actionpack 7.0.8.1 → 7.1.0.beta1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +320 -393
- data/MIT-LICENSE +1 -1
- data/README.rdoc +2 -2
- data/lib/abstract_controller/base.rb +19 -10
- data/lib/abstract_controller/caching/fragments.rb +2 -0
- data/lib/abstract_controller/callbacks.rb +31 -6
- data/lib/abstract_controller/deprecator.rb +7 -0
- data/lib/abstract_controller/helpers.rb +61 -18
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -16
- data/lib/abstract_controller/rendering.rb +3 -3
- data/lib/abstract_controller/translation.rb +1 -27
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +6 -0
- data/lib/action_controller/api.rb +5 -3
- data/lib/action_controller/base.rb +3 -17
- data/lib/action_controller/caching.rb +2 -0
- data/lib/action_controller/deprecator.rb +7 -0
- data/lib/action_controller/form_builder.rb +2 -0
- data/lib/action_controller/log_subscriber.rb +16 -4
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +2 -0
- data/lib/action_controller/metal/default_headers.rb +2 -0
- data/lib/action_controller/metal/etag_with_flash.rb +2 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +2 -0
- data/lib/action_controller/metal/exceptions.rb +8 -0
- data/lib/action_controller/metal/head.rb +8 -6
- data/lib/action_controller/metal/helpers.rb +3 -14
- data/lib/action_controller/metal/http_authentication.rb +11 -4
- data/lib/action_controller/metal/implicit_render.rb +5 -3
- data/lib/action_controller/metal/instrumentation.rb +8 -1
- data/lib/action_controller/metal/live.rb +24 -0
- data/lib/action_controller/metal/mime_responds.rb +2 -2
- data/lib/action_controller/metal/params_wrapper.rb +3 -1
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/redirecting.rb +6 -6
- data/lib/action_controller/metal/renderers.rb +2 -2
- data/lib/action_controller/metal/rendering.rb +0 -7
- data/lib/action_controller/metal/request_forgery_protection.rb +138 -50
- data/lib/action_controller/metal/rescue.rb +2 -0
- data/lib/action_controller/metal/streaming.rb +70 -30
- data/lib/action_controller/metal/strong_parameters.rb +89 -50
- data/lib/action_controller/metal/url_for.rb +7 -0
- data/lib/action_controller/metal.rb +79 -21
- data/lib/action_controller/railtie.rb +22 -9
- data/lib/action_controller/renderer.rb +98 -65
- data/lib/action_controller/test_case.rb +15 -5
- data/lib/action_controller.rb +8 -1
- data/lib/action_dispatch/constants.rb +32 -0
- data/lib/action_dispatch/deprecator.rb +7 -0
- data/lib/action_dispatch/http/cache.rb +1 -3
- data/lib/action_dispatch/http/content_security_policy.rb +9 -8
- data/lib/action_dispatch/http/filter_parameters.rb +11 -5
- data/lib/action_dispatch/http/headers.rb +2 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +21 -21
- data/lib/action_dispatch/http/mime_type.rb +35 -12
- data/lib/action_dispatch/http/mime_types.rb +3 -1
- data/lib/action_dispatch/http/parameters.rb +1 -1
- data/lib/action_dispatch/http/permissions_policy.rb +39 -17
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +48 -14
- data/lib/action_dispatch/http/response.rb +78 -59
- data/lib/action_dispatch/http/upload.rb +2 -0
- data/lib/action_dispatch/journey/formatter.rb +8 -2
- data/lib/action_dispatch/journey/path/pattern.rb +14 -14
- data/lib/action_dispatch/journey/route.rb +3 -2
- data/lib/action_dispatch/journey/router.rb +5 -4
- data/lib/action_dispatch/journey/routes.rb +2 -2
- data/lib/action_dispatch/log_subscriber.rb +23 -0
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +5 -6
- data/lib/action_dispatch/middleware/assume_ssl.rb +24 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -0
- data/lib/action_dispatch/middleware/cookies.rb +81 -98
- data/lib/action_dispatch/middleware/debug_exceptions.rb +26 -25
- data/lib/action_dispatch/middleware/debug_locks.rb +4 -1
- data/lib/action_dispatch/middleware/debug_view.rb +7 -2
- data/lib/action_dispatch/middleware/exception_wrapper.rb +181 -27
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/middleware/flash.rb +7 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +6 -3
- data/lib/action_dispatch/middleware/public_exceptions.rb +5 -3
- data/lib/action_dispatch/middleware/reloader.rb +7 -5
- data/lib/action_dispatch/middleware/remote_ip.rb +17 -16
- data/lib/action_dispatch/middleware/request_id.rb +2 -0
- data/lib/action_dispatch/middleware/server_timing.rb +4 -4
- data/lib/action_dispatch/middleware/session/abstract_store.rb +5 -0
- data/lib/action_dispatch/middleware/session/cache_store.rb +2 -0
- data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -5
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +3 -1
- data/lib/action_dispatch/middleware/show_exceptions.rb +19 -15
- data/lib/action_dispatch/middleware/ssl.rb +18 -6
- data/lib/action_dispatch/middleware/stack.rb +7 -2
- data/lib/action_dispatch/middleware/static.rb +12 -8
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +8 -1
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +7 -7
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +17 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +16 -12
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +3 -0
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +46 -37
- data/lib/action_dispatch/railtie.rb +14 -4
- data/lib/action_dispatch/request/session.rb +16 -6
- data/lib/action_dispatch/request/utils.rb +8 -3
- data/lib/action_dispatch/routing/inspector.rb +54 -6
- data/lib/action_dispatch/routing/mapper.rb +26 -14
- data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
- data/lib/action_dispatch/routing/redirection.rb +15 -6
- data/lib/action_dispatch/routing/route_set.rb +52 -22
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +5 -1
- data/lib/action_dispatch/routing.rb +4 -4
- data/lib/action_dispatch/system_test_case.rb +3 -3
- data/lib/action_dispatch/system_testing/browser.rb +5 -6
- data/lib/action_dispatch/system_testing/driver.rb +13 -21
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +27 -16
- data/lib/action_dispatch/testing/assertions/response.rb +13 -6
- data/lib/action_dispatch/testing/assertions/routing.rb +67 -28
- data/lib/action_dispatch/testing/assertions.rb +3 -1
- data/lib/action_dispatch/testing/integration.rb +27 -17
- data/lib/action_dispatch/testing/request_encoder.rb +4 -1
- data/lib/action_dispatch/testing/test_process.rb +4 -3
- data/lib/action_dispatch/testing/test_request.rb +1 -1
- data/lib/action_dispatch/testing/test_response.rb +23 -9
- data/lib/action_dispatch.rb +37 -4
- data/lib/action_pack/gem_version.rb +4 -4
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_pack.rb +1 -1
- metadata +52 -30
data/CHANGELOG.md
CHANGED
@@ -1,597 +1,524 @@
|
|
1
|
-
## Rails 7.0.
|
1
|
+
## Rails 7.1.0.beta1 (September 13, 2023) ##
|
2
2
|
|
3
|
-
*
|
3
|
+
* `AbstractController::Translation.raise_on_missing_translations` removed
|
4
4
|
|
5
|
-
|
6
|
-
|
7
|
-
## Rails 7.0.8 (September 09, 2023) ##
|
8
|
-
|
9
|
-
* Fix `HostAuthorization` potentially displaying the value of the
|
10
|
-
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
11
|
-
|
12
|
-
*Hartley McGuire*, *Daniel Schlosser*
|
13
|
-
|
14
|
-
|
15
|
-
## Rails 7.0.7.2 (August 22, 2023) ##
|
16
|
-
|
17
|
-
* No changes.
|
18
|
-
|
19
|
-
|
20
|
-
## Rails 7.0.7.1 (August 22, 2023) ##
|
21
|
-
|
22
|
-
* No changes.
|
23
|
-
|
24
|
-
|
25
|
-
## Rails 7.0.7 (August 09, 2023) ##
|
26
|
-
|
27
|
-
* No changes.
|
28
|
-
|
29
|
-
|
30
|
-
## Rails 7.0.6 (June 29, 2023) ##
|
31
|
-
|
32
|
-
* No changes.
|
33
|
-
|
34
|
-
|
35
|
-
## Rails 7.0.5.1 (June 26, 2023) ##
|
36
|
-
|
37
|
-
* Raise an exception if illegal characters are provide to redirect_to
|
38
|
-
[CVE-2023-28362]
|
39
|
-
|
40
|
-
*Zack Deveau*
|
41
|
-
|
42
|
-
## Rails 7.0.5 (May 24, 2023) ##
|
43
|
-
|
44
|
-
* Do not return CSP headers for 304 Not Modified responses.
|
45
|
-
|
46
|
-
*Tobias Kraze*
|
47
|
-
|
48
|
-
* Fix `EtagWithFlash` when there is no `Flash` middleware available.
|
49
|
-
|
50
|
-
*fatkodima*
|
51
|
-
|
52
|
-
* Fix content-type header with `send_stream`.
|
53
|
-
|
54
|
-
*Elliot Crosby-McCullough*
|
55
|
-
|
56
|
-
* Address Selenium `:capabilities` deprecation warning.
|
57
|
-
|
58
|
-
*Ron Shinall*
|
59
|
-
|
60
|
-
* Fix cookie domain for domain: all on two letter single level TLD.
|
61
|
-
|
62
|
-
*John Hawthorn*
|
63
|
-
|
64
|
-
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
65
|
-
|
66
|
-
Previously if you set `config.active_record.query_log_tags` to an array that included
|
67
|
-
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
68
|
-
This bug has been fixed.
|
5
|
+
This was a private API, and has been removed in favour of a more broadly applicable
|
6
|
+
`config.i18n.raise_on_missing_translations`. See the upgrading guide for more information.
|
69
7
|
|
70
8
|
*Alex Ghiculescu*
|
71
9
|
|
72
|
-
*
|
73
|
-
|
74
|
-
*Nikita Vasilevsky*
|
10
|
+
* Add `ActionController::Parameters#extract_value` method to allow extracting serialized values from params
|
75
11
|
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
(See #45127 for original bug discussion)
|
83
|
-
|
84
|
-
*Nathan Bardoux*
|
85
|
-
|
86
|
-
## Rails 7.0.4.3 (March 13, 2023) ##
|
87
|
-
|
88
|
-
* No changes.
|
12
|
+
```ruby
|
13
|
+
params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
|
14
|
+
params.extract_value(:id) # => ["1", "123"]
|
15
|
+
params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
|
16
|
+
```
|
89
17
|
|
18
|
+
*Nikita Vasilevsky*
|
90
19
|
|
91
|
-
|
20
|
+
* Parse JSON `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`
|
92
21
|
|
93
|
-
|
22
|
+
Integrate with Minitest's new `assert_pattern` by parsing the JSON contents
|
23
|
+
of `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`, so
|
24
|
+
that it's pattern-matching compatible.
|
94
25
|
|
95
|
-
|
96
|
-
release when using `domain: :all` with a two letter but single level top
|
97
|
-
level domain domain (like `.ca`, rather than `.co.uk`).
|
26
|
+
*Sean Doyle*
|
98
27
|
|
28
|
+
* Add support for Playwright as a driver for system tests.
|
99
29
|
|
100
|
-
|
30
|
+
*Yuki Nishijima*
|
101
31
|
|
102
|
-
* Fix
|
32
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
33
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
103
34
|
|
104
|
-
|
105
|
-
to malicious sites.
|
35
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
106
36
|
|
107
|
-
|
37
|
+
* Rename `fixture_file_upload` method to `file_fixture_upload`
|
108
38
|
|
109
|
-
|
39
|
+
Declare an alias to preserve the backwards compatibility of `fixture_file_upload`
|
110
40
|
|
111
|
-
|
41
|
+
*Sean Doyle*
|
112
42
|
|
113
|
-
*
|
43
|
+
* `ActionDispatch::SystemTesting::TestHelpers::ScreenshotHelper` saves the screenshot path in test metadata on failure.
|
114
44
|
|
115
|
-
|
45
|
+
*Matija Čupić*
|
116
46
|
|
117
|
-
|
47
|
+
* `config.dom_testing_default_html_version` controls the HTML parser used by
|
48
|
+
`ActionDispatch::Assertions#html_document`.
|
118
49
|
|
119
|
-
|
50
|
+
The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
|
51
|
+
represent what the DOM would be in a browser user agent. Previously this test helper always used
|
52
|
+
Nokogiri's HTML4 parser.
|
120
53
|
|
121
|
-
|
122
|
-
it would overwritten by `ActionDispatch::ServerTiming`.
|
54
|
+
*Mike Dalessio*
|
123
55
|
|
124
|
-
|
56
|
+
* The `with_routing` helper can now be called at the class level. When called at the class level, the routes will
|
57
|
+
be setup before each test, and reset after every test. For example:
|
125
58
|
|
59
|
+
```ruby
|
60
|
+
class RoutingTest < ActionController::TestCase
|
61
|
+
with_routing do |routes|
|
62
|
+
routes.draw do
|
63
|
+
resources :articles
|
64
|
+
resources :authors
|
65
|
+
end
|
66
|
+
end
|
126
67
|
|
127
|
-
|
68
|
+
def test_articles_route
|
69
|
+
assert_routing("/articles", controller: "articles", action: "index")
|
70
|
+
end
|
128
71
|
|
129
|
-
|
72
|
+
def test_authors_route
|
73
|
+
assert_routing("/authors", controller: "authors", action: "index")
|
74
|
+
end
|
75
|
+
end
|
76
|
+
```
|
130
77
|
|
78
|
+
*Andrew Novoselac*
|
131
79
|
|
132
|
-
|
80
|
+
* The `Mime::Type` now supports handling types with parameters and correctly handles quotes.
|
81
|
+
When parsing the accept header, the parameters before the q-parameter are kept and if a matching mime-type exists it is used.
|
82
|
+
To keep the current functionality, a fallback is created to look for the media-type without the parameters.
|
133
83
|
|
134
|
-
|
84
|
+
This change allows for custom MIME-types that are more complex like `application/vnd.api+json; profile="https://jsonapi.org/profiles/ethanresnick/cursor-pagination/" ext="https://jsonapi.org/ext/atomic"` for the [JSON API](https://jsonapi.org/).
|
135
85
|
|
136
|
-
*
|
86
|
+
*Nicolas Erni*
|
137
87
|
|
138
|
-
*
|
88
|
+
* The url_for helpers now support a new option called `path_params`.
|
89
|
+
This is very useful in situations where you only want to add a required param that is part of the route's URL but for other route not append an extraneous query param.
|
139
90
|
|
140
|
-
|
91
|
+
Given the following router...
|
141
92
|
|
142
93
|
```ruby
|
143
|
-
|
144
|
-
|
94
|
+
Rails.application.routes.draw do
|
95
|
+
scope ":account_id" do
|
96
|
+
get "dashboard" => "pages#dashboard", as: :dashboard
|
97
|
+
get "search/:term" => "search#search", as: :search
|
98
|
+
end
|
99
|
+
delete "signout" => "sessions#destroy", as: :signout
|
145
100
|
end
|
146
101
|
```
|
147
102
|
|
148
|
-
|
149
|
-
|
150
|
-
*Jean Boussier*
|
151
|
-
|
152
|
-
* Fix `content_security_policy` returning invalid directives.
|
153
|
-
|
154
|
-
Directives such as `self`, `unsafe-eval` and few others were not
|
155
|
-
single quoted when the directive was the result of calling a lambda
|
156
|
-
returning an array.
|
103
|
+
And given the following `ApplicationController`
|
157
104
|
|
158
105
|
```ruby
|
159
|
-
|
160
|
-
|
106
|
+
class ApplicationController < ActionController::Base
|
107
|
+
def default_url_options
|
108
|
+
{ path_params: { account_id: "foo" } }
|
109
|
+
end
|
161
110
|
end
|
162
111
|
```
|
163
112
|
|
164
|
-
|
165
|
-
|
166
|
-
*Edouard Chin*
|
167
|
-
|
168
|
-
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
169
|
-
protection has not been enabled / `verify_authenticity_token` is not a
|
170
|
-
defined callback.
|
171
|
-
|
172
|
-
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
173
|
-
`ArgumentError` if `default_protect_from_forgery` is false.
|
174
|
-
|
175
|
-
*Brad Trick*
|
176
|
-
|
177
|
-
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
178
|
-
|
179
|
-
Since its inception `ActionController::Live` has been copying thread local variables
|
180
|
-
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
181
|
-
|
182
|
-
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
183
|
-
`ActionController::Live` controllers.
|
184
|
-
|
185
|
-
*Jean Boussier*
|
186
|
-
|
187
|
-
* Fix setting `trailing_slash: true` in route definition.
|
113
|
+
The standard url_for helper and friends will now behave as follows:
|
188
114
|
|
189
115
|
```ruby
|
190
|
-
|
116
|
+
dashboard_path # => /foo/dashboard
|
117
|
+
dashboard_path(account_id: "bar") # => /bar/dashboard
|
191
118
|
|
192
|
-
|
119
|
+
signout_path # => /signout
|
120
|
+
signout_path(account_id: "bar") # => /signout?account_id=bar
|
121
|
+
signout_path(account_id: "bar", path_params: { account_id: "baz" }) # => /signout?account_id=bar
|
122
|
+
search_path("quin") # => /foo/search/quin
|
193
123
|
```
|
194
124
|
|
195
|
-
*
|
196
|
-
|
197
|
-
## Rails 7.0.2.4 (April 26, 2022) ##
|
125
|
+
*Jason Meller, Jeremy Beker*
|
198
126
|
|
199
|
-
*
|
200
|
-
|
201
|
-
|
127
|
+
* Change `action_dispatch.show_exceptions` to one of `:all`, `:rescuable`, or
|
128
|
+
`:none`. `:all` and `:none` behave the same as the previous `true` and
|
129
|
+
`false` respectively. The new `:rescuable` option will only show exceptions
|
130
|
+
that can be rescued (e.g. `ActiveRecord::RecordNotFound`). `:rescuable` is
|
131
|
+
now the default for the test environment.
|
202
132
|
|
203
|
-
|
133
|
+
*Jon Dufresne*
|
204
134
|
|
205
|
-
*
|
135
|
+
* `config.action_dispatch.cookies_serializer` now accepts `:message_pack` and
|
136
|
+
`:message_pack_allow_marshal` as serializers. These serializers require the
|
137
|
+
[`msgpack` gem](https://rubygems.org/gems/msgpack) (>= 1.7.0).
|
206
138
|
|
139
|
+
The Message Pack format can provide improved performance and smaller payload
|
140
|
+
sizes. It also supports roundtripping some Ruby types that are not supported
|
141
|
+
by JSON. For example:
|
207
142
|
|
208
|
-
|
143
|
+
```ruby
|
144
|
+
cookies.encrypted[:foo] = [{ a: 1 }, { b: 2 }.with_indifferent_access, 1.to_d, Time.at(0, 123)]
|
209
145
|
|
210
|
-
|
146
|
+
# BEFORE with config.action_dispatch.cookies_serializer = :json
|
147
|
+
cookies.encrypted[:foo]
|
148
|
+
# => [{"a"=>1}, {"b"=>2}, "1.0", "1969-12-31T18:00:00.000-06:00"]
|
149
|
+
cookies.encrypted[:foo].map(&:class)
|
150
|
+
# => [Hash, Hash, String, String]
|
211
151
|
|
152
|
+
# AFTER with config.action_dispatch.cookies_serializer = :message_pack
|
153
|
+
cookies.encrypted[:foo]
|
154
|
+
# => [{:a=>1}, {"b"=>2}, 0.1e1, 1969-12-31 18:00:00.000123 -0600]
|
155
|
+
cookies.encrypted[:foo].map(&:class)
|
156
|
+
# => [Hash, ActiveSupport::HashWithIndifferentAccess, BigDecimal, Time]
|
157
|
+
```
|
212
158
|
|
213
|
-
|
159
|
+
The `:message_pack` serializer can fall back to deserializing with
|
160
|
+
`ActiveSupport::JSON` when necessary, and the `:message_pack_allow_marshal`
|
161
|
+
serializer can fall back to deserializing with `Marshal` as well as
|
162
|
+
`ActiveSupport::JSON`. Additionally, the `:marshal`, `:json`, and
|
163
|
+
`:json_allow_marshal` (AKA `:hybrid`) serializers can now fall back to
|
164
|
+
deserializing with `ActiveSupport::MessagePack` when necessary. These
|
165
|
+
behaviors ensure old cookies can still be read so that migration is easier.
|
214
166
|
|
215
|
-
*
|
216
|
-
response body has been fully closed which result in request state not
|
217
|
-
being fully reset before the next request
|
167
|
+
*Jonathan Hefner*
|
218
168
|
|
219
|
-
|
169
|
+
* Remove leading dot from domains on cookies set with `domain: :all`, to meet RFC6265 requirements
|
220
170
|
|
171
|
+
*Gareth Adams*
|
221
172
|
|
222
|
-
|
173
|
+
* Include source location in routes extended view.
|
223
174
|
|
224
|
-
|
175
|
+
```bash
|
176
|
+
$ bin/rails routes --expanded
|
225
177
|
|
178
|
+
...
|
179
|
+
--[ Route 14 ]----------
|
180
|
+
Prefix | new_gist
|
181
|
+
Verb | GET
|
182
|
+
URI | /gist(.:format)
|
183
|
+
Controller#Action | gists/gists#new
|
184
|
+
Source Location | config/routes/gist.rb:3
|
185
|
+
```
|
226
186
|
|
227
|
-
|
228
|
-
|
229
|
-
* Fix `ActionController::Parameters` methods to keep the original logger context when creating a new copy
|
230
|
-
of the original object.
|
231
|
-
|
232
|
-
*Yutaka Kamei*
|
233
|
-
|
234
|
-
|
235
|
-
## Rails 7.0.0 (December 15, 2021) ##
|
236
|
-
|
237
|
-
* Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
|
238
|
-
|
239
|
-
*Étienne Barrié*
|
240
|
-
|
241
|
-
* Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
|
242
|
-
|
243
|
-
This means if you make multiple requests in the same test, instance variables set in the first request will
|
244
|
-
not persist into the second one. (It's not recommended to make multiple requests in the same test.)
|
245
|
-
|
246
|
-
*Alex Ghiculescu*
|
247
|
-
|
248
|
-
|
249
|
-
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
250
|
-
|
251
|
-
* No changes.
|
252
|
-
|
253
|
-
|
254
|
-
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
255
|
-
|
256
|
-
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
257
|
-
|
258
|
-
|
259
|
-
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
260
|
-
|
261
|
-
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
262
|
-
|
263
|
-
This helps to better simulate request or job local state being reset between requests and prevent state
|
264
|
-
leaking from one request to another.
|
187
|
+
*Luan Vieira, John Hawthorn and Daniel Colson*
|
265
188
|
|
266
|
-
|
189
|
+
* Add `without` as an alias of `except` on `ActiveController::Parameters`.
|
267
190
|
|
268
|
-
*
|
191
|
+
*Hidde-Jan Jongsma*
|
269
192
|
|
270
|
-
*
|
193
|
+
* Expand search field on `rails/info/routes` to also search **route name**, **http verb** and **controller#action**.
|
271
194
|
|
272
|
-
*
|
195
|
+
*Jason Kotchoff*
|
273
196
|
|
274
|
-
* Remove deprecated `
|
197
|
+
* Remove deprecated `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing.
|
275
198
|
|
276
199
|
*Rafael Mendonça França*
|
277
200
|
|
278
|
-
* Remove deprecated
|
201
|
+
* Remove deprecated ability to assign a single value to `config.action_dispatch.trusted_proxies`.
|
279
202
|
|
280
203
|
*Rafael Mendonça França*
|
281
204
|
|
282
|
-
*
|
205
|
+
* Deprecate `config.action_dispatch.return_only_request_media_type_on_content_type`.
|
283
206
|
|
284
207
|
*Rafael Mendonça França*
|
285
208
|
|
286
|
-
* Remove deprecated `
|
209
|
+
* Remove deprecated behavior on `Request#content_type`.
|
287
210
|
|
288
211
|
*Rafael Mendonça França*
|
289
212
|
|
290
|
-
*
|
291
|
-
|
292
|
-
*Rafael Mendonça França*
|
293
|
-
|
294
|
-
* Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
|
295
|
-
|
296
|
-
This allows `rescue_from` to be used to add a default fallback route:
|
213
|
+
* Change `ActionController::Instrumentation` to pass `filtered_path` instead of `fullpath` in the event payload to filter sensitive query params
|
297
214
|
|
298
215
|
```ruby
|
299
|
-
|
300
|
-
|
301
|
-
|
216
|
+
get "/posts?password=test"
|
217
|
+
request.fullpath # => "/posts?password=test"
|
218
|
+
request.filtered_path # => "/posts?password=[FILTERED]"
|
302
219
|
```
|
303
220
|
|
304
|
-
*
|
221
|
+
*Ritikesh G*
|
305
222
|
|
306
|
-
*
|
223
|
+
* Deprecate `AbstractController::Helpers::MissingHelperError`
|
307
224
|
|
308
|
-
|
309
|
-
|
310
|
-
|
225
|
+
*Hartley McGuire*
|
226
|
+
|
227
|
+
* Change `ActionDispatch::Testing::TestResponse#parsed_body` to parse HTML as
|
228
|
+
a Nokogiri document
|
311
229
|
|
312
230
|
```ruby
|
313
|
-
|
314
|
-
|
315
|
-
|
231
|
+
get "/posts"
|
232
|
+
response.content_type # => "text/html; charset=utf-8"
|
233
|
+
response.parsed_body.class # => Nokogiri::HTML5::Document
|
234
|
+
response.parsed_body.to_html # => "<!DOCTYPE html>\n<html>\n..."
|
316
235
|
```
|
317
236
|
|
318
|
-
*
|
319
|
-
|
320
|
-
* Allow Capybara driver name overrides in `SystemTestCase::driven_by`
|
237
|
+
*Sean Doyle*
|
321
238
|
|
322
|
-
|
323
|
-
type (selenium, poltergeist, webkit, rack test).
|
239
|
+
* Deprecate `ActionDispatch::IllegalStateError`.
|
324
240
|
|
325
|
-
|
241
|
+
*Samuel Williams*
|
326
242
|
|
327
|
-
|
243
|
+
* Add HTTP::Request#route_uri_pattern that returns URI pattern of matched route.
|
328
244
|
|
329
|
-
*
|
245
|
+
*Joel Hawksley*, *Kate Higa*
|
330
246
|
|
331
|
-
|
332
|
-
|
333
|
-
|
247
|
+
* Add `ActionDispatch::AssumeSSL` middleware that can be turned on via `config.assume_ssl`.
|
248
|
+
It makes the application believe that all requests are arriving over SSL. This is useful
|
249
|
+
when proxying through a load balancer that terminates SSL, the forwarded request will appear
|
250
|
+
as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
|
251
|
+
security target HTTP instead of HTTPS. This middleware makes the server assume that the
|
252
|
+
proxy already terminated SSL, and that the request really is HTTPS.
|
334
253
|
|
335
|
-
|
336
|
-
draw do
|
337
|
-
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
338
|
-
end
|
339
|
-
|
340
|
-
# After the change, the path matches.
|
341
|
-
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
342
|
-
```
|
254
|
+
*DHH*
|
343
255
|
|
344
|
-
|
256
|
+
* Only use HostAuthorization middleware if `config.hosts` is not empty
|
345
257
|
|
346
|
-
*
|
258
|
+
*Hartley McGuire*
|
347
259
|
|
348
|
-
*
|
260
|
+
* Allow raising an error when a callback's only/unless symbols aren't existing methods.
|
349
261
|
|
350
|
-
|
262
|
+
When `before_action :callback, only: :action_name` is declared on a controller that doesn't respond to `action_name`, raise an exception at request time. This is a safety measure to ensure that typos or forgetfulness don't prevent a crucial callback from being run when it should.
|
351
263
|
|
352
|
-
|
264
|
+
For new applications, raising an error for undefined actions is turned on by default. If you do not want to opt-in to this behavior set `config.action_pack.raise_on_missing_callback_actions` to `false` in your application configuration. See #43487 for more details.
|
353
265
|
|
354
|
-
|
355
|
-
After this change you can specify different fields for each numbered parameter.
|
356
|
-
For example params like,
|
357
|
-
```ruby
|
358
|
-
book: {
|
359
|
-
authors_attributes: {
|
360
|
-
'0': { name: "William Shakespeare", age_of_death: "52" },
|
361
|
-
'1': { name: "Unattributed Assistant" },
|
362
|
-
'2': "Not a hash",
|
363
|
-
'new_record': { name: "Some name" }
|
364
|
-
}
|
365
|
-
}
|
366
|
-
```
|
266
|
+
*Jess Bees*
|
367
267
|
|
368
|
-
|
369
|
-
`permit book: { authors_attributes: [ :name ] }`
|
268
|
+
* Allow cookie options[:domain] to accept a proc to set the cookie domain on a more flexible per-request basis
|
370
269
|
|
371
|
-
|
372
|
-
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
270
|
+
*RobL*
|
373
271
|
|
374
|
-
|
272
|
+
* When a host is not specified for an `ActionController::Renderer`'s env,
|
273
|
+
the host and related options will now be derived from the routes'
|
274
|
+
`default_url_options` and `ActionDispatch::Http::URL.secure_protocol`.
|
375
275
|
|
376
|
-
|
276
|
+
This means that for an application with a configuration like:
|
377
277
|
|
378
|
-
|
379
|
-
|
278
|
+
```ruby
|
279
|
+
Rails.application.default_url_options = { host: "rubyonrails.org" }
|
280
|
+
Rails.application.config.force_ssl = true
|
281
|
+
```
|
380
282
|
|
381
|
-
|
283
|
+
rendering a URL like:
|
382
284
|
|
383
|
-
|
285
|
+
```ruby
|
286
|
+
ApplicationController.renderer.render inline: "<%= blog_url %>"
|
287
|
+
```
|
384
288
|
|
385
|
-
|
289
|
+
will now return `"https://rubyonrails.org/blog"` instead of
|
290
|
+
`"http://example.org/blog"`.
|
386
291
|
|
387
|
-
*
|
292
|
+
*Jonathan Hefner*
|
388
293
|
|
389
|
-
|
390
|
-
about the request it is responding to.
|
294
|
+
* Add details of cookie name and size to `CookieOverflow` exception.
|
391
295
|
|
392
|
-
|
393
|
-
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
296
|
+
*Andy Waite*
|
394
297
|
|
395
|
-
|
298
|
+
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
396
299
|
|
397
|
-
|
300
|
+
Previously if you set `config.active_record.query_log_tags` to an array that included
|
301
|
+
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
302
|
+
This bug has been fixed.
|
398
303
|
|
304
|
+
*Alex Ghiculescu*
|
399
305
|
|
400
|
-
|
306
|
+
* Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
|
307
|
+
`serial`, `sync-xhr`, `web-share`.
|
401
308
|
|
402
|
-
*
|
309
|
+
*Guillaume Cabanel*
|
403
310
|
|
311
|
+
* The `speaker`, `vibrate`, and `vr` permissions policy directives are now
|
312
|
+
deprecated.
|
404
313
|
|
405
|
-
|
314
|
+
There is no browser support for these directives, and no plan for browser
|
315
|
+
support in the future. You can just remove these directives from your
|
316
|
+
application.
|
406
317
|
|
407
|
-
*
|
408
|
-
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
409
|
-
malformed JSON.
|
318
|
+
*Jonathan Hefner*
|
410
319
|
|
411
|
-
|
320
|
+
* Added the `:status` option to `assert_redirected_to` to specify the precise
|
321
|
+
HTTP status of the redirect. Defaults to `:redirect` for backwards
|
322
|
+
compatibility.
|
412
323
|
|
413
|
-
*
|
324
|
+
*Jon Dufresne*
|
414
325
|
|
415
|
-
*
|
326
|
+
* Rescue `JSON::ParserError` in Cookies JSON deserializer to discards marshal dumps:
|
416
327
|
|
417
|
-
|
418
|
-
|
328
|
+
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
329
|
+
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
330
|
+
clear the cookie and force app users to manually clear it in their browser.
|
419
331
|
|
420
|
-
|
332
|
+
(See #45127 for original bug discussion)
|
421
333
|
|
422
|
-
*
|
334
|
+
*Nathan Bardoux*
|
423
335
|
|
424
|
-
|
425
|
-
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
336
|
+
* Add `HTTP_REFERER` when following redirects on integration tests
|
426
337
|
|
427
|
-
|
338
|
+
This makes `follow_redirect!` a closer simulation of what happens in a real browser
|
428
339
|
|
429
|
-
*
|
340
|
+
*Felipe Sateler*
|
430
341
|
|
431
|
-
|
342
|
+
* Added `exclude?` method to `ActionController::Parameters`.
|
432
343
|
|
433
|
-
|
344
|
+
*Ian Neubert*
|
434
345
|
|
435
|
-
|
346
|
+
* Rescue `EOFError` exception from `rack` on a multipart request.
|
436
347
|
|
437
|
-
*
|
348
|
+
*Nikita Vasilevsky*
|
438
349
|
|
439
|
-
|
440
|
-
are not listed as actions on that controller.
|
350
|
+
* Log redirects from routes the same way as redirects from controllers.
|
441
351
|
|
442
|
-
|
443
|
-
add_flash_types :hype
|
444
|
-
end
|
352
|
+
*Dennis Paagman*
|
445
353
|
|
446
|
-
|
354
|
+
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
355
|
+
Previously, if another middleware down the chain set `Server-Timing` header,
|
356
|
+
it would overwritten by `ActionDispatch::ServerTiming`.
|
447
357
|
|
448
|
-
*
|
358
|
+
*Jakub Malinowski*
|
449
359
|
|
450
|
-
*
|
360
|
+
* Allow opting out of the `SameSite` cookie attribute when setting a cookie.
|
451
361
|
|
452
|
-
|
362
|
+
You can opt out of `SameSite` by passing `same_site: nil`.
|
453
363
|
|
454
|
-
|
364
|
+
`cookies[:foo] = { value: "bar", same_site: nil }`
|
455
365
|
|
456
|
-
|
366
|
+
Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
|
457
367
|
|
458
|
-
*
|
368
|
+
*Alex Ghiculescu*
|
459
369
|
|
460
|
-
*
|
461
|
-
present in `rescued_responses`.
|
370
|
+
* Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
|
462
371
|
|
463
|
-
|
464
|
-
|
465
|
-
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
466
|
-
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
372
|
+
Previously you could access basic helpers (defined in helper modules), but not
|
373
|
+
helper methods defined using `helper_method`. Now you can use either.
|
467
374
|
|
468
|
-
|
375
|
+
```ruby
|
376
|
+
content_security_policy do |p|
|
377
|
+
p.default_src "https://example.com"
|
378
|
+
p.script_src "https://example.com" if helpers.script_csp?
|
379
|
+
end
|
380
|
+
```
|
469
381
|
|
470
|
-
*
|
382
|
+
*Alex Ghiculescu*
|
471
383
|
|
472
|
-
|
384
|
+
* Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
|
473
385
|
|
474
|
-
|
386
|
+
Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
|
387
|
+
The new implementation takes care of conversions.
|
475
388
|
|
476
|
-
*
|
389
|
+
*Seva Stefkin*
|
477
390
|
|
478
|
-
*
|
391
|
+
* Allow only String and Symbol keys in `ActionController::Parameters`.
|
392
|
+
Raise `ActionController::InvalidParameterKey` when initializing Parameters
|
393
|
+
with keys that aren't strings or symbols.
|
479
394
|
|
480
|
-
*
|
395
|
+
*Seva Stefkin*
|
481
396
|
|
482
|
-
*
|
397
|
+
* Add the ability to use custom logic for storing and retrieving CSRF tokens.
|
483
398
|
|
484
|
-
|
399
|
+
By default, the token will be stored in the session. Custom classes can be
|
400
|
+
defined to specify arbitrary behavior, but the ability to store them in
|
401
|
+
encrypted cookies is built in.
|
485
402
|
|
486
|
-
*
|
403
|
+
*Andrew Kowpak*
|
487
404
|
|
488
|
-
*
|
405
|
+
* Make ActionController::Parameters#values cast nested hashes into parameters.
|
489
406
|
|
490
407
|
*Gannon McGibbon*
|
491
408
|
|
492
|
-
*
|
409
|
+
* Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
|
493
410
|
|
494
|
-
|
411
|
+
Use these as an alternative to the already-available environment variables.
|
495
412
|
|
496
|
-
|
413
|
+
For example, this will display a screenshot in iTerm, save the HTML, and output
|
414
|
+
its path.
|
497
415
|
|
498
|
-
|
416
|
+
```ruby
|
417
|
+
take_screenshot(html: true, screenshot: "inline")
|
418
|
+
```
|
499
419
|
|
500
|
-
|
420
|
+
*Alex Ghiculescu*
|
501
421
|
|
502
|
-
|
422
|
+
* Allow `ActionController::Parameters#to_h` to receive a block.
|
503
423
|
|
504
|
-
*
|
424
|
+
*Bob Farrell*
|
505
425
|
|
506
|
-
|
426
|
+
* Allow relative redirects when `raise_on_open_redirects` is enabled
|
507
427
|
|
508
|
-
*
|
428
|
+
*Tom Hughes*
|
509
429
|
|
510
|
-
*
|
430
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
511
431
|
|
512
|
-
*
|
432
|
+
*Tim Wade*
|
513
433
|
|
514
|
-
*
|
434
|
+
* Fix `authenticate_with_http_basic` to allow for missing password.
|
515
435
|
|
516
|
-
|
436
|
+
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
517
437
|
|
518
|
-
|
438
|
+
```ruby
|
439
|
+
authenticate_with_http_basic do |token, _|
|
440
|
+
ApiClient.authenticate(token)
|
441
|
+
end
|
442
|
+
```
|
519
443
|
|
520
|
-
|
521
|
-
know which controller action received unpermitted parameters.
|
444
|
+
This ability is restored.
|
522
445
|
|
523
|
-
*
|
446
|
+
*Jean Boussier*
|
524
447
|
|
525
|
-
*
|
448
|
+
* Fix `content_security_policy` returning invalid directives.
|
526
449
|
|
527
|
-
|
528
|
-
|
529
|
-
|
450
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
451
|
+
single quoted when the directive was the result of calling a lambda
|
452
|
+
returning an array.
|
530
453
|
|
531
|
-
|
532
|
-
|
533
|
-
|
454
|
+
```ruby
|
455
|
+
content_security_policy do |policy|
|
456
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
534
457
|
end
|
535
458
|
```
|
536
459
|
|
537
|
-
|
460
|
+
With this fix the policy generated from above will now be valid.
|
461
|
+
|
462
|
+
*Edouard Chin*
|
538
463
|
|
539
|
-
*
|
464
|
+
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
465
|
+
protection has not been enabled / `verify_authenticity_token` is not a
|
466
|
+
defined callback.
|
540
467
|
|
541
|
-
|
468
|
+
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
469
|
+
`ArgumentError` if `default_protect_from_forgery` is false.
|
542
470
|
|
543
|
-
*
|
471
|
+
*Brad Trick*
|
544
472
|
|
545
|
-
|
546
|
-
This behavior changed to returned Content-Type header containing charset part as it is.
|
473
|
+
* Make `redirect_to` return an empty response body.
|
547
474
|
|
548
|
-
|
475
|
+
Application controllers that wish to add a response body after calling
|
476
|
+
`redirect_to` can continue to do so.
|
549
477
|
|
550
|
-
|
478
|
+
*Jon Dufresne*
|
551
479
|
|
552
|
-
|
553
|
-
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
554
|
-
request.content_type #=> "text/csv"
|
555
|
-
```
|
480
|
+
* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
|
556
481
|
|
557
|
-
|
482
|
+
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
|
558
483
|
|
559
|
-
|
560
|
-
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
561
|
-
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
562
|
-
request.media_type #=> "text/csv"
|
563
|
-
```
|
484
|
+
*Sam Bostock*
|
564
485
|
|
565
|
-
|
486
|
+
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
566
487
|
|
567
|
-
|
488
|
+
Since its inception `ActionController::Live` has been copying thread local variables
|
489
|
+
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
568
490
|
|
569
|
-
|
491
|
+
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
492
|
+
`ActionController::Live` controllers.
|
570
493
|
|
571
|
-
*
|
494
|
+
*Jean Boussier*
|
572
495
|
|
573
|
-
|
496
|
+
* Fix setting `trailing_slash: true` in route definition.
|
574
497
|
|
575
|
-
|
498
|
+
```ruby
|
499
|
+
get '/test' => "test#index", as: :test, trailing_slash: true
|
576
500
|
|
577
|
-
|
501
|
+
test_path() # => "/test/"
|
502
|
+
```
|
578
503
|
|
579
|
-
*
|
504
|
+
*Jean Boussier*
|
580
505
|
|
581
|
-
|
506
|
+
* Make `Session#merge!` stringify keys.
|
582
507
|
|
583
|
-
|
584
|
-
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
585
|
-
with a single value or an enumerable.
|
508
|
+
Previously `Session#update` would, but `merge!` wouldn't.
|
586
509
|
|
587
|
-
|
510
|
+
*Drew Bragg*
|
588
511
|
|
589
|
-
|
512
|
+
* Add `:unsafe_hashes` mapping for `content_security_policy`
|
590
513
|
|
591
|
-
|
592
|
-
|
514
|
+
```ruby
|
515
|
+
# Before
|
516
|
+
policy.script_src :strict_dynamic, "'unsafe-hashes'", "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
593
517
|
|
594
|
-
|
518
|
+
# After
|
519
|
+
policy.script_src :strict_dynamic, :unsafe_hashes, "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
520
|
+
```
|
595
521
|
|
522
|
+
*Igor Morozov*
|
596
523
|
|
597
|
-
Please check [
|
524
|
+
Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
|