Merge branch 'main' into Ridhwana/active-record-validations

Author: p8

actionmailer/lib/action_mailer/mail_helper.rb

@@ -25,10 +25,18 @@ def block_format(text)
       }.join("\n\n")
 
       # Make list points stand on their own line
-      formatted.gsub!(/[ ]*([*]+) ([^*]*)/) { "  #{$1} #{$2.strip}\n" }
-      formatted.gsub!(/[ ]*([#]+) ([^#]*)/) { "  #{$1} #{$2.strip}\n" }
+      output = +""
+      splits = formatted.split(/(\*+|\#+)/)
+      while line = splits.shift
+        if line.start_with?("*", "#") && splits.first&.start_with?(" ")
+          output.chomp!(" ") while output.end_with?(" ")
+          output << "  #{line} #{splits.shift.strip}\n"
+        else
+          output << line
+        end
+      end
 
-      formatted
+      output
     end
 
     # Access the mailer instance.

actionmailer/test/mail_helper_test.rb

@@ -121,4 +121,17 @@ def test_use_cache
       assert_equal "Greetings from a cache helper block", mail.body.encoded
     end
   end
+
+  def helper
+    Object.new.extend(ActionMailer::MailHelper)
+  end
+
+  def test_block_format
+    assert_equal "  * foo\n", helper.block_format(" * foo")
+    assert_equal "  * foo\n", helper.block_format("   * foo")
+    assert_equal "  * foo\n", helper.block_format("* foo")
+    assert_equal "  * foo\n*bar", helper.block_format("* foo*bar")
+    assert_equal "  * foo\n  * bar\n", helper.block_format("* foo * bar")
+    assert_equal "  *", helper.block_format("* ")
+  end
 end

actionpack/lib/action_controller/metal/http_authentication.rb

@@ -513,14 +513,11 @@ def rewrite_param_values(array_params)
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
-      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
-      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
-
       # This method takes an authorization body and splits up the key-value pairs by
       # the standardized `:`, `;`, or `\t` delimiters defined in
       # `AUTHN_PAIR_DELIMITERS`.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
         _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)

actionpack/lib/action_controller/metal/strong_parameters.rb

@@ -95,6 +95,8 @@ class InvalidParameterKey < ArgumentError
   # *   `permit` to filter params for mass assignment.
   # *   `require` to require a parameter or raise an error.
   #
+  # Examples:
+  #
   #     params = ActionController::Parameters.new({
   #       person: {
   #         name: "Francesco",
@@ -109,7 +111,7 @@ class InvalidParameterKey < ArgumentError
   #     Person.first.update!(permitted)
   #     # => #<Person id: 1, name: "Francesco", age: 22, role: "user">
   #
-  # Paramaters provides two options that control the top-level behavior of new
+  # Parameters provides two options that control the top-level behavior of new
   # instances:
   #
   # *   `permit_all_parameters` - If it's `true`, all the parameters will be

actionpack/lib/action_dispatch/http/filter_parameters.rb

@@ -68,12 +68,17 @@ def parameter_filter_for(filters) # :doc:
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

actionpack/lib/action_dispatch/http/filter_redirect.rb

@@ -37,9 +37,16 @@ def location_filter_match?
       def parameter_filtered_location
         uri = URI.parse(location)
         unless uri.query.nil? || uri.query.empty?
-          uri.query.gsub!(FilterParameters::PAIR_RE) do
-            request.parameter_filter.filter($1 => $2).first.join("=")
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
           end
+          uri.query = filtered_parts.join("")
         end
         uri.to_s
       rescue URI::Error

actionpack/lib/action_dispatch/http/param_builder.rb

@@ -2,6 +2,10 @@
 
 module ActionDispatch
   class ParamBuilder
+    # --
+    # This implementation is based on Rack::QueryParser,
+    # Copyright (C) 2007-2021 Leah Neukirchen <http://leahneukirchen.org/infopage.html>
+
     def self.make_default(param_depth_limit)
       new param_depth_limit
     end
@@ -12,6 +16,10 @@ def initialize(param_depth_limit)
       @param_depth_limit = param_depth_limit
     end
 
+    cattr_accessor :ignore_leading_brackets
+
+    LEADING_BRACKETS_COMPAT = defined?(::Rack::RELEASE) && ::Rack::RELEASE.to_s.start_with?("2.")
+
     cattr_accessor :default
     self.default = make_default(100)
 
@@ -61,15 +69,30 @@ def store_nested_param(params, name, v, depth, encoding_template = nil)
           # nil name, treat same as empty string (required by tests)
           k = after = ""
         elsif depth == 0
-          # Start of parsing, don't treat [] or [ at start of string specially
-          if start = name.index("[", 1)
-            # Start of parameter nesting, use part before brackets as key
-            k = name[0, start]
-            after = name[start, name.length]
+          if ignore_leading_brackets || (ignore_leading_brackets.nil? && LEADING_BRACKETS_COMPAT)
+            # Rack 2 compatible behavior, ignore leading brackets
+            if name =~ /\A[\[\]]*([^\[\]]+)\]*/
+              k = $1
+              after = $' || ""
+
+              if !ignore_leading_brackets && (k != $& || !after.empty? && !after.start_with?("["))
+                ActionDispatch.deprecator.warn("Skipping over leading brackets in parameter name #{name.inspect} is deprecated and will parse differently in Rails 8.1 or Rack 3.0.")
+              end
+            else
+              k = name
+              after = ""
+            end
           else
-            # Plain parameter with no nesting
-            k = name
-            after = ""
+            # Start of parsing, don't treat [] or [ at start of string specially
+            if start = name.index("[", 1)
+              # Start of parameter nesting, use part before brackets as key
+              k = name[0, start]
+              after = name[start, name.length]
+            else
+              # Plain parameter with no nesting
+              k = name
+              after = ""
+            end
           end
         elsif name.start_with?("[]")
           # Array nesting

actionpack/lib/action_dispatch/http/query_parser.rb

@@ -1,11 +1,17 @@
 # frozen_string_literal: true
 
 require "uri"
+require "rack"
 
 module ActionDispatch
   class QueryParser
     DEFAULT_SEP = /& */n
-    COMMON_SEP = { ";" => /; */n, ";," => /[;,] */n, "&" => /& */n }
+    COMPAT_SEP = /[&;] */n
+    COMMON_SEP = { ";" => /; */n, ";," => /[;,] */n, "&" => /& */n, "&;" => /[&;] */n }
+
+    cattr_accessor :strict_query_string_separator
+
+    SEMICOLON_COMPAT = defined?(::Rack::QueryParser::DEFAULT_SEP) && ::Rack::QueryParser::DEFAULT_SEP.to_s.include?(";")
 
     #--
     # Note this departs from WHATWG's specified parsing algorithm by
@@ -14,7 +20,23 @@ class QueryParser
     def self.each_pair(s, separator = nil)
       return enum_for(:each_pair, s, separator) unless block_given?
 
-      (s || "").split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |part|
+      s ||= ""
+
+      splitter =
+        if separator
+          COMMON_SEP[separator] || /[#{separator}] */n
+        elsif strict_query_string_separator
+          DEFAULT_SEP
+        elsif SEMICOLON_COMPAT && s.include?(";")
+          if strict_query_string_separator.nil?
+            ActionDispatch.deprecator.warn("Using semicolon as a query string separator is deprecated and will not be supported in Rails 8.1 or Rack 3.0. Use `&` instead.")
+          end
+          COMPAT_SEP
+        else
+          DEFAULT_SEP
+        end
+
+      s.split(splitter).each do |part|
         next if part.empty?
 
         k, v = part.split("=", 2)

actionpack/lib/action_dispatch/journey/scanner.rb

@@ -55,7 +55,7 @@ def last_literal
         def scan
           next_byte = @scanner.peek_byte
           case
-          when (token = STATIC_TOKENS[next_byte])
+          when (token = STATIC_TOKENS[next_byte]) && (token != :SYMBOL || next_byte_is_not_a_token?)
             @scanner.pos += 1
             @length = @scanner.skip(/\w+/).to_i + 1 if token == :SYMBOL || token == :STAR
             token
@@ -65,6 +65,10 @@ def scan
             :LITERAL
           end
         end
+
+        def next_byte_is_not_a_token?
+          !STATIC_TOKENS[@scanner.string.getbyte(@scanner.pos + 1)]
+        end
     end
   end
 end

actionpack/lib/action_dispatch/railtie.rb

@@ -31,6 +31,9 @@ class Railtie < Rails::Railtie # :nodoc:
     config.action_dispatch.debug_exception_log_level = :fatal
     config.action_dispatch.strict_freshness = false
 
+    config.action_dispatch.ignore_leading_brackets = nil
+    config.action_dispatch.strict_query_string_separator = nil
+
     config.action_dispatch.default_headers = {
       "X-Frame-Options" => "SAMEORIGIN",
       "X-XSS-Protection" => "1; mode=block",
@@ -52,6 +55,9 @@ class Railtie < Rails::Railtie # :nodoc:
       ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
 
+      ActionDispatch::ParamBuilder.ignore_leading_brackets = app.config.action_dispatch.ignore_leading_brackets
+      ActionDispatch::QueryParser.strict_query_string_separator = app.config.action_dispatch.strict_query_string_separator
+
       ActiveSupport.on_load(:action_dispatch_request) do
         self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
         ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge