1 files changed, 14 insertions, 5 deletions

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index 796e0dbc45..aa5ba3e8a5 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -17,6 +17,8 @@ module ActionDispatch
     include ActionDispatch::Http::Upload
     include ActionDispatch::Http::URL
 
+    autoload :Session, 'action_dispatch/request/session'
+
     LOCALHOST   = Regexp.union [/^127\.0\.0\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/]
 
     ENV_METHODS = %w[ AUTH_TYPE GATEWAY_INTERFACE
@@ -220,26 +222,33 @@ module ActionDispatch
     end
 
     def session=(session) #:nodoc:
-      @env['rack.session'] = session
+      Session.set @env, session
     end
 
     def session_options=(options)
-      @env['rack.session.options'] = options
+      Session::Options.set @env, options
     end
 
     # Override Rack's GET method to support indifferent access
     def GET
-      @env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {})
+      begin
+        @env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {})
+      rescue TypeError => e
+        raise ActionController::BadRequest, "Invalid query parameters: #{e.message}"
+      end
     end
     alias :query_parameters :GET
 
     # Override Rack's POST method to support indifferent access
     def POST
-      @env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {})
+      begin
+        @env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {})
+      rescue TypeError => e
+        raise ActionController::BadRequest, "Invalid request parameters: #{e.message}"
+      end
     end
     alias :request_parameters :POST
 
-
     # Returns the authorization header regardless of whether it was specified directly or through one of the
     # proxy alternatives.
     def authorization