1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
* Allows ActionDispatch::Request::LOCALHOST to match any IPv4 127.0.0.0/8
loopback address.
*Earl St Sauver*, *Sven Riedel*
* Preserve original path in `ShowExceptions` middleware by stashing it as
`env["action_dispatch.original_path"]`
`ActionDispatch::ShowExceptions` overwrites `PATH_INFO` with the status code
for the exception defined in `ExceptionWrapper`, so the path
the user was visiting when an exception occurred was not previously
available to any custom exceptions_app. The original `PATH_INFO` is now
stashed in `env["action_dispatch.original_path"]`.
*Grey Baker*
* Use `String#bytesize` instead of `String#size` when checking for cookie
overflow.
*Agis Anastasopoulos*
* `render nothing: true` or rendering a `nil` body no longer add a single
space to the response body.
The old behavior was added as a workaround for a bug in an early version of
Safari, where the HTTP headers are not returned correctly if the response
body has a 0-length. This is been fixed since and the workaround is no
longer necessary.
Use `render body: ' '` if the old behavior is desired.
See #14883 for details.
*Godfrey Chan*
* Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
("Rosetta Flash")
*Greg Campbell*
* Because URI paths may contain non US-ASCII characters we need to force
the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
This essentially replicates the functionality of the monkey patch to
URI.parser.unescape in active_support/core_ext/uri.rb.
Fixes #16104.
*Karl Entwistle*
* Generate shallow paths for all children of shallow resources.
Fixes #15783.
*Seb Jacobs*
* JSONP responses are now rendered with the `text/javascript` content type
when rendering through a `respond_to` block.
Fixes #15081.
*Lucas Mazza*
* Add `config.action_controller.always_permitted_parameters` to configure which
parameters are permitted globally. The default value of this configuration is
`['controller', 'action']`.
*Gary S. Weaver*, *Rafael Chacon*
* Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
Fixes #15511.
*Larry Lv*
* ActionController::Parameters#require now accepts `false` values.
Fixes #15685.
*Sergio Romano*
* With authorization header `Authorization: Token token=`, `authenticate` now
recognize token as nil, instead of "token".
Fixes #14846.
*Larry Lv*
* Ensure the controller is always notified as soon as the client disconnects
during live streaming, even when the controller is blocked on a write.
*Nicholas Jakobsen*, *Matthew Draper*
* Routes specifying 'to:' must be a string that contains a "#" or a rack
application. Use of a symbol should be replaced with `action: symbol`.
Use of a string without a "#" should be replaced with `controller: string`.
*Aaron Patterson*
* Fix URL generation with `:trailing_slash` such that it does not add
a trailing slash after `.:format`
*Dan Langevin*
* Build full URI as string when processing path in integration tests for
performance reasons.
*Guo Xiang Tan*
* Fix `'Stack level too deep'` when rendering `head :ok` in an action method
called 'status' in a controller.
Fixes #13905.
*Christiaan Van den Poel*
* Add MKCALENDAR HTTP method (RFC 4791).
*Sergey Karpesh*
* Instrument fragment cache metrics.
Adds `:controller`: and `:action` keys to the instrumentation payload
for the `*_fragment.action_controller` notifications. This allows tracking
e.g. the fragment cache hit rates for each controller action.
*Daniel Schierbeck*
* Always use the provided port if the protocol is relative.
Fixes #15043.
*Guilherme Cavalcanti*, *Andrew White*
* Moved `params[request_forgery_protection_token]` into its own method
and improved tests.
Fixes #11316.
*Tom Kadwill*
* Added verification of route constraints given as a Proc or an object responding
to `:matches?`. Previously, when given an non-complying object, it would just
silently fail to enforce the constraint. It will now raise an `ArgumentError`
when setting up the routes.
*Xavier Defrang*
* Properly treat the entire IPv6 User Local Address space as private for
purposes of remote IP detection. Also handle uppercase private IPv6
addresses.
Fixes #12638.
*Caleb Spare*
* Fixed an issue with migrating legacy json cookies.
Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming
cookies are marshal-encoded. This is not the case when `secret_token` is
used in conjunction with the `:json` or `:hybrid` serializer.
In those case, when upgrading to use `secret_key_base`, this would cause a
`TypeError: incompatible marshal file format` and a 500 error for the user.
Fixes #14774.
*Godfrey Chan*
* Make URL escaping more consistent:
1. Escape '%' characters in URLs - only unescaped data should be passed to URL helpers
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
4. Use `escape_segment` rather than `escape_path` in URL generation
For point 4 there are two exceptions. Firstly, when a route uses wildcard segments
(e.g. `*foo`) then we use `escape_path` as the value may contain '/' characters. This
means that wildcard routes can't be optimized. Secondly, if a `:controller` segment
is used in the path then this uses `escape_path` as the controller may be namespaced.
Fixes #14629, #14636 and #14070.
*Andrew White*, *Edho Arief*
* Add alias `ActionDispatch::Http::UploadedFile#to_io` to
`ActionDispatch::Http::UploadedFile#tempfile`.
*Tim Linquist*
* Returns null type format when format is not know and controller is using `any`
format block.
Fixes #14462.
*Rafael Mendonça França*
* Improve routing error page with fuzzy matching search.
*Winston*
* Only make deeply nested routes shallow when parent is shallow.
Fixes #14684.
*Andrew White*, *James Coglan*
* Append link to bad code to backtrace when exception is `SyntaxError`.
*Boris Kuznetsov*
* Swapped the parameters of assert_equal in `assert_select` so that the
proper values were printed correctly.
Fixes #14422.
*Vishal Lal*
* The method `shallow?` returns false if the parent resource is a singleton so
we need to check if we're not inside a nested scope before copying the :path
and :as options to their shallow equivalents.
Fixes #14388.
*Andrew White*
* Make logging of CSRF failures optional (but on by default) with the
`log_warning_on_csrf_failure` configuration setting in
`ActionController::RequestForgeryProtection`.
*John Barton*
* Fix URL generation in controller tests with request-dependent
`default_url_options` methods.
*Tony Wooster*
Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionpack/CHANGELOG.md) for previous changes.
|