Releases: rails/rails
7.0.6
Active Support
-
Fix
EncryptedConfiguration
returning incorrect values for someHash
methodsHartley McGuire
-
Fix arguments being destructed
Enumerable#many?
with block.Andrew Novoselac
-
Fix humanize for strings ending with id.
fatkodima
Active Model
- No changes.
Active Record
-
Fix autosave associations with validations added on
:base
of the associated objects.fatkodima
-
Fix result with anonymous PostgreSQL columns of different type from json.
Oleksandr Avoiants
-
Preserve timestamp when setting an
ActiveSupport::TimeWithZone
value totimestamptz
attribute.fatkodima
-
Fix where on association with has_one/has_many polymorphic relations.
Before:
Treasure.where(price_estimates: PriceEstimate.all) #=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates")
Later:
Treasure.where(price_estimates: PriceEstimate.all) #=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates" WHERE "price_estimates"."estimate_of_type" = 'Treasure')
Lázaro Nixon
-
Fix decrementing counter caches on optimistically locked record deletion
fatkodima
-
Ensure binary-destined values have binary encoding during type cast.
Matthew Draper
-
Preserve existing column default functions when altering table in SQLite.
fatkodima
-
Remove table alias added when using
where.missing
orwhere.associated
.fatkodima
-
Fix
Enumerable#in_order_of
to only flatten first level to preserve nesting.Miha Rekar
Action View
- No changes.
Action Pack
- No changes.
Active Job
-
Fix error Active Job passed class with
permitted?
.Alex Baldwin
Action Mailer
- No changes.
Action Cable
-
Fix Action Cable Redis configuration with sentinels.
Dmitriy Ivliev
Active Storage
-
Fix retrieving rotation value from FFmpeg on version 5.0+.
In FFmpeg version 5.0+ the rotation value has been removed from tags.
Instead the value can be found in side_data_list. Along with
this update it's possible to have values of -90, -270 to denote the video
has been rotated.Haroon Ahmed
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
-
Avoid escaping paths when editing credentials.
Jonathan Hefner
v7.0.5.1
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
-
Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]Zack Deveau
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v6.1.7.4
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
-
Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]Zack Deveau
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v7.0.5
Active Support
-
Fixes TimeWithZone ArgumentError.
Niklas Häusele
Active Model
- No changes.
Active Record
-
Type cast
#attribute_changed?
:from
and:to
options.Andrew Novoselac
-
Fix
index_exists?
when column is an array.Eileen M. Uchitelle
-
Handle
Date
objects for PostgreSQLtimestamptz
columns.Alex Ghiculescu
-
Fix collation for changing column to non-string.
Hartley McGuire
-
Map through subtype in
PostgreSQL::OID::Array
.Jonathan Hefner
-
Store correct environment in
internal_metadata
when run railsdb:prepare
.fatkodima
-
Make sure
ActiveRecord::Relation#sum
works with objects that implement#coerce
without deprecation.Alex Ghiculescu
-
Fix retrieving foreign keys referencing tables named like keywords in PostgreSQL and MySQL.
fatkodima
-
Support UUIDs in Disable Joins.
Samuel Cochran
-
Fix Active Record's explain for queries starting with comments.
fatkodima
-
Fix incorrectly preloading through association records when middle association has been loaded.
Joshua Young
-
Fix where.missing and where.associated for parent/child associations.
fatkodima
-
Fix Enumerable#in_order_of to preserve duplicates.
fatkodima
-
Fix autoincrement on primary key for mysql.
Eileen M. Uchitelle
-
Restore ability to redefine column in
create_table
for Rails 5.2 migrations.fatkodima
-
Fix schema cache dumping of virtual columns.
fatkodima
-
Fix Active Record grouped calculations on joined tables on column present in both tables.
fatkodima
-
Fix mutation detection for serialized attributes backed by binary columns.
Jean Boussier
-
Fix a bug where using groups and counts with long table names would return incorrect results.
Shota Toguchi, Yusaku Ono
-
Fix erroneous nil default precision on virtual datetime columns.
Prior to this change, virtual datetime columns did not have the same
default precision as regular datetime columns, resulting in the following
being erroneously equivalent:t.virtual :name, type: datetime, as: "expression" t.virtual :name, type: datetime, precision: nil, as: "expression"
This change fixes the default precision lookup, so virtual and regular
datetime column default precisions match.Sam Bostock
-
Fix a case where the query cache can return wrong values. See #46044
Aaron Patterson
Action View
-
FormBuilder#id
finds id set byform_for
andform_with
.Matt Polito
-
Allow all available locales for template lookups.
Ben Dilley
-
Choices of
select
can optionally contain html attributes as the last element
of the child arrays when using grouped/nested collections<%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %> # => <select><optgroup label="North America" disabled="disabled"><option value="US">United States</option><option value="CA">Canada</option></optgroup></select>
Chris Gunther
Action Pack
-
Do not return CSP headers for 304 Not Modified responses.
Tobias Kraze
-
Fix
EtagWithFlash
when there is noFlash
middleware available.fatkodima
-
Fix content-type header with
send_stream
.Elliot Crosby-McCullough
-
Address Selenium
:capabilities
deprecation warning.Ron Shinall
-
Fix cookie domain for domain: all on two letter single level TLD.
John Hawthorn
-
Don't double log the
controller
,action
, ornamespaced_controller
when usingActiveRecord::QueryLog
Previously if you set
config.active_record.query_log_tags
to an array that included
:controller
,:namespaced_controller
, or:action
, that item would get logged twice.
This bug has been fixed.Alex Ghiculescu
-
Rescue
EOFError
exception fromrack
on a multipart request.Nikita Vasilevsky
-
Rescue
JSON::ParserError
in Cookies json deserializer to discards marshal dumps:Without this change, if
action_dispatch.cookies_serializer
is set to:json
and
the app tries to read a:marshal
serialized cookie, it would error out which wouldn't
clear the cookie and force app users to manually clear it in their browser.(See #45127 for original bug discussion)
Nathan Bardoux
Active Job
-
Make delayed job
display_name
failsafe.codez
-
Don't double log the
job
when usingActiveRecord::QueryLog
Previously if you set
config.active_record.query_log_tags
to an array that included
:job
, the job name would get logged twice. This bug has been fixed.Alex Ghiculescu
Action Mailer
- No changes.
Action Cable
-
Restore Action Cable Redis pub/sub listener on connection failure.
Vladimir Dementyev
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
-
Fix
ActionText::Attachable#as_json
.Alexandre Ruban
Railties
-
Add puma app server to Gemfile in order to start test/dummy.
Donapieppo
-
Rails console now disables
IRB
's autocompletion feature in production by default.Setting
IRB_USE_AUTOCOMPLETE=true
can override this default.Stan Lo
-
Send 303 See Other status code back for the destroy action on newly generated
scaffold controllers.Tony Drake
v7.0.4.3
Active Support
-
Implement SafeBuffer#bytesplice
Active Model
- No changes.
Active Record
- No changes.
Action View
-
Ignore certain data-* attributes in rails-ujs when element is contenteditable
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v6.1.7.3
Active Support
-
Implement SafeBuffer#bytesplice
Active Model
- No changes.
Active Record
- No changes.
Action View
-
Ignore certain data-* attributes in rails-ujs when element is contenteditable
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v7.0.4.2
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
-
Fix
domain: :all
for two letter TLDThis fixes a compatibility issue introduced in our previous security
release when usingdomain: :all
with a two letter but single level top
level domain domain (like.ca
, rather than.co.uk
).
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v6.1.7.2
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
-
Fix
domain: :all
for two letter TLDThis fixes a compatibility issue introduced in our previous security
release when usingdomain: :all
with a two letter but single level top
level domain domain (like.ca
, rather than.co.uk
).
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v7.0.4.1
This is a security release. More information is available in our security announcements forum: https://discuss.rubyonrails.org/c/security-announcements/9
Active Support
-
Avoid regex backtracking in Inflector.underscore
Active Model
- No changes.
Active Record
-
Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.This also clarifies in the documentation of annotate that it should not
be provided user input. -
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
Action View
- No changes.
Action Pack
-
Fix sec issue with _url_host_allowed?
Disallow certain strings from
_url_host_allowed?
to avoid a redirect
to malicious sites. -
Avoid regex backtracking on If-None-Match header
-
Use string#split instead of regex for domain parts
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.
v6.1.7.1
Active Support
-
Avoid regex backtracking in Inflector.underscore
Active Model
- No changes.
Active Record
-
Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.This commit makes the sanitization more robust by replacing any
occurrances of "/" or "/" with "/ " or " /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.This also clarifies in the documentation of annotate that it should not
be provided user input. -
Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
Action View
- No changes.
Action Pack
-
Avoid regex backtracking on If-None-Match header
-
Use string#split instead of regex for domain parts
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
- No changes.
Active Storage
- No changes.
Action Mailbox
- No changes.
Action Text
- No changes.
Railties
- No changes.