rack 1.1.3 → 1.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
data/README CHANGED
@@ -1,4 +1,4 @@
1
- = Rack, a modular Ruby webserver interface
1
+ = Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
2
2
 
3
3
  Rack provides a minimal, modular and adaptable interface for developing
4
4
  web applications in Ruby. By wrapping HTTP requests and responses in
@@ -9,16 +9,6 @@ middleware) into a single method call.
9
9
  The exact details of this are described in the Rack specification,
10
10
  which all Rack applications should conform to.
11
11
 
12
- == Specification changes in this release
13
-
14
- With Rack 1.1, the Rack specification (found in SPEC) changed in the
15
- following backward-incompatible ways.
16
-
17
- * Rack::VERSION has been pushed to [1,1].
18
- * rack.logger is now specified.
19
- * The SPEC now allows subclasses of the required types.
20
- * rack.input has to be opened in binary mode.
21
-
22
12
  == Supported web servers
23
13
 
24
14
  The included *handlers* connect all kinds of web servers to Rack:
@@ -37,8 +27,11 @@ These web servers include Rack handlers in their distributions:
37
27
  * Fuzed
38
28
  * Glassfish v3
39
29
  * Phusion Passenger (which is mod_rack for Apache and for nginx)
30
+ * Puma
40
31
  * Rainbows!
41
32
  * Unicorn
33
+ * unixrack
34
+ * uWSGI
42
35
  * Zbatery
43
36
 
44
37
  Any valid Rack app will run the same on all these handlers, without
@@ -46,9 +39,6 @@ changing anything.
46
39
 
47
40
  == Supported web frameworks
48
41
 
49
- The included *adapters* connect Rack with existing Ruby web frameworks:
50
- * Camping
51
-
52
42
  These frameworks include Rack adapters in their distributions:
53
43
  * Camping
54
44
  * Coset
@@ -132,7 +122,7 @@ By default, the lobster is found at http://localhost:9292.
132
122
 
133
123
  == Installing with RubyGems
134
124
 
135
- A Gem of Rack is available at gemcutter.org. You can install it with:
125
+ A Gem of Rack is available at rubygems.org. You can install it with:
136
126
 
137
127
  gem install rack
138
128
 
@@ -157,7 +147,6 @@ installation and test-spec.
157
147
 
158
148
  To run the test suite completely, you need:
159
149
 
160
- * camping
161
150
  * fcgi
162
151
  * memcache-client
163
152
  * mongrel
@@ -278,7 +267,7 @@ run on port 11211) and memcache-client installed.
278
267
  * Make sure WEBrick respects the :Host option
279
268
  * Many Ruby 1.9 fixes.
280
269
 
281
- * January 3rd, 2009: Ninth public release 1.1.0.
270
+ * January 3rd, 2010: Ninth public release 1.1.0.
282
271
  * Moved Auth::OpenID to rack-contrib.
283
272
  * SPEC change that relaxes Lint slightly to allow subclasses of the
284
273
  required types
@@ -313,25 +302,217 @@ run on port 11211) and memcache-client installed.
313
302
  * Enforce binary encoding in RewindableInput
314
303
  * Set correct external_encoding for handlers that don't use RewindableInput
315
304
 
305
+ * June 13th, 2010: Tenth public release 1.2.0.
306
+ * Removed Camping adapter: Camping 2.0 supports Rack as-is
307
+ * Removed parsing of quoted values
308
+ * Add Request.trace? and Request.options?
309
+ * Add mime-type for .webm and .htc
310
+ * Fix HTTP_X_FORWARDED_FOR
311
+ * Various multipart fixes
312
+ * Switch test suite to bacon
313
+
314
+ * June 15th, 2010: Eleventh public release 1.2.1.
315
+ * Make CGI handler rewindable
316
+ * Rename spec/ to test/ to not conflict with SPEC on lesser
317
+ operating systems
318
+
316
319
  * March 13th, 2011: Twelfth public release 1.2.2/1.1.2.
317
320
  * Security fix in Rack::Auth::Digest::MD5: when authenticator
318
321
  returned nil, permission was granted on empty password.
319
322
 
323
+ * May 22nd, 2011: Thirteenth public release 1.3.0
324
+ * Various performance optimizations
325
+ * Various multipart fixes
326
+ * Various multipart refactors
327
+ * Infinite loop fix for multipart
328
+ * Test coverage for Rack::Server returns
329
+ * Allow files with '..', but not path components that are '..'
330
+ * rackup accepts handler-specific options on the command line
331
+ * Request#params no longer merges POST into GET (but returns the same)
332
+ * Use URI.encode_www_form_component instead. Use core methods for escaping.
333
+ * Allow multi-line comments in the config file
334
+ * Bug L#94 reported by Nikolai Lugovoi, query parameter unescaping.
335
+ * Rack::Response now deletes Content-Length when appropriate
336
+ * Rack::Deflater now supports streaming
337
+ * Improved Rack::Handler loading and searching
338
+ * Support for the PATCH verb
339
+ * env['rack.session.options'] now contains session options
340
+ * Cookies respect renew
341
+ * Session middleware uses SecureRandom.hex
342
+
343
+ * May 22nd, 2011: Fourteenth public release 1.2.3
344
+ * Pulled in relevant bug fixes from 1.3
345
+ * Fixed 1.8.6 support
346
+
347
+ * July 13, 2011: Fifteenth public release 1.3.1
348
+ * Fix 1.9.1 support
349
+ * Fix JRuby support
350
+ * Properly handle $KCODE in Rack::Utils.escape
351
+ * Make method_missing/respond_to behavior consistent for Rack::Lock,
352
+ Rack::Auth::Digest::Request and Rack::Multipart::UploadedFile
353
+ * Reenable passing rack.session to session middleware
354
+ * Rack::CommonLogger handles streaming responses correctly
355
+ * Rack::MockResponse calls close on the body object
356
+ * Fix a DOS vector from MRI stdlib backport
357
+
358
+ * July 16, 2011: Sixteenth public release 1.3.2
359
+ * Fix for Rails and rack-test, Rack::Utils#escape calls to_s
360
+
361
+ * Not Yet Released: Seventeenth public release 1.3.3
362
+ * Fix bug with broken query parameters in Rack::ShowExceptions
363
+ * Rack::Request#cookies no longer swallows exceptions on broken input
364
+ * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
365
+ * Rack::ConditionalGet handles broken If-Modified-Since helpers
366
+
367
+ * September 16, 2011: Eighteenth public release 1.2.4
368
+ * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
369
+
370
+ * October 1, 2011: Nineteenth public release 1.3.4
371
+ * Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
372
+ * Small documentation update
373
+ * Fix an issue where BodyProxy could cause an infinite recursion
374
+ * Add some supporting files for travis-ci
375
+
376
+ * October 17, 2011: Twentieth public release 1.3.5
377
+ * Fix annoying warnings caused by the backport in 1.3.4
378
+
320
379
  * December 28th, 2011: Twenty first public release: 1.1.3.
321
380
  * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
322
381
  Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
323
382
 
383
+ * December 28th, 2011: Twenty fourth public release 1.4.0
384
+ * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
385
+ * Raise sane error messages for broken config.ru
386
+ * Allow combining run and map in a config.ru
387
+ * Rack::ContentType will not set Content-Type for responses without a body
388
+ * Status code 205 does not send a response body
389
+ * Rack::Response::Helpers will not rely on instance variables
390
+ * Rack::Utils.build_query no longer outputs '=' for nil query values
391
+ * Various mime types added
392
+ * Rack::MockRequest now supports HEAD
393
+ * Rack::Directory now supports files that contain RFC3986 reserved chars
394
+ * Rack::File now only supports GET and HEAD requests
395
+ * Rack::Server#start now passes the block to Rack::Handler::<h>#run
396
+ * Rack::Static now supports an index option
397
+ * Added the Teapot status code
398
+ * rackup now defaults to Thin instead of Mongrel (if installed)
399
+ * Support added for HTTP_X_FORWARDED_SCHEME
400
+ * Numerous bug fixes, including many fixes for new and alternate rubies
401
+
402
+ * January 22nd, 2012: Twenty fifth public release 1.4.1
403
+ * Alter the keyspace limit calculations to reduce issues with nested params
404
+ * Add a workaround for multipart parsing where files contain unescaped "%"
405
+ * Added Rack::Response::Helpers#method_not_allowed? (code 405)
406
+ * Rack::File now returns 404 for illegal directory traversals
407
+ * Rack::File now returns 405 for illegal methods (non HEAD/GET)
408
+ * Rack::Cascade now catches 405 by default, as well as 404
409
+ * Cookies missing '--' no longer cause an exception to be raised
410
+ * Various style changes and documentation spelling errors
411
+ * Rack::BodyProxy always ensures to execute its block
412
+ * Additional test coverage around cookies and secrets
413
+ * Rack::Session::Cookie can now be supplied either secret or old_secret
414
+ * Tests are no longer dependent on set order
415
+ * Rack::Static no longer defaults to serving index files
416
+ * Rack.release was fixed
417
+
418
+ * January 6th, 2013: Twenty sixth public release 1.1.4
419
+ * Add warnings when users do not provide a session secret
420
+
421
+ * January 6th, 2013: Twenty seventh public release 1.2.6
422
+ * Add warnings when users do not provide a session secret
423
+ * Fix parsing performance for unquoted filenames
424
+
425
+ * January 6th, 2013: Twenty eighth public release 1.3.7
426
+ * Add warnings when users do not provide a session secret
427
+ * Fix parsing performance for unquoted filenames
428
+ * Updated URI backports
429
+ * Fix URI backport version matching, and silence constant warnings
430
+ * Correct parameter parsing with empty values
431
+ * Correct rackup '-I' flag, to allow multiple uses
432
+ * Correct rackup pidfile handling
433
+ * Report rackup line numbers correctly
434
+ * Fix request loops caused by non-stale nonces with time limits
435
+ * Fix reloader on Windows
436
+ * Prevent infinite recursions from Response#to_ary
437
+ * Various middleware better conforms to the body close specification
438
+ * Updated language for the body close specification
439
+ * Additional notes regarding ECMA escape compatibility issues
440
+ * Fix the parsing of multiple ranges in range headers
441
+
442
+ * January 6th, 2013: Twenty ninth public release 1.4.2
443
+ * Add warnings when users do not provide a session secret
444
+ * Fix parsing performance for unquoted filenames
445
+ * Updated URI backports
446
+ * Fix URI backport version matching, and silence constant warnings
447
+ * Correct parameter parsing with empty values
448
+ * Correct rackup '-I' flag, to allow multiple uses
449
+ * Correct rackup pidfile handling
450
+ * Report rackup line numbers correctly
451
+ * Fix request loops caused by non-stale nonces with time limits
452
+ * Fix reloader on Windows
453
+ * Prevent infinite recursions from Response#to_ary
454
+ * Various middleware better conforms to the body close specification
455
+ * Updated language for the body close specification
456
+ * Additional notes regarding ECMA escape compatibility issues
457
+ * Fix the parsing of multiple ranges in range headers
458
+ * Prevent errors from empty parameter keys
459
+ * Added PATCH verb to Rack::Request
460
+ * Various documentation updates
461
+ * Fix session merge semantics (fixes rack-test)
462
+ * Rack::Static :index can now handle multiple directories
463
+ * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
464
+ * Rack::File cache_control parameter is now deprecated, and removed by 1.5
465
+ * Correct Rack::Directory script name escaping
466
+ * Rack::Static supports header rules for sophisticated configurations
467
+ * Multipart parsing now works without a Content-Length header
468
+ * New logos courtesy of Zachary Scott!
469
+ * Rack::BodyProxy now explicitly defines #each, useful for C extensions
470
+ * Cookies that are not URI escaped no longer cause exceptions
471
+
472
+ * January 7th, 2013: Thirtieth public release 1.3.8
473
+ * Security: Prevent unbounded reads in large multipart boundaries
474
+
475
+ * January 7th, 2013: Thirty first public release 1.4.3
476
+ * Security: Prevent unbounded reads in large multipart boundaries
477
+
478
+ * January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
479
+ * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
480
+ * Fixed erroneous test case in the 1.3.x series
481
+
482
+ * February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
483
+ * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
484
+
485
+ * February 7th, Thirty fifth public release 1.4.5
486
+ * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
487
+ * Fix CVE-2013-0262, symlink path traversal in Rack::File
488
+
489
+ * February 7th, Thirty fifth public release 1.5.2
490
+ * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
491
+ * Fix CVE-2013-0262, symlink path traversal in Rack::File
492
+ * Add various methods to Session for enhanced Rails compatibility
493
+ * Request#trusted_proxy? now only matches whole stirngs
494
+ * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
495
+ * URLMap host matching in environments that don't set the Host header fixed
496
+ * Fix a race condition that could result in overwritten pidfiles
497
+ * Various documentation additions
498
+
324
499
  == Contact
325
500
 
326
501
  Please post bugs, suggestions and patches to
327
- the bug tracker at <http://rack.lighthouseapp.com/>.
502
+ the bug tracker at <http://github.com/rack/rack/issues>.
503
+
504
+ Please post security related bugs and suggestions to the core team at
505
+ <https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
506
+ to wide usage of the library, it is strongly preferred that we manage timing in
507
+ order to provide viable patches at the time of disclosure. Your assistance in
508
+ this matter is greatly appreciated.
328
509
 
329
510
  Mailing list archives are available at
330
511
  <http://groups.google.com/group/rack-devel>.
331
512
 
332
513
  Git repository (send Git patches to the mailing list):
333
514
  * http://github.com/rack/rack
334
- * http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack.git
515
+ * http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack-github.git
335
516
 
336
517
  You are also welcome to join the #rack channel on irc.freenode.net.
337
518
 
@@ -345,6 +526,8 @@ The Rack Core Team, consisting of
345
526
  * Michael Fellinger (manveru)
346
527
  * Ryan Tomayko (rtomayko)
347
528
  * Scytrin dai Kinthra (scytrin)
529
+ * Aaron Patterson (tenderlove)
530
+ * Konstantin Haase (rkh)
348
531
 
349
532
  would like to thank:
350
533
 
@@ -353,12 +536,14 @@ would like to thank:
353
536
  * Tim Fletcher, for the HTTP authentication code.
354
537
  * Luc Heinrich for the Cookie sessions, the static file handler and bugfixes.
355
538
  * Armin Ronacher, for the logo and racktools.
356
- * Aredridel, Ben Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd,
357
- Tom Robinson, Phil Hagelberg, S. Brent Faulkner, Bosko Milekic,
358
- Daniel Rodríguez Troitiño, Genki Takiuchi, Geoffrey Grosenbach,
359
- Julien Sanchez, Kamal Fariz Mahyuddin, Masayoshi Takahashi, Patrick
360
- Aljordm, Mig, and Kazuhiro Nishiyama for bug fixing and other
361
- improvements.
539
+ * Alex Beregszaszi, Alexander Kahn, Anil Wadghule, Aredridel, Ben
540
+ Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd, Tom Robinson,
541
+ Phil Hagelberg, S. Brent Faulkner, Bosko Milekic, Daniel Rodríguez
542
+ Troitiño, Genki Takiuchi, Geoffrey Grosenbach, Julien Sanchez, Kamal
543
+ Fariz Mahyuddin, Masayoshi Takahashi, Patrick Aljordm, Mig, Kazuhiro
544
+ Nishiyama, Jon Bardin, Konstantin Haase, Larry Siden, Matias
545
+ Korhonen, Sam Ruby, Simon Chiang, Tim Connor, Timur Batyrshin, and
546
+ Zach Brock for bug fixing and other improvements.
362
547
  * Eric Wong, Hongli Lai, Jeremy Kemper for their continuous support
363
548
  and API improvements.
364
549
  * Yehuda Katz and Carl Lerche for refactoring rackup.
@@ -372,7 +557,7 @@ would like to thank:
372
557
  * Marcus Rückert, for help with configuring and debugging lighttpd.
373
558
  * The WSGI team for the well-done and documented work they've done and
374
559
  Rack builds up on.
375
- * All bug reporters and patch contributers not mentioned above.
560
+ * All bug reporters and patch contributors not mentioned above.
376
561
 
377
562
  == Copyright
378
563
 
@@ -397,11 +582,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
397
582
 
398
583
  == Links
399
584
 
400
- Rack:: <http://rack.rubyforge.org/>
401
- Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
585
+ Rack:: <http://rack.github.com/>
402
586
  Official Rack repositories:: <http://github.com/rack>
403
- Rack Lighthouse Bug Tracking:: <http://rack.lighthouseapp.com/>
587
+ Rack Bug Tracking:: <http://github.com/rack/rack/issues>
404
588
  rack-devel mailing list:: <http://groups.google.com/group/rack-devel>
589
+ Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
405
590
 
406
591
  Christian Neukirchen:: <http://chneukirchen.org/>
407
592
 
@@ -15,7 +15,11 @@ module Rack
15
15
  end
16
16
 
17
17
  def scheme
18
- @scheme ||= parts.first.downcase.to_sym
18
+ @scheme ||=
19
+ begin
20
+ s = parts.first.downcase
21
+ Rack::Auth.schemes.include?(s) ? s.to_sym : s
22
+ end
19
23
  end
20
24
 
21
25
  def params
@@ -27,6 +27,15 @@ module Rack
27
27
  @app = app
28
28
  @key = options[:key] || "rack.session"
29
29
  @secret = options[:secret]
30
+ warn <<-MSG unless @secret
31
+ SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
32
+ This poses a security threat. It is strongly recommended that you
33
+ provide a secret to prevent exploits that may be possible from crafted
34
+ cookies. This will not be supported in future versions of Rack, and
35
+ future versions will even invalidate your existing user cookies.
36
+
37
+ Called from: #{caller[0]}.
38
+ MSG
30
39
  @default_options = {:domain => nil,
31
40
  :path => "/",
32
41
  :expire_after => nil}.merge(options)
@@ -46,7 +55,7 @@ module Rack
46
55
 
47
56
  if @secret && session_data
48
57
  session_data, digest = session_data.split("--")
49
- session_data = nil unless digest == generate_hmac(session_data)
58
+ session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
50
59
  end
51
60
 
52
61
  begin
data/lib/rack/utils.rb CHANGED
@@ -285,6 +285,18 @@ module Rack
285
285
  end
286
286
  module_function :bytesize
287
287
 
288
+ # Constant time string comparison.
289
+ def secure_compare(a, b)
290
+ return false unless bytesize(a) == bytesize(b)
291
+
292
+ l = a.unpack("C*")
293
+
294
+ r, i = 0, -1
295
+ b.each_byte { |v| r |= v ^ l[i+=1] }
296
+ r == 0
297
+ end
298
+ module_function :secure_compare
299
+
288
300
  # Context allows the use of a compatible middleware at different points
289
301
  # in a request handling stack. A compatible middleware must define
290
302
  # #context which should take the arguments env and app. The first of which
data/lib/rack.rb CHANGED
@@ -20,7 +20,7 @@ module Rack
20
20
 
21
21
  # Return the Rack release as a dotted string.
22
22
  def self.release
23
- "1.1.3"
23
+ "1.1.6"
24
24
  end
25
25
 
26
26
  autoload :Builder, "rack/builder"
@@ -71,6 +71,18 @@ module Rack
71
71
  autoload :Params, "rack/auth/digest/params"
72
72
  autoload :Request, "rack/auth/digest/request"
73
73
  end
74
+
75
+ # Not all of the following schemes are "standards", but they are used often.
76
+ @schemes = %w[basic digest bearer mac token oauth oauth2]
77
+
78
+ def self.add_scheme scheme
79
+ @schemes << scheme
80
+ @schemes.uniq!
81
+ end
82
+
83
+ def self.schemes
84
+ @schemes.dup
85
+ end
74
86
  end
75
87
 
76
88
  module Session
data/rack.gemspec CHANGED
@@ -3,7 +3,7 @@ require 'rack' # For Rack.release
3
3
 
4
4
  Gem::Specification.new do |s|
5
5
  s.name = "rack"
6
- s.version = Rack.release
6
+ s.version = "1.1.6"
7
7
  s.platform = Gem::Platform::RUBY
8
8
  s.summary = "a modular Ruby webserver interface"
9
9
 
data/test/spec_auth.rb ADDED
@@ -0,0 +1,57 @@
1
+ require 'rack'
2
+
3
+ context "Rack::Auth" do
4
+ specify "should have all common authentication schemes" do
5
+ Rack::Auth.schemes.should.include? 'basic'
6
+ Rack::Auth.schemes.should.include? 'digest'
7
+ Rack::Auth.schemes.should.include? 'bearer'
8
+ Rack::Auth.schemes.should.include? 'token'
9
+ end
10
+
11
+ specify "should allow registration of new auth schemes" do
12
+ Rack::Auth.schemes.should.not.include "test"
13
+ Rack::Auth.add_scheme "test"
14
+ Rack::Auth.schemes.should.include "test"
15
+ end
16
+ end
17
+
18
+ context "Rack::Auth::AbstractRequest" do
19
+ specify "should symbolize known auth schemes" do
20
+ env = Rack::MockRequest.env_for('/')
21
+ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
22
+ req = Rack::Auth::AbstractRequest.new(env)
23
+ req.scheme.should.equal :basic
24
+
25
+
26
+ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
27
+ req = Rack::Auth::AbstractRequest.new(env)
28
+ req.scheme.should.equal :digest
29
+
30
+ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
31
+ req = Rack::Auth::AbstractRequest.new(env)
32
+ req.scheme.should.equal :bearer
33
+
34
+ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
35
+ req = Rack::Auth::AbstractRequest.new(env)
36
+ req.scheme.should.equal :mac
37
+
38
+ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
39
+ req = Rack::Auth::AbstractRequest.new(env)
40
+ req.scheme.should.equal :token
41
+
42
+ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
43
+ req = Rack::Auth::AbstractRequest.new(env)
44
+ req.scheme.should.equal :oauth
45
+
46
+ env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
47
+ req = Rack::Auth::AbstractRequest.new(env)
48
+ req.scheme.should.equal :oauth2
49
+ end
50
+
51
+ specify "should not symbolize unknown auth schemes" do
52
+ env = Rack::MockRequest.env_for('/')
53
+ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
54
+ req = Rack::Auth::AbstractRequest.new(env)
55
+ req.scheme.should == "magic"
56
+ end
57
+ end
@@ -11,6 +11,25 @@ context "Rack::Session::Cookie" do
11
11
  Rack::Response.new(env["rack.session"].inspect).to_a
12
12
  }
13
13
 
14
+ before do
15
+ @warnings = warnings = []
16
+ Rack::Session::Cookie.class_eval do
17
+ define_method(:warn) { |m| warnings << m }
18
+ end
19
+ end
20
+
21
+ after do
22
+ Rack::Session::Cookie.class_eval { remove_method :warn }
23
+ end
24
+
25
+ specify "warns if no secret is given" do
26
+ cookie = Rack::Session::Cookie.new(incrementor)
27
+ @warnings.first.should =~ /no secret/i
28
+ @warnings.clear
29
+ cookie = Rack::Session::Cookie.new(incrementor, :secret => 'abc')
30
+ @warnings.should.be.empty?
31
+ end
32
+
14
33
  specify "creates a new cookie" do
15
34
  res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).get("/")
16
35
  res["Set-Cookie"].should.match("rack.session=")
@@ -205,6 +205,11 @@ context "Rack::Utils" do
205
205
  Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
206
206
  end
207
207
 
208
+ specify "should perform constant time string comparison" do
209
+ Rack::Utils.secure_compare('a', 'a').should.equal true
210
+ Rack::Utils.secure_compare('a', 'b').should.equal false
211
+ end
212
+
208
213
  specify "should return status code for integer" do
209
214
  Rack::Utils.status_code(200).should.equal 200
210
215
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- hash: 21
4
+ hash: 31
5
5
  prerelease:
6
6
  segments:
7
7
  - 1
8
8
  - 1
9
- - 3
10
- version: 1.1.3
9
+ - 6
10
+ version: 1.1.6
11
11
  platform: ruby
12
12
  authors:
13
13
  - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2011-12-28 00:00:00 Z
18
+ date: 2013-02-08 00:00:00 Z
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: test-spec
@@ -204,6 +204,7 @@ files:
204
204
  - RDOX
205
205
  - README
206
206
  - SPEC
207
+ - test/spec_auth.rb
207
208
  - test/spec_rack_auth_basic.rb
208
209
  - test/spec_rack_auth_digest.rb
209
210
  - test/spec_rack_builder.rb
@@ -277,11 +278,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
277
278
  requirements: []
278
279
 
279
280
  rubyforge_project: rack
280
- rubygems_version: 1.8.12
281
+ rubygems_version: 1.8.24
281
282
  signing_key:
282
283
  specification_version: 3
283
284
  summary: a modular Ruby webserver interface
284
285
  test_files:
286
+ - test/spec_auth.rb
285
287
  - test/spec_rack_auth_basic.rb
286
288
  - test/spec_rack_auth_digest.rb
287
289
  - test/spec_rack_builder.rb
@@ -326,3 +328,4 @@ test_files:
326
328
  - test/spec_rack_utils.rb
327
329
  - test/spec_rack_webrick.rb
328
330
  - test/spec_rackup.rb
331
+ has_rdoc: true