Merge branch 'master' of git@github.com:rails/rails

actionmailer/CHANGELOG

@@ -1,4 +1,4 @@
-*SVN*
+*2.1.0 RC1 (May 11th, 2008)*
 
 * Fixed that a return-path header would be ignored #7572 [joost]
 

actionmailer/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2007 David Heinemeier Hansson
+Copyright (c) 2004-2008 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

actionmailer/Rakefile

@@ -55,7 +55,7 @@ spec = Gem::Specification.new do |s|
   s.rubyforge_project = "actionmailer"
   s.homepage = "http://www.rubyonrails.org"
 
-  s.add_dependency('actionpack', '= 2.0.2' + PKG_BUILD)
+  s.add_dependency('actionpack', '= 2.0.991' + PKG_BUILD)
 
   s.has_rdoc = true
   s.requirements << 'none'

actionmailer/lib/action_mailer.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

actionmailer/lib/action_mailer/version.rb

@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 0
-    TINY  = 2
+    TINY  = 991
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

actionpack/CHANGELOG

@@ -1,4 +1,8 @@
-*SVN*
+*2.1.0 RC1 (May 11th, 2008)*
+
+* Fixed that forgery protection can be used without session tracking (Peter Jones) [#139]
+
+* Added session(:on) to turn session management back on in a controller subclass if the superclass turned it off (Peter Jones) [#136]
 
 * Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [rick]
 * InstanceTag#default_time_from_options with hash args uses Time.current as default; respects hash settings when time falls in system local spring DST gap [Geoff Buesing]

actionpack/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2007 David Heinemeier Hansson
+Copyright (c) 2004-2008 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

actionpack/Rakefile

@@ -76,7 +76,7 @@ spec = Gem::Specification.new do |s|
   s.has_rdoc = true
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.0.2' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.0.991' + PKG_BUILD)
 
   s.require_path = 'lib'
   s.autorequire = 'action_controller'

actionpack/lib/action_controller.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

actionpack/lib/action_controller/cgi_ext/cookie.rb

@@ -37,7 +37,7 @@ def initialize(name = '', *value)
         @path = nil
       else
         @name = name['name']
-        @value = Array(name['value'])
+        @value = name['value'].kind_of?(String) ? [name['value']] : Array(name['value'])
         @domain = name['domain']
         @expires = name['expires']
         @secure = name['secure'] || false

actionpack/lib/action_controller/flash.rb

@@ -28,7 +28,6 @@ def self.included(base)
       base.class_eval do
         include InstanceMethods
         alias_method_chain :assign_shortcuts, :flash
-        alias_method_chain :process_cleanup,  :flash
         alias_method_chain :reset_session,    :flash
       end
     end
@@ -166,11 +165,7 @@ def flash(refresh = false) #:doc:
         def assign_shortcuts_with_flash(request, response) #:nodoc:
           assign_shortcuts_without_flash(request, response)
           flash(:refresh)
-        end
-
-        def process_cleanup_with_flash
-          flash.sweep if @_session
-          process_cleanup_without_flash
+          flash.sweep if @_session && !component_request?
         end
     end
   end

actionpack/lib/action_controller/request_forgery_protection.rb

@@ -105,12 +105,12 @@ def verifiable_request_format?
       # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
       # in +protect_from_forgery+ to add a custom salt to the hash.
       def form_authenticity_token
-        @form_authenticity_token ||= if request_forgery_protection_options[:secret]
+        @form_authenticity_token ||= if !session.respond_to?(:session_id)
+          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
+        elsif request_forgery_protection_options[:secret]
           authenticity_token_from_session_id
         elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
           authenticity_token_from_cookie_session
-        elsif session.nil?
-          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
         else
           raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
         end

actionpack/lib/action_controller/rescue.rb

@@ -199,10 +199,8 @@ def rescue_action_with_handler(exception)
     private
       def perform_action_with_rescue #:nodoc:
         perform_action_without_rescue
-      rescue Exception => exception  # errors from action performed
-        return if rescue_action_with_handler(exception)
-
-        rescue_action(exception)
+      rescue Exception => exception
+        rescue_action_with_handler(exception) || rescue_action(exception)
       end
 
       def rescues_path(template_name)

actionpack/lib/action_controller/session/cookie_store.rb

@@ -130,17 +130,20 @@ def generate_digest(data)
     # Marshal a session hash into safe cookie data. Include an integrity hash.
     def marshal(session)
       data = ActiveSupport::Base64.encode64(Marshal.dump(session)).chop
-      CGI.escape "#{data}--#{generate_digest(data)}"
+      "#{data}--#{generate_digest(data)}"
     end
 
     # Unmarshal cookie data to a hash and verify its integrity.
     def unmarshal(cookie)
       if cookie
-        data, digest = CGI.unescape(cookie).split('--')
-        unless digest == generate_digest(data)
+        data, digest = cookie.split('--')
+
+        # Do two checks to transparently support old double-escaped data.
+        unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data))
           delete
           raise TamperedWithCookie
         end
+
         Marshal.load(ActiveSupport::Base64.decode64(data))
       end
     end

actionpack/lib/action_controller/session_management.rb

@@ -69,11 +69,16 @@ def session_options
       #   session :off, 
       #     :if => Proc.new { |req| !(req.format.html? || req.format.js?) }
       #
+      #   # turn the session back on, useful when it was turned off in the
+      #   # application controller, and you need it on in another controller
+      #   session :on
+      #
       # All session options described for ActionController::Base.process_cgi
       # are valid arguments.
       def session(*args)
         options = args.extract_options!
 
+        options[:disabled] = false if args.delete(:on)
         options[:disabled] = true if !args.empty?
         options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only]
         options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except]

actionpack/lib/action_pack.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

actionpack/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 0
-    TINY  = 2
+    TINY  = 991
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

actionpack/lib/action_view.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

actionpack/lib/action_view/helpers/javascripts/controls.js

@@ -1,4 +1,4 @@
-// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
+// Copyright (c) 2005-2008 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
 //           (c) 2005-2007 Ivan Krstic (http://blogs.law.harvard.edu/ivan)
 //           (c) 2005-2007 Jon Tirsen (http://www.tirsen.com)
 // Contributors:

actionpack/lib/action_view/helpers/javascripts/dragdrop.js

@@ -1,4 +1,4 @@
-// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
+// Copyright (c) 2005-2008 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
 //           (c) 2005-2007 Sammi Williams (http://www.oriontransfer.co.nz, sammi@oriontransfer.co.nz)
 // 
 // script.aculo.us is freely distributable under the terms of an MIT-style license.

actionpack/lib/action_view/helpers/javascripts/effects.js

@@ -1,4 +1,4 @@
-// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
+// Copyright (c) 2005-2008 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
 // Contributors:
 //  Justin Palmer (http://encytemedia.com/)
 //  Mark Pilgrim (http://diveintomark.org/)

actionpack/lib/action_view/helpers/sanitize_helper.rb

@@ -48,6 +48,11 @@ def self.included(base)
       #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
       #   end
       # 
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid (conforming to a document type) or even well-formed.
+      # The output may still contain e.g. unescaped '<', '>', '&' characters and
+      # confuse browsers.
+      #
       def sanitize(html, options = {})
         self.class.white_list_sanitizer.sanitize(html, options)
       end

actionpack/test/controller/cookie_test.rb

@@ -137,4 +137,9 @@ def test_cookies_should_not_be_split_on_ampersand_values
     cookies = CGI::Cookie.parse('return_to=http://rubyonrails.org/search?term=api&scope=all&global=true')
     assert_equal({"return_to" => ["http://rubyonrails.org/search?term=api&scope=all&global=true"]}, cookies)
   end
+
+  def test_cookies_should_not_be_split_on_values_with_newlines
+    cookies = CGI::Cookie.new("name" => "val", "value" => "this\nis\na\ntest")
+    assert cookies.size == 1
+  end
 end

actionpack/test/controller/request_forgery_protection_test.rb

@@ -50,6 +50,14 @@ class CsrfCookieMonsterController < ActionController::Base
   protect_from_forgery :only => :index
 end
 
+# sessions are turned off
+class SessionOffController < ActionController::Base
+  protect_from_forgery :secret => 'foobar'
+  session :off
+  def rescue_action(e) raise e end
+  include RequestForgeryProtectionActions
+end
+
 class FreeCookieController < CsrfCookieMonsterController
   self.allow_forgery_protection = false
 
@@ -287,3 +295,19 @@ def test_should_allow_all_methods_without_token
     end
   end
 end
+
+class SessionOffControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = SessionOffController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    @token      = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+  end
+
+  def test_should_raise_correct_exception
+    @request.session = {} # session(:off) doesn't appear to work with controller tests
+    assert_raises(ActionController::InvalidAuthenticityToken) do
+      post :index, :authenticity_token => @token
+    end
+  end
+end

actionpack/test/controller/session/cookie_store_test.rb

@@ -43,7 +43,9 @@ def self.cookies
     { :empty => ['BAgw--0686dcaccc01040f4bd4f35fe160afe9bc04c330', {}],
       :a_one => ['BAh7BiIGYWkG--5689059497d7f122a7119f171aef81dcfd807fec', { 'a' => 1 }],
       :typical => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7BiILbm90aWNlIgxIZXkgbm93--9d20154623b9eeea05c62ab819be0e2483238759', { 'user_id' => 123, 'flash' => { 'notice' => 'Hey now' }}],
-      :flashed => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA%3D%3D--bf9785a666d3c4ac09f7fe3353496b437546cfbf', { 'user_id' => 123, 'flash' => {} }] }
+      :flashed => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA==--bf9785a666d3c4ac09f7fe3353496b437546cfbf', { 'user_id' => 123, 'flash' => {} }],
+      :double_escaped => [CGI.escape('BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA%3D%3D--bf9785a666d3c4ac09f7fe3353496b437546cfbf'), { 'user_id' => 123, 'flash' => {} }] }
+
   end
 
   def setup
@@ -101,6 +103,15 @@ def test_restore_deletes_tampered_cookies
     end
   end
 
+  def test_restores_double_encoded_cookies
+    set_cookie! cookie_value(:double_escaped)
+    new_session do |session|
+      session.dbman.restore
+      assert_equal session["user_id"], 123
+      assert_equal session["flash"], {}
+    end
+  end
+
   def test_close_doesnt_write_cookie_if_data_is_blank
     new_session do |session|
       assert_no_cookies session
@@ -241,6 +252,7 @@ def self.cookies
     { :empty => ['BAgw--0415cc0be9579b14afc22ee2d341aa21', {}],
       :a_one => ['BAh7BiIGYWkG--5a0ed962089cc6600ff44168a5d59bc8', { 'a' => 1 }],
       :typical => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7BiILbm90aWNlIgxIZXkgbm93--f426763f6ef435b3738b493600db8d64', { 'user_id' => 123, 'flash' => { 'notice' => 'Hey now' }}],
-      :flashed => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA%3D%3D--0af9156650dab044a53a91a4ddec2c51', { 'user_id' => 123, 'flash' => {} }] }
+      :flashed => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA==--0af9156650dab044a53a91a4ddec2c51', { 'user_id' => 123, 'flash' => {} }],
+      :double_escaped => [CGI.escape('BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA%3D%3D--0af9156650dab044a53a91a4ddec2c51'), { 'user_id' => 123, 'flash' => {} }] }
   end
 end

actionpack/test/controller/session_management_test.rb

@@ -13,6 +13,19 @@ def tell
     end
   end
 
+  class SessionOffOnController < ActionController::Base
+    session :off
+    session :on, :only => :tell
+
+    def show
+      render :text => "done"
+    end
+
+    def tell
+      render :text => "done"
+    end
+  end
+
   class TestController < ActionController::Base
     session :off, :only => :show
     session :session_secure => true, :except => :show
@@ -100,6 +113,15 @@ def test_session_off_globally
     assert_equal false, @request.session_options
   end
 
+  def test_session_off_then_on_globally
+    @controller = SessionOffOnController.new
+    get :show
+    assert_equal false, @request.session_options
+    get :tell
+    assert_instance_of Hash, @request.session_options
+    assert_equal false, @request.session_options[:disabled]
+  end
+
   def test_session_off_conditionally
     @controller = TestController.new
     get :show

actionpack/test/controller/test_test.rb

@@ -12,6 +12,11 @@ def set_flash
       render :text => 'ignore me'
     end
 
+    def set_flash_now
+      flash.now["test_now"] = ">#{flash["test_now"]}<"
+      render :text => 'ignore me'
+    end
+
     def set_session
       session['string'] = 'A wonder'
       session[:symbol] = 'it works'
@@ -145,6 +150,11 @@ def test_process_with_flash
     assert_equal '>value<', flash['test']
   end
 
+  def test_process_with_flash_now
+    process :set_flash_now, nil, nil, { "test_now" => "value_now" }
+    assert_equal '>value_now<', flash['test_now']
+  end
+
   def test_process_with_session
     process :set_session
     assert_equal 'A wonder', session['string'], "A value stored in the session should be available by string key"

activerecord/CHANGELOG

@@ -1,4 +1,8 @@
-*SVN*
+*2.1.0 RC1 (May 11th, 2008)*
+
+* Ensure hm:t preloading honours reflection options. Resolves #137. [Frederick Cheung]
+
+* Added protection against duplicate migration names (Aslak Hellesøy) [#112]
 
 * Base#instantiate_time_object: eliminate check for Time.zone, since we can assume this is set if time_zone_aware_attributes is set to true [Geoff Buesing]
 

activerecord/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2007 David Heinemeier Hansson
+Copyright (c) 2004-2008 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

activerecord/Rakefile

@@ -171,7 +171,7 @@ spec = Gem::Specification.new do |s|
     s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
   end
 
-  s.add_dependency('activesupport', '= 2.0.2' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.0.991' + PKG_BUILD)
 
   s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
   s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"

activerecord/lib/active_record.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2007 David Heinemeier Hansson
+# Copyright (c) 2004-2008 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the