actionpack 6.1.7.5 → 7.1.3.1

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
-
 module ActionDispatch
+  # = Action Dispatch \HostAuthorization
+  #
   # This middleware guards from DNS rebinding attacks by explicitly permitting
   # the hosts a request can be sent to, and is passed the options set in
   # +config.host_authorization+.
@@ -20,6 +20,7 @@ module ActionDispatch
   class HostAuthorization
     ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
     PORT_REGEX = /(?::\d+)/ # :nodoc:
+    SUBDOMAIN_REGEX = /(?:[a-z0-9-]+\.)/i # :nodoc:
     IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
     IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
     IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
@@ -71,7 +72,7 @@ module ActionDispatch
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
+            /\A#{SUBDOMAIN_REGEX}?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
             /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
@@ -97,14 +98,14 @@ module ActionDispatch
         def response_body(request)
           return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
 
-          template = DebugView.new(host: request.host)
+          template = DebugView.new(hosts: request.env["action_dispatch.blocked_hosts"])
           template.render(template: "rescues/blocked_host", layout: "rescues/layout")
         end
 
         def response(format, body)
           [RESPONSE_STATUS,
-           { "Content-Type" => "#{format}; charset=#{Response.default_charset}",
-             "Content-Length" => body.bytesize.to_s },
+           { Rack::CONTENT_TYPE => "#{format}; charset=#{Response.default_charset}",
+             Rack::CONTENT_LENGTH => body.bytesize.to_s },
            [body]]
         end
 
@@ -113,7 +114,7 @@ module ActionDispatch
 
           return unless logger
 
-          logger.error("[#{self.class.name}] Blocked host: #{request.host}")
+          logger.error("[#{self.class.name}] Blocked hosts: #{request.env["action_dispatch.blocked_hosts"].join(", ")}")
         end
 
         def available_logger(request)
@@ -121,20 +122,11 @@ module ActionDispatch
         end
     end
 
-    def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil)
+    def initialize(app, hosts, exclude: nil, response_app: nil)
       @app = app
       @permissions = Permissions.new(hosts)
       @exclude = exclude
 
-      unless deprecated_response_app.nil?
-        ActiveSupport::Deprecation.warn(<<-MSG.squish)
-          `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 7.0.
-          Use the Host Authorization `response_app` setting instead.
-        MSG
-
-        response_app ||= deprecated_response_app
-      end
-
       @response_app = response_app || DefaultResponseApp.new
     end
 
@@ -142,21 +134,28 @@ module ActionDispatch
       return @app.call(env) if @permissions.empty?
 
       request = Request.new(env)
+      hosts = blocked_hosts(request)
 
-      if authorized?(request) || excluded?(request)
+      if hosts.empty? || excluded?(request)
         mark_as_authorized(request)
         @app.call(env)
       else
+        env["action_dispatch.blocked_hosts"] = hosts
         @response_app.call(env)
       end
     end
 
     private
-      def authorized?(request)
+      def blocked_hosts(request)
+        hosts = []
+
         origin_host = request.get_header("HTTP_HOST")
+        hosts << origin_host unless @permissions.allows?(origin_host)
+
         forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
+        hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host)
 
-        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+        hosts
       end
 
       def excluded?(request)

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \PublicExceptions
+  #
   # When called, this middleware renders an error page. By default if an HTML
   # response is expected it will render static error pages from the <tt>/public</tt>
   # directory. For example when this middleware receives a 500 response it will
@@ -42,8 +44,8 @@ module ActionDispatch
       end
 
       def render_format(status, content_type, body)
-        [status, { "Content-Type" => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
-                  "Content-Length" => body.bytesize.to_s }, [body]]
+        [status, { Rack::CONTENT_TYPE => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
+                  Rack::CONTENT_LENGTH => body.bytesize.to_s }, [body]]
       end
 
       def render_html(status)
@@ -53,7 +55,7 @@ module ActionDispatch
         if found || File.exist?(path)
           render_format(status, "text/html", File.read(path))
         else
-          [404, { "X-Cascade" => "pass" }, []]
+          [404, { Constants::X_CASCADE => "pass" }, []]
         end
       end
   end

data/lib/action_dispatch/middleware/reloader.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 module ActionDispatch
-  # ActionDispatch::Reloader wraps the request with callbacks provided by ActiveSupport::Reloader
-  # callbacks, intended to assist with code reloading during development.
+  # = Action Dispatch \Reloader
   #
-  # By default, ActionDispatch::Reloader is included in the middleware stack
-  # only in the development environment; specifically, when +config.cache_classes+
-  # is false.
+  # ActionDispatch::Reloader wraps the request with callbacks provided by
+  # ActiveSupport::Reloader, intended to assist with code reloading during
+  # development.
+  #
+  # ActionDispatch::Reloader is included in the middleware stack only if
+  # reloading is enabled, which it is by the default in +development+ mode.
   class Reloader < Executor
   end
 end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -3,14 +3,14 @@
 require "ipaddr"
 
 module ActionDispatch
+  # = Action Dispatch \RemoteIp
+  #
   # This middleware calculates the IP address of the remote client that is
   # making the request. It does this by checking various headers that could
   # contain the address, and then picking the last-set address that is not
   # on the list of trusted IPs. This follows the precedent set by e.g.
-  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
-  # with {reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
-  # by @gingerlime. A more detailed explanation of the algorithm is given
-  # at GetIp#calculate_ip.
+  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453].
+  # A more detailed explanation of the algorithm is given at GetIp#calculate_ip.
   #
   # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
   # requires. Some Rack servers simply drop preceding headers, and only report
@@ -22,9 +22,10 @@ module ActionDispatch
   # This middleware assumes that there is at least one proxy sitting around
   # and setting headers with the client's remote IP address. If you don't use
   # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
-  # claim to have any IP address by setting the X-Forwarded-For header. If you
+  # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
   # care about that, then you need to explicitly drop or ignore those headers
-  # sometime before this middleware runs.
+  # sometime before this middleware runs. Alternatively, remove this middleware
+  # to avoid inadvertently relying on it.
   class RemoteIp
     class IpSpoofAttackError < StandardError; end
 
@@ -51,11 +52,9 @@ module ActionDispatch
     # clients (like WAP devices), or behind proxies that set headers in an
     # incorrect or confusing way (like AWS ELB).
     #
-    # The +custom_proxies+ argument can take an Array of string, IPAddr, or
-    # Regexp objects which will be used instead of +TRUSTED_PROXIES+. If a
-    # single string, IPAddr, or Regexp object is provided, it will be used in
-    # addition to +TRUSTED_PROXIES+. Any proxy setup will put the value you
-    # want in the middle (or at the beginning) of the X-Forwarded-For list,
+    # The +custom_proxies+ argument can take an enumerable which will be used
+    # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
+    # want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
     # with your proxy servers after it. If your proxies aren't removed, pass
     # them in via the +custom_proxies+ parameter. That way, the middleware will
     # ignore those IP addresses, and return the one that you want.
@@ -67,7 +66,19 @@ module ActionDispatch
       elsif custom_proxies.respond_to?(:any?)
         custom_proxies
       else
-        Array(custom_proxies) + TRUSTED_PROXIES
+        raise(ArgumentError, <<~EOM)
+          Setting config.action_dispatch.trusted_proxies to a single value isn't
+          supported. Please set this to an enumerable instead. For
+          example, instead of:
+
+          config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
+
+          Wrap the value in an Array:
+
+          config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
+
+          Note that passing an enumerable will *replace* the default set of trusted proxies.
+        EOM
       end
     end
 
@@ -98,11 +109,11 @@ module ActionDispatch
       # REMOTE_ADDR will be correct if the request is made directly against the
       # Ruby process, on e.g. Heroku. When the request is proxied by another
       # server like HAProxy or NGINX, the IP address that made the original
-      # request will be put in an X-Forwarded-For header. If there are multiple
+      # request will be put in an +X-Forwarded-For+ header. If there are multiple
       # proxies, that header may contain a list of IPs. Other proxy services
-      # set the Client-Ip header instead, so we check that too.
+      # set the +Client-Ip+ header instead, so we check that too.
       #
-      # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
+      # As discussed in {this post about Rails IP Spoofing}[https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,
       # it could also have been set by the client maliciously.
       #
@@ -114,8 +125,8 @@ module ActionDispatch
         remote_addr = ips_from(@req.remote_addr).last
 
         # Could be a CSV list and/or repeated headers that were concatenated.
-        client_ips    = ips_from(@req.client_ip).reverse
-        forwarded_ips = ips_from(@req.x_forwarded_for).reverse
+        client_ips    = ips_from(@req.client_ip).reverse!
+        forwarded_ips = ips_from(@req.x_forwarded_for).reverse!
 
         # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
         # If they are both set, it means that either:
@@ -143,7 +154,8 @@ module ActionDispatch
         #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
         #   - Client-Ip is propagated from the outermost proxy, or is blank
         #   - REMOTE_ADDR will be the IP that made the request to Rack
-        ips = [forwarded_ips, client_ips].flatten.compact
+        ips = forwarded_ips + client_ips
+        ips.compact!
 
         # If every single IP option is in the trusted list, return the IP
         # that's furthest away
@@ -161,7 +173,7 @@ module ActionDispatch
         return [] unless header
         # Split the comma-separated list into an array of strings.
         ips = header.strip.split(/[,\s]+/)
-        ips.select do |ip|
+        ips.select! do |ip|
           # Only return IPs that are valid according to the IPAddr#new method.
           range = IPAddr.new(ip).to_range
           # We want to make sure nobody is sneaking a netmask in.
@@ -169,6 +181,7 @@ module ActionDispatch
         rescue ArgumentError
           nil
         end
+        ips
       end
 
       def filter_proxies(ips) # :doc:

data/lib/action_dispatch/middleware/request_id.rb

@@ -4,11 +4,13 @@ require "securerandom"
 require "active_support/core_ext/string/access"
 
 module ActionDispatch
+  # = Action Dispatch \RequestId
+  #
   # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
-  # through <tt>ActionDispatch::Request#request_id</tt> or the alias <tt>ActionDispatch::Request#uuid</tt>) and sends
-  # the same id to the client via the X-Request-Id header.
+  # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
+  # the same id to the client via the +X-Request-Id+ header.
   #
-  # The unique request id is either based on the X-Request-Id header in the request, which would typically be generated
+  # The unique request id is either based on the +X-Request-Id+ header in the request, which would typically be generated
   # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
   # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
   #

data/lib/action_dispatch/middleware/server_timing.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "active_support/notifications"
+
+module ActionDispatch
+  class ServerTiming
+    class Subscriber # :nodoc:
+      include Singleton
+      KEY = :action_dispatch_server_timing_events
+
+      def initialize
+        @mutex = Mutex.new
+      end
+
+      def call(event)
+        if events = ActiveSupport::IsolatedExecutionState[KEY]
+          events << event
+        end
+      end
+
+      def collect_events
+        events = []
+        ActiveSupport::IsolatedExecutionState[KEY] = events
+        yield
+        events
+      ensure
+        ActiveSupport::IsolatedExecutionState.delete(KEY)
+      end
+
+      def ensure_subscribed
+        @mutex.synchronize do
+          # Subscribe to all events, except those beginning with "!"
+          # Ideally we would be more selective of what is being measured
+          @subscriber ||= ActiveSupport::Notifications.subscribe(/\A[^!]/, self)
+        end
+      end
+
+      def unsubscribe
+        @mutex.synchronize do
+          ActiveSupport::Notifications.unsubscribe @subscriber
+          @subscriber = nil
+        end
+      end
+    end
+
+    def self.unsubscribe # :nodoc:
+      Subscriber.instance.unsubscribe
+    end
+
+    def initialize(app)
+      @app = app
+      @subscriber = Subscriber.instance
+      @subscriber.ensure_subscribed
+    end
+
+    def call(env)
+      response = nil
+      events = @subscriber.collect_events do
+        response = @app.call(env)
+      end
+
+      headers = response[1]
+
+      header_info = events.group_by(&:name).map do |event_name, events_collection|
+        "%s;dur=%.2f" % [event_name, events_collection.sum(&:duration)]
+      end
+
+      if headers[ActionDispatch::Constants::SERVER_TIMING].present?
+        header_info.prepend(headers[ActionDispatch::Constants::SERVER_TIMING])
+      end
+      headers[ActionDispatch::Constants::SERVER_TIMING] = header_info.join(", ")
+
+      response
+    end
+  end
+end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -8,7 +8,7 @@ require "action_dispatch/request/session"
 
 module ActionDispatch
   module Session
-    class SessionRestoreError < StandardError #:nodoc:
+    class SessionRestoreError < StandardError # :nodoc:
       def initialize
         super("Session contains objects whose class definition isn't available.\n" \
           "Remember to require the classes for all objects kept in the session.\n" \
@@ -67,6 +67,11 @@ module ActionDispatch
     end
 
     module SessionObject # :nodoc:
+      def commit_session(req, res)
+        req.commit_csrf_token
+        super(req, res)
+      end
+
       def prepare_session(req)
         Request::Session.create(self, req, @default_options)
       end

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -4,6 +4,8 @@ require "action_dispatch/middleware/session/abstract_store"
 
 module ActionDispatch
   module Session
+    # = Action Dispatch Session \CacheStore
+    #
     # A session store that uses an ActiveSupport::Cache::Store to store the sessions. This store is most useful
     # if you don't store critical data in your sessions and you don't need them to live for extended periods
     # of time.

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -6,46 +6,48 @@ require "rack/session/cookie"
 
 module ActionDispatch
   module Session
-    # This cookie-based session store is the Rails default. It is
+    # = Action Dispatch Session \CookieStore
+    #
+    # This cookie-based session store is the \Rails default. It is
     # dramatically faster than the alternatives.
     #
-    # Sessions typically contain at most a user_id and flash message; both fit
-    # within the 4096 bytes cookie size limit. A CookieOverflow exception is raised if
+    # Sessions typically contain at most a user ID and flash message; both fit
+    # within the 4096 bytes cookie size limit. A +CookieOverflow+ exception is raised if
     # you attempt to store more than 4096 bytes of data.
     #
     # The cookie jar used for storage is automatically configured to be the
     # best possible option given your application's configuration.
     #
-    # Your cookies will be encrypted using your apps secret_key_base. This
+    # Your cookies will be encrypted using your application's +secret_key_base+. This
     # goes a step further than signed cookies in that encrypted cookies cannot
-    # be altered or read by users. This is the default starting in Rails 4.
+    # be altered or read by users. This is the default starting in \Rails 4.
     #
     # Configure your session store in an initializer:
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
-    # In the development and test environments your application's secret key base is
-    # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
+    # In the development and test environments your application's +secret_key_base+ is
+    # generated by \Rails and stored in a temporary file in <tt>tmp/local_secret.txt</tt>.
     # In all other environments, it is stored encrypted in the
     # <tt>config/credentials.yml.enc</tt> file.
     #
-    # If your application was not updated to Rails 5.2 defaults, the secret_key_base
+    # If your application was not updated to \Rails 5.2 defaults, the +secret_key_base+
     # will be found in the old <tt>config/secrets.yml</tt> file.
     #
-    # Note that changing your secret_key_base will invalidate all existing session.
+    # Note that changing your +secret_key_base+ will invalidate all existing session.
     # Additionally, you should take care to make sure you are not relying on the
     # ability to decode signed cookies generated by your app in external
     # applications or JavaScript before changing it.
     #
-    # Because CookieStore extends Rack::Session::Abstract::Persisted, many of the
+    # Because CookieStore extends +Rack::Session::Abstract::Persisted+, many of the
     # options described there can be used to customize the session cookie that
     # is generated. For example:
     #
     #   Rails.application.config.session_store :cookie_store, expire_after: 14.days
     #
     # would set the session cookie to expire automatically 14 days after creation.
-    # Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
-    # <tt>:httponly</tt>.
+    # Other useful options include <tt>:key</tt>, <tt>:secure</tt>,
+    # <tt>:httponly</tt>, and <tt>:same_site</tt>.
     class CookieStore < AbstractSecureStore
       class SessionId < DelegateClass(Rack::Session::SessionId)
         attr_reader :cookie_value
@@ -56,8 +58,12 @@ module ActionDispatch
         end
       end
 
+      DEFAULT_SAME_SITE = proc { |request| request.cookies_same_site_protection } # :nodoc:
+
       def initialize(app, options = {})
-        super(app, options.merge!(cookie_only: true))
+        options[:cookie_only] = true
+        options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site)
+        super
       end
 
       def delete_session(req, session_id, options)

data/lib/action_dispatch/middleware/session/mem_cache_store.rb

@@ -4,12 +4,14 @@ require "action_dispatch/middleware/session/abstract_store"
 begin
   require "rack/session/dalli"
 rescue LoadError => e
-  $stderr.puts "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
+  warn "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
   raise e
 end
 
 module ActionDispatch
   module Session
+    # = Action Dispatch Session \MemCacheStore
+    #
     # A session store that uses MemCache to implement storage.
     #
     # ==== Options

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -1,49 +1,48 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
 require "action_dispatch/middleware/exception_wrapper"
 
 module ActionDispatch
+  # = Action Dispatch \ShowExceptions
+  #
   # This middleware rescues any exception returned by the application
   # and calls an exceptions app that will wrap it in a format for the end user.
   #
-  # The exceptions app should be passed as parameter on initialization
-  # of ShowExceptions. Every time there is an exception, ShowExceptions will
-  # store the exception in env["action_dispatch.exception"], rewrite the
-  # PATH_INFO to the exception status code and call the Rack app.
+  # The exceptions app should be passed as a parameter on initialization of
+  # +ShowExceptions+. Every time there is an exception, +ShowExceptions+ will
+  # store the exception in <tt>env["action_dispatch.exception"]</tt>, rewrite
+  # the +PATH_INFO+ to the exception status code, and call the Rack app.
+  #
+  # In \Rails applications, the exceptions app can be configured with
+  # +config.exceptions_app+, which defaults to ActionDispatch::PublicExceptions.
   #
-  # If the application returns a "X-Cascade" pass response, this middleware
-  # will send an empty response as result with the correct status code.
-  # If any exception happens inside the exceptions app, this middleware
-  # catches the exceptions and returns a FAILSAFE_RESPONSE.
+  # If the application returns a response with the <tt>X-Cascade</tt> header
+  # set to <tt>"pass"</tt>, this middleware will send an empty response as a
+  # result with the correct status code. If any exception happens inside the
+  # exceptions app, this middleware catches the exceptions and returns a
+  # failsafe response.
   class ShowExceptions
-    FAILSAFE_RESPONSE = [500, { "Content-Type" => "text/plain" },
-      ["500 Internal Server Error\n" \
-       "If you are the administrator of this website, then please read this web " \
-       "application's log file and/or the web server's log file to find out what " \
-       "went wrong."]]
-
     def initialize(app, exceptions_app)
       @app = app
       @exceptions_app = exceptions_app
     end
 
     def call(env)
-      request = ActionDispatch::Request.new env
       @app.call(env)
     rescue Exception => exception
-      if request.show_exceptions?
-        render_exception(request, exception)
+      request = ActionDispatch::Request.new env
+      backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
+      wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
+      if wrapper.show?(request)
+        render_exception(request, wrapper)
       else
         raise exception
       end
     end
 
     private
-      def render_exception(request, exception)
-        backtrace_cleaner = request.get_header "action_dispatch.backtrace_cleaner"
-        wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
-        status  = wrapper.status_code
+      def render_exception(request, wrapper)
+        status = wrapper.status_code
         request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
         request.set_header "action_dispatch.original_request_method", request.raw_request_method
@@ -51,10 +50,15 @@ module ActionDispatch
         request.path_info = "/#{status}"
         request.request_method = "GET"
         response = @exceptions_app.call(request.env)
-        response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
+        response[1][Constants::X_CASCADE] == "pass" ? pass_response(status) : response
       rescue Exception => failsafe_error
         $stderr.puts "Error during failsafe response: #{failsafe_error}\n  #{failsafe_error.backtrace * "\n  "}"
-        FAILSAFE_RESPONSE
+
+        [500, { Rack::CONTENT_TYPE => "text/plain; charset=utf-8" },
+          ["500 Internal Server Error\n" \
+          "If you are the administrator of this website, then please read this web " \
+          "application's log file and/or the web server's log file to find out what " \
+          "went wrong."]]
       end
 
       def fallback_to_html_format_if_invalid_mime_type(request)
@@ -67,7 +71,8 @@ module ActionDispatch
       end
 
       def pass_response(status)
-        [status, { "Content-Type" => "text/html; charset=#{Response.default_charset}", "Content-Length" => "0" }, []]
+        [status, { Rack::CONTENT_TYPE => "text/html; charset=#{Response.default_charset}",
+                  Rack::CONTENT_LENGTH => "0" }, []]
       end
   end
 end

data/lib/action_dispatch/middleware/ssl.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \SSL
+  #
   # This middleware is added to the stack when <tt>config.force_ssl = true</tt>, and is passed
   # the options set in +config.ssl_options+. It does three jobs to enforce secure HTTP
   # requests:
@@ -86,7 +88,7 @@ module ActionDispatch
 
     private
       def set_hsts_header!(headers)
-        headers["Strict-Transport-Security"] ||= @hsts_header
+        headers[Constants::STRICT_TRANSPORT_SECURITY] ||= @hsts_header
       end
 
       def normalize_hsts_options(options)
@@ -112,23 +114,33 @@ module ActionDispatch
       end
 
       def flag_cookies_as_secure!(headers)
-        if cookies = headers["Set-Cookie"]
-          cookies = cookies.split("\n")
+        cookies = headers[Rack::SET_COOKIE]
+        return unless cookies
 
-          headers["Set-Cookie"] = cookies.map { |cookie|
+        if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+          cookies = cookies.split("\n")
+          headers[Rack::SET_COOKIE] = cookies.map { |cookie|
             if !/;\s*secure\s*(;|$)/i.match?(cookie)
               "#{cookie}; secure"
             else
               cookie
             end
           }.join("\n")
+        else
+          headers[Rack::SET_COOKIE] = Array(cookies).map do |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          end
         end
       end
 
       def redirect_to_https(request)
         [ @redirect.fetch(:status, redirection_status(request)),
-          { "Content-Type" => "text/html",
-            "Location" => https_location_for(request) },
+          { Rack::CONTENT_TYPE => "text/html; charset=utf-8",
+            Constants::LOCATION => https_location_for(request) },
           (@redirect[:body] || []) ]
       end