Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming cookies are marshal-encoded. This is not the case when `secret_token` is used in conjunction with the `:json` or `:hybrid` serializer. In those case, when upgrading to use `secret_key_base`, this would cause a `TypeError: incompatible marshal file format` and a 500 error for the user. Fixes #14774. *Godfrey Chan*
2.6 KiB
-
Fixed an issue with migrating legacy json cookies.
Previously, the
VerifyAndUpgradeLegacySignedMessage
assumes all incoming cookies are marshal-encoded. This is not the case whensecret_token
is used in conjunction with the:json
or:hybrid
serializer.In those case, when upgrading to use
secret_key_base
, this would cause aTypeError: incompatible marshal file format
and a 500 error for the user.Fixes #14774.
Godfrey Chan
-
Make URL escaping more consistent:
- Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
- Add an
escape_segment
helper toRouter::Utils
that escapes '/' characters - Use
escape_segment
rather thanescape_fragment
in optimized URL generation - Use
escape_segment
rather thanescape_path
in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard segments (e.g. *foo) then we use
escape_path
as the value may contain '/' characters. This means that wildcard routes can't be optimized. Secondly, if a:controller
segment is used in the path then this usesescape_path
as the controller may be namespaced.Fixes #14629, #14636 and #14070.
Andrew White, Edho Arief
-
Add alias
ActionDispatch::Http::UploadedFile#to_io
toActionDispatch::Http::UploadedFile#tempfile
.Tim Linquist
-
Returns null type format when format is not know and controller is using
any
format block.Fixes #14462.
Rafael Mendonça França
-
Improve routing error page with fuzzy matching search.
Winston
-
Only make deeply nested routes shallow when parent is shallow.
Fixes #14684.
Andrew White, James Coglan
-
Append link to bad code to backtrace when exception is SyntaxError.
Boris Kuznetsov
-
Swapped the parameters of assert_equal in
assert_select
so that the proper values were printed correctlyFixes #14422.
Vishal Lal
-
The method
shallow?
returns false if the parent resource is a singleton so we need to check if we're not inside a nested scope before copying the :path and :as options to their shallow equivalents.Fixes #14388.
Andrew White
-
Make logging of CSRF failures optional (but on by default) with the
log_warning_on_csrf_failure
configuration setting inActionController::RequestForgeryProtection
.John Barton
-
Fix URL generation in controller tests with request-dependent
default_url_options
methods.Tony Wooster
Please check 4-1-stable for previous changes.