actionpack 4.2.11.3 → 5.0.7.2

data/lib/action_controller.rb

@@ -7,13 +7,18 @@ require 'action_controller/metal/strong_parameters'
 module ActionController
   extend ActiveSupport::Autoload
 
+  autoload :API
   autoload :Base
-  autoload :Caching
   autoload :Metal
   autoload :Middleware
+  autoload :Renderer
+  autoload :FormBuilder
+
+  eager_autoload do
+    autoload :Caching
+  end
 
   autoload_under "metal" do
-    autoload :Compatibility
     autoload :ConditionalGet
     autoload :Cookies
     autoload :DataStreaming
@@ -22,13 +27,12 @@ module ActionController
     autoload :ForceSSL
     autoload :Head
     autoload :Helpers
-    autoload :HideActions
     autoload :HttpAuthentication
+    autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
     autoload :MimeResponds
     autoload :ParamsWrapper
-    autoload :RackDelegation
     autoload :Redirecting
     autoload :Renderers
     autoload :Rendering
@@ -40,13 +44,12 @@ module ActionController
     autoload :UrlFor
   end
 
+  autoload_under "api" do
+    autoload :ApiRendering
+  end
+
   autoload :TestCase,           'action_controller/test_case'
   autoload :TemplateAssertions, 'action_controller/test_case'
-
-  def self.eager_load!
-    super
-    ActionController::Caching.eager_load!
-  end
 end
 
 # Common Active Support usage in Action Controller

data/lib/action_dispatch/http/cache.rb

@@ -1,4 +1,3 @@
-
 module ActionDispatch
   module Http
     module Cache
@@ -8,19 +7,17 @@ module ActionDispatch
         HTTP_IF_NONE_MATCH     = 'HTTP_IF_NONE_MATCH'.freeze
 
         def if_modified_since
-          if since = env[HTTP_IF_MODIFIED_SINCE]
+          if since = get_header(HTTP_IF_MODIFIED_SINCE)
             Time.rfc2822(since) rescue nil
           end
         end
 
         def if_none_match
-          env[HTTP_IF_NONE_MATCH]
+          get_header HTTP_IF_NONE_MATCH
         end
 
         def if_none_match_etags
-          (if_none_match ? if_none_match.split(/\s*,\s*/) : []).collect do |etag|
-            etag.gsub(/^\"|\"$/, "")
-          end
+          if_none_match ? if_none_match.split(/\s*,\s*/) : []
         end
 
         def not_modified?(modified_at)
@@ -29,8 +26,8 @@ module ActionDispatch
 
         def etag_matches?(etag)
           if etag
-            etag = etag.gsub(/^\"|\"$/, "")
-            if_none_match_etags.include?(etag)
+            validators = if_none_match_etags
+            validators.include?(etag) || validators.include?('*')
           end
         end
 
@@ -51,52 +48,95 @@ module ActionDispatch
       end
 
       module Response
-        attr_reader :cache_control, :etag
-        alias :etag? :etag
+        attr_reader :cache_control
 
         def last_modified
-          if last = headers[LAST_MODIFIED]
+          if last = get_header(LAST_MODIFIED)
             Time.httpdate(last)
           end
         end
 
         def last_modified?
-          headers.include?(LAST_MODIFIED)
+          has_header? LAST_MODIFIED
         end
 
         def last_modified=(utc_time)
-          headers[LAST_MODIFIED] = utc_time.httpdate
+          set_header LAST_MODIFIED, utc_time.httpdate
         end
 
         def date
-          if date_header = headers[DATE]
+          if date_header = get_header(DATE)
             Time.httpdate(date_header)
           end
         end
 
         def date?
-          headers.include?(DATE)
+          has_header? DATE
         end
 
         def date=(utc_time)
-          headers[DATE] = utc_time.httpdate
+          set_header DATE, utc_time.httpdate
+        end
+
+        # This method sets a weak ETag validator on the response so browsers
+        # and proxies may cache the response, keyed on the ETag. On subsequent
+        # requests, the If-None-Match header is set to the cached ETag. If it
+        # matches the current ETag, we can return a 304 Not Modified response
+        # with no body, letting the browser or proxy know that their cache is
+        # current. Big savings in request time and network bandwidth.
+        #
+        # Weak ETags are considered to be semantically equivalent but not
+        # byte-for-byte identical. This is perfect for browser caching of HTML
+        # pages where we don't care about exact equality, just what the user
+        # is viewing.
+        #
+        # Strong ETags are considered byte-for-byte identical. They allow a
+        # browser or proxy cache to support Range requests, useful for paging
+        # through a PDF file or scrubbing through a video. Some CDNs only
+        # support strong ETags and will ignore weak ETags entirely.
+        #
+        # Weak ETags are what we almost always need, so they're the default.
+        # Check out `#strong_etag=` to provide a strong ETag validator.
+        def etag=(weak_validators)
+          self.weak_etag = weak_validators
         end
 
-        def etag=(etag)
-          key = ActiveSupport::Cache.expand_cache_key(etag)
-          @etag = self[ETAG] = %("#{Digest::MD5.hexdigest(key)}")
+        def weak_etag=(weak_validators)
+          set_header 'ETag', generate_weak_etag(weak_validators)
+        end
+
+        def strong_etag=(strong_validators)
+          set_header 'ETag', generate_strong_etag(strong_validators)
+        end
+
+        def etag?; etag; end
+
+        # True if an ETag is set and it's a weak validator (preceded with W/)
+        def weak_etag?
+          etag? && etag.starts_with?('W/"')
+        end
+
+        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        def strong_etag?
+          etag? && !weak_etag?
         end
 
       private
 
         DATE          = 'Date'.freeze
         LAST_MODIFIED = "Last-Modified".freeze
-        ETAG          = "ETag".freeze
-        CACHE_CONTROL = "Cache-Control".freeze
-        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
+
+        def generate_weak_etag(validators)
+          "W/#{generate_strong_etag(validators)}"
+        end
+
+        def generate_strong_etag(validators)
+          %("#{Digest::MD5.hexdigest(ActiveSupport::Cache.expand_cache_key(validators))}")
+        end
 
         def cache_control_segments
-          if cache_control = self[CACHE_CONTROL]
+          if cache_control = _cache_control
             cache_control.delete(' ').split(',')
           else
             []
@@ -123,12 +163,11 @@ module ActionDispatch
 
         def prepare_cache_control!
           @cache_control = cache_control_headers
-          @etag = self[ETAG]
         end
 
         def handle_conditional_get!
           if etag? || last_modified? || !@cache_control.empty?
-            set_conditional_cache_control!
+            set_conditional_cache_control!(@cache_control)
           end
         end
 
@@ -138,24 +177,24 @@ module ActionDispatch
         PRIVATE               = "private".freeze
         MUST_REVALIDATE       = "must-revalidate".freeze
 
-        def set_conditional_cache_control!
+        def set_conditional_cache_control!(cache_control)
           control = {}
           cc_headers = cache_control_headers
           if extras = cc_headers.delete(:extras)
-            @cache_control[:extras] ||= []
-            @cache_control[:extras] += extras
-            @cache_control[:extras].uniq!
+            cache_control[:extras] ||= []
+            cache_control[:extras] += extras
+            cache_control[:extras].uniq!
           end
 
           control.merge! cc_headers
-          control.merge! @cache_control
+          control.merge! cache_control
 
           if control.empty?
-            headers[CACHE_CONTROL] = DEFAULT_CACHE_CONTROL
+            self._cache_control = DEFAULT_CACHE_CONTROL
           elsif control[:no_cache]
-            headers[CACHE_CONTROL] = NO_CACHE
+            self._cache_control = NO_CACHE
             if control[:extras]
-              headers[CACHE_CONTROL] += ", #{control[:extras].join(', ')}"
+              self._cache_control = _cache_control + ", #{control[:extras].join(', ')}"
             end
           else
             extras  = control[:extras]
@@ -167,7 +206,7 @@ module ActionDispatch
             options << MUST_REVALIDATE if control[:must_revalidate]
             options.concat(extras) if extras
 
-            headers[CACHE_CONTROL] = options.join(", ")
+            self._cache_control = options.join(", ")
           end
         end
       end

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,14 +1,14 @@
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/object/duplicable'
 require 'action_dispatch/http/parameter_filter'
 
 module ActionDispatch
   module Http
     # Allows you to specify sensitive parameters which will be replaced from
     # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. If a block is given, each key and
-    # value of the params hash and all sub-hashes is passed to it, the value
-    # or key can be replaced using String#replace or similar method.
+    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
+    # from a hash is possible by using the dot notation: 'credit_card.number'.
+    # If a block is given, each key and value of the params hash and all
+    # sub-hashes is passed to it, the value or key can be replaced using
+    # String#replace or similar method.
     #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
@@ -16,7 +16,11 @@ module ActionDispatch
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
-    #   env["action_dispatch.parameter_filter"] = lambda do |k,v|
+    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
+    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
+    #   change { file: { code: "xxxx"} }
+    #
+    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
     #     v.reverse! if k =~ /secret/i
     #   end
     #   => reverses the value to all keys matching /secret/i
@@ -25,19 +29,19 @@ module ActionDispatch
       NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
       NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
 
-      def initialize(env)
+      def initialize
         super
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
       end
 
-      # Return a hash of parameters with all sensitive data replaced.
+      # Returns a hash of parameters with all sensitive data replaced.
       def filtered_parameters
         @filtered_parameters ||= parameter_filter.filter(parameters)
       end
 
-      # Return a hash of request.env with all sensitive data replaced.
+      # Returns a hash of request.env with all sensitive data replaced.
       def filtered_env
         @filtered_env ||= env_filter.filter(@env)
       end
@@ -50,13 +54,13 @@ module ActionDispatch
     protected
 
       def parameter_filter
-        parameter_filter_for @env.fetch("action_dispatch.parameter_filter") {
+        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
           return NULL_PARAM_FILTER
         }
       end
 
       def env_filter
-        user_key = @env.fetch("action_dispatch.parameter_filter") {
+        user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER
         }
         parameter_filter_for(Array(user_key) + ENV_MATCH)
@@ -70,7 +74,7 @@ module ActionDispatch
       PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string
         query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter([[$1, $2]]).first.join("=")
+          parameter_filter.filter($1 => $2).first.join("=")
         end
       end
     end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -4,9 +4,8 @@ module ActionDispatch
 
       FILTERED = '[FILTERED]'.freeze # :nodoc:
 
-      def filtered_location
-        filters = location_filter
-        if !filters.empty? && location_filter_match?(filters)
+      def filtered_location # :nodoc:
+        if location_filter_match?
           FILTERED
         else
           location
@@ -15,20 +14,20 @@ module ActionDispatch
 
     private
 
-      def location_filter
+      def location_filters
         if request
-          request.env['action_dispatch.redirect_filter'] || []
+          request.get_header('action_dispatch.redirect_filter') || []
         else
           []
         end
       end
 
-      def location_filter_match?(filters)
-        filters.any? do |filter|
+      def location_filter_match?
+        location_filters.any? do |filter|
           if String === filter
             location.include?(filter)
           elsif Regexp === filter
-            location.match(filter)
+            location =~ filter
           end
         end
       end

data/lib/action_dispatch/http/headers.rb

@@ -2,9 +2,23 @@ module ActionDispatch
   module Http
     # Provides access to the request's HTTP headers from the environment.
     #
-    #   env     = { "CONTENT_TYPE" => "text/plain" }
-    #   headers = ActionDispatch::Http::Headers.new(env)
+    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #   headers = ActionDispatch::Http::Headers.from_hash(env)
     #   headers["Content-Type"] # => "text/plain"
+    #   headers["User-Agent"] # => "curl/7.43.0"
+    #
+    # Also note that when headers are mapped to CGI-like variables by the Rack
+    # server, both dashes and underscores are converted to underscores. This
+    # ambiguity cannot be resolved at this stage anymore. Both underscores and
+    # dashes have to be interpreted as if they were originally sent as dashes.
+    #
+    #   # GET / HTTP/1.1
+    #   # ...
+    #   # User-Agent: curl/7.43.0
+    #   # X_Custom_Header: token
+    #
+    #   headers["X_Custom_Header"] # => nil
+    #   headers["X-Custom-Header"] # => "token"
     class Headers
       CGI_VARIABLES = Set.new(%W[
         AUTH_TYPE
@@ -30,27 +44,37 @@ module ActionDispatch
       HTTP_HEADER = /\A[A-Za-z0-9-]+\z/
 
       include Enumerable
-      attr_reader :env
 
-      def initialize(env = {}) # :nodoc:
-        @env = env
+      def self.from_hash(hash)
+        new ActionDispatch::Request.new hash
+      end
+
+      def initialize(request) # :nodoc:
+        @req = request
       end
 
       # Returns the value for the given key mapped to @env.
       def [](key)
-        @env[env_name(key)]
+        @req.get_header env_name(key)
       end
 
       # Sets the given value for the key mapped to @env.
       def []=(key, value)
-        @env[env_name(key)] = value
+        @req.set_header env_name(key), value
+      end
+
+      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      def add(key, value)
+        @req.add_header env_name(key), value
       end
 
       def key?(key)
-        @env.key? env_name(key)
+        @req.has_header? env_name(key)
       end
       alias :include? :key?
 
+      DEFAULT = Object.new # :nodoc:
+
       # Returns the value for the given key mapped to @env.
       #
       # If the key is not found and an optional code block is not provided,
@@ -58,18 +82,22 @@ module ActionDispatch
       #
       # If the code block is provided, then it will be run and
       # its result returned.
-      def fetch(key, *args, &block)
-        @env.fetch env_name(key), *args, &block
+      def fetch(key, default = DEFAULT)
+        @req.fetch_header(env_name(key)) do
+          return default unless default == DEFAULT
+          return yield if block_given?
+          raise NameError, key
+        end
       end
 
       def each(&block)
-        @env.each(&block)
+        @req.each_header(&block)
       end
 
       # Returns a new Http::Headers instance containing the contents of
       # <tt>headers_or_env</tt> and the original instance.
       def merge(headers_or_env)
-        headers = Http::Headers.new(env.dup)
+        headers = @req.dup.headers
         headers.merge!(headers_or_env)
         headers
       end
@@ -79,12 +107,15 @@ module ActionDispatch
       # <tt>headers_or_env</tt>.
       def merge!(headers_or_env)
         headers_or_env.each do |key, value|
-          self[env_name(key)] = value
+          @req.set_header env_name(key), value
         end
       end
 
+      def env; @req.env.dup; end
+
       private
-      # Converts a HTTP header name to an environment variable name if it is
+
+      # Converts an HTTP header name to an environment variable name if it is
       # not contained within the headers hash.
       def env_name(key)
         key = key.to_s

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -10,19 +10,18 @@ module ActionDispatch
         self.ignore_accept_header = false
       end
 
-      attr_reader :variant
-
-      # The MIME type of the HTTP request, such as Mime::XML.
+      # The MIME type of the HTTP request, such as Mime[:xml].
       #
       # For backward compatibility, the post \format is extracted from the
       # X-Post-Data-Format HTTP header if present.
       def content_mime_type
-        @env["action_dispatch.request.content_type"] ||= begin
-          if @env['CONTENT_TYPE'] =~ /^([^,\;]*)/
+        fetch_header("action_dispatch.request.content_type") do |k|
+          v = if get_header('CONTENT_TYPE') =~ /^([^,\;]*)/
             Mime::Type.lookup($1.strip.downcase)
           else
             nil
           end
+          set_header k, v
         end
       end
 
@@ -30,31 +29,36 @@ module ActionDispatch
         content_mime_type && content_mime_type.to_s
       end
 
+      def has_content_type? # :nodoc:
+        get_header "CONTENT_TYPE"
+      end
+
       # Returns the accepted MIME type for the request.
       def accepts
-        @env["action_dispatch.request.accepts"] ||= begin
-          header = @env['HTTP_ACCEPT'].to_s.strip
+        fetch_header("action_dispatch.request.accepts") do |k|
+          header = get_header('HTTP_ACCEPT').to_s.strip
 
-          if header.empty?
+          v = if header.empty?
             [content_mime_type]
           else
             Mime::Type.parse(header)
           end
+          set_header k, v
         end
       end
 
       # Returns the MIME type for the \format used in the request.
       #
-      #   GET /posts/5.xml   | request.format => Mime::XML
-      #   GET /posts/5.xhtml | request.format => Mime::HTML
-      #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
+      #   GET /posts/5.xml   | request.format => Mime[:xml]
+      #   GET /posts/5.xhtml | request.format => Mime[:html]
+      #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
       def format(view_path = [])
         formats.first || Mime::NullType.instance
       end
 
       def formats
-        @env["action_dispatch.request.formats"] ||= begin
+        fetch_header("action_dispatch.request.formats") do |k|
           params_readable = begin
                               parameters[:format]
                             rescue ActionController::BadRequest
@@ -65,32 +69,40 @@ module ActionDispatch
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
+          elsif extension_format = format_from_path_extension
+            [extension_format]
           elsif xhr?
-            [Mime::JS]
+            [Mime[:js]]
           else
-            [Mime::HTML]
+            [Mime[:html]]
           end
 
-          v.select do |format|
+          v = v.select do |format|
             format.symbol || format.ref == "*/*"
           end
+
+          set_header k, v
         end
       end
 
       # Sets the \variant for template.
       def variant=(variant)
-        if variant.is_a?(Symbol)
-          @variant = [variant]
-        elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
-          @variant = variant
+        variant = Array(variant)
+
+        if variant.all? { |v| v.is_a?(Symbol) }
+          @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
-          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols. " \
             "For security reasons, never directly set the variant to a user-provided value, " \
             "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
             "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
         end
       end
 
+      def variant
+        @variant ||= ActiveSupport::ArrayInquirer.new
+      end
+
       # Sets the \format by string extension, which can be used to force custom formats
       # that are not controlled by the extension.
       #
@@ -104,7 +116,7 @@ module ActionDispatch
       #   end
       def format=(extension)
         parameters[:format] = extension.to_s
-        @env["action_dispatch.request.formats"] = [Mime::Type.lookup_by_extension(parameters[:format])]
+        set_header "action_dispatch.request.formats", [Mime::Type.lookup_by_extension(parameters[:format])]
       end
 
       # Sets the \formats by string extensions. This differs from #format= by allowing you
@@ -123,9 +135,9 @@ module ActionDispatch
       #   end
       def formats=(extensions)
         parameters[:format] = extensions.first.to_s
-        @env["action_dispatch.request.formats"] = extensions.collect do |extension|
+        set_header "action_dispatch.request.formats", extensions.collect { |extension|
           Mime::Type.lookup_by_extension(extension)
-        end
+        }
       end
 
       # Receives an array of mimes and return the first user sent mime that
@@ -155,6 +167,13 @@ module ActionDispatch
       def use_accept_header
         !self.class.ignore_accept_header
       end
+
+      def format_from_path_extension
+        path = get_header('action_dispatch.original_path') || get_header('PATH_INFO')
+        if match = path && path.match(/\.(\w+)\z/)
+          Mime[match.captures.first]
+        end
+      end
     end
   end
 end