actionpack 6.1.5 → 7.0.0.alpha1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +99 -521
- data/MIT-LICENSE +2 -1
- data/README.rdoc +2 -3
- data/lib/abstract_controller/asset_paths.rb +1 -1
- data/lib/abstract_controller/base.rb +7 -21
- data/lib/abstract_controller/caching/fragments.rb +2 -2
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +9 -8
- data/lib/abstract_controller/collector.rb +2 -2
- data/lib/abstract_controller/error.rb +1 -1
- data/lib/abstract_controller/helpers.rb +3 -2
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/translation.rb +0 -2
- data/lib/abstract_controller/url_for.rb +4 -6
- data/lib/action_controller/api.rb +1 -1
- data/lib/action_controller/log_subscriber.rb +3 -1
- data/lib/action_controller/metal/conditional_get.rb +38 -1
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/cookies.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +5 -13
- data/lib/action_controller/metal/exceptions.rb +19 -30
- data/lib/action_controller/metal/flash.rb +6 -2
- data/lib/action_controller/metal/http_authentication.rb +15 -16
- data/lib/action_controller/metal/instrumentation.rb +55 -52
- data/lib/action_controller/metal/live.rb +42 -2
- data/lib/action_controller/metal/mime_responds.rb +3 -3
- data/lib/action_controller/metal/params_wrapper.rb +7 -7
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/query_tags.rb +16 -0
- data/lib/action_controller/metal/redirecting.rb +50 -16
- data/lib/action_controller/metal/rendering.rb +7 -7
- data/lib/action_controller/metal/request_forgery_protection.rb +64 -20
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/streaming.rb +1 -3
- data/lib/action_controller/metal/strong_parameters.rb +25 -29
- data/lib/action_controller/metal/testing.rb +0 -2
- data/lib/action_controller/metal.rb +7 -10
- data/lib/action_controller/railtie.rb +42 -5
- data/lib/action_controller/test_case.rb +6 -2
- data/lib/action_controller.rb +2 -5
- data/lib/action_dispatch/http/cache.rb +13 -6
- data/lib/action_dispatch/http/content_security_policy.rb +40 -37
- data/lib/action_dispatch/http/filter_parameters.rb +5 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +13 -3
- data/lib/action_dispatch/http/mime_type.rb +9 -11
- data/lib/action_dispatch/http/parameters.rb +4 -4
- data/lib/action_dispatch/http/permissions_policy.rb +1 -1
- data/lib/action_dispatch/http/request.rb +10 -19
- data/lib/action_dispatch/http/response.rb +3 -3
- data/lib/action_dispatch/http/url.rb +9 -10
- data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
- data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
- data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
- data/lib/action_dispatch/journey/nodes/node.rb +70 -5
- data/lib/action_dispatch/journey/path/pattern.rb +22 -13
- data/lib/action_dispatch/journey/route.rb +5 -12
- data/lib/action_dispatch/journey/router/utils.rb +2 -2
- data/lib/action_dispatch/journey/router.rb +1 -1
- data/lib/action_dispatch/journey/routes.rb +3 -3
- data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
- data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +0 -1
- data/lib/action_dispatch/middleware/cookies.rb +7 -3
- data/lib/action_dispatch/middleware/debug_exceptions.rb +6 -4
- data/lib/action_dispatch/middleware/debug_locks.rb +3 -3
- data/lib/action_dispatch/middleware/exception_wrapper.rb +4 -0
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/middleware/flash.rb +9 -11
- data/lib/action_dispatch/middleware/host_authorization.rb +25 -73
- data/lib/action_dispatch/middleware/remote_ip.rb +16 -4
- data/lib/action_dispatch/middleware/session/abstract_store.rb +1 -1
- data/lib/action_dispatch/middleware/show_exceptions.rb +6 -18
- data/lib/action_dispatch/middleware/stack.rb +50 -9
- data/lib/action_dispatch/middleware/static.rb +2 -5
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +28 -18
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +5 -14
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +43 -13
- data/lib/action_dispatch/routing/mapper.rb +44 -72
- data/lib/action_dispatch/routing/redirection.rb +0 -2
- data/lib/action_dispatch/routing/route_set.rb +7 -4
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +1 -2
- data/lib/action_dispatch/routing.rb +2 -2
- data/lib/action_dispatch/system_test_case.rb +6 -12
- data/lib/action_dispatch/system_testing/driver.rb +24 -4
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +10 -6
- data/lib/action_dispatch/testing/assertions.rb +2 -5
- data/lib/action_dispatch/testing/integration.rb +6 -8
- data/lib/action_dispatch/testing/test_process.rb +2 -2
- data/lib/action_dispatch.rb +1 -1
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack.rb +1 -1
- metadata +18 -18
data/CHANGELOG.md
CHANGED
@@ -1,101 +1,69 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
|
4
|
+
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
5
|
+
malformed JSON.
|
4
6
|
|
5
|
-
|
6
|
-
single quoted when the directive was the result of calling a lambda
|
7
|
-
returning an array.
|
7
|
+
Fixes #41145
|
8
8
|
|
9
|
-
|
10
|
-
content_security_policy do |policy|
|
11
|
-
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
12
|
-
end
|
13
|
-
```
|
14
|
-
|
15
|
-
With this fix the policy generated from above will now be valid.
|
16
|
-
|
17
|
-
*Edouard Chin*
|
18
|
-
|
19
|
-
* Update `HostAuthorization` middleware to render debug info only
|
20
|
-
when `config.consider_all_requests_local` is set to true.
|
21
|
-
|
22
|
-
Also, blocked host info is always logged with level `error`.
|
23
|
-
|
24
|
-
Fixes #42813.
|
25
|
-
|
26
|
-
*Nikita Vyrko*
|
27
|
-
|
28
|
-
* Dup arrays that get "converted".
|
29
|
-
|
30
|
-
Fixes #43681.
|
31
|
-
|
32
|
-
*Aaron Patterson*
|
33
|
-
|
34
|
-
* Don't show deprecation warning for equal paths.
|
35
|
-
|
36
|
-
*Anton Rieder*
|
9
|
+
*Aaron Lahey*
|
37
10
|
|
38
|
-
*
|
11
|
+
* Add `Middleware#delete!` to delete middleware or raise if not found.
|
39
12
|
|
40
|
-
|
13
|
+
`Middleware#delete!` works just like `Middleware#delete` but will
|
14
|
+
raise an error if the middleware isn't found.
|
41
15
|
|
42
|
-
*Alex Ghiculescu*
|
16
|
+
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
|
43
17
|
|
44
|
-
*
|
18
|
+
* Raise error on unpermitted open redirects.
|
45
19
|
|
46
|
-
|
20
|
+
Add `allow_other_host` options to `redirect_to`.
|
21
|
+
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
47
22
|
|
48
|
-
*
|
49
|
-
|
50
|
-
* Add more detail about what hosts are allowed.
|
51
|
-
|
52
|
-
*Alex Ghiculescu*
|
53
|
-
|
54
|
-
|
55
|
-
## Rails 6.1.4.7 (March 08, 2022) ##
|
56
|
-
|
57
|
-
* No changes.
|
58
|
-
|
59
|
-
|
60
|
-
## Rails 6.1.4.6 (February 11, 2022) ##
|
61
|
-
|
62
|
-
* No changes.
|
23
|
+
*Gannon McGibbon*
|
63
24
|
|
25
|
+
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
|
64
26
|
|
65
|
-
|
27
|
+
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
|
66
28
|
|
67
|
-
|
68
|
-
response body has been fully closed which result in request state not
|
69
|
-
being fully reset before the next request
|
29
|
+
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
|
70
30
|
|
71
|
-
|
31
|
+
*Yusuke Iwaki*
|
72
32
|
|
33
|
+
* Exclude additional flash types from `ActionController::Base.action_methods`.
|
73
34
|
|
74
|
-
|
35
|
+
Ensures that additional flash types defined on ActionController::Base subclasses
|
36
|
+
are not listed as actions on that controller.
|
75
37
|
|
76
|
-
|
38
|
+
class MyController < ApplicationController
|
39
|
+
add_flash_types :hype
|
40
|
+
end
|
77
41
|
|
42
|
+
MyController.action_methods.include?('hype') # => false
|
78
43
|
|
79
|
-
|
44
|
+
*Gavin Morrice*
|
80
45
|
|
81
|
-
*
|
46
|
+
* OpenSSL constants are now used for Digest computations.
|
82
47
|
|
48
|
+
*Dirkjan Bussink*
|
83
49
|
|
84
|
-
|
50
|
+
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
|
85
51
|
|
86
|
-
|
52
|
+
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
|
87
53
|
|
88
|
-
|
54
|
+
*Tadas Sasnauskas*
|
89
55
|
|
90
|
-
*
|
56
|
+
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
|
57
|
+
present in `rescued_responses`.
|
91
58
|
|
92
|
-
|
93
|
-
|
94
|
-
|
59
|
+
It may be too noisy to get all backtraces logged for applications that manage uncaught
|
60
|
+
exceptions via `rescued_responses` and `exceptions_app`.
|
61
|
+
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
62
|
+
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
95
63
|
|
96
|
-
|
64
|
+
*Alexander Azarov*, *Mike Dalessio*
|
97
65
|
|
98
|
-
* Ignore file fixtures on `db:fixtures:load
|
66
|
+
* Ignore file fixtures on `db:fixtures:load`.
|
99
67
|
|
100
68
|
*Kevin Sjöberg*
|
101
69
|
|
@@ -103,513 +71,123 @@
|
|
103
71
|
|
104
72
|
*Dylan Thacker-Smith*
|
105
73
|
|
106
|
-
*
|
107
|
-
|
108
|
-
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
109
|
-
of the path as parameter for example:
|
110
|
-
|
111
|
-
```
|
112
|
-
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
113
|
-
things_path(optional_id: false) # => /things?optional_id=false
|
114
|
-
```
|
115
|
-
|
116
|
-
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
117
|
-
|
118
|
-
```
|
119
|
-
get '(this/:my_bool)/that' as: :that
|
120
|
-
|
121
|
-
that_path(my_bool: true) # => `/this/true/that`
|
122
|
-
that_path(my_bool: false) # => `/this/false/that`
|
123
|
-
```
|
124
|
-
|
125
|
-
*Adam Hess*
|
126
|
-
|
127
|
-
* Add support for 'private, no-store' Cache-Control headers.
|
128
|
-
|
129
|
-
Previously, 'no-store' was exclusive; no other directives could be specified.
|
130
|
-
|
131
|
-
*Alex Smith*
|
132
|
-
|
74
|
+
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
|
133
75
|
|
134
|
-
|
76
|
+
*Tadas Sasnauskas*
|
135
77
|
|
136
|
-
*
|
137
|
-
CVE-2021-22903
|
78
|
+
* Drop support for the `SERVER_ADDR` header.
|
138
79
|
|
139
|
-
|
140
|
-
CVE-2021-22902
|
80
|
+
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
|
141
81
|
|
142
|
-
*
|
143
|
-
CVE-2021-22904
|
82
|
+
*Ricardo Díaz*
|
144
83
|
|
145
|
-
*
|
146
|
-
|
147
|
-
`url_for` supports building polymorphic URLs via an array
|
148
|
-
of arguments (usually symbols and records). If a developer passes a
|
149
|
-
user input array, strings can result in unwanted route helper calls.
|
150
|
-
|
151
|
-
CVE-2021-22885
|
84
|
+
* Set session options when initializing a basic session.
|
152
85
|
|
153
86
|
*Gannon McGibbon*
|
154
87
|
|
155
|
-
|
156
|
-
|
157
|
-
* No changes.
|
158
|
-
|
159
|
-
|
160
|
-
## Rails 6.1.3 (February 17, 2021) ##
|
161
|
-
|
162
|
-
* Re-define routes when not set correctly via inheritance.
|
163
|
-
|
164
|
-
*John Hawthorn*
|
165
|
-
|
166
|
-
|
167
|
-
## Rails 6.1.2.1 (February 10, 2021) ##
|
168
|
-
|
169
|
-
* Prevent open redirect when allowed host starts with a dot
|
170
|
-
|
171
|
-
[CVE-2021-22881]
|
172
|
-
|
173
|
-
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
174
|
-
issue and the patch!
|
175
|
-
|
176
|
-
*Aaron Patterson*
|
177
|
-
|
178
|
-
|
179
|
-
## Rails 6.1.2 (February 09, 2021) ##
|
180
|
-
|
181
|
-
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
182
|
-
|
183
|
-
*Janko Marohnić*
|
184
|
-
|
185
|
-
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
186
|
-
|
187
|
-
*Eugene Kenny*
|
188
|
-
|
189
|
-
|
190
|
-
## Rails 6.1.1 (January 07, 2021) ##
|
191
|
-
|
192
|
-
* Fix nil translation key lookup in controllers/
|
193
|
-
|
194
|
-
*Jan Klimo*
|
195
|
-
|
196
|
-
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
197
|
-
|
198
|
-
*Alex Robbin*
|
199
|
-
|
200
|
-
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
201
|
-
|
202
|
-
*Alex Robbin*
|
203
|
-
|
204
|
-
|
205
|
-
## Rails 6.1.0 (December 09, 2020) ##
|
206
|
-
|
207
|
-
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
208
|
-
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
209
|
-
|
210
|
-
```ruby
|
211
|
-
Rails.application.config.permissions_policy do |p|
|
212
|
-
p.camera :none
|
213
|
-
p.gyroscope :none
|
214
|
-
p.microphone :none
|
215
|
-
p.usb :none
|
216
|
-
p.fullscreen :self
|
217
|
-
p.payment :self, "https://secure-example.com"
|
218
|
-
end
|
219
|
-
```
|
220
|
-
|
221
|
-
*Julien Grillot*
|
222
|
-
|
223
|
-
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
224
|
-
|
225
|
-
Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
|
226
|
-
|
227
|
-
*Chris Bisnett*
|
228
|
-
|
229
|
-
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
230
|
-
the unique X-Request-Id header
|
231
|
-
|
232
|
-
*Arlston Fernandes*
|
233
|
-
|
234
|
-
* Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
|
235
|
-
|
236
|
-
*Rafael Mendonça França*
|
237
|
-
|
238
|
-
* Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
|
239
|
-
|
240
|
-
*Rafael Mendonça França*
|
241
|
-
|
242
|
-
* Remove deprecated `ActionDispatch::Http::ParameterFilter`.
|
243
|
-
|
244
|
-
*Rafael Mendonça França*
|
245
|
-
|
246
|
-
* Added support for exclusive no-store Cache-Control header.
|
247
|
-
|
248
|
-
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
249
|
-
|
250
|
-
*Chris Kruger*
|
251
|
-
|
252
|
-
* Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
|
253
|
-
|
254
|
-
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
255
|
-
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
256
|
-
|
257
|
-
*Adrianna Chang*
|
258
|
-
|
259
|
-
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
260
|
-
|
261
|
-
*Gannon McGibbon*
|
262
|
-
|
263
|
-
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
264
|
-
|
265
|
-
*Alan Tan*, *Oz Ben-David*
|
266
|
-
|
267
|
-
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
268
|
-
a 308 redirection.
|
88
|
+
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
|
269
89
|
|
270
|
-
|
90
|
+
Works as a shortcut to set `response.cache_control` with the above methods.
|
271
91
|
|
272
|
-
*
|
273
|
-
chosen only if it is equal to or is a superdomain of the request host.
|
92
|
+
*Jacopo Beschi*
|
274
93
|
|
275
|
-
|
94
|
+
* Writing into a disabled session will now raise an error.
|
276
95
|
|
277
|
-
|
96
|
+
Previously when no session store was set, writing into the session would silently fail.
|
278
97
|
|
279
|
-
|
280
|
-
Brotli files are preferred due to much better compression.
|
98
|
+
*Jean Boussier*
|
281
99
|
|
282
|
-
|
283
|
-
we check for public/some.js.br and serve that file, if present, with
|
284
|
-
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
100
|
+
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
285
101
|
|
286
|
-
|
102
|
+
Fixes #42034.
|
287
103
|
|
288
|
-
*
|
104
|
+
*lfalcao*
|
289
105
|
|
290
|
-
|
291
|
-
It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
|
292
|
-
configuration also affects raising error for missing translations in views.
|
106
|
+
* Remove inline styles and address basic accessibility issues on rescue templates.
|
293
107
|
|
294
|
-
*
|
108
|
+
*Jacob Herrington*
|
295
109
|
|
296
|
-
*
|
297
|
-
|
298
|
-
*Eugene Kenny*
|
299
|
-
|
300
|
-
* Calling `each_pair` or `each_value` on an `ActionController::Parameters`
|
301
|
-
without passing a block now returns an enumerator.
|
302
|
-
|
303
|
-
*Eugene Kenny*
|
304
|
-
|
305
|
-
* `fixture_file_upload` now uses path relative to `file_fixture_path`
|
306
|
-
|
307
|
-
Previously the path had to be relative to `fixture_path`.
|
308
|
-
You can change your existing code as follow:
|
309
|
-
|
310
|
-
```ruby
|
311
|
-
# Before
|
312
|
-
fixture_file_upload('files/dog.png')
|
313
|
-
|
314
|
-
# After
|
315
|
-
fixture_file_upload('dog.png')
|
316
|
-
```
|
317
|
-
|
318
|
-
*Edouard Chin*
|
319
|
-
|
320
|
-
* Remove deprecated `force_ssl` at the controller level.
|
321
|
-
|
322
|
-
*Rafael Mendonça França*
|
323
|
-
|
324
|
-
* The +helper+ class method for controllers loads helper modules specified as
|
325
|
-
strings/symbols with `String#constantize` instead of `require_dependency`.
|
326
|
-
|
327
|
-
Remember that support for strings/symbols is only a convenient API. You can
|
328
|
-
always pass a module object:
|
329
|
-
|
330
|
-
```ruby
|
331
|
-
helper UtilsHelper
|
332
|
-
```
|
333
|
-
|
334
|
-
which is recommended because it is simple and direct. When a string/symbol
|
335
|
-
is received, `helper` just manipulates and inflects the argument to obtain
|
336
|
-
that same module object.
|
337
|
-
|
338
|
-
*Xavier Noria*, *Jean Boussier*
|
339
|
-
|
340
|
-
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
341
|
-
|
342
|
-
*Nick Soracco*
|
343
|
-
|
344
|
-
* `url_for` will now use "https://" as the default protocol when
|
345
|
-
`Rails.application.config.force_ssl` is set to true.
|
346
|
-
|
347
|
-
*Jonathan Hefner*
|
348
|
-
|
349
|
-
* Accept and default to base64_urlsafe CSRF tokens.
|
350
|
-
|
351
|
-
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
352
|
-
them difficult to deal with. For example, the common practice of sending
|
353
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
354
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
355
|
-
|
356
|
-
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
|
357
|
-
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
358
|
-
for backwards compatibility.
|
359
|
-
|
360
|
-
*Scott Blum*
|
361
|
-
|
362
|
-
* Support rolling deploys for cookie serialization/encryption changes.
|
363
|
-
|
364
|
-
In a distributed configuration like rolling update, users may observe
|
365
|
-
both old and new instances during deployment. Users may be served by a
|
366
|
-
new instance and then by an old instance.
|
367
|
-
|
368
|
-
That means when the server changes `cookies_serializer` from `:marshal`
|
369
|
-
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
370
|
-
from `false` to `true`, users may lose their sessions if they access the
|
371
|
-
server during deployment.
|
372
|
-
|
373
|
-
We added fallbacks to downgrade the cookie format when necessary during
|
374
|
-
deployment, ensuring compatibility on both old and new instances.
|
375
|
-
|
376
|
-
*Masaki Hara*
|
377
|
-
|
378
|
-
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
379
|
-
|
380
|
-
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
381
|
-
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
382
|
-
|
383
|
-
*Keenan Brock*
|
384
|
-
|
385
|
-
* Fix possible information leak / session hijacking vulnerability.
|
386
|
-
|
387
|
-
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
388
|
-
gem dalli to be updated as well.
|
389
|
-
|
390
|
-
CVE-2019-16782.
|
391
|
-
|
392
|
-
* Include child session assertion count in ActionDispatch::IntegrationTest.
|
393
|
-
|
394
|
-
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
395
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
396
|
-
from being correctly counted and reported.
|
397
|
-
|
398
|
-
Child sessions now have their `attr_accessor` overridden to delegate to the
|
399
|
-
root session.
|
400
|
-
|
401
|
-
Fixes #32142.
|
402
|
-
|
403
|
-
*Sam Bostock*
|
404
|
-
|
405
|
-
* Add SameSite protection to every written cookie.
|
406
|
-
|
407
|
-
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
408
|
-
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
409
|
-
|
410
|
-
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
411
|
-
|
412
|
-
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
413
|
-
|
414
|
-
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
110
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
415
111
|
|
416
|
-
|
112
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
417
113
|
|
418
|
-
|
114
|
+
*Alex Smith*
|
419
115
|
|
420
|
-
|
116
|
+
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
|
117
|
+
know which controller action received unpermitted parameters.
|
421
118
|
|
422
|
-
*
|
119
|
+
*bbuchalter*
|
423
120
|
|
424
|
-
|
425
|
-
https://github.com/rails/routing_concerns was a better approach. Turned out
|
426
|
-
that this wasn't fully the case and loading external route files from the router
|
427
|
-
can be helpful for applications with a really large set of routes.
|
428
|
-
Without this feature, application needs to implement routes reloading
|
429
|
-
themselves and it's not straightforward.
|
121
|
+
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
|
430
122
|
|
431
123
|
```ruby
|
432
|
-
|
433
|
-
|
434
|
-
Rails.application.routes.draw do
|
435
|
-
draw(:admin)
|
436
|
-
end
|
437
|
-
|
438
|
-
# config/routes/admin.rb
|
439
|
-
|
440
|
-
get :foo, to: 'foo#bar'
|
441
|
-
```
|
442
|
-
|
443
|
-
*Yehuda Katz*, *Edouard Chin*
|
444
|
-
|
445
|
-
* Fix system test driver option initialization for non-headless browsers.
|
446
|
-
|
447
|
-
*glaszig*
|
124
|
+
send_stream(filename: "subscribers.csv") do |stream|
|
125
|
+
stream.writeln "email_address,updated_at"
|
448
126
|
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
*Austin Story*
|
453
|
-
|
454
|
-
* `respond_to#any` no longer returns a response's Content-Type based on the
|
455
|
-
request format but based on the block given.
|
456
|
-
|
457
|
-
Example:
|
458
|
-
|
459
|
-
```ruby
|
460
|
-
def my_action
|
461
|
-
respond_to do |format|
|
462
|
-
format.any { render(json: { foo: 'bar' }) }
|
463
|
-
end
|
127
|
+
@subscribers.find_each do |subscriber|
|
128
|
+
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
464
129
|
end
|
465
|
-
|
466
|
-
get('my_action.csv')
|
467
|
-
```
|
468
|
-
|
469
|
-
The previous behaviour was to respond with a `text/csv` Content-Type which
|
470
|
-
is inaccurate since a JSON response is being rendered.
|
471
|
-
|
472
|
-
Now it correctly returns a `application/json` Content-Type.
|
473
|
-
|
474
|
-
*Edouard Chin*
|
475
|
-
|
476
|
-
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
477
|
-
|
478
|
-
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
479
|
-
nested directory, causing issues with `tmp:clear`.
|
480
|
-
|
481
|
-
*Damir Zekic*
|
482
|
-
|
483
|
-
* Add `params.member?` to mimic Hash behavior.
|
484
|
-
|
485
|
-
*Younes Serraj*
|
486
|
-
|
487
|
-
* `process_action.action_controller` notifications now include the following in their payloads:
|
488
|
-
|
489
|
-
* `:request` - the `ActionDispatch::Request`
|
490
|
-
* `:response` - the `ActionDispatch::Response`
|
491
|
-
|
492
|
-
*George Claghorn*
|
493
|
-
|
494
|
-
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
495
|
-
`remote_ip` to `nil` before setting the header that the value is derived
|
496
|
-
from.
|
497
|
-
|
498
|
-
Fixes #37383.
|
499
|
-
|
500
|
-
*Norm Provost*
|
501
|
-
|
502
|
-
* `ActionController::Base.log_at` allows setting a different log level per request.
|
503
|
-
|
504
|
-
```ruby
|
505
|
-
# Use the debug level if a particular cookie is set.
|
506
|
-
class ApplicationController < ActionController::Base
|
507
|
-
log_at :debug, if: -> { cookies[:debug] }
|
508
130
|
end
|
509
131
|
```
|
510
132
|
|
511
|
-
*
|
512
|
-
|
513
|
-
* Allow system test screen shots to be taken more than once in
|
514
|
-
a test by prefixing the file name with an incrementing counter.
|
515
|
-
|
516
|
-
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
517
|
-
enable saving of HTML during a screenshot in addition to the image.
|
518
|
-
This uses the same image name, with the extension replaced with `.html`
|
519
|
-
|
520
|
-
*Tom Fakes*
|
521
|
-
|
522
|
-
* Add `Vary: Accept` header when using `Accept` header for response.
|
523
|
-
|
524
|
-
For some requests like `/users/1`, Rails uses requests' `Accept`
|
525
|
-
header to determine what to return. And if we don't add `Vary`
|
526
|
-
in the response header, browsers might accidentally cache different
|
527
|
-
types of content, which would cause issues: e.g. javascript got displayed
|
528
|
-
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
529
|
-
in these types of requests. For more detailed problem description, please read:
|
530
|
-
|
531
|
-
https://github.com/rails/rails/pull/36213
|
532
|
-
|
533
|
-
Fixes #25842.
|
534
|
-
|
535
|
-
*Stan Lo*
|
133
|
+
*DHH*
|
536
134
|
|
537
|
-
*
|
538
|
-
a 307 redirection.
|
135
|
+
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
|
539
136
|
|
540
|
-
*
|
137
|
+
*DHH*
|
541
138
|
|
542
|
-
*
|
139
|
+
* `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
|
543
140
|
|
544
|
-
|
141
|
+
Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
|
142
|
+
This behavior changed to returned Content-Type header containing charset part as it is.
|
545
143
|
|
546
|
-
|
144
|
+
If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
|
547
145
|
|
548
|
-
|
549
|
-
|
550
|
-
* Add DSL for configuring HTTP Feature Policy.
|
551
|
-
|
552
|
-
This new DSL provides a way to configure an HTTP Feature Policy at a
|
553
|
-
global or per-controller level. Full details of HTTP Feature Policy
|
554
|
-
specification and guidelines can be found at MDN:
|
555
|
-
|
556
|
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
557
|
-
|
558
|
-
Example global policy:
|
146
|
+
Before:
|
559
147
|
|
560
148
|
```ruby
|
561
|
-
|
562
|
-
|
563
|
-
f.gyroscope :none
|
564
|
-
f.microphone :none
|
565
|
-
f.usb :none
|
566
|
-
f.fullscreen :self
|
567
|
-
f.payment :self, "https://secure.example.com"
|
568
|
-
end
|
149
|
+
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
150
|
+
request.content_type #=> "text/csv"
|
569
151
|
```
|
570
152
|
|
571
|
-
|
153
|
+
After:
|
572
154
|
|
573
155
|
```ruby
|
574
|
-
|
575
|
-
|
576
|
-
|
577
|
-
end
|
578
|
-
end
|
156
|
+
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
157
|
+
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
158
|
+
request.media_type #=> "text/csv"
|
579
159
|
```
|
580
160
|
|
581
|
-
*
|
161
|
+
*Rafael Mendonça França*
|
582
162
|
|
583
|
-
*
|
163
|
+
* Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
|
584
164
|
|
585
|
-
|
165
|
+
*Rafael Mendonça França*
|
586
166
|
|
587
|
-
|
167
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
588
168
|
|
589
|
-
*
|
169
|
+
*Janko Marohnić*
|
590
170
|
|
591
|
-
|
592
|
-
take parameters the scope was lost when using path helpers. This commit
|
593
|
-
ensures scope is kept both when the route takes parameters or when it
|
594
|
-
doesn't.
|
171
|
+
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
|
595
172
|
|
596
|
-
|
173
|
+
*ojab*
|
597
174
|
|
598
|
-
|
175
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
599
176
|
|
600
|
-
*
|
177
|
+
*Alex Robbin*
|
601
178
|
|
602
|
-
|
179
|
+
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
|
180
|
+
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
181
|
+
with a single value or an enumerable.
|
603
182
|
|
604
|
-
|
605
|
-
an enumerator for the parameters instead of the underlying hash.
|
183
|
+
Fixes #40772.
|
606
184
|
|
607
|
-
*
|
185
|
+
*Christian Sutter*
|
608
186
|
|
609
|
-
*
|
610
|
-
|
187
|
+
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
|
188
|
+
The old method name is retained without explicit deprecation.
|
611
189
|
|
612
|
-
*
|
190
|
+
*DHH*
|
613
191
|
|
614
192
|
|
615
|
-
Please check [6-
|
193
|
+
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
|