Update dependency activestorage to v6 [SECURITY] #11
This PR contains the following updates:
5.2.4.4 -> 6.1.7.7
GitHub Vulnerability Alerts
CVE-2022-21831
The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or arguments. Additionally, a strict ImageMagick security policy will help mitigate this issue.
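An application-side version of the allow-list workaround described above, as an added example that is not part of the advisory or of Rails: it validates a transformations hash before any image processor sees it. The method and constant names and the contents of both lists are hypothetical, constructed for illustration.

```ruby
# Added example; not Active Storage code. All names and list contents below
# are hypothetical and constructed for illustration.
ALLOWED_METHODS = %w[resize_to_limit resize_to_fit resize_to_fill format quality rotate].freeze
DENIED_ARGUMENTS = %w[-debug -help -path -set -write].freeze

class UnsafeTransformation < ArgumentError; end

# Raises UnsafeTransformation unless every method is allow-listed and every
# argument (including nested ones) passes the deny-list and the type check.
def validate_transformations!(transformations)
  transformations.each do |method, argument|
    name = method.to_s
    unless ALLOWED_METHODS.include?(name)
      raise UnsafeTransformation, "transformation method not allowed: #{name}"
    end
    validate_argument!(name, argument)
  end
  transformations
end

# Walks nested arrays and hashes so a denied value cannot hide one level down.
def validate_argument!(method, argument)
  case argument
  when String, Symbol
    if DENIED_ARGUMENTS.include?(argument.to_s.strip.downcase)
      raise UnsafeTransformation, "argument not allowed for #{method}: #{argument}"
    end
  when Array
    argument.each { |item| validate_argument!(method, item) }
  when Hash
    argument.each do |key, value|
      validate_argument!(method, key)
      validate_argument!(method, value)
    end
  when Numeric, true, false, nil
    nil # plain scalars carry no option syntax
  else
    raise UnsafeTransformation, "unsupported argument type for #{method}: #{argument.class}"
  end
end

# Boolean wrapper for callers that prefer a check over an exception.
def safe_transformations?(transformations)
  validate_transformations!(transformations)
  true
rescue UnsafeTransformation
  false
end
```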
CVE-2024-26144
Possible Sensitive Session Information Leak in Active Storage
There is a possible sensitive session information leak in Active Storage. By
default, Active Storage sends a Set-Cookie header along with the user's
session cookie when serving blobs. It also sets Cache-Control to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.
This vulnerability has been assigned the CVE identifier CVE-2024-26144.
Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7
Impact
A proxy which chooses to cache this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.
This was patched in 7.1.0 but not previously identified as a security
vulnerability.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.
Credits
Thanks to tyage for reporting this!
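For applications that cannot upgrade straight away, the header combination described in this advisory can be detected and neutralised inside the application before a proxy sees it. The following is an added example, not code from Rails or from the advisory: a Rack-style middleware that drops Set-Cookie from publicly cacheable responses under the Active Storage route prefix. The class and module names are hypothetical, and the prefix assumes the default /rails/active_storage/ routes.

```ruby
# Added example; not Rails code. Plain Rack-style objects, no gems required.
# Module and class names are hypothetical.
module CookieCacheAudit
  module_function

  # Case-insensitive header lookup (header casing differs between Rack versions).
  def header(headers, name)
    pair = headers.find { |key, _| key.to_s.casecmp?(name) }
    pair && pair[1]
  end

  def cache_directives(headers)
    header(headers, "cache-control").to_s.split(",").map { |d| d.strip.downcase }
  end

  # True when a shared cache is allowed to store the response.
  def publicly_cacheable?(headers)
    directives = cache_directives(headers)
    directives.include?("public") &&
      !directives.include?("private") &&
      !directives.include?("no-store")
  end

  # The combination the advisory describes: cacheable by anyone, yet carrying a cookie.
  def leaks_session?(headers)
    publicly_cacheable?(headers) && !header(headers, "set-cookie").nil?
  end
end

class StripCookieOnPublicCache
  # prefix is an assumption: the default Active Storage route prefix.
  def initialize(app, prefix: "/rails/active_storage/")
    @app = app
    @prefix = prefix
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env["PATH_INFO"].to_s.start_with?(@prefix) && CookieCacheAudit.leaks_session?(headers)
      headers = headers.reject { |key, _| key.to_s.casecmp?("set-cookie") }
    end
    [status, headers, body]
  end
end

# Constructed sample response, shaped like a proxied blob served with a session cookie.
SAMPLE_HEADERS = {
  "Cache-Control" => "max-age=3155695200, public",
  "Set-Cookie" => "_app_session=CONSTRUCTED; path=/; HttpOnly",
  "Content-Type" => "image/png"
}.freeze
```

In a Rails application the middleware would be inserted with config.middleware.use; the same predicate can be run over captured response headers to audit an existing deployment.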
Release Notes
rails/rails (activestorage)
v6.1.7.7: 6.1.7.7
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Disables the session in ActiveStorage::Blobs::ProxyController and ActiveStorage::Representations::ProxyController in order to allow caching by default in some CDNs such as CloudFlare.
Fixes #44136
Bruno Prieto
Action Mailbox
Action Text
Railties
v6.1.7.6
Compare Source
No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.
v6.1.7.5: 6.1.7.5 Release
Compare Source
Active Support
Use a temporary file for storing unencrypted files while editing
[CVE-2023-38037]
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.4
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Raise an exception if illegal characters are provided to redirect_to
[CVE-2023-28362]
Zack Deveau
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.3
Compare Source
Active Support
Implement SafeBuffer#bytesplice
[CVE-2023-28120]
Active Model
Active Record
Action View
Ignore certain data-* attributes in rails-ujs when element is contenteditable
[CVE-2023-23913]
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.2
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Fix domain: :all for two letter TLD
This fixes a compatibility issue introduced in our previous security release when using domain: :all with a two letter but single level top level domain (like .ca, rather than .co.uk).
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7.1
Compare Source
Active Support
Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
Active Model
Active Record
Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
Action View
Action Pack
Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
Use string#split instead of regex for domain parts
[CVE-2023-22792]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.7
Compare Source
Active Support
Active Model
Active Record
Symbol is allowed by default for YAML columns
Étienne Barrié
Fix ActiveRecord::Store to serialize as a regular Hash
Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess which is wasteful and cause problem with YAML safe_load.
Jean Boussier
Fix PG.connect keyword arguments deprecation warning on ruby 2.7
Fixes #44307.
Nikita Vasilevsky
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.
fatkodima
Action Mailbox
Action Text
Railties
v6.1.6.1: 6.1.6.1
Compare Source
Active Support
Active Model
Active Record
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.
config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:
[CVE-2022-32224]
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.6: 6.1.6
Compare Source
Active Support
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters in names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option :escape_attributes to :escape, to simplify by applying the option to the whole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.5.1: 6.1.5.1
Compare Source
Active Support
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters in names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option :escape_attributes to :escape, to simplify by applying the option to the whole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v6.1.5: 6.1.5
Compare Source
Active Support
Fix ActiveSupport::Duration.build to support negative values.
The algorithm to collect the parts of the ActiveSupport::Duration ignored the sign of the value and accumulated incorrect part values. This impacted ActiveSupport::Duration#sum (which is dependent on parts) but not ActiveSupport::Duration#eql? (which is dependent on value).
Caleb Buxton, Braden Staudacher
Time#change and methods that call it (eg. Time#advance) will now return a Time with the timezone argument provided, if the caller was initialized with a timezone argument.
Fixes #42467.
Alex Ghiculescu
Clone to keep extended Logger methods for tagged logger.
Orhan Toy
assert_changes works on including ActiveSupport::Assertions module.
Pedro Medeiros
Active Model
Clear secure password cache if password is set to nil
Before:
user.password = 'something'
user.password = nil
user.password # => 'something'
Now:
user.password = 'something'
user.password = nil
user.password # => nil
Markus Doits
Fix delegation in ActiveModel::Type::Registry#lookup and ActiveModel::Type.lookup
Passing a last positional argument {} would be incorrectly considered as keyword argument.
Benoit Daloze
Fix to_json after changes_applied for ActiveModel::Dirty object.
Ryuta Kamizono
Active Record
Fix ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6.
Ruby 2.6 and 2.7 have slightly different implementations of the String#@- method.
In Ruby 2.6, the receiver of the String#@- method is modified under certain circumstances.
This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only fixed in Ruby 2.7.
Before the changes in this commit, the ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate method, which internally calls the String#@- method, could also modify an input string argument in Ruby 2.6 -- changing a tainted, unfrozen string into a tainted, frozen string.
Fixes #43056
Eric O'Hanlon
Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.
reference/belongs_to in migrations with version 6.0 were creating columns as bigint instead of integer for the SQLite Adapter.
Marcelo Lauxen
Fix dbconsole for 3-tier config.
Eileen M. Uchitelle
Better handle SQL queries with invalid encoding.
Would cause all adapters to fail in a non controlled way in the code
responsible to detect write queries.
The query is now properly passed to the database connection, which might or might
not be able to handle it, but will either succeed or fail in a more correct way.
Jean Boussier
Ignore persisted in-memory records when merging target lists.
Kevin Sjöberg
Fix regression bug that caused ignoring additional conditions for preloading has_many through relations.
Fixes #43132
Alexander Pauly
Fix ActiveRecord::InternalMetadata to not be broken by config.active_record.record_timestamps = false
Since the model always creates the timestamp columns, it has to set them, otherwise it breaks
various DB management tasks.
Fixes #42983
Jean Boussier
Fix duplicate active record objects on inverse_of.
Justin Carvalho
Fix duplicate objects stored in has many association after save.
Fixes #42549.
Alex Ghiculescu
Fix performance regression in CollectionAssocation#build.
Alex Ghiculescu
Fix retrieving default value for text column for MariaDB.
fatkodima
Action View
preload_link_tag properly inserts as attributes for files with image MIME types, such as JPG or SVG.
Nate Berkopec
Add autocomplete="off" to all generated hidden fields.
Fixes #42610.
Ryan Baumann
Fix current_page? when URL has trailing slash.
This fixes the current_page? helper when the given URL has a trailing slash, and is an absolute URL or also has query params.
Fixes #33956.
Jonathan Hefner
Action Pack
Fix content_security_policy returning invalid directives.
Directives such as self, unsafe-eval and few others were not single quoted when the directive was the result of calling a lambda returning an array.
With this fix the policy generated from above will now be valid.
Edouard Chin
Update HostAuthorization middleware to render debug info only when config.consider_all_requests_local is set to true.
Also, blocked host info is always logged with level error.
Fixes #42813.
Nikita Vyrko
Dup arrays that get "converted".
Fixes #43681.
Aaron Patterson
Don't show deprecation warning for equal paths.
Anton Rieder
Fix crash in ActionController::Instrumentation with invalid HTTP formats.
Fixes #43094.
Alex Ghiculescu
Add fallback host for SystemTestCase driven by RackTest.
Fixes #42780.
Petrik de Heus
Add more detail about what hosts are allowed.
Alex Ghiculescu
Active Job
Action Mailer
Action Cable
The Action Cable client now ensures successful channel subscriptions:
the server confirms the subscription or the channel is torn down.
by a subscribe (on the same channel identifier) and the requests are
handled out of order by the ActionCable server, thereby ignoring the
subscribe command.
Daniel Spinosa
Truncate broadcast logging messages.
J Smith
Active Storage
Attachments can be deleted after their association is no longer defined.
Fixes #42514
Don Sisco
Action Mailbox
Add attachments to the list of permitted parameters for inbound emails conductor.
When using the conductor to test inbound emails with attachments, this prevents an
unpermitted parameter warning in default configurations, and prevents errors for
applications that set:
David Jones, Dana Henke
Action Text
Fix Action Text extra trix content wrapper.
Alexandre Ruban
Railties
In zeitwerk mode, setup the once autoloader first, and the main autoloader after it.
This order plays better with shared namespaces.
Xavier Noria
Handle paths with spaces when editing credentials.
Alex Ghiculescu
Support Psych 4 when loading secrets.
Nat Morcos
v6.1.4.7: 6.1.4.7
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Action Mailbox
Action Text
Railties
v6.1.4.6: 6.1.4.6
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.5: 6.1.4.5
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which results in request state not
being fully reset before the next request
[CVE-2022-23633]
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.4: 6.1.4.4
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.3: 6.1.4.3
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
Allow localhost with a port by default in development
[Fixes: #43864]
v6.1.4.2: 6.1.4.2
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.4.1
Compare Source
v6.1.4: 6.1.4
Compare Source
Active Support
MemCacheStore: convert any underlying value (including false) to an Entry.
See #42559.
Alex Ghiculescu
Fix bug in number_with_precision when using large BigDecimal values.
Fixes #42302.
Federico Aldunate, Zachary Scott
Check byte size instead of length on secure_compare.
Tietew
Fix Time.at to not lose :in option.
Ryuta Kamizono
Require a path for config.cache_store = :file_store.
Alex Ghiculescu
Avoid having to store complex object in the default translation file.
Rafael Mendonça França
Active Model
Fix to_json for ActiveModel::Dirty object.
Exclude +mutations_from_database+ attribute from json as it lead to recursion.
Anil Maurya
Active Record
Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.
Jamie McCarthy
Raise an error if pool_config is nil in set_pool_config.
Eileen M. Uchitelle
Fix compatibility with psych >= 4.
Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.
Jean Boussier
Support using replicas when using rails dbconsole.
Christopher Thornton
Restore connection pools after transactional tests.
Eugene Kenny
Change upsert_all to fail cleanly for MySQL when :unique_by is used.
Bastian Bartmann
Fix user-defined self.default_scope to respect table alias.
Ryuta Kamizono
Clear @cache_keys cache after update_all, delete_all, destroy_all.
Ryuta Kamizono
Changed Arel predications contains and overlaps to use quoted_node so that PostgreSQL arrays are quoted properly.
Bradley Priest
Fix merge when the where clauses have string contents.
Ryuta Kamizono
Fix rollback of parent destruction with nested dependent: :destroy.
Jacopo Beschi
Fix binds logging for "WHERE ... IN ..." statements.
Ricardo Díaz
Handle false in relation strict loading checks.
Previously when a model had strict loading set to true and then had a relation set strict_loading to false the false wasn't considered when deciding whether to raise/warn about strict loading.
In the example, dog.treats would still raise even though strict_loading was set to false. This is a bug affecting more than Active Storage which is why I made this PR superseding #41461. We need to fix this for all applications since the behavior is a little surprising. I took the test from #41461 and the code suggestion from #41453 with some additions.
Eileen M. Uchitelle, Radamés Roriz
Fix numericality validator without precision.
Ryuta Kamizono
Fix aggregate attribute on Enum types.
Ryuta Kamizono
Fix CREATE INDEX statement generation for PostgreSQL.
eltongo
Fix where clause on enum attribute when providing array of strings.
Ryuta Kamizono
Fix unprepared_statement to work it when nesting.
Ryuta Kamizono
Action View
The translate helper now passes default values that aren't translation keys through I18n.translate for interpolation.
Jonathan Hefner
Don't attach UJS form submission handlers to Turbo forms.
David Heinemeier Hansson
Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.
Ryuta Kamizono
Action Pack
Ignore file fixtures on db:fixtures:load
Kevin Sjöberg
Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.
Dylan Thacker-Smith
Correctly place optional path parameter booleans.
Previously, if you specify a url parameter that is part of the path as false it would include that part
of the path as parameter for example:
After this change, true and false will be treated the same when used as optional path parameters. Meaning now:
Adam Hess
Add support for 'private, no-store' Cache-Control headers.
Previously, 'no-store' was exclusive; no other directives could be specified.
Alex Smith
Active Job
Action Mailer
Action Cable
Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.
Vladislav
Active Storage
The parameters sent to ffmpeg for generating a video preview image are now configurable under config.active_storage.video_preview_arguments.
Brendon Muir
Fix Active Storage update task when running in an engine.
Justin Malčić
Don't raise an error if the mime type is not recognized.
Fixes #41777.
Alex Ghiculescu
ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.
Alex Robbin
respond with 404 given invalid variation key when asking for representations.
George Claghorn
Blob creation shouldn't crash if no service selected.
Alex Ghiculescu
Action Mailbox
Action Text
Always render attachment partials as HTML with :html format inside trix editor.
James Brooks
Railties
Fix compatibility with psych >= 4.
Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility Rails.application.config_for now uses YAML.unsafe_load if available.
Jean Boussier
Ensure Rails.application.config_for always cast hashes to ActiveSupport::OrderedOptions.
Jean Boussier
Fix create migration generator with --pretend option.
euxx
v6.1.3.2: 6.1.3.2
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Prevent open redirects by correctly escaping the host allow list
CVE-2021-22903
Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
Prevent regex DoS in HTTP token authentication
CVE-2021-22904
Prevent string polymorphic route arguments.
url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
Gannon McGibbon
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.3.1: 6.1.3.1
Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.
George Claghorn
Action Mailbox
Action Text
Railties
v6.1.3: 6.1.3
Compare Source
Active Support
Active Model
Active Record
Fix the MySQL adapter to always set the right collation and charset
to the connection session.
Rafael Mendonça França
Fix MySQL adapter handling of time objects when prepared statements
are enabled.
Rafael Mendonça França
Fix scoping in enum fields using conditions that would generate
an IN clause.
Ryuta Kamizono
Skip optimised #exist? query when #include? is called on a relation
with a having clause
Relations that have aliased select values AND a having clause that
references an aliased select value would generate an error when
#include? was called, due to an optimisation that would generate
call #exists? on the relation instead, which effectively alters
the select values of the query (and thus removes the aliased select
values), but leaves the having clause intact. Because the having
clause is then referencing an aliased column that is no longer
present in the simplified query, an ActiveRecord::InvalidStatement
error was raised.
A sample query affected by this problem:
This change adds an additional check to the condition that skips the
simplified #exists? query, which simply checks for the presence of
a having clause.
Fixes #41417
Michael Smart
Increment postgres prepared statement counter before making a prepared statement, so if the statement is aborted
without Rails knowledge (e.g., if app gets kill -9d during long-running query or due to Rack::Timeout), app won't end
up in perpetual crash state for being inconsistent with Postgres.
wbharding, Martin Tepper
Action View
Action Pack
Re-define routes when not set correctly via inheritance.
John Hawthorn
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.2.1: 6.1.2.1
Compare Source
Active Support
Active Model
Active Record
Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
Aaron Patterson
Action View
Action Pack
Prevent open redirect when allowed host starts with a dot
[CVE-2021-22881]
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
issue and the patch!
Aaron Patterson
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.2: 6.1.2
Compare Source
Active Support
ActiveSupport::Cache::MemCacheStore now accepts an explicit nil for its addresses argument.
is now equivalent to
and is also equivalent to
which is the fallback behavior of Dalli
Active Model
Active Record
Fix timestamp type for sqlite3.
Eileen M. Uchitelle
Make destroy async transactional.
An active record rollback could occur while enqueuing a job. In this
case the job would enqueue even though the database deletion
rolled back putting things in a funky state.
Now the jobs are only enqueued until after the db transaction has been committed.
Cory Gwin
Fix malformed packet error in MySQL statement for connection configuration.
robinroestenburg
Connection specification now passes the "url" key as a configuration for the
adapter if the "url" protocol is "jdbc", "http", or "https". Previously only
urls with the "jdbc" prefix were passed to the Active Record Adapter, others
are assumed to be adapter specification urls.
Fixes #41137.
Jonathan Bracy
Fix granular connection swapping when there are multiple abstract classes.
Eileen M. Uchitelle
Fix find_by with custom primary key for belongs_to association.
Ryuta Kamizono
Add support for rails console --sandbox for multiple database applications.
alpaca-tc
Fix where on polymorphic association with empty array.
Ryuta Kamizono
Fix preventing writes for ApplicationRecord.
Eileen M. Uchitelle
Action View
Action Pack
Fix error in ActionController::LogSubscriber that would happen when throwing inside a controller action.
Janko Marohnić
Fix fixture_file_upload deprecation when file_fixture_path is a relative path.
Eugene Kenny
Active Job
Action Mailer
Action Cable
Active Storage
Action Mailbox
Action Text
Railties
v6.1.1: 6.1.1
Compare Source
Active Support
Change IPAddr#to_json to match the behavior of the json gem returning the string representation instead of the instance variables of the object.
Before:
=> "{"addr":2130706433,"family":2,"mask_addr":4294967295}"
=> ""127.0.0.1""
Active Model
Active Record
Fix fixtures loading when strict loading is enabled for the association.
Alex Ghiculescu
Fix where with custom primary key for belongs_to association.
Ryuta Kamizono
Fix where with aliased associations.
Ryuta Kamizono
Fix composed_of with symbol mapping.
Ryuta Kamizono
Don't skip money's type cast for pluck and calculations.
Ryuta Kamizono
Fix where on polymorphic association with non Active Record object.
Ryuta Kamizono
Make sure db:prepare works even the schema file doesn't exist.
Rafael Mendonça França
Fix complicated has_many :through with nested where condition.
Ryuta Kamizono
Handle STI models for has_many dependent: :destroy_async.
Muhammad Usman
Restore possibility of passing false to :polymorphic option of belongs_to.
Previously, passing false would trigger the option validation logic to throw an error saying :polymorphic would not be a valid option.
glaszig
Allow adding nonnamed expression indexes to be revertible.
Fixes #40732.
Previously, the following code would raise an error, when executed while rolling back,
and the index name should be specified explicitly. Now, the index name is inferred
automatically.
fatkodima
Action View
Fix lazy translation in partial with block.
Marek Kasztelnik
Avoid extra SELECT COUNT queries when rendering Active Record collections.
aar0nr
Link preloading keep integrity hashes in the header.
Étienne Barrié
Add config.action_view.preload_links_header to allow disabling of the Link header being added by default when using stylesheet_link_tag and javascript_include_tag.
Andrew White
The translate helper now resolves default values when a nil key is specified, instead of always returning nil.
Jonathan Hefner
Action Pack
Fix nil translation key lookup in controllers/
Jan Klimo
Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
Alex Robbin
Change the request method to a GET when passing failed requests down to config.exceptions_app.
Alex Robbin
Active Job
Make retry_job return the job that was created.
Rafael Mendonça França
Include ActiveSupport::Testing::Assertions in ActiveJob::TestHelpers.
Mikkel Malmberg
Action Mailer
Sets default mailer queue to "default" in the mail assertions.
Paul Keen
Action Cable
Active Storage
Fix S3 multipart uploads when threshold is larger than file.
Matt Muller
Action Mailbox
Action Text
Railties
Allow spaces in path to Yarn binstub and only run on precompile if needed.
Markus Doits
Populate ARGV for app template.
Fixes #40945.
Jonathan Hefner
v6.1.0: 6.1.0
Compare Source
Active Support
Ensure MemoryStore disables compression by default. Reverts behavior of MemoryStore to its prior rails 5.1 behavior.
Max Gurewitz
Calling iso8601 on negative durations retains the negative sign on individual digits instead of prepending it.
This change is required so we can interoperate with PostgreSQL, which prefers
negative signs for each component.
Compatibility with other iso8601 parsers which support leading negatives as well
as negatives per component is still retained.
Before:
=> "-P1Y1D"
=> "P-1Y-1D"
Remove deprecated ActiveSupport::Notifications::Instrumenter#end=.
Rafael Mendonça França
Deprecate ActiveSupport::Multibyte::Unicode.default_normalization_form.
Rafael Mendonça França
Remove deprecated ActiveSupport::Multibyte::Unicode.pack_graphemes, ActiveSupport::Multibyte::Unicode.unpack_graphemes, ActiveSupport::Multibyte::Unicode.normalize, ActiveSupport::Multibyte::Unicode.downcase, ActiveSupport::Multibyte::Unicode.upcase and ActiveSupport::Multibyte::Unicode.swapcase.
Rafael Mendonça França
Remove deprecated ActiveSupport::Multibyte::Chars#consumes? and ActiveSupport::Multibyte::Chars#normalize.
Rafael Mendonça França
Remove deprecated file active_support/core_ext/range/include_range.
Rafael Mendonça França
Remove deprecated file active_support/core_ext/hash/transform_values.
Rafael Mendonça França
Remove deprecated file active_support/core_ext/hash/compact.
Rafael Mendonça França
Remove deprecated file active_support/core_ext/array/prepend_and_append.
Rafael Mendonça França
Remove deprecated file active_support/core_ext/numeric/inquiry.
Rafael Mendonça França
Remove deprecated file active_support/core_ext/module/reachable.
Rafael Mendonça França
Remove deprecated Module#parent_name, Module#parent and Module#parents.
Rafael Mendonça França
Remove deprecated ActiveSupport::LoggerThreadSafeLevel#after_initialize.
Rafael Mendonça França
Remove deprecated LoggerSilence constant.
Rafael Mendonça França
Remove deprecated fallback to I18n.default_local when config.i18n.fallbacks is empty.
Rafael Mendonça França
Remove entries from local cache on RedisCacheStore#delete_matched
Fixes #38627
ojab
Speed up ActiveSupport::SecurityUtils.fixed_length_secure_compare by using OpenSSL.fixed_length_secure_compare, if available.
Nate Matykiewicz
ActiveSupport::Cache::MemCacheStore now checks ENV["MEMCACHE_SERVERS"] before falling back to "localhost:11211" if configured without any addresses.
is now equivalent to
instead of
ActiveSupport::Subscriber#attach_to now accepts an inherit_all: argument. When set to true, it allows a subscriber to receive events for methods defined in the subscriber's ancestor class(es).
We detach ActionControllerSubscriber from the :action_controller namespace so that our CustomActionControllerSubscriber
can provide its own instrumentation for certain events in the namespace
=> CustomActionControllerSubscriber will process events for "start_processing.action_controller" notifications
using its own #start_processing implementation, while retaining ActionControllerSubscriber's instrumentation
for "redirect_to.action_controller" notifications
Allow the digest class used to generate non-sensitive digests to be configured with config.active_support.hash_digest_class.
config.active_support.use_sha1_digests is deprecated in favour of config.active_support.hash_digest_class = ::Digest::SHA1.
Dirkjan Bussink
Fix bug to make memcached write_entry expire correctly with unless_exist
Jye Lee
Add ActiveSupport::Duration conversion methods
in_seconds, in_minutes, in_hours, in_days, in_weeks, in_months, and in_years return the respective duration covered.
Jason York
Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing options to read_multi causing fetch_multi to not work properly
Rajesh Sharma
Fixed issue in ActiveSupport::Cache::MemCacheStore which caused duplicate compression, and caused the provided compression_threshold to not be respected.
Max Gurewitz
Prevent RedisCacheStore and MemCacheStore from performing compression when reading entries written with raw: true.
Max Gurewitz
URI.parser is deprecated and will be removed in Rails 6.2. Use URI::DEFAULT_PARSER instead.
Jean Boussier
require_dependency has been documented to be obsolete in :zeitwerk mode. The method is not deprecated as such (yet), but applications are encouraged to not use it.
In :zeitwerk mode, semantics match Ruby's and you do not need to be defensive with load order. Just refer to classes and modules normally. If the constant name is dynamic, camelize if needed, and constantize.
Xavier Noria
Add 3rd person aliases of Symbol#start_with? and Symbol#end_with?.
Ryuta Kamizono
Add override of unary plus for ActiveSupport::Duration.
+ 1.second is now identical to +1.second to prevent errors where a seemingly innocent change of formatting leads to a change in the code behavior.
Before:
=> ActiveSupport::Duration
=> Integer
=> ActiveSupport::Duration
=> ActiveSupport::Duration
Add subsec to ActiveSupport::TimeWithZone#inspect.
Before:
=> "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
=> "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
=> "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
=> "Thu, 22 Jun 2017 02:39:00.000000000 UTC +00:00"
=> "Thu, 22 Jun 2017 02:39:00.123456780 UTC +00:00"
=> "Thu, 22 Jun 2017 02:39:00.333333333 UTC +00:00"
Calling ActiveSupport::TaggedLogging#tagged without a block now returns a tagged logger.
Eugene Kenny
Align Range#cover? extension behavior with Ruby behavior for backwards ranges.
(1..10).cover?(5..3) now returns false, as it does in plain Ruby.
Also update #include? and #=== behavior to match.
Michael Groeneman
Update to TZInfo v2.0.0.
This changes the output of ActiveSupport::TimeZone.utc_to_local, but can be controlled with the ActiveSupport.utc_to_local_returns_utc_offset_times config.
New Rails 6.1 apps have it enabled by default, existing apps can upgrade via the config in config/initializers/new_framework_defaults_6_1.rb
See the utc_to_local_returns_utc_offset_times documentation for details.
Phil Ross, Jared Beck
Add Date and Time #yesterday? and #tomorrow? alongside #today?.
Aliased to #prev_day? and #next_day? to match the existing #prev/next_day methods.
Jatin Dhankhar
Add Enumerable#pick to complement ActiveRecord::Relation#pick.
Eugene Kenny
[Breaking change] ActiveSupport::Callbacks#halted_callback_hook now receives a 2nd argument:
ActiveSupport::Callbacks#halted_callback_hook now receives the name of the callback being halted as second argument.
This change will allow you to differentiate which callbacks halted the chain and act accordingly.
Edouard Chin
Support prepend with ActiveSupport::Concern.
Allows a module with extend ActiveSupport::Concern to be prepended.
Same as included, except only run when prepended.
Deprecate using Range#include? method to check the inclusion of a value in a date time range. It is recommended to use Range#cover? method instead of Range#include? to check the inclusion of a value in a date time range.
Vishal Telangre
Support added for a round_mode parameter, in all number helpers. (See: BigDecimal::mode.)
Tom Lord
Array#to_sentence no longer returns a frozen string.
Before:
=> true
=> false
When an instance of ActiveSupport::Duration is converted to an iso8601 duration string, if weeks are mixed with date parts, the week part will be converted to days.
This keeps the parser and serializer on the same page.
1 week, 4 days, 13 hours, 46 minutes, and 40.0 seconds
P11DT13H46M40S
11 days, 13 hours, 46 minutes, and 40 seconds
1 week
P1W
1 week
Add block support to ActiveSupport::Testing::TimeHelpers#travel_back.
Tim Masliuchenko
Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when ActiveSupport.parse_json_times = true.
Christian Gregg
Support symbolic links for content_path in ActiveSupport::EncryptedFile.
Takumi Shotoku
Improve Range#===, Range#include?, and Range#cover? to work with beginless (startless) and endless range targets.
Allen Hsu, Andrew Hodgkinson
Don't use Process#clock_gettime(CLOCK_THREAD_CPUTIME_ID) on Solaris.
Iain Beeston
Prevent ActiveSupport::Duration.build(value) from creating instances of ActiveSupport::Duration unless value is of type Numeric.
Addresses the errant set of behaviours described in #37012 where ActiveSupport::Duration comparisons would fail confusingly or return unexpected results when comparing durations built from instances of String.
Before:
=> false
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.