2020-01-03 13:32:44 -05:00
|
|
|
* `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
|
|
|
|
|
|
|
|
Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
|
|
|
|
Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
|
|
|
|
|
|
|
|
*Keenan Brock*
|
2020-01-03 17:00:08 -05:00
|
|
|
|
2019-12-17 16:44:59 -05:00
|
|
|
* Fix possible information leak / session hijacking vulnerability.
|
|
|
|
|
|
|
|
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
|
|
|
gem dalli to be updated as well.
|
|
|
|
|
|
|
|
CVE-2019-16782.
|
|
|
|
|
2018-02-28 18:18:37 -05:00
|
|
|
* Include child session assertion count in ActionDispatch::IntegrationTest
|
|
|
|
|
|
|
|
`IntegrationTest#open_session` uses `dup` to create the new session, which
|
|
|
|
meant it had its own copy of `@assertions`. This prevented the assertions
|
|
|
|
from being correctly counted and reported.
|
|
|
|
|
2019-12-18 02:46:48 -05:00
|
|
|
Child sessions now have their `attr_accessor` overridden to delegate to the
|
2018-02-28 18:18:37 -05:00
|
|
|
root session.
|
|
|
|
|
|
|
|
Fixes #32142
|
|
|
|
|
|
|
|
*Sam Bostock*
|
2019-04-20 22:09:50 -04:00
|
|
|
|
2018-08-19 15:32:35 -04:00
|
|
|
* Add SameSite protection to every written cookie.
|
|
|
|
|
|
|
|
Enabling `SameSite` cookie protection is an addition to CSRF protection,
|
|
|
|
where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
|
|
|
|
|
|
|
|
`:strict` disables cookies being sent in cross-site GET or POST requests.
|
|
|
|
|
|
|
|
Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
|
|
|
|
|
|
|
|
See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
|
|
|
|
|
|
|
|
More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
|
|
|
|
|
|
|
|
_NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
|
|
|
|
|
|
|
|
*Cédric Fabianski*
|
|
|
|
|
2019-12-05 09:06:14 -05:00
|
|
|
* Bring back the feature that allows loading external route files from the router.
|
|
|
|
|
|
|
|
This feature existed back in 2012 but got reverted with the incentive that
|
|
|
|
https://github.com/rails/routing_concerns was a better approach. Turned out
|
|
|
|
that this wasn't fully the case and loading external route files from the router
|
|
|
|
can be helpful for applications with a really large set of routes.
|
|
|
|
Without this feature, application needs to implement routes reloading
|
|
|
|
themselves and it's not straightforward.
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
# config/routes.rb
|
|
|
|
|
|
|
|
Rails.application.routes.draw do
|
|
|
|
draw(:admin)
|
|
|
|
end
|
|
|
|
|
|
|
|
# config/routes/admin.rb
|
|
|
|
|
|
|
|
get :foo, to: 'foo#bar'
|
|
|
|
```
|
|
|
|
|
|
|
|
*Yehuda Katz*, *Edouard Chin*
|
|
|
|
|
2019-11-24 16:36:31 -05:00
|
|
|
* Fix system test driver option initialization for non-headless browsers.
|
|
|
|
|
|
|
|
*glaszig*
|
|
|
|
|
2019-11-22 15:06:46 -05:00
|
|
|
* `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
|
|
|
|
their payloads as `:request`.
|
|
|
|
|
|
|
|
*Austin Story*
|
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
* `respond_to#any` no longer returns a response's Content-Type based on the
|
|
|
|
request format but based on the block given.
|
2019-10-31 20:06:05 -04:00
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
Example:
|
2019-10-31 20:06:05 -04:00
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
```ruby
|
|
|
|
def my_action
|
|
|
|
respond_to do |format|
|
|
|
|
format.any { render(json: { foo: 'bar' }) }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
get('my_action.csv')
|
|
|
|
```
|
|
|
|
|
|
|
|
The previous behaviour was to respond with a `text/csv` Content-Type which
|
|
|
|
is inaccurate since a JSON response is being rendered.
|
2019-10-31 20:06:05 -04:00
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
Now it correctly returns a `application/json` Content-Type.
|
2019-10-31 20:06:05 -04:00
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
*Edouard Chin*
|
2019-10-31 20:06:05 -04:00
|
|
|
|
2019-11-12 16:44:10 -05:00
|
|
|
* Replaces (back)slashes in failure screenshot image paths with dashes.
|
|
|
|
|
|
|
|
If a failed test case contained a slash or a backslash, a screenshot would be created in a
|
|
|
|
nested directory, causing issues with `tmp:clear`.
|
|
|
|
|
|
|
|
*Damir Zekic*
|
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
* Add `params.member?` to mimic Hash behavior.
|
2019-11-19 10:03:01 -05:00
|
|
|
|
|
|
|
*Younes Serraj*
|
|
|
|
|
2019-11-04 10:30:38 -05:00
|
|
|
* `process_action.action_controller` notifications now include the following in their payloads:
|
|
|
|
|
2019-11-04 18:29:38 -05:00
|
|
|
* `:request` - the `ActionDispatch::Request`
|
2019-11-16 08:17:01 -05:00
|
|
|
* `:response` - the `ActionDispatch::Response`
|
2019-11-04 07:46:48 -05:00
|
|
|
|
|
|
|
*George Claghorn*
|
|
|
|
|
2019-10-06 17:28:43 -04:00
|
|
|
* Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
|
|
|
|
`remote_ip` to `nil` before setting the header that the value is derived
|
|
|
|
from.
|
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
Fixes #37383.
|
2019-10-06 17:28:43 -04:00
|
|
|
|
|
|
|
*Norm Provost*
|
|
|
|
|
2019-09-24 13:47:34 -04:00
|
|
|
* `ActionController::Base.log_at` allows setting a different log level per request.
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
# Use the debug level if a particular cookie is set.
|
|
|
|
class ApplicationController < ActionController::Base
|
|
|
|
log_at :debug, if: -> { cookies[:debug] }
|
|
|
|
end
|
|
|
|
```
|
|
|
|
|
|
|
|
*George Claghorn*
|
|
|
|
|
2019-06-23 22:41:30 -04:00
|
|
|
* Allow system test screen shots to be taken more than once in
|
|
|
|
a test by prefixing the file name with an incrementing counter.
|
|
|
|
|
|
|
|
Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
|
|
|
|
enable saving of HTML during a screenshot in addition to the image.
|
|
|
|
This uses the same image name, with the extension replaced with `.html`
|
|
|
|
|
|
|
|
*Tom Fakes*
|
|
|
|
|
2019-05-08 10:28:47 -04:00
|
|
|
* Add `Vary: Accept` header when using `Accept` header for response
|
|
|
|
|
|
|
|
For some requests like `/users/1`, Rails uses requests' `Accept`
|
|
|
|
header to determine what to return. And if we don't add `Vary`
|
|
|
|
in the response header, browsers might accidentally cache different
|
|
|
|
types of content, which would cause issues: e.g. javascript got displayed
|
|
|
|
instead of html content. This PR fixes these issues by adding `Vary: Accept`
|
|
|
|
in these types of requests. For more detailed problem description, please read:
|
|
|
|
|
|
|
|
https://github.com/rails/rails/pull/36213
|
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
Fixes #25842.
|
2019-05-08 10:28:47 -04:00
|
|
|
|
|
|
|
*Stan Lo*
|
|
|
|
|
2018-10-12 02:06:13 -04:00
|
|
|
* Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
|
|
|
|
a 307 redirection.
|
|
|
|
|
|
|
|
*Edouard Chin*
|
|
|
|
|
2019-07-24 22:19:21 -04:00
|
|
|
* System tests require Capybara 3.26 or newer.
|
|
|
|
|
|
|
|
*George Claghorn*
|
|
|
|
|
2018-01-04 06:27:14 -05:00
|
|
|
* Reduced log noise handling ActionController::RoutingErrors.
|
|
|
|
|
|
|
|
*Alberto Fernández-Capel*
|
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
* Add DSL for configuring HTTP Feature Policy.
|
2019-07-10 18:33:16 -04:00
|
|
|
|
2019-09-23 19:33:10 -04:00
|
|
|
This new DSL provides a way to configure an HTTP Feature Policy at a
|
2019-07-10 18:33:16 -04:00
|
|
|
global or per-controller level. Full details of HTTP Feature Policy
|
|
|
|
specification and guidelines can be found at MDN:
|
|
|
|
|
|
|
|
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
Example global policy:
|
2019-07-10 18:33:16 -04:00
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
```ruby
|
2019-07-10 18:33:16 -04:00
|
|
|
Rails.application.config.feature_policy do |f|
|
|
|
|
f.camera :none
|
|
|
|
f.gyroscope :none
|
|
|
|
f.microphone :none
|
|
|
|
f.usb :none
|
|
|
|
f.fullscreen :self
|
2019-07-14 17:10:22 -04:00
|
|
|
f.payment :self, "https://secure.example.com"
|
2019-07-10 18:33:16 -04:00
|
|
|
end
|
|
|
|
```
|
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
Example controller level policy:
|
2019-07-10 18:33:16 -04:00
|
|
|
|
2019-11-23 19:20:00 -05:00
|
|
|
```ruby
|
2019-07-10 18:33:16 -04:00
|
|
|
class PagesController < ApplicationController
|
|
|
|
feature_policy do |p|
|
|
|
|
p.geolocation "https://example.com"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
```
|
|
|
|
|
|
|
|
*Jacob Bednarz*
|
|
|
|
|
2019-02-02 21:33:44 -05:00
|
|
|
* Add the ability to set the CSP nonce only to the specified directives.
|
|
|
|
|
|
|
|
Fixes #35137.
|
|
|
|
|
|
|
|
*Yuji Yaginuma*
|
|
|
|
|
2019-06-04 16:47:33 -04:00
|
|
|
* Keep part when scope option has value.
|
2018-12-08 16:42:40 -05:00
|
|
|
|
|
|
|
When a route was defined within an optional scope, if that route didn't
|
|
|
|
take parameters the scope was lost when using path helpers. This commit
|
|
|
|
ensures scope is kept both when the route takes parameters or when it
|
|
|
|
doesn't.
|
|
|
|
|
2019-06-04 16:47:33 -04:00
|
|
|
Fixes #33219.
|
2018-12-08 16:42:40 -05:00
|
|
|
|
|
|
|
*Alberto Almagro*
|
|
|
|
|
2019-05-17 09:13:03 -04:00
|
|
|
* Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
|
|
|
|
|
|
|
|
*Gustavo Gutierrez*
|
|
|
|
|
2019-07-28 02:53:51 -04:00
|
|
|
* Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
|
2019-05-18 17:49:32 -04:00
|
|
|
an enumerator for the parameters instead of the underlying hash.
|
|
|
|
|
|
|
|
*Eugene Kenny*
|
|
|
|
|
2019-06-04 16:47:33 -04:00
|
|
|
* Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
|
|
|
|
It should only block invalid key's values instead.
|
2019-04-20 22:09:50 -04:00
|
|
|
|
2017-08-01 14:02:41 -04:00
|
|
|
*Stan Lo*
|
2019-04-20 22:09:50 -04:00
|
|
|
|
2019-06-04 16:47:33 -04:00
|
|
|
|
2019-04-24 15:57:14 -04:00
|
|
|
Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.
|