actionpack 1.13.6 → 2.0.0

data/lib/action_controller/routing_optimisation.rb

@@ -0,0 +1,119 @@
+module ActionController
+  module Routing
+    # Much of the slow performance from routes comes from the 
+    # complexity of expiry, :requirements matching, defaults providing
+    # and figuring out which url pattern to use.  With named routes 
+    # we can avoid the expense of finding the right route.  So if 
+    # they've provided the right number of arguments, and have no
+    # :requirements, we can just build up a string and return it.
+    # 
+    # To support building optimisations for other common cases, the 
+    # generation code is separated into several classes 
+    module Optimisation
+      def generate_optimisation_block(route, kind)
+        return "" unless route.optimise?
+        OPTIMISERS.inject("") do |memo, klazz|
+          memo << klazz.new(route, kind).source_code
+          memo
+        end
+      end
+
+      class Optimiser
+        attr_reader :route, :kind
+        def initialize(route, kind)
+          @route = route
+          @kind  = kind
+        end
+
+        def guard_condition
+          'false'
+        end
+
+        def generation_code
+          'nil'
+        end
+
+        def source_code
+          if applicable?
+            "return #{generation_code} if #{guard_condition}\n"
+          else
+            "\n"
+          end
+        end
+
+        # Temporarily disabled :url optimisation pending proper solution to 
+        # Issues around request.host etc.
+        def applicable?
+          true
+        end
+      end
+
+      # Given a route:
+      # map.person '/people/:id'
+      #
+      # If the user calls person_url(@person), we can simply
+      # return a string like "/people/#{@person.to_param}" 
+      # rather than triggering the expensive logic in url_for
+      class PositionalArguments < Optimiser
+        def guard_condition
+          number_of_arguments = route.segment_keys.size
+          # if they're using foo_url(:id=>2) it's one 
+          # argument, but we don't want to generate /foos/id2
+          if number_of_arguments == 1
+            "defined?(request) && request && args.size == 1 && !args.first.is_a?(Hash)"
+          else
+            "defined?(request) && request && args.size == #{number_of_arguments}"
+          end
+        end
+
+        def generation_code
+          elements = []
+          idx = 0
+
+          if kind == :url
+            elements << '#{request.protocol}'
+            elements << '#{request.host_with_port}'
+          end
+
+          elements << '#{request.relative_url_root if request.relative_url_root}'
+
+          # The last entry in route.segments appears to # *always* be a
+          # 'divider segment' for '/' but we have assertions to ensure that
+          # we don't include the trailing slashes, so skip them.
+          (route.segments.size == 1 ? route.segments : route.segments[0..-2]).each do |segment|
+            if segment.is_a?(DynamicSegment)
+              elements << segment.interpolation_chunk("args[#{idx}].to_param")
+              idx += 1
+            else
+              elements << segment.interpolation_chunk
+            end
+          end
+          %("#{elements * ''}")
+        end
+      end
+
+      # This case is mostly the same as the positional arguments case
+      # above, but it supports additional query parameters as the last 
+      # argument
+      class PositionalArgumentsWithAdditionalParams < PositionalArguments
+        def guard_condition
+          "defined?(request) && request && args.size == #{route.segment_keys.size + 1} && !args.last.has_key?(:anchor) && !args.last.has_key?(:port) && !args.last.has_key?(:host)"
+        end
+
+        # This case uses almost the same code as positional arguments, 
+        # but add an args.last.to_query on the end
+        def generation_code
+          super.insert(-2, '?#{args.last.to_query}')
+        end
+
+        # To avoid generating http://localhost/?host=foo.example.com we
+        # can't use this optimisation on routes without any segments
+        def applicable?
+          super && route.segment_keys.size > 0 
+        end
+      end
+
+      OPTIMISERS = [PositionalArguments, PositionalArgumentsWithAdditionalParams]
+    end
+  end
+end

data/lib/action_controller/session/active_record_store.rb

@@ -122,13 +122,14 @@ class CGI
           @data ||= self.class.unmarshal(read_attribute(@@data_column_name)) || {}
         end
 
+        attr_writer :data
+
         # Has the session been loaded yet?
         def loaded?
           !! @data
         end
 
         private
-          attr_writer :data
 
           def marshal_data!
             return false if !loaded?
@@ -332,4 +333,4 @@ class CGI
         end
     end
   end
-end
+end

data/lib/action_controller/session/cookie_store.rb

@@ -0,0 +1,161 @@
+require 'cgi'
+require 'cgi/session'
+require 'base64'        # to convert Marshal.dump to ASCII
+require 'openssl'       # to generate the HMAC message digest
+
+# This cookie-based session store is the Rails default. Sessions typically
+# contain at most a user_id and flash message; both fit within the 4K cookie
+# size limit. Cookie-based sessions are dramatically faster than the
+# alternatives.
+#
+# If you have more than 4K of session data or don't want your data to be
+# visible to the user, pick another session store.
+#
+# CookieOverflow is raised if you attempt to store more than 4K of data.
+# TamperedWithCookie is raised if the data integrity check fails.
+#
+# A message digest is included with the cookie to ensure data integrity:
+# a user cannot alter his user_id without knowing the secret key included in
+# the hash. New apps are generated with a pregenerated secret in
+# config/environment.rb. Set your own for old apps you're upgrading.
+#
+# Session options:
+#   :secret   An application-wide key string or block returning a string
+#             called per generated digest. The block is called with the
+#             CGI::Session instance as an argument. It's important that the
+#             secret is not vulnerable to a dictionary attack. Therefore,
+#             you should choose a secret consisting of random numbers and
+#             letters and more than 30 characters.
+#
+#             Example:  :secret => '449fe2e7daee471bffae2fd8dc02313d'
+#                       :secret => Proc.new { User.current_user.secret_key }
+#
+#   :digest   The message digest algorithm used to verify session integrity
+#             defaults to 'SHA1' but may be any digest provided by OpenSSL,
+#             such as 'MD5', 'RIPEMD160', 'SHA256', etc.
+#
+# Note that changing digest or secret invalidates all existing sessions!
+class CGI::Session::CookieStore
+  # Cookies can typically store 4096 bytes.
+  MAX = 4096
+  SECRET_MIN_LENGTH = 30 # characters
+
+  # Raised when storing more than 4K of session data.
+  class CookieOverflow < StandardError; end
+
+  # Raised when the cookie fails its integrity check.
+  class TamperedWithCookie < StandardError; end
+
+  # Called from CGI::Session only.
+  def initialize(session, options = {})
+    # The session_key option is required.
+    if options['session_key'].blank?
+      raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
+    end
+
+    # The secret option is required.
+    ensure_secret_secure(options['secret'])
+
+    # Keep the session and its secret on hand so we can read and write cookies.
+    @session, @secret = session, options['secret']
+
+    # Message digest defaults to SHA1.
+    @digest = options['digest'] || 'SHA1'
+
+    # Default cookie options derived from session settings.
+    @cookie_options = {
+      'name'    => options['session_key'],
+      'path'    => options['session_path'],
+      'domain'  => options['session_domain'],
+      'expires' => options['session_expires'],
+      'secure'  => options['session_secure']
+    }
+
+    # Set no_hidden and no_cookies since the session id is unused and we
+    # set our own data cookie.
+    options['no_hidden'] = true
+    options['no_cookies'] = true
+  end
+
+  # To prevent users from using something insecure like "Password" we make sure that the
+  # secret they've provided is at least 30 characters in length.
+  def ensure_secret_secure(secret)
+    # There's no way we can do this check if they've provided a proc for the
+    # secret.
+    return true if secret.is_a?(Proc)
+
+    if secret.blank?
+      raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
+    end
+
+    if secret.length < SECRET_MIN_LENGTH
+      raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}".  The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
+    end
+  end
+
+  # Restore session data from the cookie.
+  def restore
+    @original = read_cookie
+    @data = unmarshal(@original) || {}
+  end
+
+  # Wait until close to write the session data cookie.
+  def update; end
+
+  # Write the session data cookie if it was loaded and has changed.
+  def close
+    if defined?(@data) && !@data.blank?
+      updated = marshal(@data)
+      raise CookieOverflow if updated.size > MAX
+      write_cookie('value' => updated) unless updated == @original
+    end
+  end
+
+  # Delete the session data by setting an expired cookie with no data.
+  def delete
+    @data = nil
+    clear_old_cookie_value
+    write_cookie('value' => '', 'expires' => 1.year.ago)
+  end
+
+  # Generate the HMAC keyed message digest. Uses SHA1 by default.
+  def generate_digest(data)
+    key = @secret.respond_to?(:call) ? @secret.call(@session) : @secret
+    OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), key, data)
+  end
+
+  private
+    # Marshal a session hash into safe cookie data. Include an integrity hash.
+    def marshal(session)
+      data = Base64.encode64(Marshal.dump(session)).chop
+      CGI.escape "#{data}--#{generate_digest(data)}"
+    end
+
+    # Unmarshal cookie data to a hash and verify its integrity.
+    def unmarshal(cookie)
+      if cookie
+        data, digest = CGI.unescape(cookie).split('--')
+        unless digest == generate_digest(data)
+          delete
+          raise TamperedWithCookie
+        end
+        Marshal.load(Base64.decode64(data))
+      end
+    end
+
+    # Read the session data cookie.
+    def read_cookie
+      @session.cgi.cookies[@cookie_options['name']].first
+    end
+
+    # CGI likes to make you hack.
+    def write_cookie(options)
+      cookie = CGI::Cookie.new(@cookie_options.merge(options))
+      @session.cgi.send :instance_variable_set, '@output_cookies', [cookie]
+    end
+
+    # Clear cookie value so subsequent new_session doesn't reload old data.
+    def clear_old_cookie_value
+      @session.cgi.cookies[@cookie_options['name']].clear
+    end
+end

data/lib/action_controller/session/mem_cache_store.rb

@@ -9,7 +9,7 @@
 
 begin
   require 'cgi/session'
-  require 'memcache'
+  require_library_or_gem 'memcache'
 
   class CGI
     class Session
@@ -57,26 +57,22 @@ begin
           @expires = options['expires'] || 0
           @session_key = "session:#{id}"
           @session_data = {}
+          # Add this key to the store if haven't done so yet
+          unless @cache.get(@session_key)
+            @cache.add(@session_key, @session_data, @expires)
+          end
         end
 
         # Restore session state from the session's memcache entry.
         #
         # Returns the session state as a hash.
         def restore
-          begin
-            @session_data = @cache[@session_key] || {}
-          rescue
-            @session_data = {}
-          end
+          @session_data = @cache[@session_key] || {}
         end
 
         # Save session state to the session's memcache entry.
         def update
-          begin
-            @cache.set(@session_key, @session_data, @expires)
-          rescue
-            # Ignore session update failures.
-          end
+          @cache.set(@session_key, @session_data, @expires)
         end
       
         # Update and close the session's memcache entry.
@@ -86,17 +82,14 @@ begin
 
         # Delete the session's memcache entry.
         def delete
-          begin
-            @cache.delete(@session_key)
-          rescue
-            # Ignore session delete failures.
-          end
+          @cache.delete(@session_key)
           @session_data = {}
         end
         
         def data
           @session_data
         end
+
       end
     end
   end

data/lib/action_controller/session_management.rb

@@ -1,3 +1,4 @@
+require 'action_controller/session/cookie_store'
 require 'action_controller/session/drb_store'
 require 'action_controller/session/mem_cache_store'
 if Object.const_defined?(:ActiveRecord)
@@ -7,16 +8,17 @@ end
 module ActionController #:nodoc:
   module SessionManagement #:nodoc:
     def self.included(base)
-      base.extend(ClassMethods)
-      
-      base.send :alias_method_chain, :process, :session_management_support
-      base.send :alias_method_chain, :process_cleanup, :session_management_support
+      base.class_eval do
+        extend ClassMethods
+        alias_method_chain :process, :session_management_support
+        alias_method_chain :process_cleanup, :session_management_support
+      end
     end
 
     module ClassMethods
-      # Set the session store to be used for keeping the session data between requests. The default is using the
-      # file system, but you can also specify one of the other included stores (:active_record_store, :drb_store, 
-      # :mem_cache_store, or :memory_store) or use your own class.
+      # Set the session store to be used for keeping the session data between requests. By default, sessions are stored
+      # in browser cookies (:cookie_store), but you can also specify one of the other included stores
+      # (:active_record_store, :p_store, drb_store, :mem_cache_store, or :memory_store) or your own custom class.
       def session_store=(store)
         ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] =
           store.is_a?(Symbol) ? CGI::Session.const_get(store == :drb_store ? "DRbStore" : store.to_s.camelize) : store
@@ -61,10 +63,14 @@ module ActionController #:nodoc:
       #   session :off, :only => :foo,
       #           :if => Proc.new { |req| req.parameters[:ws] }
       #
+      #   # the session will be disabled for non html/ajax requests
+      #   session :off, 
+      #     :if => Proc.new { |req| !(req.format.html? || req.format.js?) }
+      #
       # All session options described for ActionController::Base.process_cgi
       # are valid arguments.
       def session(*args)
-        options = Hash === args.last ? args.pop : {}
+        options = args.extract_options!
 
         options[:disabled] = true if !args.empty?
         options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only]
@@ -76,6 +82,9 @@ module ActionController #:nodoc:
         write_inheritable_array("session_options", [options])
       end
 
+      # So we can declare session options in the Rails initializer.
+      alias_method :session=, :session
+
       def cached_session_options #:nodoc:
         @session_options ||= read_inheritable_attribute("session_options") || []
       end

data/lib/action_controller/streaming.rb

@@ -29,6 +29,9 @@ module ActionController #:nodoc:
       # * <tt>:buffer_size</tt> - specifies size (in bytes) of the buffer used to stream the file.
       #   Defaults to 4096.
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to '200 OK'.
+      # * <tt>:url_based_filename</tt> - set to true if you want the browser guess the filename from 
+      #   the URL, which is necessary for i18n filenames on certain browsers 
+      #   (setting :filename overrides this option).
       #
       # The default Content-Type and Content-Disposition headers are
       # set to download arbitrary binary files in as many browsers as
@@ -42,7 +45,7 @@ module ActionController #:nodoc:
       #   send_file '/path/to.jpeg', :type => 'image/jpeg', :disposition => 'inline'
       #
       # Show a 404 page in the browser:
-      #   send_file '/path/to/404.html, :type => 'text/html; charset=utf-8', :status => 404
+      #   send_file '/path/to/404.html', :type => 'text/html; charset=utf-8', :status => 404
       #
       # Read about the other Content-* HTTP headers if you'd like to
       # provide the user with more information (such as Content-Description).
@@ -59,7 +62,7 @@ module ActionController #:nodoc:
         raise MissingFile, "Cannot read file #{path}" unless File.file?(path) and File.readable?(path)
 
         options[:length]   ||= File.size(path)
-        options[:filename] ||= File.basename(path)
+        options[:filename] ||= File.basename(path) unless options[:url_based_filename]
         send_file_headers! options
 
         @performed_render = false
@@ -121,7 +124,7 @@ module ActionController #:nodoc:
 
         headers.update(
           'Content-Length'            => options[:length],
-          'Content-Type'              => options[:type].strip,  # fixes a problem with extra '\r' with some browsers
+          'Content-Type'              => options[:type].to_s.strip,  # fixes a problem with extra '\r' with some browsers
           'Content-Disposition'       => disposition,
           'Content-Transfer-Encoding' => 'binary'
         )