actionpack 7.0.0.rc3 → 7.0.0


Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

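--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: b86d196896cf1c4cb68e9c778408c4e06ff5917ffc5f4f380c94f5e197fcccd6
- data.tar.gz: 191f09952edee10c8d6878fb4c787095648851a14362331a56ef7552c9ddf37a
+ metadata.gz: d79cdcfed6867089ed24ecf0bc02b3d82b461df4de9e4c991ceadf17a63e73ef
+ data.tar.gz: 9b9dde19de31d0f37ff14c4ffe053c2a3110cab6a68613a4c725e7a184cb0602
  SHA512:
- metadata.gz: 0ff06df26039c939836c24645e0b53c486cb44590a0454eb9cde3ff685bff3eab71039d5d4fb4e338f5e6d7dcd7e448294144a1782dcec92385c6b78297f39f1
- data.tar.gz: a68168892d623e72994383f24719aab1c9a648d149fc997ccac683dee3fe22c7b1c223a83936a743afff54030cc27c1a0572d891e4109437463fb21c09598bee
+ metadata.gz: 59f401a0ee0946d52261245762378ae29a5a13199e930a85b95c8891c2c02161757b763d4a780d571bec902db6f89f210664f2b1d06a91e98a811f27da52ba3f
+ data.tar.gz: 827e05337ec713bc3f47c5bf16df5ecf0217f3e2a1d293b24c2bd28a797c6c455f1301670c1292e350c2646e9eca3e368f2ce65bf392dbbff88bd2e6a1fc19af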
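--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,16 @@
+ ## Rails 7.0.0 (December 15, 2021) ##
+
+ * Deprecate `Rails.application.config.action_controller.urlsafe_csrf_tokens`. This config is now always enabled.
+
+ *Étienne Barrié*
+
+ * Instance variables set in requests in a `ActionController::TestCase` are now cleared before the next request
+
+ This means if you make multiple requests in the same test, instance variables set in the first request will
+ not persist into the second one. (It's not recommended to make multiple requests in the same test.)
+
+ *Alex Ghiculescu*
+
  ## Rails 7.0.0.rc3 (December 14, 2021) ##
 
  * No changes.
@@ -7,6 +20,8 @@
 
  * Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
 
+ ## Rails 7.0.0.rc1 (December 06, 2021) ##
+
  * `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
 
  This helps to better simulate request or job local state being reset between requests and prevent state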
@@ -92,7 +92,16 @@ module ActionController # :nodoc:
92
92
 
93
93
  # Controls whether URL-safe CSRF tokens are generated.
94
94
  config_accessor :urlsafe_csrf_tokens, instance_writer: false
95
- self.urlsafe_csrf_tokens = false
95
+ self.urlsafe_csrf_tokens = true
96
+
97
+ singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
98
+ if urlsafe_csrf_tokens
99
+ ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
100
+ else
101
+ ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
102
+ end
103
+ config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
104
+ end
96
105
 
97
106
  helper_method :form_authenticity_token
98
107
  helper_method :protect_against_forgery?
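Review bot: The comment `# Controls whether URL-safe CSRF tokens are generated.` above `config_accessor :urlsafe_csrf_tokens` is stale now that the changelog says the setting is always enabled, and the redefined setter still stores whatever value it receives, so the reader can return `false` after a deprecated assignment. Whether anything still consumes that value is not visible in this hunk. If nothing does, the comment should say so, for example `# Deprecated: URL-safe CSRF tokens are always generated; assigning this only emits a deprecation warning.` The enclosing module body continues outside the hunk.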
@@ -963,7 +963,7 @@ module ActionController
963
963
  when Array
964
964
  return value if converted_arrays.member?(value)
965
965
  converted = value.map { |_| convert_value_to_parameters(_) }
966
- converted_arrays << converted
966
+ converted_arrays << converted.dup
967
967
  converted
968
968
  when Hash
969
969
  self.class.new(value)
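Review bot: The `.dup` in `converted_arrays << converted.dup` has no comment, and the reason for it is not obvious from the hunk. `converted` is returned to the caller on the next line, so without the copy a caller that mutates the returned array would also change the entry that `converted_arrays.member?(value)` compares against; the copy appears to store a snapshot instead. A one-line comment such as `# Track a copy so in-place mutation of the returned array does not alter the tracked entry.` would keep a later cleanup from removing it. The definition of `converted_arrays` and the rest of the method are outside the hunk.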
@@ -4,6 +4,15 @@ module ActionController
4
4
  module Testing
5
5
  # Behavior specific to functional tests
6
6
  module Functional # :nodoc:
7
+ def clear_instance_variables_between_requests
8
+ if defined?(@_ivars)
9
+ new_ivars = instance_variables - @_ivars
10
+ new_ivars.each { |ivar| remove_instance_variable(ivar) }
11
+ end
12
+
13
+ @_ivars = instance_variables
14
+ end
15
+
7
16
  def recycle!
8
17
  @_url_options = nil
9
18
  self.formats = nil
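Review bot: `clear_instance_variables_between_requests` is added without a comment, and its baseline behaviour is easy to misread. The first call only records `instance_variables` in `@_ivars`; later calls remove the variables defined since that snapshot, so a variable that already existed at the first call keeps whatever value a request assigned to it. A short comment would make that explicit, for example `# Removes ivars defined since the previous call; ivars present at the first call are kept and not reset.` The `Functional` module continues outside the hunk.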
@@ -465,9 +465,15 @@ module ActionController
465
465
  # prefer using #get, #post, #patch, #put, #delete and #head methods
466
466
  # respectively which will make tests more expressive.
467
467
  #
468
+ # It's not recommended to make more than one request in the same test. Instance
469
+ # variables that are set in one request will not persist to the next request,
470
+ # but it's not guaranteed that all Rails internal state will be reset. Prefer
471
+ # ActionDispatch::IntegrationTest for making multiple requests in the same test.
472
+ #
468
473
  # Note that the request method is not verified.
469
474
  def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
470
475
  check_required_ivars
476
+ @controller.clear_instance_variables_between_requests
471
477
 
472
478
  action = +action.to_s
473
479
  http_method = method.to_s.upcase
@@ -16,7 +16,16 @@ module ActionDispatch
16
16
  # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
17
17
  # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
18
18
  class HostAuthorization
19
- ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", /\A([a-z0-9-]+\.)?localhost:\d+\z/, IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
19
+ ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
20
+ PORT_REGEX = /(?::\d+)/ # :nodoc:
21
+ IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
22
+ IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
23
+ IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
24
+ VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
25
+ /\A#{IPV4_HOSTNAME}\z/,
26
+ /\A#{IPV6_HOSTNAME}\z/,
27
+ /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
28
+ )
20
29
 
21
30
  class Permissions # :nodoc:
22
31
  def initialize(hosts)
@@ -29,11 +38,17 @@ module ActionDispatch
29
38
 
30
39
  def allows?(host)
31
40
  @hosts.any? do |allowed|
32
- allowed === host
33
- rescue
34
- # IPAddr#=== raises an error if you give it a hostname instead of
35
- # IP. Treat similar errors as blocked access.
36
- false
41
+ if allowed.is_a?(IPAddr)
42
+ begin
43
+ allowed === extract_hostname(host)
44
+ rescue
45
+ # IPAddr#=== raises an error if you give it a hostname instead of
46
+ # IP. Treat similar errors as blocked access.
47
+ false
48
+ end
49
+ else
50
+ allowed === host
51
+ end
37
52
  end
38
53
  end
39
54
 
@@ -49,16 +64,20 @@ module ActionDispatch
49
64
  end
50
65
 
51
66
  def sanitize_regexp(host)
52
- /\A#{host}\z/
67
+ /\A#{host}#{PORT_REGEX}?\z/
53
68
  end
54
69
 
55
70
  def sanitize_string(host)
56
71
  if host.start_with?(".")
57
- /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}\z/i
72
+ /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
58
73
  else
59
- /\A#{Regexp.escape host}\z/i
74
+ /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
60
75
  end
61
76
  end
77
+
78
+ def extract_hostname(host)
79
+ host.slice(VALID_IP_HOSTNAME, "host") || host
80
+ end
62
81
  end
63
82
 
64
83
  class DefaultResponseApp # :nodoc:
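Review bot: In the second hunk of this file, `allows?` now rescues only inside the `allowed.is_a?(IPAddr)` branch, so an exception raised by `allowed === host` for any other entry type is no longer turned into `false` and would propagate out of the host check. Regexp entries are unlikely to raise, but the visible code does not show which other objects can reach `@hosts`, so the earlier fail-closed behaviour is worth keeping: compute `candidate = allowed.is_a?(IPAddr) ? extract_hostname(host) : host` and leave `allowed === candidate` under the original block-level `rescue`. `extract_hostname` in the third hunk returns the raw host when `VALID_IP_HOSTNAME` does not match and relies on that rescue to block it, which deserves a one-line comment. The class body starts and ends outside these hunks.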
@@ -42,7 +42,7 @@ module ActionDispatch
42
42
  #
43
43
  # +take_failed_screenshot+ is called during system test teardown.
44
44
  def take_failed_screenshot
45
- take_screenshot if failed? && supports_screenshot?
45
+ take_screenshot if failed? && supports_screenshot? && Capybara::Session.instance_created?
46
46
  end
47
47
 
48
48
  private
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 0
13
- PRE = "rc3"
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
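--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: actionpack
  version: !ruby/object:Gem::Version
- version: 7.0.0.rc3
+ version: 7.0.0
  platform: ruby
  authors:
  - David Heinemeier Hansson
- autorequire:
+ autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-12-14 00:00:00.000000000 Z
+ date: 2021-12-15 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.0.rc3
+ version: 7.0.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.0.rc3
+ version: 7.0.0
  - !ruby/object:Gem::Dependency
  name: rack
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.0.rc3
+ version: 7.0.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.0.rc3
+ version: 7.0.0
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.0.rc3
+ version: 7.0.0
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.0.rc3
+ version: 7.0.0
  description: Web apps on Rails. Simple, battle-tested conventions for building and
  testing MVC web applications. Works with any Rack-compatible server.
  email: david@loudthinking.com
@@ -310,12 +310,12 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v7.0.0.rc3/actionpack/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.0.rc3/
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.0/actionpack/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.0/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.0.rc3/actionpack
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.0/actionpack
  rubygems_mfa_required: 'true'
- post_install_message:
+ post_install_message:
  rdoc_options: []
  require_paths:
  - lib
@@ -326,13 +326,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
  version: 2.7.0
  required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
- - - ">"
+ - - ">="
  - !ruby/object:Gem::Version
- version: 1.3.1
+ version: '0'
  requirements:
  - none
- rubygems_version: 3.2.15
- signing_key:
+ rubygems_version: 3.2.32
+ signing_key:
  specification_version: 4
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
  test_files: []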