* Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8 loopback address. *Earl St Sauver*, *Sven Riedel* * Preserve original path in `ShowExceptions` middleware by stashing it as `env["action_dispatch.original_path"]` `ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code for the exception defined in `ExceptionWrapper`, so the path the user was visiting when an exception occurred was not previously available to any custom exceptions_app. The original `PATH_INFO` is now stashed in `env["action_dispatch.original_path"]`. *Grey Baker* * Use `String#bytesize` instead of `String#size` when checking for cookie overflow. *Agis Anastasopoulos* * `render nothing: true` or rendering a `nil` body no longer add a single space to the response body. The old behavior was added as a workaround for a bug in an early version of Safari, where the HTTP headers are not returned correctly if the response body has a 0-length. This is been fixed since and the workaround is no longer necessary. Use `render body: ' '` if the old behavior is desired. See #14883 for details. *Godfrey Chan* * Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671 ("Rosetta Flash") *Greg Campbell* * Because URI paths may contain non US-ASCII characters we need to force the encoding of any unescaped URIs to UTF-8 if they are US-ASCII. This essentially replicates the functionality of the monkey patch to URI.parser.unescape in active_support/core_ext/uri.rb. Fixes #16104. *Karl Entwistle* * Generate shallow paths for all children of shallow resources. Fixes #15783. *Seb Jacobs* * JSONP responses are now rendered with the `text/javascript` content type when rendering through a `respond_to` block. Fixes #15081. *Lucas Mazza* * Add `config.action_controller.always_permitted_parameters` to configure which parameters are permitted globally. The default value of this configuration is `['controller', 'action']`. *Gary S. Weaver*, *Rafael Chacon* * Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'. Fixes #15511. *Larry Lv* * ActionController::Parameters#require now accepts `false` values. Fixes #15685. *Sergio Romano* * With authorization header `Authorization: Token token=`, `authenticate` now recognize token as nil, instead of "token". Fixes #14846. *Larry Lv* * Ensure the controller is always notified as soon as the client disconnects during live streaming, even when the controller is blocked on a write. *Nicholas Jakobsen*, *Matthew Draper* * Routes specifying 'to:' must be a string that contains a "#" or a rack application. Use of a symbol should be replaced with `action: symbol`. Use of a string without a "#" should be replaced with `controller: string`. *Aaron Patterson* * Fix URL generation with `:trailing_slash` such that it does not add a trailing slash after `.:format` *Dan Langevin* * Build full URI as string when processing path in integration tests for performance reasons. *Guo Xiang Tan* * Fix `'Stack level too deep'` when rendering `head :ok` in an action method called 'status' in a controller. Fixes #13905. *Christiaan Van den Poel* * Add MKCALENDAR HTTP method (RFC 4791). *Sergey Karpesh* * Instrument fragment cache metrics. Adds `:controller`: and `:action` keys to the instrumentation payload for the `*_fragment.action_controller` notifications. This allows tracking e.g. the fragment cache hit rates for each controller action. *Daniel Schierbeck* * Always use the provided port if the protocol is relative. Fixes #15043. *Guilherme Cavalcanti*, *Andrew White* * Moved `params[request_forgery_protection_token]` into its own method and improved tests. Fixes #11316. *Tom Kadwill* * Added verification of route constraints given as a Proc or an object responding to `:matches?`. Previously, when given an non-complying object, it would just silently fail to enforce the constraint. It will now raise an `ArgumentError` when setting up the routes. *Xavier Defrang* * Properly treat the entire IPv6 User Local Address space as private for purposes of remote IP detection. Also handle uppercase private IPv6 addresses. Fixes #12638. *Caleb Spare* * Fixed an issue with migrating legacy json cookies. Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming cookies are marshal-encoded. This is not the case when `secret_token` is used in conjunction with the `:json` or `:hybrid` serializer. In those case, when upgrading to use `secret_key_base`, this would cause a `TypeError: incompatible marshal file format` and a 500 error for the user. Fixes #14774. *Godfrey Chan* * Make URL escaping more consistent: 1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers 2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters 3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation 4. Use `escape_segment` rather than `escape_path` in URL generation For point 4 there are two exceptions. Firstly, when a route uses wildcard segments (e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This means that wildcard routes can't be optimized. Secondly, if a `:controller` segment is used in the path then this uses `escape_path` as the controller may be namespaced. Fixes #14629, #14636 and #14070. *Andrew White*, *Edho Arief* * Add alias `ActionDispatch::Http::UploadedFile#to_io` to `ActionDispatch::Http::UploadedFile#tempfile`. *Tim Linquist* * Returns null type format when format is not know and controller is using `any` format block. Fixes #14462. *Rafael Mendonça França* * Improve routing error page with fuzzy matching search. *Winston* * Only make deeply nested routes shallow when parent is shallow. Fixes #14684. *Andrew White*, *James Coglan* * Append link to bad code to backtrace when exception is `SyntaxError`. *Boris Kuznetsov* * Swapped the parameters of assert_equal in `assert_select` so that the proper values were printed correctly. Fixes #14422. *Vishal Lal* * The method `shallow?` returns false if the parent resource is a singleton so we need to check if we're not inside a nested scope before copying the :path and :as options to their shallow equivalents. Fixes #14388. *Andrew White* * Make logging of CSRF failures optional (but on by default) with the `log_warning_on_csrf_failure` configuration setting in `ActionController::RequestForgeryProtection`. *John Barton* * Fix URL generation in controller tests with request-dependent `default_url_options` methods. *Tony Wooster* Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.