actionpack 6.0.6 → 6.1.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +233 -350
- data/MIT-LICENSE +1 -1
- data/README.rdoc +1 -1
- data/lib/abstract_controller/base.rb +35 -2
- data/lib/abstract_controller/callbacks.rb +2 -2
- data/lib/abstract_controller/helpers.rb +105 -90
- data/lib/abstract_controller/rendering.rb +9 -9
- data/lib/abstract_controller/translation.rb +8 -2
- data/lib/abstract_controller.rb +1 -0
- data/lib/action_controller/api.rb +2 -2
- data/lib/action_controller/base.rb +4 -2
- data/lib/action_controller/caching.rb +0 -1
- data/lib/action_controller/log_subscriber.rb +3 -3
- data/lib/action_controller/metal/conditional_get.rb +10 -2
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +1 -1
- data/lib/action_controller/metal/etag_with_template_digest.rb +2 -4
- data/lib/action_controller/metal/exceptions.rb +33 -0
- data/lib/action_controller/metal/feature_policy.rb +46 -0
- data/lib/action_controller/metal/head.rb +7 -4
- data/lib/action_controller/metal/helpers.rb +11 -1
- data/lib/action_controller/metal/http_authentication.rb +5 -3
- data/lib/action_controller/metal/implicit_render.rb +1 -1
- data/lib/action_controller/metal/instrumentation.rb +11 -9
- data/lib/action_controller/metal/live.rb +1 -1
- data/lib/action_controller/metal/logging.rb +20 -0
- data/lib/action_controller/metal/mime_responds.rb +6 -2
- data/lib/action_controller/metal/parameter_encoding.rb +35 -4
- data/lib/action_controller/metal/params_wrapper.rb +16 -11
- data/lib/action_controller/metal/redirecting.rb +1 -1
- data/lib/action_controller/metal/rendering.rb +6 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +1 -1
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +103 -15
- data/lib/action_controller/metal.rb +2 -2
- data/lib/action_controller/renderer.rb +23 -13
- data/lib/action_controller/test_case.rb +62 -56
- data/lib/action_controller.rb +2 -3
- data/lib/action_dispatch/http/cache.rb +12 -10
- data/lib/action_dispatch/http/content_security_policy.rb +11 -0
- data/lib/action_dispatch/http/feature_policy.rb +168 -0
- data/lib/action_dispatch/http/filter_parameters.rb +1 -1
- data/lib/action_dispatch/http/filter_redirect.rb +1 -1
- data/lib/action_dispatch/http/headers.rb +3 -2
- data/lib/action_dispatch/http/mime_negotiation.rb +14 -8
- data/lib/action_dispatch/http/mime_type.rb +29 -16
- data/lib/action_dispatch/http/parameters.rb +1 -19
- data/lib/action_dispatch/http/request.rb +24 -8
- data/lib/action_dispatch/http/response.rb +17 -16
- data/lib/action_dispatch/http/url.rb +3 -2
- data/lib/action_dispatch/journey/formatter.rb +53 -28
- data/lib/action_dispatch/journey/gtg/builder.rb +22 -36
- data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
- data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -4
- data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
- data/lib/action_dispatch/journey/nodes/node.rb +4 -3
- data/lib/action_dispatch/journey/parser.rb +13 -13
- data/lib/action_dispatch/journey/parser.y +1 -1
- data/lib/action_dispatch/journey/path/pattern.rb +13 -18
- data/lib/action_dispatch/journey/route.rb +7 -18
- data/lib/action_dispatch/journey/router/utils.rb +6 -4
- data/lib/action_dispatch/journey/router.rb +26 -30
- data/lib/action_dispatch/journey.rb +0 -2
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +1 -1
- data/lib/action_dispatch/middleware/cookies.rb +67 -32
- data/lib/action_dispatch/middleware/debug_exceptions.rb +8 -15
- data/lib/action_dispatch/middleware/debug_view.rb +1 -1
- data/lib/action_dispatch/middleware/exception_wrapper.rb +28 -16
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +35 -35
- data/lib/action_dispatch/middleware/remote_ip.rb +5 -4
- data/lib/action_dispatch/middleware/request_id.rb +4 -5
- data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -2
- data/lib/action_dispatch/middleware/session/cookie_store.rb +2 -2
- data/lib/action_dispatch/middleware/ssl.rb +9 -6
- data/lib/action_dispatch/middleware/stack.rb +18 -0
- data/lib/action_dispatch/middleware/static.rb +154 -93
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +18 -0
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -3
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +88 -8
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +12 -1
- data/lib/action_dispatch/railtie.rb +3 -2
- data/lib/action_dispatch/request/session.rb +2 -8
- data/lib/action_dispatch/request/utils.rb +26 -2
- data/lib/action_dispatch/routing/inspector.rb +8 -7
- data/lib/action_dispatch/routing/mapper.rb +102 -71
- data/lib/action_dispatch/routing/polymorphic_routes.rb +16 -19
- data/lib/action_dispatch/routing/redirection.rb +3 -3
- data/lib/action_dispatch/routing/route_set.rb +49 -41
- data/lib/action_dispatch/system_test_case.rb +29 -24
- data/lib/action_dispatch/system_testing/browser.rb +33 -27
- data/lib/action_dispatch/system_testing/driver.rb +6 -7
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +47 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +4 -7
- data/lib/action_dispatch/testing/assertions/response.rb +2 -4
- data/lib/action_dispatch/testing/assertions/routing.rb +5 -5
- data/lib/action_dispatch/testing/assertions.rb +1 -1
- data/lib/action_dispatch/testing/integration.rb +38 -27
- data/lib/action_dispatch/testing/test_process.rb +29 -4
- data/lib/action_dispatch/testing/test_request.rb +3 -3
- data/lib/action_dispatch.rb +3 -2
- data/lib/action_pack/gem_version.rb +3 -3
- data/lib/action_pack.rb +1 -1
- metadata +23 -25
- data/lib/action_controller/metal/force_ssl.rb +0 -58
- data/lib/action_dispatch/http/parameter_filter.rb +0 -12
- data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
- data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
- data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -119
data/CHANGELOG.md
CHANGED
@@ -1,512 +1,395 @@
|
|
1
|
-
## Rails 6.0.
|
1
|
+
## Rails 6.1.0.rc1 (November 02, 2020) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
4
4
|
|
5
|
+
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
5
6
|
|
6
|
-
|
7
|
+
*Chris Bisnett*
|
7
8
|
|
8
|
-
*
|
9
|
+
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
10
|
+
the unique X-Request-Id header
|
9
11
|
|
12
|
+
*Arlston Fernandes*
|
10
13
|
|
11
|
-
|
14
|
+
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
12
15
|
|
13
|
-
*
|
14
|
-
|
15
|
-
|
16
|
-
## Rails 6.0.4.8 (April 26, 2022) ##
|
16
|
+
*Rafael Mendonça França*
|
17
17
|
|
18
|
-
*
|
18
|
+
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
19
19
|
|
20
|
-
*
|
20
|
+
*Rafael Mendonça França*
|
21
21
|
|
22
|
-
|
22
|
+
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
23
23
|
|
24
|
-
*
|
24
|
+
*Rafael Mendonça França*
|
25
25
|
|
26
|
+
* Added support for exclusive no-store Cache-Control header.
|
26
27
|
|
27
|
-
|
28
|
+
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
28
29
|
|
29
|
-
*
|
30
|
+
*Chris Kruger*
|
30
31
|
|
32
|
+
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
31
33
|
|
32
|
-
|
34
|
+
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
35
|
+
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
33
36
|
|
34
|
-
*
|
35
|
-
response body has been fully closed which result in request state not
|
36
|
-
being fully reset before the next request
|
37
|
+
*Adrianna Chang*
|
37
38
|
|
38
|
-
|
39
|
+
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
39
40
|
|
41
|
+
*Gannon McGibbon*
|
40
42
|
|
41
|
-
|
43
|
+
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
42
44
|
|
43
|
-
*
|
45
|
+
*Alan Tan*, *Oz Ben-David*
|
44
46
|
|
47
|
+
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
48
|
+
a 308 redirection.
|
45
49
|
|
46
|
-
|
50
|
+
*Alan Tan*
|
47
51
|
|
48
|
-
*
|
52
|
+
* When multiple domains are specified for a cookie, a domain will now be
|
53
|
+
chosen only if it is equal to or is a superdomain of the request host.
|
49
54
|
|
55
|
+
*Jonathan Hefner*
|
50
56
|
|
51
|
-
|
57
|
+
* `ActionDispatch::Static` handles precompiled Brotli (.br) files.
|
52
58
|
|
53
|
-
|
59
|
+
Adds to existing support for precompiled gzip (.gz) files.
|
60
|
+
Brotli files are preferred due to much better compression.
|
54
61
|
|
55
|
-
|
62
|
+
When the browser requests /some.js with `Accept-Encoding: br`,
|
63
|
+
we check for public/some.js.br and serve that file, if present, with
|
64
|
+
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
56
65
|
|
57
|
-
*
|
66
|
+
*Ryan Edward Hall*, *Jeremy Daer*
|
58
67
|
|
59
|
-
|
60
|
-
"allowed host" formats can cause the Host Authorization middleware in Action
|
61
|
-
Pack to redirect users to a malicious website.
|
68
|
+
* Add raise_on_missing_translations support for controllers.
|
62
69
|
|
63
|
-
|
70
|
+
This configuration determines whether an error should be raised for missing translations.
|
71
|
+
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
72
|
+
configuration also affects raising error for missing translations in views.
|
64
73
|
|
65
|
-
*
|
74
|
+
*fatkodima*
|
66
75
|
|
67
|
-
|
68
|
-
them difficult to deal with. For example, the common practice of sending
|
69
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
70
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
76
|
+
* Added `compact` and `compact!` to `ActionController::Parameters`.
|
71
77
|
|
72
|
-
|
73
|
-
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
74
|
-
tokens for backwards compatibility.
|
75
|
-
|
76
|
-
In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded.
|
77
|
-
If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
|
78
|
-
|
79
|
-
```ruby
|
80
|
-
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
81
|
-
```
|
78
|
+
*Eugene Kenny*
|
82
79
|
|
83
|
-
|
80
|
+
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
81
|
+
without passing a block now returns an enumerator.
|
84
82
|
|
85
|
-
*
|
86
|
-
`action_dispatch.use_cookies_with_metadata` is enabled.
|
83
|
+
*Eugene Kenny*
|
87
84
|
|
88
|
-
|
85
|
+
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
89
86
|
|
87
|
+
Previously the path had to be relative to `fixture_path`.
|
88
|
+
You can change your existing code as follow:
|
90
89
|
|
91
|
-
|
90
|
+
```ruby
|
91
|
+
# Before
|
92
|
+
fixture_file_upload('files/dog.png')
|
92
93
|
|
93
|
-
|
94
|
-
|
94
|
+
# After
|
95
|
+
fixture_file_upload('dog.png')
|
96
|
+
```
|
95
97
|
|
96
|
-
*
|
97
|
-
CVE-2021-22904
|
98
|
+
*Edouard Chin*
|
98
99
|
|
99
|
-
*
|
100
|
+
* Remove deprecated `force_ssl` at the controller level.
|
100
101
|
|
101
|
-
|
102
|
-
of arguments (usually symbols and records). If a developer passes a
|
103
|
-
user input array, strings can result in unwanted route helper calls.
|
102
|
+
*Rafael Mendonça França*
|
104
103
|
|
105
|
-
|
104
|
+
* The +helper+ class method for controllers loads helper modules specified as
|
105
|
+
strings/symbols with `String#constantize` instead of `require_dependency`.
|
106
106
|
|
107
|
-
|
107
|
+
Remember that support for strings/symbols is only a convenient API. You can
|
108
|
+
always pass a module object:
|
108
109
|
|
109
|
-
|
110
|
+
```ruby
|
111
|
+
helper UtilsHelper
|
112
|
+
```
|
110
113
|
|
111
|
-
|
114
|
+
which is recommended because it is simple and direct. When a string/symbol
|
115
|
+
is received, `helper` just manipulates and inflects the argument to obtain
|
116
|
+
that same module object.
|
112
117
|
|
118
|
+
*Xavier Noria*, *Jean Boussier*
|
113
119
|
|
114
|
-
|
120
|
+
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
115
121
|
|
116
|
-
*
|
122
|
+
*Nick Soracco*
|
117
123
|
|
118
|
-
|
124
|
+
* `url_for` will now use "https://" as the default protocol when
|
125
|
+
`Rails.application.config.force_ssl` is set to true.
|
119
126
|
|
120
|
-
|
121
|
-
issue and the patch!
|
127
|
+
*Jonathan Hefner*
|
122
128
|
|
123
|
-
|
129
|
+
* Accept and default to base64_urlsafe CSRF tokens.
|
124
130
|
|
131
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
132
|
+
them difficult to deal with. For example, the common practice of sending
|
133
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
134
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
125
135
|
|
126
|
-
|
136
|
+
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
137
|
+
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
138
|
+
for backwards compatibility.
|
127
139
|
|
128
|
-
*
|
140
|
+
*Scott Blum*
|
129
141
|
|
142
|
+
* Support rolling deploys for cookie serialization/encryption changes.
|
130
143
|
|
131
|
-
|
144
|
+
In a distributed configuration like rolling update, users may observe
|
145
|
+
both old and new instances during deployment. Users may be served by a
|
146
|
+
new instance and then by an old instance.
|
132
147
|
|
133
|
-
|
148
|
+
That means when the server changes `cookies_serializer` from `:marshal`
|
149
|
+
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
150
|
+
from `false` to `true`, users may lose their sessions if they access the
|
151
|
+
server during deployment.
|
134
152
|
|
153
|
+
We added fallbacks to downgrade the cookie format when necessary during
|
154
|
+
deployment, ensuring compatibility on both old and new instances.
|
135
155
|
|
136
|
-
|
156
|
+
*Masaki Hara*
|
137
157
|
|
138
|
-
*
|
158
|
+
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
139
159
|
|
140
|
-
|
160
|
+
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
161
|
+
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
141
162
|
|
142
|
-
*
|
163
|
+
*Keenan Brock*
|
143
164
|
|
144
|
-
*
|
165
|
+
* Fix possible information leak / session hijacking vulnerability.
|
145
166
|
|
167
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
168
|
+
gem dalli to be updated as well.
|
146
169
|
|
147
|
-
|
170
|
+
CVE-2019-16782.
|
148
171
|
|
149
|
-
* Include child session assertion count in ActionDispatch::IntegrationTest
|
172
|
+
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
150
173
|
|
151
174
|
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
152
175
|
meant it had its own copy of `@assertions`. This prevented the assertions
|
153
176
|
from being correctly counted and reported.
|
154
177
|
|
155
|
-
Child sessions now have their `attr_accessor`
|
178
|
+
Child sessions now have their `attr_accessor` overridden to delegate to the
|
156
179
|
root session.
|
157
180
|
|
158
|
-
Fixes #32142
|
181
|
+
Fixes #32142.
|
159
182
|
|
160
183
|
*Sam Bostock*
|
161
184
|
|
185
|
+
* Add SameSite protection to every written cookie.
|
162
186
|
|
163
|
-
|
164
|
-
|
165
|
-
* No changes.
|
166
|
-
|
167
|
-
|
168
|
-
## Rails 6.0.2.1 (December 18, 2019) ##
|
169
|
-
|
170
|
-
* Fix possible information leak / session hijacking vulnerability.
|
171
|
-
|
172
|
-
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
173
|
-
gem dalli to be updated as well.
|
174
|
-
|
175
|
-
CVE-2019-16782.
|
176
|
-
|
187
|
+
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
188
|
+
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
177
189
|
|
178
|
-
|
190
|
+
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
179
191
|
|
180
|
-
|
192
|
+
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
181
193
|
|
182
|
-
|
194
|
+
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
183
195
|
|
196
|
+
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
184
197
|
|
185
|
-
|
198
|
+
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
186
199
|
|
187
|
-
*
|
188
|
-
rather than `ActionDispatch::IntegrationTest`. This permits running jobs in
|
189
|
-
system tests.
|
200
|
+
*Cédric Fabianski*
|
190
201
|
|
191
|
-
|
202
|
+
* Bring back the feature that allows loading external route files from the router.
|
192
203
|
|
193
|
-
|
204
|
+
This feature existed back in 2012 but got reverted with the incentive that
|
205
|
+
https://github.com/rails/routing_concerns was a better approach. Turned out
|
206
|
+
that this wasn't fully the case and loading external route files from the router
|
207
|
+
can be helpful for applications with a really large set of routes.
|
208
|
+
Without this feature, application needs to implement routes reloading
|
209
|
+
themselves and it's not straightforward.
|
194
210
|
|
195
211
|
```ruby
|
196
|
-
|
197
|
-
```
|
212
|
+
# config/routes.rb
|
198
213
|
|
199
|
-
|
214
|
+
Rails.application.routes.draw do
|
215
|
+
draw(:admin)
|
216
|
+
end
|
200
217
|
|
218
|
+
# config/routes/admin.rb
|
201
219
|
|
202
|
-
|
220
|
+
get :foo, to: 'foo#bar'
|
221
|
+
```
|
203
222
|
|
204
|
-
*
|
223
|
+
*Yehuda Katz*, *Edouard Chin*
|
205
224
|
|
225
|
+
* Fix system test driver option initialization for non-headless browsers.
|
206
226
|
|
207
|
-
|
227
|
+
*glaszig*
|
208
228
|
|
209
|
-
*
|
229
|
+
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
230
|
+
their payloads as `:request`.
|
210
231
|
|
211
|
-
|
232
|
+
*Austin Story*
|
212
233
|
|
213
|
-
|
234
|
+
* `respond_to#any` no longer returns a response's Content-Type based on the
|
235
|
+
request format but based on the block given.
|
214
236
|
|
215
|
-
|
237
|
+
Example:
|
216
238
|
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
221
|
-
|
222
|
-
|
223
|
-
|
224
|
-
*Alberto Almagro*
|
225
|
-
|
226
|
-
* Change `ActionDispatch::Response#content_type` to return Content-Type header as it is.
|
227
|
-
|
228
|
-
Previously, `ActionDispatch::Response#content_type` returned value does NOT
|
229
|
-
contain charset part. This behavior changed to returned Content-Type header
|
230
|
-
containing charset part as it is.
|
231
|
-
|
232
|
-
If you want just MIME type, please use `ActionDispatch::Response#media_type`
|
233
|
-
instead.
|
234
|
-
|
235
|
-
Enable `action_dispatch.return_only_media_type_on_content_type` to use this change.
|
236
|
-
If not enabled, `ActionDispatch::Response#content_type` returns the same
|
237
|
-
value as before version, but its behavior is deprecate.
|
239
|
+
```ruby
|
240
|
+
def my_action
|
241
|
+
respond_to do |format|
|
242
|
+
format.any { render(json: { foo: 'bar' }) }
|
243
|
+
end
|
244
|
+
end
|
238
245
|
|
239
|
-
|
246
|
+
get('my_action.csv')
|
247
|
+
```
|
240
248
|
|
241
|
-
|
242
|
-
|
249
|
+
The previous behaviour was to respond with a `text/csv` Content-Type which
|
250
|
+
is inaccurate since a JSON response is being rendered.
|
243
251
|
|
244
|
-
|
252
|
+
Now it correctly returns a `application/json` Content-Type.
|
245
253
|
|
246
|
-
*
|
254
|
+
*Edouard Chin*
|
247
255
|
|
248
|
-
|
256
|
+
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
249
257
|
|
258
|
+
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
259
|
+
nested directory, causing issues with `tmp:clear`.
|
250
260
|
|
251
|
-
|
261
|
+
*Damir Zekic*
|
252
262
|
|
253
|
-
*
|
254
|
-
rather than an `after_teardown` hook.
|
263
|
+
* Add `params.member?` to mimic Hash behavior.
|
255
264
|
|
256
|
-
|
257
|
-
the screenshot is taken (reducing the time in which the page could have
|
258
|
-
been dynamically updated after the assertion failed).
|
265
|
+
*Younes Serraj*
|
259
266
|
|
260
|
-
|
267
|
+
* `process_action.action_controller` notifications now include the following in their payloads:
|
261
268
|
|
262
|
-
*
|
269
|
+
* `:request` - the `ActionDispatch::Request`
|
270
|
+
* `:response` - the `ActionDispatch::Response`
|
263
271
|
|
264
|
-
|
265
|
-
from `ActiveSupport::ActionableError` descendants.
|
272
|
+
*George Claghorn*
|
266
273
|
|
267
|
-
|
274
|
+
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
275
|
+
`remote_ip` to `nil` before setting the header that the value is derived
|
276
|
+
from.
|
268
277
|
|
269
|
-
|
278
|
+
Fixes #37383.
|
270
279
|
|
271
|
-
*
|
280
|
+
*Norm Provost*
|
272
281
|
|
273
|
-
|
282
|
+
* `ActionController::Base.log_at` allows setting a different log level per request.
|
274
283
|
|
275
|
-
```
|
276
|
-
|
277
|
-
|
284
|
+
```ruby
|
285
|
+
# Use the debug level if a particular cookie is set.
|
286
|
+
class ApplicationController < ActionController::Base
|
287
|
+
log_at :debug, if: -> { cookies[:debug] }
|
278
288
|
end
|
279
289
|
```
|
280
290
|
|
281
|
-
|
291
|
+
*George Claghorn*
|
282
292
|
|
283
|
-
|
293
|
+
* Allow system test screen shots to be taken more than once in
|
294
|
+
a test by prefixing the file name with an incrementing counter.
|
284
295
|
|
296
|
+
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
297
|
+
enable saving of HTML during a screenshot in addition to the image.
|
298
|
+
This uses the same image name, with the extension replaced with `.html`
|
285
299
|
|
286
|
-
|
300
|
+
*Tom Fakes*
|
287
301
|
|
288
|
-
*
|
302
|
+
* Add `Vary: Accept` header when using `Accept` header for response.
|
289
303
|
|
304
|
+
For some requests like `/users/1`, Rails uses requests' `Accept`
|
305
|
+
header to determine what to return. And if we don't add `Vary`
|
306
|
+
in the response header, browsers might accidentally cache different
|
307
|
+
types of content, which would cause issues: e.g. javascript got displayed
|
308
|
+
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
309
|
+
in these types of requests. For more detailed problem description, please read:
|
290
310
|
|
291
|
-
|
311
|
+
https://github.com/rails/rails/pull/36213
|
292
312
|
|
293
|
-
|
313
|
+
Fixes #25842.
|
294
314
|
|
295
|
-
*
|
315
|
+
*Stan Lo*
|
296
316
|
|
297
|
-
* `
|
298
|
-
|
317
|
+
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
318
|
+
a 307 redirection.
|
299
319
|
|
300
320
|
*Edouard Chin*
|
301
321
|
|
322
|
+
* System tests require Capybara 3.26 or newer.
|
302
323
|
|
303
|
-
|
324
|
+
*George Claghorn*
|
304
325
|
|
305
|
-
*
|
326
|
+
* Reduced log noise handling ActionController::RoutingErrors.
|
306
327
|
|
307
|
-
*
|
308
|
-
|
309
|
-
* Remove deprecated methods in `ActionDispatch::TestResponse`.
|
328
|
+
*Alberto Fernández-Capel*
|
310
329
|
|
311
|
-
|
312
|
-
`#successful?`, `not_found?` and `server_error?`.
|
313
|
-
|
314
|
-
*Rafael Mendonça França*
|
330
|
+
* Add DSL for configuring HTTP Feature Policy.
|
315
331
|
|
316
|
-
|
332
|
+
This new DSL provides a way to configure an HTTP Feature Policy at a
|
333
|
+
global or per-controller level. Full details of HTTP Feature Policy
|
334
|
+
specification and guidelines can be found at MDN:
|
317
335
|
|
318
|
-
|
319
|
-
explicitly permitting the hosts a request can be made to.
|
336
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
320
337
|
|
321
|
-
|
322
|
-
`Proc`, `IPAddr` and custom objects as host allowances.
|
338
|
+
Example global policy:
|
323
339
|
|
324
|
-
|
325
|
-
|
326
|
-
|
327
|
-
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
|
332
|
-
class SomeControllerTest < ActionController::TestCase
|
333
|
-
def test_some_action
|
334
|
-
post :action, body: { foo: 'bar' }
|
335
|
-
assert_equal({ "foo" => "bar" }, response.parsed_body)
|
336
|
-
end
|
340
|
+
```ruby
|
341
|
+
Rails.application.config.feature_policy do |f|
|
342
|
+
f.camera :none
|
343
|
+
f.gyroscope :none
|
344
|
+
f.microphone :none
|
345
|
+
f.usb :none
|
346
|
+
f.fullscreen :self
|
347
|
+
f.payment :self, "https://secure.example.com"
|
337
348
|
end
|
338
349
|
```
|
339
350
|
|
340
|
-
|
341
|
-
|
342
|
-
*Tobias Bühlmann*
|
343
|
-
|
344
|
-
* Raise an error on root route naming conflicts.
|
351
|
+
Example controller level policy:
|
345
352
|
|
346
|
-
|
347
|
-
|
348
|
-
|
349
|
-
|
350
|
-
|
351
|
-
* Allow rescue from parameter parse errors:
|
352
|
-
|
353
|
-
```
|
354
|
-
rescue_from ActionDispatch::Http::Parameters::ParseError do
|
355
|
-
head :unauthorized
|
353
|
+
```ruby
|
354
|
+
class PagesController < ApplicationController
|
355
|
+
feature_policy do |p|
|
356
|
+
p.geolocation "https://example.com"
|
357
|
+
end
|
356
358
|
end
|
357
359
|
```
|
358
360
|
|
359
|
-
*
|
360
|
-
|
361
|
-
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
362
|
-
|
363
|
-
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
364
|
-
in system test `after_teardown`.
|
365
|
-
|
366
|
-
*Maxim Perepelitsa*
|
367
|
-
|
368
|
-
* Use request object for context if there's no controller
|
369
|
-
|
370
|
-
There is no controller instance when using a redirect route or a
|
371
|
-
mounted rack application so pass the request object as the context
|
372
|
-
when resolving dynamic CSP sources in this scenario.
|
373
|
-
|
374
|
-
Fixes #34200.
|
375
|
-
|
376
|
-
*Andrew White*
|
377
|
-
|
378
|
-
* Apply mapping to symbols returned from dynamic CSP sources
|
379
|
-
|
380
|
-
Previously if a dynamic source returned a symbol such as :self it
|
381
|
-
would be converted to a string implicitly, e.g:
|
382
|
-
|
383
|
-
policy.default_src -> { :self }
|
384
|
-
|
385
|
-
would generate the header:
|
386
|
-
|
387
|
-
Content-Security-Policy: default-src self
|
388
|
-
|
389
|
-
and now it generates:
|
390
|
-
|
391
|
-
Content-Security-Policy: default-src 'self'
|
392
|
-
|
393
|
-
*Andrew White*
|
394
|
-
|
395
|
-
* Add `ActionController::Parameters#each_value`.
|
396
|
-
|
397
|
-
*Lukáš Zapletal*
|
398
|
-
|
399
|
-
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
|
400
|
-
|
401
|
-
*Yoshiyuki Kinjo*
|
402
|
-
|
403
|
-
* Encode Content-Disposition filenames on `send_data` and `send_file`.
|
404
|
-
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
|
405
|
-
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
|
406
|
-
garbled.
|
407
|
-
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
|
408
|
-
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
|
409
|
-
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
|
410
|
-
Most browsers can find filename correctly and old browsers fallback to ASCII
|
411
|
-
converted name.
|
412
|
-
|
413
|
-
*Fumiaki Matsushima*
|
414
|
-
|
415
|
-
* Expose `ActionController::Parameters#each_key` which allows iterating over
|
416
|
-
keys without allocating an array.
|
361
|
+
*Jacob Bednarz*
|
417
362
|
|
418
|
-
|
419
|
-
|
420
|
-
* Purpose metadata for signed/encrypted cookies.
|
421
|
-
|
422
|
-
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
423
|
-
of a cookie and use it as the value of another cookie.
|
424
|
-
|
425
|
-
It does so by stashing the cookie-name in the purpose field which is
|
426
|
-
then signed/encrypted along with the cookie value. Then, on a server-side
|
427
|
-
read, we verify the cookie-names and discard any attacked cookies.
|
428
|
-
|
429
|
-
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
430
|
-
writes cookies with the new purpose and expiry metadata embedded.
|
431
|
-
|
432
|
-
*Assain Jaleel*
|
433
|
-
|
434
|
-
* Raises `ActionController::RespondToMismatchError` with conflicting `respond_to` invocations.
|
435
|
-
|
436
|
-
`respond_to` can match multiple types and lead to undefined behavior when
|
437
|
-
multiple invocations are made and the types do not match:
|
438
|
-
|
439
|
-
respond_to do |outer_type|
|
440
|
-
outer_type.js do
|
441
|
-
respond_to do |inner_type|
|
442
|
-
inner_type.html { render body: "HTML" }
|
443
|
-
end
|
444
|
-
end
|
445
|
-
end
|
446
|
-
|
447
|
-
*Patrick Toomey*
|
448
|
-
|
449
|
-
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
450
|
-
|
451
|
-
This allows uploaded file objects to be passed directly to `File.read`
|
452
|
-
without raising a `TypeError`:
|
453
|
-
|
454
|
-
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
455
|
-
File.read(uploaded_file)
|
456
|
-
|
457
|
-
*Aaron Kromer*
|
458
|
-
|
459
|
-
* Pass along arguments to underlying `get` method in `follow_redirect!`
|
460
|
-
|
461
|
-
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
462
|
-
`get` method. This for example allows to set custom headers for the
|
463
|
-
redirection request to the server.
|
464
|
-
|
465
|
-
follow_redirect!(params: { foo: :bar })
|
466
|
-
|
467
|
-
*Remo Fritzsche*
|
468
|
-
|
469
|
-
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
470
|
-
|
471
|
-
Now instead of showing an error page that with exception and backtraces we now show only
|
472
|
-
one informative page.
|
473
|
-
|
474
|
-
*Vinicius Stock*
|
475
|
-
|
476
|
-
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
|
477
|
-
|
478
|
-
Exception aware plugin authors can use the newly introduced
|
479
|
-
`.register_interceptor` method to get the processed exception, instead of
|
480
|
-
monkey patching DebugExceptions.
|
481
|
-
|
482
|
-
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
483
|
-
HypoteticalPlugin.capture_exception(request, exception)
|
484
|
-
end
|
363
|
+
* Add the ability to set the CSP nonce only to the specified directives.
|
485
364
|
|
486
|
-
|
365
|
+
Fixes #35137.
|
487
366
|
|
488
|
-
*
|
367
|
+
*Yuji Yaginuma*
|
489
368
|
|
490
|
-
|
369
|
+
* Keep part when scope option has value.
|
491
370
|
|
492
|
-
|
371
|
+
When a route was defined within an optional scope, if that route didn't
|
372
|
+
take parameters the scope was lost when using path helpers. This commit
|
373
|
+
ensures scope is kept both when the route takes parameters or when it
|
374
|
+
doesn't.
|
493
375
|
|
494
|
-
|
376
|
+
Fixes #33219.
|
495
377
|
|
496
|
-
*
|
378
|
+
*Alberto Almagro*
|
497
379
|
|
498
|
-
*
|
380
|
+
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
499
381
|
|
500
|
-
*
|
382
|
+
*Gustavo Gutierrez*
|
501
383
|
|
502
|
-
*
|
503
|
-
|
384
|
+
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
385
|
+
an enumerator for the parameters instead of the underlying hash.
|
504
386
|
|
505
|
-
*
|
387
|
+
*Eugene Kenny*
|
506
388
|
|
507
|
-
*
|
389
|
+
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
390
|
+
It should only block invalid key's values instead.
|
508
391
|
|
509
|
-
*
|
392
|
+
*Stan Lo*
|
510
393
|
|
511
394
|
|
512
|
-
Please check [
|
395
|
+
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|