actionpack 6.1.7.5 → 7.0.8
Potentially problematic release.
This version of actionpack might be problematic.
- checksums.yaml +4 -4
- data/CHANGELOG.md +319 -401
- data/MIT-LICENSE +1 -0
- data/README.rdoc +4 -5
- data/lib/abstract_controller/asset_paths.rb +1 -1
- data/lib/abstract_controller/base.rb +13 -26
- data/lib/abstract_controller/caching/fragments.rb +2 -2
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +21 -7
- data/lib/abstract_controller/collector.rb +2 -2
- data/lib/abstract_controller/error.rb +1 -1
- data/lib/abstract_controller/helpers.rb +17 -12
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/rendering.rb +9 -11
- data/lib/abstract_controller/translation.rb +5 -4
- data/lib/abstract_controller/url_for.rb +4 -6
- data/lib/action_controller/api.rb +7 -7
- data/lib/action_controller/base.rb +5 -4
- data/lib/action_controller/form_builder.rb +2 -2
- data/lib/action_controller/log_subscriber.rb +4 -3
- data/lib/action_controller/metal/basic_implicit_render.rb +3 -1
- data/lib/action_controller/metal/conditional_get.rb +137 -102
- data/lib/action_controller/metal/content_security_policy.rb +36 -2
- data/lib/action_controller/metal/cookies.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +23 -31
- data/lib/action_controller/metal/etag_with_flash.rb +1 -1
- data/lib/action_controller/metal/exceptions.rb +19 -30
- data/lib/action_controller/metal/flash.rb +6 -2
- data/lib/action_controller/metal/head.rb +1 -1
- data/lib/action_controller/metal/helpers.rb +2 -2
- data/lib/action_controller/metal/http_authentication.rb +66 -39
- data/lib/action_controller/metal/instrumentation.rb +57 -52
- data/lib/action_controller/metal/live.rb +43 -2
- data/lib/action_controller/metal/mime_responds.rb +3 -3
- data/lib/action_controller/metal/params_wrapper.rb +20 -11
- data/lib/action_controller/metal/permissions_policy.rb +19 -28
- data/lib/action_controller/metal/redirecting.rb +95 -22
- data/lib/action_controller/metal/renderers.rb +12 -13
- data/lib/action_controller/metal/rendering.rb +121 -9
- data/lib/action_controller/metal/request_forgery_protection.rb +83 -32
- data/lib/action_controller/metal/rescue.rb +5 -4
- data/lib/action_controller/metal/streaming.rb +7 -9
- data/lib/action_controller/metal/strong_parameters.rb +138 -115
- data/lib/action_controller/metal/testing.rb +9 -2
- data/lib/action_controller/metal/url_for.rb +3 -5
- data/lib/action_controller/metal.rb +10 -13
- data/lib/action_controller/railtie.rb +50 -6
- data/lib/action_controller/renderer.rb +1 -20
- data/lib/action_controller/test_case.rb +28 -7
- data/lib/action_controller.rb +2 -5
- data/lib/action_dispatch/http/cache.rb +20 -13
- data/lib/action_dispatch/http/content_security_policy.rb +113 -36
- data/lib/action_dispatch/http/filter_parameters.rb +4 -19
- data/lib/action_dispatch/http/headers.rb +1 -1
- data/lib/action_dispatch/http/mime_negotiation.rb +15 -5
- data/lib/action_dispatch/http/mime_type.rb +9 -11
- data/lib/action_dispatch/http/parameters.rb +5 -5
- data/lib/action_dispatch/http/permissions_policy.rb +17 -1
- data/lib/action_dispatch/http/request.rb +27 -37
- data/lib/action_dispatch/http/response.rb +3 -20
- data/lib/action_dispatch/http/upload.rb +13 -2
- data/lib/action_dispatch/http/url.rb +11 -19
- data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
- data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
- data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
- data/lib/action_dispatch/journey/nodes/node.rb +70 -5
- data/lib/action_dispatch/journey/path/pattern.rb +22 -13
- data/lib/action_dispatch/journey/route.rb +6 -13
- data/lib/action_dispatch/journey/router/utils.rb +2 -2
- data/lib/action_dispatch/journey/router.rb +1 -1
- data/lib/action_dispatch/journey/routes.rb +3 -3
- data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
- data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +0 -1
- data/lib/action_dispatch/middleware/cookies.rb +20 -13
- data/lib/action_dispatch/middleware/debug_exceptions.rb +6 -4
- data/lib/action_dispatch/middleware/debug_locks.rb +3 -3
- data/lib/action_dispatch/middleware/exception_wrapper.rb +4 -0
- data/lib/action_dispatch/middleware/executor.rb +3 -0
- data/lib/action_dispatch/middleware/flash.rb +17 -18
- data/lib/action_dispatch/middleware/host_authorization.rb +13 -17
- data/lib/action_dispatch/middleware/remote_ip.rb +20 -8
- data/lib/action_dispatch/middleware/request_id.rb +3 -3
- data/lib/action_dispatch/middleware/server_timing.rb +76 -0
- data/lib/action_dispatch/middleware/session/abstract_store.rb +1 -1
- data/lib/action_dispatch/middleware/session/cookie_store.rb +9 -9
- data/lib/action_dispatch/middleware/show_exceptions.rb +17 -16
- data/lib/action_dispatch/middleware/stack.rb +27 -9
- data/lib/action_dispatch/middleware/static.rb +5 -9
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +10 -5
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +7 -3
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +28 -18
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +22 -22
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +43 -13
- data/lib/action_dispatch/routing/inspector.rb +1 -1
- data/lib/action_dispatch/routing/mapper.rb +82 -83
- data/lib/action_dispatch/routing/redirection.rb +5 -2
- data/lib/action_dispatch/routing/route_set.rb +17 -7
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +24 -25
- data/lib/action_dispatch/routing.rb +5 -6
- data/lib/action_dispatch/system_test_case.rb +5 -5
- data/lib/action_dispatch/system_testing/browser.rb +3 -13
- data/lib/action_dispatch/system_testing/driver.rb +34 -10
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +11 -7
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +0 -8
- data/lib/action_dispatch/testing/assertions/response.rb +1 -1
- data/lib/action_dispatch/testing/assertions/routing.rb +3 -2
- data/lib/action_dispatch/testing/assertions.rb +2 -5
- data/lib/action_dispatch/testing/integration.rb +6 -8
- data/lib/action_dispatch/testing/test_process.rb +3 -29
- data/lib/action_dispatch/testing/test_response.rb +20 -2
- data/lib/action_dispatch.rb +1 -0
- data/lib/action_pack/gem_version.rb +5 -5
- data/lib/action_pack/version.rb +1 -1
- metadata +16 -15
data/CHANGELOG.md
CHANGED
@@ -1,673 +1,591 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 7.0.8 (September 09, 2023) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
## Rails 6.1.7.4 (June 26, 2023) ##
|
3
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
4
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
7
5
|
|
8
|
-
*
|
9
|
-
[CVE-2023-28362]
|
6
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
10
7
|
|
11
|
-
*Zack Deveau*
|
12
8
|
|
13
|
-
## Rails
|
9
|
+
## Rails 7.0.7.2 (August 22, 2023) ##
|
14
10
|
|
15
11
|
* No changes.
|
16
12
|
|
17
13
|
|
18
|
-
## Rails
|
19
|
-
|
20
|
-
* Fix `domain: :all` for two letter TLD
|
21
|
-
|
22
|
-
This fixes a compatibility issue introduced in our previous security
|
23
|
-
release when using `domain: :all` with a two letter but single level top
|
24
|
-
level domain domain (like `.ca`, rather than `.co.uk`).
|
25
|
-
|
26
|
-
|
27
|
-
## Rails 6.1.7.1 (January 17, 2023) ##
|
28
|
-
|
29
|
-
* Avoid regex backtracking on If-None-Match header
|
30
|
-
|
31
|
-
[CVE-2023-22795]
|
32
|
-
|
33
|
-
* Use string#split instead of regex for domain parts
|
34
|
-
|
35
|
-
[CVE-2023-22792]
|
36
|
-
|
37
|
-
|
38
|
-
## Rails 6.1.7 (September 09, 2022) ##
|
14
|
+
## Rails 7.0.7.1 (August 22, 2023) ##
|
39
15
|
|
40
16
|
* No changes.
|
41
17
|
|
42
18
|
|
43
|
-
## Rails
|
19
|
+
## Rails 7.0.7 (August 09, 2023) ##
|
44
20
|
|
45
21
|
* No changes.
|
46
22
|
|
47
23
|
|
48
|
-
## Rails
|
24
|
+
## Rails 7.0.6 (June 29, 2023) ##
|
49
25
|
|
50
26
|
* No changes.
|
51
27
|
|
52
28
|
|
53
|
-
## Rails
|
54
|
-
|
55
|
-
* Allow Content Security Policy DSL to generate for API responses.
|
56
|
-
|
57
|
-
*Tim Wade*
|
58
|
-
|
59
|
-
## Rails 6.1.5 (March 09, 2022) ##
|
29
|
+
## Rails 7.0.5.1 (June 26, 2023) ##
|
60
30
|
|
61
|
-
*
|
62
|
-
|
63
|
-
Directives such as `self`, `unsafe-eval` and few others were not
|
64
|
-
single quoted when the directive was the result of calling a lambda
|
65
|
-
returning an array.
|
31
|
+
* Raise an exception if illegal characters are provide to redirect_to
|
32
|
+
[CVE-2023-28362]
|
66
33
|
|
67
|
-
|
68
|
-
content_security_policy do |policy|
|
69
|
-
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
70
|
-
end
|
71
|
-
```
|
34
|
+
*Zack Deveau*
|
72
35
|
|
73
|
-
|
36
|
+
## Rails 7.0.5 (May 24, 2023) ##
|
74
37
|
|
75
|
-
|
38
|
+
* Do not return CSP headers for 304 Not Modified responses.
|
76
39
|
|
77
|
-
*
|
78
|
-
when `config.consider_all_requests_local` is set to true.
|
40
|
+
*Tobias Kraze*
|
79
41
|
|
80
|
-
|
42
|
+
* Fix `EtagWithFlash` when there is no `Flash` middleware available.
|
81
43
|
|
82
|
-
|
44
|
+
*fatkodima*
|
83
45
|
|
84
|
-
|
46
|
+
* Fix content-type header with `send_stream`.
|
85
47
|
|
86
|
-
*
|
48
|
+
*Elliot Crosby-McCullough*
|
87
49
|
|
88
|
-
|
50
|
+
* Address Selenium `:capabilities` deprecation warning.
|
89
51
|
|
90
|
-
*
|
52
|
+
*Ron Shinall*
|
91
53
|
|
92
|
-
*
|
54
|
+
* Fix cookie domain for domain: all on two letter single level TLD.
|
93
55
|
|
94
|
-
*
|
56
|
+
*John Hawthorn*
|
95
57
|
|
96
|
-
*
|
58
|
+
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
97
59
|
|
98
|
-
|
60
|
+
Previously if you set `config.active_record.query_log_tags` to an array that included
|
61
|
+
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
62
|
+
This bug has been fixed.
|
99
63
|
|
100
64
|
*Alex Ghiculescu*
|
101
65
|
|
102
|
-
*
|
66
|
+
* Rescue `EOFError` exception from `rack` on a multipart request.
|
103
67
|
|
104
|
-
|
68
|
+
*Nikita Vasilevsky*
|
105
69
|
|
106
|
-
|
70
|
+
* Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
|
107
71
|
|
108
|
-
|
72
|
+
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
73
|
+
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
74
|
+
clear the cookie and force app users to manually clear it in their browser.
|
109
75
|
|
110
|
-
|
76
|
+
(See #45127 for original bug discussion)
|
111
77
|
|
78
|
+
*Nathan Bardoux*
|
112
79
|
|
113
|
-
## Rails
|
80
|
+
## Rails 7.0.4.3 (March 13, 2023) ##
|
114
81
|
|
115
82
|
* No changes.
|
116
83
|
|
117
84
|
|
118
|
-
## Rails
|
85
|
+
## Rails 7.0.4.2 (January 24, 2023) ##
|
119
86
|
|
120
|
-
*
|
121
|
-
|
122
|
-
|
123
|
-
## Rails 6.1.4.5 (February 11, 2022) ##
|
87
|
+
* Fix `domain: :all` for two letter TLD
|
124
88
|
|
125
|
-
|
126
|
-
|
127
|
-
|
89
|
+
This fixes a compatibility issue introduced in our previous security
|
90
|
+
release when using `domain: :all` with a two letter but single level top
|
91
|
+
level domain domain (like `.ca`, rather than `.co.uk`).
|
128
92
|
|
129
|
-
[CVE-2022-23633]
|
130
93
|
|
94
|
+
## Rails 7.0.4.1 (January 17, 2023) ##
|
131
95
|
|
132
|
-
|
96
|
+
* Fix sec issue with _url_host_allowed?
|
133
97
|
|
134
|
-
|
98
|
+
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
|
99
|
+
to malicious sites.
|
135
100
|
|
101
|
+
[CVE-2023-22797]
|
136
102
|
|
137
|
-
|
103
|
+
* Avoid regex backtracking on If-None-Match header
|
138
104
|
|
139
|
-
|
105
|
+
[CVE-2023-22795]
|
140
106
|
|
107
|
+
* Use string#split instead of regex for domain parts
|
141
108
|
|
142
|
-
|
109
|
+
[CVE-2023-22792]
|
143
110
|
|
144
|
-
|
111
|
+
## Rails 7.0.4 (September 09, 2022) ##
|
145
112
|
|
146
|
-
|
113
|
+
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
147
114
|
|
148
|
-
|
115
|
+
Previously, if another middleware down the chain set `Server-Timing` header,
|
116
|
+
it would overwritten by `ActionDispatch::ServerTiming`.
|
149
117
|
|
150
|
-
|
151
|
-
"allowed host" formats can cause the Host Authorization middleware in Action
|
152
|
-
Pack to redirect users to a malicious website.
|
118
|
+
*Jakub Malinowski*
|
153
119
|
|
154
|
-
## Rails 6.1.4 (June 24, 2021) ##
|
155
120
|
|
156
|
-
|
121
|
+
## Rails 7.0.3.1 (July 12, 2022) ##
|
157
122
|
|
158
|
-
|
123
|
+
* No changes.
|
159
124
|
|
160
|
-
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
161
125
|
|
162
|
-
|
126
|
+
## Rails 7.0.3 (May 09, 2022) ##
|
163
127
|
|
164
|
-
*
|
128
|
+
* Allow relative redirects when `raise_on_open_redirects` is enabled.
|
165
129
|
|
166
|
-
|
167
|
-
of the path as parameter for example:
|
130
|
+
*Tom Hughes*
|
168
131
|
|
169
|
-
|
170
|
-
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
171
|
-
things_path(optional_id: false) # => /things?optional_id=false
|
172
|
-
```
|
132
|
+
* Fix `authenticate_with_http_basic` to allow for missing password.
|
173
133
|
|
174
|
-
|
134
|
+
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
175
135
|
|
176
|
-
```
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
that_path(my_bool: false) # => `/this/false/that`
|
136
|
+
```ruby
|
137
|
+
authenticate_with_http_basic do |token, _|
|
138
|
+
ApiClient.authenticate(token)
|
139
|
+
end
|
181
140
|
```
|
182
141
|
|
183
|
-
|
142
|
+
This ability is restored.
|
184
143
|
|
185
|
-
*
|
144
|
+
*Jean Boussier*
|
186
145
|
|
187
|
-
|
146
|
+
* Fix `content_security_policy` returning invalid directives.
|
188
147
|
|
189
|
-
|
148
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
149
|
+
single quoted when the directive was the result of calling a lambda
|
150
|
+
returning an array.
|
190
151
|
|
152
|
+
```ruby
|
153
|
+
content_security_policy do |policy|
|
154
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
155
|
+
end
|
156
|
+
```
|
191
157
|
|
192
|
-
|
158
|
+
With this fix the policy generated from above will now be valid.
|
193
159
|
|
194
|
-
*
|
195
|
-
CVE-2021-22903
|
160
|
+
*Edouard Chin*
|
196
161
|
|
197
|
-
*
|
198
|
-
|
162
|
+
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
163
|
+
protection has not been enabled / `verify_authenticity_token` is not a
|
164
|
+
defined callback.
|
199
165
|
|
200
|
-
|
201
|
-
|
166
|
+
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
167
|
+
`ArgumentError` if `default_protect_from_forgery` is false.
|
202
168
|
|
203
|
-
*
|
169
|
+
*Brad Trick*
|
204
170
|
|
205
|
-
|
206
|
-
of arguments (usually symbols and records). If a developer passes a
|
207
|
-
user input array, strings can result in unwanted route helper calls.
|
171
|
+
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
208
172
|
|
209
|
-
|
173
|
+
Since its inception `ActionController::Live` has been copying thread local variables
|
174
|
+
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
210
175
|
|
211
|
-
|
176
|
+
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
177
|
+
`ActionController::Live` controllers.
|
212
178
|
|
213
|
-
|
179
|
+
*Jean Boussier*
|
214
180
|
|
215
|
-
*
|
181
|
+
* Fix setting `trailing_slash: true` in route definition.
|
216
182
|
|
183
|
+
```ruby
|
184
|
+
get '/test' => "test#index", as: :test, trailing_slash: true
|
217
185
|
|
218
|
-
|
186
|
+
test_path() # => "/test/"
|
187
|
+
```
|
219
188
|
|
220
|
-
*
|
189
|
+
*Jean Boussier*
|
221
190
|
|
222
|
-
|
191
|
+
## Rails 7.0.2.4 (April 26, 2022) ##
|
223
192
|
|
193
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
224
194
|
|
225
|
-
|
195
|
+
*Tim Wade*
|
226
196
|
|
227
|
-
|
197
|
+
## Rails 7.0.2.3 (March 08, 2022) ##
|
228
198
|
|
229
|
-
|
199
|
+
* No changes.
|
230
200
|
|
231
|
-
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
|
232
|
-
issue and the patch!
|
233
201
|
|
234
|
-
|
202
|
+
## Rails 7.0.2.2 (February 11, 2022) ##
|
235
203
|
|
204
|
+
* No changes.
|
236
205
|
|
237
|
-
## Rails 6.1.2 (February 09, 2021) ##
|
238
206
|
|
239
|
-
|
207
|
+
## Rails 7.0.2.1 (February 11, 2022) ##
|
240
208
|
|
241
|
-
|
209
|
+
* Under certain circumstances, the middleware isn't informed that the
|
210
|
+
response body has been fully closed which result in request state not
|
211
|
+
being fully reset before the next request
|
242
212
|
|
243
|
-
|
213
|
+
[CVE-2022-23633]
|
244
214
|
|
245
|
-
*Eugene Kenny*
|
246
215
|
|
216
|
+
## Rails 7.0.2 (February 08, 2022) ##
|
247
217
|
|
248
|
-
|
218
|
+
* No changes.
|
249
219
|
|
250
|
-
* Fix nil translation key lookup in controllers/
|
251
220
|
|
252
|
-
|
221
|
+
## Rails 7.0.1 (January 06, 2022) ##
|
253
222
|
|
254
|
-
*
|
223
|
+
* Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
|
224
|
+
of the original object.
|
255
225
|
|
256
|
-
*
|
226
|
+
*Yutaka Kamei*
|
257
227
|
|
258
|
-
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
259
228
|
|
260
|
-
|
229
|
+
## Rails 7.0.0 (December 15, 2021) ##
|
261
230
|
|
231
|
+
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
262
232
|
|
263
|
-
|
233
|
+
*Étienne Barrié*
|
264
234
|
|
265
|
-
*
|
266
|
-
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
235
|
+
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
267
236
|
|
268
|
-
|
269
|
-
|
270
|
-
p.camera :none
|
271
|
-
p.gyroscope :none
|
272
|
-
p.microphone :none
|
273
|
-
p.usb :none
|
274
|
-
p.fullscreen :self
|
275
|
-
p.payment :self, "https://secure-example.com"
|
276
|
-
end
|
277
|
-
```
|
237
|
+
This means if you make multiple requests in the same test, instance variables set in the first request will
|
238
|
+
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
278
239
|
|
279
|
-
*
|
240
|
+
*Alex Ghiculescu*
|
280
241
|
|
281
|
-
* Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
|
282
242
|
|
283
|
-
|
243
|
+
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
284
244
|
|
285
|
-
|
245
|
+
* No changes.
|
286
246
|
|
287
|
-
* Add `config.action_dispatch.request_id_header` to allow changing the name of
|
288
|
-
the unique X-Request-Id header
|
289
247
|
|
290
|
-
|
248
|
+
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
291
249
|
|
292
|
-
*
|
250
|
+
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
293
251
|
|
294
|
-
*Rafael Mendonça França*
|
295
252
|
|
296
|
-
|
253
|
+
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
297
254
|
|
298
|
-
|
255
|
+
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
299
256
|
|
300
|
-
|
257
|
+
This helps to better simulate request or job local state being reset between requests and prevent state
|
258
|
+
leaking from one request to another.
|
301
259
|
|
302
|
-
|
260
|
+
To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
|
303
261
|
|
304
|
-
*
|
262
|
+
*Alex Ghiculescu*
|
305
263
|
|
306
|
-
|
264
|
+
* Consider onion services secure for cookies.
|
307
265
|
|
308
|
-
*
|
266
|
+
*Justin Tracey*
|
309
267
|
|
310
|
-
*
|
268
|
+
* Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
|
311
269
|
|
312
|
-
|
313
|
-
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
270
|
+
*Rafael Mendonça França*
|
314
271
|
|
315
|
-
|
272
|
+
* Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
|
316
273
|
|
317
|
-
*
|
274
|
+
*Rafael Mendonça França*
|
318
275
|
|
319
|
-
|
276
|
+
* Remove deprecated `ActionDispatch::SystemTestCase#host!`.
|
320
277
|
|
321
|
-
*
|
278
|
+
*Rafael Mendonça França*
|
322
279
|
|
323
|
-
|
280
|
+
* Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
|
324
281
|
|
325
|
-
*
|
326
|
-
a 308 redirection.
|
282
|
+
*Rafael Mendonça França*
|
327
283
|
|
328
|
-
|
284
|
+
* Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
|
329
285
|
|
330
|
-
*
|
331
|
-
chosen only if it is equal to or is a superdomain of the request host.
|
286
|
+
*Rafael Mendonça França*
|
332
287
|
|
333
|
-
|
288
|
+
* Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
|
334
289
|
|
335
|
-
|
290
|
+
This allows `rescue_from` to be used to add a default fallback route:
|
336
291
|
|
337
|
-
|
338
|
-
|
292
|
+
```ruby
|
293
|
+
rescue_from ActionController::Redirecting::UnsafeRedirectError do
|
294
|
+
redirect_to root_url
|
295
|
+
end
|
296
|
+
```
|
339
297
|
|
340
|
-
|
341
|
-
we check for public/some.js.br and serve that file, if present, with
|
342
|
-
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
298
|
+
*Kasper Timm Hansen*, *Chris Oliver*
|
343
299
|
|
344
|
-
|
300
|
+
* Add `url_from` to verify a redirect location is internal.
|
345
301
|
|
346
|
-
|
302
|
+
Takes the open redirect protection from `redirect_to` so users can wrap a
|
303
|
+
param, and fall back to an alternate redirect URL when the param provided
|
304
|
+
one is unsafe.
|
347
305
|
|
348
|
-
|
349
|
-
|
350
|
-
|
306
|
+
```ruby
|
307
|
+
def create
|
308
|
+
redirect_to url_from(params[:redirect_url]) || root_url
|
309
|
+
end
|
310
|
+
```
|
351
311
|
|
352
|
-
*
|
312
|
+
*dmcge*, *Kasper Timm Hansen*
|
353
313
|
|
354
|
-
*
|
314
|
+
* Allow Capybara driver name overrides in `SystemTestCase::driven_by`
|
355
315
|
|
356
|
-
|
316
|
+
Allow users to prevent conflicts among drivers that use the same driver
|
317
|
+
type (selenium, poltergeist, webkit, rack test).
|
357
318
|
|
358
|
-
|
359
|
-
without passing a block now returns an enumerator.
|
319
|
+
Fixes #42502
|
360
320
|
|
361
|
-
*
|
321
|
+
*Chris LaRose*
|
362
322
|
|
363
|
-
*
|
323
|
+
* Allow multiline to be passed in routes when using wildcard segments.
|
364
324
|
|
365
|
-
Previously
|
366
|
-
|
325
|
+
Previously routes with newlines weren't detected when using wildcard segments, returning
|
326
|
+
a `No route matches` error.
|
327
|
+
After this change, routes with newlines are detected on wildcard segments. Example
|
367
328
|
|
368
329
|
```ruby
|
369
|
-
|
370
|
-
|
330
|
+
draw do
|
331
|
+
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
332
|
+
end
|
371
333
|
|
372
|
-
|
373
|
-
|
334
|
+
# After the change, the path matches.
|
335
|
+
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
374
336
|
```
|
375
337
|
|
376
|
-
|
338
|
+
Fixes #39103
|
377
339
|
|
378
|
-
*
|
340
|
+
*Ignacio Chiazzo*
|
379
341
|
|
380
|
-
|
342
|
+
* Treat html suffix in controller translation.
|
381
343
|
|
382
|
-
*
|
383
|
-
strings/symbols with `String#constantize` instead of `require_dependency`.
|
344
|
+
*Rui Onodera*, *Gavin Miller*
|
384
345
|
|
385
|
-
|
386
|
-
always pass a module object:
|
346
|
+
* Allow permitting numeric params.
|
387
347
|
|
348
|
+
Previously it was impossible to permit different fields on numeric parameters.
|
349
|
+
After this change you can specify different fields for each numbered parameter.
|
350
|
+
For example params like,
|
388
351
|
```ruby
|
389
|
-
|
352
|
+
book: {
|
353
|
+
authors_attributes: {
|
354
|
+
'0': { name: "William Shakespeare", age_of_death: "52" },
|
355
|
+
'1': { name: "Unattributed Assistant" },
|
356
|
+
'2': "Not a hash",
|
357
|
+
'new_record': { name: "Some name" }
|
358
|
+
}
|
359
|
+
}
|
390
360
|
```
|
391
361
|
|
392
|
-
|
393
|
-
|
394
|
-
that same module object.
|
362
|
+
Before you could permit name on each author with,
|
363
|
+
`permit book: { authors_attributes: [ :name ] }`
|
395
364
|
|
396
|
-
|
365
|
+
After this change you can permit different keys on each numbered element,
|
366
|
+
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
397
367
|
|
398
|
-
|
368
|
+
Fixes #41625
|
399
369
|
|
400
|
-
*
|
370
|
+
*Adam Hess*
|
401
371
|
|
402
|
-
* `
|
403
|
-
`
|
372
|
+
* Update `HostAuthorization` middleware to render debug info only
|
373
|
+
when `config.consider_all_requests_local` is set to true.
|
404
374
|
|
405
|
-
|
375
|
+
Also, blocked host info is always logged with level `error`.
|
406
376
|
|
407
|
-
|
377
|
+
Fixes #42813
|
408
378
|
|
409
|
-
|
410
|
-
them difficult to deal with. For example, the common practice of sending
|
411
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
412
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
379
|
+
*Nikita Vyrko*
|
413
380
|
|
414
|
-
|
415
|
-
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
416
|
-
for backwards compatibility.
|
381
|
+
* Add Server-Timing middleware
|
417
382
|
|
418
|
-
|
383
|
+
Server-Timing specification defines how the server can communicate to browsers performance metrics
|
384
|
+
about the request it is responding to.
|
419
385
|
|
420
|
-
|
386
|
+
The ServerTiming middleware is enabled by default on `development` environment by default using the
|
387
|
+
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
421
388
|
|
422
|
-
|
423
|
-
both old and new instances during deployment. Users may be served by a
|
424
|
-
new instance and then by an old instance.
|
389
|
+
The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
|
425
390
|
|
426
|
-
|
427
|
-
to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
|
428
|
-
from `false` to `true`, users may lose their sessions if they access the
|
429
|
-
server during deployment.
|
391
|
+
*Sebastian Sogamoso*, *Guillermo Iguaran*
|
430
392
|
|
431
|
-
We added fallbacks to downgrade the cookie format when necessary during
|
432
|
-
deployment, ensuring compatibility on both old and new instances.
|
433
393
|
|
434
|
-
|
394
|
+
## Rails 7.0.0.alpha2 (September 15, 2021) ##
|
435
395
|
|
436
|
-
*
|
396
|
+
* No changes.
|
437
397
|
|
438
|
-
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
439
|
-
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
440
398
|
|
441
|
-
|
399
|
+
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
442
400
|
|
443
|
-
*
|
401
|
+
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
|
402
|
+
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
403
|
+
malformed JSON.
|
444
404
|
|
445
|
-
|
446
|
-
gem dalli to be updated as well.
|
405
|
+
Fixes #41145
|
447
406
|
|
448
|
-
|
407
|
+
*Aaron Lahey*
|
449
408
|
|
450
|
-
*
|
409
|
+
* Add `Middleware#delete!` to delete middleware or raise if not found.
|
451
410
|
|
452
|
-
`
|
453
|
-
|
454
|
-
from being correctly counted and reported.
|
411
|
+
`Middleware#delete!` works just like `Middleware#delete` but will
|
412
|
+
raise an error if the middleware isn't found.
|
455
413
|
|
456
|
-
|
457
|
-
root session.
|
414
|
+
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
|
458
415
|
|
459
|
-
|
416
|
+
* Raise error on unpermitted open redirects.
|
460
417
|
|
461
|
-
|
418
|
+
Add `allow_other_host` options to `redirect_to`.
|
419
|
+
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
462
420
|
|
463
|
-
*
|
421
|
+
*Gannon McGibbon*
|
464
422
|
|
465
|
-
|
466
|
-
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
423
|
+
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
|
467
424
|
|
468
|
-
|
425
|
+
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
|
469
426
|
|
470
|
-
|
427
|
+
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
|
471
428
|
|
472
|
-
|
429
|
+
*Yusuke Iwaki*
|
473
430
|
|
474
|
-
|
431
|
+
* Exclude additional flash types from `ActionController::Base.action_methods`.
|
475
432
|
|
476
|
-
|
433
|
+
Ensures that additional flash types defined on ActionController::Base subclasses
|
434
|
+
are not listed as actions on that controller.
|
477
435
|
|
478
|
-
|
436
|
+
class MyController < ApplicationController
|
437
|
+
add_flash_types :hype
|
438
|
+
end
|
479
439
|
|
480
|
-
|
440
|
+
MyController.action_methods.include?('hype') # => false
|
481
441
|
|
482
|
-
|
483
|
-
https://github.com/rails/routing_concerns was a better approach. Turned out
|
484
|
-
that this wasn't fully the case and loading external route files from the router
|
485
|
-
can be helpful for applications with a really large set of routes.
|
486
|
-
Without this feature, application needs to implement routes reloading
|
487
|
-
themselves and it's not straightforward.
|
442
|
+
*Gavin Morrice*
|
488
443
|
|
489
|
-
|
490
|
-
# config/routes.rb
|
444
|
+
* OpenSSL constants are now used for Digest computations.
|
491
445
|
|
492
|
-
|
493
|
-
draw(:admin)
|
494
|
-
end
|
446
|
+
*Dirkjan Bussink*
|
495
447
|
|
496
|
-
|
448
|
+
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
|
497
449
|
|
498
|
-
|
499
|
-
```
|
500
|
-
|
501
|
-
*Yehuda Katz*, *Edouard Chin*
|
502
|
-
|
503
|
-
* Fix system test driver option initialization for non-headless browsers.
|
450
|
+
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
|
504
451
|
|
505
|
-
*
|
452
|
+
*Tadas Sasnauskas*
|
506
453
|
|
507
|
-
*
|
508
|
-
|
454
|
+
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
|
455
|
+
present in `rescued_responses`.
|
509
456
|
|
510
|
-
|
457
|
+
It may be too noisy to get all backtraces logged for applications that manage uncaught
|
458
|
+
exceptions via `rescued_responses` and `exceptions_app`.
|
459
|
+
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
460
|
+
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
511
461
|
|
512
|
-
*
|
513
|
-
request format but based on the block given.
|
462
|
+
*Alexander Azarov*, *Mike Dalessio*
|
514
463
|
|
515
|
-
|
464
|
+
* Ignore file fixtures on `db:fixtures:load`.
|
516
465
|
|
517
|
-
|
518
|
-
def my_action
|
519
|
-
respond_to do |format|
|
520
|
-
format.any { render(json: { foo: 'bar' }) }
|
521
|
-
end
|
522
|
-
end
|
466
|
+
*Kevin Sjöberg*
|
523
467
|
|
524
|
-
|
525
|
-
```
|
468
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
526
469
|
|
527
|
-
|
528
|
-
is inaccurate since a JSON response is being rendered.
|
470
|
+
*Dylan Thacker-Smith*
|
529
471
|
|
530
|
-
|
472
|
+
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
|
531
473
|
|
532
|
-
*
|
474
|
+
*Tadas Sasnauskas*
|
533
475
|
|
534
|
-
*
|
476
|
+
* Drop support for the `SERVER_ADDR` header.
|
535
477
|
|
536
|
-
|
537
|
-
nested directory, causing issues with `tmp:clear`.
|
478
|
+
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
|
538
479
|
|
539
|
-
*
|
480
|
+
*Ricardo Díaz*
|
540
481
|
|
541
|
-
*
|
482
|
+
* Set session options when initializing a basic session.
|
542
483
|
|
543
|
-
*
|
544
|
-
|
545
|
-
* `process_action.action_controller` notifications now include the following in their payloads:
|
484
|
+
*Gannon McGibbon*
|
546
485
|
|
547
|
-
|
548
|
-
* `:response` - the `ActionDispatch::Response`
|
486
|
+
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
|
549
487
|
|
550
|
-
|
488
|
+
Works as a shortcut to set `response.cache_control` with the above methods.
|
551
489
|
|
552
|
-
*
|
553
|
-
`remote_ip` to `nil` before setting the header that the value is derived
|
554
|
-
from.
|
490
|
+
*Jacopo Beschi*
|
555
491
|
|
556
|
-
|
492
|
+
* Writing into a disabled session will now raise an error.
|
557
493
|
|
558
|
-
|
494
|
+
Previously when no session store was set, writing into the session would silently fail.
|
559
495
|
|
560
|
-
*
|
496
|
+
*Jean Boussier*
|
561
497
|
|
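Review bot: "Writing into a disabled session will now raise an error" does not name the exception class. Per the second line of the entry, applications with no session store configured go from a silent failure to a raised error, so the entry should name the class to rescue or search logs for, and say whether reads from a disabled session are affected as well.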
562
|
-
|
563
|
-
# Use the debug level if a particular cookie is set.
|
564
|
-
class ApplicationController < ActionController::Base
|
565
|
-
log_at :debug, if: -> { cookies[:debug] }
|
566
|
-
end
|
567
|
-
```
|
498
|
+
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
568
499
|
|
569
|
-
|
500
|
+
Fixes #42034.
|
570
501
|
|
571
|
-
*
|
572
|
-
a test by prefixing the file name with an incrementing counter.
|
502
|
+
*lfalcao*
|
573
503
|
|
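Review bot: the entry calls 'require-trusted-types-for' and 'trusted-types' headers, but both are directives of the Content-Security-Policy header, not headers of their own. Reword to "directives", and since the entry only links to #42034, add a short usage snippet of the policy configuration the way the `send_stream` entry does for its API.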
574
|
-
|
575
|
-
enable saving of HTML during a screenshot in addition to the image.
|
576
|
-
This uses the same image name, with the extension replaced with `.html`
|
504
|
+
* Remove inline styles and address basic accessibility issues on rescue templates.
|
577
505
|
|
578
|
-
*
|
506
|
+
*Jacob Herrington*
|
579
507
|
|
580
|
-
* Add
|
508
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
581
509
|
|
582
|
-
|
583
|
-
header to determine what to return. And if we don't add `Vary`
|
584
|
-
in the response header, browsers might accidentally cache different
|
585
|
-
types of content, which would cause issues: e.g. javascript got displayed
|
586
|
-
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
587
|
-
in these types of requests. For more detailed problem description, please read:
|
510
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
588
511
|
|
589
|
-
|
512
|
+
*Alex Smith*
|
590
513
|
|
591
|
-
|
514
|
+
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
|
515
|
+
know which controller action received unpermitted parameters.
|
592
516
|
|
593
|
-
*
|
517
|
+
*bbuchalter*
|
594
518
|
|
595
|
-
*
|
596
|
-
a 307 redirection.
|
519
|
+
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
|
597
520
|
|
598
|
-
|
521
|
+
```ruby
|
522
|
+
send_stream(filename: "subscribers.csv") do |stream|
|
523
|
+
stream.writeln "email_address,updated_at"
|
599
524
|
|
600
|
-
|
525
|
+
@subscribers.find_each do |subscriber|
|
526
|
+
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
527
|
+
end
|
528
|
+
end
|
529
|
+
```
|
601
530
|
|
602
|
-
*
|
531
|
+
*DHH*
|
603
532
|
|
604
|
-
*
|
533
|
+
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
|
605
534
|
|
606
|
-
*
|
535
|
+
*DHH*
|
607
536
|
|
608
|
-
*
|
537
|
+
* `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
|
609
538
|
|
610
|
-
|
611
|
-
|
612
|
-
specification and guidelines can be found at MDN:
|
539
|
+
Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
|
540
|
+
This behavior changed to returned Content-Type header containing charset part as it is.
|
613
541
|
|
614
|
-
|
542
|
+
If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
|
615
543
|
|
616
|
-
|
544
|
+
Before:
|
617
545
|
|
618
546
|
```ruby
|
619
|
-
|
620
|
-
|
621
|
-
f.gyroscope :none
|
622
|
-
f.microphone :none
|
623
|
-
f.usb :none
|
624
|
-
f.fullscreen :self
|
625
|
-
f.payment :self, "https://secure.example.com"
|
626
|
-
end
|
547
|
+
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
548
|
+
request.content_type #=> "text/csv"
|
627
549
|
```
|
628
550
|
|
629
|
-
|
551
|
+
After:
|
630
552
|
|
631
553
|
```ruby
|
632
|
-
|
633
|
-
|
634
|
-
|
635
|
-
end
|
636
|
-
end
|
554
|
+
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
555
|
+
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
556
|
+
request.media_type #=> "text/csv"
|
637
557
|
```
|
638
558
|
|
639
|
-
*
|
559
|
+
*Rafael Mendonça França*
|
640
560
|
|
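Review bot: the "Before" example builds the request with the `"CONTENT_TYPE"` key and the "After" example with `"Content-Type"`, so the two snippets differ in more than the return value. Use the same key in both so the behaviour change is the only variable. The summary line "now returned Content-Type header as it is" should read "now returns the Content-Type header as it is". It is also worth saying outright that code comparing `request.content_type` to a bare MIME type stops matching once a charset or other parameter is present, and should move to `request.media_type`.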
641
|
-
*
|
561
|
+
* Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
|
642
562
|
|
643
|
-
|
563
|
+
*Rafael Mendonça França*
|
644
564
|
|
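Review bot: this entry gives the new return value (`nil`) but not the old one, so a reader cannot tell which callers of `media_type` now need a nil check. Add the previous return value, and fix "the request don't have" to "the request doesn't have".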
645
|
-
|
565
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
646
566
|
|
647
|
-
*
|
567
|
+
*Janko Marohnić*
|
648
568
|
|
649
|
-
|
650
|
-
take parameters the scope was lost when using path helpers. This commit
|
651
|
-
ensures scope is kept both when the route takes parameters or when it
|
652
|
-
doesn't.
|
569
|
+
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
|
653
570
|
|
654
|
-
|
571
|
+
*ojab*
|
655
572
|
|
656
|
-
|
573
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
657
574
|
|
658
|
-
*
|
575
|
+
*Alex Robbin*
|
659
576
|
|
660
|
-
|
577
|
+
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
|
578
|
+
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
579
|
+
with a single value or an enumerable.
|
661
580
|
|
662
|
-
|
663
|
-
an enumerator for the parameters instead of the underlying hash.
|
581
|
+
Fixes #40772.
|
664
582
|
|
665
|
-
*
|
583
|
+
*Christian Sutter*
|
666
584
|
|
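Review bot: the deprecation says `RemoteIp` "behaves inconsistently" between a single value and an enumerable, but does not say what the inconsistency is or show the supported form. Because `config.action_dispatch.trusted_proxies` feeds the `RemoteIp` middleware, add a short before/after of the assignment (a single value versus an enumerable containing that value) and state how the resulting behaviour differs, so operators can check their existing configuration without reading #40772.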
667
|
-
*
|
668
|
-
|
585
|
+
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
|
586
|
+
The old method name is retained without explicit deprecation.
|
669
587
|
|
670
|
-
*
|
588
|
+
*DHH*
|
671
589
|
|
672
590
|
|
673
|
-
Please check [6-
|
591
|
+
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
|