Hello community,

here is the log from the commit of package rubygem-actionpack-7.0 for 
openSUSE:Factory checked in at 2022-05-16 18:08:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-7.0 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-7.0.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-7.0"

Mon May 16 18:08:27 2022 rev:4 rq:977361 version:7.0.3

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionpack-7.0/rubygem-actionpack-7.0.changes
    2022-04-30 22:52:21.140209195 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionpack-7.0.new.1538/rubygem-actionpack-7.0.changes
  2022-05-16 18:10:54.157391981 +0200
@@ -1,0 +2,68 @@
+Sun May 15 15:15:37 UTC 2022 - Manuel Schnitzer <[email protected]>
+
+- updated to version 7.0.3
+
+  *   Allow relative redirects when `raise_on_open_redirects` is enabled.
+
+      *Tom Hughes*
+
+  *   Fix `authenticate_with_http_basic` to allow for missing password.
+
+      Before Rails 7.0 it was possible to handle basic authentication with 
only a username.
+
+      ```ruby
+      authenticate_with_http_basic do |token, _|
+        ApiClient.authenticate(token)
+      end
+      ```
+
+      This ability is restored.
+
+      *Jean Boussier*
+
+  *   Fix `content_security_policy` returning invalid directives.
+
+      Directives such as `self`, `unsafe-eval` and few others were not
+      single quoted when the directive was the result of calling a lambda
+      returning an array.
+
+      ```ruby
+      content_security_policy do |policy|
+        policy.frame_ancestors lambda { [:self, "https://example.com";] }
+      end
+      ```
+
+      With this fix the policy generated from above will now be valid.
+
+      *Edouard Chin*
+
+  *   Fix `skip_forgery_protection` to run without raising an error if forgery
+      protection has not been enabled / `verify_authenticity_token` is not a
+      defined callback.
+
+      This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
+      `ArgumentError` if `default_protect_from_forgery` is false.
+
+      *Brad Trick*
+
+  *   Fix `ActionController::Live` to copy the IsolatedExecutionState in the 
ephemeral thread.
+
+      Since its inception `ActionController::Live` has been copying thread 
local variables
+      to keep things such as `CurrentAttributes` set from middlewares working 
in the controller action.
+
+      With the introduction of `IsolatedExecutionState` in 7.0, some of that 
global state was lost in
+      `ActionController::Live` controllers.
+
+      *Jean Boussier*
+
+  *   Fix setting `trailing_slash: true` in route definition.
+
+      ```ruby
+      get '/test' => "test#index", as: :test, trailing_slash: true
+
+      test_path() # => "/test/"
+      ```
+
+      *Jean Boussier*
+
+-------------------------------------------------------------------

Old:
----
  actionpack-7.0.2.4.gem

New:
----
  actionpack-7.0.3.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-7.0.spec ++++++
--- /var/tmp/diff_new_pack.EvEC1F/_old  2022-05-16 18:10:54.585392322 +0200
+++ /var/tmp/diff_new_pack.EvEC1F/_new  2022-05-16 18:10:54.593392328 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-actionpack-7.0
-Version:        7.0.2.4
+Version:        7.0.3
 Release:        0
 %define mod_name actionpack
 %define mod_full_name %{mod_name}-%{version}

++++++ actionpack-7.0.2.4.gem -> actionpack-7.0.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2022-04-26 21:32:40.000000000 +0200
+++ new/CHANGELOG.md    2022-05-09 15:40:26.000000000 +0200
@@ -1,3 +1,68 @@
+## Rails 7.0.3 (May 09, 2022) ##
+
+*   Allow relative redirects when `raise_on_open_redirects` is enabled.
+
+    *Tom Hughes*
+
+*   Fix `authenticate_with_http_basic` to allow for missing password.
+
+    Before Rails 7.0 it was possible to handle basic authentication with only 
a username.
+
+    ```ruby
+    authenticate_with_http_basic do |token, _|
+      ApiClient.authenticate(token)
+    end
+    ```
+
+    This ability is restored.
+
+    *Jean Boussier*
+
+*   Fix `content_security_policy` returning invalid directives.
+
+    Directives such as `self`, `unsafe-eval` and few others were not
+    single quoted when the directive was the result of calling a lambda
+    returning an array.
+
+    ```ruby
+    content_security_policy do |policy|
+      policy.frame_ancestors lambda { [:self, "https://example.com";] }
+    end
+    ```
+
+    With this fix the policy generated from above will now be valid.
+
+    *Edouard Chin*
+
+*   Fix `skip_forgery_protection` to run without raising an error if forgery
+    protection has not been enabled / `verify_authenticity_token` is not a
+    defined callback.
+
+    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
+    `ArgumentError` if `default_protect_from_forgery` is false.
+
+    *Brad Trick*
+
+*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the 
ephemeral thread.
+
+    Since its inception `ActionController::Live` has been copying thread local 
variables
+    to keep things such as `CurrentAttributes` set from middlewares working in 
the controller action.
+
+    With the introduction of `IsolatedExecutionState` in 7.0, some of that 
global state was lost in
+    `ActionController::Live` controllers.
+
+    *Jean Boussier*
+
+*   Fix setting `trailing_slash: true` in route definition.
+
+    ```ruby
+    get '/test' => "test#index", as: :test, trailing_slash: true
+
+    test_path() # => "/test/"
+    ```
+
+    *Jean Boussier*
+
 ## Rails 7.0.2.4 (April 26, 2022) ##
 
 *   Allow Content Security Policy DSL to generate for API responses.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/abstract_controller/base.rb 
new/lib/abstract_controller/base.rb
--- old/lib/abstract_controller/base.rb 2022-04-26 21:32:40.000000000 +0200
+++ new/lib/abstract_controller/base.rb 2022-05-09 15:40:26.000000000 +0200
@@ -150,13 +150,14 @@
 
       process_action(action_name, *args)
     end
+    ruby2_keywords(:process)
 
-    # Delegates to the class' ::controller_path
+    # Delegates to the class's ::controller_path.
     def controller_path
       self.class.controller_path
     end
 
-    # Delegates to the class' ::action_methods
+    # Delegates to the class's ::action_methods.
     def action_methods
       self.class.action_methods
     end
@@ -177,7 +178,7 @@
 
     # Tests if a response body is set. Used to determine if the
     # +process_action+ callback needs to be terminated in
-    # +AbstractController::Callbacks+.
+    # AbstractController::Callbacks.
     def performed?
       response_body
     end
@@ -210,8 +211,8 @@
       #
       # Notice that the first argument is the method to be dispatched
       # which is *not* necessarily the same as the action name.
-      def process_action(method_name, *args)
-        send_action(method_name, *args)
+      def process_action(...)
+        send_action(...)
       end
 
       # Actually call the method associated with the action. Override
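Review bot: `process_action(...)` no longer names its first parameter, yet the context comment just above still says "the first argument is the method to be dispatched". Either keep `method_name` explicit in the signature and forward only the rest, or reword the comment. It is also worth a line explaining why `process` in the first hunk keeps its splat signature with `ruby2_keywords(:process)` while this method switches to `...` forwarding.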
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/abstract_controller/callbacks.rb 
new/lib/abstract_controller/callbacks.rb
--- old/lib/abstract_controller/callbacks.rb    2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/abstract_controller/callbacks.rb    2022-05-09 15:40:26.000000000 
+0200
@@ -229,7 +229,7 @@
     private
       # Override <tt>AbstractController::Base#process_action</tt> to run the
       # <tt>process_action</tt> callbacks around the normal behavior.
-      def process_action(*)
+      def process_action(...)
         run_callbacks(:process_action) do
           super
         end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/api.rb 
new/lib/action_controller/api.rb
--- old/lib/action_controller/api.rb    2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_controller/api.rb    2022-05-09 15:40:26.000000000 +0200
@@ -5,7 +5,7 @@
 require "action_controller/log_subscriber"
 
 module ActionController
-  # API Controller is a lightweight version of <tt>ActionController::Base</tt>,
+  # API Controller is a lightweight version of ActionController::Base,
   # created for applications that don't require all functionalities that a 
complete
   # \Rails controller provides, allowing you to create controllers with just 
the
   # features that you need for API only applications.
@@ -32,7 +32,7 @@
   #   end
   #
   # Request, response, and parameters objects all work the exact same way as
-  # <tt>ActionController::Base</tt>.
+  # ActionController::Base.
   #
   # == Renders
   #
@@ -51,7 +51,7 @@
   #
   # Redirects are used to move from one action to another. You can use the
   # <tt>redirect_to</tt> method in your controllers in the same way as in
-  # <tt>ActionController::Base</tt>. For example:
+  # ActionController::Base. For example:
   #
   #   def create
   #     redirect_to root_url and return if not_authorized?
@@ -61,7 +61,7 @@
   # == Adding New Behavior
   #
   # In some scenarios you may want to add back some functionality provided by
-  # <tt>ActionController::Base</tt> that is not present by default in
+  # ActionController::Base that is not present by default in
   # <tt>ActionController::API</tt>, for instance <tt>MimeResponds</tt>. This
   # module gives you the <tt>respond_to</tt> method. Adding it is quite simple,
   # you just need to include the module in a specific controller or in
@@ -83,7 +83,7 @@
   #     end
   #   end
   #
-  # Make sure to check the modules included in <tt>ActionController::Base</tt>
+  # Make sure to check the modules included in ActionController::Base
   # if you want to use any other functionality that is not provided
   # by <tt>ActionController::API</tt> out of the box.
   class API < Metal
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/base.rb 
new/lib/action_controller/base.rb
--- old/lib/action_controller/base.rb   2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_controller/base.rb   2022-05-09 15:40:26.000000000 +0200
@@ -87,10 +87,11 @@
   #
   # or you can remove the entire session with +reset_session+.
   #
-  # Sessions are stored by default in a browser cookie that's 
cryptographically signed, but unencrypted.
-  # This prevents the user from tampering with the session but also allows 
them to see its contents.
-  #
-  # Do not put secret information in cookie-based sessions!
+  # By default, sessions are stored in an encrypted browser cookie (see
+  # ActionDispatch::Session::CookieStore). Thus the user will not be able to
+  # read or edit the session data. However, the user can keep a copy of the
+  # cookie even after it has expired, so you should avoid storing sensitive
+  # information in cookie-based sessions.
   #
   # == Responses
   #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/form_builder.rb 
new/lib/action_controller/form_builder.rb
--- old/lib/action_controller/form_builder.rb   2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_controller/form_builder.rb   2022-05-09 15:40:26.000000000 
+0200
@@ -3,7 +3,7 @@
 module ActionController
   # Override the default form builder for all views rendered by this
   # controller and any of its descendants. Accepts a subclass of
-  # +ActionView::Helpers::FormBuilder+.
+  # ActionView::Helpers::FormBuilder.
   #
   # For example, given a form builder:
   #
@@ -36,7 +36,7 @@
       # in the views rendered by this controller and its subclasses.
       #
       # ==== Parameters
-      # * <tt>builder</tt> - Default form builder, an instance of 
+ActionView::Helpers::FormBuilder+
+      # * <tt>builder</tt> - Default form builder, an instance of 
ActionView::Helpers::FormBuilder
       def default_form_builder(builder)
         self._default_form_builder = builder
       end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/conditional_get.rb 
new/lib/action_controller/metal/conditional_get.rb
--- old/lib/action_controller/metal/conditional_get.rb  2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/conditional_get.rb  2022-05-09 
15:40:26.000000000 +0200
@@ -268,7 +268,7 @@
     #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, 
stale_if_error: 5.minutes
     #
     # HTTP Cache-Control Extensions other values: 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
-    # Any additional key-value pairs are concatenated onto the `Cache-Control` 
header in the response:
+    # Any additional key-value pairs are concatenated onto the Cache-Control 
header in the response:
     #
     #   expires_in 3.hours, public: true, "s-maxage": 3.hours, "no-transform": 
true
     #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lib/action_controller/metal/content_security_policy.rb 
new/lib/action_controller/metal/content_security_policy.rb
--- old/lib/action_controller/metal/content_security_policy.rb  2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/content_security_policy.rb  2022-05-09 
15:40:26.000000000 +0200
@@ -2,7 +2,6 @@
 
 module ActionController # :nodoc:
   module ContentSecurityPolicy
-    # TODO: Documentation
     extend ActiveSupport::Concern
 
     include AbstractController::Helpers
@@ -14,6 +13,29 @@
     end
 
     module ClassMethods
+      # Overrides parts of the globally configured Content-Security-Policy
+      # header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy do |policy|
+      #       policy.base_uri "https://www.example.com";
+      #     end
+      #   end
+      #
+      # Options can be passed similar to +before_action+. For example, pass
+      # <tt>only: :index</tt> to override the header on the index action only:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy(only: :index) do |policy|
+      #       policy.default_src :self, :https
+      #     end
+      #   end
+      #
+      # Pass +false+ to remove the Content-Security-Policy header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy false, only: :index
+      #   end
       def content_security_policy(enabled = true, **options, &block)
         before_action(options) do
           if block_given?
@@ -28,6 +50,18 @@
         end
       end
 
+      # Overrides the globally configured Content-Security-Policy-Report-Only
+      # header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy_report_only only: :index
+      #   end
+      #
+      # Pass +false+ to remove the Content-Security-Policy-Report-Only header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy_report_only false, only: :index
+      #   end
       def content_security_policy_report_only(report_only = true, **options)
         before_action(options) do
           request.content_security_policy_report_only = report_only
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/helpers.rb 
new/lib/action_controller/metal/helpers.rb
--- old/lib/action_controller/metal/helpers.rb  2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_controller/metal/helpers.rb  2022-05-09 15:40:26.000000000 
+0200
@@ -91,7 +91,7 @@
         end
       end
 
-      # Overwrite modules_for_helpers to accept :all as argument, which loads
+      # Override modules_for_helpers to accept +:all+ as argument, which loads
       # all helpers in helpers_path.
       #
       # ==== Parameters
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/http_authentication.rb 
new/lib/action_controller/metal/http_authentication.rb
--- old/lib/action_controller/metal/http_authentication.rb      2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/http_authentication.rb      2022-05-09 
15:40:26.000000000 +0200
@@ -5,9 +5,9 @@
 require "active_support/core_ext/array/access"
 
 module ActionController
-  # HTTP Basic, Digest and Token authentication.
+  # HTTP Basic, Digest, and Token authentication.
   module HttpAuthentication
-    # HTTP \Basic authentication.
+    # = HTTP \Basic authentication
     #
     # === Simple \Basic example
     #
@@ -70,7 +70,12 @@
         extend ActiveSupport::Concern
 
         module ClassMethods
+          # Enables HTTP \Basic authentication.
+          #
+          # See ActionController::HttpAuthentication::Basic for example usage.
           def http_basic_authenticate_with(name:, password:, realm: nil, 
**options)
+            raise ArgumentError, "Expected name: to be a String, got 
#{name.class}" unless name.is_a?(String)
+            raise ArgumentError, "Expected password: to be a String, got 
#{password.class}" unless password.is_a?(String)
             before_action(options) { http_basic_authenticate_or_request_with 
name: name, password: password, realm: realm }
           end
         end
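Review bot: The two new `raise ArgumentError` guards in `http_basic_authenticate_with` only test `is_a?(String)`, so an empty `name:` or `password:` still passes when the class is loaded. Consider rejecting blank values as well. The added doc comment should also mention the raised error; at the moment it only points to the Basic module for usage.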
@@ -79,8 +84,8 @@
           authenticate_or_request_with_http_basic(realm, message) do 
|given_name, given_password|
             # This comparison uses & so that it doesn't short circuit and
             # uses `secure_compare` so that length information isn't leaked.
-            ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
-              ActiveSupport::SecurityUtils.secure_compare(given_password, 
password)
+            ActiveSupport::SecurityUtils.secure_compare(given_name.to_s, name) 
&
+              ActiveSupport::SecurityUtils.secure_compare(given_password.to_s, 
password)
           end
         end
 
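Review bot: The comment above the comparison still explains only `&` and `secure_compare`, not the new `given_name.to_s` / `given_password.to_s` coercion. Add a line saying the coercion is there for credentials that arrive without a password, and a test asserting that a missing password never matches a non-empty configured `password`.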
@@ -104,7 +109,7 @@
       end
 
       def has_basic_credentials?(request)
-        request.authorization.present? && (auth_scheme(request).downcase == 
"basic") && user_name_and_password(request).length == 2
+        request.authorization.present? && (auth_scheme(request).downcase == 
"basic")
       end
 
       def user_name_and_password(request)
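Review bot: With `user_name_and_password(request).length == 2` removed from `has_basic_credentials?`, every `Basic` header now reaches the caller's block, including one that carries no password part. The method should get a comment stating that a one-part credential is accepted on purpose, and the release notes should tell callers that the block's second argument may be absent so they do not assume a String.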
@@ -135,7 +140,7 @@
       end
     end
 
-    # HTTP \Digest authentication.
+    # = HTTP \Digest authentication
     #
     # === Simple \Digest example
     #
@@ -181,22 +186,28 @@
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP \Digest, or otherwise render an HTTP 
header
+        # requesting the client to send a \Digest.
+        #
+        # See ActionController::HttpAuthentication::Digest for example usage.
         def authenticate_or_request_with_http_digest(realm = "Application", 
message = nil, &password_procedure)
           authenticate_with_http_digest(realm, &password_procedure) || 
request_http_digest_authentication(realm, message)
         end
 
-        # Authenticate with HTTP Digest, returns true or false
+        # Authenticate using an HTTP \Digest. Returns true if authentication is
+        # successful, false otherwise.
         def authenticate_with_http_digest(realm = "Application", 
&password_procedure)
           HttpAuthentication::Digest.authenticate(request, realm, 
&password_procedure)
         end
 
-        # Render output including the HTTP Digest authentication header
+        # Render an HTTP header requesting the client to send a \Digest for
+        # authentication.
         def request_http_digest_authentication(realm = "Application", message 
= nil)
           HttpAuthentication::Digest.authentication_request(self, realm, 
message)
         end
       end
 
-      # Returns false on a valid response, true otherwise
+      # Returns false on a valid response, true otherwise.
       def authenticate(request, realm, &password_procedure)
         request.authorization && validate_digest_response(request, realm, 
&password_procedure)
       end
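Review bot: The touched comment on `authenticate` still reads "Returns false on a valid response, true otherwise", which contradicts the new doc on `authenticate_with_http_digest` a few lines up ("Returns true if authentication is successful, false otherwise"), although that method simply delegates to this one. Since the line is being edited anyway for the trailing period, correct its wording so the two agree.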
@@ -301,7 +312,7 @@
       #
       # An implementation might choose not to accept a previously used nonce 
or a previously used digest, in order to
       # protect against a replay attack. Or, an implementation might choose to 
use one-time nonces or digests for
-      # POST, PUT, or PATCH requests and a time-stamp for GET requests. For 
more details on the issues involved see Section 4
+      # POST, PUT, or PATCH requests, and a time-stamp for GET requests. For 
more details on the issues involved see Section 4
       # of this document.
       #
       # The nonce is opaque to the client. Composed of Time, and hash of Time 
with secret
@@ -331,9 +342,9 @@
       end
     end
 
-    # HTTP Token authentication.
+    # = HTTP \Token authentication
     #
-    # Simple Token example:
+    # === Simple \Token example
     #
     #   class PostsController < ApplicationController
     #     TOKEN = "secret"
@@ -412,14 +423,22 @@
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP Bearer token, or otherwise render an HTTP
+        # header requesting the client to send a Bearer token.
+        #
+        # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_or_request_with_http_token(realm = "Application", 
message = nil, &login_procedure)
           authenticate_with_http_token(&login_procedure) || 
request_http_token_authentication(realm, message)
         end
 
+        # Authenticate using an HTTP Bearer token. Returns true if
+        # authentication is successful, false otherwise.
         def authenticate_with_http_token(&login_procedure)
           Token.authenticate(self, &login_procedure)
         end
 
+        # Render an HTTP header requesting the client to send a Bearer token 
for
+        # authentication.
         def request_http_token_authentication(realm = "Application", message = 
nil)
           Token.authentication_request(self, realm, message)
         end
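Review bot: The new doc on `authenticate_with_http_token` promises "Returns true if authentication is successful, false otherwise", but the method just returns `Token.authenticate(self, &login_procedure)`, and the next hunk documents that as returning the value of `login_procedure`, or `nil` when no token is found. Align the wording here with that description so callers do not rely on a strict boolean.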
@@ -428,17 +447,17 @@
       # If token Authorization header is present, call the login
       # procedure with the present token and options.
       #
-      # [controller]
-      #   ActionController::Base instance for the current request.
+      # Returns the return value of <tt>login_procedure</tt> if a
+      # token is found. Returns <tt>nil</tt> if no token is found.
+      #
+      # ==== Parameters
       #
-      # [login_procedure]
-      #   Proc to call if a token is present. The Proc should take two 
arguments:
+      # * +controller+ - ActionController::Base instance for the current 
request.
+      # * +login_procedure+ - Proc to call if a token is present. The Proc
+      #   should take two arguments:
       #
       #     authenticate(controller) { |token, options| ... }
       #
-      # Returns the return value of <tt>login_procedure</tt> if a
-      # token is found. Returns <tt>nil</tt> if no token is found.
-
       def authenticate(controller, &login_procedure)
         token, options = token_and_options(controller.request)
         unless token.blank?
@@ -449,14 +468,18 @@
       # Parses the token and options out of the token Authorization header.
       # The value for the Authorization header is expected to have the prefix
       # <tt>"Token"</tt> or <tt>"Bearer"</tt>. If the header looks like this:
+      #
       #   Authorization: Token token="abc", nonce="def"
-      # Then the returned token is <tt>"abc"</tt>, and the options are
-      # <tt>{nonce: "def"}</tt>
       #
-      # request - ActionDispatch::Request instance with the current headers.
+      # Then the returned token is <tt>"abc"</tt>, and the options are
+      # <tt>{nonce: "def"}</tt>.
       #
       # Returns an +Array+ of <tt>[String, Hash]</tt> if a token is present.
       # Returns +nil+ if no token is found.
+      #
+      # ==== Parameters
+      #
+      # * +request+ - ActionDispatch::Request instance with the current 
headers.
       def token_and_options(request)
         authorization_request = request.authorization.to_s
         if authorization_request[TOKEN_REGEX]
@@ -469,7 +492,7 @@
         rewrite_param_values params_array_from raw_params auth
       end
 
-      # Takes raw_params and turns it into an array of parameters
+      # Takes +raw_params+ and turns it into an array of parameters.
       def params_array_from(raw_params)
         raw_params.map { |param| param.split %r/=(.+)?/ }
       end
@@ -494,10 +517,12 @@
 
       # Encodes the given token and options into an Authorization header value.
       #
-      # token   - String token.
-      # options - optional Hash of the options.
-      #
       # Returns String.
+      #
+      # ==== Parameters
+      #
+      # * +token+ - String token.
+      # * +options+ - Optional Hash of the options.
       def encode_credentials(token, options = {})
         values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, 
value|
           "#{key}=#{value.to_s.inspect}"
@@ -507,10 +532,12 @@
 
       # Sets a WWW-Authenticate header to let the client know a token is 
desired.
       #
-      # controller - ActionController::Base instance for the outgoing response.
-      # realm      - String realm to use in the header.
-      #
       # Returns nothing.
+      #
+      # ==== Parameters
+      #
+      # * +controller+ - ActionController::Base instance for the outgoing 
response.
+      # * +realm+ - String realm to use in the header.
       def authentication_request(controller, realm, message = nil)
         message ||= "HTTP Token: Access denied.\n"
         controller.headers["WWW-Authenticate"] = %(Token 
realm="#{realm.tr('"', "")}")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/live.rb 
new/lib/action_controller/metal/live.rb
--- old/lib/action_controller/metal/live.rb     2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_controller/metal/live.rb     2022-05-09 15:40:26.000000000 
+0200
@@ -261,6 +261,7 @@
           # Since we're processing the view in a different thread, copy the
           # thread locals from the main thread to the child thread. :'(
           locals.each { |k, v| t2[k] = v }
+          ActiveSupport::IsolatedExecutionState.share_with(t1)
 
           begin
             super(name)
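Review bot: The context comment says the thread locals are copied to the child thread, but the added line calls `IsolatedExecutionState.share_with(t1)`, and the name suggests both threads end up using the same state rather than a copy. Extend the comment to say which it is, and whether writes made in the ephemeral thread are meant to be visible to the request thread.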
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/permissions_policy.rb 
new/lib/action_controller/metal/permissions_policy.rb
--- old/lib/action_controller/metal/permissions_policy.rb       2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/permissions_policy.rb       2022-05-09 
15:40:26.000000000 +0200
@@ -1,37 +1,28 @@
 # frozen_string_literal: true
 
 module ActionController # :nodoc:
-  # HTTP Permissions Policy is a web standard for defining a mechanism to
-  # allow and deny the use of browser permissions in its own context, and
-  # in content within any <iframe> elements in the document.
-  #
-  # Full details of HTTP Permissions Policy specification and guidelines can
-  # be found at MDN:
-  #
-  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
-  #
-  # Examples of usage:
-  #
-  #   # Global policy
-  #   Rails.application.config.permissions_policy do |f|
-  #     f.camera      :none
-  #     f.gyroscope   :none
-  #     f.microphone  :none
-  #     f.usb         :none
-  #     f.fullscreen  :self
-  #     f.payment     :self, "https://secure.example.com";
-  #   end
-  #
-  #   # Controller level policy
-  #   class PagesController < ApplicationController
-  #     permissions_policy do |p|
-  #       p.geolocation "https://example.com";
-  #     end
-  #   end
   module PermissionsPolicy
     extend ActiveSupport::Concern
 
     module ClassMethods
+      # Overrides parts of the globally configured Feature-Policy
+      # header:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy do |policy|
+      #       policy.geolocation "https://example.com";
+      #     end
+      #   end
+      #
+      # Options can be passed similar to +before_action+. For example, pass
+      # <tt>only: :index</tt> to override the header on the index action only:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy(only: :index) do |policy|
+      #       policy.camera :self
+      #     end
+      #   end
+      #
       def permissions_policy(**options, &block)
         before_action(options) do
           if block_given?
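Review bot: The new method doc on `permissions_policy` calls the header Feature-Policy while the method and module are named Permissions Policy. The hunk also deletes the module-level comment that held the specification link and the global `Rails.application.config.permissions_policy` example, without moving them anywhere visible in this diff. Keep a pointer to where the global policy is documented, settle on one header name, and drop the trailing empty `#` line before `def`.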
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/redirecting.rb 
new/lib/action_controller/metal/redirecting.rb
--- old/lib/action_controller/metal/redirecting.rb      2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/redirecting.rb      2022-05-09 
15:40:26.000000000 +0200
@@ -74,7 +74,7 @@
     #
     # Raises UnsafeRedirectError in the case of an unsafe redirect.
     #
-    # To allow any external redirects pass `allow_other_host: true`, though 
using a user-provided param in that case is unsafe.
+    # To allow any external redirects pass <tt>allow_other_host: true</tt>, 
though using a user-provided param in that case is unsafe.
     #
     #   redirect_to "https://rubyonrails.org";, allow_other_host: true
     #
@@ -195,7 +195,7 @@
       end
 
       def _url_host_allowed?(url)
-        URI(url.to_s).host == request.host
+        [request.host, nil].include?(URI(url.to_s).host)
       rescue ArgumentError, URI::Error
         false
       end
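Review bot: In `_url_host_allowed?`, accepting `nil` from `URI(url.to_s).host` covers more than path-relative URLs, because `URI` also reports a nil host for any URL that has a scheme but no authority part. Suggest also requiring that the parsed URI has no scheme when the host is nil, or documenting why that is unnecessary here, with tests for both cases.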
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/renderers.rb 
new/lib/action_controller/metal/renderers.rb
--- old/lib/action_controller/metal/renderers.rb        2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/renderers.rb        2022-05-09 
15:40:26.000000000 +0200
@@ -31,8 +31,7 @@
       class_attribute :_renderers, default: Set.new.freeze
     end
 
-    # Used in <tt>ActionController::Base</tt>
-    # and <tt>ActionController::API</tt> to include all
+    # Used in ActionController::Base and ActionController::API to include all
     # renderers by default.
     module All
       extend ActiveSupport::Concern
@@ -45,7 +44,7 @@
 
     # Adds a new renderer to call within controller actions.
     # A renderer is invoked by passing its name as an option to
-    # <tt>AbstractController::Rendering#render</tt>. To create a renderer
+    # AbstractController::Rendering#render. To create a renderer
     # pass it a name and a block. The block takes two arguments, the first
     # is the value paired with its key and the second is the remaining
     # hash of options passed to +render+.
@@ -96,18 +95,18 @@
       # Adds, by name, a renderer or renderers to the +_renderers+ available
       # to call within controller actions.
       #
-      # It is useful when rendering from an <tt>ActionController::Metal</tt> 
controller or
+      # It is useful when rendering from an ActionController::Metal controller 
or
       # otherwise to add an available renderer proc to a specific controller.
       #
-      # Both <tt>ActionController::Base</tt> and <tt>ActionController::API</tt>
-      # include <tt>ActionController::Renderers::All</tt>, making all renderers
+      # Both ActionController::Base and ActionController::API
+      # include ActionController::Renderers::All, making all renderers
       # available in the controller. See <tt>Renderers::RENDERERS</tt> and 
<tt>Renderers.add</tt>.
       #
-      # Since <tt>ActionController::Metal</tt> controllers cannot render, the 
controller
-      # must include <tt>AbstractController::Rendering</tt>, 
<tt>ActionController::Rendering</tt>,
-      # and <tt>ActionController::Renderers</tt>, and have at least one 
renderer.
+      # Since ActionController::Metal controllers cannot render, the controller
+      # must include AbstractController::Rendering, 
ActionController::Rendering,
+      # and ActionController::Renderers, and have at least one renderer.
       #
-      # Rather than including <tt>ActionController::Renderers::All</tt> and 
including all renderers,
+      # Rather than including ActionController::Renderers::All and including 
all renderers,
       # you may specify which renderers to include by passing the renderer 
name or names to
       # +use_renderers+. For example, a controller that includes only the 
<tt>:json</tt> renderer
       # (+_render_with_renderer_json+) might look like:
@@ -133,7 +132,7 @@
       alias use_renderer use_renderers
     end
 
-    # Called by +render+ in <tt>AbstractController::Rendering</tt>
+    # Called by +render+ in AbstractController::Rendering
     # which sets the return value as the +response_body+.
     #
     # If no renderer is found, +super+ returns control to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/rendering.rb 
new/lib/action_controller/metal/rendering.rb
--- old/lib/action_controller/metal/rendering.rb        2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/rendering.rb        2022-05-09 
15:40:26.000000000 +0200
@@ -30,7 +30,7 @@
       super
     end
 
-    # Overwrite render_to_string because body can now be set to a Rack body.
+    # Override render_to_string because body can now be set to a Rack body.
     def render_to_string(*)
       result = super
       if result.respond_to?(:each)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lib/action_controller/metal/request_forgery_protection.rb 
new/lib/action_controller/metal/request_forgery_protection.rb
--- old/lib/action_controller/metal/request_forgery_protection.rb       
2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/request_forgery_protection.rb       
2022-05-09 15:40:26.000000000 +0200
@@ -32,7 +32,7 @@
   # response may be extracted. To prevent this, only XmlHttpRequest (known as 
XHR or
   # Ajax) requests are allowed to make requests for JavaScript responses.
   #
-  # Subclasses of <tt>ActionController::Base</tt> are protected by default 
with the
+  # Subclasses of ActionController::Base are protected by default with the
   # <tt>:exception</tt> strategy, which raises an
   # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified 
requests.
   #
@@ -124,8 +124,8 @@
       #
       # Valid Options:
       #
-      # * <tt>:only/:except</tt> - Only apply forgery protection to a subset 
of actions. For example <tt>only: [ :create, :create_all ]</tt>.
-      # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely 
depending on the passed Proc or method reference.
+      # * <tt>:only</tt> / <tt>:except</tt> - Only apply forgery protection to 
a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
+      # * <tt>:if</tt> / <tt>:unless</tt> - Turn off the forgery protection 
entirely depending on the passed Proc or method reference.
       # * <tt>:prepend</tt> - By default, the verification of the 
authentication token will be added at the position of the
       #   protect_from_forgery call in your application. This means any 
callbacks added before are run first. This is useful
       #   when you want your forgery protection to depend on other callbacks, 
like authentication methods (Oauth vs Cookie auth).
@@ -168,7 +168,7 @@
       #
       # See +skip_before_action+ for allowed options.
       def skip_forgery_protection(options = {})
-        skip_before_action :verify_authenticity_token, options
+        skip_before_action :verify_authenticity_token, 
options.reverse_merge(raise: false)
       end
 
       private
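Review bot: `options.reverse_merge(raise: false)` in `skip_forgery_protection` makes the skip succeed silently when `verify_authenticity_token` was never registered, but the doc comment above it still only says "See +skip_before_action+ for allowed options". Document the new default and that callers can pass `raise: true` to restore the previous behaviour, since a silent no-op here can hide a controller that has no forgery protection enabled at all.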
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/streaming.rb 
new/lib/action_controller/metal/streaming.rb
--- old/lib/action_controller/metal/streaming.rb        2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/streaming.rb        2022-05-09 
15:40:26.000000000 +0200
@@ -24,7 +24,7 @@
   # Ruby implementation).
   #
   # Streaming can be added to a given template easily, all you need to do is
-  # to pass the :stream option.
+  # to pass the +:stream+ option.
   #
   #   class PostsController
   #     def index
@@ -59,8 +59,8 @@
   #     render stream: true
   #   end
   #
-  # Notice that :stream only works with templates. Rendering :json
-  # or :xml with :stream won't work.
+  # Notice that +:stream+ only works with templates. Rendering +:json+
+  # or +:xml+ with +:stream+ won't work.
   #
   # == Communication between layout and template
   #
@@ -72,7 +72,7 @@
   # variables set in the template to be used in the layout, they won't
   # work once you move to streaming. The proper way to communicate
   # between layout and template, regardless of whether you use streaming
-  # or not, is by using +content_for+, +provide+ and +yield+.
+  # or not, is by using +content_for+, +provide+, and +yield+.
   #
   # Take a simple example where the layout expects the template to tell
   # which title to use:
@@ -132,7 +132,7 @@
   # That said, when streaming, you need to properly check your templates
   # and choose when to use +provide+ and +content_for+.
   #
-  # == Headers, cookies, session and flash
+  # == Headers, cookies, session, and flash
   #
   # When streaming, the HTTP headers are sent to the client right before
   # it renders the first line. This means that, modifying headers, cookies,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/strong_parameters.rb 
new/lib/action_controller/metal/strong_parameters.rb
--- old/lib/action_controller/metal/strong_parameters.rb        2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_controller/metal/strong_parameters.rb        2022-05-09 
15:40:26.000000000 +0200
@@ -236,7 +236,7 @@
     # By default, never raise an UnpermittedParameters exception if these
     # params are present. The default includes both 'controller' and 'action'
     # because they are added by Rails and should be of no concern. One way
-    # to change these is to specify `always_permitted_parameters` in your
+    # to change these is to specify +always_permitted_parameters+ in your
     # config. For instance:
     #
     #    config.action_controller.always_permitted_parameters = %w( controller 
action format )
@@ -778,7 +778,7 @@
 
     # Deletes a key-value pair from +Parameters+ and returns the value. If
     # +key+ is not found, returns +nil+ (or, with optional code block, yields
-    # +key+ and returns the result). Cf. +#extract!+, which returns the
+    # +key+ and returns the result). Cf. #extract!, which returns the
     # corresponding +ActionController::Parameters+ object.
     def delete(key, &block)
       convert_value_to_parameters(@parameters.delete(key, &block))
@@ -908,6 +908,10 @@
       end
     end
 
+    def encode_with(coder) # :nodoc:
+      coder.map = { "parameters" => @parameters, "permitted" => @permitted }
+    end
+
     # Returns duplicate of object including all parameters.
     def deep_dup
       self.class.new(@parameters.deep_dup, @logging_context).tap do |duplicate|
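Review bot: `encode_with` writes `@parameters` and `@permitted` but not `@logging_context`, and the hunk adds no matching change on the loading side and no round-trip test. Because the `permitted` flag is now part of the serialized form, a short comment should say that a dump must only be loaded from trusted storage, and a test should confirm that dumping and reloading leaves `permitted?` unchanged.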
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal/url_for.rb 
new/lib/action_controller/metal/url_for.rb
--- old/lib/action_controller/metal/url_for.rb  2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_controller/metal/url_for.rb  2022-05-09 15:40:26.000000000 
+0200
@@ -4,11 +4,11 @@
   # Includes +url_for+ into the host class. The class has to provide a 
+RouteSet+ by implementing
   # the <tt>_routes</tt> method. Otherwise, an exception will be raised.
   #
-  # In addition to <tt>AbstractController::UrlFor</tt>, this module accesses 
the HTTP layer to define
+  # In addition to AbstractController::UrlFor, this module accesses the HTTP 
layer to define
   # URL options like the +host+. In order to do so, this module requires the 
host class
   # to implement +env+ which needs to be Rack-compatible and +request+
-  # which is either an instance of +ActionDispatch::Request+ or an object
-  # that responds to the +host+, +optional_port+, +protocol+ and
+  # which is either an instance of ActionDispatch::Request or an object
+  # that responds to the +host+, +optional_port+, +protocol+, and
   # +symbolized_path_parameter+ methods.
   #
   #   class RootUrl
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/metal.rb 
new/lib/action_controller/metal.rb
--- old/lib/action_controller/metal.rb  2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_controller/metal.rb  2022-05-09 15:40:26.000000000 +0200
@@ -60,7 +60,7 @@
 
   # <tt>ActionController::Metal</tt> is the simplest possible controller, 
providing a
   # valid Rack interface without the additional niceties provided by
-  # <tt>ActionController::Base</tt>.
+  # ActionController::Base.
   #
   # A sample metal controller might look like this:
   #
@@ -111,7 +111,7 @@
   #
   # == Other Helpers
   #
-  # You can refer to the modules included in <tt>ActionController::Base</tt> 
to see
+  # You can refer to the modules included in ActionController::Base to see
   # other features you can bring into your metal controller.
   #
   class Metal < AbstractController::Base
@@ -137,7 +137,7 @@
       false
     end
 
-    # Delegates to the class' <tt>controller_name</tt>.
+    # Delegates to the class's ::controller_name.
     def controller_name
       self.class.controller_name
     end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/renderer.rb 
new/lib/action_controller/renderer.rb
--- old/lib/action_controller/renderer.rb       2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_controller/renderer.rb       2022-05-09 15:40:26.000000000 
+0200
@@ -71,7 +71,7 @@
     # Render templates with any options from 
ActionController::Base#render_to_string.
     #
     # The primary options are:
-    # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt> for 
details.
+    # * <tt>:partial</tt> - See ActionView::PartialRenderer for details.
     # * <tt>:file</tt> - Renders an explicit template file. Add 
<tt>:locals</tt> to pass in, if so desired.
     #   It shouldn???t be used directly with unsanitized user input due to 
lack of validation.
     # * <tt>:inline</tt> - Renders an ERB template string.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller/test_case.rb 
new/lib/action_controller/test_case.rb
--- old/lib/action_controller/test_case.rb      2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_controller/test_case.rb      2022-05-09 15:40:26.000000000 
+0200
@@ -241,7 +241,7 @@
   # == Basic example
   #
   # Functional tests are written as follows:
-  # 1. First, one uses the +get+, +post+, +patch+, +put+, +delete+ or +head+ 
method to simulate
+  # 1. First, one uses the +get+, +post+, +patch+, +put+, +delete+, or +head+ 
method to simulate
   #    an HTTP request.
   # 2. Then, one asserts whether the current state is as expected. "State" can 
be anything:
   #    the controller's HTTP response, the database contents, etc.
@@ -391,7 +391,7 @@
       #
       # You can also simulate POST, PATCH, PUT, DELETE, and HEAD requests with
       # +post+, +patch+, +put+, +delete+, and +head+.
-      # Example sending parameters, session and setting a flash message:
+      # Example sending parameters, session, and setting a flash message:
       #
       #   get :show,
       #     params: { id: 7 },
@@ -461,7 +461,7 @@
       #     session: { user_id: 1 },
       #     flash: { notice: 'This is flash message' }
       #
-      # To simulate +GET+, +POST+, +PATCH+, +PUT+, +DELETE+ and +HEAD+ requests
+      # To simulate +GET+, +POST+, +PATCH+, +PUT+, +DELETE+, and +HEAD+ 
requests
       # prefer using #get, #post, #patch, #put, #delete and #head methods
       # respectively which will make tests more expressive.
       #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_controller.rb new/lib/action_controller.rb
--- old/lib/action_controller.rb        2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_controller.rb        2022-05-09 15:40:26.000000000 +0200
@@ -3,6 +3,7 @@
 require "abstract_controller"
 require "action_dispatch"
 require "action_controller/metal/strong_parameters"
+require "action_controller/metal/exceptions"
 
 module ActionController
   extend ActiveSupport::Autoload
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/http/content_security_policy.rb 
new/lib/action_dispatch/http/content_security_policy.rb
--- old/lib/action_dispatch/http/content_security_policy.rb     2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/http/content_security_policy.rb     2022-05-09 
15:40:26.000000000 +0200
@@ -1,8 +1,26 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/object/deep_dup"
+require "active_support/core_ext/array/wrap"
 
 module ActionDispatch # :nodoc:
+  # Configures the HTTP
+  # 
{Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
+  # response header to help protect against XSS and injection attacks.
+  #
+  # Example global policy:
+  #
+  #   Rails.application.config.content_security_policy do |policy|
+  #     policy.default_src :self, :https
+  #     policy.font_src    :self, :https, :data
+  #     policy.img_src     :self, :https, :data
+  #     policy.object_src  :none
+  #     policy.script_src  :self, :https
+  #     policy.style_src   :self, :https
+  #
+  #     # Specify URI for violation reports
+  #     policy.report_uri "/csp-violation-report-endpoint"
+  #   end
   class ContentSecurityPolicy
     class Middleware
       CONTENT_TYPE = "Content-Type"
@@ -167,6 +185,15 @@
       end
     end
 
+    # Specify whether to prevent the user agent from loading any assets over
+    # HTTP when the page uses HTTPS:
+    #
+    #   policy.block_all_mixed_content
+    #
+    # Pass +false+ to allow it again:
+    #
+    #   policy.block_all_mixed_content false
+    #
     def block_all_mixed_content(enabled = true)
       if enabled
         @directives["block-all-mixed-content"] = true
@@ -175,6 +202,14 @@
       end
     end
 
+    # Restricts the set of plugins that can be embedded:
+    #
+    #   policy.plugin_types "application/x-shockwave-flash"
+    #
+    # Leave empty to allow all plugins:
+    #
+    #   policy.plugin_types
+    #
     def plugin_types(*types)
       if types.first
         @directives["plugin-types"] = types
@@ -183,10 +218,24 @@
       end
     end
 
+    # Enable the 
{report-uri}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri]
+    # directive. Violation reports will be sent to the specified URI:
+    #
+    #   policy.report_uri "/csp-violation-report-endpoint"
+    #
     def report_uri(uri)
       @directives["report-uri"] = [uri]
     end
 
+    # Specify asset types for which {Subresource 
Integrity}[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity]
+    # is required:
+    #
+    #   policy.require_sri_for :script, :style
+    #
+    # Leave empty to not require Subresource Integrity:
+    #
+    #   policy.require_sri_for
+    #
     def require_sri_for(*types)
       if types.first
         @directives["require-sri-for"] = types
@@ -195,6 +244,19 @@
       end
     end
 
+    # Specify whether a 
{sandbox}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox]
+    # should be enabled for the requested resource:
+    #
+    #   policy.sandbox
+    #
+    # Values can be passed as arguments:
+    #
+    #   policy.sandbox "allow-scripts", "allow-modals"
+    #
+    # Pass +false+ to disable the sandbox:
+    #
+    #   policy.sandbox false
+    #
     def sandbox(*values)
       if values.empty?
         @directives["sandbox"] = true
@@ -205,6 +267,14 @@
       end
     end
 
+    # Specify whether user agents should treat any assets over HTTP as HTTPS:
+    #
+    #   policy.upgrade_insecure_requests
+    #
+    # Pass +false+ to disable it:
+    #
+    #   policy.upgrade_insecure_requests false
+    #
     def upgrade_insecure_requests(enabled = true)
       if enabled
         @directives["upgrade-insecure-requests"] = true
@@ -269,7 +339,7 @@
             raise RuntimeError, "Missing context for the dynamic content 
security policy source: #{source.inspect}"
           else
             resolved = context.instance_exec(&source)
-            resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved
+            apply_mappings(Array.wrap(resolved))
           end
         else
           raise RuntimeError, "Unexpected content security policy source: 
#{source.inspect}"
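Review bot: The replacement line `apply_mappings(Array.wrap(resolved))` changes what this branch returns for a callable source from a single value to an array in every case, including a lambda that returns one string. Check that the caller flattens the resolved sources before joining them into the directive, and add tests for a lambda returning a symbol, a string, and a mixed array so each shape is covered.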
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/http/mime_negotiation.rb 
new/lib/action_dispatch/http/mime_negotiation.rb
--- old/lib/action_dispatch/http/mime_negotiation.rb    2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/http/mime_negotiation.rb    2022-05-09 
15:40:26.000000000 +0200
@@ -132,8 +132,8 @@
       # Sets the \formats by string extensions. This differs from #format= by 
allowing you
       # to set multiple, ordered formats, which is useful when you want to 
have a fallback.
       #
-      # In this example, the :iphone format will be used if it's available, 
otherwise it'll fallback
-      # to the :html format.
+      # In this example, the +:iphone+ format will be used if it's available, 
otherwise it'll fallback
+      # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base
       #     before_action :adjust_format_for_iphone_with_html_fallback
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/http/permissions_policy.rb 
new/lib/action_dispatch/http/permissions_policy.rb
--- old/lib/action_dispatch/http/permissions_policy.rb  2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/http/permissions_policy.rb  2022-05-09 
15:40:26.000000000 +0200
@@ -3,6 +3,22 @@
 require "active_support/core_ext/object/deep_dup"
 
 module ActionDispatch # :nodoc:
+  # Configures the HTTP
+  # 
{Feature-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy]
+  # response header to specify which browser features the current document and
+  # its iframes can use.
+  #
+  # Example global policy:
+  #
+  #   Rails.application.config.permissions_policy do |policy|
+  #     policy.camera      :none
+  #     policy.gyroscope   :none
+  #     policy.microphone  :none
+  #     policy.usb         :none
+  #     policy.fullscreen  :self
+  #     policy.payment     :self, "https://secure.example.com";
+  #   end
+  #
   class PermissionsPolicy
     class Middleware
       CONTENT_TYPE = "Content-Type"
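Review bot: The new class comment names and links the Feature-Policy header, while the class is `PermissionsPolicy` and the example uses `config.permissions_policy`. State which response header the middleware actually sets so readers are not left guessing between the two names.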
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/http/request.rb 
new/lib/action_dispatch/http/request.rb
--- old/lib/action_dispatch/http/request.rb     2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_dispatch/http/request.rb     2022-05-09 15:40:26.000000000 
+0200
@@ -298,8 +298,8 @@
     ACTION_DISPATCH_REQUEST_ID = "action_dispatch.request_id" # :nodoc:
 
     # Returns the unique request id, which is based on either the X-Request-Id 
header that can
-    # be generated by a firewall, load balancer, or web server or by the 
RequestId middleware
-    # (which sets the action_dispatch.request_id environment variable).
+    # be generated by a firewall, load balancer, or web server, or by the 
RequestId middleware
+    # (which sets the +action_dispatch.request_id+ environment variable).
     #
     # This unique ID is useful for tracing a request from end-to-end as part 
of logging or debugging.
     # This relies on the Rack variable set by the ActionDispatch::RequestId 
middleware.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/middleware/cookies.rb 
new/lib/action_dispatch/middleware/cookies.rb
--- old/lib/action_dispatch/middleware/cookies.rb       2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/middleware/cookies.rb       2022-05-09 
15:40:26.000000000 +0200
@@ -139,7 +139,7 @@
   #
   #   cookies.delete :user_name
   #
-  # Please note that if you specify a :domain when setting a cookie, you must 
also specify the domain when deleting the cookie:
+  # Please note that if you specify a +:domain+ when setting a cookie, you 
must also specify the domain when deleting the cookie:
   #
   #  cookies[:name] = {
   #    value: 'a yummy cookie',
@@ -176,6 +176,10 @@
   #   Default is +false+.
   # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or
   #   only HTTP. Defaults to +false+.
+  # * <tt>:same_site</tt> - The value of the +SameSite+ cookie attribute, which
+  #   determines how this cookie should be restricted in cross-site contexts.
+  #   Possible values are +nil+, +:none+, +:lax+, and +:strict+. Defaults to
+  #   +:lax+.
   class Cookies
     HTTP_HEADER   = "Set-Cookie"
     GENERATOR_KEY = "action_dispatch.key_generator"
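Review bot: The new `:same_site` entry lists +nil+ as a possible value without saying what it does. Add a clause explaining the effect of +nil+, since it is the only listed value whose cross-site behaviour a reader cannot infer from its name.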
@@ -199,7 +203,7 @@
     # Raised when storing more than 4K of session data.
     CookieOverflow = Class.new StandardError
 
-    # Include in a cookie jar to allow chaining, e.g. cookies.permanent.signed.
+    # Include in a cookie jar to allow chaining, e.g. 
+cookies.permanent.signed+.
     module ChainedCookieJars
       # Returns a jar that'll automatically set the assigned cookies to have 
an expiration date 20 years from now. Example:
       #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/middleware/flash.rb 
new/lib/action_dispatch/middleware/flash.rb
--- old/lib/action_dispatch/middleware/flash.rb 2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_dispatch/middleware/flash.rb 2022-05-09 15:40:26.000000000 
+0200
@@ -20,10 +20,11 @@
   #     end
   #   end
   #
-  #   show.html.erb
-  #     <% if flash[:notice] %>
-  #       <div class="notice"><%= flash[:notice] %></div>
-  #     <% end %>
+  # Then in +show.html.erb+:
+  #
+  #   <% if flash[:notice] %>
+  #     <div class="notice"><%= flash[:notice] %></div>
+  #   <% end %>
   #
   # Since the +notice+ and +alert+ keys are a common idiom, convenience 
accessors are available:
   #
@@ -41,9 +42,9 @@
     KEY = "action_dispatch.request.flash_hash"
 
     module RequestMethods
-      # Access the contents of the flash. Use <tt>flash["notice"]</tt> to
-      # read a notice you put there or <tt>flash["notice"] = "hello"</tt>
-      # to put a new one.
+      # Access the contents of the flash. Returns a 
ActionDispatch::Flash::FlashHash.
+      #
+      # See ActionDispatch::Flash for example usage.
       def flash
         flash = flash_hash
         return flash if flash
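Review bot: The rewritten comment on `flash` reads "Returns a ActionDispatch::Flash::FlashHash"; the article should be "an". The inline `flash["notice"]` read and write examples are also removed here, so check that the ActionDispatch::Flash class comment it now points to shows both reading and writing a key.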
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/middleware/request_id.rb 
new/lib/action_dispatch/middleware/request_id.rb
--- old/lib/action_dispatch/middleware/request_id.rb    2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/middleware/request_id.rb    2022-05-09 
15:40:26.000000000 +0200
@@ -5,7 +5,7 @@
 
 module ActionDispatch
   # Makes a unique request id available to the +action_dispatch.request_id+ 
env variable (which is then accessible
-  # through <tt>ActionDispatch::Request#request_id</tt> or the alias 
<tt>ActionDispatch::Request#uuid</tt>) and sends
+  # through ActionDispatch::Request#request_id or the alias 
ActionDispatch::Request#uuid) and sends
   # the same id to the client via the X-Request-Id header.
   #
   # The unique request id is either based on the X-Request-Id header in the 
request, which would typically be generated
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lib/action_dispatch/middleware/session/cookie_store.rb 
new/lib/action_dispatch/middleware/session/cookie_store.rb
--- old/lib/action_dispatch/middleware/session/cookie_store.rb  2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/middleware/session/cookie_store.rb  2022-05-09 
15:40:26.000000000 +0200
@@ -44,8 +44,8 @@
     #   Rails.application.config.session_store :cookie_store, expire_after: 
14.days
     #
     # would set the session cookie to expire automatically 14 days after 
creation.
-    # Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
-    # <tt>:httponly</tt>.
+    # Other useful options include <tt>:key</tt>, <tt>:secure</tt>,
+    # <tt>:httponly</tt>, and <tt>:same_site</tt>.
     class CookieStore < AbstractSecureStore
       class SessionId < DelegateClass(Rack::Session::SessionId)
         attr_reader :cookie_value
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/routing/mapper.rb 
new/lib/action_dispatch/routing/mapper.rb
--- old/lib/action_dispatch/routing/mapper.rb   2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_dispatch/routing/mapper.rb   2022-05-09 15:40:26.000000000 
+0200
@@ -390,10 +390,10 @@
         #
         # If you want to expose your action to both GET and POST, use:
         #
-        #   # sets :controller, :action and :id in params
+        #   # sets :controller, :action, and :id in params
         #   match ':controller/:action/:id', via: [:get, :post]
         #
-        # Note that +:controller+, +:action+ and +:id+ are interpreted as URL
+        # Note that +:controller+, +:action+, and +:id+ are interpreted as URL
         # query parameters and thus available through +params+ in an action.
         #
         # If you want to expose your action to GET, use +get+ in the router:
@@ -906,7 +906,7 @@
         #
         # === Options
         #
-        # The +:path+, +:as+, +:module+, +:shallow_path+ and +:shallow_prefix+
+        # The +:path+, +:as+, +:module+, +:shallow_path+, and +:shallow_prefix+
         # options all default to the name of the namespace.
         #
         # For options, see <tt>Base#match</tt>. For +:shallow_path+ option, see
@@ -1082,7 +1082,7 @@
 
       # Resource routing allows you to quickly declare all of the common routes
       # for a given resourceful controller. Instead of declaring separate 
routes
-      # for your +index+, +show+, +new+, +edit+, +create+, +update+ and 
+destroy+
+      # for your +index+, +show+, +new+, +edit+, +create+, +update+, and 
+destroy+
       # actions, a resourceful route declares them in a single line of code:
       #
       #  resources :photos
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/routing/redirection.rb 
new/lib/action_dispatch/routing/redirection.rb
--- old/lib/action_dispatch/routing/redirection.rb      2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/routing/redirection.rb      2022-05-09 
15:40:26.000000000 +0200
@@ -142,6 +142,11 @@
       # This will redirect the user, while ignoring certain parts of the 
request, including query string, etc.
       # <tt>/stories</tt>, <tt>/stories?foo=bar</tt>, etc all redirect to 
<tt>/posts</tt>.
       #
+      # The redirect will use a <tt>301 Moved Permanently</tt> status code by
+      # default. This can be overridden with the +:status+ option:
+      #
+      #   get "/stories" => redirect("/posts", status: 307)
+      #
       # You can also use interpolation in the supplied redirect argument:
       #
       #   get 'docs/:article', to: redirect('/wiki/%{article}')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/routing/route_set.rb 
new/lib/action_dispatch/routing/route_set.rb
--- old/lib/action_dispatch/routing/route_set.rb        2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/routing/route_set.rb        2022-05-09 
15:40:26.000000000 +0200
@@ -196,7 +196,9 @@
             def call(t, method_name, args, inner_options, url_strategy)
               if args.size == arg_size && !inner_options && 
optimize_routes_generation?(t)
                 options = t.url_options.merge @options
-                options[:path] = optimized_helper(args)
+                path = optimized_helper(args)
+                path << "/" if options[:trailing_slash] && !path.end_with?("/")
+                options[:path] = path
 
                 original_script_name = options.delete(:original_script_name)
                 script_name = t._routes.find_script_name(options)
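Review bot: `path << "/"` appends in place to the string returned by `optimized_helper(args)`, which raises if that string is frozen and alters it for any other holder of the same object. Unless `optimized_helper` is guaranteed to return a fresh mutable string, build a new one instead, for example `path += "/"`, and add a test covering `trailing_slash: true` on the optimized helper path, including a route whose path already ends in `/`.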
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/routing/url_for.rb 
new/lib/action_dispatch/routing/url_for.rb
--- old/lib/action_dispatch/routing/url_for.rb  2022-04-26 21:32:40.000000000 
+0200
+++ new/lib/action_dispatch/routing/url_for.rb  2022-05-09 15:40:26.000000000 
+0200
@@ -70,7 +70,7 @@
     #   resources :users
     #
     # This generates, among other things, the method <tt>users_path</tt>. By 
default,
-    # this method is accessible from your controllers, views and mailers. If 
you need
+    # this method is accessible from your controllers, views, and mailers. If 
you need
     # to access this auto-generated method from other places (such as a 
model), then
     # you can do that by including Rails.application.routes.url_helpers in 
your class:
     #
@@ -115,7 +115,7 @@
         default_url_options
       end
 
-      # Generate a URL based on the options provided, default_url_options and 
the
+      # Generate a URL based on the options provided, default_url_options, and 
the
       # routes defined in routes.rb. The following options are supported:
       #
       # * <tt>:only_path</tt> - If true, the relative URL is returned. 
Defaults to +false+.
@@ -154,7 +154,7 @@
       #    # => '/myapp/tasks/testing'
       #
       # Missing routes keys may be filled in from the current request's 
parameters
-      # (e.g. +:controller+, +:action+, +:id+ and any other parameters that are
+      # (e.g. +:controller+, +:action+, +:id+, and any other parameters that 
are
       # placed in the path). Given that the current action has been reached
       # through <tt>GET /users/1</tt>:
       #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/routing.rb 
new/lib/action_dispatch/routing.rb
--- old/lib/action_dispatch/routing.rb  2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_dispatch/routing.rb  2022-05-09 15:40:26.000000000 +0200
@@ -28,7 +28,7 @@
   #
   # Resource routing allows you to quickly declare all of the common routes
   # for a given resourceful controller. Instead of declaring separate routes
-  # for your +index+, +show+, +new+, +edit+, +create+, +update+ and +destroy+
+  # for your +index+, +show+, +new+, +edit+, +create+, +update+, and +destroy+
   # actions, a resourceful route declares them in a single line of code:
   #
   #  resources :photos
@@ -65,9 +65,8 @@
   #     resources :posts, :comments
   #   end
   #
-  # For more, see <tt>Routing::Mapper::Resources#resources</tt>,
-  # <tt>Routing::Mapper::Scoping#namespace</tt>, and
-  # <tt>Routing::Mapper::Scoping#scope</tt>.
+  # For more, see Routing::Mapper::Resources#resources,
+  # Routing::Mapper::Scoping#namespace, and Routing::Mapper::Scoping#scope.
   #
   # == Non-resourceful routes
   #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_dispatch/testing/assertions/routing.rb 
new/lib/action_dispatch/testing/assertions/routing.rb
--- old/lib/action_dispatch/testing/assertions/routing.rb       2022-04-26 
21:32:40.000000000 +0200
+++ new/lib/action_dispatch/testing/assertions/routing.rb       2022-05-09 
15:40:26.000000000 +0200
@@ -18,8 +18,8 @@
       # match +path+. Basically, it asserts that \Rails recognizes the route 
given by +expected_options+.
       #
       # Pass a hash in the second argument (+path+) to specify the request 
method. This is useful for routes
-      # requiring a specific HTTP method. The hash should contain a :path with 
the incoming request path
-      # and a :method containing the required HTTP verb.
+      # requiring a specific HTTP method. The hash should contain a +:path+ 
with the incoming request path
+      # and a +:method+ containing the required HTTP verb.
       #
       #   # Asserts that POSTing to /items will call the create action on 
ItemsController
       #   assert_recognizes({controller: 'items', action: 'create'}, {path: 
'items', method: :post})
@@ -187,6 +187,7 @@
           super
         end
       end
+      ruby2_keywords(:method_missing)
 
       private
         # Recognizes the route for a given path.
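Review bot: the added `ruby2_keywords(:method_missing)` line after the method's closing `end` has no comment, and no test is visible in this part of the diff. A one-line comment should say that it keeps keyword arguments flagged as keywords when `method_missing` forwards a splat (the method's signature is not shown in the hunk, so confirm it takes `*args`). A regression test that calls a route helper with keyword arguments through these assertions would pin the behaviour down.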
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_pack/gem_version.rb 
new/lib/action_pack/gem_version.rb
--- old/lib/action_pack/gem_version.rb  2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_pack/gem_version.rb  2022-05-09 15:40:26.000000000 +0200
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module ActionPack
-  # Returns the version of the currently loaded Action Pack as a 
<tt>Gem::Version</tt>
+  # Returns the currently loaded version of Action Pack as a 
<tt>Gem::Version</tt>.
   def self.gem_version
     Gem::Version.new VERSION::STRING
   end
@@ -9,8 +9,8 @@
   module VERSION
     MAJOR = 7
     MINOR = 0
-    TINY  = 2
-    PRE   = "4"
+    TINY  = 3
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
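Review bot: `PRE = nil` in the VERSION module is only correct because STRING on the context line below calls `.compact` before `join(".")`, and nothing documents that. A short comment on PRE, saying that it holds an optional fourth segment (the old value "4" gave 7.0.2.4) and that nil drops it, would stop a later edit from removing the `compact` and producing "7.0.3." with a trailing dot.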
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/action_pack/version.rb 
new/lib/action_pack/version.rb
--- old/lib/action_pack/version.rb      2022-04-26 21:32:40.000000000 +0200
+++ new/lib/action_pack/version.rb      2022-05-09 15:40:26.000000000 +0200
@@ -3,7 +3,7 @@
 require_relative "gem_version"
 
 module ActionPack
-  # Returns the version of the currently loaded ActionPack as a 
<tt>Gem::Version</tt>
+  # Returns the currently loaded version of Action Pack as a 
<tt>Gem::Version</tt>.
   def self.version
     gem_version
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2022-04-26 21:32:40.000000000 +0200
+++ new/metadata        2022-05-09 15:40:26.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.0.2.4
+  version: 7.0.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-26 00:00:00.000000000 Z
+date: 2022-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
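Review bot: both requirement blocks edited in this hunk keep an exact `=` pin, now on 7.0.3, so this gem resolves only against a 7.0.3 build of that dependency (activesupport, going by the name line that closes the previous hunk). Confirm the sibling package is bumped in the same submission; otherwise installation fails at dependency resolution rather than at build time.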
@@ -98,28 +98,28 @@
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
 description: Web apps on Rails. Simple, battle-tested conventions for building 
and
   testing MVC web applications. Works with any Rack-compatible server.
 email: [email protected]
@@ -310,10 +310,10 @@
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: 
https://github.com/rails/rails/blob/v7.0.2.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
+  changelog_uri: 
https://github.com/rails/rails/blob/v7.0.3/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.3/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.3/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -331,7 +331,7 @@
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.6
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of 
Rails).
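Review bot: `rubygems_version` moves from 3.1.6 to 3.3.7 while the `signing_key:` context line stays empty, so the upstream build toolchain changed and the gem is still unsigned. Since the metadata carries nothing to verify against, compare the .gem archive's checksum with the published one before accepting the update.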
