actionpack 5.2.6 → 6.1.4.4

data/lib/action_dispatch/http/request.rb

@@ -23,6 +23,7 @@ module ActionDispatch
     include ActionDispatch::Http::FilterParameters
     include ActionDispatch::Http::URL
     include ActionDispatch::ContentSecurityPolicy::Request
+    include ActionDispatch::PermissionsPolicy::Request
     include Rack::Request::Env
 
     autoload :Session, "action_dispatch/request/session"
@@ -44,11 +45,14 @@ module ActionDispatch
         SERVER_ADDR
         ].freeze
 
+    # TODO: Remove SERVER_ADDR when we remove support to Rack 2.1.
+    # See https://github.com/rack/rack/commit/c173b188d81ee437b588c1e046a1c9f031dea550
     ENV_METHODS.each do |env|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
-        def #{env.sub(/^HTTP_/n, '').downcase}  # def accept_charset
-          get_header "#{env}".freeze            #   get_header "HTTP_ACCEPT_CHARSET".freeze
-        end                                     # end
+        # frozen_string_literal: true
+        def #{env.delete_prefix("HTTP_").downcase}  # def accept_charset
+          get_header "#{env}"                       #   get_header "HTTP_ACCEPT_CHARSET"
+        end                                         # end
       METHOD
     end
 
@@ -72,7 +76,7 @@ module ActionDispatch
     PASS_NOT_FOUND = Class.new { # :nodoc:
       def self.action(_); self; end
       def self.call(_); [404, { "X-Cascade" => "pass" }, []]; end
-      def self.binary_params_for?(action); false; end
+      def self.action_encoding_template(action); false; end
     }
 
     def controller_class
@@ -84,8 +88,16 @@ module ActionDispatch
     def controller_class_for(name)
       if name
         controller_param = name.underscore
-        const_name = "#{controller_param.camelize}Controller"
-        ActiveSupport::Dependencies.constantize(const_name)
+        const_name = controller_param.camelize << "Controller"
+        begin
+          ActiveSupport::Dependencies.constantize(const_name)
+        rescue NameError => error
+          if error.missing_name == const_name || const_name.start_with?("#{error.missing_name}::")
+            raise MissingController.new(error.message, error.name)
+          else
+            raise
+          end
+        end
       else
         PASS_NOT_FOUND
       end
@@ -125,6 +137,8 @@ module ActionDispatch
       HTTP_METHOD_LOOKUP[method] = method.underscore.to_sym
     }
 
+    alias raw_request_method request_method # :nodoc:
+
     # Returns the HTTP \method that the application should see.
     # In the case where the \method was overridden by a middleware
     # (for instance, if a HEAD request was converted to a GET,
@@ -136,11 +150,11 @@ module ActionDispatch
     end
 
     def routes # :nodoc:
-      get_header("action_dispatch.routes".freeze)
+      get_header("action_dispatch.routes")
     end
 
     def routes=(routes) # :nodoc:
-      set_header("action_dispatch.routes".freeze, routes)
+      set_header("action_dispatch.routes", routes)
     end
 
     def engine_script_name(_routes) # :nodoc:
@@ -158,11 +172,11 @@ module ActionDispatch
     end
 
     def controller_instance # :nodoc:
-      get_header("action_controller.instance".freeze)
+      get_header("action_controller.instance")
     end
 
     def controller_instance=(controller) # :nodoc:
-      set_header("action_controller.instance".freeze, controller)
+      set_header("action_controller.instance", controller)
     end
 
     def http_auth_salt
@@ -173,7 +187,7 @@ module ActionDispatch
       # We're treating `nil` as "unset", and we want the default setting to be
       # `true`. This logic should be extracted to `env_config` and calculated
       # once.
-      !(get_header("action_dispatch.show_exceptions".freeze) == false)
+      !(get_header("action_dispatch.show_exceptions") == false)
     end
 
     # Returns a symbol form of the #request_method.
@@ -264,7 +278,7 @@ module ActionDispatch
     # (case-insensitive), which may need to be manually added depending on the
     # choice of JavaScript libraries and frameworks.
     def xml_http_request?
-      get_header("HTTP_X_REQUESTED_WITH") =~ /XMLHttpRequest/i
+      /XMLHttpRequest/i.match?(get_header("HTTP_X_REQUESTED_WITH"))
     end
     alias :xhr? :xml_http_request?
 
@@ -280,10 +294,11 @@ module ActionDispatch
     end
 
     def remote_ip=(remote_ip)
-      set_header "action_dispatch.remote_ip".freeze, remote_ip
+      @remote_ip = nil
+      set_header "action_dispatch.remote_ip", remote_ip
     end
 
-    ACTION_DISPATCH_REQUEST_ID = "action_dispatch.request_id".freeze # :nodoc:
+    ACTION_DISPATCH_REQUEST_ID = "action_dispatch.request_id" # :nodoc:
 
     # Returns the unique request id, which is based on either the X-Request-Id header that can
     # be generated by a firewall, load balancer, or web server or by the RequestId middleware
@@ -321,7 +336,7 @@ module ActionDispatch
     # variable is already set, wrap it in a StringIO.
     def body
       if raw_post = get_header("RAW_POST_DATA")
-        raw_post = raw_post.dup.force_encoding(Encoding::BINARY)
+        raw_post = (+raw_post).force_encoding(Encoding::BINARY)
         StringIO.new(raw_post)
       else
         body_stream
@@ -366,6 +381,9 @@ module ActionDispatch
     def GET
       fetch_header("action_dispatch.request.query_parameters") do |k|
         rack_query_params = super || {}
+        controller = path_parameters[:controller]
+        action = path_parameters[:action]
+        rack_query_params = Request::Utils.set_binary_encoding(self, rack_query_params, controller, action)
         # Check for non UTF-8 parameter values, which would cause errors later
         Request::Utils.check_param_encoding(rack_query_params)
         set_header k, Request::Utils.normalize_encode_params(rack_query_params)
@@ -381,11 +399,10 @@ module ActionDispatch
         pr = parse_formatted_parameters(params_parsers) do |params|
           super || {}
         end
+        pr = Request::Utils.set_binary_encoding(self, pr, path_parameters[:controller], path_parameters[:action])
+        Request::Utils.check_param_encoding(pr)
         self.request_parameters = Request::Utils.normalize_encode_params(pr)
       end
-    rescue Http::Parameters::ParseError # one of the parse strategies blew up
-      self.request_parameters = Request::Utils.normalize_encode_params(super || {})
-      raise
     rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
       raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
     end
@@ -402,23 +419,27 @@ module ActionDispatch
 
     # True if the request came from localhost, 127.0.0.1, or ::1.
     def local?
-      LOCALHOST =~ remote_addr && LOCALHOST =~ remote_ip
+      LOCALHOST.match?(remote_addr) && LOCALHOST.match?(remote_ip)
     end
 
     def request_parameters=(params)
       raise if params.nil?
-      set_header("action_dispatch.request.request_parameters".freeze, params)
+      set_header("action_dispatch.request.request_parameters", params)
     end
 
     def logger
-      get_header("action_dispatch.logger".freeze)
+      get_header("action_dispatch.logger")
     end
 
     def commit_flash
     end
 
     def ssl?
-      super || scheme == "wss".freeze
+      super || scheme == "wss"
+    end
+
+    def inspect # :nodoc:
+      "#<#{self.class.name} #{method} #{original_url.dump} for #{remote_ip}>"
     end
 
     private
@@ -428,3 +449,5 @@ module ActionDispatch
       end
   end
 end
+
+ActiveSupport.run_load_hooks :action_dispatch_request, ActionDispatch::Request

data/lib/action_dispatch/http/response.rb

@@ -78,14 +78,26 @@ module ActionDispatch # :nodoc:
       x
     end
 
-    CONTENT_TYPE = "Content-Type".freeze
-    SET_COOKIE   = "Set-Cookie".freeze
-    LOCATION     = "Location".freeze
-    NO_CONTENT_CODES = [100, 101, 102, 204, 205, 304]
+    CONTENT_TYPE = "Content-Type"
+    SET_COOKIE   = "Set-Cookie"
+    LOCATION     = "Location"
+    NO_CONTENT_CODES = [100, 101, 102, 103, 204, 205, 304]
 
     cattr_accessor :default_charset, default: "utf-8"
     cattr_accessor :default_headers
 
+    def self.return_only_media_type_on_content_type=(*)
+      ActiveSupport::Deprecation.warn(
+        ".return_only_media_type_on_content_type= is dreprecated with no replacement and will be removed in 6.2."
+      )
+    end
+
+    def self.return_only_media_type_on_content_type
+      ActiveSupport::Deprecation.warn(
+        ".return_only_media_type_on_content_type is dreprecated with no replacement and will be removed in 6.2."
+      )
+    end
+
     include Rack::Response::Helpers
     # Aliasing these off because AD::Http::Cache::Response defines them.
     alias :_cache_control :cache_control
@@ -105,7 +117,7 @@ module ActionDispatch # :nodoc:
 
       def body
         @str_body ||= begin
-          buf = "".dup
+          buf = +""
           each { |chunk| buf << chunk }
           buf
         end
@@ -142,7 +154,6 @@ module ActionDispatch # :nodoc:
       end
 
       private
-
         def each_chunk(&block)
           @buf.each(&block)
         end
@@ -224,16 +235,6 @@ module ActionDispatch # :nodoc:
       @status = Rack::Utils.status_code(status)
     end
 
-    # Sets the HTTP content type.
-    def content_type=(content_type)
-      return unless content_type
-      new_header_info = parse_content_type(content_type.to_s)
-      prev_header_info = parsed_content_type_header
-      charset = new_header_info.charset || prev_header_info.charset
-      charset ||= self.class.default_charset unless prev_header_info.mime_type
-      set_content_type new_header_info.mime_type, charset
-    end
-
     # Sets the HTTP response's content MIME type. For example, in the controller
     # you could write this:
     #
@@ -242,8 +243,22 @@ module ActionDispatch # :nodoc:
     # If a character set has been defined for this response (see charset=) then
     # the character set information will also be included in the content type
     # information.
+    def content_type=(content_type)
+      return unless content_type
+      new_header_info = parse_content_type(content_type.to_s)
+      prev_header_info = parsed_content_type_header
+      charset = new_header_info.charset || prev_header_info.charset
+      charset ||= self.class.default_charset unless prev_header_info.mime_type
+      set_content_type new_header_info.mime_type, charset
+    end
 
+    # Content type of response.
     def content_type
+      super.presence
+    end
+
+    # Media type of response.
+    def media_type
       parsed_content_type_header.mime_type
     end
 
@@ -404,15 +419,18 @@ module ActionDispatch # :nodoc:
     end
 
   private
-
     ContentTypeHeader = Struct.new :mime_type, :charset
     NullContentTypeHeader = ContentTypeHeader.new nil, nil
 
+    CONTENT_TYPE_PARSER = /
+      \A
+      (?<mime_type>[^;\s]+\s*(?:;\s*(?:(?!charset)[^;\s])+)*)?
+      (?:;\s*charset=(?<quote>"?)(?<charset>[^;\s]+)\k<quote>)?
+    /x # :nodoc:
+
     def parse_content_type(content_type)
-      if content_type
-        type, charset = content_type.split(/;\s*charset=/)
-        type = nil if type && type.empty?
-        ContentTypeHeader.new(type, charset)
+      if content_type && match = CONTENT_TYPE_PARSER.match(content_type)
+        ContentTypeHeader.new(match[:mime_type], match[:charset])
       else
         NullContentTypeHeader
       end
@@ -425,8 +443,8 @@ module ActionDispatch # :nodoc:
     end
 
     def set_content_type(content_type, charset)
-      type = (content_type || "").dup
-      type << "; charset=#{charset.to_s.downcase}" if charset
+      type = content_type || ""
+      type = "#{type}; charset=#{charset.to_s.downcase}" if charset
       set_header CONTENT_TYPE, type
     end
 
@@ -459,7 +477,7 @@ module ActionDispatch # :nodoc:
     end
 
     def assign_default_content_type_and_charset!
-      return if content_type
+      return if media_type
 
       ct = parsed_content_type_header
       set_content_type(ct.mime_type || Mime[:html].to_s,
@@ -486,7 +504,7 @@ module ActionDispatch # :nodoc:
       end
 
       def respond_to?(method, include_private = false)
-        if method.to_s == "to_path"
+        if method.to_sym == :to_path
           @response.stream.respond_to?(method)
         else
           super
@@ -517,4 +535,6 @@ module ActionDispatch # :nodoc:
       end
     end
   end
+
+  ActiveSupport.run_load_hooks(:action_dispatch_response, Response)
 end

data/lib/action_dispatch/http/upload.rb

@@ -20,7 +20,6 @@ module ActionDispatch
       # A +Tempfile+ object with the actual uploaded file. Note that some of
       # its interface is available directly.
       attr_accessor :tempfile
-      alias :to_io :tempfile
 
       # A string with the headers of the multipart request.
       attr_accessor :headers
@@ -65,6 +64,11 @@ module ActionDispatch
         @tempfile.path
       end
 
+      # Shortcut for +tempfile.to_path+.
+      def to_path
+        @tempfile.to_path
+      end
+
       # Shortcut for +tempfile.rewind+.
       def rewind
         @tempfile.rewind
@@ -79,6 +83,10 @@ module ActionDispatch
       def eof?
         @tempfile.eof?
       end
+
+      def to_io
+        @tempfile.to_io
+      end
     end
   end
 end

data/lib/action_dispatch/http/url.rb

@@ -9,6 +9,7 @@ module ActionDispatch
       HOST_REGEXP     = /(^[^:]+:\/\/)?(\[[^\]]+\]|[^:]+)(?::(\d+$))?/
       PROTOCOL_REGEXP = /^([^:]+)(:)?(\/\/)?$/
 
+      mattr_accessor :secure_protocol, default: false
       mattr_accessor :tld_length, default: 1
 
       class << self
@@ -67,7 +68,7 @@ module ActionDispatch
         end
 
         def path_for(options)
-          path = options[:script_name].to_s.chomp("/".freeze)
+          path = options[:script_name].to_s.chomp("/")
           path << options[:path] if options.key?(:path)
 
           add_trailing_slash(path) if options[:trailing_slash]
@@ -78,109 +79,108 @@ module ActionDispatch
         end
 
         private
-
-        def add_params(path, params)
-          params = { params: params } unless params.is_a?(Hash)
-          params.reject! { |_, v| v.to_param.nil? }
-          query = params.to_query
-          path << "?#{query}" unless query.empty?
-        end
-
-        def add_anchor(path, anchor)
-          if anchor
-            path << "##{Journey::Router::Utils.escape_fragment(anchor.to_param)}"
+          def add_params(path, params)
+            params = { params: params } unless params.is_a?(Hash)
+            params.reject! { |_, v| v.to_param.nil? }
+            query = params.to_query
+            path << "?#{query}" unless query.empty?
           end
-        end
 
-        def extract_domain_from(host, tld_length)
-          host.split(".").last(1 + tld_length).join(".")
-        end
+          def add_anchor(path, anchor)
+            if anchor
+              path << "##{Journey::Router::Utils.escape_fragment(anchor.to_param)}"
+            end
+          end
 
-        def extract_subdomains_from(host, tld_length)
-          parts = host.split(".")
-          parts[0..-(tld_length + 2)]
-        end
+          def extract_domain_from(host, tld_length)
+            host.split(".").last(1 + tld_length).join(".")
+          end
 
-        def add_trailing_slash(path)
-          if path.include?("?")
-            path.sub!(/\?/, '/\&')
-          elsif !path.include?(".")
-            path.sub!(/[^\/]\z|\A\z/, '\&/')
+          def extract_subdomains_from(host, tld_length)
+            parts = host.split(".")
+            parts[0..-(tld_length + 2)]
           end
-        end
 
-        def build_host_url(host, port, protocol, options, path)
-          if match = host.match(HOST_REGEXP)
-            protocol ||= match[1] unless protocol == false
-            host       = match[2]
-            port       = match[3] unless options.key? :port
+          def add_trailing_slash(path)
+            if path.include?("?")
+              path.sub!(/\?/, '/\&')
+            elsif !path.include?(".")
+              path.sub!(/[^\/]\z|\A\z/, '\&/')
+            end
           end
 
-          protocol = normalize_protocol protocol
-          host     = normalize_host(host, options)
+          def build_host_url(host, port, protocol, options, path)
+            if match = host.match(HOST_REGEXP)
+              protocol ||= match[1] unless protocol == false
+              host       = match[2]
+              port       = match[3] unless options.key? :port
+            end
 
-          result = protocol.dup
+            protocol = normalize_protocol protocol
+            host     = normalize_host(host, options)
 
-          if options[:user] && options[:password]
-            result << "#{Rack::Utils.escape(options[:user])}:#{Rack::Utils.escape(options[:password])}@"
-          end
+            result = protocol.dup
 
-          result << host
-          normalize_port(port, protocol) { |normalized_port|
-            result << ":#{normalized_port}"
-          }
+            if options[:user] && options[:password]
+              result << "#{Rack::Utils.escape(options[:user])}:#{Rack::Utils.escape(options[:password])}@"
+            end
 
-          result.concat path
-        end
+            result << host
+            normalize_port(port, protocol) { |normalized_port|
+              result << ":#{normalized_port}"
+            }
 
-        def named_host?(host)
-          IP_HOST_REGEXP !~ host
-        end
+            result.concat path
+          end
 
-        def normalize_protocol(protocol)
-          case protocol
-          when nil
-            "http://"
-          when false, "//"
-            "//"
-          when PROTOCOL_REGEXP
-            "#{$1}://"
-          else
-            raise ArgumentError, "Invalid :protocol option: #{protocol.inspect}"
+          def named_host?(host)
+            !IP_HOST_REGEXP.match?(host)
           end
-        end
 
-        def normalize_host(_host, options)
-          return _host unless named_host?(_host)
+          def normalize_protocol(protocol)
+            case protocol
+            when nil
+              secure_protocol ? "https://" : "http://"
+            when false, "//"
+              "//"
+            when PROTOCOL_REGEXP
+              "#{$1}://"
+            else
+              raise ArgumentError, "Invalid :protocol option: #{protocol.inspect}"
+            end
+          end
+
+          def normalize_host(_host, options)
+            return _host unless named_host?(_host)
 
-          tld_length = options[:tld_length] || @@tld_length
-          subdomain  = options.fetch :subdomain, true
-          domain     = options[:domain]
+            tld_length = options[:tld_length] || @@tld_length
+            subdomain  = options.fetch :subdomain, true
+            domain     = options[:domain]
 
-          host = "".dup
-          if subdomain == true
-            return _host if domain.nil?
+            host = +""
+            if subdomain == true
+              return _host if domain.nil?
 
-            host << extract_subdomains_from(_host, tld_length).join(".")
-          elsif subdomain
-            host << subdomain.to_param
+              host << extract_subdomains_from(_host, tld_length).join(".")
+            elsif subdomain
+              host << subdomain.to_param
+            end
+            host << "." unless host.empty?
+            host << (domain || extract_domain_from(_host, tld_length))
+            host
           end
-          host << "." unless host.empty?
-          host << (domain || extract_domain_from(_host, tld_length))
-          host
-        end
 
-        def normalize_port(port, protocol)
-          return unless port
+          def normalize_port(port, protocol)
+            return unless port
 
-          case protocol
-          when "//" then yield port
-          when "https://"
-            yield port unless port.to_i == 443
-          else
-            yield port unless port.to_i == 80
+            case protocol
+            when "//" then yield port
+            when "https://"
+              yield port unless port.to_i == 443
+            else
+              yield port unless port.to_i == 80
+            end
           end
-        end
       end
 
       def initialize
@@ -231,7 +231,7 @@ module ActionDispatch
       #   req = ActionDispatch::Request.new 'HTTP_HOST' => 'example.com:8080'
       #   req.host # => "example.com"
       def host
-        raw_host_with_port.sub(/:\d+$/, "".freeze)
+        raw_host_with_port.sub(/:\d+$/, "")
       end
 
       # Returns a \host:\port string for this request, such as "example.com" or