Releases: rails/rails
v7.0.4
Active Support
- Redis cache store is now compatible with redis-rb 5.0.

  Jean Boussier

- Fix NoMethodError on custom ActiveSupport::Deprecation behavior.

  ActiveSupport::Deprecation.behavior= was supposed to accept any object
  that responds to call, but in fact its internal implementation assumed that
  this object could respond to arity, so it was restricted to only Proc objects.

  This change removes this arity restriction of custom behaviors.

  Ryo Nakamura
Active Model
- Handle name clashes in attribute methods code generation cache.

  When two distinct attribute methods would generate similar names,
  the first implementation would be incorrectly re-used.

      class A
        attribute_method_suffix "_changed?"
        define_attribute_methods :x
      end

      class B
        attribute_method_suffix "?"
        define_attribute_methods :x_changed
      end

  Jean Boussier
Active Record
- Symbol is allowed by default for YAML columns

  Étienne Barrié

- Fix ActiveRecord::Store to serialize as a regular Hash

  Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
  which is wasteful and causes problems with YAML safe_load.

  Jean Boussier

- Add timestamptz as a time zone aware type for PostgreSQL

  This is required for correctly parsing timestamp with time zone values in your database.

  If you don't want this, you can opt out by adding this initializer:

      ActiveRecord::Base.time_zone_aware_types -= [:timestamptz]

  Alex Ghiculescu

- Fix supporting timezone awareness for tsrange and tstzrange array columns.

      # In database migrations
      add_column :shops, :open_hours, :tsrange, array: true
      # In app config
      ActiveRecord::Base.time_zone_aware_types += [:tsrange]
      # In the code times are properly converted to app time zone
      Shop.create!(open_hours: [Time.current..8.hour.from_now])

  Wojciech Wnętrzak

- Resolve issue where a relation cache_version could be left stale.

  Previously, when reset was called on a relation object it did not reset the cache_versions
  ivar. This led to a confusing situation where despite having the correct data the relation
  still reported a stale cache_version.

  Usage:

      developers = Developer.all
      developers.cache_version

      Developer.update_all(updated_at: Time.now.utc + 1.second)

      developers.cache_version # Stale cache_version
      developers.reset
      developers.cache_version # Returns the current correct cache_version

  Fixes #45341.

  Austen Madden

- Fix load_async when called on an association proxy.

  Calling load_async directly on an association would schedule
  a query but never use it.

      comments = post.comments.load_async # schedule a query
      comments.to_a # perform an entirely new sync query

  Now it does use the async query, however note that it doesn't
  cause the association to be loaded.

  Jean Boussier

- Fix eager loading for models without primary keys.

  Anmol Chopra, Matt Lawrence, and Jonathan Hefner

- rails db:schema:{dump,load} now checks ENV["SCHEMA_FORMAT"] before config

  Since rails db:structure:{dump,load} was deprecated there wasn't a simple
  way to dump a schema to both SQL and Ruby formats. You can now do this with
  an environment variable. For example:

      SCHEMA_FORMAT=sql rake db:schema:dump

  Alex Ghiculescu

- Fix Hstore deserialize regression.

  edsharp
Action View
- Guard against ActionView::Helpers::FormTagHelper#field_name calls with nil
  object_name arguments. For example:

      <%= fields do |f| %>
        <%= f.field_name :body %>
      <% end %>

  Sean Doyle

- Strings returned from strip_tags are correctly tagged html_safe?

  Because these strings contain no HTML elements and the basic entities are escaped, they are safe
  to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
  entities when being concatenated to a SafeBuffer during rendering.

  Fixes rails/rails-html-sanitizer#124

  Mike Dalessio
Action Pack
- Prevent ActionDispatch::ServerTiming from overwriting existing values in Server-Timing.

  Previously, if another middleware down the chain set the Server-Timing header,
  it would be overwritten by ActionDispatch::ServerTiming.

  Jakub Malinowski
Active Job
- Update ActiveJob::QueueAdapters::QueAdapter to remove deprecation warning.

  Remove a deprecation warning introduced in que 1.2 to prepare for changes in
  que 2.0 necessary for Ruby 3 compatibility.

  Damir Zekic and Adis Hasovic
Action Mailer
- No changes.
Action Cable
- The Redis adapter is now compatible with redis-rb 5.0

  Compatibility with redis-rb 3.x was dropped.

  Jean Boussier

- The Action Cable server is now mounted with anchor: true.

  This means that routes that also start with /cable will no longer clash with Action Cable.

  Alex Ghiculescu
Active Storage
- Fixes proxy downloads of files over 5MiB

  Previously, trying to view and/or download files larger than 5mb stored in
  services like S3 via proxy mode could return corrupted files at around
  5.2mb or cause random halts in the download. Now,
  ActiveStorage::Blobs::ProxyController correctly handles streaming these
  larger files from the service to the client without any issues.

  Fixes #44679

  Felipe Raul
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- config.allow_concurrency = false now uses a Monitor instead of a Mutex

  This allows enabling config.active_support.executor_around_test_case even
  when config.allow_concurrency is disabled.

  Jean Boussier

- Skip Active Storage and Action Mailer if Active Job is skipped.

  Étienne Barrié

- Correctly check if frameworks are disabled when running app:update.

  Étienne Barrié and Paulo Barros

- Fixed config.active_support.cache_format_version never being applied.

  Rails 7.0 shipped with a new serializer for Rails.cache, but the associated config
  wasn't working properly. Note that even after this fix, it can only be applied from
  the application.rb file.

  Alex Ghiculescu
v6.1.7
Active Support
- No changes.
Active Model
- No changes.
Active Record
- Symbol is allowed by default for YAML columns

  Étienne Barrié

- Fix ActiveRecord::Store to serialize as a regular Hash

  Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
  which is wasteful and causes problems with YAML safe_load.

  Jean Boussier

- Fix PG.connect keyword arguments deprecation warning on ruby 2.7

  Fixes #44307.

  Nikita Vasilevsky
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

  fatkodima
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v6.0.6
Active Support
- No changes.
Active Model
- No changes.
Active Record
- Symbol is allowed by default for YAML columns

  Étienne Barrié
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
7.0.3.1
Active Support
- No changes.
Active Model
- No changes.
Active Record
- Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options. The configuration options are as
  follows:

  - config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

  - config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

        config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
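A pre-upgrade audit of serialized values against that allow-list, as an added example that is not Rails code: `first_blocked_class` and `audit_rows` are hypothetical helper names and the row payloads are constructed samples. Row 3 carries the `ActiveSupport::HashWithIndifferentAccess` tag that the `ActiveRecord::Store` fix in the 7.0.4 notes above stops emitting.

```ruby
require "yaml"
require "date"

# Allow-list taken from the page's example:
#   config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
PERMITTED = [Symbol, Date, Time].freeze

# Constructed sample payloads standing in for serialized column values,
# keyed by a made-up row id.
SAMPLE_ROWS = {
  1 => "---\ncolor: blue\n",
  2 => Psych.dump({ status: :active, seen_at: Time.utc(2022, 7, 12, 10, 0, 0) }),
  3 => "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ncolor: blue\n"
}.freeze

# Hypothetical helper: returns the name of the first class that safe_load
# refuses to build for this payload, or nil when the payload loads cleanly.
# The refused class is never instantiated; the name comes from the error text.
def first_blocked_class(yaml, permitted)
  Psych.safe_load(yaml, permitted_classes: permitted)
  nil
rescue Psych::DisallowedClass => e
  e.message[/unspecified class: (.+)\z/, 1]
end

# Hypothetical helper: groups row ids by the class that blocks them, so each
# class can be reviewed before it is added to the allow-list or the stored
# data is rewritten.
def audit_rows(rows, permitted)
  rows.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(id, yaml), report|
    name = first_blocked_class(yaml, permitted)
    report[name] << id if name
  end
end

if $PROGRAM_NAME == __FILE__
  audit_rows(SAMPLE_ROWS, PERMITTED).each do |name, ids|
    puts "#{name}: rows #{ids.join(', ')}"
  end
end
```

Each pass reports only the first refused class per row, so rerun the audit after every allow-list change until the report is empty.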
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.1.6.1
Active Support
- No changes.
Active Model
- No changes.
Active Record
- Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options. The configuration options are as
  follows:

  - config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

  - config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

        config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.0.5.1
Active Support
- No changes.
Active Model
- No changes.
Active Record
- Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options. The configuration options are as
  follows:

  - config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

  - config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

        config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
5.2.8.1
Active Support
- No changes.
Active Model
- No changes.
Active Record
- Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options. The configuration options are as
  follows:

  - config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

  - config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

        config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.
7.0.3
Active Support
- No changes.
Active Model
- No changes.
Active Record
- Some internal housekeeping on reloads could break custom respond_to?
  methods in class objects that referenced reloadable constants. See
  #44125 for details.

  Xavier Noria

- Fixed MariaDB default function support.

  Defaults would be written wrong in "db/schema.rb" and not work correctly
  if using db:schema:load. Furthermore the function name would be
  added as string content when saving new records.

  kaspernj

- Fix remove_foreign_key with :if_exists option when foreign key actually exists.

  fatkodima

- Remove --no-comments flag in structure dumps for PostgreSQL

  This broke some apps that used custom schema comments. If you don't want
  comments in your structure dump, you can use:

      ActiveRecord::Tasks::DatabaseTasks.structure_dump_flags = ['--no-comments']

  Alex Ghiculescu

- Use the model name as a prefix when filtering encrypted attributes from logs.

  For example, when encrypting Person#name it will add person.name as a filter
  parameter, instead of just name. This prevents unintended filtering of parameters
  with a matching name in other models.

  Jorge Manrubia

- Fix quoting of ActiveSupport::Duration and Rational numbers in the MySQL adapter.

  Kevin McPhillips

- Fix change_column_comment to preserve column's AUTO_INCREMENT in the MySQL adapter

  fatkodima
Action View
- Ensure models passed to form_for attempt to call to_model.

  Sean Doyle
Action Pack
- Allow relative redirects when raise_on_open_redirects is enabled.

  Tom Hughes

- Fix authenticate_with_http_basic to allow for missing password.

  Before Rails 7.0 it was possible to handle basic authentication with only a username.

      authenticate_with_http_basic do |token, _|
        ApiClient.authenticate(token)
      end

  This ability is restored.

  Jean Boussier

- Fix content_security_policy returning invalid directives.

  Directives such as self, unsafe-eval and a few others were not
  single quoted when the directive was the result of calling a lambda
  returning an array.

      content_security_policy do |policy|
        policy.frame_ancestors lambda { [:self, "https://example.com"] }
      end

  With this fix the policy generated from above will now be valid.

  Edouard Chin

- Fix skip_forgery_protection to run without raising an error if forgery
  protection has not been enabled / verify_authenticity_token is not a
  defined callback.

  This fix prevents the Rails 7.0 Welcome Page (/) from raising an
  ArgumentError if default_protect_from_forgery is false.

  Brad Trick

- Fix ActionController::Live to copy the IsolatedExecutionState in the ephemeral thread.

  Since its inception ActionController::Live has been copying thread local variables
  to keep things such as CurrentAttributes set from middlewares working in the controller action.

  With the introduction of IsolatedExecutionState in 7.0, some of that global state was lost in
  ActionController::Live controllers.

  Jean Boussier

- Fix setting trailing_slash: true in route definition.

      get '/test' => "test#index", as: :test, trailing_slash: true

      test_path() # => "/test/"

  Jean Boussier
Active Job
- Add missing bigdecimal require in ActiveJob::Arguments

  Could cause uninitialized constant ActiveJob::Arguments::BigDecimal (NameError)
  when loading Active Job in isolation.

  Jean Boussier
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- Don't stream responses in redirect mode

  Previously, both redirect mode and proxy mode streamed their
  responses which caused a new thread to be created, and could end
  up leaking connections in the connection pool. But since redirect
  mode doesn't actually send any data, it doesn't need to be
  streamed.

  Luke Lau
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- If reloading and eager loading are both enabled, after a reload Rails eager loads again the application code.

  Xavier Noria

- Use controller_class_path in Rails::Generators::NamedBase#route_url

  The route_url method now returns the correct path when generating
  a namespaced controller with a top-level model using --model-name.

  Previously, when running this command:

      bin/rails generate scaffold_controller Admin/Post --model-name Post

  the comments above the controller action would look like:

      # GET /posts
      def index
        @posts = Post.all
      end

  afterwards, they now look like this:

      # GET /admin/posts
      def index
        @posts = Post.all
      end

  Fixes #44662.

  Andrew White
6.1.6
Active Support
- Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Add the method ERB::Util.xml_name_escape to escape dangerous characters
  in names of tags and names of attributes, following the specification of XML.

  Álvaro Martín Fraguas
Active Model
- No changes.
Active Record
- No changes.
Action View
- Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Escape dangerous characters in names of tags and names of attributes in the
  tag helpers, following the XML specification. Rename the option
  :escape_attributes to :escape, to simplify by applying the option to the
  whole tag.

  Álvaro Martín Fraguas
Action Pack
- Allow Content Security Policy DSL to generate for API responses.

  Tim Wade
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
6.0.5
Active Support
- Fix tag helper regression.

  Eileen Uchitelle
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Railties
- No changes.
Action Text
- Disentangle Action Text from ApplicationController

  Allow Action Text to be used without having an ApplicationController
  defined.

  This makes sure:

  - Action Text attachments render the correct URL host in mailers.
  - an ActionController::Renderer isn't allocated per request.
  - Sidekiq doesn't hang with the "classic" autoloader.

  Jonathan Hefner