diff options
Diffstat (limited to 'actionpack')
10 files changed, 117 insertions, 58 deletions
| diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 63a208dbcf..b0b75f6909 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,13 @@ +*   Fix regex used to detect URI schemes in `redirect_to` to be consistent with +    RFC 3986. + +    *Derek Prior* + +*   Fix incorrect `assert_redirected_to` failure message for protocol-relative +    URLs. + +    *Derek Prior* +  *   Fix an issue where router can't recognize downcased url encoding path.      Fixes #12269 diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb index e9031f3fac..ab14a61b97 100644 --- a/actionpack/lib/action_controller/metal/redirecting.rb +++ b/actionpack/lib/action_controller/metal/redirecting.rb @@ -71,6 +71,26 @@ module ActionController        self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(location)}\">redirected</a>.</body></html>"      end +    def _compute_redirect_to_location(options) #:nodoc: +      case options +      # The scheme name consist of a letter followed by any combination of +      # letters, digits, and the plus ("+"), period ("."), or hyphen ("-") +      # characters; and is terminated by a colon (":"). +      # See http://tools.ietf.org/html/rfc3986#section-3.1 +      # The protocol relative scheme starts with a double slash "//". +      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i +        options +      when String +        request.protocol + request.host_with_port + options +      when :back +        request.headers["Referer"] or raise RedirectBackError +      when Proc +        _compute_redirect_to_location options.call +      else +        url_for(options) +      end.delete("\0\r\n") +    end +      private        def _extract_redirect_to_status(options, response_status)          if options.is_a?(Hash) && options.key?(:status) @@ -81,24 +101,5 @@ module ActionController            302          end        end - -      def _compute_redirect_to_location(options) -        case options -        # The scheme name consist of a letter followed by any combination of -        # letters, digits, and the plus ("+"), period ("."), or hyphen ("-") -        # characters; and is terminated by a colon (":"). -        # The protocol relative scheme starts with a double slash "//" -        when %r{\A(\w[\w+.-]*:|//).*} -          options -        when String -          request.protocol + request.host_with_port + options -        when :back -          request.headers["Referer"] or raise RedirectBackError -        when Proc -          _compute_redirect_to_location options.call -        else -          url_for(options) -        end.delete("\0\r\n") -      end    end  end diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 573c739da4..bd64b1f812 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -124,6 +124,9 @@ module ActionController #:nodoc:              @loaded = true            end +          # no-op +          def destroy; end +            def exists?              true            end diff --git a/actionpack/lib/action_dispatch/journey/router/utils.rb b/actionpack/lib/action_dispatch/journey/router/utils.rb index 80011597aa..1edf86cd88 100644 --- a/actionpack/lib/action_dispatch/journey/router/utils.rb +++ b/actionpack/lib/action_dispatch/journey/router/utils.rb @@ -7,11 +7,13 @@ module ActionDispatch          # Normalizes URI path.          #          # Strips off trailing slash and ensures there is a leading slash. +        # Also converts downcase url encoded string to uppercase.          #          #   normalize_path("/foo")  # => "/foo"          #   normalize_path("/foo/") # => "/foo"          #   normalize_path("foo")   # => "/foo"          #   normalize_path("")      # => "/" +        #   normalize_path("/%ab")  # => "/%AB"          def self.normalize_path(path)            path = "/#{path}"            path.squeeze!('/') @@ -36,7 +38,7 @@ module ActionDispatch            UNSAFE_FRAGMENT = Regexp.new("[^#{safe_fragment}]", false).freeze          end -        Parser = URI.const_defined?(:Parser) ? URI::Parser.new : URI +        Parser = URI::Parser.new          def self.escape_path(path)            Parser.escape(path.to_s, UriEscape::UNSAFE_SEGMENT) diff --git a/actionpack/lib/action_dispatch/journey/visitors.rb b/actionpack/lib/action_dispatch/journey/visitors.rb index 0a8cb1b4d4..a5b4679fae 100644 --- a/actionpack/lib/action_dispatch/journey/visitors.rb +++ b/actionpack/lib/action_dispatch/journey/visitors.rb @@ -84,44 +84,43 @@ module ActionDispatch        # Used for formatting urls (url_for)        class Formatter < Visitor # :nodoc: -        attr_reader :options, :consumed +        attr_reader :options          def initialize(options)            @options  = options -          @consumed = {}          end          private -          def visit_GROUP(node) -            if consumed == options -              nil -            else -              route = visit(node.left) -              route.include?("\0") ? nil : route +          def visit(node, optional = false) +            case node.type +            when :LITERAL, :SLASH, :DOT +              node.left +            when :STAR +              visit(node.left) +            when :GROUP +              visit(node.left, true) +            when :CAT +              visit_CAT(node, optional) +            when :SYMBOL +              visit_SYMBOL(node)              end            end -          def terminal(node) -            node.left -          end - -          def binary(node) -            [visit(node.left), visit(node.right)].join -          end +          def visit_CAT(node, optional) +            left = visit(node.left, optional) +            right = visit(node.right, optional) -          def nary(node) -            node.children.map { |c| visit(c) }.join +            if optional && !(right && left) +              "" +            else +              [left, right].join +            end            end            def visit_SYMBOL(node) -            key = node.to_sym - -            if value = options[key] -              consumed[key] = value +            if value = options[node.to_sym]                Router::Utils.escape_path(value) -            else -              "\0"              end            end        end diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb index 6d3f8da932..2fb03f2712 100644 --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb @@ -74,6 +74,19 @@ module ActionDispatch        # * <tt>:routing_type</tt> - Allowed values are <tt>:path</tt> or <tt>:url</tt>.        #   Default is <tt>:url</tt>.        # +      # Also includes all the options from <tt>url_for</tt>. These include such +      # things as <tt>:anchor</tt> or <tt>:trailing_slash</tt>. Example usage +      # is given below: +      # +      #   polymorphic_url([blog, post], anchor: 'my_anchor') +      #     # => "http://example.com/blogs/1/posts/1#my_anchor" +      #   polymorphic_url([blog, post], anchor: 'my_anchor', script_name: "/my_app") +      #     # => "http://example.com/my_app/blogs/1/posts/1#my_anchor" +      # +      # For all of these options, see the documentation for <tt>url_for</tt>. +      # +      # ==== Functionality +      #        #   # an Article record        #   polymorphic_url(record)  # same as article_url(record)        # diff --git a/actionpack/lib/action_dispatch/testing/assertions/response.rb b/actionpack/lib/action_dispatch/testing/assertions/response.rb index 44ed0ac1f3..93f9fab9c2 100644 --- a/actionpack/lib/action_dispatch/testing/assertions/response.rb +++ b/actionpack/lib/action_dispatch/testing/assertions/response.rb @@ -67,21 +67,11 @@ module ActionDispatch          end          def normalize_argument_to_redirection(fragment) -          normalized = case fragment -            when Regexp -              fragment -            when %r{^\w[A-Za-z\d+.-]*:.*} -              fragment -            when String -              @request.protocol + @request.host_with_port + fragment -            when :back -              raise RedirectBackError unless refer = @request.headers["Referer"] -              refer -            else -              @controller.url_for(fragment) -            end - -          normalized.respond_to?(:delete) ? normalized.delete("\0\r\n") : normalized +          if Regexp === fragment +            fragment +          else +            @controller._compute_redirect_to_location(fragment) +          end          end      end    end diff --git a/actionpack/test/controller/action_pack_assertions_test.rb b/actionpack/test/controller/action_pack_assertions_test.rb index 22a410db94..ba4cffcd3e 100644 --- a/actionpack/test/controller/action_pack_assertions_test.rb +++ b/actionpack/test/controller/action_pack_assertions_test.rb @@ -39,6 +39,8 @@ class ActionPackAssertionsController < ActionController::Base    def redirect_external() redirect_to "http://www.rubyonrails.org"; end +  def redirect_external_protocol_relative() redirect_to "//www.rubyonrails.org"; end +    def response404() head '404 AWOL' end    def response500() head '500 Sorry' end @@ -258,6 +260,19 @@ class ActionPackAssertionsControllerTest < ActionController::TestCase      end    end +  def test_assert_redirect_failure_message_with_protocol_relative_url +    begin +      process :redirect_external_protocol_relative +      assert_redirected_to "/foo" +    rescue ActiveSupport::TestCase::Assertion => ex +      assert_no_match( +        /#{request.protocol}#{request.host}\/\/www.rubyonrails.org/, +        ex.message, +        'protocol relative url was incorrectly normalized' +      ) +    end +  end +    def test_template_objects_exist      process :assign_this      assert !@controller.instance_variable_defined?(:"@hi") @@ -309,6 +324,9 @@ class ActionPackAssertionsControllerTest < ActionController::TestCase      process :redirect_external      assert_equal 'http://www.rubyonrails.org', @response.redirect_url + +    process :redirect_external_protocol_relative +    assert_equal '//www.rubyonrails.org', @response.redirect_url    end    def test_no_redirect_url diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index c272e785c2..727db79241 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -78,6 +78,11 @@ class RequestForgeryProtectionControllerUsingNullSession < ActionController::Bas      cookies.encrypted[:foo] = 'bar'      render :nothing => true    end + +  def try_to_reset_session +    reset_session +    render :nothing => true +  end  end  class FreeCookieController < RequestForgeryProtectionControllerUsingResetSession @@ -320,6 +325,11 @@ class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController:      post :encrypted      assert_response :ok    end + +  test 'should allow reset_session' do +    post :try_to_reset_session +    assert_response :ok +  end  end  class RequestForgeryProtectionControllerUsingExceptionTest < ActionController::TestCase diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb index e4c3ddd3f9..3e9e90a950 100644 --- a/actionpack/test/dispatch/routing_test.rb +++ b/actionpack/test/dispatch/routing_test.rb @@ -1102,6 +1102,19 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest      assert_equal 'projects#index', @response.body    end +  def test_scoped_root_as_name +    draw do +      scope '(:locale)', :locale => /en|pl/ do +        root :to => 'projects#index', :as => 'projects' +      end +    end + +    assert_equal '/en', projects_path(:locale => 'en') +    assert_equal '/', projects_path +    get '/en' +    assert_equal 'projects#index', @response.body +  end +    def test_scope_with_format_option      draw do        get "direct/index", as: :no_format_direct, format: false | 
