TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
63970d9b01
rails/actionpack/CHANGELOG.md
Stefan Wienert e2a8bfa1f2
Request Forgery takes relative paths into account 
Passing relative paths into form_for and related helpers led to invalid
token generations, as the tokens did not match the request.path on the
POST endpoint. Variants, such as:

form_for url:
* ""
* "./"
* "./post_one"
* "post_one"

are now handled according to [RFC 3986 5.2 - 5.4](https://tools.ietf.org/html/rfc3986#section-5.2)

Limitations: double dots are not handled (../../path)

relevant issue: #31191
2024-02-20 23:35:17 +00:00

109 lines
3.5 KiB
Markdown
Raw Blame History

* Request Forgery takes relative paths into account.
*Stefan Wienert*
* Add ".test" as a default allowed host in development to ensure smooth golden-path setup with puma.dev.
*DHH*
* Add `allow_browser` to set minimum browser versions for the application.
A browser that's blocked will by default be served the file in `public/426.html` with a HTTP status code of "426 Upgrade Required".
```ruby
class ApplicationController < ActionController::Base
# Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting + :has
allow_browser versions: :modern
end
class ApplicationController < ActionController::Base
# All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
end
class MessagesController < ApplicationController
# In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
allow_browser versions: { opera: 104, chrome: 119 }, only: :show
end
```
*DHH*
* Add rate limiting API.
```ruby
class SessionsController < ApplicationController
rate_limit to: 10, within: 3.minutes, only: :create
end
class SignupsController < ApplicationController
rate_limit to: 1000, within: 10.seconds,
by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups!" }, only: :new
end
```
*DHH*, *Jean Boussier*
* Add `image/svg+xml` to the compressible content types of ActionDispatch::Static
*Georg Ledermann*
* Add instrumentation for ActionController::Live#send_stream
Allows subscribing to `send_stream` events. The event payload contains the filename, disposition, and type.
*Hannah Ramadan*
* Add support for `with_routing` test helper in `ActionDispatch::IntegrationTest`
*Gannon McGibbon*
* Remove deprecated support to set `Rails.application.config.action_dispatch.show_exceptions` to `true` and `false`.
*Rafael Mendonça França*
* Remove deprecated `speaker`, `vibrate`, and `vr` permissions policy directives.
*Rafael Mendonça França*
* Remove deprecated `Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type`.
*Rafael Mendonça França*
* Deprecate `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.
*Rafael Mendonça França*
* Remove deprecated comparison between `ActionController::Parameters` and `Hash`.
*Rafael Mendonça França*
* Remove deprecated constant `AbstractController::Helpers::MissingHelperError`.
*Rafael Mendonça França*
* Fix a race condition that could cause a `Text file busy - chromedriver`
error with parallel system tests
*Matt Brictson*
* Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
*Hartley McGuire*
* Remove deprecated constant `ActionDispatch::IllegalStateError`.
*Rafael Mendonça França*
* Add parameter filter capability for redirect locations.
It uses the `config.filter_parameters` to match what needs to be filtered.
The result would be like this:
Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
Fixes #14055.
*Roque Pinel*, *Trevor Turk*, *tonytonyjan*
Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionpack/CHANGELOG.md) for previous changes.
Reference in New Issue View Git Blame Copy Permalink