actionpack 7.2.1.1 → 7.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa5e422c3ae8a04f0fac4410c72203218277a1b813047ad3ce5aa3274eac5a0e
-  data.tar.gz: 19620a0b88f940ae2a3183dbf20828228ae3f8fb567d32e715ba92fd9ea29db8
+  metadata.gz: 805d9e62e9937e7cd8f12e22e2b806035577bd452e5ce321f75372c7f152edd7
+  data.tar.gz: 0fb9629eae17852ae5eb92ad885f79a6938e36e8b72dfe4ce775920d8d0c153c
 SHA512:
-  metadata.gz: 27b3549782fe4594a04571356362c11a03a1bf9e368fbf49662a1514cc170ec01f85be5085ffe77e62e57435702637db27f0502c118b7084d90d05f00e0d7a1a
-  data.tar.gz: d8ba844e9b95cf76ebcbc899678b2752f5f3ddbf3cb81a4ac94c86ed1f4bb5d3fd471f701e69779f9aee99bbd0612f5aa2ddf79e75d32735aab436f58ef99cb7
+  metadata.gz: ed08caeeb60bf9f444ddca5eafb519eab94c8475e0452ba146b98585d3f426f0444730e05f5a1e40583b5237e1ef535cad62c8d92bc96ac62e73987c19aed8a8
+  data.tar.gz: 85304714962564e3997fad42e395efe05061bf95d5cc9ef89394d53f99e899862f93a7ff38d12e16c232d7b7ab39ea012268b3f0b7214ed373c9fd39c5608e91

data/CHANGELOG.md

@@ -1,13 +1,30 @@
+## Rails 7.2.2 (October 30, 2024) ##
+
+*   Fix non-GET requests not updating cookies in `ActionController::TestCase`.
+
+    *Jon Moss*, *Hartley McGuire*
+
+
+## Rails 7.2.1.2 (October 23, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.2.1.1 (October 15, 2024) ##
 
 *   Avoid regex backtracking in HTTP Token authentication
 
     [CVE-2024-47887]
 
+    *John Hawthorn*
+
 *   Avoid regex backtracking in query parameter filtering
 
     [CVE-2024-41128]
 
+    *John Hawthorn*
+
+
 ## Rails 7.2.1 (August 22, 2024) ##
 
 *   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.

data/lib/abstract_controller/helpers.rb

@@ -104,6 +104,7 @@ module AbstractController
       # Declare a controller method as a helper. For example, the following
       # makes the `current_user` and `logged_in?` controller methods available
       # to the view:
+      #
       #     class ApplicationController < ActionController::Base
       #       helper_method :current_user, :logged_in?
       #
@@ -118,6 +119,7 @@ module AbstractController
       #     end
       #
       # In a view:
+      #
       #     <% if logged_in? -%>Welcome, <%= current_user.name %><% end -%>
       #
       # #### Parameters

data/lib/action_controller/api.rb

@@ -123,6 +123,7 @@ module ActionController
       BasicImplicitRender,
       StrongParameters,
       RateLimiting,
+      Caching,
 
       DataStreaming,
       DefaultHeaders,

data/lib/action_controller/metal/allow_browser.rb

@@ -60,7 +60,7 @@ module ActionController # :nodoc:
         end
       end
 
-      class BrowserBlocker
+      class BrowserBlocker # :nodoc:
         SETS = {
           modern: { safari: 17.2, chrome: 120, firefox: 121, opera: 106, ie: false }
         }

data/lib/action_controller/metal/conditional_get.rb

@@ -76,8 +76,7 @@ module ActionController
     # `:cache_control`
     # :   When given, will overwrite an existing `Cache-Control` header. For a list
     #     of `Cache-Control` directives, see the [article on
-    #     MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Contr
-    #     ol).
+    #     MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control).
     #
     # `:template`
     # :   By default, the template digest for the current controller/action is

data/lib/action_controller/metal/http_authentication.rb

@@ -211,7 +211,7 @@ module ActionController
         end
       end
 
-      # Returns false on a valid response, true otherwise.
+      # Returns true on a valid response, false otherwise.
       def authenticate(request, realm, &password_procedure)
         request.authorization && validate_digest_response(request, realm, &password_procedure)
       end
@@ -431,7 +431,7 @@ module ActionController
       module ControllerMethods
         # Authenticate using an HTTP Bearer token, or otherwise render an HTTP header
         # requesting the client to send a Bearer token. For the authentication to be
-        # considered successful, `login_procedure` should return a non-nil value.
+        # considered successful, `login_procedure` must not return a false value.
         # Typically, the authenticated user is returned.
         #
         # See ActionController::HttpAuthentication::Token for example usage.

data/lib/action_controller/metal/live.rb

@@ -77,12 +77,15 @@ module ActionController
     # Writing an object will convert it into standard SSE format with whatever
     # options you have configured. You may choose to set the following options:
     #
-    #     1) Event. If specified, an event with this name will be dispatched on
-    #     the browser.
-    #     2) Retry. The reconnection time in milliseconds used when attempting
-    #     to send the event.
-    #     3) Id. If the connection dies while sending an SSE to the browser, then
-    #     the server will receive a +Last-Event-ID+ header with value equal to +id+.
+    # `:event`
+    # :   If specified, an event with this name will be dispatched on the browser.
+    #
+    # `:retry`
+    # :   The reconnection time in milliseconds used when attempting to send the event.
+    #
+    # `:id`
+    # :   If the connection dies while sending an SSE to the browser, then the
+    #     server will receive a `Last-Event-ID` header with value equal to `id`.
     #
     # After setting an option in the constructor of the SSE object, all future SSEs
     # sent across the stream will use those options unless overridden.

data/lib/action_controller/test_case.rb

@@ -427,9 +427,7 @@ module ActionController
       # Note that the request method is not verified. The different methods are
       # available to make the tests more expressive.
       def get(action, **args)
-        res = process(action, method: "GET", **args)
-        cookies.update res.cookies
-        res
+        process(action, method: "GET", **args)
       end
 
       # Simulate a POST request with the given parameters and set/volley the response.
@@ -637,6 +635,7 @@ module ActionController
               unless @request.cookie_jar.committed?
                 @request.cookie_jar.write(@response)
                 cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
+                cookies.update(@response.cookies)
               end
             end
             @response.prepare!

data/lib/action_dispatch/http/content_security_policy.rb

@@ -8,8 +8,7 @@ require "active_support/core_ext/array/wrap"
 module ActionDispatch # :nodoc:
   # # Action Dispatch Content Security Policy
   #
-  # Configures the HTTP [Content-Security-Policy]
-  # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
   # response header to help protect against XSS and
   # injection attacks.
   #
@@ -226,8 +225,7 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Enable the [report-uri]
-    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
     # directive. Violation reports will be sent to the
     # specified URI:
     #
@@ -237,8 +235,7 @@ module ActionDispatch # :nodoc:
       @directives["report-uri"] = [uri]
     end
 
-    # Specify asset types for which [Subresource Integrity]
-    # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
+    # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
     #
     #     policy.require_sri_for :script, :style
     #
@@ -254,8 +251,7 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether a [sandbox]
-    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
+    # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
     # should be enabled for the requested resource:
     #
     #     policy.sandbox

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -18,8 +18,8 @@ module ActionDispatch
   # 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) requires.
   # Some Rack servers simply drop preceding headers, and only report the value
   # that was [given in the last
-  # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-server
-  # s). If you are behind multiple proxy servers (like NGINX to HAProxy to
+  # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers).
+  # If you are behind multiple proxy servers (like NGINX to HAProxy to
   # Unicorn) then you should test your Rack server to make sure your data is good.
   #
   # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING. This
@@ -117,10 +117,9 @@ module ActionDispatch
       # instead, so we check that too.
       #
       # As discussed in [this post about Rails IP
-      # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.c
-      # om/2012/rails-ip-spoofing-vulnerabilities-and-protection/), while the first IP
-      # in the list is likely to be the "originating" IP, it could also have been set
-      # by the client maliciously.
+      # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/),
+      # while the first IP in the list is likely to be the "originating" IP, it
+      # could also have been set by the client maliciously.
       #
       # In order to find the first address that is (probably) accurate, we take the
       # list of IPs, remove known and trusted proxies, and then take the last address

data/lib/action_dispatch/middleware/ssl.rb

@@ -17,7 +17,7 @@ module ActionDispatch
   #
   #     Requests can opt-out of redirection with `exclude`:
   #
-  #         config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
+  #         config.ssl_options = { redirect: { exclude: -> request { request.path == "/up" } } }
   #
   #     Cookies will not be flagged as secure for excluded requests.
   #

data/lib/action_dispatch/routing/inspector.rb

@@ -101,7 +101,7 @@ module ActionDispatch
             { controller: /#{filter[:controller].underscore.sub(/_?controller\z/, "")}/ }
           elsif filter[:grep]
             grep_pattern = Regexp.new(filter[:grep])
-            path = URI::DEFAULT_PARSER.escape(filter[:grep])
+            path = RFC2396_PARSER.escape(filter[:grep])
             normalized_path = ("/" + path).squeeze("/")
 
             {

data/lib/action_dispatch/routing/mapper.rb

@@ -1048,6 +1048,7 @@ module ActionDispatch
         end
 
         # Allows you to set default parameters for a route, such as this:
+        #
         #     defaults id: 'home' do
         #       match 'scoped_pages/(:id)', to: 'pages#show'
         #     end
@@ -2024,7 +2025,7 @@ module ActionDispatch
               name_for_action(options.delete(:as), action)
             end
 
-            path = Mapping.normalize_path URI::DEFAULT_PARSER.escape(path), formatted
+            path = Mapping.normalize_path RFC2396_PARSER.escape(path), formatted
             ast = Journey::Parser.parse path
 
             mapping = Mapping.build(@scope, @set, ast, controller, default_action, to, via, formatted, options_constraints, anchor, options)

data/lib/action_dispatch/routing/route_set.rb

@@ -917,7 +917,7 @@ module ActionDispatch
           params.each do |key, value|
             if value.is_a?(String)
               value = value.dup.force_encoding(Encoding::BINARY)
-              params[key] = URI::DEFAULT_PARSER.unescape(value)
+              params[key] = RFC2396_PARSER.unescape(value)
             end
           end
           req.path_parameters = params

data/lib/action_dispatch.rb

@@ -30,6 +30,7 @@ require "active_support/core_ext/module/attribute_accessors"
 
 require "action_pack"
 require "rack"
+require "uri"
 require "action_dispatch/deprecator"
 
 module Rack # :nodoc:
@@ -47,6 +48,9 @@ end
 module ActionDispatch
   extend ActiveSupport::Autoload
 
+  RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
+  private_constant :RFC2396_PARSER
+
   class MissingController < NameError
   end
 

data/lib/action_pack/gem_version.rb

@@ -11,8 +11,8 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 2
-    TINY  = 1
-    PRE   = "1"
+    TINY  = 2
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.2.1.1
+  version: 7.2.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-15 00:00:00.000000000 Z
+date: 2024-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.1.1
+        version: 7.2.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.1.1
+        version: 7.2.2
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -148,28 +148,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.1.1
+        version: 7.2.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.1.1
+        version: 7.2.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.1.1
+        version: 7.2.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.1.1
+        version: 7.2.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -369,10 +369,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.2.1.1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.2.1.1/
+  changelog_uri: https://github.com/rails/rails/blob/v7.2.2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.2.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.2.1.1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.2.2/actionpack
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []