Diffstat (limited to 'guides/source')
-rw-r--r--  guides/source/4_1_release_notes.md        294
-rw-r--r--  guides/source/security.md                   8
-rw-r--r--  guides/source/upgrading_ruby_on_rails.md   44
3 files changed, 203 insertions, 143 deletions
diff --git a/guides/source/4_1_release_notes.md b/guides/source/4_1_release_notes.md
index ebeda1d25e..95351ac8be 100644
--- a/guides/source/4_1_release_notes.md
+++ b/guides/source/4_1_release_notes.md
@@ -222,6 +222,17 @@ This example is equivalent to defining a `EventTracking` module inline,
extending it with `ActiveSupport::Concern`, then mixing it in to the
`Todo` class.
+### CSRF protection from remote `<script>` tags
+
+Cross-site request forgery (CSRF) protection now covers GET requests with
+JavaScript responses, too. That prevents a third-party site from referencing
+your JavaScript URL and attempting to run it to extract sensitive data.
+
+This means any of your tests that hit `.js` URLs will now fail CSRF protection
+unless they use `xhr`. Upgrade your tests to be explicit about expecting
+XmlHttpRequests. Instead of `post :create, format: :js`, switch to the explicit
+`xhr :post, :create, format: :js`.
+
Railties
--------
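Review bot: the example in the last added paragraph, `post :create, format: :js`, is a non-GET request and was already subject to token verification before this change; since the paragraph describes GET requests with JavaScript responses now being covered, a GET pair such as the `get :index, format: :js` / `xhr :get, :index, format: :js` used in the upgrading guide hunk of this same diff would illustrate the new behaviour more directly. Also spell the API as `XMLHttpRequest` rather than "XmlHttpRequests", and it would help readers to name what a failing check looks like in their test output so they can recognise it when the suite breaks.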
@@ -262,138 +273,6 @@ for detailed changes.
* Add `Application#message_verifier` method to return a message
verifier. ([Pull Request](https://github.com/rails/rails/pull/12995))
-Action Mailer
--------------
-
-Please refer to the
-[Changelog](https://github.com/rails/rails/blob/4-1-stable/actionmailer/CHANGELOG.md)
-for detailed changes.
-
-### Notable changes
-
-* Instrument the generation of Action Mailer messages. The time it takes to
- generate a message is written to the log. ([Pull Request](https://github.com/rails/rails/pull/12556))
-
-
-Active Model
-------------
-
-Please refer to the
-[Changelog](https://github.com/rails/rails/blob/4-1-stable/activemodel/CHANGELOG.md)
-for detailed changes.
-
-### Deprecations
-
-* Deprecate `Validator#setup`. This should be done manually now in the
- validator's constructor. ([Commit](https://github.com/rails/rails/commit/7d84c3a2f7ede0e8d04540e9c0640de7378e9b3a))
-
-### Notable changes
-
-* Added new API methods `reset_changes` and `changes_applied` to
- `ActiveModel::Dirty` that control changes state.
-
-
-Active Support
---------------
-
-Please refer to the
-[Changelog](https://github.com/rails/rails/blob/4-1-stable/activesupport/CHANGELOG.md)
-for detailed changes.
-
-
-### Removals
-
-* Removed `MultiJSON` dependency. As a result, `ActiveSupport::JSON.decode`
- no longer accepts an options hash for `MultiJSON`. ([Pull Request](https://github.com/rails/rails/pull/10576) / [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Removed support for the `encode_json` hook used for encoding custom objects into
- JSON. This feature has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
- gem.
- ([Related Pull Request](https://github.com/rails/rails/pull/12183) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Removed deprecated `ActiveSupport::JSON::Variable` with no replacement.
-
-* Removed deprecated `String#encoding_aware?` core extensions (`core_ext/string/encoding`).
-
-* Removed deprecated `Module#local_constant_names` in favor of `Module#local_constants`.
-
-* Removed deprecated `DateTime.local_offset` in favor of `DateTime.civil_from_fromat`.
-
-* Removed deprecated `Logger` core extensions (`core_ext/logger.rb`).
-
-* Removed deprecated `Time#time_with_datetime_fallback`, `Time#utc_time` and
- `Time#local_time` in favor of `Time#utc` and `Time#local`.
-
-* Removed deprecated `Hash#diff` with no replacement.
-
-* Removed deprecated `Date#to_time_in_current_zone` in favor of `Date#in_time_zone`.
-
-* Removed deprecated `Proc#bind` with no replacement.
-
-* Removed deprecated `Array#uniq_by` and `Array#uniq_by!`, use native
- `Array#uniq` and `Array#uniq!` instead.
-
-* Removed deprecated `ActiveSupport::BasicObject`, use
- `ActiveSupport::ProxyObject` instead.
-
-* Removed deprecated `BufferedLogger`, use `ActiveSupport::Logger` instead.
-
-* Removed deprecated `assert_present` and `assert_blank` methods, use `assert
- object.blank?` and `assert object.present?` instead.
-
-### Deprecations
-
-* Deprecated `Numeric#{ago,until,since,from_now}`, the user is expected to
- explicitly convert the value into an AS::Duration, i.e. `5.ago` => `5.seconds.ago`
- ([Pull Request](https://github.com/rails/rails/pull/12389))
-
-* Deprecated the require path `active_support/core_ext/object/to_json`. Require
- `active_support/core_ext/object/json` instead. ([Pull Request](https://github.com/rails/rails/pull/12203))
-
-* Deprecated `ActiveSupport::JSON::Encoding::CircularReferenceError`. This feature
- has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
- gem.
- ([Pull Request](https://github.com/rails/rails/pull/12785) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Deprecated `ActiveSupport.encode_big_decimal_as_string` option. This feature has
- been extracetd into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
- gem.
- ([Pull Request](https://github.com/rails/rails/pull/13060) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-### Notable changes
-
-* `ActiveSupport`'s JSON encoder has been rewritten to take advantage of the
- JSON gem rather than doing custom encoding in pure-Ruby.
- ([Pull Request](https://github.com/rails/rails/pull/12183) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Improved compatibility with the JSON gem.
- ([Pull Request](https://github.com/rails/rails/pull/12862) /
- [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
-
-* Added `ActiveSupport::Testing::TimeHelpers#travel` and `#travel_to`. These
- methods change current time to the given time or time difference by stubbing
- `Time.now` and
- `Date.today`. ([Pull Request](https://github.com/rails/rails/pull/12824))
-
-* Added `Numeric#in_milliseconds`, like `1.hour.in_milliseconds`, so we can feed
- them to JavaScript functions like
- `getTime()`. ([Commit](https://github.com/rails/rails/commit/423249504a2b468d7a273cbe6accf4f21cb0e643))
-
-* Added `Date#middle_of_day`, `DateTime#middle_of_day` and `Time#middle_of_day`
- methods. Also added `midday`, `noon`, `at_midday`, `at_noon` and
- `at_middle_of_day` as
- aliases. ([Pull Request](https://github.com/rails/rails/pull/10879))
-
-* Added `String#remove(pattern)` as a short-hand for the common pattern of
- `String#gsub(pattern,'')`. ([Commit](https://github.com/rails/rails/commit/5da23a3f921f0a4a3139495d2779ab0d3bd4cb5f))
-
-* Removed 'cow' => 'kine' irregular inflection from default
- inflections. ([Commit](https://github.com/rails/rails/commit/c300dca9963bda78b8f358dbcb59cabcdc5e1dc9))
-
Action Pack
-----------
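Review bot: this hunk deletes the Action Mailer, Active Model and Active Support sections, which are re-added further down in the same diff; a section move combined with wording edits is hard to review because the deleted block has to be compared against the re-inserted one by eye. Splitting the reorder into its own commit would let the substantive changes stand out, such as the silent spelling fix from `DateTime.civil_from_fromat` here to `DateTime.civil_from_format` in the re-inserted block.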
@@ -413,16 +292,23 @@ for detailed changes.
* Removed deprecated constants from Action Controller:
- ActionController::AbstractRequest => ActionDispatch::Request
- ActionController::Request => ActionDispatch::Request
- ActionController::AbstractResponse => ActionDispatch::Response
- ActionController::Response => ActionDispatch::Response
- ActionController::Routing => ActionDispatch::Routing
- ActionController::Integration => ActionDispatch::Integration
- ActionController::IntegrationTest => ActionDispatch::IntegrationTest
+ | Removed | Successor |
+ |:-----------------------------------|:--------------------------------|
+ | ActionController::AbstractRequest | ActionDispatch::Request |
+ | ActionController::Request | ActionDispatch::Request |
+ | ActionController::AbstractResponse | ActionDispatch::Response |
+ | ActionController::Response | ActionDispatch::Response |
+ | ActionController::Routing | ActionDispatch::Routing |
+ | ActionController::Integration | ActionDispatch::Integration |
+ | ActionController::IntegrationTest | ActionDispatch::IntegrationTest |
### Notable changes
+* `protect_from_forgery` also prevents cross-origin `<script>` tags.
+ Update your tests to use `xhr :get, :foo, format: :js` instead of
+ `get :foo, format: :js`.
+ ([Pull Request](https://github.com/rails/rails/pull/13345))
+
* `#url_for` takes a hash with options inside an
array. ([Pull Request](https://github.com/rails/rails/pull/9599))
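Review bot: in the new table the constant names are bare text while the rest of this file puts identifiers in backticks; wrapping each cell (`ActionController::AbstractRequest`, `ActionDispatch::Request`, and so on) would keep the formatting consistent and make the names copyable. In the new bullet, "`protect_from_forgery` also prevents cross-origin `<script>` tags" reads as if the tags themselves are blocked; what the change does, per the release-notes section added earlier in this diff, is reject plain GET requests for JavaScript responses unless they arrive as an XMLHttpRequest, so wording it as "rejects non-XHR GET requests for JavaScript responses, which stops cross-origin `<script src=...>` inclusion of your JS URLs" would be more precise.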
@@ -434,6 +320,17 @@ for detailed changes.
* Separated Action View completely from Action
Pack. ([Pull Request](https://github.com/rails/rails/pull/11032))
+Action Mailer
+-------------
+
+Please refer to the
+[Changelog](https://github.com/rails/rails/blob/4-1-stable/actionmailer/CHANGELOG.md)
+for detailed changes.
+
+### Notable changes
+
+* Instrument the generation of Action Mailer messages. The time it takes to
+ generate a message is written to the log. ([Pull Request](https://github.com/rails/rails/pull/12556))
Active Record
-------------
@@ -578,6 +475,125 @@ for detailed changes.
object. Helper methods used by multiple fixtures should be defined on modules
included in `ActiveRecord::FixtureSet.context_class`. ([Pull Request](https://github.com/rails/rails/pull/13022))
+Active Model
+------------
+
+Please refer to the
+[Changelog](https://github.com/rails/rails/blob/4-1-stable/activemodel/CHANGELOG.md)
+for detailed changes.
+
+### Deprecations
+
+* Deprecate `Validator#setup`. This should be done manually now in the
+ validator's constructor. ([Commit](https://github.com/rails/rails/commit/7d84c3a2f7ede0e8d04540e9c0640de7378e9b3a))
+
+### Notable changes
+
+* Added new API methods `reset_changes` and `changes_applied` to
+ `ActiveModel::Dirty` that control changes state.
+
+
+Active Support
+--------------
+
+Please refer to the
+[Changelog](https://github.com/rails/rails/blob/4-1-stable/activesupport/CHANGELOG.md)
+for detailed changes.
+
+
+### Removals
+
+* Removed `MultiJSON` dependency. As a result, `ActiveSupport::JSON.decode`
+ no longer accepts an options hash for `MultiJSON`. ([Pull Request](https://github.com/rails/rails/pull/10576) / [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Removed support for the `encode_json` hook used for encoding custom objects into
+ JSON. This feature has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
+ gem.
+ ([Related Pull Request](https://github.com/rails/rails/pull/12183) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Removed deprecated `ActiveSupport::JSON::Variable` with no replacement.
+
+* Removed deprecated `String#encoding_aware?` core extensions (`core_ext/string/encoding`).
+
+* Removed deprecated `Module#local_constant_names` in favor of `Module#local_constants`.
+
+* Removed deprecated `DateTime.local_offset` in favor of `DateTime.civil_from_format`.
+
+* Removed deprecated `Logger` core extensions (`core_ext/logger.rb`).
+
+* Removed deprecated `Time#time_with_datetime_fallback`, `Time#utc_time` and
+ `Time#local_time` in favor of `Time#utc` and `Time#local`.
+
+* Removed deprecated `Hash#diff` with no replacement.
+
+* Removed deprecated `Date#to_time_in_current_zone` in favor of `Date#in_time_zone`.
+
+* Removed deprecated `Proc#bind` with no replacement.
+
+* Removed deprecated `Array#uniq_by` and `Array#uniq_by!`, use native
+ `Array#uniq` and `Array#uniq!` instead.
+
+* Removed deprecated `ActiveSupport::BasicObject`, use
+ `ActiveSupport::ProxyObject` instead.
+
+* Removed deprecated `BufferedLogger`, use `ActiveSupport::Logger` instead.
+
+* Removed deprecated `assert_present` and `assert_blank` methods, use `assert
+ object.blank?` and `assert object.present?` instead.
+
+### Deprecations
+
+* Deprecated `Numeric#{ago,until,since,from_now}`, the user is expected to
+ explicitly convert the value into an AS::Duration, i.e. `5.ago` => `5.seconds.ago`
+ ([Pull Request](https://github.com/rails/rails/pull/12389))
+
+* Deprecated the require path `active_support/core_ext/object/to_json`. Require
+ `active_support/core_ext/object/json` instead. ([Pull Request](https://github.com/rails/rails/pull/12203))
+
+* Deprecated `ActiveSupport::JSON::Encoding::CircularReferenceError`. This feature
+ has been extracted into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
+ gem.
+ ([Pull Request](https://github.com/rails/rails/pull/12785) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Deprecated `ActiveSupport.encode_big_decimal_as_string` option. This feature has
+ been extracetd into the [activesupport-json_encoder](https://github.com/rails/activesupport-json_encoder)
+ gem.
+ ([Pull Request](https://github.com/rails/rails/pull/13060) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+### Notable changes
+
+* `ActiveSupport`'s JSON encoder has been rewritten to take advantage of the
+ JSON gem rather than doing custom encoding in pure-Ruby.
+ ([Pull Request](https://github.com/rails/rails/pull/12183) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Improved compatibility with the JSON gem.
+ ([Pull Request](https://github.com/rails/rails/pull/12862) /
+ [More Details](upgrading_ruby_on_rails.html#changes-in-json-handling))
+
+* Added `ActiveSupport::Testing::TimeHelpers#travel` and `#travel_to`. These
+ methods change current time to the given time or time difference by stubbing
+ `Time.now` and
+ `Date.today`. ([Pull Request](https://github.com/rails/rails/pull/12824))
+
+* Added `Numeric#in_milliseconds`, like `1.hour.in_milliseconds`, so we can feed
+ them to JavaScript functions like
+ `getTime()`. ([Commit](https://github.com/rails/rails/commit/423249504a2b468d7a273cbe6accf4f21cb0e643))
+
+* Added `Date#middle_of_day`, `DateTime#middle_of_day` and `Time#middle_of_day`
+ methods. Also added `midday`, `noon`, `at_midday`, `at_noon` and
+ `at_middle_of_day` as
+ aliases. ([Pull Request](https://github.com/rails/rails/pull/10879))
+
+* Added `String#remove(pattern)` as a short-hand for the common pattern of
+ `String#gsub(pattern,'')`. ([Commit](https://github.com/rails/rails/commit/5da23a3f921f0a4a3139495d2779ab0d3bd4cb5f))
+
+* Removed 'cow' => 'kine' irregular inflection from default
+ inflections. ([Commit](https://github.com/rails/rails/commit/c300dca9963bda78b8f358dbcb59cabcdc5e1dc9))
+
Credits
-------
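Review bot: the re-inserted Active Support block carries over the typo "extracetd" in the `ActiveSupport.encode_big_decimal_as_string` deprecation bullet; since the block is being re-typed anyway, this is the moment to correct it to "extracted", as was done for `civil_from_format` in the removals list. Also, "i.e. `5.ago` => `5.seconds.ago`" in the `Numeric#{ago,until,since,from_now}` bullet introduces an example rather than a restatement, so "e.g." is the right abbreviation.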
diff --git a/guides/source/security.md b/guides/source/security.md
index c698959a2c..21cc3deb8a 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -230,13 +230,15 @@ Or the attacker places the code into the onmouseover event handler of an image:
<img src="http://www.harmless.com/img" width="400" height="400" onmouseover="..." />
```
-There are many other possibilities, including Ajax to attack the victim in the background.
The _solution to this is including a security token in non-GET requests_ which check on the server-side. In Rails 2 or higher, this is a one-liner in the application controller:
+There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since XmlHttpRequest is subject to the browser Same-Origin policy - meaning only your site can initiate the request.
+
+To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller:
```ruby
-protect_from_forgery secret: "123456789012345678901234567890..."
+protect_from_forgery
```
-This will automatically include a security token, calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. You won't need the secret, if you use CookieStorage as session storage. If the security token doesn't match what was expected, the session will be reset. **Note:** In Rails versions prior to 3.0.4, this raised an `ActionController::InvalidAuthenticityToken` error.
+This will automatically include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, the session will be reset.
It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself:
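Review bot: the retained context line "The _solution to this is including a security token in non-GET requests_ which check on the server-side. In Rails 2 or higher, this is a one-liner in the application controller:" no longer sits next to the code block it used to introduce; the new paragraph ending "This is a one-liner in your application controller:" now does that job, so the old sentence should be removed or folded into the new one, otherwise the reader is told about the one-liner twice and the first mention dangles before the `<script>` discussion. The new paragraph would also be stronger if it said how the server tells an Ajax request apart from a `<script>` load, since "subject to the browser Same-Origin policy" on its own does not explain why another site cannot simply send an Ajax request of its own. Spelling: `XMLHttpRequest`.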
diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md
index b838874e2b..2f0f3573fb 100644
--- a/guides/source/upgrading_ruby_on_rails.md
+++ b/guides/source/upgrading_ruby_on_rails.md
@@ -27,6 +27,31 @@ Upgrading from Rails 4.0 to Rails 4.1
NOTE: This section is a work in progress.
+### CSRF protection from remote `<script>` tags
+
+Or, "whaaat my tests are failing!!!?"
+
+Cross-site request forgery (CSRF) protection now covers GET requests with
+JavaScript responses, too. That prevents a third-party site from referencing
+your JavaScript URL and attempting to run it to extract sensitive data.
+
+This means that your functional and integration tests that use
+
+```ruby
+get :index, format: :js
+```
+
+will now trigger CSRF protection. Switch to
+
+```ruby
+xhr :get, :index, format: :js
+```
+
+to explicitly test an XmlHttpRequest.
+
+If you really mean to load JavaScript from remote `<script>` tags, skip CSRF
+protection on that action.
+
### Spring
If you want to use Spring as your application preloader you need to:
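Review bot: the closing paragraph tells readers to "skip CSRF protection on that action" without showing how or saying what they give up; because the preceding paragraph explains that the check exists to stop a third-party site from running your JavaScript URL to extract sensitive data, the guide should add that skipping it is only appropriate for actions whose JavaScript response contains nothing user- or session-specific, and show the skip scoped to that single action (`only:`) rather than the whole controller. The "whaaat my tests are failing!!!?" subtitle is also out of register with the rest of the upgrading guide.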
@@ -68,7 +93,7 @@ secrets, you need to:
### Changes in JSON handling
-The are a few major changes related to JSON handling in Rails 4.1.
+There are a few major changes related to JSON handling in Rails 4.1.
#### MultiJSON removal
@@ -200,6 +225,23 @@ Note that this option was added as a security measure, to ensure user input coul
not be used as locale information unless previously known, so it's recommended not
to disable this option unless you have a strong reason for doing so.
+### Mutator methods called on Relation
+
+`Relation` no longer has mutator methods like `#map!` and `#delete_if`. Convert
+to an `Array` by calling `#to_a` before using these methods.
+
+It intends to prevent odd bugs and confusion in code that call mutator
+methods directly on the `Relation`.
+
+```ruby
+# Instead of this
+Author.where(name: 'Hank Moody').compact!
+
+# Now you have to do this
+authors = Author.where(name: 'Hank Moody').to_a
+authors.compact!
+```
+
Upgrading from Rails 3.2 to Rails 4.0
-------------------------------------
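Review bot: "It intends to prevent odd bugs and confusion in code that call mutator methods directly on the `Relation`" is ungrammatical and has no clear subject; "This change is intended to prevent subtle bugs and confusion in code that calls mutator methods directly on the `Relation`" reads better. The prose names `#map!` and `#delete_if` as the removed methods but the code example uses `compact!`; either mention `compact!` in the text or use one of the named methods in the example so the two agree. It would also help to state what now happens when such a method is called on a `Relation`, since the resulting error is how readers will first encounter this change.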