actionpack 6.1.4 → 7.0.0.rc1
- checksums.yaml +4 -4
- data/CHANGELOG.md +189 -372
- data/MIT-LICENSE +1 -1
- data/README.rdoc +2 -3
- data/lib/abstract_controller/asset_paths.rb +1 -1
- data/lib/abstract_controller/base.rb +7 -21
- data/lib/abstract_controller/caching/fragments.rb +2 -2
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +21 -7
- data/lib/abstract_controller/collector.rb +4 -2
- data/lib/abstract_controller/error.rb +1 -1
- data/lib/abstract_controller/helpers.rb +3 -2
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/translation.rb +3 -2
- data/lib/abstract_controller/url_for.rb +4 -6
- data/lib/action_controller/api.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +4 -3
- data/lib/action_controller/metal/conditional_get.rb +38 -1
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +5 -13
- data/lib/action_controller/metal/exceptions.rb +19 -30
- data/lib/action_controller/metal/flash.rb +6 -2
- data/lib/action_controller/metal/helpers.rb +1 -1
- data/lib/action_controller/metal/http_authentication.rb +17 -16
- data/lib/action_controller/metal/instrumentation.rb +57 -52
- data/lib/action_controller/metal/live.rb +42 -2
- data/lib/action_controller/metal/mime_responds.rb +3 -3
- data/lib/action_controller/metal/params_wrapper.rb +20 -11
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/redirecting.rb +86 -16
- data/lib/action_controller/metal/rendering.rb +7 -7
- data/lib/action_controller/metal/request_forgery_protection.rb +64 -24
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/streaming.rb +1 -3
- data/lib/action_controller/metal/strong_parameters.rb +84 -47
- data/lib/action_controller/metal/testing.rb +0 -2
- data/lib/action_controller/metal.rb +7 -10
- data/lib/action_controller/railtie.rb +49 -6
- data/lib/action_controller/test_case.rb +19 -4
- data/lib/action_controller.rb +1 -5
- data/lib/action_dispatch/http/cache.rb +13 -6
- data/lib/action_dispatch/http/content_security_policy.rb +39 -35
- data/lib/action_dispatch/http/filter_parameters.rb +5 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +13 -3
- data/lib/action_dispatch/http/mime_type.rb +9 -11
- data/lib/action_dispatch/http/parameters.rb +4 -4
- data/lib/action_dispatch/http/permissions_policy.rb +1 -1
- data/lib/action_dispatch/http/request.rb +10 -19
- data/lib/action_dispatch/http/response.rb +1 -13
- data/lib/action_dispatch/http/url.rb +11 -19
- data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
- data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
- data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
- data/lib/action_dispatch/journey/nodes/node.rb +70 -5
- data/lib/action_dispatch/journey/path/pattern.rb +22 -13
- data/lib/action_dispatch/journey/route.rb +6 -13
- data/lib/action_dispatch/journey/router/utils.rb +2 -2
- data/lib/action_dispatch/journey/router.rb +1 -1
- data/lib/action_dispatch/journey/routes.rb +3 -3
- data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
- data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +0 -1
- data/lib/action_dispatch/middleware/cookies.rb +8 -4
- data/lib/action_dispatch/middleware/debug_exceptions.rb +6 -4
- data/lib/action_dispatch/middleware/debug_locks.rb +3 -3
- data/lib/action_dispatch/middleware/exception_wrapper.rb +4 -0
- data/lib/action_dispatch/middleware/executor.rb +3 -0
- data/lib/action_dispatch/middleware/flash.rb +9 -11
- data/lib/action_dispatch/middleware/host_authorization.rb +49 -37
- data/lib/action_dispatch/middleware/remote_ip.rb +16 -4
- data/lib/action_dispatch/middleware/server_timing.rb +33 -0
- data/lib/action_dispatch/middleware/session/abstract_store.rb +1 -1
- data/lib/action_dispatch/middleware/show_exceptions.rb +17 -9
- data/lib/action_dispatch/middleware/stack.rb +27 -9
- data/lib/action_dispatch/middleware/static.rb +2 -6
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +4 -3
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +3 -1
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +28 -18
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +5 -14
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +43 -13
- data/lib/action_dispatch/routing/inspector.rb +1 -1
- data/lib/action_dispatch/routing/mapper.rb +54 -78
- data/lib/action_dispatch/routing/redirection.rb +0 -2
- data/lib/action_dispatch/routing/route_set.rb +14 -6
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +1 -2
- data/lib/action_dispatch/routing.rb +2 -2
- data/lib/action_dispatch/system_test_case.rb +12 -6
- data/lib/action_dispatch/system_testing/browser.rb +2 -12
- data/lib/action_dispatch/system_testing/driver.rb +35 -11
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +10 -6
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +0 -8
- data/lib/action_dispatch/testing/assertions.rb +2 -5
- data/lib/action_dispatch/testing/integration.rb +6 -8
- data/lib/action_dispatch/testing/test_process.rb +3 -26
- data/lib/action_dispatch.rb +2 -1
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack.rb +1 -1
- metadata +19 -17
data/CHANGELOG.md
CHANGED
@@ -1,520 +1,337 @@
|
|
1
|
-
|
1
|
+
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
*Kevin Sjöberg*
|
6
|
-
|
7
|
-
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
8
|
-
|
9
|
-
*Dylan Thacker-Smith*
|
10
|
-
|
11
|
-
* Correctly place optional path parameter booleans.
|
12
|
-
|
13
|
-
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
14
|
-
of the path as parameter for example:
|
15
|
-
|
16
|
-
```
|
17
|
-
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
18
|
-
things_path(optional_id: false) # => /things?optional_id=false
|
19
|
-
```
|
20
|
-
|
21
|
-
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
22
|
-
|
23
|
-
```
|
24
|
-
get '(this/:my_bool)/that' as: :that
|
25
|
-
|
26
|
-
that_path(my_bool: true) # => `/this/true/that`
|
27
|
-
that_path(my_bool: false) # => `/this/false/that`
|
28
|
-
```
|
29
|
-
|
30
|
-
*Adam Hess*
|
31
|
-
|
32
|
-
* Add support for 'private, no-store' Cache-Control headers.
|
33
|
-
|
34
|
-
Previously, 'no-store' was exclusive; no other directives could be specified.
|
35
|
-
|
36
|
-
*Alex Smith*
|
37
|
-
|
38
|
-
|
39
|
-
## Rails 6.1.3.2 (May 05, 2021) ##
|
40
|
-
|
41
|
-
* Prevent open redirects by correctly escaping the host allow list
|
42
|
-
CVE-2021-22903
|
43
|
-
|
44
|
-
* Prevent catastrophic backtracking during mime parsing
|
45
|
-
CVE-2021-22902
|
46
|
-
|
47
|
-
* Prevent regex DoS in HTTP token authentication
|
48
|
-
CVE-2021-22904
|
49
|
-
|
50
|
-
* Prevent string polymorphic route arguments.
|
51
|
-
|
52
|
-
`url_for` supports building polymorphic URLs via an array
|
53
|
-
of arguments (usually symbols and records). If a developer passes a
|
54
|
-
user input array, strings can result in unwanted route helper calls.
|
55
|
-
|
56
|
-
CVE-2021-22885
|
57
|
-
|
58
|
-
*Gannon McGibbon*
|
59
|
-
|
60
|
-
## Rails 6.1.3.1 (March 26, 2021) ##
|
61
|
-
|
62
|
-
* No changes.
|
63
|
-
|
64
|
-
|
65
|
-
## Rails 6.1.3 (February 17, 2021) ##
|
66
|
-
|
67
|
-
* Re-define routes when not set correctly via inheritance.
|
68
|
-
|
69
|
-
*John Hawthorn*
|
70
|
-
|
71
|
-
|
72
|
-
## Rails 6.1.2.1 (February 10, 2021) ##
|
73
|
-
|
74
|
-
* Prevent open redirect when allowed host starts with a dot
|
75
|
-
|
76
|
-
[CVE-2021-22881]
|
77
|
-
|
78
|
-
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
79
|
-
issue and the patch!
|
80
|
-
|
81
|
-
*Aaron Patterson*
|
82
|
-
|
83
|
-
|
84
|
-
## Rails 6.1.2 (February 09, 2021) ##
|
85
|
-
|
86
|
-
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
87
|
-
|
88
|
-
*Janko Marohnić*
|
89
|
-
|
90
|
-
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
91
|
-
|
92
|
-
*Eugene Kenny*
|
93
|
-
|
94
|
-
|
95
|
-
## Rails 6.1.1 (January 07, 2021) ##
|
96
|
-
|
97
|
-
* Fix nil translation key lookup in controllers/
|
98
|
-
|
99
|
-
*Jan Klimo*
|
100
|
-
|
101
|
-
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
102
|
-
|
103
|
-
*Alex Robbin*
|
104
|
-
|
105
|
-
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
106
|
-
|
107
|
-
*Alex Robbin*
|
3
|
+
This helps to better simulate request or job local state being reset between requests and prevent state
|
4
|
+
leaking from one request to another.
|
108
5
|
|
6
|
+
To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
|
109
7
|
|
110
|
-
|
8
|
+
*Alex Ghiculescu*
|
111
9
|
|
112
|
-
*
|
113
|
-
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
10
|
+
* Consider onion services secure for cookies.
|
114
11
|
|
115
|
-
|
116
|
-
Rails.application.config.permissions_policy do |p|
|
117
|
-
p.camera :none
|
118
|
-
p.gyroscope :none
|
119
|
-
p.microphone :none
|
120
|
-
p.usb :none
|
121
|
-
p.fullscreen :self
|
122
|
-
p.payment :self, "https://secure-example.com"
|
123
|
-
end
|
124
|
-
```
|
125
|
-
|
126
|
-
*Julien Grillot*
|
127
|
-
|
128
|
-
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
129
|
-
|
130
|
-
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
131
|
-
|
132
|
-
*Chris Bisnett*
|
133
|
-
|
134
|
-
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
135
|
-
the unique X-Request-Id header
|
136
|
-
|
137
|
-
*Arlston Fernandes*
|
12
|
+
*Justin Tracey*
|
138
13
|
|
139
|
-
*
|
14
|
+
* Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
|
140
15
|
|
141
16
|
*Rafael Mendonça França*
|
142
17
|
|
143
|
-
*
|
18
|
+
* Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
|
144
19
|
|
145
20
|
*Rafael Mendonça França*
|
146
21
|
|
147
|
-
* Remove deprecated `ActionDispatch::
|
22
|
+
* Remove deprecated `ActionDispatch::SystemTestCase#host!`.
|
148
23
|
|
149
24
|
*Rafael Mendonça França*
|
150
25
|
|
151
|
-
*
|
152
|
-
|
153
|
-
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
154
|
-
|
155
|
-
*Chris Kruger*
|
156
|
-
|
157
|
-
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
158
|
-
|
159
|
-
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
160
|
-
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
161
|
-
|
162
|
-
*Adrianna Chang*
|
163
|
-
|
164
|
-
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
165
|
-
|
166
|
-
*Gannon McGibbon*
|
26
|
+
* Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
|
167
27
|
|
168
|
-
*
|
169
|
-
|
170
|
-
*Alan Tan*, *Oz Ben-David*
|
171
|
-
|
172
|
-
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
173
|
-
a 308 redirection.
|
28
|
+
*Rafael Mendonça França*
|
174
29
|
|
175
|
-
|
30
|
+
* Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
|
176
31
|
|
177
|
-
*
|
178
|
-
chosen only if it is equal to or is a superdomain of the request host.
|
32
|
+
*Rafael Mendonça França*
|
179
33
|
|
180
|
-
|
34
|
+
* Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
|
181
35
|
|
182
|
-
|
36
|
+
This allows `rescue_from` to be used to add a default fallback route:
|
183
37
|
|
184
|
-
|
185
|
-
|
38
|
+
```ruby
|
39
|
+
rescue_from ActionController::Redirecting::UnsafeRedirectError do
|
40
|
+
redirect_to root_url
|
41
|
+
end
|
42
|
+
```
|
186
43
|
|
187
|
-
|
188
|
-
we check for public/some.js.br and serve that file, if present, with
|
189
|
-
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
44
|
+
*Kasper Timm Hansen*, *Chris Oliver*
|
190
45
|
|
191
|
-
|
46
|
+
* Add `url_from` to verify a redirect location is internal.
|
192
47
|
|
193
|
-
|
48
|
+
Takes the open redirect protection from `redirect_to` so users can wrap a
|
49
|
+
param, and fall back to an alternate redirect URL when the param provided
|
50
|
+
one is unsafe.
|
194
51
|
|
195
|
-
|
196
|
-
|
197
|
-
|
52
|
+
```ruby
|
53
|
+
def create
|
54
|
+
redirect_to url_from(params[:redirect_url]) || root_url
|
55
|
+
end
|
56
|
+
```
|
198
57
|
|
199
|
-
*
|
58
|
+
*dmcge*, *Kasper Timm Hansen*
|
200
59
|
|
201
|
-
*
|
60
|
+
* Allow Capybara driver name overrides in `SystemTestCase::driven_by`
|
202
61
|
|
203
|
-
|
62
|
+
Allow users to prevent conflicts among drivers that use the same driver
|
63
|
+
type (selenium, poltergeist, webkit, rack test).
|
204
64
|
|
205
|
-
|
206
|
-
without passing a block now returns an enumerator.
|
65
|
+
Fixes #42502
|
207
66
|
|
208
|
-
*
|
67
|
+
*Chris LaRose*
|
209
68
|
|
210
|
-
*
|
69
|
+
* Allow multiline to be passed in routes when using wildcard segments.
|
211
70
|
|
212
|
-
Previously
|
213
|
-
|
71
|
+
Previously routes with newlines weren't detected when using wildcard segments, returning
|
72
|
+
a `No route matches` error.
|
73
|
+
After this change, routes with newlines are detected on wildcard segments. Example
|
214
74
|
|
215
75
|
```ruby
|
216
|
-
|
217
|
-
|
76
|
+
draw do
|
77
|
+
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
78
|
+
end
|
218
79
|
|
219
|
-
|
220
|
-
|
80
|
+
# After the change, the path matches.
|
81
|
+
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
221
82
|
```
|
222
83
|
|
223
|
-
|
84
|
+
Fixes #39103
|
224
85
|
|
225
|
-
*
|
86
|
+
*Ignacio Chiazzo*
|
226
87
|
|
227
|
-
|
88
|
+
* Treat html suffix in controller translation.
|
228
89
|
|
229
|
-
*
|
230
|
-
strings/symbols with `String#constantize` instead of `require_dependency`.
|
90
|
+
*Rui Onodera*, *Gavin Miller*
|
231
91
|
|
232
|
-
|
233
|
-
always pass a module object:
|
92
|
+
* Allow permitting numeric params.
|
234
93
|
|
94
|
+
Previously it was impossible to permit different fields on numeric parameters.
|
95
|
+
After this change you can specify different fields for each numbered parameter.
|
96
|
+
For example params like,
|
235
97
|
```ruby
|
236
|
-
|
98
|
+
book: {
|
99
|
+
authors_attributes: {
|
100
|
+
'0': { name: "William Shakespeare", age_of_death: "52" },
|
101
|
+
'1': { name: "Unattributed Assistant" },
|
102
|
+
'2': "Not a hash",
|
103
|
+
'new_record': { name: "Some name" }
|
104
|
+
}
|
105
|
+
}
|
237
106
|
```
|
238
107
|
|
239
|
-
|
240
|
-
|
241
|
-
that same module object.
|
108
|
+
Before you could permit name on each author with,
|
109
|
+
`permit book: { authors_attributes: [ :name ] }`
|
242
110
|
|
243
|
-
|
111
|
+
After this change you can permit different keys on each numbered element,
|
112
|
+
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
244
113
|
|
245
|
-
|
114
|
+
Fixes #41625
|
246
115
|
|
247
|
-
*
|
248
|
-
|
249
|
-
* `url_for` will now use "https://" as the default protocol when
|
250
|
-
`Rails.application.config.force_ssl` is set to true.
|
251
|
-
|
252
|
-
*Jonathan Hefner*
|
253
|
-
|
254
|
-
* Accept and default to base64_urlsafe CSRF tokens.
|
116
|
+
*Adam Hess*
|
255
117
|
|
256
|
-
|
257
|
-
|
258
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
259
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
118
|
+
* Update `HostAuthorization` middleware to render debug info only
|
119
|
+
when `config.consider_all_requests_local` is set to true.
|
260
120
|
|
261
|
-
|
262
|
-
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
263
|
-
for backwards compatibility.
|
121
|
+
Also, blocked host info is always logged with level `error`.
|
264
122
|
|
265
|
-
|
123
|
+
Fixes #42813
|
266
124
|
|
267
|
-
*
|
125
|
+
*Nikita Vyrko*
|
268
126
|
|
269
|
-
|
270
|
-
both old and new instances during deployment. Users may be served by a
|
271
|
-
new instance and then by an old instance.
|
127
|
+
* Add Server-Timing middleware
|
272
128
|
|
273
|
-
|
274
|
-
|
275
|
-
from `false` to `true`, users may lose their sessions if they access the
|
276
|
-
server during deployment.
|
129
|
+
Server-Timing specification defines how the server can communicate to browsers performance metrics
|
130
|
+
about the request it is responding to.
|
277
131
|
|
278
|
-
|
279
|
-
|
132
|
+
The ServerTiming middleware is enabled by default on `development` environment by default using the
|
133
|
+
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
280
134
|
|
281
|
-
|
135
|
+
The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
|
282
136
|
|
283
|
-
*
|
137
|
+
*Sebastian Sogamoso*, *Guillermo Iguaran*
|
284
138
|
|
285
|
-
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
286
|
-
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
287
139
|
|
288
|
-
|
140
|
+
## Rails 7.0.0.alpha2 (September 15, 2021) ##
|
289
141
|
|
290
|
-
*
|
142
|
+
* No changes.
|
291
143
|
|
292
|
-
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
293
|
-
gem dalli to be updated as well.
|
294
144
|
|
295
|
-
|
145
|
+
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
296
146
|
|
297
|
-
*
|
147
|
+
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
|
148
|
+
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
149
|
+
malformed JSON.
|
298
150
|
|
299
|
-
|
300
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
301
|
-
from being correctly counted and reported.
|
151
|
+
Fixes #41145
|
302
152
|
|
303
|
-
|
304
|
-
root session.
|
153
|
+
*Aaron Lahey*
|
305
154
|
|
306
|
-
|
155
|
+
* Add `Middleware#delete!` to delete middleware or raise if not found.
|
307
156
|
|
308
|
-
|
157
|
+
`Middleware#delete!` works just like `Middleware#delete` but will
|
158
|
+
raise an error if the middleware isn't found.
|
309
159
|
|
310
|
-
*
|
160
|
+
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
|
311
161
|
|
312
|
-
|
313
|
-
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
162
|
+
* Raise error on unpermitted open redirects.
|
314
163
|
|
315
|
-
|
164
|
+
Add `allow_other_host` options to `redirect_to`.
|
165
|
+
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
316
166
|
|
317
|
-
|
167
|
+
*Gannon McGibbon*
|
318
168
|
|
319
|
-
|
169
|
+
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
|
320
170
|
|
321
|
-
|
171
|
+
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
|
322
172
|
|
323
|
-
|
173
|
+
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
|
324
174
|
|
325
|
-
*
|
175
|
+
*Yusuke Iwaki*
|
326
176
|
|
327
|
-
*
|
177
|
+
* Exclude additional flash types from `ActionController::Base.action_methods`.
|
328
178
|
|
329
|
-
|
330
|
-
|
331
|
-
that this wasn't fully the case and loading external route files from the router
|
332
|
-
can be helpful for applications with a really large set of routes.
|
333
|
-
Without this feature, application needs to implement routes reloading
|
334
|
-
themselves and it's not straightforward.
|
179
|
+
Ensures that additional flash types defined on ActionController::Base subclasses
|
180
|
+
are not listed as actions on that controller.
|
335
181
|
|
336
|
-
|
337
|
-
|
182
|
+
class MyController < ApplicationController
|
183
|
+
add_flash_types :hype
|
184
|
+
end
|
338
185
|
|
339
|
-
|
340
|
-
draw(:admin)
|
341
|
-
end
|
186
|
+
MyController.action_methods.include?('hype') # => false
|
342
187
|
|
343
|
-
|
188
|
+
*Gavin Morrice*
|
344
189
|
|
345
|
-
|
346
|
-
```
|
190
|
+
* OpenSSL constants are now used for Digest computations.
|
347
191
|
|
348
|
-
*
|
192
|
+
*Dirkjan Bussink*
|
349
193
|
|
350
|
-
*
|
194
|
+
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
|
351
195
|
|
352
|
-
|
196
|
+
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
|
353
197
|
|
354
|
-
*
|
355
|
-
their payloads as `:request`.
|
198
|
+
*Tadas Sasnauskas*
|
356
199
|
|
357
|
-
|
200
|
+
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
|
201
|
+
present in `rescued_responses`.
|
358
202
|
|
359
|
-
|
360
|
-
|
203
|
+
It may be too noisy to get all backtraces logged for applications that manage uncaught
|
204
|
+
exceptions via `rescued_responses` and `exceptions_app`.
|
205
|
+
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
206
|
+
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
361
207
|
|
362
|
-
|
208
|
+
*Alexander Azarov*, *Mike Dalessio*
|
363
209
|
|
364
|
-
|
365
|
-
def my_action
|
366
|
-
respond_to do |format|
|
367
|
-
format.any { render(json: { foo: 'bar' }) }
|
368
|
-
end
|
369
|
-
end
|
210
|
+
* Ignore file fixtures on `db:fixtures:load`.
|
370
211
|
|
371
|
-
|
372
|
-
```
|
212
|
+
*Kevin Sjöberg*
|
373
213
|
|
374
|
-
|
375
|
-
is inaccurate since a JSON response is being rendered.
|
214
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
376
215
|
|
377
|
-
|
216
|
+
*Dylan Thacker-Smith*
|
378
217
|
|
379
|
-
|
218
|
+
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
|
380
219
|
|
381
|
-
*
|
220
|
+
*Tadas Sasnauskas*
|
382
221
|
|
383
|
-
|
384
|
-
nested directory, causing issues with `tmp:clear`.
|
222
|
+
* Drop support for the `SERVER_ADDR` header.
|
385
223
|
|
386
|
-
|
224
|
+
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
|
387
225
|
|
388
|
-
*
|
226
|
+
*Ricardo Díaz*
|
389
227
|
|
390
|
-
|
228
|
+
* Set session options when initializing a basic session.
|
391
229
|
|
392
|
-
*
|
230
|
+
*Gannon McGibbon*
|
393
231
|
|
394
|
-
|
395
|
-
* `:response` - the `ActionDispatch::Response`
|
232
|
+
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
|
396
233
|
|
397
|
-
|
234
|
+
Works as a shortcut to set `response.cache_control` with the above methods.
|
398
235
|
|
399
|
-
*
|
400
|
-
`remote_ip` to `nil` before setting the header that the value is derived
|
401
|
-
from.
|
236
|
+
*Jacopo Beschi*
|
402
237
|
|
403
|
-
|
238
|
+
* Writing into a disabled session will now raise an error.
|
404
239
|
|
405
|
-
|
240
|
+
Previously when no session store was set, writing into the session would silently fail.
|
406
241
|
|
407
|
-
*
|
242
|
+
*Jean Boussier*
|
408
243
|
|
409
|
-
|
410
|
-
# Use the debug level if a particular cookie is set.
|
411
|
-
class ApplicationController < ActionController::Base
|
412
|
-
log_at :debug, if: -> { cookies[:debug] }
|
413
|
-
end
|
414
|
-
```
|
244
|
+
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
415
245
|
|
416
|
-
|
246
|
+
Fixes #42034.
|
417
247
|
|
418
|
-
*
|
419
|
-
a test by prefixing the file name with an incrementing counter.
|
248
|
+
*lfalcao*
|
420
249
|
|
421
|
-
|
422
|
-
enable saving of HTML during a screenshot in addition to the image.
|
423
|
-
This uses the same image name, with the extension replaced with `.html`
|
250
|
+
* Remove inline styles and address basic accessibility issues on rescue templates.
|
424
251
|
|
425
|
-
*
|
252
|
+
*Jacob Herrington*
|
426
253
|
|
427
|
-
* Add
|
254
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
428
255
|
|
429
|
-
|
430
|
-
header to determine what to return. And if we don't add `Vary`
|
431
|
-
in the response header, browsers might accidentally cache different
|
432
|
-
types of content, which would cause issues: e.g. javascript got displayed
|
433
|
-
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
434
|
-
in these types of requests. For more detailed problem description, please read:
|
256
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
435
257
|
|
436
|
-
|
258
|
+
*Alex Smith*
|
437
259
|
|
438
|
-
|
260
|
+
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
|
261
|
+
know which controller action received unpermitted parameters.
|
439
262
|
|
440
|
-
*
|
263
|
+
*bbuchalter*
|
441
264
|
|
442
|
-
*
|
443
|
-
a 307 redirection.
|
265
|
+
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
|
444
266
|
|
445
|
-
|
267
|
+
```ruby
|
268
|
+
send_stream(filename: "subscribers.csv") do |stream|
|
269
|
+
stream.writeln "email_address,updated_at"
|
446
270
|
|
447
|
-
|
271
|
+
@subscribers.find_each do |subscriber|
|
272
|
+
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
273
|
+
end
|
274
|
+
end
|
275
|
+
```
|
448
276
|
|
449
|
-
*
|
277
|
+
*DHH*
|
450
278
|
|
451
|
-
*
|
279
|
+
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
|
452
280
|
|
453
|
-
*
|
281
|
+
*DHH*
|
454
282
|
|
455
|
-
*
|
283
|
+
* `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
|
456
284
|
|
457
|
-
|
458
|
-
|
459
|
-
specification and guidelines can be found at MDN:
|
285
|
+
Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
|
286
|
+
This behavior changed to returned Content-Type header containing charset part as it is.
|
460
287
|
|
461
|
-
|
288
|
+
If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
|
462
289
|
|
463
|
-
|
290
|
+
Before:
|
464
291
|
|
465
292
|
```ruby
|
466
|
-
|
467
|
-
|
468
|
-
f.gyroscope :none
|
469
|
-
f.microphone :none
|
470
|
-
f.usb :none
|
471
|
-
f.fullscreen :self
|
472
|
-
f.payment :self, "https://secure.example.com"
|
473
|
-
end
|
293
|
+
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
294
|
+
request.content_type #=> "text/csv"
|
474
295
|
```
|
475
296
|
|
476
|
-
|
297
|
+
After:
|
477
298
|
|
478
299
|
```ruby
|
479
|
-
|
480
|
-
|
481
|
-
|
482
|
-
end
|
483
|
-
end
|
300
|
+
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
301
|
+
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
302
|
+
request.media_type #=> "text/csv"
|
484
303
|
```
|
485
304
|
|
486
|
-
*
|
305
|
+
*Rafael Mendonça França*
|
487
306
|
|
488
|
-
*
|
307
|
+
* Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
|
489
308
|
|
490
|
-
|
309
|
+
*Rafael Mendonça França*
|
491
310
|
|
492
|
-
|
311
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
493
312
|
|
494
|
-
*
|
313
|
+
*Janko Marohnić*
|
495
314
|
|
496
|
-
|
497
|
-
take parameters the scope was lost when using path helpers. This commit
|
498
|
-
ensures scope is kept both when the route takes parameters or when it
|
499
|
-
doesn't.
|
315
|
+
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
|
500
316
|
|
501
|
-
|
317
|
+
*ojab*
|
502
318
|
|
503
|
-
|
319
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
504
320
|
|
505
|
-
*
|
321
|
+
*Alex Robbin*
|
506
322
|
|
507
|
-
|
323
|
+
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
|
324
|
+
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
325
|
+
with a single value or an enumerable.
|
508
326
|
|
509
|
-
|
510
|
-
an enumerator for the parameters instead of the underlying hash.
|
327
|
+
Fixes #40772.
|
511
328
|
|
512
|
-
*
|
329
|
+
*Christian Sutter*
|
513
330
|
|
514
|
-
*
|
515
|
-
|
331
|
+
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
|
332
|
+
The old method name is retained without explicit deprecation.
|
516
333
|
|
517
|
-
*
|
334
|
+
*DHH*
|
518
335
|
|
519
336
|
|
520
|
-
Please check [6-
|
337
|
+
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
|
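Review bot: the `ActionDispatch::Request#content_type` entry's Before and After examples build the request with different env keys: the Before block uses `"CONTENT_TYPE" => "text/csv; header=present; charset=utf-16"` while the After block uses `"Content-Type" => "text/csv; header=present; charset=utf-16"`; the Rack env key is `CONTENT_TYPE`, so the After block should use the same key as the Before block or the example will not behave as described. Two wording points in the same hunk: the 'require-trusted-types-for' and 'trusted-types' entry calls them headers, but they are Content-Security-Policy directives (the change lands in `action_dispatch/http/content_security_policy.rb` per the file list), so 'directives' would be accurate; and the Server-Timing entry reads "enabled by default on `development` environment by default", repeating "by default".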