parameters.rb +1 -1
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +3 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +14 -8
- data/lib/action_dispatch/http/mime_type.rb +29 -16
- data/lib/action_dispatch/http/parameters.rb +1 -19
- data/lib/action_dispatch/http/permissions_policy.rb +173 -0
- data/lib/action_dispatch/http/request.rb +24 -8
- data/lib/action_dispatch/http/response.rb +17 -16
- data/lib/action_dispatch/http/url.rb +3 -2
- data/lib/action_dispatch/journey/formatter.rb +55 -30
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +4 -3
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +13 -18
- data/lib/action_dispatch/journey/route.rb +7 -18
- data/lib/action_dispatch/journey/router/utils.rb +6 -4
- data/lib/action_dispatch/journey/router.rb +26 -30
- data/lib/action_dispatch/journey/visitors.rb +1 -1
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +89 -46
- data/lib/action_dispatch/middleware/debug_exceptions.rb +8 -15
- data/lib/action_dispatch/middleware/debug_view.rb +1 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +28 -16
- data/lib/action_dispatch/middleware/host_authorization.rb +63 -14
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
- data/lib/action_dispatch/middleware/request_id.rb +4 -5
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +12 -0
- data/lib/action_dispatch/middleware/ssl.rb +12 -7
- data/lib/action_dispatch/middleware/stack.rb +19 -1
- data/lib/action_dispatch/middleware/static.rb +154 -93
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +100 -8
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +21 -1
- data/lib/action_dispatch/railtie.rb +3 -2
- data/lib/action_dispatch/request/session.rb +2 -8
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +8 -7
- data/lib/action_dispatch/routing/mapper.rb +102 -71
- data/lib/action_dispatch/routing/polymorphic_routes.rb +12 -11
- data/lib/action_dispatch/routing/redirection.rb +4 -4
- data/lib/action_dispatch/routing/route_set.rb +49 -41
- data/lib/action_dispatch/system_test_case.rb +35 -24
- data/lib/action_dispatch/system_testing/browser.rb +33 -27
- data/lib/action_dispatch/system_testing/driver.rb +6 -7
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
- data/lib/action_dispatch/testing/assertions/response.rb +2 -4
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +40 -29
- data/lib/action_dispatch/testing/test_process.rb +32 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch.rb +3 -2
- data/lib/action_pack/gem_version.rb +3 -3
- data/lib/action_pack.rb +1 -1
- metadata +18 -19
- data/lib/action_controller/metal/force_ssl.rb +0 -58
- data/lib/action_dispatch/http/parameter_filter.rb +0 -12
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
data/CHANGELOG.md
CHANGED
@@ -1,40 +1,131 @@
|
|
1
|
-
## Rails 6.
|
1
|
+
## Rails 6.1.7.6 (August 22, 2023) ##
|
2
2
|
|
3
3
|
* No changes.
|
4
4
|
|
5
5
|
|
6
|
-
## Rails 6.
|
6
|
+
## Rails 6.1.7.5 (August 22, 2023) ##
|
7
7
|
|
8
8
|
* No changes.
|
9
9
|
|
10
10
|
|
11
|
-
## Rails 6.
|
11
|
+
## Rails 6.1.7.4 (June 26, 2023) ##
|
12
|
+
|
13
|
+
* Raise an exception if illegal characters are provide to redirect_to
|
14
|
+
[CVE-2023-28362]
|
15
|
+
|
16
|
+
*Zack Deveau*
|
17
|
+
|
18
|
+
## Rails 6.1.7.3 (March 13, 2023) ##
|
19
|
+
|
20
|
+
* No changes.
|
21
|
+
|
22
|
+
|
23
|
+
## Rails 6.1.7.2 (January 24, 2023) ##
|
24
|
+
|
25
|
+
* Fix `domain: :all` for two letter TLD
|
26
|
+
|
27
|
+
This fixes a compatibility issue introduced in our previous security
|
28
|
+
release when using `domain: :all` with a two letter but single level top
|
29
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
30
|
+
|
31
|
+
|
32
|
+
## Rails 6.1.7.1 (January 17, 2023) ##
|
33
|
+
|
34
|
+
* Avoid regex backtracking on If-None-Match header
|
35
|
+
|
36
|
+
[CVE-2023-22795]
|
37
|
+
|
38
|
+
* Use string#split instead of regex for domain parts
|
39
|
+
|
40
|
+
[CVE-2023-22792]
|
41
|
+
|
42
|
+
|
43
|
+
## Rails 6.1.7 (September 09, 2022) ##
|
12
44
|
|
13
45
|
* No changes.
|
14
46
|
|
15
47
|
|
16
|
-
## Rails 6.
|
48
|
+
## Rails 6.1.6.1 (July 12, 2022) ##
|
17
49
|
|
18
50
|
* No changes.
|
19
51
|
|
20
52
|
|
21
|
-
## Rails 6.
|
53
|
+
## Rails 6.1.6 (May 09, 2022) ##
|
54
|
+
|
55
|
+
* No changes.
|
56
|
+
|
57
|
+
|
58
|
+
## Rails 6.1.5.1 (April 26, 2022) ##
|
22
59
|
|
23
60
|
* Allow Content Security Policy DSL to generate for API responses.
|
24
61
|
|
25
62
|
*Tim Wade*
|
26
63
|
|
27
|
-
## Rails 6.
|
64
|
+
## Rails 6.1.5 (March 09, 2022) ##
|
65
|
+
|
66
|
+
* Fix `content_security_policy` returning invalid directives.
|
67
|
+
|
68
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
69
|
+
single quoted when the directive was the result of calling a lambda
|
70
|
+
returning an array.
|
71
|
+
|
72
|
+
```ruby
|
73
|
+
content_security_policy do |policy|
|
74
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
75
|
+
end
|
76
|
+
```
|
77
|
+
|
78
|
+
With this fix the policy generated from above will now be valid.
|
79
|
+
|
80
|
+
*Edouard Chin*
|
81
|
+
|
82
|
+
* Update `HostAuthorization` middleware to render debug info only
|
83
|
+
when `config.consider_all_requests_local` is set to true.
|
84
|
+
|
85
|
+
Also, blocked host info is always logged with level `error`.
|
86
|
+
|
87
|
+
Fixes #42813.
|
88
|
+
|
89
|
+
*Nikita Vyrko*
|
90
|
+
|
91
|
+
* Dup arrays that get "converted".
|
92
|
+
|
93
|
+
Fixes #43681.
|
94
|
+
|
95
|
+
*Aaron Patterson*
|
96
|
+
|
97
|
+
* Don't show deprecation warning for equal paths.
|
98
|
+
|
99
|
+
*Anton Rieder*
|
100
|
+
|
101
|
+
* Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
|
102
|
+
|
103
|
+
Fixes #43094.
|
104
|
+
|
105
|
+
*Alex Ghiculescu*
|
106
|
+
|
107
|
+
* Add fallback host for SystemTestCase driven by RackTest.
|
108
|
+
|
109
|
+
Fixes #42780.
|
110
|
+
|
111
|
+
*Petrik de Heus*
|
112
|
+
|
113
|
+
* Add more detail about what hosts are allowed.
|
114
|
+
|
115
|
+
*Alex Ghiculescu*
|
116
|
+
|
117
|
+
|
118
|
+
## Rails 6.1.4.7 (March 08, 2022) ##
|
28
119
|
|
29
120
|
* No changes.
|
30
121
|
|
31
122
|
|
32
|
-
## Rails 6.
|
123
|
+
## Rails 6.1.4.6 (February 11, 2022) ##
|
33
124
|
|
34
125
|
* No changes.
|
35
126
|
|
36
127
|
|
37
|
-
## Rails 6.
|
128
|
+
## Rails 6.1.4.5 (February 11, 2022) ##
|
38
129
|
|
39
130
|
* Under certain circumstances, the middleware isn't informed that the
|
40
131
|
response body has been fully closed which result in request state not
|
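Review bot: the 6.1.7.4 entry reads "illegal characters are provide to redirect_to"; it should say "provided", and the entry gives no indication of which characters are rejected or which exception is raised, which is what someone triaging CVE-2023-28362 against their own redirect code needs. The 6.1.7.2 entry ("This fixes a compatibility issue introduced in our previous security release") likewise names neither the release nor the change; the previous security release in this hunk is 6.1.7.1 (January 17, 2023) and its domain-handling change is "Use string#split instead of regex for domain parts [CVE-2023-22792]", so cite that entry and CVE directly instead of "our previous security release".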
@@ -43,17 +134,17 @@
|
|
43
134
|
[CVE-2022-23633]
|
44
135
|
|
45
136
|
|
46
|
-
## Rails 6.
|
137
|
+
## Rails 6.1.4.4 (December 15, 2021) ##
|
47
138
|
|
48
139
|
* Fix issue with host protection not allowing host with port in development.
|
49
140
|
|
50
141
|
|
51
|
-
## Rails 6.
|
142
|
+
## Rails 6.1.4.3 (December 14, 2021) ##
|
52
143
|
|
53
|
-
*
|
144
|
+
* Fix issue with host protection not allowing localhost in development.
|
54
145
|
|
55
146
|
|
56
|
-
## Rails 6.
|
147
|
+
## Rails 6.1.4.2 (December 14, 2021) ##
|
57
148
|
|
58
149
|
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
59
150
|
|
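Review bot: the 6.1.4.4 and 6.1.4.3 entries ("Fix issue with host protection not allowing host with port in development" and "... not allowing localhost in development") carry no author credit and no issue or PR reference, and they do not say that they are follow-ups to the 6.1.4.2 "Fix X_FORWARDED_HOST protection. [CVE-2021-44528]" entry directly below them, although the dates (December 14 and 15, 2021) and the shared HostAuthorization subject make that the obvious reading. State the relationship explicitly so that anyone upgrading for the CVE knows to take 6.1.4.4 rather than stopping at 6.1.4.2.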
@@ -65,35 +156,48 @@
|
|
65
156
|
"allowed host" formats can cause the Host Authorization middleware in Action
|
66
157
|
Pack to redirect users to a malicious website.
|
67
158
|
|
68
|
-
## Rails 6.
|
159
|
+
## Rails 6.1.4 (June 24, 2021) ##
|
69
160
|
|
70
|
-
*
|
161
|
+
* Ignore file fixtures on `db:fixtures:load`
|
71
162
|
|
72
|
-
|
73
|
-
them difficult to deal with. For example, the common practice of sending
|
74
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
75
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
163
|
+
*Kevin Sjöberg*
|
76
164
|
|
77
|
-
|
78
|
-
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
79
|
-
tokens for backwards compatibility.
|
165
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
80
166
|
|
81
|
-
|
82
|
-
|
167
|
+
*Dylan Thacker-Smith*
|
168
|
+
|
169
|
+
* Correctly place optional path parameter booleans.
|
170
|
+
|
171
|
+
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
172
|
+
of the path as parameter for example:
|
83
173
|
|
84
|
-
```ruby
|
85
|
-
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
86
174
|
```
|
175
|
+
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
176
|
+
things_path(optional_id: false) # => /things?optional_id=false
|
177
|
+
```
|
178
|
+
|
179
|
+
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
180
|
+
|
181
|
+
```
|
182
|
+
get '(this/:my_bool)/that' as: :that
|
183
|
+
|
184
|
+
that_path(my_bool: true) # => `/this/true/that`
|
185
|
+
that_path(my_bool: false) # => `/this/false/that`
|
186
|
+
```
|
187
|
+
|
188
|
+
*Adam Hess*
|
189
|
+
|
190
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
87
191
|
|
88
|
-
|
192
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
89
193
|
|
90
|
-
*
|
91
|
-
`action_dispatch.use_cookies_with_metadata` is enabled.
|
194
|
+
*Alex Smith*
|
92
195
|
|
93
|
-
*Rolandas Barysas*
|
94
196
|
|
197
|
+
## Rails 6.1.3.2 (May 05, 2021) ##
|
95
198
|
|
96
|
-
|
199
|
+
* Prevent open redirects by correctly escaping the host allow list
|
200
|
+
CVE-2021-22903
|
97
201
|
|
98
202
|
* Prevent catastrophic backtracking during mime parsing
|
99
203
|
CVE-2021-22902
|
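Review bot: in the "Correctly place optional path parameter booleans" entry the second example, `get '(this/:my_bool)/that' as: :that`, is missing the comma before `as:` and does not parse as Ruby; it should read `get '(this/:my_bool)/that', as: :that`. Both code blocks in that entry also open with a bare triple-backtick fence while the other Ruby examples in this file are tagged as ruby, so these route snippets lose highlighting. Separately, this hunk drops the 6.0 text for "Accept and default to base64_urlsafe CSRF tokens", including the opt-in line `Rails.application.config.action_controller.urlsafe_csrf_tokens = true`; if that entry is being relocated rather than removed, the relocated version should say that the urlsafe encoding is now the default so 6.0 users know the setting can be dropped.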
@@ -111,12 +215,19 @@
|
|
111
215
|
|
112
216
|
*Gannon McGibbon*
|
113
217
|
|
114
|
-
## Rails 6.
|
218
|
+
## Rails 6.1.3.1 (March 26, 2021) ##
|
115
219
|
|
116
220
|
* No changes.
|
117
221
|
|
118
222
|
|
119
|
-
## Rails 6.
|
223
|
+
## Rails 6.1.3 (February 17, 2021) ##
|
224
|
+
|
225
|
+
* Re-define routes when not set correctly via inheritance.
|
226
|
+
|
227
|
+
*John Hawthorn*
|
228
|
+
|
229
|
+
|
230
|
+
## Rails 6.1.2.1 (February 10, 2021) ##
|
120
231
|
|
121
232
|
* Prevent open redirect when allowed host starts with a dot
|
122
233
|
|
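Review bot: the 6.1.3 entry "Re-define routes when not set correctly via inheritance." does not say what "not set correctly" means (which class is inherited, what the observed failure was) and has no issue or PR reference, so a reader cannot tell whether the fix affects them; one sentence describing the symptom, or an issue reference in the `Fixes #` form used by the other entries in this file, would do it.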
@@ -128,390 +239,440 @@
|
|
128
239
|
*Aaron Patterson*
|
129
240
|
|
130
241
|
|
131
|
-
## Rails 6.
|
242
|
+
## Rails 6.1.2 (February 09, 2021) ##
|
132
243
|
|
133
|
-
*
|
244
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
134
245
|
|
246
|
+
*Janko Marohnić*
|
135
247
|
|
136
|
-
|
248
|
+
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
137
249
|
|
138
|
-
*
|
250
|
+
*Eugene Kenny*
|
139
251
|
|
140
252
|
|
141
|
-
## Rails 6.
|
253
|
+
## Rails 6.1.1 (January 07, 2021) ##
|
142
254
|
|
143
|
-
*
|
255
|
+
* Fix nil translation key lookup in controllers/
|
144
256
|
|
145
|
-
|
257
|
+
*Jan Klimo*
|
146
258
|
|
147
|
-
*
|
259
|
+
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
148
260
|
|
149
|
-
*
|
261
|
+
*Alex Robbin*
|
150
262
|
|
263
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
151
264
|
|
152
|
-
|
265
|
+
*Alex Robbin*
|
153
266
|
|
154
|
-
* Include child session assertion count in ActionDispatch::IntegrationTest
|
155
267
|
|
156
|
-
|
157
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
158
|
-
from being correctly counted and reported.
|
268
|
+
## Rails 6.1.0 (December 09, 2020) ##
|
159
269
|
|
160
|
-
|
161
|
-
|
270
|
+
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
271
|
+
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
162
272
|
|
163
|
-
|
273
|
+
```ruby
|
274
|
+
Rails.application.config.permissions_policy do |p|
|
275
|
+
p.camera :none
|
276
|
+
p.gyroscope :none
|
277
|
+
p.microphone :none
|
278
|
+
p.usb :none
|
279
|
+
p.fullscreen :self
|
280
|
+
p.payment :self, "https://secure-example.com"
|
281
|
+
end
|
282
|
+
```
|
164
283
|
|
165
|
-
*
|
284
|
+
*Julien Grillot*
|
166
285
|
|
286
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
167
287
|
|
168
|
-
|
288
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
169
289
|
|
170
|
-
*
|
290
|
+
*Chris Bisnett*
|
171
291
|
|
292
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
293
|
+
the unique X-Request-Id header
|
172
294
|
|
173
|
-
|
295
|
+
*Arlston Fernandes*
|
174
296
|
|
175
|
-
*
|
297
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
176
298
|
|
177
|
-
|
178
|
-
gem dalli to be updated as well.
|
299
|
+
*Rafael Mendonça França*
|
179
300
|
|
180
|
-
|
301
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
181
302
|
|
303
|
+
*Rafael Mendonça França*
|
182
304
|
|
183
|
-
|
305
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
184
306
|
|
185
|
-
*
|
307
|
+
*Rafael Mendonça França*
|
186
308
|
|
187
|
-
|
309
|
+
* Added support for exclusive no-store Cache-Control header.
|
188
310
|
|
311
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
189
312
|
|
190
|
-
|
313
|
+
*Chris Kruger*
|
191
314
|
|
192
|
-
*
|
193
|
-
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
194
|
-
system tests.
|
315
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
195
316
|
|
196
|
-
|
317
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
318
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
197
319
|
|
198
|
-
*
|
320
|
+
*Adrianna Chang*
|
199
321
|
|
200
|
-
|
201
|
-
Mime::Type.register "text/html; fragment", :html_fragment
|
202
|
-
```
|
322
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
203
323
|
|
204
|
-
*
|
324
|
+
*Gannon McGibbon*
|
205
325
|
|
326
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
206
327
|
|
207
|
-
|
328
|
+
*Alan Tan*, *Oz Ben-David*
|
208
329
|
|
209
|
-
*
|
330
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
331
|
+
a 308 redirection.
|
210
332
|
|
333
|
+
*Alan Tan*
|
211
334
|
|
212
|
-
|
335
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
336
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
213
337
|
|
214
|
-
*
|
338
|
+
*Jonathan Hefner*
|
215
339
|
|
216
|
-
|
340
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
217
341
|
|
218
|
-
|
342
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
343
|
+
Brotli files are preferred due to much better compression.
|
219
344
|
|
220
|
-
|
345
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
346
|
+
we check for public/some.js.br and serve that file, if present, with
|
347
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
221
348
|
|
222
|
-
|
223
|
-
take parameters the scope was lost when using path helpers. This commit
|
224
|
-
ensures scope is kept both when the route takes parameters or when it
|
225
|
-
doesn't.
|
349
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
226
350
|
|
227
|
-
|
351
|
+
* Add raise_on_missing_translations support for controllers.
|
228
352
|
|
229
|
-
|
353
|
+
This configuration determines whether an error should be raised for missing translations.
|
354
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
355
|
+
configuration also affects raising error for missing translations in views.
|
230
356
|
|
231
|
-
*
|
357
|
+
*fatkodima*
|
232
358
|
|
233
|
-
|
234
|
-
contain charset part. This behavior changed to returned Content-Type header
|
235
|
-
containing charset part as it is.
|
359
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
236
360
|
|
237
|
-
|
238
|
-
instead.
|
361
|
+
*Eugene Kenny*
|
239
362
|
|
240
|
-
|
241
|
-
|
242
|
-
value as before version, but its behavior is deprecate.
|
363
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
364
|
+
without passing a block now returns an enumerator.
|
243
365
|
|
244
|
-
*
|
366
|
+
*Eugene Kenny*
|
245
367
|
|
246
|
-
*
|
247
|
-
an enumerator for the parameters instead of the underlying hash.
|
368
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
248
369
|
|
249
|
-
|
370
|
+
Previously the path had to be relative to `fixture_path`.
|
371
|
+
You can change your existing code as follow:
|
250
372
|
|
251
|
-
|
373
|
+
```ruby
|
374
|
+
# Before
|
375
|
+
fixture_file_upload('files/dog.png')
|
252
376
|
|
253
|
-
|
377
|
+
# After
|
378
|
+
fixture_file_upload('dog.png')
|
379
|
+
```
|
254
380
|
|
381
|
+
*Edouard Chin*
|
255
382
|
|
256
|
-
|
383
|
+
* Remove deprecated `force_ssl` at the controller level.
|
257
384
|
|
258
|
-
*
|
259
|
-
rather than an `after_teardown` hook.
|
385
|
+
*Rafael Mendonça França*
|
260
386
|
|
261
|
-
|
262
|
-
|
263
|
-
been dynamically updated after the assertion failed).
|
387
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
388
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
264
389
|
|
265
|
-
|
390
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
391
|
+
always pass a module object:
|
266
392
|
|
267
|
-
|
393
|
+
```ruby
|
394
|
+
helper UtilsHelper
|
395
|
+
```
|
268
396
|
|
269
|
-
|
270
|
-
|
397
|
+
which is recommended because it is simple and direct. When a string/symbol
|
398
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
399
|
+
that same module object.
|
271
400
|
|
272
|
-
|
401
|
+
*Xavier Noria*, *Jean Boussier*
|
273
402
|
|
274
|
-
|
403
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
275
404
|
|
276
|
-
*
|
405
|
+
*Nick Soracco*
|
277
406
|
|
278
|
-
|
407
|
+
* `url_for` will now use "https://" as the default protocol when
|
408
|
+
`Rails.application.config.force_ssl` is set to true.
|
279
409
|
|
280
|
-
|
281
|
-
routes.draw do
|
282
|
-
resources :users, param: 'name/:sneaky'
|
283
|
-
end
|
284
|
-
```
|
410
|
+
*Jonathan Hefner*
|
285
411
|
|
286
|
-
|
412
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
287
413
|
|
288
|
-
|
414
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
415
|
+
them difficult to deal with. For example, the common practice of sending
|
416
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
417
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
289
418
|
|
419
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
420
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
421
|
+
for backwards compatibility.
|
290
422
|
|
291
|
-
|
423
|
+
*Scott Blum*
|
292
424
|
|
293
|
-
*
|
425
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
294
426
|
|
427
|
+
In a distributed configuration like rolling update, users may observe
|
428
|
+
both old and new instances during deployment. Users may be served by a
|
429
|
+
new instance and then by an old instance.
|
295
430
|
|
296
|
-
|
431
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
432
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
433
|
+
from `false` to `true`, users may lose their sessions if they access the
|
434
|
+
server during deployment.
|
297
435
|
|
298
|
-
|
436
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
437
|
+
deployment, ensuring compatibility on both old and new instances.
|
299
438
|
|
300
|
-
*
|
439
|
+
*Masaki Hara*
|
301
440
|
|
302
|
-
* `ActionDispatch::
|
303
|
-
to define specific browser capabilities.
|
441
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
304
442
|
|
305
|
-
|
443
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
444
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
306
445
|
|
446
|
+
*Keenan Brock*
|
307
447
|
|
308
|
-
|
448
|
+
* Fix possible information leak / session hijacking vulnerability.
|
309
449
|
|
310
|
-
|
450
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
451
|
+
gem dalli to be updated as well.
|
311
452
|
|
312
|
-
|
453
|
+
CVE-2019-16782.
|
313
454
|
|
314
|
-
*
|
455
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
315
456
|
|
316
|
-
|
317
|
-
|
457
|
+
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
458
|
+
meant it had its own copy of `@assertions`. This prevented the assertions
|
459
|
+
from being correctly counted and reported.
|
318
460
|
|
319
|
-
|
461
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
462
|
+
root session.
|
320
463
|
|
321
|
-
|
464
|
+
Fixes #32142.
|
322
465
|
|
323
|
-
|
324
|
-
explicitly permitting the hosts a request can be made to.
|
466
|
+
*Sam Bostock*
|
325
467
|
|
326
|
-
|
327
|
-
`Proc`, `IPAddr` and custom objects as host allowances.
|
468
|
+
* Add SameSite protection to every written cookie.
|
328
469
|
|
329
|
-
|
470
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
471
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
330
472
|
|
331
|
-
|
473
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
332
474
|
|
333
|
-
|
334
|
-
`parsed_body` in `ActionController::TestCase`:
|
475
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
335
476
|
|
336
|
-
|
337
|
-
class SomeControllerTest < ActionController::TestCase
|
338
|
-
def test_some_action
|
339
|
-
post :action, body: { foo: 'bar' }
|
340
|
-
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
341
|
-
end
|
342
|
-
end
|
343
|
-
```
|
477
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
344
478
|
|
345
|
-
|
479
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
346
480
|
|
347
|
-
|
481
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
348
482
|
|
349
|
-
*
|
483
|
+
*Cédric Fabianski*
|
350
484
|
|
351
|
-
|
352
|
-
same context instead of assigning nil names to subsequent roots.
|
485
|
+
* Bring back the feature that allows loading external route files from the router.
|
353
486
|
|
354
|
-
|
487
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
488
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
489
|
+
that this wasn't fully the case and loading external route files from the router
|
490
|
+
can be helpful for applications with a really large set of routes.
|
491
|
+
Without this feature, application needs to implement routes reloading
|
492
|
+
themselves and it's not straightforward.
|
355
493
|
|
356
|
-
|
494
|
+
```ruby
|
495
|
+
# config/routes.rb
|
357
496
|
|
358
|
-
|
359
|
-
|
360
|
-
head :unauthorized
|
497
|
+
Rails.application.routes.draw do
|
498
|
+
draw(:admin)
|
361
499
|
end
|
500
|
+
|
501
|
+
# config/routes/admin.rb
|
502
|
+
|
503
|
+
get :foo, to: 'foo#bar'
|
362
504
|
```
|
363
505
|
|
364
|
-
*
|
506
|
+
*Yehuda Katz*, *Edouard Chin*
|
365
507
|
|
366
|
-
*
|
508
|
+
* Fix system test driver option initialization for non-headless browsers.
|
367
509
|
|
368
|
-
|
369
|
-
in system test `after_teardown`.
|
510
|
+
*glaszig*
|
370
511
|
|
371
|
-
|
512
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
513
|
+
their payloads as `:request`.
|
372
514
|
|
373
|
-
*
|
515
|
+
*Austin Story*
|
374
516
|
|
375
|
-
|
376
|
-
|
377
|
-
when resolving dynamic CSP sources in this scenario.
|
517
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
518
|
+
request format but based on the block given.
|
378
519
|
|
379
|
-
|
520
|
+
Example:
|
380
521
|
|
381
|
-
|
522
|
+
```ruby
|
523
|
+
def my_action
|
524
|
+
respond_to do |format|
|
525
|
+
format.any { render(json: { foo: 'bar' }) }
|
526
|
+
end
|
527
|
+
end
|
382
528
|
|
383
|
-
|
529
|
+
get('my_action.csv')
|
530
|
+
```
|
384
531
|
|
385
|
-
|
386
|
-
|
532
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
533
|
+
is inaccurate since a JSON response is being rendered.
|
387
534
|
|
388
|
-
|
535
|
+
Now it correctly returns a `application/json` Content-Type.
|
389
536
|
|
390
|
-
|
537
|
+
*Edouard Chin*
|
391
538
|
|
392
|
-
|
539
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
393
540
|
|
394
|
-
|
541
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
542
|
+
nested directory, causing issues with `tmp:clear`.
|
395
543
|
|
396
|
-
|
544
|
+
*Damir Zekic*
|
397
545
|
|
398
|
-
|
546
|
+
* Add `params.member?` to mimic Hash behavior.
|
399
547
|
|
400
|
-
*
|
548
|
+
*Younes Serraj*
|
401
549
|
|
402
|
-
|
550
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
403
551
|
|
404
|
-
*
|
552
|
+
* `:request` - the `ActionDispatch::Request`
|
553
|
+
* `:response` - the `ActionDispatch::Response`
|
405
554
|
|
406
|
-
*
|
555
|
+
*George Claghorn*
|
407
556
|
|
408
|
-
*
|
409
|
-
|
410
|
-
|
411
|
-
garbled.
|
412
|
-
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
413
|
-
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
414
|
-
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
415
|
-
Most browsers can find filename correctly and old browsers fallback to ASCII
|
416
|
-
converted name.
|
557
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
558
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
559
|
+
from.
|
417
560
|
|
418
|
-
|
561
|
+
Fixes #37383.
|
419
562
|
|
420
|
-
*
|
421
|
-
keys without allocating an array.
|
563
|
+
*Norm Provost*
|
422
564
|
|
423
|
-
|
565
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
424
566
|
|
425
|
-
|
567
|
+
```ruby
|
568
|
+
# Use the debug level if a particular cookie is set.
|
569
|
+
class ApplicationController < ActionController::Base
|
570
|
+
log_at :debug, if: -> { cookies[:debug] }
|
571
|
+
end
|
572
|
+
```
|
426
573
|
|
427
|
-
|
428
|
-
of a cookie and use it as the value of another cookie.
|
574
|
+
*George Claghorn*
|
429
575
|
|
430
|
-
|
431
|
-
|
432
|
-
read, we verify the cookie-names and discard any attacked cookies.
|
576
|
+
* Allow system test screen shots to be taken more than once in
|
577
|
+
a test by prefixing the file name with an incrementing counter.
|
433
578
|
|
434
|
-
|
435
|
-
|
579
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
580
|
+
enable saving of HTML during a screenshot in addition to the image.
|
581
|
+
This uses the same image name, with the extension replaced with `.html`
|
436
582
|
|
437
|
-
*
|
583
|
+
*Tom Fakes*
|
438
584
|
|
439
|
-
*
|
585
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
440
586
|
|
441
|
-
|
442
|
-
|
587
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
588
|
+
header to determine what to return. And if we don't add `Vary`
|
589
|
+
in the response header, browsers might accidentally cache different
|
590
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
591
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
592
|
+
in these types of requests. For more detailed problem description, please read:
|
443
593
|
|
444
|
-
|
445
|
-
outer_type.js do
|
446
|
-
respond_to do |inner_type|
|
447
|
-
inner_type.html { render body: "HTML" }
|
448
|
-
end
|
449
|
-
end
|
450
|
-
end
|
594
|
+
https://github.com/rails/rails/pull/36213
|
451
595
|
|
452
|
-
|
596
|
+
Fixes #25842.
|
453
597
|
|
454
|
-
*
|
598
|
+
*Stan Lo*
|
455
599
|
|
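Review bot: in the `Vary: Accept` entry, "And if we don't add `Vary`" starts a sentence with a conjunction and "javascript got displayed instead of html content" is informal; suggest "without `Vary`, a cached response for one content type may be served for a request expecting another, for example JavaScript in place of HTML". The entry also attributes the problem only to browsers; the same mix-up applies to any shared cache in front of the application, which is worth stating since the header is the fix for both.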
456
|
-
|
457
|
-
|
600
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
601
|
+
a 307 redirection.
|
458
602
|
|
459
|
-
|
460
|
-
File.read(uploaded_file)
|
603
|
+
*Edouard Chin*
|
461
604
|
|
462
|
-
|
605
|
+
* System tests require Capybara 3.26 or newer.
|
463
606
|
|
464
|
-
*
|
607
|
+
*George Claghorn*
|
465
608
|
|
466
|
-
|
467
|
-
`get` method. This for example allows to set custom headers for the
|
468
|
-
redirection request to the server.
|
609
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
469
610
|
|
470
|
-
|
611
|
+
*Alberto Fernández-Capel*
|
471
612
|
|
472
|
-
|
613
|
+
* Add DSL for configuring HTTP Feature Policy.
|
473
614
|
|
474
|
-
|
615
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
616
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
617
|
+
specification and guidelines can be found at MDN:
|
475
618
|
|
476
|
-
|
477
|
-
one informative page.
|
619
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
478
620
|
|
479
|
-
|
621
|
+
Example global policy:
|
480
622
|
|
481
|
-
|
623
|
+
```ruby
|
624
|
+
Rails.application.config.feature_policy do |f|
|
625
|
+
f.camera :none
|
626
|
+
f.gyroscope :none
|
627
|
+
f.microphone :none
|
628
|
+
f.usb :none
|
629
|
+
f.fullscreen :self
|
630
|
+
f.payment :self, "https://secure.example.com"
|
631
|
+
end
|
632
|
+
```
|
482
633
|
|
483
|
-
|
484
|
-
`.register_interceptor` method to get the processed exception, instead of
|
485
|
-
monkey patching DebugExceptions.
|
634
|
+
Example controller level policy:
|
486
635
|
|
487
|
-
|
488
|
-
|
489
|
-
|
636
|
+
```ruby
|
637
|
+
class PagesController < ApplicationController
|
638
|
+
feature_policy do |p|
|
639
|
+
p.geolocation "https://example.com"
|
640
|
+
end
|
641
|
+
end
|
642
|
+
```
|
490
643
|
|
491
|
-
*
|
644
|
+
*Jacob Bednarz*
|
492
645
|
|
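Review bot: the Feature Policy entry shows a global policy and a controller-level policy but never states whether a controller's `feature_policy` block extends or replaces the global one; the `PagesController` example only sets `geolocation`, so a reader cannot tell whether `camera :none` and the other global directives still apply there. Suggest one sentence on the merge behaviour, and a full stop after "specification and guidelines can be found at MDN:" is not needed but the following URL line should be indented as part of the entry.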
493
|
-
*
|
646
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
494
647
|
|
495
|
-
Fixes #
|
648
|
+
Fixes #35137.
|
496
649
|
|
497
|
-
*
|
650
|
+
*Yuji Yaginuma*
|
498
651
|
|
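Review bot: the CSP nonce entry states the capability ("set the CSP nonce only to the specified directives") but names no option or example for choosing those directives, so the changelog alone does not tell a reader how to use it. Suggest a short `content_security_policy_nonce_directives` style example next to `Fixes #35137.`, using whatever the actual configuration key is.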
499
|
-
*
|
652
|
+
* Keep part when scope option has value.
|
653
|
+
|
654
|
+
When a route was defined within an optional scope, if that route didn't
|
655
|
+
take parameters the scope was lost when using path helpers. This commit
|
656
|
+
ensures scope is kept both when the route takes parameters or when it
|
657
|
+
doesn't.
|
500
658
|
|
501
|
-
|
659
|
+
Fixes #33219.
|
502
660
|
|
503
|
-
*
|
661
|
+
*Alberto Almagro*
|
504
662
|
|
505
|
-
|
663
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
506
664
|
|
507
|
-
*
|
508
|
-
`config.force_ssl`.
|
665
|
+
*Gustavo Gutierrez*
|
509
666
|
|
510
|
-
|
667
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
668
|
+
an enumerator for the parameters instead of the underlying hash.
|
669
|
+
|
670
|
+
*Eugene Kenny*
|
511
671
|
|
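Review bot: the `transform_keys`/`transform_keys!` entry describes a behaviour change (an `Enumerator` is returned instead of the underlying hash when no block is given) without flagging it as such; callers that relied on the block-less form to reach the raw hash, and thereby bypass the `Parameters` wrapper, will now get a different type. Suggest marking it as a breaking change and noting that the raw hash is no longer exposed this way.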
512
|
-
*
|
672
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
673
|
+
It should only block invalid key's values instead.
|
513
674
|
|
514
|
-
*
|
675
|
+
*Stan Lo*
|
515
676
|
|
516
677
|
|
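Review bot: the strong parameters entry is hard to parse as written; "Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical). It should only block invalid key's values instead." should read "Fix strong parameters blocking all attributes when only some keys are invalid (non-numerical); only the values under the invalid keys are now rejected." The entry should also say which key types count as invalid so readers can tell which nested structures are affected.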
517
|
-
Please check [
|
678
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|