RubyGems - eactionpack - Versions diffs - 2.1.2 - Mend

eactionpack 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (338) hide show

data/CHANGELOG +7 -0
data/MIT-LICENSE +21 -0
data/README +469 -0
data/RUNNING_UNIT_TESTS +24 -0
data/Rakefile +146 -0
data/install.rb +30 -0
data/lib/action_controller.rb +79 -0
data/lib/action_controller/assertions.rb +69 -0
data/lib/action_controller/assertions/dom_assertions.rb +39 -0
data/lib/action_controller/assertions/model_assertions.rb +20 -0
data/lib/action_controller/assertions/response_assertions.rb +172 -0
data/lib/action_controller/assertions/routing_assertions.rb +146 -0
data/lib/action_controller/assertions/selector_assertions.rb +491 -0
data/lib/action_controller/assertions/tag_assertions.rb +130 -0
data/lib/action_controller/base.rb +1288 -0
data/lib/action_controller/benchmarking.rb +94 -0
data/lib/action_controller/caching.rb +72 -0
data/lib/action_controller/caching/actions.rb +144 -0
data/lib/action_controller/caching/fragments.rb +138 -0
data/lib/action_controller/caching/pages.rb +154 -0
data/lib/action_controller/caching/sql_cache.rb +18 -0
data/lib/action_controller/caching/sweeping.rb +97 -0
data/lib/action_controller/cgi_ext.rb +16 -0
data/lib/action_controller/cgi_ext/cookie.rb +110 -0
data/lib/action_controller/cgi_ext/query_extension.rb +22 -0
data/lib/action_controller/cgi_ext/session.rb +73 -0
data/lib/action_controller/cgi_ext/stdinput.rb +24 -0
data/lib/action_controller/cgi_process.rb +223 -0
data/lib/action_controller/components.rb +166 -0
data/lib/action_controller/cookies.rb +96 -0
data/lib/action_controller/dispatcher.rb +162 -0
data/lib/action_controller/filters.rb +642 -0
data/lib/action_controller/flash.rb +172 -0
data/lib/action_controller/headers.rb +31 -0
data/lib/action_controller/helpers.rb +221 -0
data/lib/action_controller/http_authentication.rb +124 -0
data/lib/action_controller/integration.rb +634 -0
data/lib/action_controller/layout.rb +309 -0
data/lib/action_controller/mime_responds.rb +173 -0
data/lib/action_controller/mime_type.rb +186 -0
data/lib/action_controller/mime_types.rb +20 -0
data/lib/action_controller/polymorphic_routes.rb +191 -0
data/lib/action_controller/record_identifier.rb +102 -0
data/lib/action_controller/request.rb +764 -0
data/lib/action_controller/request_forgery_protection.rb +140 -0
data/lib/action_controller/request_profiler.rb +169 -0
data/lib/action_controller/rescue.rb +258 -0
data/lib/action_controller/resources.rb +572 -0
data/lib/action_controller/response.rb +76 -0
data/lib/action_controller/routing.rb +387 -0
data/lib/action_controller/routing/builder.rb +203 -0
data/lib/action_controller/routing/optimisations.rb +120 -0
data/lib/action_controller/routing/recognition_optimisation.rb +162 -0
data/lib/action_controller/routing/route.rb +240 -0
data/lib/action_controller/routing/route_set.rb +436 -0
data/lib/action_controller/routing/routing_ext.rb +46 -0
data/lib/action_controller/routing/segments.rb +283 -0
data/lib/action_controller/session/active_record_store.rb +340 -0
data/lib/action_controller/session/cookie_store.rb +166 -0
data/lib/action_controller/session/drb_server.rb +32 -0
data/lib/action_controller/session/drb_store.rb +35 -0
data/lib/action_controller/session/mem_cache_store.rb +98 -0
data/lib/action_controller/session_management.rb +158 -0
data/lib/action_controller/status_codes.rb +88 -0
data/lib/action_controller/streaming.rb +155 -0
data/lib/action_controller/templates/rescues/_request_and_response.erb +24 -0
data/lib/action_controller/templates/rescues/_trace.erb +26 -0
data/lib/action_controller/templates/rescues/diagnostics.erb +11 -0
data/lib/action_controller/templates/rescues/layout.erb +29 -0
data/lib/action_controller/templates/rescues/missing_template.erb +2 -0
data/lib/action_controller/templates/rescues/routing_error.erb +10 -0
data/lib/action_controller/templates/rescues/template_error.erb +21 -0
data/lib/action_controller/templates/rescues/unknown_action.erb +2 -0
data/lib/action_controller/test_case.rb +83 -0
data/lib/action_controller/test_process.rb +526 -0
data/lib/action_controller/url_rewriter.rb +142 -0
data/lib/action_controller/vendor/html-scanner/html/document.rb +68 -0
data/lib/action_controller/vendor/html-scanner/html/node.rb +537 -0
data/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +173 -0
data/lib/action_controller/vendor/html-scanner/html/selector.rb +828 -0
data/lib/action_controller/vendor/html-scanner/html/tokenizer.rb +105 -0
data/lib/action_controller/vendor/html-scanner/html/version.rb +11 -0
data/lib/action_controller/verification.rb +130 -0
data/lib/action_pack.rb +24 -0
data/lib/action_pack/version.rb +9 -0
data/lib/action_view.rb +44 -0
data/lib/action_view/base.rb +335 -0
data/lib/action_view/helpers/active_record_helper.rb +276 -0
data/lib/action_view/helpers/asset_tag_helper.rb +599 -0
data/lib/action_view/helpers/atom_feed_helper.rb +143 -0
data/lib/action_view/helpers/benchmark_helper.rb +33 -0
data/lib/action_view/helpers/cache_helper.rb +40 -0
data/lib/action_view/helpers/capture_helper.rb +161 -0
data/lib/action_view/helpers/date_helper.rb +711 -0
data/lib/action_view/helpers/debug_helper.rb +31 -0
data/lib/action_view/helpers/form_helper.rb +767 -0
data/lib/action_view/helpers/form_options_helper.rb +458 -0
data/lib/action_view/helpers/form_tag_helper.rb +458 -0
data/lib/action_view/helpers/javascript_helper.rb +148 -0
data/lib/action_view/helpers/number_helper.rb +186 -0
data/lib/action_view/helpers/record_identification_helper.rb +20 -0
data/lib/action_view/helpers/record_tag_helper.rb +59 -0
data/lib/action_view/helpers/sanitize_helper.rb +229 -0
data/lib/action_view/helpers/tag_helper.rb +134 -0
data/lib/action_view/helpers/text_helper.rb +507 -0
data/lib/action_view/helpers/url_helper.rb +573 -0
data/lib/action_view/inline_template.rb +20 -0
data/lib/action_view/partial_template.rb +70 -0
data/lib/action_view/partials.rb +158 -0
data/lib/action_view/template.rb +125 -0
data/lib/action_view/template_error.rb +110 -0
data/lib/action_view/template_finder.rb +176 -0
data/lib/action_view/template_handler.rb +34 -0
data/lib/action_view/template_handlers/builder.rb +27 -0
data/lib/action_view/template_handlers/compilable.rb +128 -0
data/lib/action_view/template_handlers/erb.rb +56 -0
data/lib/action_view/test_case.rb +58 -0
data/lib/actionpack.rb +1 -0
data/test/abstract_unit.rb +36 -0
data/test/active_record_unit.rb +105 -0
data/test/activerecord/active_record_store_test.rb +141 -0
data/test/activerecord/render_partial_with_record_identification_test.rb +191 -0
data/test/adv_attr_test.rb +20 -0
data/test/controller/action_pack_assertions_test.rb +543 -0
data/test/controller/addresses_render_test.rb +43 -0
data/test/controller/assert_select_test.rb +331 -0
data/test/controller/base_test.rb +219 -0
data/test/controller/benchmark_test.rb +32 -0
data/test/controller/caching_test.rb +581 -0
data/test/controller/capture_test.rb +89 -0
data/test/controller/cgi_test.rb +116 -0
data/test/controller/components_test.rb +140 -0
data/test/controller/content_type_test.rb +139 -0
data/test/controller/controller_fixtures/app/controllers/admin/user_controller.rb +0 -0
data/test/controller/controller_fixtures/app/controllers/user_controller.rb +0 -0
data/test/controller/controller_fixtures/vendor/plugins/bad_plugin/lib/plugin_controller.rb +0 -0
data/test/controller/cookie_test.rb +146 -0
data/test/controller/custom_handler_test.rb +45 -0
data/test/controller/deprecation/deprecated_base_methods_test.rb +37 -0
data/test/controller/dispatcher_test.rb +105 -0
data/test/controller/fake_controllers.rb +33 -0
data/test/controller/fake_models.rb +11 -0
data/test/controller/filter_params_test.rb +49 -0
data/test/controller/filters_test.rb +881 -0
data/test/controller/flash_test.rb +146 -0
data/test/controller/header_test.rb +14 -0
data/test/controller/helper_test.rb +210 -0
data/test/controller/html-scanner/cdata_node_test.rb +15 -0
data/test/controller/html-scanner/document_test.rb +148 -0
data/test/controller/html-scanner/node_test.rb +89 -0
data/test/controller/html-scanner/sanitizer_test.rb +269 -0
data/test/controller/html-scanner/tag_node_test.rb +238 -0
data/test/controller/html-scanner/text_node_test.rb +50 -0
data/test/controller/html-scanner/tokenizer_test.rb +131 -0
data/test/controller/http_authentication_test.rb +54 -0
data/test/controller/integration_test.rb +252 -0
data/test/controller/integration_upload_test.rb +43 -0
data/test/controller/layout_test.rb +255 -0
data/test/controller/mime_responds_test.rb +514 -0
data/test/controller/mime_type_test.rb +84 -0
data/test/controller/new_render_test.rb +843 -0
data/test/controller/polymorphic_routes_test.rb +174 -0
data/test/controller/record_identifier_test.rb +139 -0
data/test/controller/redirect_test.rb +289 -0
data/test/controller/render_test.rb +484 -0
data/test/controller/request_forgery_protection_test.rb +305 -0
data/test/controller/request_test.rb +928 -0
data/test/controller/rescue_test.rb +517 -0
data/test/controller/resources_test.rb +873 -0
data/test/controller/routing_test.rb +2464 -0
data/test/controller/selector_test.rb +628 -0
data/test/controller/send_file_test.rb +138 -0
data/test/controller/session/cookie_store_test.rb +258 -0
data/test/controller/session/mem_cache_store_test.rb +181 -0
data/test/controller/session_fixation_test.rb +89 -0
data/test/controller/session_management_test.rb +178 -0
data/test/controller/test_test.rb +695 -0
data/test/controller/url_rewriter_test.rb +310 -0
data/test/controller/verification_test.rb +270 -0
data/test/controller/view_paths_test.rb +140 -0
data/test/controller/webservice_test.rb +229 -0
data/test/fixtures/addresses/list.erb +1 -0
data/test/fixtures/bad_customers/_bad_customer.html.erb +1 -0
data/test/fixtures/companies.yml +24 -0
data/test/fixtures/company.rb +10 -0
data/test/fixtures/content_type/render_default_content_types_for_respond_to.rhtml +1 -0
data/test/fixtures/content_type/render_default_for_js.js.erb +1 -0
data/test/fixtures/content_type/render_default_for_rhtml.rhtml +1 -0
data/test/fixtures/content_type/render_default_for_rxml.rxml +1 -0
data/test/fixtures/customers/_customer.html.erb +1 -0
data/test/fixtures/db_definitions/sqlite.sql +49 -0
data/test/fixtures/developer.rb +9 -0
data/test/fixtures/developers.yml +21 -0
data/test/fixtures/developers_projects.yml +13 -0
data/test/fixtures/fun/games/hello_world.erb +1 -0
data/test/fixtures/functional_caching/_partial.erb +3 -0
data/test/fixtures/functional_caching/fragment_cached.html.erb +2 -0
data/test/fixtures/functional_caching/html_fragment_cached_with_partial.html.erb +1 -0
data/test/fixtures/functional_caching/js_fragment_cached_with_partial.js.rjs +1 -0
data/test/fixtures/good_customers/_good_customer.html.erb +1 -0
data/test/fixtures/helpers/abc_helper.rb +5 -0
data/test/fixtures/helpers/fun/games_helper.rb +3 -0
data/test/fixtures/helpers/fun/pdf_helper.rb +3 -0
data/test/fixtures/layout_tests/alt/hello.rhtml +1 -0
data/test/fixtures/layout_tests/layouts/controller_name_space/nested.rhtml +1 -0
data/test/fixtures/layout_tests/layouts/item.rhtml +1 -0
data/test/fixtures/layout_tests/layouts/layout_test.rhtml +1 -0
data/test/fixtures/layout_tests/layouts/multiple_extensions.html.erb +1 -0
data/test/fixtures/layout_tests/layouts/third_party_template_library.mab +1 -0
data/test/fixtures/layout_tests/views/hello.rhtml +1 -0
data/test/fixtures/layouts/block_with_layout.erb +3 -0
data/test/fixtures/layouts/builder.builder +3 -0
data/test/fixtures/layouts/partial_with_layout.erb +3 -0
data/test/fixtures/layouts/standard.erb +1 -0
data/test/fixtures/layouts/talk_from_action.erb +2 -0
data/test/fixtures/layouts/yield.erb +2 -0
data/test/fixtures/mascot.rb +3 -0
data/test/fixtures/mascots.yml +4 -0
data/test/fixtures/mascots/_mascot.html.erb +1 -0
data/test/fixtures/multipart/binary_file +0 -0
data/test/fixtures/multipart/boundary_problem_file +10 -0
data/test/fixtures/multipart/bracketed_param +5 -0
data/test/fixtures/multipart/large_text_file +10 -0
data/test/fixtures/multipart/mixed_files +0 -0
data/test/fixtures/multipart/mona_lisa.jpg +0 -0
data/test/fixtures/multipart/single_parameter +5 -0
data/test/fixtures/multipart/text_file +10 -0
data/test/fixtures/override/test/hello_world.erb +1 -0
data/test/fixtures/override2/layouts/test/sub.erb +1 -0
data/test/fixtures/post_test/layouts/post.html.erb +1 -0
data/test/fixtures/post_test/layouts/super_post.iphone.erb +1 -0
data/test/fixtures/post_test/post/index.html.erb +1 -0
data/test/fixtures/post_test/post/index.iphone.erb +1 -0
data/test/fixtures/post_test/super_post/index.html.erb +1 -0
data/test/fixtures/post_test/super_post/index.iphone.erb +1 -0
data/test/fixtures/project.rb +3 -0
data/test/fixtures/projects.yml +7 -0
data/test/fixtures/public/404.html +1 -0
data/test/fixtures/public/500.html +1 -0
data/test/fixtures/public/images/rails.png +0 -0
data/test/fixtures/public/javascripts/application.js +1 -0
data/test/fixtures/public/javascripts/bank.js +1 -0
data/test/fixtures/public/javascripts/robber.js +1 -0
data/test/fixtures/public/javascripts/version.1.0.js +1 -0
data/test/fixtures/public/stylesheets/bank.css +1 -0
data/test/fixtures/public/stylesheets/robber.css +1 -0
data/test/fixtures/public/stylesheets/version.1.0.css +1 -0
data/test/fixtures/replies.yml +15 -0
data/test/fixtures/reply.rb +7 -0
data/test/fixtures/respond_to/all_types_with_layout.html.erb +1 -0
data/test/fixtures/respond_to/custom_constant_handling_without_block.mobile.erb +1 -0
data/test/fixtures/respond_to/iphone_with_html_response_type.html.erb +1 -0
data/test/fixtures/respond_to/iphone_with_html_response_type.iphone.erb +1 -0
data/test/fixtures/respond_to/layouts/missing.html.erb +1 -0
data/test/fixtures/respond_to/layouts/standard.html.erb +1 -0
data/test/fixtures/respond_to/layouts/standard.iphone.erb +1 -0
data/test/fixtures/respond_to/using_defaults.html.erb +1 -0
data/test/fixtures/respond_to/using_defaults.js.rjs +1 -0
data/test/fixtures/respond_to/using_defaults.xml.builder +1 -0
data/test/fixtures/respond_to/using_defaults_with_type_list.html.erb +1 -0
data/test/fixtures/respond_to/using_defaults_with_type_list.js.rjs +1 -0
data/test/fixtures/respond_to/using_defaults_with_type_list.xml.builder +1 -0
data/test/fixtures/scope/test/modgreet.erb +1 -0
data/test/fixtures/shared.html.erb +1 -0
data/test/fixtures/symlink_parent/symlinked_layout.erb +5 -0
data/test/fixtures/test/_customer.erb +1 -0
data/test/fixtures/test/_customer_counter.erb +1 -0
data/test/fixtures/test/_customer_greeting.erb +1 -0
data/test/fixtures/test/_form.erb +1 -0
data/test/fixtures/test/_hash_greeting.erb +1 -0
data/test/fixtures/test/_hash_object.erb +2 -0
data/test/fixtures/test/_hello.builder +1 -0
data/test/fixtures/test/_labelling_form.erb +1 -0
data/test/fixtures/test/_layout_for_partial.html.erb +3 -0
data/test/fixtures/test/_partial.erb +1 -0
data/test/fixtures/test/_partial.html.erb +1 -0
data/test/fixtures/test/_partial.js.erb +1 -0
data/test/fixtures/test/_partial_for_use_in_layout.html.erb +1 -0
data/test/fixtures/test/_partial_only.erb +1 -0
data/test/fixtures/test/_person.erb +2 -0
data/test/fixtures/test/_raise.html.erb +1 -0
data/test/fixtures/test/action_talk_to_layout.erb +2 -0
data/test/fixtures/test/block_content_for.erb +2 -0
data/test/fixtures/test/calling_partial_with_layout.html.erb +1 -0
data/test/fixtures/test/capturing.erb +4 -0
data/test/fixtures/test/content_for.erb +2 -0
data/test/fixtures/test/content_for_concatenated.erb +3 -0
data/test/fixtures/test/content_for_with_parameter.erb +2 -0
data/test/fixtures/test/delete_with_js.rjs +2 -0
data/test/fixtures/test/dot.directory/render_file_with_ivar.erb +1 -0
data/test/fixtures/test/enum_rjs_test.rjs +6 -0
data/test/fixtures/test/erb_content_for.erb +2 -0
data/test/fixtures/test/formatted_html_erb.html.erb +1 -0
data/test/fixtures/test/formatted_xml_erb.builder +1 -0
data/test/fixtures/test/formatted_xml_erb.html.erb +1 -0
data/test/fixtures/test/formatted_xml_erb.xml.erb +1 -0
data/test/fixtures/test/greeting.erb +1 -0
data/test/fixtures/test/greeting.js.rjs +1 -0
data/test/fixtures/test/hello.builder +4 -0
data/test/fixtures/test/hello_world.erb +1 -0
data/test/fixtures/test/hello_world_container.builder +3 -0
data/test/fixtures/test/hello_world_from_rxml.builder +4 -0
data/test/fixtures/test/hello_world_with_layout_false.erb +1 -0
data/test/fixtures/test/hello_xml_world.builder +11 -0
data/test/fixtures/test/list.erb +1 -0
data/test/fixtures/test/non_erb_block_content_for.builder +4 -0
data/test/fixtures/test/potential_conflicts.erb +4 -0
data/test/fixtures/test/render_file_from_template.html.erb +1 -0
data/test/fixtures/test/render_file_with_ivar.erb +1 -0
data/test/fixtures/test/render_file_with_locals.erb +1 -0
data/test/fixtures/test/render_to_string_test.erb +1 -0
data/test/fixtures/test/update_element_with_capture.erb +9 -0
data/test/fixtures/test/using_layout_around_block.html.erb +1 -0
data/test/fixtures/topic.rb +3 -0
data/test/fixtures/topics.yml +22 -0
data/test/fixtures/topics/_topic.html.erb +1 -0
data/test/template/active_record_helper_test.rb +268 -0
data/test/template/asset_tag_helper_test.rb +514 -0
data/test/template/atom_feed_helper_test.rb +179 -0
data/test/template/benchmark_helper_test.rb +60 -0
data/test/template/date_helper_test.rb +1791 -0
data/test/template/deprecated_erb_variable_test.rb +9 -0
data/test/template/erb_util_test.rb +24 -0
data/test/template/form_helper_test.rb +885 -0
data/test/template/form_options_helper_test.rb +1333 -0
data/test/template/form_tag_helper_test.rb +272 -0
data/test/template/javascript_helper_test.rb +73 -0
data/test/template/number_helper_test.rb +97 -0
data/test/template/record_tag_helper_test.rb +54 -0
data/test/template/sanitize_helper_test.rb +48 -0
data/test/template/tag_helper_test.rb +77 -0
data/test/template/template_finder_test.rb +73 -0
data/test/template/template_object_test.rb +95 -0
data/test/template/test_test.rb +56 -0
data/test/template/text_helper_test.rb +367 -0
data/test/template/url_helper_test.rb +544 -0
data/test/testing_sandbox.rb +15 -0
metadata +469 -0

data/test/controller/request_forgery_protection_test.rb ADDED Viewed

@@ -0,0 +1,305 @@
+require 'abstract_unit'
+require 'digest/sha1'
+ActionController::Routing::Routes.draw do |map|
+  map.connect ':controller/:action/:id'
+end
+# simulates cookie session store
+class FakeSessionDbMan
+  def self.generate_digest(data)
+    Digest::SHA1.hexdigest("secure")
+  end
+end
+# common controller actions
+module RequestForgeryProtectionActions
+  def index
+    render :inline => "<%= form_tag('/') {} %>"
+  end
+  def show_button
+    render :inline => "<%= button_to('New', '/') {} %>"
+  end
+  def unsafe
+    render :text => 'pwn'
+  end
+  def rescue_action(e) raise e end
+end
+# sample controllers
+class RequestForgeryProtectionController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index, :secret => 'abc'
+end
+class RequestForgeryProtectionWithoutSecretController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery
+end
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index
+end
+# sessions are turned off
+class SessionOffController < ActionController::Base
+  protect_from_forgery :secret => 'foobar'
+  session :off
+  def rescue_action(e) raise e end
+  include RequestForgeryProtectionActions
+end
+class FreeCookieController < CsrfCookieMonsterController
+  self.allow_forgery_protection = false
+  def index
+    render :inline => "<%= form_tag('/') {} %>"
+  end
+  def show_button
+    render :inline => "<%= button_to('New', '/') {} %>"
+  end
+end
+# common test methods
+module RequestForgeryProtectionTests
+  def teardown
+    ActionController::Base.request_forgery_protection_token = nil
+  end
+  def test_should_render_form_with_token_tag
+    get :index
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+  end
+  def test_should_render_button_to_with_token_tag
+    get :show_button
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+  end
+  def test_should_allow_get
+    get :index
+    assert_response :success
+  end
+  def test_should_allow_post_without_token_on_unsafe_action
+    post :unsafe
+    assert_response :success
+  end
+  def test_should_not_allow_post_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
+  end
+  def test_should_not_allow_put_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
+  end
+  def test_should_not_allow_delete_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
+  end
+  def test_should_not_allow_api_formatted_post_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      post :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_put_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      put :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_delete_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      delete :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_post_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      post :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_put_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      put :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_delete_sent_as_url_encoded_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+      delete :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_post_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      post :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_put_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      put :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
+      delete :index, :format => 'xml'
+    end
+  end
+  def test_should_not_allow_xhr_post_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
+  end
+  def test_should_not_allow_xhr_put_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
+  end
+  def test_should_not_allow_xhr_delete_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
+  end
+  def test_should_allow_post_with_token
+    post :index, :authenticity_token => @token
+    assert_response :success
+  end
+  def test_should_allow_put_with_token
+    put :index, :authenticity_token => @token
+    assert_response :success
+  end
+  def test_should_allow_delete_with_token
+    delete :index, :authenticity_token => @token
+    assert_response :success
+  end
+  def test_should_allow_post_with_xml
+    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
+    post :index, :format => 'xml'
+    assert_response :success
+  end
+  def test_should_allow_put_with_xml
+    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
+    put :index, :format => 'xml'
+    assert_response :success
+  end
+  def test_should_allow_delete_with_xml
+    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
+    delete :index, :format => 'xml'
+    assert_response :success
+  end
+end
+# OK let's get our test on
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
+  def setup
+    @controller = RequestForgeryProtectionController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      def session_id() '123' end
+    end
+    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+end
+class RequestForgeryProtectionWithoutSecretControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = RequestForgeryProtectionWithoutSecretController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      def session_id() '123' end
+    end
+    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+  def test_should_raise_error_without_secret
+    assert_raises ActionController::InvalidAuthenticityToken do
+      get :index
+    end
+  end
+end
+class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
+  def setup
+    @controller = CsrfCookieMonsterController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      attr_accessor :dbman
+    end
+    # simulate a cookie session store
+    @request.session.dbman = FakeSessionDbMan
+    @token = Digest::SHA1.hexdigest("secure")
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+end
+class FreeCookieControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = FreeCookieController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    @token      = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+  end
+  def test_should_not_render_form_with_token_tag
+    get :index
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+  end
+  def test_should_not_render_button_to_with_token_tag
+    get :show_button
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+  end
+  def test_should_allow_all_methods_without_token
+    [:post, :put, :delete].each do |method|
+      assert_nothing_raised { send(method, :index)}
+    end
+  end
+end
+class SessionOffControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = SessionOffController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    @token      = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+  end
+  def test_should_raise_correct_exception
+    @request.session = {} # session(:off) doesn't appear to work with controller tests
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      post :index, :authenticity_token => @token
+    end
+  end
+end

data/test/controller/request_test.rb ADDED Viewed

@@ -0,0 +1,928 @@
+require 'abstract_unit'
+require 'action_controller/integration'
+class RequestTest < Test::Unit::TestCase
+  def setup
+    @request = ActionController::TestRequest.new
+  end
+  def test_remote_ip
+    assert_equal '0.0.0.0', @request.remote_ip
+    @request.remote_addr = '1.2.3.4'
+    assert_equal '1.2.3.4', @request.remote_ip
+    @request.remote_addr = '1.2.3.4,3.4.5.6'
+    assert_equal '1.2.3.4', @request.remote_ip
+    @request.env['HTTP_CLIENT_IP'] = '2.3.4.5'
+    assert_equal '1.2.3.4', @request.remote_ip
+    @request.remote_addr = '192.168.0.1'
+    assert_equal '2.3.4.5', @request.remote_ip
+    @request.env.delete 'HTTP_CLIENT_IP'
+    @request.remote_addr = '1.2.3.4'
+    @request.env['HTTP_X_FORWARDED_FOR'] = '3.4.5.6'
+    assert_equal '1.2.3.4', @request.remote_ip
+    @request.remote_addr = '127.0.0.1'
+    @request.env['HTTP_X_FORWARDED_FOR'] = '3.4.5.6'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = 'unknown,3.4.5.6'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = '172.16.0.1,3.4.5.6'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = '192.168.0.1,3.4.5.6'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = '10.0.0.1,3.4.5.6'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = '10.0.0.1, 10.0.0.1, 3.4.5.6'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = '127.0.0.1,3.4.5.6'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = 'unknown,192.168.0.1'
+    assert_equal 'unknown', @request.remote_ip
+    @request.env['HTTP_X_FORWARDED_FOR'] = '9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4'
+    assert_equal '3.4.5.6', @request.remote_ip
+    @request.env['HTTP_CLIENT_IP'] = '8.8.8.8'
+    e = assert_raises(ActionController::ActionControllerError) {
+      @request.remote_ip
+    }
+    assert_match /IP spoofing attack/, e.message
+    assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message
+    assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message
+    @request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9'
+    assert_equal '8.8.8.8', @request.remote_ip
+    @request.env.delete 'HTTP_CLIENT_IP'
+    @request.env.delete 'HTTP_X_FORWARDED_FOR'
+  end
+  def test_domains
+    @request.host = "www.rubyonrails.org"
+    assert_equal "rubyonrails.org", @request.domain
+    @request.host = "www.rubyonrails.co.uk"
+    assert_equal "rubyonrails.co.uk", @request.domain(2)
+    @request.host = "192.168.1.200"
+    assert_nil @request.domain
+    @request.host = "foo.192.168.1.200"
+    assert_nil @request.domain
+    @request.host = "192.168.1.200.com"
+    assert_equal "200.com", @request.domain
+    @request.host = nil
+    assert_nil @request.domain
+  end
+  def test_subdomains
+    @request.host = "www.rubyonrails.org"
+    assert_equal %w( www ), @request.subdomains
+    @request.host = "www.rubyonrails.co.uk"
+    assert_equal %w( www ), @request.subdomains(2)
+    @request.host = "dev.www.rubyonrails.co.uk"
+    assert_equal %w( dev www ), @request.subdomains(2)
+    @request.host = "foobar.foobar.com"
+    assert_equal %w( foobar ), @request.subdomains
+    @request.host = "192.168.1.200"
+    assert_equal [], @request.subdomains
+    @request.host = "foo.192.168.1.200"
+    assert_equal [], @request.subdomains
+    @request.host = "192.168.1.200.com"
+    assert_equal %w( 192 168 1 ), @request.subdomains
+    @request.host = nil
+    assert_equal [], @request.subdomains
+  end
+  def test_port_string
+    @request.port = 80
+    assert_equal "", @request.port_string
+    @request.port = 8080
+    assert_equal ":8080", @request.port_string
+  end
+  def test_relative_url_root
+    @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi"
+    @request.env['SERVER_SOFTWARE'] = 'lighttpd/1.2.3'
+    assert_equal '', @request.relative_url_root, "relative_url_root should be disabled on lighttpd"
+    @request.env['SERVER_SOFTWARE'] = 'apache/1.2.3 some random text'
+    @request.env['SCRIPT_NAME'] = nil
+    assert_equal "", @request.relative_url_root
+    @request.env['SCRIPT_NAME'] = "/dispatch.cgi"
+    assert_equal "", @request.relative_url_root
+    @request.env['SCRIPT_NAME'] = "/myapp.rb"
+    assert_equal "", @request.relative_url_root
+    @request.relative_url_root = nil
+    @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi"
+    assert_equal "/hieraki", @request.relative_url_root
+    @request.relative_url_root = nil
+    @request.env['SCRIPT_NAME'] = "/collaboration/hieraki/dispatch.cgi"
+    assert_equal "/collaboration/hieraki", @request.relative_url_root
+    # apache/scgi case
+    @request.relative_url_root = nil
+    @request.env['SCRIPT_NAME'] = "/collaboration/hieraki"
+    assert_equal "/collaboration/hieraki", @request.relative_url_root
+    @request.relative_url_root = nil
+    @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi"
+    @request.env['SERVER_SOFTWARE'] = 'lighttpd/1.2.3'
+    @request.env['RAILS_RELATIVE_URL_ROOT'] = "/hieraki"
+    assert_equal "/hieraki", @request.relative_url_root
+    # @env overrides path guess
+    @request.relative_url_root = nil
+    @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi"
+    @request.env['SERVER_SOFTWARE'] = 'apache/1.2.3 some random text'
+    @request.env['RAILS_RELATIVE_URL_ROOT'] = "/real_url"
+    assert_equal "/real_url", @request.relative_url_root
+  end
+  def test_request_uri
+    @request.env['SERVER_SOFTWARE'] = 'Apache 42.342.3432'
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "http://www.rubyonrails.org/path/of/some/uri?mapped=1"
+    assert_equal "/path/of/some/uri?mapped=1", @request.request_uri
+    assert_equal "/path/of/some/uri", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "http://www.rubyonrails.org/path/of/some/uri"
+    assert_equal "/path/of/some/uri", @request.request_uri
+    assert_equal "/path/of/some/uri", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "/path/of/some/uri"
+    assert_equal "/path/of/some/uri", @request.request_uri
+    assert_equal "/path/of/some/uri", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "/"
+    assert_equal "/", @request.request_uri
+    assert_equal "/", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "/?m=b"
+    assert_equal "/?m=b", @request.request_uri
+    assert_equal "/", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "/"
+    @request.env['SCRIPT_NAME'] = "/dispatch.cgi"
+    assert_equal "/", @request.request_uri
+    assert_equal "/", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "/hieraki/"
+    @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi"
+    assert_equal "/hieraki/", @request.request_uri
+    assert_equal "/", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI "/collaboration/hieraki/books/edit/2"
+    @request.env['SCRIPT_NAME'] = "/collaboration/hieraki/dispatch.cgi"
+    assert_equal "/collaboration/hieraki/books/edit/2", @request.request_uri
+    assert_equal "/books/edit/2", @request.path
+    # The following tests are for when REQUEST_URI is not supplied (as in IIS)
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI nil
+    @request.env['PATH_INFO'] = "/path/of/some/uri?mapped=1"
+    @request.env['SCRIPT_NAME'] = nil #"/path/dispatch.rb"
+    assert_equal "/path/of/some/uri?mapped=1", @request.request_uri
+    assert_equal "/path/of/some/uri", @request.path
+    @request.set_REQUEST_URI nil
+    @request.relative_url_root = nil
+    @request.env['PATH_INFO'] = "/path/of/some/uri?mapped=1"
+    @request.env['SCRIPT_NAME'] = "/path/dispatch.rb"
+    assert_equal "/path/of/some/uri?mapped=1", @request.request_uri
+    assert_equal "/of/some/uri", @request.path
+    @request.set_REQUEST_URI nil
+    @request.relative_url_root = nil
+    @request.env['PATH_INFO'] = "/path/of/some/uri"
+    @request.env['SCRIPT_NAME'] = nil
+    assert_equal "/path/of/some/uri", @request.request_uri
+    assert_equal "/path/of/some/uri", @request.path
+    @request.set_REQUEST_URI nil
+    @request.relative_url_root = nil
+    @request.env['PATH_INFO'] = "/"
+    assert_equal "/", @request.request_uri
+    assert_equal "/", @request.path
+    @request.set_REQUEST_URI nil
+    @request.relative_url_root = nil
+    @request.env['PATH_INFO'] = "/?m=b"
+    assert_equal "/?m=b", @request.request_uri
+    assert_equal "/", @request.path
+    @request.set_REQUEST_URI nil
+    @request.relative_url_root = nil
+    @request.env['PATH_INFO'] = "/"
+    @request.env['SCRIPT_NAME'] = "/dispatch.cgi"
+    assert_equal "/", @request.request_uri
+    assert_equal "/", @request.path
+    @request.set_REQUEST_URI nil
+    @request.relative_url_root = nil
+    @request.env['PATH_INFO'] = "/hieraki/"
+    @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi"
+    assert_equal "/hieraki/", @request.request_uri
+    assert_equal "/", @request.path
+    @request.set_REQUEST_URI '/hieraki/dispatch.cgi'
+    @request.relative_url_root = '/hieraki'
+    assert_equal "/dispatch.cgi", @request.path
+    @request.relative_url_root = nil
+    @request.set_REQUEST_URI '/hieraki/dispatch.cgi'
+    @request.relative_url_root = '/foo'
+    assert_equal "/hieraki/dispatch.cgi", @request.path
+    @request.relative_url_root = nil
+    # This test ensures that Rails uses REQUEST_URI over PATH_INFO
+    @request.relative_url_root = nil
+    @request.env['REQUEST_URI'] = "/some/path"
+    @request.env['PATH_INFO'] = "/another/path"
+    @request.env['SCRIPT_NAME'] = "/dispatch.cgi"
+    assert_equal "/some/path", @request.request_uri
+    assert_equal "/some/path", @request.path
+  end
+  def test_host_with_default_port
+    @request.host = "rubyonrails.org"
+    @request.port = 80
+    assert_equal "rubyonrails.org", @request.host_with_port
+  end
+  def test_host_with_non_default_port
+    @request.host = "rubyonrails.org"
+    @request.port = 81
+    assert_equal "rubyonrails.org:81", @request.host_with_port
+  end
+  def test_server_software
+    assert_equal nil, @request.server_software
+    @request.env['SERVER_SOFTWARE'] = 'Apache3.422'
+    assert_equal 'apache', @request.server_software
+    @request.env['SERVER_SOFTWARE'] = 'lighttpd(1.1.4)'
+    assert_equal 'lighttpd', @request.server_software
+  end
+  def test_xml_http_request
+    assert !@request.xml_http_request?
+    assert !@request.xhr?
+    @request.env['HTTP_X_REQUESTED_WITH'] = "DefinitelyNotAjax1.0"
+    assert !@request.xml_http_request?
+    assert !@request.xhr?
+    @request.env['HTTP_X_REQUESTED_WITH'] = "XMLHttpRequest"
+    assert @request.xml_http_request?
+    assert @request.xhr?
+  end
+  def test_reports_ssl
+    assert !@request.ssl?
+    @request.env['HTTPS'] = 'on'
+    assert @request.ssl?
+  end
+  def test_reports_ssl_when_proxied_via_lighttpd
+    assert !@request.ssl?
+    @request.env['HTTP_X_FORWARDED_PROTO'] = 'https'
+    assert @request.ssl?
+  end
+  def test_symbolized_request_methods
+    [:get, :post, :put, :delete].each do |method|
+      set_request_method_to method
+      assert_equal method, @request.method
+    end
+  end
+  def test_invalid_http_method_raises_exception
+    set_request_method_to :random_method
+    assert_raises(ActionController::UnknownHttpMethod) do
+      @request.method
+    end
+  end
+  def test_allow_method_hacking_on_post
+    set_request_method_to :post
+    [:get, :head, :options, :put, :post, :delete].each do |method|
+      @request.instance_eval { @parameters = { :_method => method } ; @request_method = nil }
+      assert_equal(method == :head ? :get : method, @request.method)
+    end
+  end
+  def test_invalid_method_hacking_on_post_raises_exception
+    set_request_method_to :post
+    @request.instance_eval { @parameters = { :_method => :random_method } ; @request_method = nil }
+    assert_raises(ActionController::UnknownHttpMethod) do
+      @request.method
+    end
+  end
+  def test_restrict_method_hacking
+    @request.instance_eval { @parameters = { :_method => 'put' } }
+    [:get, :put, :delete].each do |method|
+      set_request_method_to method
+      assert_equal method, @request.method
+    end
+  end
+  def test_head_masquarading_as_get
+    set_request_method_to :head
+    assert_equal :get, @request.method
+    assert @request.get?
+    assert @request.head?
+  end
+  def test_xml_format
+    @request.instance_eval { @parameters = { :format => 'xml' } }
+    assert_equal Mime::XML, @request.format
+  end
+  def test_xhtml_format
+    @request.instance_eval { @parameters = { :format => 'xhtml' } }
+    assert_equal Mime::HTML, @request.format
+  end
+  def test_txt_format
+    @request.instance_eval { @parameters = { :format => 'txt' } }
+    assert_equal Mime::TEXT, @request.format
+  end
+  def test_nil_format
+    @request.instance_eval { @parameters = { :format => nil } }
+    @request.env["HTTP_ACCEPT"] = "text/javascript"
+    assert_equal Mime::JS, @request.format
+  end
+  def test_content_type
+    @request.env["CONTENT_TYPE"] = "text/html"
+    assert_equal Mime::HTML, @request.content_type
+  end
+  def test_format_assignment_should_set_format
+    @request.instance_eval { self.format = :txt }
+    assert !@request.format.xml?
+    @request.instance_eval { self.format = :xml }
+    assert @request.format.xml?
+  end
+  def test_content_no_type
+    assert_equal nil, @request.content_type
+  end
+  def test_content_type_xml
+    @request.env["CONTENT_TYPE"] = "application/xml"
+    assert_equal Mime::XML, @request.content_type
+  end
+  def test_content_type_with_charset
+    @request.env["CONTENT_TYPE"] = "application/xml; charset=UTF-8"
+    assert_equal Mime::XML, @request.content_type
+  end
+  def test_user_agent
+    assert_not_nil @request.user_agent
+  end
+  def test_parameters
+    @request.instance_eval { @request_parameters = { "foo" => 1 } }
+    @request.instance_eval { @query_parameters = { "bar" => 2 } }
+    assert_equal({"foo" => 1, "bar" => 2}, @request.parameters)
+    assert_equal({"foo" => 1}, @request.request_parameters)
+    assert_equal({"bar" => 2}, @request.query_parameters)
+  end
+  protected
+    def set_request_method_to(method)
+      @request.env['REQUEST_METHOD'] = method.to_s.upcase
+      @request.instance_eval { @request_method = nil }
+    end
+end
+class UrlEncodedRequestParameterParsingTest < Test::Unit::TestCase
+  def setup
+    @query_string = "action=create_customer&full_name=David%20Heinemeier%20Hansson&customerId=1"
+    @query_string_with_empty = "action=create_customer&full_name="
+    @query_string_with_array = "action=create_customer&selected[]=1&selected[]=2&selected[]=3"
+    @query_string_with_amps  = "action=create_customer&name=Don%27t+%26+Does"
+    @query_string_with_multiple_of_same_name =
+      "action=update_order&full_name=Lau%20Taarnskov&products=4&products=2&products=3"
+    @query_string_with_many_equal = "action=create_customer&full_name=abc=def=ghi"
+    @query_string_without_equal = "action"
+    @query_string_with_many_ampersands =
+      "&action=create_customer&&&full_name=David%20Heinemeier%20Hansson"
+    @query_string_with_empty_key = "action=create_customer&full_name=David%20Heinemeier%20Hansson&=Save"
+  end
+  def test_query_string
+    assert_equal(
+      { "action" => "create_customer", "full_name" => "David Heinemeier Hansson", "customerId" => "1"},
+      ActionController::AbstractRequest.parse_query_parameters(@query_string)
+    )
+  end
+  def test_deep_query_string
+    expected = {'x' => {'y' => {'z' => '10'}}}
+    assert_equal(expected, ActionController::AbstractRequest.parse_query_parameters('x[y][z]=10'))
+  end
+  def test_deep_query_string_with_array
+    assert_equal({'x' => {'y' => {'z' => ['10']}}}, ActionController::AbstractRequest.parse_query_parameters('x[y][z][]=10'))
+    assert_equal({'x' => {'y' => {'z' => ['10', '5']}}}, ActionController::AbstractRequest.parse_query_parameters('x[y][z][]=10&x[y][z][]=5'))
+  end
+  def test_deep_query_string_with_array_of_hash
+    assert_equal({'x' => {'y' => [{'z' => '10'}]}}, ActionController::AbstractRequest.parse_query_parameters('x[y][][z]=10'))
+    assert_equal({'x' => {'y' => [{'z' => '10', 'w' => '10'}]}}, ActionController::AbstractRequest.parse_query_parameters('x[y][][z]=10&x[y][][w]=10'))
+  end
+  def test_deep_query_string_with_array_of_hashes_with_one_pair
+    assert_equal({'x' => {'y' => [{'z' => '10'}, {'z' => '20'}]}}, ActionController::AbstractRequest.parse_query_parameters('x[y][][z]=10&x[y][][z]=20'))
+    assert_equal("10", ActionController::AbstractRequest.parse_query_parameters('x[y][][z]=10&x[y][][z]=20')["x"]["y"].first["z"])
+    assert_equal("10", ActionController::AbstractRequest.parse_query_parameters('x[y][][z]=10&x[y][][z]=20').with_indifferent_access[:x][:y].first[:z])
+  end
+  def test_deep_query_string_with_array_of_hashes_with_multiple_pairs
+    assert_equal(
+      {'x' => {'y' => [{'z' => '10', 'w' => 'a'}, {'z' => '20', 'w' => 'b'}]}},
+      ActionController::AbstractRequest.parse_query_parameters('x[y][][z]=10&x[y][][w]=a&x[y][][z]=20&x[y][][w]=b')
+    )
+  end
+  def test_query_string_with_nil
+    assert_equal(
+      { "action" => "create_customer", "full_name" => ''},
+      ActionController::AbstractRequest.parse_query_parameters(@query_string_with_empty)
+    )
+  end
+  def test_query_string_with_array
+    assert_equal(
+      { "action" => "create_customer", "selected" => ["1", "2", "3"]},
+      ActionController::AbstractRequest.parse_query_parameters(@query_string_with_array)
+    )
+  end
+  def test_query_string_with_amps
+    assert_equal(
+      { "action" => "create_customer", "name" => "Don't & Does"},
+      ActionController::AbstractRequest.parse_query_parameters(@query_string_with_amps)
+    )
+  end
+  def test_query_string_with_many_equal
+    assert_equal(
+      { "action" => "create_customer", "full_name" => "abc=def=ghi"},
+      ActionController::AbstractRequest.parse_query_parameters(@query_string_with_many_equal)
+    )
+  end
+  def test_query_string_without_equal
+    assert_equal(
+      { "action" => nil },
+      ActionController::AbstractRequest.parse_query_parameters(@query_string_without_equal)
+    )
+  end
+  def test_query_string_with_empty_key
+    assert_equal(
+      { "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },
+      ActionController::AbstractRequest.parse_query_parameters(@query_string_with_empty_key)
+    )
+  end
+  def test_query_string_with_many_ampersands
+    assert_equal(
+      { "action" => "create_customer", "full_name" => "David Heinemeier Hansson"},
+      ActionController::AbstractRequest.parse_query_parameters(@query_string_with_many_ampersands)
+    )
+  end
+  def test_unbalanced_query_string_with_array
+   assert_equal(
+     {'location' => ["1", "2"], 'age_group' => ["2"]},
+  ActionController::AbstractRequest.parse_query_parameters("location[]=1&location[]=2&age_group[]=2")
+   )
+   assert_equal(
+     {'location' => ["1", "2"], 'age_group' => ["2"]},
+     ActionController::AbstractRequest.parse_request_parameters({'location[]' => ["1", "2"],
+  'age_group[]' => ["2"]})
+   )
+  end
+  def test_request_hash_parsing
+    query = {
+      "note[viewers][viewer][][type]" => ["User", "Group"],
+      "note[viewers][viewer][][id]"   => ["1", "2"]
+    }
+    expected = { "note" => { "viewers"=>{"viewer"=>[{ "id"=>"1", "type"=>"User"}, {"type"=>"Group", "id"=>"2"} ]} } }
+    assert_equal(expected, ActionController::AbstractRequest.parse_request_parameters(query))
+  end
+  def test_parse_params
+    input = {
+      "customers[boston][first][name]" => [ "David" ],
+      "customers[boston][first][url]" => [ "http://David" ],
+      "customers[boston][second][name]" => [ "Allan" ],
+      "customers[boston][second][url]" => [ "http://Allan" ],
+      "something_else" => [ "blah" ],
+      "something_nil" => [ nil ],
+      "something_empty" => [ "" ],
+      "products[first]" => [ "Apple Computer" ],
+      "products[second]" => [ "Pc" ],
+      "" => [ 'Save' ]
+    }
+    expected_output =  {
+      "customers" => {
+        "boston" => {
+          "first" => {
+            "name" => "David",
+            "url" => "http://David"
+          },
+          "second" => {
+            "name" => "Allan",
+            "url" => "http://Allan"
+          }
+        }
+      },
+      "something_else" => "blah",
+      "something_empty" => "",
+      "something_nil" => "",
+      "products" => {
+        "first" => "Apple Computer",
+        "second" => "Pc"
+      }
+    }
+    assert_equal expected_output, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  UploadedStringIO = ActionController::UploadedStringIO
+  class MockUpload < UploadedStringIO
+    def initialize(content_type, original_path, *args)
+      self.content_type = content_type
+      self.original_path = original_path
+      super *args
+    end
+  end
+  def test_parse_params_from_multipart_upload
+    file = MockUpload.new('img/jpeg', 'foo.jpg')
+    ie_file = MockUpload.new('img/jpeg', 'c:\\Documents and Settings\\foo\\Desktop\\bar.jpg')
+    non_file_text_part = MockUpload.new('text/plain', '', 'abc')
+    input = {
+      "something" => [ UploadedStringIO.new("") ],
+      "array_of_stringios" => [[ UploadedStringIO.new("One"), UploadedStringIO.new("Two") ]],
+      "mixed_types_array" => [[ UploadedStringIO.new("Three"), "NotStringIO" ]],
+      "mixed_types_as_checkboxes[strings][nested]" => [[ file, "String", UploadedStringIO.new("StringIO")]],
+      "ie_mixed_types_as_checkboxes[strings][nested]" => [[ ie_file, "String", UploadedStringIO.new("StringIO")]],
+      "products[string]" => [ UploadedStringIO.new("Apple Computer") ],
+      "products[file]" => [ file ],
+      "ie_products[string]" => [ UploadedStringIO.new("Microsoft") ],
+      "ie_products[file]" => [ ie_file ],
+      "text_part" => [non_file_text_part]
+      }
+    expected_output =  {
+      "something" => "",
+      "array_of_stringios" => ["One", "Two"],
+      "mixed_types_array" => [ "Three", "NotStringIO" ],
+      "mixed_types_as_checkboxes" => {
+         "strings" => {
+            "nested" => [ file, "String", "StringIO" ]
+         },
+      },
+      "ie_mixed_types_as_checkboxes" => {
+         "strings" => {
+            "nested" => [ ie_file, "String", "StringIO" ]
+         },
+      },
+      "products" => {
+        "string" => "Apple Computer",
+        "file" => file
+      },
+      "ie_products" => {
+        "string" => "Microsoft",
+        "file" => ie_file
+      },
+      "text_part" => "abc"
+    }
+    params = ActionController::AbstractRequest.parse_request_parameters(input)
+    assert_equal expected_output, params
+    # Lone filenames are preserved.
+    assert_equal 'foo.jpg', params['mixed_types_as_checkboxes']['strings']['nested'].first.original_filename
+    assert_equal 'foo.jpg', params['products']['file'].original_filename
+    # But full Windows paths are reduced to their basename.
+    assert_equal 'bar.jpg', params['ie_mixed_types_as_checkboxes']['strings']['nested'].first.original_filename
+    assert_equal 'bar.jpg', params['ie_products']['file'].original_filename
+  end
+  def test_parse_params_with_file
+    input = {
+      "customers[boston][first][name]" => [ "David" ],
+      "something_else" => [ "blah" ],
+      "logo" => [ File.new(File.dirname(__FILE__) + "/cgi_test.rb").path ]
+    }
+    expected_output = {
+      "customers" => {
+        "boston" => {
+          "first" => {
+            "name" => "David"
+          }
+        }
+      },
+      "something_else" => "blah",
+      "logo" => File.new(File.dirname(__FILE__) + "/cgi_test.rb").path,
+    }
+    assert_equal expected_output, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_array
+    input = { "selected[]" =>  [ "1", "2", "3" ] }
+    expected_output = { "selected" => [ "1", "2", "3" ] }
+    assert_equal expected_output, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_non_alphanumeric_name
+    input     = { "a/b[c]" =>  %w(d) }
+    expected  = { "a/b" => { "c" => "d" }}
+    assert_equal expected, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_single_brackets_in_middle
+    input     = { "a/b[c]d" =>  %w(e) }
+    expected  = { "a/b" => {} }
+    assert_equal expected, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_separated_brackets
+    input     = { "a/b@[c]d[e]" =>  %w(f) }
+    expected  = { "a/b@" => { }}
+    assert_equal expected, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_separated_brackets_and_array
+    input     = { "a/b@[c]d[e][]" =>  %w(f) }
+    expected  = { "a/b@" => { }}
+    assert_equal expected , ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_unmatched_brackets_and_array
+    input     = { "a/b@[c][d[e][]" =>  %w(f) }
+    expected  = { "a/b@" => { "c" => { }}}
+    assert_equal expected, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_nil_key
+    input = { nil => nil, "test2" => %w(value1) }
+    expected = { "test2" => "value1" }
+    assert_equal expected, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_array_prefix_and_hashes
+    input = { "a[][b][c]" => %w(d) }
+    expected = {"a" => [{"b" => {"c" => "d"}}]}
+    assert_equal expected, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+  def test_parse_params_with_complex_nesting
+    input = { "a[][b][c][][d][]" => %w(e) }
+    expected = {"a" => [{"b" => {"c" => [{"d" => ["e"]}]}}]}
+    assert_equal expected, ActionController::AbstractRequest.parse_request_parameters(input)
+  end
+end
+class MultipartRequestParameterParsingTest < Test::Unit::TestCase
+  FIXTURE_PATH = File.dirname(__FILE__) + '/../fixtures/multipart'
+  def test_single_parameter
+    params = process('single_parameter')
+    assert_equal({ 'foo' => 'bar' }, params)
+  end
+  def test_bracketed_param
+    assert_equal({ 'foo' => { 'baz' => 'bar'}}, process('bracketed_param'))
+  end
+  def test_text_file
+    params = process('text_file')
+    assert_equal %w(file foo), params.keys.sort
+    assert_equal 'bar', params['foo']
+    file = params['file']
+    assert_kind_of StringIO, file
+    assert_equal 'file.txt', file.original_filename
+    assert_equal "text/plain", file.content_type
+    assert_equal 'contents', file.read
+  end
+  def test_boundary_problem_file
+    params = process('boundary_problem_file')
+    assert_equal %w(file foo), params.keys.sort
+    file = params['file']
+    foo  = params['foo']
+    if RUBY_VERSION > '1.9'
+      assert_kind_of File, file
+    else
+      assert_kind_of Tempfile, file
+    end
+    assert_equal 'file.txt', file.original_filename
+    assert_equal "text/plain", file.content_type
+    assert_equal 'bar', foo
+  end
+  def test_large_text_file
+    params = process('large_text_file')
+    assert_equal %w(file foo), params.keys.sort
+    assert_equal 'bar', params['foo']
+    file = params['file']
+    if RUBY_VERSION > '1.9'
+      assert_kind_of File, file
+    else
+      assert_kind_of Tempfile, file
+    end
+    assert_equal 'file.txt', file.original_filename
+    assert_equal "text/plain", file.content_type
+    assert ('a' * 20480) == file.read
+  end
+  uses_mocha "test_no_rewind_stream" do
+    def test_no_rewind_stream
+      # Ensures that parse_multipart_form_parameters works with streams that cannot be rewound
+      file = File.open(File.join(FIXTURE_PATH, 'large_text_file'), 'rb')
+      file.expects(:rewind).raises(Errno::ESPIPE)
+      params = ActionController::AbstractRequest.parse_multipart_form_parameters(file, 'AaB03x', file.stat.size, {})
+      assert_not_equal 0, file.pos  # file was not rewound after reading
+    end
+  end
+  def test_binary_file
+    params = process('binary_file')
+    assert_equal %w(file flowers foo), params.keys.sort
+    assert_equal 'bar', params['foo']
+    file = params['file']
+    assert_kind_of StringIO, file
+    assert_equal 'file.csv', file.original_filename
+    assert_nil file.content_type
+    assert_equal 'contents', file.read
+    file = params['flowers']
+    assert_kind_of StringIO, file
+    assert_equal 'flowers.jpg', file.original_filename
+    assert_equal "image/jpeg", file.content_type
+    assert_equal 19512, file.size
+    #assert_equal File.read(File.dirname(__FILE__) + '/../../../activerecord/test/fixtures/flowers.jpg'), file.read
+  end
+  def test_mixed_files
+    params = process('mixed_files')
+    assert_equal %w(files foo), params.keys.sort
+    assert_equal 'bar', params['foo']
+    # Ruby CGI doesn't handle multipart/mixed for us.
+    files = params['files']
+    assert_kind_of String, files
+    files.force_encoding('ASCII-8BIT') if files.respond_to?(:force_encoding)
+    assert_equal 19756, files.size
+  end
+  private
+    def process(name)
+      File.open(File.join(FIXTURE_PATH, name), 'rb') do |file|
+        params = ActionController::AbstractRequest.parse_multipart_form_parameters(file, 'AaB03x', file.stat.size, {})
+        assert_equal 0, file.pos  # file was rewound after reading
+        params
+      end
+    end
+end
+class XmlParamsParsingTest < Test::Unit::TestCase
+  def test_hash_params
+    person = parse_body("<person><name>David</name></person>")[:person]
+    assert_kind_of Hash, person
+    assert_equal 'David', person['name']
+  end
+  def test_single_file
+    person = parse_body("<person><name>David</name><avatar type='file' name='me.jpg' content_type='image/jpg'>#{ActiveSupport::Base64.encode64('ABC')}</avatar></person>")
+    assert_equal "image/jpg", person['person']['avatar'].content_type
+    assert_equal "me.jpg", person['person']['avatar'].original_filename
+    assert_equal "ABC", person['person']['avatar'].read
+  end
+  def test_multiple_files
+    person = parse_body(<<-end_body)
+      <person>
+        <name>David</name>
+        <avatars>
+          <avatar type='file' name='me.jpg' content_type='image/jpg'>#{ActiveSupport::Base64.encode64('ABC')}</avatar>
+          <avatar type='file' name='you.gif' content_type='image/gif'>#{ActiveSupport::Base64.encode64('DEF')}</avatar>
+        </avatars>
+      </person>
+    end_body
+    assert_equal "image/jpg", person['person']['avatars']['avatar'].first.content_type
+    assert_equal "me.jpg", person['person']['avatars']['avatar'].first.original_filename
+    assert_equal "ABC", person['person']['avatars']['avatar'].first.read
+    assert_equal "image/gif", person['person']['avatars']['avatar'].last.content_type
+    assert_equal "you.gif", person['person']['avatars']['avatar'].last.original_filename
+    assert_equal "DEF", person['person']['avatars']['avatar'].last.read
+  end
+  private
+    def parse_body(body)
+      env = { 'CONTENT_TYPE'   => 'application/xml',
+              'CONTENT_LENGTH' => body.size.to_s }
+      cgi = ActionController::Integration::Session::StubCGI.new(env, body)
+      ActionController::CgiRequest.new(cgi).request_parameters
+    end
+end
+class LegacyXmlParamsParsingTest < XmlParamsParsingTest
+  private
+    def parse_body(body)
+      env = { 'HTTP_X_POST_DATA_FORMAT' => 'xml',
+              'CONTENT_LENGTH' => body.size.to_s }
+      cgi = ActionController::Integration::Session::StubCGI.new(env, body)
+      ActionController::CgiRequest.new(cgi).request_parameters
+    end
+end
+class JsonParamsParsingTest < Test::Unit::TestCase
+  def test_hash_params
+    person = parse_body({:person => {:name => "David"}}.to_json)[:person]
+    assert_kind_of Hash, person
+    assert_equal 'David', person['name']
+  end
+  private
+    def parse_body(body)
+      env = { 'CONTENT_TYPE'   => 'application/json',
+              'CONTENT_LENGTH' => body.size.to_s }
+      cgi = ActionController::Integration::Session::StubCGI.new(env, body)
+      ActionController::CgiRequest.new(cgi).request_parameters
+    end
+end