RubyGems - actionpack - Versions diffs - 2.2.3 → 2.3.2 - Mend

actionpack 2.2.3 → 2.3.2

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (264) hide show

data/CHANGELOG +433 -375
data/MIT-LICENSE +1 -1
data/README +21 -75
data/Rakefile +1 -1
data/lib/action_controller.rb +80 -43
data/lib/action_controller/assertions/model_assertions.rb +1 -0
data/lib/action_controller/assertions/response_assertions.rb +43 -16
data/lib/action_controller/assertions/routing_assertions.rb +1 -1
data/lib/action_controller/assertions/selector_assertions.rb +17 -12
data/lib/action_controller/assertions/tag_assertions.rb +1 -4
data/lib/action_controller/base.rb +153 -82
data/lib/action_controller/benchmarking.rb +9 -9
data/lib/action_controller/caching.rb +9 -11
data/lib/action_controller/caching/actions.rb +11 -18
data/lib/action_controller/caching/fragments.rb +28 -20
data/lib/action_controller/caching/pages.rb +13 -15
data/lib/action_controller/caching/sweeping.rb +2 -2
data/lib/action_controller/cgi_ext.rb +0 -1
data/lib/action_controller/cgi_ext/cookie.rb +2 -0
data/lib/action_controller/cgi_process.rb +54 -162
data/lib/action_controller/cookies.rb +13 -25
data/lib/action_controller/dispatcher.rb +43 -122
data/lib/action_controller/failsafe.rb +52 -0
data/lib/action_controller/flash.rb +38 -47
data/lib/action_controller/helpers.rb +13 -9
data/lib/action_controller/http_authentication.rb +203 -23
data/lib/action_controller/integration.rb +126 -70
data/lib/action_controller/layout.rb +36 -39
data/lib/action_controller/middleware_stack.rb +119 -0
data/lib/action_controller/middlewares.rb +13 -0
data/lib/action_controller/mime_responds.rb +19 -4
data/lib/action_controller/mime_type.rb +8 -0
data/lib/action_controller/params_parser.rb +71 -0
data/lib/action_controller/performance_test.rb +0 -1
data/lib/action_controller/polymorphic_routes.rb +36 -30
data/lib/action_controller/reloader.rb +14 -0
data/lib/action_controller/request.rb +107 -499
data/lib/action_controller/request_forgery_protection.rb +7 -39
data/lib/action_controller/rescue.rb +55 -35
data/lib/action_controller/resources.rb +34 -31
data/lib/action_controller/response.rb +99 -57
data/lib/action_controller/rewindable_input.rb +28 -0
data/lib/action_controller/routing.rb +7 -7
data/lib/action_controller/routing/builder.rb +4 -1
data/lib/action_controller/routing/optimisations.rb +1 -1
data/lib/action_controller/routing/recognition_optimisation.rb +1 -2
data/lib/action_controller/routing/route.rb +15 -5
data/lib/action_controller/routing/route_set.rb +82 -35
data/lib/action_controller/routing/segments.rb +35 -0
data/lib/action_controller/session/abstract_store.rb +181 -0
data/lib/action_controller/session/cookie_store.rb +197 -175
data/lib/action_controller/session/mem_cache_store.rb +36 -83
data/lib/action_controller/session_management.rb +26 -134
data/lib/action_controller/streaming.rb +24 -7
data/lib/action_controller/templates/rescues/diagnostics.erb +2 -2
data/lib/action_controller/templates/rescues/template_error.erb +2 -2
data/lib/action_controller/test_case.rb +87 -30
data/lib/action_controller/test_process.rb +145 -104
data/lib/action_controller/uploaded_file.rb +44 -0
data/lib/action_controller/url_rewriter.rb +3 -6
data/lib/action_controller/vendor/html-scanner.rb +16 -0
data/lib/action_controller/vendor/html-scanner/html/selector.rb +1 -1
data/lib/action_controller/vendor/rack-1.0/rack.rb +89 -0
data/lib/action_controller/vendor/rack-1.0/rack/adapter/camping.rb +22 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/abstract/handler.rb +37 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/abstract/request.rb +37 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/basic.rb +58 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/digest/md5.rb +124 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/digest/nonce.rb +51 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/digest/params.rb +55 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/digest/request.rb +40 -0
data/lib/action_controller/vendor/rack-1.0/rack/auth/openid.rb +480 -0
data/lib/action_controller/vendor/rack-1.0/rack/builder.rb +63 -0
data/lib/action_controller/vendor/rack-1.0/rack/cascade.rb +36 -0
data/lib/action_controller/vendor/rack-1.0/rack/chunked.rb +49 -0
data/lib/action_controller/vendor/rack-1.0/rack/commonlogger.rb +61 -0
data/lib/action_controller/vendor/rack-1.0/rack/conditionalget.rb +45 -0
data/lib/action_controller/vendor/rack-1.0/rack/content_length.rb +29 -0
data/lib/action_controller/vendor/rack-1.0/rack/content_type.rb +23 -0
data/lib/action_controller/vendor/rack-1.0/rack/deflater.rb +85 -0
data/lib/action_controller/vendor/rack-1.0/rack/directory.rb +153 -0
data/lib/action_controller/vendor/rack-1.0/rack/file.rb +88 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler.rb +48 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/cgi.rb +61 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/evented_mongrel.rb +8 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/fastcgi.rb +89 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/lsws.rb +55 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/mongrel.rb +84 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/scgi.rb +59 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/swiftiplied_mongrel.rb +8 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/thin.rb +18 -0
data/lib/action_controller/vendor/rack-1.0/rack/handler/webrick.rb +67 -0
data/lib/action_controller/vendor/rack-1.0/rack/head.rb +19 -0
data/lib/action_controller/vendor/rack-1.0/rack/lint.rb +462 -0
data/lib/action_controller/vendor/rack-1.0/rack/lobster.rb +65 -0
data/lib/action_controller/vendor/rack-1.0/rack/lock.rb +16 -0
data/lib/action_controller/vendor/rack-1.0/rack/methodoverride.rb +27 -0
data/lib/action_controller/vendor/rack-1.0/rack/mime.rb +204 -0
data/lib/action_controller/vendor/rack-1.0/rack/mock.rb +160 -0
data/lib/action_controller/vendor/rack-1.0/rack/recursive.rb +57 -0
data/lib/action_controller/vendor/rack-1.0/rack/reloader.rb +64 -0
data/lib/action_controller/vendor/rack-1.0/rack/request.rb +241 -0
data/lib/action_controller/vendor/rack-1.0/rack/response.rb +179 -0
data/lib/action_controller/vendor/rack-1.0/rack/session/abstract/id.rb +142 -0
data/lib/action_controller/vendor/rack-1.0/rack/session/cookie.rb +91 -0
data/lib/action_controller/vendor/rack-1.0/rack/session/memcache.rb +109 -0
data/lib/action_controller/vendor/rack-1.0/rack/session/pool.rb +100 -0
data/lib/action_controller/vendor/rack-1.0/rack/showexceptions.rb +349 -0
data/lib/action_controller/vendor/rack-1.0/rack/showstatus.rb +106 -0
data/lib/action_controller/vendor/rack-1.0/rack/static.rb +38 -0
data/lib/action_controller/vendor/rack-1.0/rack/urlmap.rb +55 -0
data/lib/action_controller/vendor/rack-1.0/rack/utils.rb +392 -0
data/lib/action_controller/verification.rb +1 -1
data/lib/action_pack.rb +1 -1
data/lib/action_pack/version.rb +2 -2
data/lib/action_view.rb +22 -17
data/lib/action_view/base.rb +53 -79
data/lib/action_view/erb/util.rb +38 -0
data/lib/action_view/helpers.rb +24 -5
data/lib/action_view/helpers/active_record_helper.rb +2 -2
data/lib/action_view/helpers/asset_tag_helper.rb +81 -50
data/lib/action_view/helpers/atom_feed_helper.rb +1 -1
data/lib/action_view/helpers/benchmark_helper.rb +26 -5
data/lib/action_view/helpers/date_helper.rb +82 -7
data/lib/action_view/helpers/form_helper.rb +295 -64
data/lib/action_view/helpers/form_options_helper.rb +160 -18
data/lib/action_view/helpers/form_tag_helper.rb +2 -2
data/lib/action_view/helpers/number_helper.rb +31 -18
data/lib/action_view/helpers/prototype_helper.rb +2 -12
data/lib/action_view/helpers/sanitize_helper.rb +0 -10
data/lib/action_view/helpers/scriptaculous_helper.rb +1 -0
data/lib/action_view/helpers/tag_helper.rb +3 -4
data/lib/action_view/helpers/text_helper.rb +99 -122
data/lib/action_view/helpers/translation_helper.rb +19 -1
data/lib/action_view/helpers/url_helper.rb +25 -2
data/lib/action_view/inline_template.rb +1 -1
data/lib/action_view/locale/en.yml +19 -1
data/lib/action_view/partials.rb +46 -9
data/lib/action_view/paths.rb +28 -84
data/lib/action_view/reloadable_template.rb +117 -0
data/lib/action_view/renderable.rb +28 -35
data/lib/action_view/renderable_partial.rb +3 -4
data/lib/action_view/template.rb +172 -31
data/lib/action_view/template_error.rb +8 -9
data/lib/action_view/template_handler.rb +1 -1
data/lib/action_view/template_handlers.rb +9 -6
data/lib/action_view/template_handlers/erb.rb +2 -39
data/lib/action_view/template_handlers/rjs.rb +1 -0
data/lib/action_view/test_case.rb +27 -1
data/test/abstract_unit.rb +23 -17
data/test/active_record_unit.rb +5 -4
data/test/activerecord/active_record_store_test.rb +139 -106
data/test/activerecord/render_partial_with_record_identification_test.rb +5 -21
data/test/controller/action_pack_assertions_test.rb +25 -23
data/test/controller/addresses_render_test.rb +3 -6
data/test/controller/assert_select_test.rb +83 -70
data/test/controller/base_test.rb +11 -13
data/test/controller/benchmark_test.rb +3 -3
data/test/controller/caching_test.rb +34 -24
data/test/controller/capture_test.rb +3 -6
data/test/controller/content_type_test.rb +3 -6
data/test/controller/cookie_test.rb +31 -66
data/test/controller/deprecation/deprecated_base_methods_test.rb +9 -11
data/test/controller/dispatcher_test.rb +23 -28
data/test/controller/fake_models.rb +8 -0
data/test/controller/filters_test.rb +6 -2
data/test/controller/flash_test.rb +2 -6
data/test/controller/helper_test.rb +15 -1
data/test/controller/html-scanner/document_test.rb +1 -1
data/test/controller/html-scanner/sanitizer_test.rb +1 -1
data/test/controller/http_basic_authentication_test.rb +88 -0
data/test/controller/http_digest_authentication_test.rb +178 -0
data/test/controller/integration_test.rb +56 -52
data/test/controller/layout_test.rb +46 -44
data/test/controller/middleware_stack_test.rb +90 -0
data/test/controller/mime_responds_test.rb +7 -11
data/test/controller/mime_type_test.rb +9 -0
data/test/controller/polymorphic_routes_test.rb +235 -151
data/test/controller/rack_test.rb +52 -81
data/test/controller/redirect_test.rb +6 -14
data/test/controller/render_test.rb +273 -60
data/test/controller/request/json_params_parsing_test.rb +45 -0
data/test/controller/request/multipart_params_parsing_test.rb +223 -0
data/test/controller/request/query_string_parsing_test.rb +120 -0
data/test/controller/request/url_encoded_params_parsing_test.rb +184 -0
data/test/controller/request/xml_params_parsing_test.rb +88 -0
data/test/controller/request_forgery_protection_test.rb +17 -98
data/test/controller/request_test.rb +45 -530
data/test/controller/rescue_test.rb +45 -22
data/test/controller/resources_test.rb +112 -37
data/test/controller/routing_test.rb +1442 -1384
data/test/controller/selector_test.rb +3 -3
data/test/controller/send_file_test.rb +30 -3
data/test/controller/session/cookie_store_test.rb +169 -240
data/test/controller/session/mem_cache_store_test.rb +94 -148
data/test/controller/session/test_session_test.rb +58 -0
data/test/controller/test_test.rb +32 -13
data/test/controller/url_rewriter_test.rb +54 -4
data/test/controller/verification_test.rb +1 -1
data/test/controller/view_paths_test.rb +15 -15
data/test/controller/webservice_test.rb +178 -147
data/test/fixtures/alternate_helpers/foo_helper.rb +3 -0
data/test/fixtures/layout_tests/alt/layouts/alt.rhtml +0 -0
data/test/fixtures/layouts/default_html.html.erb +1 -0
data/test/fixtures/layouts/xhr.html.erb +2 -0
data/test/fixtures/multipart/empty +10 -0
data/test/fixtures/multipart/hello.txt +1 -0
data/test/fixtures/multipart/none +9 -0
data/test/fixtures/public/500.da.html +1 -0
data/test/fixtures/quiz/questions/_question.html.erb +1 -0
data/test/fixtures/replies.yml +1 -1
data/test/fixtures/test/_one.html.erb +1 -0
data/test/fixtures/test/_two.html.erb +1 -0
data/test/fixtures/test/dont_pick_me +1 -0
data/test/fixtures/test/hello.builder +1 -1
data/test/fixtures/test/hello_world.da.html.erb +1 -0
data/test/fixtures/test/hello_world.erb~ +1 -0
data/test/fixtures/test/hello_world.pt-BR.html.erb +1 -0
data/test/fixtures/test/malformed/malformed.en.html.erb~ +1 -0
data/test/fixtures/test/malformed/malformed.erb~ +1 -0
data/test/fixtures/test/malformed/malformed.html.erb~ +1 -0
data/test/fixtures/test/render_explicit_html_template.js.rjs +1 -0
data/test/fixtures/test/render_implicit_html_template.js.rjs +1 -0
data/test/fixtures/test/render_implicit_html_template_from_xhr_request.da.html.erb +1 -0
data/test/fixtures/test/render_implicit_html_template_from_xhr_request.html.erb +1 -0
data/test/fixtures/test/render_implicit_js_template_without_layout.js.erb +1 -0
data/test/fixtures/test/utf8.html.erb +2 -0
data/test/template/active_record_helper_i18n_test.rb +31 -33
data/test/template/active_record_helper_test.rb +34 -0
data/test/template/asset_tag_helper_test.rb +52 -14
data/test/template/atom_feed_helper_test.rb +3 -5
data/test/template/benchmark_helper_test.rb +50 -24
data/test/template/compiled_templates_test.rb +177 -33
data/test/template/date_helper_i18n_test.rb +88 -81
data/test/template/date_helper_test.rb +427 -43
data/test/template/form_helper_test.rb +243 -44
data/test/template/form_options_helper_test.rb +631 -565
data/test/template/form_tag_helper_test.rb +9 -2
data/test/template/javascript_helper_test.rb +0 -5
data/test/template/number_helper_i18n_test.rb +60 -48
data/test/template/number_helper_test.rb +1 -0
data/test/template/render_test.rb +117 -35
data/test/template/test_test.rb +4 -6
data/test/template/text_helper_test.rb +129 -50
data/test/template/translation_helper_test.rb +23 -19
data/test/template/url_helper_test.rb +35 -2
data/test/view/test_case_test.rb +8 -0
metadata +197 -23
data/lib/action_controller/assertions.rb +0 -69
data/lib/action_controller/caching/sql_cache.rb +0 -18
data/lib/action_controller/cgi_ext/session.rb +0 -53
data/lib/action_controller/components.rb +0 -169
data/lib/action_controller/rack_process.rb +0 -297
data/lib/action_controller/request_profiler.rb +0 -169
data/lib/action_controller/session/active_record_store.rb +0 -340
data/lib/action_controller/session/drb_server.rb +0 -32
data/lib/action_controller/session/drb_store.rb +0 -35
data/test/controller/cgi_test.rb +0 -269
data/test/controller/components_test.rb +0 -156
data/test/controller/http_authentication_test.rb +0 -54
data/test/controller/integration_upload_test.rb +0 -43
data/test/controller/session_fixation_test.rb +0 -89
data/test/controller/session_management_test.rb +0 -178
data/test/fixtures/test/hello_world.js +0 -1

data/lib/action_controller/session/cookie_store.rb CHANGED

@@ -1,199 +1,221 @@
-require 'cgi'
-require 'cgi/session'
-require 'openssl'       # to generate the HMAC message digest
-# This cookie-based session store is the Rails default. Sessions typically
-# contain at most a user_id and flash message; both fit within the 4K cookie
-# size limit. Cookie-based sessions are dramatically faster than the
-# alternatives.
-#
-# If you have more than 4K of session data or don't want your data to be
-# visible to the user, pick another session store.
-#
-# CookieOverflow is raised if you attempt to store more than 4K of data.
-# TamperedWithCookie is raised if the data integrity check fails.
-#
-# A message digest is included with the cookie to ensure data integrity:
-# a user cannot alter his +user_id+ without knowing the secret key included in
-# the hash. New apps are generated with a pregenerated secret in
-# config/environment.rb. Set your own for old apps you're upgrading.
-#
-# Session options:
-#
-# * <tt>:secret</tt>: An application-wide key string or block returning a string
-#   called per generated digest. The block is called with the CGI::Session
-#   instance as an argument. It's important that the secret is not vulnerable to
-#   a dictionary attack. Therefore, you should choose a secret consisting of
-#   random numbers and letters and more than 30 characters. Examples:
-#
-#     :secret => '449fe2e7daee471bffae2fd8dc02313d'
-#     :secret => Proc.new { User.current_user.secret_key }
-#
-# * <tt>:digest</tt>: The message digest algorithm used to verify session
-#   integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
-#   such as 'MD5', 'RIPEMD160', 'SHA256', etc.
-#
-# To generate a secret key for an existing application, run
-# "rake secret" and set the key in config/environment.rb.
-#
-# Note that changing digest or secret invalidates all existing sessions!
-class CGI::Session::CookieStore
-  # Cookies can typically store 4096 bytes.
-  MAX = 4096
-  SECRET_MIN_LENGTH = 30 # characters
-  # Raised when storing more than 4K of session data.
-  class CookieOverflow < StandardError; end
-  # Raised when the cookie fails its integrity check.
-  class TamperedWithCookie < StandardError; end
-  # Called from CGI::Session only.
-  def initialize(session, options = {})
-    # The session_key option is required.
-    if options['session_key'].blank?
-      raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
-    end
+module ActionController
+  module Session
+    # This cookie-based session store is the Rails default. Sessions typically
+    # contain at most a user_id and flash message; both fit within the 4K cookie
+    # size limit. Cookie-based sessions are dramatically faster than the
+    # alternatives.
+    #
+    # If you have more than 4K of session data or don't want your data to be
+    # visible to the user, pick another session store.
+    #
+    # CookieOverflow is raised if you attempt to store more than 4K of data.
+    #
+    # A message digest is included with the cookie to ensure data integrity:
+    # a user cannot alter his +user_id+ without knowing the secret key
+    # included in the hash. New apps are generated with a pregenerated secret
+    # in config/environment.rb. Set your own for old apps you're upgrading.
+    #
+    # Session options:
+    #
+    # * <tt>:secret</tt>: An application-wide key string or block returning a
+    #   string called per generated digest. The block is called with the
+    #   CGI::Session instance as an argument. It's important that the secret
+    #   is not vulnerable to a dictionary attack. Therefore, you should choose
+    #   a secret consisting of random numbers and letters and more than 30
+    #   characters. Examples:
+    #
+    #     :secret => '449fe2e7daee471bffae2fd8dc02313d'
+    #     :secret => Proc.new { User.current_user.secret_key }
+    #
+    # * <tt>:digest</tt>: The message digest algorithm used to verify session
+    #   integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
+    #   such as 'MD5', 'RIPEMD160', 'SHA256', etc.
+    #
+    # To generate a secret key for an existing application, run
+    # "rake secret" and set the key in config/environment.rb.
+    #
+    # Note that changing digest or secret invalidates all existing sessions!
+    class CookieStore
+      # Cookies can typically store 4096 bytes.
+      MAX = 4096
+      SECRET_MIN_LENGTH = 30 # characters
+      DEFAULT_OPTIONS = {
+        :key          => '_session_id',
+        :domain       => nil,
+        :path         => "/",
+        :expire_after => nil,
+        :httponly     => true
+      }.freeze
+      ENV_SESSION_KEY = "rack.session".freeze
+      ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
+      HTTP_SET_COOKIE = "Set-Cookie".freeze
+      # Raised when storing more than 4K of session data.
+      class CookieOverflow < StandardError; end
+      def initialize(app, options = {})
+        # Process legacy CGI options
+        options = options.symbolize_keys
+        if options.has_key?(:session_path)
+          options[:path] = options.delete(:session_path)
+        end
+        if options.has_key?(:session_key)
+          options[:key] = options.delete(:session_key)
+        end
+        if options.has_key?(:session_http_only)
+          options[:httponly] = options.delete(:session_http_only)
+        end
-    # The secret option is required.
-    ensure_secret_secure(options['secret'])
-    # Keep the session and its secret on hand so we can read and write cookies.
-    @session, @secret = session, options['secret']
-    # Message digest defaults to SHA1.
-    @digest = options['digest'] || 'SHA1'
-    # Default cookie options derived from session settings.
-    @cookie_options = {
-      'name'    => options['session_key'],
-      'path'    => options['session_path'],
-      'domain'  => options['session_domain'],
-      'expires' => options['session_expires'],
-      'secure'  => options['session_secure'],
-      'http_only' => options['session_http_only']
-    }
-    # Set no_hidden and no_cookies since the session id is unused and we
-    # set our own data cookie.
-    options['no_hidden'] = true
-    options['no_cookies'] = true
-  end
+        @app = app
-  # To prevent users from using something insecure like "Password" we make sure that the
-  # secret they've provided is at least 30 characters in length.
-  def ensure_secret_secure(secret)
-    # There's no way we can do this check if they've provided a proc for the
-    # secret.
-    return true if secret.is_a?(Proc)
+        # The session_key option is required.
+        ensure_session_key(options[:key])
+        @key = options.delete(:key).freeze
-    if secret.blank?
-      raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
-    end
+        # The secret option is required.
+        ensure_secret_secure(options[:secret])
+        @secret = options.delete(:secret).freeze
-    if secret.length < SECRET_MIN_LENGTH
-      raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}".  The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
-    end
-  end
+        @digest = options.delete(:digest) || 'SHA1'
+        @verifier = verifier_for(@secret, @digest)
-  # Restore session data from the cookie.
-  def restore
-    @original = read_cookie
-    @data = unmarshal(@original) || {}
-  end
+        @default_options = DEFAULT_OPTIONS.merge(options).freeze
-  # Wait until close to write the session data cookie.
-  def update; end
+        freeze
+      end
-  # Write the session data cookie if it was loaded and has changed.
-  def close
-    if defined?(@data) && !@data.blank?
-      updated = marshal(@data)
-      raise CookieOverflow if updated.size > MAX
-      write_cookie('value' => updated) unless updated == @original
-    end
-  end
+      def call(env)
+        env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
+        env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
-  # Delete the session data by setting an expired cookie with no data.
-  def delete
-    @data = nil
-    clear_old_cookie_value
-    write_cookie('value' => nil, 'expires' => 1.year.ago)
-  end
+        status, headers, body = @app.call(env)
-  # Generate the HMAC keyed message digest. Uses SHA1 by default.
-  def generate_digest(data)
-    key = @secret.respond_to?(:call) ? @secret.call(@session) : @secret
-    OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), key, data)
-  end
+        session_data = env[ENV_SESSION_KEY]
+        options = env[ENV_SESSION_OPTIONS_KEY]
-  private
-    # Marshal a session hash into safe cookie data. Include an integrity hash.
-    def marshal(session)
-      data = ActiveSupport::Base64.encode64s(Marshal.dump(session))
-      "#{data}--#{generate_digest(data)}"
-    end
+        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
+          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
+          session_data = marshal(session_data.to_hash)
-    # Unmarshal cookie data to a hash and verify its integrity.
-    def unmarshal(cookie)
-      if cookie
-        data, digest = cookie.split('--')
+          raise CookieOverflow if session_data.size > MAX
-        # Do two checks to transparently support old double-escaped data.
-        unless secure_compare(digest, generate_digest(data)) || secure_compare(digest, generate_digest(data = CGI.unescape(data)))
-          delete
-          raise TamperedWithCookie
+          cookie = Hash.new
+          cookie[:value] = session_data
+          unless options[:expire_after].nil?
+            cookie[:expires] = Time.now + options[:expire_after]
+          end
+          cookie = build_cookie(@key, cookie.merge(options))
+          unless headers[HTTP_SET_COOKIE].blank?
+            headers[HTTP_SET_COOKIE] << "\n#{cookie}"
+          else
+            headers[HTTP_SET_COOKIE] = cookie
+          end
         end
-        Marshal.load(ActiveSupport::Base64.decode64(data))
+        [status, headers, body]
       end
-    end
-    # Read the session data cookie.
-    def read_cookie
-      @session.cgi.cookies[@cookie_options['name']].first
-    end
+      private
+        # Should be in Rack::Utils soon
+        def build_cookie(key, value)
+          case value
+          when Hash
+            domain  = "; domain="  + value[:domain] if value[:domain]
+            path    = "; path="    + value[:path]   if value[:path]
+            # According to RFC 2109, we need dashes here.
+            # N.B.: cgi.rb uses spaces...
+            expires = "; expires=" + value[:expires].clone.gmtime.
+              strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
+            secure = "; secure" if value[:secure]
+            httponly = "; HttpOnly" if value[:httponly]
+            value = value[:value]
+          end
+          value = [value] unless Array === value
+          cookie = Rack::Utils.escape(key) + "=" +
+            value.map { |v| Rack::Utils.escape(v) }.join("&") +
+            "#{domain}#{path}#{expires}#{secure}#{httponly}"
+        end
-    # CGI likes to make you hack.
-    def write_cookie(options)
-      cookie = CGI::Cookie.new(@cookie_options.merge(options))
-      @session.cgi.send :instance_variable_set, '@output_cookies', [cookie]
-    end
+        def load_session(env)
+          request = Rack::Request.new(env)
+          session_data = request.cookies[@key]
+          data = unmarshal(session_data) || persistent_session_id!({})
+          [data[:session_id], data]
+        end
-    # Clear cookie value so subsequent new_session doesn't reload old data.
-    def clear_old_cookie_value
-      @session.cgi.cookies[@cookie_options['name']].clear
-    end
-    if "foo".respond_to?(:force_encoding)
-      # constant-time comparison algorithm to prevent timing attacks
-      def secure_compare(a, b)
-        a = a.dup.force_encoding(Encoding::BINARY)
-        b = b.dup.force_encoding(Encoding::BINARY)
-        if a.length == b.length
-          result = 0
-          for i in 0..(a.length - 1)
-            result |= a[i].ord ^ b[i].ord
+        # Marshal a session hash into safe cookie data. Include an integrity hash.
+        def marshal(session)
+          @verifier.generate(persistent_session_id!(session))
+        end
+        # Unmarshal cookie data to a hash and verify its integrity.
+        def unmarshal(cookie)
+          persistent_session_id!(@verifier.verify(cookie)) if cookie
+        rescue ActiveSupport::MessageVerifier::InvalidSignature
+          nil
+        end
+        def ensure_session_key(key)
+          if key.blank?
+            raise ArgumentError, 'A key is required to write a ' +
+              'cookie containing the session data. Use ' +
+              'config.action_controller.session = { :key => ' +
+              '"_myapp_session", :secret => "some secret phrase" } in ' +
+              'config/environment.rb'
           end
-          result == 0
-        else
-          false
         end
-      end
-    else
-      # For 1.8
-      def secure_compare(a, b)
-        if a.length == b.length
-          result = 0
-          for i in 0..(a.length - 1)
-            result |= a[i] ^ b[i]
+        # To prevent users from using something insecure like "Password" we make sure that the
+        # secret they've provided is at least 30 characters in length.
+        def ensure_secret_secure(secret)
+          # There's no way we can do this check if they've provided a proc for the
+          # secret.
+          return true if secret.is_a?(Proc)
+          if secret.blank?
+            raise ArgumentError, "A secret is required to generate an " +
+              "integrity hash for cookie session data. Use " +
+              "config.action_controller.session = { :key => " +
+              "\"_myapp_session\", :secret => \"some secret phrase of at " +
+              "least #{SECRET_MIN_LENGTH} characters\" } " +
+              "in config/environment.rb"
+          end
+          if secret.length < SECRET_MIN_LENGTH
+            raise ArgumentError, "Secret should be something secure, " +
+              "like \"#{ActiveSupport::SecureRandom.hex(16)}\".  The value you " +
+              "provided, \"#{secret}\", is shorter than the minimum length " +
+              "of #{SECRET_MIN_LENGTH} characters"
           end
-          result == 0
-        else
-          false
         end
-      end
-    end
+        def verifier_for(secret, digest)
+          key = secret.respond_to?(:call) ? secret.call : secret
+          ActiveSupport::MessageVerifier.new(key, digest)
+        end
+        def generate_sid
+          ActiveSupport::SecureRandom.hex(16)
+        end
+        def persistent_session_id!(data)
+          (data ||= {}).merge!(inject_persistent_session_id(data))
+        end
+        def inject_persistent_session_id(data)
+          requires_session_id?(data) ? { :session_id => generate_sid } : {}
+        end
+        def requires_session_id?(data)
+          if data
+            data.respond_to?(:key?) && !data.key?(:session_id)
+          else
+            true
+          end
+        end
+    end
+  end
 end

data/lib/action_controller/session/mem_cache_store.rb CHANGED

@@ -1,95 +1,48 @@
-# cgi/session/memcached.rb - persistent storage of marshalled session data
-#
-# == Overview
-#
-# This file provides the CGI::Session::MemCache class, which builds
-# persistence of storage data on top of the MemCache library.  See
-# cgi/session.rb for more details on session storage managers.
-#
 begin
-  require 'cgi/session'
   require_library_or_gem 'memcache'
-  class CGI
-    class Session
-      # MemCache-based session storage class.
-      #
-      # This builds upon the top-level MemCache class provided by the
-      # library file memcache.rb.  Session data is marshalled and stored
-      # in a memcached cache.
-      class MemCacheStore
-        def check_id(id) #:nodoc:#
-          /[^0-9a-zA-Z]+/ =~ id.to_s ? false : true
-        end
+  module ActionController
+    module Session
+      class MemCacheStore < AbstractStore
+        def initialize(app, options = {})
+          # Support old :expires option
+          options[:expire_after] ||= options[:expires]
-        # Create a new CGI::Session::MemCache instance
-        #
-        # This constructor is used internally by CGI::Session. The
-        # user does not generally need to call it directly.
-        #
-        # +session+ is the session for which this instance is being
-        # created. The session id must only contain alphanumeric
-        # characters; automatically generated session ids observe
-        # this requirement.
-        #
-        # +options+ is a hash of options for the initializer. The
-        # following options are recognized:
-        #
-        # cache::  an instance of a MemCache client to use as the
-        #      session cache.
-        #
-        # expires:: an expiry time value to use for session entries in
-        #     the session cache. +expires+ is interpreted in seconds
-        #     relative to the current time if it�s less than 60*60*24*30
-        #     (30 days), or as an absolute Unix time (e.g., Time#to_i) if
-        #     greater. If +expires+ is +0+, or not passed on +options+,
-        #     the entry will never expire.
-        #
-        # This session's memcache entry will be created if it does
-        # not exist, or retrieved if it does.
-        def initialize(session, options = {})
-          id = session.session_id
-          unless check_id(id)
-            raise ArgumentError, "session_id '%s' is invalid" % id
-          end
-          @cache = options['cache'] || MemCache.new('localhost')
-          @expires = options['expires'] || 0
-          @session_key = "session:#{id}"
-          @session_data = {}
-          # Add this key to the store if haven't done so yet
-          unless @cache.get(@session_key)
-            @cache.add(@session_key, @session_data, @expires)
-          end
-        end
+          super
-        # Restore session state from the session's memcache entry.
-        #
-        # Returns the session state as a hash.
-        def restore
-          @session_data = @cache[@session_key] || {}
-        end
+          @default_options = {
+            :namespace => 'rack:session',
+            :memcache_server => 'localhost:11211'
+          }.merge(@default_options)
-        # Save session state to the session's memcache entry.
-        def update
-          @cache.set(@session_key, @session_data, @expires)
-        end
-        # Update and close the session's memcache entry.
-        def close
-          update
-        end
+          @pool = options[:cache] || MemCache.new(@default_options[:memcache_server], @default_options)
+          unless @pool.servers.any? { |s| s.alive? }
+            raise "#{self} unable to find server during initialization."
+          end
+          @mutex = Mutex.new
-        # Delete the session's memcache entry.
-        def delete
-          @cache.delete(@session_key)
-          @session_data = {}
-        end
-        def data
-          @session_data
+          super
         end
+        private
+          def get_session(env, sid)
+            sid ||= generate_sid
+            begin
+              session = @pool.get(sid) || {}
+            rescue MemCache::MemCacheError, Errno::ECONNREFUSED
+              session = {}
+            end
+            [sid, session]
+          end
+          def set_session(env, sid, session_data)
+            options = env['rack.session.options']
+            expiry  = options[:expire_after] || 0
+            @pool.set(sid, session_data, expiry)
+            return true
+          rescue MemCache::MemCacheError, Errno::ECONNREFUSED
+            return false
+          end
       end
     end
   end