Rails 2.3.11, S5 Editing bug.

Upgrade to Rails 2.3.11.
Fix a bug where the SVG-Edit button would not appear
when editing S5 slideshows.

vendor/rails/actionpack/lib/action_controller/cookies.rb

@@ -60,7 +60,7 @@ module ActionController #:nodoc:
     attr_reader :controller
     
     def initialize(controller)
-      @controller, @cookies = controller, controller.request.cookies
+      @controller, @cookies, @secure = controller, controller.request.cookies, controller.request.ssl?
       super()
       update(@cookies)
     end
@@ -81,7 +81,7 @@ module ActionController #:nodoc:
 
       options[:path] = "/" unless options.has_key?(:path)
       super(key.to_s, options[:value])
-      @controller.response.set_cookie(key, options)
+      @controller.response.set_cookie(key, options) if write_cookie?(options)
     end
 
     # Removes the cookie on the client machine by setting the value to an empty string
@@ -126,6 +126,12 @@ module ActionController #:nodoc:
     def signed
       @signed ||= SignedCookieJar.new(self)
     end
+
+    private
+
+      def write_cookie?(cookie)
+        @secure || !cookie[:secure] || defined?(Rails.env) && Rails.env.development?
+      end
   end
   
   class PermanentCookieJar < CookieJar #:nodoc:

vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb

@@ -76,7 +76,11 @@ module ActionController #:nodoc:
     protected
       # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
       def verify_authenticity_token
-        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+        verified_request? || handle_unverified_request
+      end
+
+      def handle_unverified_request
+        reset_session
       end
       
       # Returns true or false if a request is verified.  Checks:
@@ -85,11 +89,10 @@ module ActionController #:nodoc:
       # * is it a GET request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       def verified_request?
-        !protect_against_forgery?     ||
-          request.method == :get      ||
-          request.xhr?                ||
-          !verifiable_request_format? ||
-          form_authenticity_token == form_authenticity_param
+        !protect_against_forgery?                            ||
+          request.get?                                       ||
+          form_authenticity_token == form_authenticity_param ||
+          form_authenticity_token == request.headers['X-CSRF-Token']
       end
 
       def form_authenticity_param

vendor/rails/actionpack/lib/action_controller/session/abstract_store.rb

@@ -195,22 +195,8 @@ module ActionController
           request_cookies = env["rack.request.cookie_hash"]
 
           if (request_cookies.nil? || request_cookies[@key] != sid) || options[:expire_after]
-            cookie = Rack::Utils.escape(@key) + '=' + Rack::Utils.escape(sid)
-            cookie << "; domain=#{options[:domain]}" if options[:domain]
-            cookie << "; path=#{options[:path]}" if options[:path]
-            if options[:expire_after]
-              expiry = Time.now + options[:expire_after]
-              cookie << "; expires=#{expiry.httpdate}"
-            end
-            cookie << "; secure" if options[:secure]
-            cookie << "; HttpOnly" if options[:httponly]
-
-            headers = response[1]
-            unless headers[SET_COOKIE].blank?
-              headers[SET_COOKIE] << "\n#{cookie}"
-            else
-              headers[SET_COOKIE] = cookie
-            end
+            cookie = {:value => sid}
+            Rack::Utils.set_cookie_header!(response[1], @key, cookie.merge(options))
           end
         end
 

vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb

@@ -52,7 +52,6 @@ module ActionController
 
       ENV_SESSION_KEY = "rack.session".freeze
       ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
-      HTTP_SET_COOKIE = "Set-Cookie".freeze
 
       # Raised when storing more than 4K of session data.
       class CookieOverflow < StandardError; end
@@ -116,9 +115,7 @@ module ActionController
             cookie[:expires] = Time.now + options[:expire_after]
           end
 
-          cookie = build_cookie(@key, cookie.merge(options))
-          headers[HTTP_SET_COOKIE] = [] if headers[HTTP_SET_COOKIE].blank?
-          headers[HTTP_SET_COOKIE] << cookie
+          Rack::Utils.set_cookie_header!(headers, @key, cookie.merge(options))
         end
 
         [status, headers, body]
@@ -130,26 +127,6 @@ module ActionController
           env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
           env[ENV_SESSION_OPTIONS_KEY] = AbstractStore::OptionsHash.new(self, env, @default_options)
         end
-      
-        # Should be in Rack::Utils soon
-        def build_cookie(key, value)
-          case value
-          when Hash
-            domain  = "; domain="  + value[:domain] if value[:domain]
-            path    = "; path="    + value[:path]   if value[:path]
-            # According to RFC 2109, we need dashes here.
-            # N.B.: cgi.rb uses spaces...
-            expires = "; expires=" + value[:expires].clone.gmtime.
-              strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
-            secure = "; secure" if value[:secure]
-            httponly = "; HttpOnly" if value[:httponly]
-            value = value[:value]
-          end
-          value = [value] unless Array === value
-          cookie = Rack::Utils.escape(key) + "=" +
-            value.map { |v| Rack::Utils.escape(v) }.join("&") +
-            "#{domain}#{path}#{expires}#{secure}#{httponly}"
-        end
 
         def load_session(env)
           data = unpacked_cookie_data(env)

vendor/rails/actionpack/lib/action_controller/session/mem_cache_store.rb

@@ -1,6 +1,6 @@
 begin
   require_library_or_gem 'memcache'
-
+  require 'thread'
   module ActionController
     module Session
       class MemCacheStore < AbstractStore