4 files changed, 31 insertions, 14 deletions

diff --git a/actionpack/lib/action_dispatch/journey/route.rb b/actionpack/lib/action_dispatch/journey/route.rb
index fee08fc3db..cfd6681dd1 100644
--- a/actionpack/lib/action_dispatch/journey/route.rb
+++ b/actionpack/lib/action_dispatch/journey/route.rb
@@ -82,7 +82,7 @@ module ActionDispatch
       end
 
       def requirements # :nodoc:
-        # needed for rails `rake routes`
+        # needed for rails `rails routes`
         @defaults.merge(path.requirements).delete_if { |_,v|
           /.+?/ == v
         }
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 735b5939dd..711d8b016a 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -23,7 +23,7 @@ module ActionDispatch
   #     preload lists is `18.weeks`.
   #   * `subdomains`: Set to `true` to tell the browser to apply these settings
   #     to all subdomains. This protects your cookies from interception by a
-  #     vulnerable site on a subdomain. Defaults to `false`.
+  #     vulnerable site on a subdomain. Defaults to `true`.
   #   * `preload`: Advertise that this site may be included in browsers'
   #     preloaded HSTS lists. HSTS protects your site on every visit *except the
   #     first visit* since it hasn't seen your HSTS header yet. To close this
@@ -49,7 +49,7 @@ module ActionDispatch
       if options[:host] || options[:port]
         ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
           The `:host` and `:port` options are moving within `:redirect`:
-          `config.ssl_options = { redirect: { host: …, port: … }}`.
+          `config.ssl_options = { redirect: { host: …, port: … } }`.
         end_warning
         @redirect = options.slice(:host, :port)
       else
@@ -57,6 +57,17 @@ module ActionDispatch
       end
 
       @secure_cookies = secure_cookies
+
+      if hsts != true && hsts != false && hsts[:subdomains].nil?
+        hsts[:subdomains] = false
+
+        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
+          In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if
+          unspecified. Set `config.ssl_options = { hsts: { subdomains: false } }` to opt out
+          of this behavior.
+        end_warning
+      end
+
       @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
     end
 
diff --git a/actionpack/lib/action_dispatch/request/session.rb b/actionpack/lib/action_dispatch/request/session.rb
index 38d0da3e67..42890225fa 100644
--- a/actionpack/lib/action_dispatch/request/session.rb
+++ b/actionpack/lib/action_dispatch/request/session.rb
@@ -9,7 +9,7 @@ module ActionDispatch
 
       # Singleton object used to determine if an optional param wasn't specified
       Unspecified = Object.new
-
+      
       # Creates a session hash, merging the properties of the previous session if any
       def self.create(store, req, default_options)
         session_was = find req
@@ -61,7 +61,7 @@ module ActionDispatch
       def initialize(by, req)
         @by       = by
         @req      = req
-        @delegate = {}.with_indifferent_access
+        @delegate = {}
         @loaded   = false
         @exists   = nil # we haven't checked yet
       end
@@ -88,13 +88,13 @@ module ActionDispatch
       # nil if the given key is not found in the session.
       def [](key)
         load_for_read!
-        @delegate[key]
+        @delegate[key.to_s]
       end
 
       # Returns true if the session has the given key or false.
       def has_key?(key)
         load_for_read!
-        @delegate.key?(key)
+        @delegate.key?(key.to_s)
       end
       alias :key? :has_key?
       alias :include? :has_key?
@@ -112,7 +112,7 @@ module ActionDispatch
       # Writes given value to given key of the session.
       def []=(key, value)
         load_for_write!
-        @delegate[key] = value
+        @delegate[key.to_s] = value
       end
 
       # Clears the session.
@@ -139,13 +139,13 @@ module ActionDispatch
       #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
       def update(hash)
         load_for_write!
-        @delegate.update hash
+        @delegate.update stringify_keys(hash)
       end
 
       # Deletes given key from the session.
       def delete(key)
         load_for_write!
-        @delegate.delete key
+        @delegate.delete key.to_s
       end
 
       # Returns value of the given key from the session, or raises +KeyError+
@@ -165,9 +165,9 @@ module ActionDispatch
       def fetch(key, default=Unspecified, &block)
         load_for_read!
         if default == Unspecified
-          @delegate.fetch(key, &block)
+          @delegate.fetch(key.to_s, &block)
         else
-          @delegate.fetch(key, default, &block)
+          @delegate.fetch(key.to_s, default, &block)
         end
       end
 
@@ -211,9 +211,15 @@ module ActionDispatch
       def load!
         id, session = @by.load_session @req
         options[:id] = id
-        @delegate.replace(session)
+        @delegate.replace(stringify_keys(session))
         @loaded = true
       end
+
+      def stringify_keys(other)
+        other.each_with_object({}) { |(key, value), hash|
+          hash[key.to_s] = value
+        }
+      end
     end
   end
 end
diff --git a/actionpack/lib/action_dispatch/routing/inspector.rb b/actionpack/lib/action_dispatch/routing/inspector.rb
index 6f651a5689..5d30a545a2 100644
--- a/actionpack/lib/action_dispatch/routing/inspector.rb
+++ b/actionpack/lib/action_dispatch/routing/inspector.rb
@@ -51,7 +51,7 @@ module ActionDispatch
 
     ##
     # This class is just used for displaying route information when someone
-    # executes `rake routes` or looks at the RoutingError page.
+    # executes `rails routes` or looks at the RoutingError page.
     # People should not use this class.
     class RoutesInspector # :nodoc:
       def initialize(routes)