actionpack 2.2.3 → 2.3.2

data/lib/action_controller/request_forgery_protection.rb

@@ -5,8 +5,6 @@ module ActionController #:nodoc:
   module RequestForgeryProtection
     def self.included(base)
       base.class_eval do
-        class_inheritable_accessor :request_forgery_protection_options
-        self.request_forgery_protection_options = {}
         helper_method :form_authenticity_token
         helper_method :protect_against_forgery?
       end
@@ -14,7 +12,7 @@ module ActionController #:nodoc:
     end
     
     # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a
-    # forged link from another site, is done by embedding a token based on the session (which an attacker wouldn't know) in all
+    # forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all
     # forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller.  Only
     # HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication
     # scheme there anyway).  Also, GET requests are not protected as these should be idempotent anyway.
@@ -57,12 +55,8 @@ module ActionController #:nodoc:
       # Example:
       #
       #   class FooController < ApplicationController
-      #     # uses the cookie session store (then you don't need a separate :secret)
       #     protect_from_forgery :except => :index
       #
-      #     # uses one of the other session stores that uses a session_id value.
-      #     protect_from_forgery :secret => 'my-little-pony', :except => :index
-      #
       #     # you can disable csrf protection on controller-by-controller basis:
       #     skip_before_filter :verify_authenticity_token
       #   end
@@ -70,13 +64,12 @@ module ActionController #:nodoc:
       # Valid Options:
       #
       # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call.  Set which actions are verified.
-      # * <tt>:secret</tt> - Custom salt used to generate the <tt>form_authenticity_token</tt>.
-      #   Leave this off if you are using the cookie session store.
-      # * <tt>:digest</tt> - Message digest used for hashing.  Defaults to 'SHA1'.
       def protect_from_forgery(options = {})
         self.request_forgery_protection_token ||= :authenticity_token
         before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
-        request_forgery_protection_options.update(options)
+        if options[:secret] || options[:digest]
+          ActiveSupport::Deprecation.warn("protect_from_forgery only takes :only and :except options now. :digest and :secret have no effect", caller)
+        end
       end
     end
 
@@ -90,7 +83,7 @@ module ActionController #:nodoc:
       #
       # * is the format restricted?  By default, only HTML and AJAX requests are checked.
       # * is it a GET request?  Gets should be safe and idempotent
-      # * Does the form_authenticity_token match the given _token value from the params?
+      # * Does the form_authenticity_token match the given token value from the params?
       def verified_request?
         !protect_against_forgery?     ||
           request.method == :get      ||
@@ -105,34 +98,9 @@ module ActionController #:nodoc:
       # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
       # in +protect_from_forgery+ to add a custom salt to the hash.
       def form_authenticity_token
-        @form_authenticity_token ||= if !session.respond_to?(:session_id)
-          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
-        elsif request_forgery_protection_options[:secret]
-          authenticity_token_from_session_id
-        elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
-          authenticity_token_from_cookie_session
-        else
-          raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
-        end
-      end
-      
-      # Generates a unique digest using the session_id and the CSRF secret.
-      def authenticity_token_from_session_id
-        key = if request_forgery_protection_options[:secret].respond_to?(:call)
-          request_forgery_protection_options[:secret].call(@session)
-        else
-          request_forgery_protection_options[:secret]
-        end
-        digest = request_forgery_protection_options[:digest] ||= 'SHA1'
-        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s)
-      end
-      
-      # No secret was given, so assume this is a cookie session store.
-      def authenticity_token_from_cookie_session
-        session[:csrf_id] ||= CGI::Session.generate_unique_id
-        session.dbman.generate_digest(session[:csrf_id])
+        session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
       end
-      
+
       def protect_against_forgery?
         allow_forgery_protection && request_forgery_protection_token
       end

data/lib/action_controller/rescue.rb

@@ -1,13 +1,19 @@
 module ActionController #:nodoc:
-  # Actions that fail to perform as expected throw exceptions. These exceptions can either be rescued for the public view
-  # (with a nice user-friendly explanation) or for the developers view (with tons of debugging information). The developers view
-  # is already implemented by the Action Controller, but the public view should be tailored to your specific application. 
-  # 
-  # The default behavior for public exceptions is to render a static html file with the name of the error code thrown.  If no such 
-  # file exists, an empty response is sent with the correct status code.
+  # Actions that fail to perform as expected throw exceptions. These
+  # exceptions can either be rescued for the public view (with a nice
+  # user-friendly explanation) or for the developers view (with tons of
+  # debugging information). The developers view is already implemented by
+  # the Action Controller, but the public view should be tailored to your
+  # specific application.
   #
-  # You can override what constitutes a local request by overriding the <tt>local_request?</tt> method in your own controller.
-  # Custom rescue behavior is achieved by overriding the <tt>rescue_action_in_public</tt> and <tt>rescue_action_locally</tt> methods.
+  # The default behavior for public exceptions is to render a static html
+  # file with the name of the error code thrown.  If no such file exists, an
+  # empty response is sent with the correct status code.
+  #
+  # You can override what constitutes a local request by overriding the
+  # <tt>local_request?</tt> method in your own controller. Custom rescue
+  # behavior is achieved by overriding the <tt>rescue_action_in_public</tt>
+  # and <tt>rescue_action_locally</tt> methods.
   module Rescue
     LOCALHOST = '127.0.0.1'.freeze
 
@@ -32,6 +38,9 @@ module ActionController #:nodoc:
       'ActionView::TemplateError'         => 'template_error'
     }
 
+    RESCUES_TEMPLATE_PATH = ActionView::Template::EagerPath.new_and_loaded(
+      File.join(File.dirname(__FILE__), "templates"))
+
     def self.included(base) #:nodoc:
       base.cattr_accessor :rescue_responses
       base.rescue_responses = Hash.new(DEFAULT_RESCUE_RESPONSE)
@@ -50,47 +59,60 @@ module ActionController #:nodoc:
     end
 
     module ClassMethods
-      def process_with_exception(request, response, exception) #:nodoc:
+      def call_with_exception(env, exception) #:nodoc:
+        request = env["action_controller.rescue.request"] ||= Request.new(env)
+        response = env["action_controller.rescue.response"] ||= Response.new
         new.process(request, response, :rescue_action, exception)
       end
     end
 
     protected
-      # Exception handler called when the performance of an action raises an exception.
+      # Exception handler called when the performance of an action raises
+      # an exception.
       def rescue_action(exception)
-        rescue_with_handler(exception) || rescue_action_without_handler(exception)
+        rescue_with_handler(exception) ||
+          rescue_action_without_handler(exception)
       end
 
-      # Overwrite to implement custom logging of errors. By default logs as fatal.
+      # Overwrite to implement custom logging of errors. By default
+      # logs as fatal.
       def log_error(exception) #:doc:
         ActiveSupport::Deprecation.silence do
           if ActionView::TemplateError === exception
             logger.fatal(exception.to_s)
           else
             logger.fatal(
-              "\n\n#{exception.class} (#{exception.message}):\n    " +
-              clean_backtrace(exception).join("\n    ") +
-              "\n\n"
+              "\n#{exception.class} (#{exception.message}):\n  " +
+              clean_backtrace(exception).join("\n  ") + "\n\n"
             )
           end
         end
       end
 
-      # Overwrite to implement public exception handling (for requests answering false to <tt>local_request?</tt>).  By
-      # default will call render_optional_error_file.  Override this method to provide more user friendly error messages.
+      # Overwrite to implement public exception handling (for requests
+      # answering false to <tt>local_request?</tt>).  By default will call
+      # render_optional_error_file.  Override this method to provide more
+      # user friendly error messages.
       def rescue_action_in_public(exception) #:doc:
         render_optional_error_file response_code_for_rescue(exception)
       end
-      
-      # Attempts to render a static error page based on the <tt>status_code</tt> thrown,
-      # or just return headers if no such file exists. For example, if a 500 error is 
-      # being handled Rails will first attempt to render the file at <tt>public/500.html</tt>. 
-      # If the file doesn't exist, the body of the response will be left empty.
+
+      # Attempts to render a static error page based on the
+      # <tt>status_code</tt> thrown, or just return headers if no such file
+      # exists. At first, it will try to render a localized static page.
+      # For example, if a 500 error is being handled Rails and locale is :da,
+      # it will first attempt to render the file at <tt>public/500.da.html</tt>
+      # then attempt to render <tt>public/500.html</tt>. If none of them exist,
+      # the body of the response will be left empty.
       def render_optional_error_file(status_code)
         status = interpret_status(status_code)
+        locale_path = "#{Rails.public_path}/#{status[0,3]}.#{I18n.locale}.html" if I18n.locale
         path = "#{Rails.public_path}/#{status[0,3]}.html"
-        if File.exist?(path)
-          render :file => path, :status => status
+
+        if locale_path && File.exist?(locale_path)
+          render :file => locale_path, :status => status, :content_type => Mime::HTML
+        elsif File.exist?(path)
+          render :file => path, :status => status, :content_type => Mime::HTML
         else
           head status
         end
@@ -107,11 +129,13 @@ module ActionController #:nodoc:
       # a controller action.
       def rescue_action_locally(exception)
         @template.instance_variable_set("@exception", exception)
-        @template.instance_variable_set("@rescues_path", File.dirname(rescues_path("stub")))
-        @template.instance_variable_set("@contents", @template.render(:file => template_path_for_local_rescue(exception)))
+        @template.instance_variable_set("@rescues_path", RESCUES_TEMPLATE_PATH)
+        @template.instance_variable_set("@contents",
+          @template.render(:file => template_path_for_local_rescue(exception)))
 
         response.content_type = Mime::HTML
-        render_for_file(rescues_path("layout"), response_code_for_rescue(exception))
+        render_for_file(rescues_path("layout"),
+          response_code_for_rescue(exception))
       end
 
       def rescue_action_without_handler(exception)
@@ -139,7 +163,7 @@ module ActionController #:nodoc:
       end
 
       def rescues_path(template_name)
-        "#{File.dirname(__FILE__)}/templates/rescues/#{template_name}.erb"
+        RESCUES_TEMPLATE_PATH["rescues/#{template_name}.erb"]
       end
 
       def template_path_for_local_rescue(exception)
@@ -151,13 +175,9 @@ module ActionController #:nodoc:
       end
 
       def clean_backtrace(exception)
-        if backtrace = exception.backtrace
-          if defined?(RAILS_ROOT)
-            backtrace.map { |line| line.sub RAILS_ROOT, '' }
-          else
-            backtrace
-          end
-        end
+        defined?(Rails) && Rails.respond_to?(:backtrace_cleaner) ?
+          Rails.backtrace_cleaner.clean(exception.backtrace) :
+          exception.backtrace
       end
   end
 end

data/lib/action_controller/resources.rb

@@ -42,7 +42,7 @@ module ActionController
   #
   # Read more about REST at http://en.wikipedia.org/wiki/Representational_State_Transfer
   module Resources
-    INHERITABLE_OPTIONS = :namespace, :shallow, :actions
+    INHERITABLE_OPTIONS = :namespace, :shallow
 
     class Resource #:nodoc:
       DEFAULT_ACTIONS = :index, :create, :new, :edit, :show, :update, :destroy
@@ -91,7 +91,7 @@ module ActionController
       end
 
       def shallow_path_prefix
-        @shallow_path_prefix ||= "#{path_prefix unless @options[:shallow]}"
+        @shallow_path_prefix ||= @options[:shallow] ? @options[:namespace].try(:sub, /\/$/, '') : path_prefix
       end
 
       def member_path
@@ -103,7 +103,7 @@ module ActionController
       end
 
       def shallow_name_prefix
-        @shallow_name_prefix ||= "#{name_prefix unless @options[:shallow]}"
+        @shallow_name_prefix ||= @options[:shallow] ? @options[:namespace].try(:gsub, /\//, '_') : name_prefix
       end
 
       def nesting_name_prefix
@@ -119,7 +119,7 @@ module ActionController
       end
 
       def has_action?(action)
-        !DEFAULT_ACTIONS.include?(action) || @options[:actions].nil? || @options[:actions].include?(action)
+        !DEFAULT_ACTIONS.include?(action) || action_allowed?(action)
       end
 
       protected
@@ -135,24 +135,29 @@ module ActionController
         end
 
         def set_allowed_actions
-          only    = @options.delete(:only)
-          except  = @options.delete(:except)
+          only, except = @options.values_at(:only, :except)
+          @allowed_actions ||= {}
 
-          if only && except
-            raise ArgumentError, 'Please supply either :only or :except, not both.'
-          elsif only == :all || except == :none
-            options[:actions] = DEFAULT_ACTIONS
+          if only == :all || except == :none
+            only = nil
+            except = []
           elsif only == :none || except == :all
-            options[:actions] = []
-          elsif only
-            options[:actions] = DEFAULT_ACTIONS & Array(only).map(&:to_sym)
+            only = []
+            except = nil
+          end
+
+          if only
+            @allowed_actions[:only] = Array(only).map(&:to_sym)
           elsif except
-            options[:actions] = DEFAULT_ACTIONS - Array(except).map(&:to_sym)
-          else
-            # leave options[:actions] alone
+            @allowed_actions[:except] = Array(except).map(&:to_sym)
           end
         end
 
+        def action_allowed?(action)
+          only, except = @allowed_actions.values_at(:only, :except)
+          (!only || only.include?(action)) && (!except || !except.include?(action))
+        end
+
         def set_prefixes
           @path_prefix = options.delete(:path_prefix)
           @name_prefix = options.delete(:name_prefix)
@@ -283,7 +288,12 @@ module ActionController
     # * <tt>:new</tt> - Same as <tt>:collection</tt>, but for actions that operate on the new \resource action.
     # * <tt>:controller</tt> - Specify the controller name for the routes.
     # * <tt>:singular</tt> - Specify the singular name used in the member routes.
-    # * <tt>:requirements</tt> - Set custom routing parameter requirements.
+    # * <tt>:requirements</tt> - Set custom routing parameter requirements; this is a hash of either 
+    #     regular expressions (which must match for the route to match) or extra parameters. For example:
+    #
+    #       map.resource :profile, :path_prefix => ':name', :requirements => { :name => /[a-zA-Z]+/, :extra => 'value' }
+    #
+    #     will only match if the first part is alphabetic, and will pass the parameter :extra to the controller.
     # * <tt>:conditions</tt> - Specify custom routing recognition conditions.  \Resources sets the <tt>:method</tt> value for the method-specific routes.
     # * <tt>:as</tt> - Specify a different \resource name to use in the URL path. For example:
     #     # products_path == '/productos'
@@ -398,8 +408,6 @@ module ActionController
     #   # --> POST /posts/1/comments (maps to the CommentsController#create action)
     #   # --> PUT /posts/1/comments/1 (fails)
     #
-    # The <tt>:only</tt> and <tt>:except</tt> options are inherited by any nested resource(s).
-    #
     # If <tt>map.resources</tt> is called with multiple resources, they all get the same options applied.
     #
     # Examples:
@@ -622,7 +630,7 @@ module ActionController
               action_path = resource.options[:path_names][action] if resource.options[:path_names].is_a?(Hash)
               action_path ||= Base.resources_path_names[action] || action
 
-              map_resource_routes(map, resource, action, "#{resource.member_path}#{resource.action_separator}#{action_path}", "#{action}_#{resource.shallow_name_prefix}#{resource.singular}", m)
+              map_resource_routes(map, resource, action, "#{resource.member_path}#{resource.action_separator}#{action_path}", "#{action}_#{resource.shallow_name_prefix}#{resource.singular}", m, { :force_id => true })
             end
           end
         end
@@ -633,16 +641,14 @@ module ActionController
         map_resource_routes(map, resource, :destroy, resource.member_path, route_path)
       end
 
-      def map_resource_routes(map, resource, action, route_path, route_name = nil, method = nil)
+      def map_resource_routes(map, resource, action, route_path, route_name = nil, method = nil, resource_options = {} )
         if resource.has_action?(action)
-          action_options = action_options_for(action, resource, method)
+          action_options = action_options_for(action, resource, method, resource_options)
           formatted_route_path = "#{route_path}.:format"
 
           if route_name && @set.named_routes[route_name.to_sym].nil?
-            map.named_route(route_name, route_path, action_options)
-            map.named_route("formatted_#{route_name}", formatted_route_path, action_options)
+            map.named_route(route_name, formatted_route_path, action_options)
           else
-            map.connect(route_path, action_options)
             map.connect(formatted_route_path, action_options)
           end
         end
@@ -654,9 +660,10 @@ module ActionController
         end
       end
 
-      def action_options_for(action, resource, method = nil)
+      def action_options_for(action, resource, method = nil, resource_options = {})
         default_options = { :action => action.to_s }
         require_id = !resource.kind_of?(SingletonResource)
+        force_id = resource_options[:force_id] && !resource.kind_of?(SingletonResource)
 
         case default_options[:action]
           when "index", "new"; default_options.merge(add_conditions_for(resource.conditions, method || :get)).merge(resource.requirements)
@@ -664,12 +671,8 @@ module ActionController
           when "show", "edit"; default_options.merge(add_conditions_for(resource.conditions, method || :get)).merge(resource.requirements(require_id))
           when "update";       default_options.merge(add_conditions_for(resource.conditions, method || :put)).merge(resource.requirements(require_id))
           when "destroy";      default_options.merge(add_conditions_for(resource.conditions, method || :delete)).merge(resource.requirements(require_id))
-          else                  default_options.merge(add_conditions_for(resource.conditions, method)).merge(resource.requirements)
+          else                 default_options.merge(add_conditions_for(resource.conditions, method)).merge(resource.requirements(force_id))
         end
       end
   end
 end
-
-class ActionController::Routing::RouteSet::Mapper
-  include ActionController::Resources
-end

data/lib/action_controller/response.rb

@@ -1,24 +1,25 @@
 require 'digest/md5'
 
 module ActionController # :nodoc:
-  # Represents an HTTP response generated by a controller action. One can use an
-  # ActionController::AbstractResponse object to retrieve the current state of the
-  # response, or customize the response. An AbstractResponse object can either
-  # represent a "real" HTTP response (i.e. one that is meant to be sent back to the
-  # web browser) or a test response (i.e. one that is generated from integration
-  # tests). See CgiResponse and TestResponse, respectively.
+  # Represents an HTTP response generated by a controller action. One can use
+  # an ActionController::Response object to retrieve the current state
+  # of the response, or customize the response. An Response object can
+  # either represent a "real" HTTP response (i.e. one that is meant to be sent
+  # back to the web browser) or a test response (i.e. one that is generated
+  # from integration tests). See CgiResponse and TestResponse, respectively.
   #
-  # AbstractResponse is mostly a Ruby on Rails framework implement detail, and should
-  # never be used directly in controllers. Controllers should use the methods defined
-  # in ActionController::Base instead. For example, if you want to set the HTTP
-  # response's content MIME type, then use ActionControllerBase#headers instead of
-  # AbstractResponse#headers.
+  # Response is mostly a Ruby on Rails framework implement detail, and
+  # should never be used directly in controllers. Controllers should use the
+  # methods defined in ActionController::Base instead. For example, if you want
+  # to set the HTTP response's content MIME type, then use
+  # ActionControllerBase#headers instead of Response#headers.
   #
-  # Nevertheless, integration tests may want to inspect controller responses in more
-  # detail, and that's when AbstractResponse can be useful for application developers.
-  # Integration test methods such as ActionController::Integration::Session#get and
-  # ActionController::Integration::Session#post return objects of type TestResponse
-  # (which are of course also of type AbstractResponse).
+  # Nevertheless, integration tests may want to inspect controller responses in
+  # more detail, and that's when Response can be useful for application
+  # developers. Integration test methods such as
+  # ActionController::Integration::Session#get and
+  # ActionController::Integration::Session#post return objects of type
+  # TestResponse (which are of course also of type Response).
   #
   # For example, the following demo integration "test" prints the body of the
   # controller response to the console:
@@ -29,25 +30,25 @@ module ActionController # :nodoc:
   #      puts @response.body
   #    end
   #  end
-  class AbstractResponse
+  class Response < Rack::Response
     DEFAULT_HEADERS = { "Cache-Control" => "no-cache" }
     attr_accessor :request
 
-    # The body content (e.g. HTML) of the response, as a String.
-    attr_accessor :body
-    # The headers of the response, as a Hash. It maps header names to header values.
-    attr_accessor :headers
-    attr_accessor :session, :cookies, :assigns, :template, :layout
+    attr_accessor :session, :assigns, :template, :layout
     attr_accessor :redirected_to, :redirected_to_method_params
 
     delegate :default_charset, :to => 'ActionController::Base'
 
     def initialize
-      @body, @headers, @session, @assigns = "", DEFAULT_HEADERS.merge("cookie" => []), [], []
-    end
+      @status = 200
+      @header = Rack::Utils::HeaderHash.new(DEFAULT_HEADERS)
+
+      @writer = lambda { |x| @body << x }
+      @block = nil
 
-    def status; headers['Status'] end
-    def status=(status) headers['Status'] = status end
+      @body = "",
+      @session, @assigns = [], []
+    end
 
     def location; headers['Location'] end
     def location=(url) headers['Location'] = url end
@@ -109,13 +110,17 @@ module ActionController # :nodoc:
     def etag
       headers['ETag']
     end
-    
+
     def etag?
       headers.include?('ETag')
     end
-    
+
     def etag=(etag)
-      headers['ETag'] = %("#{Digest::MD5.hexdigest(ActiveSupport::Cache.expand_cache_key(etag))}")
+      if etag.blank?
+        headers.delete('ETag')
+      else
+        headers['ETag'] = %("#{Digest::MD5.hexdigest(ActiveSupport::Cache.expand_cache_key(etag))}")
+      end
     end
 
     def redirect(url, status)
@@ -138,26 +143,58 @@ module ActionController # :nodoc:
       handle_conditional_get!
       set_content_length!
       convert_content_type!
+      convert_language!
+      convert_cookies!
+    end
+
+    def each(&callback)
+      if @body.respond_to?(:call)
+        @writer = lambda { |x| callback.call(x) }
+        @body.call(self, self)
+      elsif @body.is_a?(String)
+        @body.each_line(&callback)
+      else
+        @body.each(&callback)
+      end
+
+      @writer = callback
+      @block.call(self) if @block
+    end
+
+    def write(str)
+      @writer.call str.to_s
+      str
+    end
+
+    def set_cookie(key, value)
+      if value.has_key?(:http_only)
+        ActiveSupport::Deprecation.warn(
+          "The :http_only option in ActionController::Response#set_cookie " +
+          "has been renamed. Please use :httponly instead.", caller)
+        value[:httponly] ||= value.delete(:http_only)
+      end
+
+      super(key, value)
     end
 
     private
-      def handle_conditional_get! 
-        if etag? || last_modified? 
-          set_conditional_cache_control! 
-        elsif nonempty_ok_response? 
-          self.etag = body 
-
-          if request && request.etag_matches?(etag) 
-            self.status = '304 Not Modified' 
-            self.body = '' 
-          end 
-
-          set_conditional_cache_control! 
-        end 
+      def handle_conditional_get!
+        if etag? || last_modified?
+          set_conditional_cache_control!
+        elsif nonempty_ok_response?
+          self.etag = body
+
+          if request && request.etag_matches?(etag)
+            self.status = '304 Not Modified'
+            self.body = ''
+          end
+
+          set_conditional_cache_control!
+        end
       end
 
       def nonempty_ok_response?
-        ok = !status || status[0..2] == '200'
+        ok = !status || status.to_s[0..2] == '200'
         ok && body.is_a?(String) && !body.empty?
       end
 
@@ -168,23 +205,28 @@ module ActionController # :nodoc:
       end
 
       def convert_content_type!
-        if content_type = headers.delete("Content-Type")
-          self.headers["type"] = content_type
-        end
-        if content_type = headers.delete("Content-type")
-          self.headers["type"] = content_type
-        end
-        if content_type = headers.delete("content-type")
-          self.headers["type"] = content_type
-        end
+        headers['Content-Type'] ||= "text/html"
+        headers['Content-Type'] += "; charset=" + headers.delete('charset') if headers['charset']
       end
-    
-      # Don't set the Content-Length for block-based bodies as that would mean reading it all into memory. Not nice
-      # for, say, a 2GB streaming file.
+
+      # Don't set the Content-Length for block-based bodies as that would mean
+      # reading it all into memory. Not nice for, say, a 2GB streaming file.
       def set_content_length!
-        unless body.respond_to?(:call) || (status && status[0..2] == '304')
-          self.headers["Content-Length"] ||= body.size
+        if status && status.to_s[0..2] == '204'
+          headers.delete('Content-Length')
+        elsif length = headers['Content-Length']
+          headers['Content-Length'] = length.to_s
+        elsif !body.respond_to?(:call) && (!status || status.to_s[0..2] != '304')
+          headers["Content-Length"] = (body.respond_to?(:bytesize) ? body.bytesize : body.size).to_s
         end
       end
+
+      def convert_language!
+        headers["Content-Language"] = headers.delete("language") if headers["language"]
+      end
+
+      def convert_cookies!
+        headers['Set-Cookie'] = Array(headers['Set-Cookie']).compact
+      end
   end
 end