actionpack 7.0.0.rc2 → 7.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 372781a07c265daab499383ce1e623018448f5bec28cc20962e1a17f77fb07e8
-  data.tar.gz: a3354d53f62901144799dfae0f3bb4e641801205a1a9b5221614699fb77f6bc8
+  metadata.gz: 14ae32d28d0aba5f71f808a53ff96e6fda6a169c1c81928c7e045dc7a05282da
+  data.tar.gz: 8c2dc4cf28689200036dad8a838e81469f61a58994e9e96f85426b0776b76ca4
 SHA512:
-  metadata.gz: 51f7f747ecbf598093154bea8274b8b5df37274d2d125b5c32f1e7a4d656e246477dbe6322d8b16c14af55c858482ae928c0c5c811f36ea3ed76067cc4802c99
-  data.tar.gz: 4ab94ed159cc5d6742fde69bdeda56f922f93a168cc83a09100fc11bbf073f7ad98f2f3e5814c9d465cb72fd75aa7e71a69a3055e0ab58ce15c6ab185f68111b
+  metadata.gz: b72cfbbee4548cac05daa8e4b575e1b5e84dbb1b01ddb6da4876a02c5c7a1ec18712d6f4092e7cfe7634d6347b88de68059b0147a768bf87fc8954138cd44095
+  data.tar.gz: 5e30f0f96847a0d01a671f2f0eec3913901d07317f8c94220f62b49925f1227f5ab1f0248ebbd8b85ada29b05d23967da78b8bb87890e18950120598548958f4

data/CHANGELOG.md

@@ -1,7 +1,42 @@
+## Rails 7.0.2 (February 08, 2022) ##
+
+*   No changes.
+
+
+## Rails 7.0.1 (January 06, 2022) ##
+
+*   Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
+    of the original object.
+
+    *Yutaka Kamei*
+
+
+## Rails 7.0.0 (December 15, 2021) ##
+
+*   Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
+
+    *Étienne Barrié*
+
+*   Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
+
+    This means if you make multiple requests in the same test, instance variables set in the first request will
+    not persist into the second one. (It's not recommended to make multiple requests in the same test.)
+
+    *Alex Ghiculescu*
+
+
+## Rails 7.0.0.rc3 (December 14, 2021) ##
+
+*   No changes.
+
+
 ## Rails 7.0.0.rc2 (December 14, 2021) ##
 
 *   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
 
+
+## Rails 7.0.0.rc1 (December 06, 2021) ##
+
 *   `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
 
     This helps to better simulate request or job local state being reset between requests and prevent state

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2021 David Heinemeier Hansson
+Copyright (c) 2004-2022 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/lib/action_controller/metal/helpers.rb

@@ -26,7 +26,7 @@ module ActionController
   #
   #   module FormattedTimeHelper
   #     def format_time(time, format=:long, blank_message=" ")
-  #       time.blank? ? blank_message : time.to_formatted_s(format)
+  #       time.blank? ? blank_message : time.to_fs(format)
   #     end
   #   end
   #

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -92,7 +92,16 @@ module ActionController # :nodoc:
 
       # Controls whether URL-safe CSRF tokens are generated.
       config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens = false
+      self.urlsafe_csrf_tokens = true
+
+      singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
+        if urlsafe_csrf_tokens
+          ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
+        else
+          ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
+        end
+        config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
+      end
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?

data/lib/action_controller/metal/strong_parameters.rb

@@ -910,7 +910,7 @@ module ActionController
 
     # Returns duplicate of object including all parameters.
     def deep_dup
-      self.class.new(@parameters.deep_dup).tap do |duplicate|
+      self.class.new(@parameters.deep_dup, @logging_context).tap do |duplicate|
         duplicate.permitted = @permitted
       end
     end
@@ -932,7 +932,7 @@ module ActionController
 
     private
       def new_instance_with_inherited_permitted_status(hash)
-        self.class.new(hash).tap do |new_instance|
+        self.class.new(hash, @logging_context).tap do |new_instance|
           new_instance.permitted = @permitted
         end
       end
@@ -963,10 +963,10 @@ module ActionController
         when Array
           return value if converted_arrays.member?(value)
           converted = value.map { |_| convert_value_to_parameters(_) }
-          converted_arrays << converted
+          converted_arrays << converted.dup
           converted
         when Hash
-          self.class.new(value)
+          self.class.new(value, @logging_context)
         else
           value
         end

data/lib/action_controller/metal/testing.rb

@@ -4,6 +4,15 @@ module ActionController
   module Testing
     # Behavior specific to functional tests
     module Functional # :nodoc:
+      def clear_instance_variables_between_requests
+        if defined?(@_ivars)
+          new_ivars = instance_variables - @_ivars
+          new_ivars.each { |ivar| remove_instance_variable(ivar) }
+        end
+
+        @_ivars = instance_variables
+      end
+
       def recycle!
         @_url_options = nil
         self.formats = nil

data/lib/action_controller/test_case.rb

@@ -465,9 +465,15 @@ module ActionController
       # prefer using #get, #post, #patch, #put, #delete and #head methods
       # respectively which will make tests more expressive.
       #
+      # It's not recommended to make more than one request in the same test. Instance
+      # variables that are set in one request will not persist to the next request,
+      # but it's not guaranteed that all Rails internal state will be reset. Prefer
+      # ActionDispatch::IntegrationTest for making multiple requests in the same test.
+      #
       # Note that the request method is not verified.
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
+        @controller.clear_instance_variables_between_requests
 
         action = +action.to_s
         http_method = method.to_s.upcase

data/lib/action_dispatch/http/parameters.rb

@@ -78,7 +78,7 @@ module ActionDispatch
       # Returns a hash with the \parameters used to form the \path of the request.
       # Returned hash keys are strings:
       #
-      #   {'action' => 'my_action', 'controller' => 'my_controller'}
+      #   { action: "my_action", controller: "my_controller" }
       def path_parameters
         get_header(PARAMETERS_KEY) || set_header(PARAMETERS_KEY, {})
       end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -16,6 +16,17 @@ module ActionDispatch
   # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
   # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    PORT_REGEX = /(?::\d+)/ # :nodoc:
+    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
+    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
+    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
+    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
+      /\A#{IPV4_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
+    )
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
@@ -27,11 +38,17 @@ module ActionDispatch
 
       def allows?(host)
         @hosts.any? do |allowed|
-          allowed === host
-        rescue
-          # IPAddr#=== raises an error if you give it a hostname instead of
-          # IP. Treat similar errors as blocked access.
-          false
+          if allowed.is_a?(IPAddr)
+            begin
+              allowed === extract_hostname(host)
+            rescue
+              # IPAddr#=== raises an error if you give it a hostname instead of
+              # IP. Treat similar errors as blocked access.
+              false
+            end
+          else
+            allowed === host
+          end
         end
       end
 
@@ -47,16 +64,20 @@ module ActionDispatch
         end
 
         def sanitize_regexp(host)
-          /\A#{host}\z/
+          /\A#{host}#{PORT_REGEX}?\z/
         end
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}\z/i
+            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
-            /\A#{Regexp.escape host}\z/i
+            /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
         end
+
+        def extract_hostname(host)
+          host.slice(VALID_IP_HOSTNAME, "host") || host
+        end
     end
 
     class DefaultResponseApp # :nodoc:

data/lib/action_dispatch/routing/route_set.rb

@@ -596,14 +596,14 @@ module ActionDispatch
         if route.segment_keys.include?(:controller)
           ActiveSupport::Deprecation.warn(<<-MSG.squish)
             Using a dynamic :controller segment in a route is deprecated and
-            will be removed in Rails 7.0.
+            will be removed in Rails 7.1.
           MSG
         end
 
         if route.segment_keys.include?(:action)
           ActiveSupport::Deprecation.warn(<<-MSG.squish)
             Using a dynamic :action segment in a route is deprecated and
-            will be removed in Rails 7.0.
+            will be removed in Rails 7.1.
           MSG
         end
 

data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb

@@ -42,7 +42,7 @@ module ActionDispatch
         #
         # +take_failed_screenshot+ is called during system test teardown.
         def take_failed_screenshot
-          take_screenshot if failed? && supports_screenshot?
+          take_screenshot if failed? && supports_screenshot? && Capybara::Session.instance_created?
         end
 
         private

data/lib/action_dispatch.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2021 David Heinemeier Hansson
+# Copyright (c) 2004-2022 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 0
-    TINY  = 0
-    PRE   = "rc2"
+    TINY  = 2
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_pack.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2021 David Heinemeier Hansson
+# Copyright (c) 2004-2022 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.0.0.rc2
+  version: 7.0.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-12-14 00:00:00.000000000 Z
+date: 2022-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.0.rc2
+        version: 7.0.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.0.rc2
+        version: 7.0.2
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.0.rc2
+        version: 7.0.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.0.rc2
+        version: 7.0.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.0.rc2
+        version: 7.0.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.0.rc2
+        version: 7.0.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,12 +310,12 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.0.rc2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.0.rc2/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.0.rc2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.2/actionpack
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -326,13 +326,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements:
 - none
-rubygems_version: 3.2.15
-signing_key:
+rubygems_version: 3.2.32
+signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []