actionpack 7.0.0.rc2 → 7.0.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/MIT-LICENSE +1 -1
- data/lib/action_controller/metal/helpers.rb +1 -1
- data/lib/action_controller/metal/request_forgery_protection.rb +10 -1
- data/lib/action_controller/metal/strong_parameters.rb +4 -4
- data/lib/action_controller/metal/testing.rb +9 -0
- data/lib/action_controller/test_case.rb +6 -0
- data/lib/action_dispatch/http/parameters.rb +1 -1
- data/lib/action_dispatch/middleware/host_authorization.rb +29 -8
- data/lib/action_dispatch/routing/route_set.rb +2 -2
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +1 -1
- data/lib/action_dispatch.rb +1 -1
- data/lib/action_pack/gem_version.rb +2 -2
- data/lib/action_pack.rb +1 -1
- metadata +17 -17
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 14ae32d28d0aba5f71f808a53ff96e6fda6a169c1c81928c7e045dc7a05282da
|
4
|
+
data.tar.gz: 8c2dc4cf28689200036dad8a838e81469f61a58994e9e96f85426b0776b76ca4
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b72cfbbee4548cac05daa8e4b575e1b5e84dbb1b01ddb6da4876a02c5c7a1ec18712d6f4092e7cfe7634d6347b88de68059b0147a768bf87fc8954138cd44095
|
7
|
+
data.tar.gz: 5e30f0f96847a0d01a671f2f0eec3913901d07317f8c94220f62b49925f1227f5ab1f0248ebbd8b85ada29b05d23967da78b8bb87890e18950120598548958f4
|
data/CHANGELOG.md
CHANGED
@@ -1,7 +1,42 @@
|
|
1
|
+
## Rails 7.0.2 (February 08, 2022) ##
|
2
|
+
|
3
|
+
* No changes.
|
4
|
+
|
5
|
+
|
6
|
+
## Rails 7.0.1 (January 06, 2022) ##
|
7
|
+
|
8
|
+
* Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
|
9
|
+
of the original object.
|
10
|
+
|
11
|
+
*Yutaka Kamei*
|
12
|
+
|
13
|
+
|
14
|
+
## Rails 7.0.0 (December 15, 2021) ##
|
15
|
+
|
16
|
+
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
17
|
+
|
18
|
+
*Étienne Barrié*
|
19
|
+
|
20
|
+
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
21
|
+
|
22
|
+
This means if you make multiple requests in the same test, instance variables set in the first request will
|
23
|
+
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
24
|
+
|
25
|
+
*Alex Ghiculescu*
|
26
|
+
|
27
|
+
|
28
|
+
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
29
|
+
|
30
|
+
* No changes.
|
31
|
+
|
32
|
+
|
1
33
|
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
2
34
|
|
3
35
|
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
4
36
|
|
37
|
+
|
38
|
+
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
39
|
+
|
5
40
|
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
6
41
|
|
7
42
|
This helps to better simulate request or job local state being reset between requests and prevent state
|
data/MIT-LICENSE
CHANGED
@@ -26,7 +26,7 @@ module ActionController
|
|
26
26
|
#
|
27
27
|
# module FormattedTimeHelper
|
28
28
|
# def format_time(time, format=:long, blank_message=" ")
|
29
|
-
# time.blank? ? blank_message : time.
|
29
|
+
# time.blank? ? blank_message : time.to_fs(format)
|
30
30
|
# end
|
31
31
|
# end
|
32
32
|
#
|
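--- a/data/lib/action_controller/metal/request_forgery_protection.rb
+++ b/data/lib/action_controller/metal/request_forgery_protection.rb
@@ -92,7 +92,16 @@ module ActionController # :nodoc:
 
       # Controls whether URL-safe CSRF tokens are generated.
       config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens =
+      self.urlsafe_csrf_tokens = true
+
+      singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
+        if urlsafe_csrf_tokens
+          ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
+        else
+          ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
+        end
+        config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
+      end
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?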
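Review bot: The redefined `urlsafe_csrf_tokens=` writer still stores whatever it is given (`config.urlsafe_csrf_tokens = urlsafe_csrf_tokens` on line 103), so an application that sets the option to `false` keeps getting non-URL-safe tokens after the warning; that does not match the CHANGELOG entry in this same release, which says the config "is now always enabled". Either the CHANGELOG should say the option is deprecated but still honoured, or the writer should stop assigning the value. Neither warning says when the option goes away, unlike the route_set.rb deprecations in this release; if a removal release is planned, stating it in both messages (`"... are deprecated and will be removed in Rails <release>. Use 6.1 defaults or above."`) saves users a lookup. The enclosing block — presumably the `included do` body, given the `config_accessor` and `helper_method` calls — starts and ends outside the hunk.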
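--- a/data/lib/action_controller/metal/strong_parameters.rb
+++ b/data/lib/action_controller/metal/strong_parameters.rb
@@ -910,7 +910,7 @@ module ActionController
 
     # Returns duplicate of object including all parameters.
     def deep_dup
-      self.class.new(@parameters.deep_dup).tap do |duplicate|
+      self.class.new(@parameters.deep_dup, @logging_context).tap do |duplicate|
         duplicate.permitted = @permitted
       end
     end
@@ -932,7 +932,7 @@ module ActionController
 
     private
       def new_instance_with_inherited_permitted_status(hash)
-        self.class.new(hash).tap do |new_instance|
+        self.class.new(hash, @logging_context).tap do |new_instance|
           new_instance.permitted = @permitted
         end
       end
@@ -963,10 +963,10 @@ module ActionController
         when Array
           return value if converted_arrays.member?(value)
           converted = value.map { |_| convert_value_to_parameters(_) }
-          converted_arrays << converted
+          converted_arrays << converted.dup
           converted
         when Hash
-          self.class.new(value)
+          self.class.new(value, @logging_context)
         else
           value
         end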
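Review bot: `converted_arrays << converted.dup` on line 966 stores a copy instead of the array that is returned, and nothing says why; since the guard on line 964 is `converted_arrays.member?(value)`, which compares by `==`, the copy looks intended to stop later mutation of the returned array from changing what the memo matches — confirm that reading and add a why-comment, e.g. `# store a snapshot: member? compares by ==, and callers may mutate the returned array`. The three `self.class.new(..., @logging_context)` calls (lines 913, 935, 969) pass the logging context positionally; the constructor is outside the hunk, so this relies on its second positional parameter being that context, and a keyword would make the dependency self-describing if the signature allows it. `convert_value_to_parameters` begins outside the third hunk.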
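--- a/data/lib/action_controller/metal/testing.rb
+++ b/data/lib/action_controller/metal/testing.rb
@@ -4,6 +4,15 @@ module ActionController
   module Testing
     # Behavior specific to functional tests
     module Functional # :nodoc:
+      def clear_instance_variables_between_requests
+        if defined?(@_ivars)
+          new_ivars = instance_variables - @_ivars
+          new_ivars.each { |ivar| remove_instance_variable(ivar) }
+        end
+
+        @_ivars = instance_variables
+      end
+
       def recycle!
         @_url_options = nil
         self.formats = nil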
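Review bot: `instance_variables - @_ivars` only removes variables that did not exist when the snapshot was taken, so an instance variable that was already present before the first request (set by the controller's initializer, the test's setup, or `recycle!`, which writes `@_url_options`) and is reassigned during a request keeps its new value into the next request; the comment added to `process` in test_case.rb in this release ("Instance variables that are set in one request will not persist to the next request") overstates what this does. A method comment would pin the contract, e.g. `# Removes instance variables added since the previous snapshot; variables that pre-date the first request are left untouched.`, with the test_case.rb wording softened to match. The method is public like its neighbour `recycle!`, so it becomes part of the controller's public surface while under test; if that is not intended, say so in a comment or call it via `send` from a private method. Module `Functional` continues past the hunk.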
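--- a/data/lib/action_controller/test_case.rb
+++ b/data/lib/action_controller/test_case.rb
@@ -465,9 +465,15 @@ module ActionController
       # prefer using #get, #post, #patch, #put, #delete and #head methods
       # respectively which will make tests more expressive.
       #
+      # It's not recommended to make more than one request in the same test. Instance
+      # variables that are set in one request will not persist to the next request,
+      # but it's not guaranteed that all Rails internal state will be reset. Prefer
+      # ActionDispatch::IntegrationTest for making multiple requests in the same test.
+      #
       # Note that the request method is not verified.
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
+        @controller.clear_instance_variables_between_requests
 
         action = +action.to_s
         http_method = method.to_s.upcase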
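--- a/data/lib/action_dispatch/http/parameters.rb
+++ b/data/lib/action_dispatch/http/parameters.rb
@@ -78,7 +78,7 @@ module ActionDispatch
       # Returns a hash with the \parameters used to form the \path of the request.
       # Returned hash keys are strings:
       #
-      #   {
+      #   { action: "my_action", controller: "my_controller" }
       def path_parameters
         get_header(PARAMETERS_KEY) || set_header(PARAMETERS_KEY, {})
       end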
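Review bot: The comment `# Returned hash keys are strings:` now sits directly above an example whose keys are symbols (`{ action: "my_action", controller: "my_controller" }`), so one of the two lines is wrong. The method body gives no hint which, since it returns whatever was stored under `PARAMETERS_KEY`; check the callers of `set_header(PARAMETERS_KEY, ...)` and, if the stored keys are symbols, the one-line fix is `# Returned hash keys are symbols:` — otherwise rewrite the example with string keys.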
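--- a/data/lib/action_dispatch/middleware/host_authorization.rb
+++ b/data/lib/action_dispatch/middleware/host_authorization.rb
@@ -16,6 +16,17 @@ module ActionDispatch
   # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
   # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    PORT_REGEX = /(?::\d+)/ # :nodoc:
+    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
+    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
+    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
+    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
+      /\A#{IPV4_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
+    )
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
@@ -27,11 +38,17 @@ module ActionDispatch
 
       def allows?(host)
         @hosts.any? do |allowed|
-          allowed
-
-
-
-
+          if allowed.is_a?(IPAddr)
+            begin
+              allowed === extract_hostname(host)
+            rescue
+              # IPAddr#=== raises an error if you give it a hostname instead of
+              # IP. Treat similar errors as blocked access.
+              false
+            end
+          else
+            allowed === host
+          end
         end
       end
 
@@ -47,16 +64,20 @@ module ActionDispatch
       end
 
       def sanitize_regexp(host)
-        /\A#{host}
+        /\A#{host}#{PORT_REGEX}?\z/
       end
 
       def sanitize_string(host)
         if host.start_with?(".")
-          /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}
+          /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
         else
-          /\A#{Regexp.escape host}
+          /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
         end
       end
+
+      def extract_hostname(host)
+        host.slice(VALID_IP_HOSTNAME, "host") || host
+      end
     end
 
     class DefaultResponseApp # :nodoc: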
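Review bot: `ALLOWED_HOSTS_IN_DEVELOPMENT` admits every IPv4 and IPv6 literal (`0.0.0.0/0`, `::/0`) plus any `*.localhost` name, which is a deliberate policy choice that deserves a comment where the constant is defined, e.g. `# Development default: any IP literal and any *.localhost name are accepted; where it is applied is decided by the railtie.`, and the array is a mutable constant, so append `.freeze`. `extract_hostname` relies on `MatchData` returning the `host` group of whichever `VALID_IP_HOSTNAME` alternative matched — all three alternatives reuse the same capture name — which is not obvious and is worth a one-line comment. The bare `rescue` in `allows?` fails closed, which is the right direction for an allow-list check, but `rescue IPAddr::Error` would cover the parse failures the comment describes without also turning an unrelated bug into a silent 403; hedged, since the caller that produces `host` is outside the hunk. The removed lines 30–34 of `allows?` appear truncated on this page, so the old body cannot be compared here.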
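--- a/data/lib/action_dispatch/routing/route_set.rb
+++ b/data/lib/action_dispatch/routing/route_set.rb
@@ -596,14 +596,14 @@ module ActionDispatch
         if route.segment_keys.include?(:controller)
           ActiveSupport::Deprecation.warn(<<-MSG.squish)
             Using a dynamic :controller segment in a route is deprecated and
-            will be removed in Rails 7.
+            will be removed in Rails 7.1.
           MSG
         end
 
         if route.segment_keys.include?(:action)
           ActiveSupport::Deprecation.warn(<<-MSG.squish)
             Using a dynamic :action segment in a route is deprecated and
-            will be removed in Rails 7.
+            will be removed in Rails 7.1.
           MSG
         end
 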
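--- a/data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb
+++ b/data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb
@@ -42,7 +42,7 @@ module ActionDispatch
         #
         # +take_failed_screenshot+ is called during system test teardown.
         def take_failed_screenshot
-          take_screenshot if failed? && supports_screenshot?
+          take_screenshot if failed? && supports_screenshot? && Capybara::Session.instance_created?
         end
 
         private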
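Review bot: `Capybara::Session.instance_created?` is resolved at call time inside test teardown, so the helper now requires a Capybara release that defines that class method; on an older Capybara the guard raises `NoMethodError` during teardown instead of skipping the screenshot, and the gem's Capybara constraint is not visible on this page, so confirm it is high enough. The new condition also deserves a short why-comment, e.g. `# Nothing to capture unless a Capybara session was actually started.`, since the doc comment above the method still describes only the failure case.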
data/lib/action_dispatch.rb
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
#--
|
4
|
-
# Copyright (c) 2004-
|
4
|
+
# Copyright (c) 2004-2022 David Heinemeier Hansson
|
5
5
|
#
|
6
6
|
# Permission is hereby granted, free of charge, to any person obtaining
|
7
7
|
# a copy of this software and associated documentation files (the
|
data/lib/action_pack.rb
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
#--
|
4
|
-
# Copyright (c) 2004-
|
4
|
+
# Copyright (c) 2004-2022 David Heinemeier Hansson
|
5
5
|
#
|
6
6
|
# Permission is hereby granted, free of charge, to any person obtaining
|
7
7
|
# a copy of this software and associated documentation files (the
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 7.0.
|
4
|
+
version: 7.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-02-08 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 7.0.
|
19
|
+
version: 7.0.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 7.0.
|
26
|
+
version: 7.0.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 7.0.
|
101
|
+
version: 7.0.2
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 7.0.
|
108
|
+
version: 7.0.2
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 7.0.
|
115
|
+
version: 7.0.2
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 7.0.
|
122
|
+
version: 7.0.2
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -310,12 +310,12 @@ licenses:
|
|
310
310
|
- MIT
|
311
311
|
metadata:
|
312
312
|
bug_tracker_uri: https://github.com/rails/rails/issues
|
313
|
-
changelog_uri: https://github.com/rails/rails/blob/v7.0.
|
314
|
-
documentation_uri: https://api.rubyonrails.org/v7.0.
|
313
|
+
changelog_uri: https://github.com/rails/rails/blob/v7.0.2/actionpack/CHANGELOG.md
|
314
|
+
documentation_uri: https://api.rubyonrails.org/v7.0.2/
|
315
315
|
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
|
316
|
-
source_code_uri: https://github.com/rails/rails/tree/v7.0.
|
316
|
+
source_code_uri: https://github.com/rails/rails/tree/v7.0.2/actionpack
|
317
317
|
rubygems_mfa_required: 'true'
|
318
|
-
post_install_message:
|
318
|
+
post_install_message:
|
319
319
|
rdoc_options: []
|
320
320
|
require_paths:
|
321
321
|
- lib
|
@@ -326,13 +326,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
326
326
|
version: 2.7.0
|
327
327
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
328
328
|
requirements:
|
329
|
-
- - "
|
329
|
+
- - ">="
|
330
330
|
- !ruby/object:Gem::Version
|
331
|
-
version:
|
331
|
+
version: '0'
|
332
332
|
requirements:
|
333
333
|
- none
|
334
|
-
rubygems_version: 3.2.
|
335
|
-
signing_key:
|
334
|
+
rubygems_version: 3.2.32
|
335
|
+
signing_key:
|
336
336
|
specification_version: 4
|
337
337
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
338
338
|
test_files: []
|