7 files changed, 90 insertions, 6 deletions

diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb
index ddc93464cd..7d73c6af8d 100644
--- a/actionpack/lib/abstract_controller/rendering.rb
+++ b/actionpack/lib/abstract_controller/rendering.rb
@@ -105,6 +105,7 @@ module AbstractController
     # Find and renders a template based on the options given.
     # :api: private
     def _render_template(options) #:nodoc:
+      lookup_context.rendered_format = nil if options[:formats]
       view_renderer.render(view_context, options)
     end
 
diff --git a/actionpack/lib/action_controller/caching/sweeping.rb b/actionpack/lib/action_controller/caching/sweeping.rb
index 808a6fe5f3..bb176ca3f9 100644
--- a/actionpack/lib/action_controller/caching/sweeping.rb
+++ b/actionpack/lib/action_controller/caching/sweeping.rb
@@ -54,6 +54,11 @@ module ActionController #:nodoc:
       class Sweeper < ActiveRecord::Observer #:nodoc:
         attr_accessor :controller
 
+        def initialize(*args)
+          super
+          @controller = nil
+        end
+
         def before(controller)
           self.controller = controller
           callback(:before) if controller.perform_caching
diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index a9542a7d1b..e3b04ac097 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -61,6 +61,7 @@ module ActionDispatch
     autoload :Reloader
     autoload :RemoteIp
     autoload :ShowExceptions
+    autoload :SSL
     autoload :Static
   end
 
diff --git a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
index 836136eb95..ab740a0190 100644
--- a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
+++ b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
@@ -9,7 +9,7 @@ module ActionDispatch
   # of ShowExceptions. Everytime there is an exception, ShowExceptions will
   # store the exception in env["action_dispatch.exception"], rewrite the
   # PATH_INFO to the exception status code and call the rack app.
-  # 
+  #
   # If the application returns a "X-Cascade" pass response, this middleware
   # will send an empty response as result with the correct status code.
   # If any exception happens inside the exceptions app, this middleware
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
new file mode 100644
index 0000000000..c758110367
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -0,0 +1,77 @@
+module ActionDispatch
+  class SSL
+    YEAR = 31536000
+
+    def self.default_hsts_options
+      { :expires => YEAR, :subdomains => false }
+    end
+
+    def initialize(app, options = {})
+      @app = app
+
+      @hsts = options.fetch(:hsts, {})
+      @hsts = {} if @hsts == true
+      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
+
+      @exclude = options[:exclude]
+      @host    = options[:host]
+      @port    = options[:port]
+    end
+
+    def call(env)
+      return @app.call(env) if exclude?(env)
+
+      request = Request.new(env)
+
+      if request.ssl?
+        status, headers, body = @app.call(env)
+        headers = hsts_headers.merge(headers)
+        flag_cookies_as_secure!(headers)
+        [status, headers, body]
+      else
+        redirect_to_https(request)
+      end
+    end
+
+    private
+      def exclude?(env)
+        @exclude && @exclude.call(env)
+      end
+
+      def redirect_to_https(request)
+        url        = URI(request.url)
+        url.scheme = "https"
+        url.host   = @host if @host
+        url.port   = @port if @port
+        headers    = hsts_headers.merge('Content-Type' => 'text/html',
+                                        'Location'     => url.to_s)
+
+        [301, headers, []]
+      end
+
+      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
+      def hsts_headers
+        if @hsts
+          value = "max-age=#{@hsts[:expires]}"
+          value += "; includeSubDomains" if @hsts[:subdomains]
+          { 'Strict-Transport-Security' => value }
+        else
+          {}
+        end
+      end
+
+      def flag_cookies_as_secure!(headers)
+        if cookies = headers['Set-Cookie']
+          cookies = cookies.split("\n")
+
+          headers['Set-Cookie'] = cookies.map { |cookie|
+            if cookie !~ /; secure(;|$)/
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          }.join("\n")
+        end
+      end
+  end
+end
diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index cd215034dc..cdc29fb304 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -1,6 +1,6 @@
 require 'active_support/core_ext/hash/except'
 require 'active_support/core_ext/object/blank'
-require 'active_support/core_ext/object/inclusion'
+require 'active_support/core_ext/enumerable'
 require 'active_support/inflector'
 require 'action_dispatch/routing/redirection'
 
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 7fa86866a7..8ea2e5bfe4 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -176,7 +176,7 @@ module ActionView
     end
   end
 
-  # A resolver that loads files from the filesystem. It allows to set your own
+  # A resolver that loads files from the filesystem. It allows setting your own
   # resolving pattern. Such pattern can be a glob string supported by some variables.
   #
   # ==== Examples
@@ -192,7 +192,7 @@ module ActionView
   #
   #   FileSystemResolver.new("/path/to/views", ":prefix/{:formats/,}:action{.:locale,}{.:formats,}{.:handlers,}")
   #
-  # If you don't specify pattern then the default will be used.
+  # If you don't specify a pattern then the default will be used.
   #
   # In order to use any of the customized resolvers above in a Rails application, you just need
   # to configure ActionController::Base.view_paths in an initializer, for example:
@@ -204,10 +204,10 @@ module ActionView
   #
   # ==== Pattern format and variables
   #
-  # Pattern have to be a valid glob string, and it allows you to use the
+  # Pattern has to be a valid glob string, and it allows you to use the
   # following variables:
   #
-  # * <tt>:prefix</tt> - usualy the controller path
+  # * <tt>:prefix</tt> - usually the controller path
   # * <tt>:action</tt> - name of the action
   # * <tt>:locale</tt> - possible locale versions
   # * <tt>:formats</tt> - possible request formats (for example html, json, xml...)