Rails 8.0.3 (September 22, 2025)
-
URL helpers for engines mounted at the application root handle SCRIPT_NAME correctly.
Fixed an issue where SCRIPT_NAME is not applied to paths generated for routes in an engine mounted at "/".
Mike Dalessio
-
Fix Rails.application.reload_routes! from clearing almost all routes.
When calling Rails.application.reload_routes! inside a middleware of a Rake task, it was possible under certain conditions that all routes would be cleared. If run inside a middleware, this would result in getting a 404 on most pages you visit. This issue was only happening in development.
Edouard Chin
-
Address rack 3.2 deprecation warnings.
    warning: Status code :unprocessable_entity is deprecated and will be removed in a future version of Rack. Please use :unprocessable_content instead.
Rails API will transparently convert one into the other for the foreseeable future.
Earlopain, Jean Boussier
-
Support hash-source in Content Security Policy.
madogiwa
-
Always return empty body for HEAD requests in PublicExceptions and DebugExceptions.
This is required by Rack::Lint (per RFC9110).
Hartley McGuire
Rails 8.0.2.1 (August 13, 2025)
-
No changes.
Rails 8.0.2 (March 12, 2025)
-
Improve with_routing test helper to not rebuild the middleware stack.
Otherwise some middleware configuration could be lost.
Édouard Chin
-
Add resource name to the ArgumentError that's raised when invalid :only or :except options are given to resource or resources.
This makes it easier to locate the source of the problem, especially for routes drawn by gems.
Before:
:only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
After:
Route `resources :products` - :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
Jeremy Green
-
Fix url_for to handle :path_params gracefully when it's not a Hash.
Prevents various security scanners from causing exceptions.
Martin Emde
-
Fix ActionDispatch::Executor to unwrap exceptions like other error reporting middlewares.
Jean Boussier
Rails 8.0.1 (December 13, 2024)
-
Add ActionDispatch::Request::Session#store method to conform to the Rack spec.
Yaroslav
Rails 8.0.0.1 (December 10, 2024)
-
Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.
[CVE-2024-54133]
Gannon McGibbon
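Why spaces and semicolons are rejected, shown as an added plain-Ruby sketch (not Rails source and not from the changelog): a semicolon inside one source value starts a new directive in the serialized header, and a user agent keeps the first occurrence of each directive name. The helper names and the sample value are constructed for this illustration.

```ruby
# Added illustration in plain Ruby; not Rails source. Helper names and the
# sample values are constructed for this example.
class InvalidSource < ArgumentError; end

# Serialize one directive: name followed by space-separated sources.
# With validate: true, apply the rule from this entry (no spaces, no semicolons).
def build_directive(name, sources, validate:)
  sources.each do |src|
    next unless validate && src.match?(/[;\s]/)
    raise InvalidSource, "#{name}: #{src.inspect} contains a space or semicolon"
  end
  "#{name} #{sources.join(' ')}"
end

# Read a header value back the way a user agent does: split on ";", then on
# whitespace, and keep only the first occurrence of each directive name.
def parse_policy(header)
  header.split(";").each_with_object({}) do |chunk, policy|
    name, *sources = chunk.split
    policy[name] ||= sources if name
  end
end

# Constructed stand-in for a value that reached the policy from request data.
UNTRUSTED_HOST = "https://img.example.test; script-src *"

# Build a two-directive policy and return what the user agent would enforce.
def effective_policy(validate:)
  header = [
    build_directive("img-src", ["'self'", UNTRUSTED_HOST], validate: validate),
    build_directive("script-src", ["'self'"], validate: validate)
  ].join("; ")
  parse_policy(header)
end

# True when the validated builder refuses the tainted source value.
def rejected_by_validation?
  effective_policy(validate: true)
  false
rescue InvalidSource
  true
end
```

Without validation the enforced script-src is the one carried in by the img-src value, and the intended 'self' is dropped as a duplicate; with validation the policy is never built.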
Rails 8.0.0 (November 07, 2024)
-
No changes.
Rails 8.0.0.rc2 (October 30, 2024)
-
Fix routes with :: in the path.
Rafael Mendonça França
-
Maintain Rack 2 parameter parsing behaviour.
Matthew Draper
Rails 8.0.0.rc1 (October 19, 2024)
-
Remove Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality.
Rafael Mendonça França
-
Improve ActionController::TestCase to expose a binary encoded request.body.
The rack spec clearly states:
The input stream is an IO-like object which contains the raw HTTP POST data. When applicable, its external encoding must be “ASCII-8BIT” and it must be opened in binary mode.
Until now its encoding was generally UTF-8, which doesn’t accurately reflect production behavior.
Jean Boussier
-
Update ActionController::AllowBrowser to support passing method names to :block
    class ApplicationController < ActionController::Base
      allow_browser versions: :modern, block: :handle_outdated_browser

      private
        def handle_outdated_browser
          render file: Rails.root.join("public/custom-error.html"), status: :not_acceptable
        end
    end
Sean Doyle
-
Raise an ArgumentError when invalid :only or :except options are passed into resource and resources.
Joshua Young
Rails 8.0.0.beta1 (September 26, 2024)
-
Fix non-GET requests not updating cookies in ActionController::TestCase.
Jon Moss, Hartley McGuire
-
Update ActionController::Live to use a thread-pool to reuse threads across requests.
Adam Renberg Tamm
-
Introduce safer, more explicit params handling method with params#expect such that params.expect(table: [ :attr ]) replaces params.require(:table).permit(:attr)
Ensures params are filtered with consideration for the expected types of values, improving handling of params and avoiding ignorable errors caused by params tampering.
    # If the url is altered to ?person=hacked
    # Before
    params.require(:person).permit(:name, :age, pets: [:name])
    # raises NoMethodError, causing a 500 and potential error reporting
    # After
    params.expect(person: [ :name, :age, pets: [[:name]] ])
    # raises ActionController::ParameterMissing, correctly returning a 400 error
You may also notice the new double array [[:name]]. In order to declare when a param is expected to be an array of parameter hashes, this new double array syntax is used to explicitly declare an array. expect requires you to declare expected arrays in this way, and will ignore arrays that are passed when, for example, pet: [:name] is used.
In order to preserve compatibility, permit does not adopt the new double array syntax and is therefore more permissive about unexpected types. Using expect everywhere is recommended.
We suggest replacing params.require(:person).permit(:name, :age) with the direct replacement params.expect(person: [:name, :age]) to prevent external users from manipulating params to trigger 500 errors. A 400 error will be returned instead, using public/400.html
Usage of params.require(:id) should likewise be replaced with params.expect(:id) which is designed to ensure that params[:id] is a scalar and not an array or hash, also requiring the param.
    # Before
    User.find(params.require(:id)) # allows an array, altering behavior
    # After
    User.find(params.expect(:id)) # expect only returns non-blank permitted scalars (excludes Hash, Array, nil, "", etc)
Martin Emde
-
System Testing: Disable Chrome's search engine choice by default in system tests.
glaszig
-
Fix Request#raw_post raising NoMethodError when rack.input is nil.
Hartley McGuire
-
Remove racc dependency by manually writing ActionDispatch::Journey::Scanner.
Gannon McGibbon
-
Speed up ActionDispatch::Routing::Mapper::Scope#[] by merging frame hashes.
Gannon McGibbon
-
Allow bots to ignore allow_browser.
Matthew Nguyen
-
Deprecate drawing routes with multiple paths to make routing faster. You may use with_options or a loop to make drawing multiple paths easier.
    # Before
    get "/users", "/other_path", to: "users#index"
    # After
    get "/users", to: "users#index"
    get "/other_path", to: "users#index"
Gannon McGibbon
-
Make http_cache_forever use immutable: true
Nate Matykiewicz
-
Add config.action_dispatch.strict_freshness.
When set to true, the ETag header takes precedence over the Last-Modified header when both are present, as specified by RFC 7232, Section 6.
Defaults to false to maintain compatibility with previous versions of Rails, but is enabled as part of Rails 8.0 defaults.
heka1024
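The precedence rule for conditional requests, as an added plain-Ruby sketch (not Rails source and not from the changelog). The method names and sample values are constructed, and the non-strict branch is an assumed model in which every validator the client sent must pass.

```ruby
require "time"

# Added illustration in plain Ruby; not Rails source. Method names and sample
# values are constructed for this example.

# True when the If-None-Match list names the resource's current ETag.
def etag_match?(if_none_match, etag)
  tags = if_none_match.split(",").map(&:strip)
  tags.include?("*") || tags.include?(etag)
end

# True when the resource has not changed since the If-Modified-Since date.
def unmodified_since?(if_modified_since, last_modified)
  Time.httpdate(if_modified_since) >= last_modified
end

# request:  { if_none_match:, if_modified_since: } (either may be nil)
# resource: { etag:, last_modified: }
def fresh?(request, resource, strict:)
  inm = request[:if_none_match]
  ims = request[:if_modified_since]
  return false unless inm || ims

  if strict
    # RFC 7232, Section 6: when If-None-Match is present, If-Modified-Since is ignored.
    inm ? etag_match?(inm, resource[:etag]) : unmodified_since?(ims, resource[:last_modified])
  else
    # Assumed model of the non-strict setting: every validator sent must pass.
    (inm.nil? || etag_match?(inm, resource[:etag])) &&
      (ims.nil? || unmodified_since?(ims, resource[:last_modified]))
  end
end

# Constructed case: content (and ETag) unchanged, but the timestamp moved forward.
REQUEST  = { if_none_match: '"v1"', if_modified_since: "Wed, 01 Oct 2025 10:00:00 GMT" }
RESOURCE = { etag: '"v1"', last_modified: Time.utc(2025, 10, 1, 12, 0, 0) }
```

For the constructed request, strict mode answers from the matching ETag alone, while the non-strict model treats the newer timestamp as a change and serves the full response.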
-
Support immutable directive in Cache-Control
    expires_in 1.minute, public: true, immutable: true
    # Cache-Control: public, max-age=60, immutable
heka1024
-
Add :wasm_unsafe_eval mapping for content_security_policy
    # Before
    policy.script_src "'wasm-unsafe-eval'"
    # After
    policy.script_src :wasm_unsafe_eval
Joe Haig
-
Add display_capture and keyboard_map in permissions_policy
Cyril Blaecke
-
Add connect route helper.
Samuel Williams
Please check 7-2-stable for previous changes.