RubyGems - actionpack - Versions diffs - 7.0.8 → 7.1.1 - Mend

actionpack 7.0.8 → 7.1.1

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (135) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +327 -371
data/MIT-LICENSE +1 -1
data/README.rdoc +2 -2
data/lib/abstract_controller/base.rb +20 -11
data/lib/abstract_controller/caching/fragments.rb +2 -0
data/lib/abstract_controller/callbacks.rb +31 -6
data/lib/abstract_controller/deprecator.rb +7 -0
data/lib/abstract_controller/helpers.rb +61 -18
data/lib/abstract_controller/railties/routes_helpers.rb +1 -16
data/lib/abstract_controller/rendering.rb +3 -3
data/lib/abstract_controller/translation.rb +1 -5
data/lib/abstract_controller/url_for.rb +2 -0
data/lib/abstract_controller.rb +6 -0
data/lib/action_controller/api.rb +5 -3
data/lib/action_controller/base.rb +3 -17
data/lib/action_controller/caching.rb +2 -0
data/lib/action_controller/deprecator.rb +7 -0
data/lib/action_controller/form_builder.rb +2 -0
data/lib/action_controller/log_subscriber.rb +16 -4
data/lib/action_controller/metal/content_security_policy.rb +1 -1
data/lib/action_controller/metal/data_streaming.rb +2 -0
data/lib/action_controller/metal/default_headers.rb +2 -0
data/lib/action_controller/metal/etag_with_flash.rb +2 -0
data/lib/action_controller/metal/etag_with_template_digest.rb +2 -0
data/lib/action_controller/metal/exceptions.rb +8 -0
data/lib/action_controller/metal/head.rb +8 -6
data/lib/action_controller/metal/helpers.rb +3 -14
data/lib/action_controller/metal/http_authentication.rb +16 -7
data/lib/action_controller/metal/implicit_render.rb +5 -3
data/lib/action_controller/metal/instrumentation.rb +8 -1
data/lib/action_controller/metal/live.rb +24 -0
data/lib/action_controller/metal/mime_responds.rb +2 -2
data/lib/action_controller/metal/params_wrapper.rb +3 -1
data/lib/action_controller/metal/permissions_policy.rb +1 -1
data/lib/action_controller/metal/redirecting.rb +6 -6
data/lib/action_controller/metal/renderers.rb +2 -2
data/lib/action_controller/metal/rendering.rb +0 -7
data/lib/action_controller/metal/request_forgery_protection.rb +139 -50
data/lib/action_controller/metal/rescue.rb +2 -0
data/lib/action_controller/metal/streaming.rb +70 -30
data/lib/action_controller/metal/strong_parameters.rb +126 -52
data/lib/action_controller/metal/url_for.rb +7 -0
data/lib/action_controller/metal.rb +79 -21
data/lib/action_controller/railtie.rb +22 -9
data/lib/action_controller/renderer.rb +98 -65
data/lib/action_controller/test_case.rb +15 -5
data/lib/action_controller.rb +8 -1
data/lib/action_dispatch/constants.rb +32 -0
data/lib/action_dispatch/deprecator.rb +7 -0
data/lib/action_dispatch/http/cache.rb +1 -3
data/lib/action_dispatch/http/content_security_policy.rb +9 -8
data/lib/action_dispatch/http/filter_parameters.rb +11 -5
data/lib/action_dispatch/http/headers.rb +2 -0
data/lib/action_dispatch/http/mime_negotiation.rb +21 -21
data/lib/action_dispatch/http/mime_type.rb +35 -12
data/lib/action_dispatch/http/mime_types.rb +3 -1
data/lib/action_dispatch/http/parameters.rb +1 -1
data/lib/action_dispatch/http/permissions_policy.rb +39 -17
data/lib/action_dispatch/http/rack_cache.rb +2 -0
data/lib/action_dispatch/http/request.rb +48 -14
data/lib/action_dispatch/http/response.rb +78 -59
data/lib/action_dispatch/http/upload.rb +2 -0
data/lib/action_dispatch/journey/formatter.rb +8 -2
data/lib/action_dispatch/journey/path/pattern.rb +14 -14
data/lib/action_dispatch/journey/route.rb +3 -2
data/lib/action_dispatch/journey/router.rb +9 -8
data/lib/action_dispatch/journey/routes.rb +2 -2
data/lib/action_dispatch/log_subscriber.rb +23 -0
data/lib/action_dispatch/middleware/actionable_exceptions.rb +5 -6
data/lib/action_dispatch/middleware/assume_ssl.rb +24 -0
data/lib/action_dispatch/middleware/callbacks.rb +2 -0
data/lib/action_dispatch/middleware/cookies.rb +81 -98
data/lib/action_dispatch/middleware/debug_exceptions.rb +26 -25
data/lib/action_dispatch/middleware/debug_locks.rb +4 -1
data/lib/action_dispatch/middleware/debug_view.rb +7 -2
data/lib/action_dispatch/middleware/exception_wrapper.rb +181 -27
data/lib/action_dispatch/middleware/executor.rb +1 -1
data/lib/action_dispatch/middleware/flash.rb +7 -0
data/lib/action_dispatch/middleware/host_authorization.rb +6 -3
data/lib/action_dispatch/middleware/public_exceptions.rb +5 -3
data/lib/action_dispatch/middleware/reloader.rb +7 -5
data/lib/action_dispatch/middleware/remote_ip.rb +17 -16
data/lib/action_dispatch/middleware/request_id.rb +2 -0
data/lib/action_dispatch/middleware/server_timing.rb +4 -4
data/lib/action_dispatch/middleware/session/abstract_store.rb +5 -0
data/lib/action_dispatch/middleware/session/cache_store.rb +2 -0
data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -5
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +3 -1
data/lib/action_dispatch/middleware/show_exceptions.rb +19 -15
data/lib/action_dispatch/middleware/ssl.rb +18 -6
data/lib/action_dispatch/middleware/stack.rb +7 -2
data/lib/action_dispatch/middleware/static.rb +12 -8
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +8 -1
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +7 -7
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +17 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +16 -12
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +3 -0
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +46 -37
data/lib/action_dispatch/railtie.rb +14 -4
data/lib/action_dispatch/request/session.rb +16 -6
data/lib/action_dispatch/request/utils.rb +8 -3
data/lib/action_dispatch/routing/inspector.rb +54 -6
data/lib/action_dispatch/routing/mapper.rb +26 -14
data/lib/action_dispatch/routing/polymorphic_routes.rb +2 -0
data/lib/action_dispatch/routing/redirection.rb +15 -6
data/lib/action_dispatch/routing/route_set.rb +52 -22
data/lib/action_dispatch/routing/routes_proxy.rb +1 -1
data/lib/action_dispatch/routing/url_for.rb +5 -1
data/lib/action_dispatch/routing.rb +4 -4
data/lib/action_dispatch/system_test_case.rb +3 -3
data/lib/action_dispatch/system_testing/browser.rb +5 -6
data/lib/action_dispatch/system_testing/driver.rb +13 -21
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +27 -16
data/lib/action_dispatch/testing/assertions/response.rb +13 -6
data/lib/action_dispatch/testing/assertions/routing.rb +67 -28
data/lib/action_dispatch/testing/assertions.rb +3 -1
data/lib/action_dispatch/testing/integration.rb +27 -17
data/lib/action_dispatch/testing/request_encoder.rb +4 -1
data/lib/action_dispatch/testing/test_process.rb +4 -3
data/lib/action_dispatch/testing/test_request.rb +1 -1
data/lib/action_dispatch/testing/test_response.rb +23 -9
data/lib/action_dispatch.rb +37 -4
data/lib/action_pack/gem_version.rb +3 -3
data/lib/action_pack/version.rb +1 -1
data/lib/action_pack.rb +1 -1
metadata +49 -27

data/lib/action_dispatch/journey/formatter.rb CHANGED Viewed

@@ -57,6 +57,9 @@ module ActionDispatch
       end
       def generate(name, options, path_parameters)
+        original_options = options.dup
+        path_params = options.delete(:path_params) || {}
+        options = path_params.merge(options)
         constraints = path_parameters.merge(options)
         missing_keys = nil
@@ -70,8 +73,11 @@ module ActionDispatch
           missing_keys = missing_keys(route, parameterized_parts)
           next if missing_keys && !missing_keys.empty?
-          params = options.dup.delete_if do |key, _|
-            parameterized_parts.key?(key) || route.defaults.key?(key)
+          params = options.delete_if do |key, _|
+            # top-level params' normal behavior of generating query_params
+            # should be preserved even if the same key is also a bind_param
+            parameterized_parts.key?(key) || route.defaults.key?(key) ||
+              (path_params.key?(key) && !original_options.key?(key))
           end
           defaults       = route.defaults

data/lib/action_dispatch/journey/path/pattern.rb CHANGED Viewed

@@ -183,22 +183,22 @@ module ActionDispatch
           end
           def offsets
-            return @offsets if @offsets
-            @offsets = [0]
-            spec.find_all(&:symbol?).each do |node|
-              node = node.to_sym
-              if @requirements.key?(node)
-                re = /#{Regexp.union(@requirements[node])}|/
-                @offsets.push((re.match("").length - 1) + @offsets.last)
-              else
-                @offsets << @offsets.last
+            @offsets ||= begin
+              offsets = [0]
+              spec.find_all(&:symbol?).each do |node|
+                node = node.to_sym
+                if @requirements.key?(node)
+                  re = /#{Regexp.union(@requirements[node])}|/
+                  offsets.push((re.match("").length - 1) + offsets.last)
+                else
+                  offsets << offsets.last
+                end
               end
-            end
-            @offsets
+              offsets
+            end
           end
       end
     end

data/lib/action_dispatch/journey/route.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module ActionDispatch
   module Journey
     class Route
       attr_reader :app, :path, :defaults, :name, :precedence, :constraints,
-                  :internal, :scope_options, :ast
+                  :internal, :scope_options, :ast, :source_location
       alias :conditions :constraints
@@ -53,7 +53,7 @@ module ActionDispatch
       ##
       # +path+ is a path constraint.
       # +constraints+ is a hash of constraints to be applied to this route.
-      def initialize(name:, app: nil, path:, constraints: {}, required_defaults: [], defaults: {}, request_method_match: nil, precedence: 0, scope_options: {}, internal: false)
+      def initialize(name:, app: nil, path:, constraints: {}, required_defaults: [], defaults: {}, request_method_match: nil, precedence: 0, scope_options: {}, internal: false, source_location: nil)
         @name        = name
         @app         = app
         @path        = path
@@ -69,6 +69,7 @@ module ActionDispatch
         @path_formatter    = @path.build_formatter
         @scope_options     = scope_options
         @internal          = internal
+        @source_location   = source_location
         @ast = @path.ast.root
         @path.ast.route = self

data/lib/action_dispatch/journey/router.rb CHANGED Viewed

@@ -29,7 +29,7 @@ module ActionDispatch
       end
       def serve(req)
-        find_routes(req).each do |match, parameters, route|
+        find_routes(req) do |match, parameters, route|
           set_params  = req.path_parameters
           path_info   = req.path_info
           script_name = req.script_name
@@ -46,24 +46,25 @@ module ActionDispatch
           }
           req.path_parameters = tmp_params
+          req.route_uri_pattern = route.path.spec.to_s
-          status, headers, body = route.app.serve(req)
+          _, headers, _ = response = route.app.serve(req)
-          if "pass" == headers["X-Cascade"]
+          if "pass" == headers[Constants::X_CASCADE]
             req.script_name     = script_name
             req.path_info       = path_info
             req.path_parameters = set_params
             next
           end
-          return [status, headers, body]
+          return response
         end
-        [404, { "X-Cascade" => "pass" }, ["Not Found"]]
+        [404, { Constants::X_CASCADE => "pass" }, ["Not Found"]]
       end
       def recognize(rails_req)
-        find_routes(rails_req).each do |match, parameters, route|
+        find_routes(rails_req) do |match, parameters, route|
           unless route.path.anchored
             rails_req.script_name = match.to_s
             rails_req.path_info   = match.post_match
@@ -120,14 +121,14 @@ module ActionDispatch
           routes.sort_by!(&:precedence)
-          routes.map! { |r|
+          routes.each { |r|
             match_data = r.path.match(path_info)
             path_parameters = {}
             match_data.names.each_with_index { |name, i|
               val = match_data[i + 1]
               path_parameters[name.to_sym] = Utils.unescape_uri(val) if val
             }
-            [match_data, path_parameters, r]
+            yield [match_data, path_parameters, r]
           }
         end

data/lib/action_dispatch/journey/routes.rb CHANGED Viewed

@@ -9,8 +9,8 @@ module ActionDispatch
       attr_reader :routes, :custom_routes, :anchored_routes
-      def initialize
-        @routes             = []
+      def initialize(routes = [])
+        @routes             = routes
         @ast                = nil
         @anchored_routes    = []
         @custom_routes      = []

data/lib/action_dispatch/log_subscriber.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module ActionDispatch
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    def redirect(event)
+      payload = event.payload
+      info { "Redirected to #{payload[:location]}" }
+      info do
+        status = payload[:status]
+        message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
+        message
+      end
+    end
+    subscribe_log_level :redirect, :info
+  end
+end
+ActionDispatch::LogSubscriber.attach_to :action_dispatch

data/lib/action_dispatch/middleware/actionable_exceptions.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
-require "erb"
 require "uri"
 require "active_support/actionable_error"
@@ -30,15 +29,15 @@ module ActionDispatch
         uri = URI.parse location
         if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
-          body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+          body = ""
         else
-          return [400, { "Content-Type" => "text/plain" }, ["Invalid redirection URI"]]
+          return [400, { Rack::CONTENT_TYPE => "text/plain; charset=utf-8" }, ["Invalid redirection URI"]]
         end
         [302, {
-          "Content-Type" => "text/html; charset=#{Response.default_charset}",
-          "Content-Length" => body.bytesize.to_s,
-          "Location" => location,
+          Rack::CONTENT_TYPE => "text/html; charset=#{Response.default_charset}",
+          Rack::CONTENT_LENGTH => body.bytesize.to_s,
+          ActionDispatch::Constants::LOCATION => location,
         }, [body]]
       end
   end

data/lib/action_dispatch/middleware/assume_ssl.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module ActionDispatch
+  # = Action Dispatch \AssumeSSL
+  #
+  # When proxying through a load balancer that terminates SSL, the forwarded request will appear
+  # as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
+  # security target HTTP instead of HTTPS. This middleware makes the server assume that the
+  # proxy already terminated SSL, and that the request really is HTTPS.
+  class AssumeSSL
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      env["HTTPS"] = "on"
+      env["HTTP_X_FORWARDED_PORT"] = "443"
+      env["HTTP_X_FORWARDED_PROTO"] = "https"
+      env["rack.url_scheme"] = "https"
+      @app.call(env)
+    end
+  end
+end

data/lib/action_dispatch/middleware/callbacks.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 module ActionDispatch
+  # = Action Dispatch \Callbacks
+  #
   # Provides callbacks to be executed before and after dispatching the request.
   class Callbacks
     include ActiveSupport::Callbacks

data/lib/action_dispatch/middleware/cookies.rb CHANGED Viewed

@@ -70,7 +70,7 @@ module ActionDispatch
     end
     def cookies_same_site_protection
-      get_header(Cookies::COOKIES_SAME_SITE_PROTECTION) || Proc.new { }
+      get_header(Cookies::COOKIES_SAME_SITE_PROTECTION)&.call(self)
     end
     def cookies_digest
@@ -92,7 +92,7 @@ module ActionDispatch
     include RequestCookieMethods
   end
-  # Read and write data to cookies through ActionController::Base#cookies.
+  # Read and write data to cookies through ActionController::Cookies#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
   # When writing cookie data, the data is sent out in the HTTP response header, +Set-Cookie+.
@@ -160,13 +160,18 @@ module ActionDispatch
   #   to <tt>:all</tt>. To support multiple domains, provide an array, and
   #   the first domain matching <tt>request.host</tt> will be used. Make
   #   sure to specify the <tt>:domain</tt> option with <tt>:all</tt> or
-  #   <tt>Array</tt> again when deleting cookies.
+  #   <tt>Array</tt> again when deleting cookies. For more flexibility you
+  #   can set the domain on a per-request basis by specifying <tt>:domain</tt>
+  #   with a proc.
   #
   #     domain: nil  # Does not set cookie domain. (default)
   #     domain: :all # Allow the cookie for the top most level
   #                  # domain and subdomains.
   #     domain: %w(.example.com .example.org) # Allow the cookie
   #                                           # for concrete domain names.
+  #     domain: proc { Tenant.current.cookie_domain } # Set cookie domain dynamically
+  #     domain: proc { |req| ".sub.#{req.host}" }     # Set cookie domain dynamically based on request
+  #
   #
   # * <tt>:tld_length</tt> - When using <tt>:domain => :all</tt>, this option can be used to explicitly
   #   set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD.
@@ -178,7 +183,8 @@ module ActionDispatch
   #   only HTTP. Defaults to +false+.
   # * <tt>:same_site</tt> - The value of the +SameSite+ cookie attribute, which
   #   determines how this cookie should be restricted in cross-site contexts.
-  #   Possible values are +:none+, +:lax+, and +:strict+. Defaults to +:lax+.
+  #   Possible values are +nil+, +:none+, +:lax+, and +:strict+. Defaults to
+  #   +:lax+.
   class Cookies
     HTTP_HEADER   = "Set-Cookie"
     GENERATOR_KEY = "action_dispatch.key_generator"
@@ -376,6 +382,8 @@ module ActionDispatch
       # Removes the cookie on the client machine by setting the value to an empty string
       # and the expiration date in the past. Like <tt>[]=</tt>, you can pass in
       # an options hash to delete cookies with extra data such as a <tt>:path</tt>.
+      #
+      # Returns the value of the cookie, or +nil+ if the cookie does not exist.
       def delete(name, options = {})
         return unless @cookies.has_key? name.to_s
@@ -401,9 +409,15 @@ module ActionDispatch
         @cookies.each_key { |k| delete(k, options) }
       end
-      def write(headers)
-        if header = make_set_cookie_header(headers[HTTP_HEADER])
-          headers[HTTP_HEADER] = header
+      def write(response)
+        @set_cookies.each do |name, value|
+          if write_cookie?(value)
+            response.set_cookie(name, value)
+          end
+        end
+        @delete_cookies.each do |name, value|
+          response.delete_cookie(name, value)
         end
       end
@@ -414,19 +428,6 @@ module ActionDispatch
           ::Rack::Utils.escape(string)
         end
-        def make_set_cookie_header(header)
-          header = @set_cookies.inject(header) { |m, (k, v)|
-            if write_cookie?(v)
-              ::Rack::Utils.add_cookie_to_header(m, k, v)
-            else
-              m
-            end
-          }
-          @delete_cookies.inject(header) { |m, (k, v)|
-            ::Rack::Utils.add_remove_cookie_to_header(m, k, v)
-          }
-        end
         def write_cookie?(cookie)
           request.ssl? || !cookie[:secure] || always_write_cookie || request.host.end_with?(".onion")
         end
@@ -438,8 +439,9 @@ module ActionDispatch
           options[:path]      ||= "/"
-          cookies_same_site_protection = request.cookies_same_site_protection
-          options[:same_site] ||= cookies_same_site_protection.call(request)
+          unless options.key?(:same_site)
+            options[:same_site] = request.cookies_same_site_protection
+          end
           if options[:domain] == :all || options[:domain] == "all"
             cookie_domain = ""
@@ -470,7 +472,7 @@ module ActionDispatch
             end
             options[:domain] = if cookie_domain.present?
-              ".#{cookie_domain}"
+              cookie_domain
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.
@@ -478,6 +480,8 @@ module ActionDispatch
               domain = domain.delete_prefix(".")
               request.host == domain || request.host.end_with?(".#{domain}")
             end
+          elsif options[:domain].respond_to?(:call)
+            options[:domain] = options[:domain].call(request)
           end
         end
     end
@@ -541,75 +545,57 @@ module ActionDispatch
         end
     end
-    class MarshalWithJsonFallback # :nodoc:
-      def self.load(value)
-        Marshal.load(value)
-      rescue TypeError => e
-        ActiveSupport::JSON.decode(value) rescue raise e
-      end
-      def self.dump(value)
-        Marshal.dump(value)
-      end
-    end
-    class JsonSerializer # :nodoc:
-      def self.load(value)
-        ActiveSupport::JSON.decode(value)
-      end
-      def self.dump(value)
-        ActiveSupport::JSON.encode(value)
-      end
-    end
     module SerializedCookieJars # :nodoc:
-      MARSHAL_SIGNATURE = "\x04\x08"
       SERIALIZER = ActiveSupport::MessageEncryptor::NullSerializer
       protected
-        def needs_migration?(value)
-          request.cookies_serializer == :hybrid && value.start_with?(MARSHAL_SIGNATURE)
+        def digest
+          request.cookies_digest || "SHA1"
         end
-        def serialize(value)
-          serializer.dump(value)
+      private
+        def serializer
+          @serializer ||=
+            case request.cookies_serializer
+            when nil
+              ActiveSupport::Messages::SerializerWithFallback[:marshal]
+            when :hybrid
+              ActiveSupport::Messages::SerializerWithFallback[:json_allow_marshal]
+            when Symbol
+              ActiveSupport::Messages::SerializerWithFallback[request.cookies_serializer]
+            else
+              request.cookies_serializer
+            end
         end
-        def deserialize(name)
-          rotate = false
-          value  = yield -> { rotate = true }
+        def reserialize?(dumped)
+          serializer.is_a?(ActiveSupport::Messages::SerializerWithFallback) &&
+            serializer != ActiveSupport::Messages::SerializerWithFallback[:marshal] &&
+            !serializer.dumped?(dumped)
+        end
-          if value
-            case
-            when needs_migration?(value)
-              Marshal.load(value).tap do |v|
-                self[name] = { value: v }
-              end
-            when rotate
-              serializer.load(value).tap do |v|
-                self[name] = { value: v }
-              end
-            else
-              serializer.load(value)
+        def parse(name, dumped, force_reserialize: false, **)
+          if dumped
+            begin
+              value = serializer.load(dumped)
+            rescue StandardError
+              return
             end
+            self[name] = { value: value } if force_reserialize || reserialize?(dumped)
+            value
           end
         end
-        def serializer
-          serializer = request.cookies_serializer || :marshal
-          case serializer
-          when :marshal
-            MarshalWithJsonFallback
-          when :json, :hybrid
-            JsonSerializer
-          else
-            serializer
-          end
+        def commit(name, options)
+          options[:value] = serializer.dump(options[:value])
         end
-        def digest
-          request.cookies_digest || "SHA1"
+        def check_for_overflow!(name, options)
+          if options[:value].bytesize > MAX_COOKIE_SIZE
+            raise CookieOverflow, "#{name} cookie overflowed with size #{options[:value].bytesize} bytes"
+          end
         end
     end
@@ -630,15 +616,15 @@ module ActionDispatch
       private
         def parse(name, signed_message, purpose: nil)
-          deserialize(name) do |rotate|
-            @verifier.verified(signed_message, on_rotation: rotate, purpose: purpose)
-          end
+          rotated = false
+          data = @verifier.verified(signed_message, purpose: purpose, on_rotation: -> { rotated = true })
+          super(name, data, force_reserialize: rotated)
         end
         def commit(name, options)
-          options[:value] = @verifier.generate(serialize(options[:value]), **cookie_metadata(name, options))
-          raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
+          super
+          options[:value] = @verifier.generate(options[:value], **cookie_metadata(name, options))
+          check_for_overflow!(name, options)
         end
     end
@@ -680,17 +666,17 @@ module ActionDispatch
       private
         def parse(name, encrypted_message, purpose: nil)
-          deserialize(name) do |rotate|
-            @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose)
-          end
-        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature, JSON::ParserError
+          rotated = false
+          data = @encryptor.decrypt_and_verify(encrypted_message, purpose: purpose, on_rotation: -> { rotated = true })
+          super(name, data, force_reserialize: rotated)
+        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
           nil
         end
         def commit(name, options)
-          options[:value] = @encryptor.encrypt_and_sign(serialize(options[:value]), **cookie_metadata(name, options))
-          raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
+          super
+          options[:value] = @encryptor.encrypt_and_sign(options[:value], **cookie_metadata(name, options))
+          check_for_overflow!(name, options)
         end
     end
@@ -699,21 +685,18 @@ module ActionDispatch
     end
     def call(env)
-      request = ActionDispatch::Request.new env
-      status, headers, body = @app.call(env)
+      request = ActionDispatch::Request.new(env)
+      response = @app.call(env)
       if request.have_cookie_jar?
         cookie_jar = request.cookie_jar
         unless cookie_jar.committed?
-          cookie_jar.write(headers)
-          if headers[HTTP_HEADER].respond_to?(:join)
-            headers[HTTP_HEADER] = headers[HTTP_HEADER].join("\n")
-          end
+          response = Rack::Response[*response]
+          cookie_jar.write(response)
         end
       end
-      [status, headers, body]
+      response.to_a
     end
   end
 end