actionpack 7.0.0.alpha2 → 7.0.0

data/lib/action_controller/metal/strong_parameters.rb

@@ -81,7 +81,7 @@ module ActionController
   #   })
   #
   #   permitted = params.require(:person).permit(:name, :age)
-  #   permitted            # => <ActionController::Parameters {"name"=>"Francesco", "age"=>22} permitted: true>
+  #   permitted            # => #<ActionController::Parameters {"name"=>"Francesco", "age"=>22} permitted: true>
   #   permitted.permitted? # => true
   #
   #   Person.first.update!(permitted)
@@ -111,7 +111,7 @@ module ActionController
   #
   #   params = ActionController::Parameters.new(a: "123", b: "456")
   #   params.permit(:c)
-  #   # => <ActionController::Parameters {} permitted: true>
+  #   # => #<ActionController::Parameters {} permitted: true>
   #
   #   ActionController::Parameters.action_on_unpermitted_parameters = :raise
   #
@@ -442,7 +442,7 @@ module ActionController
     # either present or the singleton +false+, returns said value:
     #
     #   ActionController::Parameters.new(person: { name: "Francesco" }).require(:person)
-    #   # => <ActionController::Parameters {"name"=>"Francesco"} permitted: false>
+    #   # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #
     # Otherwise raises <tt>ActionController::ParameterMissing</tt>:
     #
@@ -570,13 +570,48 @@ module ActionController
     #   })
     #
     #   params.require(:person).permit(:contact)
-    #   # => <ActionController::Parameters {} permitted: true>
+    #   # => #<ActionController::Parameters {} permitted: true>
     #
     #   params.require(:person).permit(contact: :phone)
-    #   # => <ActionController::Parameters {"contact"=><ActionController::Parameters {"phone"=>"555-1234"} permitted: true>} permitted: true>
+    #   # => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"phone"=>"555-1234"} permitted: true>} permitted: true>
     #
     #   params.require(:person).permit(contact: [ :email, :phone ])
-    #   # => <ActionController::Parameters {"contact"=><ActionController::Parameters {"email"=>"none@test.com", "phone"=>"555-1234"} permitted: true>} permitted: true>
+    #   # => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"email"=>"none@test.com", "phone"=>"555-1234"} permitted: true>} permitted: true>
+    #
+    # If your parameters specify multiple parameters indexed by a number,
+    # you can permit each set of parameters under the numeric key to be the same using the same syntax as permitting a single item.
+    #
+    #   params = ActionController::Parameters.new({
+    #     person: {
+    #       '0': {
+    #         email: "none@test.com",
+    #         phone: "555-1234"
+    #       },
+    #       '1': {
+    #         email: "nothing@test.com",
+    #         phone: "555-6789"
+    #       },
+    #     }
+    #   })
+    #   params.permit(person: [:email]).to_h
+    #   # => {"person"=>{"0"=>{"email"=>"none@test.com"}, "1"=>{"email"=>"nothing@test.com"}}}
+    #
+    # If you want to specify what keys you want from each numeric key, you can instead specify each one individually
+    #
+    #   params = ActionController::Parameters.new({
+    #     person: {
+    #       '0': {
+    #         email: "none@test.com",
+    #         phone: "555-1234"
+    #       },
+    #       '1': {
+    #         email: "nothing@test.com",
+    #         phone: "555-6789"
+    #       },
+    #     }
+    #   })
+    #   params.permit(person: { '0': [:email], '1': [:phone]}).to_h
+    #   # => {"person"=>{"0"=>{"email"=>"none@test.com"}, "1"=>{"phone"=>"555-6789"}}}
     def permit(*filters)
       params = self.class.new
 
@@ -598,7 +633,7 @@ module ActionController
     # returns +nil+.
     #
     #   params = ActionController::Parameters.new(person: { name: "Francesco" })
-    #   params[:person] # => <ActionController::Parameters {"name"=>"Francesco"} permitted: false>
+    #   params[:person] # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #   params[:none]   # => nil
     def [](key)
       convert_hashes_to_parameters(key, @parameters[key])
@@ -618,9 +653,9 @@ module ActionController
     # is given, then that will be run and its result returned.
     #
     #   params = ActionController::Parameters.new(person: { name: "Francesco" })
-    #   params.fetch(:person)               # => <ActionController::Parameters {"name"=>"Francesco"} permitted: false>
+    #   params.fetch(:person)               # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #   params.fetch(:none)                 # => ActionController::ParameterMissing: param is missing or the value is empty: none
-    #   params.fetch(:none, {})             # => <ActionController::Parameters {} permitted: false>
+    #   params.fetch(:none, {})             # => #<ActionController::Parameters {} permitted: false>
     #   params.fetch(:none, "Francesco")    # => "Francesco"
     #   params.fetch(:none) { "Francesco" } # => "Francesco"
     def fetch(key, *args)
@@ -654,8 +689,8 @@ module ActionController
     # don't exist, returns an empty hash.
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
-    #   params.slice(:a, :b) # => <ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
-    #   params.slice(:d)     # => <ActionController::Parameters {} permitted: false>
+    #   params.slice(:a, :b) # => #<ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
+    #   params.slice(:d)     # => #<ActionController::Parameters {} permitted: false>
     def slice(*keys)
       new_instance_with_inherited_permitted_status(@parameters.slice(*keys))
     end
@@ -671,8 +706,8 @@ module ActionController
     # filters out the given +keys+.
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
-    #   params.except(:a, :b) # => <ActionController::Parameters {"c"=>3} permitted: false>
-    #   params.except(:d)     # => <ActionController::Parameters {"a"=>1, "b"=>2, "c"=>3} permitted: false>
+    #   params.except(:a, :b) # => #<ActionController::Parameters {"c"=>3} permitted: false>
+    #   params.except(:d)     # => #<ActionController::Parameters {"a"=>1, "b"=>2, "c"=>3} permitted: false>
     def except(*keys)
       new_instance_with_inherited_permitted_status(@parameters.except(*keys))
     end
@@ -680,8 +715,8 @@ module ActionController
     # Removes and returns the key/value pairs matching the given keys.
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
-    #   params.extract!(:a, :b) # => <ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
-    #   params                  # => <ActionController::Parameters {"c"=>3} permitted: false>
+    #   params.extract!(:a, :b) # => #<ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
+    #   params                  # => #<ActionController::Parameters {"c"=>3} permitted: false>
     def extract!(*keys)
       new_instance_with_inherited_permitted_status(@parameters.extract!(*keys))
     end
@@ -691,7 +726,7 @@ module ActionController
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
     #   params.transform_values { |x| x * 2 }
-    #   # => <ActionController::Parameters {"a"=>2, "b"=>4, "c"=>6} permitted: false>
+    #   # => #<ActionController::Parameters {"a"=>2, "b"=>4, "c"=>6} permitted: false>
     def transform_values
       return to_enum(:transform_values) unless block_given?
       new_instance_with_inherited_permitted_status(
@@ -928,7 +963,7 @@ module ActionController
         when Array
           return value if converted_arrays.member?(value)
           converted = value.map { |_| convert_value_to_parameters(_) }
-          converted_arrays << converted
+          converted_arrays << converted.dup
           converted
         when Hash
           self.class.new(value)
@@ -937,12 +972,18 @@ module ActionController
         end
       end
 
-      def each_element(object, &block)
+      def specify_numeric_keys?(filter)
+        if filter.respond_to?(:keys)
+          filter.keys.any? { |key| /\A-?\d+\z/.match?(key) }
+        end
+      end
+
+      def each_element(object, filter, &block)
         case object
         when Array
           object.grep(Parameters).filter_map(&block)
         when Parameters
-          if object.nested_attributes?
+          if object.nested_attributes? && !specify_numeric_keys?(filter)
             object.each_nested_attribute(&block)
           else
             yield object
@@ -1055,7 +1096,7 @@ module ActionController
             end
           elsif non_scalar?(value)
             # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }.
-            params[key] = each_element(value) do |element|
+            params[key] = each_element(value, filter[key]) do |element|
               element.permit(*Array.wrap(filter[key]))
             end
           end

data/lib/action_controller/metal/testing.rb

@@ -4,6 +4,15 @@ module ActionController
   module Testing
     # Behavior specific to functional tests
     module Functional # :nodoc:
+      def clear_instance_variables_between_requests
+        if defined?(@_ivars)
+          new_ivars = instance_variables - @_ivars
+          new_ivars.each { |ivar| remove_instance_variable(ivar) }
+        end
+
+        @_ivars = instance_variables
+      end
+
       def recycle!
         @_url_options = nil
         self.formats = nil

data/lib/action_controller/railtie.rb

@@ -12,6 +12,7 @@ module ActionController
     config.action_controller = ActiveSupport::OrderedOptions.new
     config.action_controller.raise_on_open_redirects = false
     config.action_controller.log_query_tags_around_actions = true
+    config.action_controller.wrap_parameters_by_default = false
 
     config.eager_load_namespaces << ActionController
 
@@ -62,15 +63,18 @@ module ActionController
         extend ::AbstractController::Railties::RoutesHelpers.with(app.routes)
         extend ::ActionController::Railties::Helpers
 
+        wrap_parameters format: [:json] if options.wrap_parameters_by_default && respond_to?(:wrap_parameters)
+
         # Configs used in other initializers
-        options = options.except(
+        filtered_options = options.except(
           :log_query_tags_around_actions,
           :permit_all_parameters,
           :action_on_unpermitted_parameters,
-          :always_permitted_parameters
+          :always_permitted_parameters,
+          :wrap_parameters_by_default
         )
 
-        options.each do |k, v|
+        filtered_options.each do |k, v|
           k = "#{k}="
           if respond_to?(k)
             send(k, v)
@@ -109,18 +113,20 @@ module ActionController
       if query_logs_tags_enabled
         app.config.active_record.query_log_tags += [:controller, :action]
 
-        ActiveSupport.on_load(:action_controller) do
-          include ActionController::QueryTags
-        end
-
         ActiveSupport.on_load(:active_record) do
           ActiveRecord::QueryLogs.taggings.merge!(
-            controller:            ->(context) { context[:controller].controller_name },
-            action:                ->(context) { context[:controller].action_name },
-            namespaced_controller: ->(context) { context[:controller].class.name }
+            controller:            ->(context) { context[:controller]&.controller_name },
+            action:                ->(context) { context[:controller]&.action_name },
+            namespaced_controller: ->(context) { context[:controller].class.name if context[:controller] }
           )
         end
       end
     end
+
+    initializer "action_controller.test_case" do |app|
+      ActiveSupport.on_load(:action_controller_test_case) do
+        ActionController::TestCase.executor_around_each_request = app.config.active_support.executor_around_test_case
+      end
+    end
   end
 end

data/lib/action_controller/test_case.rb

@@ -333,6 +333,8 @@ module ActionController
   #
   #  assert_redirected_to page_url(title: 'foo')
   class TestCase < ActiveSupport::TestCase
+    singleton_class.attr_accessor :executor_around_each_request
+
     module Behavior
       extend ActiveSupport::Concern
       include ActionDispatch::TestProcess
@@ -463,9 +465,15 @@ module ActionController
       # prefer using #get, #post, #patch, #put, #delete and #head methods
       # respectively which will make tests more expressive.
       #
+      # It's not recommended to make more than one request in the same test. Instance
+      # variables that are set in one request will not persist to the next request,
+      # but it's not guaranteed that all Rails internal state will be reset. Prefer
+      # ActionDispatch::IntegrationTest for making multiple requests in the same test.
+      #
       # Note that the request method is not verified.
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
+        @controller.clear_instance_variables_between_requests
 
         action = +action.to_s
         http_method = method.to_s.upcase
@@ -578,10 +586,19 @@ module ActionController
           end
         end
 
+        def wrap_execution(&block)
+          if ActionController::TestCase.executor_around_each_request && defined?(Rails.application) && Rails.application
+            Rails.application.executor.wrap(&block)
+          else
+            yield
+          end
+        end
+
         def process_controller_response(action, cookies, xhr)
           begin
             @controller.recycle!
-            @controller.dispatch(action, @request, @response)
+
+            wrap_execution { @controller.dispatch(action, @request, @response) }
           ensure
             @request = @controller.request
             @response = @controller.response
@@ -627,7 +644,7 @@ module ActionController
         end
 
         def check_required_ivars
-          # Sanity check for required instance variables so we can give an
+          # Check for required instance variables so we can give an
           # understandable error message.
           [:@routes, :@controller, :@request, :@response].each do |iv_name|
             if !instance_variable_defined?(iv_name) || instance_variable_get(iv_name).nil?

data/lib/action_controller.rb

@@ -37,7 +37,6 @@ module ActionController
     autoload :Logging
     autoload :MimeResponds
     autoload :ParamsWrapper
-    autoload :QueryTags
     autoload :Redirecting
     autoload :Renderers
     autoload :Rendering

data/lib/action_dispatch/http/response.rb

@@ -86,18 +86,6 @@ module ActionDispatch # :nodoc:
     cattr_accessor :default_charset, default: "utf-8"
     cattr_accessor :default_headers
 
-    def self.return_only_media_type_on_content_type=(*)
-      ActiveSupport::Deprecation.warn(
-        ".return_only_media_type_on_content_type= is deprecated with no replacement and will be removed in 7.0."
-      )
-    end
-
-    def self.return_only_media_type_on_content_type
-      ActiveSupport::Deprecation.warn(
-        ".return_only_media_type_on_content_type is deprecated with no replacement and will be removed in 7.0."
-      )
-    end
-
     include Rack::Response::Helpers
     # Aliasing these off because AD::Http::Cache::Response defines them.
     alias :_cache_control :cache_control

data/lib/action_dispatch/http/url.rb

@@ -71,7 +71,8 @@ module ActionDispatch
           path = options[:script_name].to_s.chomp("/")
           path << options[:path] if options.key?(:path)
 
-          add_trailing_slash(path) if options[:trailing_slash]
+          path = "/" if options[:trailing_slash] && path.blank?
+
           add_params(path, options[:params]) if options.key?(:params)
           add_anchor(path, options[:anchor]) if options.key?(:anchor)
 
@@ -101,14 +102,6 @@ module ActionDispatch
             parts[0..-(tld_length + 2)]
           end
 
-          def add_trailing_slash(path)
-            if path.include?("?")
-              path.sub!(/\?/, '/\&')
-            elsif !path.include?(".")
-              path.sub!(/[^\/]\z|\A\z/, '\&/')
-            end
-          end
-
           def build_host_url(host, port, protocol, options, path)
             if match = host.match(HOST_REGEXP)
               protocol ||= match[1] unless protocol == false

data/lib/action_dispatch/journey/nodes/node.rb

@@ -53,7 +53,7 @@ module ActionDispatch
               if formatted != false
                 # Add a constraint for wildcard route to make it non-greedy and
                 # match the optional format part of the route by default.
-                wildcard_options[node.name.to_sym] ||= /.+?/
+                wildcard_options[node.name.to_sym] ||= /.+?/m
               end
             end
 
@@ -166,7 +166,7 @@ module ActionDispatch
           super(left)
 
           # By default wildcard routes are non-greedy and must match something.
-          @regexp = /.+?/
+          @regexp = /.+?/m
         end
 
         def star?; true; end

data/lib/action_dispatch/journey/route.rb

@@ -91,7 +91,7 @@ module ActionDispatch
       # as requirements.
       def requirements
         @defaults.merge(path.requirements).delete_if { |_, v|
-          /.+?/ == v
+          /.+?/m == v
         }
       end
 

data/lib/action_dispatch/middleware/cookies.rb

@@ -439,7 +439,7 @@ module ActionDispatch
         end
 
         def write_cookie?(cookie)
-          request.ssl? || !cookie[:secure] || always_write_cookie
+          request.ssl? || !cookie[:secure] || always_write_cookie || request.host.end_with?(".onion")
         end
 
         def handle_options(options)

data/lib/action_dispatch/middleware/executor.rb

@@ -13,6 +13,9 @@ module ActionDispatch
       begin
         response = @app.call(env)
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
+      rescue => error
+        @executor.error_reporter.report(error, handled: false)
+        raise
       ensure
         state.complete! unless returned
       end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -11,8 +11,22 @@ module ActionDispatch
   #
   # When a request comes to an unauthorized host, the +response_app+
   # application will be executed and rendered. If no +response_app+ is given, a
-  # default one will run, which responds with <tt>403 Forbidden</tt>.
+  # default one will run.
+  # The default response app logs blocked host info with level 'error' and
+  # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
+  # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
   class HostAuthorization
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    PORT_REGEX = /(?::\d+)/ # :nodoc:
+    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
+    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
+    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
+    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
+      /\A#{IPV4_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME}\z/,
+      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
+    )
+
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
@@ -24,11 +38,17 @@ module ActionDispatch
 
       def allows?(host)
         @hosts.any? do |allowed|
-          allowed === host
-        rescue
-          # IPAddr#=== raises an error if you give it a hostname instead of
-          # IP. Treat similar errors as blocked access.
-          false
+          if allowed.is_a?(IPAddr)
+            begin
+              allowed === extract_hostname(host)
+            rescue
+              # IPAddr#=== raises an error if you give it a hostname instead of
+              # IP. Treat similar errors as blocked access.
+              false
+            end
+          else
+            allowed === host
+          end
         end
       end
 
@@ -44,46 +64,67 @@ module ActionDispatch
         end
 
         def sanitize_regexp(host)
-          /\A#{host}\z/
+          /\A#{host}#{PORT_REGEX}?\z/
         end
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
+            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
-            /\A#{Regexp.escape host}\z/i
+            /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
         end
+
+        def extract_hostname(host)
+          host.slice(VALID_IP_HOSTNAME, "host") || host
+        end
     end
 
-    DEFAULT_RESPONSE_APP = -> env do
-      request = Request.new(env)
+    class DefaultResponseApp # :nodoc:
+      RESPONSE_STATUS = 403
+
+      def call(env)
+        request = Request.new(env)
+        format = request.xhr? ? "text/plain" : "text/html"
+
+        log_error(request)
+        response(format, response_body(request))
+      end
+
+      private
+        def response_body(request)
+          return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
 
-      format = request.xhr? ? "text/plain" : "text/html"
-      template = DebugView.new(host: request.host)
-      body = template.render(template: "rescues/blocked_host", layout: "rescues/layout")
+          template = DebugView.new(host: request.host)
+          template.render(template: "rescues/blocked_host", layout: "rescues/layout")
+        end
+
+        def response(format, body)
+          [RESPONSE_STATUS,
+           { "Content-Type" => "#{format}; charset=#{Response.default_charset}",
+             "Content-Length" => body.bytesize.to_s },
+           [body]]
+        end
+
+        def log_error(request)
+          logger = available_logger(request)
+
+          return unless logger
+
+          logger.error("[#{self.class.name}] Blocked host: #{request.host}")
+        end
 
-      [403, {
-        "Content-Type" => "#{format}; charset=#{Response.default_charset}",
-        "Content-Length" => body.bytesize.to_s,
-      }, [body]]
+        def available_logger(request)
+          request.logger || ActionView::Base.logger
+        end
     end
 
-    def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil)
+    def initialize(app, hosts, exclude: nil, response_app: nil)
       @app = app
       @permissions = Permissions.new(hosts)
       @exclude = exclude
 
-      unless deprecated_response_app.nil?
-        ActiveSupport::Deprecation.warn(<<-MSG.squish)
-          `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 7.0.
-          Use the Host Authorization `response_app` setting instead.
-        MSG
-
-        response_app ||= deprecated_response_app
-      end
-
-      @response_app = response_app || DEFAULT_RESPONSE_APP
+      @response_app = response_app || DefaultResponseApp.new
     end
 
     def call(env)
@@ -100,13 +141,9 @@ module ActionDispatch
     end
 
     private
-      HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
-      VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
-      VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
-
       def authorized?(request)
-        origin_host = request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
-        forwarded_host = request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
+        origin_host = request.get_header("HTTP_HOST")
+        forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
 
         @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
       end

data/lib/action_dispatch/middleware/server_timing.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "active_support/notifications"
+
+module ActionDispatch
+  class ServerTiming
+    SERVER_TIMING_HEADER = "Server-Timing"
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      events = []
+      subscriber = ActiveSupport::Notifications.subscribe(/.*/) do |*args|
+        events << ActiveSupport::Notifications::Event.new(*args)
+      end
+
+      status, headers, body = begin
+        @app.call(env)
+      ensure
+        ActiveSupport::Notifications.unsubscribe(subscriber)
+      end
+
+      header_info = events.group_by(&:name).map do |event_name, events_collection|
+        "#{event_name};dur=#{events_collection.sum(&:duration)}"
+      end
+      headers[SERVER_TIMING_HEADER] = header_info.join(", ")
+
+      [ status, headers, body ]
+    end
+  end
+end

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -40,6 +40,7 @@ module ActionDispatch
         request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
         request.set_header "action_dispatch.original_request_method", request.raw_request_method
+        fallback_to_html_format_if_invalid_mime_type(request)
         request.path_info = "/#{status}"
         request.request_method = "GET"
         response = @exceptions_app.call(request.env)
@@ -54,6 +55,15 @@ module ActionDispatch
           "went wrong."]]
       end
 
+      def fallback_to_html_format_if_invalid_mime_type(request)
+        # If the MIME type for the request is invalid then the
+        # @exceptions_app may not be able to handle it. To make it
+        # easier to handle, we switch to HTML.
+        request.formats
+      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+        request.set_header "HTTP_ACCEPT", "text/html"
+      end
+
       def pass_response(status)
         [status, { "Content-Type" => "text/html; charset=#{Response.default_charset}", "Content-Length" => "0" }, []]
       end

data/lib/action_dispatch/middleware/static.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "rack/utils"
-require "active_support/core_ext/uri"
 
 module ActionDispatch
   # This middleware serves static files from disk, if available.

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -4,4 +4,5 @@
 <main role="main" id="container">
   <h2>To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
   <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
+  <p>For more details view: <a href="https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization">the Host Authorization guide</a></p>
 </main>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -3,3 +3,5 @@ Blocked host: <%= @host %>
 To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
 
   config.hosts << "<%= @host %>"
+
+For more details on host authorization view: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization

data/lib/action_dispatch/routing/inspector.rb

@@ -5,7 +5,7 @@ require "io/console/size"
 
 module ActionDispatch
   module Routing
-    class RouteWrapper < SimpleDelegator
+    class RouteWrapper < SimpleDelegator # :nodoc:
       def endpoint
         app.dispatcher? ? "#{controller}##{action}" : rack_app.inspect
       end