* Introduce `ActionDispatch::HostAuthorization`.

    This is a new middleware that guards against DNS rebinding attacks by
    allow-listing the hosts a request can be made to.

    Each host is checked with the case operator (`#===`) to support `Regexp`,
    `Proc`, `IPAddr` and custom objects as host allowances.

    *Genadi Samokovarov*

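The check the entry describes, as an added example that is not the Rails middleware: a small allow-list class matches the request's `Host` header against each allowance with `===`, so a `String` is compared for equality, a `Regexp` is matched, an `IPAddr` tests range membership and a `Proc` is called with the host. `HostAllowList`, the allowances and the host names below are this example's own. It also shows the caveat a practitioner should check before shipping an allow list: an unanchored `Regexp` such as `/example\.com/` accepts `app.example.com.attacker.test`, which defeats the rebinding protection, so patterns need `\A` and `\z`.

```ruby
require "ipaddr"

# Added example, not ActionDispatch::HostAuthorization: a minimal host
# allow list that matches the Host header with the case operator (===),
# the way the entry describes. The class and its data are hypothetical.
class HostAllowList
  def initialize(allowances)
    @allowances = allowances
  end

  # Strips an optional :port so "app.example.com:3000" is matched on the
  # host part only (an assumption of this example, not a Rails rule).
  def allowed?(host_header)
    host = host_header.to_s.sub(/:\d+\z/, "")
    return false if host.empty?

    @allowances.any? do |allowance|
      if allowance.is_a?(IPAddr)
        ip_match?(allowance, host)
      else
        # String#=== is equality, Regexp#=== is a match, Proc#=== calls the
        # proc with the host; a custom object only has to implement ===.
        allowance === host
      end
    end
  end

  private

  # IPAddr#=== tests range membership; a non-IP host is simply no match.
  def ip_match?(range, host)
    range === IPAddr.new(host)
  rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
    false
  end
end

# Constructed allow list for the demo.
ALLOWED_HOSTS = [
  "app.example.com",                  # exact host via String#===
  IPAddr.new("10.0.0.0/8"),           # any address in the internal range
  /\A[a-z0-9-]+\.example\.com\z/,     # anchored: one label under example.com
  ->(host) { host == "localhost" }    # Proc#=== calls the block with the host
].freeze

CHECKER = HostAllowList.new(ALLOWED_HOSTS)

# A DNS-rebinding request carries the attacker's name in Host even though
# it reached this server's IP; the allow list rejects it on the name.
def host_allowed?(host_header)
  CHECKER.allowed?(host_header)
end

# The caveat: an unanchored pattern matches far more than intended.
LOOSE_CHECKER = HostAllowList.new([/example\.com/])

def loosely_allowed?(host_header)
  LOOSE_CHECKER.allowed?(host_header)
end
```

In an application the equivalent is adding entries to `config.hosts` in the environment config; a request whose `Host` header matches none of the allowances is refused before it reaches a controller.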
* Allow using `parsed_body` in `ActionController::TestCase`.

    In addition to `ActionDispatch::IntegrationTest`, allow using
    `parsed_body` in `ActionController::TestCase`:

    ```
    class SomeControllerTest < ActionController::TestCase
      def test_some_action
        post :action, body: { foo: 'bar' }
        assert_equal({ "foo" => "bar" }, response.parsed_body)
      end
    end
    ```

    Fixes #34676.

    *Tobias Bühlmann*

* Raise an error on root route naming conflicts.

    Raises an `ArgumentError` when multiple root routes are defined in the
    same context instead of assigning nil names to subsequent roots.

    *Gannon McGibbon*

* Allow rescue from parameter parse errors:

    ```
    rescue_from ActionDispatch::Http::Parameters::ParseError do
      head :unauthorized
    end
    ```

    *Gannon McGibbon*, *Josh Cheek*

* Reset Capybara sessions if taking a failed system test screenshot raises an exception.

    Reset Capybara sessions if `take_failed_screenshot` raises an exception
    in the system test `after_teardown`.

    *Maxim Perepelitsa*

* Use request object for context if there's no controller.

    There is no controller instance when using a redirect route or a
    mounted rack application so pass the request object as the context
    when resolving dynamic CSP sources in this scenario.

    Fixes #34200.

    *Andrew White*

* Apply mapping to symbols returned from dynamic CSP sources.

    Previously if a dynamic source returned a symbol such as `:self` it
    would be converted to a string implicitly, e.g.:

    ```
    policy.default_src -> { :self }
    ```

    would generate the header:

    ```
    Content-Security-Policy: default-src self
    ```

    and now it generates:

    ```
    Content-Security-Policy: default-src 'self'
    ```

    *Andrew White*

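Why the mapping matters, as an added example that is not Rails' `ActionDispatch::ContentSecurityPolicy`: a small header builder resolves static symbols, strings and dynamic `Proc` sources, and runs the value a `Proc` returns back through the same keyword table. Without that step `:self` serialises as the bare word `self`, which a browser reads as a host name, not the `'self'` keyword, so the directive silently stops restricting anything. `CspBuilder`, its `MAPPINGS` table, the `Request` struct and the sample sources are this example's own; the `Proc` is evaluated with `instance_exec` against the context object, so the zero-argument lambda from the entry works unchanged.

```ruby
# Added example, not Rails' CSP implementation: maps symbol sources to the
# quoted keywords (or bare scheme sources) the header syntax requires,
# including symbols returned from dynamic Proc sources. Hypothetical code.
class CspBuilder
  # Keyword sources are single-quoted in the header; scheme sources are not.
  MAPPINGS = {
    self: "'self'",
    none: "'none'",
    unsafe_inline: "'unsafe-inline'",
    unsafe_eval: "'unsafe-eval'",
    strict_dynamic: "'strict-dynamic'",
    https: "https:",
    data: "data:",
    blob: "blob:"
  }.freeze

  def initialize
    @directives = {}
  end

  def directive(name, *sources)
    @directives[name] = sources
    self
  end

  # context is the object dynamic sources are evaluated against
  # (a controller, or the request when there is no controller).
  def build(context)
    @directives.map do |name, sources|
      values = sources.flat_map { |source| resolve(source, context) }
      "#{name.to_s.tr('_', '-')} #{values.join(' ')}"
    end.join("; ")
  end

  private

  def resolve(source, context)
    case source
    when Symbol
      [MAPPINGS.fetch(source) { raise ArgumentError, "unknown CSP source #{source.inspect}" }]
    when Proc
      # Dynamic source: evaluate it, then map the result through the same
      # table so a returned symbol is quoted instead of stringified.
      Array(context.instance_exec(&source)).flat_map { |value| resolve(value, context) }
    when String
      [source]
    else
      raise ArgumentError, "unsupported CSP source #{source.inspect}"
    end
  end
end

# Constructed stand-in for the request passed as context.
Request = Struct.new(:ssl, :cdn_host)

def build_policy(request)
  CspBuilder.new
            .directive(:default_src, :self)
            .directive(:script_src, :self, -> { ssl ? :https : "http:" }, -> { cdn_host })
            .directive(:img_src, :self, :data)
            .build(request)
end

# What an unmapped symbol produces: the broken header from the entry.
def unmapped_header
  "default-src #{:self}"
end

def unknown_symbol_rejected?
  CspBuilder.new.directive(:default_src, :bogus).build(nil)
  false
rescue ArgumentError
  true
end
```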
* Add `ActionController::Parameters#each_value`.

    *Lukáš Zapletal*

* Deprecate `ActionDispatch::Http::ParameterFilter` in favor of `ActiveSupport::ParameterFilter`.

    *Yoshiyuki Kinjo*

* Remove undocumented `params` option from `url_for` helper.

    *Ilkka Oksanen*

* Encode Content-Disposition filenames on `send_data` and `send_file`.

    Previously, `send_data 'data', filename: "\u{3042}.txt"` sent
    `"filename=\"\u{3042}.txt\""` as Content-Disposition and it could be
    garbled.

    Now it follows [RFC 2231](https://tools.ietf.org/html/rfc2231) and
    [RFC 5987](https://tools.ietf.org/html/rfc5987) and sends
    `"filename=\"%3F.txt\"; filename*=UTF-8''%E3%81%82.txt"`.

    Most browsers find the filename correctly and old browsers fall back to the
    ASCII-converted name.

    *Fumiaki Matsushima*

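The header layout the entry describes, as an added example that is not Rails' `ActionDispatch::Http::ContentDisposition`: a plain `filename=` parameter with non-ASCII characters replaced by `?` for old user agents, followed by the RFC 5987 `filename*=UTF-8''...` parameter carrying the real name. The method names and the two allowed-character sets are this example's own choices, and the ASCII fallback uses Ruby's encoding replacement rather than transliteration. Percent-escaping every byte outside the allowed set is also what stops a user-supplied filename containing `"`, `;` or a CR/LF from injecting extra parameters or headers, which the tests check.

```ruby
# Added example, not Rails code: builds a Content-Disposition value that
# follows the RFC 2231 / RFC 5987 layout from the entry. Hypothetical.

# Bytes left unescaped in the plain `filename=` parameter. Everything else,
# including `"`, `\`, `;`, `?` and control bytes, is percent-encoded.
TRADITIONAL_ALLOWED = /[ A-Za-z0-9!#$+.^_`|~-]/
# Bytes left unescaped in the RFC 5987 `filename*=` value (attr-char).
RFC5987_ALLOWED = /[A-Za-z0-9!#$&+.^_`|~-]/

# Percent-encodes every byte of `string` that `allowed` does not permit;
# multibyte characters are encoded byte by byte (UTF-8 bytes).
def percent_escape(string, allowed)
  string.each_char.map do |char|
    if char.ascii_only? && allowed.match?(char)
      char
    else
      char.bytes.map { |byte| format("%%%02X", byte) }.join
    end
  end.join
end

# ASCII fallback for old user agents: non-ASCII characters become "?"
# (an assumption of this example; Rails transliterates), then escaped.
def ascii_filename(filename)
  ascii = filename.encode("US-ASCII", undef: :replace, invalid: :replace, replace: "?")
  'filename="' + percent_escape(ascii, TRADITIONAL_ALLOWED) + '"'
end

# RFC 5987 extended parameter carrying the UTF-8 name.
def utf8_filename(filename)
  "filename*=UTF-8''" + percent_escape(filename.encode("UTF-8"), RFC5987_ALLOWED)
end

# disposition is "inline" or "attachment"; filename may be nil.
def content_disposition(disposition, filename)
  return disposition.to_s if filename.nil?
  "#{disposition}; #{ascii_filename(filename)}; #{utf8_filename(filename)}"
end
```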
* Expose `ActionController::Parameters#each_key` which allows iterating over
    keys without allocating an array.

    *Richard Schneeman*

* Purpose metadata for signed/encrypted cookies.

    Rails can now thwart attacks that attempt to copy the signed/encrypted value
    of a cookie and use it as the value of another cookie.

    It does so by stashing the cookie name in the purpose field which is
    then signed/encrypted along with the cookie value. Then, on a server-side
    read, we verify the cookie names and discard any attacked cookies.

    Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
    writes cookies with the new purpose and expiry metadata embedded.

    *Assain Jaleel*

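The mechanism the entry describes, as an added example that is not Rails' cookie jar or `ActiveSupport::MessageVerifier`: a signed-cookie store that puts the cookie name into a `purpose` field inside the signed payload, together with the value and an optional expiry, so the HMAC covers which cookie the value belongs to. A value copied from one cookie to another verifies as authentic but fails the purpose check and is discarded, which is the copy attack the entry closes. `PurposeBoundCookies`, the JSON payload layout, the `--` separator and the demo secret are this example's own choices.

```ruby
require "openssl"
require "json"
require "base64"

# Added example, not Rails code: signed cookies whose payload carries the
# cookie name as its purpose, so a value lifted from cookie A is rejected
# when presented as cookie B. Hypothetical class and layout.
class PurposeBoundCookies
  # now: injectable clock (seconds since epoch) so expiry can be tested.
  def initialize(secret, now: -> { Time.now.to_i })
    @secret = secret
    @now = now
  end

  # Signs {value, purpose (= cookie name), expiry} as a single unit; the
  # signature therefore also binds the value to this cookie's name.
  def sign(name, value, expires_in: nil)
    payload = {
      "value" => value,
      "purpose" => name.to_s,
      "expiry" => expires_in && (@now.call + expires_in)
    }
    data = Base64.strict_encode64(JSON.generate(payload))
    "#{data}--#{digest(data)}"
  end

  # Verifies the signature first, then checks that the embedded purpose
  # matches the name the cookie was read under and that it has not
  # expired. Returns the value, or nil for a tampered, copied or expired cookie.
  def read(name, cookie)
    data, sig = cookie.to_s.split("--", 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)

    payload = JSON.parse(Base64.strict_decode64(data))
    return nil unless payload["purpose"] == name.to_s
    return nil if payload["expiry"] && payload["expiry"] < @now.call

    payload["value"]
  rescue ArgumentError, JSON::ParserError
    nil # undecodable data: treat as invalid rather than raising
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  # Constant-time comparison so the signature check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed demo: the value of "remember_me" is copied into "admin".
def copy_attack_blocked?
  jar = PurposeBoundCookies.new("constructed-demo-secret")
  remember = jar.sign("remember_me", "user:42")
  jar.read("remember_me", remember) == "user:42" && jar.read("admin", remember).nil?
end
```

Without the purpose field the second `read` would succeed, because the signature alone only proves the server produced the value, not which cookie it was produced for.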
* Raise `ActionController::RespondToMismatchError` on conflicting `respond_to` invocations.

    `respond_to` can match multiple types and lead to undefined behavior when
    multiple invocations are made and the types do not match:

    ```
    respond_to do |outer_type|
      outer_type.js do
        respond_to do |inner_type|
          inner_type.html { render body: "HTML" }
        end
      end
    end
    ```

    *Patrick Toomey*

Add implicit to path conversion to uploaded file (#28676)

* Add implicit to path conversion to uploaded file

Ruby has a few implicit conversion protocols (e.g. `to_hash`, `to_str`,
`to_path`, etc.). These are considered implicit conversion protocols
because in certain instances Ruby (MRI core objects) will check if an
argument responds to the appropriate protocol and automatically convert
it when it does; this is why you can provide a `Pathname` instance into
`File.read` without having to explicitly call `to_s`.

```ruby
require 'pathname'
require 'tempfile'

a_file_path = 'some/path/file.ext'
File.write a_file_path, 'String Path Content'
File.read a_file_path

# Pathname responds to to_path, so File.write/read accept it directly.
a_pathname = Pathname(a_file_path)
File.write a_pathname, 'Pathname Content'
File.read a_file_path

# So does File itself.
core_file = File.new(a_pathname)
File.write core_file, 'File Content'
File.read core_file

# And Tempfile, which delegates to_path to its underlying File.
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Tempfile Content'
File.read tmp_file
```

So how does an uploaded file work in such cases?

```ruby
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Uploaded Content'
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
File.read uploaded_file
```

It fails with a `TypeError`:

    no implicit conversion of ActionDispatch::Http::UploadedFile into String

In order to make an uploaded file work it must be explicitly converted
to a file path using `path`.

```ruby
File.read uploaded_file.path
```

This requires any code that expects path/file like objects to either
special case an uploaded file, re-implement the path conversion protocol
to use `path`, or forces the developer to explicitly cast uploaded files
to paths. This last option can sometimes be difficult to do when such
calls are deep within the inner workings of libraries.

Since an uploaded file already has a path it makes sense to implement
the implicit "path" conversion protocol (just like `File` and
`Tempfile`). This change allows uploaded file content to be treated more
closely to regular file content, without requiring any special case
handling or explicit conversion for common file utilities.

* Note uploaded file path delegation in CHANGELOG

* `ActionDispatch::Http::UploadedFile` now delegates `to_path` to its tempfile.

    This allows uploaded file objects to be passed directly to `File.read`
    without raising a `TypeError`:

    ```
    uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
    File.read(uploaded_file)
    ```

    *Aaron Kromer*

* Pass along arguments to underlying `get` method in `follow_redirect!`.

    Now all arguments passed to `follow_redirect!` are passed to the underlying
    `get` method. This for example allows setting custom headers for the
    redirection request to the server.

    ```
    follow_redirect!(params: { foo: :bar })
    ```

    *Remo Fritzsche*

* Introduce a new error page for when the implicit render page is accessed in the browser.

    Now instead of showing an error page with the exception and backtrace, we show only
    one informative page.

    *Vinicius Stock*

* Introduce `ActionDispatch::DebugExceptions.register_interceptor`.

    Exception aware plugin authors can use the newly introduced
    `.register_interceptor` method to get the processed exception, instead of
    monkey patching `DebugExceptions`.

    ```
    ActionDispatch::DebugExceptions.register_interceptor do |request, exception|
      HypotheticalPlugin.capture_exception(request, exception)
    end
    ```

    *Genadi Samokovarov*

* Output only one Content-Security-Policy nonce header value per request.

    Fixes #32597.

    *Andrey Novikov*, *Andrew White*

* Move default headers configuration into their own module that can be included in controllers.

    *Kevin Deisz*

* Add method `dig` to `session`.

    *claudiob*, *Takumi Shotoku*

Deprecate controller level force_ssl

Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:

* `config.force_ssl` is a setting in environment configurations that
  enables the `ActionDispatch::SSL` middleware. With this middleware
  enabled, all HTTP communication to your application will be redirected
  to HTTPS. The middleware also takes care of other best practices by
  setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
  controllers to HTTPS.

As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.

The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.

HTTPS throughout is quickly becoming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and eliminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.

* Controller level `force_ssl` has been deprecated in favor of
    `config.force_ssl`.

    *Derek Prior*

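What the middleware-level setting does that a controller `force_ssl` cannot, as an added example that is not `ActionDispatch::SSL`: a minimal Rack-style middleware that redirects every plain-HTTP request regardless of path (assets and mounted engines included), adds a Strict-Transport-Security header to every HTTPS response, and marks every `Set-Cookie` the application emits as `secure`. It needs no gems because a Rack env is a plain Hash and a response is a `[status, headers, body]` triple; `ForceSslMiddleware`, its options, the `env_for` helper and the sample app are this example's own, and it deliberately omits the exclusion and `X-Forwarded-Proto` handling a production deployment would configure through `config.ssl_options`.

```ruby
# Added example, not ActionDispatch::SSL: shows the three things the
# middleware covers that a per-controller redirect does not. Hypothetical.
class ForceSslMiddleware
  def initialize(app, hsts_max_age: 365 * 24 * 60 * 60, redirect: true)
    @app = app
    @hsts_max_age = hsts_max_age
    @redirect = redirect
  end

  def call(env)
    # 1. Any HTTP request, for any path, is redirected before it reaches
    #    the application, so assets and mounted engines are covered too.
    return redirect_to_https(env) if @redirect && !secure?(env)

    status, headers, body = @app.call(env)
    # 2. HSTS tells the browser not to attempt plain HTTP again.
    headers["Strict-Transport-Security"] = "max-age=#{@hsts_max_age}; includeSubDomains"
    # 3. Cookies the app sets are upgraded to Secure so a later HTTP
    #    request cannot leak them.
    headers["Set-Cookie"] = upgrade_cookies(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  private

  # Trusting X-Forwarded-Proto is an assumption of this example; only do
  # that behind a proxy you control.
  def secure?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    # 301 for GET/HEAD; 307 so other methods are replayed with their body.
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => location, "Content-Type" => "text/html" }, []]
  end

  # Accepts the newline-joined String of older Rack or an Array of cookies.
  def upgrade_cookies(set_cookie)
    cookies = set_cookie.is_a?(Array) ? set_cookie : set_cookie.split("\n")
    upgraded = cookies.map { |c| c =~ /;\s*secure\b/i ? c : "#{c}; secure" }
    set_cookie.is_a?(Array) ? upgraded : upgraded.join("\n")
  end
end

# Constructed app: sets a session cookie without the Secure flag, which
# is exactly what a controller-level force_ssl leaves unprotected.
SAMPLE_APP = lambda do |_env|
  [200, { "Content-Type" => "text/plain", "Set-Cookie" => "_session=abc; path=/; HttpOnly" }, ["ok"]]
end

def run(env)
  ForceSslMiddleware.new(SAMPLE_APP).call(env)
end

# Builds a minimal Rack env Hash for the demo.
def env_for(scheme, path, method: "GET", query: "")
  { "rack.url_scheme" => scheme, "HTTP_HOST" => "app.example.com",
    "PATH_INFO" => path, "QUERY_STRING" => query, "REQUEST_METHOD" => method }
end
```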
* Rails 6 requires Ruby 2.5.0 or newer.

    *Jeremy Daer*, *Kasper Timm Hansen*

Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionpack/CHANGELOG.md) for previous changes.