actionpack 6.1.7.5 → 7.0.8

data/CHANGELOG.md

@@ -1,673 +1,591 @@
-## Rails 6.1.7.5 (August 22, 2023) ##
+## Rails 7.0.8 (September 09, 2023) ##
 
-*   No changes.
-
-
-## Rails 6.1.7.4 (June 26, 2023) ##
+*   Fix `HostAuthorization` potentially displaying the value of the
+    X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
 
-*   Raise an exception if illegal characters are provide to redirect_to
-    [CVE-2023-28362]
+    *Hartley McGuire*, *Daniel Schlosser*
 
-    *Zack Deveau*
 
-## Rails 6.1.7.3 (March 13, 2023) ##
+## Rails 7.0.7.2 (August 22, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.1.7.2 (January 24, 2023) ##
-
-*   Fix `domain: :all` for two letter TLD
-
-    This fixes a compatibility issue introduced in our previous security
-    release when using `domain: :all` with a two letter but single level top
-    level domain domain (like `.ca`, rather than `.co.uk`).
-
-
-## Rails 6.1.7.1 (January 17, 2023) ##
-
-*   Avoid regex backtracking on If-None-Match header
-
-    [CVE-2023-22795]
-
-*   Use string#split instead of regex for domain parts
-
-    [CVE-2023-22792]
-
-
-## Rails 6.1.7 (September 09, 2022) ##
+## Rails 7.0.7.1 (August 22, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.1.6.1 (July 12, 2022) ##
+## Rails 7.0.7 (August 09, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.1.6 (May 09, 2022) ##
+## Rails 7.0.6 (June 29, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.1.5.1 (April 26, 2022) ##
-
-*   Allow Content Security Policy DSL to generate for API responses.
-
-    *Tim Wade*
-
-## Rails 6.1.5 (March 09, 2022) ##
+## Rails 7.0.5.1 (June 26, 2023) ##
 
-*   Fix `content_security_policy` returning invalid directives.
-
-    Directives such as `self`, `unsafe-eval` and few others were not
-    single quoted when the directive was the result of calling a lambda
-    returning an array.
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
 
-    ```ruby
-    content_security_policy do |policy|
-      policy.frame_ancestors lambda { [:self, "https://example.com"] }
-    end
-    ```
+    *Zack Deveau*
 
-    With this fix the policy generated from above will now be valid.
+## Rails 7.0.5 (May 24, 2023) ##
 
-    *Edouard Chin*
+*   Do not return CSP headers for 304 Not Modified responses.
 
-*   Update `HostAuthorization` middleware to render debug info only
-    when `config.consider_all_requests_local` is set to true.
+    *Tobias Kraze*
 
-    Also, blocked host info is always logged with level `error`.
+*   Fix `EtagWithFlash` when there is no `Flash` middleware available.
 
-    Fixes #42813.
+    *fatkodima*
 
-    *Nikita Vyrko*
+*   Fix content-type header with `send_stream`.
 
-*   Dup arrays that get "converted".
+    *Elliot Crosby-McCullough*
 
-    Fixes #43681.
+*   Address Selenium `:capabilities` deprecation warning.
 
-    *Aaron Patterson*
+    *Ron Shinall*
 
-*   Don't show deprecation warning for equal paths.
+*   Fix cookie domain for domain: all on two letter single level TLD.
 
-    *Anton Rieder*
+    *John Hawthorn*
 
-*   Fix crash in `ActionController::Instrumentation` with invalid HTTP formats.
+*   Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
 
-    Fixes #43094.
+    Previously if you set `config.active_record.query_log_tags` to an array that included
+    `:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
+    This bug has been fixed.
 
     *Alex Ghiculescu*
 
-*   Add fallback host for SystemTestCase driven by RackTest.
+*   Rescue `EOFError` exception from `rack` on a multipart request.
 
-    Fixes #42780.
+    *Nikita Vasilevsky*
 
-    *Petrik de Heus*
+*   Rescue `JSON::ParserError` in Cookies json deserializer to discards marshal dumps:
 
-*   Add more detail about what hosts are allowed.
+    Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
+    the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
+    clear the cookie and force app users to manually clear it in their browser.
 
-    *Alex Ghiculescu*
+    (See #45127 for original bug discussion)
 
+    *Nathan Bardoux*
 
-## Rails 6.1.4.7 (March 08, 2022) ##
+## Rails 7.0.4.3 (March 13, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.1.4.6 (February 11, 2022) ##
+## Rails 7.0.4.2 (January 24, 2023) ##
 
-*   No changes.
-
-
-## Rails 6.1.4.5 (February 11, 2022) ##
+*   Fix `domain: :all` for two letter TLD
 
-*   Under certain circumstances, the middleware isn't informed that the
-    response body has been fully closed which result in request state not
-    being fully reset before the next request
+    This fixes a compatibility issue introduced in our previous security
+    release when using `domain: :all` with a two letter but single level top
+    level domain domain (like `.ca`, rather than `.co.uk`).
 
-    [CVE-2022-23633]
 
+## Rails 7.0.4.1 (January 17, 2023) ##
 
-## Rails 6.1.4.4 (December 15, 2021) ##
+*   Fix sec issue with _url_host_allowed?
 
-*   Fix issue with host protection not allowing host with port in development.
+    Disallow certain strings from `_url_host_allowed?` to avoid a redirect
+    to malicious sites.
 
+    [CVE-2023-22797]
 
-## Rails 6.1.4.3 (December 14, 2021) ##
+*   Avoid regex backtracking on If-None-Match header
 
-*    Fix issue with host protection not allowing localhost in development.
+    [CVE-2023-22795]
 
+*   Use string#split instead of regex for domain parts
 
-## Rails 6.1.4.2 (December 14, 2021) ##
+    [CVE-2023-22792]
 
-*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+## Rails 7.0.4 (September 09, 2022) ##
 
-## Rails 6.1.4.1 (August 19, 2021) ##
+*   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
 
-*   [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
+    Previously, if another middleware down the chain set `Server-Timing` header,
+    it would overwritten by `ActionDispatch::ServerTiming`.
 
-    Specially crafted "X-Forwarded-Host" headers in combination with certain
-    "allowed host" formats can cause the Host Authorization middleware in Action
-    Pack to redirect users to a malicious website.
+    *Jakub Malinowski*
 
-## Rails 6.1.4 (June 24, 2021) ##
 
-*   Ignore file fixtures on `db:fixtures:load`
+## Rails 7.0.3.1 (July 12, 2022) ##
 
-    *Kevin Sjöberg*
+*   No changes.
 
-*   Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
 
-    *Dylan Thacker-Smith*
+## Rails 7.0.3 (May 09, 2022) ##
 
-*   Correctly place optional path parameter booleans.
+*   Allow relative redirects when `raise_on_open_redirects` is enabled.
 
-    Previously, if you specify a url parameter that is part of the path as false it would include that part
-    of the path as parameter for example:
+    *Tom Hughes*
 
-    ```
-    get "(/optional/:optional_id)/things" => "foo#foo", as: :things
-    things_path(optional_id: false) # => /things?optional_id=false
-    ```
+*   Fix `authenticate_with_http_basic` to allow for missing password.
 
-    After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
+    Before Rails 7.0 it was possible to handle basic authentication with only a username.
 
-    ```
-    get '(this/:my_bool)/that' as: :that
-
-    that_path(my_bool: true) # => `/this/true/that`
-    that_path(my_bool: false) # => `/this/false/that`
+    ```ruby
+    authenticate_with_http_basic do |token, _|
+      ApiClient.authenticate(token)
+    end
     ```
 
-    *Adam Hess*
+    This ability is restored.
 
-*   Add support for 'private, no-store' Cache-Control headers.
+    *Jean Boussier*
 
-    Previously, 'no-store' was exclusive; no other directives could be specified.
+*   Fix `content_security_policy` returning invalid directives.
 
-    *Alex Smith*
+    Directives such as `self`, `unsafe-eval` and few others were not
+    single quoted when the directive was the result of calling a lambda
+    returning an array.
 
+    ```ruby
+    content_security_policy do |policy|
+      policy.frame_ancestors lambda { [:self, "https://example.com"] }
+    end
+    ```
 
-## Rails 6.1.3.2 (May 05, 2021) ##
+    With this fix the policy generated from above will now be valid.
 
-*   Prevent open redirects by correctly escaping the host allow list
-    CVE-2021-22903
+    *Edouard Chin*
 
-*   Prevent catastrophic backtracking during mime parsing
-    CVE-2021-22902
+*   Fix `skip_forgery_protection` to run without raising an error if forgery
+    protection has not been enabled / `verify_authenticity_token` is not a
+    defined callback.
 
-*   Prevent regex DoS in HTTP token authentication
-    CVE-2021-22904
+    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
+    `ArgumentError` if `default_protect_from_forgery` is false.
 
-*   Prevent string polymorphic route arguments.
+    *Brad Trick*
 
-    `url_for` supports building polymorphic URLs via an array
-    of arguments (usually symbols and records). If a developer passes a
-    user input array, strings can result in unwanted route helper calls.
+*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
 
-    CVE-2021-22885
+    Since its inception `ActionController::Live` has been copying thread local variables
+    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
 
-    *Gannon McGibbon*
+    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
+    `ActionController::Live` controllers.
 
-## Rails 6.1.3.1 (March 26, 2021) ##
+    *Jean Boussier*
 
-*   No changes.
+*   Fix setting `trailing_slash: true` in route definition.
 
+    ```ruby
+    get '/test' => "test#index", as: :test, trailing_slash: true
 
-## Rails 6.1.3 (February 17, 2021) ##
+    test_path() # => "/test/"
+    ```
 
-*   Re-define routes when not set correctly via inheritance.
+    *Jean Boussier*
 
-    *John Hawthorn*
+## Rails 7.0.2.4 (April 26, 2022) ##
 
+*   Allow Content Security Policy DSL to generate for API responses.
 
-## Rails 6.1.2.1 (February 10, 2021) ##
+    *Tim Wade*
 
-*   Prevent open redirect when allowed host starts with a dot
+## Rails 7.0.2.3 (March 08, 2022) ##
 
-    [CVE-2021-22881]
+*   No changes.
 
-    Thanks to @tktech (https://hackerone.com/tktech) for reporting this
-    issue and the patch!
 
-    *Aaron Patterson*
+## Rails 7.0.2.2 (February 11, 2022) ##
 
+*   No changes.
 
-## Rails 6.1.2 (February 09, 2021) ##
 
-*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
+## Rails 7.0.2.1 (February 11, 2022) ##
 
-    *Janko Marohnić*
+*   Under certain circumstances, the middleware isn't informed that the
+    response body has been fully closed which result in request state not
+    being fully reset before the next request
 
-*   Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
+    [CVE-2022-23633]
 
-    *Eugene Kenny*
 
+## Rails 7.0.2 (February 08, 2022) ##
 
-## Rails 6.1.1 (January 07, 2021) ##
+*   No changes.
 
-*   Fix nil translation key lookup in controllers/
 
-    *Jan Klimo*
+## Rails 7.0.1 (January 06, 2022) ##
 
-*   Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
+*   Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
+    of the original object.
 
-    *Alex Robbin*
+    *Yutaka Kamei*
 
-*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
 
-    *Alex Robbin*
+## Rails 7.0.0 (December 15, 2021) ##
 
+*   Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
 
-## Rails 6.1.0 (December 09, 2020) ##
+    *Étienne Barrié*
 
-*   Support for the HTTP header `Feature-Policy` has been revised to reflect
-    its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
+*   Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
 
-    ```ruby
-    Rails.application.config.permissions_policy do |p|
-      p.camera     :none
-      p.gyroscope  :none
-      p.microphone :none
-      p.usb        :none
-      p.fullscreen :self
-      p.payment    :self, "https://secure-example.com"
-    end
-    ```
+    This means if you make multiple requests in the same test, instance variables set in the first request will
+    not persist into the second one. (It's not recommended to make multiple requests in the same test.)
 
-    *Julien Grillot*
+    *Alex Ghiculescu*
 
-*   Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
 
-    Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
+## Rails 7.0.0.rc3 (December 14, 2021) ##
 
-    *Chris Bisnett*
+*   No changes.
 
-*   Add `config.action_dispatch.request_id_header` to allow changing the name of
-    the unique X-Request-Id header
 
-    *Arlston Fernandes*
+## Rails 7.0.0.rc2 (December 14, 2021) ##
 
-*   Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
 
-    *Rafael Mendonça França*
 
-*   Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
+## Rails 7.0.0.rc1 (December 06, 2021) ##
 
-    *Rafael Mendonça França*
+*   `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
 
-*   Remove deprecated `ActionDispatch::Http::ParameterFilter`.
+    This helps to better simulate request or job local state being reset between requests and prevent state
+    leaking from one request to another.
 
-    *Rafael Mendonça França*
+    To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
 
-*   Added support for exclusive no-store Cache-Control header.
+    *Alex Ghiculescu*
 
-    If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
+*   Consider onion services secure for cookies.
 
-    *Chris Kruger*
+    *Justin Tracey*
 
-*   Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
+*   Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
 
-    Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
-    `ActionDispatch::Http::Request#POST` prior to validating encoding.
+    *Rafael Mendonça França*
 
-    *Adrianna Chang*
+*   Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
 
-*   Allow `assert_recognizes` routing assertions to work on mounted root routes.
+    *Rafael Mendonça França*
 
-    *Gannon McGibbon*
+*   Remove deprecated `ActionDispatch::SystemTestCase#host!`.
 
-*   Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
+    *Rafael Mendonça França*
 
-    *Alan Tan*, *Oz Ben-David*
+*   Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
 
-*   Fix `follow_redirect!` to follow redirection with same HTTP verb when following
-    a 308 redirection.
+    *Rafael Mendonça França*
 
-    *Alan Tan*
+*   Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
 
-*   When multiple domains are specified for a cookie, a domain will now be
-    chosen only if it is equal to or is a superdomain of the request host.
+    *Rafael Mendonça França*
 
-    *Jonathan Hefner*
+*   Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
 
-*   `ActionDispatch::Static` handles precompiled Brotli (.br) files.
+    This allows `rescue_from` to be used to add a default fallback route:
 
-    Adds to existing support for precompiled gzip (.gz) files.
-    Brotli files are preferred due to much better compression.
+    ```ruby
+    rescue_from ActionController::Redirecting::UnsafeRedirectError do
+      redirect_to root_url
+    end
+    ```
 
-    When the browser requests /some.js with `Accept-Encoding: br`,
-    we check for public/some.js.br and serve that file, if present, with
-    `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
+    *Kasper Timm Hansen*, *Chris Oliver*
 
-    *Ryan Edward Hall*, *Jeremy Daer*
+*   Add `url_from` to verify a redirect location is internal.
 
-*   Add raise_on_missing_translations support for controllers.
+    Takes the open redirect protection from `redirect_to` so users can wrap a
+    param, and fall back to an alternate redirect URL when the param provided
+    one is unsafe.
 
-    This configuration determines whether an error should be raised for missing translations.
-    It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
-    configuration also affects raising error for missing translations in views.
+    ```ruby
+    def create
+      redirect_to url_from(params[:redirect_url]) || root_url
+    end
+    ```
 
-    *fatkodima*
+    *dmcge*, *Kasper Timm Hansen*
 
-*   Added `compact` and `compact!` to `ActionController::Parameters`.
+*   Allow Capybara driver name overrides in `SystemTestCase::driven_by`
 
-    *Eugene Kenny*
+    Allow users to prevent conflicts among drivers that use the same driver
+    type (selenium, poltergeist, webkit, rack test).
 
-*   Calling `each_pair` or `each_value` on an `ActionController::Parameters`
-    without passing a block now returns an enumerator.
+    Fixes #42502
 
-    *Eugene Kenny*
+    *Chris LaRose*
 
-*   `fixture_file_upload` now uses path relative to `file_fixture_path`
+*   Allow multiline to be passed in routes when using wildcard segments.
 
-    Previously the path had to be relative to `fixture_path`.
-    You can change your existing code as follow:
+    Previously routes with newlines weren't detected when using wildcard segments, returning
+    a `No route matches` error.
+    After this change, routes with newlines are detected on wildcard segments. Example
 
     ```ruby
-    # Before
-    fixture_file_upload('files/dog.png')
+      draw do
+        get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
+      end
 
-    # After
-    fixture_file_upload('dog.png')
+      # After the change, the path matches.
+      assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
     ```
 
-    *Edouard Chin*
+    Fixes #39103
 
-*   Remove deprecated `force_ssl` at the controller level.
+    *Ignacio Chiazzo*
 
-    *Rafael Mendonça França*
+*   Treat html suffix in controller translation.
 
-*   The +helper+ class method for controllers loads helper modules specified as
-    strings/symbols with `String#constantize` instead of `require_dependency`.
+    *Rui Onodera*, *Gavin Miller*
 
-    Remember that support for strings/symbols is only a convenient API. You can
-    always pass a module object:
+*   Allow permitting numeric params.
 
+    Previously it was impossible to permit different fields on numeric parameters.
+    After this change you can specify different fields for each numbered parameter.
+    For example params like,
     ```ruby
-    helper UtilsHelper
+    book: {
+            authors_attributes: {
+              '0': { name: "William Shakespeare", age_of_death: "52" },
+              '1': { name: "Unattributed Assistant" },
+              '2': "Not a hash",
+              'new_record': { name: "Some name" }
+            }
+          }
     ```
 
-    which is recommended because it is simple and direct. When a string/symbol
-    is received, `helper` just manipulates and inflects the argument to obtain
-    that same module object.
+    Before you could permit name on each author with,
+    `permit book: { authors_attributes: [ :name ] }`
 
-    *Xavier Noria*, *Jean Boussier*
+    After this change you can permit different keys on each numbered element,
+    `permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
 
-*   Correctly identify the entire localhost IPv4 range as trusted proxy.
+    Fixes #41625
 
-    *Nick Soracco*
+    *Adam Hess*
 
-*   `url_for` will now use "https://" as the default protocol when
-    `Rails.application.config.force_ssl` is set to true.
+*   Update `HostAuthorization` middleware to render debug info only
+    when `config.consider_all_requests_local` is set to true.
 
-    *Jonathan Hefner*
+    Also, blocked host info is always logged with level `error`.
 
-*   Accept and default to base64_urlsafe CSRF tokens.
+    Fixes #42813
 
-    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
-    them difficult to deal with. For example, the common practice of sending
-    the CSRF token to a browser in a client-readable cookie does not work properly
-    out of the box: the value has to be url-encoded and decoded to survive transport.
+    *Nikita Vyrko*
 
-    Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
-    to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
-    for backwards compatibility.
+*  Add Server-Timing middleware
 
-    *Scott Blum*
+   Server-Timing specification defines how the server can communicate to browsers performance metrics
+   about the request it is responding to.
 
-*   Support rolling deploys for cookie serialization/encryption changes.
+   The ServerTiming middleware is enabled by default on `development` environment by default using the
+   `config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
 
-    In a distributed configuration like rolling update, users may observe
-    both old and new instances during deployment. Users may be served by a
-    new instance and then by an old instance.
+   The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
 
-    That means when the server changes `cookies_serializer` from `:marshal`
-    to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
-    from `false` to `true`, users may lose their sessions if they access the
-    server during deployment.
+   *Sebastian Sogamoso*, *Guillermo Iguaran*
 
-    We added fallbacks to downgrade the cookie format when necessary during
-    deployment, ensuring compatibility on both old and new instances.
 
-    *Masaki Hara*
+## Rails 7.0.0.alpha2 (September 15, 2021) ##
 
-*   `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
+*   No changes.
 
-    Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
-    Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
 
-    *Keenan Brock*
+## Rails 7.0.0.alpha1 (September 15, 2021) ##
 
-*   Fix possible information leak / session hijacking vulnerability.
+*   Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
+    to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
+    malformed JSON.
 
-    The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
-    gem dalli to be updated as well.
+    Fixes #41145
 
-    CVE-2019-16782.
+    *Aaron Lahey*
 
-*   Include child session assertion count in ActionDispatch::IntegrationTest.
+*   Add `Middleware#delete!` to delete middleware or raise if not found.
 
-    `IntegrationTest#open_session` uses `dup` to create the new session, which
-    meant it had its own copy of `@assertions`. This prevented the assertions
-    from being correctly counted and reported.
+    `Middleware#delete!` works just like `Middleware#delete` but will
+    raise an error if the middleware isn't found.
 
-    Child sessions now have their `attr_accessor` overridden to delegate to the
-    root session.
+    *Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
 
-    Fixes #32142.
+*   Raise error on unpermitted open redirects.
 
-    *Sam Bostock*
+    Add `allow_other_host` options to `redirect_to`.
+    Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
 
-*   Add SameSite protection to every written cookie.
+    *Gannon McGibbon*
 
-    Enabling `SameSite` cookie protection is an addition to CSRF protection,
-    where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
+*   Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
 
-    `:strict` disables cookies being sent in cross-site GET or POST requests.
+    [Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
 
-    Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
+    [Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
 
-    See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
+    *Yusuke Iwaki*
 
-    More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
+*   Exclude additional flash types from `ActionController::Base.action_methods`.
 
-    _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
+    Ensures that additional flash types defined on ActionController::Base subclasses
+    are not listed as actions on that controller.
 
-    *Cédric Fabianski*
+        class MyController < ApplicationController
+          add_flash_types :hype
+        end
 
-*   Bring back the feature that allows loading external route files from the router.
+        MyController.action_methods.include?('hype') # => false
 
-    This feature existed back in 2012 but got reverted with the incentive that
-    https://github.com/rails/routing_concerns was a better approach. Turned out
-    that this wasn't fully the case and loading external route files from the router
-    can be helpful for applications with a really large set of routes.
-    Without this feature, application needs to implement routes reloading
-    themselves and it's not straightforward.
+    *Gavin Morrice*
 
-    ```ruby
-    # config/routes.rb
+*   OpenSSL constants are now used for Digest computations.
 
-    Rails.application.routes.draw do
-      draw(:admin)
-    end
+    *Dirkjan Bussink*
 
-    # config/routes/admin.rb
+*   Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
 
-    get :foo, to: 'foo#bar'
-    ```
-
-    *Yehuda Katz*, *Edouard Chin*
-
-*   Fix system test driver option initialization for non-headless browsers.
+    Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
 
-    *glaszig*
+    *Tadas Sasnauskas*
 
-*   `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
-    their payloads as `:request`.
+*   Configuration setting to skip logging an uncaught exception backtrace when the exception is
+    present in `rescued_responses`.
 
-    *Austin Story*
+    It may be too noisy to get all backtraces logged for applications that manage uncaught
+    exceptions via `rescued_responses` and `exceptions_app`.
+    `config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
+    this case, so that only exceptions not found in `rescued_responses` will be logged.
 
-*   `respond_to#any` no longer returns a response's Content-Type based on the
-    request format but based on the block given.
+    *Alexander Azarov*, *Mike Dalessio*
 
-    Example:
+*   Ignore file fixtures on `db:fixtures:load`.
 
-    ```ruby
-      def my_action
-        respond_to do |format|
-          format.any { render(json: { foo: 'bar' }) }
-        end
-      end
+    *Kevin Sjöberg*
 
-      get('my_action.csv')
-    ```
+*   Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
 
-    The previous behaviour was to respond with a `text/csv` Content-Type which
-    is inaccurate since a JSON response is being rendered.
+    *Dylan Thacker-Smith*
 
-    Now it correctly returns a `application/json` Content-Type.
+*   New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
 
-    *Edouard Chin*
+    *Tadas Sasnauskas*
 
-*   Replaces (back)slashes in failure screenshot image paths with dashes.
+*   Drop support for the `SERVER_ADDR` header.
 
-    If a failed test case contained a slash or a backslash, a screenshot would be created in a
-    nested directory, causing issues with `tmp:clear`.
+    Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
 
-    *Damir Zekic*
+    *Ricardo Díaz*
 
-*   Add `params.member?` to mimic Hash behavior.
+*   Set session options when initializing a basic session.
 
-    *Younes Serraj*
-
-*   `process_action.action_controller` notifications now include the following in their payloads:
+    *Gannon McGibbon*
 
-    * `:request` - the `ActionDispatch::Request`
-    * `:response` - the `ActionDispatch::Response`
+*   Add `cache_control: {}` option to `fresh_when` and `stale?`.
 
-    *George Claghorn*
+    Works as a shortcut to set `response.cache_control` with the above methods.
 
-*   Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
-    `remote_ip` to `nil` before setting the header that the value is derived
-    from.
+    *Jacopo Beschi*
 
-    Fixes #37383.
+*   Writing into a disabled session will now raise an error.
 
-    *Norm Provost*
+    Previously when no session store was set, writing into the session would silently fail.
 
-*   `ActionController::Base.log_at` allows setting a different log level per request.
+    *Jean Boussier*
 
-    ```ruby
-    # Use the debug level if a particular cookie is set.
-    class ApplicationController < ActionController::Base
-      log_at :debug, if: -> { cookies[:debug] }
-    end
-    ```
+*   Add support for 'require-trusted-types-for' and 'trusted-types' headers.
 
-    *George Claghorn*
+    Fixes #42034.
 
-*   Allow system test screen shots to be taken more than once in
-    a test by prefixing the file name with an incrementing counter.
+    *lfalcao*
 
-    Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
-    enable saving of HTML during a screenshot in addition to the image.
-    This uses the same image name, with the extension replaced with `.html`
+*   Remove inline styles and address basic accessibility issues on rescue templates.
 
-    *Tom Fakes*
+    *Jacob Herrington*
 
-*   Add `Vary: Accept` header when using `Accept` header for response.
+*   Add support for 'private, no-store' Cache-Control headers.
 
-    For some requests like `/users/1`, Rails uses requests' `Accept`
-    header to determine what to return. And if we don't add `Vary`
-    in the response header, browsers might accidentally cache different
-    types of content, which would cause issues: e.g. javascript got displayed
-    instead of html content. This PR fixes these issues by adding `Vary: Accept`
-    in these types of requests. For more detailed problem description, please read:
+    Previously, 'no-store' was exclusive; no other directives could be specified.
 
-    https://github.com/rails/rails/pull/36213
+    *Alex Smith*
 
-    Fixes #25842.
+*   Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
+    know which controller action received unpermitted parameters.
 
-    *Stan Lo*
+    *bbuchalter*
 
-*   Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
-    a 307 redirection.
+*   Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
 
-    *Edouard Chin*
+    ```ruby
+    send_stream(filename: "subscribers.csv") do |stream|
+      stream.writeln "email_address,updated_at"
 
-*   System tests require Capybara 3.26 or newer.
+      @subscribers.find_each do |subscriber|
+        stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
+      end
+    end
+    ```
 
-    *George Claghorn*
+    *DHH*
 
-*   Reduced log noise handling ActionController::RoutingErrors.
+*   Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
 
-    *Alberto Fernández-Capel*
+    *DHH*
 
-*   Add DSL for configuring HTTP Feature Policy.
+*   `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
 
-    This new DSL provides a way to configure an HTTP Feature Policy at a
-    global or per-controller level. Full details of HTTP Feature Policy
-    specification and guidelines can be found at MDN:
+    Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
+    This behavior changed to returned Content-Type header containing charset part as it is.
 
-    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+    If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
 
-    Example global policy:
+    Before:
 
     ```ruby
-    Rails.application.config.feature_policy do |f|
-      f.camera      :none
-      f.gyroscope   :none
-      f.microphone  :none
-      f.usb         :none
-      f.fullscreen  :self
-      f.payment     :self, "https://secure.example.com"
-    end
+    request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
+    request.content_type #=> "text/csv"
     ```
 
-    Example controller level policy:
+    After:
 
     ```ruby
-    class PagesController < ApplicationController
-      feature_policy do |p|
-        p.geolocation "https://example.com"
-      end
-    end
+    request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
+    request.content_type #=> "text/csv; header=present; charset=utf-16"
+    request.media_type   #=> "text/csv"
     ```
 
-    *Jacob Bednarz*
+    *Rafael Mendonça França*
 
-*   Add the ability to set the CSP nonce only to the specified directives.
+*   Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
 
-    Fixes #35137.
+    *Rafael Mendonça França*
 
-    *Yuji Yaginuma*
+*   Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
 
-*   Keep part when scope option has value.
+    *Janko Marohnić*
 
-    When a route was defined within an optional scope, if that route didn't
-    take parameters the scope was lost when using path helpers. This commit
-    ensures scope is kept both when the route takes parameters or when it
-    doesn't.
+*   Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
 
-    Fixes #33219.
+    *ojab*
 
-    *Alberto Almagro*
+*   Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
 
-*   Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
+    *Alex Robbin*
 
-    *Gustavo Gutierrez*
+*   Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
+    as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
+    with a single value or an enumerable.
 
-*   Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
-    an enumerator for the parameters instead of the underlying hash.
+    Fixes #40772.
 
-    *Eugene Kenny*
+    *Christian Sutter*
 
-*   Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
-    It should only block invalid key's values instead.
+*   Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
+    The old method name is retained without explicit deprecation.
 
-    *Stan Lo*
+    *DHH*
 
 
-Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.