- Request Forgery takes relative paths into account.

  Passing relative paths into `form_for` and related helpers led to invalid token generation, as the tokens did not match the `request.path` on the POST endpoint.

  Variants, such as `form_for url:`

  * `""`
  * `"./"`
  * `"./post_one"`
  * `"post_one"`

  are now handled according to [RFC 3986 5.2 - 5.4](https://tools.ietf.org/html/rfc3986#section-5.2).

  Limitations: double dots are not handled (`../../path`).

  Relevant issue: #31191

  *Stefan Wienert*
- Add ".test" as a default allowed host in development to ensure smooth golden-path setup with puma.dev.

  *DHH*
- Add `allow_browser` to set minimum browser versions for the application.

  A browser that's blocked will by default be served the file in `public/426.html` with an HTTP status code of "426 Upgrade Required".

  ```ruby
  class ApplicationController < ActionController::Base
    # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting + :has
    allow_browser versions: :modern
  end
  ```

  ```ruby
  class ApplicationController < ActionController::Base
    # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie).
    # Safari needs to be 16.4+ and Firefox 121+.
    allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
  end
  ```

  ```ruby
  class MessagesController < ApplicationController
    # In addition to the browsers blocked by ApplicationController, also block Opera below 104
    # and Chrome below 119 for the show action.
    allow_browser versions: { opera: 104, chrome: 119 }, only: :show
  end
  ```

  *DHH*
- Add rate limiting API.

  ```ruby
  class SessionsController < ApplicationController
    rate_limit to: 10, within: 3.minutes, only: :create
  end
  ```

  ```ruby
  class SignupsController < ApplicationController
    rate_limit to: 1000, within: 10.seconds,
      by: -> { request.domain },
      with: -> { redirect_to busy_controller_url, alert: "Too many signups!" },
      only: :new
  end
  ```

  *DHH, Jean Boussier*
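To make the `to:` / `within:` / `by:` semantics concrete, here is an added stand-alone fixed-window limiter (example code, not Rails' own implementation): an in-memory Hash stands in for the cache store, the clock is passed in as seconds so window rollover can be replayed deterministically, and the `key` argument plays the role of whatever the `by:` lambda returns (an IP here, `request.domain` in the signup example above).

```ruby
# Added example (not Rails' own code): a fixed-window limiter with the same
# knobs as the `rate_limit` options, `to:` (max requests) and `within:`
# (window length in seconds), keyed by whatever the `by:` lambda would return.
# Assumptions: an in-memory Hash stands in for the cache store and the clock
# is passed in as a Float number of seconds so the rollover can be tested.
class FixedWindowRateLimiter
  Entry = Struct.new(:count, :expires_at)

  def initialize(to:, within:)
    @to = to
    @within = within
    @store = {} # key => Entry; a real deployment would use a shared cache
  end

  # Counts one request for `key` and returns true when it exceeds the limit.
  # The window opens at the first request (like a cache increment with an
  # expiry) and the counter is dropped once the window has elapsed.
  def limited?(key, now:)
    entry = @store[key]
    if entry.nil? || entry.expires_at <= now
      entry = @store[key] = Entry.new(0, now + @within)
    end
    entry.count += 1
    entry.count > @to
  end
end

# Replays a constructed sequence of request timestamps for one client and
# returns, per request, whether the limiter would have rejected it.
def replay(limiter, key, timestamps)
  timestamps.map { |t| limiter.limited?(key, now: t) }
end

# Constructed sample matching `rate_limit to: 10, within: 3.minutes`:
# twelve login attempts from one IP in the first minute, then one more
# after the 180-second window has rolled over.
SAMPLE_TIMES = (0...12).map { |i| i * 5.0 } + [200.0]

if __FILE__ == $0
  limiter = FixedWindowRateLimiter.new(to: 10, within: 180)
  p replay(limiter, "203.0.113.7", SAMPLE_TIMES)
  # => ten false, then true, true (11th and 12th rejected), then false again
end
```

Because the counter is a fixed window, up to twice `to:` requests can slip through across a window boundary; set `to:` with that burst in mind rather than treating it as a hard per-interval ceiling.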
- Add `image/svg+xml` to the compressible content types of `ActionDispatch::Static`.

  *Georg Ledermann*
- Add instrumentation for `ActionController::Live#send_stream`.

  Allows subscribing to `send_stream` events. The event payload contains the filename, disposition, and type.

  *Hannah Ramadan*
- Add support for the `with_routing` test helper in `ActionDispatch::IntegrationTest`.

  *Gannon McGibbon*
- Remove deprecated support to set `Rails.application.config.action_dispatch.show_exceptions` to `true` and `false`.

  *Rafael Mendonça França*
- Remove deprecated `speaker`, `vibrate`, and `vr` permissions policy directives.

  *Rafael Mendonça França*
- Remove deprecated `Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type`.

  *Rafael Mendonça França*
- Deprecate `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.

  *Rafael Mendonça França*
- Remove deprecated comparison between `ActionController::Parameters` and `Hash`.

  *Rafael Mendonça França*
- Remove deprecated constant `AbstractController::Helpers::MissingHelperError`.

  *Rafael Mendonça França*
- Fix a race condition that could cause a `Text file busy - chromedriver` error with parallel system tests.

  *Matt Brictson*
- Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0.

  *Hartley McGuire*
- Remove deprecated constant `ActionDispatch::IllegalStateError`.

  *Rafael Mendonça França*
- Add parameter filter capability for redirect locations.

  It uses `config.filter_parameters` to match what needs to be filtered. The result would be like this:

  ```
  Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
  ```

  Fixes #14055.

  *Roque Pinel, Trevor Turk, tonytonyjan*
Please check 7-1-stable for previous changes.