actionpack 5.2.8.1 → 6.0.6

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/parameter_filter"
+require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
@@ -9,8 +9,8 @@ module ActionDispatch
     # sub-hashes of the params hash to filter. Filtering only certain sub-keys
     # from a hash is possible by using the dot notation: 'credit_card.number'.
     # If a block is given, each key and value of the params hash and all
-    # sub-hashes is passed to it, where the value or the key can be replaced using
-    # String#replace or similar method.
+    # sub-hashes are passed to it, where the value or the key can be replaced using
+    # String#replace or similar methods.
     #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
@@ -28,8 +28,8 @@ module ActionDispatch
     #   => reverses the value to all keys matching /secret/i
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
 
       def initialize
         super
@@ -41,6 +41,8 @@ module ActionDispatch
       # Returns a hash of parameters with all sensitive data replaced.
       def filtered_parameters
         @filtered_parameters ||= parameter_filter.filter(parameters)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        @filtered_parameters = {}
       end
 
       # Returns a hash of request.env with all sensitive data replaced.
@@ -54,7 +56,6 @@ module ActionDispatch
       end
 
     private
-
       def parameter_filter # :doc:
         parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
           return NULL_PARAM_FILTER
@@ -69,7 +70,7 @@ module ActionDispatch
       end
 
       def parameter_filter_for(filters) # :doc:
-        ParameterFilter.new(filters)
+        ActiveSupport::ParameterFilter.new(filters)
       end
 
       KV_RE   = "[^&;=]+"

data/lib/action_dispatch/http/filter_redirect.rb

@@ -3,7 +3,7 @@
 module ActionDispatch
   module Http
     module FilterRedirect
-      FILTERED = "[FILTERED]".freeze # :nodoc:
+      FILTERED = "[FILTERED]" # :nodoc:
 
       def filtered_location # :nodoc:
         if location_filter_match?
@@ -14,7 +14,6 @@ module ActionDispatch
       end
 
     private
-
       def location_filters
         if request
           request.get_header("action_dispatch.redirect_filter") || []

data/lib/action_dispatch/http/headers.rb

@@ -116,12 +116,11 @@ module ActionDispatch
       def env; @req.env.dup; end
 
       private
-
         # Converts an HTTP header name to an environment variable name if it is
         # not contained within the headers hash.
         def env_name(key)
           key = key.to_s
-          if key =~ HTTP_HEADER
+          if HTTP_HEADER.match?(key)
             key = key.upcase.tr("-", "_")
             key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
           end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -7,6 +7,13 @@ module ActionDispatch
     module MimeNegotiation
       extend ActiveSupport::Concern
 
+      class InvalidType < ::Mime::Type::InvalidMimeType; end
+
+      RESCUABLE_MIME_FORMAT_ERRORS = [
+        ActionController::BadRequest,
+        ActionDispatch::Http::Parameters::ParseError,
+      ]
+
       included do
         mattr_accessor :ignore_accept_header, default: false
       end
@@ -20,6 +27,8 @@ module ActionDispatch
             nil
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 
@@ -42,6 +51,8 @@ module ActionDispatch
             Mime::Type.parse(header)
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 
@@ -59,7 +70,7 @@ module ActionDispatch
         fetch_header("action_dispatch.request.formats") do |k|
           params_readable = begin
                               parameters[:format]
-                            rescue ActionController::BadRequest
+                            rescue *RESCUABLE_MIME_FORMAT_ERRORS
                               false
                             end
 
@@ -90,10 +101,7 @@ module ActionDispatch
         if variant.all? { |v| v.is_a?(Symbol) }
           @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
-          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols. " \
-            "For security reasons, never directly set the variant to a user-provided value, " \
-            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
-            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."
         end
       end
 
@@ -152,7 +160,6 @@ module ActionDispatch
       end
 
       private
-
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
         def valid_accept_header # :doc:

data/lib/action_dispatch/http/mime_type.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-# -*- frozen-string-literal: true -*-
-
 require "singleton"
 require "active_support/core_ext/string/starts_ends_with"
 
@@ -74,7 +72,7 @@ module Mime
       def initialize(index, name, q = nil)
         @index = index
         @name = name
-        q ||= 0.0 if @name == "*/*".freeze # Default wildcard match to end of list.
+        q ||= 0.0 if @name == "*/*" # Default wildcard match to end of list.
         @q = ((q || 1.0).to_f * 100).to_i
       end
 
@@ -172,6 +170,7 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
           accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
+          return [] unless accept_header
           parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
         else
           list, index = [], 0
@@ -223,7 +222,18 @@ module Mime
 
     attr_reader :hash
 
+    MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
+    MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
+    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
+    MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
+
+    class InvalidMimeType < StandardError; end
+
     def initialize(string, symbol = nil, synonyms = [])
+      unless MIME_REGEXP.match?(string)
+        raise InvalidMimeType, "#{string.inspect} is not a valid MIME type"
+      end
       @symbol, @synonyms = symbol, synonyms
       @string = string
       @hash = [@string, @synonyms, @symbol].hash
@@ -279,14 +289,10 @@ module Mime
 
     def all?; false; end
 
-    # TODO Change this to private once we've dropped Ruby 2.2 support.
-    # Workaround for Ruby 2.2 "private attribute?" warning.
     protected
-
       attr_reader :string, :synonyms
 
     private
-
       def to_ary; end
       def to_a; end
 
@@ -307,7 +313,7 @@ module Mime
     include Singleton
 
     def initialize
-      super "*/*", :all
+      super "*/*", nil
     end
 
     def all?; true; end

data/lib/action_dispatch/http/parameter_filter.rb

@@ -1,86 +1,12 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/object/duplicable"
+require "active_support/deprecation/constant_accessor"
+require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    class ParameterFilter
-      FILTERED = "[FILTERED]".freeze # :nodoc:
-
-      def initialize(filters = [])
-        @filters = filters
-      end
-
-      def filter(params)
-        compiled_filter.call(params)
-      end
-
-    private
-
-      def compiled_filter
-        @compiled_filter ||= CompiledFilter.compile(@filters)
-      end
-
-      class CompiledFilter # :nodoc:
-        def self.compile(filters)
-          return lambda { |params| params.dup } if filters.empty?
-
-          strings, regexps, blocks = [], [], []
-
-          filters.each do |item|
-            case item
-            when Proc
-              blocks << item
-            when Regexp
-              regexps << item
-            else
-              strings << Regexp.escape(item.to_s)
-            end
-          end
-
-          deep_regexps, regexps = regexps.partition { |r| r.to_s.include?("\\.".freeze) }
-          deep_strings, strings = strings.partition { |s| s.include?("\\.".freeze) }
-
-          regexps << Regexp.new(strings.join("|".freeze), true) unless strings.empty?
-          deep_regexps << Regexp.new(deep_strings.join("|".freeze), true) unless deep_strings.empty?
-
-          new regexps, deep_regexps, blocks
-        end
-
-        attr_reader :regexps, :deep_regexps, :blocks
-
-        def initialize(regexps, deep_regexps, blocks)
-          @regexps = regexps
-          @deep_regexps = deep_regexps.any? ? deep_regexps : nil
-          @blocks = blocks
-        end
-
-        def call(original_params, parents = [])
-          filtered_params = original_params.class.new
-
-          original_params.each do |key, value|
-            parents.push(key) if deep_regexps
-            if regexps.any? { |r| key =~ r }
-              value = FILTERED
-            elsif deep_regexps && (joined = parents.join(".")) && deep_regexps.any? { |r| joined =~ r }
-              value = FILTERED
-            elsif value.is_a?(Hash)
-              value = call(value, parents)
-            elsif value.is_a?(Array)
-              value = value.map { |v| v.is_a?(Hash) ? call(v, parents) : v }
-            elsif blocks.any?
-              key = key.dup if key.duplicable?
-              value = value.dup if value.duplicable?
-              blocks.each { |b| b.call(key, value) }
-            end
-            parents.pop if deep_regexps
-
-            filtered_params[key] = value
-          end
-
-          filtered_params
-        end
-      end
-    end
+    include ActiveSupport::Deprecation::DeprecatedConstantAccessor
+    deprecate_constant "ParameterFilter", "ActiveSupport::ParameterFilter",
+      message: "ActionDispatch::Http::ParameterFilter is deprecated and will be removed from Rails 6.1. Use ActiveSupport::ParameterFilter instead."
   end
 end

data/lib/action_dispatch/http/parameters.rb

@@ -85,12 +85,11 @@ module ActionDispatch
       end
 
       private
-
         def set_binary_encoding(params, controller, action)
           return params unless controller && controller.valid_encoding?
 
           if binary_params_for?(controller, action)
-            ActionDispatch::Request::Utils.each_param_value(params) do |param|
+            ActionDispatch::Request::Utils.each_param_value(params.except(:controller, :action)) do |param|
               param.force_encoding ::Encoding::ASCII_8BIT
             end
           end
@@ -99,7 +98,7 @@ module ActionDispatch
 
         def binary_params_for?(controller, action)
           controller_class_for(controller).binary_params_for?(action)
-        rescue NameError
+        rescue MissingController
           false
         end
 
@@ -111,13 +110,23 @@ module ActionDispatch
           begin
             strategy.call(raw_post)
           rescue # JSON or Ruby code block errors.
-            my_logger = logger || ActiveSupport::Logger.new($stderr)
-            my_logger.debug "Error occurred while parsing request parameters.\nContents:\n\n#{raw_post}"
-
+            log_parse_error_once
             raise ParseError
           end
         end
 
+        def log_parse_error_once
+          @parse_error_logged ||= begin
+            parse_logger = logger || ActiveSupport::Logger.new($stderr)
+            parse_logger.debug <<~MSG.chomp
+              Error occurred while parsing request parameters.
+              Contents:
+
+              #{raw_post}
+            MSG
+          end
+        end
+
         def params_parsers
           ActionDispatch::Request.parameter_parsers
         end

data/lib/action_dispatch/http/request.rb

@@ -85,7 +85,15 @@ module ActionDispatch
       if name
         controller_param = name.underscore
         const_name = "#{controller_param.camelize}Controller"
-        ActiveSupport::Dependencies.constantize(const_name)
+        begin
+          ActiveSupport::Dependencies.constantize(const_name)
+        rescue NameError => error
+          if error.missing_name == const_name || const_name.start_with?("#{error.missing_name}::")
+            raise MissingController.new(error.message, error.name)
+          else
+            raise
+          end
+        end
       else
         PASS_NOT_FOUND
       end
@@ -125,6 +133,8 @@ module ActionDispatch
       HTTP_METHOD_LOOKUP[method] = method.underscore.to_sym
     }
 
+    alias raw_request_method request_method # :nodoc:
+
     # Returns the HTTP \method that the application should see.
     # In the case where the \method was overridden by a middleware
     # (for instance, if a HEAD request was converted to a GET,
@@ -136,11 +146,11 @@ module ActionDispatch
     end
 
     def routes # :nodoc:
-      get_header("action_dispatch.routes".freeze)
+      get_header("action_dispatch.routes")
     end
 
     def routes=(routes) # :nodoc:
-      set_header("action_dispatch.routes".freeze, routes)
+      set_header("action_dispatch.routes", routes)
     end
 
     def engine_script_name(_routes) # :nodoc:
@@ -158,11 +168,11 @@ module ActionDispatch
     end
 
     def controller_instance # :nodoc:
-      get_header("action_controller.instance".freeze)
+      get_header("action_controller.instance")
     end
 
     def controller_instance=(controller) # :nodoc:
-      set_header("action_controller.instance".freeze, controller)
+      set_header("action_controller.instance", controller)
     end
 
     def http_auth_salt
@@ -173,7 +183,7 @@ module ActionDispatch
       # We're treating `nil` as "unset", and we want the default setting to be
       # `true`. This logic should be extracted to `env_config` and calculated
       # once.
-      !(get_header("action_dispatch.show_exceptions".freeze) == false)
+      !(get_header("action_dispatch.show_exceptions") == false)
     end
 
     # Returns a symbol form of the #request_method.
@@ -280,10 +290,10 @@ module ActionDispatch
     end
 
     def remote_ip=(remote_ip)
-      set_header "action_dispatch.remote_ip".freeze, remote_ip
+      set_header "action_dispatch.remote_ip", remote_ip
     end
 
-    ACTION_DISPATCH_REQUEST_ID = "action_dispatch.request_id".freeze # :nodoc:
+    ACTION_DISPATCH_REQUEST_ID = "action_dispatch.request_id" # :nodoc:
 
     # Returns the unique request id, which is based on either the X-Request-Id header that can
     # be generated by a firewall, load balancer, or web server or by the RequestId middleware
@@ -383,9 +393,6 @@ module ActionDispatch
         end
         self.request_parameters = Request::Utils.normalize_encode_params(pr)
       end
-    rescue Http::Parameters::ParseError # one of the parse strategies blew up
-      self.request_parameters = Request::Utils.normalize_encode_params(super || {})
-      raise
     rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
       raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
     end
@@ -407,18 +414,18 @@ module ActionDispatch
 
     def request_parameters=(params)
       raise if params.nil?
-      set_header("action_dispatch.request.request_parameters".freeze, params)
+      set_header("action_dispatch.request.request_parameters", params)
     end
 
     def logger
-      get_header("action_dispatch.logger".freeze)
+      get_header("action_dispatch.logger")
     end
 
     def commit_flash
     end
 
     def ssl?
-      super || scheme == "wss".freeze
+      super || scheme == "wss"
     end
 
     private

data/lib/action_dispatch/http/response.rb

@@ -78,13 +78,14 @@ module ActionDispatch # :nodoc:
       x
     end
 
-    CONTENT_TYPE = "Content-Type".freeze
-    SET_COOKIE   = "Set-Cookie".freeze
-    LOCATION     = "Location".freeze
+    CONTENT_TYPE = "Content-Type"
+    SET_COOKIE   = "Set-Cookie"
+    LOCATION     = "Location"
     NO_CONTENT_CODES = [100, 101, 102, 204, 205, 304]
 
     cattr_accessor :default_charset, default: "utf-8"
     cattr_accessor :default_headers
+    cattr_accessor :return_only_media_type_on_content_type, default: false
 
     include Rack::Response::Helpers
     # Aliasing these off because AD::Http::Cache::Response defines them.
@@ -105,7 +106,7 @@ module ActionDispatch # :nodoc:
 
       def body
         @str_body ||= begin
-          buf = "".dup
+          buf = +""
           each { |chunk| buf << chunk }
           buf
         end
@@ -142,7 +143,6 @@ module ActionDispatch # :nodoc:
       end
 
       private
-
         def each_chunk(&block)
           @buf.each(&block)
         end
@@ -224,16 +224,6 @@ module ActionDispatch # :nodoc:
       @status = Rack::Utils.status_code(status)
     end
 
-    # Sets the HTTP content type.
-    def content_type=(content_type)
-      return unless content_type
-      new_header_info = parse_content_type(content_type.to_s)
-      prev_header_info = parsed_content_type_header
-      charset = new_header_info.charset || prev_header_info.charset
-      charset ||= self.class.default_charset unless prev_header_info.mime_type
-      set_content_type new_header_info.mime_type, charset
-    end
-
     # Sets the HTTP response's content MIME type. For example, in the controller
     # you could write this:
     #
@@ -242,8 +232,32 @@ module ActionDispatch # :nodoc:
     # If a character set has been defined for this response (see charset=) then
     # the character set information will also be included in the content type
     # information.
+    def content_type=(content_type)
+      return unless content_type
+      new_header_info = parse_content_type(content_type.to_s)
+      prev_header_info = parsed_content_type_header
+      charset = new_header_info.charset || prev_header_info.charset
+      charset ||= self.class.default_charset unless prev_header_info.mime_type
+      set_content_type new_header_info.mime_type, charset
+    end
 
+    # Content type of response.
     def content_type
+      if self.class.return_only_media_type_on_content_type
+        ActiveSupport::Deprecation.warn(
+          "Rails 6.1 will return Content-Type header without modification." \
+          " If you want just the MIME type, please use `#media_type` instead."
+        )
+
+        content_type = super
+        content_type ? content_type.split(/;\s*charset=/)[0].presence : content_type
+      else
+        super.presence
+      end
+    end
+
+    # Media type of response.
+    def media_type
       parsed_content_type_header.mime_type
     end
 
@@ -404,15 +418,18 @@ module ActionDispatch # :nodoc:
     end
 
   private
-
     ContentTypeHeader = Struct.new :mime_type, :charset
     NullContentTypeHeader = ContentTypeHeader.new nil, nil
 
+    CONTENT_TYPE_PARSER = /
+      \A
+      (?<mime_type>[^;\s]+\s*(?:;\s*(?:(?!charset)[^;\s])+)*)?
+      (?:;\s*charset=(?<quote>"?)(?<charset>[^;\s]+)\k<quote>)?
+    /x # :nodoc:
+
     def parse_content_type(content_type)
-      if content_type
-        type, charset = content_type.split(/;\s*charset=/)
-        type = nil if type && type.empty?
-        ContentTypeHeader.new(type, charset)
+      if content_type && match = CONTENT_TYPE_PARSER.match(content_type)
+        ContentTypeHeader.new(match[:mime_type], match[:charset])
       else
         NullContentTypeHeader
       end
@@ -459,7 +476,7 @@ module ActionDispatch # :nodoc:
     end
 
     def assign_default_content_type_and_charset!
-      return if content_type
+      return if media_type
 
       ct = parsed_content_type_header
       set_content_type(ct.mime_type || Mime[:html].to_s,
@@ -517,4 +534,6 @@ module ActionDispatch # :nodoc:
       end
     end
   end
+
+  ActiveSupport.run_load_hooks(:action_dispatch_response, Response)
 end

data/lib/action_dispatch/http/upload.rb

@@ -20,7 +20,6 @@ module ActionDispatch
       # A +Tempfile+ object with the actual uploaded file. Note that some of
       # its interface is available directly.
       attr_accessor :tempfile
-      alias :to_io :tempfile
 
       # A string with the headers of the multipart request.
       attr_accessor :headers
@@ -65,6 +64,11 @@ module ActionDispatch
         @tempfile.path
       end
 
+      # Shortcut for +tempfile.to_path+.
+      def to_path
+        @tempfile.to_path
+      end
+
       # Shortcut for +tempfile.rewind+.
       def rewind
         @tempfile.rewind
@@ -79,6 +83,10 @@ module ActionDispatch
       def eof?
         @tempfile.eof?
       end
+
+      def to_io
+        @tempfile.to_io
+      end
     end
   end
 end