actionpack 4.1.7 → 4.2.1

data/lib/action_dispatch/journey/router.rb

@@ -20,62 +20,32 @@ module ActionDispatch
       # :nodoc:
       VERSION = '2.0.0'
 
-      class NullReq # :nodoc:
-        attr_reader :env
-        def initialize(env)
-          @env = env
-        end
-
-        def request_method
-          env['REQUEST_METHOD']
-        end
-
-        def path_info
-          env['PATH_INFO']
-        end
-
-        def ip
-          env['REMOTE_ADDR']
-        end
-
-        def [](k)
-          env[k]
-        end
-      end
-
-      attr_reader :request_class, :formatter
       attr_accessor :routes
 
-      def initialize(routes, options)
-        @options       = options
-        @params_key    = options[:parameters_key]
-        @request_class = options[:request_class] || NullReq
-        @routes        = routes
+      def initialize(routes)
+        @routes = routes
       end
 
-      def call(env)
-        env['PATH_INFO'] = Utils.normalize_path(env['PATH_INFO'])
-
-        find_routes(env).each do |match, parameters, route|
-          script_name, path_info, set_params = env.values_at('SCRIPT_NAME',
-                                                             'PATH_INFO',
-                                                             @params_key)
+      def serve(req)
+        find_routes(req).each do |match, parameters, route|
+          set_params  = req.path_parameters
+          path_info   = req.path_info
+          script_name = req.script_name
 
           unless route.path.anchored
-            env['SCRIPT_NAME'] = (script_name.to_s + match.to_s).chomp('/')
-            path_info = match.post_match
-            env['PATH_INFO']   = path_info
-            env['PATH_INFO']   = "/" + path_info unless path_info.start_with? "/"
+            req.script_name = (script_name.to_s + match.to_s).chomp('/')
+            req.path_info = match.post_match
+            req.path_info = "/" + req.path_info unless req.path_info.start_with? "/"
           end
 
-          env[@params_key] = (set_params || {}).merge parameters
+          req.path_parameters = set_params.merge parameters
 
-          status, headers, body = route.app.call(env)
+          status, headers, body = route.app.serve(req)
 
           if 'pass' == headers['X-Cascade']
-            env['SCRIPT_NAME'] = script_name
-            env['PATH_INFO']   = path_info
-            env[@params_key]   = set_params
+            req.script_name     = script_name
+            req.path_info       = path_info
+            req.path_parameters = set_params
             next
           end
 
@@ -85,14 +55,14 @@ module ActionDispatch
         return [404, {'X-Cascade' => 'pass'}, ['Not Found']]
       end
 
-      def recognize(req)
-        find_routes(req.env).each do |match, parameters, route|
+      def recognize(rails_req)
+        find_routes(rails_req).each do |match, parameters, route|
           unless route.path.anchored
-            req.env['SCRIPT_NAME'] = match.to_s
-            req.env['PATH_INFO']   = match.post_match.sub(/^([^\/])/, '/\1')
+            rails_req.script_name = match.to_s
+            rails_req.path_info   = match.post_match.sub(/^([^\/])/, '/\1')
           end
 
-          yield(route, nil, parameters)
+          yield(route, parameters)
         end
       end
 
@@ -123,45 +93,51 @@ module ActionDispatch
 
         def filter_routes(path)
           return [] unless ast
-          data = simulator.match(path)
-          data ? data.memos : []
+          simulator.memos(path) { [] }
         end
 
-        def find_routes env
-          req = request_class.new(env)
-
+        def find_routes req
           routes = filter_routes(req.path_info).concat custom_routes.find_all { |r|
             r.path.match(req.path_info)
           }
-          routes.concat get_routes_as_head(routes)
 
-          routes.sort_by!(&:precedence).select! { |r| r.matches?(req) }
+          routes =
+            if req.request_method == "HEAD"
+              match_head_routes(routes, req)
+            else
+              match_routes(routes, req)
+            end
+
+          routes.sort_by!(&:precedence)
 
           routes.map! { |r|
             match_data  = r.path.match(req.path_info)
-            match_names = match_data.names.map { |n| n.to_sym }
-            match_values = match_data.captures.map { |v| v && Utils.unescape_uri(v) }
-            info = Hash[match_names.zip(match_values).find_all { |_, y| y }]
-
-            [match_data, r.defaults.merge(info), r]
+            path_parameters = r.defaults.dup
+            match_data.names.zip(match_data.captures) { |name,val|
+              path_parameters[name.to_sym] = Utils.unescape_uri(val) if val
+            }
+            [match_data, path_parameters, r]
           }
         end
 
-        def get_routes_as_head(routes)
-          precedence = (routes.map(&:precedence).max || 0) + 1
-          routes = routes.select { |r|
-            r.verb === "GET" && !(r.verb === "HEAD")
-          }.map! { |r|
-            Route.new(r.name,
-                      r.app,
-                      r.path,
-                      r.conditions.merge(request_method: "HEAD"),
-                      r.defaults).tap do |route|
-                        route.precedence = r.precedence + precedence
-                      end
-          }
-          routes.flatten!
-          routes
+        def match_head_routes(routes, req)
+          routes.delete_if { |route| route.verb == // }
+          head_routes = match_routes(routes, req)
+
+          if head_routes.empty?
+            begin
+              req.request_method = "GET"
+              match_routes(routes, req)
+            ensure
+              req.request_method = "HEAD"
+            end
+          else
+            head_routes
+          end
+        end
+
+        def match_routes(routes, req)
+          routes.select { |r| r.matches?(req) }
         end
     end
   end

data/lib/action_dispatch/journey/scanner.rb

@@ -39,18 +39,18 @@ module ActionDispatch
             [:SLASH, text]
           when text = @ss.scan(/\*\w+/)
             [:STAR, text]
-          when text = @ss.scan(/\(/)
+          when text = @ss.scan(/(?<!\\)\(/)
             [:LPAREN, text]
-          when text = @ss.scan(/\)/)
+          when text = @ss.scan(/(?<!\\)\)/)
             [:RPAREN, text]
           when text = @ss.scan(/\|/)
             [:OR, text]
           when text = @ss.scan(/\./)
             [:DOT, text]
-          when text = @ss.scan(/:\w+/)
+          when text = @ss.scan(/(?<!\\):\w+/)
             [:SYMBOL, text]
-          when text = @ss.scan(/[\w%\-~]+/)
-            [:LITERAL, text]
+          when text = @ss.scan(/(?:[\w%\-~!$&'*+,;=@]|\\:|\\\(|\\\))+/)
+            [:LITERAL, text.tr('\\', '')]
             # any char
           when text = @ss.scan(/./)
             [:LITERAL, text]

data/lib/action_dispatch/journey/visitors.rb

@@ -1,14 +1,57 @@
 # encoding: utf-8
 
-require 'thread_safe'
-
 module ActionDispatch
   module Journey # :nodoc:
+    class Format
+      ESCAPE_PATH    = ->(value) { Router::Utils.escape_path(value) }
+      ESCAPE_SEGMENT = ->(value) { Router::Utils.escape_segment(value) }
+
+      class Parameter < Struct.new(:name, :escaper)
+        def escape(value); escaper.call value; end
+      end
+
+      def self.required_path(symbol)
+        Parameter.new symbol, ESCAPE_PATH
+      end
+
+      def self.required_segment(symbol)
+        Parameter.new symbol, ESCAPE_SEGMENT
+      end
+
+      def initialize(parts)
+        @parts      = parts
+        @children   = []
+        @parameters = []
+
+        parts.each_with_index do |object,i|
+          case object
+          when Journey::Format
+            @children << i
+          when Parameter
+            @parameters << i
+          end
+        end
+      end
+
+      def evaluate(hash)
+        parts = @parts.dup
+
+        @parameters.each do |index|
+          param = parts[index]
+          value = hash[param.name]
+          return ''.freeze unless value
+          parts[index] = param.escape value
+        end
+
+        @children.each { |index| parts[index] = parts[index].evaluate(hash) }
+
+        parts.join
+      end
+    end
+
     module Visitors # :nodoc:
       class Visitor # :nodoc:
-        DISPATCH_CACHE = ThreadSafe::Cache.new { |h,k|
-          h[k] = :"visit_#{k}"
-        }
+        DISPATCH_CACHE = {}
 
         def accept(node)
           visit(node)
@@ -38,11 +81,41 @@ module ActionDispatch
           def visit_STAR(n); unary(n); end
 
           def terminal(node); end
-          %w{ LITERAL SYMBOL SLASH DOT }.each do |t|
-            class_eval %{ def visit_#{t}(n); terminal(n); end }, __FILE__, __LINE__
+          def visit_LITERAL(n); terminal(n); end
+          def visit_SYMBOL(n);  terminal(n); end
+          def visit_SLASH(n);   terminal(n); end
+          def visit_DOT(n);     terminal(n); end
+
+          private_instance_methods(false).each do |pim|
+            next unless pim =~ /^visit_(.*)$/
+            DISPATCH_CACHE[$1.to_sym] = pim
           end
       end
 
+      class FormatBuilder < Visitor # :nodoc:
+        def accept(node); Journey::Format.new(super); end
+        def terminal(node); [node.left]; end
+
+        def binary(node)
+          visit(node.left) + visit(node.right)
+        end
+
+        def visit_GROUP(n); [Journey::Format.new(unary(n))]; end
+
+        def visit_STAR(n)
+          [Journey::Format.required_path(n.left.to_sym)]
+        end
+
+        def visit_SYMBOL(n)
+          symbol = n.to_sym
+          if symbol == :controller
+            [Journey::Format.required_path(symbol)]
+          else
+            [Journey::Format.required_segment(symbol)]
+          end
+        end
+      end
+
       # Loop through the requirements AST
       class Each < Visitor # :nodoc:
         attr_reader :block
@@ -52,8 +125,8 @@ module ActionDispatch
         end
 
         def visit(node)
-          super
           block.call(node)
+          super
         end
       end
 
@@ -77,90 +150,6 @@ module ActionDispatch
         end
       end
 
-      class OptimizedPath < Visitor # :nodoc:
-        def accept(node)
-          Array(visit(node))
-        end
-
-        private
-
-          def visit_CAT(node)
-            [visit(node.left), visit(node.right)].flatten
-          end
-
-          def visit_SYMBOL(node)
-            node.left[1..-1].to_sym
-          end
-
-          def visit_STAR(node)
-            visit(node.left)
-          end
-
-          def visit_GROUP(node)
-            []
-          end
-
-          %w{ LITERAL SLASH DOT }.each do |t|
-            class_eval %{ def visit_#{t}(n); n.left; end }, __FILE__, __LINE__
-          end
-      end
-
-      # Used for formatting urls (url_for)
-      class Formatter < Visitor # :nodoc:
-        attr_reader :options
-
-        def initialize(options)
-          @options  = options
-        end
-
-        private
-          def escape_path(value)
-            Router::Utils.escape_path(value)
-          end
-
-          def escape_segment(value)
-            Router::Utils.escape_segment(value)
-          end
-
-          def visit(node, optional = false)
-            case node.type
-            when :LITERAL, :SLASH, :DOT
-              node.left
-            when :STAR
-              visit_STAR(node.left)
-            when :GROUP
-              visit(node.left, true)
-            when :CAT
-              visit_CAT(node, optional)
-            when :SYMBOL
-              visit_SYMBOL(node, node.to_sym)
-            end
-          end
-
-          def visit_CAT(node, optional)
-            left = visit(node.left, optional)
-            right = visit(node.right, optional)
-
-            if optional && !(right && left)
-              ""
-            else
-              [left, right].join
-            end
-          end
-
-          def visit_STAR(node)
-            if value = options[node.to_sym]
-              escape_path(value)
-            end
-          end
-
-          def visit_SYMBOL(node, name)
-            if value = options[name]
-              name == :controller ? escape_path(value) : escape_segment(value)
-            end
-          end
-      end
-
       class Dot < Visitor # :nodoc:
         def initialize
           @nodes = []

data/lib/action_dispatch/journey/visualizer/fsm.css

@@ -16,10 +16,6 @@ h2 {
   font-size: 0.5em;
 }
 
-div#chart-2 {
-  height: 350px;
-}
-
 .clearfix {display: inline-block; }
 .input { overflow: show;}
 .instruction { color: #666; padding: 0 30px 20px; font-size: 0.9em}

data/lib/action_dispatch/journey/visualizer/index.html.erb

@@ -2,13 +2,13 @@
 <html>
   <head>
     <title><%= title %></title>
-    <link rel="stylesheet" href="https://raw.github.com/gist/1706081/af944401f75ea20515a02ddb3fb43d23ecb8c662/reset.css" type="text/css">
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.css" type="text/css">
     <style>
       <% stylesheets.each do |style| %>
         <%= style %>
       <% end %>
     </style>
-    <script src="https://raw.github.com/gist/1706081/df464722a05c3c2bec450b7b5c8240d9c31fa52d/d3.min.js" type="text/javascript"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.4.8/d3.min.js" type="text/javascript"></script>
   </head>
   <body>
     <div id="wrapper">

data/lib/action_dispatch/middleware/callbacks.rb

@@ -1,6 +1,6 @@
 
 module ActionDispatch
-  # Provide callbacks to be executed before and after the request dispatch.
+  # Provides callbacks to be executed before and after dispatching the request.
   class Callbacks
     include ActiveSupport::Callbacks
 

data/lib/action_dispatch/middleware/cookies.rb

@@ -3,6 +3,7 @@ require 'active_support/core_ext/module/attribute_accessors'
 require 'active_support/core_ext/object/blank'
 require 'active_support/key_generator'
 require 'active_support/message_verifier'
+require 'active_support/json'
 
 module ActionDispatch
   class Request < Rack::Request
@@ -70,11 +71,13 @@ module ActionDispatch
   #   restrict to the domain level. If you use a schema like www.example.com
   #   and want to share session with user.example.com set <tt>:domain</tt>
   #   to <tt>:all</tt>. Make sure to specify the <tt>:domain</tt> option with
-  #   <tt>:all</tt> again when deleting cookies.
+  #   <tt>:all</tt> or <tt>Array</tt> again when deleting cookies.
   #
   #     domain: nil  # Does not sets cookie domain. (default)
   #     domain: :all # Allow the cookie for the top most level
-  #                       domain and subdomains.
+  #                  # domain and subdomains.
+  #     domain: %w(.example.com .example.org) # Allow the cookie
+  #                                           # for concrete domain names.
   #
   # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time object.
   # * <tt>:secure</tt> - Whether this cookie is only transmitted to HTTPS servers.
@@ -90,6 +93,7 @@ module ActionDispatch
     SECRET_TOKEN = "action_dispatch.secret_token".freeze
     SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze
     COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze
+    COOKIES_DIGEST = "action_dispatch.cookies_digest".freeze
 
     # Cookies can typically store 4096 bytes.
     MAX_COOKIE_SIZE = 4096
@@ -118,7 +122,7 @@ module ActionDispatch
       # the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
       # cookie was tampered with by the user (or a 3rd party), nil will be returned.
       #
-      # If +secrets.secret_key_base+ and +config.secret_token+ (deprecated) are both set,
+      # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
       # legacy cookies signed with the old key generator will be transparently upgraded.
       #
       # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
@@ -141,7 +145,7 @@ module ActionDispatch
       # Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them for read.
       # If the cookie was tampered with by the user (or a 3rd party), nil will be returned.
       #
-      # If +secrets.secret_key_base+ and +config.secret_token+ (deprecated) are both set,
+      # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
       # legacy cookies signed with the old key generator will be transparently upgraded.
       #
       # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
@@ -173,10 +177,14 @@ module ActionDispatch
       end
     end
 
+    # Passing the ActiveSupport::MessageEncryptor::NullSerializer downstream
+    # to the Message{Encryptor,Verifier} allows us to handle the
+    # (de)serialization step within the cookie jar, which gives us the
+    # opportunity to detect and migrate legacy cookies.
     module VerifyAndUpgradeLegacySignedMessage
       def initialize(*args)
         super
-        @legacy_verifier = ActiveSupport::MessageVerifier.new(@options[:secret_token], serializer: NullSerializer)
+        @legacy_verifier = ActiveSupport::MessageVerifier.new(@options[:secret_token], serializer: ActiveSupport::MessageEncryptor::NullSerializer)
       end
 
       def verify_and_upgrade_legacy_signed_message(name, signed_message)
@@ -212,7 +220,8 @@ module ActionDispatch
           secret_token: env[SECRET_TOKEN],
           secret_key_base: env[SECRET_KEY_BASE],
           upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?,
-          serializer: env[COOKIES_SERIALIZER]
+          serializer: env[COOKIES_SERIALIZER],
+          digest: env[COOKIES_DIGEST]
         }
       end
 
@@ -289,8 +298,8 @@ module ActionDispatch
         end
       end
 
-      # Sets the cookie named +name+. The second argument may be the very cookie
-      # value, or a hash of options as documented above.
+      # Sets the cookie named +name+. The second argument may be the cookie's
+      # value or a hash of options as documented above.
       def []=(name, options)
         if options.is_a?(Hash)
           options.symbolize_keys!
@@ -385,24 +394,11 @@ module ActionDispatch
 
     class JsonSerializer
       def self.load(value)
-        JSON.parse(value, quirks_mode: true)
+        ActiveSupport::JSON.decode(value)
       end
 
       def self.dump(value)
-        JSON.generate(value, quirks_mode: true)
-      end
-    end
-
-    # Passing the NullSerializer downstream to the Message{Encryptor,Verifier}
-    # allows us to handle the (de)serialization step within the cookie jar,
-    # which gives us the opportunity to detect and migrate legacy cookies.
-    class NullSerializer
-      def self.load(value)
-        value
-      end
-
-      def self.dump(value)
-        value
+        ActiveSupport::JSON.encode(value)
       end
     end
 
@@ -441,6 +437,10 @@ module ActionDispatch
             serializer
           end
         end
+
+        def digest
+          @options[:digest] || 'SHA1'
+        end
     end
 
     class SignedCookieJar #:nodoc:
@@ -451,7 +451,7 @@ module ActionDispatch
         @parent_jar = parent_jar
         @options = options
         secret = key_generator.generate_key(@options[:signed_cookie_salt])
-        @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: NullSerializer)
+        @verifier = ActiveSupport::MessageVerifier.new(secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
       end
 
       def [](name)
@@ -468,7 +468,7 @@ module ActionDispatch
           options = { :value => @verifier.generate(serialize(name, options)) }
         end
 
-        raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE
+        raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
         @parent_jar[name] = options
       end
 
@@ -481,7 +481,7 @@ module ActionDispatch
     end
 
     # UpgradeLegacySignedCookieJar is used instead of SignedCookieJar if
-    # config.secret_token and secrets.secret_key_base are both set. It reads
+    # secrets.secret_token and secrets.secret_key_base are both set. It reads
     # legacy cookies signed with the old dummy key generator and re-saves
     # them using the new key generator to provide a smooth upgrade path.
     class UpgradeLegacySignedCookieJar < SignedCookieJar #:nodoc:
@@ -508,7 +508,7 @@ module ActionDispatch
         @options = options
         secret = key_generator.generate_key(@options[:encrypted_cookie_salt])
         sign_secret = key_generator.generate_key(@options[:encrypted_signed_cookie_salt])
-        @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: NullSerializer)
+        @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
       end
 
       def [](name)
@@ -526,7 +526,7 @@ module ActionDispatch
 
         options[:value] = @encryptor.encrypt_and_sign(serialize(name, options[:value]))
 
-        raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE
+        raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
         @parent_jar[name] = options
       end
 
@@ -539,7 +539,7 @@ module ActionDispatch
     end
 
     # UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore
-    # instead of EncryptedCookieJar if config.secret_token and secrets.secret_key_base
+    # instead of EncryptedCookieJar if secrets.secret_token and secrets.secret_key_base
     # are both set. It reads legacy cookies signed with the old dummy key generator and
     # encrypts and re-saves them using the new key generator to provide a smooth upgrade path.
     class UpgradeLegacyEncryptedCookieJar < EncryptedCookieJar #:nodoc: