actionpack 3.2.19 → 4.2.11.3

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -1,77 +1,48 @@
 require 'action_dispatch/http/request'
 require 'action_dispatch/middleware/exception_wrapper'
-require 'active_support/deprecation'
 
 module ActionDispatch
   # This middleware rescues any exception returned by the application
   # and calls an exceptions app that will wrap it in a format for the end user.
   #
   # The exceptions app should be passed as parameter on initialization
-  # of ShowExceptions. Everytime there is an exception, ShowExceptions will
+  # of ShowExceptions. Every time there is an exception, ShowExceptions will
   # store the exception in env["action_dispatch.exception"], rewrite the
   # PATH_INFO to the exception status code and call the rack app.
-  # 
+  #
   # If the application returns a "X-Cascade" pass response, this middleware
   # will send an empty response as result with the correct status code.
   # If any exception happens inside the exceptions app, this middleware
   # catches the exceptions and returns a FAILSAFE_RESPONSE.
   class ShowExceptions
-    FAILSAFE_RESPONSE = [500, {'Content-Type' => 'text/html'},
-      ["<html><body><h1>500 Internal Server Error</h1>" <<
-       "If you are the administrator of this website, then please read this web " <<
-       "application's log file and/or the web server's log file to find out what " <<
-       "went wrong.</body></html>"]]
-
-    class << self
-      def rescue_responses
-        ActiveSupport::Deprecation.warn "ActionDispatch::ShowExceptions.rescue_responses is deprecated. " \
-          "Please configure your exceptions using a railtie or in your application config instead."
-        ExceptionWrapper.rescue_responses
-      end
-
-      def rescue_templates
-        ActiveSupport::Deprecation.warn "ActionDispatch::ShowExceptions.rescue_templates is deprecated. " \
-          "Please configure your exceptions using a railtie or in your application config instead."
-        ExceptionWrapper.rescue_templates
-      end
-    end
-
-    def initialize(app, exceptions_app = nil)
-      if [true, false].include?(exceptions_app)
-        ActiveSupport::Deprecation.warn "Passing consider_all_requests_local option to ActionDispatch::ShowExceptions middleware no longer works"
-        exceptions_app = nil
-      end
-
-      if exceptions_app.nil?
-        raise ArgumentError, "You need to pass an exceptions_app when initializing ActionDispatch::ShowExceptions. " \
-          "In case you want to render pages from a public path, you can use ActionDispatch::PublicExceptions.new('path/to/public')"
-      end
+    FAILSAFE_RESPONSE = [500, { 'Content-Type' => 'text/plain' },
+      ["500 Internal Server Error\n" \
+       "If you are the administrator of this website, then please read this web " \
+       "application's log file and/or the web server's log file to find out what " \
+       "went wrong."]]
 
+    def initialize(app, exceptions_app)
       @app = app
       @exceptions_app = exceptions_app
     end
 
     def call(env)
-      begin
-        response  = @app.call(env)
-      rescue Exception => exception
-        raise exception if env['action_dispatch.show_exceptions'] == false
+      @app.call(env)
+    rescue Exception => exception
+      if env['action_dispatch.show_exceptions'] == false
+        raise exception
+      else
+        render_exception(env, exception)
       end
-
-      response || render_exception(env, exception)
     end
 
     private
 
-    # Define this method because some plugins were monkey patching it.
-    # Remove this after 3.2 is out with the other deprecations in this class.
-    def status_code(*)
-    end
-
     def render_exception(env, exception)
       wrapper = ExceptionWrapper.new(env, exception)
       status  = wrapper.status_code
       env["action_dispatch.exception"] = wrapper.exception
+      env["action_dispatch.original_path"] = env["PATH_INFO"]
       env["PATH_INFO"] = "/#{status}"
       response = @exceptions_app.call(env)
       response[1]['X-Cascade'] == 'pass' ? pass_response(status) : response

data/lib/action_dispatch/middleware/ssl.rb

@@ -0,0 +1,72 @@
+module ActionDispatch
+  class SSL
+    YEAR = 31536000
+
+    def self.default_hsts_options
+      { :expires => YEAR, :subdomains => false }
+    end
+
+    def initialize(app, options = {})
+      @app = app
+
+      @hsts = options.fetch(:hsts, {})
+      @hsts = {} if @hsts == true
+      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
+
+      @host    = options[:host]
+      @port    = options[:port]
+    end
+
+    def call(env)
+      request = Request.new(env)
+
+      if request.ssl?
+        status, headers, body = @app.call(env)
+        headers.reverse_merge!(hsts_headers)
+        flag_cookies_as_secure!(headers)
+        [status, headers, body]
+      else
+        redirect_to_https(request)
+      end
+    end
+
+    private
+      def redirect_to_https(request)
+        host = @host || request.host
+        port = @port || request.port
+
+        location = "https://#{host}"
+        location << ":#{port}" if port != 80
+        location << request.fullpath
+
+        headers = { 'Content-Type' => 'text/html', 'Location' => location }
+
+        [301, headers, []]
+      end
+
+      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
+      def hsts_headers
+        if @hsts
+          value = "max-age=#{@hsts[:expires].to_i}"
+          value += "; includeSubDomains" if @hsts[:subdomains]
+          { 'Strict-Transport-Security' => value }
+        else
+          {}
+        end
+      end
+
+      def flag_cookies_as_secure!(headers)
+        if cookies = headers['Set-Cookie']
+          cookies = cookies.split("\n")
+
+          headers['Set-Cookie'] = cookies.map { |cookie|
+            if cookie !~ /;\s*secure\s*(;|$)/i
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          }.join("\n")
+        end
+      end
+  end
+end

data/lib/action_dispatch/middleware/stack.rb

@@ -75,6 +75,11 @@ module ActionDispatch
       middlewares[i]
     end
 
+    def unshift(*args, &block)
+      middleware = self.class::Middleware.new(*args, &block)
+      middlewares.unshift(middleware)
+    end
+
     def initialize_copy(other)
       self.middlewares = other.middlewares.dup
     end
@@ -110,7 +115,7 @@ module ActionDispatch
     def build(app = nil, &block)
       app ||= block
       raise "MiddlewareStack#build requires an app" unless app
-      middlewares.reverse.inject(app) { |a, e| e.build(a) }
+      middlewares.freeze.reverse.inject(app) { |a, e| e.build(a) }
     end
 
   protected

data/lib/action_dispatch/middleware/static.rb

@@ -1,49 +1,106 @@
 require 'rack/utils'
+require 'active_support/core_ext/uri'
 
 module ActionDispatch
+  # This middleware returns a file's contents from disk in the body response.
+  # When initialized it can accept an optional 'Cache-Control' header which
+  # will be set when a response containing a file's contents is delivered.
+  #
+  # This middleware will render the file specified in `env["PATH_INFO"]`
+  # where the base path is in the +root+ directory. For example if the +root+
+  # is set to `public/` then a request with `env["PATH_INFO"]` of
+  # `assets/application.js` will return a response with contents of a file
+  # located at `public/assets/application.js` if the file exists. If the file
+  # does not exist a 404 "File not Found" response will be returned.
   class FileHandler
     def initialize(root, cache_control)
       @root          = root.chomp('/')
       @compiled_root = /^#{Regexp.escape(root)}/
-      headers = cache_control && { 'Cache-Control' => cache_control }
-      @file_server   = ::Rack::File.new(@root, headers)
+      headers        = cache_control && { 'Cache-Control' => cache_control }
+      @file_server = ::Rack::File.new(@root, headers)
     end
 
     def match?(path)
-      path = path.dup
+      path = URI.parser.unescape(path)
+      return false unless valid_path?(path)
 
-      full_path = path.empty? ? @root : File.join(@root, escape_glob_chars(unescape_path(path)))
-      paths = "#{full_path}#{ext}"
+      paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"].map { |v|
+        Rack::Utils.clean_path_info v
+      }
 
-      matches = Dir[paths]
-      match = matches.detect { |m| File.file?(m) }
-      if match
-        match.sub!(@compiled_root, '')
-        ::Rack::Utils.escape(match)
+      if match = paths.detect { |p|
+        path = File.join(@root, p.force_encoding('UTF-8'))
+        begin
+          File.file?(path) && File.readable?(path)
+        rescue SystemCallError
+          false
+        end
+
+      }
+        return ::Rack::Utils.escape(match)
       end
     end
 
     def call(env)
-      @file_server.call(env)
-    end
+      path      = env['PATH_INFO']
+      gzip_path = gzip_file_path(path)
 
-    def ext
-      @ext ||= begin
-        ext = ::ActionController::Base.page_cache_extension
-        "{,#{ext},/index#{ext}}"
+      if gzip_path && gzip_encoding_accepted?(env)
+        env['PATH_INFO']            = gzip_path
+        status, headers, body       = @file_server.call(env)
+        if status == 304
+          return [status, headers, body]
+        end
+        headers['Content-Encoding'] = 'gzip'
+        headers['Content-Type']     = content_type(path)
+      else
+        status, headers, body = @file_server.call(env)
       end
-    end
 
-    def unescape_path(path)
-      URI.parser.unescape(path)
-    end
+      headers['Vary'] = 'Accept-Encoding' if gzip_path
 
-    def escape_glob_chars(path)
-      path.force_encoding('binary') if path.respond_to? :force_encoding
-      path.gsub(/[*?{}\[\]]/, "\\\\\\&")
+      return [status, headers, body]
+    ensure
+      env['PATH_INFO'] = path
     end
+
+    private
+      def ext
+        ::ActionController::Base.default_static_extension
+      end
+
+      def content_type(path)
+        ::Rack::Mime.mime_type(::File.extname(path), 'text/plain')
+      end
+
+      def gzip_encoding_accepted?(env)
+        env['HTTP_ACCEPT_ENCODING'] =~ /\bgzip\b/i
+      end
+
+      def gzip_file_path(path)
+        can_gzip_mime = content_type(path) =~ /\A(?:text\/|application\/javascript)/
+        gzip_path     = "#{path}.gz"
+        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape(gzip_path)))
+          gzip_path
+        else
+          false
+        end
+      end
+
+      def valid_path?(path)
+        path.valid_encoding? && !path.include?("\0")
+      end
   end
 
+  # This middleware will attempt to return the contents of a file's body from
+  # disk in the response.  If a file is not found on disk, the request will be
+  # delegated to the application stack. This middleware is commonly initialized
+  # to serve assets from a server's `public/` directory.
+  #
+  # This middleware verifies the path to ensure that only files
+  # living in the root directory can be rendered. A request cannot
+  # produce a directory traversal using this middleware. Only 'GET' and 'HEAD'
+  # requests will result in a file being returned.
   class Static
     def initialize(app, path, cache_control=nil)
       @app = app

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb

@@ -0,0 +1,34 @@
+<% unless @exception.blamed_files.blank? %>
+  <% if (hide = @exception.blamed_files.length > 8) %>
+    <a href="#" onclick="return toggleTrace()">Toggle blamed files</a>
+  <% end %>
+  <pre id="blame_trace" <%='style="display:none"' if hide %>><code><%= @exception.describe_blame %></code></pre>
+<% end %>
+
+<%
+  clean_params = @request.filtered_parameters.clone
+  clean_params.delete("action")
+  clean_params.delete("controller")
+
+  request_dump = clean_params.empty? ? 'None' : clean_params.inspect.gsub(',', ",\n")
+
+  def debug_hash(object)
+    object.to_hash.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
+  end unless self.class.method_defined?(:debug_hash)
+%>
+
+<h2 style="margin-top: 30px">Request</h2>
+<p><b>Parameters</b>:</p> <pre><%= request_dump %></pre>
+
+<div class="details">
+  <div class="summary"><a href="#" onclick="return toggleSessionDump()">Toggle session dump</a></div>
+  <div id="session_dump" style="display:none"><pre><%= debug_hash @request.session %></pre></div>
+</div>
+
+<div class="details">
+  <div class="summary"><a href="#" onclick="return toggleEnvDump()">Toggle env dump</a></div>
+  <div id="env_dump" style="display:none"><pre><%= debug_hash @request.env.slice(*@request.class::ENV_METHODS) %></pre></div>
+</div>
+
+<h2 style="margin-top: 30px">Response</h2>
+<p><b>Headers</b>:</p> <pre><%= defined?(@response) ? @response.headers.inspect.gsub(',', ",\n") : 'None' %></pre>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb

@@ -0,0 +1,23 @@
+<%
+  clean_params = @request.filtered_parameters.clone
+  clean_params.delete("action")
+  clean_params.delete("controller")
+
+  request_dump = clean_params.empty? ? 'None' : clean_params.inspect.gsub(',', ",\n")
+
+  def debug_hash(object)
+    object.to_hash.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
+  end unless self.class.method_defined?(:debug_hash)
+%>
+
+Request parameters
+<%= request_dump %>
+
+Session dump
+<%= debug_hash @request.session %>
+
+Env dump
+<%= debug_hash @request.env.slice(*@request.class::ENV_METHODS) %>
+
+Response headers
+<%= defined?(@response) ? @response.headers.inspect.gsub(',', ",\n") : 'None' %>

data/lib/action_dispatch/middleware/templates/rescues/_source.erb

@@ -0,0 +1,27 @@
+<% @source_extracts.each_with_index do |source_extract, index| %>
+  <% if source_extract[:code] %>
+    <div class="source <%="hidden" if @show_source_idx != index%>" id="frame-source-<%=index%>">
+      <div class="info">
+        Extracted source (around line <strong>#<%= source_extract[:line_number] %></strong>):
+      </div>
+      <div class="data">
+        <table cellpadding="0" cellspacing="0" class="lines">
+          <tr>
+            <td>
+              <pre class="line_numbers">
+                <% source_extract[:code].each_key do |line_number| %>
+<span><%= line_number -%></span>
+                <% end %>
+              </pre>
+            </td>
+<td width="100%">
+<pre>
+<% source_extract[:code].each do |line, source| -%><div class="line<%= " active" if line == source_extract[:line_number] -%>"><%= source -%></div><% end -%>
+</pre>
+</td>
+          </tr>
+        </table>
+      </div>
+    </div>
+  <% end %>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb

@@ -0,0 +1,52 @@
+<% names = @traces.keys %>
+
+<p><code>Rails.root: <%= defined?(Rails) && Rails.respond_to?(:root) ? Rails.root : "unset" %></code></p>
+
+<div id="traces">
+  <% names.each do |name| %>
+    <%
+      show = "show('#{name.gsub(/\s/, '-')}');"
+      hide = (names - [name]).collect {|hide_name| "hide('#{hide_name.gsub(/\s/, '-')}');"}
+    %>
+    <a href="#" onclick="<%= hide.join %><%= show %>; return false;"><%= name %></a> <%= '|' unless names.last == name %>
+  <% end %>
+
+  <% @traces.each do |name, trace| %>
+    <div id="<%= name.gsub(/\s/, '-') %>" style="display: <%= (name == @trace_to_show) ? 'block' : 'none' %>;">
+      <pre><code><% trace.each do |frame| %><a class="trace-frames" data-frame-id="<%= frame[:id] %>" href="#"><%= frame[:trace] %></a><br><% end %></code></pre>
+    </div>
+  <% end %>
+
+  <script type="text/javascript">
+    var traceFrames = document.getElementsByClassName('trace-frames');
+    var selectedFrame, currentSource = document.getElementById('frame-source-0');
+
+    // Add click listeners for all stack frames
+    for (var i = 0; i < traceFrames.length; i++) {
+      traceFrames[i].addEventListener('click', function(e) {
+        e.preventDefault();
+        var target = e.target;
+        var frame_id = target.dataset.frameId;
+
+        if (selectedFrame) {
+          selectedFrame.className = selectedFrame.className.replace("selected", "");
+        }
+
+        target.className += " selected";
+        selectedFrame = target;
+
+        // Change the extracted source code
+        changeSourceExtract(frame_id);
+      });
+
+      function changeSourceExtract(frame_id) {
+        var el = document.getElementById('frame-source-' + frame_id);
+        if (currentSource && el) {
+          currentSource.className += " hidden";
+          el.className = el.className.replace(" hidden", "");
+          currentSource = el;
+        }
+      }
+    }
+  </script>
+</div>

data/lib/action_dispatch/middleware/templates/rescues/_trace.text.erb

@@ -0,0 +1,9 @@
+Rails.root: <%= defined?(Rails) && Rails.respond_to?(:root) ? Rails.root : "unset" %>
+
+<% @traces.each do |name, trace| %>
+<% if trace.any? %>
+<%= name %>
+<%= trace.map { |t| t[:trace] }.join("\n") %>
+
+<% end %>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -0,0 +1,16 @@
+<header>
+  <h1>
+    <%= @exception.class.to_s %>
+    <% if @request.parameters['controller'] %>
+      in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
+    <% end %>
+  </h1>
+</header>
+
+<div id="container">
+  <h2><%= h @exception.message %></h2>
+
+  <%= render template: "rescues/_source" %>
+  <%= render template: "rescues/_trace" %>
+  <%= render template: "rescues/_request_and_response" %>
+</div>

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb

@@ -0,0 +1,9 @@
+<%= @exception.class.to_s %><%
+  if @request.parameters['controller']
+%> in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
+<% end %>
+
+<%= @exception.message %>
+<%= render template: "rescues/_source" %>
+<%= render template: "rescues/_trace" %>
+<%= render template: "rescues/_request_and_response" %>

data/lib/action_dispatch/middleware/templates/rescues/layout.erb

@@ -4,7 +4,11 @@
   <meta charset="utf-8" />
   <title>Action Controller: Exception caught</title>
   <style>
-    body { background-color: #fff; color: #333; }
+    body {
+      background-color: #FAFAFA;
+      color: #333;
+      margin: 0px;
+    }
 
     body, p, ol, ul, td {
       font-family: helvetica, verdana, arial, sans-serif;
@@ -13,16 +17,140 @@
     }
 
     pre {
-      background-color: #eee;
-      padding: 10px;
       font-size: 11px;
       white-space: pre-wrap;
     }
 
-    a { color: #000; }
+    pre.box {
+      border: 1px solid #EEE;
+      padding: 10px;
+      margin: 0px;
+      width: 958px;
+    }
+
+    header {
+      color: #F0F0F0;
+      background: #C52F24;
+      padding: 0.5em 1.5em;
+    }
+
+    h1 {
+      margin: 0.2em 0;
+      line-height: 1.1em;
+      font-size: 2em;
+    }
+
+    h2 {
+      color: #C52F24;
+      line-height: 25px;
+    }
+
+    .details {
+      border: 1px solid #D0D0D0;
+      border-radius: 4px;
+      margin: 1em 0px;
+      display: block;
+      width: 978px;
+    }
+
+    .summary {
+      padding: 8px 15px;
+      border-bottom: 1px solid #D0D0D0;
+      display: block;
+    }
+
+    .details pre {
+      margin: 5px;
+      border: none;
+    }
+
+    #container {
+      box-sizing: border-box;
+      width: 100%;
+      padding: 0 1.5em;
+    }
+
+    .source * {
+      margin: 0px;
+      padding: 0px;
+    }
+
+    .source {
+      border: 1px solid #D9D9D9;
+      background: #ECECEC;
+      width: 978px;
+    }
+
+    .source pre {
+      padding: 10px 0px;
+      border: none;
+    }
+
+    .source .data {
+      font-size: 80%;
+      overflow: auto;
+      background-color: #FFF;
+    }
+
+    .info {
+      padding: 0.5em;
+    }
+
+    .source .data .line_numbers {
+      background-color: #ECECEC;
+      color: #AAA;
+      padding: 1em .5em;
+      border-right: 1px solid #DDD;
+      text-align: right;
+    }
+
+    .line {
+      padding-left: 10px;
+    }
+
+    .line:hover {
+      background-color: #F6F6F6;
+    }
+
+    .line.active {
+      background-color: #FFCCCC;
+    }
+
+    .hidden {
+      display: none;
+    }
+
+    a { color: #980905; }
     a:visited { color: #666; }
-    a:hover { color: #fff; background-color:#000; }
+    a.trace-frames { color: #666; }
+    a:hover { color: #C52F24; }
+    a.trace-frames.selected { color: #C52F24 }
+
+    <%= yield :style %>
   </style>
+
+  <script>
+    var toggle = function(id) {
+      var s = document.getElementById(id).style;
+      s.display = s.display == 'none' ? 'block' : 'none';
+      return false;
+    }
+    var show = function(id) {
+      document.getElementById(id).style.display = 'block';
+    }
+    var hide = function(id) {
+      document.getElementById(id).style.display = 'none';
+    }
+    var toggleTrace = function() {
+      return toggle('blame_trace');
+    }
+    var toggleSessionDump = function() {
+      return toggle('session_dump');
+    }
+    var toggleEnvDump = function() {
+      return toggle('env_dump');
+    }
+  </script>
 </head>
 <body>
 

data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb

@@ -0,0 +1,11 @@
+<header>
+  <h1>Template is missing</h1>
+</header>
+
+<div id="container">
+  <h2><%= h @exception.message %></h2>
+
+  <%= render template: "rescues/_source" %>
+  <%= render template: "rescues/_trace" %>
+  <%= render template: "rescues/_request_and_response" %>
+</div>

data/lib/action_dispatch/middleware/templates/rescues/missing_template.text.erb

@@ -0,0 +1,3 @@
+Template is missing
+
+<%= @exception.message %>