RubyGems - actionpack - Versions diffs - 4.2.11.1 → 6.1.3.2 - Mend

actionpack 4.2.11.1 → 6.1.3.2

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (187) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +291 -489
data/MIT-LICENSE +1 -1
data/README.rdoc +9 -9
data/lib/abstract_controller/asset_paths.rb +2 -0
data/lib/abstract_controller/base.rb +81 -51
data/lib/{action_controller → abstract_controller}/caching/fragments.rb +64 -17
data/lib/abstract_controller/caching.rb +66 -0
data/lib/abstract_controller/callbacks.rb +61 -33
data/lib/abstract_controller/collector.rb +9 -13
data/lib/abstract_controller/error.rb +6 -0
data/lib/abstract_controller/helpers.rb +115 -99
data/lib/abstract_controller/logger.rb +2 -0
data/lib/abstract_controller/railties/routes_helpers.rb +21 -3
data/lib/abstract_controller/rendering.rb +48 -47
data/lib/abstract_controller/translation.rb +17 -8
data/lib/abstract_controller/url_for.rb +2 -0
data/lib/abstract_controller.rb +13 -5
data/lib/action_controller/api/api_rendering.rb +16 -0
data/lib/action_controller/api.rb +150 -0
data/lib/action_controller/base.rb +29 -24
data/lib/action_controller/caching.rb +12 -57
data/lib/action_controller/form_builder.rb +50 -0
data/lib/action_controller/log_subscriber.rb +17 -19
data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
data/lib/action_controller/metal/conditional_get.rb +134 -46
data/lib/action_controller/metal/content_security_policy.rb +51 -0
data/lib/action_controller/metal/cookies.rb +6 -4
data/lib/action_controller/metal/data_streaming.rb +30 -50
data/lib/action_controller/metal/default_headers.rb +17 -0
data/lib/action_controller/metal/etag_with_flash.rb +18 -0
data/lib/action_controller/metal/etag_with_template_digest.rb +21 -16
data/lib/action_controller/metal/exceptions.rb +63 -15
data/lib/action_controller/metal/flash.rb +9 -8
data/lib/action_controller/metal/head.rb +26 -21
data/lib/action_controller/metal/helpers.rb +37 -18
data/lib/action_controller/metal/http_authentication.rb +81 -73
data/lib/action_controller/metal/implicit_render.rb +53 -9
data/lib/action_controller/metal/instrumentation.rb +32 -35
data/lib/action_controller/metal/live.rb +102 -120
data/lib/action_controller/metal/logging.rb +20 -0
data/lib/action_controller/metal/mime_responds.rb +49 -47
data/lib/action_controller/metal/parameter_encoding.rb +82 -0
data/lib/action_controller/metal/params_wrapper.rb +83 -66
data/lib/action_controller/metal/permissions_policy.rb +46 -0
data/lib/action_controller/metal/redirecting.rb +53 -32
data/lib/action_controller/metal/renderers.rb +87 -44
data/lib/action_controller/metal/rendering.rb +77 -50
data/lib/action_controller/metal/request_forgery_protection.rb +267 -103
data/lib/action_controller/metal/rescue.rb +10 -17
data/lib/action_controller/metal/streaming.rb +12 -11
data/lib/action_controller/metal/strong_parameters.rb +714 -186
data/lib/action_controller/metal/testing.rb +2 -17
data/lib/action_controller/metal/url_for.rb +19 -10
data/lib/action_controller/metal.rb +104 -87
data/lib/action_controller/railtie.rb +28 -10
data/lib/action_controller/railties/helpers.rb +3 -1
data/lib/action_controller/renderer.rb +141 -0
data/lib/action_controller/template_assertions.rb +11 -0
data/lib/action_controller/test_case.rb +296 -422
data/lib/action_controller.rb +34 -23
data/lib/action_dispatch/http/cache.rb +107 -56
data/lib/action_dispatch/http/content_disposition.rb +45 -0
data/lib/action_dispatch/http/content_security_policy.rb +286 -0
data/lib/action_dispatch/http/filter_parameters.rb +32 -25
data/lib/action_dispatch/http/filter_redirect.rb +10 -12
data/lib/action_dispatch/http/headers.rb +55 -22
data/lib/action_dispatch/http/mime_negotiation.rb +79 -51
data/lib/action_dispatch/http/mime_type.rb +153 -121
data/lib/action_dispatch/http/mime_types.rb +20 -6
data/lib/action_dispatch/http/parameters.rb +90 -40
data/lib/action_dispatch/http/permissions_policy.rb +173 -0
data/lib/action_dispatch/http/rack_cache.rb +2 -0
data/lib/action_dispatch/http/request.rb +226 -121
data/lib/action_dispatch/http/response.rb +248 -113
data/lib/action_dispatch/http/upload.rb +21 -7
data/lib/action_dispatch/http/url.rb +182 -100
data/lib/action_dispatch/journey/formatter.rb +90 -43
data/lib/action_dispatch/journey/gtg/builder.rb +28 -41
data/lib/action_dispatch/journey/gtg/simulator.rb +11 -16
data/lib/action_dispatch/journey/gtg/transition_table.rb +23 -21
data/lib/action_dispatch/journey/nfa/dot.rb +3 -14
data/lib/action_dispatch/journey/nodes/node.rb +29 -15
data/lib/action_dispatch/journey/parser.rb +17 -16
data/lib/action_dispatch/journey/parser.y +4 -3
data/lib/action_dispatch/journey/parser_extras.rb +12 -4
data/lib/action_dispatch/journey/path/pattern.rb +58 -54
data/lib/action_dispatch/journey/route.rb +100 -32
data/lib/action_dispatch/journey/router/utils.rb +29 -18
data/lib/action_dispatch/journey/router.rb +55 -51
data/lib/action_dispatch/journey/routes.rb +17 -17
data/lib/action_dispatch/journey/scanner.rb +26 -17
data/lib/action_dispatch/journey/visitors.rb +98 -54
data/lib/action_dispatch/journey.rb +5 -5
data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
data/lib/action_dispatch/middleware/callbacks.rb +3 -6
data/lib/action_dispatch/middleware/cookies.rb +347 -217
data/lib/action_dispatch/middleware/debug_exceptions.rb +135 -63
data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
data/lib/action_dispatch/middleware/debug_view.rb +66 -0
data/lib/action_dispatch/middleware/exception_wrapper.rb +115 -71
data/lib/action_dispatch/middleware/executor.rb +21 -0
data/lib/action_dispatch/middleware/flash.rb +78 -54
data/lib/action_dispatch/middleware/host_authorization.rb +130 -0
data/lib/action_dispatch/middleware/public_exceptions.rb +32 -27
data/lib/action_dispatch/middleware/reloader.rb +5 -91
data/lib/action_dispatch/middleware/remote_ip.rb +53 -45
data/lib/action_dispatch/middleware/request_id.rb +17 -10
data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -26
data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
data/lib/action_dispatch/middleware/session/cookie_store.rb +74 -75
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
data/lib/action_dispatch/middleware/show_exceptions.rb +28 -23
data/lib/action_dispatch/middleware/ssl.rb +118 -35
data/lib/action_dispatch/middleware/stack.rb +82 -41
data/lib/action_dispatch/middleware/static.rb +156 -89
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -14
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +4 -2
data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +15 -0
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +105 -8
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +87 -64
data/lib/action_dispatch/railtie.rb +27 -13
data/lib/action_dispatch/request/session.rb +109 -61
data/lib/action_dispatch/request/utils.rb +90 -23
data/lib/action_dispatch/routing/endpoint.rb +9 -2
data/lib/action_dispatch/routing/inspector.rb +141 -102
data/lib/action_dispatch/routing/mapper.rb +811 -473
data/lib/action_dispatch/routing/polymorphic_routes.rb +167 -143
data/lib/action_dispatch/routing/redirection.rb +37 -27
data/lib/action_dispatch/routing/route_set.rb +363 -331
data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
data/lib/action_dispatch/routing/url_for.rb +66 -26
data/lib/action_dispatch/routing.rb +36 -36
data/lib/action_dispatch/system_test_case.rb +190 -0
data/lib/action_dispatch/system_testing/browser.rb +86 -0
data/lib/action_dispatch/system_testing/driver.rb +67 -0
data/lib/action_dispatch/system_testing/server.rb +31 -0
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +138 -0
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +29 -0
data/lib/action_dispatch/testing/assertion_response.rb +46 -0
data/lib/action_dispatch/testing/assertions/response.rb +44 -22
data/lib/action_dispatch/testing/assertions/routing.rb +47 -31
data/lib/action_dispatch/testing/assertions.rb +6 -4
data/lib/action_dispatch/testing/integration.rb +391 -220
data/lib/action_dispatch/testing/request_encoder.rb +55 -0
data/lib/action_dispatch/testing/test_process.rb +53 -22
data/lib/action_dispatch/testing/test_request.rb +27 -34
data/lib/action_dispatch/testing/test_response.rb +11 -11
data/lib/action_dispatch.rb +35 -21
data/lib/action_pack/gem_version.rb +6 -4
data/lib/action_pack/version.rb +3 -1
data/lib/action_pack.rb +4 -2
metadata +78 -48
data/lib/action_controller/metal/force_ssl.rb +0 -97
data/lib/action_controller/metal/hide_actions.rb +0 -40
data/lib/action_controller/metal/rack_delegation.rb +0 -32
data/lib/action_controller/middleware.rb +0 -39
data/lib/action_controller/model_naming.rb +0 -12
data/lib/action_dispatch/http/parameter_filter.rb +0 -72
data/lib/action_dispatch/journey/backwards.rb +0 -5
data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
data/lib/action_dispatch/journey/router/strexp.rb +0 -27
data/lib/action_dispatch/middleware/params_parser.rb +0 -60
data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
data/lib/action_dispatch/testing/assertions/tag.rb +0 -3

data/lib/action_dispatch/http/filter_parameters.rb CHANGED Viewed

@@ -1,14 +1,16 @@
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/object/duplicable'
-require 'action_dispatch/http/parameter_filter'
+# frozen_string_literal: true
+require "active_support/parameter_filter"
 module ActionDispatch
   module Http
     # Allows you to specify sensitive parameters which will be replaced from
     # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. If a block is given, each key and
-    # value of the params hash and all sub-hashes is passed to it, the value
-    # or key can be replaced using String#replace or similar method.
+    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
+    # from a hash is possible by using the dot notation: 'credit_card.number'.
+    # If a block is given, each key and value of the params hash and all
+    # sub-hashes are passed to it, where the value or the key can be replaced using
+    # String#replace or similar methods.
     #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
@@ -16,61 +18,66 @@ module ActionDispatch
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
-    #   env["action_dispatch.parameter_filter"] = lambda do |k,v|
-    #     v.reverse! if k =~ /secret/i
+    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
+    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
+    #   change { file: { code: "xxxx"} }
+    #
+    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
+    #     v.reverse! if k.match?(/secret/i)
     #   end
     #   => reverses the value to all keys matching /secret/i
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
-      def initialize(env)
+      def initialize
         super
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
       end
-      # Return a hash of parameters with all sensitive data replaced.
+      # Returns a hash of parameters with all sensitive data replaced.
       def filtered_parameters
         @filtered_parameters ||= parameter_filter.filter(parameters)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        @filtered_parameters = {}
       end
-      # Return a hash of request.env with all sensitive data replaced.
+      # Returns a hash of request.env with all sensitive data replaced.
       def filtered_env
         @filtered_env ||= env_filter.filter(@env)
       end
-      # Reconstructed a path with all sensitive GET parameters replaced.
+      # Reconstructs a path with all sensitive GET parameters replaced.
       def filtered_path
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
-    protected
-      def parameter_filter
-        parameter_filter_for @env.fetch("action_dispatch.parameter_filter") {
+    private
+      def parameter_filter # :doc:
+        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
           return NULL_PARAM_FILTER
         }
       end
-      def env_filter
-        user_key = @env.fetch("action_dispatch.parameter_filter") {
+      def env_filter # :doc:
+        user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER
         }
         parameter_filter_for(Array(user_key) + ENV_MATCH)
       end
-      def parameter_filter_for(filters)
-        ParameterFilter.new(filters)
+      def parameter_filter_for(filters) # :doc:
+        ActiveSupport::ParameterFilter.new(filters)
       end
-      KV_RE   = '[^&;=]+'
+      KV_RE   = "[^&;=]+"
       PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
-      def filtered_query_string
+      def filtered_query_string # :doc:
         query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter([[$1, $2]]).first.join("=")
+          parameter_filter.filter($1 => $2).first.join("=")
         end
       end
     end

data/lib/action_dispatch/http/filter_redirect.rb CHANGED Viewed

@@ -1,12 +1,12 @@
+# frozen_string_literal: true
 module ActionDispatch
   module Http
     module FilterRedirect
+      FILTERED = "[FILTERED]" # :nodoc:
-      FILTERED = '[FILTERED]'.freeze # :nodoc:
-      def filtered_location
-        filters = location_filter
-        if !filters.empty? && location_filter_match?(filters)
+      def filtered_location # :nodoc:
+        if location_filter_match?
           FILTERED
         else
           location
@@ -14,25 +14,23 @@ module ActionDispatch
       end
     private
-      def location_filter
+      def location_filters
         if request
-          request.env['action_dispatch.redirect_filter'] || []
+          request.get_header("action_dispatch.redirect_filter") || []
         else
           []
         end
       end
-      def location_filter_match?(filters)
-        filters.any? do |filter|
+      def location_filter_match?
+        location_filters.any? do |filter|
           if String === filter
             location.include?(filter)
           elsif Regexp === filter
-            location.match(filter)
+            location.match?(filter)
           end
         end
       end
     end
   end
 end

data/lib/action_dispatch/http/headers.rb CHANGED Viewed

@@ -1,10 +1,26 @@
+# frozen_string_literal: true
 module ActionDispatch
   module Http
     # Provides access to the request's HTTP headers from the environment.
     #
-    #   env     = { "CONTENT_TYPE" => "text/plain" }
-    #   headers = ActionDispatch::Http::Headers.new(env)
+    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #   headers = ActionDispatch::Http::Headers.from_hash(env)
     #   headers["Content-Type"] # => "text/plain"
+    #   headers["User-Agent"] # => "curl/7.43.0"
+    #
+    # Also note that when headers are mapped to CGI-like variables by the Rack
+    # server, both dashes and underscores are converted to underscores. This
+    # ambiguity cannot be resolved at this stage anymore. Both underscores and
+    # dashes have to be interpreted as if they were originally sent as dashes.
+    #
+    #   # GET / HTTP/1.1
+    #   # ...
+    #   # User-Agent: curl/7.43.0
+    #   # X_Custom_Header: token
+    #
+    #   headers["X_Custom_Header"] # => nil
+    #   headers["X-Custom-Header"] # => "token"
     class Headers
       CGI_VARIABLES = Set.new(%W[
         AUTH_TYPE
@@ -30,27 +46,37 @@ module ActionDispatch
       HTTP_HEADER = /\A[A-Za-z0-9-]+\z/
       include Enumerable
-      attr_reader :env
-      def initialize(env = {}) # :nodoc:
-        @env = env
+      def self.from_hash(hash)
+        new ActionDispatch::Request.new hash
+      end
+      def initialize(request) # :nodoc:
+        @req = request
       end
       # Returns the value for the given key mapped to @env.
       def [](key)
-        @env[env_name(key)]
+        @req.get_header env_name(key)
       end
       # Sets the given value for the key mapped to @env.
       def []=(key, value)
-        @env[env_name(key)] = value
+        @req.set_header env_name(key), value
+      end
+      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      def add(key, value)
+        @req.add_header env_name(key), value
       end
       def key?(key)
-        @env.key? env_name(key)
+        @req.has_header? env_name(key)
       end
       alias :include? :key?
+      DEFAULT = Object.new # :nodoc:
       # Returns the value for the given key mapped to @env.
       #
       # If the key is not found and an optional code block is not provided,
@@ -58,18 +84,22 @@ module ActionDispatch
       #
       # If the code block is provided, then it will be run and
       # its result returned.
-      def fetch(key, *args, &block)
-        @env.fetch env_name(key), *args, &block
+      def fetch(key, default = DEFAULT)
+        @req.fetch_header(env_name(key)) do
+          return default unless default == DEFAULT
+          return yield if block_given?
+          raise KeyError, key
+        end
       end
       def each(&block)
-        @env.each(&block)
+        @req.each_header(&block)
       end
       # Returns a new Http::Headers instance containing the contents of
       # <tt>headers_or_env</tt> and the original instance.
       def merge(headers_or_env)
-        headers = Http::Headers.new(env.dup)
+        headers = @req.dup.headers
         headers.merge!(headers_or_env)
         headers
       end
@@ -79,21 +109,24 @@ module ActionDispatch
       # <tt>headers_or_env</tt>.
       def merge!(headers_or_env)
         headers_or_env.each do |key, value|
-          self[env_name(key)] = value
+          @req.set_header env_name(key), value
         end
       end
+      def env; @req.env.dup; end
       private
-      # Converts a HTTP header name to an environment variable name if it is
-      # not contained within the headers hash.
-      def env_name(key)
-        key = key.to_s
-        if key =~ HTTP_HEADER
-          key = key.upcase.tr('-', '_')
-          key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+        # Converts an HTTP header name to an environment variable name if it is
+        # not contained within the headers hash.
+        def env_name(key)
+          key = key.to_s
+          if HTTP_HEADER.match?(key)
+            key = key.upcase
+            key.tr!("-", "_")
+            key.prepend("HTTP_") unless CGI_VARIABLES.include?(key)
+          end
+          key
         end
-        key
-      end
     end
   end
 end

data/lib/action_dispatch/http/mime_negotiation.rb CHANGED Viewed

@@ -1,28 +1,34 @@
-require 'active_support/core_ext/module/attribute_accessors'
+# frozen_string_literal: true
+require "active_support/core_ext/module/attribute_accessors"
 module ActionDispatch
   module Http
     module MimeNegotiation
       extend ActiveSupport::Concern
+      class InvalidType < ::Mime::Type::InvalidMimeType; end
+      RESCUABLE_MIME_FORMAT_ERRORS = [
+        ActionController::BadRequest,
+        ActionDispatch::Http::Parameters::ParseError,
+      ]
       included do
-        mattr_accessor :ignore_accept_header
-        self.ignore_accept_header = false
+        mattr_accessor :ignore_accept_header, default: false
       end
-      attr_reader :variant
-      # The MIME type of the HTTP request, such as Mime::XML.
-      #
-      # For backward compatibility, the post \format is extracted from the
-      # X-Post-Data-Format HTTP header if present.
+      # The MIME type of the HTTP request, such as Mime[:xml].
       def content_mime_type
-        @env["action_dispatch.request.content_type"] ||= begin
-          if @env['CONTENT_TYPE'] =~ /^([^,\;]*)/
+        fetch_header("action_dispatch.request.content_type") do |k|
+          v = if get_header("CONTENT_TYPE") =~ /^([^,\;]*)/
             Mime::Type.lookup($1.strip.downcase)
           else
             nil
           end
+          set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
@@ -30,67 +36,73 @@ module ActionDispatch
         content_mime_type && content_mime_type.to_s
       end
+      def has_content_type? # :nodoc:
+        get_header "CONTENT_TYPE"
+      end
       # Returns the accepted MIME type for the request.
       def accepts
-        @env["action_dispatch.request.accepts"] ||= begin
-          header = @env['HTTP_ACCEPT'].to_s.strip
+        fetch_header("action_dispatch.request.accepts") do |k|
+          header = get_header("HTTP_ACCEPT").to_s.strip
-          if header.empty?
+          v = if header.empty?
             [content_mime_type]
           else
             Mime::Type.parse(header)
           end
+          set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
       # Returns the MIME type for the \format used in the request.
       #
-      #   GET /posts/5.xml   | request.format => Mime::XML
-      #   GET /posts/5.xhtml | request.format => Mime::HTML
-      #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
+      #   GET /posts/5.xml   | request.format => Mime[:xml]
+      #   GET /posts/5.xhtml | request.format => Mime[:html]
+      #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
       def format(view_path = [])
         formats.first || Mime::NullType.instance
       end
       def formats
-        @env["action_dispatch.request.formats"] ||= begin
-          params_readable = begin
-                              parameters[:format]
-                            rescue ActionController::BadRequest
-                              false
-                            end
-          v = if params_readable
+        fetch_header("action_dispatch.request.formats") do |k|
+          v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
+          elsif extension_format = format_from_path_extension
+            [extension_format]
           elsif xhr?
-            [Mime::JS]
+            [Mime[:js]]
           else
-            [Mime::HTML]
+            [Mime[:html]]
           end
-          v.select do |format|
+          v = v.select do |format|
             format.symbol || format.ref == "*/*"
           end
+          set_header k, v
         end
       end
       # Sets the \variant for template.
       def variant=(variant)
-        if variant.is_a?(Symbol)
-          @variant = [variant]
-        elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
-          @variant = variant
+        variant = Array(variant)
+        if variant.all? { |v| v.is_a?(Symbol) }
+          @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
-          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
-            "For security reasons, never directly set the variant to a user-provided value, " \
-            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
-            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."
         end
       end
+      def variant
+        @variant ||= ActiveSupport::ArrayInquirer.new
+      end
       # Sets the \format by string extension, which can be used to force custom formats
       # that are not controlled by the extension.
       #
@@ -104,7 +116,7 @@ module ActionDispatch
       #   end
       def format=(extension)
         parameters[:format] = extension.to_s
-        @env["action_dispatch.request.formats"] = [Mime::Type.lookup_by_extension(parameters[:format])]
+        set_header "action_dispatch.request.formats", [Mime::Type.lookup_by_extension(parameters[:format])]
       end
       # Sets the \formats by string extensions. This differs from #format= by allowing you
@@ -123,14 +135,12 @@ module ActionDispatch
       #   end
       def formats=(extensions)
         parameters[:format] = extensions.first.to_s
-        @env["action_dispatch.request.formats"] = extensions.collect do |extension|
+        set_header "action_dispatch.request.formats", extensions.collect { |extension|
           Mime::Type.lookup_by_extension(extension)
-        end
+        }
       end
-      # Receives an array of mimes and return the first user sent mime that
-      # matches the order array.
-      #
+      # Returns the first MIME type that matches the provided array of MIME types.
       def negotiate_mime(order)
         formats.each do |priority|
           if priority == Mime::ALL
@@ -143,18 +153,36 @@ module ActionDispatch
         order.include?(Mime::ALL) ? format : nil
       end
-      protected
+      def should_apply_vary_header?
+        !params_readable? && use_accept_header && valid_accept_header
+      end
-      BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
+      private
+        # We use normal content negotiation unless you include */* in your list,
+        # in which case we assume you're a browser and send HTML.
+        BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
-      def valid_accept_header
-        (xhr? && (accept.present? || content_mime_type)) ||
-          (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
-      end
+        def params_readable? # :doc:
+          parameters[:format]
+        rescue *RESCUABLE_MIME_FORMAT_ERRORS
+          false
+        end
-      def use_accept_header
-        !self.class.ignore_accept_header
-      end
+        def valid_accept_header # :doc:
+          (xhr? && (accept.present? || content_mime_type)) ||
+            (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
+        end
+        def use_accept_header # :doc:
+          !self.class.ignore_accept_header
+        end
+        def format_from_path_extension # :doc:
+          path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
+          if match = path && path.match(/\.(\w+)\z/)
+            Mime[match.captures.first]
+          end
+        end
     end
   end
 end