Diffstat (limited to 'actionpack/test')
-rw-r--r--actionpack/test/assertions/response_assertions_test.rb5
-rw-r--r--actionpack/test/controller/parameters/parameters_permit_test.rb28
-rw-r--r--actionpack/test/controller/redirect_test.rb4
-rw-r--r--actionpack/test/controller/test_case_test.rb2
-rw-r--r--actionpack/test/controller/url_for_test.rb7
-rw-r--r--actionpack/test/dispatch/middleware_stack_test.rb16
6 files changed, 59 insertions, 3 deletions
diff --git a/actionpack/test/assertions/response_assertions_test.rb b/actionpack/test/assertions/response_assertions_test.rb
index e76c222824..841fa6aaad 100644
--- a/actionpack/test/assertions/response_assertions_test.rb
+++ b/actionpack/test/assertions/response_assertions_test.rb
@@ -19,6 +19,11 @@ module ActionDispatch
end
end
+ def setup
+ @controller = nil
+ @request = nil
+ end
+
def test_assert_response_predicate_methods
[:success, :missing, :redirect, :error].each do |sym|
@response = FakeResponse.new RESPONSE_PREDICATES[sym].to_s.sub(/\?/, '').to_sym
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index 87816515e7..f23aa599c1 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -297,4 +297,32 @@ class ParametersPermitTest < ActiveSupport::TestCase
assert @params.to_h.is_a? ActiveSupport::HashWithIndifferentAccess
assert_not @params.to_h.is_a? ActionController::Parameters
end
+
+ test "to_h only deep dups Ruby collections" do
+ company = Class.new do
+ attr_reader :dupped
+ def dup; @dupped = true; end
+ end.new
+
+ params = ActionController::Parameters.new(prem: { likes: %i( dancing ) })
+ assert_equal({ 'prem' => { 'likes' => %i( dancing ) } }, params.permit!.to_h)
+
+ params = ActionController::Parameters.new(companies: [ company, :acme ])
+ assert_equal({ 'companies' => [ company, :acme ] }, params.permit!.to_h)
+ assert_not company.dupped
+ end
+
+ test "to_unsafe_h only deep dups Ruby collections" do
+ company = Class.new do
+ attr_reader :dupped
+ def dup; @dupped = true; end
+ end.new
+
+ params = ActionController::Parameters.new(prem: { likes: %i( dancing ) })
+ assert_equal({ 'prem' => { 'likes' => %i( dancing ) } }, params.to_unsafe_h)
+
+ params = ActionController::Parameters.new(companies: [ company, :acme ])
+ assert_equal({ 'companies' => [ company, :acme ] }, params.to_unsafe_h)
+ assert_not company.dupped
+ end
end
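Review bot: Both new tests check only the negative half of their names: that a non-collection object stored in the parameters is never sent `dup`. Nothing asserts that the nested Ruby hashes and arrays are actually copied, so an implementation that handed back the original nested objects would still pass, and a caller mutating the result could then alter the parameters it came from. Assuming a deep copy is the intended contract, each test could add `hash = params.to_unsafe_h`, `hash['companies'] << :other` and `assert_equal [ company, :acme ], params.to_unsafe_h['companies']` (with `permit!.to_h` in the first test). The anonymous `company` class is repeated verbatim in both tests and could move to a small private helper.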
diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
index 21dfd9cd03..0b184eace9 100644
--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
@@ -307,10 +307,10 @@ class RedirectTest < ActionController::TestCase
end
def test_redirect_to_params
- error = assert_raise(ActionController::ActionControllerError) do
+ error = assert_raise(ArgumentError) do
get :redirect_to_params
end
- assert_equal "Cannot redirect to a parameter hash!", error.message
+ assert_equal "Generating an URL from non sanitized request parameters is insecure!", error.message
end
def test_redirect_to_with_block
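Review bot: The expected exception in `test_redirect_to_params` changes from `ActionController::ActionControllerError` to `ArgumentError`, and nothing in the test says why redirecting to raw request parameters is rejected. Code that rescues the old class around a redirect would presumably stop catching this case; the non-test side of the change is not visible here, so that needs confirming there. A comment above the assertion would help, for example `# request parameters that were not permitted must never become a redirect target`. The exact-message assertion also ties the test to the wording of the error, so any later rewording has to be made here too.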
diff --git a/actionpack/test/controller/test_case_test.rb b/actionpack/test/controller/test_case_test.rb
index e50373a0cc..b9caddcdb7 100644
--- a/actionpack/test/controller/test_case_test.rb
+++ b/actionpack/test/controller/test_case_test.rb
@@ -172,7 +172,7 @@ XML
before_action { @dynamic_opt = 'opt' }
def test_url_options_reset
- render plain: url_for(params)
+ render plain: url_for
end
def default_url_options
diff --git a/actionpack/test/controller/url_for_test.rb b/actionpack/test/controller/url_for_test.rb
index 78e883f134..67212fea38 100644
--- a/actionpack/test/controller/url_for_test.rb
+++ b/actionpack/test/controller/url_for_test.rb
@@ -375,6 +375,13 @@ module AbstractController
assert_equal({'query[person][position][]' => 'prof' }.to_query, params[3])
end
+ def test_url_action_controller_parameters
+ add_host!
+ assert_raise(ArgumentError) do
+ W.new.url_for(ActionController::Parameters.new(:controller => 'c', :action => 'a', protocol: 'javascript', f: '%0Aeval(name)'))
+ end
+ end
+
def test_path_generation_for_symbol_parameter_keys
assert_generates("/image", :controller=> :image)
end
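Review bot: `test_url_action_controller_parameters` can pass for the wrong reason, because it accepts any `ArgumentError` while the input combines two things: an unpermitted `ActionController::Parameters` object and a hostile `protocol`/`f` pair. If `url_for` raised `ArgumentError` for the protocol value alone, the test would stay green while unpermitted parameters with ordinary values were still accepted. Capturing the error and checking its message would pin the cause, e.g. `error = assert_raise(ArgumentError) do … end` followed by `assert_equal "Generating an URL from non sanitized request parameters is insecure!", error.message` (presumably the same message redirect_test.rb expects; confirm). A second case with only `controller` and `action` set would show that rejection does not depend on the values. The enclosing test class starts outside this hunk.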
diff --git a/actionpack/test/dispatch/middleware_stack_test.rb b/actionpack/test/dispatch/middleware_stack_test.rb
index 33aa616474..a8c8e0784f 100644
--- a/actionpack/test/dispatch/middleware_stack_test.rb
+++ b/actionpack/test/dispatch/middleware_stack_test.rb
@@ -131,4 +131,20 @@ class MiddlewareStackTest < ActiveSupport::TestCase
assert_equal BazMiddleware, @stack.last.klass
end
end
+
+ test "can check if Middleware are equal - Class" do
+ assert_equal @stack.last, BarMiddleware
+ end
+
+ test "includes a class" do
+ assert_equal true, @stack.include?(BarMiddleware)
+ end
+
+ test "can check if Middleware are equal - Middleware" do
+ assert_equal @stack.last, @stack.last
+ end
+
+ test "includes a middleware" do
+ assert_equal true, @stack.include?(ActionDispatch::MiddlewareStack::Middleware.new(BarMiddleware, nil, nil))
+ end
end
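Review bot: In "can check if Middleware are equal - Middleware" the assertion `assert_equal @stack.last, @stack.last` compares an object with itself, so it passes on plain object identity and never exercises an equality method that takes another `Middleware`. Comparing against a separately built instance would test what the name promises: `assert_equal @stack.last, ActionDispatch::MiddlewareStack::Middleware.new(BarMiddleware, nil, nil)`, the same constructor call the "includes a middleware" test already uses. In the "- Class" test the arguments are in the order (actual, expected), apparently so that `==` is sent to the middleware rather than to the class. A short comment such as `# receiver must be the Middleware so its == is the one under test` would stop someone from "fixing" the order later.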