actionpack 7.0.4.2 → 7.0.5

data/lib/action_controller/metal/etag_with_flash.rb

@@ -12,7 +12,7 @@ module ActionController
     include ActionController::ConditionalGet
 
     included do
-      etag { flash unless flash.empty? }
+      etag { flash if request.respond_to?(:flash) && !flash.empty? }
     end
   end
 end

data/lib/action_controller/metal/head.rb

@@ -17,7 +17,7 @@ module ActionController
     #   return head(:bad_request) unless valid_request?
     #   render
     #
-    # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list of valid +status+ symbols.
+    # See +Rack::Utils::SYMBOL_TO_STATUS_CODE+ for a full list of valid +status+ symbols.
     def head(status, options = {})
       if status.is_a?(Hash)
         raise ArgumentError, "#{status.inspect} is not a valid value for `status`."

data/lib/action_controller/metal/live.rb

@@ -321,7 +321,7 @@ module ActionController
     def send_stream(filename:, disposition: "attachment", type: nil)
       response.headers["Content-Type"] =
         (type.is_a?(Symbol) ? Mime[type].to_s : type) ||
-        Mime::Type.lookup_by_extension(File.extname(filename).downcase.delete(".")) ||
+        Mime::Type.lookup_by_extension(File.extname(filename).downcase.delete("."))&.to_s ||
         "application/octet-stream"
 
       response.headers["Content-Disposition"] =

data/lib/action_controller/metal/permissions_policy.rb

@@ -5,7 +5,7 @@ module ActionController # :nodoc:
     extend ActiveSupport::Concern
 
     module ClassMethods
-      # Overrides parts of the globally configured Feature-Policy
+      # Overrides parts of the globally configured +Feature-Policy+
       # header:
       #
       #   class PagesController < ApplicationController

data/lib/action_controller/metal/redirecting.rb

@@ -200,7 +200,7 @@ module ActionController
         return true if host == request.host
         return false unless host.nil?
         return false unless url.to_s.start_with?("/")
-        return !url.to_s.start_with?("//")
+        !url.to_s.start_with?("//")
       rescue ArgumentError, URI::Error
         false
       end

data/lib/action_controller/metal/rendering.rb

@@ -24,12 +24,124 @@ module ActionController
       end
     end
 
+    # Renders a template and assigns the result to +self.response_body+.
+    #
+    # If no rendering mode option is specified, the template will be derived
+    # from the first argument.
+    #
+    #   render "posts/show"
+    #   # => renders app/views/posts/show.html.erb
+    #
+    #   # In a PostsController action...
+    #   render :show
+    #   # => renders app/views/posts/show.html.erb
+    #
+    # If the first argument responds to +render_in+, the template will be
+    # rendered by calling +render_in+ with the current view context.
+    #
+    # ==== \Rendering Mode
+    #
+    # [+:partial+]
+    #   See ActionView::PartialRenderer for details.
+    #
+    #     render partial: "posts/form", locals: { post: Post.new }
+    #     # => renders app/views/posts/_form.html.erb
+    #
+    # [+:file+]
+    #   Renders the contents of a file. This option should <b>not</b> be used
+    #   with unsanitized user input.
+    #
+    #     render file: "/path/to/some/file"
+    #     # => renders /path/to/some/file
+    #
+    # [+:inline+]
+    #   Renders an ERB template string.
+    #
+    #     @name = "World"
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>"
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:body+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render body: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:plain+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render plain: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:html+]
+    #   Renders the provided HTML string, and sets the content type as +text/html+.
+    #   If the string is not +html_safe?+, performs HTML escaping on the string
+    #   before rendering.
+    #
+    #     render html: "<h1>Hello, World!</h1>".html_safe
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    #     render html: "<h1>Hello, World!</h1>"
+    #     # => renders "&lt;h1&gt;Hello, World!&lt;/h1&gt;"
+    #
+    # [+:json+]
+    #   Renders the provided object as JSON, and sets the content type as
+    #   +application/json+. If the object is not a string, it will be converted
+    #   to JSON by calling +to_json+.
+    #
+    #     render json: { hello: "world" }
+    #     # => renders "{\"hello\":\"world\"}"
+    #
+    # By default, when a rendering mode is specified, no layout template is
+    # rendered.
+    #
+    # ==== Options
+    #
+    # [+:assigns+]
+    #   Hash of instance variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>", assigns: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:locals+]
+    #   Hash of local variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= name %>!</h1>", locals: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:layout+]
+    #   The layout template to render. Can also be +false+ or +true+ to disable
+    #   or (re)enable the default layout template.
+    #
+    #     render "posts/show", layout: "holiday"
+    #     # => renders app/views/posts/show.html.erb with the app/views/layouts/holiday.html.erb layout
+    #
+    #     render "posts/show", layout: false
+    #     # => renders app/views/posts/show.html.erb with no layout
+    #
+    #     render inline: "<h1>Hello, World!</h1>", layout: true
+    #     # => renders "<h1>Hello, World!</h1>" with the default layout
+    #
+    # [+:status+]
+    #   The HTTP status code to send with the response. Can be specified as a
+    #   number or as the status name in Symbol form. Defaults to 200.
+    #
+    #     render "posts/new", status: 422
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #     render "posts/new", status: :unprocessable_entity
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #--
     # Check for double render errors and set the content_type after rendering.
-    def render(*args) # :nodoc:
+    def render(*args)
       raise ::AbstractController::DoubleRenderError if response_body
       super
     end
 
+    # Similar to #render, but only returns the rendered template as a string,
+    # instead of setting +self.response_body+.
+    #--
     # Override render_to_string because body can now be set to a Rack body.
     def render_to_string(*)
       result = super
@@ -42,7 +154,7 @@ module ActionController
       end
     end
 
-    def render_to_body(options = {})
+    def render_to_body(options = {}) # :nodoc:
       super || _render_in_priorities(options) || " "
     end
 

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -118,9 +118,11 @@ module ActionController # :nodoc:
       #     protect_from_forgery except: :index
       #   end
       #
-      # You can disable forgery protection on controller by skipping the verification before_action:
+      # You can disable forgery protection on a controller using skip_forgery_protection:
       #
-      #   skip_before_action :verify_authenticity_token
+      #   class BarController < ApplicationController
+      #     skip_forgery_protection
+      #   end
       #
       # Valid Options:
       #
@@ -334,7 +336,7 @@ module ActionController # :nodoc:
       #
       # * Is it a GET or HEAD request? GETs should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
-      # * Does the X-CSRF-Token header match the form_authenticity_token?
+      # * Does the +X-CSRF-Token+ header match the form_authenticity_token?
       def verified_request? # :doc:
         !protect_against_forgery? || request.get? || request.head? ||
           (valid_request_origin? && any_authenticity_token_valid?)

data/lib/action_controller/metal/streaming.rb

@@ -147,7 +147,7 @@ module ActionController # :nodoc:
   # needs to inject contents in the HTML body.
   #
   # Also <tt>Rack::Cache</tt> won't work with streaming as it does not support
-  # streaming bodies yet. Whenever streaming Cache-Control is automatically
+  # streaming bodies yet. Whenever streaming +Cache-Control+ is automatically
   # set to "no-cache".
   #
   # == Errors

data/lib/action_controller/metal/url_for.rb

@@ -6,10 +6,8 @@ module ActionController
   #
   # In addition to AbstractController::UrlFor, this module accesses the HTTP layer to define
   # URL options like the +host+. In order to do so, this module requires the host class
-  # to implement +env+ which needs to be Rack-compatible and +request+
-  # which is either an instance of ActionDispatch::Request or an object
-  # that responds to the +host+, +optional_port+, +protocol+, and
-  # +symbolized_path_parameter+ methods.
+  # to implement +env+ which needs to be Rack-compatible, and +request+ which
+  # returns an ActionDispatch::Request instance.
   #
   #   class RootUrl
   #     include ActionController::UrlFor

data/lib/action_controller/railtie.rb

@@ -111,7 +111,8 @@ module ActionController
         app.config.action_controller.log_query_tags_around_actions
 
       if query_logs_tags_enabled
-        app.config.active_record.query_log_tags += [:controller, :action]
+        app.config.active_record.query_log_tags |= [:controller] unless app.config.active_record.query_log_tags.include?(:namespaced_controller)
+        app.config.active_record.query_log_tags |= [:action]
 
         ActiveSupport.on_load(:active_record) do
           ActiveRecord::QueryLogs.taggings.merge!(

data/lib/action_controller/renderer.rb

@@ -68,26 +68,7 @@ module ActionController
       @env = normalize_keys defaults, env
     end
 
-    # Render templates with any options from ActionController::Base#render_to_string.
-    #
-    # The primary options are:
-    # * <tt>:partial</tt> - See ActionView::PartialRenderer for details.
-    # * <tt>:file</tt> - Renders an explicit template file. Add <tt>:locals</tt> to pass in, if so desired.
-    #   It shouldn’t be used directly with unsanitized user input due to lack of validation.
-    # * <tt>:inline</tt> - Renders an ERB template string.
-    # * <tt>:plain</tt> - Renders provided text and sets the content type as <tt>text/plain</tt>.
-    # * <tt>:html</tt> - Renders the provided HTML safe string, otherwise
-    #   performs HTML escape on the string first. Sets the content type as <tt>text/html</tt>.
-    # * <tt>:json</tt> - Renders the provided hash or object in JSON. You don't
-    #   need to call <tt>.to_json</tt> on the object you want to render.
-    # * <tt>:body</tt> - Renders provided text and sets content type of <tt>text/plain</tt>.
-    #
-    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
-    #
-    # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
-    # passing in the current view context.
-    #
-    # Otherwise, a partial is rendered using the second parameter as the locals hash.
+    # Renders a template to a string, just like ActionController::Rendering#render_to_string.
     def render(*args)
       raise "missing controller" unless controller
 

data/lib/action_dispatch/http/cache.rb

@@ -32,8 +32,8 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (Last-Modified and ETag) against request
-        # If-Modified-Since and If-None-Match conditions. If both headers are
+        # Check response freshness (+Last-Modified+ and ETag) against request
+        # +If-Modified-Since+ and +If-None-Match+ conditions. If both headers are
         # supplied, both must match, or the request is not considered fresh.
         def fresh?(response)
           last_modified = if_modified_since
@@ -81,8 +81,8 @@ module ActionDispatch
 
         # This method sets a weak ETag validator on the response so browsers
         # and proxies may cache the response, keyed on the ETag. On subsequent
-        # requests, the If-None-Match header is set to the cached ETag. If it
-        # matches the current ETag, we can return a 304 Not Modified response
+        # requests, the +If-None-Match+ header is set to the cached ETag. If it
+        # matches the current ETag, we can return a <tt>304 Not Modified</tt> response
         # with no body, letting the browser or proxy know that their cache is
         # current. Big savings in request time and network bandwidth.
         #
@@ -92,7 +92,7 @@ module ActionDispatch
         # is viewing.
         #
         # Strong ETags are considered byte-for-byte identical. They allow a
-        # browser or proxy cache to support Range requests, useful for paging
+        # browser or proxy cache to support +Range+ requests, useful for paging
         # through a PDF file or scrubbing through a video. Some CDNs only
         # support strong ETags and will ignore weak ETags entirely.
         #
@@ -112,12 +112,12 @@ module ActionDispatch
 
         def etag?; etag; end
 
-        # True if an ETag is set and it's a weak validator (preceded with W/)
+        # True if an ETag is set, and it's a weak validator (preceded with <tt>W/</tt>).
         def weak_etag?
           etag? && etag.start_with?('W/"')
         end
 
-        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        # True if an ETag is set, and it isn't a weak validator (not preceded with <tt>W/</tt>).
         def strong_etag?
           etag? && !weak_etag?
         end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -33,7 +33,11 @@ module ActionDispatch # :nodoc:
 
       def call(env)
         request = ActionDispatch::Request.new env
-        _, headers, _ = response = @app.call(env)
+        status, headers, _ = response = @app.call(env)
+
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
+        # CSP headers might not match nonces in the cached HTML.
+        return response if status == 304
 
         return response if policy_present?(headers)
 

data/lib/action_dispatch/http/filter_parameters.rb

@@ -4,33 +4,13 @@ require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # Allows you to specify sensitive parameters which will be replaced from
-    # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
-    # from a hash is possible by using the dot notation: 'credit_card.number'.
-    # If a block is given, each key and value of the params hash and all
-    # sub-hashes are passed to it, where the value or the key can be replaced using
-    # String#replace or similar methods.
-    #
-    #   env["action_dispatch.parameter_filter"] = [:password]
-    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    # Allows you to specify sensitive query string and POST parameters to filter
+    # from the request log.
     #
+    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
-    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
-    #
-    #   env["action_dispatch.parameter_filter"] = [ /\Apin\z/i, /\Apin_/i ]
-    #   => replaces the value for the exact (case-insensitive) key 'pin' and all
-    #   (case-insensitive) keys beginning with 'pin_', with "[FILTERED]"
-    #   Does not match keys with 'pin' as a substring, such as 'shipping_id'.
-    #
-    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
-    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
-    #   change { file: { code: "xxxx"} }
     #
-    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k.match?(/secret/i)
-    #   end
-    #   => reverses the value to all keys matching /secret/i
+    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
       NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:

data/lib/action_dispatch/http/headers.rb

@@ -65,7 +65,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
       def add(key, value)
         @req.add_header env_name(key), value
       end

data/lib/action_dispatch/http/request.rb

@@ -107,22 +107,21 @@ module ActionDispatch
       has_header? key
     end
 
-    # List of HTTP request methods from the following RFCs:
-    # Hypertext Transfer Protocol -- HTTP/1.1 (https://www.ietf.org/rfc/rfc2616.txt)
-    # HTTP Extensions for Distributed Authoring -- WEBDAV (https://www.ietf.org/rfc/rfc2518.txt)
-    # Versioning Extensions to WebDAV (https://www.ietf.org/rfc/rfc3253.txt)
-    # Ordered Collections Protocol (WebDAV) (https://www.ietf.org/rfc/rfc3648.txt)
-    # Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol (https://www.ietf.org/rfc/rfc3744.txt)
-    # Web Distributed Authoring and Versioning (WebDAV) SEARCH (https://www.ietf.org/rfc/rfc5323.txt)
-    # Calendar Extensions to WebDAV (https://www.ietf.org/rfc/rfc4791.txt)
-    # PATCH Method for HTTP (https://www.ietf.org/rfc/rfc5789.txt)
+    # HTTP methods from {RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1}[https://www.ietf.org/rfc/rfc2616.txt]
     RFC2616 = %w(OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT)
+    # HTTP methods from {RFC 2518: HTTP Extensions for Distributed Authoring -- WEBDAV}[https://www.ietf.org/rfc/rfc2518.txt]
     RFC2518 = %w(PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK)
+    # HTTP methods from {RFC 3253: Versioning Extensions to WebDAV}[https://www.ietf.org/rfc/rfc3253.txt]
     RFC3253 = %w(VERSION-CONTROL REPORT CHECKOUT CHECKIN UNCHECKOUT MKWORKSPACE UPDATE LABEL MERGE BASELINE-CONTROL MKACTIVITY)
+    # HTTP methods from {RFC 3648: WebDAV Ordered Collections Protocol}[https://www.ietf.org/rfc/rfc3648.txt]
     RFC3648 = %w(ORDERPATCH)
+    # HTTP methods from {RFC 3744: WebDAV Access Control Protocol}[https://www.ietf.org/rfc/rfc3744.txt]
     RFC3744 = %w(ACL)
+    # HTTP methods from {RFC 5323: WebDAV SEARCH}[https://www.ietf.org/rfc/rfc5323.txt]
     RFC5323 = %w(SEARCH)
+    # HTTP methods from {RFC 4791: Calendaring Extensions to WebDAV}[https://www.ietf.org/rfc/rfc4791.txt]
     RFC4791 = %w(MKCALENDAR)
+    # HTTP methods from {RFC 5789: PATCH Method for HTTP}[https://www.ietf.org/rfc/rfc5789.txt]
     RFC5789 = %w(PATCH)
 
     HTTP_METHODS = RFC2616 + RFC2518 + RFC3253 + RFC3648 + RFC3744 + RFC5323 + RFC4791 + RFC5789
@@ -271,7 +270,7 @@ module ActionDispatch
       super.to_i
     end
 
-    # Returns true if the "X-Requested-With" header contains "XMLHttpRequest"
+    # Returns true if the +X-Requested-With+ header contains "XMLHttpRequest"
     # (case-insensitive), which may need to be manually added depending on the
     # choice of JavaScript libraries and frameworks.
     def xml_http_request?
@@ -297,7 +296,7 @@ module ActionDispatch
 
     ACTION_DISPATCH_REQUEST_ID = "action_dispatch.request_id" # :nodoc:
 
-    # Returns the unique request id, which is based on either the X-Request-Id header that can
+    # Returns the unique request id, which is based on either the +X-Request-Id+ header that can
     # be generated by a firewall, load balancer, or web server, or by the RequestId middleware
     # (which sets the +action_dispatch.request_id+ environment variable).
     #
@@ -341,13 +340,13 @@ module ActionDispatch
     end
 
     # Determine whether the request body contains form-data by checking
-    # the request Content-Type for one of the media-types:
-    # "application/x-www-form-urlencoded" or "multipart/form-data". The
+    # the request +Content-Type+ for one of the media-types:
+    # +application/x-www-form-urlencoded+ or +multipart/form-data+. The
     # list of form-data media types can be modified through the
     # +FORM_DATA_MEDIA_TYPES+ array.
     #
     # A request body is not assumed to contain form-data when no
-    # Content-Type header is provided and the request_method is POST.
+    # +Content-Type+ header is provided and the request_method is POST.
     def form_data?
       FORM_DATA_MEDIA_TYPES.include?(media_type)
     end
@@ -379,7 +378,7 @@ module ActionDispatch
         Request::Utils.check_param_encoding(rack_query_params)
         set_header k, Request::Utils.normalize_encode_params(rack_query_params)
       end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError => e
       raise ActionController::BadRequest.new("Invalid query parameters: #{e.message}")
     end
     alias :query_parameters :GET
@@ -394,7 +393,7 @@ module ActionDispatch
         Request::Utils.check_param_encoding(pr)
         self.request_parameters = Request::Utils.normalize_encode_params(pr)
       end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError, EOFError => e
       raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
     end
     alias :request_parameters :POST

data/lib/action_dispatch/http/response.rb

@@ -501,10 +501,6 @@ module ActionDispatch # :nodoc:
       def to_path
         @response.stream.to_path
       end
-
-      def to_ary
-        nil
-      end
     end
 
     def handle_no_content!

data/lib/action_dispatch/http/upload.rb

@@ -28,6 +28,8 @@ module ActionDispatch
         @tempfile = hash[:tempfile]
         raise(ArgumentError, ":tempfile is required") unless @tempfile
 
+        @content_type = hash[:type]
+
         if hash[:filename]
           @original_filename = hash[:filename].dup
 
@@ -40,8 +42,17 @@ module ActionDispatch
           @original_filename = nil
         end
 
-        @content_type      = hash[:type]
-        @headers           = hash[:head]
+        if hash[:head]
+          @headers = hash[:head].dup
+
+          begin
+            @headers.encode!(Encoding::UTF_8)
+          rescue EncodingError
+            @headers.force_encoding(Encoding::UTF_8)
+          end
+        else
+          @headers = nil
+        end
       end
 
       # Shortcut for +tempfile.read+.

data/lib/action_dispatch/middleware/cookies.rb

@@ -95,7 +95,7 @@ module ActionDispatch
   # Read and write data to cookies through ActionController::Base#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
-  # When writing cookie data, the data is sent out in the HTTP response header, Set-Cookie.
+  # When writing cookie data, the data is sent out in the HTTP response header, +Set-Cookie+.
   #
   # Examples of writing:
   #
@@ -443,7 +443,7 @@ module ActionDispatch
 
           if options[:domain] == :all || options[:domain] == "all"
             cookie_domain = ""
-            dot_splitted_host = request.host.split('.', -1)
+            dot_splitted_host = request.host.split(".", -1)
 
             # Case where request.host is not an IP address or it's an invalid domain
             # (ip confirms to the domain structure we expect so we explicitly check for ip)
@@ -453,10 +453,10 @@ module ActionDispatch
             end
 
             # If there is a provided tld length then we use it otherwise default domain.
-            if options[:tld_length].present? 
+            if options[:tld_length].present?
               # Case where the tld_length provided is valid
               if dot_splitted_host.length >= options[:tld_length]
-                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join(".")
               end
             # Case where tld_length is not provided
             else
@@ -465,7 +465,7 @@ module ActionDispatch
                 cookie_domain = dot_splitted_host.last(2).join(".")
               # **.**, ***.** style TLDs like co.uk and com.au
               else
-                cookie_domain = dot_splitted_host.last(3).join('.')
+                cookie_domain = dot_splitted_host.last(3).join(".")
               end
             end
 
@@ -683,7 +683,7 @@ module ActionDispatch
           deserialize(name) do |rotate|
             @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose)
           end
-        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
+        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature, JSON::ParserError
           nil
         end
 

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -22,7 +22,7 @@ module ActionDispatch
   # This middleware assumes that there is at least one proxy sitting around
   # and setting headers with the client's remote IP address. If you don't use
   # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
-  # claim to have any IP address by setting the X-Forwarded-For header. If you
+  # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
   # care about that, then you need to explicitly drop or ignore those headers
   # sometime before this middleware runs.
   class RemoteIp
@@ -53,7 +53,7 @@ module ActionDispatch
     #
     # The +custom_proxies+ argument can take an enumerable which will be used
     # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
-    # want in the middle (or at the beginning) of the X-Forwarded-For list,
+    # want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
     # with your proxy servers after it. If your proxies aren't removed, pass
     # them in via the +custom_proxies+ parameter. That way, the middleware will
     # ignore those IP addresses, and return the one that you want.
@@ -110,9 +110,9 @@ module ActionDispatch
       # REMOTE_ADDR will be correct if the request is made directly against the
       # Ruby process, on e.g. Heroku. When the request is proxied by another
       # server like HAProxy or NGINX, the IP address that made the original
-      # request will be put in an X-Forwarded-For header. If there are multiple
+      # request will be put in an +X-Forwarded-For+ header. If there are multiple
       # proxies, that header may contain a list of IPs. Other proxy services
-      # set the Client-Ip header instead, so we check that too.
+      # set the +Client-Ip+ header instead, so we check that too.
       #
       # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,

data/lib/action_dispatch/middleware/request_id.rb

@@ -6,9 +6,9 @@ require "active_support/core_ext/string/access"
 module ActionDispatch
   # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
   # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
-  # the same id to the client via the X-Request-Id header.
+  # the same id to the client via the +X-Request-Id+ header.
   #
-  # The unique request id is either based on the X-Request-Id header in the request, which would typically be generated
+  # The unique request id is either based on the +X-Request-Id+ header in the request, which would typically be generated
   # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
   # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
   #

data/lib/action_dispatch/middleware/static.rb

@@ -24,7 +24,7 @@ module ActionDispatch
     end
   end
 
-  # This endpoint serves static files from disk using Rack::File.
+  # This endpoint serves static files from disk using +Rack::File+.
   #
   # URL paths are matched with static files according to expected
   # conventions: +path+, +path+.html, +path+/index.html.
@@ -33,13 +33,13 @@ module ActionDispatch
   # and gzip (.gz) files are supported. If +path+.br exists, this
   # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
   #
-  # If no matching file is found, this endpoint responds 404 Not Found.
+  # If no matching file is found, this endpoint responds <tt>404 Not Found</tt>.
   #
   # Pass the +root+ directory to search for matching files, an optional
   # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
   # additional response headers.
   class FileHandler
-    # Accept-Encoding value -> file extension
+    # +Accept-Encoding+ value -> file extension
     PRECOMPRESSED = {
       "br" => ".br",
       "gzip" => ".gz",