actionpack 5.0.0.1 → 5.0.1.rc1

data/lib/action_dispatch.rb

@@ -50,6 +50,7 @@ module ActionDispatch
     autoload :Callbacks
     autoload :Cookies
     autoload :DebugExceptions
+    autoload :DebugLocks
     autoload :ExceptionWrapper
     autoload :Executor
     autoload :Flash

data/lib/action_dispatch/http/headers.rb

@@ -3,7 +3,7 @@ module ActionDispatch
     # Provides access to the request's HTTP headers from the environment.
     #
     #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
-    #   headers = ActionDispatch::Http::Headers.new(env)
+    #   headers = ActionDispatch::Http::Headers.from_hash(env)
     #   headers["Content-Type"] # => "text/plain"
     #   headers["User-Agent"] # => "curl/7.43.0"
     #

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -29,8 +29,8 @@ module ActionDispatch
         content_mime_type && content_mime_type.to_s
       end
 
-      def has_content_type?
-        has_header? 'CONTENT_TYPE'
+      def has_content_type? # :nodoc:
+        get_header "CONTENT_TYPE"
       end
 
       # Returns the accepted MIME type for the request.

data/lib/action_dispatch/http/parameters.rb

@@ -44,7 +44,14 @@ module ActionDispatch
 
       def path_parameters=(parameters) #:nodoc:
         delete_header('action_dispatch.request.parameters')
+
+        # If any of the path parameters has an invalid encoding then
+        # raise since it's likely to trigger errors further on.
+        Request::Utils.check_param_encoding(parameters)
+
         set_header PARAMETERS_KEY, parameters
+      rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
+        raise ActionController::BadRequest.new("Invalid path parameters: #{e.message}")
       end
 
       # Returns a hash with the \parameters used to form the \path of the request.
@@ -58,7 +65,7 @@ module ActionDispatch
       private
 
       def parse_formatted_parameters(parsers)
-        return yield if content_length.zero?
+        return yield if content_length.zero? || content_mime_type.nil?
 
         strategy = parsers.fetch(content_mime_type.symbol) { return yield }
 

data/lib/action_dispatch/http/request.rb

@@ -66,24 +66,12 @@ module ActionDispatch
     def commit_cookie_jar! # :nodoc:
     end
 
-    def check_path_parameters!
-      # If any of the path parameters has an invalid encoding then
-      # raise since it's likely to trigger errors further on.
-      path_parameters.each do |key, value|
-        next unless value.respond_to?(:valid_encoding?)
-        unless value.valid_encoding?
-          raise ActionController::BadRequest, "Invalid parameter encoding: #{key} => #{value.inspect}"
-        end
-      end
-    end
-
     PASS_NOT_FOUND = Class.new { # :nodoc:
       def self.action(_); self; end
       def self.call(_); [404, {'X-Cascade' => 'pass'}, []]; end
     }
 
     def controller_class
-      check_path_parameters!
       params = path_parameters
 
       if params.key?(:controller)

data/lib/action_dispatch/http/response.rb

@@ -224,8 +224,10 @@ module ActionDispatch # :nodoc:
 
     # Sets the HTTP content type.
     def content_type=(content_type)
-      header_info = parse_content_type
-      set_content_type content_type.to_s, header_info.charset || self.class.default_charset
+      return unless content_type
+      new_header_info = parse_content_type(content_type.to_s)
+      prev_header_info = parsed_content_type_header
+      set_content_type new_header_info.mime_type, new_header_info.charset || prev_header_info.charset || self.class.default_charset
     end
 
     # Sets the HTTP response's content MIME type. For example, in the controller
@@ -238,7 +240,7 @@ module ActionDispatch # :nodoc:
     # information.
 
     def content_type
-      parse_content_type.mime_type
+      parsed_content_type_header.mime_type
     end
 
     def sending_file=(v)
@@ -253,7 +255,7 @@ module ActionDispatch # :nodoc:
     #   response.charset = 'utf-16' # => 'utf-16'
     #   response.charset = nil      # => 'utf-8'
     def charset=(charset)
-      header_info = parse_content_type
+      header_info = parsed_content_type_header
       if false == charset
         set_header CONTENT_TYPE, header_info.mime_type
       else
@@ -265,7 +267,7 @@ module ActionDispatch # :nodoc:
     # The charset of the response. HTML wants to know the encoding of the
     # content you're giving them, so we need to send that along.
     def charset
-      header_info = parse_content_type
+      header_info = parsed_content_type_header
       header_info.charset || self.class.default_charset
     end
 
@@ -403,8 +405,7 @@ module ActionDispatch # :nodoc:
     ContentTypeHeader = Struct.new :mime_type, :charset
     NullContentTypeHeader = ContentTypeHeader.new nil, nil
 
-    def parse_content_type
-      content_type = get_header CONTENT_TYPE
+    def parse_content_type(content_type)
       if content_type
         type, charset = content_type.split(/;\s*charset=/)
         type = nil if type.empty?
@@ -414,6 +415,12 @@ module ActionDispatch # :nodoc:
       end
     end
 
+    # Small internal convenience method to get the parsed version of the current
+    # content type header.
+    def parsed_content_type_header
+      parse_content_type(get_header(CONTENT_TYPE))
+    end
+
     def set_content_type(content_type, charset)
       type = (content_type || '').dup
       type << "; charset=#{charset}" if charset
@@ -450,7 +457,7 @@ module ActionDispatch # :nodoc:
     def assign_default_content_type_and_charset!
       return if content_type
 
-      ct = parse_content_type
+      ct = parsed_content_type_header
       set_content_type(ct.mime_type || Mime[:html].to_s,
                        ct.charset || self.class.default_charset)
     end

data/lib/action_dispatch/journey/formatter.rb

@@ -1,10 +1,11 @@
 require 'action_controller/metal/exceptions'
 
 module ActionDispatch
+  # :stopdoc:
   module Journey
     # The Formatter class is used for formatting URLs. For example, parameters
     # passed to +url_for+ in Rails will eventually call Formatter#generate.
-    class Formatter # :nodoc:
+    class Formatter
       attr_reader :routes
 
       def initialize(routes)
@@ -174,4 +175,5 @@ module ActionDispatch
         end
     end
   end
+  # :stopdoc:
 end

data/lib/action_dispatch/journey/parser.rb

@@ -9,6 +9,7 @@ require 'racc/parser.rb'
 
 require 'action_dispatch/journey/parser_extras'
 module ActionDispatch
+  # :stopdoc:
   module Journey
     class Parser < Racc::Parser
 ##### State transition tables begin ###
@@ -195,4 +196,5 @@ end
 
     end   # class Parser
     end   # module Journey
+  # :startdoc:
   end   # module ActionDispatch

data/lib/action_dispatch/journey/parser_extras.rb

@@ -2,8 +2,9 @@ require 'action_dispatch/journey/scanner'
 require 'action_dispatch/journey/nodes/node'
 
 module ActionDispatch
-  module Journey # :nodoc:
-    class Parser < Racc::Parser # :nodoc:
+  # :stopdoc:
+  module Journey
+    class Parser < Racc::Parser
       include Journey::Nodes
 
       def self.parse(string)
@@ -24,4 +25,5 @@ module ActionDispatch
       end
     end
   end
+  # :startdoc:
 end

data/lib/action_dispatch/journey/route.rb

@@ -1,6 +1,7 @@
 module ActionDispatch
-  module Journey # :nodoc:
-    class Route # :nodoc:
+  # :stopdoc:
+  module Journey
+    class Route
       attr_reader :app, :path, :defaults, :name, :precedence
 
       attr_reader :constraints, :internal
@@ -81,7 +82,7 @@ module ActionDispatch
         end
       end
 
-      def requirements # :nodoc:
+      def requirements
         # needed for rails `rails routes`
         @defaults.merge(path.requirements).delete_if { |_,v|
           /.+?/ == v
@@ -177,4 +178,5 @@ module ActionDispatch
       end
     end
   end
+  # :startdoc:
 end

data/lib/action_dispatch/journey/router.rb

@@ -72,7 +72,9 @@ module ActionDispatch
       private
 
         def partitioned_routes
-          routes.partitioned_routes
+          routes.partition { |r|
+            r.path.anchored && r.ast.grep(Nodes::Symbol).all? { |n| n.default_regexp?  }
+          }
         end
 
         def ast

data/lib/action_dispatch/journey/visitors.rb

@@ -1,5 +1,6 @@
 module ActionDispatch
-  module Journey # :nodoc:
+  # :stopdoc:
+  module Journey
     class Format
       ESCAPE_PATH    = ->(value) { Router::Utils.escape_path(value) }
       ESCAPE_SEGMENT = ->(value) { Router::Utils.escape_segment(value) }
@@ -261,4 +262,5 @@ module ActionDispatch
       end
     end
   end
+  # :startdoc:
 end

data/lib/action_dispatch/middleware/cookies.rb

@@ -372,7 +372,7 @@ module ActionDispatch
 
         handle_options(options)
 
-        if @cookies[name.to_s] != value or options[:expires]
+        if @cookies[name.to_s] != value || options[:expires]
           @cookies[name.to_s] = value
           @set_cookies[name.to_s] = options
           @delete_cookies.delete(name.to_s)
@@ -576,8 +576,8 @@ module ActionDispatch
             "Read the upgrade documentation to learn more about this new config option."
         end
 
-        secret = key_generator.generate_key(request.encrypted_cookie_salt || '')
-        sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || '')
+        secret = key_generator.generate_key(request.encrypted_cookie_salt || "")[0, ActiveSupport::MessageEncryptor.key_len]
+        sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || "")
         @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
       end
 

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -165,7 +165,11 @@ module ActionDispatch
     end
 
     def log_array(logger, array)
-      array.map { |line| logger.fatal line }
+      if logger.formatter && logger.formatter.respond_to?(:tags_text)
+        logger.fatal array.join("\n#{logger.formatter.tags_text}")
+      else
+        logger.fatal array.join("\n")
+      end
     end
 
     def logger(request)

data/lib/action_dispatch/middleware/debug_locks.rb

@@ -0,0 +1,122 @@
+module ActionDispatch
+  # This middleware can be used to diagnose deadlocks in the autoload interlock.
+  #
+  # To use it, insert it near the top of the middleware stack, using
+  # <tt>config/application.rb</tt>:
+  #
+  #     config.middleware.insert_before Rack::Sendfile, ActionDispatch::DebugLocks
+  #
+  # After restarting the application and re-triggering the deadlock condition,
+  # <tt>/rails/locks</tt> will show a summary of all threads currently known to
+  # the interlock, which lock level they are holding or awaiting, and their
+  # current backtrace.
+  #
+  # Generally a deadlock will be caused by the interlock conflicting with some
+  # other external lock or blocking I/O call. These cannot be automatically
+  # identified, but should be visible in the displayed backtraces.
+  #
+  # NOTE: The formatting and content of this middleware's output is intended for
+  # human consumption, and should be expected to change between releases.
+  #
+  # This middleware exposes operational details of the server, with no access
+  # control. It should only be enabled when in use, and removed thereafter.
+  class DebugLocks
+    def initialize(app, path = '/rails/locks')
+      @app = app
+      @path = path
+    end
+
+    def call(env)
+      req = ActionDispatch::Request.new env
+
+      if req.get?
+        path = req.path_info.chomp('/'.freeze)
+        if path == @path
+          return render_details(req)
+        end
+      end
+
+      @app.call(env)
+    end
+
+    private
+      def render_details(req)
+        threads = ActiveSupport::Dependencies.interlock.raw_state do |threads|
+          # The Interlock itself comes to a complete halt as long as this block
+          # is executing. That gives us a more consistent picture of everything,
+          # but creates a pretty strong Observer Effect.
+          #
+          # Most directly, that means we need to do as little as possible in
+          # this block. More widely, it means this middleware should remain a
+          # strictly diagnostic tool (to be used when something has gone wrong),
+          # and not for any sort of general monitoring.
+
+          threads.each.with_index do |(thread, info), idx|
+            info[:index] = idx
+            info[:backtrace] = thread.backtrace
+          end
+
+          threads
+        end
+
+        str = threads.map do |thread, info|
+          if info[:exclusive]
+            lock_state = 'Exclusive'
+          elsif info[:sharing] > 0
+            lock_state = 'Sharing'
+            lock_state << " x#{info[:sharing]}" if info[:sharing] > 1
+          else
+            lock_state = 'No lock'
+          end
+
+          if info[:waiting]
+            lock_state << ' (yielded share)'
+          end
+
+          msg = "Thread #{info[:index]} [0x#{thread.__id__.to_s(16)} #{thread.status || 'dead'}]  #{lock_state}\n"
+
+          if info[:sleeper]
+            msg << "  Waiting in #{info[:sleeper]}"
+            msg << " to #{info[:purpose].to_s.inspect}" unless info[:purpose].nil?
+            msg << "\n"
+
+            if info[:compatible]
+              compat = info[:compatible].map { |c| c == false ? "share" : c.to_s.inspect }
+              msg << "  may be pre-empted for: #{compat.join(', ')}\n"
+            end
+
+            blockers = threads.values.select { |binfo| blocked_by?(info, binfo, threads.values) }
+            msg << "  blocked by: #{blockers.map {|i| i[:index] }.join(', ')}\n" if blockers.any?
+          end
+
+          blockees = threads.values.select { |binfo| blocked_by?(binfo, info, threads.values) }
+          msg << "  blocking: #{blockees.map {|i| i[:index] }.join(', ')}\n" if blockees.any?
+
+          msg << "\n#{info[:backtrace].join("\n")}\n" if info[:backtrace]
+        end.join("\n\n---\n\n\n")
+
+        [200, { "Content-Type" => "text/plain", "Content-Length" => str.size }, [str]]
+      end
+
+      def blocked_by?(victim, blocker, all_threads)
+        return false if victim.equal?(blocker)
+
+        case victim[:sleeper]
+        when :start_sharing
+          blocker[:exclusive] ||
+            (!victim[:waiting] && blocker[:compatible] && !blocker[:compatible].include?(false))
+        when :start_exclusive
+          blocker[:sharing] > 0 ||
+            blocker[:exclusive] ||
+            (blocker[:compatible] && !blocker[:compatible].include?(victim[:purpose]))
+        when :yield_shares
+          blocker[:exclusive]
+        when :stop_exclusive
+          blocker[:exclusive] ||
+            victim[:compatible] &&
+            victim[:compatible].include?(blocker[:purpose]) &&
+            all_threads.all? { |other| !other[:compatible] || blocker.equal?(other) || other[:compatible].include?(blocker[:purpose]) }
+        end
+      end
+  end
+end

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -17,8 +17,8 @@ module ActionDispatch
       'ActionDispatch::ParamsParser::ParseError'      => :bad_request,
       'ActionController::BadRequest'                  => :bad_request,
       'ActionController::ParameterMissing'            => :bad_request,
-      'Rack::Utils::ParameterTypeError'               => :bad_request,
-      'Rack::Utils::InvalidParameterError'            => :bad_request
+      'Rack::QueryParser::ParameterTypeError'         => :bad_request,
+      'Rack::QueryParser::InvalidParameterError'      => :bad_request
     )
 
     cattr_accessor :rescue_templates

data/lib/action_dispatch/middleware/ssl.rb

@@ -18,17 +18,18 @@ module ActionDispatch
   #      Enabled by default. Configure `config.ssl_options` with `hsts: false` to disable.
   #
   # Set `config.ssl_options` with `hsts: { … }` to configure HSTS:
-  #   * `expires`: How long, in seconds, these settings will stick. Defaults to
-  #     `180.days` (recommended). The minimum required to qualify for browser
-  #     preload lists is `18.weeks`.
+  #   * `expires`: How long, in seconds, these settings will stick. The minimum
+  #     required to qualify for browser preload lists is `18.weeks`. Defaults to
+  #     `180.days` (recommended).
   #   * `subdomains`: Set to `true` to tell the browser to apply these settings
   #     to all subdomains. This protects your cookies from interception by a
-  #     vulnerable site on a subdomain. Defaults to `true`.
+  #     vulnerable site on a subdomain. Defaults to `false`.
   #   * `preload`: Advertise that this site may be included in browsers'
   #     preloaded HSTS lists. HSTS protects your site on every visit *except the
   #     first visit* since it hasn't seen your HSTS header yet. To close this
   #     gap, browser vendors include a baked-in list of HSTS-enabled sites.
   #     Go to https://hstspreload.appspot.com to submit your site for inclusion.
+  #     Defaults to `false`.
   #
   # To turn off HSTS, omitting the header is not enough. Browsers will remember the
   # original HSTS directive until it expires. Instead, use the header to tell browsers to
@@ -132,12 +133,20 @@ module ActionDispatch
       end
 
       def redirect_to_https(request)
-        [ @redirect.fetch(:status, 301),
+        [ @redirect.fetch(:status, redirection_status(request)),
           { 'Content-Type' => 'text/html',
             'Location' => https_location_for(request) },
           @redirect.fetch(:body, []) ]
       end
 
+      def redirection_status(request)
+        if request.get? || request.head?
+          301 # Issue a permanent redirect via a GET request.
+        else
+          307 # Issue a fresh request redirect to preserve the HTTP method.
+        end
+      end
+
       def https_location_for(request)
         host = @redirect[:host] || request.host
         port = @redirect[:port] || request.port