actionpack 4.1.16 → 4.2.0.beta1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (99) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +163 -690
  3. data/README.rdoc +7 -2
  4. data/lib/abstract_controller/base.rb +16 -6
  5. data/lib/abstract_controller/callbacks.rb +28 -51
  6. data/lib/abstract_controller/helpers.rb +0 -3
  7. data/lib/abstract_controller/railties/routes_helpers.rb +3 -3
  8. data/lib/abstract_controller/rendering.rb +1 -7
  9. data/lib/abstract_controller/url_for.rb +1 -1
  10. data/lib/action_controller.rb +1 -0
  11. data/lib/action_controller/base.rb +2 -1
  12. data/lib/action_controller/caching.rb +1 -1
  13. data/lib/action_controller/caching/fragments.rb +7 -1
  14. data/lib/action_controller/log_subscriber.rb +26 -25
  15. data/lib/action_controller/metal.rb +11 -7
  16. data/lib/action_controller/metal/conditional_get.rb +31 -6
  17. data/lib/action_controller/metal/etag_with_template_digest.rb +50 -0
  18. data/lib/action_controller/metal/force_ssl.rb +1 -1
  19. data/lib/action_controller/metal/head.rb +2 -0
  20. data/lib/action_controller/metal/http_authentication.rb +3 -15
  21. data/lib/action_controller/metal/instrumentation.rb +4 -7
  22. data/lib/action_controller/metal/live.rb +57 -6
  23. data/lib/action_controller/metal/mime_responds.rb +17 -227
  24. data/lib/action_controller/metal/redirecting.rb +14 -8
  25. data/lib/action_controller/metal/renderers.rb +19 -3
  26. data/lib/action_controller/metal/rendering.rb +2 -6
  27. data/lib/action_controller/metal/request_forgery_protection.rb +75 -7
  28. data/lib/action_controller/metal/streaming.rb +1 -1
  29. data/lib/action_controller/metal/strong_parameters.rb +111 -11
  30. data/lib/action_controller/metal/url_for.rb +11 -12
  31. data/lib/action_controller/model_naming.rb +1 -1
  32. data/lib/action_controller/railtie.rb +4 -0
  33. data/lib/action_controller/test_case.rb +87 -75
  34. data/lib/action_dispatch/http/cache.rb +1 -1
  35. data/lib/action_dispatch/http/filter_parameters.rb +2 -2
  36. data/lib/action_dispatch/http/headers.rb +43 -9
  37. data/lib/action_dispatch/http/mime_negotiation.rb +10 -4
  38. data/lib/action_dispatch/http/mime_type.rb +2 -16
  39. data/lib/action_dispatch/http/parameter_filter.rb +1 -1
  40. data/lib/action_dispatch/http/parameters.rb +11 -26
  41. data/lib/action_dispatch/http/request.rb +30 -10
  42. data/lib/action_dispatch/http/response.rb +52 -17
  43. data/lib/action_dispatch/http/upload.rb +3 -8
  44. data/lib/action_dispatch/http/url.rb +87 -70
  45. data/lib/action_dispatch/journey/formatter.rb +18 -17
  46. data/lib/action_dispatch/journey/gtg/builder.rb +3 -3
  47. data/lib/action_dispatch/journey/gtg/simulator.rb +10 -7
  48. data/lib/action_dispatch/journey/gtg/transition_table.rb +18 -26
  49. data/lib/action_dispatch/journey/nfa/dot.rb +2 -2
  50. data/lib/action_dispatch/journey/nfa/simulator.rb +1 -1
  51. data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -5
  52. data/lib/action_dispatch/journey/nodes/node.rb +4 -0
  53. data/lib/action_dispatch/journey/parser.rb +52 -60
  54. data/lib/action_dispatch/journey/parser.y +11 -10
  55. data/lib/action_dispatch/journey/path/pattern.rb +16 -19
  56. data/lib/action_dispatch/journey/route.rb +3 -18
  57. data/lib/action_dispatch/journey/router.rb +34 -65
  58. data/lib/action_dispatch/journey/router/strexp.rb +9 -6
  59. data/lib/action_dispatch/journey/routes.rb +0 -4
  60. data/lib/action_dispatch/journey/visitors.rb +81 -92
  61. data/lib/action_dispatch/journey/visualizer/index.html.erb +2 -2
  62. data/lib/action_dispatch/middleware/cookies.rb +27 -31
  63. data/lib/action_dispatch/middleware/debug_exceptions.rb +32 -3
  64. data/lib/action_dispatch/middleware/exception_wrapper.rb +19 -17
  65. data/lib/action_dispatch/middleware/flash.rb +7 -4
  66. data/lib/action_dispatch/middleware/public_exceptions.rb +13 -8
  67. data/lib/action_dispatch/middleware/remote_ip.rb +3 -3
  68. data/lib/action_dispatch/middleware/request_id.rb +1 -1
  69. data/lib/action_dispatch/middleware/session/cookie_store.rb +1 -1
  70. data/lib/action_dispatch/middleware/show_exceptions.rb +1 -0
  71. data/lib/action_dispatch/middleware/static.rb +22 -23
  72. data/lib/action_dispatch/middleware/templates/rescues/_source.erb +22 -18
  73. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +36 -8
  74. data/lib/action_dispatch/middleware/templates/rescues/_trace.text.erb +2 -8
  75. data/lib/action_dispatch/middleware/templates/rescues/{diagnostics.erb → diagnostics.html.erb} +0 -0
  76. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +9 -0
  77. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +6 -0
  78. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +1 -24
  79. data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +0 -1
  80. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +119 -63
  81. data/lib/action_dispatch/routing/endpoint.rb +10 -0
  82. data/lib/action_dispatch/routing/inspector.rb +4 -11
  83. data/lib/action_dispatch/routing/mapper.rb +399 -278
  84. data/lib/action_dispatch/routing/polymorphic_routes.rb +190 -78
  85. data/lib/action_dispatch/routing/redirection.rb +10 -12
  86. data/lib/action_dispatch/routing/route_set.rb +224 -177
  87. data/lib/action_dispatch/routing/url_for.rb +9 -4
  88. data/lib/action_dispatch/testing/assertions.rb +11 -7
  89. data/lib/action_dispatch/testing/assertions/dom.rb +2 -26
  90. data/lib/action_dispatch/testing/assertions/response.rb +2 -7
  91. data/lib/action_dispatch/testing/assertions/routing.rb +9 -9
  92. data/lib/action_dispatch/testing/assertions/selector.rb +2 -429
  93. data/lib/action_dispatch/testing/assertions/tag.rb +2 -134
  94. data/lib/action_dispatch/testing/integration.rb +15 -18
  95. data/lib/action_dispatch/testing/test_request.rb +1 -1
  96. data/lib/action_dispatch/testing/test_response.rb +5 -1
  97. data/lib/action_pack/gem_version.rb +3 -3
  98. metadata +57 -15
  99. data/lib/action_controller/metal/responder.rb +0 -297
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: fe62013e39e8b46771939c7bd21df2fc811979ac
4
- data.tar.gz: a4cb179e0f663accf69a8af04968a6a96d26b865
3
+ metadata.gz: 6d649528dc6dcae47651b64c5dfe0e92989d3fb9
4
+ data.tar.gz: 4cd8d6dd611b187e5005aa4ecbe4f766c574da5e
5
5
  SHA512:
6
- metadata.gz: 39f9f06ffc9546b0870246bb5c4987db9ff77a80cfe5d61bc640aea28d35ae14a03dd327f829644d3a2f7469b5d9441d423f27230ad2d75da44aa1587c828066
7
- data.tar.gz: 7c22ac5277518b7dedb9c1d433d8e59b032ec36a267047a790dab5a12b4e4853bedee5a997b6b29fccd9009f7477de99efc3e5aee9c29ef180b7264d479dfcd4
6
+ metadata.gz: 7670d5691189a68b9a041ebd58916056febb4e71a8a2b4871edf78ba6b5cbdc18472f7e1026c76a8f6f179efdbe282ce801387887267e0d9f03cbad4193e134a
7
+ data.tar.gz: 6f2c063b5f9f67661c316081daf87ee7300647d54a43c2179712f69765f79472e83fe3d4457944f4d064f9c4475d0cf5a8502cc1457aeeb433336eb2a71fe671
@@ -1,135 +1,126 @@
1
- ## Rails 4.1.16 (July 12, 2016) ##
1
+ * `ActionController::Parameters` will stop inheriting from `Hash` and
2
+ `HashWithIndifferentAccess` in the next major release. If you use any method
3
+ that is not available on `ActionController::Parameters` you should consider
4
+ calling `#to_h` to convert it to a `Hash` first before calling that method.
2
5
 
3
- * No changes.
4
-
5
-
6
- ## Rails 4.1.15 (March 07, 2016) ##
7
-
8
- * No changes.
9
-
10
-
11
- ## Rails 4.1.14.2 (February 26, 2016) ##
12
-
13
- * Do not allow render with unpermitted parameter.
14
-
15
- Fixes CVE-2016-2098.
16
-
17
- *Arthur Neves*
18
-
19
-
20
- ## Rails 4.1.14.1 (January 25, 2015) ##
21
-
22
- * No changes.
23
-
24
-
25
- ## Rails 4.1.14 (November 12, 2015) ##
26
-
27
- * No changes.
28
-
29
-
30
- ## Rails 4.1.13 (August 24, 2015) ##
31
-
32
- * No changes.
33
-
34
-
35
- ## Rails 4.1.12 (June 25, 2015) ##
36
-
37
- * Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
38
-
39
- Previously, an empty X_FORWARDED_HOST header would cause
40
- Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
41
- Actiondispatch::Http:URL.host to raise a NoMethodError.
42
-
43
- *Adam Forsyth*
6
+ *Prem Sichanugrist*
44
7
 
45
- * Fix regression in functional tests. Responses should have default headers
46
- assigned.
8
+ * `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
9
+ keys removed. This change is to reflect on a security concern where some
10
+ method performed on an `ActionController::Parameters` may yield a `Hash`
11
+ object which does not maintain `permitted?` status. If you would like to
12
+ get a `Hash` with all the keys intact, duplicate and mark it as permitted
13
+ before calling `#to_h`.
47
14
 
48
- See #18423.
15
+ params = ActionController::Parameters.new({
16
+ name: 'Senjougahara Hitagi',
17
+ oddity: 'Heavy stone crab'
18
+ })
19
+ params.to_h
20
+ # => {}
49
21
 
50
- *Jeremy Kemper*, *Yves Senn*
22
+ unsafe_params = params.dup.permit!
23
+ unsafe_params.to_h
24
+ # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
51
25
 
26
+ safe_params = params.permit(:name)
27
+ safe_params.to_h
28
+ # => {"name"=>"Senjougahara Hitagi"}
52
29
 
53
- ## Rails 4.1.11 (June 16, 2015) ##
30
+ This change is consider a stopgap as we cannot change the code to stop
31
+ `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
32
+ in the next minor release.
54
33
 
55
- * No changes.
34
+ *Prem Sichanugrist*
56
35
 
36
+ * Deprecated TagAssertions.
57
37
 
58
- ## Rails 4.1.10 (March 19, 2015) ##
38
+ *Kasper Timm Hansen*
59
39
 
60
- * Preserve default format when generating URLs
40
+ * Use the Active Support JSON encoder for cookie jars using the `:json` or
41
+ `:hybrid` serializer. This allows you to serialize custom Ruby objects into
42
+ cookies by defining the `#as_json` hook on such objects.
61
43
 
62
- Fixes an issue that would cause the format set in default_url_options to be
63
- lost when generating URLs with fewer positional arguments than parameters in
64
- the route definition.
44
+ Fixes #16520.
65
45
 
66
- Backport of #18627
46
+ *Godfrey Chan*
67
47
 
68
- *Tekin Suleyman*, *Dominic Baggott*
48
+ * Add `config.action_dispatch.cookies_digest` option for setting custom
49
+ digest. The default remains the same - 'SHA1'.
69
50
 
70
- * Default headers, removed in controller actions, are no longer reapplied on
71
- the test response.
51
+ *Łukasz Strzałkowski*
72
52
 
73
- *Jonas Baumann*
53
+ * Move `respond_with` (and the class-level `respond_to`) to
54
+ the `responders` gem.
74
55
 
75
- * Ensure `append_info_to_payload` is called even if an exception is raised.
56
+ *José Valim*
76
57
 
77
- Fixes an issue where when an exception is raised in the request the additonal
78
- payload data is not available.
58
+ * When your templates change, browser caches bust automatically.
79
59
 
80
- See:
81
- * #14903
82
- * https://github.com/roidrage/lograge/issues/37
60
+ New default: the template digest is automatically included in your ETags.
61
+ When you call `fresh_when @post`, the digest for `posts/show.html.erb`
62
+ is mixed in so future changes to the HTML will blow HTTP caches for you.
63
+ This makes it easy to HTTP-cache many more of your actions.
83
64
 
84
- *Dieter Komendera*, *Margus Pärt*
65
+ If you render a different template, you can now pass the `:template`
66
+ option to include its digest instead:
85
67
 
68
+ fresh_when @post, template: 'widgets/show'
86
69
 
87
- ## Rails 4.1.9 (January 6, 2015) ##
70
+ Pass `template: false` to skip the lookup. To turn this off entirely, set:
88
71
 
89
- * Fixed handling of positional url helper arguments when `format: false`.
72
+ config.action_controller.etag_with_template_digest = false
90
73
 
91
- Fixes #17819.
74
+ *Jeremy Kemper*
92
75
 
93
- *Andrew White*, *Tatiana Soukiassian*
76
+ * Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
77
+ in favor of `AbstractController::Helpers::MissingHelperError`.
94
78
 
95
- * Restore handling of a bare `Authorization` header, without `token=`
96
- prefix.
79
+ *Yves Senn*
97
80
 
98
- Fixes #17108.
81
+ * Fix `assert_template` not being able to assert that no files were rendered.
99
82
 
100
83
  *Guo Xiang Tan*
101
84
 
85
+ * Extract source code for the entire exception stack trace for
86
+ better debugging and diagnosis.
102
87
 
103
- ## Rails 4.1.8 (November 16, 2014) ##
104
-
105
- * Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
106
-
107
- fixes #17035.
88
+ *Ryan Dao*
108
89
 
109
- *arthurnn*
90
+ * Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
91
+ loopback address.
110
92
 
111
- * Fix a bug where malformed query strings lead to 500.
93
+ *Earl St Sauver*, *Sven Riedel*
112
94
 
113
- fixes #11502.
95
+ * Preserve original path in `ShowExceptions` middleware by stashing it as
96
+ `env["action_dispatch.original_path"]`
114
97
 
115
- *Yuki Nishijima*
98
+ `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
99
+ for the exception defined in `ExceptionWrapper`, so the path
100
+ the user was visiting when an exception occurred was not previously
101
+ available to any custom exceptions_app. The original `PATH_INFO` is now
102
+ stashed in `env["action_dispatch.original_path"]`.
116
103
 
104
+ *Grey Baker*
117
105
 
118
- ## Rails 4.1.7.1 (November 19, 2014) ##
106
+ * Use `String#bytesize` instead of `String#size` when checking for cookie
107
+ overflow.
119
108
 
120
- * Fix arbitrary file existence disclosure in Action Pack.
109
+ *Agis Anastasopoulos*
121
110
 
122
- CVE-2014-7829.
111
+ * `render nothing: true` or rendering a `nil` body no longer add a single
112
+ space to the response body.
123
113
 
114
+ The old behavior was added as a workaround for a bug in an early version of
115
+ Safari, where the HTTP headers are not returned correctly if the response
116
+ body has a 0-length. This is been fixed since and the workaround is no
117
+ longer necessary.
124
118
 
125
- ## Rails 4.1.7 (October 29, 2014) ##
119
+ Use `render body: ' '` if the old behavior is desired.
126
120
 
127
- * Fix arbitrary file existence disclosure in Action Pack.
121
+ See #14883 for details.
128
122
 
129
- CVE-2014-7818.
130
-
131
-
132
- ## Rails 4.1.6 (September 11, 2014) ##
123
+ *Godfrey Chan*
133
124
 
134
125
  * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
135
126
  ("Rosetta Flash")
@@ -158,6 +149,12 @@
158
149
 
159
150
  *Lucas Mazza*
160
151
 
152
+ * Add `config.action_controller.always_permitted_parameters` to configure which
153
+ parameters are permitted globally. The default value of this configuration is
154
+ `['controller', 'action']`.
155
+
156
+ *Gary S. Weaver*, *Rafael Chacon*
157
+
161
158
  * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
162
159
 
163
160
  Fixes #15511.
@@ -177,50 +174,45 @@
177
174
 
178
175
  *Larry Lv*
179
176
 
177
+ * Ensure the controller is always notified as soon as the client disconnects
178
+ during live streaming, even when the controller is blocked on a write.
180
179
 
181
- ## Rails 4.1.4 (July 2, 2014) ##
180
+ *Nicholas Jakobsen*, *Matthew Draper*
182
181
 
183
- * No changes.
182
+ * Routes specifying 'to:' must be a string that contains a "#" or a rack
183
+ application. Use of a symbol should be replaced with `action: symbol`.
184
+ Use of a string without a "#" should be replaced with `controller: string`.
184
185
 
185
-
186
- ## Rails 4.1.3 (July 2, 2014) ##
187
-
188
- * No changes.
189
-
190
-
191
- ## Rails 4.1.2 (June 26, 2014) ##
186
+ *Aaron Patterson*
192
187
 
193
188
  * Fix URL generation with `:trailing_slash` such that it does not add
194
189
  a trailing slash after `.:format`
195
190
 
196
191
  *Dan Langevin*
197
192
 
198
- * Fix an issue with migrating legacy json cookies.
193
+ * Build full URI as string when processing path in integration tests for
194
+ performance reasons.
199
195
 
200
- Previously, the `VerifyAndUpgradeLegacySignedMessage` assumed all incoming
201
- cookies were marshal-encoded. This was not the case when `secret_token` was
202
- used in conjunction with the `:json` or `:hybrid` serializer.
203
-
204
- In those cases, when upgrading to use `secret_key_base`, this would cause a
205
- `TypeError: incompatible marshal file format` and a 500 error for the user.
196
+ *Guo Xiang Tan*
206
197
 
207
- Fixes #14774.
198
+ * Fix `'Stack level too deep'` when rendering `head :ok` in an action method
199
+ called 'status' in a controller.
208
200
 
209
- *Godfrey Chan*
201
+ Fixes #13905.
210
202
 
211
- * `http_basic_authenticate_with` only checks the authentication if the schema is
212
- `Basic`.
203
+ *Christiaan Van den Poel*
213
204
 
214
- Fixes #10257.
205
+ * Add MKCALENDAR HTTP method (RFC 4791).
215
206
 
216
- *tomykaira*
207
+ *Sergey Karpesh*
217
208
 
218
- * Fix `'Stack level too deep'` when rendering `head :ok` in an action method
219
- called 'status' in a controller.
209
+ * Instrument fragment cache metrics.
220
210
 
221
- Fixes #13905.
211
+ Adds `:controller`: and `:action` keys to the instrumentation payload
212
+ for the `*_fragment.action_controller` notifications. This allows tracking
213
+ e.g. the fragment cache hit rates for each controller action.
222
214
 
223
- *Christiaan Van den Poel*
215
+ *Daniel Schierbeck*
224
216
 
225
217
  * Always use the provided port if the protocol is relative.
226
218
 
@@ -228,9 +220,40 @@
228
220
 
229
221
  *Guilherme Cavalcanti*, *Andrew White*
230
222
 
231
- * Append a link in the backtrace to the bad code when a `SyntaxError` exception occurs.
223
+ * Moved `params[request_forgery_protection_token]` into its own method
224
+ and improved tests.
232
225
 
233
- *Boris Kuznetsov*
226
+ Fixes #11316.
227
+
228
+ *Tom Kadwill*
229
+
230
+ * Added verification of route constraints given as a Proc or an object responding
231
+ to `:matches?`. Previously, when given an non-complying object, it would just
232
+ silently fail to enforce the constraint. It will now raise an `ArgumentError`
233
+ when setting up the routes.
234
+
235
+ *Xavier Defrang*
236
+
237
+ * Properly treat the entire IPv6 User Local Address space as private for
238
+ purposes of remote IP detection. Also handle uppercase private IPv6
239
+ addresses.
240
+
241
+ Fixes #12638.
242
+
243
+ *Caleb Spare*
244
+
245
+ * Fixed an issue with migrating legacy json cookies.
246
+
247
+ Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
248
+ cookies are marshal-encoded. This is not the case when `secret_token` is
249
+ used in conjunction with the `:json` or `:hybrid` serializer.
250
+
251
+ In those case, when upgrading to use `secret_key_base`, this would cause a
252
+ `TypeError: incompatible marshal file format` and a 500 error for the user.
253
+
254
+ Fixes #14774.
255
+
256
+ *Godfrey Chan*
234
257
 
235
258
  * Make URL escaping more consistent:
236
259
 
@@ -248,41 +271,40 @@
248
271
 
249
272
  *Andrew White*, *Edho Arief*
250
273
 
251
- * Returns a null type format when the format is not known and the controller is using an
252
- `any` format block.
274
+ * Add alias `ActionDispatch::Http::UploadedFile#to_io` to
275
+ `ActionDispatch::Http::UploadedFile#tempfile`.
253
276
 
254
- Fixes #14462.
277
+ *Tim Linquist*
255
278
 
256
- *Rafael Mendonça França*
257
-
258
- * Only make deeply nested routes shallow when the parent is shallow.
279
+ * Returns null type format when format is not know and controller is using `any`
280
+ format block.
259
281
 
260
- Fixes #14684.
261
-
262
- *Andrew White*, *James Coglan*
282
+ Fixes #14462.
263
283
 
284
+ *Rafael Mendonça França*
264
285
 
265
- ## Rails 4.1.1 (May 6, 2014) ##
286
+ * Improve routing error page with fuzzy matching search.
266
287
 
267
- * Only accept actions without `File::SEPARATOR` in the name.
288
+ *Winston*
268
289
 
269
- This will avoid directory traversal in implicit render.
290
+ * Only make deeply nested routes shallow when parent is shallow.
270
291
 
271
- Fixes: CVE-2014-0130
292
+ Fixes #14684.
272
293
 
273
- *Rafael Mendonça França*
294
+ *Andrew White*, *James Coglan*
274
295
 
296
+ * Append link to bad code to backtrace when exception is `SyntaxError`.
275
297
 
276
- ## Rails 4.1.0 (April 8, 2014) ##
298
+ *Boris Kuznetsov*
277
299
 
278
- * Swap the parameters of assert_equal in `assert_select` so that the
279
- proper values are printed correctly
300
+ * Swapped the parameters of assert_equal in `assert_select` so that the
301
+ proper values were printed correctly.
280
302
 
281
303
  Fixes #14422.
282
304
 
283
305
  *Vishal Lal*
284
306
 
285
- * The method `shallow?` returns false if the parent resource is a singleton, so
307
+ * The method `shallow?` returns false if the parent resource is a singleton so
286
308
  we need to check if we're not inside a nested scope before copying the :path
287
309
  and :as options to their shallow equivalents.
288
310
 
@@ -290,564 +312,15 @@
290
312
 
291
313
  *Andrew White*
292
314
 
315
+ * Make logging of CSRF failures optional (but on by default) with the
316
+ `log_warning_on_csrf_failure` configuration setting in
317
+ `ActionController::RequestForgeryProtection`.
293
318
 
294
- ## Rails 4.1.0 (April 8, 2014) ##
319
+ *John Barton*
295
320
 
296
321
  * Fix URL generation in controller tests with request-dependent
297
322
  `default_url_options` methods.
298
323
 
299
324
  *Tony Wooster*
300
325
 
301
- * Introduce `render :html` as an option to render HTML content with a content
302
- type of `text/html`. This rendering option calls `ERB::Util.html_escape`
303
- internally to escape unsafe HTML strings, so you will need to mark a
304
- string as `html_safe` if it contains any HTML tag.
305
-
306
- See #14062, #12374.
307
-
308
- *Prem Sichanugrist*
309
-
310
- * Introduce `render :plain` as an option to render content with a content type
311
- of `text/plain`. This is the preferred option if you are planning to render
312
- a plain text content.
313
-
314
- See #14062, #12374.
315
-
316
- *Prem Sichanugrist*
317
-
318
- * Introduce `render :body` as an option for sending a raw content back to
319
- browser. Note that this rendering option does not include "Content-Type"
320
- header back in the response.
321
-
322
- You should only use this option if you don't care about the content type
323
- of the response. More information on "Content-Type" header can be found
324
- on RFC 2616, section 7.2.1.
325
-
326
- See #14062, #12374.
327
-
328
- *Prem Sichanugrist*
329
-
330
- * Set stream status to 500 (or 400 on BadRequest) when an error is thrown
331
- before committing.
332
-
333
- Fixes #12552.
334
-
335
- *Kevin Casey*
336
-
337
- * Add a new config option `config.action_dispatch.cookies_serializer` for
338
- specifying a serializer for the signed and encrypted cookie jars.
339
-
340
- The possible values are:
341
-
342
- * `:json` - serialize cookie values with `JSON`
343
- * `:marshal` - serialize cookie values with `Marshal`
344
- * `:hybrid` - transparently migrate existing `Marshal` cookie values to `JSON`
345
-
346
- For new apps the `:json` option is added by default and `:marshal` is used
347
- when no option is specified to maintain backwards compatibility.
348
-
349
- *Łukasz Sarnacki*, *Matt Aimonetti*, *Guillermo Iguaran*, *Godfrey Chan*, *Rafael Mendonça França*
350
-
351
- * `FlashHash` now behaves like a `HashWithIndifferentAccess`.
352
-
353
- *Guillermo Iguaran*
354
-
355
- * Set the `:shallow_path` scope option as each scope is generated rather than
356
- waiting until the `shallow` option is set. Also make the behavior of the
357
- `:shallow` resource option consistent with the behavior of the `shallow` method.
358
-
359
- Fixes #12498.
360
-
361
- *Andrew White*, *Aleksi Aalto*
362
-
363
- * Properly require `action_view` in `AbstractController::Rendering` to prevent
364
- an uninitialized constant error for `ENCODING_FLAG`.
365
-
366
- *Philipe Fatio*
367
-
368
- * Do not discard query parameters that form a hash with the same root key as
369
- the `wrapper_key` for a request using `wrap_parameters`.
370
-
371
- *Josh Jordan*
372
-
373
- * Ensure that `request.filtered_parameters` is reset between calls to `process`
374
- in `ActionController::TestCase`.
375
-
376
- Fixes #13803.
377
-
378
- *Andrew White*
379
-
380
- * Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
381
-
382
- Fixes #13810.
383
-
384
- *Maurizio De Santis*
385
-
386
- * Log which keys were affected by deep munge.
387
-
388
- Deep munge solves the CVE-2013-0155 security vulnerability, but its
389
- behaviour is confusing. With this commit, the information about which
390
- key values were set to nil is now visible in logs.
391
-
392
- *Łukasz Sarnacki*
393
-
394
- * Automatically convert dashes to underscores for shorthand routes, e.g:
395
-
396
- get '/our-work/latest'
397
-
398
- When running `rake routes` you will get the following output:
399
-
400
- Prefix Verb URI Pattern Controller#Action
401
- our_work_latest GET /our-work/latest(.:format) our_work#latest
402
-
403
- *Mikko Johansson*
404
-
405
- * Automatically convert dashes to underscores for url helpers, e.g:
406
-
407
- get '/contact-us' => 'pages#contact'
408
- get '/about-us' => 'pages#about_us'
409
-
410
- When running `rake routes` you will get the following output:
411
-
412
- Prefix Verb URI Pattern Controller#Action
413
- contact_us GET /contact-us(.:format) pages#contact
414
- about_us GET /about-us(.:format) pages#about_us
415
-
416
- *Amr Tamimi*
417
-
418
- * Fix stream closing when sending file with `ActionController::Live` included.
419
-
420
- Fixes #12381.
421
-
422
- *Alessandro Diaferia*
423
-
424
- * Allow an absolute controller path inside a module scope. Fixes #12777.
425
-
426
- Example:
427
-
428
- namespace :foo do
429
- # will route to BarController without the namespace.
430
- get '/special', to: '/bar#index'
431
- end
432
-
433
-
434
- * Unique the segment keys array for non-optimized url helpers
435
-
436
- In Rails 3.2 you only needed to pass an argument for a dynamic segment
437
- once so unique the segment keys array to match the number of args. Since
438
- the number of args is less than the required parts, the non-optimized code
439
- path is selected. To benefit from optimized url generation, the arg needs
440
- to be specified as many times as it appears in the path.
441
-
442
- Fixes #12808.
443
-
444
- *Andrew White*
445
-
446
- * Show full route constraints in error message.
447
-
448
- When an optimized helper fails to generate, show the full route constraints
449
- in the error message. Previously it would only show the contraints that were
450
- required as part of the path.
451
-
452
- Fixes #13592.
453
-
454
- *Andrew White*
455
-
456
- * Use a custom route visitor for optimized url generation. Fixes #13349.
457
-
458
- *Andrew White*
459
-
460
- * Allow engine root relative redirects using an empty string.
461
-
462
- Example:
463
-
464
- # application routes.rb
465
- mount BlogEngine => '/blog'
466
-
467
- # engine routes.rb
468
- get '/welcome' => redirect('')
469
-
470
- This now redirects to the path `/blog`, whereas before it would redirect
471
- to the application root path. In the case of a path redirect or a custom
472
- redirect, if the path returned contains a host then the path is treated as
473
- absolute. Similarly for option redirects, if the options hash returned
474
- contains a `:host` or `:domain` key then the path is treated as absolute.
475
-
476
- Fixes #7977.
477
-
478
- *Andrew White*
479
-
480
- * Fix `Encoding::CompatibilityError` when public path is UTF-8
481
-
482
- In #5337 we forced the path encoding to ASCII-8BIT to prevent static file
483
- handling from blowing up before an application has had a chance to deal
484
- with possibly invalid urls. However this has a negative side effect of
485
- making it an incompatible encoding if the application's public path has
486
- UTF-8 characters in it.
487
-
488
- To work around the problem we check to see if the path has a valid encoding once
489
- it has been unescaped. If it is not valid then we can return early since it will
490
- not match any file anyway.
491
-
492
- Fixes #13518.
493
-
494
- *Andrew White*
495
-
496
- * `ActionController::Parameters#permit!` permits hashes in array values.
497
-
498
- *Xavier Noria*
499
-
500
- * Converts hashes in arrays of unfiltered params to unpermitted params.
501
-
502
- Fixes #13382.
503
-
504
- *Xavier Noria*
505
-
506
- * New config option to opt out of params "deep munging" that was used to
507
- address the security vulnerability CVE-2013-0155. In your app config:
508
-
509
- config.action_dispatch.perform_deep_munge = false
510
-
511
- Take care to understand the security risk involved before disabling this.
512
- [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
513
-
514
- *Bernard Potocki*
515
-
516
- * `rake routes` shows routes defined under assets prefix.
517
-
518
- *Ryunosuke SATO*
519
-
520
- * Extend cross-site request forgery (CSRF) protection to GET requests with
521
- JavaScript responses, protecting apps from cross-origin `<script>` tags.
522
-
523
- *Jeremy Kemper*
524
-
525
- * Fix generating a path for an engine inside a resources block.
526
-
527
- Fixes #8533.
528
-
529
- *Piotr Sarnacki*
530
-
531
- * Add `Mime::Type.register "text/vcard", :vcf` to the default list of mime types.
532
-
533
- *DHH*
534
-
535
- * Remove deprecated `ActionController::RecordIdentifier`, use
536
- `ActionView::RecordIdentifier` instead.
537
-
538
- *kennyj*
539
-
540
- * Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
541
- `options[:raise]`.
542
-
543
- This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
544
-
545
- *Shota Fukumori (sora_h)*
546
-
547
- * Introducing Variants
548
-
549
- We often want to render different html/json/xml templates for phones,
550
- tablets, and desktop browsers. Variants make it easy.
551
-
552
- The request variant is a specialization of the request format, like `:tablet`,
553
- `:phone`, or `:desktop`.
554
-
555
- You can set the variant in a `before_action`:
556
-
557
- request.variant = :tablet if request.user_agent =~ /iPad/
558
-
559
- Respond to variants in the action just like you respond to formats:
560
-
561
- respond_to do |format|
562
- format.html do |html|
563
- html.tablet # renders app/views/projects/show.html+tablet.erb
564
- html.phone { extra_setup; render ... }
565
- end
566
- end
567
-
568
- Provide separate templates for each format and variant:
569
-
570
- app/views/projects/show.html.erb
571
- app/views/projects/show.html+tablet.erb
572
- app/views/projects/show.html+phone.erb
573
-
574
- You can also simplify the variants definition using the inline syntax:
575
-
576
- respond_to do |format|
577
- format.js { render "trash" }
578
- format.html.phone { redirect_to progress_path }
579
- format.html.none { render "trash" }
580
- end
581
-
582
- Variants also support the common `any`/`all` block that formats have.
583
-
584
- It works for both inline:
585
-
586
- respond_to do |format|
587
- format.html.any { render text: "any" }
588
- format.html.phone { render text: "phone" }
589
- end
590
-
591
- and block syntax:
592
-
593
- respond_to do |format|
594
- format.html do |variant|
595
- variant.any(:tablet, :phablet){ render text: "any" }
596
- variant.phone { render text: "phone" }
597
- end
598
- end
599
-
600
- *Łukasz Strzałkowski*
601
-
602
- * Fix rendering localized templates without an explicit format using wrong
603
- content header and not passing correct formats to template due to the
604
- introduction of the `NullType` for mimes.
605
-
606
- Templates like `hello.it.erb` were subject to this issue.
607
-
608
- Fixes #13064.
609
-
610
- *Angelo Capilleri*, *Carlos Antonio da Silva*
611
-
612
- * Try to escape each part of a url correctly when using a redirect route.
613
-
614
- Fixes #13110.
615
-
616
- *Andrew White*
617
-
618
- * Better error message for typos in assert_response arguments.
619
-
620
- When the response type argument to `assert_response` is not a known
621
- response type, `assert_response` now throws an ArgumentError with a clear
622
- message. This is intended to help debug typos in the response type.
623
-
624
- *Victor Costan*
625
-
626
- * Fix formatting for `rake routes` when a section is shorter than a header.
627
-
628
- *Sıtkı Bağdat*
629
-
630
- * Accept an options hash inside the array in `#url_for`.
631
-
632
- Example:
633
-
634
- url_for [:new, :admin, :post, { param: 'value' }]
635
- # => http://example.com/admin/posts/new?param=value
636
-
637
- *Andrey Ognevsky*
638
-
639
- * Add `session#fetch` method
640
-
641
- fetch behaves like [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch).
642
- It returns a value from the hash for the given key.
643
- If the key can’t be found, there are several options:
644
-
645
- * With no other arguments, it will raise a KeyError exception.
646
- * If a default value is given, then it will be returned.
647
- * If the optional code block is specified, then it will be run and its result returned.
648
-
649
- *Damien Mathieu*
650
-
651
- * Don't let strong parameters mutate the given hash via `fetch`
652
-
653
- Create a new instance if the given parameter is a `Hash` instead of
654
- passing it to the `convert_hashes_to_parameters` method since it is
655
- overriding its default value.
656
-
657
- *Brendon Murphy*, *Doug Cole*
658
-
659
- * Add a `params` option to the `button_to` form helper which renders
660
- the given hash as hidden form fields.
661
-
662
- *Andy Waite*
663
-
664
- * Enable assets helpers to work in the controllers like they do in the views.
665
-
666
- Example:
667
-
668
- # config/application.rb
669
- config.asset_host = 'http://mycdn.com'
670
-
671
- ActionController::Base.helpers.asset_path('fallback.png')
672
- # => http://mycdn.com/assets/fallback.png
673
-
674
- Fixes #10051.
675
-
676
- *Tima Maslyuchenko*
677
-
678
- * Respect `SCRIPT_NAME` when using `redirect` with a relative path
679
-
680
- Example:
681
-
682
- # application routes.rb
683
- mount BlogEngine => '/blog'
684
-
685
- # engine routes.rb
686
- get '/admin' => redirect('admin/dashboard')
687
-
688
- This now redirects to the path `/blog/admin/dashboard`, whereas before it would
689
- have generated an invalid url because there would be no slash between the host name
690
- and the path. It also allows redirects to work when the application is deployed
691
- to a subdirectory of a website.
692
-
693
- Fixes #7977.
694
-
695
- *Andrew White*
696
-
697
- * Fixing `repond_with` working directly on the options hash
698
- This fixes an issue where the `respond_with` worked directly with the given
699
- options hash, so that if a user relied on it after calling `respond_with`,
700
- the hash wouldn't be the same.
701
-
702
- Fixes #12029.
703
-
704
- *bluehotdog*
705
-
706
- * Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
707
- attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
708
-
709
- Fixes #10844.
710
-
711
- *Tamir Duberstein*
712
-
713
- * Strong parameters should permit a nested number to be a key.
714
-
715
- Fixes #12293.
716
-
717
- *kennyj*
718
-
719
- * Fix the regex used to detect URI schemes in `redirect_to`, to be consistent
720
- with RFC 3986.
721
-
722
- *Derek Prior*
723
-
724
- * Fix incorrect `assert_redirected_to` failure message for protocol-relative
725
- URLs.
726
-
727
- *Derek Prior*
728
-
729
- * Fix an issue where the router could not recognize a downcased url encoding path.
730
-
731
- Fixes #12269.
732
-
733
- *kennyj*
734
-
735
- * Fix custom flash type definition. Misuse of the `_flash_types` class variable
736
- caused an error when reloading controllers with custom flash types.
737
-
738
- Fixes #12057.
739
-
740
- *Ricardo de Cillo*
741
-
742
- * Do not break params filtering on `nil` values.
743
-
744
- Fixes #12149.
745
-
746
- *Vasiliy Ermolovich*
747
-
748
- * Development mode exceptions are rendered in text format in case of
749
- an XHR request.
750
-
751
- *Kir Shatrov*
752
-
753
- * Fix an issue where :if and :unless controller action procs were being run
754
- before checking for the correct action in the :only and :unless options.
755
-
756
- Fixes #11799.
757
-
758
- *Nicholas Jakobsen*
759
-
760
- * Fix an issue where `assert_dom_equal` and `assert_dom_not_equal` were
761
- ignoring the passed failure message argument.
762
-
763
- Fixes #11751.
764
-
765
- *Ryan McGeary*
766
-
767
- * Allow REMOTE_ADDR, HTTP_HOST and HTTP_USER_AGENT to be overridden from
768
- the environment passed into `ActionDispatch::TestRequest.new`.
769
-
770
- Fixes #11590.
771
-
772
- *Andrew White*
773
-
774
- * Fix an issue where Journey was failing to clear the named routes hash when the
775
- routes were reloaded and since it doesn't overwrite existing routes then if a
776
- route changed but wasn't renamed it kept the old definition. This was being
777
- masked by the optimised url helpers so it only became apparent when passing an
778
- options hash to the url helper.
779
-
780
- *Andrew White*
781
-
782
- * Skip routes pointing to a redirect or mounted application when generating urls
783
- using an options hash as they aren't relevant and generate incorrect urls.
784
-
785
- Fixes #8018.
786
-
787
- *Andrew White*
788
-
789
- * Move `MissingHelperError` out of the `ClassMethods` module.
790
-
791
- *Yves Senn*
792
-
793
- * Fix an issue where Rails raised an exception about a missing helper when
794
- it should have thrown a `LoadError` instead. When the helper file exists
795
- and only the loaded file from the helper does not exist, Rails should now
796
- throw a `LoadError` instead of a `MissingHelperError`.
797
-
798
- *Piotr Niełacny*
799
-
800
- * Fix `ActionDispatch::ParamsParser#parse_formatted_parameters` to rewind
801
- body input stream on parsing json params.
802
-
803
- Fixes #11345.
804
-
805
- *Yuri Bol*, *Paul Nikitochkin*
806
-
807
- * Ignore spaces around delimiters in the Set-Cookie header.
808
-
809
- *Yamagishi Kazutoshi*
810
-
811
- * Remove deprecated Rails application fallback for integration testing.
812
- Set `ActionDispatch.test_app` instead.
813
-
814
- *Carlos Antonio da Silva*
815
-
816
- * Remove deprecated `page_cache_extension` config.
817
-
818
- *Francesco Rodriguez*
819
-
820
- * Remove deprecated constants from Action Controller:
821
-
822
- ActionController::AbstractRequest => ActionDispatch::Request
823
- ActionController::Request => ActionDispatch::Request
824
- ActionController::AbstractResponse => ActionDispatch::Response
825
- ActionController::Response => ActionDispatch::Response
826
- ActionController::Routing => ActionDispatch::Routing
827
- ActionController::Integration => ActionDispatch::Integration
828
- ActionController::IntegrationTest => ActionDispatch::IntegrationTest
829
-
830
- *Carlos Antonio da Silva*
831
-
832
- * Fix `Mime::Type.parse` when a bad accepts header is looked up.
833
- Previously, it was setting `request.formats` with an array containing a
834
- `nil` value, which raised an error when setting the controller formats.
835
-
836
- Fixes #10965.
837
-
838
- *Becker*
839
-
840
- * Merge `:action` from routing scope and assign endpoint if both `:controller`
841
- and `:action` are present. The endpoint assignment only occurs if there is
842
- no `:to` present in the options hash, so should only affect routes using the
843
- shorthand syntax (i.e. endpoint is inferred from the path).
844
-
845
- Fixes #9856.
846
-
847
- *Yves Senn*, *Andrew White*
848
-
849
- * Action View extracted from Action Pack.
850
-
851
- *Piotr Sarnacki*, *Łukasz Strzałkowski*
852
-
853
- Please check [4-0-stable](https://github.com/rails/rails/blob/4-0-stable/actionpack/CHANGELOG.md) for previous changes.
326
+ Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.