cc @rafaelfranca
[skip ci]

Reverts some of the changes from #23242.

A backport of #23247 to 4-1-stable.

Fix undefined error for `ActionController::Parameters`

If `render(params)` is called in a view it should be protected the same
 way it is in the controllers. We should raise an error if thats happens.

Fix CVE-2016-2098.

Previously, calling `render "foo/bar"` in a controller action is
equivalent to `render file: "foo/bar"`. This has been changed to
mean `render template: "foo/bar"` instead. If you need to render a
file, please change your code to use the explicit form
(`render file: "foo/bar"`) instead.

Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.

Fix CVE-2016-2097.

Generated engines should call `protect_from_forgery`.  If this method
isn't called, then the Engine could be susceptible to XSS attacks.
Thanks @tomekr for reporting this to us!

Conflicts:
	railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
	railties/test/generators/plugin_generator_test.rb

Fix custom primary keys when calling `Relation#where`

calling `Relation#where`

Reverts some of the changes from #23242.

A backport of #23247 to 4-1-stable.

This works on OSX but for some reason travis is throwing a
```
  1) Error:
ExpiresInRenderTest#test_dynamic_render_with_absolute_path:
NoMethodError: undefined method `unlink' for nil:NilClass
```
Looking at other tests in Railties the file has a name and we close
it before unlinking, so I'm going to try that.

Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.

This reverts commit 585e7569.

Conflicts:
	actionview/CHANGELOG.md
	guides/source/4_2_release_notes.md

The cache for `render file:` seems to also be used in the case of
`render(string)`.  If one is supposed to be a hit and the other is
supposed to be a miss, and they both reference the same file, then the
cache could return incorrect values.  This commit clears the cache
between runs so that we get non-cached behavior.

Fix img alt attribute generation when using Sprockets >= 3.0

Fix undefined error for `ActionController::Parameters`

* 4-1-sec:
  bumping version
  Remove unnecessary caching
  Eliminate instance level writers for class accessors
  allow :file to be outside rails root, but anything else must be inside the rails view directory
  Don't short-circuit reject_if proc
  stop caching mime types globally
  use secure string comparisons for basic auth username / password

`ActiveSupport::Dependencies.constantize(const_name)` calls
`Reference.new` which is defined as
`ActiveSupport::Dependencies.constantize(const_name)` meaning this call
is already cached and we're doing caching that isn't necessary.

Conflicts:
	actionpack/lib/action_dispatch/routing/route_set.rb

Conflicts:
	actionpack/lib/action_dispatch/routing/route_set.rb

CVE-2015-7581

Instance level writers can have an impact on how the Active Model /
Record objects are saved.  Specifically, they can be used to bypass
validations.  This is a problem if mass assignment protection is
disabled and specific attributes are passed to the constructor.

Conflicts:
	activerecord/lib/active_record/scoping/default.rb
	activesupport/lib/active_support/callbacks.rb

CVE-2016-0753

Conflicts:
	actionpack/test/controller/render_test.rb
	actionview/lib/action_view/template/resolver.rb

CVE-2016-0752

When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.

The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.

CVE-2015-7577

Unknown mime types should not be cached globally.  This global cache
leads to a memory leak and a denial of service vulnerability.

CVE-2016-0751

this will avoid timing attacks against applications that use basic auth.

Conflicts:
	activesupport/lib/active_support/security_utils.rb

CVE-2015-7576

4.1 Backport of LoggerSilence#silence Threadsafety patch (see: PR #20507)

- Uses Logger instance defined level if no custom local log level defined
- Keeps track of local log level per logger instance + thread id
- Prevents memory leakage by removing local level hash key/value on #silence method exit
- Test case for threadsafety issue added (and passes with these changes), based @rdubya's tests
- Fixes #20490 and supersedes https://github.com/rails/rails/pull/16885

When we are rescuing from an error, it's a brittle approach to do checks
with regular expressions on the raised message because it may change in
in the future and error messages are different across implementations.

The NameError API could be improved at the MRI level but for now we need
to rely on its #name. A #== check will only pass for top level constants
or only when the last constant of the path is missing so we need to rely
on #include? instead. For instance:

    begin
      Namespace::Foo
    rescue NameError => e
      e.name # => :Namespace
    end

However, if the name-space already exists, only the name of the first
missing constant in the path is returned (e.g. for Math::PHI, the name
would be :PHI). JRuby will return a fully qualified name (:"Math::PHI").

We need to keep the == check for 1.9 compatibility since const_get will
raise a NameError with a name attribute set to the given string if it's
one of "::" or "".

See http://git.io/jnSN7g for further information.