-rw-r--r--.codeclimate.yml14
-rw-r--r--Gemfile.lock4
-rw-r--r--actionpack/CHANGELOG.md7
-rw-r--r--actionpack/lib/action_dispatch/routing/mapper.rb9
-rw-r--r--actionpack/test/dispatch/routing_test.rb18
-rw-r--r--activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb7
-rw-r--r--activerecord/lib/active_record/statement_cache.rb13
-rw-r--r--activesupport/lib/active_support/message_encryptor.rb4
8 files changed, 49 insertions, 27 deletions
diff --git a/.codeclimate.yml b/.codeclimate.yml
index 877c67873d..17fcaa4360 100644
--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@@ -7,20 +7,6 @@ ratings:
- "**.rb"
exclude_paths:
- - actioncable/lib/rails/generators/
- - actioncable/test/
- - actionmailer/lib/rails/generators/
- - actionmailer/test/
- - actionpack/test/
- - actionview/test/
- - activejob/lib/rails/generators/
- - activejob/test/
- - activemodel/test/
- - activerecord/lib/rails/generators/
- - activerecord/test/
- - activesupport/test/
- - railties/lib/rails/generators/
- - railties/test/
- ci/
- guides/
- tasks/
diff --git a/Gemfile.lock b/Gemfile.lock
index 10bc8b1898..0a3d91ca29 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -103,7 +103,7 @@ GEM
specs:
addressable (2.4.0)
amq-protocol (2.0.1)
- arel (7.1.0)
+ arel (7.1.1)
backburner (1.3.0)
beaneater (~> 1.0)
dante (> 0.1.5)
@@ -401,4 +401,4 @@ DEPENDENCIES
wdm (>= 0.1.0)
BUNDLED WITH
- 1.11.2
+ 1.12.5
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d50cbaee38..7bb9b62468 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,10 @@
+* Fix 'defaults' option for root route.
+
+ A regression from some refactoring for the 5.0 release, this change
+ fixes the use of 'defaults' (default parameters) in the 'root' routing method.
+
+ *Chris Arcand*
+
* Check `request.path_parameters` encoding at the point they're set.
Check for any non-UTF8 characters in path parameters at the point they're
diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index 73b4864e45..12ddd0f148 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -1923,7 +1923,14 @@ to this:
def match_root_route(options)
name = has_named_route?(:root) ? nil : :root
- match '/', { :as => name, :via => :get }.merge!(options)
+ defaults_option = options.delete(:defaults)
+ args = ['/', { as: name, via: :get }.merge!(options)]
+
+ if defaults_option
+ defaults(defaults_option) { match(*args) }
+ else
+ match(*args)
+ end
end
end
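Review bot: `options.delete(:defaults)` in `match_root_route` mutates the hash the caller passed in, whereas the removed line only read it while merging into a fresh literal. If any caller reuses one options hash for more than one `root` call (the callers are outside this hunk), the later call would silently lose its defaults. Reading the value without mutating avoids that, for example `options = options.dup` before the delete, or `defaults_option = options[:defaults]` together with `.merge!(options.except(:defaults))`.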
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index 5298e63fef..cac89417a5 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -1759,6 +1759,24 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
assert_equal 1, @request.params[:page]
end
+ def test_keyed_default_string_params_with_root
+ draw do
+ root to: 'pages#show', defaults: { id: 'home' }
+ end
+
+ get '/'
+ assert_equal 'home', @request.params[:id]
+ end
+
+ def test_default_string_params_with_root
+ draw do
+ root to: 'pages#show', id: 'home'
+ end
+
+ get '/'
+ assert_equal 'home', @request.params[:id]
+ end
+
def test_resource_constraints
draw do
resources :products, :constraints => { :id => /\d{4}/ } do
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
index 74aae3a1e4..621f737a5e 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
@@ -18,11 +18,12 @@ module ActiveRecord
# This is used in the StatementCache object. It returns an object that
# can be used to query the database repeatedly.
- def cacheable_query(arel) # :nodoc:
+ def cacheable_query(klass, arel) # :nodoc:
+ collected = visitor.accept(arel.ast, collector)
if prepared_statements
- ActiveRecord::StatementCache.query visitor, arel.ast
+ klass.query(collected.value)
else
- ActiveRecord::StatementCache.partial_query visitor, arel.ast, collector
+ klass.partial_query(collected.value)
end
end
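Review bot: The prepared-statements branch of `cacheable_query` now compiles through `collector` instead of an explicit `Arel::Collectors::SQLString.new`, so `klass.query` receives whatever that collector's `value` is. The definition of `collector` is outside this hunk, so it should be confirmed that it yields a SQL string whenever `prepared_statements` is true; otherwise the cached query would hold the wrong representation. The new `klass` parameter is also undocumented; a line such as `# klass must respond to query(sql) and partial_query(values)` above the method would state the contract. The same arity change applies to `self.query` and `self.partial_query` in statement_cache.rb, so any adapter that overrides or calls the old signatures would presumably fail with ArgumentError.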
diff --git a/activerecord/lib/active_record/statement_cache.rb b/activerecord/lib/active_record/statement_cache.rb
index 6c896ccea6..5607be6d12 100644
--- a/activerecord/lib/active_record/statement_cache.rb
+++ b/activerecord/lib/active_record/statement_cache.rb
@@ -40,7 +40,7 @@ module ActiveRecord
end
class PartialQuery < Query # :nodoc:
- def initialize values
+ def initialize(values)
@values = values
@indexes = values.each_with_index.find_all { |thing,i|
Arel::Nodes::BindParam === thing
@@ -55,13 +55,12 @@ module ActiveRecord
end
end
- def self.query(visitor, ast)
- Query.new visitor.accept(ast, Arel::Collectors::SQLString.new).value
+ def self.query(sql)
+ Query.new(sql)
end
- def self.partial_query(visitor, ast, collector)
- collected = visitor.accept(ast, collector).value
- PartialQuery.new collected
+ def self.partial_query(values)
+ PartialQuery.new(values)
end
class Params # :nodoc:
@@ -92,7 +91,7 @@ module ActiveRecord
def self.create(connection, block = Proc.new)
relation = block.call Params.new
bind_map = BindMap.new relation.bound_attributes
- query_builder = connection.cacheable_query relation.arel
+ query_builder = connection.cacheable_query(self, relation.arel)
new query_builder, bind_map
end
diff --git a/activesupport/lib/active_support/message_encryptor.rb b/activesupport/lib/active_support/message_encryptor.rb
index 87efe117c5..1f2736388d 100644
--- a/activesupport/lib/active_support/message_encryptor.rb
+++ b/activesupport/lib/active_support/message_encryptor.rb
@@ -99,6 +99,10 @@ module ActiveSupport
def _decrypt(encrypted_message)
cipher = new_cipher
encrypted_data, iv, auth_tag = encrypted_message.split("--".freeze).map {|v| ::Base64.strict_decode64(v)}
+
+ # Currently the OpenSSL bindings do not raise an error if auth_tag is
+ # truncated, which would allow an attacker to easily forge it. See
+ # https://github.com/ruby/openssl/issues/63
raise InvalidMessage if aead_mode? && auth_tag.bytes.length != 16
cipher.decrypt
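Review bot: The length check in `_decrypt` dereferences `auth_tag` without checking that it is present: a message with fewer than three `--`-separated segments leaves `auth_tag` nil, so in AEAD mode `auth_tag.bytes` raises NoMethodError instead of InvalidMessage. Whether that is rescued further down is not visible, because the body of `_decrypt` continues outside the hunk. Treating a missing tag as invalid keeps malformed input on the same rejection path as a truncated tag: `raise InvalidMessage if aead_mode? && (auth_tag.nil? || auth_tag.bytes.length != 16)`.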