actionpack 6.1.7.3 → 7.0.8
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +320 -390
- data/MIT-LICENSE +1 -0
- data/README.rdoc +4 -5
- data/lib/abstract_controller/asset_paths.rb +1 -1
- data/lib/abstract_controller/base.rb +13 -26
- data/lib/abstract_controller/caching/fragments.rb +2 -2
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +21 -7
- data/lib/abstract_controller/collector.rb +2 -2
- data/lib/abstract_controller/error.rb +1 -1
- data/lib/abstract_controller/helpers.rb +17 -12
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/rendering.rb +9 -11
- data/lib/abstract_controller/translation.rb +5 -4
- data/lib/abstract_controller/url_for.rb +4 -6
- data/lib/action_controller/api.rb +7 -7
- data/lib/action_controller/base.rb +5 -4
- data/lib/action_controller/form_builder.rb +2 -2
- data/lib/action_controller/log_subscriber.rb +4 -3
- data/lib/action_controller/metal/basic_implicit_render.rb +3 -1
- data/lib/action_controller/metal/conditional_get.rb +137 -102
- data/lib/action_controller/metal/content_security_policy.rb +36 -2
- data/lib/action_controller/metal/cookies.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +23 -31
- data/lib/action_controller/metal/etag_with_flash.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +19 -30
- data/lib/action_controller/metal/flash.rb +6 -2
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +2 -2
- data/lib/action_controller/metal/http_authentication.rb +66 -39
- data/lib/action_controller/metal/instrumentation.rb +57 -52
- data/lib/action_controller/metal/live.rb +43 -2
- data/lib/action_controller/metal/mime_responds.rb +3 -3
- data/lib/action_controller/metal/params_wrapper.rb +20 -11
- data/lib/action_controller/metal/permissions_policy.rb +19 -28
- data/lib/action_controller/metal/redirecting.rb +111 -19
- data/lib/action_controller/metal/renderers.rb +12 -13
- data/lib/action_controller/metal/rendering.rb +121 -9
- data/lib/action_controller/metal/request_forgery_protection.rb +83 -32
- data/lib/action_controller/metal/rescue.rb +5 -4
- data/lib/action_controller/metal/streaming.rb +7 -9
- data/lib/action_controller/metal/strong_parameters.rb +138 -115
- data/lib/action_controller/metal/testing.rb +9 -2
- data/lib/action_controller/metal/url_for.rb +3 -5
- data/lib/action_controller/metal.rb +10 -13
- data/lib/action_controller/railtie.rb +50 -6
- data/lib/action_controller/renderer.rb +1 -20
- data/lib/action_controller/test_case.rb +28 -7
- data/lib/action_controller.rb +2 -5
- data/lib/action_dispatch/http/cache.rb +20 -13
- data/lib/action_dispatch/http/content_security_policy.rb +113 -36
- data/lib/action_dispatch/http/filter_parameters.rb +4 -19
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +15 -5
- data/lib/action_dispatch/http/mime_type.rb +9 -11
- data/lib/action_dispatch/http/parameters.rb +5 -5
- data/lib/action_dispatch/http/permissions_policy.rb +17 -1
- data/lib/action_dispatch/http/request.rb +27 -37
- data/lib/action_dispatch/http/response.rb +3 -20
- data/lib/action_dispatch/http/upload.rb +13 -2
- data/lib/action_dispatch/http/url.rb +11 -19
- data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
- data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
- data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
- data/lib/action_dispatch/journey/nodes/node.rb +70 -5
- data/lib/action_dispatch/journey/path/pattern.rb +22 -13
- data/lib/action_dispatch/journey/route.rb +6 -13
- data/lib/action_dispatch/journey/router/utils.rb +2 -2
- data/lib/action_dispatch/journey/router.rb +1 -1
- data/lib/action_dispatch/journey/routes.rb +3 -3
- data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
- data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +0 -1
- data/lib/action_dispatch/middleware/cookies.rb +20 -13
- data/lib/action_dispatch/middleware/debug_exceptions.rb +6 -4
- data/lib/action_dispatch/middleware/debug_locks.rb +3 -3
- data/lib/action_dispatch/middleware/exception_wrapper.rb +4 -0
- data/lib/action_dispatch/middleware/executor.rb +3 -0
- data/lib/action_dispatch/middleware/flash.rb +17 -18
- data/lib/action_dispatch/middleware/host_authorization.rb +13 -17
- data/lib/action_dispatch/middleware/remote_ip.rb +20 -8
- data/lib/action_dispatch/middleware/request_id.rb +3 -3
- data/lib/action_dispatch/middleware/server_timing.rb +76 -0
- data/lib/action_dispatch/middleware/session/abstract_store.rb +1 -1
- data/lib/action_dispatch/middleware/session/cookie_store.rb +9 -9
- data/lib/action_dispatch/middleware/show_exceptions.rb +17 -16
- data/lib/action_dispatch/middleware/stack.rb +27 -9
- data/lib/action_dispatch/middleware/static.rb +5 -9
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +10 -5
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +7 -3
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +28 -18
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +22 -22
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +43 -13
- data/lib/action_dispatch/routing/inspector.rb +1 -1
- data/lib/action_dispatch/routing/mapper.rb +82 -83
- data/lib/action_dispatch/routing/redirection.rb +5 -2
- data/lib/action_dispatch/routing/route_set.rb +17 -7
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +24 -25
- data/lib/action_dispatch/routing.rb +5 -6
- data/lib/action_dispatch/system_test_case.rb +5 -5
- data/lib/action_dispatch/system_testing/browser.rb +3 -13
- data/lib/action_dispatch/system_testing/driver.rb +34 -10
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +11 -7
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +0 -8
- data/lib/action_dispatch/testing/assertions/response.rb +1 -1
- data/lib/action_dispatch/testing/assertions/routing.rb +3 -2
- data/lib/action_dispatch/testing/assertions.rb +2 -5
- data/lib/action_dispatch/testing/integration.rb +6 -8
- data/lib/action_dispatch/testing/test_process.rb +3 -29
- data/lib/action_dispatch/testing/test_response.rb +20 -2
- data/lib/action_dispatch.rb +1 -0
- data/lib/action_pack/gem_version.rb +5 -5
- data/lib/action_pack/version.rb +1 -1
- metadata +16 -15
data/CHANGELOG.md
CHANGED
@@ -1,661 +1,591 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 7.0.8 (September 09, 2023) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
## Rails 6.1.7.2 (January 24, 2023) ##
|
7
|
-
|
8
|
-
* Fix `domain: :all` for two letter TLD
|
9
|
-
|
10
|
-
This fixes a compatibility issue introduced in our previous security
|
11
|
-
release when using `domain: :all` with a two letter but single level top
|
12
|
-
level domain domain (like `.ca`, rather than `.co.uk`).
|
13
|
-
|
14
|
-
|
15
|
-
## Rails 6.1.7.1 (January 17, 2023) ##
|
3
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
4
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
16
5
|
|
17
|
-
*
|
6
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
18
7
|
|
19
|
-
[CVE-2023-22795]
|
20
8
|
|
21
|
-
|
9
|
+
## Rails 7.0.7.2 (August 22, 2023) ##
|
22
10
|
|
23
|
-
|
11
|
+
* No changes.
|
24
12
|
|
25
13
|
|
26
|
-
## Rails
|
14
|
+
## Rails 7.0.7.1 (August 22, 2023) ##
|
27
15
|
|
28
16
|
* No changes.
|
29
17
|
|
30
18
|
|
31
|
-
## Rails
|
19
|
+
## Rails 7.0.7 (August 09, 2023) ##
|
32
20
|
|
33
21
|
* No changes.
|
34
22
|
|
35
23
|
|
36
|
-
## Rails
|
24
|
+
## Rails 7.0.6 (June 29, 2023) ##
|
37
25
|
|
38
26
|
* No changes.
|
39
27
|
|
40
28
|
|
41
|
-
## Rails
|
29
|
+
## Rails 7.0.5.1 (June 26, 2023) ##
|
42
30
|
|
43
|
-
*
|
31
|
+
* Raise an exception if illegal characters are provide to redirect_to
|
32
|
+
[CVE-2023-28362]
|
44
33
|
|
45
|
-
*
|
34
|
+
*Zack Deveau*
|
46
35
|
|
47
|
-
## Rails
|
36
|
+
## Rails 7.0.5 (May 24, 2023) ##
|
48
37
|
|
49
|
-
*
|
38
|
+
* Do not return CSP headers for 304 Not Modified responses.
|
50
39
|
|
51
|
-
|
52
|
-
single quoted when the directive was the result of calling a lambda
|
53
|
-
returning an array.
|
40
|
+
*Tobias Kraze*
|
54
41
|
|
55
|
-
|
56
|
-
content_security_policy do |policy|
|
57
|
-
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
58
|
-
end
|
59
|
-
```
|
42
|
+
* Fix `EtagWithFlash` when there is no `Flash` middleware available.
|
60
43
|
|
61
|
-
|
62
|
-
|
63
|
-
*Edouard Chin*
|
64
|
-
|
65
|
-
* Update `HostAuthorization` middleware to render debug info only
|
66
|
-
when `config.consider_all_requests_local` is set to true.
|
67
|
-
|
68
|
-
Also, blocked host info is always logged with level `error`.
|
69
|
-
|
70
|
-
Fixes #42813.
|
44
|
+
*fatkodima*
|
71
45
|
|
72
|
-
|
46
|
+
* Fix content-type header with `send_stream`.
|
73
47
|
|
74
|
-
*
|
48
|
+
*Elliot Crosby-McCullough*
|
75
49
|
|
76
|
-
|
50
|
+
* Address Selenium `:capabilities` deprecation warning.
|
77
51
|
|
78
|
-
*
|
52
|
+
*Ron Shinall*
|
79
53
|
|
80
|
-
*
|
54
|
+
* Fix cookie domain for domain: all on two letter single level TLD.
|
81
55
|
|
82
|
-
*
|
56
|
+
*John Hawthorn*
|
83
57
|
|
84
|
-
*
|
58
|
+
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
85
59
|
|
86
|
-
|
60
|
+
Previously if you set `config.active_record.query_log_tags` to an array that included
|
61
|
+
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
62
|
+
This bug has been fixed.
|
87
63
|
|
88
64
|
*Alex Ghiculescu*
|
89
65
|
|
90
|
-
*
|
66
|
+
* Rescue `EOFError` exception from `rack` on a multipart request.
|
91
67
|
|
92
|
-
|
68
|
+
*Nikita Vasilevsky*
|
93
69
|
|
94
|
-
|
70
|
+
* Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
|
95
71
|
|
96
|
-
|
72
|
+
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
73
|
+
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
74
|
+
clear the cookie and force app users to manually clear it in their browser.
|
97
75
|
|
98
|
-
|
76
|
+
(See #45127 for original bug discussion)
|
99
77
|
|
78
|
+
*Nathan Bardoux*
|
100
79
|
|
101
|
-
## Rails
|
80
|
+
## Rails 7.0.4.3 (March 13, 2023) ##
|
102
81
|
|
103
82
|
* No changes.
|
104
83
|
|
105
84
|
|
106
|
-
## Rails
|
107
|
-
|
108
|
-
* No changes.
|
109
|
-
|
85
|
+
## Rails 7.0.4.2 (January 24, 2023) ##
|
110
86
|
|
111
|
-
|
87
|
+
* Fix `domain: :all` for two letter TLD
|
112
88
|
|
113
|
-
|
114
|
-
|
115
|
-
|
89
|
+
This fixes a compatibility issue introduced in our previous security
|
90
|
+
release when using `domain: :all` with a two letter but single level top
|
91
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
116
92
|
|
117
|
-
[CVE-2022-23633]
|
118
93
|
|
94
|
+
## Rails 7.0.4.1 (January 17, 2023) ##
|
119
95
|
|
120
|
-
|
96
|
+
* Fix sec issue with _url_host_allowed?
|
121
97
|
|
122
|
-
|
98
|
+
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
|
99
|
+
to malicious sites.
|
123
100
|
|
101
|
+
[CVE-2023-22797]
|
124
102
|
|
125
|
-
|
103
|
+
* Avoid regex backtracking on If-None-Match header
|
126
104
|
|
127
|
-
|
105
|
+
[CVE-2023-22795]
|
128
106
|
|
107
|
+
* Use string#split instead of regex for domain parts
|
129
108
|
|
130
|
-
|
109
|
+
[CVE-2023-22792]
|
131
110
|
|
132
|
-
|
111
|
+
## Rails 7.0.4 (September 09, 2022) ##
|
133
112
|
|
134
|
-
|
113
|
+
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
135
114
|
|
136
|
-
|
115
|
+
Previously, if another middleware down the chain set `Server-Timing` header,
|
116
|
+
it would overwritten by `ActionDispatch::ServerTiming`.
|
137
117
|
|
138
|
-
|
139
|
-
"allowed host" formats can cause the Host Authorization middleware in Action
|
140
|
-
Pack to redirect users to a malicious website.
|
118
|
+
*Jakub Malinowski*
|
141
119
|
|
142
|
-
## Rails 6.1.4 (June 24, 2021) ##
|
143
120
|
|
144
|
-
|
121
|
+
## Rails 7.0.3.1 (July 12, 2022) ##
|
145
122
|
|
146
|
-
|
123
|
+
* No changes.
|
147
124
|
|
148
|
-
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
149
125
|
|
150
|
-
|
126
|
+
## Rails 7.0.3 (May 09, 2022) ##
|
151
127
|
|
152
|
-
*
|
128
|
+
* Allow relative redirects when `raise_on_open_redirects` is enabled.
|
153
129
|
|
154
|
-
|
155
|
-
of the path as parameter for example:
|
130
|
+
*Tom Hughes*
|
156
131
|
|
157
|
-
|
158
|
-
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
159
|
-
things_path(optional_id: false) # => /things?optional_id=false
|
160
|
-
```
|
132
|
+
* Fix `authenticate_with_http_basic` to allow for missing password.
|
161
133
|
|
162
|
-
|
134
|
+
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
163
135
|
|
136
|
+
```ruby
|
137
|
+
authenticate_with_http_basic do |token, _|
|
138
|
+
ApiClient.authenticate(token)
|
139
|
+
end
|
164
140
|
```
|
165
|
-
get '(this/:my_bool)/that' as: :that
|
166
141
|
|
167
|
-
|
168
|
-
that_path(my_bool: false) # => `/this/false/that`
|
169
|
-
```
|
142
|
+
This ability is restored.
|
170
143
|
|
171
|
-
*
|
144
|
+
*Jean Boussier*
|
172
145
|
|
173
|
-
*
|
146
|
+
* Fix `content_security_policy` returning invalid directives.
|
174
147
|
|
175
|
-
|
148
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
149
|
+
single quoted when the directive was the result of calling a lambda
|
150
|
+
returning an array.
|
176
151
|
|
177
|
-
|
152
|
+
```ruby
|
153
|
+
content_security_policy do |policy|
|
154
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
155
|
+
end
|
156
|
+
```
|
178
157
|
|
158
|
+
With this fix the policy generated from above will now be valid.
|
179
159
|
|
180
|
-
|
160
|
+
*Edouard Chin*
|
181
161
|
|
182
|
-
*
|
183
|
-
|
162
|
+
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
163
|
+
protection has not been enabled / `verify_authenticity_token` is not a
|
164
|
+
defined callback.
|
184
165
|
|
185
|
-
|
186
|
-
|
166
|
+
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
167
|
+
`ArgumentError` if `default_protect_from_forgery` is false.
|
187
168
|
|
188
|
-
*
|
189
|
-
CVE-2021-22904
|
169
|
+
*Brad Trick*
|
190
170
|
|
191
|
-
*
|
171
|
+
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
192
172
|
|
193
|
-
`
|
194
|
-
|
195
|
-
user input array, strings can result in unwanted route helper calls.
|
173
|
+
Since its inception `ActionController::Live` has been copying thread local variables
|
174
|
+
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
196
175
|
|
197
|
-
|
176
|
+
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
177
|
+
`ActionController::Live` controllers.
|
198
178
|
|
199
|
-
*
|
179
|
+
*Jean Boussier*
|
200
180
|
|
201
|
-
|
181
|
+
* Fix setting `trailing_slash: true` in route definition.
|
202
182
|
|
203
|
-
|
183
|
+
```ruby
|
184
|
+
get '/test' => "test#index", as: :test, trailing_slash: true
|
204
185
|
|
186
|
+
test_path() # => "/test/"
|
187
|
+
```
|
205
188
|
|
206
|
-
|
189
|
+
*Jean Boussier*
|
207
190
|
|
208
|
-
|
209
|
-
|
210
|
-
*John Hawthorn*
|
191
|
+
## Rails 7.0.2.4 (April 26, 2022) ##
|
211
192
|
|
193
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
212
194
|
|
213
|
-
|
195
|
+
*Tim Wade*
|
214
196
|
|
215
|
-
|
197
|
+
## Rails 7.0.2.3 (March 08, 2022) ##
|
216
198
|
|
217
|
-
|
199
|
+
* No changes.
|
218
200
|
|
219
|
-
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
220
|
-
issue and the patch!
|
221
201
|
|
222
|
-
|
202
|
+
## Rails 7.0.2.2 (February 11, 2022) ##
|
223
203
|
|
204
|
+
* No changes.
|
224
205
|
|
225
|
-
## Rails 6.1.2 (February 09, 2021) ##
|
226
206
|
|
227
|
-
|
207
|
+
## Rails 7.0.2.1 (February 11, 2022) ##
|
228
208
|
|
229
|
-
|
209
|
+
* Under certain circumstances, the middleware isn't informed that the
|
210
|
+
response body has been fully closed which result in request state not
|
211
|
+
being fully reset before the next request
|
230
212
|
|
231
|
-
|
213
|
+
[CVE-2022-23633]
|
232
214
|
|
233
|
-
*Eugene Kenny*
|
234
215
|
|
216
|
+
## Rails 7.0.2 (February 08, 2022) ##
|
235
217
|
|
236
|
-
|
218
|
+
* No changes.
|
237
219
|
|
238
|
-
* Fix nil translation key lookup in controllers/
|
239
220
|
|
240
|
-
|
221
|
+
## Rails 7.0.1 (January 06, 2022) ##
|
241
222
|
|
242
|
-
*
|
223
|
+
* Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
|
224
|
+
of the original object.
|
243
225
|
|
244
|
-
*
|
226
|
+
*Yutaka Kamei*
|
245
227
|
|
246
|
-
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
247
228
|
|
248
|
-
|
229
|
+
## Rails 7.0.0 (December 15, 2021) ##
|
249
230
|
|
231
|
+
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
250
232
|
|
251
|
-
|
233
|
+
*Étienne Barrié*
|
252
234
|
|
253
|
-
*
|
254
|
-
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
235
|
+
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
255
236
|
|
256
|
-
|
257
|
-
|
258
|
-
p.camera :none
|
259
|
-
p.gyroscope :none
|
260
|
-
p.microphone :none
|
261
|
-
p.usb :none
|
262
|
-
p.fullscreen :self
|
263
|
-
p.payment :self, "https://secure-example.com"
|
264
|
-
end
|
265
|
-
```
|
237
|
+
This means if you make multiple requests in the same test, instance variables set in the first request will
|
238
|
+
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
266
239
|
|
267
|
-
*
|
240
|
+
*Alex Ghiculescu*
|
268
241
|
|
269
|
-
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
270
242
|
|
271
|
-
|
243
|
+
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
272
244
|
|
273
|
-
|
245
|
+
* No changes.
|
274
246
|
|
275
|
-
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
276
|
-
the unique X-Request-Id header
|
277
247
|
|
278
|
-
|
248
|
+
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
279
249
|
|
280
|
-
*
|
250
|
+
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
281
251
|
|
282
|
-
*Rafael Mendonça França*
|
283
252
|
|
284
|
-
|
253
|
+
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
285
254
|
|
286
|
-
|
255
|
+
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
287
256
|
|
288
|
-
|
257
|
+
This helps to better simulate request or job local state being reset between requests and prevent state
|
258
|
+
leaking from one request to another.
|
289
259
|
|
290
|
-
|
260
|
+
To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
|
291
261
|
|
292
|
-
*
|
262
|
+
*Alex Ghiculescu*
|
293
263
|
|
294
|
-
|
264
|
+
* Consider onion services secure for cookies.
|
295
265
|
|
296
|
-
*
|
266
|
+
*Justin Tracey*
|
297
267
|
|
298
|
-
*
|
268
|
+
* Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
|
299
269
|
|
300
|
-
|
301
|
-
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
270
|
+
*Rafael Mendonça França*
|
302
271
|
|
303
|
-
|
272
|
+
* Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
|
304
273
|
|
305
|
-
*
|
274
|
+
*Rafael Mendonça França*
|
306
275
|
|
307
|
-
|
276
|
+
* Remove deprecated `ActionDispatch::SystemTestCase#host!`.
|
308
277
|
|
309
|
-
*
|
278
|
+
*Rafael Mendonça França*
|
310
279
|
|
311
|
-
|
280
|
+
* Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
|
312
281
|
|
313
|
-
*
|
314
|
-
a 308 redirection.
|
282
|
+
*Rafael Mendonça França*
|
315
283
|
|
316
|
-
|
284
|
+
* Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
|
317
285
|
|
318
|
-
*
|
319
|
-
chosen only if it is equal to or is a superdomain of the request host.
|
286
|
+
*Rafael Mendonça França*
|
320
287
|
|
321
|
-
|
288
|
+
* Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
|
322
289
|
|
323
|
-
|
290
|
+
This allows `rescue_from` to be used to add a default fallback route:
|
324
291
|
|
325
|
-
|
326
|
-
|
292
|
+
```ruby
|
293
|
+
rescue_from ActionController::Redirecting::UnsafeRedirectError do
|
294
|
+
redirect_to root_url
|
295
|
+
end
|
296
|
+
```
|
327
297
|
|
328
|
-
|
329
|
-
we check for public/some.js.br and serve that file, if present, with
|
330
|
-
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
298
|
+
*Kasper Timm Hansen*, *Chris Oliver*
|
331
299
|
|
332
|
-
|
300
|
+
* Add `url_from` to verify a redirect location is internal.
|
333
301
|
|
334
|
-
|
302
|
+
Takes the open redirect protection from `redirect_to` so users can wrap a
|
303
|
+
param, and fall back to an alternate redirect URL when the param provided
|
304
|
+
one is unsafe.
|
335
305
|
|
336
|
-
|
337
|
-
|
338
|
-
|
306
|
+
```ruby
|
307
|
+
def create
|
308
|
+
redirect_to url_from(params[:redirect_url]) || root_url
|
309
|
+
end
|
310
|
+
```
|
339
311
|
|
340
|
-
*
|
312
|
+
*dmcge*, *Kasper Timm Hansen*
|
341
313
|
|
342
|
-
*
|
314
|
+
* Allow Capybara driver name overrides in `SystemTestCase::driven_by`
|
343
315
|
|
344
|
-
|
316
|
+
Allow users to prevent conflicts among drivers that use the same driver
|
317
|
+
type (selenium, poltergeist, webkit, rack test).
|
345
318
|
|
346
|
-
|
347
|
-
without passing a block now returns an enumerator.
|
319
|
+
Fixes #42502
|
348
320
|
|
349
|
-
*
|
321
|
+
*Chris LaRose*
|
350
322
|
|
351
|
-
*
|
323
|
+
* Allow multiline to be passed in routes when using wildcard segments.
|
352
324
|
|
353
|
-
Previously
|
354
|
-
|
325
|
+
Previously routes with newlines weren't detected when using wildcard segments, returning
|
326
|
+
a `No route matches` error.
|
327
|
+
After this change, routes with newlines are detected on wildcard segments. Example
|
355
328
|
|
356
329
|
```ruby
|
357
|
-
|
358
|
-
|
330
|
+
draw do
|
331
|
+
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
332
|
+
end
|
359
333
|
|
360
|
-
|
361
|
-
|
334
|
+
# After the change, the path matches.
|
335
|
+
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
362
336
|
```
|
363
337
|
|
364
|
-
|
338
|
+
Fixes #39103
|
365
339
|
|
366
|
-
*
|
340
|
+
*Ignacio Chiazzo*
|
367
341
|
|
368
|
-
|
342
|
+
* Treat html suffix in controller translation.
|
369
343
|
|
370
|
-
*
|
371
|
-
strings/symbols with `String#constantize` instead of `require_dependency`.
|
344
|
+
*Rui Onodera*, *Gavin Miller*
|
372
345
|
|
373
|
-
|
374
|
-
always pass a module object:
|
346
|
+
* Allow permitting numeric params.
|
375
347
|
|
348
|
+
Previously it was impossible to permit different fields on numeric parameters.
|
349
|
+
After this change you can specify different fields for each numbered parameter.
|
350
|
+
For example params like,
|
376
351
|
```ruby
|
377
|
-
|
352
|
+
book: {
|
353
|
+
authors_attributes: {
|
354
|
+
'0': { name: "William Shakespeare", age_of_death: "52" },
|
355
|
+
'1': { name: "Unattributed Assistant" },
|
356
|
+
'2': "Not a hash",
|
357
|
+
'new_record': { name: "Some name" }
|
358
|
+
}
|
359
|
+
}
|
378
360
|
```
|
379
361
|
|
380
|
-
|
381
|
-
|
382
|
-
that same module object.
|
383
|
-
|
384
|
-
*Xavier Noria*, *Jean Boussier*
|
362
|
+
Before you could permit name on each author with,
|
363
|
+
`permit book: { authors_attributes: [ :name ] }`
|
385
364
|
|
386
|
-
|
365
|
+
After this change you can permit different keys on each numbered element,
|
366
|
+
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
387
367
|
|
388
|
-
|
368
|
+
Fixes #41625
|
389
369
|
|
390
|
-
*
|
391
|
-
`Rails.application.config.force_ssl` is set to true.
|
370
|
+
*Adam Hess*
|
392
371
|
|
393
|
-
|
372
|
+
* Update `HostAuthorization` middleware to render debug info only
|
373
|
+
when `config.consider_all_requests_local` is set to true.
|
394
374
|
|
395
|
-
|
375
|
+
Also, blocked host info is always logged with level `error`.
|
396
376
|
|
397
|
-
|
398
|
-
them difficult to deal with. For example, the common practice of sending
|
399
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
400
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
377
|
+
Fixes #42813
|
401
378
|
|
402
|
-
|
403
|
-
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
404
|
-
for backwards compatibility.
|
379
|
+
*Nikita Vyrko*
|
405
380
|
|
406
|
-
|
381
|
+
* Add Server-Timing middleware
|
407
382
|
|
408
|
-
|
383
|
+
Server-Timing specification defines how the server can communicate to browsers performance metrics
|
384
|
+
about the request it is responding to.
|
409
385
|
|
410
|
-
|
411
|
-
|
412
|
-
new instance and then by an old instance.
|
386
|
+
The ServerTiming middleware is enabled by default on `development` environment by default using the
|
387
|
+
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
413
388
|
|
414
|
-
|
415
|
-
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
416
|
-
from `false` to `true`, users may lose their sessions if they access the
|
417
|
-
server during deployment.
|
389
|
+
The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
|
418
390
|
|
419
|
-
|
420
|
-
deployment, ensuring compatibility on both old and new instances.
|
391
|
+
*Sebastian Sogamoso*, *Guillermo Iguaran*
|
421
392
|
|
422
|
-
*Masaki Hara*
|
423
393
|
|
424
|
-
|
394
|
+
## Rails 7.0.0.alpha2 (September 15, 2021) ##
|
425
395
|
|
426
|
-
|
427
|
-
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
396
|
+
* No changes.
|
428
397
|
|
429
|
-
*Keenan Brock*
|
430
398
|
|
431
|
-
|
399
|
+
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
432
400
|
|
433
|
-
|
434
|
-
|
401
|
+
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
|
402
|
+
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
403
|
+
malformed JSON.
|
435
404
|
|
436
|
-
|
405
|
+
Fixes #41145
|
437
406
|
|
438
|
-
*
|
407
|
+
*Aaron Lahey*
|
439
408
|
|
440
|
-
|
441
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
442
|
-
from being correctly counted and reported.
|
409
|
+
* Add `Middleware#delete!` to delete middleware or raise if not found.
|
443
410
|
|
444
|
-
|
445
|
-
|
411
|
+
`Middleware#delete!` works just like `Middleware#delete` but will
|
412
|
+
raise an error if the middleware isn't found.
|
446
413
|
|
447
|
-
|
414
|
+
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
|
448
415
|
|
449
|
-
|
416
|
+
* Raise error on unpermitted open redirects.
|
450
417
|
|
451
|
-
|
418
|
+
Add `allow_other_host` options to `redirect_to`.
|
419
|
+
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
452
420
|
|
453
|
-
|
454
|
-
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
421
|
+
*Gannon McGibbon*
|
455
422
|
|
456
|
-
|
423
|
+
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
|
457
424
|
|
458
|
-
|
425
|
+
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
|
459
426
|
|
460
|
-
|
427
|
+
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
|
461
428
|
|
462
|
-
|
429
|
+
*Yusuke Iwaki*
|
463
430
|
|
464
|
-
|
431
|
+
* Exclude additional flash types from `ActionController::Base.action_methods`.
|
465
432
|
|
466
|
-
|
433
|
+
Ensures that additional flash types defined on ActionController::Base subclasses
|
434
|
+
are not listed as actions on that controller.
|
467
435
|
|
468
|
-
|
436
|
+
class MyController < ApplicationController
|
437
|
+
add_flash_types :hype
|
438
|
+
end
|
469
439
|
|
470
|
-
|
471
|
-
https://github.com/rails/routing_concerns was a better approach. Turned out
|
472
|
-
that this wasn't fully the case and loading external route files from the router
|
473
|
-
can be helpful for applications with a really large set of routes.
|
474
|
-
Without this feature, application needs to implement routes reloading
|
475
|
-
themselves and it's not straightforward.
|
440
|
+
MyController.action_methods.include?('hype') # => false
|
476
441
|
|
477
|
-
|
478
|
-
# config/routes.rb
|
442
|
+
*Gavin Morrice*
|
479
443
|
|
480
|
-
|
481
|
-
draw(:admin)
|
482
|
-
end
|
444
|
+
* OpenSSL constants are now used for Digest computations.
|
483
445
|
|
484
|
-
|
446
|
+
*Dirkjan Bussink*
|
485
447
|
|
486
|
-
|
487
|
-
```
|
448
|
+
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
|
488
449
|
|
489
|
-
|
450
|
+
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
|
490
451
|
|
491
|
-
*
|
452
|
+
*Tadas Sasnauskas*
|
492
453
|
|
493
|
-
|
454
|
+
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
|
455
|
+
present in `rescued_responses`.
|
494
456
|
|
495
|
-
|
496
|
-
|
457
|
+
It may be too noisy to get all backtraces logged for applications that manage uncaught
|
458
|
+
exceptions via `rescued_responses` and `exceptions_app`.
|
459
|
+
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
460
|
+
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
497
461
|
|
498
|
-
*
|
462
|
+
*Alexander Azarov*, *Mike Dalessio*
|
499
463
|
|
500
|
-
*
|
501
|
-
request format but based on the block given.
|
464
|
+
* Ignore file fixtures on `db:fixtures:load`.
|
502
465
|
|
503
|
-
|
504
|
-
|
505
|
-
```ruby
|
506
|
-
def my_action
|
507
|
-
respond_to do |format|
|
508
|
-
format.any { render(json: { foo: 'bar' }) }
|
509
|
-
end
|
510
|
-
end
|
511
|
-
|
512
|
-
get('my_action.csv')
|
513
|
-
```
|
466
|
+
*Kevin Sjöberg*
|
514
467
|
|
515
|
-
|
516
|
-
is inaccurate since a JSON response is being rendered.
|
468
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
517
469
|
|
518
|
-
|
470
|
+
*Dylan Thacker-Smith*
|
519
471
|
|
520
|
-
|
472
|
+
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
|
521
473
|
|
522
|
-
*
|
474
|
+
*Tadas Sasnauskas*
|
523
475
|
|
524
|
-
|
525
|
-
nested directory, causing issues with `tmp:clear`.
|
476
|
+
* Drop support for the `SERVER_ADDR` header.
|
526
477
|
|
527
|
-
|
478
|
+
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
|
528
479
|
|
529
|
-
*
|
480
|
+
*Ricardo Díaz*
|
530
481
|
|
531
|
-
|
482
|
+
* Set session options when initializing a basic session.
|
532
483
|
|
533
|
-
*
|
484
|
+
*Gannon McGibbon*
|
534
485
|
|
535
|
-
|
536
|
-
* `:response` - the `ActionDispatch::Response`
|
486
|
+
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
|
537
487
|
|
538
|
-
|
488
|
+
Works as a shortcut to set `response.cache_control` with the above methods.
|
539
489
|
|
540
|
-
*
|
541
|
-
`remote_ip` to `nil` before setting the header that the value is derived
|
542
|
-
from.
|
490
|
+
*Jacopo Beschi*
|
543
491
|
|
544
|
-
|
492
|
+
* Writing into a disabled session will now raise an error.
|
545
493
|
|
546
|
-
|
494
|
+
Previously when no session store was set, writing into the session would silently fail.
|
547
495
|
|
548
|
-
*
|
496
|
+
*Jean Boussier*
|
549
497
|
|
550
|
-
|
551
|
-
# Use the debug level if a particular cookie is set.
|
552
|
-
class ApplicationController < ActionController::Base
|
553
|
-
log_at :debug, if: -> { cookies[:debug] }
|
554
|
-
end
|
555
|
-
```
|
498
|
+
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
556
499
|
|
557
|
-
|
500
|
+
Fixes #42034.
|
558
501
|
|
559
|
-
*
|
560
|
-
a test by prefixing the file name with an incrementing counter.
|
502
|
+
*lfalcao*
|
561
503
|
|
562
|
-
|
563
|
-
enable saving of HTML during a screenshot in addition to the image.
|
564
|
-
This uses the same image name, with the extension replaced with `.html`
|
504
|
+
* Remove inline styles and address basic accessibility issues on rescue templates.
|
565
505
|
|
566
|
-
*
|
506
|
+
*Jacob Herrington*
|
567
507
|
|
568
|
-
* Add
|
508
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
569
509
|
|
570
|
-
|
571
|
-
header to determine what to return. And if we don't add `Vary`
|
572
|
-
in the response header, browsers might accidentally cache different
|
573
|
-
types of content, which would cause issues: e.g. javascript got displayed
|
574
|
-
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
575
|
-
in these types of requests. For more detailed problem description, please read:
|
510
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
576
511
|
|
577
|
-
|
512
|
+
*Alex Smith*
|
578
513
|
|
579
|
-
|
514
|
+
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
|
515
|
+
know which controller action received unpermitted parameters.
|
580
516
|
|
581
|
-
*
|
517
|
+
*bbuchalter*
|
582
518
|
|
583
|
-
*
|
584
|
-
a 307 redirection.
|
519
|
+
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
|
585
520
|
|
586
|
-
|
521
|
+
```ruby
|
522
|
+
send_stream(filename: "subscribers.csv") do |stream|
|
523
|
+
stream.writeln "email_address,updated_at"
|
587
524
|
|
588
|
-
|
525
|
+
@subscribers.find_each do |subscriber|
|
526
|
+
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
527
|
+
end
|
528
|
+
end
|
529
|
+
```
|
589
530
|
|
590
|
-
*
|
531
|
+
*DHH*
|
591
532
|
|
592
|
-
*
|
533
|
+
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
|
593
534
|
|
594
|
-
*
|
535
|
+
*DHH*
|
595
536
|
|
596
|
-
*
|
537
|
+
* `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
|
597
538
|
|
598
|
-
|
599
|
-
|
600
|
-
specification and guidelines can be found at MDN:
|
539
|
+
Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
|
540
|
+
This behavior changed to returned Content-Type header containing charset part as it is.
|
601
541
|
|
602
|
-
|
542
|
+
If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
|
603
543
|
|
604
|
-
|
544
|
+
Before:
|
605
545
|
|
606
546
|
```ruby
|
607
|
-
|
608
|
-
|
609
|
-
f.gyroscope :none
|
610
|
-
f.microphone :none
|
611
|
-
f.usb :none
|
612
|
-
f.fullscreen :self
|
613
|
-
f.payment :self, "https://secure.example.com"
|
614
|
-
end
|
547
|
+
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
548
|
+
request.content_type #=> "text/csv"
|
615
549
|
```
|
616
550
|
|
617
|
-
|
551
|
+
After:
|
618
552
|
|
619
553
|
```ruby
|
620
|
-
|
621
|
-
|
622
|
-
|
623
|
-
end
|
624
|
-
end
|
554
|
+
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
555
|
+
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
556
|
+
request.media_type #=> "text/csv"
|
625
557
|
```
|
626
558
|
|
627
|
-
*
|
559
|
+
*Rafael Mendonça França*
|
628
560
|
|
629
|
-
*
|
561
|
+
* Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
|
630
562
|
|
631
|
-
|
563
|
+
*Rafael Mendonça França*
|
632
564
|
|
633
|
-
|
565
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
634
566
|
|
635
|
-
*
|
567
|
+
*Janko Marohnić*
|
636
568
|
|
637
|
-
|
638
|
-
take parameters the scope was lost when using path helpers. This commit
|
639
|
-
ensures scope is kept both when the route takes parameters or when it
|
640
|
-
doesn't.
|
569
|
+
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
|
641
570
|
|
642
|
-
|
571
|
+
*ojab*
|
643
572
|
|
644
|
-
|
573
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
645
574
|
|
646
|
-
*
|
575
|
+
*Alex Robbin*
|
647
576
|
|
648
|
-
|
577
|
+
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
|
578
|
+
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
579
|
+
with a single value or an enumerable.
|
649
580
|
|
650
|
-
|
651
|
-
an enumerator for the parameters instead of the underlying hash.
|
581
|
+
Fixes #40772.
|
652
582
|
|
653
|
-
*
|
583
|
+
*Christian Sutter*
|
654
584
|
|
655
|
-
*
|
656
|
-
|
585
|
+
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
|
586
|
+
The old method name is retained without explicit deprecation.
|
657
587
|
|
658
|
-
*
|
588
|
+
*DHH*
|
659
589
|
|
660
590
|
|
661
|
-
Please check [6-
|
591
|
+
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
|