Diffstat (limited to 'activesupport/lib/active_support')
-rw-r--r--activesupport/lib/active_support/core_ext/module/delegation.rb6
-rw-r--r--activesupport/lib/active_support/inflector/transliterate.rb9
-rw-r--r--activesupport/lib/active_support/parameter_filter.rb7
-rw-r--r--activesupport/lib/active_support/secure_compare_rotator.rb52
4 files changed, 66 insertions, 8 deletions
diff --git a/activesupport/lib/active_support/core_ext/module/delegation.rb b/activesupport/lib/active_support/core_ext/module/delegation.rb
index 54271a3970..14d7f0c484 100644
--- a/activesupport/lib/active_support/core_ext/module/delegation.rb
+++ b/activesupport/lib/active_support/core_ext/module/delegation.rb
@@ -276,6 +276,11 @@ class Module
# The delegated method must be public on the target, otherwise it will
# raise +DelegationError+. If you wish to instead return +nil+,
# use the <tt>:allow_nil</tt> option.
+ #
+ # The <tt>marshal_dump</tt> and <tt>_dump</tt> methods are exempt from
+ # delegation due to possible interference when calling
+ # <tt>Marshal.dump(object)</tt>, should the delegation target method
+ # of <tt>object</tt> add or remove instance variables.
def delegate_missing_to(target, allow_nil: nil)
target = target.to_s
target = "self.#{target}" if DELEGATION_RESERVED_METHOD_NAMES.include?(target)
@@ -285,6 +290,7 @@ class Module
# It may look like an oversight, but we deliberately do not pass
# +include_private+, because they do not get delegated.
+ return false if name == :marshal_dump || name == :_dump
#{target}.respond_to?(name) || super
end
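Review bot: The exemption is added only to the generated `respond_to_missing?`. The generated `method_missing` lies outside this hunk, so it is not visible here whether an explicit `object.marshal_dump` or `object._dump` call would still be forwarded to the target. If `method_missing` checks the target directly, the same guard probably belongs there, or at least a test pinning the intended behaviour. The new line would also read better with a short why-comment next to it, for example `# Marshal.dump probes for these; never answer for the target (see delegate_missing_to docs)`, and the two comparisons could be written as `%i[marshal_dump _dump].include?(name)`.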
diff --git a/activesupport/lib/active_support/inflector/transliterate.rb b/activesupport/lib/active_support/inflector/transliterate.rb
index ea7161a6ba..ec6e9ccb59 100644
--- a/activesupport/lib/active_support/inflector/transliterate.rb
+++ b/activesupport/lib/active_support/inflector/transliterate.rb
@@ -5,9 +5,8 @@ require "active_support/i18n"
module ActiveSupport
module Inflector
- # Replaces non-ASCII characters in a UTF-8 encoded string with an ASCII
- # approximation, or if none exists, a replacement character which
- # defaults to "?".
+ # Replaces non-ASCII characters with an ASCII approximation, or if none
+ # exists, a replacement character which defaults to "?".
#
# transliterate('Ærøskøbing')
# # => "AEroskobing"
@@ -57,12 +56,8 @@ module ActiveSupport
#
# transliterate('Jürgen', locale: :de)
# # => "Juergen"
- #
- # This method requires that `string` be UTF-8 encoded. Passing an argument
- # with a different string encoding will raise an ArgumentError.
def transliterate(string, replacement = "?", locale: nil)
raise ArgumentError, "Can only transliterate strings. Received #{string.class.name}" unless string.is_a?(String)
- raise ArgumentError, "Can only transliterate UTF-8 strings. Received string with encoding #{string.encoding}" unless string.encoding == ::Encoding::UTF_8
I18n.transliterate(
ActiveSupport::Multibyte::Unicode.tidy_bytes(string).unicode_normalize(:nfc),
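Review bot: With the UTF-8 guard removed, a string in any other encoding now flows straight into `tidy_bytes(string).unicode_normalize(:nfc)`, and the updated doc comment no longer says what a caller should expect for such input. `String#unicode_normalize` raises `Encoding::CompatibilityError` for encodings it does not treat as Unicode, so, depending on what `tidy_bytes` returns (not visible here), binary or legacy-encoded input may now fail with a less descriptive error than the removed `ArgumentError`. I would state the contract in the doc comment, e.g. `# Strings that are not UTF-8 are passed through tidy_bytes first; behaviour for non-Unicode encodings is not guaranteed.`, and cover ASCII-8BIT and US-ASCII input in the tests. The `I18n.transliterate(` call continues past the end of this hunk.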
diff --git a/activesupport/lib/active_support/parameter_filter.rb b/activesupport/lib/active_support/parameter_filter.rb
index 8e5595babf..e1cd7c46c1 100644
--- a/activesupport/lib/active_support/parameter_filter.rb
+++ b/activesupport/lib/active_support/parameter_filter.rb
@@ -109,7 +109,12 @@ module ActiveSupport
elsif value.is_a?(Hash)
value = call(value, parents, original_params)
elsif value.is_a?(Array)
- value = value.map { |v| v.is_a?(Hash) ? call(v, parents, original_params) : v }
+ # If we don't pop the current parent it will be duplicated as we
+ # process each array value.
+ parents.pop if deep_regexps
+ value = value.map { |v| value_for_key(key, v, parents, original_params) }
+ # Restore the parent stack after processing the array.
+ parents.push(key) if deep_regexps
elsif blocks.any?
key = key.dup if key.duplicable?
value = value.dup if value.duplicable?
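Review bot: Array elements that are not hashes are now sent back through `value_for_key` with the parent's `key`, so they reach every branch of this chain, including `elsif blocks.any?`; the old code returned them untouched. Filter blocks will therefore be called once per scalar array element. That looks intended, but it is a visible behaviour change for existing blocks and deserves a line in the comment, e.g. `# Each element is filtered under the array's own key, so regexps and blocks apply to scalars too.` The `parents.pop` / `parents.push(key)` pair also relies on a push made earlier in the method under the same `deep_regexps` condition, which is outside this hunk. Noting that pairing in the comment would keep a later edit from unbalancing the stack and changing which dotted paths the deep filters match.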
diff --git a/activesupport/lib/active_support/secure_compare_rotator.rb b/activesupport/lib/active_support/secure_compare_rotator.rb
new file mode 100644
index 0000000000..14a0aee947
--- /dev/null
+++ b/activesupport/lib/active_support/secure_compare_rotator.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "active_support/security_utils"
+require "active_support/messages/rotator"
+
+module ActiveSupport
+ # The ActiveSupport::SecureCompareRotator is a wrapper around +ActiveSupport::SecurityUtils.secure_compare+
+ # and allows you to rotate a previously defined value to a new one.
+ #
+ # It can be used as follow:
+ #
+ # rotator = ActiveSupport::SecureCompareRotator.new('new_production_value')
+ # rotator.rotate('previous_production_value')
+ # rotator.secure_compare!('previous_production_value')
+ #
+ # One real use case example would be to rotate a basic auth credentials:
+ #
+ # class MyController < ApplicationController
+ # def authenticate_request
+ # rotator = ActiveSupport::SecureComparerotator.new('new_password')
+ # rotator.rotate('old_password')
+ #
+ # authenticate_or_request_with_http_basic do |username, password|
+ # rotator.secure_compare!(password)
+ # rescue ActiveSupport::SecureCompareRotator::InvalidMatch
+ # false
+ # end
+ # end
+ # end
+ class SecureCompareRotator
+ include SecurityUtils
+ prepend Messages::Rotator
+
+ InvalidMatch = Class.new(StandardError)
+
+ def initialize(value, **_options)
+ @value = value
+ end
+
+ def secure_compare!(other_value, on_rotation: @rotation)
+ secure_compare(@value, other_value) ||
+ run_rotations(on_rotation) { |wrapper| wrapper.secure_compare!(other_value) } ||
+ raise(InvalidMatch)
+ end
+
+ private
+
+ def build_rotation(previous_value, _options)
+ self.class.new(previous_value)
+ end
+ end
+end
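Review bot: The controller example in the class comment instantiates `ActiveSupport::SecureComparerotator`, which does not match the class defined below and would raise `NameError` if copied. The line should read `#       rotator = ActiveSupport::SecureCompareRotator.new('new_password')`. Separately, `secure_compare!` passes `other_value` to `secure_compare` unchecked, so a `nil` or non-String credential would probably raise something other than `InvalidMatch` and bypass the `rescue` shown in the example. A guard such as `raise(InvalidMatch) unless other_value.is_a?(String)` would keep the failure mode uniform, but confirm this against `SecurityUtils.secure_compare`, which is not shown here. `initialize` also accepts and silently discards `**_options`, and neither public method documents `on_rotation:` or the raised error; a short doc comment on each would help callers.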