actionpack 3.2.19 → 4.0.0

data/lib/action_dispatch/middleware/request_id.rb

@@ -1,6 +1,5 @@
 require 'securerandom'
 require 'active_support/core_ext/string/access'
-require 'active_support/core_ext/object/blank'
 
 module ActionDispatch
   # Makes a unique request id available to the action_dispatch.request_id env variable (which is then accessible through
@@ -19,10 +18,7 @@ module ActionDispatch
 
     def call(env)
       env["action_dispatch.request_id"] = external_request_id(env) || internal_request_id
-      status, headers, body = @app.call(env)
-
-      headers["X-Request-Id"] = env["action_dispatch.request_id"]
-      [ status, headers, body ]
+      @app.call(env).tap { |_status, headers, _body| headers["X-Request-Id"] = env["action_dispatch.request_id"] }
     end
 
     private
@@ -33,7 +29,7 @@ module ActionDispatch
       end
 
       def internal_request_id
-        SecureRandom.hex(16)
+        SecureRandom.uuid
       end
   end
 end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -2,37 +2,31 @@ require 'rack/utils'
 require 'rack/request'
 require 'rack/session/abstract/id'
 require 'action_dispatch/middleware/cookies'
-require 'active_support/core_ext/object/blank'
+require 'action_dispatch/request/session'
 
 module ActionDispatch
   module Session
     class SessionRestoreError < StandardError #:nodoc:
-    end
+      attr_reader :original_exception
+
+      def initialize(const_error)
+        @original_exception = const_error
 
-    module DestroyableSession
-      def destroy
-        clear
-        options = @env[Rack::Session::Abstract::ENV_SESSION_OPTIONS_KEY] if @env
-        options ||= {}
-        @by.send(:destroy_session, @env, options[:id], options) if @by
-        options[:id] = nil
-        @loaded = false
+        super("Session contains objects whose class definition isn't available.\n" +
+          "Remember to require the classes for all objects kept in the session.\n" +
+          "(Original exception: #{const_error.message} [#{const_error.class}])\n")
       end
     end
 
-    ::Rack::Session::Abstract::SessionHash.send :include, DestroyableSession
-
     module Compatibility
       def initialize(app, options = {})
         options[:key] ||= '_session_id'
-        # FIXME Rack's secret is not being used
-        options[:secret] ||= SecureRandom.hex(30)
         super
       end
 
       def generate_sid
         sid = SecureRandom.hex(16)
-        sid.encode!('UTF-8') if sid.respond_to?(:encode!)
+        sid.encode!(Encoding::UTF_8)
         sid
       end
 
@@ -60,11 +54,8 @@ module ActionDispatch
           begin
             # Note that the regexp does not allow $1 to end with a ':'
             $1.constantize
-          rescue LoadError, NameError => const_error
-            raise ActionDispatch::Session::SessionRestoreError,
-              "Session contains objects whose class definition isn't available.\n" +
-              "Remember to require the classes for all objects kept in the session.\n" +
-              "(Original exception: #{const_error.message} [#{const_error.class}])\n"
+          rescue LoadError, NameError => e
+            raise ActionDispatch::Session::SessionRestoreError, e, e.backtrace
           end
           retry
         else
@@ -73,9 +64,20 @@ module ActionDispatch
       end
     end
 
+    module SessionObject # :nodoc:
+      def prepare_session(env)
+        Request::Session.create(self, env, @default_options)
+      end
+
+      def loaded_session?(session)
+        !session.is_a?(Request::Session) || session.loaded?
+      end
+    end
+
     class AbstractStore < Rack::Session::Abstract::ID
       include Compatibility
       include StaleSessionCheck
+      include SessionObject
 
       private
 

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -1,53 +1,92 @@
 require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/object/blank'
 require 'action_dispatch/middleware/session/abstract_store'
 require 'rack/session/cookie'
 
 module ActionDispatch
   module Session
-    # This cookie-based session store is the Rails default. Sessions typically
-    # contain at most a user_id and flash message; both fit within the 4K cookie
-    # size limit. Cookie-based sessions are dramatically faster than the
-    # alternatives.
+    # This cookie-based session store is the Rails default. It is
+    # dramatically faster than the alternatives.
     #
-    # If you have more than 4K of session data or don't want your data to be
-    # visible to the user, pick another session store.
+    # Sessions typically contain at most a user_id and flash message; both fit
+    # within the 4K cookie size limit. A CookieOverflow exception is raised if
+    # you attempt to store more than 4K of data.
     #
-    # CookieOverflow is raised if you attempt to store more than 4K of data.
+    # The cookie jar used for storage is automatically configured to be the
+    # best possible option given your application's configuration.
     #
-    # A message digest is included with the cookie to ensure data integrity:
-    # a user cannot alter his +user_id+ without knowing the secret key
-    # included in the hash. New apps are generated with a pregenerated secret
-    # in config/environment.rb. Set your own for old apps you're upgrading.
+    # If you only have secret_token set, your cookies will be signed, but
+    # not encrypted. This means a user cannot alter his +user_id+ without
+    # knowing your app's secret key, but can easily read his +user_id+. This
+    # was the default for Rails 3 apps.
     #
-    # Session options:
+    # If you have secret_key_base set, your cookies will be encrypted. This
+    # goes a step further than signed cookies in that encrypted cookies cannot
+    # be altered or read by users. This is the default starting in Rails 4.
     #
-    # * <tt>:secret</tt>: An application-wide key string. It's important that
-    #   the secret is not vulnerable to a dictionary attack. Therefore, you
-    #   should choose a secret consisting of random numbers and letters and
-    #   more than 30 characters.
+    # If you have both secret_token and secret_key base set, your cookies will
+    # be encrypted, and signed cookies generated by Rails 3 will be
+    # transparently read and encrypted to provide a smooth upgrade path.
     #
-    #     :secret => '449fe2e7daee471bffae2fd8dc02313d'
+    # Configure your session store in config/initializers/session_store.rb:
     #
-    # * <tt>:digest</tt>: The message digest algorithm used to verify session
-    #   integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
-    #   such as 'MD5', 'RIPEMD160', 'SHA256', etc.
+    #   Myapp::Application.config.session_store :cookie_store, key: '_your_app_session'
     #
-    # To generate a secret key for an existing application, run
-    # "rake secret" and set the key in config/initializers/secret_token.rb.
+    # Configure your secret key in config/initializers/secret_token.rb:
+    #
+    #   Myapp::Application.config.secret_key_base 'secret key'
+    #
+    # To generate a secret key for an existing application, run `rake secret`.
+    #
+    # If you are upgrading an existing Rails 3 app, you should leave your
+    # existing secret_token in place and simply add the new secret_key_base.
+    # Note that you should wait to set secret_key_base until you have 100% of
+    # your userbase on Rails 4 and are reasonably sure you will not need to
+    # rollback to Rails 3. This is because cookies signed based on the new
+    # secret_key_base in Rails 4 are not backwards compatible with Rails 3.
+    # You are free to leave your existing secret_token in place, not set the
+    # new secret_key_base, and ignore the deprecation warnings until you are
+    # reasonably sure that your upgrade is otherwise complete. Additionally,
+    # you should take care to make sure you are not relying on the ability to
+    # decode signed cookies generated by your app in external applications or
+    # Javascript before upgrading.
     #
     # Note that changing digest or secret invalidates all existing sessions!
-    class CookieStore < Rack::Session::Cookie
+    class CookieStore < Rack::Session::Abstract::ID
       include Compatibility
       include StaleSessionCheck
+      include SessionObject
+
+      def initialize(app, options={})
+        super(app, options.merge!(:cookie_only => true))
+      end
+
+      def destroy_session(env, session_id, options)
+        new_sid = generate_sid unless options[:drop]
+        # Reset hash and Assign the new session id
+        env["action_dispatch.request.unsigned_session_cookie"] = new_sid ? { "session_id" => new_sid } : {}
+        new_sid
+      end
+
+      def load_session(env)
+        stale_session_check! do
+          data = unpacked_cookie_data(env)
+          data = persistent_session_id!(data)
+          [data["session_id"], data]
+        end
+      end
 
       private
 
+      def extract_session_id(env)
+        stale_session_check! do
+          unpacked_cookie_data(env)["session_id"]
+        end
+      end
+
       def unpacked_cookie_data(env)
         env["action_dispatch.request.unsigned_session_cookie"] ||= begin
           stale_session_check! do
-            request = ActionDispatch::Request.new(env)
-            if data = request.cookie_jar.signed[@key]
+            if data = get_cookie(env)
               data.stringify_keys!
             end
             data || {}
@@ -55,13 +94,28 @@ module ActionDispatch
         end
       end
 
+      def persistent_session_id!(data, sid=nil)
+        data ||= {}
+        data["session_id"] ||= sid || generate_sid
+        data
+      end
+
       def set_session(env, sid, session_data, options)
-        session_data.merge!("session_id" => sid)
+        session_data["session_id"] = sid
+        session_data
       end
 
       def set_cookie(env, session_id, cookie)
+        cookie_jar(env)[@key] = cookie
+      end
+
+      def get_cookie(env)
+        cookie_jar(env)[@key]
+      end
+
+      def cookie_jar(env)
         request = ActionDispatch::Request.new(env)
-        request.cookie_jar.signed[@key] = cookie
+        request.cookie_jar.signed_or_encrypted
       end
     end
   end

data/lib/action_dispatch/middleware/session/mem_cache_store.rb

@@ -1,14 +1,19 @@
 require 'action_dispatch/middleware/session/abstract_store'
-require 'rack/session/memcache'
+begin
+  require 'rack/session/dalli'
+rescue LoadError => e
+  $stderr.puts "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
+  raise e
+end
 
 module ActionDispatch
   module Session
-    class MemCacheStore < Rack::Session::Memcache
+    class MemCacheStore < Rack::Session::Dalli
       include Compatibility
       include StaleSessionCheck
+      include SessionObject
 
       def initialize(app, options = {})
-        require 'memcache'
         options[:expire_after] ||= options[:expires]
         super
       end

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -1,73 +1,40 @@
 require 'action_dispatch/http/request'
 require 'action_dispatch/middleware/exception_wrapper'
-require 'active_support/deprecation'
 
 module ActionDispatch
   # This middleware rescues any exception returned by the application
   # and calls an exceptions app that will wrap it in a format for the end user.
   #
   # The exceptions app should be passed as parameter on initialization
-  # of ShowExceptions. Everytime there is an exception, ShowExceptions will
+  # of ShowExceptions. Every time there is an exception, ShowExceptions will
   # store the exception in env["action_dispatch.exception"], rewrite the
   # PATH_INFO to the exception status code and call the rack app.
-  # 
+  #
   # If the application returns a "X-Cascade" pass response, this middleware
   # will send an empty response as result with the correct status code.
   # If any exception happens inside the exceptions app, this middleware
   # catches the exceptions and returns a FAILSAFE_RESPONSE.
   class ShowExceptions
-    FAILSAFE_RESPONSE = [500, {'Content-Type' => 'text/html'},
-      ["<html><body><h1>500 Internal Server Error</h1>" <<
-       "If you are the administrator of this website, then please read this web " <<
-       "application's log file and/or the web server's log file to find out what " <<
-       "went wrong.</body></html>"]]
-
-    class << self
-      def rescue_responses
-        ActiveSupport::Deprecation.warn "ActionDispatch::ShowExceptions.rescue_responses is deprecated. " \
-          "Please configure your exceptions using a railtie or in your application config instead."
-        ExceptionWrapper.rescue_responses
-      end
-
-      def rescue_templates
-        ActiveSupport::Deprecation.warn "ActionDispatch::ShowExceptions.rescue_templates is deprecated. " \
-          "Please configure your exceptions using a railtie or in your application config instead."
-        ExceptionWrapper.rescue_templates
-      end
-    end
-
-    def initialize(app, exceptions_app = nil)
-      if [true, false].include?(exceptions_app)
-        ActiveSupport::Deprecation.warn "Passing consider_all_requests_local option to ActionDispatch::ShowExceptions middleware no longer works"
-        exceptions_app = nil
-      end
-
-      if exceptions_app.nil?
-        raise ArgumentError, "You need to pass an exceptions_app when initializing ActionDispatch::ShowExceptions. " \
-          "In case you want to render pages from a public path, you can use ActionDispatch::PublicExceptions.new('path/to/public')"
-      end
+    FAILSAFE_RESPONSE = [500, { 'Content-Type' => 'text/plain' },
+      ["500 Internal Server Error\n" \
+       "If you are the administrator of this website, then please read this web " \
+       "application's log file and/or the web server's log file to find out what " \
+       "went wrong."]]
 
+    def initialize(app, exceptions_app)
       @app = app
       @exceptions_app = exceptions_app
     end
 
     def call(env)
-      begin
-        response  = @app.call(env)
-      rescue Exception => exception
-        raise exception if env['action_dispatch.show_exceptions'] == false
-      end
-
-      response || render_exception(env, exception)
+      @app.call(env)
+    rescue Exception => exception
+      raise exception if env['action_dispatch.show_exceptions'] == false
+      render_exception(env, exception)
     end
 
     private
 
-    # Define this method because some plugins were monkey patching it.
-    # Remove this after 3.2 is out with the other deprecations in this class.
-    def status_code(*)
-    end
-
     def render_exception(env, exception)
       wrapper = ExceptionWrapper.new(env, exception)
       status  = wrapper.status_code

data/lib/action_dispatch/middleware/ssl.rb

@@ -0,0 +1,70 @@
+module ActionDispatch
+  class SSL
+    YEAR = 31536000
+
+    def self.default_hsts_options
+      { :expires => YEAR, :subdomains => false }
+    end
+
+    def initialize(app, options = {})
+      @app = app
+
+      @hsts = options.fetch(:hsts, {})
+      @hsts = {} if @hsts == true
+      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
+
+      @host    = options[:host]
+      @port    = options[:port]
+    end
+
+    def call(env)
+      request = Request.new(env)
+
+      if request.ssl?
+        status, headers, body = @app.call(env)
+        headers = hsts_headers.merge(headers)
+        flag_cookies_as_secure!(headers)
+        [status, headers, body]
+      else
+        redirect_to_https(request)
+      end
+    end
+
+    private
+      def redirect_to_https(request)
+        url        = URI(request.url)
+        url.scheme = "https"
+        url.host   = @host if @host
+        url.port   = @port if @port
+        headers    = hsts_headers.merge('Content-Type' => 'text/html',
+                                        'Location'     => url.to_s)
+
+        [301, headers, []]
+      end
+
+      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
+      def hsts_headers
+        if @hsts
+          value = "max-age=#{@hsts[:expires].to_i}"
+          value += "; includeSubDomains" if @hsts[:subdomains]
+          { 'Strict-Transport-Security' => value }
+        else
+          {}
+        end
+      end
+
+      def flag_cookies_as_secure!(headers)
+        if cookies = headers['Set-Cookie']
+          cookies = cookies.split("\n")
+
+          headers['Set-Cookie'] = cookies.map { |cookie|
+            if cookie !~ /;\s+secure(;|$)/
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          }.join("\n")
+        end
+      end
+  end
+end

data/lib/action_dispatch/middleware/stack.rb

@@ -75,6 +75,11 @@ module ActionDispatch
       middlewares[i]
     end
 
+    def unshift(*args, &block)
+      middleware = self.class::Middleware.new(*args, &block)
+      middlewares.unshift(middleware)
+    end
+
     def initialize_copy(other)
       self.middlewares = other.middlewares.dup
     end
@@ -110,7 +115,7 @@ module ActionDispatch
     def build(app = nil, &block)
       app ||= block
       raise "MiddlewareStack#build requires an app" unless app
-      middlewares.reverse.inject(app) { |a, e| e.build(a) }
+      middlewares.freeze.reverse.inject(app) { |a, e| e.build(a) }
     end
 
   protected

data/lib/action_dispatch/middleware/static.rb

@@ -1,4 +1,5 @@
 require 'rack/utils'
+require 'active_support/core_ext/uri'
 
 module ActionDispatch
   class FileHandler
@@ -29,7 +30,7 @@ module ActionDispatch
 
     def ext
       @ext ||= begin
-        ext = ::ActionController::Base.page_cache_extension
+        ext = ::ActionController::Base.default_static_extension
         "{,#{ext},/index#{ext}}"
       end
     end

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb

@@ -1,8 +1,8 @@
 <% unless @exception.blamed_files.blank? %>
   <% if (hide = @exception.blamed_files.length > 8) %>
-    <a href="#" onclick="document.getElementById('blame_trace').style.display='block'; return false;">Show blamed files</a>
+    <a href="#" onclick="return toggleTrace()">Toggle blamed files</a>
   <% end %>
-  <pre id="blame_trace" <%='style="display:none"' if hide %>><code><%=h @exception.describe_blame %></code></pre>
+  <pre id="blame_trace" <%='style="display:none"' if hide %>><code><%= @exception.describe_blame %></code></pre>
 <% end %>
 
 <%
@@ -12,20 +12,23 @@
 
   request_dump = clean_params.empty? ? 'None' : clean_params.inspect.gsub(',', ",\n")
 
-  def debug_hash(hash)
-    hash.sort_by { |k, v| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
+  def debug_hash(object)
+    object.to_hash.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
   end unless self.class.method_defined?(:debug_hash)
 %>
 
 <h2 style="margin-top: 30px">Request</h2>
-<p><b>Parameters</b>: <pre><%=h request_dump %></pre></p>
+<p><b>Parameters</b>:</p> <pre><%= request_dump %></pre>
 
-<p><a href="#" onclick="document.getElementById('session_dump').style.display='block'; return false;">Show session dump</a></p>
-<div id="session_dump" style="display:none"><pre><%= debug_hash @request.session %></pre></div>
-
-<p><a href="#" onclick="document.getElementById('env_dump').style.display='block'; return false;">Show env dump</a></p>
-<div id="env_dump" style="display:none"><pre><%= debug_hash @request.env.slice(*@request.class::ENV_METHODS) %></pre></div>
+<div class="details">
+  <div class="summary"><a href="#" onclick="return toggleSessionDump()">Toggle session dump</a></div>
+  <div id="session_dump" style="display:none"><pre><%= debug_hash @request.session %></pre></div>
+</div>
 
+<div class="details">
+  <div class="summary"><a href="#" onclick="return toggleEnvDump()">Toggle env dump</a></div>
+  <div id="env_dump" style="display:none"><pre><%= debug_hash @request.env.slice(*@request.class::ENV_METHODS) %></pre></div>
+</div>
 
 <h2 style="margin-top: 30px">Response</h2>
-<p><b>Headers</b>: <pre><%=h defined?(@response) ? @response.headers.inspect.gsub(',', ",\n") : 'None' %></pre></p>
+<p><b>Headers</b>:</p> <pre><%= defined?(@response) ? @response.headers.inspect.gsub(',', ",\n") : 'None' %></pre>

data/lib/action_dispatch/middleware/templates/rescues/_source.erb

@@ -0,0 +1,25 @@
+<% if @source_extract %>
+<div class="source">
+<div class="info">
+  Extracted source (around line <strong>#<%= @line_number %></strong>):
+</div>
+<div class="data">
+  <table cellpadding="0" cellspacing="0" class="lines">
+      <tr>
+        <td>
+          <pre class="line_numbers">
+            <% @source_extract.keys.each do |line_number| %>
+<span><%= line_number -%></span>
+            <% end %>
+          </pre>
+        </td>
+<td width="100%">
+<pre>
+<% @source_extract.each do |line, source| -%><div class="line<%= " active" if line == @line_number -%>"><%= source -%></div><% end -%>
+</pre>
+</td>
+    </tr>
+  </table>
+</div>
+</div>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/_trace.erb

@@ -1,10 +1,8 @@
 <%
-  traces = [
-    ["Application Trace", @application_trace],
-    ["Framework Trace", @framework_trace],
-    ["Full Trace", @full_trace]
-  ]
-  names = traces.collect {|name, trace| name}
+   traces = { "Application Trace" => @application_trace,
+              "Framework Trace"   => @framework_trace,
+              "Full Trace"        => @full_trace }
+   names = traces.keys
 %>
 
 <p><code>Rails.root: <%= defined?(Rails) && Rails.respond_to?(:root) ? Rails.root : "unset" %></code></p>
@@ -12,15 +10,15 @@
 <div id="traces">
   <% names.each do |name| %>
     <%
-      show = "document.getElementById('#{name.gsub(/\s/, '-')}').style.display='block';"
-      hide = (names - [name]).collect {|hide_name| "document.getElementById('#{hide_name.gsub(/\s/, '-')}').style.display='none';"}
+      show = "show('#{name.gsub(/\s/, '-')}');"
+      hide = (names - [name]).collect {|hide_name| "hide('#{hide_name.gsub(/\s/, '-')}');"}
     %>
     <a href="#" onclick="<%= hide.join %><%= show %>; return false;"><%= name %></a> <%= '|' unless names.last == name %>
   <% end %>
 
   <% traces.each do |name, trace| %>
     <div id="<%= name.gsub(/\s/, '-') %>" style="display: <%= (name == "Application Trace") ? 'block' : 'none' %>;">
-      <pre><code><%=h trace.join "\n" %></code></pre>
+      <pre><code><%= trace.join "\n" %></code></pre>
     </div>
   <% end %>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb

@@ -1,10 +1,16 @@
-<h1>
-  <%=h @exception.class.to_s %>
-  <% if @request.parameters['controller'] %>
-    in <%=h @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%=h @request.parameters['action'] %><% end %>
-  <% end %>
-</h1>
-<pre><%=h @exception.message %></pre>
+<header>
+  <h1>
+    <%= @exception.class.to_s %>
+    <% if @request.parameters['controller'] %>
+      in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
+    <% end %>
+  </h1>
+</header>
 
-<%= render :template => "rescues/_trace" %>
-<%= render :template => "rescues/_request_and_response" %>
+<div id="container">
+  <h2><%= @exception.message %></h2>
+
+  <%= render template: "rescues/_source" %>
+  <%= render template: "rescues/_trace" %>
+  <%= render template: "rescues/_request_and_response" %>
+</div>