Diffstat (limited to 'railties/test/application/middleware')
4 files changed, 78 insertions, 17 deletions
diff --git a/railties/test/application/middleware/cache_test.rb b/railties/test/application/middleware/cache_test.rb index b8e0c9be60..b4db840e68 100644 --- a/railties/test/application/middleware/cache_test.rb +++ b/railties/test/application/middleware/cache_test.rb @@ -45,7 +45,7 @@ module ApplicationTests RUBY app_file 'config/routes.rb', <<-RUBY - AppTemplate::Application.routes.draw do + Rails.application.routes.draw do get ':controller(/:action)' end RUBY diff --git a/railties/test/application/middleware/cookies_test.rb b/railties/test/application/middleware/cookies_test.rb index 18af7abafc..bbb7627be9 100644 --- a/railties/test/application/middleware/cookies_test.rb +++ b/railties/test/application/middleware/cookies_test.rb @@ -33,7 +33,7 @@ module ApplicationTests assert_equal false, ActionDispatch::Cookies::CookieJar.always_write_cookie end - test 'always_write_cookie can be overrided' do + test 'always_write_cookie can be overridden' do add_to_config <<-RUBY config.action_dispatch.always_write_cookie = false RUBY diff --git a/railties/test/application/middleware/remote_ip_test.rb b/railties/test/application/middleware/remote_ip_test.rb index f0d3438aa4..946b82eeb3 100644 --- a/railties/test/application/middleware/remote_ip_test.rb +++ b/railties/test/application/middleware/remote_ip_test.rb @@ -1,5 +1,4 @@ require 'isolation/abstract_unit' -# FIXME remove DummyKeyGenerator and this require in 4.1 require 'active_support/key_generator' module ApplicationTests @@ -10,7 +9,7 @@ module ApplicationTests remote_ip = nil env = Rack::MockRequest.env_for("/").merge(env).merge!( 'action_dispatch.show_exceptions' => false, - 'action_dispatch.key_generator' => ActiveSupport::DummyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33') + 'action_dispatch.key_generator' => ActiveSupport::LegacyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33') ) endpoint = Proc.new do |e| 
@@ -34,6 +33,16 @@ module ApplicationTests end end + test "works with both headers individually" do + make_basic_app + assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do + assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1") + end + assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do + assert_equal "1.1.1.2", remote_ip("HTTP_CLIENT_IP" => "1.1.1.2") + end + end + test "can disable IP spoofing check" do make_basic_app do |app| app.config.action_dispatch.ip_spoofing_check = false diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb index a5fdfbf887..14a56176f5 100644 --- a/railties/test/application/middleware/session_test.rb +++ b/railties/test/application/middleware/session_test.rb @@ -49,7 +49,7 @@ module ApplicationTests test "session is empty and isn't saved on unverified request when using :null_session protect method" do app_file 'config/routes.rb', <<-RUBY - AppTemplate::Application.routes.draw do + Rails.application.routes.draw do get ':controller(/:action)' post ':controller(/:action)' end @@ -90,7 +90,7 @@ module ApplicationTests test "cookie jar is empty and isn't saved on unverified request when using :null_session protect method" do app_file 'config/routes.rb', <<-RUBY - AppTemplate::Application.routes.draw do + Rails.application.routes.draw do get ':controller(/:action)' post ':controller(/:action)' end @@ -131,7 +131,7 @@ module ApplicationTests test "session using encrypted cookie store" do app_file 'config/routes.rb', <<-RUBY - AppTemplate::Application.routes.draw do + Rails.application.routes.draw do get ':controller(/:action)' end RUBY @@ -157,10 +157,6 @@ module ApplicationTests end RUBY - add_to_config <<-RUBY - config.session_store :encrypted_cookie_store, key: '_myapp_session' - RUBY - require "#{app_path}/config/environment" get '/foo/write_session' 
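Review bot: The added test "works with both headers individually" checks each header alone, but not the case where `HTTP_X_FORWARDED_FOR` and `HTTP_CLIENT_IP` are both present and agree, which the spoofing check should also let through without raising. Unless a test outside this hunk already covers it, a third assertion would pin that path: `assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1", "HTTP_CLIENT_IP" => "1.1.1.1")`. The `assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError)` wrappers add little, since an unexpected exception fails the test anyway, so the two `assert_equal` lines could stand on their own. A short comment such as `# both headers are request-supplied; remote_ip is only meaningful when a trusted proxy sets them` would tell readers why the spoofing check exists.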
@@ -178,9 +174,9 @@ module ApplicationTests assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo'] end - test "session using upgrade signature to encryption cookie store works the same way as encrypted cookie store" do + test "session upgrading signature to encryption cookie store works the same way as encrypted cookie store" do app_file 'config/routes.rb', <<-RUBY - AppTemplate::Application.routes.draw do + Rails.application.routes.draw do get ':controller(/:action)' end RUBY @@ -208,7 +204,6 @@ module ApplicationTests add_to_config <<-RUBY config.secret_token = "3b7cd727ee24e8444053437c36cc66c4" - config.session_store :upgrade_signature_to_encryption_cookie_store, key: '_myapp_session' RUBY require "#{app_path}/config/environment" @@ -228,9 +223,9 @@ module ApplicationTests assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo'] end - test "session using upgrade signature to encryption cookie store upgrades session to encrypted mode" do + test "session upgrading signature to encryption cookie store upgrades session to encrypted mode" do app_file 'config/routes.rb', <<-RUBY - AppTemplate::Application.routes.draw do + Rails.application.routes.draw do get ':controller(/:action)' end RUBY @@ -264,7 +259,6 @@ module ApplicationTests add_to_config <<-RUBY config.secret_token = "3b7cd727ee24e8444053437c36cc66c4" - config.session_store :upgrade_signature_to_encryption_cookie_store, key: '_myapp_session' RUBY require "#{app_path}/config/environment" 
@@ -287,5 +281,63 @@ module ApplicationTests get '/foo/read_raw_cookie' assert_equal 2, encryptor.decrypt_and_verify(last_response.body)['foo'] end + + test "session upgrading legacy signed cookies to new signed cookies" do + app_file 'config/routes.rb', <<-RUBY + Rails.application.routes.draw do + get ':controller(/:action)' + end + RUBY + + controller :foo, <<-RUBY + class FooController < ActionController::Base + def write_raw_session + # {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1} + cookies[:_myapp_session] = "BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTE5NjVkOTU3MjBmZmZjMTIzOTQxYmRmYjdkMmU2ODcwBjsAVEkiCGZvbwY7AEZpBg==--315fb9931921a87ae7421aec96382f0294119749" + render nothing: true + end + + def write_session + session[:foo] = session[:foo] + 1 + render nothing: true + end + + def read_session + render text: session[:foo] + end + + def read_signed_cookie + render text: cookies.signed[:_myapp_session]['foo'] + end + + def read_raw_cookie + render text: cookies[:_myapp_session] + end + end + RUBY + + add_to_config <<-RUBY + config.secret_token = "3b7cd727ee24e8444053437c36cc66c4" + config.secret_key_base = nil + RUBY + + require "#{app_path}/config/environment" + + get '/foo/write_raw_session' + get '/foo/read_session' + assert_equal '1', last_response.body + + get '/foo/write_session' + get '/foo/read_session' + assert_equal '2', last_response.body + + get '/foo/read_signed_cookie' + assert_equal '2', last_response.body + + verifier = ActiveSupport::MessageVerifier.new(app.config.secret_token) + + get '/foo/read_raw_cookie' + assert_equal 2, verifier.verify(last_response.body)['foo'] + end end end |
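Review bot: The new test "session upgrading legacy signed cookies to new signed cookies" exercises only the accepted path; nothing in it asserts that a legacy cookie whose digest does not match is rejected. The value set in `write_raw_session` looks like a Base64 Marshal dump followed by `--` and a digest, so the signature check is what keeps client-supplied bytes away from deserialisation. A companion test that alters the digest and asserts the session no longer contains `foo` would cover that. The name is also hard to reconcile with the body: with `config.secret_key_base = nil`, the final assertion verifies the cookie with `ActiveSupport::MessageVerifier.new(app.config.secret_token)`, which appears to be the same secret that signed the legacy value. Either rename it to say that legacy signed cookies keep working when `secret_key_base` is unset, or add a comment stating what is being upgraded.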