3.11.0.txt

doc/release_notes/3.11.0.txt
Last Update: 2018-08-15 07:42:06 -0700

Improvements

  • The order in which internal plugin before and after hooks are run when multiple plugins are loaded is now fixed and does not depend on the order in which the plugins are loaded. This can prevent some issues in cases the plugins were not loaded in the order previously recommended in the documentation.

    Internal plugin before hooks are now run in the following order:

    • hooks

    • heartbeat

    • static_routing

    and internal plugin after hooks are now run in the following order:

    • class_level_routing

    • status_handler

    • head

    • flash

    • session

    • hooks

  • Default compression of sessions over 128 bytes in length has been disabled in the sessions plugin. Compression of sessions must now be manually enabled if it is desired by setting :gzip_over to an integer.

    This change is being made to avoid possible compression ratio attacks if both sensitive data and user-submitted data are stored in the session. Such attacks were mitigated by the sessions plugin’s default use of padding after compression, and the JSON serialization format used, but disabling compression avoids the possibility.

    This does not affect backwards compatibility, as compressed sessions will still be decompressed correctly, unless the size of the session cookie when not using compression is over 4096 bytes.

Backwards Compatibility

  • When using the error_handler plugin, if routing raises an exception that is handled by the error handler, but an exception is raised by a plugin internal after hook after the error handler has been run, the exception will be logged to the rack.errors entry in the environment, but it will be otherwise ignored.

    Exceptions raised inside the error handler will continue to be be raised to the application’s caller.

    Additionally, the error_handler plugin no longers call before hooks during error handling.

  • A private Roda#_call method has been added. This could potentially cause issues for applications that add their own _call method.