* 'rosetta_flash' of https://github.com/gcampbell/rails: Address CVE-2014-4671 (JSONP Flash exploit) Conflicts: actionpack/CHANGELOG.md
*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 ("Rosetta Flash").

    *Greg Campbell*

*   Because URI paths may contain non US-ASCII characters we need to force the encoding
    of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the
    functionality of the monkey patch to `URI.parser.unescape` in
    `active_support/core_ext/uri.rb`.

    Fixes #16104.

    *Karl Entwistle*

*   Generate shallow paths for all children of shallow resources.

    Fixes #15783.

    *Seb Jacobs*

*   JSONP responses are now rendered with the `text/javascript` content type when
    rendering through a `respond_to` block.

    Fixes #15081.

    *Lucas Mazza*

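The two JSONP entries above (the CVE-2014-4671 comment prefix and the `text/javascript` content type) side by side, as an added example that is not Rails' own rendering code. The callback whitelist regex and the function names are assumptions of this example; the Rails change itself only prepends the comment.

```ruby
require "json"

# Added example (not Rails' own code). The "/**/" prefix makes the first bytes
# of a JSONP body server-controlled instead of coming from the callback
# parameter, and the response is served as text/javascript.
JSONP_PREFIX = "/**/".freeze
# Assumption of this example: restrict callbacks to a dotted JS identifier.
VALID_CALLBACK = /\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/

# Pre-fix shape: the body begins with whatever the client sent as callback
# (the application/json content type is an assumption here).
def render_jsonp_unprefixed(callback, payload)
  { content_type: "application/json",
    body: "#{callback}(#{JSON.generate(payload)})" }
end

# Post-fix shape: comment prefix, text/javascript, validated callback.
def render_jsonp(callback, payload)
  raise ArgumentError, "invalid JSONP callback" unless callback.match?(VALID_CALLBACK)
  { content_type: "text/javascript",
    body: "#{JSONP_PREFIX}#{callback}(#{JSON.generate(payload)})" }
end

# Check a defender can apply to outgoing JSONP responses: the body must start
# with the fixed comment and be served as JavaScript.
def jsonp_response_hardened?(response)
  response[:content_type] == "text/javascript" &&
    response[:body].start_with?(JSONP_PREFIX)
end
```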
*   Add `config.action_controller.always_permitted_parameters` to configure which
    parameters are permitted globally. The default value of this configuration is
    `['controller', 'action']`.

    *Gary S. Weaver, Rafael Chacon*

*   Fix `env['PATH_INFO']` missing leading slash when a rack app mounted at '/'.

    Fixes #15511.

    *Larry Lv*

*   `ActionController::Parameters#require` now accepts `false` values.

    Fixes #15685.

    *Sergio Romano*

*   With authorization header `Authorization: Token token=`, `authenticate` now
    recognizes the token as nil, instead of "token".

    Fixes #14846.

    *Larry Lv*

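The header-parsing behaviour described in the entry above, as an added example rather than Rails' own `ActionController::HttpAuthentication::Token` code: an empty `token=` value yields nil, and a nil token can never authenticate. Function names and the expected token are assumptions; quoted values containing commas are not handled.

```ruby
# Added example (not Rails' own code): parse an `Authorization: Token ...`
# header into [token, options]. `Token token=` gives a nil token rather than
# the literal string "token". Names are assumptions of this example.
def parse_token_header(header)
  return [nil, {}] unless header.is_a?(String) && header.start_with?("Token ")
  options = {}
  header.sub(/\AToken\s+/, "").split(/\s*,\s*/).each do |pair|
    key, value = pair.split("=", 2)
    next if key.nil? || key.strip.empty?
    value = value.to_s.strip.delete_prefix('"').delete_suffix('"')
    options[key.strip.to_sym] = value.empty? ? nil : value
  end
  [options.delete(:token), options]
end

# Constant-time comparison; nil or a length mismatch is a definite failure.
def secure_equal?(given, expected)
  return false unless given && expected && given.bytesize == expected.bytesize
  given.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Constructed expected credential for the example.
EXPECTED_TOKEN = "constructed-example-token".freeze

# Authenticate the way an `authenticate_with_http_token` block would.
def authenticate(header, expected = EXPECTED_TOKEN)
  token, _options = parse_token_header(header)
  secure_equal?(token, expected)
end
```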
*   Ensure the controller is always notified as soon as the client disconnects during
    live streaming, even when the controller is blocked on a write.

    *Nicholas Jakobsen, Matthew Draper*

*   Routes specifying 'to:' must be a string that contains a "#" or a rack application.
    Use of a symbol should be replaced with `action: symbol`. Use of a string without
    a "#" should be replaced with `controller: string`.

*   Fix URL generation with `:trailing_slash` such that it does not add a trailing slash
    after `.:format`.

    *Dan Langevin*

*   Build full URI as string when processing path in integration tests for performance
    reasons.

    *Guo Xiang Tan*

*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method called
    'status' in a controller.

    Fixes #13905.

    *Christiaan Van den Poel*

*   Add MKCALENDAR HTTP method (RFC 4791).

    *Sergey Karpesh*

*   Instrument fragment cache metrics.

    Adds `:controller` and `:action` keys to the instrumentation payload for the
    `*_fragment.action_controller` notifications. This allows tracking e.g. the fragment
    cache hit rates for each controller action.

    *Daniel Schierbeck*

*   Always use the provided port if the protocol is relative.

    Fixes #15043.

    *Guilherme Cavalcanti, Andrew White*

*   Moved `params[request_forgery_protection_token]` into its own method and improved
    tests.

    Fixes #11316.

    *Tom Kadwill*

*   Added verification of route constraints given as a Proc or an object responding to
    `:matches?`. Previously, when given a non-complying object, it would just silently
    fail to enforce the constraint. It will now raise an `ArgumentError` when setting up
    the routes.

    *Xavier Defrang*

*   Properly treat the entire IPv6 Unique Local Address space as private for purposes of
    remote IP detection. Also handle uppercase private IPv6 addresses.

    Fixes #12638.

    *Caleb Spare*

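The remote-IP classification described in the entry above, as an added example that is not Rails' own `ActionDispatch::RemoteIp` code: the whole fc00::/7 ULA space counts as private, uppercase hex is accepted, and the client address is picked from the proxy chain accordingly. The range list and function names are assumptions of this example.

```ruby
require "ipaddr"

# Added example (not Rails' own code). Private ranges used when deciding which
# hops in a forwarding chain are proxies; fc00::/7 covers the whole IPv6 ULA
# space. IPAddr parses hex case-insensitively, so "FD00::1" matches too.
PRIVATE_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True for loopback, RFC 1918, link-local and ULA addresses. Unparsable input
# is never treated as private, so it is never trusted as a proxy.
def private_ip?(addr)
  ip = IPAddr.new(addr.to_s.strip)
  PRIVATE_RANGES.any? { |range| range.include?(ip) }
rescue ArgumentError
  false
end

# Pick the client IP from REMOTE_ADDR plus an X-Forwarded-For chain: walk from
# the proxy nearest the server outward and return the first non-private hop.
# Before uppercase ULA addresses were handled, "FD00::1" below would have been
# returned as the client.
def remote_ip(remote_addr, forwarded_for)
  hops = forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?) + [remote_addr]
  hops.reverse_each { |ip| return ip unless private_ip?(ip) }
  remote_addr
end
```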
*   Fixed an issue with migrating legacy json cookies.

    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming cookies
    are marshal-encoded. This is not the case when `secret_token` is used in conjunction
    with the `:json` or `:hybrid` serializer.

    In those cases, when upgrading to use `secret_key_base`, this would cause a
    `TypeError: incompatible marshal file format` and a 500 error for the user.

    Fixes #14774.

    *Godfrey Chan*

*   Make URL escaping more consistent:

    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
    4. Use `escape_segment` rather than `escape_path` in URL generation

    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters.
    This means that wildcard routes can't be optimized. Secondly, if a `:controller`
    segment is used in the path then this uses `escape_path` as the controller may be
    namespaced.

    Fixes #14629, #14636 and #14070.

    *Andrew White, Edho Arief*

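The escaping rules in the entry above, as an added example that is not Rails' own `Router::Utils` code: three helpers built on RFC 3986 character classes, plus a small path builder that uses `escape_segment` for ordinary dynamic segments and `escape_path` only for wildcard segments. The regexes, function names and route pattern syntax are assumptions of this example.

```ruby
# Added example (not Rails' own code). Each regex names the bytes to escape;
# only raw (unescaped) data should be passed in, so a literal '%' becomes %25.
SEGMENT_UNSAFE  = /[^A-Za-z0-9\-._~!$&'()*+,;=:@]/     # escapes '/' and '%'
PATH_UNSAFE     = /[^A-Za-z0-9\-._~!$&'()*+,;=:@\/]/   # keeps '/' for wildcards
FRAGMENT_UNSAFE = /[^A-Za-z0-9\-._~!$&'()*+,;=:@\/?]/  # fragments may hold '/' and '?'

# Percent-encode every byte matching `unsafe`, working on the raw bytes so
# multibyte UTF-8 characters are encoded byte by byte.
def percent_encode(str, unsafe)
  str.to_s.b.gsub(unsafe) { |byte| format("%%%02X", byte.ord) }
     .force_encoding(Encoding::UTF_8)
end

def escape_segment(str)
  percent_encode(str, SEGMENT_UNSAFE)
end

def escape_path(str)
  percent_encode(str, PATH_UNSAFE)
end

def escape_fragment(str)
  percent_encode(str, FRAGMENT_UNSAFE)
end

# Build a path from a pattern such as "/posts/:id/*rest": ':name' parts are
# escaped as segments (so a '/' in the value cannot add a path component),
# '*name' wildcard parts as paths (a '/' is allowed through).
def build_path(pattern, params)
  pattern.split("/").map do |part|
    case part
    when /\A:(\w+)\z/  then escape_segment(params.fetch($1.to_sym))
    when /\A\*(\w+)\z/ then escape_path(params.fetch($1.to_sym))
    else part
    end
  end.join("/")
end
```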
*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
    `ActionDispatch::Http::UploadedFile#tempfile`.

    *Tim Linquist*

*   Returns null type format when format is not known and controller is using `any`
    format block.

    Fixes #14462.

    *Rafael Mendonça França*

*   Improve routing error page with fuzzy matching search.

    *Winston*

*   Only make deeply nested routes shallow when parent is shallow.

    Fixes #14684.

    *Andrew White, James Coglan*

*   Append link to bad code to backtrace when exception is `SyntaxError`.

    *Boris Kuznetsov*

*   Swapped the parameters of assert_equal in `assert_select` so that the proper values
    were printed correctly.

    Fixes #14422.

    *Vishal Lal*

*   The method `shallow?` returns false if the parent resource is a singleton so we need
    to check if we're not inside a nested scope before copying the :path and :as options
    to their shallow equivalents.

    Fixes #14388.

    *Andrew White*

*   Make logging of CSRF failures optional (but on by default) with the
    `log_warning_on_csrf_failure` configuration setting in
    `ActionController::RequestForgeryProtection`.

    *John Barton*

*   Fix URL generation in controller tests with request-dependent `default_url_options`
    methods.

    *Tony Wooster*

Please check 4-1-stable for previous changes.