4 files changed, 232 insertions, 1 deletions

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 87a8ed3dc9..1984ad8825 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -128,6 +128,23 @@ class CustomAuthenticityParamController < RequestForgeryProtectionControllerUsin
   end
 end
 
+class PerFormTokensController < ActionController::Base
+  protect_from_forgery :with => :exception
+  self.per_form_csrf_tokens = true
+
+  def index
+    render inline: "<%= form_tag (params[:form_path] || '/per_form_tokens/post_one'), method: (params[:form_method] || :post) %>"
+  end
+
+  def post_one
+    render plain: ''
+  end
+
+  def post_two
+    render plain: ''
+  end
+end
+
 # common test methods
 module RequestForgeryProtectionTests
   def setup
@@ -623,3 +640,158 @@ class CustomAuthenticityParamControllerTest < ActionController::TestCase
     end
   end
 end
+
+class PerFormTokensControllerTest < ActionController::TestCase
+  def test_per_form_token_is_same_size_as_global_token
+    get :index
+    expected = ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH
+    actual = @controller.send(:per_form_csrf_token, session, '/path', 'post').size
+    assert_equal expected, actual
+  end
+
+  def test_accepts_token_for_correct_path_and_method
+    get :index
+
+    form_token = nil
+    assert_select 'input[name=custom_authenticity_token]' do |elts|
+      form_token = elts.first['value']
+      assert_not_nil form_token
+    end
+
+    actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
+    expected = @controller.send(:per_form_csrf_token, session, '/per_form_tokens/post_one', 'post')
+    assert_equal expected, actual
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+    assert_nothing_raised do
+      post :post_one, params: {custom_authenticity_token: form_token}
+    end
+    assert_response :success
+  end
+
+  def test_rejects_token_for_incorrect_path
+    get :index
+
+    form_token = nil
+    assert_select 'input[name=custom_authenticity_token]' do |elts|
+      form_token = elts.first['value']
+      assert_not_nil form_token
+    end
+
+    actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
+    expected = @controller.send(:per_form_csrf_token, session, '/per_form_tokens/post_one', 'post')
+    assert_equal expected, actual
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_two'
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      post :post_two, params: {custom_authenticity_token: form_token}
+    end
+  end
+
+  def test_rejects_token_for_incorrect_method
+    get :index
+
+    form_token = nil
+    assert_select 'input[name=custom_authenticity_token]' do |elts|
+      form_token = elts.first['value']
+      assert_not_nil form_token
+    end
+
+    actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
+    expected = @controller.send(:per_form_csrf_token, session, '/per_form_tokens/post_one', 'post')
+    assert_equal expected, actual
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      patch :post_one, params: {custom_authenticity_token: form_token}
+    end
+  end
+
+  def test_accepts_global_csrf_token
+    get :index
+
+    token = @controller.send(:form_authenticity_token)
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+    assert_nothing_raised do
+      post :post_one, params: {custom_authenticity_token: token}
+    end
+    assert_response :success
+  end
+
+  def test_ignores_params
+    get :index, params: {form_path: '/per_form_tokens/post_one?foo=bar'}
+
+    form_token = nil
+    assert_select 'input[name=custom_authenticity_token]' do |elts|
+      form_token = elts.first['value']
+      assert_not_nil form_token
+    end
+
+    actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
+    expected = @controller.send(:per_form_csrf_token, session, '/per_form_tokens/post_one', 'post')
+    assert_equal expected, actual
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one?foo=baz'
+    assert_nothing_raised do
+      post :post_one, params: {custom_authenticity_token: form_token, baz: 'foo'}
+    end
+    assert_response :success
+  end
+
+  def test_ignores_trailing_slash_during_generation
+    get :index, params: {form_path: '/per_form_tokens/post_one/'}
+
+    form_token = nil
+    assert_select 'input[name=custom_authenticity_token]' do |elts|
+      form_token = elts.first['value']
+      assert_not_nil form_token
+    end
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+    assert_nothing_raised do
+      post :post_one, params: {custom_authenticity_token: form_token}
+    end
+    assert_response :success
+  end
+
+  def test_ignores_trailing_slash_during_validation
+    get :index
+
+    form_token = nil
+    assert_select 'input[name=custom_authenticity_token]' do |elts|
+      form_token = elts.first['value']
+      assert_not_nil form_token
+    end
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one/'
+    assert_nothing_raised do
+      post :post_one, params: {custom_authenticity_token: form_token}
+    end
+    assert_response :success
+  end
+
+  def test_method_is_case_insensitive
+    get :index, params: {form_method: "POST"}
+
+    form_token = nil
+    assert_select 'input[name=custom_authenticity_token]' do |elts|
+      form_token = elts.first['value']
+      assert_not_nil form_token
+    end
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one/'
+    assert_nothing_raised do
+      post :post_one, params: {custom_authenticity_token: form_token}
+    end
+    assert_response :success
+  end
+end
diff --git a/actionpack/test/dispatch/routing/inspector_test.rb b/actionpack/test/dispatch/routing/inspector_test.rb
index a17d07c40b..7382c267c7 100644
--- a/actionpack/test/dispatch/routing/inspector_test.rb
+++ b/actionpack/test/dispatch/routing/inspector_test.rb
@@ -7,6 +7,9 @@ class MountedRackApp
   end
 end
 
+class Rails::DummyController
+end
+
 module ActionDispatch
   module Routing
     class RoutesInspectorTest < ActiveSupport::TestCase
@@ -331,6 +334,41 @@ module ActionDispatch
           "  cart GET  /cart(.:format) cart#show"
         ], output
       end
+
+      def test_routes_with_undefined_filter
+        output = draw(:filter => 'Rails::MissingController') do
+          get 'photos/:id' => 'photos#show', :id => /[A-Z]\d{5}/
+        end
+
+        assert_equal [
+          "The controller Rails::MissingController does not exist!",
+          "For more information about routes, see the Rails guide: http://guides.rubyonrails.org/routing.html."
+        ], output
+      end
+
+      def test_no_routes_matched_filter
+        output = draw(:filter => 'rails/dummy') do
+          get 'photos/:id' => 'photos#show', :id => /[A-Z]\d{5}/
+        end
+
+        assert_equal [
+          "No routes were found for this controller",
+          "For more information about routes, see the Rails guide: http://guides.rubyonrails.org/routing.html."
+        ], output
+      end
+
+      def test_no_routes_were_defined
+        output = draw(:filter => 'Rails::DummyController') { }
+
+        assert_equal [
+          "You don't have any routes defined!",
+          "",
+          "Please add some routes in config/routes.rb.",
+          "",
+          "For more information about routes, see the Rails guide: http://guides.rubyonrails.org/routing.html."
+        ], output
+      end
+
     end
   end
 end
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index 82222a141c..62d65ec5c0 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -3578,6 +3578,27 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
     assert_equal 'HEAD', @response.body
   end
 
+  def test_passing_action_parameters_to_url_helpers_raises_error_if_parameters_are_not_permitted
+    draw do
+      root :to => 'projects#index'
+    end
+    params = ActionController::Parameters.new(id: '1')
+
+    assert_raises ArgumentError do
+      root_path(params)
+    end
+  end
+
+  def test_passing_action_parameters_to_url_helpers_is_allowed_if_parameters_are_permitted
+    draw do
+      root :to => 'projects#index'
+    end
+    params = ActionController::Parameters.new(id: '1')
+    params.permit!
+
+    assert_equal '/?id=1', root_path(params)
+  end
+
 private
 
   def draw(&block)
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index 11251c86e7..c66a0e6a7a 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -199,7 +199,7 @@ class SecureCookiesTest < SSLTest
 
   def test_cookies_as_not_secure_with_secure_cookies_disabled
     get headers: { 'Set-Cookie' => DEFAULT }, ssl_options: { secure_cookies: false }
-    assert_cookies *DEFAULT.split("\n")
+    assert_cookies(*DEFAULT.split("\n"))
   end
 
   def test_no_cookies