1 files changed, 25 insertions, 151 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index c38b31903b..3f29d810d5 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,168 +1,42 @@
-*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
+*   Correctly rely on the response's status code to handle calls to `head`.
 
-    Fixes #15511.
+    *Robin Dupret*
 
-    *Larry Lv*
+*   Using `head` method returns empty response_body instead
+    of returning a single space " ".
 
-*   ActionController::Parameters#require now accepts `false` values.
+    The old behavior was added as a workaround for a bug in an early
+    version of Safari, where the HTTP headers are not returned correctly
+    if the response body has a 0-length. This is been fixed since and
+    the workaround is no longer necessary.
 
-    Fixes #15685.
+    Fixes #18253.
 
-    *Sergio Romano*
+    *Prathamesh Sonpatki*
 
-*   With authorization header `Authorization: Token token=`, `authenticate` now
-    recognize token as nil, instead of "token".
+*   Fix how polymorphic routes works with objects that implement `to_model`.
 
-    Fixes #14846.
+    *Travis Grathwell*
 
-    *Larry Lv*
+*   Stop converting empty arrays in `params` to `nil`
 
-*   Ensure the controller is always notified as soon as the client disconnects
-    during live streaming, even when the controller is blocked on a write.
+    This behaviour was introduced in response to CVE-2012-2660, CVE-2012-2694
+    and CVE-2013-0155
 
-    *Nicholas Jakobsen*, *Matthew Draper*
+    ActiveRecord now issues a safe query when passing an empty array into
+    a where clause, so there is no longer a need to defend against this type
+    of input (any nils are still stripped from the array).
 
-*   Routes specifying 'to:' must be a string that contains a "#" or a rack
-    application.  Use of a symbol should be replaced with `action: symbol`.
-    Use of a string without a "#" should be replaced with `controller: string`.
+    *Chris Sinjakli*
 
-*   Fix URL generation with `:trailing_slash` such that it does not add
-    a trailing slash after `.:format`
+*   Fixed usage of optional scopes in url helpers.
 
-    *Dan Langevin*
+    *Alex Robbin*
 
-*   Build full URI as string when processing path in integration tests for
-    performance reasons.
+*   Fixed handling of positional url helper arguments when `format: false`.
 
-    *Guo Xiang Tan*
+    Fixes #17819.
 
-*   Fix `'Stack level too deep'` when rendering `head :ok` in an action method
-    called 'status' in a controller.
+    *Andrew White*, *Tatiana Soukiassian*
 
-    Fixes #13905.
-
-    *Christiaan Van den Poel*
-
-*   Add MKCALENDAR HTTP method (RFC 4791).
-
-    *Sergey Karpesh*
-
-*   Instrument fragment cache metrics.
-
-    Adds `:controller`: and `:action` keys to the instrumentation payload
-    for the `*_fragment.action_controller` notifications. This allows tracking
-    e.g. the fragment cache hit rates for each controller action.
-
-    *Daniel Schierbeck*
-
-*   Always use the provided port if the protocol is relative.
-
-    Fixes #15043.
-
-    *Guilherme Cavalcanti*, *Andrew White*
-
-*   Moved `params[request_forgery_protection_token]` into its own method
-    and improved tests.
-
-    Fixes #11316.
-
-    *Tom Kadwill*
-
-*   Added verification of route constraints given as a Proc or an object responding
-    to `:matches?`. Previously, when given an non-complying object, it would just
-    silently fail to enforce the constraint. It will now raise an `ArgumentError`
-    when setting up the routes.
-
-    *Xavier Defrang*
-
-*   Properly treat the entire IPv6 User Local Address space as private for
-    purposes of remote IP detection. Also handle uppercase private IPv6
-    addresses.
-
-    Fixes #12638.
-
-    *Caleb Spare*
-
-*   Fixed an issue with migrating legacy json cookies.
-
-    Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
-    cookies are marshal-encoded. This is not the case when `secret_token` is
-    used in conjunction with the `:json` or `:hybrid` serializer.
-
-    In those case, when upgrading to use `secret_key_base`, this would cause a
-    `TypeError: incompatible marshal file format` and a 500 error for the user.
-
-    Fixes #14774.
-
-    *Godfrey Chan*
-
-*   Make URL escaping more consistent:
-
-    1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
-    2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
-    3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
-    4. Use `escape_segment` rather than `escape_path` in URL generation
-
-    For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
-    (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
-    means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
-    is used in the path then this uses `escape_path` as the controller may be namespaced.
-
-    Fixes #14629, #14636 and #14070.
-
-    *Andrew White*, *Edho Arief*
-
-*   Add alias `ActionDispatch::Http::UploadedFile#to_io` to
-    `ActionDispatch::Http::UploadedFile#tempfile`.
-
-    *Tim Linquist*
-
-*   Returns null type format when format is not know and controller is using `any`
-    format block.
-
-    Fixes #14462.
-
-    *Rafael Mendonça França*
-
-*   Improve routing error page with fuzzy matching search.
-
-    *Winston*
-
-*   Only make deeply nested routes shallow when parent is shallow.
-
-    Fixes #14684.
-
-    *Andrew White*, *James Coglan*
-
-*   Append link to bad code to backtrace when exception is `SyntaxError`.
-
-    *Boris Kuznetsov*
-
-*   Swapped the parameters of assert_equal in `assert_select` so that the
-    proper values were printed correctly.
-
-    Fixes #14422.
-
-    *Vishal Lal*
-
-*   The method `shallow?` returns false if the parent resource is a singleton so
-    we need to check if we're not inside a nested scope before copying the :path
-    and :as options to their shallow equivalents.
-
-    Fixes #14388.
-
-    *Andrew White*
-
-*   Make logging of CSRF failures optional (but on by default) with the
-    `log_warning_on_csrf_failure` configuration setting in
-    `ActionController::RequestForgeryProtection`.
-
-    *John Barton*
-
-*   Fix URL generation in controller tests with request-dependent
-    `default_url_options` methods.
-
-    *Tony Wooster*
-
-
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [4-2-stable](https://github.com/rails/rails/blob/4-2-stable/actionpack/CHANGELOG.md) for previous changes.