rails--rails/actionpack/CHANGELOG.md

• Use String#bytesize instead of String#size when checking for cookie overflow.

  Agis Anastasopoulos

• render nothing: true or rendering a nil body no longer add a single space to the response body.

  The old behavior was added as a workaround for a bug in an early version of Safari, where the HTTP headers are not returned correctly if the response body has a 0-length. This is been fixed since and the workaround is no longer necessary.

  Use render body: ' ' if the old behavior is desired.

  See #14883 for details.

  Godfrey Chan

• Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 ("Rosetta Flash")

  Greg Campbell

• Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to URI.parser.unescape in active_support/core_ext/uri.rb.

  Fixes #16104.

  Karl Entwistle

• Generate shallow paths for all children of shallow resources.

  Fixes #15783.

  Seb Jacobs

• JSONP responses are now rendered with the text/javascript content type when rendering through a respond_to block.

  Fixes #15081.

  Lucas Mazza

• Add config.action_controller.always_permitted_parameters to configure which parameters are permitted globally. The default value of this configuration is ['controller', 'action'].

  Gary S. Weaver, Rafael Chacon

• Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.

  Fixes #15511.

  Larry Lv

• ActionController::Parameters#require now accepts false values.

  Fixes #15685.

  Sergio Romano

• With authorization header Authorization: Token token=, authenticate now recognize token as nil, instead of "token".

  Fixes #14846.

  Larry Lv

• Ensure the controller is always notified as soon as the client disconnects during live streaming, even when the controller is blocked on a write.

  Nicholas Jakobsen, Matthew Draper

• Routes specifying 'to:' must be a string that contains a "#" or a rack application. Use of a symbol should be replaced with action: symbol. Use of a string without a "#" should be replaced with controller: string.

  Aaron Patterson

• Fix URL generation with :trailing_slash such that it does not add a trailing slash after .:format

  Dan Langevin

• Build full URI as string when processing path in integration tests for performance reasons.

  Guo Xiang Tan

• Fix 'Stack level too deep' when rendering head :ok in an action method called 'status' in a controller.

  Fixes #13905.

  Christiaan Van den Poel

• Add MKCALENDAR HTTP method (RFC 4791).

  Sergey Karpesh

• Instrument fragment cache metrics.

  Adds :controller: and :action keys to the instrumentation payload for the *_fragment.action_controller notifications. This allows tracking e.g. the fragment cache hit rates for each controller action.

  Daniel Schierbeck

• Always use the provided port if the protocol is relative.

  Fixes #15043.

  Guilherme Cavalcanti, Andrew White

• Moved params[request_forgery_protection_token] into its own method and improved tests.

  Fixes #11316.

  Tom Kadwill

• Added verification of route constraints given as a Proc or an object responding to :matches?. Previously, when given an non-complying object, it would just silently fail to enforce the constraint. It will now raise an ArgumentError when setting up the routes.

  Xavier Defrang

• Properly treat the entire IPv6 User Local Address space as private for purposes of remote IP detection. Also handle uppercase private IPv6 addresses.

  Fixes #12638.

  Caleb Spare

• Fixed an issue with migrating legacy json cookies.

  Previously, the VerifyAndUpgradeLegacySignedMessage assumes all incoming cookies are marshal-encoded. This is not the case when secret_token is used in conjunction with the :json or :hybrid serializer.

  In those case, when upgrading to use secret_key_base, this would cause a TypeError: incompatible marshal file format and a 500 error for the user.

  Fixes #14774.

  Godfrey Chan

• Make URL escaping more consistent:

  1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
  2. Add an escape_segment helper to Router::Utils that escapes '/' characters
  3. Use escape_segment rather than escape_fragment in optimized URL generation
  4. Use escape_segment rather than escape_path in URL generation

  For point 4 there are two exceptions. Firstly, when a route uses wildcard segments (e.g. *foo) then we use escape_path as the value may contain '/' characters. This means that wildcard routes can't be optimized. Secondly, if a :controller segment is used in the path then this uses escape_path as the controller may be namespaced.

  Fixes #14629, #14636 and #14070.

  Andrew White, Edho Arief

• Add alias ActionDispatch::Http::UploadedFile#to_io to ActionDispatch::Http::UploadedFile#tempfile.

  Tim Linquist

• Returns null type format when format is not know and controller is using any format block.

  Fixes #14462.

  Rafael Mendonça França

• Improve routing error page with fuzzy matching search.

  Winston

• Only make deeply nested routes shallow when parent is shallow.

  Fixes #14684.

  Andrew White, James Coglan

• Append link to bad code to backtrace when exception is SyntaxError.

  Boris Kuznetsov

• Swapped the parameters of assert_equal in assert_select so that the proper values were printed correctly.

  Fixes #14422.

  Vishal Lal

• The method shallow? returns false if the parent resource is a singleton so we need to check if we're not inside a nested scope before copying the :path and :as options to their shallow equivalents.

  Fixes #14388.

  Andrew White

• Make logging of CSRF failures optional (but on by default) with the log_warning_on_csrf_failure configuration setting in ActionController::RequestForgeryProtection.

  John Barton

• Fix URL generation in controller tests with request-dependent default_url_options methods.

  Tony Wooster

Please check 4-1-stable for previous changes.