actionpack 7.0.4 → 7.1.5.1

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -3,14 +3,14 @@
 require "ipaddr"
 
 module ActionDispatch
+  # = Action Dispatch \RemoteIp
+  #
   # This middleware calculates the IP address of the remote client that is
   # making the request. It does this by checking various headers that could
   # contain the address, and then picking the last-set address that is not
   # on the list of trusted IPs. This follows the precedent set by e.g.
-  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
-  # with {reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
-  # by @gingerlime. A more detailed explanation of the algorithm is given
-  # at GetIp#calculate_ip.
+  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453].
+  # A more detailed explanation of the algorithm is given at GetIp#calculate_ip.
   #
   # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
   # requires. Some Rack servers simply drop preceding headers, and only report
@@ -22,9 +22,10 @@ module ActionDispatch
   # This middleware assumes that there is at least one proxy sitting around
   # and setting headers with the client's remote IP address. If you don't use
   # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
-  # claim to have any IP address by setting the X-Forwarded-For header. If you
+  # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
   # care about that, then you need to explicitly drop or ignore those headers
-  # sometime before this middleware runs.
+  # sometime before this middleware runs. Alternatively, remove this middleware
+  # to avoid inadvertently relying on it.
   class RemoteIp
     class IpSpoofAttackError < StandardError; end
 
@@ -53,7 +54,7 @@ module ActionDispatch
     #
     # The +custom_proxies+ argument can take an enumerable which will be used
     # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
-    # want in the middle (or at the beginning) of the X-Forwarded-For list,
+    # want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
     # with your proxy servers after it. If your proxies aren't removed, pass
     # them in via the +custom_proxies+ parameter. That way, the middleware will
     # ignore those IP addresses, and return the one that you want.
@@ -65,9 +66,9 @@ module ActionDispatch
       elsif custom_proxies.respond_to?(:any?)
         custom_proxies
       else
-        ActiveSupport::Deprecation.warn(<<~EOM)
-          Setting config.action_dispatch.trusted_proxies to a single value has
-          been deprecated. Please set this to an enumerable instead. For
+        raise(ArgumentError, <<~EOM)
+          Setting config.action_dispatch.trusted_proxies to a single value isn't
+          supported. Please set this to an enumerable instead. For
           example, instead of:
 
           config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
@@ -76,10 +77,8 @@ module ActionDispatch
 
           config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
 
-          Note that unlike passing a single argument, passing an enumerable
-          will *replace* the default set of trusted proxies.
+          Note that passing an enumerable will *replace* the default set of trusted proxies.
         EOM
-        Array(custom_proxies) + TRUSTED_PROXIES
       end
     end
 
@@ -110,11 +109,11 @@ module ActionDispatch
       # REMOTE_ADDR will be correct if the request is made directly against the
       # Ruby process, on e.g. Heroku. When the request is proxied by another
       # server like HAProxy or NGINX, the IP address that made the original
-      # request will be put in an X-Forwarded-For header. If there are multiple
+      # request will be put in an +X-Forwarded-For+ header. If there are multiple
       # proxies, that header may contain a list of IPs. Other proxy services
-      # set the Client-Ip header instead, so we check that too.
+      # set the +Client-Ip+ header instead, so we check that too.
       #
-      # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
+      # As discussed in {this post about Rails IP Spoofing}[https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,
       # it could also have been set by the client maliciously.
       #
@@ -126,8 +125,8 @@ module ActionDispatch
         remote_addr = ips_from(@req.remote_addr).last
 
         # Could be a CSV list and/or repeated headers that were concatenated.
-        client_ips    = ips_from(@req.client_ip).reverse
-        forwarded_ips = ips_from(@req.x_forwarded_for).reverse
+        client_ips    = ips_from(@req.client_ip).reverse!
+        forwarded_ips = ips_from(@req.x_forwarded_for).reverse!
 
         # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
         # If they are both set, it means that either:
@@ -155,7 +154,8 @@ module ActionDispatch
         #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
         #   - Client-Ip is propagated from the outermost proxy, or is blank
         #   - REMOTE_ADDR will be the IP that made the request to Rack
-        ips = [forwarded_ips, client_ips].flatten.compact
+        ips = forwarded_ips + client_ips
+        ips.compact!
 
         # If every single IP option is in the trusted list, return the IP
         # that's furthest away
@@ -173,7 +173,7 @@ module ActionDispatch
         return [] unless header
         # Split the comma-separated list into an array of strings.
         ips = header.strip.split(/[,\s]+/)
-        ips.select do |ip|
+        ips.select! do |ip|
           # Only return IPs that are valid according to the IPAddr#new method.
           range = IPAddr.new(ip).to_range
           # We want to make sure nobody is sneaking a netmask in.
@@ -181,6 +181,7 @@ module ActionDispatch
         rescue ArgumentError
           nil
         end
+        ips
       end
 
       def filter_proxies(ips) # :doc:

data/lib/action_dispatch/middleware/request_id.rb

@@ -4,11 +4,13 @@ require "securerandom"
 require "active_support/core_ext/string/access"
 
 module ActionDispatch
+  # = Action Dispatch \RequestId
+  #
   # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
   # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
-  # the same id to the client via the X-Request-Id header.
+  # the same id to the client via the +X-Request-Id+ header.
   #
-  # The unique request id is either based on the X-Request-Id header in the request, which would typically be generated
+  # The unique request id is either based on the +X-Request-Id+ header in the request, which would typically be generated
   # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
   # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
   #

data/lib/action_dispatch/middleware/server_timing.rb

@@ -4,8 +4,6 @@ require "active_support/notifications"
 
 module ActionDispatch
   class ServerTiming
-    SERVER_TIMING_HEADER = "Server-Timing"
-
     class Subscriber # :nodoc:
       include Singleton
       KEY = :action_dispatch_server_timing_events
@@ -67,8 +65,10 @@ module ActionDispatch
         "%s;dur=%.2f" % [event_name, events_collection.sum(&:duration)]
       end
 
-      header_info.prepend(headers[SERVER_TIMING_HEADER]) if headers[SERVER_TIMING_HEADER].present?
-      headers[SERVER_TIMING_HEADER] = header_info.join(", ")
+      if headers[ActionDispatch::Constants::SERVER_TIMING].present?
+        header_info.prepend(headers[ActionDispatch::Constants::SERVER_TIMING])
+      end
+      headers[ActionDispatch::Constants::SERVER_TIMING] = header_info.join(", ")
 
       response
     end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -67,6 +67,11 @@ module ActionDispatch
     end
 
     module SessionObject # :nodoc:
+      def commit_session(req, res)
+        req.commit_csrf_token
+        super(req, res)
+      end
+
       def prepare_session(req)
         Request::Session.create(self, req, @default_options)
       end

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -4,6 +4,8 @@ require "action_dispatch/middleware/session/abstract_store"
 
 module ActionDispatch
   module Session
+    # = Action Dispatch Session \CacheStore
+    #
     # A session store that uses an ActiveSupport::Cache::Store to store the sessions. This store is most useful
     # if you don't store critical data in your sessions and you don't need them to live for extended periods
     # of time.

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -6,7 +6,9 @@ require "rack/session/cookie"
 
 module ActionDispatch
   module Session
-    # This cookie-based session store is the Rails default. It is
+    # = Action Dispatch Session \CookieStore
+    #
+    # This cookie-based session store is the \Rails default. It is
     # dramatically faster than the alternatives.
     #
     # Sessions typically contain at most a user ID and flash message; both fit
@@ -18,18 +20,18 @@ module ActionDispatch
     #
     # Your cookies will be encrypted using your application's +secret_key_base+. This
     # goes a step further than signed cookies in that encrypted cookies cannot
-    # be altered or read by users. This is the default starting in Rails 4.
+    # be altered or read by users. This is the default starting in \Rails 4.
     #
     # Configure your session store in an initializer:
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
     # In the development and test environments your application's +secret_key_base+ is
-    # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
+    # generated by \Rails and stored in a temporary file in <tt>tmp/local_secret.txt</tt>.
     # In all other environments, it is stored encrypted in the
     # <tt>config/credentials.yml.enc</tt> file.
     #
-    # If your application was not updated to Rails 5.2 defaults, the +secret_key_base+
+    # If your application was not updated to \Rails 5.2 defaults, the +secret_key_base+
     # will be found in the old <tt>config/secrets.yml</tt> file.
     #
     # Note that changing your +secret_key_base+ will invalidate all existing session.
@@ -56,8 +58,12 @@ module ActionDispatch
         end
       end
 
+      DEFAULT_SAME_SITE = proc { |request| request.cookies_same_site_protection } # :nodoc:
+
       def initialize(app, options = {})
-        super(app, options.merge!(cookie_only: true))
+        options[:cookie_only] = true
+        options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site)
+        super
       end
 
       def delete_session(req, session_id, options)

data/lib/action_dispatch/middleware/session/mem_cache_store.rb

@@ -4,12 +4,14 @@ require "action_dispatch/middleware/session/abstract_store"
 begin
   require "rack/session/dalli"
 rescue LoadError => e
-  $stderr.puts "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
+  warn "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
   raise e
 end
 
 module ActionDispatch
   module Session
+    # = Action Dispatch Session \MemCacheStore
+    #
     # A session store that uses MemCache to implement storage.
     #
     # ==== Options

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -3,18 +3,24 @@
 require "action_dispatch/middleware/exception_wrapper"
 
 module ActionDispatch
+  # = Action Dispatch \ShowExceptions
+  #
   # This middleware rescues any exception returned by the application
   # and calls an exceptions app that will wrap it in a format for the end user.
   #
-  # The exceptions app should be passed as parameter on initialization
-  # of ShowExceptions. Every time there is an exception, ShowExceptions will
-  # store the exception in env["action_dispatch.exception"], rewrite the
-  # PATH_INFO to the exception status code and call the Rack app.
+  # The exceptions app should be passed as a parameter on initialization of
+  # +ShowExceptions+. Every time there is an exception, +ShowExceptions+ will
+  # store the exception in <tt>env["action_dispatch.exception"]</tt>, rewrite
+  # the +PATH_INFO+ to the exception status code, and call the Rack app.
+  #
+  # In \Rails applications, the exceptions app can be configured with
+  # +config.exceptions_app+, which defaults to ActionDispatch::PublicExceptions.
   #
-  # If the application returns a "X-Cascade" pass response, this middleware
-  # will send an empty response as result with the correct status code.
-  # If any exception happens inside the exceptions app, this middleware
-  # catches the exceptions and returns a failsafe response.
+  # If the application returns a response with the <tt>X-Cascade</tt> header
+  # set to <tt>"pass"</tt>, this middleware will send an empty response as a
+  # result with the correct status code. If any exception happens inside the
+  # exceptions app, this middleware catches the exceptions and returns a
+  # failsafe response.
   class ShowExceptions
     def initialize(app, exceptions_app)
       @app = app
@@ -22,33 +28,35 @@ module ActionDispatch
     end
 
     def call(env)
-      request = ActionDispatch::Request.new env
       @app.call(env)
     rescue Exception => exception
-      if request.show_exceptions?
-        render_exception(request, exception)
+      request = ActionDispatch::Request.new env
+      backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
+      wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
+      request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
+      request.set_header "action_dispatch.report_exception", !wrapper.rescue_response?
+
+      if wrapper.show?(request)
+        render_exception(request.dup, wrapper)
       else
         raise exception
       end
     end
 
     private
-      def render_exception(request, exception)
-        backtrace_cleaner = request.get_header "action_dispatch.backtrace_cleaner"
-        wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
-        status  = wrapper.status_code
-        request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
+      def render_exception(request, wrapper)
+        status = wrapper.status_code
         request.set_header "action_dispatch.original_path", request.path_info
         request.set_header "action_dispatch.original_request_method", request.raw_request_method
         fallback_to_html_format_if_invalid_mime_type(request)
         request.path_info = "/#{status}"
         request.request_method = "GET"
         response = @exceptions_app.call(request.env)
-        response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
+        response[1][Constants::X_CASCADE] == "pass" ? pass_response(status) : response
       rescue Exception => failsafe_error
         $stderr.puts "Error during failsafe response: #{failsafe_error}\n  #{failsafe_error.backtrace * "\n  "}"
 
-        [500, { "Content-Type" => "text/plain" },
+        [500, { Rack::CONTENT_TYPE => "text/plain; charset=utf-8" },
           ["500 Internal Server Error\n" \
           "If you are the administrator of this website, then please read this web " \
           "application's log file and/or the web server's log file to find out what " \
@@ -59,13 +67,22 @@ module ActionDispatch
         # If the MIME type for the request is invalid then the
         # @exceptions_app may not be able to handle it. To make it
         # easier to handle, we switch to HTML.
-        request.formats
-      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
-        request.set_header "HTTP_ACCEPT", "text/html"
+        begin
+          request.content_mime_type
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "CONTENT_TYPE", "text/html"
+        end
+
+        begin
+          request.formats
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "HTTP_ACCEPT", "text/html"
+        end
       end
 
       def pass_response(status)
-        [status, { "Content-Type" => "text/html; charset=#{Response.default_charset}", "Content-Length" => "0" }, []]
+        [status, { Rack::CONTENT_TYPE => "text/html; charset=#{Response.default_charset}",
+                  Rack::CONTENT_LENGTH => "0" }, []]
       end
   end
 end

data/lib/action_dispatch/middleware/ssl.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \SSL
+  #
   # This middleware is added to the stack when <tt>config.force_ssl = true</tt>, and is passed
   # the options set in +config.ssl_options+. It does three jobs to enforce secure HTTP
   # requests:
@@ -86,7 +88,7 @@ module ActionDispatch
 
     private
       def set_hsts_header!(headers)
-        headers["Strict-Transport-Security"] ||= @hsts_header
+        headers[Constants::STRICT_TRANSPORT_SECURITY] ||= @hsts_header
       end
 
       def normalize_hsts_options(options)
@@ -112,23 +114,33 @@ module ActionDispatch
       end
 
       def flag_cookies_as_secure!(headers)
-        if cookies = headers["Set-Cookie"]
-          cookies = cookies.split("\n")
+        cookies = headers[Rack::SET_COOKIE]
+        return unless cookies
 
-          headers["Set-Cookie"] = cookies.map { |cookie|
+        if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+          cookies = cookies.split("\n")
+          headers[Rack::SET_COOKIE] = cookies.map { |cookie|
             if !/;\s*secure\s*(;|$)/i.match?(cookie)
               "#{cookie}; secure"
             else
               cookie
             end
           }.join("\n")
+        else
+          headers[Rack::SET_COOKIE] = Array(cookies).map do |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          end
         end
       end
 
       def redirect_to_https(request)
         [ @redirect.fetch(:status, redirection_status(request)),
-          { "Content-Type" => "text/html",
-            "Location" => https_location_for(request) },
+          { Rack::CONTENT_TYPE => "text/html; charset=utf-8",
+            Constants::LOCATION => https_location_for(request) },
           (@redirect[:body] || []) ]
       end
 

data/lib/action_dispatch/middleware/stack.rb

@@ -4,6 +4,11 @@ require "active_support/inflector/methods"
 require "active_support/dependencies"
 
 module ActionDispatch
+  # = Action Dispatch \MiddlewareStack
+  #
+  # Read more about {Rails middleware
+  # stack}[https://guides.rubyonrails.org/rails_on_rack.html#action-dispatcher-middleware-stack]
+  # in the guides.
   class MiddlewareStack
     class Middleware
       attr_reader :args, :block, :klass
@@ -20,13 +25,13 @@ module ActionDispatch
         case middleware
         when Middleware
           klass == middleware.klass
-        when Class
+        when Module
           klass == middleware
         end
       end
 
       def inspect
-        if klass.is_a?(Class)
+        if klass.is_a?(Module)
           klass.to_s
         else
           klass.class.to_s

data/lib/action_dispatch/middleware/static.rb

@@ -3,10 +3,12 @@
 require "rack/utils"
 
 module ActionDispatch
+  # = Action Dispatch \Static
+  #
   # This middleware serves static files from disk, if available.
   # If no file is found, it hands off to the main app.
   #
-  # In Rails apps, this middleware is configured to serve assets from
+  # In \Rails apps, this middleware is configured to serve assets from
   # the +public/+ directory.
   #
   # Only GET and HEAD requests are served. POST and other HTTP methods
@@ -24,22 +26,24 @@ module ActionDispatch
     end
   end
 
-  # This endpoint serves static files from disk using Rack::File.
+  # = Action Dispatch \FileHandler
+  #
+  # This endpoint serves static files from disk using +Rack::Files+.
   #
   # URL paths are matched with static files according to expected
   # conventions: +path+, +path+.html, +path+/index.html.
   #
   # Precompressed versions of these files are checked first. Brotli (.br)
   # and gzip (.gz) files are supported. If +path+.br exists, this
-  # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
+  # endpoint returns that file with a <tt>content-encoding: br</tt> header.
   #
-  # If no matching file is found, this endpoint responds 404 Not Found.
+  # If no matching file is found, this endpoint responds <tt>404 Not Found</tt>.
   #
   # Pass the +root+ directory to search for matching files, an optional
   # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
   # additional response headers.
   class FileHandler
-    # Accept-Encoding value -> file extension
+    # +Accept-Encoding+ value -> file extension
     PRECOMPRESSED = {
       "br" => ".br",
       "gzip" => ".gz",
@@ -53,7 +57,7 @@ module ActionDispatch
       @precompressed = Array(precompressed).map(&:to_s) | %w[ identity ]
       @compressible_content_types = compressible_content_types
 
-      @file_server = ::Rack::File.new(@root, headers)
+      @file_server = ::Rack::Files.new(@root, headers)
     end
 
     def call(env)
@@ -76,7 +80,7 @@ module ActionDispatch
           request.path_info, ::Rack::Utils.escape_path(filepath).b
 
         @file_server.call(request.env).tap do |status, headers, body|
-          # Omit Content-Encoding/Type/etc headers for 304 Not Modified
+          # Omit content-encoding/type/etc headers for 304 Not Modified
           if status != 304
             headers.update(content_headers)
           end
@@ -104,7 +108,7 @@ module ActionDispatch
       end
 
       def try_files(filepath, content_type, accept_encoding:)
-        headers = { "Content-Type" => content_type }
+        headers = { Rack::CONTENT_TYPE => content_type }
 
         if compressible? content_type
           try_precompressed_files filepath, headers, accept_encoding: accept_encoding
@@ -124,10 +128,10 @@ module ActionDispatch
             if content_encoding == "identity"
               return precompressed_filepath, headers
             else
-              headers["Vary"] = "Accept-Encoding"
+              headers[ActionDispatch::Constants::VARY] = "accept-encoding"
 
               if accept_encoding.any? { |enc, _| /\b#{content_encoding}\b/i.match?(enc) }
-                headers["Content-Encoding"] = content_encoding
+                headers[ActionDispatch::Constants::CONTENT_ENCODING] = content_encoding
                 return precompressed_filepath, headers
               end
             end

data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb

@@ -1,10 +1,10 @@
-<% actions = ActiveSupport::ActionableError.actions(exception) %>
+<% actions = exception_wrapper.actions %>
 
 <% if actions.any? %>
   <div class="actions">
     <% actions.each do |action, _| %>
       <%= button_to action, ActionDispatch::ActionableExceptions.endpoint, params: {
-        error: exception.class.name,
+        error: exception_wrapper.exception_class_name,
         action: action,
         location: request.path
       } %>

data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb

@@ -1,11 +1,11 @@
-<% if exception.respond_to?(:original_message) && exception.respond_to?(:corrections) %>
+<% if exception_wrapper.has_corrections? %>
   <div class="exception-message">
-    <%= simple_format h(exception.original_message), { class: "message" }, wrapper_tag: "div" %>
+    <%= simple_format h(exception_wrapper.original_message), { class: "message" }, wrapper_tag: "div" %>
   </div>
   <%
     # The 'did_you_mean' gem can raise exceptions when calling #corrections on
     # the exception. If it does there are no corrections to show.
-    corrections = exception.corrections rescue []
+    corrections = exception_wrapper.corrections rescue []
   %>
   <% if corrections.any? %>
     <b>Did you mean?</b>
@@ -17,6 +17,6 @@
   <% end %>
 <% else %>
   <div class="exception-message">
-    <%= simple_format h(exception.message), { class: "message" }, wrapper_tag: "div" %>
+    <%= simple_format h(exception_wrapper.message), { class: "message" }, wrapper_tag: "div" %>
   </div>
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb

@@ -18,12 +18,19 @@
             </td>
 <td width="100%">
 <pre>
-<% source_extract[:code].each do |line, source| -%><div class="line<%= " active" if line == source_extract[:line_number] -%>"><%= source -%></div><% end -%>
+<% source_extract[:code].each do |line, source| -%>
+<div class="line<%= " active" if line == source_extract[:line_number] -%>"><% if source.is_a?(Array) -%><%= source[0] -%><span class="error_highlight"><%= source[1] -%></span><%= source[2] -%>
+<% else -%>
+<%= source -%>
+<% end -%></div><% end -%>
 </pre>
 </td>
           </tr>
         </table>
       </div>
+      <%- unless self.error_highlight_available? -%>
+        <p class="error_highlight_tip">Tip: You may want to add <code>gem 'error_highlight', '&gt;= 0.4.0'</code> into your Gemfile, which will display the fine-grained error location.</p>
+      <%- end -%>
     </div>
   <% end %>
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -1,8 +1,12 @@
 <header>
-  <h1>Blocked host: <%= @host %></h1>
+  <h1>Blocked hosts: <%= @hosts.join(", ") %></h1>
 </header>
 <main role="main" id="container">
-  <h2>To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
-  <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
+  <h2>To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:</h2>
+  <pre>
+  <% @hosts.each do |host| %>
+    config.hosts &lt;&lt; "<%= host %>"
+  <% end %>
+  </pre>
   <p>For more details view: <a href="https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization">the Host Authorization guide</a></p>
 </main>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -1,7 +1,9 @@
-Blocked host: <%= @host %>
+Blocked hosts: <%= @hosts.join(", ") %>
 
-To allow requests to <%= @host %> make sure it is a valid hostname (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
+To allow requests to these hosts, make sure they are valid hostnames (containing only numbers, letters, dashes and dots), then add the following to your environment configuration:
 
-  config.hosts << "<%= @host %>"
+<% @hosts.each do |host| %>
+  config.hosts << "<%= host %>"
+<% end %>
 
 For more details on host authorization view: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -1,6 +1,6 @@
 <header>
   <h1>
-    <%= @exception.class.to_s %>
+    <%= @exception_wrapper.exception_class_name %>
     <% if params_valid? && @request.parameters['controller'] %>
       in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
     <% end %>
@@ -8,24 +8,24 @@
 </header>
 
 <main role="main" id="container">
-  <%= render "rescues/message_and_suggestions", exception: @exception %>
-  <%= render "rescues/actions", exception: @exception, request: @request %>
+  <%= render "rescues/message_and_suggestions", exception: @exception, exception_wrapper: @exception_wrapper %>
+  <%= render "rescues/actions", exception: @exception, request: @request, exception_wrapper: @exception_wrapper %>
 
   <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx, error_index: 0 %>
   <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show, error_index: 0 %>
 
-  <% if @exception.cause %>
+  <% if @exception_wrapper.has_cause? %>
     <h2>Exception Causes</h2>
   <% end %>
 
   <% @exception_wrapper.wrapped_causes.each.with_index(1) do |wrapper, index| %>
     <div class="details">
-      <a class="summary" href="#" onclick="return toggle(<%= wrapper.exception.object_id %>)">
-        <%= wrapper.exception.class.name %>: <%= h wrapper.exception.message %>
+      <a class="summary" href="#" onclick="return toggle(<%= wrapper.exception_id %>)">
+        <%= wrapper.exception_class_name %>: <%= h wrapper.message %>
       </a>
     </div>
 
-    <div id="<%= wrapper.exception.object_id %>" class="hidden">
+    <div id="<%= wrapper.exception_id %>" class="hidden">
       <%= render "rescues/source", source_extracts: wrapper.source_extracts, show_source_idx: wrapper.source_to_show_id, error_index: index %>
       <%= render "rescues/trace", traces: wrapper.traces, trace_to_show: wrapper.trace_to_show, error_index: index %>
     </div>