actionpack 4.0.3 → 4.0.4.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 88bdd4990a97dcad1337f5538672cf2ba466bc9e
-  data.tar.gz: 5c5e247912af700ec1d6cfe4a46d6fd123d6d2c9
+  metadata.gz: 3b4c750612bd5a8cdff3e5d2d1fdebb223ff0722
+  data.tar.gz: f9d86118539be440b17fc08301300003f877425e
 SHA512:
-  metadata.gz: 24449d94d5ae99d1571a69d0c39459c07c88effd7614c1f368bb359688aec13f492e0b42fe4d8cf924d6879d5a309261567e6f2019d5b34a60fbcf2637877b50
-  data.tar.gz: e81f58104713eb4cecddc46b0903bbf436a19e7bd40c347311ba1fdce6f7a4f30d6cb62ddc92cbb9b9e8550693c172c29846f1fa5ee9ed5dc5aafd741ad2af59
+  metadata.gz: 0e07cef37e94e404063ff892491a75489d99b0a264a2826c7a7ae74cdb78d76ce465e199c9177b1c840d650bbe0ad36d89aa5a409e7352683597f721997690d9
+  data.tar.gz: b97cffd76fb157bdef3492d70718dbc527c73d5c028c03e2e0e62cf79f148266a17fe34c357640873b1392ec2ab20e1a37e423e0ba99d95c568d8a7d1ec3bebc

data/CHANGELOG.md

@@ -1,7 +1,185 @@
+## Rails 4.0.4 ##
+
+*   Fix label translation for more than 10 nested elements.
+
+    *Vladimir Krylov*
+
+*   Use a custom route visitor for optimized url generation. Fixes #13349.
+
+    *Andrew White*
+
+*   Set the `:shallow_path` scope option as each scope is generated rather than
+    waiting until the `shallow` option is set. Also make the behavior of the
+    `:shallow` resource option consistent with the behavior of the `shallow` method.
+
+    Fixes #12498.
+
+    *Andrew White*, *Aleksi Aalto*
+
+*   Do not discard query parameters that form a hash with the same root key as
+    the `wrapper_key` for a request using `wrap_parameters`.
+
+    *Josh Jordan*
+
+*   Ensure that `request.filtered_parameters` is reset between calls to `process`
+    in `ActionController::TestCase`.
+
+    Fixes #13803.
+
+    *Andrew White*
+
+*   Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
+
+    Fixes #13810.
+
+    *Maurizio De Santis*
+
+*   Unique the segment keys array for non-optimized url helpers
+
+    In Rails 3.2 you only needed pass an argument for dynamic segment once so
+    unique the segment keys array to match the number of args. Since the number
+    of args is less than required parts the non-optimized code path is selected.
+    This means to benefit from optimized url generation the arg needs to be
+    specified as many times as it appears in the path.
+
+    Fixes #12808.
+
+    *Andrew White*
+
+*   Show full route constraints in error message
+
+    When an optimized helper fails to generate, show the full route constraints
+    in the error message. Previously it would only show the contraints that were
+    required as part of the path.
+
+    Fixes #13592.
+
+    *Andrew White*
+
+*   Allow engine root relative redirects using an empty string.
+
+    Example:
+
+        # application routes.rb
+        mount BlogEngine => '/blog'
+
+        # engine routes.rb
+        get '/welcome' => redirect('')
+
+    This now redirects to the path `/blog`, whereas before it would redirect
+    to the application root path. In the case of a path redirect or a custom
+    redirect if the path returned contains a host then the path is treated as
+    absolute. Similarly for option redirects, if the options hash returned
+    contains a `:host` or `:domain` key then the path is treated as absolute.
+
+    Fixes #7977.
+
+    *Andrew White*
+
+*   Fix `Encoding::CompatibilityError` when public path is UTF-8
+
+    In #5337 we forced the path encoding to ASCII-8BIT to prevent static file handling
+    from blowing up before an application has had chance to deal with possibly invalid
+    urls. However this has a negative side effect of making it an incompatible encoding
+    if the application's public path has UTF-8 characters in it.
+
+    To work around the problem we check to see if the path has a valid encoding once
+    it has been unescaped. If it is not valid then we can return early since it will
+    not match any file anyway.
+
+    Fixes #13518.
+
+    *Andrew White*
+
+*   `ActionController::Parameters#permit!` permits hashes in array values.
+
+    *Xavier Noria*
+
+*   Converts hashes in arrays of unfiltered params to unpermitted params.
+
+    Fixes #13382.
+
+    *Xavier Noria*
+
+*   `rake routes` shows routes defined under assets prefix.
+
+    *Ryunosuke SATO*
+
+*   Label tags generated by collection helpers only inherit the `:index` and
+    `:namespace` from the input, because only these attributes modifies the
+    `for` attribute of the label. Also, the input attributes don't have
+    precedence over the label attributes anymore.
+
+    Before:
+
+        collection = [[1, true, { class: 'foo' }]]
+        f.collection_check_boxes :options, collection, :second, :first do |b|
+          b.label(class: 'my_custom_class')
+        end
+
+        # => <label class="foo" for="user_active_true">1</label>
+
+    After:
+
+        collection = [[1, true, { class: 'foo' }]]
+        f.collection_check_boxes :options, collection, :second, :first do |b|
+          b.label(class: 'my_custom_class')
+        end
+
+        # => <label class="my_custom_class" for="user_active_true">1</label>
+
+    *Andriel Nuernberg*
+
+*   Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with
+    `options[:raise]`.
+
+    This regression was introduced at ec16ba75a5493b9da972eea08bae630eba35b62f.
+
+    *Shota Fukumori (sora_h)*
+
+*   Fix render of localized templates without an explicit format using wrong
+    content header and not passing correct formats to template due to the
+    introduction of the `NullType` for mimes.
+
+    Templates like `hello.it.erb` were subject to this issue.
+
+    Fixes #13064.
+
+    *Angelo Capilleri*, *Carlos Antonio da Silva*
+
+*   Fix regression with `simple_format` not having access to the `raw` method
+    when included in isolation, introduced with the security fix in Rails 4.0.2.
+
+    *Mario Visic*
+
+*   Fix formatting for `rake routes` when a section is shorter than a header.
+
+    *Sıtkı Bağdat*
+
+*   Use `set_backtrace` instead of instance variable `@backtrace` in ActionView exceptions.
+
+    *Shimpei Makimoto*
+
+*   Fix `simple_format` escapes own output when passing `sanitize: true`.
+
+    *Paul Seidemann*
+
+*   Don't let strong parameters mutate the given hash via `fetch`.
+
+    Create a new instance if the given parameter is a `Hash` instead of
+    passing it to the `convert_hashes_to_parameters` method since it is
+    overriding its default value.
+
+    *Brendon Murphy*, *Doug Cole*
+
+
+## Rails 4.0.3 (February 18, 2014) ##
+
 *   Escape format, negative_format and units options of number helpers
 
     Fixes: CVE-2014-0081
 
+
 ## Rails 4.0.2 (December 02, 2013) ##
 
 *   Ensure simple_format escapes its html attributes. This fixes CVE-2013-6416

data/lib/action_controller/base.rb

@@ -85,7 +85,7 @@ module ActionController
   # or you can remove the entire session with +reset_session+.
   #
   # Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
-  # This prevents the user from tampering with the session but also allows him to see its contents.
+  # This prevents the user from tampering with the session but also allows them to see its contents.
   #
   # Do not put secret information in cookie-based sessions!
   #

data/lib/action_controller/metal/params_wrapper.rb

@@ -231,7 +231,12 @@ module ActionController
     # by the metal call stack.
     def process_action(*args)
       if _wrapper_enabled?
-        wrapped_hash = _wrap_parameters request.request_parameters
+        if request.parameters[_wrapper_key].present?
+          wrapped_hash = _extract_parameters(request.parameters)
+        else
+          wrapped_hash = _wrap_parameters request.request_parameters
+        end
+
         wrapped_keys = request.request_parameters.keys
         wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
 
@@ -259,14 +264,16 @@ module ActionController
 
       # Returns the list of parameters which will be selected for wrapped.
       def _wrap_parameters(parameters)
-        value = if include_only = _wrapper_options.include
+        { _wrapper_key => _extract_parameters(parameters) }
+      end
+
+      def _extract_parameters(parameters)
+        if include_only = _wrapper_options.include
           parameters.slice(*include_only)
         else
           exclude = _wrapper_options.exclude || []
           parameters.except(*(exclude + EXCLUDE_PARAMETERS))
         end
-
-        { _wrapper_key => value }
       end
 
       # Checks if we should perform parameters wrapping.

data/lib/action_controller/metal/redirecting.rb

@@ -58,7 +58,7 @@ module ActionController
     #   redirect_to post_url(@post), alert: "Watch it, mister!"
     #   redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
     #   redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
-    #   redirect_to { action: 'atom' }, alert: "Something serious happened"
+    #   redirect_to({ action: 'atom' }, alert: "Something serious happened")
     #
     # When using <tt>redirect_to :back</tt>, if there is no referrer, ActionController::RedirectBackError will be raised. You may specify some fallback
     # behavior for this case by rescuing ActionController::RedirectBackError.

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -124,6 +124,9 @@ module ActionController #:nodoc:
             @loaded = true
           end
 
+          # no-op
+          def destroy; end
+
           def exists?
             true
           end

data/lib/action_controller/metal/responder.rb

@@ -140,7 +140,7 @@ module ActionController #:nodoc:
     undef_method(:to_json) if method_defined?(:to_json)
     undef_method(:to_yaml) if method_defined?(:to_yaml)
 
-    # Initializes a new responder an invoke the proper format. If the format is
+    # Initializes a new responder and invokes the proper format. If the format is
     # not defined, call to_format.
     #
     def self.call(*args)

data/lib/action_controller/metal/strong_parameters.rb

@@ -3,6 +3,7 @@ require 'active_support/core_ext/array/wrap'
 require 'active_support/rescuable'
 require 'action_dispatch/http/upload'
 require 'stringio'
+require 'set'
 
 module ActionController
   # Raised when a required parameter is missing.
@@ -17,7 +18,7 @@ module ActionController
 
     def initialize(param) # :nodoc:
       @param = param
-      super("param not found: #{param}")
+      super("param is missing or the value is empty: #{param}")
     end
   end
 
@@ -125,6 +126,13 @@ module ActionController
       @permitted = self.class.permit_all_parameters
     end
 
+    # Attribute that keeps track of converted arrays, if any, to avoid double
+    # looping in the common use case permit + mass-assignment. Defined in a
+    # method to instantiate it only if needed.
+    def converted_arrays
+      @converted_arrays ||= Set.new
+    end
+
     # Returns +true+ if the parameter is permitted, +false+ otherwise.
     #
     #   params = ActionController::Parameters.new
@@ -149,8 +157,10 @@ module ActionController
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def permit!
       each_pair do |key, value|
-        convert_hashes_to_parameters(key, value)
-        self[key].permit! if self[key].respond_to? :permit!
+        value = convert_hashes_to_parameters(key, value)
+        Array.wrap(value).each do |_|
+          _.permit! if _.respond_to? :permit!
+        end
       end
 
       @permitted = true
@@ -284,7 +294,7 @@ module ActionController
     #   params.fetch(:none, 'Francesco')    # => "Francesco"
     #   params.fetch(:none) { 'Francesco' } # => "Francesco"
     def fetch(key, *args)
-      convert_hashes_to_parameters(key, super)
+      convert_hashes_to_parameters(key, super, false)
     rescue KeyError
       raise ActionController::ParameterMissing.new(key)
     end
@@ -317,12 +327,21 @@ module ActionController
     end
 
     private
-      def convert_hashes_to_parameters(key, value)
-        if value.is_a?(Parameters) || !value.is_a?(Hash)
+      def convert_hashes_to_parameters(key, value, assign_if_converted=true)
+        converted = convert_value_to_parameters(value)
+        self[key] = converted if assign_if_converted && !converted.equal?(value)
+        converted
+      end
+
+      def convert_value_to_parameters(value)
+        if value.is_a?(Array) && !converted_arrays.member?(value)
+          converted = value.map { |_| convert_value_to_parameters(_) }
+          converted_arrays << converted
+          converted
+        elsif value.is_a?(Parameters) || !value.is_a?(Hash)
           value
         else
-          # Convert to Parameters on first access
-          self[key] = self.class.new(value)
+          self.class.new(value)
         end
       end
 

data/lib/action_controller/test_case.rb

@@ -213,6 +213,9 @@ module ActionController
       # Clear the combined params hash in case it was already referenced.
       @env.delete("action_dispatch.request.parameters")
 
+      # Clear the filter cache variables so they're not stale
+      @filtered_parameters = @filtered_env = @filtered_path = nil
+
       params = self.request_parameters.dup
       %w(controller action only_path).each do |k|
         params.delete(k)

data/lib/action_dispatch.rb

@@ -52,7 +52,6 @@ module ActionDispatch
     autoload :DebugExceptions
     autoload :ExceptionWrapper
     autoload :Flash
-    autoload :Head
     autoload :ParamsParser
     autoload :PublicExceptions
     autoload :Reloader

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -48,7 +48,7 @@ module ActionDispatch
       #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
       #
       def format(view_path = [])
-        formats.first
+        formats.first || Mime::NullType.instance
       end
 
       def formats

data/lib/action_dispatch/http/mime_type.rb

@@ -1,4 +1,5 @@
 require 'set'
+require 'singleton'
 require 'active_support/core_ext/class/attribute_accessors'
 require 'active_support/core_ext/string/starts_ends_with'
 
@@ -27,7 +28,7 @@ module Mime
   class << self
     def [](type)
       return type if type.is_a?(Type)
-      Type.lookup_by_extension(type) || NullType.new
+      Type.lookup_by_extension(type)
     end
 
     def fetch(type)
@@ -308,6 +309,8 @@ module Mime
   end
 
   class NullType
+    include Singleton
+
     def nil?
       true
     end

data/lib/action_dispatch/journey/formatter.rb

@@ -33,8 +33,8 @@ module ActionDispatch
           return [route.format(parameterized_parts), params]
         end
 
-        message = "No route matches #{constraints.inspect}"
-        message << " missing required keys: #{missing_keys.inspect}" if name
+        message = "No route matches #{Hash[constraints.sort].inspect}"
+        message << " missing required keys: #{missing_keys.sort.inspect}" if name
 
         raise ActionController::UrlGenerationError, message
       end

data/lib/action_dispatch/journey/visitors.rb

@@ -77,12 +77,32 @@ module ActionDispatch
         end
       end
 
-      class OptimizedPath < String # :nodoc:
+      class OptimizedPath < Visitor # :nodoc:
+        def accept(node)
+          Array(visit(node))
+        end
+
         private
 
-        def visit_GROUP(node)
-          ""
-        end
+          def visit_CAT(node)
+            [visit(node.left), visit(node.right)].flatten
+          end
+
+          def visit_SYMBOL(node)
+            node.left[1..-1].to_sym
+          end
+
+          def visit_STAR(node)
+            visit(node.left)
+          end
+
+          def visit_GROUP(node)
+            []
+          end
+
+          %w{ LITERAL SLASH DOT }.each do |t|
+            class_eval %{ def visit_#{t}(n); n.left; end }, __FILE__, __LINE__
+          end
       end
 
       # Used for formatting urls (url_for)