actionpack 8.0.0.beta1 → 8.0.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4392b60cf6c4af7ed943daf2c4e438440689b8f869a859510b1e0e5808204cf2
-  data.tar.gz: ee9993b25b397af527f1730dc439a0425a81d4b03afb148e310dac8862003261
+  metadata.gz: 76724412ee5fbe34b92080713c9e9fab617fe1a81c4400ba2ee252d55020a6e3
+  data.tar.gz: 14b34e7e8e188f66b7f7da1542301fa5856fb0b14cb6213282c07c30fffbd76f
 SHA512:
-  metadata.gz: 2063ad6ca3243b066226af6a1d1ad616d808c48a18f80df374d02b064ad4839a971e4eff804321621d910111829b0c1130b5a05f5a44afabb380ec9f7d5985b7
-  data.tar.gz: f3f1e1ce84c47654f69cf3f3ada2afa48e412dac1b7a5abd10c4d0fc34b66b7574f2454410c323cfa26a000005da585815db8a27dc3f1e9c2a71a504b0f3021d
+  metadata.gz: d13e4c2bc63c93db23db2ab94786700542926ba9c200f611985dd524fe7cd11602bc592a9124c14d7f08e39bf7e95ed56fbebdadb6c8391d5712bbad47fb62bf
+  data.tar.gz: 8f90ce2cd483f2ac438680310306293ccf733b0052f064bfb265a74a65c81e8bab5a32d699914a6f5c713974367d3ae5756a11e0e88210f4198e0d195339ce9b

data/CHANGELOG.md

@@ -1,3 +1,51 @@
+## Rails 8.0.0.rc2 (October 30, 2024) ##
+
+*   Fix routes with `::` in the path.
+
+    *Rafael Mendonça França*
+
+*   Maintain Rack 2 parameter parsing behaviour.
+
+    *Matthew Draper*
+
+
+## Rails 8.0.0.rc1 (October 19, 2024) ##
+
+*   Remove `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.
+
+    *Rafael Mendonça França*
+
+*   Improve `ActionController::TestCase` to expose a binary encoded `request.body`.
+
+    The rack spec clearly states:
+
+    > The input stream is an IO-like object which contains the raw HTTP POST data.
+    > When applicable, its external encoding must be “ASCII-8BIT” and it must be opened in binary mode.
+
+    Until now its encoding was generally UTF-8, which doesn't accurately reflect production
+    behavior.
+
+    *Jean Boussier*
+
+*   Update `ActionController::AllowBrowser` to support passing method names to `:block`
+
+    ```ruby
+    class ApplicationController < ActionController::Base
+      allow_browser versions: :modern, block: :handle_outdated_browser
+
+      private
+        def handle_outdated_browser
+          render file: Rails.root.join("public/custom-error.html"), status: :not_acceptable
+        end
+    end
+    ```
+
+    *Sean Doyle*
+
+*   Raise an `ArgumentError` when invalid `:only` or `:except` options are passed into `#resource` and `#resources`.
+
+    *Joshua Young*
+
 ## Rails 8.0.0.beta1 (September 26, 2024) ##
 
 *   Fix non-GET requests not updating cookies in `ActionController::TestCase`.

data/lib/abstract_controller/helpers.rb

@@ -104,6 +104,7 @@ module AbstractController
       # Declare a controller method as a helper. For example, the following
       # makes the `current_user` and `logged_in?` controller methods available
       # to the view:
+      #
       #     class ApplicationController < ActionController::Base
       #       helper_method :current_user, :logged_in?
       #
@@ -118,6 +119,7 @@ module AbstractController
       #     end
       #
       # In a view:
+      #
       #     <% if logged_in? -%>Welcome, <%= current_user.name %><% end -%>
       #
       # #### Parameters

data/lib/abstract_controller/rendering.rb

@@ -5,7 +5,6 @@
 require "abstract_controller/error"
 require "action_view"
 require "action_view/view_paths"
-require "set"
 
 module AbstractController
   class DoubleRenderError < Error

data/lib/action_controller/form_builder.rb

@@ -22,10 +22,10 @@ module ActionController
   #       default_form_builder AdminFormBuilder
   #     end
   #
-  # Then in the view any form using `form_for` will be an instance of the
-  # specified form builder:
+  # Then in the view any form using `form_with` or `form_for` will be an
+  # instance of the specified form builder:
   #
-  #     <%= form_for(@instance) do |builder| %>
+  #     <%= form_with(model: @instance) do |builder| %>
   #       <%= builder.special_field(:name) %>
   #     <% end %>
   module FormBuilder

data/lib/action_controller/metal/allow_browser.rb

@@ -36,6 +36,16 @@ module ActionController # :nodoc:
       #     end
       #
       #     class ApplicationController < ActionController::Base
+      #       # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has
+      #       allow_browser versions: :modern, block: :handle_outdated_browser
+      #
+      #       private
+      #         def handle_outdated_browser
+      #           render file: Rails.root.join("public/custom-error.html"), status: :not_acceptable
+      #         end
+      #     end
+      #
+      #     class ApplicationController < ActionController::Base
       #       # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
       #       allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
       #     end
@@ -55,12 +65,12 @@ module ActionController # :nodoc:
 
         if BrowserBlocker.new(request, versions: versions).blocked?
           ActiveSupport::Notifications.instrument("browser_block.action_controller", request: request, versions: versions) do
-            instance_exec(&block)
+            block.is_a?(Symbol) ? send(block) : instance_exec(&block)
           end
         end
       end
 
-      class BrowserBlocker
+      class BrowserBlocker # :nodoc:
         SETS = {
           modern: { safari: 17.2, chrome: 120, firefox: 121, opera: 106, ie: false }
         }

data/lib/action_controller/metal/http_authentication.rb

@@ -513,14 +513,11 @@ module ActionController
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
-      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
-      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
-
       # This method takes an authorization body and splits up the key-value pairs by
       # the standardized `:`, `;`, or `\t` delimiters defined in
       # `AUTHN_PAIR_DELIMITERS`.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
         _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)

data/lib/action_controller/metal/rate_limiting.rb

@@ -30,7 +30,7 @@ module ActionController # :nodoc:
       # parameter.
       #
       # If you want to use multiple rate limits per controller, you need to give each of
-      # them and explicit name via the `name:` option.
+      # them an explicit name via the `name:` option.
       #
       # Examples:
       #

data/lib/action_controller/metal/renderers.rb

@@ -2,8 +2,6 @@
 
 # :markup: markdown
 
-require "set"
-
 module ActionController
   # See Renderers.add
   def self.add_renderer(key, &block)

data/lib/action_controller/metal/strong_parameters.rb

@@ -10,7 +10,6 @@ require "active_support/deep_mergeable"
 require "action_dispatch/http/upload"
 require "rack/test"
 require "stringio"
-require "set"
 require "yaml"
 
 module ActionController
@@ -96,6 +95,8 @@ module ActionController
   # *   `permit` to filter params for mass assignment.
   # *   `require` to require a parameter or raise an error.
   #
+  # Examples:
+  #
   #     params = ActionController::Parameters.new({
   #       person: {
   #         name: "Francesco",
@@ -110,7 +111,7 @@ module ActionController
   #     Person.first.update!(permitted)
   #     # => #<Person id: 1, name: "Francesco", age: 22, role: "user">
   #
-  # Paramaters provides two options that control the top-level behavior of new
+  # Parameters provides two options that control the top-level behavior of new
   # instances:
   #
   # *   `permit_all_parameters` - If it's `true`, all the parameters will be
@@ -262,20 +263,6 @@ module ActionController
     cattr_accessor :always_permitted_parameters, default: %w( controller action )
 
     class << self
-      def allow_deprecated_parameters_hash_equality
-        ActionController.deprecator.warn <<-WARNING.squish
-          `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality` is
-          deprecated and will be removed in Rails 8.0.
-        WARNING
-      end
-
-      def allow_deprecated_parameters_hash_equality=(value)
-        ActionController.deprecator.warn <<-WARNING.squish
-          `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`
-          is deprecated and will be removed in Rails 8.0.
-        WARNING
-      end
-
       def nested_attribute?(key, value) # :nodoc:
         /\A-?\d+\z/.match?(key) && (value.is_a?(Hash) || value.is_a?(Parameters))
       end

data/lib/action_controller/railtie.rb

@@ -48,11 +48,6 @@ module ActionController
         end
 
         ActionController::Parameters.action_on_unpermitted_parameters = action_on_unpermitted_parameters
-
-        unless options.allow_deprecated_parameters_hash_equality.nil?
-          ActionController::Parameters.allow_deprecated_parameters_hash_equality =
-            options.allow_deprecated_parameters_hash_equality
-        end
       end
     end
 
@@ -85,7 +80,6 @@ module ActionController
           :action_on_unpermitted_parameters,
           :always_permitted_parameters,
           :wrap_parameters_by_default,
-          :allow_deprecated_parameters_hash_equality
         )
 
         filtered_options.each do |k, v|

data/lib/action_controller/test_case.rb

@@ -108,7 +108,7 @@ module ActionController
             set_header k, "application/x-www-form-urlencoded"
           end
 
-          case content_mime_type.to_sym
+          case content_mime_type&.to_sym
           when nil
             raise "Unknown Content-Type: #{content_type}"
           when :json
@@ -123,7 +123,7 @@ module ActionController
           end
         end
 
-        data_stream = StringIO.new(data)
+        data_stream = StringIO.new(data.b)
         set_header "CONTENT_LENGTH", data_stream.length.to_s
         set_header "rack.input", data_stream
       end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -8,8 +8,7 @@ require "active_support/core_ext/array/wrap"
 module ActionDispatch # :nodoc:
   # # Action Dispatch Content Security Policy
   #
-  # Configures the HTTP [Content-Security-Policy]
-  # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
   # response header to help protect against XSS and
   # injection attacks.
   #
@@ -227,8 +226,7 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Enable the [report-uri]
-    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
     # directive. Violation reports will be sent to the
     # specified URI:
     #
@@ -238,8 +236,7 @@ module ActionDispatch # :nodoc:
       @directives["report-uri"] = [uri]
     end
 
-    # Specify asset types for which [Subresource Integrity]
-    # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
+    # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
     #
     #     policy.require_sri_for :script, :style
     #
@@ -255,8 +252,7 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether a [sandbox]
-    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
+    # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
     # should be enabled for the requested resource:
     #
     #     policy.sandbox

data/lib/action_dispatch/http/filter_parameters.rb

@@ -68,12 +68,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -37,9 +37,16 @@ module ActionDispatch
       def parameter_filtered_location
         uri = URI.parse(location)
         unless uri.query.nil? || uri.query.empty?
-          uri.query.gsub!(FilterParameters::PAIR_RE) do
-            request.parameter_filter.filter($1 => $2).first.join("=")
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
           end
+          uri.query = filtered_parts.join("")
         end
         uri.to_s
       rescue URI::Error

data/lib/action_dispatch/http/param_builder.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  class ParamBuilder
+    # --
+    # This implementation is based on Rack::QueryParser,
+    # Copyright (C) 2007-2021 Leah Neukirchen <http://leahneukirchen.org/infopage.html>
+
+    def self.make_default(param_depth_limit)
+      new param_depth_limit
+    end
+
+    attr_reader :param_depth_limit
+
+    def initialize(param_depth_limit)
+      @param_depth_limit = param_depth_limit
+    end
+
+    cattr_accessor :ignore_leading_brackets
+
+    LEADING_BRACKETS_COMPAT = defined?(::Rack::RELEASE) && ::Rack::RELEASE.to_s.start_with?("2.")
+
+    cattr_accessor :default
+    self.default = make_default(100)
+
+    class << self
+      delegate :from_query_string, :from_pairs, :from_hash, to: :default
+    end
+
+    def from_query_string(qs, separator: nil, encoding_template: nil)
+      from_pairs QueryParser.each_pair(qs, separator), encoding_template: encoding_template
+    end
+
+    def from_pairs(pairs, encoding_template: nil)
+      params = make_params
+
+      pairs.each do |k, v|
+        if Hash === v
+          v = ActionDispatch::Http::UploadedFile.new(v)
+        end
+
+        store_nested_param(params, k, v, 0, encoding_template)
+      end
+
+      params
+    rescue ArgumentError => e
+      raise InvalidParameterError, e.message, e.backtrace
+    end
+
+    def from_hash(hash, encoding_template: nil)
+      # Force encodings from encoding template
+      hash = Request::Utils::CustomParamEncoder.encode_for_template(hash, encoding_template)
+
+      # Assert valid encoding
+      Request::Utils.check_param_encoding(hash)
+
+      # Convert hashes to HWIA (or UploadedFile), and deep-munge nils
+      # out of arrays
+      hash = Request::Utils.normalize_encode_params(hash)
+
+      hash
+    end
+
+    private
+      def store_nested_param(params, name, v, depth, encoding_template = nil)
+        raise ParamsTooDeepError if depth >= param_depth_limit
+
+        if !name
+          # nil name, treat same as empty string (required by tests)
+          k = after = ""
+        elsif depth == 0
+          if ignore_leading_brackets || (ignore_leading_brackets.nil? && LEADING_BRACKETS_COMPAT)
+            # Rack 2 compatible behavior, ignore leading brackets
+            if name =~ /\A[\[\]]*([^\[\]]+)\]*/
+              k = $1
+              after = $' || ""
+
+              if !ignore_leading_brackets && (k != $& || !after.empty? && !after.start_with?("["))
+                ActionDispatch.deprecator.warn("Skipping over leading brackets in parameter name #{name.inspect} is deprecated and will parse differently in Rails 8.1 or Rack 3.0.")
+              end
+            else
+              k = name
+              after = ""
+            end
+          else
+            # Start of parsing, don't treat [] or [ at start of string specially
+            if start = name.index("[", 1)
+              # Start of parameter nesting, use part before brackets as key
+              k = name[0, start]
+              after = name[start, name.length]
+            else
+              # Plain parameter with no nesting
+              k = name
+              after = ""
+            end
+          end
+        elsif name.start_with?("[]")
+          # Array nesting
+          k = "[]"
+          after = name[2, name.length]
+        elsif name.start_with?("[") && (start = name.index("]", 1))
+          # Hash nesting, use the part inside brackets as the key
+          k = name[1, start - 1]
+          after = name[start + 1, name.length]
+        else
+          # Probably malformed input, nested but not starting with [
+          # treat full name as key for backwards compatibility.
+          k = name
+          after = ""
+        end
+
+        return if k.empty?
+
+        if depth == 0 && String === v
+          # We have to wait until we've found the top part of the name,
+          # because that's what the encoding template is configured with
+          if encoding_template && (designated_encoding = encoding_template[k]) && !v.frozen?
+            v.force_encoding(designated_encoding)
+          end
+
+          # ... and we can't validate the encoding until after we've
+          # applied any template override
+          unless v.valid_encoding?
+            raise InvalidParameterError, "Invalid encoding for parameter: #{v.scrub}"
+          end
+        end
+
+        if after == ""
+          if k == "[]" && depth != 0
+            return (v || !ActionDispatch::Request::Utils.perform_deep_munge) ? [v] : []
+          else
+            params[k] = v
+          end
+        elsif after == "["
+          params[name] = v
+        elsif after == "[]"
+          params[k] ||= []
+          raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+          params[k] << v if v || !ActionDispatch::Request::Utils.perform_deep_munge
+        elsif after.start_with?("[]")
+          # Recognize x[][y] (hash inside array) parameters
+          unless after[2] == "[" && after.end_with?("]") && (child_key = after[3, after.length - 4]) && !child_key.empty? && !child_key.index("[") && !child_key.index("]")
+            # Handle other nested array parameters
+            child_key = after[2, after.length]
+          end
+          params[k] ||= []
+          raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+          if params_hash_type?(params[k].last) && !params_hash_has_key?(params[k].last, child_key)
+            store_nested_param(params[k].last, child_key, v, depth + 1)
+          else
+            params[k] << store_nested_param(make_params, child_key, v, depth + 1)
+          end
+        else
+          params[k] ||= make_params
+          raise ParameterTypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
+          params[k] = store_nested_param(params[k], after, v, depth + 1)
+        end
+
+        params
+      end
+
+      def make_params
+        ActiveSupport::HashWithIndifferentAccess.new
+      end
+
+      def new_depth_limit(param_depth_limit)
+        self.class.new @params_class, param_depth_limit
+      end
+
+      def params_hash_type?(obj)
+        Hash === obj
+      end
+
+      def params_hash_has_key?(hash, key)
+        return false if key.include?("[]")
+
+        key.split(/[\[\]]+/).inject(hash) do |h, part|
+          next h if part == ""
+          return false unless params_hash_type?(h) && h.key?(part)
+          h[part]
+        end
+
+        true
+      end
+  end
+end

data/lib/action_dispatch/http/param_error.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  class ParamError < ActionDispatch::Http::Parameters::ParseError
+    def initialize(message = nil)
+      super
+    end
+
+    def self.===(other)
+      super || (
+        defined?(Rack::Utils::ParameterTypeError) && Rack::Utils::ParameterTypeError === other ||
+        defined?(Rack::Utils::InvalidParameterError) && Rack::Utils::InvalidParameterError === other ||
+        defined?(Rack::QueryParser::ParamsTooDeepError) && Rack::QueryParser::ParamsTooDeepError === other
+      )
+    end
+  end
+
+  class ParameterTypeError < ParamError
+  end
+
+  class InvalidParameterError < ParamError
+  end
+
+  class ParamsTooDeepError < ParamError
+  end
+end

data/lib/action_dispatch/http/query_parser.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "uri"
+require "rack"
+
+module ActionDispatch
+  class QueryParser
+    DEFAULT_SEP = /& */n
+    COMPAT_SEP = /[&;] */n
+    COMMON_SEP = { ";" => /; */n, ";," => /[;,] */n, "&" => /& */n, "&;" => /[&;] */n }
+
+    cattr_accessor :strict_query_string_separator
+
+    SEMICOLON_COMPAT = defined?(::Rack::QueryParser::DEFAULT_SEP) && ::Rack::QueryParser::DEFAULT_SEP.to_s.include?(";")
+
+    #--
+    # Note this departs from WHATWG's specified parsing algorithm by
+    # giving a nil value for keys that do not use '='. Callers that need
+    # the standard's interpretation can use `v.to_s`.
+    def self.each_pair(s, separator = nil)
+      return enum_for(:each_pair, s, separator) unless block_given?
+
+      s ||= ""
+
+      splitter =
+        if separator
+          COMMON_SEP[separator] || /[#{separator}] */n
+        elsif strict_query_string_separator
+          DEFAULT_SEP
+        elsif SEMICOLON_COMPAT && s.include?(";")
+          if strict_query_string_separator.nil?
+            ActionDispatch.deprecator.warn("Using semicolon as a query string separator is deprecated and will not be supported in Rails 8.1 or Rack 3.0. Use `&` instead.")
+          end
+          COMPAT_SEP
+        else
+          DEFAULT_SEP
+        end
+
+      s.split(splitter).each do |part|
+        next if part.empty?
+
+        k, v = part.split("=", 2)
+
+        k = URI.decode_www_form_component(k)
+        v &&= URI.decode_www_form_component(v)
+
+        yield k, v
+      end
+
+      nil
+    end
+  end
+end

data/lib/action_dispatch/http/request.rb

@@ -63,6 +63,9 @@ module ActionDispatch
 
     def initialize(env)
       super
+
+      @rack_request = Rack::Request.new(env)
+
       @method            = nil
       @request_method    = nil
       @remote_ip         = nil
@@ -71,6 +74,8 @@ module ActionDispatch
       @ip                = nil
     end
 
+    attr_reader :rack_request
+
     def commit_cookie_jar! # :nodoc:
     end
 
@@ -388,15 +393,12 @@ module ActionDispatch
     # Override Rack's GET method to support indifferent access.
     def GET
       fetch_header("action_dispatch.request.query_parameters") do |k|
-        rack_query_params = super || {}
-        controller = path_parameters[:controller]
-        action = path_parameters[:action]
-        rack_query_params = Request::Utils.set_binary_encoding(self, rack_query_params, controller, action)
-        # Check for non UTF-8 parameter values, which would cause errors later
-        Request::Utils.check_param_encoding(rack_query_params)
-        set_header k, Request::Utils.normalize_encode_params(rack_query_params)
+        encoding_template = Request::Utils::CustomParamEncoder.action_encoding_template(self, path_parameters[:controller], path_parameters[:action])
+        rack_query_params = ActionDispatch::ParamBuilder.from_query_string(rack_request.query_string, encoding_template: encoding_template)
+
+        set_header k, rack_query_params
       end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError => e
+    rescue ActionDispatch::ParamError => e
       raise ActionController::BadRequest.new("Invalid query parameters: #{e.message}")
     end
     alias :query_parameters :GET
@@ -404,18 +406,54 @@ module ActionDispatch
     # Override Rack's POST method to support indifferent access.
     def POST
       fetch_header("action_dispatch.request.request_parameters") do
-        pr = parse_formatted_parameters(params_parsers) do |params|
-          super || {}
+        encoding_template = Request::Utils::CustomParamEncoder.action_encoding_template(self, path_parameters[:controller], path_parameters[:action])
+
+        param_list = nil
+        pr = parse_formatted_parameters(params_parsers) do
+          if param_list = request_parameters_list
+            ActionDispatch::ParamBuilder.from_pairs(param_list, encoding_template: encoding_template)
+          else
+            # We're not using a version of Rack that provides raw form
+            # pairs; we must use its hash (and thus post-process it below).
+            fallback_request_parameters
+          end
+        end
+
+        # If the request body was parsed by a custom parser like JSON
+        # (and thus the above block was not run), we need to
+        # post-process the result hash.
+        if param_list.nil?
+          pr = ActionDispatch::ParamBuilder.from_hash(pr, encoding_template: encoding_template)
         end
-        pr = Request::Utils.set_binary_encoding(self, pr, path_parameters[:controller], path_parameters[:action])
-        Request::Utils.check_param_encoding(pr)
-        self.request_parameters = Request::Utils.normalize_encode_params(pr)
+
+        self.request_parameters = pr
       end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError, EOFError => e
+    rescue ActionDispatch::ParamError, EOFError => e
       raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
     end
     alias :request_parameters :POST
 
+    def request_parameters_list
+      # We don't use Rack's parse result, but we must call it so Rack
+      # can populate the rack.request.* keys we need.
+      rack_post = rack_request.POST
+
+      if form_pairs = get_header("rack.request.form_pairs")
+        # Multipart
+        form_pairs
+      elsif form_vars = get_header("rack.request.form_vars")
+        # URL-encoded
+        ActionDispatch::QueryParser.each_pair(form_vars)
+      elsif rack_post && !rack_post.empty?
+        # It was multipart, but Rack did not preserve a pair list
+        # (probably too old). Flat parameter list is not available.
+        nil
+      else
+        # No request body, or not a format Rack knows
+        []
+      end
+    end
+
     # Returns the authorization header regardless of whether it was specified
     # directly or through one of the proxy alternatives.
     def authorization
@@ -492,6 +530,10 @@ module ActionDispatch
           yield
         end
       end
+
+      def fallback_request_parameters
+        rack_request.POST
+      end
   end
 end
 

data/lib/action_dispatch/journey/scanner.rb

@@ -55,7 +55,7 @@ module ActionDispatch
         def scan
           next_byte = @scanner.peek_byte
           case
-          when (token = STATIC_TOKENS[next_byte])
+          when (token = STATIC_TOKENS[next_byte]) && (token != :SYMBOL || next_byte_is_not_a_token?)
             @scanner.pos += 1
             @length = @scanner.skip(/\w+/).to_i + 1 if token == :SYMBOL || token == :STAR
             token
@@ -65,6 +65,10 @@ module ActionDispatch
             :LITERAL
           end
         end
+
+        def next_byte_is_not_a_token?
+          !STATIC_TOKENS[@scanner.string.getbyte(@scanner.pos + 1)]
+        end
     end
   end
 end

data/lib/action_dispatch/middleware/debug_view.rb

@@ -15,17 +15,12 @@ module ActionDispatch
       paths = RESCUES_TEMPLATE_PATHS.dup
       lookup_context = ActionView::LookupContext.new(paths)
       super(lookup_context, assigns, nil)
-      @exception_wrapper = assigns[:exception_wrapper]
     end
 
     def compiled_method_container
       self.class
     end
 
-    def error_highlight_available?
-      @exception_wrapper.error_highlight_available?
-    end
-
     def debug_params(params)
       clean_params = params.clone
       clean_params.delete("action")

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -201,12 +201,6 @@ module ActionDispatch
       end
     end
 
-    def error_highlight_available?
-      # ErrorHighlight.spot with backtrace_location keyword is available since
-      # error_highlight 0.4.0
-      defined?(ErrorHighlight) && Gem::Version.new(ErrorHighlight::VERSION) >= Gem::Version.new("0.4.0")
-    end
-
     def trace_to_show
       if traces["Application Trace"].empty? && rescue_template != "routing_error"
         "Full Trace"

data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb

@@ -28,9 +28,6 @@
           </tr>
         </table>
       </div>
-      <%- unless self.error_highlight_available? -%>
-        <p class="error_highlight_tip">Tip: You may want to add <code>gem "error_highlight", "&gt;= 0.4.0"</code> into your Gemfile, which will display the fine-grained error location.</p>
-      <%- end -%>
     </div>
   <% end %>
 <% end %>

data/lib/action_dispatch/railtie.rb

@@ -31,6 +31,9 @@ module ActionDispatch
     config.action_dispatch.debug_exception_log_level = :fatal
     config.action_dispatch.strict_freshness = false
 
+    config.action_dispatch.ignore_leading_brackets = nil
+    config.action_dispatch.strict_query_string_separator = nil
+
     config.action_dispatch.default_headers = {
       "X-Frame-Options" => "SAMEORIGIN",
       "X-XSS-Protection" => "1; mode=block",
@@ -52,6 +55,9 @@ module ActionDispatch
       ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
 
+      ActionDispatch::ParamBuilder.ignore_leading_brackets = app.config.action_dispatch.ignore_leading_brackets
+      ActionDispatch::QueryParser.strict_query_string_separator = app.config.action_dispatch.strict_query_string_separator
+
       ActiveSupport.on_load(:action_dispatch_request) do
         self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
         ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge

data/lib/action_dispatch/request/utils.rb

@@ -83,8 +83,8 @@ module ActionDispatch
       end
 
       class CustomParamEncoder # :nodoc:
-        def self.encode(request, params, controller, action)
-          return params unless controller && controller.valid_encoding? && encoding_template = action_encoding_template(request, controller, action)
+        def self.encode_for_template(params, encoding_template)
+          return params unless encoding_template
           params.except(:controller, :action).each do |key, value|
             ActionDispatch::Request::Utils.each_param_value(value) do |param|
               # If `param` is frozen, it comes from the router defaults
@@ -98,8 +98,14 @@ module ActionDispatch
           params
         end
 
+        def self.encode(request, params, controller, action)
+          encoding_template = action_encoding_template(request, controller, action)
+          encode_for_template(params, encoding_template)
+        end
+
         def self.action_encoding_template(request, controller, action) # :nodoc:
-          request.controller_class_for(controller).action_encoding_template(action)
+          controller && controller.valid_encoding? &&
+            request.controller_class_for(controller).action_encoding_template(action)
         rescue MissingController
           nil
         end

data/lib/action_dispatch/routing/mapper.rb

@@ -375,35 +375,18 @@ module ActionDispatch
             Routing::RouteSet::Dispatcher.new raise_on_name_error
           end
 
-          if Thread.respond_to?(:each_caller_location)
-            def route_source_location
-              if Mapper.route_source_locations
-                action_dispatch_dir = File.expand_path("..", __dir__)
-                Thread.each_caller_location do |location|
-                  next if location.path.start_with?(action_dispatch_dir)
+          def route_source_location
+            if Mapper.route_source_locations
+              action_dispatch_dir = File.expand_path("..", __dir__)
+              Thread.each_caller_location do |location|
+                next if location.path.start_with?(action_dispatch_dir)
 
-                  cleaned_path = Mapper.backtrace_cleaner.clean_frame(location.path)
-                  next if cleaned_path.nil?
+                cleaned_path = Mapper.backtrace_cleaner.clean_frame(location.path)
+                next if cleaned_path.nil?
 
-                  return "#{cleaned_path}:#{location.lineno}"
-                end
-                nil
-              end
-            end
-          else
-            def route_source_location
-              if Mapper.route_source_locations
-                action_dispatch_dir = File.expand_path("..", __dir__)
-                caller_locations.each do |location|
-                  next if location.path.start_with?(action_dispatch_dir)
-
-                  cleaned_path = Mapper.backtrace_cleaner.clean_frame(location.path)
-                  next if cleaned_path.nil?
-
-                  return "#{cleaned_path}:#{location.lineno}"
-                end
-                nil
+                return "#{cleaned_path}:#{location.lineno}"
               end
+              nil
             end
           end
       end
@@ -1179,6 +1162,16 @@ module ActionDispatch
         CANONICAL_ACTIONS = %w(index create new show update destroy)
 
         class Resource # :nodoc:
+          class << self
+            def default_actions(api_only)
+              if api_only
+                [:index, :create, :show, :update, :destroy]
+              else
+                [:index, :create, :new, :show, :update, :destroy, :edit]
+              end
+            end
+          end
+
           attr_reader :controller, :path, :param
 
           def initialize(entities, api_only, shallow, options = {})
@@ -1186,6 +1179,11 @@ module ActionDispatch
               raise ArgumentError, ":param option can't contain colons"
             end
 
+            valid_actions = self.class.default_actions(false) # ignore api_only for this validation
+            if invalid_actions = invalid_only_except_options(options, valid_actions).presence
+              raise ArgumentError, ":only and :except must include only #{valid_actions}, but also included #{invalid_actions}"
+            end
+
             @name       = entities.to_s
             @path       = (options[:path] || @name).to_s
             @controller = (options[:controller] || @name).to_s
@@ -1199,11 +1197,7 @@ module ActionDispatch
           end
 
           def default_actions
-            if @api_only
-              [:index, :create, :show, :update, :destroy]
-            else
-              [:index, :create, :new, :show, :update, :destroy, :edit]
-            end
+            self.class.default_actions(@api_only)
           end
 
           def actions
@@ -1271,9 +1265,24 @@ module ActionDispatch
           end
 
           def singleton?; false; end
+
+          private
+            def invalid_only_except_options(options, valid_actions)
+              options.values_at(:only, :except).flatten.compact.uniq.map(&:to_sym) - valid_actions
+            end
         end
 
         class SingletonResource < Resource # :nodoc:
+          class << self
+            def default_actions(api_only)
+              if api_only
+                [:show, :create, :update, :destroy]
+              else
+                [:show, :create, :update, :destroy, :new, :edit]
+              end
+            end
+          end
+
           def initialize(entities, api_only, shallow, options)
             super
             @as         = nil
@@ -1282,11 +1291,7 @@ module ActionDispatch
           end
 
           def default_actions
-            if @api_only
-              [:show, :create, :update, :destroy]
-            else
-              [:show, :create, :update, :destroy, :new, :edit]
-            end
+            self.class.default_actions(@api_only)
           end
 
           def plural
@@ -1347,7 +1352,7 @@ module ActionDispatch
           end
 
           with_scope_level(:resource) do
-            options = apply_action_options options
+            options = apply_action_options :resource, options
             resource_scope(SingletonResource.new(resources.pop, api_only?, @scope[:shallow], options)) do
               yield if block_given?
 
@@ -1517,7 +1522,7 @@ module ActionDispatch
           end
 
           with_scope_level(:resources) do
-            options = apply_action_options options
+            options = apply_action_options :resources, options
             resource_scope(Resource.new(resources.pop, api_only?, @scope[:shallow], options)) do
               yield if block_given?
 
@@ -1786,17 +1791,32 @@ module ActionDispatch
             false
           end
 
-          def apply_action_options(options)
+          def apply_action_options(method, options)
             return options if action_options? options
-            options.merge scope_action_options
+            options.merge scope_action_options(method)
           end
 
           def action_options?(options)
             options[:only] || options[:except]
           end
 
-          def scope_action_options
-            @scope[:action_options] || {}
+          def scope_action_options(method)
+            return {} unless @scope[:action_options]
+
+            actions = applicable_actions_for(method)
+            @scope[:action_options].dup.tap do |options|
+              (options[:only] = Array(options[:only]) & actions) if options[:only]
+              (options[:except] = Array(options[:except]) & actions) if options[:except]
+            end
+          end
+
+          def applicable_actions_for(method)
+            case method
+            when :resource
+              SingletonResource.default_actions(api_only?)
+            when :resources
+              Resource.default_actions(api_only?)
+            end
           end
 
           def resource_scope?
@@ -2209,8 +2229,8 @@ module ActionDispatch
         end
 
         # Define custom polymorphic mappings of models to URLs. This alters the behavior
-        # of `polymorphic_url` and consequently the behavior of `link_to` and `form_for`
-        # when passed a model instance, e.g:
+        # of `polymorphic_url` and consequently the behavior of `link_to`, `form_with`
+        # and `form_for` when passed a model instance, e.g:
         #
         #     resource :basket
         #
@@ -2219,7 +2239,7 @@ module ActionDispatch
         #     end
         #
         # This will now generate "/basket" when a `Basket` instance is passed to
-        # `link_to` or `form_for` instead of the standard "/baskets/:id".
+        # `link_to`, `form_with` or `form_for` instead of the standard "/baskets/:id".
         #
         # NOTE: This custom behavior only applies to simple polymorphic URLs where a
         # single model instance is passed and not more complicated forms, e.g:

data/lib/action_dispatch/routing/polymorphic_routes.rb

@@ -31,7 +31,7 @@ module ActionDispatch
     # *   `url_for`, so you can use it with a record as the argument, e.g.
     #     `url_for(@article)`;
     # *   ActionView::Helpers::FormHelper uses `polymorphic_path`, so you can write
-    #     `form_for(@article)` without having to specify `:url` parameter for the
+    #     `form_with(model: @article)` without having to specify `:url` parameter for the
     #     form action;
     # *   `redirect_to` (which, in fact, uses `url_for`) so you can write
     #     `redirect_to(post)` in your controllers;
@@ -61,7 +61,7 @@ module ActionDispatch
     # argument to the method. For example:
     #
     #     polymorphic_url([blog, @post])  # calls blog.post_path(@post)
-    #     form_for([blog, @post])         # => "/blog/posts/1"
+    #     form_with(model: [blog, @post]) # => "/blog/posts/1"
     #
     module PolymorphicRoutes
       # Constructs a call to a named RESTful route for the given record and returns

data/lib/action_dispatch/routing/route_set.rb

@@ -659,14 +659,14 @@ module ActionDispatch
         if route.segment_keys.include?(:controller)
           ActionDispatch.deprecator.warn(<<-MSG.squish)
             Using a dynamic :controller segment in a route is deprecated and
-            will be removed in Rails 7.2.
+            will be removed in Rails 8.1.
           MSG
         end
 
         if route.segment_keys.include?(:action)
           ActionDispatch.deprecator.warn(<<-MSG.squish)
             Using a dynamic :action segment in a route is deprecated and
-            will be removed in Rails 7.2.
+            will be removed in Rails 8.1.
           MSG
         end
 

data/lib/action_dispatch/testing/assertions/response.rb

@@ -87,8 +87,13 @@ module ActionDispatch
         end
 
         def generate_response_message(expected, actual = @response.response_code)
-          (+"Expected response to be a <#{code_with_name(expected)}>,"\
-          " but was a <#{code_with_name(actual)}>").concat(location_if_redirected).concat(response_body_if_short)
+          lambda do
+            (+"Expected response to be a <#{code_with_name(expected)}>,"\
+             " but was a <#{code_with_name(actual)}>").
+              concat(location_if_redirected).
+              concat(exception_if_present).
+              concat(response_body_if_short)
+          end
         end
 
         def response_body_if_short
@@ -96,6 +101,11 @@ module ActionDispatch
           "\nResponse body: #{@response.body}"
         end
 
+        def exception_if_present
+          return "" unless ex = @request&.env&.[]("action_dispatch.exception")
+          "\n\nException while processing request: #{Minitest::UnexpectedError.new(ex).message}\n"
+        end
+
         def location_if_redirected
           return "" unless @response.redirection? && @response.location.present?
           location = normalize_argument_to_redirection(@response.location)

data/lib/action_dispatch/testing/assertions/routing.rb

@@ -118,9 +118,9 @@ module ActionDispatch
       #       assert_equal "/users", users_path
       #     end
       #
-      def with_routing(&block)
+      def with_routing(config = nil, &block)
         old_routes, old_controller = @routes, @controller
-        create_routes(&block)
+        create_routes(config, &block)
       ensure
         reset_routes(old_routes, old_controller)
       end
@@ -267,8 +267,8 @@ module ActionDispatch
       end
 
       private
-        def create_routes
-          @routes = ActionDispatch::Routing::RouteSet.new
+        def create_routes(config = nil)
+          @routes = ActionDispatch::Routing::RouteSet.new(config || ActionDispatch::Routing::RouteSet::DEFAULT_CONFIG)
           if @controller
             @controller = @controller.clone
             _routes = @routes

data/lib/action_dispatch/testing/integration.rb

@@ -284,7 +284,17 @@ module ActionDispatch
 
         # NOTE: rack-test v0.5 doesn't build a default uri correctly Make sure requested
         # path is always a full URI.
-        session.request(build_full_uri(path, request_env), request_env)
+        uri = build_full_uri(path, request_env)
+
+        if method == :get && String === request_env[:params]
+          # rack-test will needlessly parse and rebuild a :params
+          # querystring, using Rack's query parser. At best that's a
+          # waste of time; at worst it can change the value.
+
+          uri << "?" << request_env.delete(:params)
+        end
+
+        session.request(uri, request_env)
 
         @request_count += 1
         @request = ActionDispatch::Request.new(session.last_request.env)

data/lib/action_dispatch.rb

@@ -53,7 +53,13 @@ module ActionDispatch
   eager_autoload do
     autoload_under "http" do
       autoload :ContentSecurityPolicy
+      autoload :InvalidParameterError, "action_dispatch/http/param_error"
+      autoload :ParamBuilder
+      autoload :ParamError
+      autoload :ParameterTypeError, "action_dispatch/http/param_error"
+      autoload :ParamsTooDeepError, "action_dispatch/http/param_error"
       autoload :PermissionsPolicy
+      autoload :QueryParser
       autoload :Request
       autoload :Response
     end

data/lib/action_pack/gem_version.rb

@@ -12,7 +12,7 @@ module ActionPack
     MAJOR = 8
     MINOR = 0
     TINY  = 0
-    PRE   = "beta1"
+    PRE   = "rc2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 8.0.0.beta1
+  version: 8.0.0.rc2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-09-26 00:00:00.000000000 Z
+date: 2024-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.beta1
+        version: 8.0.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.beta1
+        version: 8.0.0.rc2
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.beta1
+        version: 8.0.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.beta1
+        version: 8.0.0.rc2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.beta1
+        version: 8.0.0.rc2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0.beta1
+        version: 8.0.0.rc2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -233,8 +233,11 @@ files:
 - lib/action_dispatch/http/mime_negotiation.rb
 - lib/action_dispatch/http/mime_type.rb
 - lib/action_dispatch/http/mime_types.rb
+- lib/action_dispatch/http/param_builder.rb
+- lib/action_dispatch/http/param_error.rb
 - lib/action_dispatch/http/parameters.rb
 - lib/action_dispatch/http/permissions_policy.rb
+- lib/action_dispatch/http/query_parser.rb
 - lib/action_dispatch/http/rack_cache.rb
 - lib/action_dispatch/http/request.rb
 - lib/action_dispatch/http/response.rb
@@ -347,10 +350,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v8.0.0.beta1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v8.0.0.beta1/
+  changelog_uri: https://github.com/rails/rails/blob/v8.0.0.rc2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v8.0.0.rc2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v8.0.0.beta1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v8.0.0.rc2/actionpack
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []