actionpack 7.0.8 → 7.1.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +327 -371
- data/MIT-LICENSE +1 -1
- data/README.rdoc +2 -2
- data/lib/abstract_controller/base.rb +20 -11
- data/lib/abstract_controller/caching/fragments.rb +2 -0
- data/lib/abstract_controller/callbacks.rb +31 -6
- data/lib/abstract_controller/deprecator.rb +7 -0
- data/lib/abstract_controller/helpers.rb +61 -18
- data/lib/abstract_controller/railties/routes_helpers.rb +1 -16
- data/lib/abstract_controller/rendering.rb +3 -3
- data/lib/abstract_controller/translation.rb +1 -5
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +6 -0
- data/lib/action_controller/api.rb +5 -3
- data/lib/action_controller/base.rb +3 -17
- data/lib/action_controller/caching.rb +2 -0
- data/lib/action_controller/deprecator.rb +7 -0
- data/lib/action_controller/form_builder.rb +2 -0
- data/lib/action_controller/log_subscriber.rb +16 -4
- data/lib/action_controller/metal/content_security_policy.rb +1 -1
- data/lib/action_controller/metal/data_streaming.rb +2 -0
- data/lib/action_controller/metal/default_headers.rb +2 -0
- data/lib/action_controller/metal/etag_with_flash.rb +2 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +2 -0
- data/lib/action_controller/metal/exceptions.rb +8 -0
- data/lib/action_controller/metal/head.rb +8 -6
- data/lib/action_controller/metal/helpers.rb +3 -14
- data/lib/action_controller/metal/http_authentication.rb +16 -7
- data/lib/action_controller/metal/implicit_render.rb +5 -3
- data/lib/action_controller/metal/instrumentation.rb +8 -1
- data/lib/action_controller/metal/live.rb +24 -0
- data/lib/action_controller/metal/mime_responds.rb +2 -2
- data/lib/action_controller/metal/params_wrapper.rb +3 -1
- data/lib/action_controller/metal/permissions_policy.rb +1 -1
- data/lib/action_controller/metal/redirecting.rb +6 -6
- data/lib/action_controller/metal/renderers.rb +2 -2
- data/lib/action_controller/metal/rendering.rb +0 -7
- data/lib/action_controller/metal/request_forgery_protection.rb +139 -50
- data/lib/action_controller/metal/rescue.rb +2 -0
- data/lib/action_controller/metal/streaming.rb +70 -30
- data/lib/action_controller/metal/strong_parameters.rb +126 -52
- data/lib/action_controller/metal/url_for.rb +7 -0
- data/lib/action_controller/metal.rb +79 -21
- data/lib/action_controller/railtie.rb +22 -9
- data/lib/action_controller/renderer.rb +98 -65
- data/lib/action_controller/test_case.rb +15 -5
- data/lib/action_controller.rb +8 -1
- data/lib/action_dispatch/constants.rb +32 -0
- data/lib/action_dispatch/deprecator.rb +7 -0
- data/lib/action_dispatch/http/cache.rb +1 -3
- data/lib/action_dispatch/http/content_security_policy.rb +9 -8
- data/lib/action_dispatch/http/filter_parameters.rb +11 -5
- data/lib/action_dispatch/http/headers.rb +2 -0
- data/lib/action_dispatch/http/mime_negotiation.rb +21 -21
- data/lib/action_dispatch/http/mime_type.rb +35 -12
- data/lib/action_dispatch/http/mime_types.rb +3 -1
- data/lib/action_dispatch/http/parameters.rb +1 -1
- data/lib/action_dispatch/http/permissions_policy.rb +39 -17
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +48 -14
- data/lib/action_dispatch/http/response.rb +78 -59
- data/lib/action_dispatch/http/upload.rb +2 -0
- data/lib/action_dispatch/journey/formatter.rb +8 -2
- data/lib/action_dispatch/journey/path/pattern.rb +14 -14
- data/lib/action_dispatch/journey/route.rb +3 -2
- data/lib/action_dispatch/journey/router.rb +9 -8
- data/lib/action_dispatch/journey/routes.rb +2 -2
- data/lib/action_dispatch/log_subscriber.rb +23 -0
- data/lib/action_dispatch/middleware/actionable_exceptions.rb +5 -6
- data/lib/action_dispatch/middleware/assume_ssl.rb +24 -0
- data/lib/action_dispatch/middleware/callbacks.rb +2 -0
- data/lib/action_dispatch/middleware/cookies.rb +81 -98
- data/lib/action_dispatch/middleware/debug_exceptions.rb +26 -25
- data/lib/action_dispatch/middleware/debug_locks.rb +4 -1
- data/lib/action_dispatch/middleware/debug_view.rb +7 -2
- data/lib/action_dispatch/middleware/exception_wrapper.rb +181 -27
- data/lib/action_dispatch/middleware/executor.rb +1 -1
- data/lib/action_dispatch/middleware/flash.rb +7 -0
- data/lib/action_dispatch/middleware/host_authorization.rb +6 -3
- data/lib/action_dispatch/middleware/public_exceptions.rb +5 -3
- data/lib/action_dispatch/middleware/reloader.rb +7 -5
- data/lib/action_dispatch/middleware/remote_ip.rb +17 -16
- data/lib/action_dispatch/middleware/request_id.rb +2 -0
- data/lib/action_dispatch/middleware/server_timing.rb +4 -4
- data/lib/action_dispatch/middleware/session/abstract_store.rb +5 -0
- data/lib/action_dispatch/middleware/session/cache_store.rb +2 -0
- data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -5
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +3 -1
- data/lib/action_dispatch/middleware/show_exceptions.rb +19 -15
- data/lib/action_dispatch/middleware/ssl.rb +18 -6
- data/lib/action_dispatch/middleware/stack.rb +7 -2
- data/lib/action_dispatch/middleware/static.rb +12 -8
- data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +8 -1
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +7 -7
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +2 -2
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +17 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +16 -12
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +3 -0
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +46 -37
- data/lib/action_dispatch/railtie.rb +14 -4
- data/lib/action_dispatch/request/session.rb +16 -6
- data/lib/action_dispatch/request/utils.rb +8 -3
- data/lib/action_dispatch/routing/inspector.rb +54 -6
- data/lib/action_dispatch/routing/mapper.rb +26 -14
- data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
- data/lib/action_dispatch/routing/redirection.rb +15 -6
- data/lib/action_dispatch/routing/route_set.rb +52 -22
- data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
- data/lib/action_dispatch/routing/url_for.rb +5 -1
- data/lib/action_dispatch/routing.rb +4 -4
- data/lib/action_dispatch/system_test_case.rb +3 -3
- data/lib/action_dispatch/system_testing/browser.rb +5 -6
- data/lib/action_dispatch/system_testing/driver.rb +13 -21
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +27 -16
- data/lib/action_dispatch/testing/assertions/response.rb +13 -6
- data/lib/action_dispatch/testing/assertions/routing.rb +67 -28
- data/lib/action_dispatch/testing/assertions.rb +3 -1
- data/lib/action_dispatch/testing/integration.rb +27 -17
- data/lib/action_dispatch/testing/request_encoder.rb +4 -1
- data/lib/action_dispatch/testing/test_process.rb +4 -3
- data/lib/action_dispatch/testing/test_request.rb +1 -1
- data/lib/action_dispatch/testing/test_response.rb +23 -9
- data/lib/action_dispatch.rb +37 -4
- data/lib/action_pack/gem_version.rb +3 -3
- data/lib/action_pack/version.rb +1 -1
- data/lib/action_pack.rb +1 -1
- metadata +49 -27
data/CHANGELOG.md
CHANGED
@@ -1,591 +1,547 @@
|
|
1
|
-
## Rails 7.
|
2
|
-
|
3
|
-
* Fix `HostAuthorization` potentially displaying the value of the
|
4
|
-
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
5
|
-
|
6
|
-
*Hartley McGuire*, *Daniel Schlosser*
|
7
|
-
|
8
|
-
|
9
|
-
## Rails 7.0.7.2 (August 22, 2023) ##
|
1
|
+
## Rails 7.1.1 (October 11, 2023) ##
|
10
2
|
|
11
3
|
* No changes.
|
12
4
|
|
13
5
|
|
14
|
-
## Rails 7.0
|
6
|
+
## Rails 7.1.0 (October 05, 2023) ##
|
15
7
|
|
16
8
|
* No changes.
|
17
9
|
|
18
10
|
|
19
|
-
## Rails 7.0.
|
11
|
+
## Rails 7.1.0.rc2 (October 01, 2023) ##
|
20
12
|
|
21
13
|
* No changes.
|
22
14
|
|
23
15
|
|
24
|
-
## Rails 7.0.
|
25
|
-
|
26
|
-
* No changes.
|
27
|
-
|
28
|
-
|
29
|
-
## Rails 7.0.5.1 (June 26, 2023) ##
|
30
|
-
|
31
|
-
* Raise an exception if illegal characters are provide to redirect_to
|
32
|
-
[CVE-2023-28362]
|
33
|
-
|
34
|
-
*Zack Deveau*
|
35
|
-
|
36
|
-
## Rails 7.0.5 (May 24, 2023) ##
|
37
|
-
|
38
|
-
* Do not return CSP headers for 304 Not Modified responses.
|
16
|
+
## Rails 7.1.0.rc1 (September 27, 2023) ##
|
39
17
|
|
40
|
-
|
18
|
+
* Add support for `#deep_merge` and `#deep_merge!` to
|
19
|
+
`ActionController::Parameters`.
|
41
20
|
|
42
|
-
*
|
21
|
+
*Sean Doyle*
|
43
22
|
|
44
|
-
*fatkodima*
|
45
23
|
|
46
|
-
|
24
|
+
## Rails 7.1.0.beta1 (September 13, 2023) ##
|
47
25
|
|
48
|
-
|
26
|
+
* `AbstractController::Translation.raise_on_missing_translations` removed
|
49
27
|
|
50
|
-
|
51
|
-
|
52
|
-
*Ron Shinall*
|
53
|
-
|
54
|
-
* Fix cookie domain for domain: all on two letter single level TLD.
|
55
|
-
|
56
|
-
*John Hawthorn*
|
57
|
-
|
58
|
-
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
59
|
-
|
60
|
-
Previously if you set `config.active_record.query_log_tags` to an array that included
|
61
|
-
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
62
|
-
This bug has been fixed.
|
28
|
+
This was a private API, and has been removed in favour of a more broadly applicable
|
29
|
+
`config.i18n.raise_on_missing_translations`. See the upgrading guide for more information.
|
63
30
|
|
64
31
|
*Alex Ghiculescu*
|
65
32
|
|
66
|
-
*
|
33
|
+
* Add `ActionController::Parameters#extract_value` method to allow extracting serialized values from params
|
67
34
|
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
74
|
-
clear the cookie and force app users to manually clear it in their browser.
|
75
|
-
|
76
|
-
(See #45127 for original bug discussion)
|
77
|
-
|
78
|
-
*Nathan Bardoux*
|
79
|
-
|
80
|
-
## Rails 7.0.4.3 (March 13, 2023) ##
|
81
|
-
|
82
|
-
* No changes.
|
35
|
+
```ruby
|
36
|
+
params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
|
37
|
+
params.extract_value(:id) # => ["1", "123"]
|
38
|
+
params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
|
39
|
+
```
|
83
40
|
|
41
|
+
*Nikita Vasilevsky*
|
84
42
|
|
85
|
-
|
43
|
+
* Parse JSON `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`
|
86
44
|
|
87
|
-
|
45
|
+
Integrate with Minitest's new `assert_pattern` by parsing the JSON contents
|
46
|
+
of `response.parsed_body` with `ActiveSupport::HashWithIndifferentAccess`, so
|
47
|
+
that it's pattern-matching compatible.
|
88
48
|
|
89
|
-
|
90
|
-
release when using `domain: :all` with a two letter but single level top
|
91
|
-
level domain domain (like `.ca`, rather than `.co.uk`).
|
49
|
+
*Sean Doyle*
|
92
50
|
|
51
|
+
* Add support for Playwright as a driver for system tests.
|
93
52
|
|
94
|
-
|
53
|
+
*Yuki Nishijima*
|
95
54
|
|
96
|
-
* Fix
|
55
|
+
* Fix `HostAuthorization` potentially displaying the value of the
|
56
|
+
X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.
|
97
57
|
|
98
|
-
|
99
|
-
to malicious sites.
|
58
|
+
*Hartley McGuire*, *Daniel Schlosser*
|
100
59
|
|
101
|
-
|
60
|
+
* Rename `fixture_file_upload` method to `file_fixture_upload`
|
102
61
|
|
103
|
-
|
62
|
+
Declare an alias to preserve the backwards compatibility of `fixture_file_upload`
|
104
63
|
|
105
|
-
|
64
|
+
*Sean Doyle*
|
106
65
|
|
107
|
-
*
|
66
|
+
* `ActionDispatch::SystemTesting::TestHelpers::ScreenshotHelper` saves the screenshot path in test metadata on failure.
|
108
67
|
|
109
|
-
|
68
|
+
*Matija Čupić*
|
110
69
|
|
111
|
-
|
70
|
+
* `config.dom_testing_default_html_version` controls the HTML parser used by
|
71
|
+
`ActionDispatch::Assertions#html_document`.
|
112
72
|
|
113
|
-
|
73
|
+
The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
|
74
|
+
represent what the DOM would be in a browser user agent. Previously this test helper always used
|
75
|
+
Nokogiri's HTML4 parser.
|
114
76
|
|
115
|
-
|
116
|
-
it would overwritten by `ActionDispatch::ServerTiming`.
|
77
|
+
*Mike Dalessio*
|
117
78
|
|
118
|
-
|
79
|
+
* The `with_routing` helper can now be called at the class level. When called at the class level, the routes will
|
80
|
+
be setup before each test, and reset after every test. For example:
|
119
81
|
|
82
|
+
```ruby
|
83
|
+
class RoutingTest < ActionController::TestCase
|
84
|
+
with_routing do |routes|
|
85
|
+
routes.draw do
|
86
|
+
resources :articles
|
87
|
+
resources :authors
|
88
|
+
end
|
89
|
+
end
|
120
90
|
|
121
|
-
|
91
|
+
def test_articles_route
|
92
|
+
assert_routing("/articles", controller: "articles", action: "index")
|
93
|
+
end
|
122
94
|
|
123
|
-
|
95
|
+
def test_authors_route
|
96
|
+
assert_routing("/authors", controller: "authors", action: "index")
|
97
|
+
end
|
98
|
+
end
|
99
|
+
```
|
124
100
|
|
101
|
+
*Andrew Novoselac*
|
125
102
|
|
126
|
-
|
103
|
+
* The `Mime::Type` now supports handling types with parameters and correctly handles quotes.
|
104
|
+
When parsing the accept header, the parameters before the q-parameter are kept and if a matching mime-type exists it is used.
|
105
|
+
To keep the current functionality, a fallback is created to look for the media-type without the parameters.
|
127
106
|
|
128
|
-
|
107
|
+
This change allows for custom MIME-types that are more complex like `application/vnd.api+json; profile="https://jsonapi.org/profiles/ethanresnick/cursor-pagination/" ext="https://jsonapi.org/ext/atomic"` for the [JSON API](https://jsonapi.org/).
|
129
108
|
|
130
|
-
*
|
109
|
+
*Nicolas Erni*
|
131
110
|
|
132
|
-
*
|
111
|
+
* The url_for helpers now support a new option called `path_params`.
|
112
|
+
This is very useful in situations where you only want to add a required param that is part of the route's URL but for other route not append an extraneous query param.
|
133
113
|
|
134
|
-
|
114
|
+
Given the following router...
|
135
115
|
|
136
116
|
```ruby
|
137
|
-
|
138
|
-
|
117
|
+
Rails.application.routes.draw do
|
118
|
+
scope ":account_id" do
|
119
|
+
get "dashboard" => "pages#dashboard", as: :dashboard
|
120
|
+
get "search/:term" => "search#search", as: :search
|
121
|
+
end
|
122
|
+
delete "signout" => "sessions#destroy", as: :signout
|
139
123
|
end
|
140
124
|
```
|
141
125
|
|
142
|
-
|
143
|
-
|
144
|
-
*Jean Boussier*
|
145
|
-
|
146
|
-
* Fix `content_security_policy` returning invalid directives.
|
147
|
-
|
148
|
-
Directives such as `self`, `unsafe-eval` and few others were not
|
149
|
-
single quoted when the directive was the result of calling a lambda
|
150
|
-
returning an array.
|
126
|
+
And given the following `ApplicationController`
|
151
127
|
|
152
128
|
```ruby
|
153
|
-
|
154
|
-
|
129
|
+
class ApplicationController < ActionController::Base
|
130
|
+
def default_url_options
|
131
|
+
{ path_params: { account_id: "foo" } }
|
132
|
+
end
|
155
133
|
end
|
156
134
|
```
|
157
135
|
|
158
|
-
|
159
|
-
|
160
|
-
*Edouard Chin*
|
161
|
-
|
162
|
-
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
163
|
-
protection has not been enabled / `verify_authenticity_token` is not a
|
164
|
-
defined callback.
|
165
|
-
|
166
|
-
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
167
|
-
`ArgumentError` if `default_protect_from_forgery` is false.
|
168
|
-
|
169
|
-
*Brad Trick*
|
170
|
-
|
171
|
-
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
172
|
-
|
173
|
-
Since its inception `ActionController::Live` has been copying thread local variables
|
174
|
-
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
175
|
-
|
176
|
-
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
177
|
-
`ActionController::Live` controllers.
|
178
|
-
|
179
|
-
*Jean Boussier*
|
180
|
-
|
181
|
-
* Fix setting `trailing_slash: true` in route definition.
|
136
|
+
The standard url_for helper and friends will now behave as follows:
|
182
137
|
|
183
138
|
```ruby
|
184
|
-
|
139
|
+
dashboard_path # => /foo/dashboard
|
140
|
+
dashboard_path(account_id: "bar") # => /bar/dashboard
|
185
141
|
|
186
|
-
|
142
|
+
signout_path # => /signout
|
143
|
+
signout_path(account_id: "bar") # => /signout?account_id=bar
|
144
|
+
signout_path(account_id: "bar", path_params: { account_id: "baz" }) # => /signout?account_id=bar
|
145
|
+
search_path("quin") # => /foo/search/quin
|
187
146
|
```
|
188
147
|
|
189
|
-
*
|
190
|
-
|
191
|
-
## Rails 7.0.2.4 (April 26, 2022) ##
|
192
|
-
|
193
|
-
* Allow Content Security Policy DSL to generate for API responses.
|
194
|
-
|
195
|
-
*Tim Wade*
|
196
|
-
|
197
|
-
## Rails 7.0.2.3 (March 08, 2022) ##
|
198
|
-
|
199
|
-
* No changes.
|
148
|
+
*Jason Meller, Jeremy Beker*
|
200
149
|
|
150
|
+
* Change `action_dispatch.show_exceptions` to one of `:all`, `:rescuable`, or
|
151
|
+
`:none`. `:all` and `:none` behave the same as the previous `true` and
|
152
|
+
`false` respectively. The new `:rescuable` option will only show exceptions
|
153
|
+
that can be rescued (e.g. `ActiveRecord::RecordNotFound`). `:rescuable` is
|
154
|
+
now the default for the test environment.
|
201
155
|
|
202
|
-
|
203
|
-
|
204
|
-
* No changes.
|
156
|
+
*Jon Dufresne*
|
205
157
|
|
158
|
+
* `config.action_dispatch.cookies_serializer` now accepts `:message_pack` and
|
159
|
+
`:message_pack_allow_marshal` as serializers. These serializers require the
|
160
|
+
[`msgpack` gem](https://rubygems.org/gems/msgpack) (>= 1.7.0).
|
206
161
|
|
207
|
-
|
162
|
+
The Message Pack format can provide improved performance and smaller payload
|
163
|
+
sizes. It also supports roundtripping some Ruby types that are not supported
|
164
|
+
by JSON. For example:
|
208
165
|
|
209
|
-
|
210
|
-
|
211
|
-
being fully reset before the next request
|
166
|
+
```ruby
|
167
|
+
cookies.encrypted[:foo] = [{ a: 1 }, { b: 2 }.with_indifferent_access, 1.to_d, Time.at(0, 123)]
|
212
168
|
|
213
|
-
|
169
|
+
# BEFORE with config.action_dispatch.cookies_serializer = :json
|
170
|
+
cookies.encrypted[:foo]
|
171
|
+
# => [{"a"=>1}, {"b"=>2}, "1.0", "1969-12-31T18:00:00.000-06:00"]
|
172
|
+
cookies.encrypted[:foo].map(&:class)
|
173
|
+
# => [Hash, Hash, String, String]
|
214
174
|
|
175
|
+
# AFTER with config.action_dispatch.cookies_serializer = :message_pack
|
176
|
+
cookies.encrypted[:foo]
|
177
|
+
# => [{:a=>1}, {"b"=>2}, 0.1e1, 1969-12-31 18:00:00.000123 -0600]
|
178
|
+
cookies.encrypted[:foo].map(&:class)
|
179
|
+
# => [Hash, ActiveSupport::HashWithIndifferentAccess, BigDecimal, Time]
|
180
|
+
```
|
215
181
|
|
216
|
-
|
217
|
-
|
218
|
-
|
219
|
-
|
182
|
+
The `:message_pack` serializer can fall back to deserializing with
|
183
|
+
`ActiveSupport::JSON` when necessary, and the `:message_pack_allow_marshal`
|
184
|
+
serializer can fall back to deserializing with `Marshal` as well as
|
185
|
+
`ActiveSupport::JSON`. Additionally, the `:marshal`, `:json`, and
|
186
|
+
`:json_allow_marshal` (AKA `:hybrid`) serializers can now fall back to
|
187
|
+
deserializing with `ActiveSupport::MessagePack` when necessary. These
|
188
|
+
behaviors ensure old cookies can still be read so that migration is easier.
|
220
189
|
|
221
|
-
|
190
|
+
*Jonathan Hefner*
|
222
191
|
|
223
|
-
*
|
224
|
-
of the original object.
|
192
|
+
* Remove leading dot from domains on cookies set with `domain: :all`, to meet RFC6265 requirements
|
225
193
|
|
226
|
-
*
|
194
|
+
*Gareth Adams*
|
227
195
|
|
196
|
+
* Include source location in routes extended view.
|
228
197
|
|
229
|
-
|
198
|
+
```bash
|
199
|
+
$ bin/rails routes --expanded
|
230
200
|
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
|
236
|
-
|
237
|
-
|
238
|
-
|
239
|
-
|
240
|
-
*Alex Ghiculescu*
|
241
|
-
|
242
|
-
|
243
|
-
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
244
|
-
|
245
|
-
* No changes.
|
246
|
-
|
247
|
-
|
248
|
-
## Rails 7.0.0.rc2 (December 14, 2021) ##
|
249
|
-
|
250
|
-
* Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
|
251
|
-
|
252
|
-
|
253
|
-
## Rails 7.0.0.rc1 (December 06, 2021) ##
|
254
|
-
|
255
|
-
* `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
|
201
|
+
...
|
202
|
+
--[ Route 14 ]----------
|
203
|
+
Prefix | new_gist
|
204
|
+
Verb | GET
|
205
|
+
URI | /gist(.:format)
|
206
|
+
Controller#Action | gists/gists#new
|
207
|
+
Source Location | config/routes/gist.rb:3
|
208
|
+
```
|
256
209
|
|
257
|
-
|
258
|
-
leaking from one request to another.
|
210
|
+
*Luan Vieira, John Hawthorn and Daniel Colson*
|
259
211
|
|
260
|
-
|
212
|
+
* Add `without` as an alias of `except` on `ActiveController::Parameters`.
|
261
213
|
|
262
|
-
*
|
214
|
+
*Hidde-Jan Jongsma*
|
263
215
|
|
264
|
-
*
|
216
|
+
* Expand search field on `rails/info/routes` to also search **route name**, **http verb** and **controller#action**.
|
265
217
|
|
266
|
-
*
|
218
|
+
*Jason Kotchoff*
|
267
219
|
|
268
|
-
* Remove deprecated `
|
220
|
+
* Remove deprecated `poltergeist` and `webkit` (capybara-webkit) driver registration for system testing.
|
269
221
|
|
270
222
|
*Rafael Mendonça França*
|
271
223
|
|
272
|
-
* Remove deprecated
|
224
|
+
* Remove deprecated ability to assign a single value to `config.action_dispatch.trusted_proxies`.
|
273
225
|
|
274
226
|
*Rafael Mendonça França*
|
275
227
|
|
276
|
-
*
|
228
|
+
* Deprecate `config.action_dispatch.return_only_request_media_type_on_content_type`.
|
277
229
|
|
278
230
|
*Rafael Mendonça França*
|
279
231
|
|
280
|
-
* Remove deprecated `
|
232
|
+
* Remove deprecated behavior on `Request#content_type`.
|
281
233
|
|
282
234
|
*Rafael Mendonça França*
|
283
235
|
|
284
|
-
*
|
285
|
-
|
286
|
-
*Rafael Mendonça França*
|
287
|
-
|
288
|
-
* Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
|
289
|
-
|
290
|
-
This allows `rescue_from` to be used to add a default fallback route:
|
236
|
+
* Change `ActionController::Instrumentation` to pass `filtered_path` instead of `fullpath` in the event payload to filter sensitive query params
|
291
237
|
|
292
238
|
```ruby
|
293
|
-
|
294
|
-
|
295
|
-
|
239
|
+
get "/posts?password=test"
|
240
|
+
request.fullpath # => "/posts?password=test"
|
241
|
+
request.filtered_path # => "/posts?password=[FILTERED]"
|
296
242
|
```
|
297
243
|
|
298
|
-
*
|
244
|
+
*Ritikesh G*
|
299
245
|
|
300
|
-
*
|
246
|
+
* Deprecate `AbstractController::Helpers::MissingHelperError`
|
301
247
|
|
302
|
-
|
303
|
-
|
304
|
-
|
248
|
+
*Hartley McGuire*
|
249
|
+
|
250
|
+
* Change `ActionDispatch::Testing::TestResponse#parsed_body` to parse HTML as
|
251
|
+
a Nokogiri document
|
305
252
|
|
306
253
|
```ruby
|
307
|
-
|
308
|
-
|
309
|
-
|
254
|
+
get "/posts"
|
255
|
+
response.content_type # => "text/html; charset=utf-8"
|
256
|
+
response.parsed_body.class # => Nokogiri::HTML5::Document
|
257
|
+
response.parsed_body.to_html # => "<!DOCTYPE html>\n<html>\n..."
|
310
258
|
```
|
311
259
|
|
312
|
-
*
|
260
|
+
*Sean Doyle*
|
313
261
|
|
314
|
-
*
|
262
|
+
* Deprecate `ActionDispatch::IllegalStateError`.
|
315
263
|
|
316
|
-
|
317
|
-
type (selenium, poltergeist, webkit, rack test).
|
264
|
+
*Samuel Williams*
|
318
265
|
|
319
|
-
|
266
|
+
* Add HTTP::Request#route_uri_pattern that returns URI pattern of matched route.
|
320
267
|
|
321
|
-
*
|
268
|
+
*Joel Hawksley*, *Kate Higa*
|
322
269
|
|
323
|
-
*
|
270
|
+
* Add `ActionDispatch::AssumeSSL` middleware that can be turned on via `config.assume_ssl`.
|
271
|
+
It makes the application believe that all requests are arriving over SSL. This is useful
|
272
|
+
when proxying through a load balancer that terminates SSL, the forwarded request will appear
|
273
|
+
as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
|
274
|
+
security target HTTP instead of HTTPS. This middleware makes the server assume that the
|
275
|
+
proxy already terminated SSL, and that the request really is HTTPS.
|
324
276
|
|
325
|
-
|
326
|
-
a `No route matches` error.
|
327
|
-
After this change, routes with newlines are detected on wildcard segments. Example
|
328
|
-
|
329
|
-
```ruby
|
330
|
-
draw do
|
331
|
-
get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
|
332
|
-
end
|
333
|
-
|
334
|
-
# After the change, the path matches.
|
335
|
-
assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
|
336
|
-
```
|
277
|
+
*DHH*
|
337
278
|
|
338
|
-
|
279
|
+
* Only use HostAuthorization middleware if `config.hosts` is not empty
|
339
280
|
|
340
|
-
*
|
281
|
+
*Hartley McGuire*
|
341
282
|
|
342
|
-
*
|
283
|
+
* Allow raising an error when a callback's only/unless symbols aren't existing methods.
|
343
284
|
|
344
|
-
|
285
|
+
When `before_action :callback, only: :action_name` is declared on a controller that doesn't respond to `action_name`, raise an exception at request time. This is a safety measure to ensure that typos or forgetfulness don't prevent a crucial callback from being run when it should.
|
345
286
|
|
346
|
-
|
287
|
+
For new applications, raising an error for undefined actions is turned on by default. If you do not want to opt-in to this behavior set `config.action_controller.raise_on_missing_callback_actions` to `false` in your application configuration. See #43487 for more details.
|
347
288
|
|
348
|
-
|
349
|
-
After this change you can specify different fields for each numbered parameter.
|
350
|
-
For example params like,
|
351
|
-
```ruby
|
352
|
-
book: {
|
353
|
-
authors_attributes: {
|
354
|
-
'0': { name: "William Shakespeare", age_of_death: "52" },
|
355
|
-
'1': { name: "Unattributed Assistant" },
|
356
|
-
'2': "Not a hash",
|
357
|
-
'new_record': { name: "Some name" }
|
358
|
-
}
|
359
|
-
}
|
360
|
-
```
|
289
|
+
*Jess Bees*
|
361
290
|
|
362
|
-
|
363
|
-
`permit book: { authors_attributes: [ :name ] }`
|
291
|
+
* Allow cookie options[:domain] to accept a proc to set the cookie domain on a more flexible per-request basis
|
364
292
|
|
365
|
-
|
366
|
-
`permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
|
293
|
+
*RobL*
|
367
294
|
|
368
|
-
|
295
|
+
* When a host is not specified for an `ActionController::Renderer`'s env,
|
296
|
+
the host and related options will now be derived from the routes'
|
297
|
+
`default_url_options` and `ActionDispatch::Http::URL.secure_protocol`.
|
369
298
|
|
370
|
-
|
299
|
+
This means that for an application with a configuration like:
|
371
300
|
|
372
|
-
|
373
|
-
|
301
|
+
```ruby
|
302
|
+
Rails.application.default_url_options = { host: "rubyonrails.org" }
|
303
|
+
Rails.application.config.force_ssl = true
|
304
|
+
```
|
374
305
|
|
375
|
-
|
306
|
+
rendering a URL like:
|
376
307
|
|
377
|
-
|
308
|
+
```ruby
|
309
|
+
ApplicationController.renderer.render inline: "<%= blog_url %>"
|
310
|
+
```
|
378
311
|
|
379
|
-
|
312
|
+
will now return `"https://rubyonrails.org/blog"` instead of
|
313
|
+
`"http://example.org/blog"`.
|
380
314
|
|
381
|
-
*
|
315
|
+
*Jonathan Hefner*
|
382
316
|
|
383
|
-
|
384
|
-
about the request it is responding to.
|
317
|
+
* Add details of cookie name and size to `CookieOverflow` exception.
|
385
318
|
|
386
|
-
|
387
|
-
`config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
|
319
|
+
*Andy Waite*
|
388
320
|
|
389
|
-
|
321
|
+
* Don't double log the `controller`, `action`, or `namespaced_controller` when using `ActiveRecord::QueryLog`
|
390
322
|
|
391
|
-
|
323
|
+
Previously if you set `config.active_record.query_log_tags` to an array that included
|
324
|
+
`:controller`, `:namespaced_controller`, or `:action`, that item would get logged twice.
|
325
|
+
This bug has been fixed.
|
392
326
|
|
327
|
+
*Alex Ghiculescu*
|
393
328
|
|
394
|
-
|
329
|
+
* Add the following permissions policy directives: `hid`, `idle-detection`, `screen-wake-lock`,
|
330
|
+
`serial`, `sync-xhr`, `web-share`.
|
395
331
|
|
396
|
-
*
|
332
|
+
*Guillaume Cabanel*
|
397
333
|
|
334
|
+
* The `speaker`, `vibrate`, and `vr` permissions policy directives are now
|
335
|
+
deprecated.
|
398
336
|
|
399
|
-
|
337
|
+
There is no browser support for these directives, and no plan for browser
|
338
|
+
support in the future. You can just remove these directives from your
|
339
|
+
application.
|
400
340
|
|
401
|
-
*
|
402
|
-
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
|
403
|
-
malformed JSON.
|
341
|
+
*Jonathan Hefner*
|
404
342
|
|
405
|
-
|
343
|
+
* Added the `:status` option to `assert_redirected_to` to specify the precise
|
344
|
+
HTTP status of the redirect. Defaults to `:redirect` for backwards
|
345
|
+
compatibility.
|
406
346
|
|
407
|
-
*
|
347
|
+
*Jon Dufresne*
|
408
348
|
|
409
|
-
*
|
349
|
+
* Rescue `JSON::ParserError` in Cookies JSON deserializer to discards marshal dumps:
|
410
350
|
|
411
|
-
|
412
|
-
|
351
|
+
Without this change, if `action_dispatch.cookies_serializer` is set to `:json` and
|
352
|
+
the app tries to read a `:marshal` serialized cookie, it would error out which wouldn't
|
353
|
+
clear the cookie and force app users to manually clear it in their browser.
|
413
354
|
|
414
|
-
|
355
|
+
(See #45127 for original bug discussion)
|
415
356
|
|
416
|
-
*
|
357
|
+
*Nathan Bardoux*
|
417
358
|
|
418
|
-
|
419
|
-
Opt in to this behaviour with `ActionController::Base.raise_on_open_redirects = true`.
|
359
|
+
* Add `HTTP_REFERER` when following redirects on integration tests
|
420
360
|
|
421
|
-
|
361
|
+
This makes `follow_redirect!` a closer simulation of what happens in a real browser
|
422
362
|
|
423
|
-
*
|
363
|
+
*Felipe Sateler*
|
424
364
|
|
425
|
-
|
365
|
+
* Added `exclude?` method to `ActionController::Parameters`.
|
426
366
|
|
427
|
-
|
367
|
+
*Ian Neubert*
|
428
368
|
|
429
|
-
|
369
|
+
* Rescue `EOFError` exception from `rack` on a multipart request.
|
430
370
|
|
431
|
-
*
|
371
|
+
*Nikita Vasilevsky*
|
432
372
|
|
433
|
-
|
434
|
-
are not listed as actions on that controller.
|
373
|
+
* Log redirects from routes the same way as redirects from controllers.
|
435
374
|
|
436
|
-
|
437
|
-
add_flash_types :hype
|
438
|
-
end
|
375
|
+
*Dennis Paagman*
|
439
376
|
|
440
|
-
|
377
|
+
* Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
|
378
|
+
Previously, if another middleware down the chain set `Server-Timing` header,
|
379
|
+
it would overwritten by `ActionDispatch::ServerTiming`.
|
441
380
|
|
442
|
-
*
|
381
|
+
*Jakub Malinowski*
|
443
382
|
|
444
|
-
*
|
383
|
+
* Allow opting out of the `SameSite` cookie attribute when setting a cookie.
|
445
384
|
|
446
|
-
|
385
|
+
You can opt out of `SameSite` by passing `same_site: nil`.
|
447
386
|
|
448
|
-
|
387
|
+
`cookies[:foo] = { value: "bar", same_site: nil }`
|
449
388
|
|
450
|
-
|
389
|
+
Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
|
451
390
|
|
452
|
-
*
|
391
|
+
*Alex Ghiculescu*
|
453
392
|
|
454
|
-
*
|
455
|
-
present in `rescued_responses`.
|
393
|
+
* Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
|
456
394
|
|
457
|
-
|
458
|
-
|
459
|
-
`config.action_dispatch.log_rescued_responses` (defaults to `true`) can be set to `false` in
|
460
|
-
this case, so that only exceptions not found in `rescued_responses` will be logged.
|
395
|
+
Previously you could access basic helpers (defined in helper modules), but not
|
396
|
+
helper methods defined using `helper_method`. Now you can use either.
|
461
397
|
|
462
|
-
|
398
|
+
```ruby
|
399
|
+
content_security_policy do |p|
|
400
|
+
p.default_src "https://example.com"
|
401
|
+
p.script_src "https://example.com" if helpers.script_csp?
|
402
|
+
end
|
403
|
+
```
|
463
404
|
|
464
|
-
*
|
405
|
+
*Alex Ghiculescu*
|
465
406
|
|
466
|
-
|
407
|
+
* Reimplement `ActionController::Parameters#has_value?` and `#value?` to avoid parameters and hashes comparison.
|
467
408
|
|
468
|
-
|
409
|
+
Deprecated equality between parameters and hashes is going to be removed in Rails 7.2.
|
410
|
+
The new implementation takes care of conversions.
|
469
411
|
|
470
|
-
*
|
412
|
+
*Seva Stefkin*
|
471
413
|
|
472
|
-
*
|
414
|
+
* Allow only String and Symbol keys in `ActionController::Parameters`.
|
415
|
+
Raise `ActionController::InvalidParameterKey` when initializing Parameters
|
416
|
+
with keys that aren't strings or symbols.
|
473
417
|
|
474
|
-
*
|
418
|
+
*Seva Stefkin*
|
475
419
|
|
476
|
-
*
|
420
|
+
* Add the ability to use custom logic for storing and retrieving CSRF tokens.
|
477
421
|
|
478
|
-
|
422
|
+
By default, the token will be stored in the session. Custom classes can be
|
423
|
+
defined to specify arbitrary behavior, but the ability to store them in
|
424
|
+
encrypted cookies is built in.
|
479
425
|
|
480
|
-
*
|
426
|
+
*Andrew Kowpak*
|
481
427
|
|
482
|
-
*
|
428
|
+
* Make ActionController::Parameters#values cast nested hashes into parameters.
|
483
429
|
|
484
430
|
*Gannon McGibbon*
|
485
431
|
|
486
|
-
*
|
432
|
+
* Introduce `html:` and `screenshot:` kwargs for system test screenshot helper
|
487
433
|
|
488
|
-
|
434
|
+
Use these as an alternative to the already-available environment variables.
|
489
435
|
|
490
|
-
|
436
|
+
For example, this will display a screenshot in iTerm, save the HTML, and output
|
437
|
+
its path.
|
491
438
|
|
492
|
-
|
439
|
+
```ruby
|
440
|
+
take_screenshot(html: true, screenshot: "inline")
|
441
|
+
```
|
493
442
|
|
494
|
-
|
443
|
+
*Alex Ghiculescu*
|
495
444
|
|
496
|
-
|
445
|
+
* Allow `ActionController::Parameters#to_h` to receive a block.
|
497
446
|
|
498
|
-
*
|
447
|
+
*Bob Farrell*
|
499
448
|
|
500
|
-
|
449
|
+
* Allow relative redirects when `raise_on_open_redirects` is enabled
|
501
450
|
|
502
|
-
*
|
451
|
+
*Tom Hughes*
|
503
452
|
|
504
|
-
*
|
453
|
+
* Allow Content Security Policy DSL to generate for API responses.
|
454
|
+
|
455
|
+
*Tim Wade*
|
505
456
|
|
506
|
-
|
457
|
+
* Fix `authenticate_with_http_basic` to allow for missing password.
|
507
458
|
|
508
|
-
|
459
|
+
Before Rails 7.0 it was possible to handle basic authentication with only a username.
|
509
460
|
|
510
|
-
|
461
|
+
```ruby
|
462
|
+
authenticate_with_http_basic do |token, _|
|
463
|
+
ApiClient.authenticate(token)
|
464
|
+
end
|
465
|
+
```
|
511
466
|
|
512
|
-
|
467
|
+
This ability is restored.
|
513
468
|
|
514
|
-
*
|
515
|
-
know which controller action received unpermitted parameters.
|
469
|
+
*Jean Boussier*
|
516
470
|
|
517
|
-
|
471
|
+
* Fix `content_security_policy` returning invalid directives.
|
518
472
|
|
519
|
-
|
473
|
+
Directives such as `self`, `unsafe-eval` and few others were not
|
474
|
+
single quoted when the directive was the result of calling a lambda
|
475
|
+
returning an array.
|
520
476
|
|
521
477
|
```ruby
|
522
|
-
|
523
|
-
|
524
|
-
|
525
|
-
@subscribers.find_each do |subscriber|
|
526
|
-
stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",")
|
527
|
-
end
|
478
|
+
content_security_policy do |policy|
|
479
|
+
policy.frame_ancestors lambda { [:self, "https://example.com"] }
|
528
480
|
end
|
529
481
|
```
|
530
482
|
|
531
|
-
|
483
|
+
With this fix the policy generated from above will now be valid.
|
532
484
|
|
533
|
-
*
|
485
|
+
*Edouard Chin*
|
534
486
|
|
535
|
-
|
487
|
+
* Fix `skip_forgery_protection` to run without raising an error if forgery
|
488
|
+
protection has not been enabled / `verify_authenticity_token` is not a
|
489
|
+
defined callback.
|
536
490
|
|
537
|
-
|
491
|
+
This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
|
492
|
+
`ArgumentError` if `default_protect_from_forgery` is false.
|
538
493
|
|
539
|
-
|
540
|
-
This behavior changed to returned Content-Type header containing charset part as it is.
|
494
|
+
*Brad Trick*
|
541
495
|
|
542
|
-
|
496
|
+
* Make `redirect_to` return an empty response body.
|
543
497
|
|
544
|
-
|
498
|
+
Application controllers that wish to add a response body after calling
|
499
|
+
`redirect_to` can continue to do so.
|
545
500
|
|
546
|
-
|
547
|
-
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
548
|
-
request.content_type #=> "text/csv"
|
549
|
-
```
|
501
|
+
*Jon Dufresne*
|
550
502
|
|
551
|
-
|
503
|
+
* Use non-capturing group for subdomain matching in `ActionDispatch::HostAuthorization`
|
552
504
|
|
553
|
-
|
554
|
-
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET")
|
555
|
-
request.content_type #=> "text/csv; header=present; charset=utf-16"
|
556
|
-
request.media_type #=> "text/csv"
|
557
|
-
```
|
505
|
+
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
|
558
506
|
|
559
|
-
*
|
507
|
+
*Sam Bostock*
|
560
508
|
|
561
|
-
*
|
509
|
+
* Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
|
562
510
|
|
563
|
-
|
511
|
+
Since its inception `ActionController::Live` has been copying thread local variables
|
512
|
+
to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
|
564
513
|
|
565
|
-
|
514
|
+
With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
|
515
|
+
`ActionController::Live` controllers.
|
566
516
|
|
567
|
-
*
|
517
|
+
*Jean Boussier*
|
568
518
|
|
569
|
-
*
|
519
|
+
* Fix setting `trailing_slash: true` in route definition.
|
520
|
+
|
521
|
+
```ruby
|
522
|
+
get '/test' => "test#index", as: :test, trailing_slash: true
|
570
523
|
|
571
|
-
|
524
|
+
test_path() # => "/test/"
|
525
|
+
```
|
572
526
|
|
573
|
-
*
|
527
|
+
*Jean Boussier*
|
574
528
|
|
575
|
-
|
529
|
+
* Make `Session#merge!` stringify keys.
|
576
530
|
|
577
|
-
|
578
|
-
as `RemoteIp` middleware behaves inconsistently depending on whether this is configured
|
579
|
-
with a single value or an enumerable.
|
531
|
+
Previously `Session#update` would, but `merge!` wouldn't.
|
580
532
|
|
581
|
-
|
533
|
+
*Drew Bragg*
|
582
534
|
|
583
|
-
|
535
|
+
* Add `:unsafe_hashes` mapping for `content_security_policy`
|
584
536
|
|
585
|
-
|
586
|
-
|
537
|
+
```ruby
|
538
|
+
# Before
|
539
|
+
policy.script_src :strict_dynamic, "'unsafe-hashes'", "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
587
540
|
|
588
|
-
|
541
|
+
# After
|
542
|
+
policy.script_src :strict_dynamic, :unsafe_hashes, "'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU='"
|
543
|
+
```
|
589
544
|
|
545
|
+
*Igor Morozov*
|
590
546
|
|
591
|
-
Please check [
|
547
|
+
Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md) for previous changes.
|