actionpack 6.0.3.2 → 6.1.0

data/lib/action_controller/renderer.rb

@@ -65,7 +65,7 @@ module ActionController
     def initialize(controller, env, defaults)
       @controller = controller
       @defaults = defaults
-      @env = normalize_keys defaults.merge(env)
+      @env = normalize_keys defaults, env
     end
 
     # Render templates with any options from ActionController::Base#render_to_string.
@@ -82,8 +82,12 @@ module ActionController
     #   need to call <tt>.to_json</tt> on the object you want to render.
     # * <tt>:body</tt> - Renders provided text and sets content type of <tt>text/plain</tt>.
     #
-    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, the default is
-    # to render a partial and use the second parameter as the locals hash.
+    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
+    #
+    # If an object responding to `render_in` is passed, `render_in` is called on the object,
+    # passing in the current view context.
+    #
+    # Otherwise, a partial is rendered using the second parameter as the locals hash.
     def render(*args)
       raise "missing controller" unless controller
 
@@ -95,11 +99,18 @@ module ActionController
       instance.set_response! controller.make_response!(request)
       instance.render_to_string(*args)
     end
+    alias_method :render_to_string, :render # :nodoc:
 
     private
-      def normalize_keys(env)
+      def normalize_keys(defaults, env)
         new_env = {}
         env.each_pair { |k, v| new_env[rack_key_for(k)] = rack_value_for(k, v) }
+
+        defaults.each_pair do |k, v|
+          key = rack_key_for(k)
+          new_env[key] = rack_value_for(k, v) unless new_env.key?(key)
+        end
+
         new_env["rack.url_scheme"] = new_env["HTTPS"] == "on" ? "https" : "http"
         new_env
       end
@@ -112,19 +123,19 @@ module ActionController
         input:       "rack.input"
       }
 
-      IDENTITY = ->(_) { _ }
-
-      RACK_VALUE_TRANSLATION = {
-        https: ->(v) { v ? "on" : "off" },
-        method: ->(v) { -v.upcase },
-      }
-
       def rack_key_for(key)
-        RACK_KEY_TRANSLATION.fetch(key, key.to_s)
+        RACK_KEY_TRANSLATION[key] || key.to_s
       end
 
       def rack_value_for(key, value)
-        RACK_VALUE_TRANSLATION.fetch(key, IDENTITY).call value
+        case key
+        when :https
+          value ? "on" : "off"
+        when :method
+          -value.upcase
+        else
+          value
+        end
       end
   end
 end

data/lib/action_controller/test_case.rb

@@ -84,7 +84,7 @@ module ActionController
             value = value.to_param
           end
 
-          path_parameters[key] = value
+          path_parameters[key.to_sym] = value
         end
       end
 
@@ -492,57 +492,8 @@ module ActionController
           parameters[:format] = format
         end
 
-        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
-        generated_path = generated_path(generated_extras)
-        query_string_keys = query_parameter_names(generated_extras)
-
-        @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
-
-        @request.session.update(session) if session
-        @request.flash.update(flash || {})
-
-        if xhr
-          @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
-          @request.fetch_header("HTTP_ACCEPT") do |k|
-            @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
-          end
-        end
-
-        @request.fetch_header("SCRIPT_NAME") do |k|
-          @request.set_header k, @controller.config.relative_url_root
-        end
-
-        begin
-          @controller.recycle!
-          @controller.dispatch(action, @request, @response)
-        ensure
-          @request = @controller.request
-          @response = @controller.response
-
-          if @request.have_cookie_jar?
-            unless @request.cookie_jar.committed?
-              @request.cookie_jar.write(@response)
-              cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
-            end
-          end
-          @response.prepare!
-
-          if flash_value = @request.flash.to_session_value
-            @request.session["flash"] = flash_value
-          else
-            @request.session.delete("flash")
-          end
-
-          if xhr
-            @request.delete_header "HTTP_X_REQUESTED_WITH"
-            @request.delete_header "HTTP_ACCEPT"
-          end
-          @request.query_string = ""
-
-          @response.sent!
-        end
-
-        @response
+        setup_request(controller_class_name, action, parameters, session, flash, xhr)
+        process_controller_response(action, cookies, xhr)
       end
 
       def controller_class_name
@@ -598,11 +549,66 @@ module ActionController
       end
 
       private
+        def setup_request(controller_class_name, action, parameters, session, flash, xhr)
+          generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
+          generated_path = generated_path(generated_extras)
+          query_string_keys = query_parameter_names(generated_extras)
+
+          @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
+
+          @request.session.update(session) if session
+          @request.flash.update(flash || {})
+
+          if xhr
+            @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
+            @request.fetch_header("HTTP_ACCEPT") do |k|
+              @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
+            end
+          end
+
+          @request.fetch_header("SCRIPT_NAME") do |k|
+            @request.set_header k, @controller.config.relative_url_root
+          end
+        end
+
+        def process_controller_response(action, cookies, xhr)
+          begin
+            @controller.recycle!
+            @controller.dispatch(action, @request, @response)
+          ensure
+            @request = @controller.request
+            @response = @controller.response
+
+            if @request.have_cookie_jar?
+              unless @request.cookie_jar.committed?
+                @request.cookie_jar.write(@response)
+                cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
+              end
+            end
+            @response.prepare!
+
+            if flash_value = @request.flash.to_session_value
+              @request.session["flash"] = flash_value
+            else
+              @request.session.delete("flash")
+            end
+
+            if xhr
+              @request.delete_header "HTTP_X_REQUESTED_WITH"
+              @request.delete_header "HTTP_ACCEPT"
+            end
+            @request.query_string = ""
+
+            @response.sent!
+          end
+
+          @response
+        end
+
         def scrub_env!(env)
-          env.delete_if { |k, v| k =~ /^(action_dispatch|rack)\.request/ }
-          env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
-          env.delete "action_dispatch.request.query_parameters"
-          env.delete "action_dispatch.request.request_parameters"
+          env.delete_if do |k, _|
+            k.start_with?("rack.request", "action_dispatch.request", "action_dispatch.rescue")
+          end
           env["rack.input"] = StringIO.new
           env.delete "CONTENT_LENGTH"
           env.delete "RAW_POST_DATA"

data/lib/action_dispatch.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2019 David Heinemeier Hansson
+# Copyright (c) 2004-2020 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -46,6 +46,7 @@ module ActionDispatch
   eager_autoload do
     autoload_under "http" do
       autoload :ContentSecurityPolicy
+      autoload :PermissionsPolicy
       autoload :Request
       autoload :Response
     end
@@ -82,7 +83,6 @@ module ActionDispatch
     autoload :Headers
     autoload :MimeNegotiation
     autoload :Parameters
-    autoload :ParameterFilter
     autoload :UploadedFile, "action_dispatch/http/upload"
     autoload :URL
   end
@@ -115,4 +115,5 @@ autoload :Mime, "action_dispatch/http/mime_type"
 ActiveSupport.on_load(:action_view) do
   ActionView::Base.default_formats ||= Mime::SET.symbols
   ActionView::Template::Types.delegate_to Mime
+  ActionView::LookupContext::DetailsKey.clear
 end

data/lib/action_dispatch/http/cache.rb

@@ -114,7 +114,7 @@ module ActionDispatch
 
         # True if an ETag is set and it's a weak validator (preceded with W/)
         def weak_etag?
-          etag? && etag.starts_with?('W/"')
+          etag? && etag.start_with?('W/"')
         end
 
         # True if an ETag is set and it isn't a weak validator (not preceded with W/)
@@ -125,7 +125,7 @@ module ActionDispatch
       private
         DATE          = "Date"
         LAST_MODIFIED = "Last-Modified"
-        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate])
 
         def generate_weak_etag(validators)
           "W/#{generate_strong_etag(validators)}"
@@ -150,8 +150,8 @@ module ActionDispatch
             directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive
-              key = directive.tr("-", "_")
-              cache_control[key.to_sym] = argument || true
+              directive.tr!("-", "_")
+              cache_control[directive.to_sym] = argument || true
             else
               cache_control[:extras] ||= []
               cache_control[:extras] << segment
@@ -166,6 +166,7 @@ module ActionDispatch
         end
 
         DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate"
+        NO_STORE              = "no-store"
         NO_CACHE              = "no-cache"
         PUBLIC                = "public"
         PRIVATE               = "private"
@@ -182,19 +183,20 @@ module ActionDispatch
         end
 
         def merge_and_normalize_cache_control!(cache_control)
-          control = {}
-          cc_headers = cache_control_headers
-          if extras = cc_headers.delete(:extras)
+          control = cache_control_headers
+
+          return if control.empty? && cache_control.empty?  # Let middleware handle default behavior
+
+          if extras = control.delete(:extras)
             cache_control[:extras] ||= []
             cache_control[:extras] += extras
             cache_control[:extras].uniq!
           end
 
-          control.merge! cc_headers
           control.merge! cache_control
 
-          if control.empty?
-            # Let middleware handle default behavior
+          if control[:no_store]
+            self._cache_control = NO_STORE
           elsif control[:no_cache]
             options = []
             options << PUBLIC if control[:public]

data/lib/action_dispatch/http/content_disposition.rb

@@ -14,13 +14,13 @@ module ActionDispatch
         @filename = filename
       end
 
-      TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!#$+.^_`|~-]/
+      TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!\#$+.^_`|~-]/
 
       def ascii_filename
         'filename="' + percent_escape(I18n.transliterate(filename), TRADITIONAL_ESCAPED_CHAR) + '"'
       end
 
-      RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!#$&+.^_`|~-]/
+      RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!\#$&+.^_`|~-]/
 
       def utf8_filename
         "filename*=UTF-8''" + percent_escape(filename, RFC_5987_ESCAPED_CHAR)

data/lib/action_dispatch/http/content_security_policy.rb

@@ -33,7 +33,7 @@ module ActionDispatch #:nodoc:
       private
         def html_response?(headers)
           if content_type = headers[CONTENT_TYPE]
-            content_type =~ /html/
+            /html/.match?(content_type)
           end
         end
 
@@ -137,7 +137,11 @@ module ActionDispatch #:nodoc:
       object_src:      "object-src",
       prefetch_src:    "prefetch-src",
       script_src:      "script-src",
+      script_src_attr: "script-src-attr",
+      script_src_elem: "script-src-elem",
       style_src:       "style-src",
+      style_src_attr:  "style-src-attr",
+      style_src_elem:  "style-src-elem",
       worker_src:      "worker-src"
     }.freeze
 

data/lib/action_dispatch/http/filter_parameters.rb

@@ -23,7 +23,7 @@ module ActionDispatch
     #   change { file: { code: "xxxx"} }
     #
     #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k =~ /secret/i
+    #     v.reverse! if k.match?(/secret/i)
     #   end
     #   => reverses the value to all keys matching /secret/i
     module FilterParameters

data/lib/action_dispatch/http/filter_redirect.rb

@@ -27,7 +27,7 @@ module ActionDispatch
           if String === filter
             location.include?(filter)
           elsif Regexp === filter
-            location =~ filter
+            location.match?(filter)
           end
         end
       end

data/lib/action_dispatch/http/headers.rb

@@ -121,8 +121,9 @@ module ActionDispatch
         def env_name(key)
           key = key.to_s
           if HTTP_HEADER.match?(key)
-            key = key.upcase.tr("-", "_")
-            key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+            key = key.upcase
+            key.tr!("-", "_")
+            key.prepend("HTTP_") unless CGI_VARIABLES.include?(key)
           end
           key
         end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -7,6 +7,8 @@ module ActionDispatch
     module MimeNegotiation
       extend ActiveSupport::Concern
 
+      class InvalidType < ::Mime::Type::InvalidMimeType; end
+
       RESCUABLE_MIME_FORMAT_ERRORS = [
         ActionController::BadRequest,
         ActionDispatch::Http::Parameters::ParseError,
@@ -25,6 +27,8 @@ module ActionDispatch
             nil
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 
@@ -47,6 +51,8 @@ module ActionDispatch
             Mime::Type.parse(header)
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 
@@ -62,13 +68,7 @@ module ActionDispatch
 
       def formats
         fetch_header("action_dispatch.request.formats") do |k|
-          params_readable = begin
-                              parameters[:format]
-                            rescue *RESCUABLE_MIME_FORMAT_ERRORS
-                              false
-                            end
-
-          v = if params_readable
+          v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
@@ -153,12 +153,24 @@ module ActionDispatch
         order.include?(Mime::ALL) ? format : nil
       end
 
+      def should_apply_vary_header?
+        !params_readable? && use_accept_header && valid_accept_header
+      end
+
       private
+        # We use normal content negotiation unless you include */* in your list,
+        # in which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
+        def params_readable? # :doc:
+          parameters[:format]
+        rescue *RESCUABLE_MIME_FORMAT_ERRORS
+          false
+        end
+
         def valid_accept_header # :doc:
           (xhr? && (accept.present? || content_mime_type)) ||
-            (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
+            (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
 
         def use_accept_header # :doc:

data/lib/action_dispatch/http/mime_type.rb

@@ -1,15 +1,17 @@
 # frozen_string_literal: true
 
 require "singleton"
-require "active_support/core_ext/string/starts_ends_with"
+require "active_support/core_ext/symbol/starts_ends_with"
 
 module Mime
   class Mimes
+    attr_reader :symbols
+
     include Enumerable
 
     def initialize
       @mimes = []
-      @symbols = nil
+      @symbols = []
     end
 
     def each
@@ -18,15 +20,16 @@ module Mime
 
     def <<(type)
       @mimes << type
-      @symbols = nil
+      @symbols << type.to_sym
     end
 
     def delete_if
-      @mimes.delete_if { |x| yield x }.tap { @symbols = nil }
-    end
-
-    def symbols
-      @symbols ||= map(&:to_sym)
+      @mimes.delete_if do |x|
+        if yield x
+          @symbols.delete(x.to_sym)
+          true
+        end
+      end
     end
   end
 
@@ -114,7 +117,7 @@ module Mime
             type = list[idx]
             break if type.q < app_xml.q
 
-            if type.name.ends_with? "+xml"
+            if type.name.end_with? "+xml"
               list[app_xml_idx], list[idx] = list[idx], app_xml
               app_xml_idx = idx
             end
@@ -202,7 +205,7 @@ module Mime
       # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
       # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]</tt>.
       def parse_data_with_trailing_star(type)
-        Mime::SET.select { |m| m =~ type }
+        Mime::SET.select { |m| m.match?(type) }
       end
 
       # This method is opposite of register method.
@@ -283,8 +286,14 @@ module Mime
       @synonyms.any? { |synonym| synonym.to_s =~ regexp } || @string =~ regexp
     end
 
+    def match?(mime_type)
+      return false unless mime_type
+      regexp = Regexp.new(Regexp.quote(mime_type.to_s))
+      @synonyms.any? { |synonym| synonym.to_s.match?(regexp) } || @string.match?(regexp)
+    end
+
     def html?
-      symbol == :html || @string =~ /html/
+      (symbol == :html) || /html/.match?(@string)
     end
 
     def all?; false; end
@@ -297,7 +306,7 @@ module Mime
       def to_a; end
 
       def method_missing(method, *args)
-        if method.to_s.ends_with? "?"
+        if method.end_with?("?")
           method[0..-2].downcase.to_sym == to_sym
         else
           super
@@ -305,7 +314,7 @@ module Mime
       end
 
       def respond_to_missing?(method, include_private = false)
-        (method.to_s.ends_with? "?") || super
+        method.end_with?("?") || super
       end
   end
 
@@ -332,15 +341,19 @@ module Mime
       true
     end
 
+    def to_s
+      ""
+    end
+
     def ref; end
 
     private
       def respond_to_missing?(method, _)
-        method.to_s.ends_with? "?"
+        method.end_with?("?")
       end
 
       def method_missing(method, *args)
-        false if method.to_s.ends_with? "?"
+        false if method.end_with?("?")
       end
   end
 end