actionpack 6.1.7.3 → 7.0.8

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
 require "action_dispatch/middleware/exception_wrapper"
 require "action_dispatch/routing/inspector"
 
@@ -135,6 +134,7 @@ module ActionDispatch
         logger = logger(request)
 
         return unless logger
+        return if !log_rescued_responses?(request) && wrapper.rescue_response?
 
         exception = wrapper.exception
         trace = wrapper.exception_trace
@@ -149,9 +149,7 @@ module ActionDispatch
         log_array(logger, message)
       end
 
-      def log_array(logger, array)
-        lines = Array(array)
-
+      def log_array(logger, lines)
         return if lines.empty?
 
         if logger.formatter && logger.formatter.respond_to?(:tags_text)
@@ -178,5 +176,9 @@ module ActionDispatch
       def api_request?(content_type)
         @response_format == :api && !content_type.html?
       end
+
+      def log_rescued_responses?(request)
+        request.get_header("action_dispatch.log_rescued_responses")
+      end
   end
 end

data/lib/action_dispatch/middleware/debug_locks.rb

@@ -9,9 +9,9 @@ module ActionDispatch
   #     config.middleware.insert_before Rack::Sendfile, ActionDispatch::DebugLocks
   #
   # After restarting the application and re-triggering the deadlock condition,
-  # <tt>/rails/locks</tt> will show a summary of all threads currently known to
-  # the interlock, which lock level they are holding or awaiting, and their
-  # current backtrace.
+  # the route <tt>/rails/locks</tt> will show a summary of all threads currently
+  # known to the interlock, which lock level they are holding or awaiting, and
+  # their current backtrace.
   #
   # Generally a deadlock will be caused by the interlock conflicting with some
   # other external lock or blocking I/O call. These cannot be automatically

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -118,6 +118,10 @@ module ActionDispatch
       Rack::Utils.status_code(@@rescue_responses[class_name])
     end
 
+    def rescue_response?
+      @@rescue_responses.key?(exception.class.name)
+    end
+
     def source_extracts
       backtrace.map do |trace|
         file, line_number = extract_file_and_line_number(trace)

data/lib/action_dispatch/middleware/executor.rb

@@ -13,6 +13,9 @@ module ActionDispatch
       begin
         response = @app.call(env)
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
+      rescue => error
+        @executor.error_reporter.report(error, handled: false)
+        raise
       ensure
         state.complete! unless returned
       end

data/lib/action_dispatch/middleware/flash.rb

@@ -20,10 +20,11 @@ module ActionDispatch
   #     end
   #   end
   #
-  #   show.html.erb
-  #     <% if flash[:notice] %>
-  #       <div class="notice"><%= flash[:notice] %></div>
-  #     <% end %>
+  # Then in +show.html.erb+:
+  #
+  #   <% if flash[:notice] %>
+  #     <div class="notice"><%= flash[:notice] %></div>
+  #   <% end %>
   #
   # Since the +notice+ and +alert+ keys are a common idiom, convenience accessors are available:
   #
@@ -41,9 +42,9 @@ module ActionDispatch
     KEY = "action_dispatch.request.flash_hash"
 
     module RequestMethods
-      # Access the contents of the flash. Use <tt>flash["notice"]</tt> to
-      # read a notice you put there or <tt>flash["notice"] = "hello"</tt>
-      # to put a new one.
+      # Access the contents of the flash. Returns a ActionDispatch::Flash::FlashHash.
+      #
+      # See ActionDispatch::Flash for example usage.
       def flash
         flash = flash_hash
         return flash if flash
@@ -59,16 +60,14 @@ module ActionDispatch
       end
 
       def commit_flash # :nodoc:
-        session    = self.session || {}
-        flash_hash = self.flash_hash
+        return unless session.enabled?
 
         if flash_hash && (flash_hash.present? || session.key?("flash"))
           session["flash"] = flash_hash.to_session_value
           self.flash = flash_hash.dup
         end
 
-        if (!session.respond_to?(:loaded?) || session.loaded?) && # reset_session uses {}, which doesn't implement #loaded?
-            session.key?("flash") && session["flash"].nil?
+        if session.loaded? && session.key?("flash") && session["flash"].nil?
           session.delete("flash")
         end
       end
@@ -79,7 +78,7 @@ module ActionDispatch
       end
     end
 
-    class FlashNow #:nodoc:
+    class FlashNow # :nodoc:
       attr_accessor :flash
 
       def initialize(flash)
@@ -111,7 +110,7 @@ module ActionDispatch
     class FlashHash
       include Enumerable
 
-      def self.from_session_value(value) #:nodoc:
+      def self.from_session_value(value) # :nodoc:
         case value
         when FlashHash # Rails 3.1, 3.2
           flashes = value.instance_variable_get(:@flashes)
@@ -132,13 +131,13 @@ module ActionDispatch
 
       # Builds a hash containing the flashes to keep for the next request.
       # If there are none to keep, returns +nil+.
-      def to_session_value #:nodoc:
+      def to_session_value # :nodoc:
         flashes_to_keep = @flashes.except(*@discard)
         return nil if flashes_to_keep.empty?
         { "discard" => [], "flashes" => flashes_to_keep }
       end
 
-      def initialize(flashes = {}, discard = []) #:nodoc:
+      def initialize(flashes = {}, discard = []) # :nodoc:
         @discard = Set.new(stringify_array(discard))
         @flashes = flashes.stringify_keys
         @now     = nil
@@ -162,7 +161,7 @@ module ActionDispatch
         @flashes[k.to_s]
       end
 
-      def update(h) #:nodoc:
+      def update(h) # :nodoc:
         @discard.subtract stringify_array(h.keys)
         @flashes.update h.stringify_keys
         self
@@ -202,7 +201,7 @@ module ActionDispatch
 
       alias :merge! :update
 
-      def replace(h) #:nodoc:
+      def replace(h) # :nodoc:
         @discard.clear
         @flashes.replace h.stringify_keys
         self
@@ -253,7 +252,7 @@ module ActionDispatch
       # Mark for removal entries that were kept, and delete unkept ones.
       #
       # This method is called automatically by filters, so you generally don't need to care about it.
-      def sweep #:nodoc:
+      def sweep # :nodoc:
         @discard.each { |k| @flashes.delete k }
         @discard.replace @flashes.keys
       end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
-
 module ActionDispatch
   # This middleware guards from DNS rebinding attacks by explicitly permitting
   # the hosts a request can be sent to, and is passed the options set in
@@ -97,7 +95,7 @@ module ActionDispatch
         def response_body(request)
           return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
 
-          template = DebugView.new(host: request.host)
+          template = DebugView.new(hosts: request.env["action_dispatch.blocked_hosts"])
           template.render(template: "rescues/blocked_host", layout: "rescues/layout")
         end
 
@@ -113,7 +111,7 @@ module ActionDispatch
 
           return unless logger
 
-          logger.error("[#{self.class.name}] Blocked host: #{request.host}")
+          logger.error("[#{self.class.name}] Blocked hosts: #{request.env["action_dispatch.blocked_hosts"].join(", ")}")
         end
 
         def available_logger(request)
@@ -121,20 +119,11 @@ module ActionDispatch
         end
     end
 
-    def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil)
+    def initialize(app, hosts, exclude: nil, response_app: nil)
       @app = app
       @permissions = Permissions.new(hosts)
       @exclude = exclude
 
-      unless deprecated_response_app.nil?
-        ActiveSupport::Deprecation.warn(<<-MSG.squish)
-          `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 7.0.
-          Use the Host Authorization `response_app` setting instead.
-        MSG
-
-        response_app ||= deprecated_response_app
-      end
-
       @response_app = response_app || DefaultResponseApp.new
     end
 
@@ -142,21 +131,28 @@ module ActionDispatch
       return @app.call(env) if @permissions.empty?
 
       request = Request.new(env)
+      hosts = blocked_hosts(request)
 
-      if authorized?(request) || excluded?(request)
+      if hosts.empty? || excluded?(request)
         mark_as_authorized(request)
         @app.call(env)
       else
+        env["action_dispatch.blocked_hosts"] = hosts
         @response_app.call(env)
       end
     end
 
     private
-      def authorized?(request)
+      def blocked_hosts(request)
+        hosts = []
+
         origin_host = request.get_header("HTTP_HOST")
+        hosts << origin_host unless @permissions.allows?(origin_host)
+
         forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
+        hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host)
 
-        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+        hosts
       end
 
       def excluded?(request)

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -22,7 +22,7 @@ module ActionDispatch
   # This middleware assumes that there is at least one proxy sitting around
   # and setting headers with the client's remote IP address. If you don't use
   # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
-  # claim to have any IP address by setting the X-Forwarded-For header. If you
+  # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
   # care about that, then you need to explicitly drop or ignore those headers
   # sometime before this middleware runs.
   class RemoteIp
@@ -51,11 +51,9 @@ module ActionDispatch
     # clients (like WAP devices), or behind proxies that set headers in an
     # incorrect or confusing way (like AWS ELB).
     #
-    # The +custom_proxies+ argument can take an Array of string, IPAddr, or
-    # Regexp objects which will be used instead of +TRUSTED_PROXIES+. If a
-    # single string, IPAddr, or Regexp object is provided, it will be used in
-    # addition to +TRUSTED_PROXIES+. Any proxy setup will put the value you
-    # want in the middle (or at the beginning) of the X-Forwarded-For list,
+    # The +custom_proxies+ argument can take an enumerable which will be used
+    # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
+    # want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
     # with your proxy servers after it. If your proxies aren't removed, pass
     # them in via the +custom_proxies+ parameter. That way, the middleware will
     # ignore those IP addresses, and return the one that you want.
@@ -67,6 +65,20 @@ module ActionDispatch
       elsif custom_proxies.respond_to?(:any?)
         custom_proxies
       else
+        ActiveSupport::Deprecation.warn(<<~EOM)
+          Setting config.action_dispatch.trusted_proxies to a single value has
+          been deprecated. Please set this to an enumerable instead. For
+          example, instead of:
+
+          config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
+
+          Wrap the value in an Array:
+
+          config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
+
+          Note that unlike passing a single argument, passing an enumerable
+          will *replace* the default set of trusted proxies.
+        EOM
         Array(custom_proxies) + TRUSTED_PROXIES
       end
     end
@@ -98,9 +110,9 @@ module ActionDispatch
       # REMOTE_ADDR will be correct if the request is made directly against the
       # Ruby process, on e.g. Heroku. When the request is proxied by another
       # server like HAProxy or NGINX, the IP address that made the original
-      # request will be put in an X-Forwarded-For header. If there are multiple
+      # request will be put in an +X-Forwarded-For+ header. If there are multiple
       # proxies, that header may contain a list of IPs. Other proxy services
-      # set the Client-Ip header instead, so we check that too.
+      # set the +Client-Ip+ header instead, so we check that too.
       #
       # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,

data/lib/action_dispatch/middleware/request_id.rb

@@ -5,10 +5,10 @@ require "active_support/core_ext/string/access"
 
 module ActionDispatch
   # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
-  # through <tt>ActionDispatch::Request#request_id</tt> or the alias <tt>ActionDispatch::Request#uuid</tt>) and sends
-  # the same id to the client via the X-Request-Id header.
+  # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
+  # the same id to the client via the +X-Request-Id+ header.
   #
-  # The unique request id is either based on the X-Request-Id header in the request, which would typically be generated
+  # The unique request id is either based on the +X-Request-Id+ header in the request, which would typically be generated
   # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
   # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
   #

data/lib/action_dispatch/middleware/server_timing.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "active_support/notifications"
+
+module ActionDispatch
+  class ServerTiming
+    SERVER_TIMING_HEADER = "Server-Timing"
+
+    class Subscriber # :nodoc:
+      include Singleton
+      KEY = :action_dispatch_server_timing_events
+
+      def initialize
+        @mutex = Mutex.new
+      end
+
+      def call(event)
+        if events = ActiveSupport::IsolatedExecutionState[KEY]
+          events << event
+        end
+      end
+
+      def collect_events
+        events = []
+        ActiveSupport::IsolatedExecutionState[KEY] = events
+        yield
+        events
+      ensure
+        ActiveSupport::IsolatedExecutionState.delete(KEY)
+      end
+
+      def ensure_subscribed
+        @mutex.synchronize do
+          # Subscribe to all events, except those beginning with "!"
+          # Ideally we would be more selective of what is being measured
+          @subscriber ||= ActiveSupport::Notifications.subscribe(/\A[^!]/, self)
+        end
+      end
+
+      def unsubscribe
+        @mutex.synchronize do
+          ActiveSupport::Notifications.unsubscribe @subscriber
+          @subscriber = nil
+        end
+      end
+    end
+
+    def self.unsubscribe # :nodoc:
+      Subscriber.instance.unsubscribe
+    end
+
+    def initialize(app)
+      @app = app
+      @subscriber = Subscriber.instance
+      @subscriber.ensure_subscribed
+    end
+
+    def call(env)
+      response = nil
+      events = @subscriber.collect_events do
+        response = @app.call(env)
+      end
+
+      headers = response[1]
+
+      header_info = events.group_by(&:name).map do |event_name, events_collection|
+        "%s;dur=%.2f" % [event_name, events_collection.sum(&:duration)]
+      end
+
+      header_info.prepend(headers[SERVER_TIMING_HEADER]) if headers[SERVER_TIMING_HEADER].present?
+      headers[SERVER_TIMING_HEADER] = header_info.join(", ")
+
+      response
+    end
+  end
+end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -8,7 +8,7 @@ require "action_dispatch/request/session"
 
 module ActionDispatch
   module Session
-    class SessionRestoreError < StandardError #:nodoc:
+    class SessionRestoreError < StandardError # :nodoc:
       def initialize
         super("Session contains objects whose class definition isn't available.\n" \
           "Remember to require the classes for all objects kept in the session.\n" \

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -9,14 +9,14 @@ module ActionDispatch
     # This cookie-based session store is the Rails default. It is
     # dramatically faster than the alternatives.
     #
-    # Sessions typically contain at most a user_id and flash message; both fit
-    # within the 4096 bytes cookie size limit. A CookieOverflow exception is raised if
+    # Sessions typically contain at most a user ID and flash message; both fit
+    # within the 4096 bytes cookie size limit. A +CookieOverflow+ exception is raised if
     # you attempt to store more than 4096 bytes of data.
     #
     # The cookie jar used for storage is automatically configured to be the
     # best possible option given your application's configuration.
     #
-    # Your cookies will be encrypted using your apps secret_key_base. This
+    # Your cookies will be encrypted using your application's +secret_key_base+. This
     # goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
@@ -24,28 +24,28 @@ module ActionDispatch
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
-    # In the development and test environments your application's secret key base is
+    # In the development and test environments your application's +secret_key_base+ is
     # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
     # In all other environments, it is stored encrypted in the
     # <tt>config/credentials.yml.enc</tt> file.
     #
-    # If your application was not updated to Rails 5.2 defaults, the secret_key_base
+    # If your application was not updated to Rails 5.2 defaults, the +secret_key_base+
     # will be found in the old <tt>config/secrets.yml</tt> file.
     #
-    # Note that changing your secret_key_base will invalidate all existing session.
+    # Note that changing your +secret_key_base+ will invalidate all existing session.
     # Additionally, you should take care to make sure you are not relying on the
     # ability to decode signed cookies generated by your app in external
     # applications or JavaScript before changing it.
     #
-    # Because CookieStore extends Rack::Session::Abstract::Persisted, many of the
+    # Because CookieStore extends +Rack::Session::Abstract::Persisted+, many of the
     # options described there can be used to customize the session cookie that
     # is generated. For example:
     #
     #   Rails.application.config.session_store :cookie_store, expire_after: 14.days
     #
     # would set the session cookie to expire automatically 14 days after creation.
-    # Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
-    # <tt>:httponly</tt>.
+    # Other useful options include <tt>:key</tt>, <tt>:secure</tt>,
+    # <tt>:httponly</tt>, and <tt>:same_site</tt>.
     class CookieStore < AbstractSecureStore
       class SessionId < DelegateClass(Rack::Session::SessionId)
         attr_reader :cookie_value

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -1,28 +1,24 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
 require "action_dispatch/middleware/exception_wrapper"
 
 module ActionDispatch
   # This middleware rescues any exception returned by the application
   # and calls an exceptions app that will wrap it in a format for the end user.
   #
-  # The exceptions app should be passed as parameter on initialization
-  # of ShowExceptions. Every time there is an exception, ShowExceptions will
-  # store the exception in env["action_dispatch.exception"], rewrite the
-  # PATH_INFO to the exception status code and call the Rack app.
+  # The exceptions app should be passed as a parameter on initialization of
+  # +ShowExceptions+. Every time there is an exception, +ShowExceptions+ will
+  # store the exception in <tt>env["action_dispatch.exception"]</tt>, rewrite
+  # the +PATH_INFO+ to the exception status code and call the Rack app.
   #
-  # If the application returns a "X-Cascade" pass response, this middleware
-  # will send an empty response as result with the correct status code.
-  # If any exception happens inside the exceptions app, this middleware
-  # catches the exceptions and returns a FAILSAFE_RESPONSE.
+  # In \Rails applications, the exceptions app can be configured with
+  # +config.exceptions_app+, which defaults to ActionDispatch::PublicExceptions.
+  #
+  # If the application returns an <tt>"X-Cascade" => "pass"</tt> response, this
+  # middleware will send an empty response as a result with the correct status
+  # code. If any exception happens inside the exceptions app, this middleware
+  # catches the exceptions and returns a failsafe response.
   class ShowExceptions
-    FAILSAFE_RESPONSE = [500, { "Content-Type" => "text/plain" },
-      ["500 Internal Server Error\n" \
-       "If you are the administrator of this website, then please read this web " \
-       "application's log file and/or the web server's log file to find out what " \
-       "went wrong."]]
-
     def initialize(app, exceptions_app)
       @app = app
       @exceptions_app = exceptions_app
@@ -54,7 +50,12 @@ module ActionDispatch
         response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
       rescue Exception => failsafe_error
         $stderr.puts "Error during failsafe response: #{failsafe_error}\n  #{failsafe_error.backtrace * "\n  "}"
-        FAILSAFE_RESPONSE
+
+        [500, { "Content-Type" => "text/plain" },
+          ["500 Internal Server Error\n" \
+          "If you are the administrator of this website, then please read this web " \
+          "application's log file and/or the web server's log file to find out what " \
+          "went wrong."]]
       end
 
       def fallback_to_html_format_if_invalid_mime_type(request)

data/lib/action_dispatch/middleware/stack.rb

@@ -72,8 +72,8 @@ module ActionDispatch
       yield(self) if block_given?
     end
 
-    def each
-      @middlewares.each { |x| yield x }
+    def each(&block)
+      @middlewares.each(&block)
     end
 
     def size
@@ -91,7 +91,7 @@ module ActionDispatch
     def unshift(klass, *args, &block)
       middlewares.unshift(build_middleware(klass, args, block))
     end
-    ruby2_keywords(:unshift) if respond_to?(:ruby2_keywords, true)
+    ruby2_keywords(:unshift)
 
     def initialize_copy(other)
       self.middlewares = other.middlewares.dup
@@ -101,7 +101,7 @@ module ActionDispatch
       index = assert_index(index, :before)
       middlewares.insert(index, build_middleware(klass, args, block))
     end
-    ruby2_keywords(:insert) if respond_to?(:ruby2_keywords, true)
+    ruby2_keywords(:insert)
 
     alias_method :insert_before, :insert
 
@@ -109,17 +109,29 @@ module ActionDispatch
       index = assert_index(index, :after)
       insert(index + 1, *args, &block)
     end
-    ruby2_keywords(:insert_after) if respond_to?(:ruby2_keywords, true)
+    ruby2_keywords(:insert_after)
 
     def swap(target, *args, &block)
       index = assert_index(target, :before)
       insert(index, *args, &block)
       middlewares.delete_at(index + 1)
     end
-    ruby2_keywords(:swap) if respond_to?(:ruby2_keywords, true)
+    ruby2_keywords(:swap)
 
+    # Deletes a middleware from the middleware stack.
+    #
+    # Returns the array of middlewares not including the deleted item, or
+    # returns nil if the target is not found.
     def delete(target)
-      middlewares.delete_if { |m| m.klass == target }
+      middlewares.reject! { |m| m.name == target.name }
+    end
+
+    # Deletes a middleware from the middleware stack.
+    #
+    # Returns the array of middlewares not including the deleted item, or
+    # raises +RuntimeError+ if the target is not found.
+    def delete!(target)
+      delete(target) || (raise "No such middleware to remove: #{target.inspect}")
     end
 
     def move(target, source)
@@ -143,7 +155,7 @@ module ActionDispatch
     def use(klass, *args, &block)
       middlewares.push(build_middleware(klass, args, block))
     end
-    ruby2_keywords(:use) if respond_to?(:ruby2_keywords, true)
+    ruby2_keywords(:use)
 
     def build(app = nil, &block)
       instrumenting = ActiveSupport::Notifications.notifier.listening?(InstrumentationProxy::EVENT_NAME)
@@ -158,7 +170,7 @@ module ActionDispatch
 
     private
       def assert_index(index, where)
-        i = index.is_a?(Integer) ? index : middlewares.index { |m| m.klass == index }
+        i = index.is_a?(Integer) ? index : index_of(index)
         raise "No such middleware to insert #{where}: #{index.inspect}" unless i
         i
       end
@@ -166,5 +178,11 @@ module ActionDispatch
       def build_middleware(klass, args, block)
         Middleware.new(klass, args, block)
       end
+
+      def index_of(klass)
+        middlewares.index do |m|
+          m.name == klass.name
+        end
+      end
   end
 end

data/lib/action_dispatch/middleware/static.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "rack/utils"
-require "active_support/core_ext/uri"
 
 module ActionDispatch
   # This middleware serves static files from disk, if available.
@@ -25,7 +24,7 @@ module ActionDispatch
     end
   end
 
-  # This endpoint serves static files from disk using Rack::File.
+  # This endpoint serves static files from disk using +Rack::File+.
   #
   # URL paths are matched with static files according to expected
   # conventions: +path+, +path+.html, +path+/index.html.
@@ -34,13 +33,13 @@ module ActionDispatch
   # and gzip (.gz) files are supported. If +path+.br exists, this
   # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
   #
-  # If no matching file is found, this endpoint responds 404 Not Found.
+  # If no matching file is found, this endpoint responds <tt>404 Not Found</tt>.
   #
   # Pass the +root+ directory to search for matching files, an optional
   # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
   # additional response headers.
   class FileHandler
-    # Accept-Encoding value -> file extension
+    # +Accept-Encoding+ value -> file extension
     PRECOMPRESSED = {
       "br" => ".br",
       "gzip" => ".gz",
@@ -137,11 +136,8 @@ module ActionDispatch
       end
 
       def file_readable?(path)
-        file_stat = File.stat(File.join(@root, path.b))
-      rescue SystemCallError
-        false
-      else
-        file_stat.file? && file_stat.readable?
+        file_path = File.join(@root, path.b)
+        File.file?(file_path) && File.readable?(file_path)
       end
 
       def compressible?(content_type)