- No changes.
-
Under certain circumstances, the middleware isn't informed that the response body has been fully closed which result in request state not being fully reset before the next request
[CVE-2022-23633]
- No changes.
-
Fix
ActionController::Parametersmethods to keep the original logger context when creating a new copy of the original object.Yutaka Kamei
-
Deprecate
Rails.application.config.action_controller.urlsafe_csrf_tokens. This config is now always enabled.Étienne Barrié
-
Instance variables set in requests in a
ActionController::TestCaseare now cleared before the next requestThis means if you make multiple requests in the same test, instance variables set in the first request will not persist into the second one. (It's not recommended to make multiple requests in the same test.)
Alex Ghiculescu
- No changes.
- Fix X_FORWARDED_HOST protection. [CVE-2021-44528]
-
Rails.application.executorhooks can now be called around every request in aActionController::TestCaseThis helps to better simulate request or job local state being reset between requests and prevent state leaking from one request to another.
To enable this, set
config.active_support.executor_around_test_case = true(this is the default in Rails 7).Alex Ghiculescu
-
Consider onion services secure for cookies.
Justin Tracey
-
Remove deprecated
Rails.config.action_view.raise_on_missing_translations.Rafael Mendonça França
-
Remove deprecated support to passing a path to
fixture_file_uploadrelative tofixture_path.Rafael Mendonça França
-
Remove deprecated
ActionDispatch::SystemTestCase#host!.Rafael Mendonça França
-
Remove deprecated
Rails.config.action_dispatch.hosts_response_app.Rafael Mendonça França
-
Remove deprecated
ActionDispatch::Response.return_only_media_type_on_content_type.Rafael Mendonça França
-
Raise
ActionController::Redirecting::UnsafeRedirectErrorfor unsaferedirect_toredirects.This allows
rescue_fromto be used to add a default fallback route:rescue_from ActionController::Redirecting::UnsafeRedirectError do redirect_to root_url end
Kasper Timm Hansen, Chris Oliver
-
Add
url_fromto verify a redirect location is internal.Takes the open redirect protection from
redirect_toso users can wrap a param, and fall back to an alternate redirect URL when the param provided one is unsafe.def create redirect_to url_from(params[:redirect_url]) || root_url end
dmcge, Kasper Timm Hansen
-
Allow Capybara driver name overrides in
SystemTestCase::driven_byAllow users to prevent conflicts among drivers that use the same driver type (selenium, poltergeist, webkit, rack test).
Fixes #42502
Chris LaRose
-
Allow multiline to be passed in routes when using wildcard segments.
Previously routes with newlines weren't detected when using wildcard segments, returning a
No route matcheserror. After this change, routes with newlines are detected on wildcard segments. Exampledraw do get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard end # After the change, the path matches. assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
Fixes #39103
Ignacio Chiazzo
-
Treat html suffix in controller translation.
Rui Onodera, Gavin Miller
-
Allow permitting numeric params.
Previously it was impossible to permit different fields on numeric parameters. After this change you can specify different fields for each numbered parameter. For example params like,
book: { authors_attributes: { '0': { name: "William Shakespeare", age_of_death: "52" }, '1': { name: "Unattributed Assistant" }, '2': "Not a hash", 'new_record': { name: "Some name" } } }
Before you could permit name on each author with,
permit book: { authors_attributes: [ :name ] }After this change you can permit different keys on each numbered element,
permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }Fixes #41625
Adam Hess
-
Update
HostAuthorizationmiddleware to render debug info only whenconfig.consider_all_requests_localis set to true.Also, blocked host info is always logged with level
error.Fixes #42813
Nikita Vyrko
-
Add Server-Timing middleware
Server-Timing specification defines how the server can communicate to browsers performance metrics about the request it is responding to.
The ServerTiming middleware is enabled by default on
developmentenvironment by default using theconfig.server_timingsetting and set the relevant duration metrics in theServer-TimingheaderThe full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
Sebastian Sogamoso, Guillermo Iguaran
- No changes.
-
Use a static error message when raising
ActionDispatch::Http::Parameters::ParseErrorto avoid inadvertently logging the HTTP request body at thefatallevel when it contains malformed JSON.Fixes #41145
Aaron Lahey
-
Add
Middleware#delete!to delete middleware or raise if not found.Middleware#delete!works just likeMiddleware#deletebut will raise an error if the middleware isn't found.Alex Ghiculescu, Petrik de Heus, Junichi Sato
-
Raise error on unpermitted open redirects.
Add
allow_other_hostoptions toredirect_to. Opt in to this behaviour withActionController::Base.raise_on_open_redirects = true.Gannon McGibbon
-
Deprecate
poltergeistandwebkit(capybara-webkit) driver registration for system testing (they will be removed in Rails 7.1). Addcupriteinstead.Poltergeist and capybara-webkit are already not maintained. These usage in Rails are removed for avoiding confusing users.
Cuprite is a good alternative to Poltergeist. Some guide descriptions are replaced from Poltergeist to Cuprite.
Yusuke Iwaki
-
Exclude additional flash types from
ActionController::Base.action_methods.Ensures that additional flash types defined on ActionController::Base subclasses are not listed as actions on that controller.
class MyController < ApplicationController add_flash_types :hype end MyController.action_methods.include?('hype') # => falseGavin Morrice
-
OpenSSL constants are now used for Digest computations.
Dirkjan Bussink
-
Remove IE6-7-8 file download related hack/fix from ActionController::DataStreaming module.
Due to the age of those versions of IE this fix is no longer relevant, more importantly it creates an edge-case for unexpected Cache-Control headers.
Tadas Sasnauskas
-
Configuration setting to skip logging an uncaught exception backtrace when the exception is present in
rescued_responses.It may be too noisy to get all backtraces logged for applications that manage uncaught exceptions via
rescued_responsesandexceptions_app.config.action_dispatch.log_rescued_responses(defaults totrue) can be set tofalsein this case, so that only exceptions not found inrescued_responseswill be logged.Alexander Azarov, Mike Dalessio
-
Ignore file fixtures on
db:fixtures:load.Kevin Sjöberg
-
Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
Dylan Thacker-Smith
-
New
ActionController::ConditionalGet#no_storemethod to set HTTP cache controlno-storedirective.Tadas Sasnauskas
-
Drop support for the
SERVER_ADDRheader.Following up rack/rack#1573 and #42349.
Ricardo Díaz
-
Set session options when initializing a basic session.
Gannon McGibbon
-
Add
cache_control: {}option tofresh_whenandstale?.Works as a shortcut to set
response.cache_controlwith the above methods.Jacopo Beschi
-
Writing into a disabled session will now raise an error.
Previously when no session store was set, writing into the session would silently fail.
Jean Boussier
-
Add support for 'require-trusted-types-for' and 'trusted-types' headers.
Fixes #42034.
lfalcao
-
Remove inline styles and address basic accessibility issues on rescue templates.
Jacob Herrington
-
Add support for 'private, no-store' Cache-Control headers.
Previously, 'no-store' was exclusive; no other directives could be specified.
Alex Smith
-
Expand payload of
unpermitted_parameters.action_controllerinstrumentation to allow subscribers to know which controller action received unpermitted parameters.bbuchalter
-
Add
ActionController::Live#send_streamthat makes it more convenient to send generated streams:send_stream(filename: "subscribers.csv") do |stream| stream.writeln "email_address,updated_at" @subscribers.find_each do |subscriber| stream.writeln [ subscriber.email_address, subscriber.updated_at ].join(",") end end
DHH
-
Add
ActionController::Live::Buffer#writelnto write a line to the stream with a newline included.DHH
-
ActionDispatch::Request#content_typenow returned Content-Type header as it is.Previously,
ActionDispatch::Request#content_typereturned value does NOT contain charset part. This behavior changed to returned Content-Type header containing charset part as it is.If you want just MIME type, please use
ActionDispatch::Request#media_typeinstead.Before:
request = ActionDispatch::Request.new("CONTENT_TYPE" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET") request.content_type #=> "text/csv"
After:
request = ActionDispatch::Request.new("Content-Type" => "text/csv; header=present; charset=utf-16", "REQUEST_METHOD" => "GET") request.content_type #=> "text/csv; header=present; charset=utf-16" request.media_type #=> "text/csv"
Rafael Mendonça França
-
Change
ActionDispatch::Request#media_typeto returnnilwhen the request don't have aContent-Typeheader.Rafael Mendonça França
-
Fix error in
ActionController::LogSubscriberthat would happen when throwing inside a controller action.Janko Marohnić
-
Allow anything with
#to_str(likeAddressable::URI) as aredirect_tolocation.ojab
-
Change the request method to a
GETwhen passing failed requests down toconfig.exceptions_app.Alex Robbin
-
Deprecate the ability to assign a single value to
config.action_dispatch.trusted_proxiesasRemoteIpmiddleware behaves inconsistently depending on whether this is configured with a single value or an enumerable.Fixes #40772.
Christian Sutter
-
Add
redirect_back_or_to(fallback_location, **)as a more aesthetically pleasing version ofredirect_back fallback_location:, **. The old method name is retained without explicit deprecation.DHH
Please check 6-1-stable for previous changes.