2018-08-13 13:56:26 -04:00
|
|
|
* Purpose metadata for signed/encrypted cookies.
|
|
|
|
|
|
|
|
|
|
Rails can now thwart attacks that attempt to copy signed/encrypted value
|
|
|
|
|
of a cookie and use it as the value of another cookie.
|
|
|
|
|
|
|
|
|
|
It does so by stashing the cookie-name in the purpose field which is
|
|
|
|
|
then signed/encrypted along with the cookie value. Then, on a server-side
|
|
|
|
|
read, we verify the cookie-names and discard any attacked cookies.
|
|
|
|
|
|
|
|
|
|
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
|
|
|
|
|
writes cookies with the new purpose and expiry metadata embedded.
|
|
|
|
|
|
|
|
|
|
Pull Request: #32937
|
|
|
|
|
|
|
|
|
|
*Assain Jaleel*
|
|
|
|
|
|
2018-07-31 07:20:08 -04:00
|
|
|
* Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
|
2018-07-26 12:29:57 -04:00
|
|
|
|
|
|
|
|
`respond_to` can match multiple types and lead to undefined behavior when
|
|
|
|
|
multiple invocations are made and the types do not match:
|
|
|
|
|
|
|
|
|
|
respond_to do |outer_type|
|
|
|
|
|
outer_type.js do
|
|
|
|
|
respond_to do |inner_type|
|
|
|
|
|
inner_type.html { render body: "HTML" }
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
*Patrick Toomey*
|
|
|
|
|
|
Add implicit to path conversion to uploaded file (#28676)
* Add implicit to path conversion to uploaded file
Ruby has a few implicit conversion protocols (e.g. `to_hash`, `to_str`,
`to_path`, etc.). These are considered implicit conversion protocols
because in certain instances Ruby (MRI core objects) will check if an
argument responds to the appropriate protocol and automatically convert
it when it does; this is why you can provide a `Pathname` instance into
`File.read` without having to explicitly call `to_s`.
```ruby
a_file_path = 'some/path/file.ext'
File.write a_file_path, 'String Path Content'
File.read a_file_path
a_pathname = Pathname(a_file_path)
File.write core_file, 'Pathname Content'
File.read a_file_path
core_file = File.new(a_pathname)
File.write core_file, 'File Content'
File.read core_file
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Tempfile Content'
File.read tmp_file
```
So how does an uploaded file work in such cases?
```ruby
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Uploaded Content'
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
File.read uploaded_file
```
It fails with a `TypeError`:
no implicit conversion of ActionDispatch::Http::UploadedFile into String
In order to make an uploaded file work it must be explicitly converted
to a file path using `path`.
```ruby
File.read uploaded_file.path
```
This requires any code that expects path/file like objects to either
special case an uploaded file, re-implement the path conversion protocol
to use `path`, or forces the developer to explicitly cast uploaded files
to paths. This last option can sometimes be difficult to do when such
calls are deep within the inner workings of libraries.
Since an uploaded file already has a path it makes sense to implement
the implicit "path" conversion protocol (just like `File` and
`Tempfile`). This change allows uploaded file content to be treated more
closely to regular file content, without requiring any special case
handling or explicit conversion for common file utilities.
* Note uploaded file path delegation in CHANGELOG
2018-07-22 04:00:40 -04:00
|
|
|
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
|
|
|
|
|
|
|
|
|
|
This allows uploaded file objects to be passed directly to `File.read`
|
|
|
|
|
without raising a `TypeError`:
|
|
|
|
|
|
|
|
|
|
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
|
|
|
|
|
File.read(uploaded_file)
|
|
|
|
|
|
|
|
|
|
*Aaron Kromer*
|
|
|
|
|
|
2018-07-05 16:51:52 -04:00
|
|
|
* Pass along arguments to underlying `get` method in `follow_redirect!`
|
|
|
|
|
|
|
|
|
|
Now all arguments passed to `follow_redirect!` are passed to the underlying
|
|
|
|
|
`get` method. This for example allows to set custom headers for the
|
|
|
|
|
redirection request to the server.
|
|
|
|
|
|
|
|
|
|
follow_redirect!(params: { foo: :bar })
|
|
|
|
|
|
|
|
|
|
*Remo Fritzsche*
|
|
|
|
|
|
2018-06-19 15:59:35 -04:00
|
|
|
* Introduce a new error page to when the implicit render page is accessed in the browser.
|
2018-02-01 09:47:42 -05:00
|
|
|
|
2018-04-20 16:36:34 -04:00
|
|
|
Now instead of showing an error page that with exception and backtraces we now show only
|
|
|
|
|
one informative page.
|
|
|
|
|
|
|
|
|
|
*Vinicius Stock*
|
|
|
|
|
|
2016-02-24 16:19:57 -05:00
|
|
|
* Introduce ActionDispatch::DebugExceptions.register_interceptor
|
|
|
|
|
|
|
|
|
|
Exception aware plugin authors can use the newly introduced
|
|
|
|
|
`.register_interceptor` method to get the processed exception, instead of
|
|
|
|
|
monkey patching DebugExceptions.
|
|
|
|
|
|
|
|
|
|
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
|
|
|
|
|
HypoteticalPlugin.capture_exception(request, exception)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
*Genadi Samokovarov*
|
|
|
|
|
|
2018-04-17 05:48:29 -04:00
|
|
|
* Output only one Content-Security-Policy nonce header value per request.
|
|
|
|
|
|
2018-04-19 04:50:09 -04:00
|
|
|
Fixes #32597.
|
2018-04-17 05:48:29 -04:00
|
|
|
|
2018-04-18 03:44:48 -04:00
|
|
|
*Andrey Novikov*, *Andrew White*
|
2018-04-17 05:48:29 -04:00
|
|
|
|
2018-04-06 15:13:28 -04:00
|
|
|
* Move default headers configuration into their own module that can be included in controllers.
|
|
|
|
|
|
|
|
|
|
*Kevin Deisz*
|
|
|
|
|
|
2018-04-06 08:02:44 -04:00
|
|
|
* Add method `dig` to `session`.
|
|
|
|
|
|
|
|
|
|
*claudiob*, *Takumi Shotoku*
|
|
|
|
|
|
Deprecate controller level force_ssl
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
2018-03-17 12:04:52 -04:00
|
|
|
* Controller level `force_ssl` has been deprecated in favor of
|
|
|
|
|
`config.force_ssl`.
|
|
|
|
|
|
|
|
|
|
*Derek Prior*
|
|
|
|
|
|
2018-02-17 16:02:18 -05:00
|
|
|
* Rails 6 requires Ruby 2.4.1 or newer.
|
|
|
|
|
|
|
|
|
|
*Jeremy Daer*
|
|
|
|
|
|
2018-01-08 22:14:22 -05:00
|
|
|
|
2018-01-30 18:51:17 -05:00
|
|
|
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.
|