actionpack 1.13.6 → 2.0.0

data/lib/action_controller/cgi_ext.rb

@@ -0,0 +1,16 @@
+require 'action_controller/cgi_ext/stdinput'
+require 'action_controller/cgi_ext/query_extension'
+require 'action_controller/cgi_ext/cookie'
+require 'action_controller/cgi_ext/session'
+
+class CGI #:nodoc:
+  include ActionController::CgiExt::Stdinput
+
+  class << self
+    alias :escapeHTML_fail_on_nil :escapeHTML
+
+    def escapeHTML(string)
+      escapeHTML_fail_on_nil(string) unless string.nil?
+    end
+  end
+end

data/lib/action_controller/cgi_ext/{cookie_performance_fix.rb → cookie.rb}

@@ -1,10 +1,11 @@
 CGI.module_eval { remove_const "Cookie" }
 
+# TODO: document how this differs from stdlib CGI::Cookie
 class CGI #:nodoc:
-  # This is a cookie class that fixes the performance problems with the default one that ships with 1.8.1 and below.
-  # It replaces the inheritance on SimpleDelegator with DelegateClass(Array) following the suggestion from Matz on
-  # http://groups.google.com/groups?th=e3a4e68ba042f842&seekm=c3sioe%241qvm%241%40news.cybercity.dk#link14
   class Cookie < DelegateClass(Array)
+    attr_accessor :name, :value, :path, :domain, :expires
+    attr_reader :secure, :http_only
+
     # Create a new CGI::Cookie object.
     #
     # The contents of the cookie can be specified as a +name+ and one
@@ -19,9 +20,11 @@ class CGI #:nodoc:
     # domain:: the domain for which this cookie applies.
     # expires:: the time at which this cookie expires, as a +Time+ object.
     # secure:: whether this cookie is a secure cookie or not (default to
-    #          false).  Secure cookies are only transmitted to HTTPS 
+    #          false).  Secure cookies are only transmitted to HTTPS
     #          servers.
-    #
+    # http_only:: whether this cookie can be accessed by client side scripts (e.g. document.cookie) or only over HTTP 
+    #             More details: http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx
+    #             Defaults to false.
     # These keywords correspond to attributes of the cookie object.
     def initialize(name = '', *value)
       if name.kind_of?(String)
@@ -30,6 +33,7 @@ class CGI #:nodoc:
         @domain = nil
         @expires = nil
         @secure = false
+        @http_only = false
         @path = nil
       else
         @name = name['name']
@@ -37,12 +41,11 @@ class CGI #:nodoc:
         @domain = name['domain']
         @expires = name['expires']
         @secure = name['secure'] || false
+        @http_only = name['http_only'] || false
         @path = name['path']
       end
-      
-      unless @name
-        raise ArgumentError, "`name' required"
-      end
+
+      raise ArgumentError, "`name' required" unless @name
 
       # simple support for IE
       unless @path
@@ -57,44 +60,26 @@ class CGI #:nodoc:
       @_dc_obj = obj
     end
 
-    attr_accessor("name", "value", "path", "domain", "expires")
-    attr_reader("secure")
-
     # Set whether the Cookie is a secure cookie or not.
-    #
-    # +val+ must be a boolean.
     def secure=(val)
-      @secure = val if val == true or val == false
-      @secure
+      @secure = val == true
+    end
+
+    # Set whether the Cookie is an HTTP only cookie or not.
+    def http_only=(val)
+      @http_only = val == true
     end
 
     # Convert the Cookie to its string representation.
     def to_s
-      buf = ""
+      buf = ''
       buf << @name << '='
-
-      if @value.kind_of?(String)
-        buf << CGI::escape(@value)
-      else
-        buf << @value.collect{|v| CGI::escape(v) }.join("&")
-      end
-
-      if @domain
-        buf << '; domain=' << @domain
-      end
-
-      if @path
-        buf << '; path=' << @path
-      end
-
-      if @expires
-        buf << '; expires=' << CGI::rfc1123_date(@expires)
-      end
-
-      if @secure == true
-        buf << '; secure'
-      end
-
+      buf << (@value.kind_of?(String) ? CGI::escape(@value) : @value.collect{|v| CGI::escape(v) }.join("&"))
+      buf << '; domain=' << @domain if @domain
+      buf << '; path=' << @path if @path
+      buf << '; expires=' << CGI::rfc1123_date(@expires) if @expires
+      buf << '; secure' if @secure
+      buf << '; HttpOnly' if @http_only
       buf
     end
 

data/lib/action_controller/cgi_ext/query_extension.rb

@@ -0,0 +1,22 @@
+require 'cgi'
+
+class CGI #:nodoc:
+  module QueryExtension
+    # Remove the old initialize_query method before redefining it.
+    remove_method :initialize_query
+
+    # Neuter CGI parameter parsing.
+    def initialize_query
+      # Fix some strange request environments.
+      env_table['REQUEST_METHOD'] ||= 'GET'
+
+      # POST assumes missing Content-Type is application/x-www-form-urlencoded.
+      if env_table['CONTENT_TYPE'].blank? && env_table['REQUEST_METHOD'] == 'POST'
+        env_table['CONTENT_TYPE'] = 'application/x-www-form-urlencoded'
+      end
+
+      @cookies = CGI::Cookie::parse(env_table['HTTP_COOKIE'] || env_table['COOKIE'])
+      @params = {}
+    end
+  end
+end

data/lib/action_controller/cgi_ext/session.rb

@@ -0,0 +1,73 @@
+require 'digest/md5'
+require 'cgi/session'
+require 'cgi/session/pstore'
+
+class CGI #:nodoc:
+  # * Expose the CGI instance to session stores.
+  # * Don't require 'digest/md5' whenever a new session id is generated.
+  class Session #:nodoc:
+    begin
+      require 'securerandom'
+
+      # Generate a 32-character unique id using SecureRandom.
+      # This is used to generate session ids but may be reused elsewhere.
+      def self.generate_unique_id(constant = nil)
+        SecureRandom.hex(16)
+      end
+    rescue LoadError
+      # Generate an 32-character unique id based on a hash of the current time,
+      # a random number, the process id, and a constant string. This is used
+      # to generate session ids but may be reused elsewhere.
+      def self.generate_unique_id(constant = 'foobar')
+        md5 = Digest::MD5.new
+        now = Time.now
+        md5 << now.to_s
+        md5 << String(now.usec)
+        md5 << String(rand(0))
+        md5 << String($$)
+        md5 << constant
+        md5.hexdigest
+      end
+    end
+
+    # Make the CGI instance available to session stores.
+    attr_reader :cgi
+    attr_reader :dbman
+    alias_method :initialize_without_cgi_reader, :initialize
+    def initialize(cgi, options = {})
+      @cgi = cgi
+      initialize_without_cgi_reader(cgi, options)
+    end
+
+    private
+      # Create a new session id.
+      def create_new_id
+        @new_session = true
+        self.class.generate_unique_id
+      end
+
+    # * Don't require 'digest/md5' whenever a new session is started.
+    class PStore #:nodoc:
+      def initialize(session, option={})
+        dir = option['tmpdir'] || Dir::tmpdir
+        prefix = option['prefix'] || ''
+        id = session.session_id
+        md5 = Digest::MD5.hexdigest(id)[0,16]
+        path = dir+"/"+prefix+md5
+        path.untaint
+        if File::exist?(path)
+          @hash = nil
+        else
+          unless session.new_session
+            raise CGI::Session::NoSession, "uninitialized session"
+          end
+          @hash = {}
+        end
+        @p = ::PStore.new(path)
+        @p.transaction do |p|
+          File.chmod(0600, p.path)
+        end
+      end
+    end
+  end
+end

data/lib/action_controller/cgi_ext/stdinput.rb

@@ -0,0 +1,23 @@
+require 'cgi'
+
+module ActionController
+  module CgiExt
+    # Publicize the CGI's internal input stream so we can lazy-read
+    # request.body. Make it writable so we don't have to play $stdin games.
+    module Stdinput
+      def self.included(base)
+        base.class_eval do
+          remove_method :stdinput
+          attr_accessor :stdinput
+        end
+
+        base.alias_method_chain :initialize, :stdinput
+      end
+
+      def initialize_with_stdinput(type = nil, stdinput = $stdin)
+        @stdinput = stdinput
+        initialize_without_stdinput(type || 'query')
+      end
+    end
+  end
+end

data/lib/action_controller/cgi_process.rb

@@ -1,8 +1,5 @@
-require 'action_controller/cgi_ext/cgi_ext'
-require 'action_controller/cgi_ext/cookie_performance_fix'
-require 'action_controller/cgi_ext/raw_post_data_fix'
-require 'action_controller/cgi_ext/session_performance_fix'
-require 'action_controller/cgi_ext/pstore_performance_fix'
+require 'action_controller/cgi_ext'
+require 'action_controller/session/cookie_store'
 
 module ActionController #:nodoc:
   class Base
@@ -40,9 +37,9 @@ module ActionController #:nodoc:
     class SessionFixationAttempt < StandardError; end #:nodoc:
 
     DEFAULT_SESSION_OPTIONS = {
-      :database_manager => CGI::Session::PStore,
-      :prefix           => "ruby_sess.",
-      :session_path     => "/",
+      :database_manager => CGI::Session::CookieStore, # store data in cookie
+      :prefix           => "ruby_sess.",    # prefix session file names
+      :session_path     => "/",             # available to all paths in app
       :session_key      => "_session_id",
       :cookie_only      => true
     } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
@@ -50,45 +47,42 @@ module ActionController #:nodoc:
     def initialize(cgi, session_options = {})
       @cgi = cgi
       @session_options = session_options
-      @env = @cgi.send(:env_table)
+      @env = @cgi.send!(:env_table)
       super()
     end
 
-    def cookie_only?
-      session_options_with_string_keys['cookie_only']
-    end
-
     def query_string
-      if (qs = @cgi.query_string) && !qs.empty?
+      qs = @cgi.query_string if @cgi.respond_to?(:query_string)
+      if !qs.blank?
         qs
-      elsif uri = @env['REQUEST_URI']
-        parts = uri.split('?')
-        parts.shift
-        parts.join('?')
       else
-        @env['QUERY_STRING'] || ''
+        super
+      end
+    end
+
+    # The request body is an IO input stream. If the RAW_POST_DATA environment
+    # variable is already set, wrap it in a StringIO.
+    def body
+      if raw_post = env['RAW_POST_DATA']
+        StringIO.new(raw_post)
+      else
+        @cgi.stdinput
       end
     end
 
     def query_parameters
-      @query_parameters ||=
-        (qs = self.query_string).empty? ? {} : CGIMethods.parse_query_parameters(qs)
+      @query_parameters ||= self.class.parse_query_parameters(query_string)
     end
 
     def request_parameters
-      @request_parameters ||=
-        if ActionController::Base.param_parsers.has_key?(content_type)
-          CGIMethods.parse_formatted_request_parameters(content_type, @env['RAW_POST_DATA'])
-        else
-          CGIMethods.parse_request_parameters(@cgi.params)
-        end
+      @request_parameters ||= parse_formatted_request_parameters
     end
 
     def cookies
       @cgi.cookies.freeze
     end
 
-    def host_with_port
+    def host_with_port_without_standard_port_handling
       if forwarded = env["HTTP_X_FORWARDED_HOST"]
         forwarded.split(/,\s?/).last
       elsif http_host = env['HTTP_HOST']
@@ -101,11 +95,11 @@ module ActionController #:nodoc:
     end
 
     def host
-      host_with_port[/^[^:]+/]
+      host_with_port_without_standard_port_handling.sub(/:\d+$/, '')
     end
 
     def port
-      if host_with_port =~ /:(\d+)$/
+      if host_with_port_without_standard_port_handling =~ /:(\d+)$/
         $1.to_i
       else
         standard_port
@@ -118,7 +112,7 @@ module ActionController #:nodoc:
           @session = Hash.new
         else
           stale_session_check! do
-            if cookie_only? && request_parameters[session_options_with_string_keys['session_key']]
+            if cookie_only? && query_parameters[session_options_with_string_keys['session_key']]
               raise SessionFixationAttempt
             end
             case value = session_options_with_string_keys['new_session']
@@ -150,7 +144,7 @@ module ActionController #:nodoc:
     end
 
     def method_missing(method_id, *arguments)
-      @cgi.send(method_id, *arguments) rescue super
+      @cgi.send!(method_id, *arguments) rescue super
     end
 
     private
@@ -164,12 +158,17 @@ module ActionController #:nodoc:
         end
       end
 
+      def cookie_only?
+        session_options_with_string_keys['cookie_only']
+      end
+
       def stale_session_check!
         yield
       rescue ArgumentError => argument_error
-        if argument_error.message =~ %r{undefined class/module ([\w:]+)}
+        if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
           begin
-            Module.const_missing($1)
+            # Note that the regexp does not allow $1 to end with a ':'
+            $1.constantize
           rescue LoadError, NameError => const_error
             raise ActionController::SessionRestoreError, <<-end_msg
 Session contains objects whose class definition isn\'t available.
@@ -196,16 +195,13 @@ end_msg
     end
 
     def out(output = $stdout)
-      convert_content_type!
-      set_content_length!
-
       output.binmode      if output.respond_to?(:binmode)
       output.sync = false if output.respond_to?(:sync=)
 
       begin
         output.write(@cgi.header(@headers))
 
-        if @cgi.send(:env_table)['REQUEST_METHOD'] == 'HEAD'
+        if @cgi.send!(:env_table)['REQUEST_METHOD'] == 'HEAD'
           return
         elsif @body.respond_to?(:call)
           # Flush the output now in case the @body Proc uses
@@ -221,24 +217,5 @@ end_msg
         # lost connection to parent process, ignore output
       end
     end
-
-    private
-      def convert_content_type!
-        if content_type = @headers.delete("Content-Type")
-          @headers["type"] = content_type
-        end
-        if content_type = @headers.delete("Content-type")
-          @headers["type"] = content_type
-        end
-        if content_type = @headers.delete("content-type")
-          @headers["type"] = content_type
-        end
-      end
-      
-      # Don't set the Content-Length for block-based bodies as that would mean reading it all into memory. Not nice
-      # for, say, a 2GB streaming file.
-      def set_content_length!
-        @headers["Content-Length"] = @body.size unless @body.respond_to?(:call)
-      end
   end
 end

data/lib/action_controller/components.rb

@@ -17,44 +17,44 @@ module ActionController #:nodoc:
   #   end
   #
   # The same can be done in a view to do a partial rendering:
-  # 
-  #   Let's see a greeting: 
+  #
+  #   Let's see a greeting:
   #   <%= render_component :controller => "greeter", :action => "hello_world" %>
   #
   # It is also possible to specify the controller as a class constant, bypassing the inflector
   # code to compute the controller class at runtime:
-  # 
+  #
   # <%= render_component :controller => GreeterController, :action => "hello_world" %>
   #
   # == When to use components
   #
   # Components should be used with care. They're significantly slower than simply splitting reusable parts into partials and
   # conceptually more complicated. Don't use components as a way of separating concerns inside a single application. Instead,
-  # reserve components to those rare cases where you truly have reusable view and controller elements that can be employed 
+  # reserve components to those rare cases where you truly have reusable view and controller elements that can be employed
   # across many applications at once.
   #
   # So to repeat: Components are a special-purpose approach that can often be replaced with better use of partials and filters.
   module Components
     def self.included(base) #:nodoc:
-      base.send :include, InstanceMethods
-      base.extend(ClassMethods)
+      base.class_eval do
+        include InstanceMethods
+        extend ClassMethods
 
-      base.helper do
-        def render_component(options) 
-          @controller.send(:render_component_as_string, options)
+        helper do
+          def render_component(options)
+            @controller.send!(:render_component_as_string, options)
+          end
         end
-      end
-            
-      # If this controller was instantiated to process a component request,
-      # +parent_controller+ points to the instantiator of this controller.
-      base.send :attr_accessor, :parent_controller
-      
-      base.class_eval do
+
+        # If this controller was instantiated to process a component request,
+        # +parent_controller+ points to the instantiator of this controller.
+        attr_accessor :parent_controller
+
         alias_method_chain :process_cleanup, :components
         alias_method_chain :set_session_options, :components
         alias_method_chain :flash, :components
 
-        alias_method :component_request?, :parent_controller       
+        alias_method :component_request?, :parent_controller
       end
     end
 
@@ -65,23 +65,6 @@ module ActionController #:nodoc:
         controller.parent_controller = parent_controller
         controller.process(request, response)
       end
-
-      # Set the template root to be one directory behind the root dir of the controller. Examples:
-      #   /code/weblog/components/admin/users_controller.rb with Admin::UsersController 
-      #     will use /code/weblog/components as template root 
-      #     and find templates in /code/weblog/components/admin/users/
-      #
-      #   /code/weblog/components/admin/parties/users_controller.rb with Admin::Parties::UsersController 
-      #     will also use /code/weblog/components as template root 
-      #     and find templates in /code/weblog/components/admin/parties/users/
-      def uses_component_template_root
-        path_of_calling_controller = File.dirname(caller[1].split(/:\d+:/, 2).first)
-        path_of_controller_root    = path_of_calling_controller.sub(/#{Regexp.escape(File.dirname(controller_path))}$/, "")
-
-        self.template_root = path_of_controller_root
-      end
-
-      deprecate :uses_component_template_root => 'Components are deprecated and will be removed in Rails 2.0.'
     end
 
     module InstanceMethods
@@ -90,12 +73,12 @@ module ActionController #:nodoc:
         flash.discard if component_request?
         process_without_components(request, response, method, *arguments)
       end
-      
+
       protected
         # Renders the component specified as the response for the current method
         def render_component(options) #:doc:
           component_logging(options) do
-            render_text(component_response(options, true).body, response.headers["Status"])
+            render_for_text(component_response(options, true).body, response.headers["Status"])
           end
         end