authorOlli Jokinen <olli.jokinen@enemy.fi>2011-12-01 15:32:59 +0200
committerOlli Jokinen <olli.jokinen@enemy.fi>2011-12-01 15:32:59 +0200
commitb4e1903d23a760028d58bc3bb20a1d491bfd4a4b (patch)
treea40bdce1bd4800124ab6eaed2a6be017bf9cfd3d /actionpack/lib/action_dispatch/middleware
parentfae9ad9c712decef70b379f5aa1faa0149902831 (diff)
parent1e51cd957e3c90f4be35f1f0c4c380d8f7d40d66 (diff)
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'actionpack/lib/action_dispatch/middleware')
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb12
-rw-r--r--actionpack/lib/action_dispatch/middleware/flash.rb4
-rw-r--r--actionpack/lib/action_dispatch/middleware/params_parser.rb13
-rw-r--r--actionpack/lib/action_dispatch/middleware/remote_ip.rb102
-rw-r--r--actionpack/lib/action_dispatch/middleware/request_id.rb39
-rw-r--r--actionpack/lib/action_dispatch/middleware/session/abstract_store.rb5
-rw-r--r--actionpack/lib/action_dispatch/middleware/session/cache_store.rb50
-rw-r--r--actionpack/lib/action_dispatch/middleware/show_exceptions.rb64
-rw-r--r--actionpack/lib/action_dispatch/middleware/templates/rescues/layout.erb1
9 files changed, 212 insertions, 78 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 1c312f2587..51cec41a34 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -85,6 +85,7 @@ module ActionDispatch
class CookieOverflow < StandardError; end
class CookieJar #:nodoc:
+ include Enumerable
# This regular expression is used to split the levels of a domain.
# The top level domain can be any string without a period or
@@ -124,6 +125,10 @@ module ActionDispatch
alias :closed? :closed
def close!; @closed = true end
+ def each(&block)
+ @cookies.each(&block)
+ end
+
# Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
def [](name)
@cookies[name.to_s]
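Review bot: The new `each` carries no comment, although the neighbouring accessor right below it is documented (`# Returns the value of the cookie by +name+ ...`), and with `Enumerable` mixed into `CookieJar` in this commit, `each` is now the basis of every enumeration over the jar. Since it delegates straight to `@cookies`, which `[]` indexes by string name, iteration yields name/value pairs, which is worth stating for callers: `# Yields each [name, value] pair held in the jar; backs the Enumerable methods on CookieJar.` The `[]` method that follows continues outside the hunk.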
@@ -169,7 +174,7 @@ module ActionDispatch
options = { :value => value }
end
- value = @cookies[key.to_s] = value
+ @cookies[key.to_s] = value
handle_options(options)
@@ -238,10 +243,13 @@ module ActionDispatch
@delete_cookies.clear
end
+ mattr_accessor :always_write_cookie
+ self.always_write_cookie = false
+
private
def write_cookie?(cookie)
- @secure || !cookie[:secure] || defined?(Rails.env) && Rails.env.development?
+ @secure || !cookie[:secure] || always_write_cookie
end
end
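Review bot: `always_write_cookie` is a process-wide switch that removes the only guard keeping `:secure` cookies off non-SSL responses (`write_cookie?` at the end of the hunk returns true for every cookie once it is set), and it is added without a comment saying so. Because it replaced the old `Rails.env.development?` check, someone enabling it in a production configuration would silently ship secure cookies over plain HTTP. I'd document it directly above the accessor: `# When true, cookies flagged :secure are written even on non-SSL requests. Intended for development/test only; keep false in production.` Where `@secure` is assigned is outside the hunk, so I can't confirm what the first branch of `write_cookie?` covers.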
diff --git a/actionpack/lib/action_dispatch/middleware/flash.rb b/actionpack/lib/action_dispatch/middleware/flash.rb
index 2adbce031b..e59404ef68 100644
--- a/actionpack/lib/action_dispatch/middleware/flash.rb
+++ b/actionpack/lib/action_dispatch/middleware/flash.rb
@@ -70,6 +70,10 @@ module ActionDispatch
end
end
+ # Implementation detail: please do not change the signature of the
+ # FlashHash class. Doing that will likely affect all Rails apps in
+ # production as the FlashHash currently stored in their sessions will
+ # become invalid.
class FlashHash
include Enumerable
diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb
index d4208ca96e..6ded9dbfed 100644
--- a/actionpack/lib/action_dispatch/middleware/params_parser.rb
+++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb
@@ -52,14 +52,9 @@ module ActionDispatch
false
end
rescue Exception => e # YAML, XML or Ruby code block errors
- logger.debug "Error occurred while parsing request parameters.\nContents:\n\n#{request.raw_post}"
+ logger(env).debug "Error occurred while parsing request parameters.\nContents:\n\n#{request.raw_post}"
- raise
- { "body" => request.raw_post,
- "content_type" => request.content_mime_type,
- "content_length" => request.content_length,
- "exception" => "#{e.message} (#{e.class})",
- "backtrace" => e.backtrace }
+ raise e
end
def content_type_from_legacy_post_data_format_header(env)
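Review bot: The new `logger(env).debug` line still writes the entire `request.raw_post` to the log on every parse failure, so a malformed body carrying passwords, tokens or personal data lands in the debug log verbatim; the commit changed which logger is used but not what is logged. Logging the error without the body, or with a bounded excerpt, would be safer, e.g. `logger(env).debug "Error occurred while parsing request parameters."` followed by a truncated `request.raw_post` slice. Separately, `raise e` can be the bare `raise`, which re-raises the current exception and is the idiomatic form inside a rescue. The surrounding `rescue Exception` is pre-existing and the enclosing method begins above the hunk.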
@@ -73,8 +68,8 @@ module ActionDispatch
nil
end
- def logger
- defined?(Rails.logger) ? Rails.logger : Logger.new($stderr)
+ def logger(env)
+ env['action_dispatch.logger'] || Logger.new($stderr)
end
end
end
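Review bot: `logger(env)` builds a fresh `Logger.new($stderr)` on every call when `action_dispatch.logger` is unset, and the sibling change to show_exceptions.rb in this commit extracts the same fallback into a `stderr_logger` helper; keeping the two in step would be `env['action_dispatch.logger'] || stderr_logger` with a memoized helper (`@stderr_logger ||= Logger.new($stderr)`) here as well. Whether `logger` is required in this file is not visible in the hunk.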
diff --git a/actionpack/lib/action_dispatch/middleware/remote_ip.rb b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
index c7d710b98e..66ece60860 100644
--- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb
+++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -2,50 +2,80 @@ module ActionDispatch
class RemoteIp
class IpSpoofAttackError < StandardError ; end
- class RemoteIpGetter
- def initialize(env, check_ip_spoofing, trusted_proxies)
- @env = env
- @check_ip_spoofing = check_ip_spoofing
- @trusted_proxies = trusted_proxies
+ # IP addresses that are "trusted proxies" that can be stripped from
+ # the comma-delimited list in the X-Forwarded-For header. See also:
+ # http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
+ TRUSTED_PROXIES = %r{
+ ^127\.0\.0\.1$ | # localhost
+ ^(10 | # private IP 10.x.x.x
+ 172\.(1[6-9]|2[0-9]|3[0-1]) | # private IP in the range 172.16.0.0 .. 172.31.255.255
+ 192\.168 # private IP 192.168.x.x
+ )\.
+ }x
+
+ attr_reader :check_ip, :proxies
+
+ def initialize(app, check_ip_spoofing = true, custom_proxies = nil)
+ @app = app
+ @check_ip = check_ip_spoofing
+ if custom_proxies
+ custom_regexp = Regexp.new(custom_proxies)
+ @proxies = Regexp.union(TRUSTED_PROXIES, custom_regexp)
+ else
+ @proxies = TRUSTED_PROXIES
end
+ end
- def remote_addrs
- @remote_addrs ||= begin
- list = @env['REMOTE_ADDR'] ? @env['REMOTE_ADDR'].split(/[,\s]+/) : []
- list.reject { |addr| addr =~ @trusted_proxies }
- end
+ def call(env)
+ env["action_dispatch.remote_ip"] = GetIp.new(env, self)
+ @app.call(env)
+ end
+
+ class GetIp
+ def initialize(env, middleware)
+ @env = env
+ @middleware = middleware
+ @calculated_ip = false
end
- def to_s
- return remote_addrs.first if remote_addrs.any?
-
- forwarded_ips = @env['HTTP_X_FORWARDED_FOR'] ? @env['HTTP_X_FORWARDED_FOR'].strip.split(/[,\s]+/) : []
-
- if client_ip = @env['HTTP_CLIENT_IP']
- if @check_ip_spoofing && !forwarded_ips.include?(client_ip)
- # We don't know which came from the proxy, and which from the user
- raise IpSpoofAttackError, "IP spoofing attack?!" \
- "HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}" \
- "HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"
- end
- return client_ip
+ # Determines originating IP address. REMOTE_ADDR is the standard
+ # but will be wrong if the user is behind a proxy. Proxies will set
+ # HTTP_CLIENT_IP and/or HTTP_X_FORWARDED_FOR, so we prioritize those.
+ # HTTP_X_FORWARDED_FOR may be a comma-delimited list in the case of
+ # multiple chained proxies. The last address which is not a known proxy
+ # will be the originating IP.
+ def calculate_ip
+ client_ip = @env['HTTP_CLIENT_IP']
+ forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
+ remote_addrs = ips_from('REMOTE_ADDR')
+
+ check_ip = client_ip && @middleware.check_ip
+ if check_ip && !forwarded_ips.include?(client_ip)
+ # We don't know which came from the proxy, and which from the user
+ raise IpSpoofAttackError, "IP spoofing attack?!" \
+ "HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}" \
+ "HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"
end
- return forwarded_ips.reject { |ip| ip =~ @trusted_proxies }.last || @env["REMOTE_ADDR"]
+ not_proxy = client_ip || forwarded_ips.last || remote_addrs.first
+
+ # Return first REMOTE_ADDR if there are no other options
+ not_proxy || ips_from('REMOTE_ADDR', :allow_proxies).first
end
- end
- def initialize(app, check_ip_spoofing = true, trusted_proxies = nil)
- @app = app
- @check_ip_spoofing = check_ip_spoofing
- regex = '(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)'
- regex << "|(#{trusted_proxies})" if trusted_proxies
- @trusted_proxies = Regexp.new(regex, "i")
- end
+ def to_s
+ return @ip if @calculated_ip
+ @calculated_ip = true
+ @ip = calculate_ip
+ end
- def call(env)
- env["action_dispatch.remote_ip"] = RemoteIpGetter.new(env, @check_ip_spoofing, @trusted_proxies)
- @app.call(env)
+ protected
+
+ def ips_from(header, allow_proxies = false)
+ ips = @env[header] ? @env[header].strip.split(/[,\s]+/) : []
+ allow_proxies ? ips : ips.reject{|ip| ip =~ @middleware.proxies }
+ end
end
+
end
-end \ No newline at end of file
+end
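Review bot: The spoofing check in `calculate_ip` compares the raw `HTTP_CLIENT_IP` value against a `forwarded_ips` list that `ips_from` has already stripped of `TRUSTED_PROXIES` addresses, whereas the removed code compared against the unfiltered header; a request in which both headers carry the same private address (an internal client reaching the app through its proxy, for instance) therefore appears to raise `IpSpoofAttackError` although nothing was spoofed. Comparing against the unfiltered list restores the old semantics: `if check_ip && !ips_from('HTTP_X_FORWARDED_FOR', :allow_proxies).include?(client_ip)`. In `to_s`, `@calculated_ip = true` is set before `calculate_ip` runs, so if it raises, every later call returns a nil `@ip` and the spoof error surfaces only once; use `@ip = calculate_ip` then `@calculated_ip = true` then `@ip` instead. The three adjacent string literals in the `raise IpSpoofAttackError` message are joined without separators, so the text reads `...attack?!HTTP_CLIENT_IP=...HTTP_X_FORWARDED_FOR=...`; a leading space on each header fragment fixes it. The `module ActionDispatch` line enclosing the class sits above the hunk.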
diff --git a/actionpack/lib/action_dispatch/middleware/request_id.rb b/actionpack/lib/action_dispatch/middleware/request_id.rb
new file mode 100644
index 0000000000..bee446c8a5
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/request_id.rb
@@ -0,0 +1,39 @@
+require 'securerandom'
+require 'active_support/core_ext/string/access'
+require 'active_support/core_ext/object/blank'
+
+module ActionDispatch
+ # Makes a unique request id available to the action_dispatch.request_id env variable (which is then accessible through
+ # ActionDispatch::Request#uuid) and sends the same id to the client via the X-Request-Id header.
+ #
+ # The unique request id is either based off the X-Request-Id header in the request, which would typically be generated
+ # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
+ # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
+ #
+ # The unique request id can be used to trace a request end-to-end and would typically end up being part of log files
+ # from multiple pieces of the stack.
+ class RequestId
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ env["action_dispatch.request_id"] = external_request_id(env) || internal_request_id
+ status, headers, body = @app.call(env)
+
+ headers["X-Request-Id"] = env["action_dispatch.request_id"]
+ [ status, headers, body ]
+ end
+
+ private
+ def external_request_id(env)
+ if request_id = env["HTTP_X_REQUEST_ID"].presence
+ request_id.gsub(/[^\w\-]/, "").first(255)
+ end
+ end
+
+ def internal_request_id
+ SecureRandom.hex(16)
+ end
+ end
+end
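Review bot: The class comment says the incoming id is reduced to "alphanumeric and dashes only", but the `gsub(/[^\w\-]/, "")` in `external_request_id` also keeps underscores, and "a random uuid" describes `SecureRandom.hex(16)`, which yields a 32-character hex string rather than a UUID. Because this comment is what a reader will trust when deciding how safely the value can be placed in logs or response headers, I'd correct it to `# ... we sanitize it to a max of 255 chars and alphanumeric, dashes and underscores only.` and `# ... or, if this header is not available, a random 32-character hex id.` The sanitisation itself looks sound for an externally supplied header: Ruby's `\w` is ASCII-only, so no control characters or non-ASCII bytes survive, and `first(255)` bounds the length.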
diff --git a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
index a70d814749..6bcf099d2c 100644
--- a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
@@ -59,7 +59,10 @@ module ActionDispatch
# Note that the regexp does not allow $1 to end with a ':'
$1.constantize
rescue LoadError, NameError => const_error
- raise ActionDispatch::Session::SessionRestoreError, "Session contains objects whose class definition isn't available.\nRemember to require the classes for all objects kept in the session.\n(Original exception: #{const_error.message} [#{const_error.class}])\n"
+ raise ActionDispatch::Session::SessionRestoreError,
+ "Session contains objects whose class definition isn't available.\n" +
+ "Remember to require the classes for all objects kept in the session.\n" +
+ "(Original exception: #{const_error.message} [#{const_error.class}])\n"
end
retry
else
diff --git a/actionpack/lib/action_dispatch/middleware/session/cache_store.rb b/actionpack/lib/action_dispatch/middleware/session/cache_store.rb
new file mode 100644
index 0000000000..d3b6fd12fa
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/session/cache_store.rb
@@ -0,0 +1,50 @@
+require 'action_dispatch/middleware/session/abstract_store'
+require 'rack/session/memcache'
+
+module ActionDispatch
+ module Session
+ # Session store that uses an ActiveSupport::Cache::Store to store the sessions. This store is most useful
+ # if you don't store critical data in your sessions and you don't need them to live for extended periods
+ # of time.
+ class CacheStore < AbstractStore
+ # Create a new store. The cache to use can be passed in the <tt>:cache</tt> option. If it is
+ # not specified, <tt>Rails.cache</tt> will be used.
+ def initialize(app, options = {})
+ @cache = options[:cache] || Rails.cache
+ options[:expire_after] ||= @cache.options[:expires_in]
+ super
+ end
+
+ # Get a session from the cache.
+ def get_session(env, sid)
+ sid ||= generate_sid
+ session = @cache.read(cache_key(sid))
+ session ||= {}
+ [sid, session]
+ end
+
+ # Set a session in the cache.
+ def set_session(env, sid, session, options)
+ key = cache_key(sid)
+ if session
+ @cache.write(key, session, :expires_in => options[:expire_after])
+ else
+ @cache.delete(key)
+ end
+ sid
+ end
+
+ # Remove a session from the cache.
+ def destroy_session(env, sid, options)
+ @cache.delete(cache_key(sid))
+ generate_sid
+ end
+
+ private
+ # Turn the session id into a cache key.
+ def cache_key(sid)
+ "_session_id:#{sid}"
+ end
+ end
+ end
+end
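Review bot: `get_session` keeps a client-supplied `sid` even when nothing is stored under it (`@cache.read` returns nil, `session ||= {}` substitutes an empty hash, and the same `sid` is returned), so an id chosen by the client is later persisted by `set_session`; that lets the session id be fixed from outside rather than minted by the server, and as far as I recall it differs from the memcache-backed Rack store, which generates a fresh id when the lookup misses. Mirroring that is a three-line change: `unless sid && (session = @cache.read(cache_key(sid)))` / `sid, session = generate_sid, {}` / `end`, then `[sid, session]` as now. The `require 'rack/session/memcache'` at the top is not referenced by anything in the file as shown; if it exists for a transitive dependency it deserves a comment saying so, otherwise it can be dropped.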
diff --git a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
index a765c23dae..c850e25507 100644
--- a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
+++ b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
@@ -2,6 +2,7 @@ require 'active_support/core_ext/exception'
require 'action_controller/metal/exceptions'
require 'active_support/notifications'
require 'action_dispatch/http/request'
+require 'active_support/deprecation'
module ActionDispatch
# This middleware rescues any exception returned by the application and renders
@@ -38,9 +39,9 @@ module ActionDispatch
"application's log file and/or the web server's log file to find out what " <<
"went wrong.</body></html>"]]
- def initialize(app, consider_all_requests_local = false)
+ def initialize(app, consider_all_requests_local = nil)
+ ActiveSupport::Deprecation.warn "Passing consider_all_requests_local option to ActionDispatch::ShowExceptions middleware no longer works" unless consider_all_requests_local.nil?
@app = app
- @consider_all_requests_local = consider_all_requests_local
end
def call(env)
@@ -62,14 +63,13 @@ module ActionDispatch
private
def render_exception(env, exception)
- log_error(exception)
+ log_error(env, exception)
exception = original_exception(exception)
- request = Request.new(env)
- if @consider_all_requests_local || request.local?
- rescue_action_locally(request, exception)
+ if env['action_dispatch.show_detailed_exceptions'] == true
+ rescue_action_diagnostics(env, exception)
else
- rescue_action_in_public(exception)
+ rescue_action_error_page(exception)
end
rescue Exception => failsafe_error
$stderr.puts "Error during failsafe response: #{failsafe_error}\n #{failsafe_error.backtrace * "\n "}"
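Review bot: The `== true` comparison on `env['action_dispatch.show_detailed_exceptions']` is the line that decides whether source excerpts and full backtraces are rendered to the client, and nothing records that the strict comparison is deliberate; a later tidy-up to `if env['action_dispatch.show_detailed_exceptions']` would let any truthy value (a string read from configuration, say) expose diagnostics. I'd add above the `if`: `# Deliberately strict: only an explicit boolean true set by the app enables diagnostics in the response.` Where the key is populated is outside this file, so I can't confirm its producers. The method's `rescue Exception` clause continues past the hunk.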
@@ -78,16 +78,16 @@ module ActionDispatch
# Render detailed diagnostics for unhandled exceptions rescued from
# a controller action.
- def rescue_action_locally(request, exception)
+ def rescue_action_diagnostics(env, exception)
template = ActionView::Base.new([RESCUES_TEMPLATE_PATH],
- :request => request,
+ :request => Request.new(env),
:exception => exception,
- :application_trace => application_trace(exception),
- :framework_trace => framework_trace(exception),
- :full_trace => full_trace(exception)
+ :application_trace => application_trace(env, exception),
+ :framework_trace => framework_trace(env, exception),
+ :full_trace => full_trace(env, exception)
)
- file = "rescues/#{@@rescue_templates[exception.class.name]}.erb"
- body = template.render(:file => file, :layout => 'rescues/layout.erb')
+ file = "rescues/#{@@rescue_templates[exception.class.name]}"
+ body = template.render(:template => file, :layout => 'rescues/layout')
render(status_code(exception), body)
end
@@ -98,7 +98,7 @@ module ActionDispatch
# it will first attempt to render the file at <tt>public/500.da.html</tt>
# then attempt to render <tt>public/500.html</tt>. If none of them exist,
# the body of the response will be left empty.
- def rescue_action_in_public(exception)
+ def rescue_action_error_page(exception)
status = status_code(exception)
locale_path = "#{public_path}/#{status}.#{I18n.locale}.html" if I18n.locale
path = "#{public_path}/#{status}.html"
@@ -124,37 +124,41 @@ module ActionDispatch
defined?(Rails.public_path) ? Rails.public_path : 'public_path'
end
- def log_error(exception)
- return unless logger
+ def log_error(env, exception)
+ return unless logger(env)
ActiveSupport::Deprecation.silence do
message = "\n#{exception.class} (#{exception.message}):\n"
message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
- message << " " << application_trace(exception).join("\n ")
- logger.fatal("#{message}\n\n")
+ message << " " << application_trace(env, exception).join("\n ")
+ logger(env).fatal("#{message}\n\n")
end
end
- def application_trace(exception)
- clean_backtrace(exception, :silent)
+ def application_trace(env, exception)
+ clean_backtrace(env, exception, :silent)
end
- def framework_trace(exception)
- clean_backtrace(exception, :noise)
+ def framework_trace(env, exception)
+ clean_backtrace(env, exception, :noise)
end
- def full_trace(exception)
- clean_backtrace(exception, :all)
+ def full_trace(env, exception)
+ clean_backtrace(env, exception, :all)
end
- def clean_backtrace(exception, *args)
- defined?(Rails) && Rails.respond_to?(:backtrace_cleaner) ?
- Rails.backtrace_cleaner.clean(exception.backtrace, *args) :
+ def clean_backtrace(env, exception, *args)
+ env['action_dispatch.backtrace_cleaner'] ?
+ env['action_dispatch.backtrace_cleaner'].clean(exception.backtrace, *args) :
exception.backtrace
end
- def logger
- defined?(Rails.logger) ? Rails.logger : Logger.new($stderr)
+ def logger(env)
+ env['action_dispatch.logger'] || stderr_logger
+ end
+
+ def stderr_logger
+ Logger.new($stderr)
end
def original_exception(exception)
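Review bot: `return unless logger(env)` at the top of `log_error` can never return, because `logger(env)` falls back to `stderr_logger` and is therefore always truthy; either drop the guard or make the fallback explicit to the reader. The method also calls `logger(env)` twice, and `stderr_logger` builds a new `Logger` per call, so a miss on `action_dispatch.logger` allocates two loggers per logged error; memoizing (`@stderr_logger ||= Logger.new($stderr)`) and binding once (`log = logger(env)`) fixes both. `clean_backtrace` likewise reads `env['action_dispatch.backtrace_cleaner']` twice, where a local (`cleaner = env['action_dispatch.backtrace_cleaner']`) reads better. The same per-call `Logger.new($stderr)` fallback is introduced in params_parser.rb by this commit.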
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/layout.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/layout.erb
index 6e71fd7ddc..1a308707d1 100644
--- a/actionpack/lib/action_dispatch/middleware/templates/rescues/layout.erb
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/layout.erb
@@ -16,6 +16,7 @@
background-color: #eee;
padding: 10px;
font-size: 11px;
+ white-space: pre-wrap;
}
a { color: #000; }