Update to Rails 2.3.9 and itextomml 1.3.27

vendor/rails/actionpack/lib/action_controller/caching/fragments.rb

@@ -65,8 +65,8 @@ module ActionController #:nodoc:
       def read_fragment(key, options = nil)
         return unless cache_configured?
 
+        key = fragment_cache_key(key)
         self.class.benchmark "Cached fragment hit: #{key}" do
-          key = fragment_cache_key(key)
           result = cache_store.read(key, options)
           result.respond_to?(:html_safe) ? result.html_safe : result
         end

vendor/rails/actionpack/lib/action_controller/integration.rb

@@ -414,15 +414,25 @@ module ActionController
         end
 
         def multipart_requestify(params, first=true)
-          returning Hash.new do |p|
+          Array.new.tap do |p|
             params.each do |key, value|
               k = first ? key.to_s : "[#{key.to_s}]"
               if Hash === value
                 multipart_requestify(value, false).each do |subkey, subvalue|
-                  p[k + subkey] = subvalue
+                  p << [k + subkey, subvalue]
+                end
+              elsif Array === value
+                value.each do |element|
+                  if Hash === element || Array === element
+                    multipart_requestify(element, false).each do |subkey, subvalue|
+                      p << ["#{k}[]#{subkey}", subvalue]
+                    end
+                  else
+                    p << ["#{k}[]", element]
+                  end
                 end
               else
-                p[k] = value
+                p << [k, value]
               end
             end
           end
@@ -453,6 +463,7 @@ EOF
             end
           end.join("")+"--#{boundary}--\r"
         end
+
     end
 
     # A module used to extend ActionController::Base, so that integration tests
@@ -500,7 +511,7 @@ EOF
           reset! unless @integration_session
           # reset the html_document variable, but only for new get/post calls
           @html_document = nil unless %w(cookies assigns).include?(method)
-          returning @integration_session.__send__(method, *args) do
+          @integration_session.__send__(method, *args).tap do
             copy_session_variables!
           end
         end
@@ -556,7 +567,7 @@ EOF
       def method_missing(sym, *args, &block)
         reset! unless @integration_session
         if @integration_session.respond_to?(sym)
-          returning @integration_session.__send__(sym, *args, &block) do
+          @integration_session.__send__(sym, *args, &block).tap do
             copy_session_variables!
           end
         else

vendor/rails/actionpack/lib/action_controller/request.rb

@@ -446,8 +446,8 @@ EOM
     end
 
     def reset_session
-      @env['rack.session.options'].delete(:id)
-      @env['rack.session'] = {}
+      session.destroy if session
+      self.session = {}
     end
 
     def session_options

vendor/rails/actionpack/lib/action_controller/rescue.rb

@@ -15,7 +15,7 @@ module ActionController #:nodoc:
   # behavior is achieved by overriding the <tt>rescue_action_in_public</tt>
   # and <tt>rescue_action_locally</tt> methods.
   module Rescue
-    LOCALHOST = ['127.0.0.1', '::1'].freeze
+    LOCALHOST = [/^127\.0\.0\.\d{1,3}$/, /^::1$/, /^0:0:0:0:0:0:0:1(%.*)?$/].freeze
 
     DEFAULT_RESCUE_RESPONSE = :internal_server_error
     DEFAULT_RESCUE_RESPONSES = {
@@ -122,7 +122,7 @@ module ActionController #:nodoc:
       # method if you wish to redefine the meaning of a local request to
       # include remote IP addresses or other criteria.
       def local_request? #:doc:
-        LOCALHOST.any?{ |local_ip| request.remote_addr == local_ip && request.remote_ip == local_ip }
+        LOCALHOST.any?{ |local_ip| request.remote_addr =~ local_ip && request.remote_ip =~ local_ip }
       end
 
       # Render detailed diagnostics for unhandled exceptions rescued from

vendor/rails/actionpack/lib/action_controller/resources.rb

@@ -659,7 +659,7 @@ module ActionController
       end
 
       def add_conditions_for(conditions, method)
-        returning({:conditions => conditions.dup}) do |options|
+        ({:conditions => conditions.dup}).tap do |options|
           options[:conditions][:method] = method unless method == :any
         end
       end

vendor/rails/actionpack/lib/action_controller/routing.rb

@@ -377,7 +377,7 @@ module ActionController
     ActiveSupport::Inflector.module_eval do
       # Ensures that routes are reloaded when Rails inflections are updated.
       def inflections_with_route_reloading(&block)
-        returning(inflections_without_route_reloading(&block)) {
+        (inflections_without_route_reloading(&block)).tap {
           ActionController::Routing::Routes.reload! if block_given?
         }
       end

vendor/rails/actionpack/lib/action_controller/routing/route.rb

@@ -65,7 +65,7 @@ module ActionController
       #   map.connect '/page/:id', :controller => 'pages', :action => 'show', :id => /\d+/
       #
       def parameter_shell
-        @parameter_shell ||= returning({}) do |shell|
+        @parameter_shell ||= {}.tap do |shell|
           requirements.each do |key, requirement|
             shell[key] = requirement unless requirement.is_a? Regexp
           end
@@ -76,7 +76,7 @@ module ActionController
       # includes keys that appear inside the path, and keys that have requirements
       # placed upon them.
       def significant_keys
-        @significant_keys ||= returning([]) do |sk|
+        @significant_keys ||= [].tap do |sk|
           segments.each { |segment| sk << segment.key if segment.respond_to? :key }
           sk.concat requirements.keys
           sk.uniq!
@@ -86,7 +86,7 @@ module ActionController
       # Return a hash of key/value pairs representing the keys in the route that
       # have defaults, or which are specified by non-regexp requirements.
       def defaults
-        @defaults ||= returning({}) do |hash|
+        @defaults ||= {}.tap do |hash|
           segments.each do |segment|
             next unless segment.respond_to? :default
             hash[segment.key] = segment.default unless segment.default.nil?

vendor/rails/actionpack/lib/action_controller/session/abstract_store.rb

@@ -2,13 +2,42 @@ require 'rack/utils'
 
 module ActionController
   module Session
-    class AbstractStore
+    class AbstractStore  
       ENV_SESSION_KEY = 'rack.session'.freeze
       ENV_SESSION_OPTIONS_KEY = 'rack.session.options'.freeze
 
       HTTP_COOKIE = 'HTTP_COOKIE'.freeze
       SET_COOKIE = 'Set-Cookie'.freeze
 
+      # thin wrapper around Hash that allows us to lazily
+      # load session id into session_options
+      class OptionsHash < Hash
+        def initialize(by, env, default_options)
+          @by = by
+          @env = env
+          @session_id_loaded = false
+          merge!(default_options)
+        end
+
+        def [](key)
+          if key == :id
+            load_session_id! unless super(:id) || has_session_id?
+          end
+          super(key)
+        end
+
+        private
+
+          def has_session_id?
+            @session_id_loaded
+          end
+
+          def load_session_id!
+            self[:id] = @by.send(:extract_session_id, @env)
+            @session_id_loaded = true
+          end
+      end
+
       class SessionHash < Hash
         def initialize(by, env)
           super()
@@ -25,21 +54,42 @@ module ActionController
         end
 
         def [](key)
-          load! unless @loaded
+          load_for_read!
+          super
+        end
+
+        def has_key?(key)
+          load_for_read!
           super
         end
 
         def []=(key, value)
-          load! unless @loaded
+          load_for_write!
+          super
+        end
+
+        def clear
+          load_for_write!
           super
         end
 
         def to_hash
+          load_for_read!
           h = {}.replace(self)
           h.delete_if { |k,v| v.nil? }
           h
         end
 
+        def update(hash)
+          load_for_write!
+          super
+        end
+
+        def delete(key)
+          load_for_write!
+          super
+        end
+
         def data
          ActiveSupport::Deprecation.warn(
            "ActionController::Session::AbstractStore::SessionHash#data " +
@@ -48,40 +98,43 @@ module ActionController
         end
 
         def inspect
-          load! unless @loaded
+          load_for_read!
           super
         end
 
+        def exists?
+          return @exists if instance_variable_defined?(:@exists)
+          @exists = @by.send(:exists?, @env)
+        end
+
+        def loaded?
+          @loaded
+        end
+
+        def destroy
+          clear
+          @by.send(:destroy, @env) if @by
+          @env[ENV_SESSION_OPTIONS_KEY][:id] = nil if @env && @env[ENV_SESSION_OPTIONS_KEY]
+          @loaded = false
+        end
+
         private
-          def loaded?
-            @loaded
+          
+          def load_for_read!
+            load! if !loaded? && exists?
+          end
+
+          def load_for_write!
+            load! unless loaded?
           end
 
           def load!
-            stale_session_check! do
-              id, session = @by.send(:load_session, @env)
-              (@env[ENV_SESSION_OPTIONS_KEY] ||= {})[:id] = id
-              replace(session)
-              @loaded = true
-            end
+            id, session = @by.send(:load_session, @env)
+            @env[ENV_SESSION_OPTIONS_KEY][:id] = id
+            replace(session)
+            @loaded = true
           end
 
-          def stale_session_check!
-            yield
-          rescue ArgumentError => argument_error
-            if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
-              begin
-                # Note that the regexp does not allow $1 to end with a ':'
-                $1.constantize
-              rescue LoadError, NameError => const_error
-                raise ActionController::SessionRestoreError, "Session contains objects whose class definition isn\\'t available.\nRemember to require the classes for all objects kept in the session.\n(Original exception: \#{const_error.message} [\#{const_error.class}])\n"
-              end
-
-              retry
-            else
-              raise
-            end
-          end
       end
 
       DEFAULT_OPTIONS = {
@@ -120,18 +173,14 @@ module ActionController
       end
 
       def call(env)
-        session = SessionHash.new(self, env)
-
-        env[ENV_SESSION_KEY] = session
-        env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
-
+        prepare!(env)
         response = @app.call(env)
 
         session_data = env[ENV_SESSION_KEY]
         options = env[ENV_SESSION_OPTIONS_KEY]
 
-        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
-          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
+        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after]
+          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?
 
           sid = options[:id] || generate_sid
 
@@ -139,21 +188,23 @@ module ActionController
             return response
           end
 
-          cookie = Rack::Utils.escape(@key) + '=' + Rack::Utils.escape(sid)
-          cookie << "; domain=#{options[:domain]}" if options[:domain]
-          cookie << "; path=#{options[:path]}" if options[:path]
-          if options[:expire_after]
-            expiry = Time.now + options[:expire_after]
-            cookie << "; expires=#{expiry.httpdate}"
-          end
-          cookie << "; Secure" if options[:secure]
-          cookie << "; HttpOnly" if options[:httponly]
+          if (env["rack.request.cookie_hash"] && env["rack.request.cookie_hash"][@key] != sid) || options[:expire_after]
+            cookie = Rack::Utils.escape(@key) + '=' + Rack::Utils.escape(sid)
+            cookie << "; domain=#{options[:domain]}" if options[:domain]
+            cookie << "; path=#{options[:path]}" if options[:path]
+            if options[:expire_after]
+              expiry = Time.now + options[:expire_after]
+              cookie << "; expires=#{expiry.httpdate}"
+            end
+            cookie << "; Secure" if options[:secure]
+            cookie << "; HttpOnly" if options[:httponly]
 
-          headers = response[1]
-          unless headers[SET_COOKIE].blank?
-            headers[SET_COOKIE] << "\n#{cookie}"
-          else
-            headers[SET_COOKIE] = cookie
+            headers = response[1]
+            unless headers[SET_COOKIE].blank?
+              headers[SET_COOKIE] << "\n#{cookie}"
+            else
+              headers[SET_COOKIE] = cookie
+            end
           end
         end
 
@@ -161,18 +212,39 @@ module ActionController
       end
 
       private
+      
+        def prepare!(env)
+          env[ENV_SESSION_KEY] = SessionHash.new(self, env)
+          env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
+        end
+      
         def generate_sid
           ActiveSupport::SecureRandom.hex(16)
         end
 
         def load_session(env)
-          request = Rack::Request.new(env)
-          sid = request.cookies[@key]
-          unless @cookie_only
-            sid ||= request.params[@key]
+          stale_session_check! do
+            sid = current_session_id(env)
+            sid, session = get_session(env, sid)
+            [sid, session]
           end
-          sid, session = get_session(env, sid)
-          [sid, session]
+        end
+        
+        def extract_session_id(env)
+          stale_session_check! do
+            request = Rack::Request.new(env)
+            sid = request.cookies[@key]
+            sid ||= request.params[@key] unless @cookie_only
+            sid
+          end
+        end
+
+        def current_session_id(env)
+          env[ENV_SESSION_OPTIONS_KEY][:id]
+        end
+        
+        def exists?(env)
+          current_session_id(env).present?
         end
 
         def get_session(env, sid)
@@ -182,6 +254,30 @@ module ActionController
         def set_session(env, sid, session_data)
           raise '#set_session needs to be implemented.'
         end
+        
+        def destroy(env)
+          raise '#destroy needs to be implemented.'
+        end
+        
+        module SessionUtils
+          private
+          def stale_session_check!
+            yield
+          rescue ArgumentError => argument_error
+            if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
+              begin
+                # Note that the regexp does not allow $1 to end with a ':'
+                $1.constantize
+              rescue LoadError, NameError => const_error
+                raise ActionController::SessionRestoreError, "Session contains objects whose class definition isn\\'t available.\nRemember to require the classes for all objects kept in the session.\n(Original exception: \#{const_error.message} [\#{const_error.class}])\n"
+              end
+              retry
+            else
+              raise
+            end
+          end
+        end
+        include SessionUtils
     end
   end
 end

vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb

@@ -36,6 +36,8 @@ module ActionController
     #
     # Note that changing digest or secret invalidates all existing sessions!
     class CookieStore
+      include AbstractStore::SessionUtils
+      
       # Cookies can typically store 4096 bytes.
       MAX = 4096
       SECRET_MIN_LENGTH = 30 # characters
@@ -93,20 +95,20 @@ module ActionController
       end
 
       def call(env)
-        env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
-        env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
-
+        prepare!(env)
+        
         status, headers, body = @app.call(env)
 
         session_data = env[ENV_SESSION_KEY]
         options = env[ENV_SESSION_OPTIONS_KEY]
 
-        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
-          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
+        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after]
+          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?
+
+          persistent_session_id!(session_data)
           session_data = marshal(session_data.to_hash)
 
           raise CookieOverflow if session_data.size > MAX
-
           cookie = Hash.new
           cookie[:value] = session_data
           unless options[:expire_after].nil?
@@ -114,17 +116,20 @@ module ActionController
           end
 
           cookie = build_cookie(@key, cookie.merge(options))
-          unless headers[HTTP_SET_COOKIE].blank?
-            headers[HTTP_SET_COOKIE] << "\n#{cookie}"
-          else
-            headers[HTTP_SET_COOKIE] = cookie
-          end
+          headers[HTTP_SET_COOKIE] = [] if headers[HTTP_SET_COOKIE].blank?
+          headers[HTTP_SET_COOKIE] << cookie
         end
 
         [status, headers, body]
       end
 
       private
+      
+        def prepare!(env)
+          env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
+          env[ENV_SESSION_OPTIONS_KEY] = AbstractStore::OptionsHash.new(self, env, @default_options)
+        end
+      
         # Should be in Rack::Utils soon
         def build_cookie(key, value)
           case value
@@ -146,20 +151,46 @@ module ActionController
         end
 
         def load_session(env)
-          request = Rack::Request.new(env)
-          session_data = request.cookies[@key]
-          data = unmarshal(session_data) || persistent_session_id!({})
+          data = unpacked_cookie_data(env)
+          data = persistent_session_id!(data)
           [data[:session_id], data]
         end
+        
+        def extract_session_id(env)
+          if data = unpacked_cookie_data(env)
+            persistent_session_id!(data) unless data.empty?
+            data[:session_id]
+          else
+            nil
+          end
+        end
+
+        def current_session_id(env)
+          env[ENV_SESSION_OPTIONS_KEY][:id]
+        end
+
+        def exists?(env)
+          current_session_id(env).present?
+        end
+
+        def unpacked_cookie_data(env)
+          env["action_dispatch.request.unsigned_session_cookie"] ||= begin
+            stale_session_check! do
+              request = Rack::Request.new(env)
+              session_data = request.cookies[@key]
+              unmarshal(session_data) || {}
+            end
+          end
+        end
 
         # Marshal a session hash into safe cookie data. Include an integrity hash.
         def marshal(session)
-          @verifier.generate(persistent_session_id!(session))
+          @verifier.generate(session)
         end
 
         # Unmarshal cookie data to a hash and verify its integrity.
         def unmarshal(cookie)
-          persistent_session_id!(@verifier.verify(cookie)) if cookie
+          @verifier.verify(cookie) if cookie
         rescue ActiveSupport::MessageVerifier::InvalidSignature
           nil
         end
@@ -207,6 +238,10 @@ module ActionController
           ActiveSupport::SecureRandom.hex(16)
         end
 
+        def destroy(env)
+          # session data is stored on client; nothing to do here
+        end
+
         def persistent_session_id!(data)
           (data ||= {}).merge!(inject_persistent_session_id(data))
         end

vendor/rails/actionpack/lib/action_controller/session/mem_cache_store.rb

@@ -43,6 +43,15 @@ begin
           rescue MemCache::MemCacheError, Errno::ECONNREFUSED
             return false
           end
+          
+          def destroy(env)
+            if sid = current_session_id(env)
+              @pool.delete(sid)
+            end
+          rescue MemCache::MemCacheError, Errno::ECONNREFUSED
+            false
+          end
+          
       end
     end
   end

vendor/rails/actionpack/lib/action_controller/test_process.rb

@@ -450,7 +450,7 @@ module ActionController #:nodoc:
     def xml_http_request(request_method, action, parameters = nil, session = nil, flash = nil)
       @request.env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
       @request.env['HTTP_ACCEPT'] =  [Mime::JS, Mime::HTML, Mime::XML, 'text/xml', Mime::ALL].join(', ')
-      returning __send__(request_method, action, parameters, session, flash) do
+      __send__(request_method, action, parameters, session, flash).tap do
         @request.env.delete 'HTTP_X_REQUESTED_WITH'
         @request.env.delete 'HTTP_ACCEPT'
       end

vendor/rails/actionpack/lib/action_controller/url_rewriter.rb

@@ -92,6 +92,14 @@ module ActionController
   #     end
   #   end
   module UrlWriter
+    RESERVED_PCHAR = ':@&=+$,;%'
+    SAFE_PCHAR = "#{URI::REGEXP::PATTERN::UNRESERVED}#{RESERVED_PCHAR}"
+    if RUBY_VERSION >= '1.9'
+      UNSAFE_PCHAR = Regexp.new("[^#{SAFE_PCHAR}]", false).freeze
+    else
+      UNSAFE_PCHAR = Regexp.new("[^#{SAFE_PCHAR}]", false, 'N').freeze
+    end
+
     def self.included(base) #:nodoc:
       ActionController::Routing::Routes.install_helpers(base)
       base.mattr_accessor :default_url_options
@@ -142,7 +150,7 @@ module ActionController
       end
       trailing_slash = options.delete(:trailing_slash) if options.key?(:trailing_slash)
       url << ActionController::Base.relative_url_root.to_s unless options[:skip_relative_url_root]
-      anchor = "##{CGI.escape options.delete(:anchor).to_param.to_s}" if options[:anchor]
+      anchor = "##{URI.escape(options.delete(:anchor).to_param.to_s, UNSAFE_PCHAR)}" if options[:anchor]
       generated = Routing::Routes.generate(options, {})
       url << (trailing_slash ? generated.sub(/\?|\z/) { "/" + $& } : generated)
       url << anchor if anchor