actionpack 4.1.0.beta2 → 4.1.0.rc1

data/lib/action_controller/metal/params_wrapper.rb

@@ -231,7 +231,12 @@ module ActionController
     # by the metal call stack.
     def process_action(*args)
       if _wrapper_enabled?
-        wrapped_hash = _wrap_parameters request.request_parameters
+        if request.parameters[_wrapper_key].present?
+          wrapped_hash = _extract_parameters(request.parameters)
+        else
+          wrapped_hash = _wrap_parameters request.request_parameters
+        end
+
         wrapped_keys = request.request_parameters.keys
         wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
 
@@ -259,14 +264,16 @@ module ActionController
 
       # Returns the list of parameters which will be selected for wrapped.
       def _wrap_parameters(parameters)
-        value = if include_only = _wrapper_options.include
+        { _wrapper_key => _extract_parameters(parameters) }
+      end
+
+      def _extract_parameters(parameters)
+        if include_only = _wrapper_options.include
           parameters.slice(*include_only)
         else
           exclude = _wrapper_options.exclude || []
           parameters.except(*(exclude + EXCLUDE_PARAMETERS))
         end
-
-        { _wrapper_key => value }
       end
 
       # Checks if we should perform parameters wrapping.

data/lib/action_controller/metal/rack_delegation.rb

@@ -5,8 +5,8 @@ module ActionController
   module RackDelegation
     extend ActiveSupport::Concern
 
-    delegate :headers, :status=, :location=, :content_type=,
-             :status, :location, :content_type, :to => "@_response"
+    delegate :headers, :status=, :location=, :content_type=, :no_content_type=,
+             :status, :location, :content_type, :no_content_type, :to => "@_response"
 
     def dispatch(action, request)
       set_response!(request)

data/lib/action_controller/metal/renderers.rb

@@ -43,7 +43,7 @@ module ActionController
     end
 
     # Hash of available renderers, mapping a renderer name to its proc.
-    # Default keys are :json, :js, :xml.
+    # Default keys are <tt>:json</tt>, <tt>:js</tt>, <tt>:xml</tt>.
     RENDERERS = Set.new
 
     # Adds a new renderer to call within controller actions.

data/lib/action_controller/metal/rendering.rb

@@ -2,6 +2,8 @@ module ActionController
   module Rendering
     extend ActiveSupport::Concern
 
+    RENDER_FORMATS_IN_PRIORITY = [:body, :text, :plain, :html]
+
     # Before processing, set the request formats in current controller formats.
     def process_action(*) #:nodoc:
       self.formats = request.formats.map(&:ref).compact
@@ -27,15 +29,29 @@ module ActionController
     end
 
     def render_to_body(options = {})
-      super || options[:text].presence || ' '
+      super || _render_in_priorities(options) || ' '
     end
 
     private
 
-    def _process_format(format)
+    def _render_in_priorities(options)
+      RENDER_FORMATS_IN_PRIORITY.each do |format|
+        return options[format] if options.key?(format)
+      end
+
+      nil
+    end
+
+    def _process_format(format, options = {})
       super
-      # format is a Mime::NullType instance here then this condition can't be changed to `if format`
-      self.content_type ||= format.to_s unless format.nil?
+
+      if options[:body]
+        self.headers.delete "Content-Type"
+      elsif options[:plain]
+        self.content_type = Mime::TEXT
+      else
+        self.content_type ||= format.to_s
+      end
     end
 
     # Normalize arguments by catching blocks and setting them on :update.
@@ -47,12 +63,14 @@ module ActionController
 
     # Normalize both text and status options.
     def _normalize_options(options) #:nodoc:
-      if options.key?(:text) && options[:text].respond_to?(:to_text)
-        options[:text] = options[:text].to_text
+      _normalize_text(options)
+
+      if options[:html]
+        options[:html] = ERB::Util.html_escape(options[:html])
       end
 
-      if options.delete(:nothing) || (options.key?(:text) && options[:text].nil?)
-        options[:text] = " "
+      if options.delete(:nothing) || _any_render_format_is_nil?(options)
+        options[:body] = " "
       end
 
       if options[:status]
@@ -62,6 +80,18 @@ module ActionController
       super
     end
 
+    def _normalize_text(options)
+      RENDER_FORMATS_IN_PRIORITY.each do |format|
+        if options.key?(format) && options[format].respond_to?(:to_text)
+          options[format] = options[format].to_text
+        end
+      end
+    end
+
+    def _any_render_format_is_nil?(options)
+      RENDER_FORMATS_IN_PRIORITY.any? { |format| options.key?(format) && options[format].nil? }
+    end
+
     # Process controller specific options, as status, content-type and location.
     def _process_options(options) #:nodoc:
       status, content_type, location = options.values_at(:status, :content_type, :location)

data/lib/action_controller/metal/strong_parameters.rb

@@ -3,6 +3,7 @@ require 'active_support/core_ext/array/wrap'
 require 'active_support/rescuable'
 require 'action_dispatch/http/upload'
 require 'stringio'
+require 'set'
 
 module ActionController
   # Raised when a required parameter is missing.
@@ -125,6 +126,13 @@ module ActionController
       @permitted = self.class.permit_all_parameters
     end
 
+    # Attribute that keeps track of converted arrays, if any, to avoid double
+    # looping in the common use case permit + mass-assignment. Defined in a
+    # method to instantiate it only if needed.
+    def converted_arrays
+      @converted_arrays ||= Set.new
+    end
+
     # Returns +true+ if the parameter is permitted, +false+ otherwise.
     #
     #   params = ActionController::Parameters.new
@@ -149,8 +157,10 @@ module ActionController
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def permit!
       each_pair do |key, value|
-        convert_hashes_to_parameters(key, value)
-        self[key].permit! if self[key].respond_to? :permit!
+        value = convert_hashes_to_parameters(key, value)
+        Array.wrap(value).each do |_|
+          _.permit! if _.respond_to? :permit!
+        end
       end
 
       @permitted = true
@@ -284,14 +294,7 @@ module ActionController
     #   params.fetch(:none, 'Francesco')    # => "Francesco"
     #   params.fetch(:none) { 'Francesco' } # => "Francesco"
     def fetch(key, *args)
-      value = super
-      # Don't rely on +convert_hashes_to_parameters+
-      # so as to not mutate via a +fetch+
-      if value.is_a?(Hash)
-        value = self.class.new(value)
-        value.permit! if permitted?
-      end
-      value
+      convert_hashes_to_parameters(key, super, false)
     rescue KeyError
       raise ActionController::ParameterMissing.new(key)
     end
@@ -329,12 +332,21 @@ module ActionController
       end
 
     private
-      def convert_hashes_to_parameters(key, value)
-        if value.is_a?(Parameters) || !value.is_a?(Hash)
+      def convert_hashes_to_parameters(key, value, assign_if_converted=true)
+        converted = convert_value_to_parameters(value)
+        self[key] = converted if assign_if_converted && !converted.equal?(value)
+        converted
+      end
+
+      def convert_value_to_parameters(value)
+        if value.is_a?(Array) && !converted_arrays.member?(value)
+          converted = value.map { |_| convert_value_to_parameters(_) }
+          converted_arrays << converted
+          converted
+        elsif value.is_a?(Parameters) || !value.is_a?(Hash)
           value
         else
-          # Convert to Parameters on first access
-          self[key] = self.class.new(value)
+          self.class.new(value)
         end
       end
 

data/lib/action_controller/railtie.rb

@@ -3,6 +3,7 @@ require "action_controller"
 require "action_dispatch/railtie"
 require "abstract_controller/railties/routes_helpers"
 require "action_controller/railties/helpers"
+require "action_view/railtie"
 
 module ActionController
   class Railtie < Rails::Railtie #:nodoc:

data/lib/action_controller/test_case.rb

@@ -213,6 +213,9 @@ module ActionController
       # Clear the combined params hash in case it was already referenced.
       @env.delete("action_dispatch.request.parameters")
 
+      # Clear the filter cache variables so they're not stale
+      @filtered_parameters = @filtered_env = @filtered_path = nil
+
       params = self.request_parameters.dup
       %w(controller action only_path).each do |k|
         params.delete(k)

data/lib/action_dispatch.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2013 David Heinemeier Hansson
+# Copyright (c) 2004-2014 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -74,18 +74,16 @@ module ActionDispatch
     autoload :MimeNegotiation
     autoload :Parameters
     autoload :ParameterFilter
-    autoload :FilterParameters
-    autoload :FilterRedirect
     autoload :Upload
     autoload :UploadedFile, 'action_dispatch/http/upload'
     autoload :URL
   end
 
   module Session
-    autoload :AbstractStore, 'action_dispatch/middleware/session/abstract_store'
-    autoload :CookieStore,   'action_dispatch/middleware/session/cookie_store'
-    autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store'
-    autoload :CacheStore,    'action_dispatch/middleware/session/cache_store'
+    autoload :AbstractStore,     'action_dispatch/middleware/session/abstract_store'
+    autoload :CookieStore,       'action_dispatch/middleware/session/cookie_store'
+    autoload :MemCacheStore,     'action_dispatch/middleware/session/mem_cache_store'
+    autoload :CacheStore,        'action_dispatch/middleware/session/cache_store'
   end
 
   mattr_accessor :test_app

data/lib/action_dispatch/http/filter_redirect.rb

@@ -5,7 +5,8 @@ module ActionDispatch
       FILTERED = '[FILTERED]'.freeze # :nodoc:
 
       def filtered_location
-        if !location_filter.empty? && location_filter_match?
+        filters = location_filter
+        if !filters.empty? && location_filter_match?(filters)
           FILTERED
         else
           location
@@ -15,15 +16,15 @@ module ActionDispatch
     private
 
       def location_filter
-        if request.present?
+        if request
           request.env['action_dispatch.redirect_filter'] || []
         else
           []
         end
       end
 
-      def location_filter_match?
-        location_filter.any? do |filter|
+      def location_filter_match?(filters)
+        filters.any? do |filter|
           if String === filter
             location.include?(filter)
           elsif Regexp === filter

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -50,7 +50,7 @@ module ActionDispatch
       #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
       #
       def format(view_path = [])
-        formats.first
+        formats.first || Mime::NullType.instance
       end
 
       def formats
@@ -68,10 +68,12 @@ module ActionDispatch
 
       # Sets the \variant for template.
       def variant=(variant)
-        if variant.is_a? Symbol
+        if variant.is_a?(Symbol)
+          @variant = [variant]
+        elsif variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
           @variant = variant
         else
-          raise ArgumentError, "request.variant must be set to a Symbol, not a #{variant.class}. " \
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
             "For security reasons, never directly set the variant to a user-provided value, " \
             "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
             "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"

data/lib/action_dispatch/http/mime_type.rb

@@ -28,7 +28,7 @@ module Mime
   class << self
     def [](type)
       return type if type.is_a?(Type)
-      Type.lookup_by_extension(type) || NullType.instance
+      Type.lookup_by_extension(type)
     end
 
     def fetch(type)

data/lib/action_dispatch/http/response.rb

@@ -1,4 +1,5 @@
 require 'active_support/core_ext/module/attribute_accessors'
+require 'action_dispatch/http/filter_redirect'
 require 'monitor'
 
 module ActionDispatch # :nodoc:
@@ -62,6 +63,8 @@ module ActionDispatch # :nodoc:
     # content you're giving them, so we need to send that along.
     attr_accessor :charset
 
+    attr_accessor :no_content_type # :nodoc:
+
     CONTENT_TYPE = "Content-Type".freeze
     SET_COOKIE   = "Set-Cookie".freeze
     LOCATION     = "Location".freeze
@@ -302,8 +305,17 @@ module ActionDispatch # :nodoc:
       !@sending_file && @charset != false
     end
 
+    def remove_content_type!
+      headers.delete CONTENT_TYPE
+    end
+
     def rack_response(status, header)
-      assign_default_content_type_and_charset!(header)
+      if no_content_type
+        remove_content_type!
+      else
+        assign_default_content_type_and_charset!(header)
+      end
+
       handle_conditional_get!
 
       header[SET_COOKIE] = header[SET_COOKIE].join("\n") if header[SET_COOKIE].respond_to?(:join)
@@ -312,7 +324,7 @@ module ActionDispatch # :nodoc:
         header.delete CONTENT_TYPE
         [status, header, []]
       else
-        [status, header, self]
+        [status, header, Rack::BodyProxy.new(self){}]
       end
     end
   end

data/lib/action_dispatch/journey/formatter.rb

@@ -33,8 +33,8 @@ module ActionDispatch
           return [route.format(parameterized_parts), params]
         end
 
-        message = "No route matches #{constraints.inspect}"
-        message << " missing required keys: #{missing_keys.inspect}" if name
+        message = "No route matches #{Hash[constraints.sort].inspect}"
+        message << " missing required keys: #{missing_keys.sort.inspect}" if name
 
         raise ActionController::UrlGenerationError, message
       end

data/lib/action_dispatch/journey/router.rb

@@ -54,7 +54,7 @@ module ActionDispatch
       end
 
       def call(env)
-        env['PATH_INFO'] = normalize_path(env['PATH_INFO'])
+        env['PATH_INFO'] = Utils.normalize_path(env['PATH_INFO'])
 
         find_routes(env).each do |match, parameters, route|
           script_name, path_info, set_params = env.values_at('SCRIPT_NAME',
@@ -103,12 +103,6 @@ module ActionDispatch
 
       private
 
-        def normalize_path(path)
-          path = "/#{path}"
-          path.squeeze!('/')
-          path
-        end
-
         def partitioned_routes
           routes.partitioned_routes
         end

data/lib/action_dispatch/journey/visitors.rb

@@ -77,12 +77,32 @@ module ActionDispatch
         end
       end
 
-      class OptimizedPath < String # :nodoc:
+      class OptimizedPath < Visitor # :nodoc:
+        def accept(node)
+          Array(visit(node))
+        end
+
         private
 
-        def visit_GROUP(node)
-          ""
-        end
+          def visit_CAT(node)
+            [visit(node.left), visit(node.right)].flatten
+          end
+
+          def visit_SYMBOL(node)
+            node.left[1..-1].to_sym
+          end
+
+          def visit_STAR(node)
+            visit(node.left)
+          end
+
+          def visit_GROUP(node)
+            []
+          end
+
+          %w{ LITERAL SLASH DOT }.each do |t|
+            class_eval %{ def visit_#{t}(n); n.left; end }, __FILE__, __LINE__
+          end
       end
 
       # Used for formatting urls (url_for)

data/lib/action_dispatch/middleware/cookies.rb

@@ -23,15 +23,15 @@ module ActionDispatch
   #   # This cookie will be deleted when the user's browser is closed.
   #   cookies[:user_name] = "david"
   #
-  #   # Assign an array of values to a cookie.
-  #   cookies[:lat_lon] = [47.68, -122.37]
+  #   # Cookie values are String based. Other data types need to be serialized.
+  #   cookies[:lat_lon] = JSON.generate([47.68, -122.37])
   #
   #   # Sets a cookie that expires in 1 hour.
   #   cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now }
   #
   #   # Sets a signed cookie, which prevents users from tampering with its value.
-  #   # The cookie is signed by your app's <tt>secrets.secret_key_base</tt> value.
-  #   # It can be read using the signed method <tt>cookies.signed[:name]</tt>
+  #   # The cookie is signed by your app's `secrets.secret_key_base` value.
+  #   # It can be read using the signed method `cookies.signed[:name]`
   #   cookies.signed[:user_id] = current_user.id
   #
   #   # Sets a "permanent" cookie (which expires in 20 years from now).
@@ -42,10 +42,10 @@ module ActionDispatch
   #
   # Examples of reading:
   #
-  #   cookies[:user_name]    # => "david"
-  #   cookies.size           # => 2
-  #   cookies[:lat_lon]      # => [47.68, -122.37]
-  #   cookies.signed[:login] # => "XJ-122"
+  #   cookies[:user_name]           # => "david"
+  #   cookies.size                  # => 2
+  #   JSON.parse(cookies[:lat_lon]) # => [47.68, -122.37]
+  #   cookies.signed[:login]        # => "XJ-122"
   #
   # Example for deleting:
   #
@@ -63,7 +63,7 @@ module ActionDispatch
   #
   # The option symbols for setting cookies are:
   #
-  # * <tt>:value</tt> - The cookie's value or list of values (as an array).
+  # * <tt>:value</tt> - The cookie's value.
   # * <tt>:path</tt> - The path for which this cookie applies. Defaults to the root
   #   of the application.
   # * <tt>:domain</tt> - The domain for which this cookie applies so you can
@@ -89,6 +89,7 @@ module ActionDispatch
     ENCRYPTED_SIGNED_COOKIE_SALT = "action_dispatch.encrypted_signed_cookie_salt".freeze
     SECRET_TOKEN = "action_dispatch.secret_token".freeze
     SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze
+    COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze
 
     # Cookies can typically store 4096 bytes.
     MAX_COOKIE_SIZE = 4096
@@ -180,7 +181,7 @@ module ActionDispatch
 
       def verify_and_upgrade_legacy_signed_message(name, signed_message)
         @legacy_verifier.verify(signed_message).tap do |value|
-          self[name] = value
+          self[name] = { value: value }
         end
       rescue ActiveSupport::MessageVerifier::InvalidSignature
         nil
@@ -210,7 +211,8 @@ module ActionDispatch
           encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT] || '',
           secret_token: env[SECRET_TOKEN],
           secret_key_base: env[SECRET_KEY_BASE],
-          upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?
+          upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?,
+          serializer: env[COOKIES_SERIALIZER]
         }
       end
 
@@ -372,28 +374,89 @@ module ActionDispatch
       end
     end
 
+    class JsonSerializer
+      def self.load(value)
+        JSON.parse(value, quirks_mode: true)
+      end
+
+      def self.dump(value)
+        JSON.generate(value, quirks_mode: true)
+      end
+    end
+
+    # Passing the NullSerializer downstream to the Message{Encryptor,Verifier}
+    # allows us to handle the (de)serialization step within the cookie jar,
+    # which gives us the opportunity to detect and migrate legacy cookies.
+    class NullSerializer
+      def self.load(value)
+        value
+      end
+
+      def self.dump(value)
+        value
+      end
+    end
+
+    module SerializedCookieJars
+      MARSHAL_SIGNATURE = "\x04\x08".freeze
+
+      protected
+        def needs_migration?(value)
+          @options[:serializer] == :hybrid && value.start_with?(MARSHAL_SIGNATURE)
+        end
+
+        def serialize(name, value)
+          serializer.dump(value)
+        end
+
+        def deserialize(name, value)
+          if value
+            if needs_migration?(value)
+              Marshal.load(value).tap do |v|
+                self[name] = { value: v }
+              end
+            else
+              serializer.load(value)
+            end
+          end
+        end
+
+        def serializer
+          serializer = @options[:serializer] || :marshal
+          case serializer
+          when :marshal
+            Marshal
+          when :json, :hybrid
+            JsonSerializer
+          else
+            serializer
+          end
+        end
+    end
+
     class SignedCookieJar #:nodoc:
       include ChainedCookieJars
+      include SerializedCookieJars
 
       def initialize(parent_jar, key_generator, options = {})
         @parent_jar = parent_jar
         @options = options
         secret = key_generator.generate_key(@options[:signed_cookie_salt])
-        @verifier   = ActiveSupport::MessageVerifier.new(secret)
+        @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: NullSerializer)
       end
 
       def [](name)
         if signed_message = @parent_jar[name]
-          verify(signed_message)
+          deserialize name, verify(signed_message)
         end
       end
 
       def []=(name, options)
         if options.is_a?(Hash)
           options.symbolize_keys!
-          options[:value] = @verifier.generate(options[:value])
+          options[:value] = @verifier.generate(serialize(name, options[:value]))
         else
-          options = { :value => @verifier.generate(options) }
+          options = { :value => @verifier.generate(serialize(name, options)) }
         end
 
         raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE
@@ -417,13 +480,14 @@ module ActionDispatch
 
       def [](name)
         if signed_message = @parent_jar[name]
-          verify(signed_message) || verify_and_upgrade_legacy_signed_message(name, signed_message)
+          deserialize(name, verify(signed_message)) || verify_and_upgrade_legacy_signed_message(name, signed_message)
         end
       end
     end
 
     class EncryptedCookieJar #:nodoc:
       include ChainedCookieJars
+      include SerializedCookieJars
 
       def initialize(parent_jar, key_generator, options = {})
         if ActiveSupport::LegacyKeyGenerator === key_generator
@@ -435,12 +499,12 @@ module ActionDispatch
         @options = options
         secret = key_generator.generate_key(@options[:encrypted_cookie_salt])
         sign_secret = key_generator.generate_key(@options[:encrypted_signed_cookie_salt])
-        @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+        @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: NullSerializer)
       end
 
       def [](name)
         if encrypted_message = @parent_jar[name]
-          decrypt_and_verify(encrypted_message)
+          deserialize name, decrypt_and_verify(encrypted_message)
         end
       end
 
@@ -450,7 +514,8 @@ module ActionDispatch
         else
           options = { :value => options }
         end
-        options[:value] = @encryptor.encrypt_and_sign(options[:value])
+
+        options[:value] = @encryptor.encrypt_and_sign(serialize(name, options[:value]))
 
         raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE
         @parent_jar[name] = options
@@ -473,7 +538,7 @@ module ActionDispatch
 
       def [](name)
         if encrypted_or_signed_message = @parent_jar[name]
-          decrypt_and_verify(encrypted_or_signed_message) || verify_and_upgrade_legacy_signed_message(name, encrypted_or_signed_message)
+          deserialize(name, decrypt_and_verify(encrypted_or_signed_message)) || verify_and_upgrade_legacy_signed_message(name, encrypted_or_signed_message)
         end
       end
     end