TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
63970d9b01
rails/actionpack/CHANGELOG.md
Stefan Wienert e2a8bfa1f2
Request Forgery takes relative paths into account 
Passing relative paths into form_for and related helpers led to invalid
token generations, as the tokens did not match the request.path on the
POST endpoint. Variants, such as:

form_for url:
* ""
* "./"
* "./post_one"
* "post_one"

are now handled according to [RFC 3986 5.2 - 5.4](https://tools.ietf.org/html/rfc3986#section-5.2)

Limitations: double dots are not handled (../../path)

relevant issue: #31191
2024-02-20 23:35:17 +00:00

3.5 KiB
Raw Blame History

  • Request Forgery takes relative paths into account.

    Stefan Wienert

  • Add ".test" as a default allowed host in development to ensure smooth golden-path setup with puma.dev.

    DHH

  • Add allow_browser to set minimum browser versions for the application.

    A browser that's blocked will by default be served the file in public/426.html with a HTTP status code of "426 Upgrade Required".

    class ApplicationController < ActionController::Base
  # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting + :has
  allow_browser versions: :modern
end

class ApplicationController < ActionController::Base
  # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
  allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
end

class MessagesController < ApplicationController
  # In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
  allow_browser versions: { opera: 104, chrome: 119 }, only: :show
end

    DHH

  • Add rate limiting API.

    class SessionsController < ApplicationController
  rate_limit to: 10, within: 3.minutes, only: :create
end

class SignupsController < ApplicationController
  rate_limit to: 1000, within: 10.seconds,
    by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups!" }, only: :new
end

    DHH, Jean Boussier

  • Add image/svg+xml to the compressible content types of ActionDispatch::Static

    Georg Ledermann

  • Add instrumentation for ActionController::Live#send_stream

    Allows subscribing to send_stream events. The event payload contains the filename, disposition, and type.

    Hannah Ramadan

  • Add support for with_routing test helper in ActionDispatch::IntegrationTest

    Gannon McGibbon

  • Remove deprecated support to set Rails.application.config.action_dispatch.show_exceptions to true and false.

    Rafael Mendonça França

  • Remove deprecated speaker, vibrate, and vr permissions policy directives.

    Rafael Mendonça França

  • Remove deprecated Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type.

    Rafael Mendonça França

  • Deprecate Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality.

    Rafael Mendonça França

  • Remove deprecated comparison between ActionController::Parameters and Hash.

    Rafael Mendonça França

  • Remove deprecated constant AbstractController::Helpers::MissingHelperError.

    Rafael Mendonça França

  • Fix a race condition that could cause a Text file busy - chromedriver error with parallel system tests

    Matt Brictson

  • Add racc as a dependency since it will become a bundled gem in Ruby 3.4.0

    Hartley McGuire

  • Remove deprecated constant ActionDispatch::IllegalStateError.

    Rafael Mendonça França

  • Add parameter filter capability for redirect locations.

    It uses the config.filter_parameters to match what needs to be filtered. The result would be like this:

    Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]

    Fixes #14055.

    Roque Pinel, Trevor Turk, tonytonyjan

Please check 7-1-stable for previous changes.