Releases: rails/rails
v6.0.6
Active Support
- No changes.
Active Model
- No changes.
Active Record
-
Symbol is allowed by default for YAML columns
Étienne Barrié
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
7.0.3.1
tenderlove
Aaron Patterson
04972d9
tenderlove
Aaron Patterson
Active Support
- No changes.
Active Model
- No changes.
Active Record
-
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.1.6.1
tenderlove
Aaron Patterson
dc1242f
tenderlove
Aaron Patterson
Active Support
- No changes.
Active Model
- No changes.
Active Record
-
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.0.5.1
tenderlove
Aaron Patterson
eed4176
tenderlove
Aaron Patterson
Active Support
- No changes.
Active Model
- No changes.
Active Record
-
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
5.2.8.1
tenderlove
Aaron Patterson
8030cff
tenderlove
Aaron Patterson
Active Support
- No changes.
Active Model
- No changes.
Active Record
-
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.
7.0.3
eileencodes
Eileen M. Uchitelle
3872bc0
eileencodes
Eileen M. Uchitelle
Active Support
- No changes.
Active Model
- No changes.
Active Record
-
Some internal housekeeping on reloads could break custom
respond_to?
methods in class objects that referenced reloadable constants. See
#44125 for details.Xavier Noria
-
Fixed MariaDB default function support.
Defaults would be written wrong in "db/schema.rb" and not work correctly
if usingdb:schema:load. Further more the function name would be
added as string content when saving new records.kaspernj
-
Fix
remove_foreign_keywith:if_existsoption when foreign key actually exists.fatkodima
-
Remove
--no-commentsflag in structure dumps for PostgreSQLThis broke some apps that used custom schema comments. If you don't want
comments in your structure dump, you can use:ActiveRecord::Tasks::DatabaseTasks.structure_dump_flags = ['--no-comments']
Alex Ghiculescu
-
Use the model name as a prefix when filtering encrypted attributes from logs.
For example, when encrypting
Person#nameit will addperson.nameas a filter
parameter, instead of justname. This prevents unintended filtering of parameters
with a matching name in other models.Jorge Manrubia
-
Fix quoting of
ActiveSupport::DurationandRationalnumbers in the MySQL adapter.Kevin McPhillips
-
Fix
change_column_commentto preserve column's AUTO_INCREMENT in the MySQL adapterfatkodima
Action View
-
Ensure models passed to
form_forattempt to callto_model.Sean Doyle
Action Pack
-
Allow relative redirects when
raise_on_open_redirectsis enabled.Tom Hughes
-
Fix
authenticate_with_http_basicto allow for missing password.Before Rails 7.0 it was possible to handle basic authentication with only a username.
authenticate_with_http_basic do |token, _| ApiClient.authenticate(token) end
This ability is restored.
Jean Boussier
-
Fix
content_security_policyreturning invalid directives.Directives such as
self,unsafe-evaland few others were not
single quoted when the directive was the result of calling a lambda
returning an array.content_security_policy do |policy| policy.frame_ancestors lambda { [:self, "https://example.com"] } end
With this fix the policy generated from above will now be valid.
Edouard Chin
-
Fix
skip_forgery_protectionto run without raising an error if forgery
protection has not been enabled /verify_authenticity_tokenis not a
defined callback.This fix prevents the Rails 7.0 Welcome Page (
/) from raising an
ArgumentErrorifdefault_protect_from_forgeryis false.Brad Trick
-
Fix
ActionController::Liveto copy the IsolatedExecutionState in the ephemeral thread.Since its inception
ActionController::Livehas been copying thread local variables
to keep things such asCurrentAttributesset from middlewares working in the controller action.With the introduction of
IsolatedExecutionStatein 7.0, some of that global state was lost in
ActionController::Livecontrollers.Jean Boussier
-
Fix setting
trailing_slash: truein route definition.get '/test' => "test#index", as: :test, trailing_slash: true test_path() # => "/test/"
Jean Boussier
Active Job
-
Add missing
bigdecimalrequire inActiveJob::ArgumentsCould cause
uninitialized constant ActiveJob::Arguments::BigDecimal (NameError)
when loading Active Job in isolation.Jean Boussier
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
-
Don't stream responses in redirect mode
Previously, both redirect mode and proxy mode streamed their
responses which caused a new thread to be created, and could end
up leaking connections in the connection pool. But since redirect
mode doesn't actually send any data, it doesn't need to be
streamed.Luke Lau
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
-
If reloading and eager loading are both enabled, after a reload Rails eager loads again the application code.
Xavier Noria
-
Use
controller_class_pathinRails::Generators::NamedBase#route_urlThe
route_urlmethod now returns the correct path when generating
a namespaced controller with a top-level model using--model-name.Previously, when running this command:
bin/rails generate scaffold_controller Admin/Post --model-name Post
the comments above the controller action would look like:
# GET /posts def index @posts = Post.all end
afterwards, they now look like this:
# GET /admin/posts def index @posts = Post.all end
Fixes #44662.
Andrew White
6.1.6
eileencodes
Eileen M. Uchitelle
147557d
eileencodes
Eileen M. Uchitelle
Active Support
-
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Add the method
ERB::Util.xml_name_escapeto escape dangerous characters
in names of tags and names of attributes, following the specification of XML.Álvaro Martín Fraguas
Active Model
- No changes.
Active Record
- No changes.
Action View
-
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributesto:escape, to simplify by applying the option to the
whole tag.Álvaro Martín Fraguas
Action Pack
-
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.0.5
eileencodes
Eileen M. Uchitelle
4331155
eileencodes
Eileen M. Uchitelle
Active Support
-
Fix tag helper regression.
Eileen Uchitelle
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.
Action Text
-
Disentangle Action Text from ApplicationController
Allow Action Text to be used without having an ApplicationController
defined.
This makes sure:- Action Text attachments render the correct URL host in mailers.
- an ActionController::Renderer isn't allocated per request.
- Sidekiq doesn't hang with the "classic" autoloader.
Jonathan Hefner
5.2.8
eileencodes
Eileen M. Uchitelle
2652133
eileencodes
Eileen M. Uchitelle
Active Support
-
Fix tag helper regression.
Eileen Uchitelle
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.
v7.0.2.4
tenderlove
Aaron Patterson
3520cc7
tenderlove
Aaron Patterson
Active Support
-
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Add the method
ERB::Util.xml_name_escapeto escape dangerous characters
in names of tags and names of attributes, following the specification of XML.Álvaro Martín Fraguas
Active Model
- No changes.
Active Record
- No changes.
Action View
-
Fix and add protections for XSS in
ActionView::HelpersandERB::Util.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributesto:escape, to simplify by applying the option to the
whole tag.Álvaro Martín Fraguas
Action Pack
-
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.