actionpack 4.1.5 → 4.1.6.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75f52f279a3dcbebd7cd713a60cde986b719a01d
-  data.tar.gz: 1a11a8b99c12e30e426d95d4022762c610d3b167
+  metadata.gz: 96113274b5d28b07e75dabf11541471ebccdccc7
+  data.tar.gz: 843e54d51e82a92780cfe8cae6781192457a82e0
 SHA512:
-  metadata.gz: 296c74dba601781a69e896a1dcb8c631f0dcbf52602d71993edcc3b3a5d4d9533c0e0548864433b811c534ce42f1b7a6bc365fb839c2c1f814b7eb1445d1dd0d
-  data.tar.gz: b9ce487a368bec96ef4249c0ccd7774e409beef42b5bfe0b62271f00bff5ed95f50f8e0a262214488e133ae2632a7900379e3334f4da81a8ea5f97a9ccccaada
+  metadata.gz: 0a61760da903d7e67557792644ea4642f6e255b4bb726db52c9274747ebf04bb3c0c10f755453c00b7b48d04f1e8c08c6703ecc8b608f5a9545dcd398b35b3c6
+  data.tar.gz: e793f5394b46c5a44201bc3f712a14f1b66882f09806617528b82a63f66845ebd9df69225b824e8a1bab83ee51d4d9c44f81a526f5210c2afe1d331ec031b6ad

data/CHANGELOG.md

@@ -1,3 +1,52 @@
+## Rails 4.1.6 (August 19, 2014) ##
+
+*   Prepend a JS comment to JSONP callbacks. Addresses CVE-2014-4671
+    ("Rosetta Flash")
+
+    *Greg Campbell*
+
+*   Because URI paths may contain non US-ASCII characters we need to force
+    the encoding of any unescaped URIs to UTF-8 if they are US-ASCII.
+    This essentially replicates the functionality of the monkey patch to
+    URI.parser.unescape in active_support/core_ext/uri.rb.
+
+    Fixes #16104.
+
+    *Karl Entwistle*
+
+*   Generate shallow paths for all children of shallow resources.
+
+    Fixes #15783.
+
+    *Seb Jacobs*
+
+*   JSONP responses are now rendered with the `text/javascript` content type
+    when rendering through a `respond_to` block.
+
+    Fixes #15081.
+
+    *Lucas Mazza*
+
+*   Fix env['PATH_INFO'] missing leading slash when a rack app mounted at '/'.
+
+    Fixes #15511.
+
+    *Larry Lv*
+
+*   ActionController::Parameters#require now accepts `false` values.
+
+    Fixes #15685.
+
+    *Sergio Romano*
+
+*   With authorization header `Authorization: Token token=`, `authenticate` now
+    recognize token as nil, instead of "token".
+
+    Fixes #14846.
+
+    *Larry Lv*
+
+
 ## Rails 4.1.4 (July 2, 2014) ##
 
 *   No changes.

data/lib/abstract_controller/base.rb

@@ -253,7 +253,7 @@ module AbstractController
 
       # Checks if the action name is valid and returns false otherwise.
       def _valid_action_name?(action_name)
-        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+        !action_name.to_s.include? File::SEPARATOR
       end
   end
 end

data/lib/action_controller/metal/http_authentication.rb

@@ -121,8 +121,8 @@ module ActionController
 
       def authentication_request(controller, realm)
         controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
-        controller.response_body = "HTTP Basic: Access denied.\n"
         controller.status = 401
+        controller.response_body = "HTTP Basic: Access denied.\n"
       end
     end
 
@@ -256,8 +256,8 @@ module ActionController
       def authentication_request(controller, realm, message = nil)
         message ||= "HTTP Digest: Access denied.\n"
         authentication_header(controller, realm)
-        controller.response_body = message
         controller.status = 401
+        controller.response_body = message
       end
 
       def secret_token(request)
@@ -449,7 +449,7 @@ module ActionController
         authorization_request = request.authorization.to_s
         if authorization_request[TOKEN_REGEX]
           params = token_params_from authorization_request
-          [params.shift.last, Hash[params].with_indifferent_access]
+          [params.shift[1], Hash[params].with_indifferent_access]
         end
       end
 
@@ -464,7 +464,7 @@ module ActionController
 
       # This removes the `"` characters wrapping the value.
       def rewrite_param_values(array_params)
-        array_params.each { |param| param.last.gsub! %r/^"|"$/, '' }
+        array_params.each { |param| (param[1] || "").gsub! %r/^"|"$/, '' }
       end
 
       # This method takes an authorization body and splits up the key-value

data/lib/action_controller/metal/redirecting.rb

@@ -64,6 +64,7 @@ module ActionController
     # behavior for this case by rescuing ActionController::RedirectBackError.
     def redirect_to(options = {}, response_status = {}) #:doc:
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
+      raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_status)

data/lib/action_controller/metal/renderers.rb

@@ -96,8 +96,11 @@ module ActionController
       json = json.to_json(options) unless json.kind_of?(String)
 
       if options[:callback].present?
-        self.content_type ||= Mime::JS
-        "#{options[:callback]}(#{json})"
+        if self.content_type.nil? || self.content_type == Mime::JSON
+          self.content_type = Mime::JS
+        end
+
+        "/**/#{options[:callback]}(#{json})"
       else
         self.content_type ||= Mime::JSON
         json

data/lib/action_controller/metal/strong_parameters.rb

@@ -180,7 +180,12 @@ module ActionController
     #   ActionController::Parameters.new(person: {}).require(:person)
     #   # => ActionController::ParameterMissing: param not found: person
     def require(key)
-      self[key].presence || raise(ParameterMissing.new(key))
+      value = self[key]
+      if value.present? || value == false
+        value
+      else
+        raise ParameterMissing.new(key)
+      end
     end
 
     # Alias of #require.

data/lib/action_dispatch/journey/router.rb

@@ -63,7 +63,9 @@ module ActionDispatch
 
           unless route.path.anchored
             env['SCRIPT_NAME'] = (script_name.to_s + match.to_s).chomp('/')
-            env['PATH_INFO']   = match.post_match
+            path_info = match.post_match
+            env['PATH_INFO']   = path_info
+            env['PATH_INFO']   = "/" + path_info unless path_info.start_with? "/"
           end
 
           env[@params_key] = (set_params || {}).merge parameters

data/lib/action_dispatch/journey/router/utils.rb

@@ -25,9 +25,10 @@ module ActionDispatch
         # http://tools.ietf.org/html/rfc3986
         class UriEncoder # :nodoc:
           ENCODE   = "%%%02X".freeze
-          ENCODING = Encoding::US_ASCII
-          EMPTY    = "".force_encoding(ENCODING).freeze
-          DEC2HEX  = (0..255).to_a.map{ |i| ENCODE % i }.map{ |s| s.force_encoding(ENCODING) }
+          US_ASCII = Encoding::US_ASCII
+          UTF_8    = Encoding::UTF_8
+          EMPTY    = "".force_encoding(US_ASCII).freeze
+          DEC2HEX  = (0..255).to_a.map{ |i| ENCODE % i }.map{ |s| s.force_encoding(US_ASCII) }
 
           ALPHA = "a-zA-Z".freeze
           DIGIT = "0-9".freeze
@@ -53,12 +54,13 @@ module ActionDispatch
           end
 
           def unescape_uri(uri)
-            uri.gsub(ESCAPED) { [$&[1, 2].hex].pack('C') }.force_encoding(uri.encoding)
+            encoding = uri.encoding == US_ASCII ? UTF_8 : uri.encoding
+            uri.gsub(ESCAPED) { [$&[1, 2].hex].pack('C') }.force_encoding(encoding)
           end
 
           protected
             def escape(component, pattern)
-              component.gsub(pattern){ |unsafe| percent_encode(unsafe) }.force_encoding(ENCODING)
+              component.gsub(pattern){ |unsafe| percent_encode(unsafe) }.force_encoding(US_ASCII)
             end
 
             def percent_encode(unsafe)

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -16,9 +16,9 @@ module ActionDispatch
 
       # Get a session from the cache.
       def get_session(env, sid)
-        sid ||= generate_sid
-        session = @cache.read(cache_key(sid))
-        session ||= {}
+        unless sid and session = @cache.read(cache_key(sid))
+          sid, session = generate_sid, {}
+        end
         [sid, session]
       end
 

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -29,7 +29,7 @@ module ActionDispatch
     #
     # Configure your session store in config/initializers/session_store.rb:
     #
-    #   Myapp::Application.config.session_store :cookie_store, key: '_your_app_session'
+    #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
     # Configure your secret key in config/secrets.yml:
     #

data/lib/action_dispatch/routing.rb

@@ -12,7 +12,7 @@ module ActionDispatch
   # Think of creating routes as drawing a map for your requests. The map tells
   # them where to go based on some predefined pattern:
   #
-  #   AppName::Application.routes.draw do
+  #   Rails.application.routes.draw do
   #     Pattern 1 tells some request to go to one place
   #     Pattern 2 tell them to go to another
   #     ...

data/lib/action_dispatch/routing/mapper.rb

@@ -404,6 +404,12 @@ module ActionDispatch
         # [:action]
         #   The route's action.
         #
+        # [:param]
+        #   Overrides the default resource identifier `:id` (name of the
+        #   dynamic segment used to generate the routes).
+        #   You can access that segment from your controller using
+        #   <tt>params[<:param>]</tt>.
+        #
         # [:path]
         #   The path prefix for the routes.
         #
@@ -1382,7 +1388,7 @@ module ActionDispatch
           end
 
           with_scope_level(:nested) do
-            if shallow? && shallow_nesting_depth > 1
+            if shallow? && shallow_nesting_depth >= 1
               shallow_scope(parent_resource.nested_scope, nested_options) { yield }
             else
               scope(parent_resource.nested_scope, nested_options) { yield }

data/lib/action_pack/gem_version.rb

@@ -7,8 +7,8 @@ module ActionPack
   module VERSION
     MAJOR = 4
     MINOR = 1
-    TINY  = 5
-    PRE   = nil
+    TINY  = 6
+    PRE   = "rc1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 4.1.5
+  version: 4.1.6.rc1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-18 00:00:00.000000000 Z
+date: 2014-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.5
+        version: 4.1.6.rc1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.5
+        version: 4.1.6.rc1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.5
+        version: 4.1.6.rc1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.5
+        version: 4.1.6.rc1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.5
+        version: 4.1.6.rc1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.5
+        version: 4.1.6.rc1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -252,9 +252,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements:
 - none
 rubyforge_project: