actionpack 7.0.4.3 → 7.0.8.6

data/lib/action_dispatch/http/permissions_policy.rb

@@ -37,7 +37,6 @@ module ActionDispatch # :nodoc:
         request = ActionDispatch::Request.new(env)
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.permissions_policy
@@ -52,12 +51,6 @@ module ActionDispatch # :nodoc:
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            /html/.match?(content_type)
-          end
-        end
-
         def policy_present?(headers)
           headers[POLICY]
         end

data/lib/action_dispatch/http/request.rb

@@ -107,22 +107,21 @@ module ActionDispatch
       has_header? key
     end
 
-    # List of HTTP request methods from the following RFCs:
-    # Hypertext Transfer Protocol -- HTTP/1.1 (https://www.ietf.org/rfc/rfc2616.txt)
-    # HTTP Extensions for Distributed Authoring -- WEBDAV (https://www.ietf.org/rfc/rfc2518.txt)
-    # Versioning Extensions to WebDAV (https://www.ietf.org/rfc/rfc3253.txt)
-    # Ordered Collections Protocol (WebDAV) (https://www.ietf.org/rfc/rfc3648.txt)
-    # Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol (https://www.ietf.org/rfc/rfc3744.txt)
-    # Web Distributed Authoring and Versioning (WebDAV) SEARCH (https://www.ietf.org/rfc/rfc5323.txt)
-    # Calendar Extensions to WebDAV (https://www.ietf.org/rfc/rfc4791.txt)
-    # PATCH Method for HTTP (https://www.ietf.org/rfc/rfc5789.txt)
+    # HTTP methods from {RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1}[https://www.ietf.org/rfc/rfc2616.txt]
     RFC2616 = %w(OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT)
+    # HTTP methods from {RFC 2518: HTTP Extensions for Distributed Authoring -- WEBDAV}[https://www.ietf.org/rfc/rfc2518.txt]
     RFC2518 = %w(PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK)
+    # HTTP methods from {RFC 3253: Versioning Extensions to WebDAV}[https://www.ietf.org/rfc/rfc3253.txt]
     RFC3253 = %w(VERSION-CONTROL REPORT CHECKOUT CHECKIN UNCHECKOUT MKWORKSPACE UPDATE LABEL MERGE BASELINE-CONTROL MKACTIVITY)
+    # HTTP methods from {RFC 3648: WebDAV Ordered Collections Protocol}[https://www.ietf.org/rfc/rfc3648.txt]
     RFC3648 = %w(ORDERPATCH)
+    # HTTP methods from {RFC 3744: WebDAV Access Control Protocol}[https://www.ietf.org/rfc/rfc3744.txt]
     RFC3744 = %w(ACL)
+    # HTTP methods from {RFC 5323: WebDAV SEARCH}[https://www.ietf.org/rfc/rfc5323.txt]
     RFC5323 = %w(SEARCH)
+    # HTTP methods from {RFC 4791: Calendaring Extensions to WebDAV}[https://www.ietf.org/rfc/rfc4791.txt]
     RFC4791 = %w(MKCALENDAR)
+    # HTTP methods from {RFC 5789: PATCH Method for HTTP}[https://www.ietf.org/rfc/rfc5789.txt]
     RFC5789 = %w(PATCH)
 
     HTTP_METHODS = RFC2616 + RFC2518 + RFC3253 + RFC3648 + RFC3744 + RFC5323 + RFC4791 + RFC5789
@@ -271,7 +270,7 @@ module ActionDispatch
       super.to_i
     end
 
-    # Returns true if the "X-Requested-With" header contains "XMLHttpRequest"
+    # Returns true if the +X-Requested-With+ header contains "XMLHttpRequest"
     # (case-insensitive), which may need to be manually added depending on the
     # choice of JavaScript libraries and frameworks.
     def xml_http_request?
@@ -297,7 +296,7 @@ module ActionDispatch
 
     ACTION_DISPATCH_REQUEST_ID = "action_dispatch.request_id" # :nodoc:
 
-    # Returns the unique request id, which is based on either the X-Request-Id header that can
+    # Returns the unique request id, which is based on either the +X-Request-Id+ header that can
     # be generated by a firewall, load balancer, or web server, or by the RequestId middleware
     # (which sets the +action_dispatch.request_id+ environment variable).
     #
@@ -341,13 +340,13 @@ module ActionDispatch
     end
 
     # Determine whether the request body contains form-data by checking
-    # the request Content-Type for one of the media-types:
-    # "application/x-www-form-urlencoded" or "multipart/form-data". The
+    # the request +Content-Type+ for one of the media-types:
+    # +application/x-www-form-urlencoded+ or +multipart/form-data+. The
     # list of form-data media types can be modified through the
     # +FORM_DATA_MEDIA_TYPES+ array.
     #
     # A request body is not assumed to contain form-data when no
-    # Content-Type header is provided and the request_method is POST.
+    # +Content-Type+ header is provided and the request_method is POST.
     def form_data?
       FORM_DATA_MEDIA_TYPES.include?(media_type)
     end
@@ -379,7 +378,7 @@ module ActionDispatch
         Request::Utils.check_param_encoding(rack_query_params)
         set_header k, Request::Utils.normalize_encode_params(rack_query_params)
       end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError => e
       raise ActionController::BadRequest.new("Invalid query parameters: #{e.message}")
     end
     alias :query_parameters :GET
@@ -394,7 +393,7 @@ module ActionDispatch
         Request::Utils.check_param_encoding(pr)
         self.request_parameters = Request::Utils.normalize_encode_params(pr)
       end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError, EOFError => e
       raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
     end
     alias :request_parameters :POST

data/lib/action_dispatch/http/response.rb

@@ -501,10 +501,6 @@ module ActionDispatch # :nodoc:
       def to_path
         @response.stream.to_path
       end
-
-      def to_ary
-        nil
-      end
     end
 
     def handle_no_content!

data/lib/action_dispatch/http/upload.rb

@@ -28,6 +28,8 @@ module ActionDispatch
         @tempfile = hash[:tempfile]
         raise(ArgumentError, ":tempfile is required") unless @tempfile
 
+        @content_type = hash[:type]
+
         if hash[:filename]
           @original_filename = hash[:filename].dup
 
@@ -40,8 +42,17 @@ module ActionDispatch
           @original_filename = nil
         end
 
-        @content_type      = hash[:type]
-        @headers           = hash[:head]
+        if hash[:head]
+          @headers = hash[:head].dup
+
+          begin
+            @headers.encode!(Encoding::UTF_8)
+          rescue EncodingError
+            @headers.force_encoding(Encoding::UTF_8)
+          end
+        else
+          @headers = nil
+        end
       end
 
       # Shortcut for +tempfile.read+.

data/lib/action_dispatch/middleware/cookies.rb

@@ -95,7 +95,7 @@ module ActionDispatch
   # Read and write data to cookies through ActionController::Base#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
-  # When writing cookie data, the data is sent out in the HTTP response header, Set-Cookie.
+  # When writing cookie data, the data is sent out in the HTTP response header, +Set-Cookie+.
   #
   # Examples of writing:
   #
@@ -443,7 +443,7 @@ module ActionDispatch
 
           if options[:domain] == :all || options[:domain] == "all"
             cookie_domain = ""
-            dot_splitted_host = request.host.split('.', -1)
+            dot_splitted_host = request.host.split(".", -1)
 
             # Case where request.host is not an IP address or it's an invalid domain
             # (ip confirms to the domain structure we expect so we explicitly check for ip)
@@ -453,10 +453,10 @@ module ActionDispatch
             end
 
             # If there is a provided tld length then we use it otherwise default domain.
-            if options[:tld_length].present? 
+            if options[:tld_length].present?
               # Case where the tld_length provided is valid
               if dot_splitted_host.length >= options[:tld_length]
-                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join(".")
               end
             # Case where tld_length is not provided
             else
@@ -465,7 +465,7 @@ module ActionDispatch
                 cookie_domain = dot_splitted_host.last(2).join(".")
               # **.**, ***.** style TLDs like co.uk and com.au
               else
-                cookie_domain = dot_splitted_host.last(3).join('.')
+                cookie_domain = dot_splitted_host.last(3).join(".")
               end
             end
 
@@ -683,7 +683,7 @@ module ActionDispatch
           deserialize(name) do |rotate|
             @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose)
           end
-        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
+        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature, JSON::ParserError
           nil
         end
 

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -95,7 +95,7 @@ module ActionDispatch
         def response_body(request)
           return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
 
-          template = DebugView.new(host: request.host)
+          template = DebugView.new(hosts: request.env["action_dispatch.blocked_hosts"])
           template.render(template: "rescues/blocked_host", layout: "rescues/layout")
         end
 
@@ -111,7 +111,7 @@ module ActionDispatch
 
           return unless logger
 
-          logger.error("[#{self.class.name}] Blocked host: #{request.host}")
+          logger.error("[#{self.class.name}] Blocked hosts: #{request.env["action_dispatch.blocked_hosts"].join(", ")}")
         end
 
         def available_logger(request)
@@ -131,21 +131,28 @@ module ActionDispatch
       return @app.call(env) if @permissions.empty?
 
       request = Request.new(env)
+      hosts = blocked_hosts(request)
 
-      if authorized?(request) || excluded?(request)
+      if hosts.empty? || excluded?(request)
         mark_as_authorized(request)
         @app.call(env)
       else
+        env["action_dispatch.blocked_hosts"] = hosts
         @response_app.call(env)
       end
     end
 
     private
-      def authorized?(request)
+      def blocked_hosts(request)
+        hosts = []
+
         origin_host = request.get_header("HTTP_HOST")
+        hosts << origin_host unless @permissions.allows?(origin_host)
+
         forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
+        hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host)
 
-        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+        hosts
       end
 
       def excluded?(request)

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -22,7 +22,7 @@ module ActionDispatch
   # This middleware assumes that there is at least one proxy sitting around
   # and setting headers with the client's remote IP address. If you don't use
   # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
-  # claim to have any IP address by setting the X-Forwarded-For header. If you
+  # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
   # care about that, then you need to explicitly drop or ignore those headers
   # sometime before this middleware runs.
   class RemoteIp
@@ -53,7 +53,7 @@ module ActionDispatch
     #
     # The +custom_proxies+ argument can take an enumerable which will be used
     # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
-    # want in the middle (or at the beginning) of the X-Forwarded-For list,
+    # want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
     # with your proxy servers after it. If your proxies aren't removed, pass
     # them in via the +custom_proxies+ parameter. That way, the middleware will
     # ignore those IP addresses, and return the one that you want.
@@ -110,9 +110,9 @@ module ActionDispatch
       # REMOTE_ADDR will be correct if the request is made directly against the
       # Ruby process, on e.g. Heroku. When the request is proxied by another
       # server like HAProxy or NGINX, the IP address that made the original
-      # request will be put in an X-Forwarded-For header. If there are multiple
+      # request will be put in an +X-Forwarded-For+ header. If there are multiple
       # proxies, that header may contain a list of IPs. Other proxy services
-      # set the Client-Ip header instead, so we check that too.
+      # set the +Client-Ip+ header instead, so we check that too.
       #
       # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,

data/lib/action_dispatch/middleware/request_id.rb

@@ -6,9 +6,9 @@ require "active_support/core_ext/string/access"
 module ActionDispatch
   # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
   # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
-  # the same id to the client via the X-Request-Id header.
+  # the same id to the client via the +X-Request-Id+ header.
   #
-  # The unique request id is either based on the X-Request-Id header in the request, which would typically be generated
+  # The unique request id is either based on the +X-Request-Id+ header in the request, which would typically be generated
   # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
   # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
   #

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -6,14 +6,17 @@ module ActionDispatch
   # This middleware rescues any exception returned by the application
   # and calls an exceptions app that will wrap it in a format for the end user.
   #
-  # The exceptions app should be passed as parameter on initialization
-  # of ShowExceptions. Every time there is an exception, ShowExceptions will
-  # store the exception in env["action_dispatch.exception"], rewrite the
-  # PATH_INFO to the exception status code and call the Rack app.
+  # The exceptions app should be passed as a parameter on initialization of
+  # +ShowExceptions+. Every time there is an exception, +ShowExceptions+ will
+  # store the exception in <tt>env["action_dispatch.exception"]</tt>, rewrite
+  # the +PATH_INFO+ to the exception status code and call the Rack app.
   #
-  # If the application returns a "X-Cascade" pass response, this middleware
-  # will send an empty response as result with the correct status code.
-  # If any exception happens inside the exceptions app, this middleware
+  # In \Rails applications, the exceptions app can be configured with
+  # +config.exceptions_app+, which defaults to ActionDispatch::PublicExceptions.
+  #
+  # If the application returns an <tt>"X-Cascade" => "pass"</tt> response, this
+  # middleware will send an empty response as a result with the correct status
+  # code. If any exception happens inside the exceptions app, this middleware
   # catches the exceptions and returns a failsafe response.
   class ShowExceptions
     def initialize(app, exceptions_app)

data/lib/action_dispatch/middleware/static.rb

@@ -24,7 +24,7 @@ module ActionDispatch
     end
   end
 
-  # This endpoint serves static files from disk using Rack::File.
+  # This endpoint serves static files from disk using +Rack::File+.
   #
   # URL paths are matched with static files according to expected
   # conventions: +path+, +path+.html, +path+/index.html.
@@ -33,13 +33,13 @@ module ActionDispatch
   # and gzip (.gz) files are supported. If +path+.br exists, this
   # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
   #
-  # If no matching file is found, this endpoint responds 404 Not Found.
+  # If no matching file is found, this endpoint responds <tt>404 Not Found</tt>.
   #
   # Pass the +root+ directory to search for matching files, an optional
   # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
   # additional response headers.
   class FileHandler
-    # Accept-Encoding value -> file extension
+    # +Accept-Encoding+ value -> file extension
     PRECOMPRESSED = {
       "br" => ".br",
       "gzip" => ".gz",

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -1,8 +1,12 @@
 <header>
-  <h1>Blocked host: <%= @host %></h1>
+  <h1>Blocked hosts: <%= @hosts.join(", ") %></h1>
 </header>
 <main role="main" id="container">
-  <h2>To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
-  <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
+  <h2>To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
+  <pre>
+  <% @hosts.each do |host| %>
+    config.hosts &lt;&lt; "<%= host %>"
+  <% end %>
+  </pre>
   <p>For more details view: <a href="https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization">the Host Authorization guide</a></p>
 </main>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -1,7 +1,9 @@
-Blocked host: <%= @host %>
+Blocked hosts: <%= @hosts.join(", ") %>
 
-To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
+To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
 
-  config.hosts << "<%= @host %>"
+<% @hosts.each do |host| %>
+  config.hosts << "<%= host %>"
+<% end %>
 
 For more details on host authorization view: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization

data/lib/action_dispatch/middleware/templates/routes/_table.html.erb

@@ -102,9 +102,9 @@
   // Enables path search functionality
   function setupMatchPaths() {
     // Check if there are any matched results in a section
-    function checkNoMatch(section, noMatchText) {
+    function checkNoMatch(section, trElement) {
       if (section.children.length <= 1) {
-        section.innerHTML += noMatchText;
+        section.appendChild(trElement);
       }
     }
 
@@ -145,21 +145,30 @@
       }
     }
 
+    function buildTr(string) {
+      var tr = document.createElement('tr');
+      var th = document.createElement('th');
+      th.setAttribute('colspan', 4);
+      tr.appendChild(th);
+      th.innerText = string;
+      return tr;
+    }
+
     // On key press perform a search for matching paths
     delayedKeyup(searchElem, function() {
       var path = sanitizePath(searchElem.value),
-          defaultExactMatch = '<tr><th colspan="4">Paths Matching (' + path +'):</th></tr>',
-          defaultFuzzyMatch = '<tr><th colspan="4">Paths Containing (' + path +'):</th></tr>',
-          noExactMatch      = '<tr><th colspan="4">No Exact Matches Found</th></tr>',
-          noFuzzyMatch      = '<tr><th colspan="4">No Fuzzy Matches Found</th></tr>';
+          defaultExactMatch = buildTr('Paths Matching (' + path + '):'),
+          defaultFuzzyMatch = buildTr('Paths Containing (' + path +'):'),
+          noExactMatch      = buildTr('No Exact Matches Found'),
+          noFuzzyMatch      = buildTr('No Fuzzy Matches Found');
 
       if (!path)
         return searchElem.onblur();
 
       getJSON('/rails/info/routes?path=' + path, function(matches){
         // Clear out results section
-        exactSection.innerHTML = defaultExactMatch;
-        fuzzySection.innerHTML = defaultFuzzyMatch;
+        exactSection.replaceChildren(defaultExactMatch);
+        fuzzySection.replaceChildren(defaultFuzzyMatch);
 
         // Display exact matches and fuzzy matches
         pathElements.forEach(function(elem) {

data/lib/action_dispatch/routing/mapper.rb

@@ -1584,6 +1584,29 @@ module ActionDispatch
           !parent_resource.singleton? && @scope[:shallow]
         end
 
+        # Loads another routes file with the given +name+ located inside the
+        # +config/routes+ directory. In that file, you can use the normal
+        # routing DSL, but <i>do not</i> surround it with a
+        # +Rails.application.routes.draw+ block.
+        #
+        #   # config/routes.rb
+        #   Rails.application.routes.draw do
+        #     draw :admin                 # Loads `config/routes/admin.rb`
+        #     draw "third_party/some_gem" # Loads `config/routes/third_party/some_gem.rb`
+        #   end
+        #
+        #   # config/routes/admin.rb
+        #   namespace :admin do
+        #     resources :accounts
+        #   end
+        #
+        #   # config/routes/third_party/some_gem.rb
+        #   mount SomeGem::Engine, at: "/some_gem"
+        #
+        # <b>CAUTION:</b> Use this feature with care. Having multiple routes
+        # files can negatively impact discoverability and readability. For most
+        # applications — even those with a few hundred routes — it's easier for
+        # developers to have a single routes file.
         def draw(name)
           path = @draw_paths.find do |_path|
             File.exist? "#{_path}/#{name}.rb"

data/lib/action_dispatch/routing/url_for.rb

@@ -6,16 +6,16 @@ module ActionDispatch
     # is also possible: a URL can be generated from one of your routing definitions.
     # URL generation functionality is centralized in this module.
     #
-    # See ActionDispatch::Routing for general information about routing and routes.rb.
+    # See ActionDispatch::Routing for general information about routing and <tt>config/routes.rb</tt>.
     #
     # <b>Tip:</b> If you need to generate URLs from your models or some other place,
-    # then ActionController::UrlFor is what you're looking for. Read on for
+    # then ActionDispatch::Routing::UrlFor is what you're looking for. Read on for
     # an introduction. In general, this module should not be included on its own,
-    # as it is usually included by url_helpers (as in Rails.application.routes.url_helpers).
+    # as it is usually included by +url_helpers+ (as in <tt>Rails.application.routes.url_helpers</tt>).
     #
     # == URL generation from parameters
     #
-    # As you may know, some functions, such as ActionController::Base#url_for
+    # As you may know, some functions, such as <tt>ActionController::Base#url_for</tt>
     # and ActionView::Helpers::UrlHelper#link_to, can generate URLs given a set
     # of parameters. For example, you've probably had the chance to write code
     # like this in one of your views:
@@ -24,12 +24,12 @@ module ActionDispatch
     #           action: 'new', message: 'Welcome!') %>
     #   # => <a href="/users/new?message=Welcome%21">Click here</a>
     #
-    # link_to, and all other functions that require URL generation functionality,
-    # actually use ActionController::UrlFor under the hood. And in particular,
-    # they use the ActionController::UrlFor#url_for method. One can generate
+    # +link_to+, and all other functions that require URL generation functionality,
+    # actually use ActionDispatch::Routing::UrlFor under the hood. And in particular,
+    # they use the ActionDispatch::Routing::UrlFor#url_for method. One can generate
     # the same path as the above example by using the following code:
     #
-    #   include UrlFor
+    #   include ActionDispatch::Routing::UrlFor
     #   url_for(controller: 'users',
     #           action: 'new',
     #           message: 'Welcome!',
@@ -48,17 +48,17 @@ module ActionDispatch
     #           host: 'www.example.com')
     #   # => "http://www.example.com/users/new?message=Welcome%21"
     #
-    # By default, all controllers and views have access to a special version of url_for,
-    # that already knows what the current hostname is. So if you use url_for in your
+    # By default, all controllers and views have access to a special version of +url_for+,
+    # that already knows what the current hostname is. So if you use +url_for+ in your
     # controllers or your views, then you don't need to explicitly pass the <tt>:host</tt>
     # argument.
     #
-    # For convenience reasons, mailers provide a shortcut for ActionController::UrlFor#url_for.
-    # So within mailers, you only have to type +url_for+ instead of 'ActionController::UrlFor#url_for'
-    # in full. However, mailers don't have hostname information, and you still have to provide
-    # the +:host+ argument or set the default host that will be used in all mailers using the
-    # configuration option +config.action_mailer.default_url_options+. For more information on
-    # url_for in mailers read the ActionMailer#Base documentation.
+    # For convenience, mailers also include ActionDispatch::Routing::UrlFor. So
+    # within mailers, you can use url_for. However, mailers cannot access
+    # incoming web requests in order to derive hostname information, so you have
+    # to provide the +:host+ option or set the default host using
+    # +default_url_options+. For more information on url_for in mailers see the
+    # ActionMailer::Base documentation.
     #
     #
     # == URL generation for named routes
@@ -72,7 +72,7 @@ module ActionDispatch
     # This generates, among other things, the method <tt>users_path</tt>. By default,
     # this method is accessible from your controllers, views, and mailers. If you need
     # to access this auto-generated method from other places (such as a model), then
-    # you can do that by including Rails.application.routes.url_helpers in your class:
+    # you can do that by including <tt>Rails.application.routes.url_helpers</tt> in your class:
     #
     #   class User < ActiveRecord::Base
     #     include Rails.application.routes.url_helpers
@@ -115,11 +115,11 @@ module ActionDispatch
         default_url_options
       end
 
-      # Generate a URL based on the options provided, default_url_options, and the
-      # routes defined in routes.rb. The following options are supported:
+      # Generate a URL based on the options provided, +default_url_options+, and the
+      # routes defined in <tt>config/routes.rb</tt>. The following options are supported:
       #
       # * <tt>:only_path</tt> - If true, the relative URL is returned. Defaults to +false+.
-      # * <tt>:protocol</tt> - The protocol to connect to. Defaults to 'http'.
+      # * <tt>:protocol</tt> - The protocol to connect to. Defaults to <tt>"http"</tt>.
       # * <tt>:host</tt> - Specifies the host the link should be targeted at.
       #   If <tt>:only_path</tt> is false, this option must be
       #   provided either explicitly, or via +default_url_options+.
@@ -134,7 +134,7 @@ module ActionDispatch
       # * <tt>:port</tt> - Optionally specify the port to connect to.
       # * <tt>:anchor</tt> - An anchor name to be appended to the path.
       # * <tt>:params</tt> - The query parameters to be appended to the path.
-      # * <tt>:trailing_slash</tt> - If true, adds a trailing slash, as in "/archive/2009/"
+      # * <tt>:trailing_slash</tt> - If true, adds a trailing slash, as in <tt>"/archive/2009/"</tt>.
       # * <tt>:script_name</tt> - Specifies application path relative to domain root. If provided, prepends application path.
       #
       # Any other key (<tt>:controller</tt>, <tt>:action</tt>, etc.) given to

data/lib/action_dispatch/system_testing/browser.rb

@@ -26,7 +26,7 @@ module ActionDispatch
         yield options if block_given? && options
       end
 
-      # driver_path can be configured as a proc. The webdrivers gem uses this
+      # driver_path can be configured as a proc.
       # proc to update web drivers. Running this proc early allows us to only
       # update the webdriver once and avoid race conditions when using
       # parallel tests.

data/lib/action_dispatch/system_testing/driver.rb

@@ -56,7 +56,7 @@ module ActionDispatch
         end
 
         def browser_options
-          @options.merge(capabilities: @browser.options).compact
+          @options.merge(options: @browser.options).compact
         end
 
         def register_selenium(app)

data/lib/action_dispatch/testing/assertions/response.rb

@@ -20,7 +20,7 @@ module ActionDispatch
       #
       # You can also pass an explicit status number like <tt>assert_response(501)</tt>
       # or its symbolic equivalent <tt>assert_response(:not_implemented)</tt>.
-      # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list.
+      # See +Rack::Utils::SYMBOL_TO_STATUS_CODE+ for a full list.
       #
       #   # Asserts that the response was a redirection
       #   assert_response :redirect

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 0
-    TINY  = 4
-    PRE   = "3"
+    TINY  = 8
+    PRE   = "6"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end