Merge branch 'master' of git://github.com/rails/rails

Author: methodmissing

actionmailer/CHANGELOG

@@ -1,10 +1,7 @@
-*2.3.1 [RC2] (March 5, 2009)*
+*2.3.2 [Final] (March 15, 2009)*
 
 * Fixed that ActionMailer should send correctly formatted Return-Path in MAIL FROM for SMTP #1842 [Matt Jones]
 
-
-*2.3.0 [RC1] (February 1st, 2009)*
-
 * Fixed RFC-2045 quoted-printable bug #1421 [squadette]
 
 * Fixed that no body charset would be set when there are attachments present #740 [Paweł Kondzior]

actionmailer/Rakefile

@@ -55,7 +55,7 @@ spec = Gem::Specification.new do |s|
   s.rubyforge_project = "actionmailer"
   s.homepage = "http://www.rubyonrails.org"
 
-  s.add_dependency('actionpack', '= 2.3.1' + PKG_BUILD)
+  s.add_dependency('actionpack', '= 2.3.2' + PKG_BUILD)
 
   s.has_rdoc = true
   s.requirements << 'none'

actionmailer/lib/action_mailer/version.rb

@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 1
+    TINY  = 2
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

actionpack/CHANGELOG

@@ -1,4 +1,4 @@
-*2.3.1 [RC2] (March 5, 2009)*
+*2.3.2 [Final] (March 15, 2009)*
 
 * Fixed that redirection would just log the options, not the final url (which lead to "Redirected to #<Post:0x23150b8>") [DHH]
 
@@ -14,9 +14,6 @@
 
 * Added localized rescue template when I18n.locale is set (ex: public/404.da.html) #1835 [José Valim]
 
-
-*2.3.0 [RC1] (February 1st, 2009)*
-
 * Make the form_for and fields_for helpers support the new Active Record nested update options.  #1202 [Eloy Duran]
 
 		<% form_for @person do |person_form| %>

actionpack/Rakefile

@@ -80,7 +80,7 @@ spec = Gem::Specification.new do |s|
   s.has_rdoc = true
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.3.1' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.2' + PKG_BUILD)
 
   s.require_path = 'lib'
   s.autorequire = 'action_controller'

actionpack/lib/action_controller/http_authentication.rb

@@ -68,8 +68,11 @@ module HttpAuthentication
     #
     # Simple Digest example:
     #
+    #   require 'digest/md5'
     #   class PostsController < ApplicationController
-    #     USERS = {"dhh" => "secret"}
+    #     REALM = "SuperSecret"
+    #     USERS = {"dhh" => "secret", #plain text password
+    #              "dap" => Digest:MD5::hexdigest(["dap",REALM,"secret"].join(":"))  #ha1 digest password
     #
     #     before_filter :authenticate, :except => [:index]
     #
@@ -83,14 +86,18 @@ module HttpAuthentication
     #
     #     private
     #       def authenticate
-    #         authenticate_or_request_with_http_digest(realm) do |username|
+    #         authenticate_or_request_with_http_digest(REALM) do |username|
     #           USERS[username]
     #         end
     #       end
     #   end
     #
-    # NOTE: The +authenticate_or_request_with_http_digest+ block must return the user's password so the framework can appropriately
-    #       hash it to check the user's credentials. Returning +nil+ will cause authentication to fail.
+    # NOTE: The +authenticate_or_request_with_http_digest+ block must return the user's password or the ha1 digest hash so the framework can appropriately
+    #       hash to check the user's credentials. Returning +nil+ will cause authentication to fail.
+    #       Storing the ha1 hash: MD5(username:realm:password), is better than storing a plain password. If
+    #       the password file or database is compromised, the attacker would be able to use the ha1 hash to
+    #       authenticate as the user at this +realm+, but would not have the user's password to try using at
+    #       other sites.
     #
     # On shared hosts, Apache sometimes doesn't pass authentication headers to
     # FCGI instances. If your environment matches this description and you cannot
@@ -177,26 +184,37 @@ def authorization(request)
       end
 
       # Raises error unless the request credentials response value matches the expected value.
+      # First try the password as a ha1 digest password. If this fails, then try it as a plain
+      # text password.
       def validate_digest_response(request, realm, &password_procedure)
         credentials = decode_credentials_header(request)
         valid_nonce = validate_nonce(request, credentials[:nonce])
 
-        if valid_nonce && realm == credentials[:realm] && opaque(request.session.session_id) == credentials[:opaque]
+        if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
-          expected = expected_response(request.env['REQUEST_METHOD'], credentials[:uri], credentials, password)
-          expected == credentials[:response]
+
+         [true, false].any? do |password_is_ha1|
+           expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
+           expected == credentials[:response]
+         end
         end
       end
 
       # Returns the expected response for a request of +http_method+ to +uri+ with the decoded +credentials+ and the expected +password+
-      def expected_response(http_method, uri, credentials, password)
-        ha1 = ::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(':'))
+      # Optional parameter +password_is_ha1+ is set to +true+ by default, since best practice is to store ha1 digest instead
+      # of a plain-text password.
+      def expected_response(http_method, uri, credentials, password, password_is_ha1=true)
+        ha1 = password_is_ha1 ? password : ha1(credentials, password)
         ha2 = ::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(':'))
         ::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(':'))
       end
 
-      def encode_credentials(http_method, credentials, password)
-        credentials[:response] = expected_response(http_method, credentials[:uri], credentials, password)
+      def ha1(credentials, password)
+        ::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(':'))
+      end
+
+      def encode_credentials(http_method, credentials, password, password_is_ha1)
+        credentials[:response] = expected_response(http_method, credentials[:uri], credentials, password, password_is_ha1)
         "Digest " + credentials.sort_by {|x| x[0].to_s }.inject([]) {|a, v| a << "#{v[0]}='#{v[1]}'" }.join(', ')
       end
 
@@ -213,8 +231,7 @@ def decode_credentials(header)
       end
 
       def authentication_header(controller, realm)
-        session_id = controller.request.session.session_id
-        controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce(session_id)}", opaque="#{opaque(session_id)}")
+        controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}")
       end
 
       def authentication_request(controller, realm, message = nil)
@@ -252,23 +269,36 @@ def authentication_request(controller, realm, message = nil)
       # POST or PUT requests and a time-stamp for GET requests. For more details on the issues involved see Section 4
       # of this document.
       #
-      # The nonce is opaque to the client.
-      def nonce(session_id, time = Time.now)
+      # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
+      # key from the Rails session secret generated upon creation of project. Ensures
+      # the time cannot be modifed by client.
+      def nonce(time = Time.now)
         t = time.to_i
-        hashed = [t, session_id]
+        hashed = [t, secret_key]
         digest = ::Digest::MD5.hexdigest(hashed.join(":"))
         Base64.encode64("#{t}:#{digest}").gsub("\n", '')
       end
 
-      def validate_nonce(request, value)
+      # Might want a shorter timeout depending on whether the request
+      # is a PUT or POST, and if client is browser or web service.
+      # Can be much shorter if the Stale directive is implemented. This would
+      # allow a user to use new nonce without prompting user again for their
+      # username and password.
+      def validate_nonce(request, value, seconds_to_timeout=5*60)
         t = Base64.decode64(value).split(":").first.to_i
-        nonce(request.session.session_id, t) == value && (t - Time.now.to_i).abs <= 10 * 60
+        nonce(t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
       end
 
-      # Opaque based on digest of session_id
-      def opaque(session_id)
-        Base64.encode64(::Digest::MD5::hexdigest(session_id)).gsub("\n", '')
+      # Opaque based on random generation - but changing each request?
+      def opaque()
+        ::Digest::MD5.hexdigest(secret_key)
       end
+
+      # Set in /initializers/session_store.rb, and loaded even if sessions are not in use.
+      def secret_key
+        ActionController::Base.session_options[:secret]
+      end
+
     end
   end
 end

actionpack/lib/action_controller/integration.rb

@@ -5,7 +5,7 @@
 module ActionController
   module Integration #:nodoc:
     # An integration Session instance represents a set of requests and responses
-    # performed sequentially by some virtual user. Becase you can instantiate
+    # performed sequentially by some virtual user. Because you can instantiate
     # multiple sessions and run them side-by-side, you can also mimic (to some
     # limited extent) multiple simultaneous users interacting with your system.
     #

actionpack/lib/action_controller/polymorphic_routes.rb

@@ -163,15 +163,18 @@ def build_named_route_call(records, namespace, inflection, options = {})
             if parent.is_a?(Symbol) || parent.is_a?(String)
               string << "#{parent}_"
             else
-              string << "#{RecordIdentifier.__send__("singular_class_name", parent)}_"
+              string << "#{RecordIdentifier.__send__("plural_class_name", parent)}".singularize
+              string << "_"
             end
           end
         end
 
         if record.is_a?(Symbol) || record.is_a?(String)
           route << "#{record}_"
         else
-          route << "#{RecordIdentifier.__send__("#{inflection}_class_name", record)}_"
+          route << "#{RecordIdentifier.__send__("plural_class_name", record)}"
+          route = route.singularize if inflection == :singular
+          route << "_"
         end
 
         action_prefix(options) + namespace + route + routing_type(options).to_s

actionpack/lib/action_controller/resources.rb

@@ -630,7 +630,7 @@ def map_member_actions(map, resource)
               action_path = resource.options[:path_names][action] if resource.options[:path_names].is_a?(Hash)
               action_path ||= Base.resources_path_names[action] || action
 
-              map_resource_routes(map, resource, action, "#{resource.member_path}#{resource.action_separator}#{action_path}", "#{action}_#{resource.shallow_name_prefix}#{resource.singular}", m)
+              map_resource_routes(map, resource, action, "#{resource.member_path}#{resource.action_separator}#{action_path}", "#{action}_#{resource.shallow_name_prefix}#{resource.singular}", m, { :force_id => true })
             end
           end
         end
@@ -641,9 +641,9 @@ def map_member_actions(map, resource)
         map_resource_routes(map, resource, :destroy, resource.member_path, route_path)
       end
 
-      def map_resource_routes(map, resource, action, route_path, route_name = nil, method = nil)
+      def map_resource_routes(map, resource, action, route_path, route_name = nil, method = nil, resource_options = {} )
         if resource.has_action?(action)
-          action_options = action_options_for(action, resource, method)
+          action_options = action_options_for(action, resource, method, resource_options)
           formatted_route_path = "#{route_path}.:format"
 
           if route_name && @set.named_routes[route_name.to_sym].nil?
@@ -660,22 +660,18 @@ def add_conditions_for(conditions, method)
         end
       end
 
-      def action_options_for(action, resource, method = nil)
+      def action_options_for(action, resource, method = nil, resource_options = {})
         default_options = { :action => action.to_s }
         require_id = !resource.kind_of?(SingletonResource)
+        force_id = resource_options[:force_id] && !resource.kind_of?(SingletonResource)
 
         case default_options[:action]
           when "index", "new"; default_options.merge(add_conditions_for(resource.conditions, method || :get)).merge(resource.requirements)
           when "create";       default_options.merge(add_conditions_for(resource.conditions, method || :post)).merge(resource.requirements)
           when "show", "edit"; default_options.merge(add_conditions_for(resource.conditions, method || :get)).merge(resource.requirements(require_id))
           when "update";       default_options.merge(add_conditions_for(resource.conditions, method || :put)).merge(resource.requirements(require_id))
           when "destroy";      default_options.merge(add_conditions_for(resource.conditions, method || :delete)).merge(resource.requirements(require_id))
-          else
-              if method.nil? || resource.member_methods.nil? || resource.member_methods[method.to_sym].nil?
-                default_options.merge(add_conditions_for(resource.conditions, method)).merge(resource.requirements)
-              else                 
-                resource.member_methods[method.to_sym].include?(action) ? default_options.merge(add_conditions_for(resource.conditions, method)).merge(resource.requirements(require_id)) : default_options.merge(add_conditions_for(resource.conditions, method)).merge(resource.requirements)
-              end
+          else                 default_options.merge(add_conditions_for(resource.conditions, method)).merge(resource.requirements(force_id))
         end
       end
   end

actionpack/lib/action_controller/vendor/rack-1.0/rack.rb

@@ -23,11 +23,12 @@ def self.version
 
   # Return the Rack release as a dotted string.
   def self.release
-    "0.4"
+    "1.0 bundled"
   end
 
   autoload :Builder, "rack/builder"
   autoload :Cascade, "rack/cascade"
+  autoload :Chunked, "rack/chunked"
   autoload :CommonLogger, "rack/commonlogger"
   autoload :ConditionalGet, "rack/conditionalget"
   autoload :ContentLength, "rack/content_length"

actionpack/lib/action_controller/vendor/rack-1.0/rack/chunked.rb

@@ -0,0 +1,49 @@
+require 'rack/utils'
+
+module Rack
+
+  # Middleware that applies chunked transfer encoding to response bodies
+  # when the response does not include a Content-Length header.
+  class Chunked
+    include Rack::Utils
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      status, headers, body = @app.call(env)
+      headers = HeaderHash.new(headers)
+
+      if env['HTTP_VERSION'] == 'HTTP/1.0' ||
+         STATUS_WITH_NO_ENTITY_BODY.include?(status) ||
+         headers['Content-Length'] ||
+         headers['Transfer-Encoding']
+        [status, headers.to_hash, body]
+      else
+        dup.chunk(status, headers, body)
+      end
+    end
+
+    def chunk(status, headers, body)
+      @body = body
+      headers.delete('Content-Length')
+      headers['Transfer-Encoding'] = 'chunked'
+      [status, headers.to_hash, self]
+    end
+
+    def each
+      term = "\r\n"
+      @body.each do |chunk|
+        size = bytesize(chunk)
+        next if size == 0
+        yield [size.to_s(16), term, chunk, term].join
+      end
+      yield ["0", term, "", term].join
+    end
+
+    def close
+      @body.close if @body.respond_to?(:close)
+    end
+  end
+end

actionpack/lib/action_controller/vendor/rack-1.0/rack/content_length.rb

@@ -3,21 +3,23 @@
 module Rack
   # Sets the Content-Length header on responses with fixed-length bodies.
   class ContentLength
+    include Rack::Utils
+
     def initialize(app)
       @app = app
     end
 
     def call(env)
       status, headers, body = @app.call(env)
-      headers = Utils::HeaderHash.new(headers)
+      headers = HeaderHash.new(headers)
 
-      if !Utils::STATUS_WITH_NO_ENTITY_BODY.include?(status) &&
+      if !STATUS_WITH_NO_ENTITY_BODY.include?(status) &&
          !headers['Content-Length'] &&
          !headers['Transfer-Encoding'] &&
          (body.respond_to?(:to_ary) || body.respond_to?(:to_str))
 
         body = [body] if body.respond_to?(:to_str) # rack 0.4 compat
-        length = body.to_ary.inject(0) { |len, part| len + part.length }
+        length = body.to_ary.inject(0) { |len, part| len + bytesize(part) }
         headers['Content-Length'] = length.to_s
       end
 

actionpack/lib/action_controller/vendor/rack-1.0/rack/deflater.rb

@@ -36,12 +36,12 @@ def call(env)
         mtime = headers.key?("Last-Modified") ?
           Time.httpdate(headers["Last-Modified"]) : Time.now
         body = self.class.gzip(body, mtime)
-        size = body.respond_to?(:bytesize) ? body.bytesize : body.size
+        size = Rack::Utils.bytesize(body)
         headers = headers.merge("Content-Encoding" => "gzip", "Content-Length" => size.to_s)
         [status, headers, [body]]
       when "deflate"
         body = self.class.deflate(body)
-        size = body.respond_to?(:bytesize) ? body.bytesize : body.size
+        size = Rack::Utils.bytesize(body)
         headers = headers.merge("Content-Encoding" => "deflate", "Content-Length" => size.to_s)
         [status, headers, [body]]
       when "identity"

actionpack/lib/action_controller/vendor/rack-1.0/rack/directory.rb

@@ -70,7 +70,7 @@ def check_forbidden
       return unless @path_info.include? ".."
 
       body = "Forbidden\n"
-      size = body.respond_to?(:bytesize) ? body.bytesize : body.size
+      size = Rack::Utils.bytesize(body)
       return [403, {"Content-Type" => "text/plain","Content-Length" => size.to_s}, [body]]
     end
 
@@ -122,7 +122,7 @@ def list_path
 
     def entity_not_found
       body = "Entity not found: #{@path_info}\n"
-      size = body.respond_to?(:bytesize) ? body.bytesize : body.size
+      size = Rack::Utils.bytesize(body)
       return [404, {"Content-Type" => "text/plain", "Content-Length" => size.to_s}, [body]]
     end
 

actionpack/lib/action_controller/vendor/rack-1.0/rack/file.rb

@@ -60,7 +60,7 @@ def serving
         body = self
       else
         body = [F.read(@path)]
-        size = body.first.size
+        size = Utils.bytesize(body.first)
       end
 
       [200, {