- No changes.
- No changes.
-
Do not allow render with unpermitted parameter.
Fixes CVE-2016-2098.
Arthur Neves
- No changes.
- No changes.
- No changes.
-
Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
Previously, an empty X_FORWARDED_HOST header would cause Actiondispatch::Http:URL.raw_host_with_port to return nil, causing Actiondispatch::Http:URL.host to raise a NoMethodError.
Adam Forsyth
-
Fix regression in functional tests. Responses should have default headers assigned.
See #18423.
Jeremy Kemper, Yves Senn
- No changes.
-
Preserve default format when generating URLs
Fixes an issue that would cause the format set in default_url_options to be lost when generating URLs with fewer positional arguments than parameters in the route definition.
Backport of #18627
Tekin Suleyman, Dominic Baggott
-
Default headers, removed in controller actions, are no longer reapplied on the test response.
Jonas Baumann
-
Ensure
append_info_to_payload
is called even if an exception is raised.Fixes an issue where when an exception is raised in the request the additonal payload data is not available.
See:
- #14903
- roidrage/lograge#37
Dieter Komendera, Margus Pärt
-
Fixed handling of positional url helper arguments when
format: false
.Fixes #17819.
Andrew White, Tatiana Soukiassian
-
Restore handling of a bare
Authorization
header, withouttoken=
prefix.Fixes #17108.
Guo Xiang Tan
-
Fix regression where path was getting overwritten when route anchor was false, and X-Cascade pass
fixes #17035.
arthurnn
-
Fix a bug where malformed query strings lead to 500.
fixes #11502.
Yuki Nishijima
-
Fix arbitrary file existence disclosure in Action Pack.
CVE-2014-7829.
-
Fix arbitrary file existence disclosure in Action Pack.
CVE-2014-7818.
-
Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 ("Rosetta Flash")
Greg Campbell
-
Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to URI.parser.unescape in active_support/core_ext/uri.rb.
Fixes #16104.
Karl Entwistle
-
Generate shallow paths for all children of shallow resources.
Fixes #15783.
Seb Jacobs
-
JSONP responses are now rendered with the
text/javascript
content type when rendering through arespond_to
block.Fixes #15081.
Lucas Mazza
-
Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
Fixes #15511.
Larry Lv
-
ActionController::Parameters#require now accepts
false
values.Fixes #15685.
Sergio Romano
-
With authorization header
Authorization: Token token=
,authenticate
now recognize token as nil, instead of "token".Fixes #14846.
Larry Lv
- No changes.
- No changes.
-
Fix URL generation with
:trailing_slash
such that it does not add a trailing slash after.:format
Dan Langevin
-
Fix an issue with migrating legacy json cookies.
Previously, the
VerifyAndUpgradeLegacySignedMessage
assumed all incoming cookies were marshal-encoded. This was not the case whensecret_token
was used in conjunction with the:json
or:hybrid
serializer.In those cases, when upgrading to use
secret_key_base
, this would cause aTypeError: incompatible marshal file format
and a 500 error for the user.Fixes #14774.
Godfrey Chan
-
http_basic_authenticate_with
only checks the authentication if the schema isBasic
.Fixes #10257.
tomykaira
-
Fix
'Stack level too deep'
when renderinghead :ok
in an action method called 'status' in a controller.Fixes #13905.
Christiaan Van den Poel
-
Always use the provided port if the protocol is relative.
Fixes #15043.
Guilherme Cavalcanti, Andrew White
-
Append a link in the backtrace to the bad code when a
SyntaxError
exception occurs.Boris Kuznetsov
-
Make URL escaping more consistent:
- Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
- Add an
escape_segment
helper toRouter::Utils
that escapes '/' characters - Use
escape_segment
rather thanescape_fragment
in optimized URL generation - Use
escape_segment
rather thanescape_path
in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard segments (e.g.
*foo
) then we useescape_path
as the value may contain '/' characters. This means that wildcard routes can't be optimized. Secondly, if a:controller
segment is used in the path then this usesescape_path
as the controller may be namespaced.Fixes #14629, #14636 and #14070.
Andrew White, Edho Arief
-
Returns a null type format when the format is not known and the controller is using an
any
format block.Fixes #14462.
Rafael Mendonça França
-
Only make deeply nested routes shallow when the parent is shallow.
Fixes #14684.
Andrew White, James Coglan
-
Only accept actions without
File::SEPARATOR
in the name.This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
Rafael Mendonça França
-
Swap the parameters of assert_equal in
assert_select
so that the proper values are printed correctlyFixes #14422.
Vishal Lal
-
The method
shallow?
returns false if the parent resource is a singleton, so we need to check if we're not inside a nested scope before copying the :path and :as options to their shallow equivalents.Fixes #14388.
Andrew White
-
Fix URL generation in controller tests with request-dependent
default_url_options
methods.Tony Wooster
-
Introduce
render :html
as an option to render HTML content with a content type oftext/html
. This rendering option callsERB::Util.html_escape
internally to escape unsafe HTML strings, so you will need to mark a string ashtml_safe
if it contains any HTML tag.See #14062, #12374.
Prem Sichanugrist
-
Introduce
render :plain
as an option to render content with a content type oftext/plain
. This is the preferred option if you are planning to render a plain text content.See #14062, #12374.
Prem Sichanugrist
-
Introduce
render :body
as an option for sending a raw content back to browser. Note that this rendering option does not include "Content-Type" header back in the response.You should only use this option if you don't care about the content type of the response. More information on "Content-Type" header can be found on RFC 2616, section 7.2.1.
See #14062, #12374.
Prem Sichanugrist
-
Set stream status to 500 (or 400 on BadRequest) when an error is thrown before committing.
Fixes #12552.
Kevin Casey
-
Add a new config option
config.action_dispatch.cookies_serializer
for specifying a serializer for the signed and encrypted cookie jars.The possible values are:
:json
- serialize cookie values withJSON
:marshal
- serialize cookie values withMarshal
:hybrid
- transparently migrate existingMarshal
cookie values toJSON
For new apps the
:json
option is added by default and:marshal
is used when no option is specified to maintain backwards compatibility.Łukasz Sarnacki, Matt Aimonetti, Guillermo Iguaran, Godfrey Chan, Rafael Mendonça França
-
FlashHash
now behaves like aHashWithIndifferentAccess
.Guillermo Iguaran
-
Set the
:shallow_path
scope option as each scope is generated rather than waiting until theshallow
option is set. Also make the behavior of the:shallow
resource option consistent with the behavior of theshallow
method.Fixes #12498.
Andrew White, Aleksi Aalto
-
Properly require
action_view
inAbstractController::Rendering
to prevent an uninitialized constant error forENCODING_FLAG
.Philipe Fatio
-
Do not discard query parameters that form a hash with the same root key as the
wrapper_key
for a request usingwrap_parameters
.Josh Jordan
-
Ensure that
request.filtered_parameters
is reset between calls toprocess
inActionController::TestCase
.Fixes #13803.
Andrew White
-
Fix
rake routes
error whenRails::Engine
with empty routes is mounted.Fixes #13810.
Maurizio De Santis
-
Log which keys were affected by deep munge.
Deep munge solves the CVE-2013-0155 security vulnerability, but its behaviour is confusing. With this commit, the information about which key values were set to nil is now visible in logs.
Łukasz Sarnacki
-
Automatically convert dashes to underscores for shorthand routes, e.g:
get '/our-work/latest'
When running
rake routes
you will get the following output:Prefix Verb URI Pattern Controller#Action our_work_latest GET /our-work/latest(.:format) our_work#latest
Mikko Johansson
-
Automatically convert dashes to underscores for url helpers, e.g:
get '/contact-us' => 'pages#contact' get '/about-us' => 'pages#about_us'
When running
rake routes
you will get the following output:Prefix Verb URI Pattern Controller#Action contact_us GET /contact-us(.:format) pages#contact about_us GET /about-us(.:format) pages#about_us
Amr Tamimi
-
Fix stream closing when sending file with
ActionController::Live
included.Fixes #12381.
Alessandro Diaferia
-
Allow an absolute controller path inside a module scope. Fixes #12777.
Example:
namespace :foo do # will route to BarController without the namespace. get '/special', to: '/bar#index' end
-
Unique the segment keys array for non-optimized url helpers
In Rails 3.2 you only needed to pass an argument for a dynamic segment once so unique the segment keys array to match the number of args. Since the number of args is less than the required parts, the non-optimized code path is selected. To benefit from optimized url generation, the arg needs to be specified as many times as it appears in the path.
Fixes #12808.
Andrew White
-
Show full route constraints in error message.
When an optimized helper fails to generate, show the full route constraints in the error message. Previously it would only show the contraints that were required as part of the path.
Fixes #13592.
Andrew White
-
Use a custom route visitor for optimized url generation. Fixes #13349.
Andrew White
-
Allow engine root relative redirects using an empty string.
Example:
# application routes.rb mount BlogEngine => '/blog' # engine routes.rb get '/welcome' => redirect('')
This now redirects to the path
/blog
, whereas before it would redirect to the application root path. In the case of a path redirect or a custom redirect, if the path returned contains a host then the path is treated as absolute. Similarly for option redirects, if the options hash returned contains a:host
or:domain
key then the path is treated as absolute.Fixes #7977.
Andrew White
-
Fix
Encoding::CompatibilityError
when public path is UTF-8In #5337 we forced the path encoding to ASCII-8BIT to prevent static file handling from blowing up before an application has had a chance to deal with possibly invalid urls. However this has a negative side effect of making it an incompatible encoding if the application's public path has UTF-8 characters in it.
To work around the problem we check to see if the path has a valid encoding once it has been unescaped. If it is not valid then we can return early since it will not match any file anyway.
Fixes #13518.
Andrew White
-
ActionController::Parameters#permit!
permits hashes in array values.Xavier Noria
-
Converts hashes in arrays of unfiltered params to unpermitted params.
Fixes #13382.
Xavier Noria
-
New config option to opt out of params "deep munging" that was used to address the security vulnerability CVE-2013-0155. In your app config:
config.action_dispatch.perform_deep_munge = false
Take care to understand the security risk involved before disabling this. Read more.
Bernard Potocki
-
rake routes
shows routes defined under assets prefix.Ryunosuke SATO
-
Extend cross-site request forgery (CSRF) protection to GET requests with JavaScript responses, protecting apps from cross-origin
<script>
tags.Jeremy Kemper
-
Fix generating a path for an engine inside a resources block.
Fixes #8533.
Piotr Sarnacki
-
Add
Mime::Type.register "text/vcard", :vcf
to the default list of mime types.DHH
-
Remove deprecated
ActionController::RecordIdentifier
, useActionView::RecordIdentifier
instead.kennyj
-
Fix regression when using
ActionView::Helpers::TranslationHelper#translate
withoptions[:raise]
.This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
Shota Fukumori (sora_h)
-
Introducing Variants
We often want to render different html/json/xml templates for phones, tablets, and desktop browsers. Variants make it easy.
The request variant is a specialization of the request format, like
:tablet
,:phone
, or:desktop
.You can set the variant in a
before_action
:request.variant = :tablet if request.user_agent =~ /iPad/
Respond to variants in the action just like you respond to formats:
respond_to do |format| format.html do |html| html.tablet # renders app/views/projects/show.html+tablet.erb html.phone { extra_setup; render ... } end end
Provide separate templates for each format and variant:
app/views/projects/show.html.erb app/views/projects/show.html+tablet.erb app/views/projects/show.html+phone.erb
You can also simplify the variants definition using the inline syntax:
respond_to do |format| format.js { render "trash" } format.html.phone { redirect_to progress_path } format.html.none { render "trash" } end
Variants also support the common
any
/all
block that formats have.It works for both inline:
respond_to do |format| format.html.any { render text: "any" } format.html.phone { render text: "phone" } end
and block syntax:
respond_to do |format| format.html do |variant| variant.any(:tablet, :phablet){ render text: "any" } variant.phone { render text: "phone" } end end
Łukasz Strzałkowski
-
Fix rendering localized templates without an explicit format using wrong content header and not passing correct formats to template due to the introduction of the
NullType
for mimes.Templates like
hello.it.erb
were subject to this issue.Fixes #13064.
Angelo Capilleri, Carlos Antonio da Silva
-
Try to escape each part of a url correctly when using a redirect route.
Fixes #13110.
Andrew White
-
Better error message for typos in assert_response arguments.
When the response type argument to
assert_response
is not a known response type,assert_response
now throws an ArgumentError with a clear message. This is intended to help debug typos in the response type.Victor Costan
-
Fix formatting for
rake routes
when a section is shorter than a header.Sıtkı Bağdat
-
Accept an options hash inside the array in
#url_for
.Example:
url_for [:new, :admin, :post, { param: 'value' }] # => http://example.com/admin/posts/new?param=value
Andrey Ognevsky
-
Add
session#fetch
methodfetch behaves like Hash#fetch. It returns a value from the hash for the given key. If the key can’t be found, there are several options:
- With no other arguments, it will raise a KeyError exception.
- If a default value is given, then it will be returned.
- If the optional code block is specified, then it will be run and its result returned.
Damien Mathieu
-
Don't let strong parameters mutate the given hash via
fetch
Create a new instance if the given parameter is a
Hash
instead of passing it to theconvert_hashes_to_parameters
method since it is overriding its default value.Brendon Murphy, Doug Cole
-
Add a
params
option to thebutton_to
form helper which renders the given hash as hidden form fields.Andy Waite
-
Enable assets helpers to work in the controllers like they do in the views.
Example:
# config/application.rb config.asset_host = 'http://mycdn.com' ActionController::Base.helpers.asset_path('fallback.png') # => http://mycdn.com/assets/fallback.png
Fixes #10051.
Tima Maslyuchenko
-
Respect
SCRIPT_NAME
when usingredirect
with a relative pathExample:
# application routes.rb mount BlogEngine => '/blog' # engine routes.rb get '/admin' => redirect('admin/dashboard')
This now redirects to the path
/blog/admin/dashboard
, whereas before it would have generated an invalid url because there would be no slash between the host name and the path. It also allows redirects to work when the application is deployed to a subdirectory of a website.Fixes #7977.
Andrew White
-
Fixing
repond_with
working directly on the options hash This fixes an issue where therespond_with
worked directly with the given options hash, so that if a user relied on it after callingrespond_with
, the hash wouldn't be the same.Fixes #12029.
bluehotdog
-
Fix
ActionDispatch::RemoteIp::GetIp#calculate_ip
to only check for spoofing attacks if bothHTTP_CLIENT_IP
andHTTP_X_FORWARDED_FOR
are set.Fixes #10844.
Tamir Duberstein
-
Strong parameters should permit a nested number to be a key.
Fixes #12293.
kennyj
-
Fix the regex used to detect URI schemes in
redirect_to
, to be consistent with RFC 3986.Derek Prior
-
Fix incorrect
assert_redirected_to
failure message for protocol-relative URLs.Derek Prior
-
Fix an issue where the router could not recognize a downcased url encoding path.
Fixes #12269.
kennyj
-
Fix custom flash type definition. Misuse of the
_flash_types
class variable caused an error when reloading controllers with custom flash types.Fixes #12057.
Ricardo de Cillo
-
Do not break params filtering on
nil
values.Fixes #12149.
Vasiliy Ermolovich
-
Development mode exceptions are rendered in text format in case of an XHR request.
Kir Shatrov
-
Fix an issue where :if and :unless controller action procs were being run before checking for the correct action in the :only and :unless options.
Fixes #11799.
Nicholas Jakobsen
-
Fix an issue where
assert_dom_equal
andassert_dom_not_equal
were ignoring the passed failure message argument.Fixes #11751.
Ryan McGeary
-
Allow REMOTE_ADDR, HTTP_HOST and HTTP_USER_AGENT to be overridden from the environment passed into
ActionDispatch::TestRequest.new
.Fixes #11590.
Andrew White
-
Fix an issue where Journey was failing to clear the named routes hash when the routes were reloaded and since it doesn't overwrite existing routes then if a route changed but wasn't renamed it kept the old definition. This was being masked by the optimised url helpers so it only became apparent when passing an options hash to the url helper.
Andrew White
-
Skip routes pointing to a redirect or mounted application when generating urls using an options hash as they aren't relevant and generate incorrect urls.
Fixes #8018.
Andrew White
-
Move
MissingHelperError
out of theClassMethods
module.Yves Senn
-
Fix an issue where Rails raised an exception about a missing helper when it should have thrown a
LoadError
instead. When the helper file exists and only the loaded file from the helper does not exist, Rails should now throw aLoadError
instead of aMissingHelperError
.Piotr Niełacny
-
Fix
ActionDispatch::ParamsParser#parse_formatted_parameters
to rewind body input stream on parsing json params.Fixes #11345.
Yuri Bol, Paul Nikitochkin
-
Ignore spaces around delimiters in the Set-Cookie header.
Yamagishi Kazutoshi
-
Remove deprecated Rails application fallback for integration testing. Set
ActionDispatch.test_app
instead.Carlos Antonio da Silva
-
Remove deprecated
page_cache_extension
config.Francesco Rodriguez
-
Remove deprecated constants from Action Controller:
ActionController::AbstractRequest => ActionDispatch::Request ActionController::Request => ActionDispatch::Request ActionController::AbstractResponse => ActionDispatch::Response ActionController::Response => ActionDispatch::Response ActionController::Routing => ActionDispatch::Routing ActionController::Integration => ActionDispatch::Integration ActionController::IntegrationTest => ActionDispatch::IntegrationTest
Carlos Antonio da Silva
-
Fix
Mime::Type.parse
when a bad accepts header is looked up. Previously, it was settingrequest.formats
with an array containing anil
value, which raised an error when setting the controller formats.Fixes #10965.
Becker
-
Merge
:action
from routing scope and assign endpoint if both:controller
and:action
are present. The endpoint assignment only occurs if there is no:to
present in the options hash, so should only affect routes using the shorthand syntax (i.e. endpoint is inferred from the path).Fixes #9856.
Yves Senn, Andrew White
-
Action View extracted from Action Pack.
Piotr Sarnacki, Łukasz Strzałkowski
Please check 4-0-stable for previous changes.