rack 1.1.3 → 1.1.4

data/README

@@ -1,4 +1,4 @@
-= Rack, a modular Ruby webserver interface
+= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
 
 Rack provides a minimal, modular and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
@@ -9,16 +9,6 @@ middleware) into a single method call.
 The exact details of this are described in the Rack specification,
 which all Rack applications should conform to.
 
-== Specification changes in this release
-
-With Rack 1.1, the Rack specification (found in SPEC) changed in the
-following backward-incompatible ways.
-
-* Rack::VERSION has been pushed to [1,1].
-* rack.logger is now specified.
-* The SPEC now allows subclasses of the required types.
-* rack.input has to be opened in binary mode.
-
 == Supported web servers
 
 The included *handlers* connect all kinds of web servers to Rack:
@@ -37,8 +27,11 @@ These web servers include Rack handlers in their distributions:
 * Fuzed
 * Glassfish v3
 * Phusion Passenger (which is mod_rack for Apache and for nginx)
+* Puma
 * Rainbows!
 * Unicorn
+* unixrack
+* uWSGI
 * Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
@@ -46,9 +39,6 @@ changing anything.
 
 == Supported web frameworks
 
-The included *adapters* connect Rack with existing Ruby web frameworks:
-* Camping
-
 These frameworks include Rack adapters in their distributions:
 * Camping
 * Coset
@@ -132,7 +122,7 @@ By default, the lobster is found at http://localhost:9292.
 
 == Installing with RubyGems
 
-A Gem of Rack is available at gemcutter.org.  You can install it with:
+A Gem of Rack is available at rubygems.org.  You can install it with:
 
     gem install rack
 
@@ -157,7 +147,6 @@ installation and test-spec.
 
 To run the test suite completely, you need:
 
-  * camping
   * fcgi
   * memcache-client
   * mongrel
@@ -278,7 +267,7 @@ run on port 11211) and memcache-client installed.
   * Make sure WEBrick respects the :Host option
   * Many Ruby 1.9 fixes.
 
-* January 3rd, 2009: Ninth public release 1.1.0.
+* January 3rd, 2010: Ninth public release 1.1.0.
   * Moved Auth::OpenID to rack-contrib.
   * SPEC change that relaxes Lint slightly to allow subclasses of the
     required types
@@ -313,25 +302,184 @@ run on port 11211) and memcache-client installed.
   * Enforce binary encoding in RewindableInput
   * Set correct external_encoding for handlers that don't use RewindableInput
 
+* June 13th, 2010: Tenth public release 1.2.0.
+  * Removed Camping adapter: Camping 2.0 supports Rack as-is
+  * Removed parsing of quoted values
+  * Add Request.trace? and Request.options?
+  * Add mime-type for .webm and .htc
+  * Fix HTTP_X_FORWARDED_FOR
+  * Various multipart fixes
+  * Switch test suite to bacon
+
+* June 15th, 2010: Eleventh public release 1.2.1.
+  * Make CGI handler rewindable
+  * Rename spec/ to test/ to not conflict with SPEC on lesser
+    operating systems
+
 * March 13th, 2011: Twelfth public release 1.2.2/1.1.2.
   * Security fix in Rack::Auth::Digest::MD5: when authenticator
     returned nil, permission was granted on empty password.
 
+* May 22nd, 2011: Thirteenth public release 1.3.0
+  * Various performance optimizations
+  * Various multipart fixes
+  * Various multipart refactors
+  * Infinite loop fix for multipart
+  * Test coverage for Rack::Server returns
+  * Allow files with '..', but not path components that are '..'
+  * rackup accepts handler-specific options on the command line
+  * Request#params no longer merges POST into GET (but returns the same)
+  * Use URI.encode_www_form_component instead. Use core methods for escaping.
+  * Allow multi-line comments in the config file
+  * Bug L#94 reported by Nikolai Lugovoi, query parameter unescaping.
+  * Rack::Response now deletes Content-Length when appropriate
+  * Rack::Deflater now supports streaming
+  * Improved Rack::Handler loading and searching
+  * Support for the PATCH verb
+  * env['rack.session.options'] now contains session options
+  * Cookies respect renew
+  * Session middleware uses SecureRandom.hex
+
+* May 22nd, 2011: Fourteenth public release 1.2.3
+  * Pulled in relevant bug fixes from 1.3
+  * Fixed 1.8.6 support
+
+* July 13, 2011: Fifteenth public release 1.3.1
+  * Fix 1.9.1 support
+  * Fix JRuby support
+  * Properly handle $KCODE in Rack::Utils.escape
+  * Make method_missing/respond_to behavior consistent for Rack::Lock,
+    Rack::Auth::Digest::Request and Rack::Multipart::UploadedFile
+  * Reenable passing rack.session to session middleware
+  * Rack::CommonLogger handles streaming responses correctly
+  * Rack::MockResponse calls close on the body object
+  * Fix a DOS vector from MRI stdlib backport
+
+* July 16, 2011: Sixteenth public release 1.3.2
+  * Fix for Rails and rack-test, Rack::Utils#escape calls to_s
+
+* Not Yet Released: Seventeenth public release 1.3.3
+  * Fix bug with broken query parameters in Rack::ShowExceptions
+  * Rack::Request#cookies no longer swallows exceptions on broken input
+  * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
+  * Rack::ConditionalGet handles broken If-Modified-Since helpers
+
+* September 16, 2011: Eighteenth public release 1.2.4
+  * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
+
+* October 1, 2011: Nineteenth public release 1.3.4
+  * Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
+  * Small documentation update
+  * Fix an issue where BodyProxy could cause an infinite recursion
+  * Add some supporting files for travis-ci
+
+* October 17, 2011: Twentieth public release 1.3.5
+  * Fix annoying warnings caused by the backport in 1.3.4
+
 * December 28th, 2011: Twenty first public release: 1.1.3.
   * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
     Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
 
+* December 28th, 2011: Twenty fourth public release 1.4.0
+  * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
+  * Raise sane error messages for broken config.ru
+  * Allow combining run and map in a config.ru
+  * Rack::ContentType will not set Content-Type for responses without a body
+  * Status code 205 does not send a response body
+  * Rack::Response::Helpers will not rely on instance variables
+  * Rack::Utils.build_query no longer outputs '=' for nil query values
+  * Various mime types added
+  * Rack::MockRequest now supports HEAD
+  * Rack::Directory now supports files that contain RFC3986 reserved chars
+  * Rack::File now only supports GET and HEAD requests
+  * Rack::Server#start now passes the block to Rack::Handler::<h>#run
+  * Rack::Static now supports an index option
+  * Added the Teapot status code
+  * rackup now defaults to Thin instead of Mongrel (if installed)
+  * Support added for HTTP_X_FORWARDED_SCHEME
+  * Numerous bug fixes, including many fixes for new and alternate rubies
+
+* January 22nd, 2012: Twenty fifth public release 1.4.1
+  * Alter the keyspace limit calculations to reduce issues with nested params
+  * Add a workaround for multipart parsing where files contain unescaped "%"
+  * Added Rack::Response::Helpers#method_not_allowed? (code 405)
+  * Rack::File now returns 404 for illegal directory traversals
+  * Rack::File now returns 405 for illegal methods (non HEAD/GET)
+  * Rack::Cascade now catches 405 by default, as well as 404
+  * Cookies missing '--' no longer cause an exception to be raised
+  * Various style changes and documentation spelling errors
+  * Rack::BodyProxy always ensures to execute its block
+  * Additional test coverage around cookies and secrets
+  * Rack::Session::Cookie can now be supplied either secret or old_secret
+  * Tests are no longer dependent on set order
+  * Rack::Static no longer defaults to serving index files
+  * Rack.release was fixed
+
+* January 6th, 2013: Twenty sixth public release 1.1.4
+  * Add warnings when users do not provide a session secret
+
+* January 6th, 2013: Twenty seventh public release 1.2.6
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+
+* January 6th, 2013: Twenty eighth public release 1.3.7
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+  * Updated URI backports
+  * Fix URI backport version matching, and silence constant warnings
+  * Correct parameter parsing with empty values
+  * Correct rackup '-I' flag, to allow multiple uses
+  * Correct rackup pidfile handling
+  * Report rackup line numbers correctly
+  * Fix request loops caused by non-stale nonces with time limits
+  * Fix reloader on Windows
+  * Prevent infinite recursions from Response#to_ary
+  * Various middleware better conforms to the body close specification
+  * Updated language for the body close specification
+  * Additional notes regarding ECMA escape compatibility issues
+  * Fix the parsing of multiple ranges in range headers
+
+* January 6th, 2013: Twenty ninth public release 1.4.2
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+  * Updated URI backports
+  * Fix URI backport version matching, and silence constant warnings
+  * Correct parameter parsing with empty values
+  * Correct rackup '-I' flag, to allow multiple uses
+  * Correct rackup pidfile handling
+  * Report rackup line numbers correctly
+  * Fix request loops caused by non-stale nonces with time limits
+  * Fix reloader on Windows
+  * Prevent infinite recursions from Response#to_ary
+  * Various middleware better conforms to the body close specification
+  * Updated language for the body close specification
+  * Additional notes regarding ECMA escape compatibility issues
+  * Fix the parsing of multiple ranges in range headers
+  * Prevent errors from empty parameter keys
+  * Added PATCH verb to Rack::Request
+  * Various documentation updates
+  * Fix session merge semantics (fixes rack-test)
+  * Rack::Static :index can now handle multiple directories
+  * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
+  * Rack::File cache_control parameter is now deprecated, and removed by 1.5
+  * Correct Rack::Directory script name escaping
+  * Rack::Static supports header rules for sophisticated configurations
+  * Multipart parsing now works without a Content-Length header
+  * New logos courtesy of Zachary Scott!
+  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
+  * Cookies that are not URI escaped no longer cause exceptions
+
 == Contact
 
 Please post bugs, suggestions and patches to
-the bug tracker at <http://rack.lighthouseapp.com/>.
+the bug tracker at <http://github.com/rack/rack/issues>.
 
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.
 
 Git repository (send Git patches to the mailing list):
 * http://github.com/rack/rack
-* http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack.git
+* http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack-github.git
 
 You are also welcome to join the #rack channel on irc.freenode.net.
 
@@ -345,6 +493,8 @@ The Rack Core Team, consisting of
 * Michael Fellinger (manveru)
 * Ryan Tomayko (rtomayko)
 * Scytrin dai Kinthra (scytrin)
+* Aaron Patterson (tenderlove)
+* Konstantin Haase (rkh)
 
 would like to thank:
 
@@ -353,12 +503,14 @@ would like to thank:
 * Tim Fletcher, for the HTTP authentication code.
 * Luc Heinrich for the Cookie sessions, the static file handler and bugfixes.
 * Armin Ronacher, for the logo and racktools.
-* Aredridel, Ben Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd,
-  Tom Robinson, Phil Hagelberg, S. Brent Faulkner, Bosko Milekic,
-  Daniel Rodríguez Troitiño, Genki Takiuchi, Geoffrey Grosenbach,
-  Julien Sanchez, Kamal Fariz Mahyuddin, Masayoshi Takahashi, Patrick
-  Aljordm, Mig, and Kazuhiro Nishiyama for bug fixing and other
-  improvements.
+* Alex Beregszaszi, Alexander Kahn, Anil Wadghule, Aredridel, Ben
+  Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd, Tom Robinson,
+  Phil Hagelberg, S. Brent Faulkner, Bosko Milekic, Daniel Rodríguez
+  Troitiño, Genki Takiuchi, Geoffrey Grosenbach, Julien Sanchez, Kamal
+  Fariz Mahyuddin, Masayoshi Takahashi, Patrick Aljordm, Mig, Kazuhiro
+  Nishiyama, Jon Bardin, Konstantin Haase, Larry Siden, Matias
+  Korhonen, Sam Ruby, Simon Chiang, Tim Connor, Timur Batyrshin, and
+  Zach Brock for bug fixing and other improvements.
 * Eric Wong, Hongli Lai, Jeremy Kemper for their continuous support
   and API improvements.
 * Yehuda Katz and Carl Lerche for refactoring rackup.
@@ -372,7 +524,7 @@ would like to thank:
 * Marcus Rückert, for help with configuring and debugging lighttpd.
 * The WSGI team for the well-done and documented work they've done and
   Rack builds up on.
-* All bug reporters and patch contributers not mentioned above.
+* All bug reporters and patch contributors not mentioned above.
 
 == Copyright
 
@@ -397,11 +549,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.rubyforge.org/>
-Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
+Rack:: <http://rack.github.com/>
 Official Rack repositories:: <http://github.com/rack>
-Rack Lighthouse Bug Tracking:: <http://rack.lighthouseapp.com/>
+Rack Bug Tracking:: <http://github.com/rack/rack/issues>
 rack-devel mailing list:: <http://groups.google.com/group/rack-devel>
+Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
 
 Christian Neukirchen:: <http://chneukirchen.org/>
 

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.1.3"
+    "1.1.4"
   end
 
   autoload :Builder, "rack/builder"

data/lib/rack/session/cookie.rb

@@ -27,6 +27,15 @@ module Rack
         @app = app
         @key = options[:key] || "rack.session"
         @secret = options[:secret]
+        warn <<-MSG unless @secret
+        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+        This poses a security threat. It is strongly recommended that you
+        provide a secret to prevent exploits that may be possible from crafted
+        cookies. This will not be supported in future versions of Rack, and
+        future versions will even invalidate your existing user cookies.
+
+        Called from: #{caller[0]}.
+        MSG
         @default_options = {:domain => nil,
           :path => "/",
           :expire_after => nil}.merge(options)

data/rack.gemspec

@@ -3,7 +3,7 @@ require 'rack' # For Rack.release
 
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = Rack.release
+  s.version         = "1.1.4"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_rack_session_cookie.rb

@@ -11,6 +11,25 @@ context "Rack::Session::Cookie" do
     Rack::Response.new(env["rack.session"].inspect).to_a
   }
 
+  before do
+    @warnings = warnings = []
+    Rack::Session::Cookie.class_eval do
+      define_method(:warn) { |m| warnings << m }
+    end
+  end
+
+  after do
+    Rack::Session::Cookie.class_eval { remove_method :warn }
+  end
+
+  specify "warns if no secret is given" do
+    cookie = Rack::Session::Cookie.new(incrementor)
+    @warnings.first.should =~ /no secret/i
+    @warnings.clear
+    cookie = Rack::Session::Cookie.new(incrementor, :secret => 'abc')
+    @warnings.should.be.empty?
+  end
+
   specify "creates a new cookie" do
     res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).get("/")
     res["Set-Cookie"].should.match("rack.session=")

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 21
+  hash: 27
   prerelease: 
   segments: 
   - 1
   - 1
-  - 3
-  version: 1.1.3
+  - 4
+  version: 1.1.4
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-12-28 00:00:00 Z
+date: 2013-01-07 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: test-spec
@@ -277,7 +277,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rack
-rubygems_version: 1.8.12
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: a modular Ruby webserver interface
@@ -326,3 +326,4 @@ test_files:
 - test/spec_rack_utils.rb
 - test/spec_rack_webrick.rb
 - test/spec_rackup.rb
+has_rdoc: true