* Add binary encoding logic into ActionDispatch::Request::Utils Moving the logic to set binary encoding into ActionDispatch::Request::Utils will allow us to encode from GET and POST in ActionDispatch::Request. * Refactor binary encoding logic - Move binary encoding calls into GET, POST and path_parameters - Remove binary encoding from ActionDispatch::Http::Request - This way, we only raise an invalid encoding exception if the controller is not requesting parameters in binary encoding * Check if encoding is valid in ActionDispatch::Request#POST and raise BadRequest if invalid * Fix multipart_params_test that has binary-encoded params containing invalid UTF-8 characters * Address PR comments * Pass action and controller to Request::Utils.set_binary_encoding [Rafael Mendonça França + Adrianna Chang]
12 KiB
-
Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
Additionally, perform
#set_binary_encoding
inActionDispatch::Http::Request#GET
andActionDispatch::Http::Request#POST
prior to validating encoding.Adrianna Chang
-
Allow
assert_recognizes
routing assertions to work on mounted root routes.Gannon McGibbon
-
Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for
ActionDispatch::SSL
.Alan Tan, Oz Ben-David
-
Fix
follow_redirect!
to follow redirection with same HTTP verb when following a 308 redirection.Alan Tan
-
When multiple domains are specified for a cookie, a domain will now be chosen only if it is equal to or is a superdomain of the request host.
Jonathan Hefner
-
ActionDispatch::Static
handles precompiled Brotli (.br) files.Adds to existing support for precompiled gzip (.gz) files. Brotli files are preferred due to much better compression.
When the browser requests /some.js with
Accept-Encoding: br
, we check for public/some.js.br and serve that file, if present, withContent-Encoding: br
andVary: Accept-Encoding
headers.Ryan Edward Hall, Jeremy Daer
-
Add raise_on_missing_translations support for controllers.
This configuration determines whether an error should be raised for missing translations. It can be enabled through
config.i18n.raise_on_missing_translations
. Note that described configuration also affects raising error for missing translations in views.fatkodima
-
Added
compact
andcompact!
toActionController::Parameters
.Eugene Kenny
-
Calling
each_pair
oreach_value
on anActionController::Parameters
without passing a block now returns an enumerator.Eugene Kenny
-
fixture_file_upload
now uses path relative tofile_fixture_path
Previously the path had to be relative to
fixture_path
. You can change your existing code as follow:# Before fixture_file_upload('files/dog.png') # After fixture_file_upload('dog.png')
Edouard Chin
-
Remove deprecated
force_ssl
at the controller level.Rafael Mendonça França
-
The +helper+ class method for controllers loads helper modules specified as strings/symbols with
String#constantize
instead ofrequire_dependency
.Remember that support for strings/symbols is only a convenient API. You can always pass a module object:
helper UtilsHelper
which is recommended because it is simple and direct. When a string/symbol is received,
helper
just manipulates and inflects the argument to obtain that same module object.Xavier Noria, Jean Boussier
-
Correctly identify the entire localhost IPv4 range as trusted proxy.
Nick Soracco
-
url_for
will now use "https://" as the default protocol whenRails.application.config.force_ssl
is set to true.Jonathan Hefner
-
Accept and default to base64_urlsafe CSRF tokens.
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport.
Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.
Scott Blum
-
Support rolling deploys for cookie serialization/encryption changes.
In a distributed configuration like rolling update, users may observe both old and new instances during deployment. Users may be served by a new instance and then by an old instance.
That means when the server changes
cookies_serializer
from:marshal
to:hybrid
or the server changesuse_authenticated_cookie_encryption
fromfalse
totrue
, users may lose their sessions if they access the server during deployment.We added fallbacks to downgrade the cookie format when necessary during deployment, ensuring compatibility on both old and new instances.
Masaki Hara
-
ActionDispatch::Request.remote_ip
has ip address even when all sites are trusted.Before, if all
X-Forwarded-For
sites were trusted, theremote_ip
would default to127.0.0.1
. Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.Keenan Brock
-
Fix possible information leak / session hijacking vulnerability.
The
ActionDispatch::Session::MemcacheStore
is still vulnerable given it requires the gem dalli to be updated as well.CVE-2019-16782.
-
Include child session assertion count in ActionDispatch::IntegrationTest.
IntegrationTest#open_session
usesdup
to create the new session, which meant it had its own copy of@assertions
. This prevented the assertions from being correctly counted and reported.Child sessions now have their
attr_accessor
overridden to delegate to the root session.Fixes #32142.
Sam Bostock
-
Add SameSite protection to every written cookie.
Enabling
SameSite
cookie protection is an addition to CSRF protection, where cookies won't be sent by browsers in cross-site POST requests when set to:lax
.:strict
disables cookies being sent in cross-site GET or POST requests.Passing
:none
disables this protection and is the same as previous versions albeit a; SameSite=None
is appended to the cookie.See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
More info here
NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies
Cédric Fabianski
-
Bring back the feature that allows loading external route files from the router.
This feature existed back in 2012 but got reverted with the incentive that https://github.com/rails/routing_concerns was a better approach. Turned out that this wasn't fully the case and loading external route files from the router can be helpful for applications with a really large set of routes. Without this feature, application needs to implement routes reloading themselves and it's not straightforward.
# config/routes.rb Rails.application.routes.draw do draw(:admin) end # config/routes/admin.rb get :foo, to: 'foo#bar'
Yehuda Katz, Edouard Chin
-
Fix system test driver option initialization for non-headless browsers.
glaszig
-
redirect_to.action_controller
notifications now include theActionDispatch::Request
in their payloads as:request
.Austin Story
-
respond_to#any
no longer returns a response's Content-Type based on the request format but based on the block given.Example:
def my_action respond_to do |format| format.any { render(json: { foo: 'bar' }) } end end get('my_action.csv')
The previous behaviour was to respond with a
text/csv
Content-Type which is inaccurate since a JSON response is being rendered.Now it correctly returns a
application/json
Content-Type.Edouard Chin
-
Replaces (back)slashes in failure screenshot image paths with dashes.
If a failed test case contained a slash or a backslash, a screenshot would be created in a nested directory, causing issues with
tmp:clear
.Damir Zekic
-
Add
params.member?
to mimic Hash behavior.Younes Serraj
-
process_action.action_controller
notifications now include the following in their payloads::request
- theActionDispatch::Request
:response
- theActionDispatch::Response
George Claghorn
-
Updated
ActionDispatch::Request.remote_ip
setter to clear set the instanceremote_ip
tonil
before setting the header that the value is derived from.Fixes #37383.
Norm Provost
-
ActionController::Base.log_at
allows setting a different log level per request.# Use the debug level if a particular cookie is set. class ApplicationController < ActionController::Base log_at :debug, if: -> { cookies[:debug] } end
George Claghorn
-
Allow system test screen shots to be taken more than once in a test by prefixing the file name with an incrementing counter.
Add an environment variable
RAILS_SYSTEM_TESTING_SCREENSHOT_HTML
to enable saving of HTML during a screenshot in addition to the image. This uses the same image name, with the extension replaced with.html
Tom Fakes
-
Add
Vary: Accept
header when usingAccept
header for response.For some requests like
/users/1
, Rails uses requests'Accept
header to determine what to return. And if we don't addVary
in the response header, browsers might accidentally cache different types of content, which would cause issues: e.g. javascript got displayed instead of html content. This PR fixes these issues by addingVary: Accept
in these types of requests. For more detailed problem description, please read:https://github.com/rails/rails/pull/36213
Fixes #25842.
Stan Lo
-
Fix IntegrationTest
follow_redirect!
to follow redirection using the same HTTP verb when following a 307 redirection.Edouard Chin
-
System tests require Capybara 3.26 or newer.
George Claghorn
-
Reduced log noise handling ActionController::RoutingErrors.
Alberto Fernández-Capel
-
Add DSL for configuring HTTP Feature Policy.
This new DSL provides a way to configure an HTTP Feature Policy at a global or per-controller level. Full details of HTTP Feature Policy specification and guidelines can be found at MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Example global policy:
Rails.application.config.feature_policy do |f| f.camera :none f.gyroscope :none f.microphone :none f.usb :none f.fullscreen :self f.payment :self, "https://secure.example.com" end
Example controller level policy:
class PagesController < ApplicationController feature_policy do |p| p.geolocation "https://example.com" end end
Jacob Bednarz
-
Add the ability to set the CSP nonce only to the specified directives.
Fixes #35137.
Yuji Yaginuma
-
Keep part when scope option has value.
When a route was defined within an optional scope, if that route didn't take parameters the scope was lost when using path helpers. This commit ensures scope is kept both when the route takes parameters or when it doesn't.
Fixes #33219.
Alberto Almagro
-
Added
deep_transform_keys
anddeep_transform_keys!
methods to ActionController::Parameters.Gustavo Gutierrez
-
Calling
ActionController::Parameters#transform_keys
/!
without a block now returns an enumerator for the parameters instead of the underlying hash.Eugene Kenny
-
Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical). It should only block invalid key's values instead.
Stan Lo
Please check 6-0-stable for previous changes.