rack 1.1.3 → 1.1.4


data/README CHANGED
@@ -1,4 +1,4 @@
1
- = Rack, a modular Ruby webserver interface
1
+ = Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
2
2
 
3
3
  Rack provides a minimal, modular and adaptable interface for developing
4
4
  web applications in Ruby. By wrapping HTTP requests and responses in
@@ -9,16 +9,6 @@ middleware) into a single method call.
9
9
  The exact details of this are described in the Rack specification,
10
10
  which all Rack applications should conform to.
11
11
 
12
- == Specification changes in this release
13
-
14
- With Rack 1.1, the Rack specification (found in SPEC) changed in the
15
- following backward-incompatible ways.
16
-
17
- * Rack::VERSION has been pushed to [1,1].
18
- * rack.logger is now specified.
19
- * The SPEC now allows subclasses of the required types.
20
- * rack.input has to be opened in binary mode.
21
-
22
12
  == Supported web servers
23
13
 
24
14
  The included *handlers* connect all kinds of web servers to Rack:
@@ -37,8 +27,11 @@ These web servers include Rack handlers in their distributions:
37
27
  * Fuzed
38
28
  * Glassfish v3
39
29
  * Phusion Passenger (which is mod_rack for Apache and for nginx)
30
+ * Puma
40
31
  * Rainbows!
41
32
  * Unicorn
33
+ * unixrack
34
+ * uWSGI
42
35
  * Zbatery
43
36
 
44
37
  Any valid Rack app will run the same on all these handlers, without
@@ -46,9 +39,6 @@ changing anything.
46
39
 
47
40
  == Supported web frameworks
48
41
 
49
- The included *adapters* connect Rack with existing Ruby web frameworks:
50
- * Camping
51
-
52
42
  These frameworks include Rack adapters in their distributions:
53
43
  * Camping
54
44
  * Coset
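Review bot: removing the "included adapters" paragraph (the two `-` lines above, Camping) leaves the 1.1.x README silent about an adapter this branch still bundles unless lib/rack/adapter/camping.rb is deleted elsewhere in this release, which this diff does not show. The changelog text added further down records the adapter's removal under 1.2.0 ("Removed Camping adapter: Camping 2.0 supports Rack as-is"), not under 1.1.4, so either drop the adapter file and the camping test dependency together with this line, or keep a one-line note that 1.1.x still ships it for compatibility.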
@@ -132,7 +122,7 @@ By default, the lobster is found at http://localhost:9292.
132
122
 
133
123
  == Installing with RubyGems
134
124
 
135
- A Gem of Rack is available at gemcutter.org. You can install it with:
125
+ A Gem of Rack is available at rubygems.org. You can install it with:
136
126
 
137
127
  gem install rack
138
128
 
@@ -157,7 +147,6 @@ installation and test-spec.
157
147
 
158
148
  To run the test suite completely, you need:
159
149
 
160
- * camping
161
150
  * fcgi
162
151
  * memcache-client
163
152
  * mongrel
@@ -278,7 +267,7 @@ run on port 11211) and memcache-client installed.
278
267
  * Make sure WEBrick respects the :Host option
279
268
  * Many Ruby 1.9 fixes.
280
269
 
281
- * January 3rd, 2009: Ninth public release 1.1.0.
270
+ * January 3rd, 2010: Ninth public release 1.1.0.
282
271
  * Moved Auth::OpenID to rack-contrib.
283
272
  * SPEC change that relaxes Lint slightly to allow subclasses of the
284
273
  required types
@@ -313,25 +302,184 @@ run on port 11211) and memcache-client installed.
313
302
  * Enforce binary encoding in RewindableInput
314
303
  * Set correct external_encoding for handlers that don't use RewindableInput
315
304
 
305
+ * June 13th, 2010: Tenth public release 1.2.0.
306
+ * Removed Camping adapter: Camping 2.0 supports Rack as-is
307
+ * Removed parsing of quoted values
308
+ * Add Request.trace? and Request.options?
309
+ * Add mime-type for .webm and .htc
310
+ * Fix HTTP_X_FORWARDED_FOR
311
+ * Various multipart fixes
312
+ * Switch test suite to bacon
313
+
314
+ * June 15th, 2010: Eleventh public release 1.2.1.
315
+ * Make CGI handler rewindable
316
+ * Rename spec/ to test/ to not conflict with SPEC on lesser
317
+ operating systems
318
+
316
319
  * March 13th, 2011: Twelfth public release 1.2.2/1.1.2.
317
320
  * Security fix in Rack::Auth::Digest::MD5: when authenticator
318
321
  returned nil, permission was granted on empty password.
319
322
 
323
+ * May 22nd, 2011: Thirteenth public release 1.3.0
324
+ * Various performance optimizations
325
+ * Various multipart fixes
326
+ * Various multipart refactors
327
+ * Infinite loop fix for multipart
328
+ * Test coverage for Rack::Server returns
329
+ * Allow files with '..', but not path components that are '..'
330
+ * rackup accepts handler-specific options on the command line
331
+ * Request#params no longer merges POST into GET (but returns the same)
332
+ * Use URI.encode_www_form_component instead. Use core methods for escaping.
333
+ * Allow multi-line comments in the config file
334
+ * Bug L#94 reported by Nikolai Lugovoi, query parameter unescaping.
335
+ * Rack::Response now deletes Content-Length when appropriate
336
+ * Rack::Deflater now supports streaming
337
+ * Improved Rack::Handler loading and searching
338
+ * Support for the PATCH verb
339
+ * env['rack.session.options'] now contains session options
340
+ * Cookies respect renew
341
+ * Session middleware uses SecureRandom.hex
342
+
343
+ * May 22nd, 2011: Fourteenth public release 1.2.3
344
+ * Pulled in relevant bug fixes from 1.3
345
+ * Fixed 1.8.6 support
346
+
347
+ * July 13, 2011: Fifteenth public release 1.3.1
348
+ * Fix 1.9.1 support
349
+ * Fix JRuby support
350
+ * Properly handle $KCODE in Rack::Utils.escape
351
+ * Make method_missing/respond_to behavior consistent for Rack::Lock,
352
+ Rack::Auth::Digest::Request and Rack::Multipart::UploadedFile
353
+ * Reenable passing rack.session to session middleware
354
+ * Rack::CommonLogger handles streaming responses correctly
355
+ * Rack::MockResponse calls close on the body object
356
+ * Fix a DOS vector from MRI stdlib backport
357
+
358
+ * July 16, 2011: Sixteenth public release 1.3.2
359
+ * Fix for Rails and rack-test, Rack::Utils#escape calls to_s
360
+
361
+ * Not Yet Released: Seventeenth public release 1.3.3
362
+ * Fix bug with broken query parameters in Rack::ShowExceptions
363
+ * Rack::Request#cookies no longer swallows exceptions on broken input
364
+ * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
365
+ * Rack::ConditionalGet handles broken If-Modified-Since helpers
366
+
367
+ * September 16, 2011: Eighteenth public release 1.2.4
368
+ * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
369
+
370
+ * October 1, 2011: Nineteenth public release 1.3.4
371
+ * Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
372
+ * Small documentation update
373
+ * Fix an issue where BodyProxy could cause an infinite recursion
374
+ * Add some supporting files for travis-ci
375
+
376
+ * October 17, 2011: Twentieth public release 1.3.5
377
+ * Fix annoying warnings caused by the backport in 1.3.4
378
+
320
379
  * December 28th, 2011: Twenty first public release: 1.1.3.
321
380
  * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
322
381
  Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
323
382
 
383
+ * December 28th, 2011: Twenty fourth public release 1.4.0
384
+ * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
385
+ * Raise sane error messages for broken config.ru
386
+ * Allow combining run and map in a config.ru
387
+ * Rack::ContentType will not set Content-Type for responses without a body
388
+ * Status code 205 does not send a response body
389
+ * Rack::Response::Helpers will not rely on instance variables
390
+ * Rack::Utils.build_query no longer outputs '=' for nil query values
391
+ * Various mime types added
392
+ * Rack::MockRequest now supports HEAD
393
+ * Rack::Directory now supports files that contain RFC3986 reserved chars
394
+ * Rack::File now only supports GET and HEAD requests
395
+ * Rack::Server#start now passes the block to Rack::Handler::<h>#run
396
+ * Rack::Static now supports an index option
397
+ * Added the Teapot status code
398
+ * rackup now defaults to Thin instead of Mongrel (if installed)
399
+ * Support added for HTTP_X_FORWARDED_SCHEME
400
+ * Numerous bug fixes, including many fixes for new and alternate rubies
401
+
402
+ * January 22nd, 2012: Twenty fifth public release 1.4.1
403
+ * Alter the keyspace limit calculations to reduce issues with nested params
404
+ * Add a workaround for multipart parsing where files contain unescaped "%"
405
+ * Added Rack::Response::Helpers#method_not_allowed? (code 405)
406
+ * Rack::File now returns 404 for illegal directory traversals
407
+ * Rack::File now returns 405 for illegal methods (non HEAD/GET)
408
+ * Rack::Cascade now catches 405 by default, as well as 404
409
+ * Cookies missing '--' no longer cause an exception to be raised
410
+ * Various style changes and documentation spelling errors
411
+ * Rack::BodyProxy always ensures to execute its block
412
+ * Additional test coverage around cookies and secrets
413
+ * Rack::Session::Cookie can now be supplied either secret or old_secret
414
+ * Tests are no longer dependent on set order
415
+ * Rack::Static no longer defaults to serving index files
416
+ * Rack.release was fixed
417
+
418
+ * January 6th, 2013: Twenty sixth public release 1.1.4
419
+ * Add warnings when users do not provide a session secret
420
+
421
+ * January 6th, 2013: Twenty seventh public release 1.2.6
422
+ * Add warnings when users do not provide a session secret
423
+ * Fix parsing performance for unquoted filenames
424
+
425
+ * January 6th, 2013: Twenty eighth public release 1.3.7
426
+ * Add warnings when users do not provide a session secret
427
+ * Fix parsing performance for unquoted filenames
428
+ * Updated URI backports
429
+ * Fix URI backport version matching, and silence constant warnings
430
+ * Correct parameter parsing with empty values
431
+ * Correct rackup '-I' flag, to allow multiple uses
432
+ * Correct rackup pidfile handling
433
+ * Report rackup line numbers correctly
434
+ * Fix request loops caused by non-stale nonces with time limits
435
+ * Fix reloader on Windows
436
+ * Prevent infinite recursions from Response#to_ary
437
+ * Various middleware better conforms to the body close specification
438
+ * Updated language for the body close specification
439
+ * Additional notes regarding ECMA escape compatibility issues
440
+ * Fix the parsing of multiple ranges in range headers
441
+
442
+ * January 6th, 2013: Twenty ninth public release 1.4.2
443
+ * Add warnings when users do not provide a session secret
444
+ * Fix parsing performance for unquoted filenames
445
+ * Updated URI backports
446
+ * Fix URI backport version matching, and silence constant warnings
447
+ * Correct parameter parsing with empty values
448
+ * Correct rackup '-I' flag, to allow multiple uses
449
+ * Correct rackup pidfile handling
450
+ * Report rackup line numbers correctly
451
+ * Fix request loops caused by non-stale nonces with time limits
452
+ * Fix reloader on Windows
453
+ * Prevent infinite recursions from Response#to_ary
454
+ * Various middleware better conforms to the body close specification
455
+ * Updated language for the body close specification
456
+ * Additional notes regarding ECMA escape compatibility issues
457
+ * Fix the parsing of multiple ranges in range headers
458
+ * Prevent errors from empty parameter keys
459
+ * Added PATCH verb to Rack::Request
460
+ * Various documentation updates
461
+ * Fix session merge semantics (fixes rack-test)
462
+ * Rack::Static :index can now handle multiple directories
463
+ * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
464
+ * Rack::File cache_control parameter is now deprecated, and removed by 1.5
465
+ * Correct Rack::Directory script name escaping
466
+ * Rack::Static supports header rules for sophisticated configurations
467
+ * Multipart parsing now works without a Content-Length header
468
+ * New logos courtesy of Zachary Scott!
469
+ * Rack::BodyProxy now explicitly defines #each, useful for C extensions
470
+ * Cookies that are not URI escaped no longer cause exceptions
471
+
324
472
  == Contact
325
473
 
326
474
  Please post bugs, suggestions and patches to
327
- the bug tracker at <http://rack.lighthouseapp.com/>.
475
+ the bug tracker at <http://github.com/rack/rack/issues>.
328
476
 
329
477
  Mailing list archives are available at
330
478
  <http://groups.google.com/group/rack-devel>.
331
479
 
332
480
  Git repository (send Git patches to the mailing list):
333
481
  * http://github.com/rack/rack
334
- * http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack.git
482
+ * http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack-github.git
335
483
 
336
484
  You are also welcome to join the #rack channel on irc.freenode.net.
337
485
 
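Review bot: the 1.1.4 entry ("Add warnings when users do not provide a session secret") undersells the security change that is the whole point of this release. Without `:secret`, Rack::Session::Cookie accepts whatever session payload the client sends back with no integrity check, so the entry should say that sessions are forgeable in that configuration and that the new warning is the cue to set a secret; a reader scanning this changelog for security fixes will otherwise skip it. Two smaller problems in the same block: the 1.3.3 entry still reads "Not Yet Released" although the 1.3.4 entry dated October 1, 2011 follows it, so the placeholder needs its release date; and the ordinals jump from "Twenty first public release: 1.1.3" to "Twenty fourth public release 1.4.0", while the later 1.2.6 and 1.3.7 entries imply 1.2.5 and 1.3.6 releases that have no entry at all. Add those two entries (they are the siblings of the 1.1.3 security fix) so the numbering and the oCERT fix history are complete.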
@@ -345,6 +493,8 @@ The Rack Core Team, consisting of
345
493
  * Michael Fellinger (manveru)
346
494
  * Ryan Tomayko (rtomayko)
347
495
  * Scytrin dai Kinthra (scytrin)
496
+ * Aaron Patterson (tenderlove)
497
+ * Konstantin Haase (rkh)
348
498
 
349
499
  would like to thank:
350
500
 
@@ -353,12 +503,14 @@ would like to thank:
353
503
  * Tim Fletcher, for the HTTP authentication code.
354
504
  * Luc Heinrich for the Cookie sessions, the static file handler and bugfixes.
355
505
  * Armin Ronacher, for the logo and racktools.
356
- * Aredridel, Ben Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd,
357
- Tom Robinson, Phil Hagelberg, S. Brent Faulkner, Bosko Milekic,
358
- Daniel Rodríguez Troitiño, Genki Takiuchi, Geoffrey Grosenbach,
359
- Julien Sanchez, Kamal Fariz Mahyuddin, Masayoshi Takahashi, Patrick
360
- Aljordm, Mig, and Kazuhiro Nishiyama for bug fixing and other
361
- improvements.
506
+ * Alex Beregszaszi, Alexander Kahn, Anil Wadghule, Aredridel, Ben
507
+ Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd, Tom Robinson,
508
+ Phil Hagelberg, S. Brent Faulkner, Bosko Milekic, Daniel Rodríguez
509
+ Troitiño, Genki Takiuchi, Geoffrey Grosenbach, Julien Sanchez, Kamal
510
+ Fariz Mahyuddin, Masayoshi Takahashi, Patrick Aljordm, Mig, Kazuhiro
511
+ Nishiyama, Jon Bardin, Konstantin Haase, Larry Siden, Matias
512
+ Korhonen, Sam Ruby, Simon Chiang, Tim Connor, Timur Batyrshin, and
513
+ Zach Brock for bug fixing and other improvements.
362
514
  * Eric Wong, Hongli Lai, Jeremy Kemper for their continuous support
363
515
  and API improvements.
364
516
  * Yehuda Katz and Carl Lerche for refactoring rackup.
@@ -372,7 +524,7 @@ would like to thank:
372
524
  * Marcus Rückert, for help with configuring and debugging lighttpd.
373
525
  * The WSGI team for the well-done and documented work they've done and
374
526
  Rack builds up on.
375
- * All bug reporters and patch contributers not mentioned above.
527
+ * All bug reporters and patch contributors not mentioned above.
376
528
 
377
529
  == Copyright
378
530
 
@@ -397,11 +549,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
397
549
 
398
550
  == Links
399
551
 
400
- Rack:: <http://rack.rubyforge.org/>
401
- Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
552
+ Rack:: <http://rack.github.com/>
402
553
  Official Rack repositories:: <http://github.com/rack>
403
- Rack Lighthouse Bug Tracking:: <http://rack.lighthouseapp.com/>
554
+ Rack Bug Tracking:: <http://github.com/rack/rack/issues>
404
555
  rack-devel mailing list:: <http://groups.google.com/group/rack-devel>
556
+ Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
405
557
 
406
558
  Christian Neukirchen:: <http://chneukirchen.org/>
407
559
 
@@ -20,7 +20,7 @@ module Rack
20
20
 
21
21
  # Return the Rack release as a dotted string.
22
22
  def self.release
23
- "1.1.3"
23
+ "1.1.4"
24
24
  end
25
25
 
26
26
  autoload :Builder, "rack/builder"
@@ -27,6 +27,15 @@ module Rack
27
27
  @app = app
28
28
  @key = options[:key] || "rack.session"
29
29
  @secret = options[:secret]
30
+ warn <<-MSG unless @secret
31
+ SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
32
+ This poses a security threat. It is strongly recommended that you
33
+ provide a secret to prevent exploits that may be possible from crafted
34
+ cookies. This will not be supported in future versions of Rack, and
35
+ future versions will even invalidate your existing user cookies.
36
+
37
+ Called from: #{caller[0]}.
38
+ MSG
30
39
  @default_options = {:domain => nil,
31
40
  :path => "/",
32
41
  :expire_after => nil}.merge(options)
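Review bot: `warn <<-MSG unless @secret` only catches `nil`. In Ruby an empty string is truthy, so `:secret => ""` (and `:secret => false` aside, any blank value) silences the warning while providing no protection, because the signing key is then known to everyone. Check `if @secret.nil? || @secret.to_s.empty?` and say "empty" as well as "no" in the message. The heredoc form is also misleading: `<<-MSG` only allows the terminator to be indented, it does not strip the leading spaces from each line, so the text written to stderr carries the source indentation; build the message from a string with the indentation removed, or `gsub(/^\s+/, '')` it. Finally, the message promises that future versions will stop supporting secret-less cookies but the code path stays fully functional here; consider at least documenting in the README that the warning means the session cookie is unsigned, so operators treat it as a finding rather than log noise.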
@@ -3,7 +3,7 @@ require 'rack' # For Rack.release
3
3
 
4
4
  Gem::Specification.new do |s|
5
5
  s.name = "rack"
6
- s.version = Rack.release
6
+ s.version = "1.1.4"
7
7
  s.platform = Gem::Platform::RUBY
8
8
  s.summary = "a modular Ruby webserver interface"
9
9
 
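Review bot: hard-coding `s.version = "1.1.4"` duplicates the string that `Rack.release` already returns (bumped in the `def self.release` hunk above), so the next bump has two places to change and they can drift. The `require 'rack' # For Rack.release` line kept as context says why the gemspec read it from the library in the first place; if the literal is needed so the gemspec can be loaded without requiring the library, keep the literal but add a test (or a line in the release checklist) asserting `Rack.release == Gem::Specification.load('rack.gemspec').version.to_s`.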
@@ -11,6 +11,25 @@ context "Rack::Session::Cookie" do
11
11
  Rack::Response.new(env["rack.session"].inspect).to_a
12
12
  }
13
13
 
14
+ before do
15
+ @warnings = warnings = []
16
+ Rack::Session::Cookie.class_eval do
17
+ define_method(:warn) { |m| warnings << m }
18
+ end
19
+ end
20
+
21
+ after do
22
+ Rack::Session::Cookie.class_eval { remove_method :warn }
23
+ end
24
+
25
+ specify "warns if no secret is given" do
26
+ cookie = Rack::Session::Cookie.new(incrementor)
27
+ @warnings.first.should =~ /no secret/i
28
+ @warnings.clear
29
+ cookie = Rack::Session::Cookie.new(incrementor, :secret => 'abc')
30
+ @warnings.should.be.empty?
31
+ end
32
+
14
33
  specify "creates a new cookie" do
15
34
  res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).get("/")
16
35
  res["Set-Cookie"].should.match("rack.session=")
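Review bot: the new spec checks only the two endpoints of the branch, `nil` secret warns and `'abc'` does not. Add a case for `:secret => ''`, which is the configuration most likely to slip through a blank environment variable; with the implementation as written it will not warn, and the test should pin down whichever behaviour is intended. Stubbing `warn` through `class_eval { define_method(:warn) ... }` and removing it in `after` is fine, but note that it swallows every `warn` from the class, so a later assertion that some other warning fires would need its own matcher on `@warnings` rather than `should.be.empty?`. The two `cookie =` assignments are unused; drop the local to avoid warnings under `ruby -w`.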
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- hash: 21
4
+ hash: 27
5
5
  prerelease:
6
6
  segments:
7
7
  - 1
8
8
  - 1
9
- - 3
10
- version: 1.1.3
9
+ - 4
10
+ version: 1.1.4
11
11
  platform: ruby
12
12
  authors:
13
13
  - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2011-12-28 00:00:00 Z
18
+ date: 2013-01-07 00:00:00 Z
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: test-spec
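Review bot: the build date `2013-01-07` disagrees with the README changelog, which dates the 1.1.4 release "January 6th, 2013"; pick one so the advisory trail for the session-secret change has a single date. The unchanged `cert_chain: []` context above (and the empty `signing_key:` further down) also means this security release ships as an unsigned gem; that is how the rest of the 1.1.x line was published, but it is worth stating in the release notes so consumers know to verify by checksum rather than signature.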
@@ -277,7 +277,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
277
277
  requirements: []
278
278
 
279
279
  rubyforge_project: rack
280
- rubygems_version: 1.8.12
280
+ rubygems_version: 1.8.24
281
281
  signing_key:
282
282
  specification_version: 3
283
283
  summary: a modular Ruby webserver interface
@@ -326,3 +326,4 @@ test_files:
326
326
  - test/spec_rack_utils.rb
327
327
  - test/spec_rack_webrick.rb
328
328
  - test/spec_rackup.rb
329
+ has_rdoc: true
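Review bot: `has_rdoc` is a deprecated Gem::Specification attribute; recent RubyGems ignores it (and the newer versions print a deprecation warning when a gemspec sets it), so adding `has_rdoc: true` to the metadata of a 2013 release buys nothing and adds a line that will have to be removed later. It does not appear in the gemspec hunk above, so it was most likely injected by the `rubygems_version: 1.8.24` toolchain at build time; if so, leave the gemspec alone and just be aware the field is inert.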