9 files changed, 55 insertions, 24 deletions

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index ebd87c40b5..4ca1d35489 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -22,6 +22,7 @@ module ActionDispatch
     include ActionDispatch::Http::URL
 
     autoload :Session, 'action_dispatch/request/session'
+    autoload :Utils,   'action_dispatch/request/utils'
 
     LOCALHOST   = Regexp.union [/^127\.0\.0\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/]
 
@@ -299,26 +300,10 @@ module ActionDispatch
       LOCALHOST =~ remote_addr && LOCALHOST =~ remote_ip
     end
 
-    # Remove nils from the params hash
-    def deep_munge(hash)
-      hash.each do |k, v|
-        case v
-        when Array
-          v.grep(Hash) { |x| deep_munge(x) }
-          v.compact!
-          hash[k] = nil if v.empty?
-        when Hash
-          deep_munge(v)
-        end
-      end
-
-      hash
-    end
-
     protected
 
     def parse_query(qs)
-      deep_munge(super)
+      Utils.deep_munge(super)
     end
 
     private
diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb
index 0fa1e9b859..fb70b60ef6 100644
--- a/actionpack/lib/action_dispatch/middleware/params_parser.rb
+++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb
@@ -43,7 +43,7 @@ module ActionDispatch
         when :json
           data = ActiveSupport::JSON.decode(request.body)
           data = {:_json => data} unless data.is_a?(Hash)
-          request.deep_munge(data).with_indifferent_access
+          Request::Utils.deep_munge(data).with_indifferent_access
         else
           false
         end
diff --git a/actionpack/lib/action_dispatch/request/utils.rb b/actionpack/lib/action_dispatch/request/utils.rb
new file mode 100644
index 0000000000..8b43cdada8
--- /dev/null
+++ b/actionpack/lib/action_dispatch/request/utils.rb
@@ -0,0 +1,24 @@
+module ActionDispatch
+  class Request < Rack::Request
+    class Utils # :nodoc:
+      class << self
+        # Remove nils from the params hash
+        def deep_munge(hash)
+          hash.each do |k, v|
+            case v
+            when Array
+              v.grep(Hash) { |x| deep_munge(x) }
+              v.compact!
+              hash[k] = nil if v.empty?
+            when Hash
+              deep_munge(v)
+            end
+          end
+
+          hash
+        end
+      end
+    end
+  end
+end
+
diff --git a/actionpack/lib/action_dispatch/routing/inspector.rb b/actionpack/lib/action_dispatch/routing/inspector.rb
index d251de33df..cffb814e1e 100644
--- a/actionpack/lib/action_dispatch/routing/inspector.rb
+++ b/actionpack/lib/action_dispatch/routing/inspector.rb
@@ -69,7 +69,7 @@ module ActionDispatch
       end
 
       def internal?
-        controller =~ %r{\Arails/(info|welcome)} || path =~ %r{\A#{Rails.application.config.assets.prefix}}
+        controller.to_s =~ %r{\Arails/(info|welcome)} || path =~ %r{\A#{Rails.application.config.assets.prefix}}
       end
 
       def engine?
diff --git a/actionpack/test/dispatch/routing/inspector_test.rb b/actionpack/test/dispatch/routing/inspector_test.rb
index 234ae5764f..4f97d28d2b 100644
--- a/actionpack/test/dispatch/routing/inspector_test.rb
+++ b/actionpack/test/dispatch/routing/inspector_test.rb
@@ -234,6 +234,15 @@ module ActionDispatch
                       "          PUT    /posts/:id(.:format)      posts#update",
                       "          DELETE /posts/:id(.:format)      posts#destroy"], output
       end
+
+      def test_regression_route_with_controller_regexp
+        output = draw do
+          get ':controller(/:action)', controller: /api\/[^\/]+/, format: false
+        end
+
+        assert_equal ["Prefix Verb URI Pattern            Controller#Action",
+                      " GET /:controller(/:action) (?-mix:api\\/[^\\/]+)#:action"], output
+      end
     end
   end
 end
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index 8c7af2d078..6fc34ecd60 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+*   Fix regression in has_secure_password. When a password is set, but a
+    confirmation is an empty string, it would incorrectly save.
+
+    *Steve Klabnik* and *Phillip Calvin*
+
 *   Deprecate `Validator#setup`. This should be done manually now in the validator's constructor.
 
     *Nick Sutterer*
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 750fd723a0..e553590671 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -56,8 +56,9 @@ module ActiveModel
         include InstanceMethodsOnActivation
 
         if options.fetch(:validations, true)
-          validates_confirmation_of :password
+          validates_confirmation_of :password, if: lambda { |m| m.password.present? }
           validates_presence_of     :password, on: :create
+          validates_presence_of     :password_confirmation, if: lambda { |m| m.password.present? }
 
           before_create { raise "Password digest missing on new record" if password_digest.blank? }
         end
@@ -106,9 +107,7 @@ module ActiveModel
       end
 
       def password_confirmation=(unencrypted_password)
-        unless unencrypted_password.blank?
-          @password_confirmation = unencrypted_password
-        end
+        @password_confirmation = unencrypted_password
       end
     end
   end
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
index 02cd3b8a93..0b900d934d 100644
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -94,4 +94,13 @@ class SecurePasswordTest < ActiveModel::TestCase
     @user.password_confirmation = ""
     assert @user.valid?(:update), "user should be valid"
   end
+
+  test "will not save if confirmation is blank but password is not" do
+    @user.password = "password"
+    @user.password_confirmation = ""
+    assert_not @user.valid?(:create)
+
+    @user.password_confirmation = "password"
+    assert @user.valid?(:create)
+  end
 end
diff --git a/activerecord/lib/active_record/locking/pessimistic.rb b/activerecord/lib/active_record/locking/pessimistic.rb
index 8e4ddcac82..ddf2afca0c 100644
--- a/activerecord/lib/active_record/locking/pessimistic.rb
+++ b/activerecord/lib/active_record/locking/pessimistic.rb
@@ -64,7 +64,7 @@ module ActiveRecord
       end
 
       # Wraps the passed block in a transaction, locking the object
-      # before yielding. You pass can the SQL locking clause
+      # before yielding. You can pass the SQL locking clause
       # as argument (see <tt>lock!</tt>).
       def with_lock(lock = true)
         transaction do