1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionpack/CHANGELOG.md

202 lines
6 KiB
Markdown
Raw Normal View History

* Introduce ActionDispatch::HostAuthorization
This is a new middleware that guards against DNS rebinding attacks by
white-listing the allowed hosts a request can be made to.
Each host is checked with the case operator (`#===`) to support `RegExp`,
`Proc`, `IPAddr` and custom objects as host allowances.
*Genadi Samokovarov*
* Allow using `parsed_body` in `ActionController::TestCase`.
In addition to `ActionDispatch::IntegrationTest`, allow using
`parsed_body` in `ActionController::TestCase`:
```
class SomeControllerTest < ActionController::TestCase
def test_some_action
post :action, body: { foo: 'bar' }
assert_equal({ "foo" => "bar" }, response.parsed_body)
end
end
```
Fixes #34676.
*Tobias Bühlmann*
* Raise an error on root route naming conflicts.
Raises an ArgumentError when multiple root routes are defined in the
same context instead of assigning nil names to subsequent roots.
*Gannon McGibbon*
* Allow rescue from parameter parse errors:
```
rescue_from ActionDispatch::Http::Parameters::ParseError do
head :unauthorized
end
```
*Gannon McGibbon*, *Josh Cheek*
* Reset Capybara sessions if failed system test screenshot raising an exception.
Reset Capybara sessions if `take_failed_screenshot` raise exception
in system test `after_teardown`.
*Maxim Perepelitsa*
* Use request object for context if there's no controller
There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.
Fixes #34200.
*Andrew White*
* Apply mapping to symbols returned from dynamic CSP sources
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
policy.default_src -> { :self }
would generate the header:
Content-Security-Policy: default-src self
and now it generates:
Content-Security-Policy: default-src 'self'
*Andrew White*
* Add `ActionController::Parameters#each_value`.
*Lukáš Zapletal*
* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.
*Yoshiyuki Kinjo*
* Remove undocumented `params` option from `url_for` helper.
*Ilkka Oksanen*
* Encode Content-Disposition filenames on `send_data` and `send_file`.
Previously, `send_data 'data', filename: "\u{3042}.txt"` sends
`"filename=\"\u{3042}.txt\""` as Content-Disposition and it can be
garbled.
Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
[RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
`"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.
Most browsers can find filename correctly and old browsers fallback to ASCII
converted name.
*Fumiaki Matsushima*
* Expose `ActionController::Parameters#each_key` which allows iterating over
keys without allocating an array.
*Richard Schneeman*
* Purpose metadata for signed/encrypted cookies.
Rails can now thwart attacks that attempt to copy signed/encrypted value
of a cookie and use it as the value of another cookie.
It does so by stashing the cookie-name in the purpose field which is
then signed/encrypted along with the cookie value. Then, on a server-side
read, we verify the cookie-names and discard any attacked cookies.
Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
writes cookies with the new purpose and expiry metadata embedded.
*Assain Jaleel*
2018-07-31 07:20:08 -04:00
* Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
`respond_to` can match multiple types and lead to undefined behavior when
multiple invocations are made and the types do not match:
respond_to do |outer_type|
outer_type.js do
respond_to do |inner_type|
inner_type.html { render body: "HTML" }
end
end
end
*Patrick Toomey*
Add implicit to path conversion to uploaded file (#28676) * Add implicit to path conversion to uploaded file Ruby has a few implicit conversion protocols (e.g. `to_hash`, `to_str`, `to_path`, etc.). These are considered implicit conversion protocols because in certain instances Ruby (MRI core objects) will check if an argument responds to the appropriate protocol and automatically convert it when it does; this is why you can provide a `Pathname` instance into `File.read` without having to explicitly call `to_s`. ```ruby a_file_path = 'some/path/file.ext' File.write a_file_path, 'String Path Content' File.read a_file_path a_pathname = Pathname(a_file_path) File.write core_file, 'Pathname Content' File.read a_file_path core_file = File.new(a_pathname) File.write core_file, 'File Content' File.read core_file tmp_file = Tempfile.new('example') File.write tmp_file, 'Tempfile Content' File.read tmp_file ``` So how does an uploaded file work in such cases? ```ruby tmp_file = Tempfile.new('example') File.write tmp_file, 'Uploaded Content' uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file) File.read uploaded_file ``` It fails with a `TypeError`: no implicit conversion of ActionDispatch::Http::UploadedFile into String In order to make an uploaded file work it must be explicitly converted to a file path using `path`. ```ruby File.read uploaded_file.path ``` This requires any code that expects path/file like objects to either special case an uploaded file, re-implement the path conversion protocol to use `path`, or forces the developer to explicitly cast uploaded files to paths. This last option can sometimes be difficult to do when such calls are deep within the inner workings of libraries. Since an uploaded file already has a path it makes sense to implement the implicit "path" conversion protocol (just like `File` and `Tempfile`). This change allows uploaded file content to be treated more closely to regular file content, without requiring any special case handling or explicit conversion for common file utilities. * Note uploaded file path delegation in CHANGELOG
2018-07-22 04:00:40 -04:00
* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.
This allows uploaded file objects to be passed directly to `File.read`
without raising a `TypeError`:
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
File.read(uploaded_file)
*Aaron Kromer*
* Pass along arguments to underlying `get` method in `follow_redirect!`.
Now all arguments passed to `follow_redirect!` are passed to the underlying
`get` method. This for example allows to set custom headers for the
redirection request to the server.
follow_redirect!(params: { foo: :bar })
*Remo Fritzsche*
* Introduce a new error page to when the implicit render page is accessed in the browser.
2018-02-01 09:47:42 -05:00
Now instead of showing an error page that with exception and backtraces we now show only
one informative page.
*Vinicius Stock*
* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.
Exception aware plugin authors can use the newly introduced
`.register_interceptor` method to get the processed exception, instead of
monkey patching DebugExceptions.
ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
HypoteticalPlugin.capture_exception(request, exception)
end
*Genadi Samokovarov*
* Output only one Content-Security-Policy nonce header value per request.
Fixes #32597.
2018-04-18 03:44:48 -04:00
*Andrey Novikov*, *Andrew White*
* Move default headers configuration into their own module that can be included in controllers.
*Kevin Deisz*
* Add method `dig` to `session`.
*claudiob*, *Takumi Shotoku*
Deprecate controller level force_ssl Today there are two common ways for Rails developers to force their applications to communicate over HTTPS: * `config.force_ssl` is a setting in environment configurations that enables the `ActionDispatch::SSL` middleware. With this middleware enabled, all HTTP communication to your application will be redirected to HTTPS. The middleware also takes care of other best practices by setting HSTS headers, upgrading all cookies to secure only, etc. * The `force_ssl` controller method redirects HTTP requests to certain controllers to HTTPS. As a consultant, I've seen many applications with misconfigured HTTPS setups due to developers adding `force_ssl` to `ApplicationController` and not enabling `config.force_ssl`. With this configuration, many application requests can be served over HTTP such as assets, requests that hit mounted engines, etc. In addition, because cookies are not upgraded to secure only in this configuration and HSTS headers are not set, it's possible for cookies that are meant to be secure to be sent over HTTP. The confusion between these two methods of forcing HTTPS is compounded by the fact that they share an identical name. This makes finding documentation on the "right" method confusing. HTTPS throughout is quickly becomming table stakes for all web sites. Sites are expected to operate over HTTPS for all communication, sensitive or otherwise. Let's encourage use of the broader-reaching `ActionDispatch::SSL` middleware and elminate this source of user confusion. If, for some reason, applications need to expose certain endpoints over HTTP they can do so by properly configuring `config.ssl_options`.
2018-03-17 12:04:52 -04:00
* Controller level `force_ssl` has been deprecated in favor of
`config.force_ssl`.
*Derek Prior*
* Rails 6 requires Ruby 2.5.0 or newer.
*Jeremy Daer*, *Kasper Timm Hansen*
Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.