File rubygem-actionpack-5.2.changes of Package rubygem-actionpack-5.2
-------------------------------------------------------------------
Thu Aug 4 12:49:45 UTC 2022 - Stephan Kulow <coolo@suse.com>
updated to version 5.2.8.1
see installed CHANGELOG.md
## Rails 5.2.8.1 (July 12, 2022) ##
* No changes.
## Rails 5.2.8 (May 09, 2022) ##
* No changes.
-------------------------------------------------------------------
Thu Apr 28 05:08:18 UTC 2022 - Stephan Kulow <coolo@suse.com>
updated to version 5.2.7.1
see installed CHANGELOG.md
## Rails 5.2.7.1 (April 26, 2022) ##
* Allow Content Security Policy DSL to generate for API responses.
*Tim Wade*
## Rails 5.2.7 (March 10, 2022) ##
* No changes.
## Rails 5.2.6.3 (March 08, 2022) ##
* No changes.
-------------------------------------------------------------------
Tue Feb 15 07:06:29 UTC 2022 - Stephan Kulow <coolo@suse.com>
updated to version 5.2.6.2
see installed CHANGELOG.md
## Rails 5.2.6.2 (February 11, 2022) ##
* No changes.
## Rails 5.2.6.1 (February 11, 2022) ##
* Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request
[CVE-2022-23633]
-------------------------------------------------------------------
Thu Jun 24 16:48:01 UTC 2021 - Stephan Kulow <coolo@suse.com>
updated to version 5.2.6
see installed CHANGELOG.md
## Rails 5.2.6 (May 05, 2021) ##
* Accept base64_urlsafe CSRF tokens to make forward compatible.
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
them difficult to deal with. For example, the common practice of sending
the CSRF token to a browser in a client-readable cookie does not work properly
out of the box: the value has to be url-encoded and decoded to survive transport.
In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
tokens for backwards compatibility.
How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
config.
In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
**Atention**: If you already upgraded your application to 5.2.5, set the config
`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
during the deploy of this new version.
```ruby
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
```
If you are upgrading from 5.2.4.x, you don't need to change this configuration.
*Scott Blum*, *Étienne Barrié*
## Rails 5.2.5 (March 26, 2021) ##
* No changes.
## Rails 5.2.4.6 (May 05, 2021) ##
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
## Rails 5.2.4.5 (February 10, 2021) ##
* No changes.
-------------------------------------------------------------------
Fri Sep 25 13:19:36 UTC 2020 - Stephan Kulow <coolo@suse.com>
updated to version 5.2.4.4
see installed CHANGELOG.md
## Rails 5.2.4.4 (September 09, 2020) ##
* No changes.
## Rails 5.2.4.3 (May 18, 2020) ##
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
-------------------------------------------------------------------
Thu May 7 19:58:11 UTC 2020 - Stephan Kulow <coolo@suse.com>
- updated to version 5.2.4.2
see installed CHANGELOG.md
-------------------------------------------------------------------
Fri Dec 20 15:12:50 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
- update to version 5.2.4.1 (CVE-2019-16782):
https://weblog.rubyonrails.org/2019/12/18/Rails-5-2-4-1-has-been-released/
-------------------------------------------------------------------
Thu Nov 28 12:52:16 UTC 2019 - Manuel Schnitzer <mschnitzer@suse.com>
- updated to version 5.2.4
* no changes
-------------------------------------------------------------------
Fri Mar 29 05:49:58 UTC 2019 - Stephan Kulow <coolo@suse.com>
- updated to version 5.2.3
see installed CHANGELOG.md
## Rails 5.2.3 (March 27, 2019) ##
* Allow using combine the Cache Control `public` and `no-cache` headers.
Before this change, even if `public` was specified for Cache Control header,
it was excluded when `no-cache` was included. This fixed to keep `public`
header as is.
Fixes #34780.
*Yuji Yaginuma*
* Allow `nil` params for `ActionController::TestCase`.
*Ryo Nakamura*
-------------------------------------------------------------------
Thu Mar 14 03:44:21 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
- update to version 5.2.2.1:
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
CVE-2019-5418 CVE-2019-5419 CVE-2019-5420
-------------------------------------------------------------------
Sat Jan 19 19:50:56 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
- rb_build_ruby_abi needs to be rb_build_ruby_abis
-------------------------------------------------------------------
Fri Jan 18 16:24:32 UTC 2019 - Marcus Rueckert <mrueckert@suse.de>
- limit to ruby 2.5 and above for 42.3/sle12
-------------------------------------------------------------------
Sat Dec 8 16:12:29 UTC 2018 - Stephan Kulow <coolo@suse.com>
- updated to version 5.2.2
see installed CHANGELOG.md
## Rails 5.2.2 (December 04, 2018) ##
* Reset Capybara sessions if failed system test screenshot raising an exception.
Reset Capybara sessions if `take_failed_screenshot` raise exception
in system test `after_teardown`.
*Maxim Perepelitsa*
* Use request object for context if there's no controller
There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.
Fixes #34200.
*Andrew White*
* Apply mapping to symbols returned from dynamic CSP sources
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
policy.default_src -> { :self }
would generate the header:
Content-Security-Policy: default-src self
and now it generates:
Content-Security-Policy: default-src 'self'
*Andrew White*
* Fix `rails routes -c` for controller name consists of multiple word.
*Yoshiyuki Kinjo*
* Call the `#redirect_to` block in controller context.
*Steven Peckins*
-------------------------------------------------------------------
Mon Dec 3 06:18:31 UTC 2018 - mschnitzer@suse.com
- updated to version 5.2.1.1 (boo#1118076)
* No changes / Just a version bump to match with Rails 5.2.1.1
-------------------------------------------------------------------
Wed Aug 8 14:44:15 UTC 2018 - mschnitzer@suse.com
- updated to version 5.2.1 (boo#1104209)
* Prevent `?null=` being passed on JSON encoded test requests.
`RequestEncoder#encode_params` won't attempt to parse params if
there are none.
So call like this will no longer append a `?null=` query param.
get foos_url, as: :json
(Alireza Bashiri)
* Ensure `ActionController::Parameters#transform_values` and
`ActionController::Parameters#transform_values!` converts hashes into
parameters.
(Kevin Sjöberg)
* Fix strong parameters `permit!` with nested arrays.
Given:
```
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
params.permit!
```
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
(Steve Hull)
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
`ActionController::TestCase` subclasses.
(Eugene Kenny)
* Output only one Content-Security-Policy nonce header value per request.
Fixes #32597.
(Andrey Novikov, Andrew White)
* Only disable GPUs for headless Chrome on Windows.
It is not necessary anymore for Linux and macOS machines.
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
(Stefan Wrobel)
* Fix system tests transactions not closed between examples.
(Sergey Tarasov)
-------------------------------------------------------------------
Mon Apr 16 12:05:02 UTC 2018 - mschnitzer@suse.com
- initialize package
see changelog: https://github.com/rails/rails/blob/v5.2.0/actionpack/CHANGELOG.md
