actionpack 6.1.7 → 7.0.4.1

data/lib/action_dispatch/middleware/static.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "rack/utils"
-require "active_support/core_ext/uri"
 
 module ActionDispatch
   # This middleware serves static files from disk, if available.
@@ -137,11 +136,8 @@ module ActionDispatch
       end
 
       def file_readable?(path)
-        file_stat = File.stat(File.join(@root, path.b))
-      rescue SystemCallError
-        false
-      else
-        file_stat.file? && file_stat.readable?
+        file_path = File.join(@root, path.b)
+        File.file?(file_path) && File.readable?(file_path)
       end
 
       def compressible?(content_type)

data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb

@@ -11,7 +11,7 @@
     <b>Did you mean?</b>
     <ul>
     <% corrections.each do |correction| %>
-      <li style="list-style-type: none"><%= h correction %></li>
+      <li class="correction"><%= h correction %></li>
     <% end %>
     </ul>
   <% end %>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb

@@ -1,24 +1,17 @@
-<% unless @exception.blamed_files.blank? %>
-  <% if (hide = @exception.blamed_files.length > 8) %>
-    <a href="#" onclick="return toggleTrace()">Toggle blamed files</a>
-  <% end %>
-  <pre id="blame_trace" <%='style="display:none"' if hide %>><code><%= @exception.describe_blame %></code></pre>
-<% end %>
-
-<h2 style="margin-top: 30px">Request</h2>
+<h2 class="request-heading">Request</h2>
 <% if params_valid? %>
   <p><b>Parameters</b>:</p> <pre><%= debug_params(@request.filtered_parameters) %></pre>
 <% end %>
 
 <div class="details">
   <div class="summary"><a href="#" onclick="return toggleSessionDump()">Toggle session dump</a></div>
-  <div id="session_dump" style="display:none"><pre><%= debug_hash @request.session %></pre></div>
+  <div id="session_dump" class="hidden"><pre><%= debug_hash @request.session %></pre></div>
 </div>
 
 <div class="details">
   <div class="summary"><a href="#" onclick="return toggleEnvDump()">Toggle env dump</a></div>
-  <div id="env_dump" style="display:none"><pre><%= debug_hash @request.env.slice(*@request.class::ENV_METHODS) %></pre></div>
+  <div id="env_dump" class="hidden"><pre><%= debug_hash @request.env.slice(*@request.class::ENV_METHODS) %></pre></div>
 </div>
 
-<h2 style="margin-top: 30px">Response</h2>
+<h2 class="response-heading">Response</h2>
 <p><b>Headers</b>:</p> <pre><%= debug_headers(defined?(@response) ? @response.headers : {}) %></pre>

data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb

@@ -14,7 +14,7 @@
 
   <% traces.each do |name, trace| %>
     <div id="<%= "#{name.gsub(/\s/, '-')}-#{error_index}" %>" style="display: <%= (name == trace_to_show) ? 'block' : 'none' %>;">
-      <code style="font-size: 11px;">
+      <code class="traces">
         <% trace.each do |frame| %>
           <a class="trace-frames trace-frames-<%= error_index %>" data-exception-object-id="<%= frame[:exception_object_id] %>" data-frame-id="<%= frame[:id] %>" href="#">
             <%= frame[:trace] %>
@@ -25,7 +25,7 @@
     </div>
   <% end %>
 
-  <script type="text/javascript">
+  <script>
     (function() {
       var traceFrames = document.getElementsByClassName('trace-frames-<%= error_index %>');
       var selectedFrame, currentSource = document.getElementById('frame-source-<%= error_index %>-0');

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -1,7 +1,8 @@
 <header>
   <h1>Blocked host: <%= @host %></h1>
 </header>
-<div id="container">
+<main role="main" id="container">
   <h2>To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
   <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
-</div>
+  <p>For more details view: <a href="https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization">the Host Authorization guide</a></p>
+</main>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -3,3 +3,5 @@ Blocked host: <%= @host %>
 To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
 
   config.hosts << "<%= @host %>"
+
+For more details on host authorization view: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -7,7 +7,7 @@
   </h1>
 </header>
 
-<div id="container">
+<main role="main" id="container">
   <%= render "rescues/message_and_suggestions", exception: @exception %>
   <%= render "rescues/actions", exception: @exception, request: @request %>
 
@@ -20,16 +20,16 @@
 
   <% @exception_wrapper.wrapped_causes.each.with_index(1) do |wrapper, index| %>
     <div class="details">
-      <a class="summary" href="#" style="color: #F0F0F0; text-decoration: none; background: #C52F24; border-bottom: none;" onclick="return toggle(<%= wrapper.exception.object_id %>)">
+      <a class="summary" href="#" onclick="return toggle(<%= wrapper.exception.object_id %>)">
         <%= wrapper.exception.class.name %>: <%= h wrapper.exception.message %>
       </a>
     </div>
 
-    <div id="<%= wrapper.exception.object_id %>" style="display: none;">
+    <div id="<%= wrapper.exception.object_id %>" class="hidden">
       <%= render "rescues/source", source_extracts: wrapper.source_extracts, show_source_idx: wrapper.source_to_show_id, error_index: index %>
       <%= render "rescues/trace", traces: wrapper.traces, trace_to_show: wrapper.trace_to_show, error_index: index %>
     </div>
   <% end %>
 
   <%= render template: "rescues/_request_and_response" %>
-</div>
+</main>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb

@@ -1,4 +1,4 @@
-<header>
+<header role="banner">
   <h1>
     <%= @exception.class.to_s %>
     <% if @request.parameters['controller'] %>
@@ -7,7 +7,7 @@
   </h1>
 </header>
 
-<div id="container">
+<main role="main" id="container">
   <h2>
     <%= h @exception.message %>
     <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
@@ -21,4 +21,4 @@
   <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx %>
   <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
   <%= render template: "rescues/_request_and_response" %>
-</div>
+</main>

data/lib/action_dispatch/middleware/templates/rescues/layout.erb

@@ -49,11 +49,19 @@
       line-height: 25px;
     }
 
+    code.traces {
+      font-size: 11px;
+    }
+
+    .response-heading, .request-heading {
+      margin-top: 30px;
+    }
+
     .exception-message {
       padding: 8px 0;
     }
 
-    .exception-message .message{
+    .exception-message .message {
       margin-bottom: 8px;
       line-height: 25px;
       font-size: 1.5em;
@@ -75,6 +83,13 @@
       display: block;
     }
 
+    a.summary {
+      color: #F0F0F0;
+      text-decoration: none;
+      background: #C52F24;
+      border-bottom: none;
+    }
+
     .details pre {
       margin: 5px;
       border: none;
@@ -114,7 +129,7 @@
 
     .source .data .line_numbers {
       background-color: #ECECEC;
-      color: #AAA;
+      color: #555;
       padding: 1em .5em;
       border-right: 1px solid #DDD;
       text-align: right;
@@ -143,6 +158,10 @@
       display: none;
     }
 
+    .correction {
+      list-style-type: none;
+    }
+
     input[type="submit"] {
       color: white;
       background-color: #C00;
@@ -153,6 +172,7 @@
       font-weight: bold;
       margin: 0;
       padding: 10px 18px;
+      cursor: pointer;
       -webkit-appearance: none;
     }
     input[type="submit"]:focus,
@@ -164,15 +184,14 @@
       transform: translateY(1px)
     }
 
-
     a { color: #980905; }
     a:visited { color: #666; }
     a.trace-frames {
       color: #666;
       overflow-wrap: break-word;
     }
-    a:hover { color: #C00; }
-    a.trace-frames.selected { color: #C00 }
+    a:hover, a.trace-frames.selected { color: #C00; }
+    a.summary:hover { color: #FFF; }
 
     @media (prefers-color-scheme: dark) {
       body {
@@ -180,11 +199,7 @@
         color: #ECECEC;
       }
 
-      .details {
-        border-color: #666;
-      }
-
-      .summary {
+      .details, .summary {
         border-color: #666;
       }
 
@@ -219,8 +234,7 @@
 
       a { color: #C00; }
       a.trace-frames { color: #999; }
-      a:hover { color: #E9382B; }
-      a.trace-frames.selected { color: #E9382B; }
+      a:hover, a.trace-frames.selected { color: #E9382B; }
     }
 
     <%= yield :style %>
@@ -228,8 +242,7 @@
 
   <script>
     var toggle = function(id) {
-      var s = document.getElementById(id).style;
-      s.display = s.display == 'none' ? 'block' : 'none';
+      document.getElementById(id).classList.toggle('hidden');
       return false;
     }
     var show = function(id) {
@@ -238,9 +251,6 @@
     var hide = function(id) {
       document.getElementById(id).style.display = 'none';
     }
-    var toggleTrace = function() {
-      return toggle('blame_trace');
-    }
     var toggleSessionDump = function() {
       return toggle('session_dump');
     }
@@ -251,7 +261,7 @@
 </head>
 <body>
 
-<%= yield %>
+  <%= yield %>
 
 </body>
 </html>

data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb

@@ -1,8 +1,8 @@
-<header>
+<header role="banner">
   <h1>No template for interactive request</h1>
 </header>
 
-<div id="container">
+<main id="container">
   <h2><%= h @exception.message %></h2>
 
   <p class="summary">
@@ -16,4 +16,4 @@
     since we expect an HTML template
     to be rendered for such requests. If that's the case, carry on.
   </p>
-</div>
+</main>

data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb

@@ -1,11 +1,11 @@
-<header>
+<header role="banner">
   <h1>Template is missing</h1>
 </header>
 
-<div id="container">
+<main role="main" id="container">
   <h2><%= h @exception.message %></h2>
 
   <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx %>
   <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
   <%= render template: "rescues/_request_and_response" %>
-</div>
+</main>

data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb

@@ -1,7 +1,7 @@
-<header>
+<header role="banner">
   <h1>Routing Error</h1>
 </header>
-<div id="container">
+<main role="main" id="container">
   <h2><%= h @exception.message %></h2>
   <% unless @exception.failures.empty? %>
     <p>
@@ -29,4 +29,4 @@
   <% end %>
 
   <%= render template: "rescues/_request_and_response" %>
-</div>
+</main>

data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb

@@ -1,11 +1,11 @@
-<header>
+<header role="banner">
   <h1>
     <%= @exception.cause.class.to_s %> in
     <%= @request.parameters["controller"].camelize if @request.parameters["controller"] %>#<%= @request.parameters["action"] %>
   </h1>
 </header>
 
-<div id="container">
+<main role="main" id="container">
   <p>
     Showing <i><%= @exception.file_name %></i> where line <b>#<%= @exception.line_number %></b> raised:
   </p>
@@ -17,4 +17,4 @@
 
   <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
   <%= render template: "rescues/_request_and_response" %>
-</div>
+</main>

data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb

@@ -1,6 +1,6 @@
-<header>
+<header role="banner">
   <h1>Unknown action</h1>
 </header>
-<div id="container">
+<main role="main" id="container">
   <%= render "rescues/message_and_suggestions", exception: @exception %>
-</div>
+</main>

data/lib/action_dispatch/middleware/templates/routes/_table.html.erb

@@ -51,22 +51,13 @@
   }
 
   @media (prefers-color-scheme: dark) {
-    body {
-      background-color: #222;
-      color: #ECECEC;
-    }
-
     #route_table tbody tr:nth-child(odd) {
-      background: #333;
-    }
-
-    #route_table tbody tr:nth-child(even) {
-      background: #444;
+      background: #282828;
     }
 
-    #route_table tbody.exact_matches,
-    #route_table tbody.fuzzy_matches {
-      color: #333;
+    #route_table tbody.exact_matches tr,
+    #route_table tbody.fuzzy_matches tr {
+      background: DarkSlateGrey;
     }
   }
 <% end %>
@@ -104,7 +95,7 @@
   </tbody>
 </table>
 
-<script type='text/javascript'>
+<script>
   // support forEach iterator on NodeList
   NodeList.prototype.forEach = Array.prototype.forEach;
 

data/lib/action_dispatch/railtie.rb

@@ -24,6 +24,8 @@ module ActionDispatch
     config.action_dispatch.use_cookies_with_metadata = false
     config.action_dispatch.perform_deep_munge = true
     config.action_dispatch.request_id_header = "X-Request-Id"
+    config.action_dispatch.return_only_request_media_type_on_content_type = true
+    config.action_dispatch.log_rescued_responses = true
 
     config.action_dispatch.default_headers = {
       "X-Frame-Options" => "SAMEORIGIN",
@@ -41,8 +43,12 @@ module ActionDispatch
     initializer "action_dispatch.configure" do |app|
       ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
-      ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
-      ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
+
+      ActiveSupport.on_load(:action_dispatch_request) do
+        self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
+        self.return_only_media_type_on_content_type = app.config.action_dispatch.return_only_request_media_type_on_content_type
+        ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
+      end
 
       ActiveSupport.on_load(:action_dispatch_response) do
         self.default_charset = app.config.action_dispatch.default_charset || app.config.encoding

data/lib/action_dispatch/request/session.rb

@@ -6,6 +6,7 @@ module ActionDispatch
   class Request
     # Session is responsible for lazily loading the session from store.
     class Session # :nodoc:
+      DisabledSessionError    = Class.new(StandardError)
       ENV_SESSION_KEY         = Rack::RACK_SESSION # :nodoc:
       ENV_SESSION_OPTIONS_KEY = Rack::RACK_SESSION_OPTIONS # :nodoc:
 
@@ -23,6 +24,12 @@ module ActionDispatch
         session
       end
 
+      def self.disabled(req)
+        new(nil, req, enabled: false).tap do
+          Session::Options.set(req, Session::Options.new(nil, { id: nil }))
+        end
+      end
+
       def self.find(req)
         req.get_header ENV_SESSION_KEY
       end
@@ -31,7 +38,11 @@ module ActionDispatch
         req.set_header ENV_SESSION_KEY, session
       end
 
-      class Options #:nodoc:
+      def self.delete(req)
+        req.delete_header ENV_SESSION_KEY
+      end
+
+      class Options # :nodoc:
         def self.set(req, options)
           req.set_header ENV_SESSION_OPTIONS_KEY, options
         end
@@ -60,30 +71,38 @@ module ActionDispatch
         def values_at(*args); @delegate.values_at(*args); end
       end
 
-      def initialize(by, req)
+      def initialize(by, req, enabled: true)
         @by       = by
         @req      = req
         @delegate = {}
         @loaded   = false
         @exists   = nil # We haven't checked yet.
+        @enabled  = enabled
       end
 
       def id
         options.id(@req)
       end
 
+      def enabled?
+        @enabled
+      end
+
       def options
         Options.find @req
       end
 
       def destroy
         clear
-        options = self.options || {}
-        @by.send(:delete_session, @req, options.id(@req), options)
 
-        # Load the new sid to be written with the response.
-        @loaded = false
-        load_for_write!
+        if enabled?
+          options = self.options || {}
+          @by.send(:delete_session, @req, options.id(@req), options)
+
+          # Load the new sid to be written with the response.
+          @loaded = false
+          load_for_write!
+        end
       end
 
       # Returns value of the key stored in the session or
@@ -135,7 +154,7 @@ module ActionDispatch
 
       # Clears the session.
       def clear
-        load_for_write!
+        load_for_delete!
         @delegate.clear
       end
 
@@ -163,7 +182,7 @@ module ActionDispatch
 
       # Deletes given key from the session.
       def delete(key)
-        load_for_write!
+        load_for_delete!
         @delegate.delete key.to_s
       end
 
@@ -199,6 +218,7 @@ module ActionDispatch
       end
 
       def exists?
+        return false unless enabled?
         return @exists unless @exists.nil?
         @exists = @by.send(:session_exists?, @req)
       end
@@ -227,13 +247,23 @@ module ActionDispatch
         end
 
         def load_for_write!
-          load! unless loaded?
+          if enabled?
+            load! unless loaded?
+          else
+            raise DisabledSessionError, "Your application has sessions disabled. To write to the session you must first configure a session store"
+          end
+        end
+
+        def load_for_delete!
+          load! if enabled? && !loaded?
         end
 
         def load!
-          id, session = @by.load_session @req
-          options[:id] = id
-          @delegate.replace(session.stringify_keys)
+          if enabled?
+            id, session = @by.load_session @req
+            options[:id] = id
+            @delegate.replace(session.stringify_keys)
+          end
           @loaded = true
         end
     end

data/lib/action_dispatch/routing/inspector.rb

@@ -5,7 +5,7 @@ require "io/console/size"
 
 module ActionDispatch
   module Routing
-    class RouteWrapper < SimpleDelegator
+    class RouteWrapper < SimpleDelegator # :nodoc:
       def endpoint
         app.dispatcher? ? "#{controller}##{action}" : rack_app.inspect
       end