actionpack 8.0.0.rc1 → 8.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cbf30070e8c7658bcda189e9c07184b10bfdeb1ae28ae9b7c6e354189e96eac6
-  data.tar.gz: c21576442cf2c2e3ef1cf7e36f5e412349b6f933c651cca641a9afe48229cd96
+  metadata.gz: 239a368486048f1afb68d3463355a6a9cde859c5cbe2199a708a35cb538d5dbb
+  data.tar.gz: 4d16e862e97e3348f81b68a966747a220543cbac4a2ec0a3a804318dda76ce09
 SHA512:
-  metadata.gz: 8d09731d99912ded6338f7a0fcc0d98706efbf4721f26d35edcede064e240d607f6ddc5ed43a979ebe3c8d6c1e9b90347d84725c6b504c91c79fb9821edca478
-  data.tar.gz: 5b981e0db05e7d35cda56797acbf513050fd099bb3778ec2247012e1a338dec2b1fe608a6653a4dbe54c621de63f576588b98b8d77b172f9456b78e2e9a7cd9b
+  metadata.gz: ddabd2752f936c6a8ef53d0ba4d077b9a28e8a4ef079ba45a0c3b3878ae21dc75675c8d36a16a05ac3f21f20ceae9e38b0f62049abadee67d4b2d15e6eb54b43
+  data.tar.gz: cfddc2490012b49d47458e41211d17e577b6e748a87e5b9c43a011c3312398a8b00faee7ba283e78bdc2082df3fe116896bfe05b9daf55962596f94c31afaa10

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## Rails 8.0.0 (November 07, 2024) ##
+
+*   No changes.
+
+
+## Rails 8.0.0.rc2 (October 30, 2024) ##
+
+*   Fix routes with `::` in the path.
+
+    *Rafael Mendonça França*
+
+*   Maintain Rack 2 parameter parsing behaviour.
+
+    *Matthew Draper*
+
+
 ## Rails 8.0.0.rc1 (October 19, 2024) ##
 
 *   Remove `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.

data/lib/action_controller/base.rb

@@ -266,7 +266,7 @@ module ActionController
       ParamsWrapper
     ]
 
-    # Note: Documenting these severely degrates the performance of rdoc
+    # Note: Documenting these severely degrades the performance of rdoc
     # :stopdoc:
     include AbstractController::Rendering
     include AbstractController::Translation

data/lib/action_controller/metal/http_authentication.rb

@@ -513,14 +513,11 @@ module ActionController
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
-      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
-      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
-
       # This method takes an authorization body and splits up the key-value pairs by
       # the standardized `:`, `;`, or `\t` delimiters defined in
       # `AUTHN_PAIR_DELIMITERS`.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
         _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)

data/lib/action_controller/metal/redirecting.rb

@@ -106,13 +106,14 @@ module ActionController
 
       allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
 
-      self.status = _extract_redirect_to_status(options, response_options)
+      proposed_status = _extract_redirect_to_status(options, response_options)
 
       redirect_to_location = _compute_redirect_to_location(request, options)
       _ensure_url_is_http_header_safe(redirect_to_location)
 
       self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
       self.response_body = ""
+      self.status        = proposed_status
     end
 
     # Soft deprecated alias for #redirect_back_or_to where the `fallback_location`

data/lib/action_controller/metal/streaming.rb

@@ -171,7 +171,7 @@ module ActionController # :nodoc:
       # Call render_body if we are streaming instead of usual `render`.
       def _render_template(options)
         if options.delete(:stream)
-          # It shoudn't be necessary to set this.
+          # It shouldn't be necessary to set this.
           headers["cache-control"] ||= "no-cache"
 
           view_renderer.render_body(view_context, options)

data/lib/action_controller/metal/strong_parameters.rb

@@ -95,6 +95,8 @@ module ActionController
   # *   `permit` to filter params for mass assignment.
   # *   `require` to require a parameter or raise an error.
   #
+  # Examples:
+  #
   #     params = ActionController::Parameters.new({
   #       person: {
   #         name: "Francesco",
@@ -109,7 +111,7 @@ module ActionController
   #     Person.first.update!(permitted)
   #     # => #<Person id: 1, name: "Francesco", age: 22, role: "user">
   #
-  # Paramaters provides two options that control the top-level behavior of new
+  # Parameters provides two options that control the top-level behavior of new
   # instances:
   #
   # *   `permit_all_parameters` - If it's `true`, all the parameters will be

data/lib/action_dispatch/http/filter_parameters.rb

@@ -68,12 +68,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -37,9 +37,16 @@ module ActionDispatch
       def parameter_filtered_location
         uri = URI.parse(location)
         unless uri.query.nil? || uri.query.empty?
-          uri.query.gsub!(FilterParameters::PAIR_RE) do
-            request.parameter_filter.filter($1 => $2).first.join("=")
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
           end
+          uri.query = filtered_parts.join("")
         end
         uri.to_s
       rescue URI::Error

data/lib/action_dispatch/http/param_builder.rb

@@ -2,6 +2,10 @@
 
 module ActionDispatch
   class ParamBuilder
+    # --
+    # This implementation is based on Rack::QueryParser,
+    # Copyright (C) 2007-2021 Leah Neukirchen <http://leahneukirchen.org/infopage.html>
+
     def self.make_default(param_depth_limit)
       new param_depth_limit
     end
@@ -12,6 +16,10 @@ module ActionDispatch
       @param_depth_limit = param_depth_limit
     end
 
+    cattr_accessor :ignore_leading_brackets
+
+    LEADING_BRACKETS_COMPAT = defined?(::Rack::RELEASE) && ::Rack::RELEASE.to_s.start_with?("2.")
+
     cattr_accessor :default
     self.default = make_default(100)
 
@@ -61,15 +69,30 @@ module ActionDispatch
           # nil name, treat same as empty string (required by tests)
           k = after = ""
         elsif depth == 0
-          # Start of parsing, don't treat [] or [ at start of string specially
-          if start = name.index("[", 1)
-            # Start of parameter nesting, use part before brackets as key
-            k = name[0, start]
-            after = name[start, name.length]
+          if ignore_leading_brackets || (ignore_leading_brackets.nil? && LEADING_BRACKETS_COMPAT)
+            # Rack 2 compatible behavior, ignore leading brackets
+            if name =~ /\A[\[\]]*([^\[\]]+)\]*/
+              k = $1
+              after = $' || ""
+
+              if !ignore_leading_brackets && (k != $& || !after.empty? && !after.start_with?("["))
+                ActionDispatch.deprecator.warn("Skipping over leading brackets in parameter name #{name.inspect} is deprecated and will parse differently in Rails 8.1 or Rack 3.0.")
+              end
+            else
+              k = name
+              after = ""
+            end
           else
-            # Plain parameter with no nesting
-            k = name
-            after = ""
+            # Start of parsing, don't treat [] or [ at start of string specially
+            if start = name.index("[", 1)
+              # Start of parameter nesting, use part before brackets as key
+              k = name[0, start]
+              after = name[start, name.length]
+            else
+              # Plain parameter with no nesting
+              k = name
+              after = ""
+            end
           end
         elsif name.start_with?("[]")
           # Array nesting

data/lib/action_dispatch/http/query_parser.rb

@@ -1,11 +1,17 @@
 # frozen_string_literal: true
 
 require "uri"
+require "rack"
 
 module ActionDispatch
   class QueryParser
     DEFAULT_SEP = /& */n
-    COMMON_SEP = { ";" => /; */n, ";," => /[;,] */n, "&" => /& */n }
+    COMPAT_SEP = /[&;] */n
+    COMMON_SEP = { ";" => /; */n, ";," => /[;,] */n, "&" => /& */n, "&;" => /[&;] */n }
+
+    cattr_accessor :strict_query_string_separator
+
+    SEMICOLON_COMPAT = defined?(::Rack::QueryParser::DEFAULT_SEP) && ::Rack::QueryParser::DEFAULT_SEP.to_s.include?(";")
 
     #--
     # Note this departs from WHATWG's specified parsing algorithm by
@@ -14,7 +20,23 @@ module ActionDispatch
     def self.each_pair(s, separator = nil)
       return enum_for(:each_pair, s, separator) unless block_given?
 
-      (s || "").split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |part|
+      s ||= ""
+
+      splitter =
+        if separator
+          COMMON_SEP[separator] || /[#{separator}] */n
+        elsif strict_query_string_separator
+          DEFAULT_SEP
+        elsif SEMICOLON_COMPAT && s.include?(";")
+          if strict_query_string_separator.nil?
+            ActionDispatch.deprecator.warn("Using semicolon as a query string separator is deprecated and will not be supported in Rails 8.1 or Rack 3.0. Use `&` instead.")
+          end
+          COMPAT_SEP
+        else
+          DEFAULT_SEP
+        end
+
+      s.split(splitter).each do |part|
         next if part.empty?
 
         k, v = part.split("=", 2)

data/lib/action_dispatch/journey/scanner.rb

@@ -55,7 +55,7 @@ module ActionDispatch
         def scan
           next_byte = @scanner.peek_byte
           case
-          when (token = STATIC_TOKENS[next_byte])
+          when (token = STATIC_TOKENS[next_byte]) && (token != :SYMBOL || next_byte_is_not_a_token?)
             @scanner.pos += 1
             @length = @scanner.skip(/\w+/).to_i + 1 if token == :SYMBOL || token == :STAR
             token
@@ -65,6 +65,10 @@ module ActionDispatch
             :LITERAL
           end
         end
+
+        def next_byte_is_not_a_token?
+          !STATIC_TOKENS[@scanner.string.getbyte(@scanner.pos + 1)]
+        end
     end
   end
 end

data/lib/action_dispatch/railtie.rb

@@ -31,6 +31,9 @@ module ActionDispatch
     config.action_dispatch.debug_exception_log_level = :fatal
     config.action_dispatch.strict_freshness = false
 
+    config.action_dispatch.ignore_leading_brackets = nil
+    config.action_dispatch.strict_query_string_separator = nil
+
     config.action_dispatch.default_headers = {
       "X-Frame-Options" => "SAMEORIGIN",
       "X-XSS-Protection" => "1; mode=block",
@@ -52,6 +55,9 @@ module ActionDispatch
       ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
 
+      ActionDispatch::ParamBuilder.ignore_leading_brackets = app.config.action_dispatch.ignore_leading_brackets
+      ActionDispatch::QueryParser.strict_query_string_separator = app.config.action_dispatch.strict_query_string_separator
+
       ActiveSupport.on_load(:action_dispatch_request) do
         self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
         ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge

data/lib/action_pack/gem_version.rb

@@ -12,7 +12,7 @@ module ActionPack
     MAJOR = 8
     MINOR = 0
     TINY  = 0
-    PRE   = "rc1"
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 8.0.0.rc1
+  version: 8.0.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-19 00:00:00.000000000 Z
+date: 2024-11-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc1
+        version: 8.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc1
+        version: 8.0.0
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc1
+        version: 8.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc1
+        version: 8.0.0
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc1
+        version: 8.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.rc1
+        version: 8.0.0
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -350,10 +350,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v8.0.0.rc1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v8.0.0.rc1/
+  changelog_uri: https://github.com/rails/rails/blob/v8.0.0/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v8.0.0/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v8.0.0.rc1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v8.0.0/actionpack
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
@@ -371,7 +371,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).