actionpack 8.0.0.rc1 → 8.0.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +16 -0
- data/lib/action_controller/base.rb +1 -1
- data/lib/action_controller/metal/http_authentication.rb +1 -4
- data/lib/action_controller/metal/redirecting.rb +2 -1
- data/lib/action_controller/metal/streaming.rb +1 -1
- data/lib/action_controller/metal/strong_parameters.rb +3 -1
- data/lib/action_dispatch/http/filter_parameters.rb +9 -4
- data/lib/action_dispatch/http/filter_redirect.rb +9 -2
- data/lib/action_dispatch/http/param_builder.rb +31 -8
- data/lib/action_dispatch/http/query_parser.rb +24 -2
- data/lib/action_dispatch/journey/scanner.rb +5 -1
- data/lib/action_dispatch/railtie.rb +6 -0
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +12 -12
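--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 239a368486048f1afb68d3463355a6a9cde859c5cbe2199a708a35cb538d5dbb
+data.tar.gz: 4d16e862e97e3348f81b68a966747a220543cbac4a2ec0a3a804318dda76ce09
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ddabd2752f936c6a8ef53d0ba4d077b9a28e8a4ef079ba45a0c3b3878ae21dc75675c8d36a16a05ac3f21f20ceae9e38b0f62049abadee67d4b2d15e6eb54b43
+data.tar.gz: cfddc2490012b49d47458e41211d17e577b6e748a87e5b9c43a011c3312398a8b00faee7ba283e78bdc2082df3fe116896bfe05b9daf55962596f94c31afaa10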
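--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,19 @@
+## Rails 8.0.0 (November 07, 2024) ##
+
+* No changes.
+
+
+## Rails 8.0.0.rc2 (October 30, 2024) ##
+
+* Fix routes with `::` in the path.
+
+*Rafael Mendonça França*
+
+* Maintain Rack 2 parameter parsing behaviour.
+
+*Matthew Draper*
+
+
 ## Rails 8.0.0.rc1 (October 19, 2024) ##
 
 * Remove `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.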
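--- a/data/lib/action_controller/base.rb
+++ b/data/lib/action_controller/base.rb
@@ -266,7 +266,7 @@ module ActionController
 ParamsWrapper
 ]
 
-# Note: Documenting these severely
+# Note: Documenting these severely degrades the performance of rdoc
 # :stopdoc:
 include AbstractController::Rendering
 include AbstractController::Translation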
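--- a/data/lib/action_controller/metal/http_authentication.rb
+++ b/data/lib/action_controller/metal/http_authentication.rb
@@ -513,14 +513,11 @@ module ActionController
 array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
 end
 
-WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
-private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
-
 # This method takes an authorization body and splits up the key-value pairs by
 # the standardized `:`, `;`, or `\t` delimiters defined in
 # `AUTHN_PAIR_DELIMITERS`.
 def raw_params(auth)
-_raw_params = auth.sub(TOKEN_REGEX, "").split(
+_raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
 _raw_params.reject!(&:empty?)
 
 if !_raw_params.first&.start_with?(TOKEN_KEY)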
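Review bot: The new `split(AUTHN_PAIR_DELIMITERS).map(&:strip)` line in `raw_params` has no comment explaining why whitespace is now trimmed after the split instead of inside the delimiter pattern, and the doc comment above the method still describes only the delimiters. Since `auth` is an authorization body taken from the request, I would record the intent next to the call, e.g. `# Strip each pair after splitting; keeping \s* out of the delimiter regex keeps the split cheap on hostile input.` That rationale is inferred from the removal of `WHITESPACED_AUTHN_PAIR_DELIMITERS`, so please confirm it before adopting the wording. `raw_params` continues past the end of the hunk.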
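--- a/data/lib/action_controller/metal/redirecting.rb
+++ b/data/lib/action_controller/metal/redirecting.rb
@@ -106,13 +106,14 @@ module ActionController
 
 allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
 
-
+proposed_status = _extract_redirect_to_status(options, response_options)
 
 redirect_to_location = _compute_redirect_to_location(request, options)
 _ensure_url_is_http_header_safe(redirect_to_location)
 
 self.location = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
 self.response_body = ""
+self.status = proposed_status
 end
 
 # Soft deprecated alias for #redirect_back_or_to where the `fallback_location`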
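Review bot: `self.status = proposed_status` now runs only after `_ensure_url_is_http_header_safe` and `_enforce_open_redirect_protection` have returned, but nothing in the method says the ordering is deliberate. A short comment above the assignment would stop a later cleanup from moving it back up, for example `# Assign the status last so a rejected location leaves the response status untouched.` That rationale is my reading of the reordering and should be confirmed. The method starts above the hunk.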
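--- a/data/lib/action_controller/metal/streaming.rb
+++ b/data/lib/action_controller/metal/streaming.rb
@@ -171,7 +171,7 @@ module ActionController # :nodoc:
 # Call render_body if we are streaming instead of usual `render`.
 def _render_template(options)
 if options.delete(:stream)
-# It
+# It shouldn't be necessary to set this.
 headers["cache-control"] ||= "no-cache"
 
 view_renderer.render_body(view_context, options)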
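--- a/data/lib/action_controller/metal/strong_parameters.rb
+++ b/data/lib/action_controller/metal/strong_parameters.rb
@@ -95,6 +95,8 @@ module ActionController
 # * `permit` to filter params for mass assignment.
 # * `require` to require a parameter or raise an error.
 #
+# Examples:
+#
 # params = ActionController::Parameters.new({
 # person: {
 # name: "Francesco",
@@ -109,7 +111,7 @@ module ActionController
 # Person.first.update!(permitted)
 # # => #<Person id: 1, name: "Francesco", age: 22, role: "user">
 #
-#
+# Parameters provides two options that control the top-level behavior of new
 # instances:
 #
 # * `permit_all_parameters` - If it's `true`, all the parameters will be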
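--- a/data/lib/action_dispatch/http/filter_parameters.rb
+++ b/data/lib/action_dispatch/http/filter_parameters.rb
@@ -68,12 +68,17 @@ module ActionDispatch
 ActiveSupport::ParameterFilter.new(filters)
 end
 
-KV_RE = "[^&;=]+"
-PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
 def filtered_query_string # :doc:
-query_string.
-
+parts = query_string.split(/([&;])/)
+filtered_parts = parts.map do |part|
+if part.include?("=")
+key, value = part.split("=", 2)
+parameter_filter.filter(key => value).first.join("=")
+else
+part
+end
 end
+filtered_parts.join("")
 end
 end
 end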
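Review bot: `filtered_query_string` passes `key` to `parameter_filter.filter` exactly as it appears in the raw query string, so a key that arrives percent-encoded is compared with the configured filters in its encoded form and its value may reach the log unredacted. Unless `query_string` is already decoded upstream (not visible here), consider looking the filter up under the decoded key, tolerating malformed escapes, while still emitting the original text: `shown = parameter_filter.filter(decoded_key => value).values.first` followed by `"#{key}=#{shown}"`. The same loop is duplicated in `parameter_filtered_location` in filter_redirect.rb with the same property. A shared helper would keep the two redaction paths in step.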
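--- a/data/lib/action_dispatch/http/filter_redirect.rb
+++ b/data/lib/action_dispatch/http/filter_redirect.rb
@@ -37,9 +37,16 @@ module ActionDispatch
 def parameter_filtered_location
 uri = URI.parse(location)
 unless uri.query.nil? || uri.query.empty?
-uri.query.
-
+parts = uri.query.split(/([&;])/)
+filtered_parts = parts.map do |part|
+if part.include?("=")
+key, value = part.split("=", 2)
+request.parameter_filter.filter(key => value).first.join("=")
+else
+part
+end
 end
+uri.query = filtered_parts.join("")
 end
 uri.to_s
 rescue URI::Error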
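--- a/data/lib/action_dispatch/http/param_builder.rb
+++ b/data/lib/action_dispatch/http/param_builder.rb
@@ -2,6 +2,10 @@
 
 module ActionDispatch
 class ParamBuilder
+# --
+# This implementation is based on Rack::QueryParser,
+# Copyright (C) 2007-2021 Leah Neukirchen <http://leahneukirchen.org/infopage.html>
+
 def self.make_default(param_depth_limit)
 new param_depth_limit
 end
@@ -12,6 +16,10 @@ module ActionDispatch
 @param_depth_limit = param_depth_limit
 end
 
+cattr_accessor :ignore_leading_brackets
+
+LEADING_BRACKETS_COMPAT = defined?(::Rack::RELEASE) && ::Rack::RELEASE.to_s.start_with?("2.")
+
 cattr_accessor :default
 self.default = make_default(100)
 
@@ -61,15 +69,30 @@ module ActionDispatch
 # nil name, treat same as empty string (required by tests)
 k = after = ""
 elsif depth == 0
-
-
-
-
-
+if ignore_leading_brackets || (ignore_leading_brackets.nil? && LEADING_BRACKETS_COMPAT)
+# Rack 2 compatible behavior, ignore leading brackets
+if name =~ /\A[\[\]]*([^\[\]]+)\]*/
+k = $1
+after = $' || ""
+
+if !ignore_leading_brackets && (k != $& || !after.empty? && !after.start_with?("["))
+ActionDispatch.deprecator.warn("Skipping over leading brackets in parameter name #{name.inspect} is deprecated and will parse differently in Rails 8.1 or Rack 3.0.")
+end
+else
+k = name
+after = ""
+end
 else
-#
-
-
+# Start of parsing, don't treat [] or [ at start of string specially
+if start = name.index("[", 1)
+# Start of parameter nesting, use part before brackets as key
+k = name[0, start]
+after = name[start, name.length]
+else
+# Plain parameter with no nesting
+k = name
+after = ""
+end
 end
 elsif name.start_with?("[]")
 # Array nesting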
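Review bot: The Rack 2 compatibility branch reads its match through the Perl-style globals `$1`, `$'` and `$&`, and the warning condition mixes `||` and `&&` without grouping, which makes the leading-bracket rule hard to audit in code that parses request parameter names. I would bind the match explicitly, `if (m = /\A[\[\]]*([^\[\]]+)\]*/.match(name))` with `k = m[1]` and `after = m.post_match`, and write the check as `k != m[0] || (!after.empty? && !after.start_with?("["))`. It would also help to document beside `cattr_accessor :ignore_leading_brackets` that `nil` follows the installed Rack version and warns, `true` always ignores leading brackets, and `false` never does, which is how the condition reads. The enclosing method starts and ends outside the hunk.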
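--- a/data/lib/action_dispatch/http/query_parser.rb
+++ b/data/lib/action_dispatch/http/query_parser.rb
@@ -1,11 +1,17 @@
 # frozen_string_literal: true
 
 require "uri"
+require "rack"
 
 module ActionDispatch
 class QueryParser
 DEFAULT_SEP = /& */n
-
+COMPAT_SEP = /[&;] */n
+COMMON_SEP = { ";" => /; */n, ";," => /[;,] */n, "&" => /& */n, "&;" => /[&;] */n }
+
+cattr_accessor :strict_query_string_separator
+
+SEMICOLON_COMPAT = defined?(::Rack::QueryParser::DEFAULT_SEP) && ::Rack::QueryParser::DEFAULT_SEP.to_s.include?(";")
 
 #--
 # Note this departs from WHATWG's specified parsing algorithm by
@@ -14,7 +20,23 @@ module ActionDispatch
 def self.each_pair(s, separator = nil)
 return enum_for(:each_pair, s, separator) unless block_given?
 
-
+s ||= ""
+
+splitter =
+if separator
+COMMON_SEP[separator] || /[#{separator}] */n
+elsif strict_query_string_separator
+DEFAULT_SEP
+elsif SEMICOLON_COMPAT && s.include?(";")
+if strict_query_string_separator.nil?
+ActionDispatch.deprecator.warn("Using semicolon as a query string separator is deprecated and will not be supported in Rails 8.1 or Rack 3.0. Use `&` instead.")
+end
+COMPAT_SEP
+else
+DEFAULT_SEP
+end
+
+s.split(splitter).each do |part|
 next if part.empty?
 
 k, v = part.split("=", 2)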
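Review bot: The fallback `/[#{separator}] */n` in `each_pair` interpolates `separator` into a character class unescaped, so a value containing `]`, `^`, `-` or `\` changes what the class matches or fails to compile. Escaping keeps the separator literal without altering the common cases: `COMMON_SEP[separator] || /[#{Regexp.escape(separator)}] */n`. `COMMON_SEP` is also a mutable Hash constant, since the magic comment freezes only string literals, so adding `.freeze` would be cheap insurance. `each_pair` continues after the hunk.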
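--- a/data/lib/action_dispatch/journey/scanner.rb
+++ b/data/lib/action_dispatch/journey/scanner.rb
@@ -55,7 +55,7 @@ module ActionDispatch
 def scan
 next_byte = @scanner.peek_byte
 case
-when (token = STATIC_TOKENS[next_byte])
+when (token = STATIC_TOKENS[next_byte]) && (token != :SYMBOL || next_byte_is_not_a_token?)
 @scanner.pos += 1
 @length = @scanner.skip(/\w+/).to_i + 1 if token == :SYMBOL || token == :STAR
 token
@@ -65,6 +65,10 @@ module ActionDispatch
 :LITERAL
 end
 end
+
+def next_byte_is_not_a_token?
+!STATIC_TOKENS[@scanner.string.getbyte(@scanner.pos + 1)]
+end
 end
 end
 end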
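Review bot: `next_byte_is_not_a_token?` indexes `STATIC_TOKENS` with `@scanner.string.getbyte(@scanner.pos + 1)`, which is `nil` when the byte being scanned is the last one in the pattern. `STATIC_TOKENS` is defined outside this diff; if it is an Array, a `nil` index raises `TypeError` instead of answering the question, so I would guard it with `byte = @scanner.string.getbyte(@scanner.pos + 1)` followed by `byte.nil? || !STATIC_TOKENS[byte]`. The helper is also added after `scan` with no visible `private` marker, so confirm it is not meant to join the scanner's public interface.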
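--- a/data/lib/action_dispatch/railtie.rb
+++ b/data/lib/action_dispatch/railtie.rb
@@ -31,6 +31,9 @@ module ActionDispatch
 config.action_dispatch.debug_exception_log_level = :fatal
 config.action_dispatch.strict_freshness = false
 
+config.action_dispatch.ignore_leading_brackets = nil
+config.action_dispatch.strict_query_string_separator = nil
+
 config.action_dispatch.default_headers = {
 "X-Frame-Options" => "SAMEORIGIN",
 "X-XSS-Protection" => "1; mode=block",
@@ -52,6 +55,9 @@ module ActionDispatch
 ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
 ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
 
+ActionDispatch::ParamBuilder.ignore_leading_brackets = app.config.action_dispatch.ignore_leading_brackets
+ActionDispatch::QueryParser.strict_query_string_separator = app.config.action_dispatch.strict_query_string_separator
+
 ActiveSupport.on_load(:action_dispatch_request) do
 self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
 ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge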
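Review bot: Both new settings default to `nil`, and nothing at the assignment explains that param_builder.rb and query_parser.rb treat `nil` as a third state: decide from the installed Rack version and emit a deprecation warning. Request parsing that varies with a dependency version is easy to miss in review, so I would annotate the defaults, e.g. `# nil = follow the installed Rack's behaviour and warn; set true/false to pin it.` Deployments where a proxy or filtering layer parses query strings independently have good reason to pin both values explicitly, so that every layer agrees on how `;` and leading brackets are treated.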
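--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 8.0.0
+version: 8.0.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-
+date: 2024-11-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.0
+version: 8.0.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.0
+version: 8.0.0
 - !ruby/object:Gem::Dependency
 name: nokogiri
 requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.0
+version: 8.0.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.0
+version: 8.0.0
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.0
+version: 8.0.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 8.0.0
+version: 8.0.0
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -350,10 +350,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v8.0.0
-documentation_uri: https://api.rubyonrails.org/v8.0.0
+changelog_uri: https://github.com/rails/rails/blob/v8.0.0/actionpack/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v8.0.0/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v8.0.0
+source_code_uri: https://github.com/rails/rails/tree/v8.0.0/actionpack
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -371,7 +371,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.5.
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).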