Diffstat (limited to 'actionpack/test/controller')
6 files changed, 52 insertions, 23 deletions
diff --git a/actionpack/test/controller/action_pack_assertions_test.rb b/actionpack/test/controller/action_pack_assertions_test.rb
index ecb8c37e6b..c7aae034dd 100644
--- a/actionpack/test/controller/action_pack_assertions_test.rb
+++ b/actionpack/test/controller/action_pack_assertions_test.rb
@@ -28,13 +28,13 @@ class ActionPackAssertionsController < ActionController::Base
 def redirect_to_path() redirect_to "/some/path" end
- def redirect_invalid_external_route() redirect_to "ht_tp://www.rubyonrails.org" end
+ def redirect_invalid_external_route() redirect_to "ht_tp://www.rubyonrails.org", allow_other_host: true end
 def redirect_to_named_route() redirect_to route_one_url end
- def redirect_external() redirect_to "http://www.rubyonrails.org"; end
+ def redirect_external() redirect_to "http://www.rubyonrails.org", allow_other_host: true; end
- def redirect_external_protocol_relative() redirect_to "//www.rubyonrails.org"; end
+ def redirect_external_protocol_relative() redirect_to "//www.rubyonrails.org", allow_other_host: true; end
 def response404() head "404 AWOL" end
diff --git a/actionpack/test/controller/caching_test.rb b/actionpack/test/controller/caching_test.rb
index 6fe036dd15..5543f9120f 100644
--- a/actionpack/test/controller/caching_test.rb
+++ b/actionpack/test/controller/caching_test.rb
@@ -60,14 +60,6 @@ class FragmentCachingTest < ActionController::TestCase
 @m2v2 = ModelWithKeyAndVersion.new("model/2", "2")
 end
- def test_fragment_cache_key
- assert_deprecated do
- assert_equal "views/what a key", @controller.fragment_cache_key("what a key")
- assert_equal "views/test.host/fragment_caching_test/some_action",
- @controller.fragment_cache_key(controller: "fragment_caching_test", action: "some_action")
- end
- end
-
 def test_combined_fragment_cache_key
 assert_equal [ :views, "what a key" ], @controller.combined_fragment_cache_key("what a key")
 assert_equal [ :views, "test.host/fragment_caching_test/some_action" ],
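Review bot: Nothing in `ActionPackAssertionsController` says why `redirect_invalid_external_route`, `redirect_external` and `redirect_external_protocol_relative` now pass `allow_other_host: true`, so the opt-out reads as boilerplate that is safe to copy into application controllers. One comment above the first of them would cover it, for example `# Targets below are fixed external hosts on purpose; allow_other_host: true opts out of the unsafe-redirect check.` The same applies to the fixtures changed in log_subscriber_test.rb and redirect_test.rb, including the two `proc` targets. The class body starts and ends outside the hunk.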
diff --git a/actionpack/test/controller/flash_test.rb b/actionpack/test/controller/flash_test.rb
index 409a4ec2e6..bf95c633e5 100644
--- a/actionpack/test/controller/flash_test.rb
+++ b/actionpack/test/controller/flash_test.rb
@@ -242,8 +242,11 @@ end
 class FlashIntegrationTest < ActionDispatch::IntegrationTest
 SessionKey = "_myapp_session"
- Generator = ActiveSupport::LegacyKeyGenerator.new("b3c631c314c0bbca50c1b2843150fe33")
- Rotations = ActiveSupport::Messages::RotationConfiguration.new
+ Generator = ActiveSupport::CachingKeyGenerator.new(
+ ActiveSupport::KeyGenerator.new("b3c631c314c0bbca50c1b2843150fe33", iterations: 1000)
+ )
+ Rotations = ActiveSupport::Messages::RotationConfiguration.new
+ SIGNED_COOKIE_SALT = "signed cookie"
 class TestController < ActionController::Base
 add_flash_types :bar
@@ -365,6 +368,7 @@ class FlashIntegrationTest < ActionDispatch::IntegrationTest
 args[0][:env] ||= {}
 args[0][:env]["action_dispatch.key_generator"] ||= Generator
 args[0][:env]["action_dispatch.cookies_rotations"] = Rotations
+ args[0][:env]["action_dispatch.signed_cookie_salt"] = SIGNED_COOKIE_SALT
 super(path, *args)
 end
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index b133afb343..dd4ff85d11 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -44,7 +44,10 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
 setup do
 # Used as secret in generating nonce to prevent tampering of timestamp
 @secret = "4fb45da9e4ab4ddeb7580d6a35503d99"
- @request.env["action_dispatch.key_generator"] = ActiveSupport::LegacyKeyGenerator.new(@secret)
+ @request.env["action_dispatch.key_generator"] = ActiveSupport::CachingKeyGenerator.new(
+ ActiveSupport::KeyGenerator.new(@secret)
+ )
+ @request.env["action_dispatch.http_auth_salt"] = "http authentication"
 end
 teardown do
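Review bot: `iterations: 1000` on the new `Generator` carries no comment, and neither does the fixed secret passed next to it; both are acceptable only because this is a test fixture, and the constant should say so. I would add `# Fixed secret and a low iteration count, presumably to keep the integration tests fast; not production values.` directly above `Generator`. `SIGNED_COOKIE_SALT` also departs from the CamelCase constants `SessionKey`, `Generator` and `Rotations` declared beside it; `SignedCookieSalt` would match the class's existing style.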
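Review bot: The added `action_dispatch.signed_cookie_salt` line assigns with `=`, while `action_dispatch.key_generator` two lines above uses `||=`, so a test that supplies its own generator and salt through `env` keeps the generator but has the salt overwritten without notice. `args[0][:env]["action_dispatch.signed_cookie_salt"] ||= SIGNED_COOKIE_SALT` would keep the two overridable together. The enclosing method starts above the hunk, so whether any caller passes a salt today is not visible here.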
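Review bot: `ActiveSupport::KeyGenerator.new(@secret)` in `setup` is built without `iterations:`, unlike flash_test.rb in this same change, which passes `iterations: 1000`. The `setup` block runs before every test and wraps a fresh generator in a new `CachingKeyGenerator` each time, so the cache does not carry over between tests and each one that derives a key pays the default derivation cost again. `ActiveSupport::KeyGenerator.new(@secret, iterations: 1000)` would match the other fixture. The new `"http authentication"` salt literal could also be named in the existing comment above `@secret`, which currently explains only the secret.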
diff --git a/actionpack/test/controller/log_subscriber_test.rb b/actionpack/test/controller/log_subscriber_test.rb
index 0562c16284..cbebc6b59c 100644
--- a/actionpack/test/controller/log_subscriber_test.rb
+++ b/actionpack/test/controller/log_subscriber_test.rb
@@ -25,11 +25,11 @@ module Another
 end
 def redirector
- redirect_to "http://foo.bar/"
+ redirect_to "http://foo.bar/", allow_other_host: true
 end
 def filterable_redirector
- redirect_to "http://secret.foo.bar/"
+ redirect_to "http://secret.foo.bar/", allow_other_host: true
 end
 def data_sender
diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
index 998498e1b2..945d2275c0 100644
--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
@@ -49,11 +49,11 @@ class RedirectController < ActionController::Base
 end
 def url_redirect_with_status
- redirect_to("http://www.example.com", status: :moved_permanently)
+ redirect_to("http://www.example.com", status: :moved_permanently, allow_other_host: true)
 end
 def url_redirect_with_status_hash
- redirect_to("http://www.example.com", status: 301)
+ redirect_to("http://www.example.com", status: 301, allow_other_host: true)
 end
 def relative_url_redirect_with_status
@@ -81,19 +81,27 @@ class RedirectController < ActionController::Base end def redirect_to_url + redirect_to "http://www.rubyonrails.org/", allow_other_host: true + end + + def redirect_to_unsafe_url redirect_to "http://www.rubyonrails.org/" end + def redirect_to_relative_unsafe_url + redirect_to ".br" + end + def redirect_to_url_with_unescaped_query_string - redirect_to "http://example.com/query?status=new" + redirect_to "http://example.com/query?status=new", allow_other_host: true end def redirect_to_url_with_complex_scheme - redirect_to "x-test+scheme.complex:redirect" + redirect_to "x-test+scheme.complex:redirect", allow_other_host: true end def redirect_to_url_with_network_path_reference - redirect_to "//www.rubyonrails.org/" + redirect_to "//www.rubyonrails.org/", allow_other_host: true end def redirect_to_existing_record @@ -113,12 +121,12 @@ class RedirectController < ActionController::Base end def redirect_to_with_block - redirect_to proc { "http://www.rubyonrails.org/" } + redirect_to proc { "http://www.rubyonrails.org/" }, allow_other_host: true end def redirect_to_with_block_and_assigns @url = "http://www.rubyonrails.org/" - redirect_to proc { @url } + redirect_to proc { @url }, allow_other_host: true end def redirect_to_with_block_and_options 
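Review bot: `redirect_to ".br"` in `redirect_to_relative_unsafe_url` needs a comment, because nothing at the call site shows why a relative-looking target counts as another host. Going by the message asserted in `test_redirect_to_relative_unsafe_url`, the string ends up appended to the request host and the resulting location is `http://test.host.br`. A line such as `# No leading slash: ".br" is appended to the request host ("http://test.host.br"), which is a different host.` above the call would record the case this fixture exists for. `redirect_to_unsafe_url` would benefit from a matching one-liner saying it is the same target as `redirect_to_url` without the opt-out.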
@@ -245,6 +253,28 @@ class RedirectTest < ActionController::TestCase assert_redirected_to "http://www.rubyonrails.org/" end + def test_redirect_to_unsafe_url + error = assert_raises(ArgumentError) do + get :redirect_to_unsafe_url + end + assert_equal <<~MSG.squish, error.message + Unsafe redirect \"http://www.rubyonrails.org/\", + use :fallback_location to specify a fallback or + :allow_other_host to redirect anyway. + MSG + end + + def test_redirect_to_relative_unsafe_url + error = assert_raises(ArgumentError) do + get :redirect_to_relative_unsafe_url + end + assert_equal <<~MSG.squish, error.message + Unsafe redirect \"http://test.host.br\", + use :fallback_location to specify a fallback or + :allow_other_host to redirect anyway. + MSG + end + def test_redirect_to_url_with_unescaped_query_string get :redirect_to_url_with_unescaped_query_string assert_response :redirect |
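Review bot: The two new tests cover only an absolute `http://` target and the `.br` suffix case; nothing asserts that the other external forms in `RedirectController` are rejected when the option is absent. `redirect_to_url_with_network_path_reference`, `redirect_to_url_with_complex_scheme` and both `proc` fixtures all gained `allow_other_host: true` in this change, so a regression that let `//www.rubyonrails.org/` through unchecked would not fail this suite. If the check is meant to cover those forms, a negative fixture and test per form would pin it; the network-path case is sketched below with proposed names. Separately, the `\"` escapes inside the `<<~MSG` heredocs are unnecessary and make the expected message harder to read.

```ruby
# RedirectController: same target as redirect_to_url_with_network_path_reference, without the opt-out
def redirect_to_unsafe_network_path_reference
  redirect_to "//www.rubyonrails.org/"
end

# RedirectTest
def test_redirect_to_unsafe_network_path_reference
  assert_raises(ArgumentError) do
    get :redirect_to_unsafe_network_path_reference
  end
end
```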