actionpack 7.2.3 → 8.0.0.beta1

data/lib/action_dispatch/constants.rb

@@ -30,11 +30,5 @@ module ActionDispatch
       SERVER_TIMING = "server-timing"
       STRICT_TRANSPORT_SECURITY = "strict-transport-security"
     end
-
-    if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3.1")
-      UNPROCESSABLE_CONTENT = :unprocessable_entity
-    else
-      UNPROCESSABLE_CONTENT = :unprocessable_content
-    end
   end
 end

data/lib/action_dispatch/http/cache.rb

@@ -9,6 +9,8 @@ module ActionDispatch
         HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE"
         HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH"
 
+        mattr_accessor :strict_freshness, default: false
+
         def if_modified_since
           if since = get_header(HTTP_IF_MODIFIED_SINCE)
             Time.rfc2822(since) rescue nil
@@ -34,19 +36,32 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (`Last-Modified` and ETag) against request
-        # `If-Modified-Since` and `If-None-Match` conditions. If both headers are
-        # supplied, both must match, or the request is not considered fresh.
+        # Check response freshness (`Last-Modified` and `ETag`) against request
+        # `If-Modified-Since` and `If-None-Match` conditions.
+        # If both headers are supplied, based on configuration, either `ETag` is preferred over `Last-Modified`
+        # or both are considered equally. You can adjust the preference with
+        # `config.action_dispatch.strict_freshness`.
+        # Reference: http://tools.ietf.org/html/rfc7232#section-6
         def fresh?(response)
-          last_modified = if_modified_since
-          etag          = if_none_match
+          if Request.strict_freshness
+            if if_none_match
+              etag_matches?(response.etag)
+            elsif if_modified_since
+              not_modified?(response.last_modified)
+            else
+              false
+            end
+          else
+            last_modified = if_modified_since
+            etag          = if_none_match
 
-          return false unless last_modified || etag
+            return false unless last_modified || etag
 
-          success = true
-          success &&= not_modified?(response.last_modified) if last_modified
-          success &&= etag_matches?(response.etag) if etag
-          success
+            success = true
+            success &&= not_modified?(response.last_modified) if last_modified
+            success &&= etag_matches?(response.etag) if etag
+            success
+          end
         end
       end
 
@@ -171,6 +186,7 @@ module ActionDispatch
         PUBLIC                = "public"
         PRIVATE               = "private"
         MUST_REVALIDATE       = "must-revalidate"
+        IMMUTABLE             = "immutable"
 
         def handle_conditional_get!
           # Normally default cache control setting is handled by ETag middleware. But, if
@@ -221,6 +237,7 @@ module ActionDispatch
             options << MUST_REVALIDATE if control[:must_revalidate]
             options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
             options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
+            options << IMMUTABLE if control[:immutable]
             options.concat(extras) if extras
           end
 

data/lib/action_dispatch/http/content_security_policy.rb

@@ -8,7 +8,8 @@ require "active_support/core_ext/array/wrap"
 module ActionDispatch # :nodoc:
   # # Action Dispatch Content Security Policy
   #
-  # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # Configures the HTTP [Content-Security-Policy]
+  # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
   # response header to help protect against XSS and
   # injection attacks.
   #
@@ -26,9 +27,6 @@ module ActionDispatch # :nodoc:
   #       policy.report_uri "/csp-violation-report-endpoint"
   #     end
   class ContentSecurityPolicy
-    class InvalidDirectiveError < StandardError
-    end
-
     class Middleware
       def initialize(app)
         @app = app
@@ -128,6 +126,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      wasm_unsafe_eval: "'wasm-unsafe-eval'",
       unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
@@ -228,7 +227,8 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # Enable the [report-uri]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
     # directive. Violation reports will be sent to the
     # specified URI:
     #
@@ -238,7 +238,8 @@ module ActionDispatch # :nodoc:
       @directives["report-uri"] = [uri]
     end
 
-    # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
+    # Specify asset types for which [Subresource Integrity]
+    # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
     #
     #     policy.require_sri_for :script, :style
     #
@@ -254,7 +255,8 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
+    # Specify whether a [sandbox]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
     # should be enabled for the requested resource:
     #
     #     policy.sandbox
@@ -322,9 +324,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
+              "#{directive} #{build_directive(sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -334,22 +336,8 @@ module ActionDispatch # :nodoc:
         end
       end
 
-      def validate(directive, sources)
-        sources.flatten.each do |source|
-          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
-            raise InvalidDirectiveError, <<~MSG.squish
-              Invalid Content Security Policy #{directive}: "#{source}".
-              Directive values must not contain whitespace or semicolons.
-              Please use multiple arguments or other directive methods instead.
-            MSG
-          end
-        end
-      end
-
-      def build_directive(directive, sources, context)
-        resolved_sources = sources.map { |source| resolve_source(source, context) }
-
-        validate(directive, resolved_sources)
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
       end
 
       def resolve_source(source, context)

data/lib/action_dispatch/http/filter_parameters.rb

@@ -68,17 +68,12 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
+      KV_RE   = "[^&;=]+"
+      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        parts = query_string.split(/([&;])/)
-        filtered_parts = parts.map do |part|
-          if part.include?("=")
-            key, value = part.split("=", 2)
-            parameter_filter.filter(key => value).first.join("=")
-          else
-            part
-          end
+        query_string.gsub(PAIR_RE) do |_|
+          parameter_filter.filter($1 => $2).first.join("=")
         end
-        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -37,16 +37,9 @@ module ActionDispatch
       def parameter_filtered_location
         uri = URI.parse(location)
         unless uri.query.nil? || uri.query.empty?
-          parts = uri.query.split(/([&;])/)
-          filtered_parts = parts.map do |part|
-            if part.include?("=")
-              key, value = part.split("=", 2)
-              request.parameter_filter.filter(key => value).first.join("=")
-            else
-              part
-            end
+          uri.query.gsub!(FilterParameters::PAIR_RE) do
+            request.parameter_filter.filter($1 => $2).first.join("=")
           end
-          uri.query = filtered_parts.join("")
         end
         uri.to_s
       rescue URI::Error

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -56,14 +56,9 @@ module ActionDispatch
 
       # Returns the MIME type for the format used in the request.
       #
-      #     # GET /posts/5.xml
-      #     request.format # => Mime[:xml]
-      #
-      #     # GET /posts/5.xhtml
-      #     request.format # => Mime[:html]
-      #
-      #     # GET /posts/5
-      #     request.format # => Mime[:html] or Mime[:js], or request.accepts.first
+      #     GET /posts/5.xml   | request.format => Mime[:xml]
+      #     GET /posts/5.xhtml | request.format => Mime[:html]
+      #     GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
       def format(_view_path = nil)
         formats.first || Mime::NullType.instance

data/lib/action_dispatch/http/permissions_policy.rb

@@ -86,12 +86,14 @@ module ActionDispatch # :nodoc:
       ambient_light_sensor: "ambient-light-sensor",
       autoplay:             "autoplay",
       camera:               "camera",
+      display_capture:      "display-capture",
       encrypted_media:      "encrypted-media",
       fullscreen:           "fullscreen",
       geolocation:          "geolocation",
       gyroscope:            "gyroscope",
       hid:                  "hid",
       idle_detection:       "idle-detection",
+      keyboard_map:         "keyboard-map",
       magnetometer:         "magnetometer",
       microphone:           "microphone",
       midi:                 "midi",

data/lib/action_dispatch/http/request.rb

@@ -55,6 +55,8 @@ module ActionDispatch
       METHOD
     end
 
+    TRANSFER_ENCODING = "HTTP_TRANSFER_ENCODING" # :nodoc:
+
     def self.empty
       new({})
     end
@@ -132,7 +134,7 @@ module ActionDispatch
 
     # Populate the HTTP method lookup cache.
     HTTP_METHODS.each { |method|
-      HTTP_METHOD_LOOKUP[method] = method.downcase.underscore.to_sym
+      HTTP_METHOD_LOOKUP[method] = method.underscore.to_sym
     }
 
     alias raw_request_method request_method # :nodoc:
@@ -236,9 +238,8 @@ module ActionDispatch
     #
     #     send_early_hints("link" => "</style.css>; rel=preload; as=style,</script.js>; rel=preload")
     #
-    # If you are using {javascript_include_tag}[rdoc-ref:ActionView::Helpers::AssetTagHelper#javascript_include_tag]
-    # or {stylesheet_link_tag}[rdoc-ref:ActionView::Helpers::AssetTagHelper#stylesheet_link_tag]
-    # the Early Hints headers are included by default if supported.
+    # If you are using `javascript_include_tag` or `stylesheet_link_tag` the Early
+    # Hints headers are included by default if supported.
     def send_early_hints(links)
       env["rack.early_hints"]&.call(links)
     end
@@ -283,7 +284,7 @@ module ActionDispatch
 
     # Returns the content length of the request as an integer.
     def content_length
-      return raw_post.bytesize if headers.key?("Transfer-Encoding")
+      return raw_post.bytesize if has_header?(TRANSFER_ENCODING)
       super.to_i
     end
 
@@ -469,7 +470,7 @@ module ActionDispatch
       def read_body_stream
         if body_stream
           reset_stream(body_stream) do
-            if headers.key?("Transfer-Encoding")
+            if has_header?(TRANSFER_ENCODING)
               body_stream.read # Read body stream until EOF if "Transfer-Encoding" is present
             else
               body_stream.read(content_length)

data/lib/action_dispatch/http/response.rb

@@ -46,20 +46,6 @@ module ActionDispatch # :nodoc:
       Headers = ::Rack::Utils::HeaderHash
     end
 
-    class << self
-      if ActionDispatch::Constants::UNPROCESSABLE_CONTENT == :unprocessable_content
-        def rack_status_code(status) # :nodoc:
-          status = :unprocessable_content if status == :unprocessable_entity
-          Rack::Utils.status_code(status)
-        end
-      else
-        def rack_status_code(status) # :nodoc:
-          status = :unprocessable_entity if status == :unprocessable_content
-          Rack::Utils.status_code(status)
-        end
-      end
-    end
-
     # To be deprecated:
     Header = Headers
 
@@ -259,7 +245,7 @@ module ActionDispatch # :nodoc:
 
     # Sets the HTTP status code.
     def status=(status)
-      @status = Response.rack_status_code(status)
+      @status = Rack::Utils.status_code(status)
     end
 
     # Sets the HTTP response's content MIME type. For example, in the controller you

data/lib/action_dispatch/http/url.rb

@@ -272,7 +272,7 @@ module ActionDispatch
         end
       end
 
-      # Returns whether this request is using the standard port.
+      # Returns whether this request is using the standard port
       #
       #     req = ActionDispatch::Request.new 'HTTP_HOST' => 'example.com:80'
       #     req.standard_port? # => true
@@ -307,7 +307,7 @@ module ActionDispatch
         standard_port? ? "" : ":#{port}"
       end
 
-      # Returns the requested port, such as 8080, based on SERVER_PORT.
+      # Returns the requested port, such as 8080, based on SERVER_PORT
       #
       #     req = ActionDispatch::Request.new 'SERVER_PORT' => '80'
       #     req.server_port # => 80

data/lib/action_dispatch/journey/formatter.rb

@@ -60,13 +60,8 @@ module ActionDispatch
 
       def generate(name, options, path_parameters)
         original_options = options.dup
-        path_params = options.delete(:path_params)
-        if path_params.is_a?(Hash)
-          options = path_params.merge(options)
-        else
-          path_params = nil
-          options = options.dup
-        end
+        path_params = options.delete(:path_params) || {}
+        options = path_params.merge(options)
         constraints = path_parameters.merge(options)
         missing_keys = nil
 
@@ -84,7 +79,7 @@ module ActionDispatch
             # top-level params' normal behavior of generating query_params should be
             # preserved even if the same key is also a bind_param
             parameterized_parts.key?(key) || route.defaults.key?(key) ||
-              (path_params&.key?(key) && !original_options.key?(key))
+              (path_params.key?(key) && !original_options.key?(key))
           end
 
           defaults       = route.defaults

data/lib/action_dispatch/journey/gtg/transition_table.rb

@@ -107,10 +107,10 @@ module ActionDispatch
           end
 
           {
-            regexp_states:   simple_regexp.stringify_keys,
-            string_states:   @string_states.stringify_keys,
-            stdparam_states: @stdparam_states.stringify_keys,
-            accepting:       @accepting.stringify_keys
+            regexp_states:   simple_regexp,
+            string_states:   @string_states,
+            stdparam_states: @stdparam_states,
+            accepting:       @accepting
           }
         end