actionpack 3.2.19 → 4.2.11.3

data/lib/action_controller.rb

@@ -1,5 +1,8 @@
+require 'active_support/rails'
 require 'abstract_controller'
 require 'action_dispatch'
+require 'action_controller/metal/live'
+require 'action_controller/metal/strong_parameters'
 
 module ActionController
   extend ActiveSupport::Autoload
@@ -14,6 +17,7 @@ module ActionController
     autoload :ConditionalGet
     autoload :Cookies
     autoload :DataStreaming
+    autoload :EtagWithTemplateDigest
     autoload :Flash
     autoload :ForceSSL
     autoload :Head
@@ -30,36 +34,25 @@ module ActionController
     autoload :Rendering
     autoload :RequestForgeryProtection
     autoload :Rescue
-    autoload :Responder
-    autoload :SessionManagement
     autoload :Streaming
+    autoload :StrongParameters
     autoload :Testing
     autoload :UrlFor
   end
 
-  autoload :Integration,        'action_controller/deprecated/integration_test'
-  autoload :IntegrationTest,    'action_controller/deprecated/integration_test'
-  autoload :PerformanceTest,    'action_controller/deprecated/performance_test'
-  autoload :UrlWriter,          'action_controller/deprecated'
-  autoload :Routing,            'action_controller/deprecated'
   autoload :TestCase,           'action_controller/test_case'
   autoload :TemplateAssertions, 'action_controller/test_case'
 
-  eager_autoload do
-    autoload :RecordIdentifier
+  def self.eager_load!
+    super
+    ActionController::Caching.eager_load!
   end
 end
 
-# All of these simply register additional autoloads
-require 'action_view'
-require 'action_controller/vendor/html-scanner'
-
 # Common Active Support usage in Action Controller
-require 'active_support/concern'
-require 'active_support/core_ext/class/attribute_accessors'
+require 'active_support/core_ext/module/attribute_accessors'
 require 'active_support/core_ext/load_error'
 require 'active_support/core_ext/module/attr_internal'
-require 'active_support/core_ext/module/delegation'
 require 'active_support/core_ext/name_error'
 require 'active_support/core_ext/uri'
 require 'active_support/inflector'

data/lib/action_dispatch/http/cache.rb

@@ -1,4 +1,3 @@
-require 'active_support/core_ext/object/blank'
 
 module ActionDispatch
   module Http
@@ -18,12 +17,21 @@ module ActionDispatch
           env[HTTP_IF_NONE_MATCH]
         end
 
+        def if_none_match_etags
+          (if_none_match ? if_none_match.split(/\s*,\s*/) : []).collect do |etag|
+            etag.gsub(/^\"|\"$/, "")
+          end
+        end
+
         def not_modified?(modified_at)
           if_modified_since && modified_at && if_modified_since >= modified_at
         end
 
         def etag_matches?(etag)
-          if_none_match && if_none_match == etag
+          if etag
+            etag = etag.gsub(/^\"|\"$/, "")
+            if_none_match_etags.include?(etag)
+          end
         end
 
         # Check response freshness (Last-Modified and ETag) against request
@@ -60,6 +68,20 @@ module ActionDispatch
           headers[LAST_MODIFIED] = utc_time.httpdate
         end
 
+        def date
+          if date_header = headers[DATE]
+            Time.httpdate(date_header)
+          end
+        end
+
+        def date?
+          headers.include?(DATE)
+        end
+
+        def date=(utc_time)
+          headers[DATE] = utc_time.httpdate
+        end
+
         def etag=(etag)
           key = ActiveSupport::Cache.expand_cache_key(etag)
           @etag = self[ETAG] = %("#{Digest::MD5.hexdigest(key)}")
@@ -67,20 +89,41 @@ module ActionDispatch
 
       private
 
+        DATE          = 'Date'.freeze
         LAST_MODIFIED = "Last-Modified".freeze
         ETAG          = "ETag".freeze
         CACHE_CONTROL = "Cache-Control".freeze
+        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public must-revalidate])
 
-        def prepare_cache_control!
-          @cache_control = {}
-          @etag = self[ETAG]
-
+        def cache_control_segments
           if cache_control = self[CACHE_CONTROL]
-            cache_control.split(/,\s*/).each do |segment|
-              first, last = segment.split("=")
-              @cache_control[first.to_sym] = last || true
+            cache_control.delete(' ').split(',')
+          else
+            []
+          end
+        end
+
+        def cache_control_headers
+          cache_control = {}
+
+          cache_control_segments.each do |segment|
+            directive, argument = segment.split('=', 2)
+
+            if SPECIAL_KEYS.include? directive
+              key = directive.tr('-', '_')
+              cache_control[key.to_sym] = argument || true
+            else
+              cache_control[:extras] ||= []
+              cache_control[:extras] << segment
             end
           end
+
+          cache_control
+        end
+
+        def prepare_cache_control!
+          @cache_control = cache_control_headers
+          @etag = self[ETAG]
         end
 
         def handle_conditional_get!
@@ -96,14 +139,24 @@ module ActionDispatch
         MUST_REVALIDATE       = "must-revalidate".freeze
 
         def set_conditional_cache_control!
-          return if self[CACHE_CONTROL].present?
+          control = {}
+          cc_headers = cache_control_headers
+          if extras = cc_headers.delete(:extras)
+            @cache_control[:extras] ||= []
+            @cache_control[:extras] += extras
+            @cache_control[:extras].uniq!
+          end
 
-          control = @cache_control
+          control.merge! cc_headers
+          control.merge! @cache_control
 
           if control.empty?
             headers[CACHE_CONTROL] = DEFAULT_CACHE_CONTROL
           elsif control[:no_cache]
             headers[CACHE_CONTROL] = NO_CACHE
+            if control[:extras]
+              headers[CACHE_CONTROL] += ", #{control[:extras].join(', ')}"
+            end
           else
             extras  = control[:extras]
             max_age = control[:max_age]

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,17 +1,15 @@
-require 'active_support/core_ext/object/blank'
 require 'active_support/core_ext/hash/keys'
 require 'active_support/core_ext/object/duplicable'
+require 'action_dispatch/http/parameter_filter'
 
 module ActionDispatch
   module Http
     # Allows you to specify sensitive parameters which will be replaced from
     # the request log by looking in the query string of the request and all
-    # subhashes of the params hash to filter. If a block is given, each key and
-    # value of the params hash and all subhashes is passed to it, the value
+    # sub-hashes of the params hash to filter. If a block is given, each key and
+    # value of the params hash and all sub-hashes is passed to it, the value
     # or key can be replaced using String#replace or similar method.
     #
-    # Examples:
-    #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
     #
@@ -22,9 +20,17 @@ module ActionDispatch
     #     v.reverse! if k =~ /secret/i
     #   end
     #   => reverses the value to all keys matching /secret/i
-    #
     module FilterParameters
-      extend ActiveSupport::Concern
+      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
+      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
+
+      def initialize(env)
+        super
+        @filtered_parameters = nil
+        @filtered_env        = nil
+        @filtered_path       = nil
+      end
 
       # Return a hash of parameters with all sensitive data replaced.
       def filtered_parameters
@@ -44,11 +50,16 @@ module ActionDispatch
     protected
 
       def parameter_filter
-        parameter_filter_for(@env["action_dispatch.parameter_filter"])
+        parameter_filter_for @env.fetch("action_dispatch.parameter_filter") {
+          return NULL_PARAM_FILTER
+        }
       end
 
       def env_filter
-        parameter_filter_for(Array.wrap(@env["action_dispatch.parameter_filter"]) << /RAW_POST_DATA/)
+        user_key = @env.fetch("action_dispatch.parameter_filter") {
+          return NULL_ENV_FILTER
+        }
+        parameter_filter_for(Array(user_key) + ENV_MATCH)
       end
 
       def parameter_filter_for(filters)
@@ -62,7 +73,6 @@ module ActionDispatch
           parameter_filter.filter([[$1, $2]]).first.join("=")
         end
       end
-
     end
   end
 end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -0,0 +1,38 @@
+module ActionDispatch
+  module Http
+    module FilterRedirect
+
+      FILTERED = '[FILTERED]'.freeze # :nodoc:
+
+      def filtered_location
+        filters = location_filter
+        if !filters.empty? && location_filter_match?(filters)
+          FILTERED
+        else
+          location
+        end
+      end
+
+    private
+
+      def location_filter
+        if request
+          request.env['action_dispatch.redirect_filter'] || []
+        else
+          []
+        end
+      end
+
+      def location_filter_match?(filters)
+        filters.any? do |filter|
+          if String === filter
+            location.include?(filter)
+          elsif Regexp === filter
+            location.match(filter)
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/action_dispatch/http/headers.rb

@@ -1,31 +1,99 @@
 module ActionDispatch
   module Http
-    class Headers < ::Hash
-      @@env_cache = Hash.new { |h,k| h[k] = "HTTP_#{k.upcase.gsub(/-/, '_')}" }
+    # Provides access to the request's HTTP headers from the environment.
+    #
+    #   env     = { "CONTENT_TYPE" => "text/plain" }
+    #   headers = ActionDispatch::Http::Headers.new(env)
+    #   headers["Content-Type"] # => "text/plain"
+    class Headers
+      CGI_VARIABLES = Set.new(%W[
+        AUTH_TYPE
+        CONTENT_LENGTH
+        CONTENT_TYPE
+        GATEWAY_INTERFACE
+        HTTPS
+        PATH_INFO
+        PATH_TRANSLATED
+        QUERY_STRING
+        REMOTE_ADDR
+        REMOTE_HOST
+        REMOTE_IDENT
+        REMOTE_USER
+        REQUEST_METHOD
+        SCRIPT_NAME
+        SERVER_NAME
+        SERVER_PORT
+        SERVER_PROTOCOL
+        SERVER_SOFTWARE
+      ]).freeze
 
-      def initialize(*args)
+      HTTP_HEADER = /\A[A-Za-z0-9-]+\z/
 
-        if args.size == 1 && args[0].is_a?(Hash)
-          super()
-          update(args[0])
-        else
-          super
-        end
+      include Enumerable
+      attr_reader :env
+
+      def initialize(env = {}) # :nodoc:
+        @env = env
+      end
+
+      # Returns the value for the given key mapped to @env.
+      def [](key)
+        @env[env_name(key)]
+      end
+
+      # Sets the given value for the key mapped to @env.
+      def []=(key, value)
+        @env[env_name(key)] = value
+      end
+
+      def key?(key)
+        @env.key? env_name(key)
       end
+      alias :include? :key?
 
-      def [](header_name)
-        if include?(header_name)
-          super
-        else
-          super(env_name(header_name))
+      # Returns the value for the given key mapped to @env.
+      #
+      # If the key is not found and an optional code block is not provided,
+      # raises a <tt>KeyError</tt> exception.
+      #
+      # If the code block is provided, then it will be run and
+      # its result returned.
+      def fetch(key, *args, &block)
+        @env.fetch env_name(key), *args, &block
+      end
+
+      def each(&block)
+        @env.each(&block)
+      end
+
+      # Returns a new Http::Headers instance containing the contents of
+      # <tt>headers_or_env</tt> and the original instance.
+      def merge(headers_or_env)
+        headers = Http::Headers.new(env.dup)
+        headers.merge!(headers_or_env)
+        headers
+      end
+
+      # Adds the contents of <tt>headers_or_env</tt> to original instance
+      # entries; duplicate keys are overwritten with the values from
+      # <tt>headers_or_env</tt>.
+      def merge!(headers_or_env)
+        headers_or_env.each do |key, value|
+          self[env_name(key)] = value
         end
       end
 
       private
-        # Converts a HTTP header name to an environment variable name.
-        def env_name(header_name)
-          @@env_cache[header_name]
+      # Converts a HTTP header name to an environment variable name if it is
+      # not contained within the headers hash.
+      def env_name(key)
+        key = key.to_s
+        if key =~ HTTP_HEADER
+          key = key.upcase.tr('-', '_')
+          key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
         end
+        key
+      end
     end
   end
 end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -1,3 +1,5 @@
+require 'active_support/core_ext/module/attribute_accessors'
+
 module ActionDispatch
   module Http
     module MimeNegotiation
@@ -8,6 +10,8 @@ module ActionDispatch
         self.ignore_accept_header = false
       end
 
+      attr_reader :variant
+
       # The MIME type of the HTTP request, such as Mime::XML.
       #
       # For backward compatibility, the post \format is extracted from the
@@ -46,12 +50,18 @@ module ActionDispatch
       #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
       #
       def format(view_path = [])
-        formats.first
+        formats.first || Mime::NullType.instance
       end
 
       def formats
-        @env["action_dispatch.request.formats"] ||=
-          if parameters[:format]
+        @env["action_dispatch.request.formats"] ||= begin
+          params_readable = begin
+                              parameters[:format]
+                            rescue ActionController::BadRequest
+                              false
+                            end
+
+          v = if params_readable
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
@@ -60,13 +70,32 @@ module ActionDispatch
           else
             [Mime::HTML]
           end
+
+          v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
+        end
+      end
+
+      # Sets the \variant for template.
+      def variant=(variant)
+        if variant.is_a?(Symbol)
+          @variant = [variant]
+        elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
+          @variant = variant
+        else
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
+            "For security reasons, never directly set the variant to a user-provided value, " \
+            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
+            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+        end
       end
 
       # Sets the \format by string extension, which can be used to force custom formats
       # that are not controlled by the extension.
       #
       #   class ApplicationController < ActionController::Base
-      #     before_filter :adjust_format_for_iphone
+      #     before_action :adjust_format_for_iphone
       #
       #     private
       #       def adjust_format_for_iphone
@@ -78,6 +107,27 @@ module ActionDispatch
         @env["action_dispatch.request.formats"] = [Mime::Type.lookup_by_extension(parameters[:format])]
       end
 
+      # Sets the \formats by string extensions. This differs from #format= by allowing you
+      # to set multiple, ordered formats, which is useful when you want to have a fallback.
+      #
+      # In this example, the :iphone format will be used if it's available, otherwise it'll fallback
+      # to the :html format.
+      #
+      #   class ApplicationController < ActionController::Base
+      #     before_action :adjust_format_for_iphone_with_html_fallback
+      #
+      #     private
+      #       def adjust_format_for_iphone_with_html_fallback
+      #         request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #       end
+      #   end
+      def formats=(extensions)
+        parameters[:format] = extensions.first.to_s
+        @env["action_dispatch.request.formats"] = extensions.collect do |extension|
+          Mime::Type.lookup_by_extension(extension)
+        end
+      end
+
       # Receives an array of mimes and return the first user sent mime that
       # matches the order array.
       #
@@ -90,7 +140,7 @@ module ActionDispatch
           end
         end
 
-        order.include?(Mime::ALL) ? formats.first : nil
+        order.include?(Mime::ALL) ? format : nil
       end
 
       protected