actionpack 2.3.18 → 3.0.0.beta

data/lib/action_controller/vendor/html-scanner.rb

@@ -1,16 +1,20 @@
 $LOAD_PATH << "#{File.dirname(__FILE__)}/html-scanner"
 
 module HTML
-  autoload :CDATA, 'html/node'
-  autoload :Document, 'html/document'
-  autoload :FullSanitizer, 'html/sanitizer'
-  autoload :LinkSanitizer, 'html/sanitizer'
-  autoload :Node, 'html/node'
-  autoload :Sanitizer, 'html/sanitizer'
-  autoload :Selector, 'html/selector'
-  autoload :Tag, 'html/node'
-  autoload :Text, 'html/node'
-  autoload :Tokenizer, 'html/tokenizer'
-  autoload :Version, 'html/version'
-  autoload :WhiteListSanitizer, 'html/sanitizer'
+  extend ActiveSupport::Autoload
+
+  eager_autoload do
+    autoload :CDATA, 'html/node'
+    autoload :Document, 'html/document'
+    autoload :FullSanitizer, 'html/sanitizer'
+    autoload :LinkSanitizer, 'html/sanitizer'
+    autoload :Node, 'html/node'
+    autoload :Sanitizer, 'html/sanitizer'
+    autoload :Selector, 'html/selector'
+    autoload :Tag, 'html/node'
+    autoload :Text, 'html/node'
+    autoload :Tokenizer, 'html/tokenizer'
+    autoload :Version, 'html/version'
+    autoload :WhiteListSanitizer, 'html/sanitizer'
+  end
 end

data/lib/action_controller/vendor/html-scanner/html/node.rb

@@ -162,7 +162,7 @@ module HTML #:nodoc:
           end
           
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
           name.downcase!
   
           unless closing

data/lib/action_controller/vendor/html-scanner/html/sanitizer.rb

@@ -1,3 +1,6 @@
+require 'set'
+require 'active_support/core_ext/class/inheritable_attributes'
+
 module HTML
   class Sanitizer
     def sanitize(text, options = {})
@@ -62,8 +65,8 @@ module HTML
 
     # A regular expression of the valid characters used to separate protocols like
     # the ':' in 'http://foo.com'
-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i
-
+    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|%)3A/
+    
     # Specifies a Set of HTML attributes that can have URIs.
     self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
 
@@ -73,7 +76,7 @@ module HTML
     
     # Specifies the default Set of tags that the #sanitize helper will allow unscathed.
     self.allowed_tags           = Set.new(%w(strong em b i p code pre tt samp kbd var sub 
-      sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr 
+      sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr 
       acronym a img blockquote del ins))
 
     # Specifies the default Set of html attributes that the #sanitize helper will leave 
@@ -106,8 +109,8 @@ module HTML
       style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
 
       # gauntlet
-      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
-          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
+      if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
+          style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
         return ''
       end
 
@@ -117,8 +120,8 @@ module HTML
           clean <<  prop + ': ' + val + ';'
         elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) 
           unless val.split().any? do |keyword|
-            !allowed_css_keywords.include?(keyword) &&
-              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+            !allowed_css_keywords.include?(keyword) && 
+              keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
           end
             clean << prop + ': ' + val + ';'
           end
@@ -166,8 +169,8 @@ module HTML
     end
 
     def contains_bad_protocols?(attr_name, value)
-      uri_attributes.include?(attr_name) &&
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+      uri_attributes.include?(attr_name) && 
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
     end
   end
 end

data/lib/action_dispatch.rb

@@ -0,0 +1,88 @@
+#--
+# Copyright (c) 2004-2010 David Heinemeier Hansson
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#++
+
+activesupport_path = File.expand_path('../../../activesupport/lib', __FILE__)
+$:.unshift(activesupport_path) if File.directory?(activesupport_path) && !$:.include?(activesupport_path)
+
+require 'active_support'
+require 'active_support/dependencies/autoload'
+
+require 'rack'
+
+module Rack
+  autoload :Test, 'rack/test'
+end
+
+module ActionDispatch
+  extend ActiveSupport::Autoload
+
+  autoload_under 'http' do
+    autoload :Request
+    autoload :Response
+  end
+
+  autoload_under 'middleware' do
+    autoload :Callbacks
+    autoload :Cascade
+    autoload :Cookies
+    autoload :Flash
+    autoload :Head
+    autoload :ParamsParser
+    autoload :Rescue
+    autoload :ShowExceptions
+    autoload :Static
+  end
+
+  autoload :MiddlewareStack, 'action_dispatch/middleware/stack'
+  autoload :Routing
+
+  module Http
+    extend ActiveSupport::Autoload
+
+    autoload :Cache
+    autoload :Headers
+    autoload :MimeNegotiation
+    autoload :Parameters
+    autoload :FilterParameters
+    autoload :Upload
+    autoload :UploadedFile, 'action_dispatch/http/upload'
+    autoload :URL
+  end
+
+  module Session
+    autoload :AbstractStore, 'action_dispatch/middleware/session/abstract_store'
+    autoload :CookieStore,   'action_dispatch/middleware/session/cookie_store'
+    autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store'
+  end
+
+  autoload_under 'testing' do
+    autoload :Assertions
+    autoload :Integration
+    autoload :PerformanceTest
+    autoload :TestProcess
+    autoload :TestRequest
+    autoload :TestResponse
+  end
+end
+
+autoload :Mime, 'action_dispatch/http/mime_type'

data/lib/action_dispatch/http/cache.rb

@@ -0,0 +1,123 @@
+module ActionDispatch
+  module Http
+    module Cache
+      module Request
+        def if_modified_since
+          if since = env['HTTP_IF_MODIFIED_SINCE']
+            Time.rfc2822(since) rescue nil
+          end
+        end
+
+        def if_none_match
+          env['HTTP_IF_NONE_MATCH']
+        end
+
+        def not_modified?(modified_at)
+          if_modified_since && modified_at && if_modified_since >= modified_at
+        end
+
+        def etag_matches?(etag)
+          if_none_match && if_none_match == etag
+        end
+
+        # Check response freshness (Last-Modified and ETag) against request
+        # If-Modified-Since and If-None-Match conditions. If both headers are
+        # supplied, both must match, or the request is not considered fresh.
+        def fresh?(response)
+          last_modified = if_modified_since
+          etag          = if_none_match
+
+          return false unless last_modified || etag
+
+          success = true
+          success &&= not_modified?(response.last_modified) if last_modified
+          success &&= etag_matches?(response.etag) if etag
+          success
+        end
+      end
+
+      module Response
+        def cache_control
+          @cache_control ||= {}
+        end
+
+        def last_modified
+          if last = headers['Last-Modified']
+            Time.httpdate(last)
+          end
+        end
+
+        def last_modified?
+          headers.include?('Last-Modified')
+        end
+
+        def last_modified=(utc_time)
+          headers['Last-Modified'] = utc_time.httpdate
+        end
+
+        def etag
+          @etag
+        end
+
+        def etag?
+          @etag
+        end
+
+        def etag=(etag)
+          key = ActiveSupport::Cache.expand_cache_key(etag)
+          @etag = %("#{Digest::MD5.hexdigest(key)}")
+        end
+
+      private
+
+        def handle_conditional_get!
+          if etag? || last_modified? || !@cache_control.empty?
+            set_conditional_cache_control!
+          elsif nonempty_ok_response?
+            self.etag = @body
+
+            if request && request.etag_matches?(etag)
+              self.status = 304
+              self.body = []
+            end
+
+            set_conditional_cache_control!
+          else
+            headers["Cache-Control"] = "no-cache"
+          end
+        end
+
+        def nonempty_ok_response?
+          @status == 200 && string_body?
+        end
+
+        def string_body?
+          !@blank && @body.respond_to?(:all?) && @body.all? { |part| part.is_a?(String) }
+        end
+
+        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate"
+
+        def set_conditional_cache_control!
+          control = @cache_control
+
+          if control.empty?
+            headers["Cache-Control"] = DEFAULT_CACHE_CONTROL
+          elsif @cache_control[:no_cache]
+            headers["Cache-Control"] = "no-cache"
+          else
+            extras  = control[:extras]
+            max_age = control[:max_age]
+
+            options = []
+            options << "max-age=#{max_age.to_i}" if max_age
+            options << (control[:public] ? "public" : "private")
+            options << "must-revalidate" if control[:must_revalidate]
+            options.concat(extras) if extras
+
+            headers["Cache-Control"] = options.join(", ")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_dispatch/http/filter_parameters.rb

@@ -0,0 +1,98 @@
+require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/hash/keys'
+
+module ActionDispatch
+  module Http
+    # Allows you to specify sensitive parameters which will be replaced from
+    # the request log by looking in all subhashes of the param hash for keys
+    # to filter. If a block is given, each key and value of the parameter
+    # hash and all subhashes is passed to it, the value or key can be replaced
+    # using String#replace or similar method.
+    #
+    # Examples:
+    #
+    #   env["action_dispatch.parameter_filter"] = [:password]
+    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    #
+    #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
+    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
+    #
+    #   env["action_dispatch.parameter_filter"] = lambda do |k,v|
+    #     v.reverse! if k =~ /secret/i
+    #   end
+    #   => reverses the value to all keys matching /secret/i
+    #
+    module FilterParameters
+      extend ActiveSupport::Concern
+
+      # Return a hash of parameters with all sensitive data replaced.
+      def filtered_parameters
+        @filtered_parameters ||= process_parameter_filter(parameters)
+      end
+      alias :fitered_params :filtered_parameters
+
+      # Return a hash of request.env with all sensitive data replaced.
+      def filtered_env
+        filtered_env = @env.dup
+        filtered_env.each do |key, value|
+          if (key =~ /RAW_POST_DATA/i)
+            filtered_env[key] = '[FILTERED]'
+          elsif value.is_a?(Hash)
+            filtered_env[key] = process_parameter_filter(value)
+          end
+        end
+        filtered_env
+      end
+
+    protected
+
+      def compile_parameter_filter #:nodoc:
+        strings, regexps, blocks = [], [], []
+
+        Array(@env["action_dispatch.parameter_filter"]).each do |item|
+          case item
+          when NilClass
+          when Proc
+            blocks << item
+          when Regexp
+            regexps << item
+          else
+            strings << item.to_s
+          end
+        end
+
+        regexps << Regexp.new(strings.join('|'), true) unless strings.empty?
+        [regexps, blocks]
+      end
+
+      def filtering_parameters? #:nodoc:
+        @env["action_dispatch.parameter_filter"].present?
+      end
+
+      def process_parameter_filter(original_params) #:nodoc:
+        return original_params.dup unless filtering_parameters?
+
+        filtered_params = {}
+        regexps, blocks = compile_parameter_filter
+
+        original_params.each do |key, value|
+          if regexps.find { |r| key =~ r }
+            value = '[FILTERED]'
+          elsif value.is_a?(Hash)
+            value = process_parameter_filter(value)
+          elsif value.is_a?(Array)
+            value = value.map { |i| process_parameter_filter(i) }
+          elsif blocks.present?
+            key = key.dup
+            value = value.dup if value.duplicable?
+            blocks.each { |b| b.call(key, value) }
+          end
+
+          filtered_params[key] = value
+        end
+
+        filtered_params
+      end
+    end
+  end
+end

data/lib/{action_controller → action_dispatch/http}/headers.rb

@@ -1,18 +1,18 @@
 require 'active_support/memoizable'
 
-module ActionController
+module ActionDispatch
   module Http
     class Headers < ::Hash
       extend ActiveSupport::Memoizable
 
       def initialize(*args)
-         if args.size == 1 && args[0].is_a?(Hash)
-           super()
-           update(args[0])
-         else
-           super
-         end
-       end
+        if args.size == 1 && args[0].is_a?(Hash)
+          super()
+          update(args[0])
+        else
+          super
+        end
+      end
 
       def [](header_name)
         if include?(header_name)

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -0,0 +1,101 @@
+module ActionDispatch
+  module Http
+    module MimeNegotiation
+      # The MIME type of the HTTP request, such as Mime::XML.
+      #
+      # For backward compatibility, the post \format is extracted from the
+      # X-Post-Data-Format HTTP header if present.
+      def content_type
+        @env["action_dispatch.request.content_type"] ||= begin
+          if @env['CONTENT_TYPE'] =~ /^([^,\;]*)/
+            Mime::Type.lookup($1.strip.downcase)
+          else
+            nil
+          end
+        end
+      end
+
+      # Returns the accepted MIME type for the request.
+      def accepts
+        @env["action_dispatch.request.accepts"] ||= begin
+          header = @env['HTTP_ACCEPT'].to_s.strip
+
+          if header.empty?
+            [content_type]
+          else
+            Mime::Type.parse(header)
+          end
+        end
+      end
+
+      # Returns the Mime type for the \format used in the request.
+      #
+      #   GET /posts/5.xml   | request.format => Mime::XML
+      #   GET /posts/5.xhtml | request.format => Mime::HTML
+      #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first depending on the value of <tt>ActionController::Base.use_accept_header</tt>
+      #
+      def format(view_path = [])
+        formats.first
+      end
+
+      def formats
+        accept = @env['HTTP_ACCEPT']
+
+        @env["action_dispatch.request.formats"] ||=
+          if parameters[:format]
+            Array(Mime[parameters[:format]])
+          elsif xhr? || (accept && !accept.include?(?,))
+            accepts
+          else
+            [Mime::HTML]
+          end
+      end
+
+      # Sets the \format by string extension, which can be used to force custom formats
+      # that are not controlled by the extension.
+      #
+      #   class ApplicationController < ActionController::Base
+      #     before_filter :adjust_format_for_iphone
+      #
+      #     private
+      #       def adjust_format_for_iphone
+      #         request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #       end
+      #   end
+      def format=(extension)
+        parameters[:format] = extension.to_s
+        @env["action_dispatch.request.formats"] = [Mime::Type.lookup_by_extension(parameters[:format])]
+      end
+
+      # Returns a symbolized version of the <tt>:format</tt> parameter of the request.
+      # If no \format is given it returns <tt>:js</tt>for Ajax requests and <tt>:html</tt>
+      # otherwise.
+      def template_format
+        parameter_format = parameters[:format]
+
+        if parameter_format
+          parameter_format
+        elsif xhr?
+          :js
+        else
+          :html
+        end
+      end
+
+      # Receives an array of mimes and return the first user sent mime that
+      # matches the order array.
+      #
+      def negotiate_mime(order)
+        formats.each do |priority|
+          if priority == Mime::ALL
+            return order.first
+          elsif order.include?(priority)
+            return priority
+          end
+        end
+
+        order.include?(Mime::ALL) ? formats.first : nil
+      end
+    end
+  end
+end