Diffstat (limited to 'actionpack')
19 files changed, 125 insertions, 49 deletions
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index 620fdc4a72..02758148c0 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
 s.add_dependency('rack', '~> 1.3.2')
 s.add_dependency('rack-test', '~> 0.6.0')
 s.add_dependency('rack-mount', '~> 0.8.1')
- s.add_dependency('sprockets', '~> 2.0.0.beta.12')
+ s.add_dependency('sprockets', '~> 2.0.0.beta.14')
 s.add_dependency('erubis', '~> 2.7.0')
 s.add_development_dependency('tzinfo', '~> 0.3.29')
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index ce56d8bc71..da93c988c4 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -63,7 +63,7 @@ module ActionController
 #
 # == Sessions
 #
- # Sessions allows you to store objects in between requests. This is useful for objects that are not yet ready to be persisted,
+ # Sessions allow you to store objects in between requests. This is useful for objects that are not yet ready to be persisted,
 # such as a Signup object constructed in a multi-paged process, or objects that don't change much and are needed all the time, such
 # as a User object for a system that requires login. The session should not be used, however, as a cache for objects where it's likely
 # they could be changed unknowingly. It's usually too much work to keep it all synchronized -- something databases already excel at.
diff --git a/actionpack/lib/action_controller/metal/instrumentation.rb b/actionpack/lib/action_controller/metal/instrumentation.rb
index 85d0f5f699..777a0ab343 100644
--- a/actionpack/lib/action_controller/metal/instrumentation.rb
+++ b/actionpack/lib/action_controller/metal/instrumentation.rb
@@ -58,8 +58,8 @@ module ActionController
 def redirect_to(*args)
 ActiveSupport::Notifications.instrument("redirect_to.action_controller") do |payload|
 result = super
- payload[:status] = self.status
- payload[:location] = self.location
+ payload[:status] = response.status
+ payload[:location] = response.location
 result
 end
 end
@@ -97,4 +97,4 @@ module ActionController
 end
 end
 end
-end
\ No newline at end of file
+end
diff --git a/actionpack/lib/action_controller/metal/params_wrapper.rb b/actionpack/lib/action_controller/metal/params_wrapper.rb
index 2d8afc3a78..f24203db3a 100644
--- a/actionpack/lib/action_controller/metal/params_wrapper.rb
+++ b/actionpack/lib/action_controller/metal/params_wrapper.rb
@@ -9,10 +9,9 @@ module ActionController
 # Wraps parameters hash into nested hash. This will allow client to submit
 # POST request without having to specify a root element in it.
 #
- # By default this functionality won't be enabled. You can enable
- # it globally by setting +ActionController::Base.wrap_parameters+:
- #
- # ActionController::Base.wrap_parameters = [:json]
+ # This functionality is enabled in +config/initializers/wrap_parameters.rb+
+ # and can be customized. If you are upgrading to Rails 3.1, this file will
+ # need to be created for the functionality to be enabled.
 #
 # You could also turn it on per controller by setting the format array to
 # non-empty array:
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index dee7eb1ec8..4f311a1cf5 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -45,7 +45,7 @@ module ActionController
 # integer, or a symbol representing the downcased, underscored and symbolized description.
 # Note that the status code must be a 3xx HTTP code, or redirection will not occur.
 #
- # It is also possible to assign a flash message as part of the redirection. There are two special accessors for commonly used the flash names
+ # It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
 # +alert+ and +notice+ as well as a general purpose +flash+ bucket.
 #
 # Examples:
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
index 22b3243104..4e1f016431 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -156,7 +156,7 @@ module HTML #:nodoc:
 end
 closing = ( scanner.scan(/\//) ? :close : nil )
- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
 name.downcase! unless closing
diff --git a/actionpack/lib/action_view/helpers/javascript_helper.rb b/actionpack/lib/action_view/helpers/javascript_helper.rb
index 4484390fde..f1b071caf7 100644
--- a/actionpack/lib/action_view/helpers/javascript_helper.rb
+++ b/actionpack/lib/action_view/helpers/javascript_helper.rb
@@ -10,7 +10,8 @@ module ActionView
 "\n" => '\n',
 "\r" => '\n',
 '"' => '\\"',
- "'" => "\\'" }
+ "'" => "\\'",
+ "\342\200\250" => '
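Review bot: The widened tag-name class `/[^\s!>\/]+/` on the changed line is a security-relevant tokenizer change with no comment explaining its intent, and it now accepts characters such as `"`, `'`, `<` and `=` that never occur in a real tag name. The motivation seems to be that a token the tokenizer already delimited as a tag (for example `<"` followed by attributes, as in the new sanitizer test) must not fall through to the `Text.new` branch, because a Text node is presumably emitted verbatim and the browser would then parse the embedded markup itself; that reasoning belongs next to the regex: `# Anything up to whitespace, "!", ">" or "/" is the tag name: a token the tokenizer treated as a tag must never degrade to Text, which is emitted unescaped.` Callers that use `name` as a lookup key (whitelists, the `name.downcase!` below) now see arbitrary punctuation, so it is worth confirming they treat an unknown name as reject-by-default. The enclosing parse method starts and ends outside the hunk.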
' }
 # Escape carrier returns and single and double quotes for JavaScript segments.
 # Also available through the alias j(). This is particularly helpful in JavaScript responses, like:
@@ -18,7 +19,7 @@ module ActionView
 # $('some_element').replaceWith('<%=j render 'some/element_template' %>');
 def escape_javascript(javascript)
 if javascript
- result = javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] }
+ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] }
 javascript.html_safe? ? result.html_safe : result
 else
 ''
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 51baca8e03..4dbb0135f6 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -268,7 +268,7 @@ module ActionView
 # to change the HTTP verb used to submit the form.
 #
 # ==== Options
- # The +options+ hash accepts the same options as url_for.
+ # The +options+ hash accepts the same options as +url_for+.
 #
 # There are a few special +html_options+:
 # * <tt>:method</tt> - Symbol of HTTP verb. Supported verbs are <tt>:post</tt>, <tt>:get</tt>,
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 7abaa07bc7..f855ea257c 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
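Review bot: The new escape covers U+2028 (LINE SEPARATOR) only, but ECMAScript treats U+2029 (PARAGRAPH SEPARATOR) as a line terminator in exactly the same way, so a string containing it can still break out of a JavaScript string literal after `escape_javascript`. Add the parallel map entry, `"\342\200\251" => <same replacement form as the U+2028 entry>`, and extend the alternation to `/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/`; the rendering here does not show whether the U+2028 replacement is an HTML entity or the raw character, so mirror whatever the map uses. The matching assertion added to javascript_helper_test.rb should get a U+2029 case as well. Because the octal escapes are opaque, a comment on the map entry such as `# U+2028/U+2029 are JavaScript line terminators and must not appear raw inside a string literal` would help the next reader.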
@@ -142,8 +142,12 @@ module ActionView
 # Helper for building query glob string based on resolver's pattern.
 def build_query(path, details)
 query = @pattern.dup
- query.gsub!(/\:prefix(\/)?/, path.prefix.empty? ? "" : "#{path.prefix}\\1") # prefix can be empty...
- query.gsub!(/\:action/, path.partial? ? "_#{path.name}" : path.name)
+
+ prefix = path.prefix.empty? ? "" : "#{escape_entry(path.prefix)}\\1"
+ query.gsub!(/\:prefix(\/)?/, prefix)
+
+ partial = escape_entry(path.partial? ? "_#{path.name}" : path.name)
+ query.gsub!(/\:action/, partial)
 details.each do |ext, variants|
 query.gsub!(/\:#{ext}/, "{#{variants.compact.uniq.join(',')}}")
@@ -152,6 +156,10 @@ module ActionView
 File.expand_path(query, @path)
 end
+ def escape_entry(entry)
+ entry.gsub(/[*?{}\[\]]/, '\\\\\\&')
+ end
+
 # Returns the file mtime from the filesystem.
 def mtime(p)
 File.mtime(p)
@@ -228,8 +236,9 @@ module ActionView
 class OptimizedFileSystemResolver < FileSystemResolver #:nodoc:
 def build_query(path, details)
 exts = EXTENSIONS.map { |ext| details[ext] }
+ query = escape_entry(File.join(@path, path))
- File.join(@path, path) + exts.map { |ext|
+ query + exts.map { |ext|
 "{#{ext.compact.uniq.map { |e| ".#{e}," }.join}}"
 }.join
 end
diff --git a/actionpack/lib/sprockets/assets.rake b/actionpack/lib/sprockets/assets.rake
index 01132d218f..acf2f256c2 100644
--- a/actionpack/lib/sprockets/assets.rake
+++ b/actionpack/lib/sprockets/assets.rake
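Review bot: `FileSystemResolver#build_query` escapes only `path.prefix` and the action name and leaves `@path` untouched in `File.expand_path(query, @path)`, while `OptimizedFileSystemResolver#build_query` escapes the whole of `File.join(@path, path)`, so a view path containing a glob metacharacter (`[`, `{`, `*`) is presumably globbed differently by the two resolvers; pick one rule and state it in a comment on `escape_entry`, e.g. `# Escape glob metacharacters in a name that came from the caller so render("h*llo") cannot match other templates.` The character class does not include the backslash, and since Dir.glob treats `\` as its escape character an entry such as `a\*b` becomes `a\\*b`, where the `*` is a live wildcard again; adding `\\\\` to the class closes that. The replacement string `'\\\\\\&'` is hard to read; `entry.gsub(/[*?{}\[\]]/) { "\\#{$&}" }` expresses the same thing. The two build_query methods each extend beyond their hunks.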
@@ -1,24 +1,32 @@
 namespace :assets do
- task :ensure_env do
- ENV["RAILS_GROUPS"] ||= "assets"
- ENV["RAILS_ENV"] ||= "production"
- end
-
 desc "Compile all the assets named in config.assets.precompile"
- task :precompile => :ensure_env do
- Rake::Task["environment"].invoke
- Sprockets::Helpers::RailsHelper
+ task :precompile do
+ # We need to do this dance because RAILS_GROUPS is used
+ # too early in the boot process and changing here is already too late.
+ if ENV["RAILS_GROUPS"].to_s.empty? || ENV["RAILS_ENV"].to_s.empty?
+ ENV["RAILS_GROUPS"] ||= "assets"
+ ENV["RAILS_ENV"] ||= "production"
+ Kernel.exec $0, *ARGV
+ else
+ Rake::Task["environment"].invoke
+
+ # Ensure that action view is loaded and the appropriate sprockets hooks get executed
+ ActionView::Base
+
+ # Always perform caching so that asset_path appends the timestamps to file references.
+ Rails.application.config.action_controller.perform_caching = true
- assets = Rails.application.config.assets.precompile
- # Always perform caching so that asset_path appends the timestamps to file references.
- Rails.application.config.action_controller.perform_caching = true
- Rails.application.assets.precompile(*assets)
+ config = Rails.application.config
+ assets = config.assets.precompile.dup
+ assets << {:to => File.join(Rails.public_path, config.assets.prefix)}
+ Rails.application.assets.precompile(*assets)
+ end
 end
 desc "Remove compiled assets"
 task :clean => [:environment, 'tmp:cache:clear'] do
- assets = Rails.application.config.assets
- public_asset_path = Rails.public_path + assets.prefix
+ config = Rails.application.config
+ public_asset_path = File.join(Rails.public_path, config.assets.prefix)
 rm_rf public_asset_path, :secure => true
 end
 end
diff --git a/actionpack/lib/sprockets/helpers/rails_helper.rb b/actionpack/lib/sprockets/helpers/rails_helper.rb
index ec3d36d5ad..c239af77bc 100644
--- a/actionpack/lib/sprockets/helpers/rails_helper.rb
+++ b/actionpack/lib/sprockets/helpers/rails_helper.rb
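Review bot: The re-exec guard in `:precompile` can loop forever: the condition tests `to_s.empty?`, which is true for an empty string, but `ENV[...] ||= ...` only assigns when the value is nil, so `RAILS_ENV=""` (or `RAILS_GROUPS=""`) leaves the variable empty and `Kernel.exec $0, *ARGV` lands in the same branch on every run. Assign on the same predicate the guard tests: `ENV["RAILS_GROUPS"] = "assets" if ENV["RAILS_GROUPS"].to_s.empty?` and `ENV["RAILS_ENV"] = "production" if ENV["RAILS_ENV"].to_s.empty?`. `Kernel.exec $0, *ARGV` also presumes `$0` is directly executable, which is not guaranteed for every way rake can be launched; a comment stating that assumption next to the call would help whoever hits it. The task now silently defaults to the `production` environment, which the `desc` string should mention.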
@@ -70,8 +70,8 @@ module Sprockets
 private
 def debug_assets?
- params[:debug_assets] == '1' ||
- params[:debug_assets] == 'true'
+ Rails.env.development? || Rails.env.test? ||
+ params[:debug_assets] == '1' || params[:debug_assets] == 'true'
 rescue NoMethodError
 false
 end
@@ -112,11 +112,22 @@ module Sprockets
 asset_environment[source]
 end
+ def digest_for(logical_path)
+ if asset = asset_environment[logical_path]
+ return asset.digest_path
+ end
+
+ logical_path
+ end
+
 def rewrite_asset_path(source, dir)
 if source[0] == ?/
 source
 else
- asset_environment.path(source, performing_caching?, dir)
+ source = digest_for(source) if performing_caching?
+ source = File.join(dir, source)
+ source = "/#{source}" unless source =~ /^\//
+ source
 end
 end
@@ -128,9 +139,14 @@ module Sprockets
 end
 end
- # When included in Sprockets::Context, we need to ask the top-level config as the controller is not available
 def performing_caching?
- config.action_controller.present? ? config.action_controller.perform_caching : config.perform_caching
+ # When included in Sprockets::Context, we need to ask the
+ # top-level config as the controller is not available.
+ if config.action_controller.present?
+ config.action_controller.perform_caching
+ else
+ config.perform_caching
+ end
 end
 end
 end
diff --git a/actionpack/lib/sprockets/railtie.rb b/actionpack/lib/sprockets/railtie.rb
index 0a2c8c1ea3..c21bf57935 100644
--- a/actionpack/lib/sprockets/railtie.rb
+++ b/actionpack/lib/sprockets/railtie.rb
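Review bot: In `rewrite_asset_path`, `source =~ /^\//` anchors with `^`, which matches at the start of any line rather than of the string, so a joined value containing a newline before a `/` would be treated as already absolute; `source.start_with?("/")` says what is meant and allocates no MatchData. `digest_for` is undocumented and its fallback is notable: when the environment does not know the logical path it returns the path unchanged instead of failing, so a mistyped asset name silently yields an undigested URL; `# Returns the digest path for a known asset, or the logical path unchanged when the environment does not know it` would make that deliberate. `debug_assets?` now forces debug mode for every development and test request regardless of `params`, and the `rescue NoMethodError` beneath it swallows any NoMethodError raised inside `Rails.env` or `params`, not only the no-controller case it was written for; guarding with `respond_to?(:params)` would be narrower than rescuing.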
@@ -18,9 +18,8 @@ module Sprockets
 require 'sprockets'
 app.assets = Sprockets::Environment.new(app.root.to_s) do |env|
- env.static_root = File.join(app.root.join('public'), config.assets.prefix)
- env.logger = ::Rails.logger
- env.version = ::Rails.env + "#{'-' + config.assets.version if config.assets.version.present?}"
+ env.logger = ::Rails.logger
+ env.version = ::Rails.env + "-#{config.assets.version}"
 if config.assets.cache_store != false
 env.cache = ActiveSupport::Cache.lookup_store(config.assets.cache_store) || ::Rails.cache
diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
index 92d4a6d98b..79041055bd 100644
--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
@@ -4,6 +4,11 @@ class WorkshopsController < ActionController::Base
 end
 class RedirectController < ActionController::Base
+ # empty method not used anywhere to ensure methods like
+ # `status` and `location` aren't called on `redirect_to` calls
+ def status; render :text => 'called status'; end
+ def location; render :text => 'called location'; end
+
 def simple_redirect
 redirect_to :action => "hello_world"
 end
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index ce4b407c7d..6bcd606bf4 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -405,6 +405,14 @@ class TestController < ActionController::Base
 render :template => "test/hello_world"
 end
+ def render_with_explicit_unescaped_template
+ render :template => "test/h*llo_world"
+ end
+
+ def render_with_explicit_escaped_template
+ render :template => "test/hello_w*rld"
+ end
+
 def render_with_explicit_string_template
 render "test/hello_world"
 end
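Review bot: `env.version = ::Rails.env + "-#{config.assets.version}"` always appends the separator, so with no configured version the value becomes `production-`, whereas the removed line appended nothing; every asset cache entry is keyed differently after this upgrade, which is fine if intended but deserves a comment such as `# Always include the version suffix (possibly empty) so bumping config.assets.version invalidates cached assets.` The removed `env.static_root` assignment changes where compiled assets are looked up and nothing in this hunk says what replaces it; if the `:to` option added to the precompile task is the replacement, say so here. The enclosing initializer block starts and ends outside the hunk. In redirect_test.rb the new comment calls the methods `not used anywhere`, but they exist precisely so the test fails if `redirect_to` calls them; `# defined so that redirect_to fails loudly if it ever calls status/location on the controller` reads more accurately.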
@@ -1057,6 +1065,12 @@ class RenderTest < ActionController::TestCase
 assert_response :success
 end
+ def test_render_with_explicit_unescaped_template
+ assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
+ get :render_with_explicit_escaped_template
+ assert_equal "Hello w*rld!", @response.body
+ end
+
 def test_render_with_explicit_string_template
 get :render_with_explicit_string_template
 assert_equal "<html>Hello world!</html>", @response.body
diff --git a/actionpack/test/fixtures/test/hello_w*rld.erb b/actionpack/test/fixtures/test/hello_w*rld.erb
new file mode 100644
index 0000000000..bc8fa5e0ca
--- /dev/null
+++ b/actionpack/test/fixtures/test/hello_w*rld.erb
@@ -0,0 +1 @@
+Hello w*rld!
\ No newline at end of file
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index ad31812273..eb569c7308 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -508,25 +508,25 @@ class FormTagHelperTest < ActionView::TestCase
 def test_text_area_tag_options_symbolize_keys_side_effects
 options = { :option => "random_option" }
- actual = text_area_tag "body", "hello world", options
+ text_area_tag "body", "hello world", options
 assert_equal options, { :option => "random_option" }
 end
 def test_submit_tag_options_symbolize_keys_side_effects
 options = { :option => "random_option" }
- actual = submit_tag "submit value", options
+ submit_tag "submit value", options
 assert_equal options, { :option => "random_option" }
 end
 def test_button_tag_options_symbolize_keys_side_effects
 options = { :option => "random_option" }
- actual = button_tag "button value", options
+ button_tag "button value", options
 assert_equal options, { :option => "random_option" }
 end
 def test_image_submit_tag_options_symbolize_keys_side_effects
 options = { :option => "random_option" }
- actual = image_submit_tag "submit source", options
+ image_submit_tag "submit source", options
 assert_equal options, { :option => "random_option" }
 end
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
index 678cb9eeeb..62ad6be680 100644
--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -5,6 +5,13 @@ class SanitizerTest < ActionController::TestCase
 @sanitizer = nil # used by assert_sanitizer
 end
+ def test_strip_tags_with_quote
+ sanitizer = HTML::FullSanitizer.new
+ string = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+ assert_equal ' hi', sanitizer.sanitize(string)
+ end
+
 def test_strip_tags
 sanitizer = HTML::FullSanitizer.new
 assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
diff --git a/actionpack/test/template/javascript_helper_test.rb b/actionpack/test/template/javascript_helper_test.rb
index dd8b7b7cd5..bab9d42472 100644
--- a/actionpack/test/template/javascript_helper_test.rb
+++ b/actionpack/test/template/javascript_helper_test.rb
@@ -27,6 +27,7 @@ class JavaScriptHelperTest < ActionView::TestCase
 assert_equal %(This \\"thing\\" is really\\n netos\\'), escape_javascript(%(This "thing" is really\n netos'))
 assert_equal %(backslash\\\\test), escape_javascript( %(backslash\\test) )
 assert_equal %(dont <\\/close> tags), escape_javascript(%(dont </close> tags))
+ assert_equal %(unicode 
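Review bot: The new test pins only `HTML::FullSanitizer`, but the tokenizer change it depends on also feeds the whitelist sanitizer, whose handling of a bogus tag such as `<" <img ...>` is what matters for `sanitize` in views; a parallel assertion with `HTML::WhiteListSanitizer.new` on the same `string` would pin that the element is removed or escaped rather than passed through as text. A one-line comment above `string`, `# a quote right after "<" must still be parsed as a tag so the payload cannot leak out as text`, would record why this case exists, since the input looks arbitrary otherwise.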
 newline), escape_javascript(%(unicode \342\200\250 newline))
 assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
 end
diff --git a/actionpack/test/template/sprockets_helper_test.rb b/actionpack/test/template/sprockets_helper_test.rb
index dfa635335e..d303acad0f 100644
--- a/actionpack/test/template/sprockets_helper_test.rb
+++ b/actionpack/test/template/sprockets_helper_test.rb
@@ -141,6 +141,8 @@ class SprocketsHelperTest < ActionView::TestCase
 end
 test "javascript include tag" do
+ Rails.env.stubs(:test?).returns(false)
+
 assert_match %r{<script src="/assets/application-[0-9a-f]+.js" type="text/javascript"></script>},
 javascript_include_tag(:application)
@@ -151,11 +153,17 @@ class SprocketsHelperTest < ActionView::TestCase
 assert_equal '<script src="http://www.example.com/xmlhr" type="text/javascript"></script>',
 javascript_include_tag("http://www.example.com/xmlhr")
+ assert_match %r{<script src=\"/assets/xmlhr-[0-9a-f]+.js" type=\"text/javascript\"></script>\n<script src=\"/assets/extra-[0-9a-f]+.js" type=\"text/javascript\"></script>},
+ javascript_include_tag("xmlhr", "extra")
+
+ Rails.env.stubs(:test?).returns(true)
+
 assert_match %r{<script src="/assets/xmlhr-[0-9a-f]+.js\?body=1" type="text/javascript"></script>\n<script src="/assets/application-[0-9a-f]+.js\?body=1" type="text/javascript"></script>},
- javascript_include_tag(:application, :debug => true)
+ javascript_include_tag(:application)
+
+ assert_match %r{<script src="/assets/application-[0-9a-f]+.js\" type="text/javascript"></script>},
+ javascript_include_tag(:application, :debug => false)
- assert_match %r{<script src=\"/assets/xmlhr-[0-9a-f]+.js\" type=\"text/javascript\"></script>\n<script src=\"/assets/extra-[0-9a-f]+.js\" type=\"text/javascript\"></script>},
- javascript_include_tag("xmlhr", "extra")
 end
 test "stylesheet path" do
@@ -172,6 +180,8 @@ class SprocketsHelperTest < ActionView::TestCase
 end
 test "stylesheet link tag" do
+ Rails.env.stubs(:test?).returns(false)
+
 assert_match %r{<link href="/assets/application-[0-9a-f]+.css" media="screen" rel="stylesheet" type="text/css" />},
 stylesheet_link_tag(:application)
@@ -187,11 +197,17 @@ class SprocketsHelperTest < ActionView::TestCase
 assert_match %r{<link href="/assets/style-[0-9a-f]+.css" media="print" rel="stylesheet" type="text/css" />},
 stylesheet_link_tag("style", :media => "print")
- assert_match %r{<link href="/assets/style-[0-9a-f]+.css\?body=1" media="screen" rel="stylesheet" type="text/css" />\n<link href="/assets/application-[0-9a-f]+.css\?body=1" media="screen" rel="stylesheet" type="text/css" />},
- stylesheet_link_tag(:application, :debug => true)
-
 assert_match %r{<link href="/assets/style-[0-9a-f]+.css" media="screen" rel="stylesheet" type="text/css" />\n<link href="/assets/extra-[0-9a-f]+.css" media="screen" rel="stylesheet" type="text/css" />},
 stylesheet_link_tag("style", "extra")
+
+ Rails.env.stubs(:test?).returns(true)
+
+ assert_match %r{<link href="/assets/style-[0-9a-f]+.css\?body=1" media="screen" rel="stylesheet" type="text/css" />\n<link href="/assets/application-[0-9a-f]+.css\?body=1" media="screen" rel="stylesheet" type="text/css" />},
+ stylesheet_link_tag(:application)
+
+ assert_match %r{<link href="/assets/application-[0-9a-f]+.css" media="screen" rel="stylesheet" type="text/css" />},
+ stylesheet_link_tag(:application, :debug => false)
+
 end
 test "alternate asset prefix" do |