Merge branch 'master' of git@github.com:rails/rails

author: rick <rick@spacemonkey.local> 2008-05-13 09:41:10 -0700
committer: rick <rick@spacemonkey.local> 2008-05-13 09:41:10 -0700
commit: 74fd17346f30fddba0e174ae17f5697f2c22279e (patch)
tree: 1267cea613ee4a73a2f5ddf3fb24d224dc8bbded /actionpack/lib
parent: d09a8446d5606a5a0b5c024224b09a1318e9cf4d (diff)
parent: 4dedc7ddcaffa8c606af11ae2d32707131b99a2e (diff)
download: rails-74fd17346f30fddba0e174ae17f5697f2c22279e.tar.gz
rails-74fd17346f30fddba0e174ae17f5697f2c22279e.tar.bz2
rails-74fd17346f30fddba0e174ae17f5697f2c22279e.zip
14 files changed, 30 insertions, 24 deletions
diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb
index 919fbc6c6a..810a5fb9b5 100755
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
diff --git a/actionpack/lib/action_controller/cgi_ext/cookie.rb b/actionpack/lib/action_controller/cgi_ext/cookie.rb
index 3dd374f126..e35bab5f5a 100644
--- a/actionpack/lib/action_controller/cgi_ext/cookie.rb
+++ b/actionpack/lib/action_controller/cgi_ext/cookie.rb
@@ -37,7 +37,7 @@ class CGI #:nodoc:
         @path = nil
       else
         @name = name['name']
-        @value = Array(name['value'])
+        @value = name['value'].kind_of?(String) ? [name['value']] : Array(name['value'])
         @domain = name['domain']
         @expires = name['expires']
         @secure = name['secure'] || false
diff --git a/actionpack/lib/action_controller/flash.rb b/actionpack/lib/action_controller/flash.rb
index 692168f230..0148fb5c04 100644
--- a/actionpack/lib/action_controller/flash.rb
+++ b/actionpack/lib/action_controller/flash.rb
@@ -28,7 +28,6 @@ module ActionController #:nodoc:
       base.class_eval do
         include InstanceMethods
         alias_method_chain :assign_shortcuts, :flash
-        alias_method_chain :process_cleanup,  :flash
         alias_method_chain :reset_session,    :flash
       end
     end
@@ -166,11 +165,7 @@ module ActionController #:nodoc:
         def assign_shortcuts_with_flash(request, response) #:nodoc:
           assign_shortcuts_without_flash(request, response)
           flash(:refresh)
-        end
-    
-        def process_cleanup_with_flash
-          flash.sweep if @_session
-          process_cleanup_without_flash
+          flash.sweep if @_session && !component_request?
         end
     end
   end
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 946a0ed152..02c9d59d07 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -105,12 +105,12 @@ module ActionController #:nodoc:
       # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
       # in +protect_from_forgery+ to add a custom salt to the hash.
       def form_authenticity_token
-        @form_authenticity_token ||= if request_forgery_protection_options[:secret]
+        @form_authenticity_token ||= if !session.respond_to?(:session_id)
+          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
+        elsif request_forgery_protection_options[:secret]
           authenticity_token_from_session_id
         elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
           authenticity_token_from_cookie_session
-        elsif session.nil?
-          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
         else
           raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
         end
diff --git a/actionpack/lib/action_controller/rescue.rb b/actionpack/lib/action_controller/rescue.rb
index 5022c9a815..40ef4ea044 100644
--- a/actionpack/lib/action_controller/rescue.rb
+++ b/actionpack/lib/action_controller/rescue.rb
@@ -199,10 +199,8 @@ module ActionController #:nodoc:
     private
       def perform_action_with_rescue #:nodoc:
         perform_action_without_rescue
-      rescue Exception => exception  # errors from action performed
-        return if rescue_action_with_handler(exception)
-        
-        rescue_action(exception)
+      rescue Exception => exception
+        rescue_action_with_handler(exception) || rescue_action(exception)
       end
 
       def rescues_path(template_name)
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 560491f996..ada1862c3e 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -130,17 +130,20 @@ class CGI::Session::CookieStore
     # Marshal a session hash into safe cookie data. Include an integrity hash.
     def marshal(session)
       data = ActiveSupport::Base64.encode64(Marshal.dump(session)).chop
-      CGI.escape "#{data}--#{generate_digest(data)}"
+      "#{data}--#{generate_digest(data)}"
     end
 
     # Unmarshal cookie data to a hash and verify its integrity.
     def unmarshal(cookie)
       if cookie
-        data, digest = CGI.unescape(cookie).split('--')
-        unless digest == generate_digest(data)
+        data, digest = cookie.split('--')
+
+        # Do two checks to transparently support old double-escaped data.
+        unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data))
           delete
           raise TamperedWithCookie
         end
+
         Marshal.load(ActiveSupport::Base64.decode64(data))
       end
     end
diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb
index 8680104420..80a3ddd2c5 100644
--- a/actionpack/lib/action_controller/session_management.rb
+++ b/actionpack/lib/action_controller/session_management.rb
@@ -69,11 +69,16 @@ module ActionController #:nodoc:
       #   session :off, 
       #     :if => Proc.new { |req| !(req.format.html? || req.format.js?) }
       #
+      #   # turn the session back on, useful when it was turned off in the
+      #   # application controller, and you need it on in another controller
+      #   session :on
+      #
       # All session options described for ActionController::Base.process_cgi
       # are valid arguments.
       def session(*args)
         options = args.extract_options!
 
+        options[:disabled] = false if args.delete(:on)
         options[:disabled] = true if !args.empty?
         options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only]
         options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except]
diff --git a/actionpack/lib/action_pack.rb b/actionpack/lib/action_pack.rb
index 006c83dbc8..c7fd3092e7 100644
--- a/actionpack/lib/action_pack.rb
+++ b/actionpack/lib/action_pack.rb
@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 7aa6a5db96..70fc1ced8c 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 0
-    TINY  = 2
+    TINY  = 991
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end
diff --git a/actionpack/lib/action_view.rb b/actionpack/lib/action_view.rb
index 609334d52d..5f4126e4e9 100644
--- a/actionpack/lib/action_view.rb
+++ b/actionpack/lib/action_view.rb
@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
diff --git a/actionpack/lib/action_view/helpers/javascripts/controls.js b/actionpack/lib/action_view/helpers/javascripts/controls.js
index fbc4418b83..5aaf0bb2b7 100644
--- a/actionpack/lib/action_view/helpers/javascripts/controls.js
+++ b/actionpack/lib/action_view/helpers/javascripts/controls.js
@@ -1,4 +1,4 @@
-// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
+// Copyright (c) 2005-2008 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
 //           (c) 2005-2007 Ivan Krstic (http://blogs.law.harvard.edu/ivan)
 //           (c) 2005-2007 Jon Tirsen (http://www.tirsen.com)
 // Contributors:
diff --git a/actionpack/lib/action_view/helpers/javascripts/dragdrop.js b/actionpack/lib/action_view/helpers/javascripts/dragdrop.js
index ccf4a1e45c..bf5cfea66c 100644
--- a/actionpack/lib/action_view/helpers/javascripts/dragdrop.js
+++ b/actionpack/lib/action_view/helpers/javascripts/dragdrop.js
@@ -1,4 +1,4 @@
-// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
+// Copyright (c) 2005-2008 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
 //           (c) 2005-2007 Sammi Williams (http://www.oriontransfer.co.nz, sammi@oriontransfer.co.nz)
 // 
 // script.aculo.us is freely distributable under the terms of an MIT-style license.
diff --git a/actionpack/lib/action_view/helpers/javascripts/effects.js b/actionpack/lib/action_view/helpers/javascripts/effects.js
index 65aed23957..f030b5dbe9 100644
--- a/actionpack/lib/action_view/helpers/javascripts/effects.js
+++ b/actionpack/lib/action_view/helpers/javascripts/effects.js
@@ -1,4 +1,4 @@
-// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
+// Copyright (c) 2005-2008 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
 // Contributors:
 //  Justin Palmer (http://encytemedia.com/)
 //  Mark Pilgrim (http://diveintomark.org/)
diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
index 3129ff414e..6c0a7ec25c 100644
--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -48,6 +48,11 @@ module ActionView
       #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
       #   end
       # 
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid (conforming to a document type) or even well-formed.
+      # The output may still contain e.g. unescaped '<', '>', '&' characters and
+      # confuse browsers.
+      #
       def sanitize(html, options = {})
         self.class.white_list_sanitizer.sanitize(html, options)
       end
author	rick <rick@spacemonkey.local>	2008-05-13 09:41:10 -0700
committer	rick <rick@spacemonkey.local>	2008-05-13 09:41:10 -0700
commit	74fd17346f30fddba0e174ae17f5697f2c22279e (patch)
tree	1267cea613ee4a73a2f5ddf3fb24d224dc8bbded /actionpack/lib
parent	d09a8446d5606a5a0b5c024224b09a1318e9cf4d (diff)
parent	4dedc7ddcaffa8c606af11ae2d32707131b99a2e (diff)
download	rails-74fd17346f30fddba0e174ae17f5697f2c22279e.tar.gz rails-74fd17346f30fddba0e174ae17f5697f2c22279e.tar.bz2 rails-74fd17346f30fddba0e174ae17f5697f2c22279e.zip