actionpack-rack-upgrade-2 2.3.15

data/lib/action_controller/session/cookie_store.rb

@@ -0,0 +1,240 @@
+module ActionController
+  module Session
+    # This cookie-based session store is the Rails default. Sessions typically
+    # contain at most a user_id and flash message; both fit within the 4K cookie
+    # size limit. Cookie-based sessions are dramatically faster than the
+    # alternatives.
+    #
+    # If you have more than 4K of session data or don't want your data to be
+    # visible to the user, pick another session store.
+    #
+    # CookieOverflow is raised if you attempt to store more than 4K of data.
+    #
+    # A message digest is included with the cookie to ensure data integrity:
+    # a user cannot alter his +user_id+ without knowing the secret key
+    # included in the hash. New apps are generated with a pregenerated secret
+    # in config/environment.rb. Set your own for old apps you're upgrading.
+    #
+    # Session options:
+    #
+    # * <tt>:secret</tt>: An application-wide key string or block returning a
+    #   string called per generated digest. The block is called with the
+    #   CGI::Session instance as an argument. It's important that the secret
+    #   is not vulnerable to a dictionary attack. Therefore, you should choose
+    #   a secret consisting of random numbers and letters and more than 30
+    #   characters. Examples:
+    #
+    #     :secret => '449fe2e7daee471bffae2fd8dc02313d'
+    #     :secret => Proc.new { User.current_user.secret_key }
+    #
+    # * <tt>:digest</tt>: The message digest algorithm used to verify session
+    #   integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
+    #   such as 'MD5', 'RIPEMD160', 'SHA256', etc.
+    #
+    # To generate a secret key for an existing application, run
+    # "rake secret" and set the key in config/environment.rb.
+    #
+    # Note that changing digest or secret invalidates all existing sessions!
+    class CookieStore
+      include AbstractStore::SessionUtils
+      
+      # Cookies can typically store 4096 bytes.
+      MAX = 4096
+      SECRET_MIN_LENGTH = 30 # characters
+
+      DEFAULT_OPTIONS = {
+        :key          => '_session_id',
+        :domain       => nil,
+        :path         => "/",
+        :expire_after => nil,
+        :httponly     => true
+      }.freeze
+
+      ENV_SESSION_KEY = "rack.session".freeze
+      ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
+
+      # Raised when storing more than 4K of session data.
+      class CookieOverflow < StandardError; end
+
+      def initialize(app, options = {})
+        # Process legacy CGI options
+        options = options.symbolize_keys
+        if options.has_key?(:session_path)
+          ActiveSupport::Deprecation.warn "Giving :session_path to SessionStore is deprecated, " <<
+            "please use :path instead", caller
+          options[:path] = options.delete(:session_path)
+        end
+        if options.has_key?(:session_key)
+          ActiveSupport::Deprecation.warn "Giving :session_key to SessionStore is deprecated, " <<
+            "please use :key instead", caller
+          options[:key] = options.delete(:session_key)
+        end
+        if options.has_key?(:session_http_only)
+          ActiveSupport::Deprecation.warn "Giving :session_http_only to SessionStore is deprecated, " <<
+            "please use :httponly instead", caller
+          options[:httponly] = options.delete(:session_http_only)
+        end
+
+        @app = app
+
+        # The session_key option is required.
+        ensure_session_key(options[:key])
+        @key = options.delete(:key).freeze
+
+        # The secret option is required.
+        ensure_secret_secure(options[:secret])
+        @secret = options.delete(:secret).freeze
+
+        @digest = options.delete(:digest) || 'SHA1'
+        @verifier = verifier_for(@secret, @digest)
+
+        @default_options = DEFAULT_OPTIONS.merge(options).freeze
+
+        freeze
+      end
+
+      def call(env)
+        prepare!(env)
+        
+        status, headers, body = @app.call(env)
+
+        session_data = env[ENV_SESSION_KEY]
+        options = env[ENV_SESSION_OPTIONS_KEY]
+        request = ActionController::Request.new(env)
+        
+        if !(options[:secure] && !request.ssl?) && (!session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after])
+          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?
+
+          persistent_session_id!(session_data)
+          session_data = marshal(session_data.to_hash)
+
+          raise CookieOverflow if session_data.size > MAX
+          cookie = Hash.new
+          cookie[:value] = session_data
+          unless options[:expire_after].nil?
+            cookie[:expires] = Time.now + options[:expire_after]
+          end
+
+          Rack::Utils.set_cookie_header!(headers, @key, cookie.merge(options))
+        end
+
+        [status, headers, body]
+      end
+
+      private
+      
+        def prepare!(env)
+          env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
+          env[ENV_SESSION_OPTIONS_KEY] = AbstractStore::OptionsHash.new(self, env, @default_options)
+        end
+
+        def load_session(env)
+          data = unpacked_cookie_data(env)
+          data = persistent_session_id!(data)
+          [data[:session_id], data]
+        end
+        
+        def extract_session_id(env)
+          if data = unpacked_cookie_data(env)
+            persistent_session_id!(data) unless data.empty?
+            data[:session_id]
+          else
+            nil
+          end
+        end
+
+        def current_session_id(env)
+          env[ENV_SESSION_OPTIONS_KEY][:id]
+        end
+
+        def exists?(env)
+          current_session_id(env).present?
+        end
+
+        def unpacked_cookie_data(env)
+          env["action_dispatch.request.unsigned_session_cookie"] ||= begin
+            stale_session_check! do
+              request = Rack::Request.new(env)
+              session_data = request.cookies[@key]
+              unmarshal(session_data) || {}
+            end
+          end
+        end
+
+        # Marshal a session hash into safe cookie data. Include an integrity hash.
+        def marshal(session)
+          @verifier.generate(session)
+        end
+
+        # Unmarshal cookie data to a hash and verify its integrity.
+        def unmarshal(cookie)
+          @verifier.verify(cookie) if cookie
+        rescue ActiveSupport::MessageVerifier::InvalidSignature
+          nil
+        end
+
+        def ensure_session_key(key)
+          if key.blank?
+            raise ArgumentError, 'A key is required to write a ' +
+              'cookie containing the session data. Use ' +
+              'config.action_controller.session = { :key => ' +
+              '"_myapp_session", :secret => "some secret phrase" } in ' +
+              'config/environment.rb'
+          end
+        end
+
+        # To prevent users from using something insecure like "Password" we make sure that the
+        # secret they've provided is at least 30 characters in length.
+        def ensure_secret_secure(secret)
+          # There's no way we can do this check if they've provided a proc for the
+          # secret.
+          return true if secret.is_a?(Proc)
+
+          if secret.blank?
+            raise ArgumentError, "A secret is required to generate an " +
+              "integrity hash for cookie session data. Use " +
+              "config.action_controller.session = { :key => " +
+              "\"_myapp_session\", :secret => \"some secret phrase of at " +
+              "least #{SECRET_MIN_LENGTH} characters\" } " +
+              "in config/environment.rb"
+          end
+
+          if secret.length < SECRET_MIN_LENGTH
+            raise ArgumentError, "Secret should be something secure, " +
+              "like \"#{ActiveSupport::SecureRandom.hex(16)}\".  The value you " +
+              "provided, \"#{secret}\", is shorter than the minimum length " +
+              "of #{SECRET_MIN_LENGTH} characters"
+          end
+        end
+
+        def verifier_for(secret, digest)
+          key = secret.respond_to?(:call) ? secret.call : secret
+          ActiveSupport::MessageVerifier.new(key, digest)
+        end
+
+        def generate_sid
+          ActiveSupport::SecureRandom.hex(16)
+        end
+
+        def destroy(env)
+          # session data is stored on client; nothing to do here
+        end
+
+        def persistent_session_id!(data)
+          (data ||= {}).merge!(inject_persistent_session_id(data))
+        end
+
+        def inject_persistent_session_id(data)
+          requires_session_id?(data) ? { :session_id => generate_sid } : {}
+        end
+
+        def requires_session_id?(data)
+          if data
+            data.respond_to?(:key?) && !data.key?(:session_id)
+          else
+            true
+          end
+        end
+    end
+  end
+end

data/lib/action_controller/session/mem_cache_store.rb

@@ -0,0 +1,60 @@
+begin
+  require_library_or_gem 'memcache'
+  require 'thread'
+  module ActionController
+    module Session
+      class MemCacheStore < AbstractStore
+        def initialize(app, options = {})
+          # Support old :expires option
+          options[:expire_after] ||= options[:expires]
+
+          super
+
+          @default_options = {
+            :namespace => 'rack:session',
+            :memcache_server => 'localhost:11211'
+          }.merge(@default_options)
+
+          @pool = options[:cache] || MemCache.new(@default_options[:memcache_server], @default_options)
+          unless @pool.servers.any? { |s| s.alive? }
+            raise "#{self} unable to find server during initialization."
+          end
+          @mutex = Mutex.new
+
+          super
+        end
+
+        private
+          def get_session(env, sid)
+            sid ||= generate_sid
+            begin
+              session = @pool.get(sid) || {}
+            rescue MemCache::MemCacheError, Errno::ECONNREFUSED
+              session = {}
+            end
+            [sid, session]
+          end
+
+          def set_session(env, sid, session_data)
+            options = env['rack.session.options']
+            expiry  = options[:expire_after] || 0
+            @pool.set(sid, session_data, expiry)
+            return true
+          rescue MemCache::MemCacheError, Errno::ECONNREFUSED
+            return false
+          end
+          
+          def destroy(env)
+            if sid = current_session_id(env)
+              @pool.delete(sid)
+            end
+          rescue MemCache::MemCacheError, Errno::ECONNREFUSED
+            false
+          end
+          
+      end
+    end
+  end
+rescue LoadError
+  # MemCache wasn't available so neither can the store be
+end

data/lib/action_controller/session_management.rb

@@ -0,0 +1,54 @@
+module ActionController #:nodoc:
+  module SessionManagement #:nodoc:
+    def self.included(base)
+      base.class_eval do
+        extend ClassMethods
+      end
+    end
+
+    module ClassMethods
+      # Set the session store to be used for keeping the session data between requests.
+      # By default, sessions are stored in browser cookies (<tt>:cookie_store</tt>),
+      # but you can also specify one of the other included stores (<tt>:active_record_store</tt>,
+      # <tt>:mem_cache_store</tt>, or your own custom class.
+      def session_store=(store)
+        if store == :active_record_store
+          self.session_store = ActiveRecord::SessionStore
+        else
+          @@session_store = store.is_a?(Symbol) ?
+            Session.const_get(store.to_s.camelize) :
+            store
+        end
+      end
+
+      # Returns the session store class currently used.
+      def session_store
+        if defined? @@session_store
+          @@session_store
+        else
+          Session::CookieStore
+        end
+      end
+
+      def session=(options = {})
+        self.session_store = nil if options.delete(:disabled)
+        session_options.merge!(options)
+      end
+
+      # Returns the hash used to configure the session. Example use:
+      #
+      #   ActionController::Base.session_options[:secure] = true # session only available over HTTPS
+      def session_options
+        @session_options ||= {}
+      end
+
+      def session(*args)
+        ActiveSupport::Deprecation.warn(
+          "Disabling sessions for a single controller has been deprecated. " +
+          "Sessions are now lazy loaded. So if you don't access them, " +
+          "consider them off. You can still modify the session cookie " +
+          "options with request.session_options.", caller)
+      end
+    end
+  end
+end

data/lib/action_controller/status_codes.rb

@@ -0,0 +1,88 @@
+module ActionController
+  module StatusCodes #:nodoc:
+    # Defines the standard HTTP status codes, by integer, with their
+    # corresponding default message texts.
+    # Source: http://www.iana.org/assignments/http-status-codes
+    STATUS_CODES = {
+      100 => "Continue",
+      101 => "Switching Protocols",
+      102 => "Processing",
+
+      200 => "OK",
+      201 => "Created",
+      202 => "Accepted",
+      203 => "Non-Authoritative Information",
+      204 => "No Content",
+      205 => "Reset Content",
+      206 => "Partial Content",
+      207 => "Multi-Status",
+      226 => "IM Used",
+
+      300 => "Multiple Choices",
+      301 => "Moved Permanently",
+      302 => "Found",
+      303 => "See Other",
+      304 => "Not Modified",
+      305 => "Use Proxy",
+      307 => "Temporary Redirect",
+
+      400 => "Bad Request",
+      401 => "Unauthorized",
+      402 => "Payment Required",
+      403 => "Forbidden",
+      404 => "Not Found",
+      405 => "Method Not Allowed",
+      406 => "Not Acceptable",
+      407 => "Proxy Authentication Required",
+      408 => "Request Timeout",
+      409 => "Conflict",
+      410 => "Gone",
+      411 => "Length Required",
+      412 => "Precondition Failed",
+      413 => "Request Entity Too Large",
+      414 => "Request-URI Too Long",
+      415 => "Unsupported Media Type",
+      416 => "Requested Range Not Satisfiable",
+      417 => "Expectation Failed",
+      422 => "Unprocessable Entity",
+      423 => "Locked",
+      424 => "Failed Dependency",
+      426 => "Upgrade Required",
+
+      500 => "Internal Server Error",
+      501 => "Not Implemented",
+      502 => "Bad Gateway",
+      503 => "Service Unavailable",
+      504 => "Gateway Timeout",
+      505 => "HTTP Version Not Supported",
+      507 => "Insufficient Storage",
+      510 => "Not Extended"
+    }
+
+    # Provides a symbol-to-fixnum lookup for converting a symbol (like
+    # :created or :not_implemented) into its corresponding HTTP status
+    # code (like 200 or 501).
+    SYMBOL_TO_STATUS_CODE = STATUS_CODES.inject({}) do |hash, (code, message)|
+      hash[message.gsub(/ /, "").underscore.to_sym] = code
+      hash
+    end
+
+    # Given a status parameter, determine whether it needs to be converted
+    # to a string. If it is a fixnum, use the STATUS_CODES hash to lookup
+    # the default message. If it is a symbol, use the SYMBOL_TO_STATUS_CODE
+    # hash to convert it.
+    def interpret_status(status)
+      case status
+      when Fixnum then
+        "#{status} #{STATUS_CODES[status]}".strip
+      when Symbol then
+        interpret_status(SYMBOL_TO_STATUS_CODE[status] ||
+          "500 Unknown Status #{status.inspect}")
+      else
+        status.to_s
+      end
+    end
+    private :interpret_status
+
+  end
+end

data/lib/action_controller/streaming.rb

@@ -0,0 +1,181 @@
+require 'active_support/core_ext/string/bytesize'
+
+module ActionController #:nodoc:
+  # Methods for sending arbitrary data and for streaming files to the browser,
+  # instead of rendering.
+  module Streaming
+    DEFAULT_SEND_FILE_OPTIONS = {
+      :type         => 'application/octet-stream'.freeze,
+      :disposition  => 'attachment'.freeze,
+      :stream       => true,
+      :buffer_size  => 4096,
+      :x_sendfile   => false
+    }.freeze
+
+    X_SENDFILE_HEADER = 'X-Sendfile'.freeze
+
+    protected
+      # Sends the file, by default streaming it 4096 bytes at a time. This way the
+      # whole file doesn't need to be read into memory at once. This makes it
+      # feasible to send even large files. You can optionally turn off streaming
+      # and send the whole file at once.
+      #
+      # Be careful to sanitize the path parameter if it is coming from a web
+      # page. <tt>send_file(params[:path])</tt> allows a malicious user to
+      # download any file on your server.
+      #
+      # Options:
+      # * <tt>:filename</tt> - suggests a filename for the browser to use.
+      #   Defaults to <tt>File.basename(path)</tt>.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'. You can specify
+      #   either a string or a symbol for a registered type register with <tt>Mime::Type.register</tt>, for example :json
+      # * <tt>:length</tt> - used to manually override the length (in bytes) of the content that
+      #   is going to be sent to the client. Defaults to <tt>File.size(path)</tt>.
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+      #   Valid values are 'inline' and 'attachment' (default).
+      # * <tt>:stream</tt> - whether to send the file to the user agent as it is read (+true+)
+      #   or to read the entire file before sending (+false+). Defaults to +true+.
+      # * <tt>:buffer_size</tt> - specifies size (in bytes) of the buffer used to stream the file.
+      #   Defaults to 4096.
+      # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to '200 OK'.
+      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser guess the filename from
+      #   the URL, which is necessary for i18n filenames on certain browsers
+      #   (setting <tt>:filename</tt> overrides this option).
+      # * <tt>:x_sendfile</tt> - uses X-Sendfile to send the file when set to +true+. This is currently
+      #   only available with Lighttpd/Apache2 and specific modules installed and activated. Since this
+      #   uses the web server to send the file, this may lower memory consumption on your server and
+      #   it will not block your application for further requests.
+      #   See http://blog.lighttpd.net/articles/2006/07/02/x-sendfile and
+      #   http://tn123.ath.cx/mod_xsendfile/ for details. Defaults to +false+.
+      #
+      # The default Content-Type and Content-Disposition headers are
+      # set to download arbitrary binary files in as many browsers as
+      # possible.  IE versions 4, 5, 5.5, and 6 are all known to have
+      # a variety of quirks (especially when downloading over SSL).
+      #
+      # Simple download:
+      #
+      #   send_file '/path/to.zip'
+      #
+      # Show a JPEG in the browser:
+      #
+      #   send_file '/path/to.jpeg', :type => 'image/jpeg', :disposition => 'inline'
+      #
+      # Show a 404 page in the browser:
+      #
+      #   send_file '/path/to/404.html', :type => 'text/html; charset=utf-8', :status => 404
+      #
+      # Read about the other Content-* HTTP headers if you'd like to
+      # provide the user with more information (such as Content-Description) in
+      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
+      #
+      # Also be aware that the document may be cached by proxies and browsers.
+      # The Pragma and Cache-Control headers declare how the file may be cached
+      # by intermediaries.  They default to require clients to validate with
+      # the server before releasing cached responses.  See
+      # http://www.mnot.net/cache_docs/ for an overview of web caching and
+      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
+      # for the Cache-Control header spec.
+      def send_file(path, options = {}) #:doc:
+        raise MissingFile, "Cannot read file #{path}" unless File.file?(path) and File.readable?(path)
+
+        options[:length]   ||= File.size(path)
+        options[:filename] ||= File.basename(path) unless options[:url_based_filename]
+        send_file_headers! options
+
+        @performed_render = false
+
+        if options[:x_sendfile]
+          logger.info "Sending #{X_SENDFILE_HEADER} header #{path}" if logger
+          head options[:status], X_SENDFILE_HEADER => path
+        else
+          if options[:stream]
+            render :status => options[:status], :text => Proc.new { |response, output|
+              logger.info "Streaming file #{path}" unless logger.nil?
+              len = options[:buffer_size] || 4096
+              File.open(path, 'rb') do |file|
+                while buf = file.read(len)
+                  output.write(buf)
+                end
+              end
+            }
+          else
+            logger.info "Sending file #{path}" unless logger.nil?
+            File.open(path, 'rb') { |file| render :status => options[:status], :text => file.read }
+          end
+        end
+      end
+
+      # Sends the given binary data to the browser. This method is similar to
+      # <tt>render :text => data</tt>, but also allows you to specify whether
+      # the browser should display the response as a file attachment (i.e. in a
+      # download dialog) or as inline data. You may also set the content type,
+      # the apparent file name, and other things.
+      #
+      # Options:
+      # * <tt>:filename</tt> - suggests a filename for the browser to use.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'. You can specify
+      #   either a string or a symbol for a registered type register with <tt>Mime::Type.register</tt>, for example :json
+      # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+      #   Valid values are 'inline' and 'attachment' (default).
+      # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to '200 OK'.
+      #
+      # Generic data download:
+      #
+      #   send_data buffer
+      #
+      # Download a dynamically-generated tarball:
+      #
+      #   send_data generate_tgz('dir'), :filename => 'dir.tgz'
+      #
+      # Display an image Active Record in the browser:
+      #
+      #   send_data image.data, :type => image.content_type, :disposition => 'inline'
+      #
+      # See +send_file+ for more information on HTTP Content-* headers and caching.
+      #
+      # <b>Tip:</b> if you want to stream large amounts of on-the-fly generated
+      # data to the browser, then use <tt>render :text => proc { ... }</tt>
+      # instead. See ActionController::Base#render for more information.
+      def send_data(data, options = {}) #:doc:
+        logger.info "Sending data #{options[:filename]}" if logger
+        send_file_headers! options.merge(:length => data.bytesize)
+        @performed_render = false
+        render :status => options[:status], :text => data
+      end
+
+    private
+      def send_file_headers!(options)
+        options.update(DEFAULT_SEND_FILE_OPTIONS.merge(options))
+        [:length, :type, :disposition].each do |arg|
+          raise ArgumentError, ":#{arg} option required" if options[arg].nil?
+        end
+
+        disposition = options[:disposition].dup || 'attachment'
+
+        disposition <<= %(; filename="#{options[:filename]}") if options[:filename]
+
+        content_type = options[:type]
+        if content_type.is_a?(Symbol)
+          raise ArgumentError, "Unknown MIME type #{options[:type]}" unless Mime::EXTENSION_LOOKUP.has_key?(content_type.to_s)
+          content_type = Mime::Type.lookup_by_extension(content_type.to_s)
+        end
+        content_type = content_type.to_s.strip # fixes a problem with extra '\r' with some browsers
+
+        headers.merge!(
+          'Content-Length'            => options[:length].to_s,
+          'Content-Type'              => content_type,
+          'Content-Disposition'       => disposition,
+          'Content-Transfer-Encoding' => 'binary'
+        )
+
+        # Fix a problem with IE 6.0 on opening downloaded files:
+        # If Cache-Control: no-cache is set (which Rails does by default),
+        # IE removes the file it just downloaded from its cache immediately
+        # after it displays the "open/save" dialog, which means that if you
+        # hit "open" the file isn't there anymore when the application that
+        # is called for handling the download is run, so let's workaround that
+        headers['Cache-Control'] = 'private' if headers['Cache-Control'] == 'no-cache'
+      end
+  end
+end