1 files changed, 34 insertions, 30 deletions

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 6586985ff5..3d3c121280 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -1,6 +1,6 @@
-require 'rack/session/abstract/id'
-require 'action_controller/metal/exceptions'
-require 'active_support/security_utils'
+require "rack/session/abstract/id"
+require "action_controller/metal/exceptions"
+require "active_support/security_utils"
 
 module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
@@ -109,10 +109,10 @@ module ActionController #:nodoc:
       # * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
       # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
       # * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
-      #    protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
-      #    when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
+      #   protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
+      #   when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
       #
-      #    If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
+      #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
       #
       # Valid unverified request handling methods are:
@@ -130,11 +130,11 @@ module ActionController #:nodoc:
 
       private
 
-      def protection_method_class(name)
-        ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
-      rescue NameError
-        raise ArgumentError, 'Invalid request forgery protection method, use :null_session, :exception, or :reset_session'
-      end
+        def protection_method_class(name)
+          ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
+        rescue NameError
+          raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, or :reset_session"
+        end
     end
 
     module ProtectionMethods
@@ -154,26 +154,26 @@ module ActionController #:nodoc:
 
         protected
 
-        class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
-          def initialize(req)
-            super(nil, req)
-            @data = {}
-            @loaded = true
-          end
+          class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+            def initialize(req)
+              super(nil, req)
+              @data = {}
+              @loaded = true
+            end
 
-          # no-op
-          def destroy; end
+            # no-op
+            def destroy; end
 
-          def exists?
-            true
+            def exists?
+              true
+            end
           end
-        end
 
-        class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
-          def write(*)
-            # nothing
+          class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+            def write(*)
+              # nothing
+            end
           end
-        end
       end
 
       class ResetSession
@@ -213,7 +213,7 @@ module ActionController #:nodoc:
 
         if !verified_request?
           if logger && log_warning_on_csrf_failure
-            logger.warn "Can't verify CSRF token authenticity"
+            logger.warn "Can't verify CSRF token authenticity."
           end
           handle_unverified_request
         end
@@ -235,7 +235,9 @@ module ActionController #:nodoc:
       # we aren't serving an unauthorized cross-origin response.
       def verify_same_origin_request
         if marked_for_same_origin_verification? && non_xhr_javascript_response?
-          logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
+          if logger && log_warning_on_csrf_failure
+            logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING
+          end
           raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
         end
       end
@@ -379,7 +381,8 @@ module ActionController #:nodoc:
 
       def xor_byte_strings(s1, s2)
         s2_bytes = s2.bytes
-        s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
+        s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
+        s2_bytes.pack("C*")
       end
 
       # The form's authenticity parameter. Override to provide your own.
@@ -404,7 +407,8 @@ module ActionController #:nodoc:
       end
 
       def normalize_action_path(action_path)
-        action_path.split('?').first.to_s.chomp('/')
+        uri = URI.parse(action_path)
+        uri.path.chomp("/")
       end
   end
 end