actionpack 2.3.8 → 2.3.9.pre

data/lib/action_controller/session/cookie_store.rb

@@ -36,6 +36,8 @@ module ActionController
     #
     # Note that changing digest or secret invalidates all existing sessions!
     class CookieStore
+      include AbstractStore::SessionUtils
+      
       # Cookies can typically store 4096 bytes.
       MAX = 4096
       SECRET_MIN_LENGTH = 30 # characters
@@ -93,20 +95,20 @@ module ActionController
       end
 
       def call(env)
-        env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
-        env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
-
+        prepare!(env)
+        
         status, headers, body = @app.call(env)
 
         session_data = env[ENV_SESSION_KEY]
         options = env[ENV_SESSION_OPTIONS_KEY]
 
-        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
-          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
+        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after]
+          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?
+
+          persistent_session_id!(session_data)
           session_data = marshal(session_data.to_hash)
 
           raise CookieOverflow if session_data.size > MAX
-
           cookie = Hash.new
           cookie[:value] = session_data
           unless options[:expire_after].nil?
@@ -114,17 +116,20 @@ module ActionController
           end
 
           cookie = build_cookie(@key, cookie.merge(options))
-          unless headers[HTTP_SET_COOKIE].blank?
-            headers[HTTP_SET_COOKIE] << "\n#{cookie}"
-          else
-            headers[HTTP_SET_COOKIE] = cookie
-          end
+          headers[HTTP_SET_COOKIE] = [] if headers[HTTP_SET_COOKIE].blank?
+          headers[HTTP_SET_COOKIE] << cookie
         end
 
         [status, headers, body]
       end
 
       private
+      
+        def prepare!(env)
+          env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
+          env[ENV_SESSION_OPTIONS_KEY] = AbstractStore::OptionsHash.new(self, env, @default_options)
+        end
+      
         # Should be in Rack::Utils soon
         def build_cookie(key, value)
           case value
@@ -146,20 +151,46 @@ module ActionController
         end
 
         def load_session(env)
-          request = Rack::Request.new(env)
-          session_data = request.cookies[@key]
-          data = unmarshal(session_data) || persistent_session_id!({})
+          data = unpacked_cookie_data(env)
+          data = persistent_session_id!(data)
           [data[:session_id], data]
         end
+        
+        def extract_session_id(env)
+          if data = unpacked_cookie_data(env)
+            persistent_session_id!(data) unless data.empty?
+            data[:session_id]
+          else
+            nil
+          end
+        end
+
+        def current_session_id(env)
+          env[ENV_SESSION_OPTIONS_KEY][:id]
+        end
+
+        def exists?(env)
+          current_session_id(env).present?
+        end
+
+        def unpacked_cookie_data(env)
+          env["action_dispatch.request.unsigned_session_cookie"] ||= begin
+            stale_session_check! do
+              request = Rack::Request.new(env)
+              session_data = request.cookies[@key]
+              unmarshal(session_data) || {}
+            end
+          end
+        end
 
         # Marshal a session hash into safe cookie data. Include an integrity hash.
         def marshal(session)
-          @verifier.generate(persistent_session_id!(session))
+          @verifier.generate(session)
         end
 
         # Unmarshal cookie data to a hash and verify its integrity.
         def unmarshal(cookie)
-          persistent_session_id!(@verifier.verify(cookie)) if cookie
+          @verifier.verify(cookie) if cookie
         rescue ActiveSupport::MessageVerifier::InvalidSignature
           nil
         end
@@ -207,6 +238,10 @@ module ActionController
           ActiveSupport::SecureRandom.hex(16)
         end
 
+        def destroy(env)
+          # session data is stored on client; nothing to do here
+        end
+
         def persistent_session_id!(data)
           (data ||= {}).merge!(inject_persistent_session_id(data))
         end

data/lib/action_controller/session/mem_cache_store.rb

@@ -43,6 +43,15 @@ begin
           rescue MemCache::MemCacheError, Errno::ECONNREFUSED
             return false
           end
+          
+          def destroy(env)
+            if sid = current_session_id(env)
+              @pool.delete(sid)
+            end
+          rescue MemCache::MemCacheError, Errno::ECONNREFUSED
+            false
+          end
+          
       end
     end
   end

data/lib/action_controller/test_process.rb

@@ -450,7 +450,7 @@ module ActionController #:nodoc:
     def xml_http_request(request_method, action, parameters = nil, session = nil, flash = nil)
       @request.env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
       @request.env['HTTP_ACCEPT'] =  [Mime::JS, Mime::HTML, Mime::XML, 'text/xml', Mime::ALL].join(', ')
-      returning __send__(request_method, action, parameters, session, flash) do
+      __send__(request_method, action, parameters, session, flash).tap do
         @request.env.delete 'HTTP_X_REQUESTED_WITH'
         @request.env.delete 'HTTP_ACCEPT'
       end

data/lib/action_controller/url_rewriter.rb

@@ -92,6 +92,14 @@ module ActionController
   #     end
   #   end
   module UrlWriter
+    RESERVED_PCHAR = ':@&=+$,;%'
+    SAFE_PCHAR = "#{URI::REGEXP::PATTERN::UNRESERVED}#{RESERVED_PCHAR}"
+    if RUBY_VERSION >= '1.9'
+      UNSAFE_PCHAR = Regexp.new("[^#{SAFE_PCHAR}]", false).freeze
+    else
+      UNSAFE_PCHAR = Regexp.new("[^#{SAFE_PCHAR}]", false, 'N').freeze
+    end
+
     def self.included(base) #:nodoc:
       ActionController::Routing::Routes.install_helpers(base)
       base.mattr_accessor :default_url_options
@@ -142,7 +150,7 @@ module ActionController
       end
       trailing_slash = options.delete(:trailing_slash) if options.key?(:trailing_slash)
       url << ActionController::Base.relative_url_root.to_s unless options[:skip_relative_url_root]
-      anchor = "##{CGI.escape options.delete(:anchor).to_param.to_s}" if options[:anchor]
+      anchor = "##{URI.escape(options.delete(:anchor).to_param.to_s, UNSAFE_PCHAR)}" if options[:anchor]
       generated = Routing::Routes.generate(options, {})
       url << (trailing_slash ? generated.sub(/\?|\z/) { "/" + $& } : generated)
       url << anchor if anchor

data/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 8
+    TINY  = 9
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/lib/action_view/helpers/form_helper.rb

@@ -877,9 +877,9 @@ module ActionView
 
         def value_before_type_cast(object, method_name)
           unless object.nil?
-            object.respond_to?(method_name + "_before_type_cast") ?
-            object.send(method_name + "_before_type_cast") :
-            object.send(method_name)
+            object.respond_to?(method_name) ?
+            object.send(method_name) :
+            object.send(method_name + "_before_type_cast")
           end
         end
 

data/lib/action_view/helpers/form_options_helper.rb

@@ -481,7 +481,7 @@ module ActionView
         end
 
         zone_options += options_for_select(convert_zones[zones], selected)
-        zone_options
+        zone_options.html_safe
       end
 
       private

data/lib/action_view/helpers/form_tag_helper.rb

@@ -440,7 +440,7 @@ module ActionView
 
       private
         def html_options_for_form(url_for_options, options, *parameters_for_url)
-          returning options.stringify_keys do |html_options|
+          options.stringify_keys.tap do |html_options|
             html_options["enctype"] = "multipart/form-data" if html_options.delete("multipart")
             html_options["action"]  = url_for(url_for_options, *parameters_for_url)
           end

data/lib/action_view/helpers/prototype_helper.rb

@@ -653,7 +653,7 @@ module ActionView
         # <script> tag.
         module GeneratorMethods
           def to_s #:nodoc:
-            returning javascript = @lines * $/ do
+            (@lines * $/).tap do |javascript|
               if ActionView::Base.debug_rjs
                 source = javascript.dup
                 javascript.replace "try {\n#{source}\n} catch (e) "
@@ -981,8 +981,8 @@ module ActionView
             end
 
             def record(line)
-              returning line = "#{line.to_s.chomp.gsub(/\;\z/, '')};" do
-                self << line
+              "#{line.to_s.chomp.gsub(/\;\z/, '')};".tap do |_line|
+                self << _line
               end
             end
 

data/lib/action_view/helpers/text_helper.rb

@@ -532,9 +532,14 @@ module ActionView
         end
 
         AUTO_LINK_RE = %r{
-            ( https?:// | www\. )
+            (?: ([\w+.:-]+:)// | www\. )
             [^\s<]+
-          }x unless const_defined?(:AUTO_LINK_RE)
+          }x
+
+        # regexps for determining context, used high-volume
+        AUTO_LINK_CRE = [/<[^>]+$/, /^[^>]*>/, /<a\b.*?>/i, /<\/a>/i]
+
+        AUTO_EMAIL_RE = /[\w.!#\$%+-]+@[\w-]+(?:\.[\w-]+)+/
 
         BRACKETS = { ']' => '[', ')' => '(', '}' => '{' }
 
@@ -543,26 +548,26 @@ module ActionView
         def auto_link_urls(text, html_options = {})
           link_attributes = html_options.stringify_keys
           text.gsub(AUTO_LINK_RE) do
-            href = $&
-            punctuation = ''
-            left, right = $`, $'
-            # detect already linked URLs and URLs in the middle of a tag
-            if left =~ /<[^>]+$/ && right =~ /^[^>]*>/
+            scheme, href = $1, $&
+            punctuation = []
+
+            if auto_linked?($`, $')
               # do not change string; URL is already linked
               href
             else
               # don't include trailing punctuation character as part of the URL
-              if href.sub!(/[^\w\/-]$/, '') and punctuation = $& and opening = BRACKETS[punctuation]
-                if href.scan(opening).size > href.scan(punctuation).size
-                  href << punctuation
-                  punctuation = ''
+              while href.sub!(/[^\w\/-]$/, '')
+                punctuation.push $&
+                if opening = BRACKETS[punctuation.last] and href.scan(opening).size > href.scan(punctuation.last).size
+                  href << punctuation.pop
+                  break
                 end
               end
 
               link_text = block_given?? yield(href) : href
-              href = 'http://' + href unless href =~ %r{^[a-z]+://}i
+              href = 'http://' + href unless scheme
 
-              content_tag(:a, h(link_text), link_attributes.merge('href' => href)) + punctuation
+              content_tag(:a, h(link_text), link_attributes.merge('href' => href)) + punctuation.reverse.join('')
             end
           end
         end
@@ -570,11 +575,10 @@ module ActionView
         # Turns all email addresses into clickable links.  If a block is given,
         # each email is yielded and the result is used as the link text.
         def auto_link_email_addresses(text, html_options = {})
-          body = text.dup
-          text.gsub(/([\w\.!#\$%\-+.]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+)/) do
-            text = $1
+          text.gsub(AUTO_EMAIL_RE) do
+            text = $&
 
-            if body.match(/<a\b[^>]*>(.*)(#{Regexp.escape(text)})(.*)<\/a>/)
+            if auto_linked?($`, $')
               text
             else
               display_text = (block_given?) ? yield(text) : text
@@ -582,6 +586,12 @@ module ActionView
             end
           end
         end
+
+        # Detects already linked context or position in the middle of a tag
+        def auto_linked?(left, right)
+          (left =~ AUTO_LINK_CRE[0] and right =~ AUTO_LINK_CRE[1]) or
+            (left.rindex(AUTO_LINK_CRE[2]) and $' !~ AUTO_LINK_CRE[3])
+        end
     end
   end
 end

data/lib/action_view/locale/en.yml

@@ -63,37 +63,37 @@
       half_a_minute: "half a minute"
       less_than_x_seconds:
         one:   "less than 1 second"
-        other: "less than {{count}} seconds"
+        other: "less than %{count} seconds"
       x_seconds:
         one:   "1 second"
-        other: "{{count}} seconds"
+        other: "%{count} seconds"
       less_than_x_minutes:
         one:   "less than a minute"
-        other: "less than {{count}} minutes"
+        other: "less than %{count} minutes"
       x_minutes:
         one:   "1 minute"
-        other: "{{count}} minutes"
+        other: "%{count} minutes"
       about_x_hours:
         one:   "about 1 hour"
-        other: "about {{count}} hours"
+        other: "about %{count} hours"
       x_days:
         one:   "1 day"
-        other: "{{count}} days"
+        other: "%{count} days"
       about_x_months:
         one:   "about 1 month"
-        other: "about {{count}} months"
+        other: "about %{count} months"
       x_months:
         one:   "1 month"
-        other: "{{count}} months"
+        other: "%{count} months"
       about_x_years:
         one:   "about 1 year"
-        other: "about {{count}} years"
+        other: "about %{count} years"
       over_x_years:
         one:   "over 1 year"
-        other: "over {{count}} years"
+        other: "over %{count} years"
       almost_x_years:
         one:   "almost 1 year"
-        other: "almost {{count}} years"
+        other: "almost %{count} years"
     prompts:
       year:   "Year"
       month:  "Month"
@@ -106,12 +106,12 @@
     errors:
       template:
         header:
-          one:    "1 error prohibited this {{model}} from being saved"
-          other:  "{{count}} errors prohibited this {{model}} from being saved"
+          one:    "1 error prohibited this %{model} from being saved"
+          other:  "%{count} errors prohibited this %{model} from being saved"
         # The variable :count is also available
         body: "There were problems with the following fields:"
 
   support:
     select:
       # default value for :prompt => true in FormOptionsHelper
-      prompt: "Please select"
+      prompt: "Please select"

data/lib/action_view/template.rb

@@ -45,8 +45,8 @@ module ActionView #:nodoc:
       end
 
       def self.new_and_loaded(path)
-        returning new(path) do |path|
-          path.load!
+        new(path).tap do |_path|
+          _path.load!
         end
       end
 

data/test/abstract_unit.rb

@@ -58,4 +58,21 @@ class DummyMutex
   end
 end
 
+class ActionController::IntegrationTest < ActiveSupport::TestCase
+  def with_autoload_path(path)
+    path = File.join(File.dirname(__FILE__), "fixtures", path)  
+    if ActiveSupport::Dependencies.autoload_paths.include?(path)
+      yield
+    else
+      begin
+        ActiveSupport::Dependencies.autoload_paths << path
+        yield
+      ensure
+        ActiveSupport::Dependencies.autoload_paths.reject! {|p| p == path}
+        ActiveSupport::Dependencies.clear
+      end              
+    end
+  end
+end
+
 ActionController::Reloader.default_lock = DummyMutex.new

data/test/activerecord/active_record_store_test.rb

@@ -22,7 +22,6 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
     end
 
     def get_session_id
-      session[:foo]
       render :text => "#{request.session_options[:id]}"
     end
 
@@ -45,23 +44,27 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
     ActiveRecord::SessionStore.session_class.drop_table!
   end
 
-  def test_setting_and_getting_session_value
-    with_test_route_set do
-      get '/set_session_value'
-      assert_response :success
-      assert cookies['_session_id']
-
-      get '/get_session_value'
-      assert_response :success
-      assert_equal 'foo: "bar"', response.body
-
-      get '/set_session_value', :foo => "baz"
-      assert_response :success
-      assert cookies['_session_id']
-
-      get '/get_session_value'
-      assert_response :success
-      assert_equal 'foo: "baz"', response.body
+  %w{ session sql_bypass }.each do |class_name|
+    define_method("test_setting_and_getting_session_value_with_#{class_name}_store") do
+      with_store class_name do
+        with_test_route_set do
+          get '/set_session_value'
+          assert_response :success
+          assert cookies['_session_id']
+
+          get '/get_session_value'
+          assert_response :success
+          assert_equal 'foo: "bar"', response.body
+
+          get '/set_session_value', :foo => "baz"
+          assert_response :success
+          assert cookies['_session_id']
+
+          get '/get_session_value'
+          assert_response :success
+          assert_equal 'foo: "baz"', response.body
+        end
+      end
     end
   end
 
@@ -107,6 +110,38 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
     end
   end
 
+  def test_getting_session_value
+    with_test_route_set do
+      get '/set_session_value'
+      assert_response :success
+      assert cookies['_session_id']
+
+      get '/get_session_value'
+      assert_response :success
+      assert_equal nil, headers['Set-Cookie'], "should not resend the cookie again if session_id cookie is already exists"
+      session_id = cookies["_session_id"]
+
+      get '/call_reset_session'
+      assert_response :success
+      assert_not_equal [], headers['Set-Cookie']
+
+      cookies["_session_id"] = session_id # replace our new session_id with our old, pre-reset session_id
+
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: nil', response.body, "data for this session should have been obliterated from the database"
+    end
+  end
+
+  def test_getting_from_nonexistent_session
+    with_test_route_set do
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: nil', response.body
+      assert_nil cookies['_session_id'], "should only create session on write, not read"
+    end
+  end
+
   def test_prevents_session_fixation
     with_test_route_set do
       get '/set_session_value'
@@ -171,4 +206,16 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
         yield
       end
     end
+
+    def with_store(class_name)
+      begin
+        session_class = ActiveRecord::SessionStore.session_class
+        ActiveRecord::SessionStore.session_class = "ActiveRecord::SessionStore::#{class_name.camelize}".constantize
+        yield
+      rescue
+        ActiveRecord::SessionStore.session_class = session_class
+        raise
+      end
+    end
+
 end