actionpack 3.0.0.beta → 3.0.0.beta2

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -5,7 +5,7 @@ module ActionDispatch
       #
       # For backward compatibility, the post \format is extracted from the
       # X-Post-Data-Format HTTP header if present.
-      def content_type
+      def content_mime_type
         @env["action_dispatch.request.content_type"] ||= begin
           if @env['CONTENT_TYPE'] =~ /^([^,\;]*)/
             Mime::Type.lookup($1.strip.downcase)
@@ -15,13 +15,17 @@ module ActionDispatch
         end
       end
 
+      def content_type
+        content_mime_type && content_mime_type.to_s
+      end
+
       # Returns the accepted MIME type for the request.
       def accepts
         @env["action_dispatch.request.accepts"] ||= begin
           header = @env['HTTP_ACCEPT'].to_s.strip
 
           if header.empty?
-            [content_type]
+            [content_mime_type]
           else
             Mime::Type.parse(header)
           end
@@ -67,21 +71,6 @@ module ActionDispatch
         @env["action_dispatch.request.formats"] = [Mime::Type.lookup_by_extension(parameters[:format])]
       end
 
-      # Returns a symbolized version of the <tt>:format</tt> parameter of the request.
-      # If no \format is given it returns <tt>:js</tt>for Ajax requests and <tt>:html</tt>
-      # otherwise.
-      def template_format
-        parameter_format = parameters[:format]
-
-        if parameter_format
-          parameter_format
-        elsif xhr?
-          :js
-        else
-          :html
-        end
-      end
-
       # Receives an array of mimes and return the first user sent mime that
       # matches the order array.
       #

data/lib/action_dispatch/http/mime_type.rb

@@ -1,5 +1,6 @@
 require 'set'
 require 'active_support/core_ext/class/attribute_accessors'
+require 'active_support/core_ext/object/blank'
 
 module Mime
   class Mimes < Array
@@ -52,12 +53,6 @@ module Mime
     cattr_reader :browser_generated_types
     attr_reader :symbol
 
-    @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
-    def self.unverifiable_types
-      ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller)
-      @@unverifiable_types
-    end
-
     # A simple helper class used in parsing the accept header
     class AcceptItem #:nodoc:
       attr_accessor :order, :name, :q
@@ -100,7 +95,7 @@ module Mime
       end
 
       def register(string, symbol, mime_type_synonyms = [], extension_synonyms = [], skip_lookup = false)
-        Mime.instance_eval { const_set symbol.to_s.upcase, Type.new(string, symbol, mime_type_synonyms) }
+        Mime.const_set(symbol.to_s.upcase, Type.new(string, symbol, mime_type_synonyms))
 
         SET << Mime.const_get(symbol.to_s.upcase)
 

data/lib/action_dispatch/http/request.rb

@@ -30,6 +30,14 @@ module ActionDispatch
       METHOD
     end
 
+    def self.new(env)
+      if request = env["action_dispatch.request"] && request.instance_of?(self)
+        return request
+      end
+
+      super
+    end
+
     def key?(key)
       @env.key?(key)
     end
@@ -88,11 +96,11 @@ module ActionDispatch
     end
 
     def forgery_whitelisted?
-      method == :get || xhr? || content_type.nil? || !content_type.verify_request?
+      method == :get || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
     end
 
     def media_type
-      content_type.to_s
+      content_mime_type.to_s
     end
 
     # Returns the content length of the request as an integer.
@@ -119,36 +127,7 @@ module ActionDispatch
     # delimited list in the case of multiple chained proxies; the last
     # address which is not trusted is the originating IP.
     def remote_ip
-      remote_addr_list = @env['REMOTE_ADDR'] && @env['REMOTE_ADDR'].scan(/[^,\s]+/)
-
-      unless remote_addr_list.blank?
-        not_trusted_addrs = remote_addr_list.reject {|addr| addr =~ TRUSTED_PROXIES || addr =~ ActionController::Base.trusted_proxies}
-        return not_trusted_addrs.first unless not_trusted_addrs.empty?
-      end
-      remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
-
-      if @env.include? 'HTTP_CLIENT_IP'
-        if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
-          # We don't know which came from the proxy, and which from the user
-          raise ActionController::ActionControllerError.new <<EOM
-IP spoofing attack?!
-HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}
-HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}
-EOM
-        end
-
-        return @env['HTTP_CLIENT_IP']
-      end
-
-      if remote_ips
-        while remote_ips.size > 1 && (TRUSTED_PROXIES =~ remote_ips.last.strip || ActionController::Base.trusted_proxies =~ remote_ips.last.strip)
-          remote_ips.pop
-        end
-
-        return remote_ips.last.strip
-      end
-
-      @env['REMOTE_ADDR']
+      (@env["action_dispatch.remote_ip"] || ip).to_s
     end
 
     # Returns the lowercase name of the HTTP server software.
@@ -178,7 +157,7 @@ EOM
     end
 
     def form_data?
-      FORM_DATA_MEDIA_TYPES.include?(content_type.to_s)
+      FORM_DATA_MEDIA_TYPES.include?(content_mime_type.to_s)
     end
 
     def body_stream #:nodoc:

data/lib/action_dispatch/http/response.rb

@@ -1,5 +1,6 @@
 require 'digest/md5'
 require 'active_support/core_ext/module/delegation'
+require 'active_support/core_ext/object/blank'
 
 module ActionDispatch # :nodoc:
   # Represents an HTTP response generated by a controller action. One can use
@@ -32,31 +33,38 @@ module ActionDispatch # :nodoc:
   #    end
   #  end
   class Response < Rack::Response
-    include ActionDispatch::Http::Cache::Response
-
     attr_accessor :request, :blank
 
     attr_writer :header, :sending_file
     alias_method :headers=, :header=
 
-    def initialize
-      @status = 200
-      @header = {}
-      @cache_control = {}
+    module Setup
+      def initialize(status = 200, header = {}, body = [])
+        @writer = lambda { |x| @body << x }
+        @block = nil
+        @length = 0
 
-      @writer = lambda { |x| @body << x }
-      @block = nil
-      @length = 0
+        @status, @header = status, header
+        self.body = body
 
-      @body, @cookie = [], []
-      @sending_file = false
+        @cookie = []
+        @sending_file = false
 
-      @blank = false
-      @etag = nil
+        @blank = false
+
+        if content_type = self["Content-Type"]
+          type, charset = content_type.split(/;\s*charset=/)
+          @content_type = Mime::Type.lookup(type)
+          @charset = charset || "UTF-8"
+        end
 
-      yield self if block_given?
+        yield self if block_given?
+      end
     end
 
+    include Setup
+    include ActionDispatch::Http::Cache::Response
+
     def status=(status)
       @status = Rack::Utils.status_code(status)
     end
@@ -76,6 +84,18 @@ module ActionDispatch # :nodoc:
     end
     alias_method :status_message, :message
 
+    def respond_to?(method)
+      if method.to_sym == :to_path
+        @body.respond_to?(:to_path)
+      else
+        super
+      end
+    end
+
+    def to_path
+      @body.to_path
+    end
+
     def body
       str = ''
       each { |part| str << part.to_s }
@@ -120,7 +140,7 @@ module ActionDispatch # :nodoc:
       assign_default_content_type_and_charset!
       handle_conditional_get!
       self["Set-Cookie"] = @cookie.join("\n") unless @cookie.blank?
-      self["ETag"]       = @etag if @etag
+      self["ETag"]       = @_etag if @_etag
       super
     end
 

data/lib/action_dispatch/http/upload.rb

@@ -1,3 +1,5 @@
+require 'active_support/core_ext/object/blank'
+
 module ActionDispatch
   module Http
     module UploadedFile

data/lib/action_dispatch/http/url.rb

@@ -3,7 +3,7 @@ module ActionDispatch
     module URL
       # Returns the complete URL used for this request.
       def url
-        protocol + host_with_port + request_uri
+        protocol + host_with_port + fullpath
       end
 
       # Returns 'https://' if this is an SSL request and 'http://' otherwise.
@@ -81,42 +81,15 @@ module ActionDispatch
         parts[0..-(tld_length+2)]
       end
 
-      # Returns the query string, accounting for server idiosyncrasies.
-      def query_string
-        @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] : (@env['REQUEST_URI'].to_s.split('?', 2)[1] || '')
+      def subdomain(tld_length = 1)
+        subdomains(tld_length).join('.')
       end
 
       # Returns the request URI, accounting for server idiosyncrasies.
       # WEBrick includes the full URL. IIS leaves REQUEST_URI blank.
       def request_uri
-        if uri = @env['REQUEST_URI']
-          # Remove domain, which webrick puts into the request_uri.
-          (%r{^\w+\://[^/]+(/.*|$)$} =~ uri) ? $1 : uri
-        else
-          # Construct IIS missing REQUEST_URI from SCRIPT_NAME and PATH_INFO.
-          uri = @env['PATH_INFO'].to_s
-
-          if script_filename = @env['SCRIPT_NAME'].to_s.match(%r{[^/]+$})
-            uri = uri.sub(/#{script_filename}\//, '')
-          end
-
-          env_qs = @env['QUERY_STRING'].to_s
-          uri += "?#{env_qs}" unless env_qs.empty?
-
-          if uri.blank?
-            @env.delete('REQUEST_URI')
-          else
-            @env['REQUEST_URI'] = uri
-          end
-        end
-      end
-
-      # Returns the interpreted \path to requested resource after all the installation
-      # directory of this application was taken into account.
-      def path
-        path = request_uri.to_s[/\A[^\?]*/]
-        path.sub!(/\A#{ActionController::Base.relative_url_root}/, '')
-        path
+        ActiveSupport::Deprecation.warn "Using #request_uri is deprecated. Use fullpath instead.", caller
+        fullpath
       end
 
     private

data/lib/action_dispatch/middleware/callbacks.rb

@@ -37,7 +37,7 @@ module ActionDispatch
 
     def initialize(app, prepare_each_request = false)
       @app, @prepare_each_request = app, prepare_each_request
-      run_callbacks(:prepare) unless @prepare_each_request
+      run_callbacks(:prepare)
     end
 
     def call(env)

data/lib/action_dispatch/middleware/cookies.rb

@@ -84,6 +84,7 @@ module ActionDispatch
 
         options[:path] ||= "/"
         @set_cookies[key] = options
+        @delete_cookies.delete(key)
         value
       end
 
@@ -167,12 +168,12 @@ module ActionDispatch
 
     class SignedCookieJar < CookieJar #:nodoc:
       def initialize(parent_jar)
-        unless ActionController::Base.cookie_verifier_secret
-          raise "You must set ActionController::Base.cookie_verifier_secret to use signed cookies"
+        unless ActionController::Base.config.secret
+          raise "You must set ActionController::Base.config.secret"
         end
 
         @parent_jar = parent_jar
-        @verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.cookie_verifier_secret)
+        @verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.config.secret)
       end
 
       def [](name)

data/lib/action_dispatch/middleware/params_parser.rb

@@ -1,4 +1,3 @@
-require 'active_support/json'
 require 'action_dispatch/http/request'
 
 module ActionDispatch
@@ -26,7 +25,9 @@ module ActionDispatch
 
         return false if request.content_length.zero?
 
-        mime_type = content_type_from_legacy_post_data_format_header(env) || request.content_type
+        mime_type = content_type_from_legacy_post_data_format_header(env) ||
+          request.content_mime_type
+
         strategy = @parsers[mime_type]
 
         return false unless strategy
@@ -54,7 +55,7 @@ module ActionDispatch
 
         raise
           { "body"           => request.raw_post,
-            "content_type"   => request.content_type,
+            "content_type"   => request.content_mime_type,
             "content_length" => request.content_length,
             "exception"      => "#{e.message} (#{e.class})",
             "backtrace"      => e.backtrace }

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -0,0 +1,51 @@
+module ActionDispatch
+  class RemoteIp
+    class IpSpoofAttackError < StandardError ; end
+
+    class RemoteIpGetter
+      def initialize(env, check_ip_spoofing, trusted_proxies)
+        @env = env
+        @check_ip_spoofing = check_ip_spoofing
+        @trusted_proxies = trusted_proxies
+      end
+
+      def remote_addrs
+        @remote_addrs ||= begin
+          list = @env['REMOTE_ADDR'] ? @env['REMOTE_ADDR'].split(/[,\s]+/) : []
+          list.reject { |addr| addr =~ @trusted_proxies }
+        end
+      end
+
+      def to_s
+        return remote_addrs.first if remote_addrs.any?
+
+        forwarded_ips = @env['HTTP_X_FORWARDED_FOR'] ? @env['HTTP_X_FORWARDED_FOR'].strip.split(/[,\s]+/) : []
+
+        if client_ip = @env['HTTP_CLIENT_IP']
+          if @check_ip_spoofing && !forwarded_ips.include?(client_ip)
+            # We don't know which came from the proxy, and which from the user
+            raise IpSpoofAttackError, "IP spoofing attack?!" \
+              "HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}" \
+              "HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"
+          end
+          return client_ip
+        end
+
+        return forwarded_ips.reject { |ip| ip =~ @trusted_proxies }.last || @env["REMOTE_ADDR"]
+      end
+    end
+
+    def initialize(app, check_ip_spoofing = true, trusted_proxies = nil)
+      @app = app
+      @check_ip_spoofing = check_ip_spoofing
+      regex = '(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)'
+      regex << "|(#{trusted_proxies})" if trusted_proxies
+      @trusted_proxies = Regexp.new(regex, "i")
+    end
+
+    def call(env)
+      env["action_dispatch.remote_ip"] = RemoteIpGetter.new(env, @check_ip_spoofing, @trusted_proxies)
+      @app.call(env)
+    end
+  end
+end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -1,5 +1,6 @@
 require 'rack/utils'
 require 'rack/request'
+require 'active_support/core_ext/object/blank'
 
 module ActionDispatch
   module Session

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -1,5 +1,5 @@
 require 'active_support/core_ext/hash/keys'
-require 'rack/request'
+require 'active_support/core_ext/object/blank'
 
 module ActionDispatch
   module Session
@@ -177,9 +177,8 @@ module ActionDispatch
           if key.blank?
             raise ArgumentError, 'A key is required to write a ' +
               'cookie containing the session data. Use ' +
-              'config.action_controller.session = { :key => ' +
-              '"_myapp_session", :secret => "some secret phrase" } in ' +
-              'config/application.rb'
+              'config.action_controller.session_store :cookie_store, { :key => ' +
+              '"_myapp_session" } in config/application.rb'
           end
         end
 
@@ -193,10 +192,9 @@ module ActionDispatch
           if secret.blank?
             raise ArgumentError, "A secret is required to generate an " +
               "integrity hash for cookie session data. Use " +
-              "config.action_controller.session = { :key => " +
-              "\"_myapp_session\", :secret => \"some secret phrase of at " +
-              "least #{SECRET_MIN_LENGTH} characters\" } " +
-              "in config/environment.rb"
+              "config.cookie_secret = \"some secret phrase of at " +
+              "least #{SECRET_MIN_LENGTH} characters\"" +
+              "in config/application.rb"
           end
 
           if secret.length < SECRET_MIN_LENGTH