actionpack 4.2.11.3 → 5.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 7b149e341681eb3597a0f7d84b4e79752c9158dcf7d37304ef2c62fe533a8d78
-  data.tar.gz: a0247c959d61ccdee256a600caca6032894ceac1494ce4c2f7e9167a682079a1
+SHA1:
+  metadata.gz: b8eece084b0d46f0491133f5962fe75948897d38
+  data.tar.gz: 85bc45eacfb08495798916de51388ed289fd8c4c
 SHA512:
-  metadata.gz: e9e77c79a89b8de26559b2468cf53ca02df390ef6ec0c88a9b8b7cbb356f2e0a0e1c530bc1cd5f4ab62b429425d23f2efb4fafd2d1349c6dcf77546d76ddb2aa
-  data.tar.gz: 9ce00ebedd2d8cb7219031fc7fad0c2bc2f0cb31230cc898f04a7e410f4ac9b2562603d8590de2eb50d875ba1bcce1fe1c82ddb1861ce0f707029e39f0dc7fc6
+  metadata.gz: fa4d4c43da0d0c86b545b6cb81da6363c3a8a9576d475550d1637de0b9f0d18bc59542680d7be1459a205ffe9ca25d8184f944c990e4ad3f354331dc2ca0efc8
+  data.tar.gz: cf96d44d85b60080df44c3c0d8a8d5526879afbcfcb685758ebeb822268a7c8e27654560aa9a68034ce1ca87a71eccf739de2958680eb674af5b1912e2635abe

data/CHANGELOG.md

@@ -1,121 +1,186 @@
-## Rails 4.2.11.3 (May 15, 2020) ##
+## Rails 5.0.0.beta1 (December 18, 2015) ##
 
 *   No changes.
 
 
-## Rails 4.2.11.2 (May 15, 2020) ##
+*   Deprecate `redirect_to :back` in favor of `redirect_back`, which accepts a
+    required `fallback_location` argument, thus eliminating the possibility of a
+    `RedirectBackError`.
 
-*   No changes.
+    *Derek Prior*
 
+*   Add `redirect_back` method to `ActionController::Redirecting` to provide a
+    way to safely redirect to the `HTTP_REFERER` if it is present, falling back
+    to a provided redirect otherwise.
 
-## Rails 4.2.11.1 (March 11, 2019) ##
+    *Derek Prior*
 
-*   No changes.
+*   `ActionController::TestCase` will be moved to it's own gem in Rails 5.1
 
+    With the speed improvements made to `ActionDispatch::IntegrationTest` we no
+    longer need to keep two separate code bases for testing controllers. In
+    Rails 5.1 `ActionController::TestCase` will be deprecated and moved into a
+    gem outside of Rails source.
 
-## Rails 4.2.11 (November 27, 2018) ##
+    This is a documentation deprecation so that going forward so new tests will use
+    `ActionDispatch::IntegrationTest` instead of `ActionController::TestCase`.
 
-*   No changes.
+    *Eileen M. Uchitelle*
 
+*   Add a `response_format` option to `ActionDispatch::DebugExceptions`
+    to configure the format of the response when errors occur in
+    development mode.
 
-## Rails 4.2.10 (September 27, 2017) ##
+    If `response_format` is `:default` the debug info will be rendered
+    in an HTML page. In the other hand, if the provided value is `:api`
+    the debug info will be rendered in the original response format.
 
-*   Fix regression in behavior of `normalize_path`.
+    *Jorge Bejar*
 
-    In Rails 5 there was a change to ensure the encoding of the original string
-    in a path was maintained. This was incorrectly backported to Rails 4.2 which
-    caused a regression.
+*   Change the `protect_from_forgery` prepend default to `false`
 
-    *Eileen M. Uchitelle*
+    Per this comment
+    https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want
+    `protect_from_forgery` to default to `prepend: false`.
 
-## Rails 4.2.9 (June 26, 2017) ##
+    `protect_from_forgery` will now be insterted into the callback chain at the
+    point it is called in your application. This is useful for cases where you
+    want to `protect_from_forgery` after you perform required authentication
+    callbacks or other callbacks that are required to run after forgery protection.
 
-*   Use more specific check for :format in route path
+    If you want `protect_from_forgery` callbacks to always run first, regardless of
+    position they are called in your application then you can add `prepend: true`
+    to your `protect_from_forgery` call.
 
-    The current check for whether to add an optional format to the path is very lax
-    and will match things like `:format_id` where there are nested resources, e.g:
+    Example:
 
-    ``` ruby
-    resources :formats do
-      resources :items
-    end
+    ```ruby
+    protect_from_forgery prepend: true
     ```
 
-    Fix this by using a more restrictive regex pattern that looks for the patterns
-    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
-    allow for multiple closing parenthesis since the route may be of this form:
-
-    ``` ruby
-    get "/books(/:action(.:format))", controller: "books"
-    ```
+    *Eileen M. Uchitelle*
 
-    This probably isn't what's intended since it means that the default index action
-    route doesn't support a format but we have a test for it so we need to allow it.
+*   In url_for, never append a question mark to the URL when the query string
+    is empty anyway.  (It used to do that when called like `url_for(controller:
+    'x', action: 'y', q: {})`.)
 
-    Fixes #28517.
+    *Paul Grayson*
 
-    *Andrew White*
+*   Catch invalid UTF-8 querystring values and respond with BadRequest
 
+    Check querystring params for invalid UTF-8 characters, and raise an
+    ActionController::BadRequest error if present. Previously these strings
+    would typically trigger errors further down the stack.
 
-## Rails 4.2.8 (February 21, 2017) ##
+    *Grey Baker*
 
-*   No changes.
+*   Parse RSS/ATOM responses as XML, not HTML.
 
+    *Alexander Kaupanin*
 
-## Rails 4.2.7 (July 12, 2016) ##
+*   Show helpful message in `BadRequest` exceptions due to invalid path
+    parameter encodings.
 
-*   No changes.
+    Fixes #21923.
 
+    *Agis Anastasopoulos*
 
-## Rails 4.2.6 (March 07, 2016) ##
+*   Add the ability of returning arbitrary headers to ActionDispatch::Static
 
-*   No changes.
+    Now ActionDispatch::Static can accept HTTP headers so that developers
+    will have control of returning arbitrary headers like
+    'Access-Control-Allow-Origin' when a response is delivered. They can be
+    configured with `#config`:
 
+      config.public_file_server.headers = {
+        "Cache-Control"               => "public, max-age=60",
+        "Access-Control-Allow-Origin" => "http://rubyonrails.org"
+      }
 
-## Rails 4.2.5.2 (February 26, 2016) ##
+    *Yuki Nishijima*
 
-*   Do not allow render with unpermitted parameter.
+*   Allow multiple `root` routes in same scope level. Example:
 
-    Fixes CVE-2016-2098.
+    ```ruby
+    root 'blog#show', constraints: ->(req) { Hostname.blog_site?(req.host) }
+    root 'landing#show'
+    ```
+    *Rafael Sales*
 
-    *Arthur Neves*
+*   Fix regression in mounted engine named routes generation for app deployed to
+    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
+    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
 
+    Fixes #20920. Fixes #21459.
 
-## Rails 4.2.5.1 (January 25, 2015) ##
+    *Matthew Erhard*
 
-*   No changes.
+*   ActionDispatch::Response#new no longer applies default headers.  If you want
+    default headers applied to the response object, then call
+    `ActionDispatch::Response.create`.  This change only impacts people who are
+    directly constructing an `ActionDispatch::Response` object.
 
+*   Accessing mime types via constants like `Mime::HTML` is deprecated.  Please
+    change code like this:
 
-## Rails 4.2.5 (November 12, 2015) ##
+      Mime::HTML
 
-*   `ActionController::TestCase` can teardown gracefully if an error is raised
-    early in the `setup` chain.
+    To this:
 
-    *Yves Senn*
+      Mime[:html]
 
-*   Parse RSS/ATOM responses as XML, not HTML.
+    This change is so that Rails will not manage a list of constants, and fixes
+    an issue where if a type isn't registered you could possibly get the wrong
+    object.
 
-    *Alexander Kaupanin*
-
-*   Fix regression in mounted engine named routes generation for app deployed to
-    a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
-    "/subdir/subdir/engine_path" instead of "/subdir/engine_path")
-
-    Fixes #20920. Fixes #21459.
-
-    *Matthew Erhard*
+    `Mime[:html]` is available in older versions of Rails, too, so you can
+    safely change libraries and plugins and maintain compatibility with
+    multiple versions of Rails.
 
 *   `url_for` does not modify its arguments when generating polymorphic URLs.
 
     *Bernerd Schaefer*
 
+*   Make it easier to opt in to `config.force_ssl` and `config.ssl_options` by
+    making them less dangerous to try and easier to disable.
+
+    SSL redirect:
+      * Move `:host` and `:port` options within `redirect: { … }`. Deprecate.
+      * Introduce `:status` and `:body` to customize the redirect response.
+        The 301 permanent default makes it difficult to test the redirect and
+        back out of it since browsers remember the 301. Test with a 302 or 307
+        instead, then switch to 301 once you're confident that all is well.
+
+    HTTP Strict Transport Security (HSTS):
+      * Shorter max-age. Shorten the default max-age from 1 year to 180 days,
+        the low end for https://www.ssllabs.com/ssltest/ grading and greater
+        than the 18-week minimum to qualify for browser preload lists.
+      * Disabling HSTS. Setting `hsts: false` now sets `hsts { expires: 0 }`
+        instead of omitting the header. Omitting does nothing to disable HSTS
+        since browsers hang on to your previous settings until they expire.
+        Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and
+        actually disables HSTS:
+          http://tools.ietf.org/html/rfc6797#section-6.1.1
+      * HSTS Preload. Introduce `preload: true` to set the `preload` flag,
+        indicating that your site may be included in browser preload lists,
+        including Chrome, Firefox, Safari, IE11, and Edge. Submit your site:
+          https://hstspreload.appspot.com
+
+    *Jeremy Daer*
+
 *   Update `ActionController::TestSession#fetch` to behave more like
     `ActionDispatch::Request::Session#fetch` when using non-string keys.
 
     *Jeremy Friesen*
 
+*   Using strings or symbols for middleware class names is deprecated.  Convert
+    things like this:
+
+      middleware.use "Foo::Bar"
+
+    to this:
 
-## Rails 4.2.4 (August 24, 2015) ##
+      middleware.use Foo::Bar
 
 *   ActionController::TestSession now accepts a default value as well as
     a block for generating a default value based off the key provided.
@@ -126,565 +191,417 @@
 
     *Matthew Gerrior*
 
-*   Fix to keep original header instance in `ActionDispatch::SSL`
+*   Fix `ActionController::Parameters#fetch` overwriting `KeyError` returned by
+    default block.
 
-    `ActionDispatch::SSL` changes headers to `Hash`.
-    So some headers will be broken if there are some middlewares
-    on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
+    *Jonas Schuber Erlandsson*, *Roque Pinel*
 
-    *Fumiaki Matsushima*
+*   `ActionController::Parameters` no longer inherits from
+    `HashWithIndifferentAccess`
 
+    Inheriting from `HashWithIndifferentAccess` allowed users to call any
+    enumerable methods on `Parameters` object, resulting in a risk of losing the
+    `permitted?` status or even getting back a pure `Hash` object instead of
+    a `Parameters` object with proper sanitization.
 
-## Rails 4.2.3 (June 25, 2015) ##
+    By not inheriting from `HashWithIndifferentAccess`, we are able to make
+    sure that all methods that are defined in `Parameters` object will return
+    a proper `Parameters` object with a correct `permitted?` flag.
 
-*   Fix rake routes not showing the right format when
-    nesting multiple routes.
-
-    See #18373.
-
-    *Ravil Bayramgalin*
-
-*   Fix regression where a gzip file response would have a Content-type,
-    even when it was a 304 status code.
+    *Prem Sichanugrist*
 
-    See #19271.
+*   Replaced `ActiveSupport::Concurrency::Latch` with `Concurrent::CountDownLatch`
+    from the concurrent-ruby gem.
 
-    *Kohei Suzuki*
+    *Jerry D'Antonio*
 
-*   Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
+*   Add ability to filter parameters based on parent keys.
 
-    Previously, an empty X_FORWARDED_HOST header would cause
-    Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
-    Actiondispatch::Http:URL.host to raise a NoMethodError.
+        # matches {credit_card: {code: "xxxx"}}
+        # doesn't match {file: { code: "xxxx"}}
+        config.filter_parameters += [ "credit_card.code" ]
 
-    *Adam Forsyth*
-
-*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
+    See #13897.
 
-    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
-    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
-    is set, it takes precedence.
+    *Guillaume Malette*
 
-    Fixes #5122.
+*   Deprecate passing first parameter as `Hash` and default status code for `head` method.
 
-    *Yasyf Mohamedali*
+    *Mehmet Emin İNAÇ*
 
-*   Fix regression in functional tests. Responses should have default headers
-    assigned.
+*   Adds`Rack::Utils::ParameterTypeError` and `Rack::Utils::InvalidParameterError`
+    to the rescue_responses hash in `ExceptionWrapper` (Rack recommends
+    integrators serve 400s for both of these).
 
-    See #18423.
+    *Grey Baker*
 
-    *Jeremy Kemper*, *Yves Senn*
+*   Add support for API only apps.
+    ActionController::API is added as a replacement of
+    ActionController::Base for this kind of applications.
 
+    *Santiago Pastorino & Jorge Bejar*
 
-## Rails 4.2.2 (June 16, 2015) ##
+*   Remove `assigns` and `assert_template`. Both methods have been extracted
+    into a gem at https://github.com/rails/rails-controller-testing.
 
-* No Changes *
+    See #18950.
 
+    *Alan Guo Xiang Tan*
 
-## Rails 4.2.1 (March 19, 2015) ##
+*   `FileHandler` and `Static` middleware initializers accept `index` argument
+    to configure the directory index file name. Defaults to `index` (as in
+    `index.html`).
 
-*   Non-string authenticity tokens do not raise NoMethodError when decoding
-    the masked token.
+    See #20017.
 
-    *Ville Lautanala*
+    *Eliot Sykes*
 
-*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
+*   Deprecate `:nothing` option for `render` method.
 
-    Fixes an issue where a mounted rack app at root would intercept the HEAD
-    request causing an incorrect behavior during the fall back to GET requests.
+    *Mehmet Emin İNAÇ*
 
-    Example:
-    ```ruby
-    draw do
-        get '/home' => 'test#index'
-        mount rack_app, at: '/'
-    end
-    head '/home'
-    assert_response :success
-    ```
-    In this case, a HEAD request runs through the routes the first time and fails
-    to match anything. Then, it runs through the list with the fallback and matches
-    `get '/home'`. The original behavior would match the rack app in the first pass.
+*   Fix `rake routes` not showing the right format when
+    nesting multiple routes.
 
-    *Terence Sun*
+    See #18373.
 
-*   Preserve default format when generating URLs
+    *Ravil Bayramgalin*
 
-    Fixes an issue that would cause the format set in default_url_options to be
-    lost when generating URLs with fewer positional arguments than parameters in
-    the route definition.
+*   Add ability to override default form builder for a controller.
 
-    Backport of #18627
+        class AdminController < ApplicationController
+          default_form_builder AdminFormBuilder
+        end
 
-    *Tekin Suleyman*, *Dominic Baggott*
+    *Kevin McPhillips*
 
-*   Default headers, removed in controller actions, are no longer reapplied on
-    the test response.
+*   For actions with no corresponding templates, render `head :no_content`
+    instead of raising an error. This allows for slimmer API controller
+    methods that simply work, without needing further instructions.
 
-    *Jonas Baumann*
+    See #19036.
 
-*   Ensure `append_info_to_payload` is called even if an exception is raised.
+    *Stephen Bussey*
 
-    Fixes an issue where when an exception is raised in the request the additonal
-    payload data is not available.
+*   Provide friendlier access to request variants.
 
-    See:
-    * #14903
-    * https://github.com/roidrage/lograge/issues/37
+        request.variant = :phone
+        request.variant.phone?  # true
+        request.variant.tablet? # false
 
-    *Dieter Komendera*, *Margus Pärt*
+        request.variant = [:phone, :tablet]
+        request.variant.phone?                  # true
+        request.variant.desktop?                # false
+        request.variant.any?(:phone, :desktop)  # true
+        request.variant.any?(:desktop, :watch)  # false
 
-*   Correctly rely on the response's status code to handle calls to `head`.
+    *George Claghorn*
 
-    *Robin Dupret*
+*   Fix regression where a gzip file response would have a Content-type,
+    even when it was a 304 status code.
 
-*   Using `head` method returns empty response_body instead
-    of returning a single space " ".
+    See #19271.
 
-    The old behavior was added as a workaround for a bug in an early
-    version of Safari, where the HTTP headers are not returned correctly
-    if the response body has a 0-length. This is been fixed since and
-    the workaround is no longer necessary.
+    *Kohei Suzuki*
 
-    Fixes #18253.
+*   Fix handling of empty `X_FORWARDED_HOST` header in `raw_host_with_port`.
 
-    *Prathamesh Sonpatki*
+    Previously, an empty `X_FORWARDED_HOST` header would cause
+    `Actiondispatch::Http:URL.raw_host_with_port` to return `nil`, causing
+    `Actiondispatch::Http:URL.host` to raise a `NoMethodError`.
 
-*   Fix how polymorphic routes works with objects that implement `to_model`.
+    *Adam Forsyth*
 
-    *Travis Grathwell*
+*   Allow `Bearer` as token-keyword in `Authorization-Header`.
 
-*   Fixed handling of positional url helper arguments when `format: false`.
+    Aditionally to `Token`, the keyword `Bearer` is acceptable as a keyword
+    for the auth-token. The `Bearer` keyword is described in the original
+    OAuth RFC and used in libraries like Angular-JWT.
 
-    Fixes #17819.
+    See #19094.
 
-    *Andrew White*, *Tatiana Soukiassian*
+    *Peter Schröder*
 
-*   Fixed usage of optional scopes in URL helpers.
+*   Drop request class from RouteSet constructor.
 
-    *Alex Robbin*
+    If you would like to use a custom request class, please subclass and implement
+    the `request_class` method.
 
+    *tenderlove@ruby-lang.org*
 
-## Rails 4.2.0 (December 20, 2014) ##
+*   Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
 
-*   Add `ActionController::Parameters#to_unsafe_h` to return an unfiltered
-    `Hash` representation of Parameters object. This is now a preferred way to
-    retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
-    object in Rails 5.0.
+    Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
+    prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
+    is set, it takes precedence.
 
-    *Prem Sichanugrist*
+    Fixes #5122.
 
-*   Restore handling of a bare `Authorization` header, without `token=`
-    prefix.
+    *Yasyf Mohamedali*
 
-    Fixes #17108.
+*   Partitioning of routes is now done when the routes are being drawn. This
+    helps to decrease the time spent filtering the routes during the first request.
 
     *Guo Xiang Tan*
 
-*   Deprecate use of string keys in URL helpers.
-
-    Use symbols instead.
-    Fixes #16958.
+*   Fix regression in functional tests. Responses should have default headers
+    assigned.
 
-    *Byron Bischoff*, *Melanie Gilman*
+    See #18423.
 
-*   Deprecate the `only_path` option on `*_path` helpers.
+    *Jeremy Kemper*, *Yves Senn*
 
-    In cases where this option is set to `true`, the option is redundant and can
-    be safely removed; otherwise, the corresponding `*_url` helper should be
-    used instead.
+*   Deprecate AbstractController#skip_action_callback in favor of individual skip_callback methods
+    (which can be made to raise an error if no callback was removed).
 
-    Fixes #17294.
+    *Iain Beeston*
 
-    *Dan Olson*, *Godfrey Chan*
+*   Alias the `ActionDispatch::Request#uuid` method to `ActionDispatch::Request#request_id`.
+    Due to implementation, `config.log_tags = [:request_id]` also works in substitute
+    for `config.log_tags = [:uuid]`.
 
-*   Improve Journey compliance to RFC 3986.
+    *David Ilizarov*
 
-    The scanner in Journey failed to recognize routes that use literals
-    from the sub-delims section of RFC 3986. It's now able to parse those
-    authorized delimiters and route as expected.
+*   Change filter on /rails/info/routes to use an actual path regexp from rails
+    and not approximate javascript version. Oniguruma supports much more
+    extensive list of features than javascript regexp engine.
 
-    Fixes #17212.
+    Fixes #18402.
 
-    *Nicolas Cavigneaux*
+    *Ravil Bayramgalin*
 
-*   Deprecate implicit Array conversion for Response objects. It was added
-    (using `#to_ary`) so we could conveniently use implicit splatting:
+*   Non-string authenticity tokens do not raise NoMethodError when decoding
+    the masked token.
 
-        status, headers, body = response
+    *Ville Lautanala*
 
-    But it also means `response + response` works and `[response].flatten`
-    cascades down to the Rack body. Nonsense behavior. Instead, rely on
-    explicit conversion and splatting with `#to_a`:
+*   Add `http_cache_forever` to Action Controller, so we can cache a response
+    that never gets expired.
 
-        status, header, body = *response
+    *arthurnn*
 
-    *Jeremy Kemper*
+*   `ActionController#translate` supports symbols as shortcuts.
+    When a shortcut is given it also performs the lookup without the action
+    name.
 
-*   Don't rescue `IPAddr::InvalidAddressError`.
+    *Max Melentiev*
 
-    `IPAddr::InvalidAddressError` does not exist in Ruby 1.9.3
-    and fails for JRuby in 1.9 mode.
+*   Expand `ActionController::ConditionalGet#fresh_when` and `stale?` to also
+    accept a collection of records as the first argument, so that the
+    following code can be written in a shorter form.
 
-    *Peter Suschlik*
+        # Before
+        def index
+          @articles = Article.all
+          fresh_when(etag: @articles, last_modified: @articles.maximum(:updated_at))
+        end
 
-*   Fix bug where the router would ignore any constraints added to redirect
-    routes.
+        # After
+        def index
+          @articles = Article.all
+          fresh_when(@articles)
+        end
 
-    Fixes #16605.
+    *claudiob*
 
-    *Agis Anastasopoulos*
+*   Explicitly ignored wildcard verbs when searching for HEAD routes before fallback
 
-*   Allow `config.action_dispatch.trusted_proxies` to accept an IPAddr object.
+    Fixes an issue where a mounted rack app at root would intercept the HEAD
+    request causing an incorrect behavior during the fall back to GET requests.
 
     Example:
 
-        # config/environments/production.rb
-        config.action_dispatch.trusted_proxies = IPAddr.new('4.8.15.0/16')
-
-    *Sam Aarons*
-
-*   Avoid duplicating routes for HEAD requests.
-
-    Instead of duplicating the routes, we will first match the HEAD request to
-    HEAD routes. If no match is found, we will then map the HEAD request to
-    GET routes.
-
-    *Guo Xiang Tan*, *Andrew White*
-
-*   Requests that hit `ActionDispatch::Static` can now take advantage
-    of gzipped assets on disk. By default a gzip asset will be served if
-    the client supports gzip and a compressed file is on disk.
-
-    *Richard Schneeman*
-
-*   `ActionController::Parameters` will stop inheriting from `Hash` and
-    `HashWithIndifferentAccess` in the next major release. If you use any method
-    that is not available on `ActionController::Parameters` you should consider
-    calling `#to_h` to convert it to a `Hash` first before calling that method.
-
-    *Prem Sichanugrist*
-
-*   `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
-    keys removed. This change is to reflect on a security concern where some
-    method performed on an `ActionController::Parameters` may yield a `Hash`
-    object which does not maintain `permitted?` status. If you would like to
-    get a `Hash` with all the keys intact, duplicate and mark it as permitted
-    before calling `#to_h`.
-
-        params = ActionController::Parameters.new({
-          name: 'Senjougahara Hitagi',
-          oddity: 'Heavy stone crab'
-        })
-        params.to_h
-        # => {}
-
-        unsafe_params = params.dup.permit!
-        unsafe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
-
-        safe_params = params.permit(:name)
-        safe_params.to_h
-        # => {"name"=>"Senjougahara Hitagi"}
-
-    This change is consider a stopgap as we cannot change the code to stop
-    `ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
-    in the next minor release.
-
-    *Prem Sichanugrist*
-
-*   Deprecated `TagAssertions`.
-
-    *Kasper Timm Hansen*
-
-*   Use the Active Support JSON encoder for cookie jars using the `:json` or
-    `:hybrid` serializer. This allows you to serialize custom Ruby objects into
-    cookies by defining the `#as_json` hook on such objects.
-
-    Fixes #16520.
-
-    *Godfrey Chan*
-
-*   Add `config.action_dispatch.cookies_digest` option for setting custom
-    digest. The default remains the same - 'SHA1'.
-
-    *Łukasz Strzałkowski*
-
-*   Move `respond_with` (and the class-level `respond_to`) to
-    the `responders` gem.
-
-    *José Valim*
-
-*   When your templates change, browser caches bust automatically.
-
-    New default: the template digest is automatically included in your ETags.
-    When you call `fresh_when @post`, the digest for `posts/show.html.erb`
-    is mixed in so future changes to the HTML will blow HTTP caches for you.
-    This makes it easy to HTTP-cache many more of your actions.
-
-    If you render a different template, you can now pass the `:template`
-    option to include its digest instead:
-
-        fresh_when @post, template: 'widgets/show'
-
-    Pass `template: false` to skip the lookup. To turn this off entirely, set:
-
-        config.action_controller.etag_with_template_digest = false
-
-    *Jeremy Kemper*
-
-*   Remove deprecated `AbstractController::Helpers::ClassMethods::MissingHelperError`
-    in favor of `AbstractController::Helpers::MissingHelperError`.
-
-    *Yves Senn*
-
-*   Fix `assert_template` not being able to assert that no files were rendered.
-
-    *Guo Xiang Tan*
-
-*   Extract source code for the entire exception stack trace for
-    better debugging and diagnosis.
-
-    *Ryan Dao*
-
-*   Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
-    loopback address.
-
-    *Earl St Sauver*, *Sven Riedel*
-
-*   Preserve original path in `ShowExceptions` middleware by stashing it as
-    `env["action_dispatch.original_path"]`
-
-    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
-    for the exception defined in `ExceptionWrapper`, so the path
-    the user was visiting when an exception occurred was not previously
-    available to any custom exceptions_app. The original `PATH_INFO` is now
-    stashed in `env["action_dispatch.original_path"]`.
-
-    *Grey Baker*
-
-*   Use `String#bytesize` instead of `String#size` when checking for cookie
-    overflow.
-
-    *Agis Anastasopoulos*
-
-*   `render nothing: true` or rendering a `nil` body no longer add a single
-    space to the response body.
-
-    The old behavior was added as a workaround for a bug in an early version of
-    Safari, where the HTTP headers are not returned correctly if the response
-    body has a 0-length. This is been fixed since and the workaround is no
-    longer necessary.
-
-    Use `render body: ' '` if the old behavior is desired.
-
-    See #14883 for details.
-
-    *Godfrey Chan*
-
-*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
-    ("Rosetta Flash").
-
-    *Greg Campbell*
+        draw do
+            get '/home' => 'test#index'
+            mount rack_app, at: '/'
+        end
+        head '/home'
+        assert_response :success
 
-*   Because URI paths may contain non US-ASCII characters we need to force
-    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
-    This essentially replicates the functionality of the monkey patch to
-    URI.parser.unescape in active_support/core_ext/uri.rb.
-
-    Fixes #16104.
-
-    *Karl Entwistle*
-
-*   Generate shallow paths for all children of shallow resources.
-
-    Fixes #15783.
+    In this case, a HEAD request runs through the routes the first time and fails
+    to match anything. Then, it runs through the list with the fallback and matches
+    `get '/home'`. The original behavior would match the rack app in the first pass.
 
-    *Seb Jacobs*
+    *Terence Sun*
 
-*   JSONP responses are now rendered with the `text/javascript` content type
-    when rendering through a `respond_to` block.
+*   Migrating xhr methods to keyword arguments syntax
+    in `ActionController::TestCase` and `ActionDispatch::Integration`
 
-    Fixes #15081.
+    Old syntax:
 
-    *Lucas Mazza*
+        xhr :get, :create, params: { id: 1 }
 
-*   Add `config.action_controller.always_permitted_parameters` to configure which
-    parameters are permitted globally. The default value of this configuration is
-    `['controller', 'action']`.
+    New syntax example:
 
-    *Gary S. Weaver*, *Rafael Chacon*
+        get :create, params: { id: 1 }, xhr: true
 
-*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
+    *Kir Shatrov*
 
-    Fixes #15511.
+*   Migrating to keyword arguments syntax in `ActionController::TestCase` and
+    `ActionDispatch::Integration` HTTP request methods.
 
-    *Larry Lv*
+    Example:
 
-*   ActionController::Parameters#require now accepts `false` values.
+        post :create, params: { y: x }, session: { a: 'b' }
+        get :view, params: { id: 1 }
+        get :view, params: { id: 1 }, format: :json
 
-    Fixes #15685.
+    *Kir Shatrov*
 
-    *Sergio Romano*
+*   Preserve default url options when generating URLs.
 
-*   With authorization header `Authorization: Token token=`, `authenticate` now
-    recognize token as nil, instead of "token".
+    Fixes an issue that would cause `default_url_options` to be lost when
+    generating URLs with fewer positional arguments than parameters in the
+    route definition.
 
-    Fixes #14846.
+    *Tekin Suleyman*
 
-    *Larry Lv*
+*   Deprecate `*_via_redirect` integration test methods.
 
-*   Ensure the controller is always notified as soon as the client disconnects
-    during live streaming, even when the controller is blocked on a write.
+    Use `follow_redirect!` manually after the request call for the same behavior.
 
-    *Nicholas Jakobsen*, *Matthew Draper*
+    *Aditya Kapoor*
 
-*   Routes specifying 'to:' must be a string that contains a "#" or a rack
-    application.  Use of a symbol should be replaced with `action: symbol`.
-    Use of a string without a "#" should be replaced with `controller: string`.
+*   Add `ActionController::Renderer` to render arbitrary templates
+    outside controller actions.
 
-    *Aaron Patterson*
+    Its functionality is accessible through class methods `render` and
+    `renderer` of `ActionController::Base`.
 
-*   Fix URL generation with `:trailing_slash` such that it does not add
-    a trailing slash after `.:format`
+    *Ravil Bayramgalin*
 
-    *Dan Langevin*
+*   Support `:assigns` option when rendering with controllers/mailers.
 
-*   Build full URI as string when processing path in integration tests for
-    performance reasons. One consequence of this is that the leading slash
-    is now required in integration test `process` helpers, whereas previously
-    it could be omitted. The fact that this worked was a unintended consequence
-    of the implementation and was never an intentional feature.
+    *Ravil Bayramgalin*
 
-    *Guo Xiang Tan*
+*   Default headers, removed in controller actions, are no longer reapplied on
+    the test response.
 
-*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
-    called 'status' in a controller.
+    *Jonas Baumann*
 
-    Fixes #13905.
+*   Deprecate all `*_filter` callbacks in favor of `*_action` callbacks.
 
-    *Christiaan Van den Poel*
+    *Rafael Mendonça França*
 
-*   Add MKCALENDAR HTTP method (RFC 4791).
+*   Allow you to pass `prepend: false` to `protect_from_forgery` to have the
+    verification callback appended instead of prepended to the chain.
+    This allows you to let the verification step depend on prior callbacks.
 
-    *Sergey Karpesh*
+    Example:
 
-*   Instrument fragment cache metrics.
+        class ApplicationController < ActionController::Base
+          before_action :authenticate
+          protect_from_forgery prepend: false, unless: -> { @authenticated_by.oauth? }
 
-    Adds `:controller`: and `:action` keys to the instrumentation payload
-    for the `*_fragment.action_controller` notifications. This allows tracking
-    e.g. the fragment cache hit rates for each controller action.
+          private
+            def authenticate
+              if oauth_request?
+                # authenticate with oauth
+                @authenticated_by = 'oauth'.inquiry
+              else
+                # authenticate with cookies
+                @authenticated_by = 'cookie'.inquiry
+              end
+            end
+        end
 
-    *Daniel Schierbeck*
+    *Josef Šimánek*
 
-*   Always use the provided port if the protocol is relative.
+*   Remove `ActionController::HideActions`.
 
-    Fixes #15043.
+    *Ravil Bayramgalin*
 
-    *Guilherme Cavalcanti*, *Andrew White*
+*   Remove `respond_to`/`respond_with` placeholder methods, this functionality
+    has been extracted to the `responders` gem.
 
-*   Moved `params[request_forgery_protection_token]` into its own method
-    and improved tests.
+    *Carlos Antonio da Silva*
 
-    Fixes #11316.
+*   Remove deprecated assertion files.
 
-    *Tom Kadwill*
+    *Rafael Mendonça França*
 
-*   Added verification of route constraints given as a Proc or an object responding
-    to `:matches?`. Previously, when given an non-complying object, it would just
-    silently fail to enforce the constraint. It will now raise an `ArgumentError`
-    when setting up the routes.
+*   Remove deprecated usage of string keys in URL helpers.
 
-    *Xavier Defrang*
+    *Rafael Mendonça França*
 
-*   Properly treat the entire IPv6 User Local Address space as private for
-    purposes of remote IP detection. Also handle uppercase private IPv6
-    addresses.
+*   Remove deprecated `only_path` option on `*_path` helpers.
 
-    Fixes #12638.
+    *Rafael Mendonça França*
 
-    *Caleb Spare*
+*   Remove deprecated `NamedRouteCollection#helpers`.
 
-*   Fixed an issue with migrating legacy json cookies.
+    *Rafael Mendonça França*
 
-    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
-    cookies are marshal-encoded. This is not the case when `secret_token` is
-    used in conjunction with the `:json` or `:hybrid` serializer.
+*   Remove deprecated support to define routes with `:to` option that doesn't contain `#`.
 
-    In those case, when upgrading to use `secret_key_base`, this would cause a
-    `TypeError: incompatible marshal file format` and a 500 error for the user.
+    *Rafael Mendonça França*
 
-    Fixes #14774.
+*   Remove deprecated `ActionDispatch::Response#to_ary`.
 
-    *Godfrey Chan*
+    *Rafael Mendonça França*
 
-*   Make URL escaping more consistent:
+*   Remove deprecated `ActionDispatch::Request#deep_munge`.
 
-    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
-    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
-    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
-    4. Use `escape_segment` rather than `escape_path` in URL generation
+    *Rafael Mendonça França*
 
-    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
-    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
-    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
-    is used in the path then this uses `escape_path` as the controller may be namespaced.
+*   Remove deprecated `ActionDispatch::Http::Parameters#symbolized_path_parameters`.
 
-    Fixes #14629, #14636 and #14070.
+    *Rafael Mendonça França*
 
-    *Andrew White*, *Edho Arief*
+*   Remove deprecated option `use_route` in controller tests.
 
-*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
-    `ActionDispatch::Http::UploadedFile#tempfile`.
+    *Rafael Mendonça França*
 
-    *Tim Linquist*
+*   Ensure `append_info_to_payload` is called even if an exception is raised.
 
-*   Returns null type format when format is not know and controller is using `any`
-    format block.
+    Fixes an issue where when an exception is raised in the request the additional
+    payload data is not available.
 
-    Fixes #14462.
+    See:
+    * #14903
+    * https://github.com/roidrage/lograge/issues/37
 
-    *Rafael Mendonça França*
+    *Dieter Komendera*, *Margus Pärt*
 
-*   Improve routing error page with fuzzy matching search.
+*   Correctly rely on the response's status code to handle calls to `head`.
 
-    *Winston*
+    *Robin Dupret*
 
-*   Only make deeply nested routes shallow when parent is shallow.
+*   Using `head` method returns empty response_body instead
+    of returning a single space " ".
 
-    Fixes #14684.
+    The old behavior was added as a workaround for a bug in an early
+    version of Safari, where the HTTP headers are not returned correctly
+    if the response body has a 0-length. This is been fixed since and
+    the workaround is no longer necessary.
 
-    *Andrew White*, *James Coglan*
+    Fixes #18253.
 
-*   Append link to bad code to backtrace when exception is `SyntaxError`.
+    *Prathamesh Sonpatki*
 
-    *Boris Kuznetsov*
+*   Fix how polymorphic routes works with objects that implement `to_model`.
 
-*   Swapped the parameters of assert_equal in `assert_select` so that the
-    proper values were printed correctly.
+    *Travis Grathwell*
 
-    Fixes #14422.
+*   Stop converting empty arrays in `params` to `nil`.
 
-    *Vishal Lal*
+    This behavior was introduced in response to CVE-2012-2660, CVE-2012-2694
+    and CVE-2013-0155
 
-*   The method `shallow?` returns false if the parent resource is a singleton so
-    we need to check if we're not inside a nested scope before copying the :path
-    and :as options to their shallow equivalents.
+    ActiveRecord now issues a safe query when passing an empty array into
+    a where clause, so there is no longer a need to defend against this type
+    of input (any nils are still stripped from the array).
 
-    Fixes #14388.
+    *Chris Sinjakli*
 
-    *Andrew White*
+*   Fixed usage of optional scopes in url helpers.
 
-*   Make logging of CSRF failures optional (but on by default) with the
-    `log_warning_on_csrf_failure` configuration setting in
-    `ActionController::RequestForgeryProtection`.
+    *Alex Robbin*
 
-    *John Barton*
+*   Fixed handling of positional url helper arguments when `format: false`.
 
-*   Fix URL generation in controller tests with request-dependent
-    `default_url_options` methods.
+    Fixes #17819.
 
-    *Tony Wooster*
+    *Andrew White*, *Tatiana Soukiassian*
 
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [4-2-stable](https://github.com/rails/rails/blob/4-2-stable/actionpack/CHANGELOG.md) for previous changes.