8 files changed, 37 insertions, 24 deletions

diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb
index d3f93a5352..87609d8aa7 100644
--- a/actionpack/lib/action_controller/log_subscriber.rb
+++ b/actionpack/lib/action_controller/log_subscriber.rb
@@ -53,15 +53,6 @@ module ActionController
       end
     end
 
-    def deep_munge(event)
-      debug do
-        "Value for params[:#{event.payload[:keys].join('][:')}] was set "\
-        "to nil, because it was one of [], [null] or [null, null, ...]. "\
-        "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation "\
-        "for more information."\
-      end
-    end
-
     %w(write_fragment read_fragment exist_fragment?
        expire_fragment expire_page write_page).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index a5ee1e2159..f08c84de5b 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -100,7 +100,6 @@ module ActionController
   #   params[:key]  # => "value"
   #   params["key"] # => "value"
   class Parameters < ActiveSupport::HashWithIndifferentAccess
-    cattr_accessor :permit_all_parameters, instance_accessor: false
     cattr_accessor :action_on_unpermitted_parameters, instance_accessor: false
 
     # By default, never raise an UnpermittedParameters exception if these
@@ -123,6 +122,16 @@ module ActionController
       always_permitted_parameters
     end
 
+    # Returns the value of +permit_all_parameters+.
+    def self.permit_all_parameters
+      Thread.current[:action_controller_permit_all_parameters]
+    end
+
+    # Sets the value of +permit_all_parameters+.
+    def self.permit_all_parameters=(value)
+      Thread.current[:action_controller_permit_all_parameters] = value
+    end
+
     # Returns a new instance of <tt>ActionController::Parameters</tt>.
     # Also, sets the +permitted+ attribute to the default value of
     # <tt>ActionController::Parameters.permit_all_parameters</tt>.
@@ -163,6 +172,12 @@ module ActionController
       end
     end
 
+    # Returns an unsafe, unfiltered +Hash+ representation of this parameter.
+    def to_unsafe_h
+      to_hash
+    end
+    alias_method :to_unsafe_hash, :to_unsafe_h
+
     # Convert all hashes in values into parameters, then yield each pair like
     # the same way as <tt>Hash#each_pair</tt>
     def each_pair(&block)
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index cd92962dc3..b9172f8fa3 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -145,6 +145,8 @@ module ActionController
             assert(@_layouts.keys.any? {|l| l =~ expected_layout }, msg)
           when nil, false
             assert(@_layouts.empty?, msg)
+          else
+            raise ArgumentError, "assert_template only accepts a String, Symbol, Regexp, nil or false for :layout"
           end
         end
 
diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index 9c8f65deac..53a98c5d0a 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -72,11 +72,12 @@ module ActionDispatch
           end
         end
       end
+
       # Sets the \variant for template.
       def variant=(variant)
         if variant.is_a?(Symbol)
           @variant = [variant]
-        elsif variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
+        elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
           @variant = variant
         else
           raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
diff --git a/actionpack/lib/action_dispatch/http/parameter_filter.rb b/actionpack/lib/action_dispatch/http/parameter_filter.rb
index b655a54865..df4b073a17 100644
--- a/actionpack/lib/action_dispatch/http/parameter_filter.rb
+++ b/actionpack/lib/action_dispatch/http/parameter_filter.rb
@@ -56,7 +56,7 @@ module ActionDispatch
             elsif value.is_a?(Array)
               value = value.map { |v| v.is_a?(Hash) ? call(v) : v }
             elsif blocks.any?
-              key = key.dup
+              key = key.dup if key.duplicable?
               value = value.dup if value.duplicable?
               blocks.each { |b| b.call(key, value) }
             end
diff --git a/actionpack/lib/action_dispatch/request/utils.rb b/actionpack/lib/action_dispatch/request/utils.rb
index 9d4f1aa3c5..1c9371d89c 100644
--- a/actionpack/lib/action_dispatch/request/utils.rb
+++ b/actionpack/lib/action_dispatch/request/utils.rb
@@ -16,10 +16,6 @@ module ActionDispatch
             when Array
               v.grep(Hash) { |x| deep_munge(x, keys) }
               v.compact!
-              if v.empty?
-                hash[k] = nil
-                ActiveSupport::Notifications.instrument("deep_munge.action_controller", keys: keys)
-              end
             when Hash
               deep_munge(v, keys)
             end
diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index f07a4aa674..b9e916078c 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -579,14 +579,15 @@ module ActionDispatch
 
           raise "A rack application must be specified" unless path
 
-          options[:as] ||= app_name(app)
+          rails_app = rails_app? app
+          options[:as] ||= app_name(app, rails_app)
 
           target_as       = name_for_action(options[:as], path)
           options[:via] ||= :all
 
           match(path, options.merge(:to => app, :anchor => false, :format => false))
 
-          define_generate_prefix(app, target_as) if rails_app?(app)
+          define_generate_prefix(app, target_as) if rails_app
           self
         end
 
@@ -611,10 +612,11 @@ module ActionDispatch
             app.is_a?(Class) && app < Rails::Railtie
           end
 
-          def app_name(app)
-            if rails_app?(app)
+          def app_name(app, rails_app)
+            if rails_app
               app.railtie_name
-            elsif class_name = app.try(:name)
+            elsif app.is_a?(Class)
+              class_name = app.name
               ActiveSupport::Inflector.underscore(class_name).tr("/", "_")
             end
           end
diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb
index f3144dc2d3..d7693bdcee 100644
--- a/actionpack/lib/action_dispatch/routing/route_set.rb
+++ b/actionpack/lib/action_dispatch/routing/route_set.rb
@@ -280,14 +280,20 @@ module ActionDispatch
           end
 
           def handle_positional_args(controller_options, inner_options, args, result, path_params)
-
             if args.size > 0
-              if args.size < path_params.size - 1 # take format into account
+              # take format into account
+              if path_params.include?(:format)
+                path_params_size = path_params.size - 1
+              else
+                path_params_size = path_params.size
+              end
+
+              if args.size < path_params_size
                 path_params -= controller_options.keys
                 path_params -= result.keys
               end
               path_params.each { |param|
-                result[param] = inner_options[param] || args.shift
+                result[param] = inner_options.fetch(param) { args.shift }
               }
             end