path: root/actionpack/CHANGELOG.md
Commit message (Collapse) | Author | Age | Files | Lines
...
* Make `AC::Params#to_h` return Hash with safe keys | Prem Sichanugrist | 2014-08-18 | 1 | -0/+35
|
|    `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted
|    keys removed. This change is to reflect on a security concern where some
|    method performed on an `ActionController::Parameters` may yield a `Hash`
|    object which does not maintain `permitted?` status. If you would like to
|    get a `Hash` with all the keys intact, duplicate and mark it as permitted
|    before calling `#to_h`.
|
|        params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
|        params.to_h
|        # => {}
|
|        unsafe_params = params.dup.permit!
|        unsafe_params.to_h
|        # => {"name"=>"Senjougahara Hitagi"}
|
|        safe_params = params.permit(:name)
|        safe_params.to_h
|        # => {"name"=>"Senjougahara Hitagi"}
|
|    This change is considered a stopgap as we cannot change the code to stop
|    `ActionController::Parameters` from inheriting from
|    `HashWithIndifferentAccess` in the next minor release.
|
|    Also, adding a CHANGELOG entry to mention that
|    `ActionController::Parameters` will not be inheriting from
|    `HashWithIndifferentAccess` in the next major version.
* Deprecate TagAssertion instead of removing | Rafael Mendonça França | 2014-08-18 | 1 | -1/+1
|
* Merge branch 'master' into loofah | Rafael Mendonça França | 2014-08-17 | 1 | -0/+45
|\
| |
| |    Conflicts:
| |        actionpack/CHANGELOG.md
| * Use AS::JSON for (de)serializing cookies | Godfrey Chan | 2014-08-17 | 1 | -0/+8
| |
| |    Use the Active Support JSON encoder for cookie jars using the `:json` or
| |    `:hybrid` serializer. This allows you to serialize custom Ruby objects
| |    into cookies by defining the `#as_json` hook on such objects.
| |
| |    Fixes #16520.
| * Merge pull request #16467 from strzalek/cookies-digest-config-option2 | Godfrey Chan | 2014-08-17 | 1 | -0/+5
| |\
| | |
| | |    Cookies digest config option (pt. 2)
| | |
| | |    Conflicts:
| | |        actionpack/CHANGELOG.md
| | |        actionpack/lib/action_dispatch/middleware/cookies.rb
| | * Add config option for cookies digest | Łukasz Strzałkowski | 2014-08-12 | 1 | -0/+5
| | |
| | |    You can now configure custom digest for cookies in the same way as
| | |    `serializer`:
| | |
| | |        config.action_dispatch.cookies_digest = 'SHA256'
| * | Move respond_with to the responders gem | José Valim | 2014-08-17 | 1 | -0/+5
| | |
| | |    respond_with (and consequently the class-level respond_to) are being
| | |    removed from Rails. Instead of moving it to a 3rd library, the
| | |    functionality will be moved to responders gem (at
| | |    github.com/plataformatec/responders) which already provides some
| | |    responders extensions.
| * | When your templates change, browser caches bust automatically. | Jeremy Kemper | 2014-08-17 | 1 | -0/+18
| | |
| | |    New default: the template digest is automatically included in your
| | |    ETags. When you call `fresh_when @post`, the digest for
| | |    `posts/show.html.erb` is mixed in so future changes to the HTML will
| | |    blow HTTP caches for you. This makes it easy to HTTP-cache many more
| | |    of your actions.
| | |
| | |    If you render a different template, you can now pass the `:template`
| | |    option to include its digest instead:
| | |
| | |        fresh_when @post, template: 'widgets/show'
| | |
| | |    Pass `template: false` to skip the lookup. To turn this off entirely,
| | |    set:
| | |
| | |        config.action_controller.etag_with_template_digest = false
| * | remove deprecated `MissingHelperError` proxy. | Yves Senn | 2014-08-14 | 1 | -0/+5
| | |
| | |    The error was moved outside of the `ClassMethods` module.
| * | Fix assert_template for files. | Guo Xiang Tan | 2014-08-14 | 1 | -0/+4
| | |
| | |    The test was not failing for `assert_template file: nil` when a file
| | |    has been rendered.
* | | Prepare for partial release. | Kasper Timm Hansen | 2014-08-17 | 1 | -3/+1
| | |
| | |    - Default to Rails::DeprecatedSanitizer in ActionView::Helpers::SanitizeHelper.
| | |    - Add upgrade notes.
| | |    - Add sanitizer to new applications Gemfiles.
| | |    - Remove 'rails-dom-testing' as a dependency.
* | | Merge branch 'master' into loofah | Rafael Mendonça França | 2014-08-12 | 1 | -0/+42
|\| |
| | |
| | |    Conflicts:
| | |        actionpack/CHANGELOG.md
| | |        actionpack/test/controller/integration_test.rb
| | |        actionview/CHANGELOG.md
| * | Revert "Merge pull request #16434 from strzalek/cookies-digest-config-option" | Santiago Pastorino | 2014-08-08 | 1 | -5/+0
| | |
| | |    This reverts commit 705977620539e2be6548027042f33175ebdc2505, reversing
| | |    changes made to dde91e9bf5ab246f0f684b40288b272f4ba9a699.
| | |
| | |    IT BROKE THE BUILD!!!
| * | Add config option for cookies digest | Łukasz Strzałkowski | 2014-08-08 | 1 | -0/+5
| |/
| |
| |    You can now configure custom digest for cookies in the same way as
| |    `serializer`:
| |
| |        config.action_dispatch.cookies_digest = 'SHA256'
| * Update actionpack CHANGELOG | Ryan Dao | 2014-08-08 | 1 | -0/+5
| |
| * Add CHANGELOG for #14886 | Arthur Neves | 2014-07-18 | 1 | -0/+5
| |
| |    Also cleanup test a bit
| |
| |    [related #14886]
| |    [related #14743]
| * Stash original path in `ShowExceptions` middleware | Grey Baker | 2014-07-14 | 1 | -1/+12
| |
| |    `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status
| |    code for the exception defined in `ExceptionWrapper`, so the path the
| |    user was visiting when an exception occurred was not previously
| |    available to any custom exceptions_app.
| |
| |    The original `PATH_INFO` is now stashed in
| |    `env["action_dispatch.original_path"]`.
| * Use `#bytesize` instead of `#size` when checking for cookie overflow | Agis- | 2014-07-11 | 1 | -0/+5
| |
| |    Although the cookie values happen to be ASCII strings because they are
| |    Base64 encoded, it is semantically incorrect to check for the number of
| |    the characters in the cookie, when we actually want to check for the
| |    number of the bytes it consists of.
| |
| |    Furthermore it is unnecessary coupling with the current implementation
| |    that uses Base64 for encoding the values.
| * Synced 4.2 release notes with the latest commits. | Godfrey Chan | 2014-07-11 | 1 | -0/+2
| |
| |    Also reordered some of the items to put newer ones on top (same order
| |    as CHANGELOGs), which makes it easier to diff while we are still
| |    working on it.
| * Removed single space padding from empty response body. | Godfrey Chan | 2014-07-10 | 1 | -0/+14
| |
| |    `render nothing: true` or rendering a `nil` body no longer adds a single
| |    space to the response body.
| |
| |    The old behavior was added as a workaround for a bug in an early
| |    version of Safari, where the HTTP headers are not returned correctly if
| |    the response body has a 0-length. This has been fixed since and the
| |    workaround is no longer necessary.
| |
| |    Use `render body: ' '` if the old behavior is desired.
* | Merge pull request #11218 from kaspth/loofah-integration | Rafael Mendonça França | 2014-07-10 | 1 | -0/+6
|\ \
| |/
|/|
| |
| |    Loofah-integration
| |
| |    Conflicts:
| |        actionpack/CHANGELOG.md
| |        actionview/CHANGELOG.md
| * Added deprecation notice to actionpack changelog. | Timm | 2014-06-16 | 1 | -0/+6
| |
* | Merge branch 'rosetta_flash' of https://github.com/gcampbell/rails into gcampbell-rosetta_flash | Aaron Patterson | 2014-07-10 | 1 | -0/+5
|\ \
| | |
| | |    * 'rosetta_flash' of https://github.com/gcampbell/rails:
| | |      Address CVE-2014-4671 (JSONP Flash exploit)
| | |
| | |    Conflicts:
| | |        actionpack/CHANGELOG.md
| * | Address CVE-2014-4671 (JSONP Flash exploit) | Greg Campbell | 2014-07-09 | 1 | -0/+5
| | |
| | |    Adds a comment before JSONP callbacks. See
| | |    http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ for more
| | |    details on the exploit in question.
* | | Force encoding of US-ASCII to UTF-8 in unescape_uri. | Karl Entwistle | 2014-07-10 | 1 | -0/+9
|/ /
| |
| |    Because URI paths may contain non US-ASCII characters we need to force
| |    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
| |    This essentially replicates the functionality of the monkey patch to
| |    URI.parser.unescape in active_support/core_ext/uri.rb.
| |
| |    Fixes #16104.
* | Generate shallow paths for all children of shallow resources. | Seb Jacobs | 2014-07-06 | 1 | -1/+6
| |
| |    Prior to this commit shallow resources would only generate paths for
| |    non-direct children (with a nested depth greater than 1).
| |
| |    Take the following routes file.
| |
| |        resources :blogs do
| |          resources :posts, shallow: true do
| |            resources :comments do
| |              resources :tags
| |            end
| |          end
| |        end
| |
| |    This would generate shallow paths for `tags` nested under `posts`,
| |    e.g. `/posts/:id/tags/`, however it would not generate shallow paths for
| |    `comments` nested under `posts`, e.g. `/posts/:id/comments/new`.
| |
| |    This commit changes the behaviour of the route mapper so that it
| |    generates paths for direct children of shallow resources, for example if
| |    you take the previous routes file, this will now generate shallow paths
| |    for `comments` nested under `posts`, e.g. `posts/:id/comments/new`.
| |
| |    This was the behaviour in Rails `4.0.4` however this was broken in
| |    @jcoglan's fix for another routes related issue[1].
| |
| |    This also fixes an issue[2] reported by @smdern.
| |
| |    [1] https://github.com/rails/rails/commit/d0e5963
| |    [2] https://github.com/rails/rails/issues/15783
* | Change the JSON renderer to enforce the 'JS' Content Type | Lucas Mazza | 2014-07-02 | 1 | -0/+7
| |
| |    The controller can set the response format as 'JSON' before the renderer
| |    code is evaluated, so we must replace it when necessary.
| |
| |    Fixes #15081
* | Merge pull request #15933 from rafael/master | Rafael Mendonça França | 2014-06-27 | 1 | -0/+6
|\ \
| | |
| | |    Add always permitted parameters as a configurable option.
| | |
| | |    [Rafael Mendonça França + Gary S. Weaver]
* | | Fix request's path_info when a rack app mounted at '/'. | Larry Lv | 2014-06-14 | 1 | -0/+6
| | |
| | |    Fixes issue #15511.
* | | Merge pull request #15692 from sromano/falseClass | Matthew Draper | 2014-06-14 | 1 | -0/+6
|\ \ \
| | | |
| | | |    ActionController::Parameters#require now accepts FalseClass values
| * | | ActionController::Parameters#require now accepts FalseClass values | Sergio Romano | 2014-06-13 | 1 | -0/+6
|/ / /
| | |
| | |    Fixes #15685.
* | / Fix parsed token value with header `Authorization token=`. | Larry Lv | 2014-06-13 | 1 | -0/+7
| |/
|/|
* | Handle client disconnect during live streaming | Matthew Draper | 2014-06-08 | 1 | -0/+5
| |
| |    .. even when the producer is blocked for a write.
* | Partially revert deprecation of *_filter | Rafael Mendonça França | 2014-06-03 | 1 | -4/+0
| |
| |    We are going to deprecate only on Rails 5 to make it easier for plugin
| |    maintainers to support different Rails versions.
| |
| |    Right now we are only discouraging their usage.
| |
| |    This reverts commit 6c5f43bab8206747a8591435b2aa0ff7051ad3de.
| |
| |    Conflicts:
| |        actionpack/CHANGELOG.md
* | Routes specifying 'to:' must be a string that contains a "#" or a rack | Aaron Patterson | 2014-06-03 | 1 | -0/+4
| |
| |    application. Use of a symbol should be replaced with `action: symbol`.
| |    Use of a string without a "#" should be replaced with
| |    `controller: string`.
* | Missing period from AP/CHANGELOG [ci skip] | Zachary Scott | 2014-05-31 | 1 | -1/+1
| |
* | Deprecate all *_filter callbacks in favor of *_action callbacks | Rafael Mendonça França | 2014-05-27 | 1 | -0/+4
| |
| |    This is the continuation of the work started at
| |    9d62e04838f01f5589fa50b0baa480d60c815e2c
* | Merge pull request #14986 from dlangevin/trailing-slash-url-generation | Rafael Mendonça França | 2014-05-24 | 1 | -0/+6
|\ \
| | |
| | |    Fixes URL generation with trailing_slash: true
| | |
| | |    Conflicts:
| | |        actionpack/lib/action_dispatch/http/url.rb
| * | Fixes URL generation with trailing_slash: true | Dan Langevin | 2014-05-22 | 1 | -0/+5
| | |
| | |    URL generation with trailing_slash: true was adding a trailing slash
| | |    after .:format
| | |
| | |        Routes.draw do
| | |          resources :bars
| | |        end
| | |
| | |        bars_url(trailing_slash: true, format: 'json') # => /bars.json/
| | |
| | |    This commit removes that extra trailing slash
* | | Future port c8ddb61 | Zachary Scott | 2014-05-23 | 1 | -3/+3
| | |
* | | Form full URI as string to be parsed in Rack::Test. | Guo Xiang Tan | 2014-05-21 | 1 | -0/+5
| | |
| | |    There are performance gains to be made by avoiding URI setter methods.
* | | Merge pull request #15118 from khelben/head_with_status_action_stack_level_too_deep | Rafael Mendonça França | 2014-05-15 | 1 | -0/+7
|\ \ \
| | | |
| | | |    fixes stack level too deep exception on action named 'status'
| | | |    rendering 'head :ok'
| * | | fixes stack level too deep exception on action named 'status' returning 'head :ok' | Christiaan Van den Poel | 2014-05-15 | 1 | -0/+7
|/ / /
* | | Merge pull request #15121 from skarpesh/rfc4791-methods | Rafael Mendonça França | 2014-05-15 | 1 | -0/+4
|\ \ \
| | | |
| | | |    Add RFC 4791 MKCALENDAR method
| * | | Add RFC4791 MKCALENDAR method | kasper | 2014-05-15 | 1 | -0/+4
|/ / /
* | | Merge pull request #14137 from dasch/better-fragment-cache-instrumentation | Rafael Mendonça França | 2014-05-14 | 1 | -0/+8
|\ \ \
| | | |
| | | |    Add controller and action name to the fragment caching
| | | |    instrumentation payload
| | | |
| | | |    Conflicts:
| | | |        actionpack/CHANGELOG.md
| * | | Add controller and action name to the instrumentation payload | Daniel Schierbeck | 2014-05-10 | 1 | -0/+8
| | | |
* | | | Always use the provided port for protocol relative urls | Andrew White | 2014-05-11 | 1 | -0/+6
| | | |
| | | |    There may be situations where you need to tunnel SSL connections over
| | | |    port 80 so we shouldn't remove it if it has been explicitly provided.
* | | | Moved 'params[request_forgery_protection_token]' into its own method and improved tests. | Tom Kadwill | 2014-05-06 | 1 | -0/+7
| |/ /
|/| |
* | | Improve CHANGELOG entry | Rafael Mendonça França | 2014-05-04 | 1 | -2/+2
| | |