actionpack 4.0.1 → 4.2.11.1

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -10,6 +10,8 @@ module ActionDispatch
         self.ignore_accept_header = false
       end
 
+      attr_reader :variant
+
       # The MIME type of the HTTP request, such as Mime::XML.
       #
       # For backward compatibility, the post \format is extracted from the
@@ -48,12 +50,18 @@ module ActionDispatch
       #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
       #
       def format(view_path = [])
-        formats.first
+        formats.first || Mime::NullType.instance
       end
 
       def formats
-        @env["action_dispatch.request.formats"] ||=
-          if parameters[:format]
+        @env["action_dispatch.request.formats"] ||= begin
+          params_readable = begin
+                              parameters[:format]
+                            rescue ActionController::BadRequest
+                              false
+                            end
+
+          v = if params_readable
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
@@ -62,6 +70,25 @@ module ActionDispatch
           else
             [Mime::HTML]
           end
+
+          v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
+        end
+      end
+
+      # Sets the \variant for template.
+      def variant=(variant)
+        if variant.is_a?(Symbol)
+          @variant = [variant]
+        elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
+          @variant = variant
+        else
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
+            "For security reasons, never directly set the variant to a user-provided value, " \
+            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
+            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+        end
       end
 
       # Sets the \format by string extension, which can be used to force custom formats
@@ -113,7 +140,7 @@ module ActionDispatch
           end
         end
 
-        order.include?(Mime::ALL) ? formats.first : nil
+        order.include?(Mime::ALL) ? format : nil
       end
 
       protected

data/lib/action_dispatch/http/mime_type.rb

@@ -1,5 +1,6 @@
 require 'set'
-require 'active_support/core_ext/class/attribute_accessors'
+require 'singleton'
+require 'active_support/core_ext/module/attribute_accessors'
 require 'active_support/core_ext/string/starts_ends_with'
 
 module Mime
@@ -22,12 +23,12 @@ module Mime
 
   SET              = Mimes.new
   EXTENSION_LOOKUP = {}
-  LOOKUP           = Hash.new { |h, k| h[k] = Type.new(k) unless k.blank? }
+  LOOKUP           = {}
 
   class << self
     def [](type)
       return type if type.is_a?(Type)
-      Type.lookup_by_extension(type) || NullType.new
+      Type.lookup_by_extension(type)
     end
 
     def fetch(type)
@@ -44,8 +45,8 @@ module Mime
   #
   #       respond_to do |format|
   #         format.html
-  #         format.ics { render text: post.to_ics, mime_type: Mime::Type["text/calendar"]  }
-  #         format.xml { render xml: @people }
+  #         format.ics { render text: @post.to_ics, mime_type: Mime::Type["text/calendar"]  }
+  #         format.xml { render xml: @post }
   #       end
   #     end
   #   end
@@ -53,10 +54,6 @@ module Mime
     @@html_types = Set.new [:html, :all]
     cattr_reader :html_types
 
-    # These are the content types which browsers can generate without using ajax, flash, etc
-    # i.e. following a link, getting an image or posting a form. CSRF protection
-    # only needs to protect against these types.
-    @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form, :text]
     attr_reader :symbol
 
     @register_callbacks = []
@@ -149,7 +146,7 @@ module Mime
       end
 
       def lookup(string)
-        LOOKUP[string]
+        LOOKUP[string] || Type.new(string)
       end
 
       def lookup_by_extension(extension)
@@ -177,7 +174,7 @@ module Mime
       end
 
       def parse(accept_header)
-        if accept_header !~ /,/
+        if !accept_header.include?(',')
           accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
           parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
         else
@@ -228,9 +225,12 @@ module Mime
       end
     end
 
+    attr_reader :hash
+
     def initialize(string, symbol = nil, synonyms = [])
       @symbol, @synonyms = symbol, synonyms
       @string = string
+      @hash = [@string, @synonyms, @symbol].hash
     end
 
     def to_s
@@ -264,6 +264,13 @@ module Mime
       end
     end
 
+    def eql?(other)
+      super || (self.class == other.class &&
+                @string    == other.string &&
+                @synonyms  == other.synonyms &&
+                @symbol    == other.symbol)
+    end
+
     def =~(mime_type)
       return false if mime_type.blank?
       regexp = Regexp.new(Regexp.quote(mime_type.to_s))
@@ -272,23 +279,15 @@ module Mime
       end
     end
 
-    # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See
-    # ActionController::RequestForgeryProtection.
-    def verify_request?
-      ActiveSupport::Deprecation.warn "Mime::Type#verify_request? is deprecated and will be removed in Rails 4.1"
-      @@browser_generated_types.include?(to_sym)
-    end
-
-    def self.browser_generated_types
-      ActiveSupport::Deprecation.warn "Mime::Type.browser_generated_types is deprecated and will be removed in Rails 4.1"
-      @@browser_generated_types
-    end
-
     def html?
       @@html_types.include?(to_sym) || @string =~ /html/
     end
 
 
+    protected
+
+    attr_reader :string, :synonyms
+
     private
 
     def to_ary; end
@@ -308,13 +307,13 @@ module Mime
   end
 
   class NullType
+    include Singleton
+
     def nil?
       true
     end
 
-    def ref
-      nil
-    end
+    def ref; end
 
     def respond_to_missing?(method, include_private = false)
       method.to_s.ends_with? '?'

data/lib/action_dispatch/http/mime_types.rb

@@ -7,6 +7,7 @@ Mime::Type.register "text/javascript", :js, %w( application/javascript applicati
 Mime::Type.register "text/css", :css
 Mime::Type.register "text/calendar", :ics
 Mime::Type.register "text/csv", :csv
+Mime::Type.register "text/vcard", :vcf
 
 Mime::Type.register "image/png", :png, [], %w(png)
 Mime::Type.register "image/jpeg", :jpeg, [], %w(jpg jpeg jpe pjpeg)

data/lib/action_dispatch/http/parameter_filter.rb

@@ -56,7 +56,7 @@ module ActionDispatch
             elsif value.is_a?(Array)
               value = value.map { |v| v.is_a?(Hash) ? call(v) : v }
             elsif blocks.any?
-              key = key.dup
+              key = key.dup if key.duplicable?
               value = value.dup if value.duplicable?
               blocks.each { |b| b.call(key, value) }
             end

data/lib/action_dispatch/http/parameters.rb

@@ -1,13 +1,11 @@
 require 'active_support/core_ext/hash/keys'
 require 'active_support/core_ext/hash/indifferent_access'
+require 'active_support/deprecation'
 
 module ActionDispatch
   module Http
     module Parameters
-      def initialize(env)
-        super
-        @symbolized_path_params = nil
-      end
+      PARAMETERS_KEY = 'action_dispatch.request.path_parameters'
 
       # Returns both GET and POST \parameters in a single hash.
       def parameters
@@ -18,65 +16,51 @@ module ActionDispatch
             query_parameters.dup
           end
           params.merge!(path_parameters)
-          params.with_indifferent_access
         end
       end
       alias :params :parameters
 
       def path_parameters=(parameters) #:nodoc:
-        @symbolized_path_params = nil
-        @env.delete("action_dispatch.request.parameters")
-        @env["action_dispatch.request.path_parameters"] = parameters
+        @env.delete('action_dispatch.request.parameters')
+        @env[PARAMETERS_KEY] = parameters
       end
 
-      # The same as <tt>path_parameters</tt> with explicitly symbolized keys.
       def symbolized_path_parameters
-        @symbolized_path_params ||= path_parameters.symbolize_keys
+        ActiveSupport::Deprecation.warn(
+          '`symbolized_path_parameters` is deprecated. Please use `path_parameters`.'
+        )
+        path_parameters
       end
 
       # Returns a hash with the \parameters used to form the \path of the request.
       # Returned hash keys are strings:
       #
       #   {'action' => 'my_action', 'controller' => 'my_controller'}
-      #
-      # See <tt>symbolized_path_parameters</tt> for symbolized keys.
       def path_parameters
-        @env["action_dispatch.request.path_parameters"] ||= {}
-      end
-
-      def reset_parameters #:nodoc:
-        @env.delete("action_dispatch.request.parameters")
+        @env[PARAMETERS_KEY] ||= {}
       end
 
     private
 
-      # Convert nested Hash to HashWithIndifferentAccess
-      # and UTF-8 encode both keys and values in nested Hash.
+      # Convert nested Hash to HashWithIndifferentAccess.
       #
-      # TODO: Validate that the characters are UTF-8. If they aren't,
-      # you'll get a weird error down the road, but our form handling
-      # should really prevent that from happening
       def normalize_encode_params(params)
-        if params.is_a?(String)
-          return params.force_encoding(Encoding::UTF_8).encode!
-        elsif !params.is_a?(Hash)
-          return params
-        end
-
-        new_hash = {}
-        params.each do |k, v|
-          new_key = k.is_a?(String) ? k.dup.force_encoding(Encoding::UTF_8).encode! : k
-          new_hash[new_key] =
-            case v
-            when Hash
-              normalize_encode_params(v)
-            when Array
-              v.map! {|el| normalize_encode_params(el) }
-            else
-              normalize_encode_params(v)
-            end
+        case params
+        when Hash
+          if params.has_key?(:tempfile)
+            UploadedFile.new(params)
+          else
+            params.each_with_object({}) do |(key, val), new_hash|
+              new_hash[key] = if val.is_a?(Array)
+                val.map! { |el| normalize_encode_params(el) }
+              else
+                normalize_encode_params(val)
+              end
+            end.with_indifferent_access
+          end
+        else
+          params
         end
-        new_hash.with_indifferent_access
       end
     end
   end

data/lib/action_dispatch/http/request.rb

@@ -18,12 +18,12 @@ module ActionDispatch
     include ActionDispatch::Http::MimeNegotiation
     include ActionDispatch::Http::Parameters
     include ActionDispatch::Http::FilterParameters
-    include ActionDispatch::Http::Upload
     include ActionDispatch::Http::URL
 
     autoload :Session, 'action_dispatch/request/session'
+    autoload :Utils,   'action_dispatch/request/utils'
 
-    LOCALHOST   = Regexp.union [/^127\.0\.0\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/]
+    LOCALHOST   = Regexp.union [/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/]
 
     ENV_METHODS = %w[ AUTH_TYPE GATEWAY_INTERFACE
         PATH_TRANSLATED REMOTE_HOST
@@ -53,6 +53,17 @@ module ActionDispatch
       @uuid              = nil
     end
 
+    def check_path_parameters!
+      # If any of the path parameters has an invalid encoding then
+      # raise since it's likely to trigger errors further on.
+      path_parameters.each do |key, value|
+        next unless value.respond_to?(:valid_encoding?)
+        unless value.valid_encoding?
+          raise ActionController::BadRequest, "Invalid parameter: #{key} => #{value}"
+        end
+      end
+    end
+
     def key?(key)
       @env.key?(key)
     end
@@ -64,6 +75,7 @@ module ActionDispatch
     # Ordered Collections Protocol (WebDAV) (http://www.ietf.org/rfc/rfc3648.txt)
     # Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol (http://www.ietf.org/rfc/rfc3744.txt)
     # Web Distributed Authoring and Versioning (WebDAV) SEARCH (http://www.ietf.org/rfc/rfc5323.txt)
+    # Calendar Extensions to WebDAV (http://www.ietf.org/rfc/rfc4791.txt)
     # PATCH Method for HTTP (http://www.ietf.org/rfc/rfc5789.txt)
     RFC2616 = %w(OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT)
     RFC2518 = %w(PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK)
@@ -71,9 +83,10 @@ module ActionDispatch
     RFC3648 = %w(ORDERPATCH)
     RFC3744 = %w(ACL)
     RFC5323 = %w(SEARCH)
+    RFC4791 = %w(MKCALENDAR)
     RFC5789 = %w(PATCH)
 
-    HTTP_METHODS = RFC2616 + RFC2518 + RFC3253 + RFC3648 + RFC3744 + RFC5323 + RFC5789
+    HTTP_METHODS = RFC2616 + RFC2518 + RFC3253 + RFC3648 + RFC3744 + RFC5323 + RFC4791 + RFC5789
 
     HTTP_METHOD_LOOKUP = {}
 
@@ -92,6 +105,12 @@ module ActionDispatch
       @request_method ||= check_method(env["REQUEST_METHOD"])
     end
 
+    def request_method=(request_method) #:nodoc:
+      if check_method(request_method)
+        @request_method = env["REQUEST_METHOD"] = request_method
+      end
+    end
+
     # Returns a symbol form of the #request_method
     def request_method_symbol
       HTTP_METHOD_LOOKUP[request_method]
@@ -152,6 +171,13 @@ module ActionDispatch
       Http::Headers.new(@env)
     end
 
+    # Returns a +String+ with the last requested path including their params.
+    #
+    #    # get '/foo'
+    #    request.original_fullpath # => '/foo'
+    #
+    #    # get '/foo?bar'
+    #    request.original_fullpath # => '/foo?bar'
     def original_fullpath
       @original_fullpath ||= (env["ORIGINAL_FULLPATH"] || fullpath)
     end
@@ -189,8 +215,8 @@ module ActionDispatch
     end
 
     # Returns true if the "X-Requested-With" header contains "XMLHttpRequest"
-    # (case-insensitive). All major JavaScript libraries send this header with
-    # every Ajax request.
+    # (case-insensitive), which may need to be manually added depending on the
+    # choice of JavaScript libraries and frameworks.
     def xml_http_request?
       @env['HTTP_X_REQUESTED_WITH'] =~ /XMLHttpRequest/i
     end
@@ -205,7 +231,7 @@ module ActionDispatch
       @remote_ip ||= (@env["action_dispatch.remote_ip"] || ip).to_s
     end
 
-    # Returns the unique request id, which is based off either the X-Request-Id header that can
+    # Returns the unique request id, which is based on either the X-Request-Id header that can
     # be generated by a firewall, load balancer, or web server or by the RequestId middleware
     # (which sets the action_dispatch.request_id environment variable).
     #
@@ -225,7 +251,7 @@ module ActionDispatch
     def raw_post
       unless @env.include? 'RAW_POST_DATA'
         raw_post_body = body
-        @env['RAW_POST_DATA'] = raw_post_body.read(@env['CONTENT_LENGTH'].to_i)
+        @env['RAW_POST_DATA'] = raw_post_body.read(content_length)
         raw_post_body.rewind if raw_post_body.respond_to?(:rewind)
       end
       @env['RAW_POST_DATA']
@@ -271,16 +297,16 @@ module ActionDispatch
 
     # Override Rack's GET method to support indifferent access
     def GET
-      @env["action_dispatch.request.query_parameters"] ||= (normalize_encode_params(super) || {})
-    rescue TypeError => e
+      @env["action_dispatch.request.query_parameters"] ||= Utils.deep_munge(normalize_encode_params(super || {}))
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
       raise ActionController::BadRequest.new(:query, e)
     end
     alias :query_parameters :GET
 
     # Override Rack's POST method to support indifferent access
     def POST
-      @env["action_dispatch.request.request_parameters"] ||= (normalize_encode_params(super) || {})
-    rescue TypeError => e
+      @env["action_dispatch.request.request_parameters"] ||= Utils.deep_munge(normalize_encode_params(super || {}))
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
       raise ActionController::BadRequest.new(:request, e)
     end
     alias :request_parameters :POST
@@ -299,33 +325,24 @@ module ActionDispatch
       LOCALHOST =~ remote_addr && LOCALHOST =~ remote_ip
     end
 
-    # Remove nils from the params hash
+    # Extracted into ActionDispatch::Request::Utils.deep_munge, but kept here for backwards compatibility.
     def deep_munge(hash)
-      hash.each do |k, v|
-        case v
-        when Array
-          v.grep(Hash) { |x| deep_munge(x) }
-          v.compact!
-          hash[k] = nil if v.empty?
-        when Hash
-          deep_munge(v)
-        end
-      end
+      ActiveSupport::Deprecation.warn(
+        'This method has been extracted into `ActionDispatch::Request::Utils.deep_munge`. Please start using that instead.'
+      )
 
-      hash
+      Utils.deep_munge(hash)
     end
 
     protected
-
-    def parse_query(qs)
-      deep_munge(super)
-    end
+      def parse_query(qs)
+        Utils.deep_munge(super)
+      end
 
     private
-
-    def check_method(name)
-      HTTP_METHOD_LOOKUP[name] || raise(ActionController::UnknownHttpMethod, "#{name}, accepted HTTP methods are #{HTTP_METHODS.to_sentence(:locale => :en)}")
-      name
-    end
+      def check_method(name)
+        HTTP_METHOD_LOOKUP[name] || raise(ActionController::UnknownHttpMethod, "#{name}, accepted HTTP methods are #{HTTP_METHODS[0...-1].join(', ')}, and #{HTTP_METHODS[-1]}")
+        name
+      end
   end
 end