actionpack 6.1.7 → 7.0.4.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +269 -406
- data/MIT-LICENSE +1 -0
- data/README.rdoc +2 -3
- data/lib/abstract_controller/asset_paths.rb +1 -1
- data/lib/abstract_controller/base.rb +13 -26
- data/lib/abstract_controller/caching/fragments.rb +2 -2
- data/lib/abstract_controller/caching.rb +1 -1
- data/lib/abstract_controller/callbacks.rb +21 -7
- data/lib/abstract_controller/collector.rb +2 -2
- data/lib/abstract_controller/error.rb +1 -1
- data/lib/abstract_controller/helpers.rb +4 -3
- data/lib/abstract_controller/logger.rb +1 -1
- data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
- data/lib/abstract_controller/translation.rb +3 -2
- data/lib/abstract_controller/url_for.rb +4 -6
- data/lib/action_controller/api.rb +6 -6
- data/lib/action_controller/base.rb +5 -4
- data/lib/action_controller/form_builder.rb +2 -2
- data/lib/action_controller/log_subscriber.rb +4 -3
- data/lib/action_controller/metal/conditional_get.rb +39 -2
- data/lib/action_controller/metal/content_security_policy.rb +36 -2
- data/lib/action_controller/metal/cookies.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +5 -13
- data/lib/action_controller/metal/exceptions.rb +19 -30
- data/lib/action_controller/metal/flash.rb +6 -2
- data/lib/action_controller/metal/helpers.rb +2 -2
- data/lib/action_controller/metal/http_authentication.rb +66 -39
- data/lib/action_controller/metal/instrumentation.rb +57 -52
- data/lib/action_controller/metal/live.rb +43 -2
- data/lib/action_controller/metal/mime_responds.rb +3 -3
- data/lib/action_controller/metal/params_wrapper.rb +20 -11
- data/lib/action_controller/metal/permissions_policy.rb +19 -28
- data/lib/action_controller/metal/redirecting.rb +93 -18
- data/lib/action_controller/metal/renderers.rb +10 -11
- data/lib/action_controller/metal/rendering.rb +8 -8
- data/lib/action_controller/metal/request_forgery_protection.rb +78 -29
- data/lib/action_controller/metal/rescue.rb +1 -1
- data/lib/action_controller/metal/streaming.rb +6 -8
- data/lib/action_controller/metal/strong_parameters.rb +100 -54
- data/lib/action_controller/metal/testing.rb +9 -2
- data/lib/action_controller/metal/url_for.rb +3 -3
- data/lib/action_controller/metal.rb +10 -13
- data/lib/action_controller/railtie.rb +49 -6
- data/lib/action_controller/renderer.rb +1 -1
- data/lib/action_controller/test_case.rb +28 -7
- data/lib/action_controller.rb +2 -5
- data/lib/action_dispatch/http/cache.rb +14 -7
- data/lib/action_dispatch/http/content_security_policy.rb +108 -35
- data/lib/action_dispatch/http/filter_parameters.rb +5 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +15 -5
- data/lib/action_dispatch/http/mime_type.rb +9 -11
- data/lib/action_dispatch/http/parameters.rb +5 -5
- data/lib/action_dispatch/http/permissions_policy.rb +17 -1
- data/lib/action_dispatch/http/request.rb +12 -21
- data/lib/action_dispatch/http/response.rb +3 -16
- data/lib/action_dispatch/http/url.rb +11 -19
- data/lib/action_dispatch/journey/gtg/builder.rb +11 -12
- data/lib/action_dispatch/journey/gtg/simulator.rb +10 -4
- data/lib/action_dispatch/journey/gtg/transition_table.rb +77 -21
- data/lib/action_dispatch/journey/nodes/node.rb +70 -5
- data/lib/action_dispatch/journey/path/pattern.rb +22 -13
- data/lib/action_dispatch/journey/route.rb +6 -13
- data/lib/action_dispatch/journey/router/utils.rb +2 -2
- data/lib/action_dispatch/journey/router.rb +1 -1
- data/lib/action_dispatch/journey/routes.rb +3 -3
- data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
- data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +0 -1
- data/lib/action_dispatch/middleware/cookies.rb +42 -27
- data/lib/action_dispatch/middleware/debug_exceptions.rb +6 -4
- data/lib/action_dispatch/middleware/debug_locks.rb +3 -3
- data/lib/action_dispatch/middleware/exception_wrapper.rb +4 -0
- data/lib/action_dispatch/middleware/executor.rb +3 -0
- data/lib/action_dispatch/middleware/flash.rb +17 -18
- data/lib/action_dispatch/middleware/host_authorization.rb +1 -12
- data/lib/action_dispatch/middleware/remote_ip.rb +16 -4
- data/lib/action_dispatch/middleware/request_id.rb +1 -1
- data/lib/action_dispatch/middleware/server_timing.rb +76 -0
- data/lib/action_dispatch/middleware/session/abstract_store.rb +1 -1
- data/lib/action_dispatch/middleware/session/cookie_store.rb +9 -9
- data/lib/action_dispatch/middleware/show_exceptions.rb +7 -9
- data/lib/action_dispatch/middleware/stack.rb +27 -9
- data/lib/action_dispatch/middleware/static.rb +2 -6
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -11
- data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +3 -2
- data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +2 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +28 -18
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +5 -14
- data/lib/action_dispatch/railtie.rb +8 -2
- data/lib/action_dispatch/request/session.rb +43 -13
- data/lib/action_dispatch/routing/inspector.rb +1 -1
- data/lib/action_dispatch/routing/mapper.rb +59 -83
- data/lib/action_dispatch/routing/redirection.rb +5 -2
- data/lib/action_dispatch/routing/route_set.rb +17 -7
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +4 -5
- data/lib/action_dispatch/routing.rb +5 -6
- data/lib/action_dispatch/system_test_case.rb +5 -5
- data/lib/action_dispatch/system_testing/browser.rb +2 -12
- data/lib/action_dispatch/system_testing/driver.rb +35 -11
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +11 -7
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +0 -8
- data/lib/action_dispatch/testing/assertions/routing.rb +3 -2
- data/lib/action_dispatch/testing/assertions.rb +2 -5
- data/lib/action_dispatch/testing/integration.rb +6 -8
- data/lib/action_dispatch/testing/test_process.rb +3 -29
- data/lib/action_dispatch/testing/test_response.rb +20 -2
- data/lib/action_dispatch.rb +1 -0
- data/lib/action_pack/gem_version.rb +5 -5
- data/lib/action_pack/version.rb +1 -1
- metadata +16 -15
data/CHANGELOG.md
CHANGED
@@ -1,25 +1,55 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 7.0.4.1 (January 17, 2023) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* Fix sec issue with _url_host_allowed?
|
4
4
|
|
5
|
+
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
|
6
|
+
to malicious sites.
|
5
7
|
|
6
|
-
|
8
|
+
[CVE-2023-22797]
|
9
|
+
|
10
|
+
* Avoid regex backtracking on If-None-Match header
|
11
|
+
|
12
|
+
[CVE-2023-22795]
|
13
|
+
|
14
|
+
* Use string#split instead of regex for domain parts
|
15
|
+
|
16
|
+
[CVE-2023-22792]
|
7
17
|
|
8
|
-
* No changes.
|
9
18
|
|
19
|
+
## Rails 7.0.4 (September 09, 2022) ##
|
10
20
|
|
11
|
-
|
21
|
+
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
22
|
+
|
23
|
+
Previously, if another middleware down the chain set `Server-Timing` header,
|
24
|
+
it would overwritten by `ActionDispatch::ServerTiming`.
|
25
|
+
|
26
|
+
*Jakub Malinowski*
|
27
|
+
|
28
|
+
|
29
|
+
## Rails 7.0.3.1 (July 12, 2022) ##
|
12
30
|
|
13
31
|
* No changes.
|
14
32
|
|
15
33
|
|
16
|
-
## Rails
|
34
|
+
## Rails 7.0.3 (May 09, 2022) ##
|
17
35
|
|
18
|
-
* Allow
|
36
|
+
* Allow relative redirects when `raise_on_open_redirects` is enabled.
|
19
37
|
|
20
|
-
*
|
38
|
+
*Tom Hughes*
|
39
|
+
|
40
|
+
* Fix `authenticate_with_http_basic` to allow for missing password.
|
41
|
+
|
42
|
+
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
43
|
+
|
44
|
+
```ruby
|
45
|
+
authenticate_with_http_basic do |token, _|
|
46
|
+
ApiClient.authenticate(token)
|
47
|
+
end
|
48
|
+
```
|
49
|
+
|
50
|
+
This ability is restored.
|
21
51
|
|
22
|
-
|
52
|
+
*Jean Boussier*
|
23
53
|
|
24
54
|
* Fix `content_security_policy` returning invalid directives.
|
25
55
|
|
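Review bot: the `_url_host_allowed?` entry (CVE-2023-22797) says only "Disallow certain strings" and never names them or the caller they reach, so a reader cannot tell which `redirect_to` inputs were previously accepted; since the 7.0.3 entry further down this hunk widens the same check ("Allow relative redirects when `raise_on_open_redirects` is enabled"), the 7.0.4.1 entry should state which forms are now rejected or link the advisory. Smaller points in the same hunk: "Fix sec issue with" should read "Fix security issue with" to match the rest of the file, and the 7.0.4 Server-Timing entry reads "it would overwritten by", missing "be". Note also that the removed side of this hunk is truncated to its unchanged prefix ("## Rails", "*"), so the 6.1.x headings and bullets being replaced are not recoverable from this view and the old side cannot be checked line by line.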
@@ -37,53 +67,52 @@
|
|
37
67
|
|
38
68
|
*Edouard Chin*
|
39
69
|
|
40
|
-
*
|
41
|
-
|
42
|
-
|
43
|
-
Also, blocked host info is always logged with level `error`.
|
44
|
-
|
45
|
-
Fixes #42813.
|
70
|
+
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
71
|
+
protection has not been enabled / `verify_authenticity_token` is not a
|
72
|
+
defined callback.
|
46
73
|
|
47
|
-
|
48
|
-
|
49
|
-
* Dup arrays that get "converted".
|
74
|
+
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
75
|
+
`ArgumentError` if `default_protect_from_forgery` is false.
|
50
76
|
|
51
|
-
|
77
|
+
*Brad Trick*
|
52
78
|
|
53
|
-
|
79
|
+
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
54
80
|
|
55
|
-
|
81
|
+
Since its inception `ActionController::Live` has been copying thread local variables
|
82
|
+
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
56
83
|
|
57
|
-
|
84
|
+
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
85
|
+
`ActionController::Live` controllers.
|
58
86
|
|
59
|
-
*
|
87
|
+
*Jean Boussier*
|
60
88
|
|
61
|
-
|
89
|
+
* Fix setting `trailing_slash: true` in route definition.
|
62
90
|
|
63
|
-
|
64
|
-
|
65
|
-
* Add fallback host for SystemTestCase driven by RackTest.
|
91
|
+
```ruby
|
92
|
+
get '/test' => "test#index", as: :test, trailing_slash: true
|
66
93
|
|
67
|
-
|
94
|
+
test_path() # => "/test/"
|
95
|
+
```
|
68
96
|
|
69
|
-
*
|
97
|
+
*Jean Boussier*
|
70
98
|
|
71
|
-
|
99
|
+
## Rails 7.0.2.4 (April 26, 2022) ##
|
72
100
|
|
73
|
-
|
101
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
74
102
|
|
103
|
+
*Tim Wade*
|
75
104
|
|
76
|
-
## Rails
|
105
|
+
## Rails 7.0.2.3 (March 08, 2022) ##
|
77
106
|
|
78
107
|
* No changes.
|
79
108
|
|
80
109
|
|
81
|
-
## Rails
|
110
|
+
## Rails 7.0.2.2 (February 11, 2022) ##
|
82
111
|
|
83
112
|
* No changes.
|
84
113
|
|
85
114
|
|
86
|
-
## Rails
|
115
|
+
## Rails 7.0.2.1 (February 11, 2022) ##
|
87
116
|
|
88
117
|
* Under certain circumstances, the middleware isn't informed that the
|
89
118
|
response body has been fully closed which result in request state not
|
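Review bot: the 7.0.2.1 entry at the bottom of this hunk is split by the hunk boundary ("...which result in request state not" continues in the next hunk, where its CVE-2022-23633 tag sits), so the two hunks have to be read together; in the visible text "which result in" should be "which results in". On the `ActionController::Live` entry: it says thread-local state such as `CurrentAttributes` is copied into the ephemeral thread, but not whether the copy is taken once when the stream thread starts, which is what an application that reads `CurrentAttributes` for authorization decisions inside a streaming action needs to know; one sentence on that would settle it. The `skip_forgery_protection` entry frames the change as a Welcome Page fix, but the condition it names, `default_protect_from_forgery` being false, is a security-relevant configuration, and the entry could make explicit that the fix only stops the `ArgumentError` and does not turn forgery protection on.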
@@ -92,545 +121,379 @@
|
|
92
121
|
[CVE-2022-23633]
|
93
122
|
|
94
123
|
|
95
|
-
## Rails
|
96
|
-
|
97
|
-
* Fix issue with host protection not allowing host with port in development.
|
98
|
-
|
99
|
-
|
100
|
-
## Rails 6.1.4.3 (December 14, 2021) ##
|
101
|
-
|
102
|
-
* Fix issue with host protection not allowing localhost in development.
|
103
|
-
|
104
|
-
|
105
|
-
## Rails 6.1.4.2 (December 14, 2021) ##
|
106
|
-
|
107
|
-
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
108
|
-
|
109
|
-
## Rails 6.1.4.1 (August 19, 2021) ##
|
110
|
-
|
111
|
-
* [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
|
112
|
-
|
113
|
-
Specially crafted "X-Forwarded-Host" headers in combination with certain
|
114
|
-
"allowed host" formats can cause the Host Authorization middleware in Action
|
115
|
-
Pack to redirect users to a malicious website.
|
116
|
-
|
117
|
-
## Rails 6.1.4 (June 24, 2021) ##
|
118
|
-
|
119
|
-
* Ignore file fixtures on `db:fixtures:load`
|
120
|
-
|
121
|
-
*Kevin Sjöberg*
|
122
|
-
|
123
|
-
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
124
|
-
|
125
|
-
*Dylan Thacker-Smith*
|
126
|
-
|
127
|
-
* Correctly place optional path parameter booleans.
|
128
|
-
|
129
|
-
Previously, if you specify a url parameter that is part of the path as false it would include that part
|
130
|
-
of the path as parameter for example:
|
131
|
-
|
132
|
-
```
|
133
|
-
get "(/optional/:optional_id)/things" => "foo#foo", as: :things
|
134
|
-
things_path(optional_id: false) # => /things?optional_id=false
|
135
|
-
```
|
136
|
-
|
137
|
-
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
|
138
|
-
|
139
|
-
```
|
140
|
-
get '(this/:my_bool)/that' as: :that
|
141
|
-
|
142
|
-
that_path(my_bool: true) # => `/this/true/that`
|
143
|
-
that_path(my_bool: false) # => `/this/false/that`
|
144
|
-
```
|
145
|
-
|
146
|
-
*Adam Hess*
|
147
|
-
|
148
|
-
* Add support for 'private, no-store' Cache-Control headers.
|
149
|
-
|
150
|
-
Previously, 'no-store' was exclusive; no other directives could be specified.
|
151
|
-
|
152
|
-
*Alex Smith*
|
153
|
-
|
154
|
-
|
155
|
-
## Rails 6.1.3.2 (May 05, 2021) ##
|
156
|
-
|
157
|
-
* Prevent open redirects by correctly escaping the host allow list
|
158
|
-
CVE-2021-22903
|
159
|
-
|
160
|
-
* Prevent catastrophic backtracking during mime parsing
|
161
|
-
CVE-2021-22902
|
162
|
-
|
163
|
-
* Prevent regex DoS in HTTP token authentication
|
164
|
-
CVE-2021-22904
|
165
|
-
|
166
|
-
* Prevent string polymorphic route arguments.
|
167
|
-
|
168
|
-
`url_for` supports building polymorphic URLs via an array
|
169
|
-
of arguments (usually symbols and records). If a developer passes a
|
170
|
-
user input array, strings can result in unwanted route helper calls.
|
171
|
-
|
172
|
-
CVE-2021-22885
|
173
|
-
|
174
|
-
*Gannon McGibbon*
|
175
|
-
|
176
|
-
## Rails 6.1.3.1 (March 26, 2021) ##
|
124
|
+
## Rails 7.0.2 (February 08, 2022) ##
|
177
125
|
|
178
126
|
* No changes.
|
179
127
|
|
180
128
|
|
181
|
-
## Rails
|
182
|
-
|
183
|
-
* Re-define routes when not set correctly via inheritance.
|
184
|
-
|
185
|
-
*John Hawthorn*
|
129
|
+
## Rails 7.0.1 (January 06, 2022) ##
|
186
130
|
|
131
|
+
* Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
|
132
|
+
of the original object.
|
187
133
|
|
188
|
-
|
134
|
+
*Yutaka Kamei*
|
189
135
|
|
190
|
-
* Prevent open redirect when allowed host starts with a dot
|
191
136
|
|
192
|
-
|
137
|
+
## Rails 7.0.0 (December 15, 2021) ##
|
193
138
|
|
194
|
-
|
195
|
-
issue and the patch!
|
139
|
+
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
196
140
|
|
197
|
-
|
141
|
+
*Étienne Barrié*
|
198
142
|
|
143
|
+
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
199
144
|
|
200
|
-
|
145
|
+
This means if you make multiple requests in the same test, instance variables set in the first request will
|
146
|
+
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
201
147
|
|
202
|
-
*
|
203
|
-
|
204
|
-
*Janko Marohnić*
|
205
|
-
|
206
|
-
* Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
|
207
|
-
|
208
|
-
*Eugene Kenny*
|
209
|
-
|
210
|
-
|
211
|
-
## Rails 6.1.1 (January 07, 2021) ##
|
212
|
-
|
213
|
-
* Fix nil translation key lookup in controllers/
|
214
|
-
|
215
|
-
*Jan Klimo*
|
148
|
+
*Alex Ghiculescu*
|
216
149
|
|
217
|
-
* Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
|
218
150
|
|
219
|
-
|
151
|
+
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
220
152
|
|
221
|
-
*
|
153
|
+
* No changes.
|
222
154
|
|
223
|
-
*Alex Robbin*
|
224
155
|
|
156
|
+
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
225
157
|
|
226
|
-
|
158
|
+
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
227
159
|
|
228
|
-
* Support for the HTTP header `Feature-Policy` has been revised to reflect
|
229
|
-
its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
|
230
160
|
|
231
|
-
|
232
|
-
Rails.application.config.permissions_policy do |p|
|
233
|
-
p.camera :none
|
234
|
-
p.gyroscope :none
|
235
|
-
p.microphone :none
|
236
|
-
p.usb :none
|
237
|
-
p.fullscreen :self
|
238
|
-
p.payment :self, "https://secure-example.com"
|
239
|
-
end
|
240
|
-
```
|
161
|
+
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
241
162
|
|
242
|
-
|
163
|
+
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
243
164
|
|
244
|
-
|
165
|
+
This helps to better simulate request or job local state being reset between requests and prevent state
|
166
|
+
leaking from one request to another.
|
245
167
|
|
246
|
-
|
168
|
+
To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
|
247
169
|
|
248
|
-
*
|
170
|
+
*Alex Ghiculescu*
|
249
171
|
|
250
|
-
*
|
251
|
-
the unique X-Request-Id header
|
172
|
+
* Consider onion services secure for cookies.
|
252
173
|
|
253
|
-
*
|
174
|
+
*Justin Tracey*
|
254
175
|
|
255
|
-
*
|
176
|
+
* Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
|
256
177
|
|
257
178
|
*Rafael Mendonça França*
|
258
179
|
|
259
|
-
*
|
180
|
+
* Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
|
260
181
|
|
261
182
|
*Rafael Mendonça França*
|
262
183
|
|
263
|
-
* Remove deprecated `ActionDispatch::
|
184
|
+
* Remove deprecated `ActionDispatch::SystemTestCase#host!`.
|
264
185
|
|
265
186
|
*Rafael Mendonça França*
|
266
187
|
|
267
|
-
*
|
268
|
-
|
269
|
-
If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
|
270
|
-
|
271
|
-
*Chris Kruger*
|
188
|
+
* Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
|
272
189
|
|
273
|
-
*
|
274
|
-
|
275
|
-
Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
|
276
|
-
`ActionDispatch::Http::Request#POST` prior to validating encoding.
|
277
|
-
|
278
|
-
*Adrianna Chang*
|
279
|
-
|
280
|
-
* Allow `assert_recognizes` routing assertions to work on mounted root routes.
|
281
|
-
|
282
|
-
*Gannon McGibbon*
|
283
|
-
|
284
|
-
* Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
|
285
|
-
|
286
|
-
*Alan Tan*, *Oz Ben-David*
|
287
|
-
|
288
|
-
* Fix `follow_redirect!` to follow redirection with same HTTP verb when following
|
289
|
-
a 308 redirection.
|
190
|
+
*Rafael Mendonça França*
|
290
191
|
|
291
|
-
|
192
|
+
* Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
|
292
193
|
|
293
|
-
*
|
294
|
-
chosen only if it is equal to or is a superdomain of the request host.
|
194
|
+
*Rafael Mendonça França*
|
295
195
|
|
296
|
-
|
196
|
+
* Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
|
297
197
|
|
298
|
-
|
198
|
+
This allows `rescue_from` to be used to add a default fallback route:
|
299
199
|
|
300
|
-
|
301
|
-
|
200
|
+
```ruby
|
201
|
+
rescue_from ActionController::Redirecting::UnsafeRedirectError do
|
202
|
+
redirect_to root_url
|
203
|
+
end
|
204
|
+
```
|
302
205
|
|
303
|
-
|
304
|
-
we check for public/some.js.br and serve that file, if present, with
|
305
|
-
`Content-Encoding: br` and `Vary: Accept-Encoding` headers.
|
206
|
+
*Kasper Timm Hansen*, *Chris Oliver*
|
306
207
|
|
307
|
-
|
208
|
+
* Add `url_from` to verify a redirect location is internal.
|
308
209
|
|
309
|
-
|
210
|
+
Takes the open redirect protection from `redirect_to` so users can wrap a
|
211
|
+
param, and fall back to an alternate redirect URL when the param provided
|
212
|
+
one is unsafe.
|
310
213
|
|
311
|
-
|
312
|
-
|
313
|
-
|
214
|
+
```ruby
|
215
|
+
def create
|
216
|
+
redirect_to url_from(params[:redirect_url]) || root_url
|
217
|
+
end
|
218
|
+
```
|
314
219
|
|
315
|
-
*
|
220
|
+
*dmcge*, *Kasper Timm Hansen*
|
316
221
|
|
317
|
-
*
|
222
|
+
* Allow Capybara driver name overrides in `SystemTestCase::driven_by`
|
318
223
|
|
319
|
-
|
224
|
+
Allow users to prevent conflicts among drivers that use the same driver
|
225
|
+
type (selenium, poltergeist, webkit, rack test).
|
320
226
|
|
321
|
-
|
322
|
-
without passing a block now returns an enumerator.
|
227
|
+
Fixes #42502
|
323
228
|
|
324
|
-
*
|
229
|
+
*Chris LaRose*
|
325
230
|
|
326
|
-
*
|
231
|
+
* Allow multiline to be passed in routes when using wildcard segments.
|
327
232
|
|
328
|
-
Previously
|
329
|
-
|
233
|
+
Previously routes with newlines weren't detected when using wildcard segments, returning
|
234
|
+
a `No route matches` error.
|
235
|
+
After this change, routes with newlines are detected on wildcard segments. Example
|
330
236
|
|
331
237
|
```ruby
|
332
|
-
|
333
|
-
|
238
|
+
draw do
|
239
|
+
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
240
|
+
end
|
334
241
|
|
335
|
-
|
336
|
-
|
242
|
+
# After the change, the path matches.
|
243
|
+
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
337
244
|
```
|
338
245
|
|
339
|
-
|
246
|
+
Fixes #39103
|
340
247
|
|
341
|
-
*
|
248
|
+
*Ignacio Chiazzo*
|
342
249
|
|
343
|
-
|
250
|
+
* Treat html suffix in controller translation.
|
344
251
|
|
345
|
-
*
|
346
|
-
strings/symbols with `String#constantize` instead of `require_dependency`.
|
252
|
+
*Rui Onodera*, *Gavin Miller*
|
347
253
|
|
348
|
-
|
349
|
-
always pass a module object:
|
254
|
+
* Allow permitting numeric params.
|
350
255
|
|
256
|
+
Previously it was impossible to permit different fields on numeric parameters.
|
257
|
+
After this change you can specify different fields for each numbered parameter.
|
258
|
+
For example params like,
|
351
259
|
```ruby
|
352
|
-
|
260
|
+
book: {
|
261
|
+
authors_attributes: {
|
262
|
+
'0': { name: "William Shakespeare", age_of_death: "52" },
|
263
|
+
'1': { name: "Unattributed Assistant" },
|
264
|
+
'2': "Not a hash",
|
265
|
+
'new_record': { name: "Some name" }
|
266
|
+
}
|
267
|
+
}
|
353
268
|
```
|
354
269
|
|
355
|
-
|
356
|
-
|
357
|
-
that same module object.
|
358
|
-
|
359
|
-
*Xavier Noria*, *Jean Boussier*
|
360
|
-
|
361
|
-
* Correctly identify the entire localhost IPv4 range as trusted proxy.
|
270
|
+
Before you could permit name on each author with,
|
271
|
+
`permit book: { authors_attributes: [ :name ] }`
|
362
272
|
|
363
|
-
|
273
|
+
After this change you can permit different keys on each numbered element,
|
274
|
+
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
364
275
|
|
365
|
-
|
366
|
-
`Rails.application.config.force_ssl` is set to true.
|
276
|
+
Fixes #41625
|
367
277
|
|
368
|
-
*
|
278
|
+
*Adam Hess*
|
369
279
|
|
370
|
-
*
|
280
|
+
* Update `HostAuthorization` middleware to render debug info only
|
281
|
+
when `config.consider_all_requests_local` is set to true.
|
371
282
|
|
372
|
-
|
373
|
-
them difficult to deal with. For example, the common practice of sending
|
374
|
-
the CSRF token to a browser in a client-readable cookie does not work properly
|
375
|
-
out of the box: the value has to be url-encoded and decoded to survive transport.
|
283
|
+
Also, blocked host info is always logged with level `error`.
|
376
284
|
|
377
|
-
|
378
|
-
to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
|
379
|
-
for backwards compatibility.
|
285
|
+
Fixes #42813
|
380
286
|
|
381
|
-
*
|
287
|
+
*Nikita Vyrko*
|
382
288
|
|
383
|
-
*
|
289
|
+
* Add Server-Timing middleware
|
384
290
|
|
385
|
-
|
386
|
-
|
387
|
-
new instance and then by an old instance.
|
291
|
+
Server-Timing specification defines how the server can communicate to browsers performance metrics
|
292
|
+
about the request it is responding to.
|
388
293
|
|
389
|
-
|
390
|
-
|
391
|
-
from `false` to `true`, users may lose their sessions if they access the
|
392
|
-
server during deployment.
|
294
|
+
The ServerTiming middleware is enabled by default on `development` environment by default using the
|
295
|
+
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
393
296
|
|
394
|
-
|
395
|
-
deployment, ensuring compatibility on both old and new instances.
|
297
|
+
The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
|
396
298
|
|
397
|
-
|
299
|
+
*Sebastian Sogamoso*, *Guillermo Iguaran*
|
398
300
|
|
399
|
-
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
400
301
|
|
401
|
-
|
402
|
-
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
302
|
+
## Rails 7.0.0.alpha2 (September 15, 2021) ##
|
403
303
|
|
404
|
-
|
304
|
+
* No changes.
|
405
305
|
|
406
|
-
* Fix possible information leak / session hijacking vulnerability.
|
407
306
|
|
408
|
-
|
409
|
-
gem dalli to be updated as well.
|
307
|
+
## Rails 7.0.0.alpha1 (September 15, 2021) ##
|
410
308
|
|
411
|
-
|
309
|
+
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
|
310
|
+
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
311
|
+
malformed JSON.
|
412
312
|
|
413
|
-
|
313
|
+
Fixes #41145
|
414
314
|
|
415
|
-
|
416
|
-
meant it had its own copy of `@assertions`. This prevented the assertions
|
417
|
-
from being correctly counted and reported.
|
315
|
+
*Aaron Lahey*
|
418
316
|
|
419
|
-
|
420
|
-
root session.
|
317
|
+
* Add `Middleware#delete!` to delete middleware or raise if not found.
|
421
318
|
|
422
|
-
|
319
|
+
`Middleware#delete!` works just like `Middleware#delete` but will
|
320
|
+
raise an error if the middleware isn't found.
|
423
321
|
|
424
|
-
*
|
322
|
+
*Alex Ghiculescu*, *Petrik de Heus*, *Junichi Sato*
|
425
323
|
|
426
|
-
*
|
324
|
+
* Raise error on unpermitted open redirects.
|
427
325
|
|
428
|
-
|
429
|
-
|
326
|
+
Add `allow_other_host` options to `redirect_to`.
|
327
|
+
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
430
328
|
|
431
|
-
|
329
|
+
*Gannon McGibbon*
|
432
330
|
|
433
|
-
|
331
|
+
* Deprecate `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Add `cuprite` instead.
|
434
332
|
|
435
|
-
|
333
|
+
[Poltergeist](https://github.com/teampoltergeist/poltergeist) and [capybara-webkit](https://github.com/thoughtbot/capybara-webkit) are already not maintained. These usage in Rails are removed for avoiding confusing users.
|
436
334
|
|
437
|
-
|
335
|
+
[Cuprite](https://github.com/rubycdp/cuprite) is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
|
438
336
|
|
439
|
-
|
337
|
+
*Yusuke Iwaki*
|
440
338
|
|
441
|
-
|
339
|
+
* Exclude additional flash types from `ActionController::Base.action_methods`.
|
442
340
|
|
443
|
-
|
341
|
+
Ensures that additional flash types defined on ActionController::Base subclasses
|
342
|
+
are not listed as actions on that controller.
|
444
343
|
|
445
|
-
|
446
|
-
|
447
|
-
|
448
|
-
can be helpful for applications with a really large set of routes.
|
449
|
-
Without this feature, application needs to implement routes reloading
|
450
|
-
themselves and it's not straightforward.
|
344
|
+
class MyController < ApplicationController
|
345
|
+
add_flash_types :hype
|
346
|
+
end
|
451
347
|
|
452
|
-
|
453
|
-
# config/routes.rb
|
348
|
+
MyController.action_methods.include?('hype') # => false
|
454
349
|
|
455
|
-
|
456
|
-
draw(:admin)
|
457
|
-
end
|
350
|
+
*Gavin Morrice*
|
458
351
|
|
459
|
-
|
352
|
+
* OpenSSL constants are now used for Digest computations.
|
460
353
|
|
461
|
-
|
462
|
-
```
|
354
|
+
*Dirkjan Bussink*
|
463
355
|
|
464
|
-
|
356
|
+
* Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
|
465
357
|
|
466
|
-
|
358
|
+
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
|
467
359
|
|
468
|
-
*
|
360
|
+
*Tadas Sasnauskas*
|
469
361
|
|
470
|
-
*
|
471
|
-
|
362
|
+
* Configuration setting to skip logging an uncaught exception backtrace when the exception is
|
363
|
+
present in `rescued_responses`.
|
472
364
|
|
473
|
-
|
365
|
+
It may be too noisy to get all backtraces logged for applications that manage uncaught
|
366
|
+
exceptions via `rescued_responses` and `exceptions_app`.
|
367
|
+
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
368
|
+
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
474
369
|
|
475
|
-
*
|
476
|
-
request format but based on the block given.
|
370
|
+
*Alexander Azarov*, *Mike Dalessio*
|
477
371
|
|
478
|
-
|
372
|
+
* Ignore file fixtures on `db:fixtures:load`.
|
479
373
|
|
480
|
-
|
481
|
-
def my_action
|
482
|
-
respond_to do |format|
|
483
|
-
format.any { render(json: { foo: 'bar' }) }
|
484
|
-
end
|
485
|
-
end
|
374
|
+
*Kevin Sjöberg*
|
486
375
|
|
487
|
-
|
488
|
-
```
|
376
|
+
* Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
|
489
377
|
|
490
|
-
|
491
|
-
is inaccurate since a JSON response is being rendered.
|
378
|
+
*Dylan Thacker-Smith*
|
492
379
|
|
493
|
-
|
380
|
+
* New `ActionController::ConditionalGet#no_store` method to set HTTP cache control `no-store` directive.
|
494
381
|
|
495
|
-
*
|
382
|
+
*Tadas Sasnauskas*
|
496
383
|
|
497
|
-
*
|
384
|
+
* Drop support for the `SERVER_ADDR` header.
|
498
385
|
|
499
|
-
|
500
|
-
nested directory, causing issues with `tmp:clear`.
|
386
|
+
Following up https://github.com/rack/rack/pull/1573 and https://github.com/rails/rails/pull/42349.
|
501
387
|
|
502
|
-
*
|
388
|
+
*Ricardo Díaz*
|
503
389
|
|
504
|
-
*
|
390
|
+
* Set session options when initializing a basic session.
|
505
391
|
|
506
|
-
*
|
392
|
+
*Gannon McGibbon*
|
507
393
|
|
508
|
-
* `
|
394
|
+
* Add `cache_control: {}` option to `fresh_when` and `stale?`.
|
509
395
|
|
510
|
-
|
511
|
-
* `:response` - the `ActionDispatch::Response`
|
396
|
+
Works as a shortcut to set `response.cache_control` with the above methods.
|
512
397
|
|
513
|
-
*
|
398
|
+
*Jacopo Beschi*
|
514
399
|
|
515
|
-
*
|
516
|
-
`remote_ip` to `nil` before setting the header that the value is derived
|
517
|
-
from.
|
400
|
+
* Writing into a disabled session will now raise an error.
|
518
401
|
|
519
|
-
|
402
|
+
Previously when no session store was set, writing into the session would silently fail.
|
520
403
|
|
521
|
-
*
|
404
|
+
*Jean Boussier*
|
522
405
|
|
523
|
-
*
|
406
|
+
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
524
407
|
|
525
|
-
|
526
|
-
# Use the debug level if a particular cookie is set.
|
527
|
-
class ApplicationController < ActionController::Base
|
528
|
-
log_at :debug, if: -> { cookies[:debug] }
|
529
|
-
end
|
530
|
-
```
|
531
|
-
|
532
|
-
*George Claghorn*
|
408
|
+
Fixes #42034.
|
533
409
|
|
534
|
-
*
|
535
|
-
a test by prefixing the file name with an incrementing counter.
|
410
|
+
*lfalcao*
|
536
411
|
|
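Review bot: `require-trusted-types-for` and `trusted-types` are Content-Security-Policy directives, not HTTP headers, so the entry title "Add support for 'require-trusted-types-for' and 'trusted-types' headers" should say "directives"; both values are emitted inside the existing `Content-Security-Policy` header rather than as separate response headers. The entry would also be more useful to someone upgrading if it showed the policy DSL call that sets them, the way the `send_stream` entry in this file shows its usage.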
537
|
-
|
538
|
-
enable saving of HTML during a screenshot in addition to the image.
|
539
|
-
This uses the same image name, with the extension replaced with `.html`
|
412
|
+
* Remove inline styles and address basic accessibility issues on rescue templates.
|
540
413
|
|
541
|
-
*
|
414
|
+
*Jacob Herrington*
|
542
415
|
|
543
|
-
* Add
|
416
|
+
* Add support for 'private, no-store' Cache-Control headers.
|
544
417
|
|
545
|
-
|
546
|
-
header to determine what to return. And if we don't add `Vary`
|
547
|
-
in the response header, browsers might accidentally cache different
|
548
|
-
types of content, which would cause issues: e.g. javascript got displayed
|
549
|
-
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
550
|
-
in these types of requests. For more detailed problem description, please read:
|
418
|
+
Previously, 'no-store' was exclusive; no other directives could be specified.
|
551
419
|
|
552
|
-
|
420
|
+
*Alex Smith*
|
553
421
|
|
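Review bot: 'private, no-store' is two directives in a single `Cache-Control` header, not two headers, so the title "Add support for 'private, no-store' Cache-Control headers" should read "directives"; the body line already uses the right term ("no other directives could be specified"). Consider adding one sentence stating that `no-store` still forbids storage by both shared and private caches and that `private` only adds the shared-cache restriction, so readers do not assume that combining them weakens `no-store`.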
554
|
-
|
422
|
+
* Expand payload of `unpermitted_parameters.action_controller` instrumentation to allow subscribers to
|
423
|
+
know which controller action received unpermitted parameters.
|
555
424
|
|
556
|
-
*
|
425
|
+
*bbuchalter*
|
557
426
|
|
558
|
-
*
|
559
|
-
a 307 redirection.
|
427
|
+
* Add `ActionController::Live#send_stream` that makes it more convenient to send generated streams:
|
560
428
|
|
561
|
-
|
429
|
+
```ruby
|
430
|
+
send_stream(filename: "subscribers.csv") do |stream|
|
431
|
+
stream.writeln "email_address,updated_at"
|
562
432
|
|
563
|
-
|
433
|
+
@subscribers.find_each do |subscriber|
|
434
|
+
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
435
|
+
end
|
436
|
+
end
|
437
|
+
```
|
564
438
|
|
565
|
-
*
|
439
|
+
*DHH*
|
566
440
|
|
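Review bot: in the `send_stream` example, `stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")` writes CSV rows without quoting or escaping, so a field containing a comma, a double quote or a newline produces a malformed row, and a value beginning with `=`, `+`, `-` or `@` reaches spreadsheet clients unescaped. Since this snippet will be copied as the canonical usage, suggest `require "csv"` and `stream.write CSV.generate_line([subscriber.email_address, subscriber.updated_at])`, which quotes fields as needed and already terminates the row, so `writeln` is not needed for the data lines; the `email_address,updated_at` header line can stay as is.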
567
|
-
*
|
441
|
+
* Add `ActionController::Live::Buffer#writeln` to write a line to the stream with a newline included.
|
568
442
|
|
569
|
-
*
|
443
|
+
*DHH*
|
570
444
|
|
571
|
-
*
|
445
|
+
* `ActionDispatch::Request#content_type` now returned Content-Type header as it is.
|
572
446
|
|
573
|
-
|
574
|
-
|
575
|
-
specification and guidelines can be found at MDN:
|
447
|
+
Previously, `ActionDispatch::Request#content_type` returned value does NOT contain charset part.
|
448
|
+
This behavior changed to returned Content-Type header containing charset part as it is.
|
576
449
|
|
577
|
-
|
450
|
+
If you want just MIME type, please use `ActionDispatch::Request#media_type` instead.
|
578
451
|
|
579
|
-
|
452
|
+
Before:
|
580
453
|
|
581
454
|
```ruby
|
582
|
-
|
583
|
-
|
584
|
-
f.gyroscope :none
|
585
|
-
f.microphone :none
|
586
|
-
f.usb :none
|
587
|
-
f.fullscreen :self
|
588
|
-
f.payment :self, "https://secure.example.com"
|
589
|
-
end
|
455
|
+
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
456
|
+
request.content_type #=> "text/csv"
|
590
457
|
```
|
591
458
|
|
592
|
-
|
459
|
+
After:
|
593
460
|
|
594
461
|
```ruby
|
595
|
-
|
596
|
-
|
597
|
-
|
598
|
-
end
|
599
|
-
end
|
462
|
+
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
463
|
+
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
464
|
+
request.media_type #=> "text/csv"
|
600
465
|
```
|
601
466
|
|
602
|
-
*
|
467
|
+
*Rafael Mendonça França*
|
603
468
|
|
604
|
-
*
|
469
|
+
* Change `ActionDispatch::Request#media_type` to return `nil` when the request don't have a `Content-Type` header.
|
605
470
|
|
606
|
-
|
471
|
+
*Rafael Mendonça França*
|
607
472
|
|
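Review bot: the "After" snippet builds the request with `"Content-Type" => "text/csv; ..."` while the "Before" snippet uses `"CONTENT_TYPE" => ...`; the Rack env key that `content_type` (and therefore `media_type`) reads is `CONTENT_TYPE`, so the second snippet as written would not see the header at all and would return `nil` instead of the documented `"text/csv; header=present; charset=utf-16"` and `"text/csv"`. Suggest `"CONTENT_TYPE"` in both snippets. Wording in the same region: "now returned Content-Type header as it is" should be "now returns the Content-Type header as is", "returned value does NOT contain charset part" should be "the returned value did not contain the charset part", and in the following `media_type` entry "when the request don't have" should be "when the request doesn't have".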
608
|
-
|
473
|
+
* Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
|
609
474
|
|
610
|
-
*
|
475
|
+
*Janko Marohnić*
|
611
476
|
|
612
|
-
|
613
|
-
take parameters the scope was lost when using path helpers. This commit
|
614
|
-
ensures scope is kept both when the route takes parameters or when it
|
615
|
-
doesn't.
|
477
|
+
* Allow anything with `#to_str` (like `Addressable::URI`) as a `redirect_to` location.
|
616
478
|
|
617
|
-
|
479
|
+
*ojab*
|
618
480
|
|
619
|
-
|
481
|
+
* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
|
620
482
|
|
621
|
-
*
|
483
|
+
*Alex Robbin*
|
622
484
|
|
623
|
-
|
485
|
+
* Deprecate the ability to assign a single value to `config.action_dispatch.trusted_proxies`
|
486
|
+
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
487
|
+
with a single value or an enumerable.
|
624
488
|
|
625
|
-
|
626
|
-
an enumerator for the parameters instead of the underlying hash.
|
489
|
+
Fixes #40772.
|
627
490
|
|
628
|
-
*
|
491
|
+
*Christian Sutter*
|
629
492
|
|
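Review bot: the `config.action_dispatch.trusted_proxies` deprecation entry says the single-value form is deprecated but not what to write instead. Since the stated problem is that `RemoteIp` behaves differently for a single value and for an enumerable, the entry should name the replacement explicitly, for example "wrap the value in an array: `config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]`", so the migration is unambiguous for a setting that decides which `X-Forwarded-For` hops are believed.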
630
|
-
*
|
631
|
-
|
493
|
+
* Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`.
|
494
|
+
The old method name is retained without explicit deprecation.
|
632
495
|
|
633
|
-
*
|
496
|
+
*DHH*
|
634
497
|
|
635
498
|
|
636
|
-
Please check [6-
|
499
|
+
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionpack/CHANGELOG.md) for previous changes.
|