actionpack 7.0.4.3 → 7.0.8.6

data/lib/action_controller/metal/rendering.rb

@@ -24,12 +24,124 @@ module ActionController
       end
     end
 
+    # Renders a template and assigns the result to +self.response_body+.
+    #
+    # If no rendering mode option is specified, the template will be derived
+    # from the first argument.
+    #
+    #   render "posts/show"
+    #   # => renders app/views/posts/show.html.erb
+    #
+    #   # In a PostsController action...
+    #   render :show
+    #   # => renders app/views/posts/show.html.erb
+    #
+    # If the first argument responds to +render_in+, the template will be
+    # rendered by calling +render_in+ with the current view context.
+    #
+    # ==== \Rendering Mode
+    #
+    # [+:partial+]
+    #   See ActionView::PartialRenderer for details.
+    #
+    #     render partial: "posts/form", locals: { post: Post.new }
+    #     # => renders app/views/posts/_form.html.erb
+    #
+    # [+:file+]
+    #   Renders the contents of a file. This option should <b>not</b> be used
+    #   with unsanitized user input.
+    #
+    #     render file: "/path/to/some/file"
+    #     # => renders /path/to/some/file
+    #
+    # [+:inline+]
+    #   Renders an ERB template string.
+    #
+    #     @name = "World"
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>"
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:body+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render body: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:plain+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render plain: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:html+]
+    #   Renders the provided HTML string, and sets the content type as +text/html+.
+    #   If the string is not +html_safe?+, performs HTML escaping on the string
+    #   before rendering.
+    #
+    #     render html: "<h1>Hello, World!</h1>".html_safe
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    #     render html: "<h1>Hello, World!</h1>"
+    #     # => renders "&lt;h1&gt;Hello, World!&lt;/h1&gt;"
+    #
+    # [+:json+]
+    #   Renders the provided object as JSON, and sets the content type as
+    #   +application/json+. If the object is not a string, it will be converted
+    #   to JSON by calling +to_json+.
+    #
+    #     render json: { hello: "world" }
+    #     # => renders "{\"hello\":\"world\"}"
+    #
+    # By default, when a rendering mode is specified, no layout template is
+    # rendered.
+    #
+    # ==== Options
+    #
+    # [+:assigns+]
+    #   Hash of instance variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>", assigns: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:locals+]
+    #   Hash of local variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= name %>!</h1>", locals: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:layout+]
+    #   The layout template to render. Can also be +false+ or +true+ to disable
+    #   or (re)enable the default layout template.
+    #
+    #     render "posts/show", layout: "holiday"
+    #     # => renders app/views/posts/show.html.erb with the app/views/layouts/holiday.html.erb layout
+    #
+    #     render "posts/show", layout: false
+    #     # => renders app/views/posts/show.html.erb with no layout
+    #
+    #     render inline: "<h1>Hello, World!</h1>", layout: true
+    #     # => renders "<h1>Hello, World!</h1>" with the default layout
+    #
+    # [+:status+]
+    #   The HTTP status code to send with the response. Can be specified as a
+    #   number or as the status name in Symbol form. Defaults to 200.
+    #
+    #     render "posts/new", status: 422
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #     render "posts/new", status: :unprocessable_entity
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #--
     # Check for double render errors and set the content_type after rendering.
-    def render(*args) # :nodoc:
+    def render(*args)
       raise ::AbstractController::DoubleRenderError if response_body
       super
     end
 
+    # Similar to #render, but only returns the rendered template as a string,
+    # instead of setting +self.response_body+.
+    #--
     # Override render_to_string because body can now be set to a Rack body.
     def render_to_string(*)
       result = super
@@ -42,7 +154,7 @@ module ActionController
       end
     end
 
-    def render_to_body(options = {})
+    def render_to_body(options = {}) # :nodoc:
       super || _render_in_priorities(options) || " "
     end
 

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -118,9 +118,11 @@ module ActionController # :nodoc:
       #     protect_from_forgery except: :index
       #   end
       #
-      # You can disable forgery protection on controller by skipping the verification before_action:
+      # You can disable forgery protection on a controller using skip_forgery_protection:
       #
-      #   skip_before_action :verify_authenticity_token
+      #   class BarController < ApplicationController
+      #     skip_forgery_protection
+      #   end
       #
       # Valid Options:
       #
@@ -334,7 +336,7 @@ module ActionController # :nodoc:
       #
       # * Is it a GET or HEAD request? GETs should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
-      # * Does the X-CSRF-Token header match the form_authenticity_token?
+      # * Does the +X-CSRF-Token+ header match the form_authenticity_token?
       def verified_request? # :doc:
         !protect_against_forgery? || request.get? || request.head? ||
           (valid_request_origin? && any_authenticity_token_valid?)

data/lib/action_controller/metal/rescue.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
 module ActionController # :nodoc:
-  # This module is responsible for providing +rescue_from+ helpers
-  # to controllers and configuring when detailed exceptions must be
-  # shown.
+  # This module is responsible for providing
+  # {rescue_from}[rdoc-ref:ActiveSupport::Rescuable::ClassMethods#rescue_from]
+  # to controllers, wrapping actions to handle configured errors, and
+  # configuring when detailed exceptions must be shown.
   module Rescue
     extend ActiveSupport::Concern
     include ActiveSupport::Rescuable

data/lib/action_controller/metal/streaming.rb

@@ -147,7 +147,7 @@ module ActionController # :nodoc:
   # needs to inject contents in the HTML body.
   #
   # Also <tt>Rack::Cache</tt> won't work with streaming as it does not support
-  # streaming bodies yet. Whenever streaming Cache-Control is automatically
+  # streaming bodies yet. Whenever streaming +Cache-Control+ is automatically
   # set to "no-cache".
   #
   # == Errors

data/lib/action_controller/metal/strong_parameters.rb

@@ -97,7 +97,7 @@ module ActionController
   #   * +false+ to take no action.
   #   * <tt>:log</tt> to emit an <tt>ActiveSupport::Notifications.instrument</tt> event on the
   #     <tt>unpermitted_parameters.action_controller</tt> topic and log at the DEBUG level.
-  #   * <tt>:raise</tt> to raise a <tt>ActionController::UnpermittedParameters</tt> exception.
+  #   * <tt>:raise</tt> to raise an ActionController::UnpermittedParameters exception.
   #
   # Examples:
   #
@@ -146,7 +146,7 @@ module ActionController
     # :method: each_key
     #
     # :call-seq:
-    #   each_key()
+    #   each_key(&block)
     #
     # Calls block once for each key in the parameters, passing the key.
     # If no block is given, an enumerator is returned instead.
@@ -159,14 +159,6 @@ module ActionController
     #
     # Returns true if the parameters have no key/value pairs.
 
-    ##
-    # :method: has_key?
-    #
-    # :call-seq:
-    #   has_key?(key)
-    #
-    # Returns true if the given key is present in the parameters.
-
     ##
     # :method: has_value?
     #
@@ -183,22 +175,6 @@ module ActionController
     #
     # Returns true if the given key is present in the parameters.
 
-    ##
-    # :method: key?
-    #
-    # :call-seq:
-    #   key?(key)
-    #
-    # Returns true if the given key is present in the parameters.
-
-    ##
-    # :method: member?
-    #
-    # :call-seq:
-    #   member?(key)
-    #
-    # Returns true if the given key is present in the parameters.
-
     ##
     # :method: keys
     #
@@ -230,9 +206,13 @@ module ActionController
     #   values()
     #
     # Returns a new array of the values of the parameters.
-    delegate :keys, :key?, :has_key?, :member?, :values, :has_value?, :value?, :empty?, :include?,
+    delegate :keys, :values, :has_value?, :value?, :empty?, :include?,
       :as_json, :to_s, :each_key, to: :@parameters
 
+    alias_method :has_key?, :include?
+    alias_method :key?, :include?
+    alias_method :member?, :include?
+
     # By default, never raise an UnpermittedParameters exception if these
     # params are present. The default includes both 'controller' and 'action'
     # because they are added by Rails and should be of no concern. One way
@@ -248,7 +228,7 @@ module ActionController
       end
     end
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt>.
+    # Returns a new <tt>ActionController::Parameters</tt> instance.
     # Also, sets the +permitted+ attribute to the default value of
     # <tt>ActionController::Parameters.permit_all_parameters</tt>.
     #
@@ -290,7 +270,7 @@ module ActionController
       [self.class, @parameters, @permitted].hash
     end
 
-    # Returns a safe <tt>ActiveSupport::HashWithIndifferentAccess</tt>
+    # Returns a safe ActiveSupport::HashWithIndifferentAccess
     # representation of the parameters with all unpermitted keys removed.
     #
     #   params = ActionController::Parameters.new({
@@ -350,18 +330,15 @@ module ActionController
     #   safe_params.to_query("user")
     #   # => "user%5Bname%5D=David&user%5Bnationality%5D=Danish"
     #
-    # The string pairs "key=value" that conform the query string
+    # The string pairs <tt>"key=value"</tt> that conform the query string
     # are sorted lexicographically in ascending order.
-    #
-    # This method is also aliased as +to_param+.
     def to_query(*args)
       to_h.to_query(*args)
     end
     alias_method :to_param, :to_query
 
-    # Returns an unsafe, unfiltered
-    # <tt>ActiveSupport::HashWithIndifferentAccess</tt> representation of the
-    # parameters.
+    # Returns an unsafe, unfiltered ActiveSupport::HashWithIndifferentAccess
+    # representation of the parameters.
     #
     #   params = ActionController::Parameters.new({
     #     name: "Senjougahara Hitagi",
@@ -401,7 +378,7 @@ module ActionController
     # looping in the common use case permit + mass-assignment. Defined in a
     # method to instantiate it only if needed.
     #
-    # Testing membership still loops, but it's going to be faster than our own
+    # \Testing membership still loops, but it's going to be faster than our own
     # loop that converts values. Also, we are not going to build a new array
     # object per fetch.
     def converted_arrays
@@ -449,7 +426,7 @@ module ActionController
     #   ActionController::Parameters.new(person: { name: "Francesco" }).require(:person)
     #   # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #
-    # Otherwise raises <tt>ActionController::ParameterMissing</tt>:
+    # Otherwise raises ActionController::ParameterMissing:
     #
     #   ActionController::Parameters.new.require(:person)
     #   # ActionController::ParameterMissing: param is missing or the value is empty: person
@@ -501,7 +478,6 @@ module ActionController
       end
     end
 
-    # Alias of #require.
     alias :required :require
 
     # Returns a new <tt>ActionController::Parameters</tt> instance that
@@ -523,7 +499,7 @@ module ActionController
     # +:name+ passes if it is a key of +params+ whose associated value is of type
     # +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+,
     # +Date+, +Time+, +DateTime+, +StringIO+, +IO+,
-    # +ActionDispatch::Http::UploadedFile+ or +Rack::Test::UploadedFile+.
+    # ActionDispatch::Http::UploadedFile or +Rack::Test::UploadedFile+.
     # Otherwise, the key +:name+ is filtered out.
     #
     # You may declare that the parameter should be an array of permitted scalars
@@ -645,16 +621,16 @@ module ActionController
     end
 
     # Assigns a value to a given +key+. The given key may still get filtered out
-    # when +permit+ is called.
+    # when #permit is called.
     def []=(key, value)
       @parameters[key] = value
     end
 
     # Returns a parameter for the given +key+. If the +key+
     # can't be found, there are several options: With no other arguments,
-    # it will raise an <tt>ActionController::ParameterMissing</tt> error;
+    # it will raise an ActionController::ParameterMissing error;
     # if a second argument is given, then that is returned (converted to an
-    # instance of ActionController::Parameters if possible); if a block
+    # instance of +ActionController::Parameters+ if possible); if a block
     # is given, then that will be run and its result returned.
     #
     #   params = ActionController::Parameters.new(person: { name: "Francesco" })
@@ -700,7 +676,7 @@ module ActionController
       new_instance_with_inherited_permitted_status(@parameters.slice(*keys))
     end
 
-    # Returns current <tt>ActionController::Parameters</tt> instance which
+    # Returns the current <tt>ActionController::Parameters</tt> instance which
     # contains only the given +keys+.
     def slice!(*keys)
       @parameters.slice!(*keys)
@@ -726,7 +702,7 @@ module ActionController
       new_instance_with_inherited_permitted_status(@parameters.extract!(*keys))
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> with the results of
+    # Returns a new <tt>ActionController::Parameters</tt> instance with the results of
     # running +block+ once for every value. The keys are unchanged.
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
@@ -773,9 +749,9 @@ module ActionController
       )
     end
 
-    # Returns the <tt>ActionController::Parameters</tt> instance changing its keys.
-    # This includes the keys from the root hash and from all nested hashes and arrays.
-    # The values are unchanged.
+    # Returns the same <tt>ActionController::Parameters</tt> instance with
+    # changed keys. This includes the keys from the root hash and from all
+    # nested hashes and arrays. The values are unchanged.
     def deep_transform_keys!(&block)
       @parameters.deep_transform_keys!(&block)
       self
@@ -783,13 +759,13 @@ module ActionController
 
     # Deletes a key-value pair from +Parameters+ and returns the value. If
     # +key+ is not found, returns +nil+ (or, with optional code block, yields
-    # +key+ and returns the result). Cf. #extract!, which returns the
-    # corresponding +ActionController::Parameters+ object.
+    # +key+ and returns the result). This method is similar to #extract!, which
+    # returns the corresponding +ActionController::Parameters+ object.
     def delete(key, &block)
       convert_value_to_parameters(@parameters.delete(key, &block))
     end
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> with only
+    # Returns a new <tt>ActionController::Parameters</tt> instance with only
     # items that the block evaluates to true.
     def select(&block)
       new_instance_with_inherited_permitted_status(@parameters.select(&block))
@@ -802,7 +778,7 @@ module ActionController
     end
     alias_method :keep_if, :select!
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> with items
+    # Returns a new <tt>ActionController::Parameters</tt> instance with items
     # that the block evaluates to true removed.
     def reject(&block)
       new_instance_with_inherited_permitted_status(@parameters.reject(&block))
@@ -815,7 +791,7 @@ module ActionController
     end
     alias_method :delete_if, :reject!
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> with +nil+ values removed.
+    # Returns a new <tt>ActionController::Parameters</tt> instance with +nil+ values removed.
     def compact
       new_instance_with_inherited_permitted_status(@parameters.compact)
     end
@@ -825,7 +801,7 @@ module ActionController
       self if @parameters.compact!
     end
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> without the blank values.
+    # Returns a new <tt>ActionController::Parameters</tt> instance without the blank values.
     # Uses Object#blank? for determining if a value is blank.
     def compact_blank
       reject { |_k, v| v.blank? }
@@ -843,7 +819,7 @@ module ActionController
       convert_value_to_parameters(@parameters.values_at(*keys))
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> with all keys from
+    # Returns a new <tt>ActionController::Parameters</tt> instance with all keys from
     # +other_hash+ merged into current hash.
     def merge(other_hash)
       new_instance_with_inherited_permitted_status(
@@ -851,15 +827,15 @@ module ActionController
       )
     end
 
-    # Returns current <tt>ActionController::Parameters</tt> instance with
+    # Returns the current <tt>ActionController::Parameters</tt> instance with
     # +other_hash+ merged into current hash.
     def merge!(other_hash)
       @parameters.merge!(other_hash.to_h)
       self
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> with all keys from
-    # current hash merged into +other_hash+.
+    # Returns a new <tt>ActionController::Parameters</tt> instance with all keys
+    # from current hash merged into +other_hash+.
     def reverse_merge(other_hash)
       new_instance_with_inherited_permitted_status(
         other_hash.to_h.merge(@parameters)
@@ -867,7 +843,7 @@ module ActionController
     end
     alias_method :with_defaults, :reverse_merge
 
-    # Returns current <tt>ActionController::Parameters</tt> instance with
+    # Returns the current <tt>ActionController::Parameters</tt> instance with
     # current hash merged into +other_hash+.
     def reverse_merge!(other_hash)
       @parameters.merge!(other_hash.to_h) { |key, left, right| left }
@@ -917,7 +893,7 @@ module ActionController
       coder.map = { "parameters" => @parameters, "permitted" => @permitted }
     end
 
-    # Returns duplicate of object including all parameters.
+    # Returns a duplicate +ActionController::Parameters+ instance with the same permitted parameters.
     def deep_dup
       self.class.new(@parameters.deep_dup, @logging_context).tap do |duplicate|
         duplicate.permitted = @permitted
@@ -1024,10 +1000,11 @@ module ActionController
       # This is a list of permitted scalar types that includes the ones
       # supported in XML and JSON requests.
       #
-      # This list is in particular used to filter ordinary requests, String goes
+      # This list is in particular used to filter ordinary requests, \String goes
       # as first element to quickly short-circuit the common case.
       #
-      # If you modify this collection please update the API of +permit+ above.
+      # If you modify this collection please update the one in the #permit doc
+      # as well.
       PERMITTED_SCALAR_TYPES = [
         String,
         Symbol,
@@ -1083,8 +1060,8 @@ module ActionController
         value.is_a?(Array) || value.is_a?(Parameters)
       end
 
-      EMPTY_ARRAY = []
-      EMPTY_HASH  = {}
+      EMPTY_ARRAY = [] # :nodoc:
+      EMPTY_HASH  = {} # :nodoc:
       def hash_filter(params, filter)
         filter = filter.with_indifferent_access
 

data/lib/action_controller/metal/url_for.rb

@@ -6,10 +6,8 @@ module ActionController
   #
   # In addition to AbstractController::UrlFor, this module accesses the HTTP layer to define
   # URL options like the +host+. In order to do so, this module requires the host class
-  # to implement +env+ which needs to be Rack-compatible and +request+
-  # which is either an instance of ActionDispatch::Request or an object
-  # that responds to the +host+, +optional_port+, +protocol+, and
-  # +symbolized_path_parameter+ methods.
+  # to implement +env+ which needs to be Rack-compatible, and +request+ which
+  # returns an ActionDispatch::Request instance.
   #
   #   class RootUrl
   #     include ActionController::UrlFor

data/lib/action_controller/railtie.rb

@@ -111,7 +111,8 @@ module ActionController
         app.config.action_controller.log_query_tags_around_actions
 
       if query_logs_tags_enabled
-        app.config.active_record.query_log_tags += [:controller, :action]
+        app.config.active_record.query_log_tags |= [:controller] unless app.config.active_record.query_log_tags.include?(:namespaced_controller)
+        app.config.active_record.query_log_tags |= [:action]
 
         ActiveSupport.on_load(:active_record) do
           ActiveRecord::QueryLogs.taggings.merge!(

data/lib/action_controller/renderer.rb

@@ -68,26 +68,7 @@ module ActionController
       @env = normalize_keys defaults, env
     end
 
-    # Render templates with any options from ActionController::Base#render_to_string.
-    #
-    # The primary options are:
-    # * <tt>:partial</tt> - See ActionView::PartialRenderer for details.
-    # * <tt>:file</tt> - Renders an explicit template file. Add <tt>:locals</tt> to pass in, if so desired.
-    #   It shouldn’t be used directly with unsanitized user input due to lack of validation.
-    # * <tt>:inline</tt> - Renders an ERB template string.
-    # * <tt>:plain</tt> - Renders provided text and sets the content type as <tt>text/plain</tt>.
-    # * <tt>:html</tt> - Renders the provided HTML safe string, otherwise
-    #   performs HTML escape on the string first. Sets the content type as <tt>text/html</tt>.
-    # * <tt>:json</tt> - Renders the provided hash or object in JSON. You don't
-    #   need to call <tt>.to_json</tt> on the object you want to render.
-    # * <tt>:body</tt> - Renders provided text and sets content type of <tt>text/plain</tt>.
-    #
-    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
-    #
-    # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
-    # passing in the current view context.
-    #
-    # Otherwise, a partial is rendered using the second parameter as the locals hash.
+    # Renders a template to a string, just like ActionController::Rendering#render_to_string.
     def render(*args)
       raise "missing controller" unless controller
 

data/lib/action_dispatch/http/cache.rb

@@ -32,8 +32,8 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (Last-Modified and ETag) against request
-        # If-Modified-Since and If-None-Match conditions. If both headers are
+        # Check response freshness (+Last-Modified+ and ETag) against request
+        # +If-Modified-Since+ and +If-None-Match+ conditions. If both headers are
         # supplied, both must match, or the request is not considered fresh.
         def fresh?(response)
           last_modified = if_modified_since
@@ -81,8 +81,8 @@ module ActionDispatch
 
         # This method sets a weak ETag validator on the response so browsers
         # and proxies may cache the response, keyed on the ETag. On subsequent
-        # requests, the If-None-Match header is set to the cached ETag. If it
-        # matches the current ETag, we can return a 304 Not Modified response
+        # requests, the +If-None-Match+ header is set to the cached ETag. If it
+        # matches the current ETag, we can return a <tt>304 Not Modified</tt> response
         # with no body, letting the browser or proxy know that their cache is
         # current. Big savings in request time and network bandwidth.
         #
@@ -92,7 +92,7 @@ module ActionDispatch
         # is viewing.
         #
         # Strong ETags are considered byte-for-byte identical. They allow a
-        # browser or proxy cache to support Range requests, useful for paging
+        # browser or proxy cache to support +Range+ requests, useful for paging
         # through a PDF file or scrubbing through a video. Some CDNs only
         # support strong ETags and will ignore weak ETags entirely.
         #
@@ -112,12 +112,12 @@ module ActionDispatch
 
         def etag?; etag; end
 
-        # True if an ETag is set and it's a weak validator (preceded with W/)
+        # True if an ETag is set, and it's a weak validator (preceded with <tt>W/</tt>).
         def weak_etag?
           etag? && etag.start_with?('W/"')
         end
 
-        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        # True if an ETag is set, and it isn't a weak validator (not preceded with <tt>W/</tt>).
         def strong_etag?
           etag? && !weak_etag?
         end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -33,7 +33,11 @@ module ActionDispatch # :nodoc:
 
       def call(env)
         request = ActionDispatch::Request.new env
-        _, headers, _ = response = @app.call(env)
+        status, headers, _ = response = @app.call(env)
+
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
+        # CSP headers might not match nonces in the cached HTML.
+        return response if status == 304
 
         return response if policy_present?(headers)
 

data/lib/action_dispatch/http/filter_parameters.rb

@@ -4,33 +4,13 @@ require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # Allows you to specify sensitive parameters which will be replaced from
-    # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
-    # from a hash is possible by using the dot notation: 'credit_card.number'.
-    # If a block is given, each key and value of the params hash and all
-    # sub-hashes are passed to it, where the value or the key can be replaced using
-    # String#replace or similar methods.
-    #
-    #   env["action_dispatch.parameter_filter"] = [:password]
-    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    # Allows you to specify sensitive query string and POST parameters to filter
+    # from the request log.
     #
+    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
-    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
-    #
-    #   env["action_dispatch.parameter_filter"] = [ /\Apin\z/i, /\Apin_/i ]
-    #   => replaces the value for the exact (case-insensitive) key 'pin' and all
-    #   (case-insensitive) keys beginning with 'pin_', with "[FILTERED]"
-    #   Does not match keys with 'pin' as a substring, such as 'shipping_id'.
-    #
-    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
-    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
-    #   change { file: { code: "xxxx"} }
     #
-    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k.match?(/secret/i)
-    #   end
-    #   => reverses the value to all keys matching /secret/i
+    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
       NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
@@ -78,12 +58,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/headers.rb

@@ -65,7 +65,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
       def add(key, value)
         @req.add_header env_name(key), value
       end