From 746abbcc31f795eaa8e31d7b3a94d63cc4d5c581 Mon Sep 17 00:00:00 2001 From: Amr Tamimi Date: Mon, 21 Oct 2013 15:40:39 +0300 Subject: Automatically convert dashes to underscores for url helpers --- actionpack/lib/action_dispatch/routing/mapper.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb index 18f37dc732..d724633245 100644 --- a/actionpack/lib/action_dispatch/routing/mapper.rb +++ b/actionpack/lib/action_dispatch/routing/mapper.rb @@ -1440,7 +1440,7 @@ module ActionDispatch path = path_for_action(action, options.delete(:path)) action = action.to_s.dup - if action =~ /^[\w\/]+$/ + if action =~ /^[\w\-\/]+$/ options[:action] ||= action unless action.include?("/") else action = nil @@ -1636,6 +1636,7 @@ module ActionDispatch when :root [name_prefix, collection_name, prefix] else + prefix.gsub!(/\-/, '_') if prefix.is_a?(String) [name_prefix, member_name, prefix] end -- cgit v1.2.3 From f9f32e04ad57c37353a756673794a41026f65a34 Mon Sep 17 00:00:00 2001 From: Mikko Johansson Date: Mon, 20 Jan 2014 17:31:11 +0200 Subject: Automatically convert dashes to underscores in shorthand routes --- actionpack/lib/action_dispatch/routing/mapper.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb index d724633245..6a4d7c3afa 100644 --- a/actionpack/lib/action_dispatch/routing/mapper.rb +++ b/actionpack/lib/action_dispatch/routing/mapper.rb @@ -1410,6 +1410,7 @@ module ActionDispatch path_without_format = _path.to_s.sub(/\(\.:format\)$/, '') if using_match_shorthand?(path_without_format, route_options) route_options[:to] ||= path_without_format.gsub(%r{^/}, "").sub(%r{/([^/]*)$}, '#\1') + route_options[:to].tr!("-", "_") end decomposed_match(_path, route_options) -- cgit v1.2.3 
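Review bot: In the `@@ -1440` hunk of mapper.rb the widened pattern `/^[\w\-\/]+$/` still uses the line anchors `^` and `$`, so a multi-line action string is accepted as soon as one of its lines matches. Whole-string validation needs `\A` and `\z`: `if action =~ /\A[\w\-\/]+\z/`. Route definitions normally come from the application's own routes file, so this is hardening rather than a fix for a reachable input path. The same pattern reappears as context in the `@@ -1442` hunk of commit 345555cd, and the enclosing method starts and ends outside the hunk.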
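Review bot: `route_options[:to].tr!("-", "_")` in the `@@ -1410` hunk of commit f9f32e04 rewrites the string in place after the `||=`, so if `:to` was already present in `route_options` it would mutate the caller's object, and it raises when that value is frozen or is not a String. Whether `using_match_shorthand?` rules out a caller-supplied `:to` is not visible in this hunk. Converting only the derived value avoids both cases: `route_options[:to] ||= path_without_format.gsub(%r{^/}, "").sub(%r{/([^/]*)$}, '#\1').tr("-", "_")`. The enclosing method starts outside the hunk.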
From c1f8a0d61409b6c9fa16847b0ecf694cc4d4cecf Mon Sep 17 00:00:00 2001 From: Maurizio De Santis Date: Thu, 23 Jan 2014 14:50:29 +0100 Subject: Fix `rake routes` error when `Rails::Engine` with empty routes is mounted; fixes rails/rails#13810 Squash --- actionpack/lib/action_dispatch/routing/inspector.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/routing/inspector.rb b/actionpack/lib/action_dispatch/routing/inspector.rb index f612e91aef..71a0c5e826 100644 --- a/actionpack/lib/action_dispatch/routing/inspector.rb +++ b/actionpack/lib/action_dispatch/routing/inspector.rb @@ -194,9 +194,9 @@ module ActionDispatch end def widths(routes) - [routes.map { |r| r[:name].length }.max, - routes.map { |r| r[:verb].length }.max, - routes.map { |r| r[:path].length }.max] + [routes.map { |r| r[:name].length }.max || 0, + routes.map { |r| r[:verb].length }.max || 0, + routes.map { |r| r[:path].length }.max || 0] end end -- cgit v1.2.3 From 345555cd4cfd6fad68752292e5780387672e167e Mon Sep 17 00:00:00 2001 From: Byron Bischoff Date: Fri, 24 Jan 2014 13:07:02 -0800 Subject: Transform dashes to underscores in resource route names Fixes #13824 --- actionpack/lib/action_dispatch/routing/mapper.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb index 6a4d7c3afa..d5eb770cb1 100644 --- a/actionpack/lib/action_dispatch/routing/mapper.rb +++ b/actionpack/lib/action_dispatch/routing/mapper.rb @@ -1442,7 +1442,7 @@ module ActionDispatch action = action.to_s.dup if action =~ /^[\w\-\/]+$/ - options[:action] ||= action unless action.include?("/") + options[:action] ||= action.tr('-', '_') unless action.include?("/") else action = nil end 
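Review bot: The three lines of `widths` in inspector.rb now repeat the same `map { ... }.max || 0` expression with only the key changing, so the nil fallback has to be kept in step in three places. Building the result from the key list states it once: `[:name, :verb, :path].map { |key| routes.map { |r| r[key].length }.max || 0 }`. A one-line comment that `|| 0` covers an engine mounted with no routes would also record why the fallback exists.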
@@ -1607,10 +1607,11 @@ module ActionDispatch def prefix_name_for_action(as, action) #:nodoc: if as - as.to_s + prefix = as elsif !canonical_action?(action, @scope[:scope_level]) - action.to_s + prefix = action end + prefix.to_s.tr('-', '_') if prefix end def name_for_action(as, action) #:nodoc: @@ -1637,7 +1638,6 @@ module ActionDispatch when :root [name_prefix, collection_name, prefix] else - prefix.gsub!(/\-/, '_') if prefix.is_a?(String) [name_prefix, member_name, prefix] end -- cgit v1.2.3 From 31616068032beb537768787ff3a206b062eb192e Mon Sep 17 00:00:00 2001 From: Andrew White Date: Mon, 27 Jan 2014 09:08:56 +0000 Subject: Clear filtered request attributes between requests in tests The request attributes filtered_parameters, filtered_env and filtered_path are memoized for performance reasons. However this can cause unusual behavior in tests where there are multiple calls to get, post, etc. Fixes #13803. --- actionpack/lib/action_controller/test_case.rb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb index 5ed3d2ebc1..cf11ce1a9b 100644 --- a/actionpack/lib/action_controller/test_case.rb +++ b/actionpack/lib/action_controller/test_case.rb @@ -213,6 +213,9 @@ module ActionController # Clear the combined params hash in case it was already referenced. @env.delete("action_dispatch.request.parameters") + # Clear the filter cache variables so they're not stale + @filtered_parameters = @filtered_env = @filtered_path = nil + params = self.request_parameters.dup %w(controller action only_path).each do |k| params.delete(k) -- cgit v1.2.3 From 69ab91ae9396f0101afd13871f179a7f779d3178 Mon Sep 17 00:00:00 2001 
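Review bot: The reset `@filtered_parameters = @filtered_env = @filtered_path = nil` in the test_case.rb hunk repeats the names of instance variables that are memoized elsewhere (the description says the request memoizes them), so a filtered attribute that is added or renamed there will go stale in tests again with nothing pointing back to this line. The comment should say where the memoization lives and that the list must follow it, for example `# Reset the values memoized by filtered_parameters, filtered_env and filtered_path; keep in sync with those readers.` The enclosing method starts and ends outside the hunk.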
From: Lukasz Sarnacki Date: Thu, 23 Jan 2014 16:31:52 +0100 Subject: Log which keys were set to nil in deep_munge deep_munge solves CVE-2013-0155 security vulnerability, but its behaviour is definately confuisng. This commit adds logging to deep_munge. It logs keys for which values were set to nil. Also mentions in guides were added. --- actionpack/lib/action_controller/log_subscriber.rb | 9 +++++++++ actionpack/lib/action_dispatch/request/utils.rb | 13 +++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb index 9279d8bcea..823a1050b5 100644 --- a/actionpack/lib/action_controller/log_subscriber.rb +++ b/actionpack/lib/action_controller/log_subscriber.rb @@ -53,6 +53,15 @@ module ActionController debug("Unpermitted parameters: #{unpermitted_keys.join(", ")}") end + def deep_munge(event) + message = "Value for params[:#{event.payload[:keys].join('][:')}] was set"\ + "to nil, because it was one of [], [null] or [null, null, ...]."\ + "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation"\ + "for more information."\ + + debug(message) + end + %w(write_fragment read_fragment exist_fragment? expire_fragment expire_page write_page).each do |method| class_eval <<-METHOD, __FILE__, __LINE__ + 1 diff --git a/actionpack/lib/action_dispatch/request/utils.rb b/actionpack/lib/action_dispatch/request/utils.rb index a6dca9741c..9d4f1aa3c5 100644 --- a/actionpack/lib/action_dispatch/request/utils.rb +++ b/actionpack/lib/action_dispatch/request/utils.rb 
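Review bot: The message built in `deep_munge` in log_subscriber.rb joins its four fragments with no separating spaces, so the log line reads "was setto nil", "...].Go to" and "#unsafe-query-generationfor more information", which also breaks the guide URL. Each of the first three fragments needs a trailing space, and the backslash after the last fragment should go, since it only works because the following line is blank. The key names interpolated into the message come from the request parameters, so the line should be read as untrusted text by anything that parses the debug log.
```ruby
def deep_munge(event)
  message = "Value for params[:#{event.payload[:keys].join('][:')}] was set " \
            "to nil, because it was one of [], [null] or [null, null, ...]. " \
            "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation " \
            "for more information."

  debug(message)
end
```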
@@ -7,18 +7,23 @@ module ActionDispatch class << self # Remove nils from the params hash - def deep_munge(hash) + def deep_munge(hash, keys = []) return hash unless perform_deep_munge hash.each do |k, v| + keys << k case v when Array - v.grep(Hash) { |x| deep_munge(x) } + v.grep(Hash) { |x| deep_munge(x, keys) } v.compact! - hash[k] = nil if v.empty? + if v.empty? + hash[k] = nil + ActiveSupport::Notifications.instrument("deep_munge.action_controller", keys: keys) + end when Hash - deep_munge(v) + deep_munge(v, keys) end + keys.pop end hash -- cgit v1.2.3 From dd6488de51461ff660f49110bec091317efaca08 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Tue, 28 Jan 2014 17:36:03 -0800 Subject: scope is not necessary --- actionpack/lib/action_dispatch/middleware/reloader.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/reloader.rb b/actionpack/lib/action_dispatch/middleware/reloader.rb index 2f6968eb2e..432a072b1b 100644 --- a/actionpack/lib/action_dispatch/middleware/reloader.rb +++ b/actionpack/lib/action_dispatch/middleware/reloader.rb @@ -26,8 +26,8 @@ module ActionDispatch class Reloader include ActiveSupport::Callbacks - define_callbacks :prepare, :scope => :name - define_callbacks :cleanup, :scope => :name + define_callbacks :prepare + define_callbacks :cleanup # Add a prepare callback. Prepare callbacks are run before each request, prior # to ActionDispatch::Callback's before callbacks. -- cgit v1.2.3 From f142527eb30626904cb1e655a1a28801f08b8acf Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Tue, 28 Jan 2014 17:42:26 -0800 Subject: always use a block for cleanup / prepare callbacks so we can clean the method signature --- actionpack/lib/action_dispatch/middleware/reloader.rb | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'actionpack/lib') 
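Review bot: `ActiveSupport::Notifications.instrument("deep_munge.action_controller", keys: keys)` in the utils.rb hunk hands subscribers the live `keys` array, which `keys.pop` then mutates as the traversal unwinds, so any subscriber that keeps the payload after the callback returns ends up with a truncated or empty path. Passing a snapshot avoids that: `keys: keys.dup`. The path also omits the array index when recursing through `v.grep(Hash)`, so two hashes in the same array report the same key path; a comment on the method should say so. The closing `end` of `deep_munge` is outside the hunk.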
diff --git a/actionpack/lib/action_dispatch/middleware/reloader.rb b/actionpack/lib/action_dispatch/middleware/reloader.rb index 432a072b1b..15b5a48535 100644 --- a/actionpack/lib/action_dispatch/middleware/reloader.rb +++ b/actionpack/lib/action_dispatch/middleware/reloader.rb @@ -1,3 +1,5 @@ +require 'active_support/deprecation/reporting' + module ActionDispatch # ActionDispatch::Reloader provides prepare and cleanup callbacks, # intended to assist with code reloading during development. @@ -25,6 +27,7 @@ module ActionDispatch # class Reloader include ActiveSupport::Callbacks + include ActiveSupport::Deprecation::Reporting define_callbacks :prepare define_callbacks :cleanup @@ -32,12 +35,18 @@ module ActionDispatch # Add a prepare callback. Prepare callbacks are run before each request, prior # to ActionDispatch::Callback's before callbacks. def self.to_prepare(*args, &block) + unless block_given? + warn "to_prepare without a block is deprecated. Please use a block" + end set_callback(:prepare, *args, &block) end # Add a cleanup callback. Cleanup callbacks are run after each request is # complete (after #close is called on the response body). def self.to_cleanup(*args, &block) + unless block_given? + warn "to_cleanup without a block is deprecated. Please use a block" + end set_callback(:cleanup, *args, &block) end -- cgit v1.2.3 From b23ffd0dac895aa3fd3afd8d9be36794941731b2 Mon Sep 17 00:00:00 2001 
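Review bot: The `warn` calls added to `self.to_prepare` and `self.to_cleanup` in the `@@ -32,12` hunk run with the class as receiver, while `include ActiveSupport::Deprecation::Reporting` in the `@@ -25,6` hunk only adds that module's methods to instances of `Reloader`. As written the call therefore appears to resolve to `Kernel#warn` and prints a plain line to stderr instead of going through the deprecation machinery (behaviour settings, call-site reporting). Calling the deprecator directly makes the intent explicit and removes the need for the include: `ActiveSupport::Deprecation.warn "to_prepare without a block is deprecated. Please use a block"`, and the same for `to_cleanup`.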
From: Lukasz Sarnacki Date: Fri, 10 Jan 2014 12:57:50 +0100 Subject: Allow session serializer key in config.session_store MessageEncryptor has a :serializer option, where any serializer object can be passed. This commit makes it possible to set this serializer from the configuration level. There are predefined serializers (:marshal_serializer, :json_serializer), and a custom serializer can be passed as a String or Symbol (camelized and constantized in the ActionDispatch::Session namespace) or as a serializer object. A default of :json_serializer was also added to the generators to provide a secure default. --- actionpack/lib/action_dispatch.rb | 10 ++++++---- actionpack/lib/action_dispatch/middleware/cookies.rb | 16 ++++++++++++++-- .../middleware/session/json_serializer.rb | 13 +++++++++++++ .../middleware/session/marshal_serializer.rb | 14 ++++++++++++++ 4 files changed, 47 insertions(+), 6 deletions(-) create mode 100644 actionpack/lib/action_dispatch/middleware/session/json_serializer.rb create mode 100644 actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb index 920e651b08..36dcca2905 100644 --- a/actionpack/lib/action_dispatch.rb +++ b/actionpack/lib/action_dispatch.rb 
@@ -82,10 +82,12 @@ module ActionDispatch end module Session - autoload :AbstractStore, 'action_dispatch/middleware/session/abstract_store' - autoload :CookieStore, 'action_dispatch/middleware/session/cookie_store' - autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store' - autoload :CacheStore, 'action_dispatch/middleware/session/cache_store' + autoload :AbstractStore, 'action_dispatch/middleware/session/abstract_store' + autoload :CookieStore, 'action_dispatch/middleware/session/cookie_store' + autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store' + autoload :CacheStore, 'action_dispatch/middleware/session/cache_store' + autoload :JsonSerializer, 'action_dispatch/middleware/session/json_serializer' + autoload :MarshalSerializer, 'action_dispatch/middleware/session/marshal_serializer' end mattr_accessor :test_app diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index fe110d7938..f9f034952e 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -89,6 +89,7 @@ module ActionDispatch ENCRYPTED_SIGNED_COOKIE_SALT = "action_dispatch.encrypted_signed_cookie_salt".freeze SECRET_TOKEN = "action_dispatch.secret_token".freeze SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze + SESSION_SERIALIZER = "action_dispatch.session_serializer".freeze # Cookies can typically store 4096 bytes. MAX_COOKIE_SIZE = 4096 @@ -210,7 +211,8 @@ module ActionDispatch encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT] || '', secret_token: env[SECRET_TOKEN], secret_key_base: env[SECRET_KEY_BASE], - upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present? + upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?, + session_serializer: env[SESSION_SERIALIZER] } end 
@@ -435,7 +437,7 @@ module ActionDispatch @options = options secret = key_generator.generate_key(@options[:encrypted_cookie_salt]) sign_secret = key_generator.generate_key(@options[:encrypted_signed_cookie_salt]) - @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret) + @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: serializer) end def [](name) @@ -462,6 +464,16 @@ module ActionDispatch rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage nil end + + def serializer + serializer = @options[:session_serializer] || :marshal_serializer + case serializer + when Symbol, String + ActionDispatch::Session.const_get(serializer.to_s.camelize) + else + serializer + end + end end # UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore diff --git a/actionpack/lib/action_dispatch/middleware/session/json_serializer.rb b/actionpack/lib/action_dispatch/middleware/session/json_serializer.rb new file mode 100644 index 0000000000..d341853f7a --- /dev/null +++ b/actionpack/lib/action_dispatch/middleware/session/json_serializer.rb @@ -0,0 +1,13 @@ +module ActionDispatch + module Session + class JsonSerializer + def self.load(value) + JSON.parse(value, quirks_mode: true) + end + + def self.dump(value) + JSON.generate(value, quirks_mode: true) + end + end + end +end diff --git a/actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb b/actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb new file mode 100644 index 0000000000..26622f682d --- /dev/null +++ b/actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb @@ -0,0 +1,14 @@ +module ActionDispatch + module Session + class MarshalSerializer + def self.load(value) + Marshal.load(value) + end + + def self.dump(value) + Marshal.dump(value) + end + end + end +end + -- cgit v1.2.3 From fd487860db3097104cdb8d589f3931d75b767721 Mon Sep 17 00:00:00 2001 
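Review bot: `ActionDispatch::Session.const_get(serializer.to_s.camelize)` in the `@@ -462,6` hunk of cookies.rb also searches ancestors and the top-level namespace, so a mistyped or unexpected name can resolve to an unrelated constant that then gets used as the cookie serializer. Restricting the lookup to the namespace makes a wrong name fail at configuration time: `ActionDispatch::Session.const_get(serializer.to_s.camelize, false)`. The value comes from application configuration rather than from a request, so this is about failing loudly on misconfiguration. The hunk shows the whole `serializer` method but not the class it is added to.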
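Review bot: `MarshalSerializer.load` in the new marshal_serializer.rb calls `Marshal.load` on cookie contents with no comment about what that relies on, and the `serializer` method in cookies.rb still falls back to `:marshal_serializer` when nothing is configured. `Marshal.load` can instantiate arbitrary objects, so its safety here depends entirely on the payload having been verified and decrypted with a secret that has not leaked. I would add a class comment saying exactly that and pointing to `JsonSerializer` as the preferred choice, and a comment at the fallback noting that existing applications stay on Marshal until they set the option.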
From: Guillermo Iguaran Date: Thu, 30 Jan 2014 01:12:23 -0500 Subject: Modify the session serializer implementation Rename allowed options to :marshal and :json, for custom serializers only allow the use of custom classes. --- actionpack/lib/action_dispatch/middleware/cookies.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index f9f034952e..23d0ecd529 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -466,10 +466,12 @@ module ActionDispatch end def serializer - serializer = @options[:session_serializer] || :marshal_serializer + serializer = @options[:session_serializer] || :marshal case serializer - when Symbol, String - ActionDispatch::Session.const_get(serializer.to_s.camelize) + when :marshal + ActionDispatch::Session::MarshalSerializer + when :json + ActionDispatch::Session::JsonSerializer else serializer end -- cgit v1.2.3 From 1f9586fd4725f5e81177cc6adba879b4869f71af Mon Sep 17 00:00:00 2001 From: Josh Jordan Date: Tue, 28 Jan 2014 16:51:01 -0500 Subject: Do not discard query parameters on requests that use wrap_parameters --- actionpack/lib/action_controller/metal/params_wrapper.rb | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/metal/params_wrapper.rb b/actionpack/lib/action_controller/metal/params_wrapper.rb index c9f1d8dcb4..2ca8955741 100644 --- a/actionpack/lib/action_controller/metal/params_wrapper.rb +++ b/actionpack/lib/action_controller/metal/params_wrapper.rb 
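Review bot: The `else` branch of `serializer` in the `@@ -466,10` hunk returns whatever was configured, so a misspelled symbol such as `:jsn`, or the string `"json"`, is handed to `MessageEncryptor` as the serializer object and only fails when the first cookie is read or written. Checking the interface before returning it surfaces the mistake at boot: `raise ArgumentError, "unknown cookies serializer: #{serializer.inspect}" unless serializer.respond_to?(:load) && serializer.respond_to?(:dump)`. The same branch is carried over into `SerializedCookieJars#serializer` in commit b927d67d. The method's closing `end` is outside the hunk.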
@@ -231,7 +231,12 @@ module ActionController # by the metal call stack. def process_action(*args) if _wrapper_enabled? - wrapped_hash = _wrap_parameters request.request_parameters + if request.parameters[_wrapper_key].present? + wrapped_hash = _extract_parameters(request.parameters) + else + wrapped_hash = _wrap_parameters request.request_parameters + end + wrapped_keys = request.request_parameters.keys wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys) @@ -259,14 +264,16 @@ module ActionController # Returns the list of parameters which will be selected for wrapped. def _wrap_parameters(parameters) - value = if include_only = _wrapper_options.include + { _wrapper_key => _extract_parameters(parameters) } + end + + def _extract_parameters(parameters) + if include_only = _wrapper_options.include parameters.slice(*include_only) else exclude = _wrapper_options.exclude || [] parameters.except(*(exclude + EXCLUDE_PARAMETERS)) end - - { _wrapper_key => value } end # Checks if we should perform parameters wrapping. -- cgit v1.2.3 From 0b101804444e2cc57740b1c79cbd19f340f46cbf Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Fri, 31 Jan 2014 11:54:42 -0800 Subject: FilterRedirect is referenced at the class level from the Response We can just require the file rather than going through the autoload indirection --- actionpack/lib/action_dispatch.rb | 1 - actionpack/lib/action_dispatch/http/response.rb | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb index 36dcca2905..9b26845190 100644 --- a/actionpack/lib/action_dispatch.rb +++ b/actionpack/lib/action_dispatch.rb @@ -75,7 +75,6 @@ module ActionDispatch autoload :Parameters autoload :ParameterFilter autoload :FilterParameters - autoload :FilterRedirect autoload :Upload autoload :UploadedFile, 'action_dispatch/http/upload' autoload :URL 
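Review bot: In the `@@ -231,7` hunk of params_wrapper.rb the two branches give `wrapped_hash` different shapes: the new branch assigns the bare result of `_extract_parameters(request.parameters)`, while the `else` branch assigns `{ _wrapper_key => ... }` through `_wrap_parameters`. How `wrapped_hash` is consumed is outside the hunk, but if it is merged into the params the first branch would place the extracted keys at the top level instead of under the wrapper key. The new branch also reads `request.parameters` rather than `request.request_parameters`, so values from outside the request body become candidates for the wrapped hash while `wrapped_filtered_hash` is still built from the body keys only. That widens what reaches code that trusts the wrapped hash and can leave the filtered copy out of step with it. A comment stating which parameter sources are intended, plus a test with the same key in the query string and the body, would pin the behaviour down.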
diff --git a/actionpack/lib/action_dispatch/http/response.rb b/actionpack/lib/action_dispatch/http/response.rb index 7b2655b2d8..bc13ee00f1 100644 --- a/actionpack/lib/action_dispatch/http/response.rb +++ b/actionpack/lib/action_dispatch/http/response.rb @@ -1,4 +1,5 @@ require 'active_support/core_ext/module/attribute_accessors' +require 'action_dispatch/http/filter_redirect' require 'monitor' module ActionDispatch # :nodoc: -- cgit v1.2.3 From e8fcd599ba6a301dbddb084f7369320ca3c49ff3 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Fri, 31 Jan 2014 12:00:54 -0800 Subject: only ask for the location filters once --- actionpack/lib/action_dispatch/http/filter_redirect.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/http/filter_redirect.rb b/actionpack/lib/action_dispatch/http/filter_redirect.rb index 900ce1c646..cd603649c3 100644 --- a/actionpack/lib/action_dispatch/http/filter_redirect.rb +++ b/actionpack/lib/action_dispatch/http/filter_redirect.rb @@ -5,7 +5,8 @@ module ActionDispatch FILTERED = '[FILTERED]'.freeze # :nodoc: def filtered_location - if !location_filter.empty? && location_filter_match? + filters = location_filter + if !filters.empty? && location_filter_match?(filters) FILTERED else location @@ -15,15 +16,15 @@ module ActionDispatch private def location_filter - if request.present? + if request request.env['action_dispatch.redirect_filter'] || [] else [] end end - def location_filter_match? - location_filter.any? do |filter| + def location_filter_match?(filters) + filters.any? do |filter| if String === filter location.include?(filter) elsif Regexp === filter -- cgit v1.2.3 From 47860b62b3c9a915c00fd379b705c545d4c6eb0d Mon Sep 17 00:00:00 2001 
From: Philipe Fatio Date: Fri, 7 Feb 2014 11:06:55 +0100 Subject: Require action_view to fix missing constant Previously, requiring action_view/view_paths did cause an uninitialized constant error for ENCODING_FLAG, which is defined in action_view. --- actionpack/lib/abstract_controller/rendering.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'actionpack/lib') diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb index 7be61d94c9..f24b03ad16 100644 --- a/actionpack/lib/abstract_controller/rendering.rb +++ b/actionpack/lib/abstract_controller/rendering.rb @@ -1,5 +1,6 @@ require 'active_support/concern' require 'active_support/core_ext/class/attribute' +require 'action_view' require 'action_view/view_paths' require 'set' -- cgit v1.2.3 From 519deb6f509e804ad2c937df4f583785f2168c9c Mon Sep 17 00:00:00 2001 From: Yves Senn Date: Sat, 8 Feb 2014 13:42:10 +0100 Subject: docs, Cookie values are String based. Closes #12860. [ci skip] --- actionpack/lib/action_dispatch/middleware/cookies.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 23d0ecd529..b3c3ab6bb9 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -23,8 +23,8 @@ module ActionDispatch # # This cookie will be deleted when the user's browser is closed. # cookies[:user_name] = "david" # - # # Assign an array of values to a cookie. - # cookies[:lat_lon] = [47.68, -122.37] + # # Cookie values are String based. Other data types need to be serialized. + # cookies[:lat_lon] = JSON.dump([47.68, -122.37]) # # # Sets a cookie that expires in 1 hour. # cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now } 
@@ -42,10 +42,10 @@ module ActionDispatch # # Examples of reading: # - # cookies[:user_name] # => "david" - # cookies.size # => 2 - # cookies[:lat_lon] # => [47.68, -122.37] - # cookies.signed[:login] # => "XJ-122" + # cookies[:user_name] # => "david" + # cookies.size # => 2 + # JSON.load(cookies[:lat_lon]) # => [47.68, -122.37] + # cookies.signed[:login] # => "XJ-122" # # Example for deleting: # @@ -63,7 +63,7 @@ module ActionDispatch # # The option symbols for setting cookies are: # - # * :value - The cookie's value or list of values (as an array). + # * :value - The cookie's value. # * :path - The path for which this cookie applies. Defaults to the root # of the application. # * :domain - The domain for which this cookie applies so you can -- cgit v1.2.3 From 50d828c0afe9c0fb94d4c1e86fb6c71916a32ab6 Mon Sep 17 00:00:00 2001 From: Robin Dupret Date: Sat, 8 Feb 2014 16:31:12 +0100 Subject: Rely on backticks instead of tt tags [ci skip] Since the language in code blocks is inferred, if the code contains tt tags, the block will be parsed as XML for instance while it is Ruby. --- actionpack/lib/action_dispatch/middleware/cookies.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index b3c3ab6bb9..3d1614142d 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb 
@@ -30,8 +30,8 @@ module ActionDispatch # cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now } # # # Sets a signed cookie, which prevents users from tampering with its value. - # # The cookie is signed by your app's secrets.secret_key_base value. - # # It can be read using the signed method cookies.signed[:name] + # # The cookie is signed by your app's `secrets.secret_key_base` value. + # # It can be read using the signed method `cookies.signed[:name]` # cookies.signed[:user_id] = current_user.id # # # Sets a "permanent" cookie (which expires in 20 years from now). -- cgit v1.2.3 From 77577149f71e1fa0df15dbc02ae7c33349dddba8 Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Sat, 8 Feb 2014 10:00:09 -0800 Subject: Updated the cookie docs to use the safer JSON.{generate,parse} cc @senny --- actionpack/lib/action_dispatch/middleware/cookies.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 3d1614142d..531654895b 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -24,7 +24,7 @@ module ActionDispatch # cookies[:user_name] = "david" # # # Cookie values are String based. Other data types need to be serialized. - # cookies[:lat_lon] = JSON.dump([47.68, -122.37]) + # cookies[:lat_lon] = JSON.generate([47.68, -122.37]) # # # Sets a cookie that expires in 1 hour. # cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now } 
@@ -42,10 +42,10 @@ module ActionDispatch # # Examples of reading: # - # cookies[:user_name] # => "david" - # cookies.size # => 2 - # JSON.load(cookies[:lat_lon]) # => [47.68, -122.37] - # cookies.signed[:login] # => "XJ-122" + # cookies[:user_name] # => "david" + # cookies.size # => 2 + # JSON.parse(cookies[:lat_lon]) # => [47.68, -122.37] + # cookies.signed[:login] # => "XJ-122" # # Example for deleting: # -- cgit v1.2.3 From 069bc273853c90194606b1725113d77ae39e2edd Mon Sep 17 00:00:00 2001 From: Dan Kang Date: Sat, 8 Feb 2014 17:40:08 -0800 Subject: Prevent [response].flatten from recursing infinitely. Returning `self` from within the array returned by `to_ary` caused this. Instead, we can just substitute another object. It provides the `each` behavior required by the rack spec. --- actionpack/lib/action_dispatch/http/response.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/http/response.rb b/actionpack/lib/action_dispatch/http/response.rb index bc13ee00f1..2c6bcf7b7b 100644 --- a/actionpack/lib/action_dispatch/http/response.rb +++ b/actionpack/lib/action_dispatch/http/response.rb @@ -313,7 +313,7 @@ module ActionDispatch # :nodoc: header.delete CONTENT_TYPE [status, header, []] else - [status, header, self] + [status, header, Rack::BodyProxy.new(self){}] end end end -- cgit v1.2.3 From 8d7923b7eb0dd638d1426aadde2b2d9835ecf68d Mon Sep 17 00:00:00 2001 From: Zachary Scott Date: Sun, 9 Feb 2014 11:30:49 +0200 Subject: FilterParameters is referenced at the class level from the Request Since it's already required in the file, we don't need to use autoload too. This commit is symmetrical change to 0b10180 for Response. --- actionpack/lib/action_dispatch.rb | 1 - 1 file changed, 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb index 9b26845190..a56d827b1a 100644 --- a/actionpack/lib/action_dispatch.rb 
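Review bot: `Rack::BodyProxy.new(self){}` in the `@@ -313,7` hunk of response.rb gives no hint of why the response is wrapped or why the block is empty, so a later clean-up is likely to simplify it back to `self` and bring the recursion back. A comment above the line would keep the fix in place: `# Return a proxy rather than self so that [response].flatten does not recurse through to_ary; the empty block is the unused close callback.` Writing the block as `Rack::BodyProxy.new(self) {}` is the conventional spacing. The enclosing method starts outside the hunk.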
+++ b/actionpack/lib/action_dispatch.rb @@ -74,7 +74,6 @@ module ActionDispatch autoload :MimeNegotiation autoload :Parameters autoload :ParameterFilter - autoload :FilterParameters autoload :Upload autoload :UploadedFile, 'action_dispatch/http/upload' autoload :URL -- cgit v1.2.3 From 462d7cb3148e95c9a793d33fd882a99f0d9c57c2 Mon Sep 17 00:00:00 2001 From: Andrew White Date: Sun, 9 Feb 2014 10:36:45 -0800 Subject: Set the :shallow_path as each scope is generated If we set :shallow_path when shallow is called it can result in incorrect paths if the resource is inside a namespace because namespace itself sets the :shallow_path option to the namespace path. We fix this by removing the :shallow_path option from shallow as that should only be turning shallow routes on and not otherwise affecting the scope. To do this we need to treat the :shallow option to resources differently to other scope options and move it to before the nested block is called. This change also has the positive side effect of making the behavior of the :shallow option consistent with the shallow method. Fixes #12498. --- actionpack/lib/action_dispatch/routing/mapper.rb | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb index d5eb770cb1..0b762aa9a4 100644 --- a/actionpack/lib/action_dispatch/routing/mapper.rb +++ b/actionpack/lib/action_dispatch/routing/mapper.rb @@ -707,6 +707,10 @@ module ActionDispatch options[:path] = args.flatten.join('/') if args.any? options[:constraints] ||= {} + unless shallow? + options[:shallow_path] = options[:path] if args.any? + end + if options[:constraints].is_a?(Hash) defaults = options[:constraints].select do |k, v| URL_OPTIONS.include?(k) && (v.is_a?(String) || v.is_a?(Fixnum)) 
@@ -1369,7 +1373,7 @@ module ActionDispatch end def shallow - scope(:shallow => true, :shallow_path => @scope[:path]) do + scope(:shallow => true) do yield end end @@ -1490,6 +1494,13 @@ module ActionDispatch return true end + if options.delete(:shallow) + shallow do + send(method, resources.pop, options, &block) + end + return true + end + if resource_scope? nested { send(method, resources.pop, options, &block) } return true -- cgit v1.2.3 From b927d67decb9d4e5103b5991b7e26a4dab4eca92 Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Tue, 4 Feb 2014 09:31:48 -0800 Subject: Renamed session_serializer option to cookies_serializer --- actionpack/lib/action_dispatch.rb | 2 - .../lib/action_dispatch/middleware/cookies.rb | 45 ++++++++++++++-------- .../middleware/session/json_serializer.rb | 13 ------- .../middleware/session/marshal_serializer.rb | 14 ------- 4 files changed, 30 insertions(+), 44 deletions(-) delete mode 100644 actionpack/lib/action_dispatch/middleware/session/json_serializer.rb delete mode 100644 actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb index a56d827b1a..3dd2e2a45c 100644 --- a/actionpack/lib/action_dispatch.rb +++ b/actionpack/lib/action_dispatch.rb @@ -84,8 +84,6 @@ module ActionDispatch autoload :CookieStore, 'action_dispatch/middleware/session/cookie_store' autoload :MemCacheStore, 'action_dispatch/middleware/session/mem_cache_store' autoload :CacheStore, 'action_dispatch/middleware/session/cache_store' - autoload :JsonSerializer, 'action_dispatch/middleware/session/json_serializer' - autoload :MarshalSerializer, 'action_dispatch/middleware/session/marshal_serializer' end mattr_accessor :test_app diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 531654895b..7e8a395d93 100644 
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -89,7 +89,7 @@ module ActionDispatch ENCRYPTED_SIGNED_COOKIE_SALT = "action_dispatch.encrypted_signed_cookie_salt".freeze SECRET_TOKEN = "action_dispatch.secret_token".freeze SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze - SESSION_SERIALIZER = "action_dispatch.session_serializer".freeze + COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze # Cookies can typically store 4096 bytes. MAX_COOKIE_SIZE = 4096 @@ -212,7 +212,7 @@ module ActionDispatch secret_token: env[SECRET_TOKEN], secret_key_base: env[SECRET_KEY_BASE], upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?, - session_serializer: env[SESSION_SERIALIZER] + serializer: env[COOKIES_SERIALIZER] } end @@ -374,14 +374,40 @@ module ActionDispatch end end + class JsonSerializer + def self.load(value) + JSON.parse(value, quirks_mode: true) + end + + def self.dump(value) + JSON.generate(value, quirks_mode: true) + end + end + + module SerializedCookieJars + protected + def serializer + serializer = @options[:serializer] || :marshal + case serializer + when :marshal + Marshal + when :json + JsonSerializer + else + serializer + end + end + end + class SignedCookieJar #:nodoc: include ChainedCookieJars + include SerializedCookieJars def initialize(parent_jar, key_generator, options = {}) @parent_jar = parent_jar @options = options secret = key_generator.generate_key(@options[:signed_cookie_salt]) - @verifier = ActiveSupport::MessageVerifier.new(secret) + @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: serializer) end def [](name) @@ -426,6 +452,7 @@ module ActionDispatch class EncryptedCookieJar #:nodoc: include ChainedCookieJars + include SerializedCookieJars def initialize(parent_jar, key_generator, options = {}) if ActiveSupport::LegacyKeyGenerator === key_generator 
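Review bot: In `SerializedCookieJars#serializer` (hunk @@ -374,14 +374,40) the `else serializer` branch hands any unrecognised value straight to `MessageVerifier`, so a misspelled symbol such as `:jsno` is accepted silently and only fails later when `load` or `dump` is called on it. Rejecting unknown symbols before the `else`, e.g. `when Symbol then raise ArgumentError, "unknown cookies serializer: #{serializer.inspect}"`, turns the typo into a clear error instead of a NoMethodError on the first signed cookie. The method also deserves a comment stating that the default remains `Marshal`, because that means signed and encrypted cookie payloads are unmarshalled whenever the option is unset. Whether the renamed `action_dispatch.cookies_serializer` key is still populated for applications that configured the old name is not visible in this diff.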
@@ -464,18 +491,6 @@ module ActionDispatch rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage nil end - - def serializer - serializer = @options[:session_serializer] || :marshal - case serializer - when :marshal - ActionDispatch::Session::MarshalSerializer - when :json - ActionDispatch::Session::JsonSerializer - else - serializer - end - end end # UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore diff --git a/actionpack/lib/action_dispatch/middleware/session/json_serializer.rb b/actionpack/lib/action_dispatch/middleware/session/json_serializer.rb deleted file mode 100644 index d341853f7a..0000000000 --- a/actionpack/lib/action_dispatch/middleware/session/json_serializer.rb +++ /dev/null @@ -1,13 +0,0 @@ -module ActionDispatch - module Session - class JsonSerializer - def self.load(value) - JSON.parse(value, quirks_mode: true) - end - - def self.dump(value) - JSON.generate(value, quirks_mode: true) - end - end - end -end diff --git a/actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb b/actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb deleted file mode 100644 index 26622f682d..0000000000 --- a/actionpack/lib/action_dispatch/middleware/session/marshal_serializer.rb +++ /dev/null @@ -1,14 +0,0 @@ -module ActionDispatch - module Session - class MarshalSerializer - def self.load(value) - Marshal.load(value) - end - - def self.dump(value) - Marshal.dump(value) - end - end - end -end - -- cgit v1.2.3 From fafe8ece9d406cfbb197cc424baaa15a5772fae5 Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Wed, 5 Feb 2014 03:17:28 -0800 Subject: Added HybridSerializer to upgrade existing marshal cookies (wip: need tests) --- actionpack/lib/action_dispatch/middleware/cookies.rb | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'actionpack/lib') 
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 7e8a395d93..fa94f9c9e4 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -384,6 +384,18 @@ module ActionDispatch end end + class HybridSerializer < JsonSerializer + MARSHAL_SIGNATURE = "\x04\x08".freeze + + def self.load(value) + if value.start_with?(MARSHAL_SIGNATURE) + Marshal.load(value) + else + super + end + end + end + module SerializedCookieJars protected def serializer @@ -393,6 +405,8 @@ module ActionDispatch Marshal when :json JsonSerializer + when :hybrid + HybridSerializer else serializer end -- cgit v1.2.3 From a6ce984b49519de7701aa13d04300c9d03cf8f72 Mon Sep 17 00:00:00 2001 From: Guillermo Iguaran Date: Sat, 8 Feb 2014 23:56:40 -0500 Subject: Convert FlashHash in a Hash with indifferent access --- actionpack/lib/action_dispatch/middleware/flash.rb | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/flash.rb b/actionpack/lib/action_dispatch/middleware/flash.rb index 89003e7a5e..419bcb8a73 100644 --- a/actionpack/lib/action_dispatch/middleware/flash.rb +++ b/actionpack/lib/action_dispatch/middleware/flash.rb @@ -50,13 +50,14 @@ module ActionDispatch end def []=(k, v) + k = k.to_s @flash[k] = v @flash.discard(k) v end def [](k) - @flash[k] + @flash[k.to_s] end # Convenience accessor for flash.now[:alert]=. @@ -92,7 +93,7 @@ module ActionDispatch end def initialize(flashes = {}, discard = []) #:nodoc: - @discard = Set.new(discard) + @discard = Set.new(stringify_array(discard)) @flashes = flashes @now = nil end 
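Review bot: `HybridSerializer.load` (hunk @@ -384,6 +384,18) keeps `Marshal.load` reachable for any cookie value that begins with `"\x04\x08"`, and nothing on the class says so. It depends on the verifier or encryptor having authenticated the value before `load` runs, so for as long as `:hybrid` is configured the only thing between a cookie and object deserialization is the secret. The class should carry a comment along the lines of `# Transitional: still unmarshals legacy cookies after signature verification; switch to :json once old cookies have expired`. The same applies to `deserialize` in the later @@ -384,29 +384,48 hunk, which takes over this branch. The commit subject says tests are still missing; one case for a Marshal-prefixed value and one for a JSON value would pin the dispatch.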
@@ -106,16 +107,17 @@ module ActionDispatch end def []=(k, v) + k = k.to_s @discard.delete k @flashes[k] = v end def [](k) - @flashes[k] + @flashes[k.to_s] end def update(h) #:nodoc: - @discard.subtract h.keys + @discard.subtract stringify_array(h.keys) @flashes.update h self end @@ -129,6 +131,7 @@ module ActionDispatch end def delete(key) + key = key.to_s @discard.delete key @flashes.delete key self @@ -186,6 +189,7 @@ module ActionDispatch # flash.keep # keeps the entire flash # flash.keep(:notice) # keeps only the "notice" entry, the rest of the flash is discarded def keep(k = nil) + k = k.to_s if k @discard.subtract Array(k || keys) k ? self[k] : self end @@ -195,6 +199,7 @@ module ActionDispatch # flash.discard # discard the entire flash at the end of the current action # flash.discard(:warning) # discard only the "warning" entry at the end of the current action def discard(k = nil) + k = k.to_s if k @discard.merge Array(k || keys) k ? self[k] : self end @@ -231,6 +236,12 @@ module ActionDispatch def now_is_loaded? @now end + + def stringify_array(array) + array.map do |item| + item.kind_of?(Symbol) ? item.to_s : item + end + end end def initialize(app) -- cgit v1.2.3 From a668beffd64106a1e1fedb71cc25eaaa11baf0c1 Mon Sep 17 00:00:00 2001 From: Guillermo Iguaran Date: Sun, 9 Feb 2014 00:35:10 -0500 Subject: Stringify the incoming hash in FlashHash Stringify the incoming as well to handle incoming symbol keys from marshalled sessions --- actionpack/lib/action_dispatch/middleware/flash.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/flash.rb b/actionpack/lib/action_dispatch/middleware/flash.rb index 419bcb8a73..1e45a38e5f 100644 --- a/actionpack/lib/action_dispatch/middleware/flash.rb +++ b/actionpack/lib/action_dispatch/middleware/flash.rb 
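Review bot: `stringify_array` (hunk @@ -231,6 +236,12) converts only Symbols, while `[]=`, `[]`, `delete`, `keep` and `discard` in the same commit call `to_s` on every key, so the two normalisations disagree for any key that is neither a String nor a Symbol. An Integer key stored through `[]=` becomes `"1"`, but the same key arriving in the `discard` list passed to `initialize`, or in `h.keys` inside `update`, stays `1` and never matches. `array.map(&:to_s)` would make the helper agree with the accessors; if leaving other types untouched is deliberate, a comment on the helper should say why.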
@@ -1,3 +1,5 @@ +require 'active_support/core_ext/hash/keys' + module ActionDispatch class Request < Rack::Request # Access the contents of the flash. Use flash["notice"] to @@ -94,7 +96,7 @@ module ActionDispatch def initialize(flashes = {}, discard = []) #:nodoc: @discard = Set.new(stringify_array(discard)) - @flashes = flashes + @flashes = flashes.stringify_keys @now = nil end -- cgit v1.2.3 From ead947a3b2bc672b6064a6d0d33905d45299d22e Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Sun, 9 Feb 2014 01:12:11 -0800 Subject: Re-write legacy (marshal) cookies on read --- .../lib/action_dispatch/middleware/cookies.rb | 60 ++++++++++++++-------- 1 file changed, 40 insertions(+), 20 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index fa94f9c9e4..2af45d43bb 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb 
@@ -384,29 +384,48 @@ module ActionDispatch end end - class HybridSerializer < JsonSerializer - MARSHAL_SIGNATURE = "\x04\x08".freeze - + # Passing the NullSerializer downstream to the Message{Encryptor,Verifier} + # allows us to handle the (de)serialization step within the cookie jar, + # which gives us the opportunity to detect and migrate legacy cookies. + class NullSerializer def self.load(value) - if value.start_with?(MARSHAL_SIGNATURE) - Marshal.load(value) - else - super - end + value + end + + def self.dump(value) + value end end module SerializedCookieJars + MARSHAL_SIGNATURE = "\x04\x08".freeze + protected + def needs_migration?(value) + @options[:serializer] == :hybrid && value.start_with?(MARSHAL_SIGNATURE) + end + + def serialize(name, value) + serializer.dump(value) + end + + def deserialize(name, value) + if value + if needs_migration?(value) + self[name] = Marshal.load(value) + else + serializer.load(value) + end + end + end + def serializer serializer = @options[:serializer] || :marshal case serializer when :marshal Marshal - when :json + when :json, :hybrid JsonSerializer - when :hybrid - HybridSerializer else serializer end 
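Review bot: `deserialize` (hunk @@ -384,29 +384,48) calls `serializer.load(value)` with no error handling, so a value that verifies but does not parse raises out of `cookies.signed[...]` and `cookies.encrypted[...]`. Under `:json` that is exactly what a still-valid legacy cookie does: it begins with the Marshal signature, `needs_migration?` is false because the option is not `:hybrid`, and `JSON.parse` raises. The jars already map an invalid signature to `nil`; treating an unparseable payload the same way (for the built-in JSON serializer, a `rescue JSON::ParserError` that returns `nil`) would be consistent, or the behaviour should at least be documented on the method. `serialize` also accepts a `name` argument it never uses.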
@@ -421,21 +440,21 @@ module ActionDispatch @parent_jar = parent_jar @options = options secret = key_generator.generate_key(@options[:signed_cookie_salt]) - @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: serializer) + @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: NullSerializer) end def [](name) if signed_message = @parent_jar[name] - verify(signed_message) + deserialize name, verify(signed_message) end end def []=(name, options) if options.is_a?(Hash) options.symbolize_keys! - options[:value] = @verifier.generate(options[:value]) + options[:value] = @verifier.generate(serialize(name, options[:value])) else - options = { :value => @verifier.generate(options) } + options = { :value => @verifier.generate(serialize(name, options)) } end raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE @@ -459,7 +478,7 @@ module ActionDispatch def [](name) if signed_message = @parent_jar[name] - verify(signed_message) || verify_and_upgrade_legacy_signed_message(name, signed_message) + deserialize(name, verify(signed_message)) || verify_and_upgrade_legacy_signed_message(name, signed_message) end end end @@ -478,12 +497,12 @@ module ActionDispatch @options = options secret = key_generator.generate_key(@options[:encrypted_cookie_salt]) sign_secret = key_generator.generate_key(@options[:encrypted_signed_cookie_salt]) - @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: serializer) + @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: NullSerializer) end def [](name) if encrypted_message = @parent_jar[name] - decrypt_and_verify(encrypted_message) + deserialize name, decrypt_and_verify(encrypted_message) end end 
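Review bot: In the @@ -459,7 +478,7 hunk only the first operand of `||` goes through `deserialize`; the fallback `verify_and_upgrade_legacy_signed_message` still returns whatever `@legacy_verifier.verify` produces. The construction of `@legacy_verifier` is outside this diff, but if it keeps the default serializer, legacy-signed cookies are unmarshalled regardless of the configured `:serializer`, which is worth confirming and stating in a comment next to the fallback. The encrypted jar has the same shape in the @@ -516,7 +536,7 hunk. A cookie whose deserialized value is `false` or `nil` also falls through to the legacy check because of the `||`.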
@@ -493,7 +512,8 @@ module ActionDispatch else options = { :value => options } end - options[:value] = @encryptor.encrypt_and_sign(options[:value]) + + options[:value] = @encryptor.encrypt_and_sign(serialize(name, options[:value])) raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE @parent_jar[name] = options @@ -516,7 +536,7 @@ module ActionDispatch def [](name) if encrypted_or_signed_message = @parent_jar[name] - decrypt_and_verify(encrypted_or_signed_message) || verify_and_upgrade_legacy_signed_message(name, encrypted_or_signed_message) + deserialize(name, decrypt_and_verify(encrypted_or_signed_message)) || verify_and_upgrade_legacy_signed_message(name, encrypted_or_signed_message) end end end -- cgit v1.2.3 From b97e087321f33283d836c5b5964976c88230349a Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Tue, 11 Feb 2014 00:38:36 -0800 Subject: Fixed broken flash tests --- actionpack/lib/action_dispatch/middleware/flash.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/flash.rb b/actionpack/lib/action_dispatch/middleware/flash.rb index 1e45a38e5f..b82f0f0825 100644 --- a/actionpack/lib/action_dispatch/middleware/flash.rb +++ b/actionpack/lib/action_dispatch/middleware/flash.rb @@ -120,7 +120,7 @@ module ActionDispatch def update(h) #:nodoc: @discard.subtract stringify_array(h.keys) - @flashes.update h + @flashes.update h.stringify_keys self end -- cgit v1.2.3 From 9fc7a6fcedd3adc820d9d481d9362313c356747b Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Tue, 11 Feb 2014 00:43:37 -0800 Subject: Missed FlashHash#replace --- actionpack/lib/action_dispatch/middleware/flash.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/flash.rb b/actionpack/lib/action_dispatch/middleware/flash.rb index b82f0f0825..4821d2a899 100644 --- a/actionpack/lib/action_dispatch/middleware/flash.rb 
+++ b/actionpack/lib/action_dispatch/middleware/flash.rb @@ -160,7 +160,7 @@ module ActionDispatch def replace(h) #:nodoc: @discard.clear - @flashes.replace h + @flashes.replace h.stringify_keys self end -- cgit v1.2.3 From 7a3ef9842b3cbfe6dbe14700086824d163ce4d51 Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Tue, 11 Feb 2014 02:55:48 -0800 Subject: Migrate hash-based cookie values correctly --- actionpack/lib/action_dispatch/middleware/cookies.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 2af45d43bb..31341dba63 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -181,7 +181,7 @@ module ActionDispatch def verify_and_upgrade_legacy_signed_message(name, signed_message) @legacy_verifier.verify(signed_message).tap do |value| - self[name] = value + self[name] = { value: value } end rescue ActiveSupport::MessageVerifier::InvalidSignature nil @@ -412,7 +412,9 @@ module ActionDispatch def deserialize(name, value) if value if needs_migration?(value) - self[name] = Marshal.load(value) + Marshal.load(value).tap do |value| + self[name] = { value: value } + end else serializer.load(value) end -- cgit v1.2.3 From dafc0eef4dd3393864e7b28bf74c8e7834083d60 Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Tue, 11 Feb 2014 03:56:35 -0800 Subject: rm warning about variable shadowing --- actionpack/lib/action_dispatch/middleware/cookies.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 31341dba63..18e64704f6 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb 
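Review bot: The rewrite `self[name] = { value: value }` in the @@ -181,7 +181,7 hunk, and the matching one inside `deserialize` in @@ -412,7 +412,9, re-issues the cookie with a value and nothing else, so any `expires`, `secure`, `httponly`, `domain` or `path` the application set when it first wrote the cookie is not carried over. The request does not contain those attributes, so they cannot be recovered at this point, but the consequence should be documented: an upgraded cookie goes out with whatever defaults the parent jar applies until the application writes it again. A comment such as `# NOTE: the upgrade re-sets the cookie with default options; original expiry and flags are not preserved` on both call sites would do.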
@@ -412,8 +412,8 @@ module ActionDispatch def deserialize(name, value) if value if needs_migration?(value) - Marshal.load(value).tap do |value| - self[name] = { value: value } + Marshal.load(value).tap do |v| + self[name] = { value: v } end else serializer.load(value) -- cgit v1.2.3 From f9b6b865e60ea770cc34e9946f6df1604f20dd27 Mon Sep 17 00:00:00 2001 From: Lukasz Strzalkowski Date: Thu, 13 Feb 2014 15:59:09 +0100 Subject: Variant negotiation Allow setting `request.variant` as an array - an order in which they will be rendered. For example: request.variant = [:tablet, :phone] respond_to do |format| format.html.none format.html.phone # this gets rendered end --- .../lib/action_controller/metal/mime_responds.rb | 28 +++++++++++++++------- .../lib/action_dispatch/http/mime_negotiation.rb | 6 +++-- 2 files changed, 24 insertions(+), 10 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/metal/mime_responds.rb b/actionpack/lib/action_controller/metal/mime_responds.rb index d5e08b7034..c8076af0c8 100644 --- a/actionpack/lib/action_controller/metal/mime_responds.rb +++ b/actionpack/lib/action_controller/metal/mime_responds.rb @@ -236,6 +236,18 @@ module ActionController #:nodoc: # end # end # + # You can also set an array of variants: + # + # request.variant = [:tablet, :phone] + # + # which will work similarly to formats and MIME types negotiation. If there will be no + # :tablet variant declared, :phone variant will be picked: + # + # respond_to do |format| + # format.html.none + # format.html.phone # this gets rendered + # end + # # Be sure to check the documentation of +respond_with+ and # ActionController::MimeResponds.respond_to for more examples. def respond_to(*mimes, &block) 
@@ -488,7 +500,7 @@ module ActionController #:nodoc: response else # `format.html{ |variant| variant.phone }` - variant block syntax variant_collector = VariantCollector.new(@variant) - response.call(variant_collector) #call format block with variants collector + response.call(variant_collector) # call format block with variants collector variant_collector.variant end end @@ -519,15 +531,15 @@ module ActionController #:nodoc: end def variant - key = if @variant.nil? - :none - elsif @variants.has_key?(@variant) - @variant + if @variant.nil? + @variants[:none] + elsif (@variants.keys & @variant).any? + @variant.each do |v| + return @variants[v] if @variants.key?(v) + end else - :any + @variants[:any] end - - @variants[key] end end end diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb index c33ba201e1..b75d7ffe9d 100644 --- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb +++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb @@ -68,10 +68,12 @@ module ActionDispatch # Sets the \variant for template. def variant=(variant) - if variant.is_a? Symbol + if variant.is_a?(Symbol) + @variant = [variant] + elsif variant.is_a?(Array) @variant = variant else - raise ArgumentError, "request.variant must be set to a Symbol, not a #{variant.class}. " \ + raise ArgumentError, "request.variant must be set to a Symbol or Array, not a #{variant.class}. " \ "For security reasons, never directly set the variant to a user-provided value, " \ "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \ "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'" -- cgit v1.2.3 From 00a4af9ab7e2008fe4e1a0cb1f31109a231d7279 Mon Sep 17 00:00:00 2001 
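Review bot: The `elsif` branch of `variant` (hunk @@ -519,15 +531,15) scans the requested variants twice, once with `(@variants.keys & @variant).any?` and again in the `each` loop, and it leaves the method through a `return` inside the block while the other branches rely on the implicit value. A single lookup reads more directly: `elsif (key = @variant.find { |v| @variants.key?(v) })` followed by `@variants[key]`. That also removes the path where `each` could run to completion and yield the `@variant` array itself, which the intersection guard currently prevents only indirectly.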
From: =?UTF-8?q?=C5=81ukasz=20Strza=C5=82kowski?= Date: Thu, 13 Feb 2014 18:05:55 +0100 Subject: Check if variant array contains only symbols --- actionpack/lib/action_dispatch/http/mime_negotiation.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb index b75d7ffe9d..b803ce8b6f 100644 --- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb +++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb @@ -70,10 +70,10 @@ module ActionDispatch def variant=(variant) if variant.is_a?(Symbol) @variant = [variant] - elsif variant.is_a?(Array) + elsif variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) } @variant = variant else - raise ArgumentError, "request.variant must be set to a Symbol or Array, not a #{variant.class}. " \ + raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \ "For security reasons, never directly set the variant to a user-provided value, " \ "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \ "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'" -- cgit v1.2.3 From bfc34fc0050ce61650701676dd45553aa82214c0 Mon Sep 17 00:00:00 2001 From: David Heinemeier Hansson Date: Thu, 13 Feb 2014 20:38:33 +0100 Subject: No variant should also be picked up by variant.any if variant.none is not defined (just like any other variant) --- actionpack/lib/action_controller/metal/mime_responds.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/metal/mime_responds.rb b/actionpack/lib/action_controller/metal/mime_responds.rb index c8076af0c8..1974bbf529 100644 --- a/actionpack/lib/action_controller/metal/mime_responds.rb 
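Review bot: The Array branch in the mime_negotiation.rb hunk (@@ -70,10 +70,10) validates the elements and then stores the caller's array itself, so the Symbol check holds only until that array is mutated elsewhere; `@variant = variant.dup` keeps the validated contents. The error message interpolates `variant.class`, which for an empty array or an array of strings prints "not a Array" immediately after saying that an Array of Symbols is accepted. A separate message for the rejected-array case would make the failure easier to act on. The method continues outside the hunk.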
+++ b/actionpack/lib/action_controller/metal/mime_responds.rb @@ -532,7 +532,7 @@ module ActionController #:nodoc: def variant if @variant.nil? - @variants[:none] + @variants[:none] || @variants[:any] elsif (@variants.keys & @variant).any? @variant.each do |v| return @variants[v] if @variants.key?(v) -- cgit v1.2.3