7 files changed, 295 insertions, 4 deletions

diff --git a/actionpack/test/controller/mime_responds_test.rb b/actionpack/test/controller/mime_responds_test.rb
index 2aa73f1650..e91e11a8a7 100644
--- a/actionpack/test/controller/mime_responds_test.rb
+++ b/actionpack/test/controller/mime_responds_test.rb
@@ -656,7 +656,9 @@ class RespondWithControllerTest < ActionController::TestCase
     @request.accept = "application/json"
     get :using_hash_resource
     assert_equal "application/json", @response.content_type
-    assert_equal %Q[{"result":{"name":"david","id":13}}], @response.body
+    assert @response.body.include?("result")
+    assert @response.body.include?('"name":"david"')
+    assert @response.body.include?('"id":13')
   end
 
   def test_using_hash_resource_with_post
diff --git a/actionpack/test/controller/url_rewriter_test.rb b/actionpack/test/controller/url_rewriter_test.rb
index 89de4c1da4..f88903b10e 100644
--- a/actionpack/test/controller/url_rewriter_test.rb
+++ b/actionpack/test/controller/url_rewriter_test.rb
@@ -70,9 +70,9 @@ class UrlRewriterTests < ActionController::TestCase
     )
   end
 
-  def test_anchor_should_be_cgi_escaped
+  def test_anchor_should_be_uri_escaped
     assert_equal(
-      'http://test.host/c/a/i#anc%2Fhor',
+      'http://test.host/c/a/i#anc/hor',
       @rewriter.rewrite(@routes, :controller => 'c', :action => 'a', :id => 'i', :anchor => Struct.new(:to_param).new('anc/hor'))
     )
   end
diff --git a/actionpack/test/dispatch/request_id_test.rb b/actionpack/test/dispatch/request_id_test.rb
new file mode 100644
index 0000000000..b6e8b6c3ad
--- /dev/null
+++ b/actionpack/test/dispatch/request_id_test.rb
@@ -0,0 +1,65 @@
+require 'abstract_unit'
+
+class RequestIdTest < ActiveSupport::TestCase
+  test "passing on the request id from the outside" do
+    assert_equal "external-uu-rid", stub_request('HTTP_X_REQUEST_ID' => 'external-uu-rid').uuid
+  end
+
+  test "ensure that only alphanumeric uurids are accepted" do
+    assert_equal "X-Hacked-HeaderStuff", stub_request('HTTP_X_REQUEST_ID' => '; X-Hacked-Header: Stuff').uuid
+  end
+
+  test "ensure that 255 char limit on the request id is being enforced" do
+    assert_equal "X" * 255, stub_request('HTTP_X_REQUEST_ID' => 'X' * 500).uuid
+  end
+
+  test "generating a request id when none is supplied" do
+    assert_match(/\w+/, stub_request.uuid)
+  end
+
+  private
+
+  def stub_request(env = {})
+    ActionDispatch::RequestId.new(lambda { |environment| [ 200, environment, [] ] }).call(env)
+    ActionDispatch::Request.new(env)
+  end
+end
+
+class RequestIdResponseTest < ActionDispatch::IntegrationTest
+  class TestController < ActionController::Base
+    def index
+      head :ok
+    end
+  end
+
+  test "request id is passed all the way to the response" do
+    with_test_route_set do
+      get '/'
+      assert_match(/\w+/, @response.headers["X-Request-Id"])
+    end
+  end
+
+  test "request id given on request is passed all the way to the response" do
+    with_test_route_set do
+      get '/', {}, 'HTTP_X_REQUEST_ID' => 'X' * 500
+      assert_equal "X" * 255, @response.headers["X-Request-Id"]
+    end
+  end
+
+
+  private
+
+  def with_test_route_set
+    with_routing do |set|
+      set.draw do
+        match '/', :to => ::RequestIdResponseTest::TestController.action(:index)
+      end
+
+      @app = self.class.build_app(set) do |middleware|
+        middleware.use ActionDispatch::RequestId
+      end
+
+      yield
+    end
+  end
+end
\ No newline at end of file
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index a71ac1bdc1..cf22731823 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -2528,3 +2528,40 @@ class TestHttpMethods < ActionDispatch::IntegrationTest
     end
   end
 end
+
+class TestUriPathEscaping < ActionDispatch::IntegrationTest
+  Routes = ActionDispatch::Routing::RouteSet.new.tap do |app|
+    app.draw do
+      match '/:segment' => lambda { |env|
+        path_params = env['action_dispatch.request.path_parameters']
+        [200, { 'Content-Type' => 'text/plain' }, [path_params[:segment]]]
+      }, :as => :segment
+
+      match '/*splat' => lambda { |env|
+        path_params = env['action_dispatch.request.path_parameters']
+        [200, { 'Content-Type' => 'text/plain' }, [path_params[:splat]]]
+      }, :as => :splat
+    end
+  end
+
+  include Routes.url_helpers
+  def app; Routes end
+
+  test 'escapes generated path segment' do
+    assert_equal '/a%20b/c+d', segment_path(:segment => 'a b/c+d')
+  end
+
+  test 'unescapes recognized path segment' do
+    get '/a%20b%2Fc+d'
+    assert_equal 'a b/c+d', @response.body
+  end
+
+  test 'escapes generated path splat' do
+    assert_equal '/a%20b/c+d', splat_path(:splat => 'a b/c+d')
+  end
+
+  test 'unescapes recognized path splat' do
+    get '/a%20b/c+d'
+    assert_equal 'a b/c+d', @response.body
+  end
+end
diff --git a/actionpack/test/dispatch/session/cache_store_test.rb b/actionpack/test/dispatch/session/cache_store_test.rb
new file mode 100644
index 0000000000..73e056de23
--- /dev/null
+++ b/actionpack/test/dispatch/session/cache_store_test.rb
@@ -0,0 +1,181 @@
+require 'abstract_unit'
+
+class CacheStoreTest < ActionDispatch::IntegrationTest
+  class TestController < ActionController::Base
+    def no_session_access
+      head :ok
+    end
+
+    def set_session_value
+      session[:foo] = "bar"
+      head :ok
+    end
+
+    def set_serialized_session_value
+      session[:foo] = SessionAutoloadTest::Foo.new
+      head :ok
+    end
+
+    def get_session_value
+      render :text => "foo: #{session[:foo].inspect}"
+    end
+
+    def get_session_id
+      render :text => "#{request.session_options[:id]}"
+    end
+
+    def call_reset_session
+      session[:bar]
+      reset_session
+      session[:bar] = "baz"
+      head :ok
+    end
+
+    def rescue_action(e) raise end
+  end
+
+  def test_setting_and_getting_session_value
+    with_test_route_set do
+      get '/set_session_value'
+      assert_response :success
+      assert cookies['_session_id']
+
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: "bar"', response.body
+    end
+  end
+
+  def test_getting_nil_session_value
+    with_test_route_set do
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: nil', response.body
+    end
+  end
+
+  def test_getting_session_value_after_session_reset
+    with_test_route_set do
+      get '/set_session_value'
+      assert_response :success
+      assert cookies['_session_id']
+      session_cookie = cookies.send(:hash_for)['_session_id']
+
+      get '/call_reset_session'
+      assert_response :success
+      assert_not_equal [], headers['Set-Cookie']
+
+      cookies << session_cookie # replace our new session_id with our old, pre-reset session_id
+
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: nil', response.body, "data for this session should have been obliterated from cache"
+    end
+  end
+
+  def test_getting_from_nonexistent_session
+    with_test_route_set do
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: nil', response.body
+      assert_nil cookies['_session_id'], "should only create session on write, not read"
+    end
+  end
+
+  def test_setting_session_value_after_session_reset
+    with_test_route_set do
+      get '/set_session_value'
+      assert_response :success
+      assert cookies['_session_id']
+      session_id = cookies['_session_id']
+
+      get '/call_reset_session'
+      assert_response :success
+      assert_not_equal [], headers['Set-Cookie']
+
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: nil', response.body
+
+      get '/get_session_id'
+      assert_response :success
+      assert_not_equal session_id, response.body
+    end
+  end
+
+  def test_getting_session_id
+    with_test_route_set do
+      get '/set_session_value'
+      assert_response :success
+      assert cookies['_session_id']
+      session_id = cookies['_session_id']
+
+      get '/get_session_id'
+      assert_response :success
+      assert_equal session_id, response.body, "should be able to read session id without accessing the session hash"
+    end
+  end
+
+  def test_deserializes_unloaded_class
+    with_test_route_set do
+      with_autoload_path "session_autoload_test" do
+        get '/set_serialized_session_value'
+        assert_response :success
+        assert cookies['_session_id']
+      end
+      with_autoload_path "session_autoload_test" do
+        get '/get_session_id'
+        assert_response :success
+      end
+      with_autoload_path "session_autoload_test" do
+        get '/get_session_value'
+        assert_response :success
+        assert_equal 'foo: #<SessionAutoloadTest::Foo bar:"baz">', response.body, "should auto-load unloaded class"
+      end
+    end
+  end
+
+  def test_doesnt_write_session_cookie_if_session_id_is_already_exists
+    with_test_route_set do
+      get '/set_session_value'
+      assert_response :success
+      assert cookies['_session_id']
+
+      get '/get_session_value'
+      assert_response :success
+      assert_equal nil, headers['Set-Cookie'], "should not resend the cookie again if session_id cookie is already exists"
+    end
+  end
+
+  def test_prevents_session_fixation
+    with_test_route_set do
+      get '/get_session_value'
+      assert_response :success
+      assert_equal 'foo: nil', response.body
+      session_id = cookies['_session_id']
+
+      reset!
+
+      get '/set_session_value', :_session_id => session_id
+      assert_response :success
+      assert_not_equal session_id, cookies['_session_id']
+    end
+  end
+
+  private
+    def with_test_route_set
+      with_routing do |set|
+        set.draw do
+          match ':action', :to => ::CacheStoreTest::TestController
+        end
+
+        @app = self.class.build_app(set) do |middleware|
+          cache = ActiveSupport::Cache::MemoryStore.new
+          middleware.use ActionDispatch::Session::CacheStore, :key => '_session_id', :cache => cache
+          middleware.delete "ActionDispatch::ShowExceptions"
+        end
+
+        yield
+      end
+    end
+end
diff --git a/actionpack/test/template/html-scanner/tag_node_test.rb b/actionpack/test/template/html-scanner/tag_node_test.rb
index 0d87f1bd42..3b72243e7d 100644
--- a/actionpack/test/template/html-scanner/tag_node_test.rb
+++ b/actionpack/test/template/html-scanner/tag_node_test.rb
@@ -55,7 +55,12 @@ class TagNodeTest < Test::Unit::TestCase
 
   def test_to_s
     node = tag("<a b=c d='f' g=\"h 'i'\" />")
-    assert_equal %(<a b="c" d="f" g="h 'i'" />), node.to_s
+    node = node.to_s
+    assert node.include?('a')
+    assert node.include?('b="c"')
+    assert node.include?('d="f"')
+    assert node.include?('g="h')
+    assert node.include?('i')
   end
 
   def test_tag
diff --git a/actionpack/test/template/number_helper_test.rb b/actionpack/test/template/number_helper_test.rb
index 0e3475d98b..8d679aac1d 100644
--- a/actionpack/test/template/number_helper_test.rb
+++ b/actionpack/test/template/number_helper_test.rb
@@ -27,6 +27,7 @@ class NumberHelperTest < ActionView::TestCase
     assert_equal("800 555 1212", number_to_phone(8005551212, {:delimiter => " "}))
     assert_equal("(800) 555-1212 x 123", number_to_phone(8005551212, {:area_code => true, :extension => 123}))
     assert_equal("800-555-1212", number_to_phone(8005551212, :extension => "  "))
+    assert_equal("555.1212", number_to_phone(5551212, :delimiter => '.'))
     assert_equal("800-555-1212", number_to_phone("8005551212"))
     assert_equal("+1-800-555-1212", number_to_phone(8005551212, :country_code => 1))
     assert_equal("+18005551212", number_to_phone(8005551212, :country_code => 1, :delimiter => ''))