rack 1.1.6 → 1.2.0

data/README

@@ -1,4 +1,4 @@
-= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
+= Rack, a modular Ruby webserver interface
 
 Rack provides a minimal, modular and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
@@ -27,11 +27,8 @@ These web servers include Rack handlers in their distributions:
 * Fuzed
 * Glassfish v3
 * Phusion Passenger (which is mod_rack for Apache and for nginx)
-* Puma
 * Rainbows!
 * Unicorn
-* unixrack
-* uWSGI
 * Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
@@ -122,7 +119,7 @@ By default, the lobster is found at http://localhost:9292.
 
 == Installing with RubyGems
 
-A Gem of Rack is available at rubygems.org.  You can install it with:
+A Gem of Rack is available at gemcutter.org.  You can install it with:
 
     gem install rack
 
@@ -133,9 +130,9 @@ at my site:
 
 == Running the tests
 
-Testing Rack requires the test/spec testing framework:
+Testing Rack requires the bacon testing framework:
 
-    gem install test-spec
+    gem install bacon
 
 There are two rake-based test tasks:
 
@@ -143,7 +140,7 @@ There are two rake-based test tasks:
     rake fulltest   runs all the tests
 
 The fast testsuite has no dependencies outside of the core Ruby
-installation and test-spec.
+installation and bacon.
 
 To run the test suite completely, you need:
 
@@ -311,202 +308,11 @@ run on port 11211) and memcache-client installed.
   * Various multipart fixes
   * Switch test suite to bacon
 
-* June 15th, 2010: Eleventh public release 1.2.1.
-  * Make CGI handler rewindable
-  * Rename spec/ to test/ to not conflict with SPEC on lesser
-    operating systems
-
-* March 13th, 2011: Twelfth public release 1.2.2/1.1.2.
-  * Security fix in Rack::Auth::Digest::MD5: when authenticator
-    returned nil, permission was granted on empty password.
-
-* May 22nd, 2011: Thirteenth public release 1.3.0
-  * Various performance optimizations
-  * Various multipart fixes
-  * Various multipart refactors
-  * Infinite loop fix for multipart
-  * Test coverage for Rack::Server returns
-  * Allow files with '..', but not path components that are '..'
-  * rackup accepts handler-specific options on the command line
-  * Request#params no longer merges POST into GET (but returns the same)
-  * Use URI.encode_www_form_component instead. Use core methods for escaping.
-  * Allow multi-line comments in the config file
-  * Bug L#94 reported by Nikolai Lugovoi, query parameter unescaping.
-  * Rack::Response now deletes Content-Length when appropriate
-  * Rack::Deflater now supports streaming
-  * Improved Rack::Handler loading and searching
-  * Support for the PATCH verb
-  * env['rack.session.options'] now contains session options
-  * Cookies respect renew
-  * Session middleware uses SecureRandom.hex
-
-* May 22nd, 2011: Fourteenth public release 1.2.3
-  * Pulled in relevant bug fixes from 1.3
-  * Fixed 1.8.6 support
-
-* July 13, 2011: Fifteenth public release 1.3.1
-  * Fix 1.9.1 support
-  * Fix JRuby support
-  * Properly handle $KCODE in Rack::Utils.escape
-  * Make method_missing/respond_to behavior consistent for Rack::Lock,
-    Rack::Auth::Digest::Request and Rack::Multipart::UploadedFile
-  * Reenable passing rack.session to session middleware
-  * Rack::CommonLogger handles streaming responses correctly
-  * Rack::MockResponse calls close on the body object
-  * Fix a DOS vector from MRI stdlib backport
-
-* July 16, 2011: Sixteenth public release 1.3.2
-  * Fix for Rails and rack-test, Rack::Utils#escape calls to_s
-
-* Not Yet Released: Seventeenth public release 1.3.3
-  * Fix bug with broken query parameters in Rack::ShowExceptions
-  * Rack::Request#cookies no longer swallows exceptions on broken input
-  * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
-  * Rack::ConditionalGet handles broken If-Modified-Since helpers
-
-* September 16, 2011: Eighteenth public release 1.2.4
-  * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
-
-* October 1, 2011: Nineteenth public release 1.3.4
-  * Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
-  * Small documentation update
-  * Fix an issue where BodyProxy could cause an infinite recursion
-  * Add some supporting files for travis-ci
-
-* October 17, 2011: Twentieth public release 1.3.5
-  * Fix annoying warnings caused by the backport in 1.3.4
-
-* December 28th, 2011: Twenty first public release: 1.1.3.
-  * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
-    Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
-
-* December 28th, 2011: Twenty fourth public release 1.4.0
-  * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
-  * Raise sane error messages for broken config.ru
-  * Allow combining run and map in a config.ru
-  * Rack::ContentType will not set Content-Type for responses without a body
-  * Status code 205 does not send a response body
-  * Rack::Response::Helpers will not rely on instance variables
-  * Rack::Utils.build_query no longer outputs '=' for nil query values
-  * Various mime types added
-  * Rack::MockRequest now supports HEAD
-  * Rack::Directory now supports files that contain RFC3986 reserved chars
-  * Rack::File now only supports GET and HEAD requests
-  * Rack::Server#start now passes the block to Rack::Handler::<h>#run
-  * Rack::Static now supports an index option
-  * Added the Teapot status code
-  * rackup now defaults to Thin instead of Mongrel (if installed)
-  * Support added for HTTP_X_FORWARDED_SCHEME
-  * Numerous bug fixes, including many fixes for new and alternate rubies
-
-* January 22nd, 2012: Twenty fifth public release 1.4.1
-  * Alter the keyspace limit calculations to reduce issues with nested params
-  * Add a workaround for multipart parsing where files contain unescaped "%"
-  * Added Rack::Response::Helpers#method_not_allowed? (code 405)
-  * Rack::File now returns 404 for illegal directory traversals
-  * Rack::File now returns 405 for illegal methods (non HEAD/GET)
-  * Rack::Cascade now catches 405 by default, as well as 404
-  * Cookies missing '--' no longer cause an exception to be raised
-  * Various style changes and documentation spelling errors
-  * Rack::BodyProxy always ensures to execute its block
-  * Additional test coverage around cookies and secrets
-  * Rack::Session::Cookie can now be supplied either secret or old_secret
-  * Tests are no longer dependent on set order
-  * Rack::Static no longer defaults to serving index files
-  * Rack.release was fixed
-
-* January 6th, 2013: Twenty sixth public release 1.1.4
-  * Add warnings when users do not provide a session secret
-
-* January 6th, 2013: Twenty seventh public release 1.2.6
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-
-* January 6th, 2013: Twenty eighth public release 1.3.7
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-  * Updated URI backports
-  * Fix URI backport version matching, and silence constant warnings
-  * Correct parameter parsing with empty values
-  * Correct rackup '-I' flag, to allow multiple uses
-  * Correct rackup pidfile handling
-  * Report rackup line numbers correctly
-  * Fix request loops caused by non-stale nonces with time limits
-  * Fix reloader on Windows
-  * Prevent infinite recursions from Response#to_ary
-  * Various middleware better conforms to the body close specification
-  * Updated language for the body close specification
-  * Additional notes regarding ECMA escape compatibility issues
-  * Fix the parsing of multiple ranges in range headers
-
-* January 6th, 2013: Twenty ninth public release 1.4.2
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-  * Updated URI backports
-  * Fix URI backport version matching, and silence constant warnings
-  * Correct parameter parsing with empty values
-  * Correct rackup '-I' flag, to allow multiple uses
-  * Correct rackup pidfile handling
-  * Report rackup line numbers correctly
-  * Fix request loops caused by non-stale nonces with time limits
-  * Fix reloader on Windows
-  * Prevent infinite recursions from Response#to_ary
-  * Various middleware better conforms to the body close specification
-  * Updated language for the body close specification
-  * Additional notes regarding ECMA escape compatibility issues
-  * Fix the parsing of multiple ranges in range headers
-  * Prevent errors from empty parameter keys
-  * Added PATCH verb to Rack::Request
-  * Various documentation updates
-  * Fix session merge semantics (fixes rack-test)
-  * Rack::Static :index can now handle multiple directories
-  * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
-  * Rack::File cache_control parameter is now deprecated, and removed by 1.5
-  * Correct Rack::Directory script name escaping
-  * Rack::Static supports header rules for sophisticated configurations
-  * Multipart parsing now works without a Content-Length header
-  * New logos courtesy of Zachary Scott!
-  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
-  * Cookies that are not URI escaped no longer cause exceptions
-
-* January 7th, 2013: Thirtieth public release 1.3.8
-  * Security: Prevent unbounded reads in large multipart boundaries
-
-* January 7th, 2013: Thirty first public release 1.4.3
-  * Security: Prevent unbounded reads in large multipart boundaries
-
-* January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
-  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
-  * Fixed erroneous test case in the 1.3.x series
-
-* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-
-* February 7th, Thirty fifth public release 1.4.5
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-  * Fix CVE-2013-0262, symlink path traversal in Rack::File
-
-* February 7th, Thirty fifth public release 1.5.2
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-  * Fix CVE-2013-0262, symlink path traversal in Rack::File
-  * Add various methods to Session for enhanced Rails compatibility
-  * Request#trusted_proxy? now only matches whole stirngs
-  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
-  * URLMap host matching in environments that don't set the Host header fixed
-  * Fix a race condition that could result in overwritten pidfiles
-  * Various documentation additions
-
 == Contact
 
 Please post bugs, suggestions and patches to
 the bug tracker at <http://github.com/rack/rack/issues>.
 
-Please post security related bugs and suggestions to the core team at
-<https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
-to wide usage of the library, it is strongly preferred that we manage timing in
-order to provide viable patches at the time of disclosure. Your assistance in
-this matter is greatly appreciated.
-
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.
 
@@ -526,8 +332,6 @@ The Rack Core Team, consisting of
 * Michael Fellinger (manveru)
 * Ryan Tomayko (rtomayko)
 * Scytrin dai Kinthra (scytrin)
-* Aaron Patterson (tenderlove)
-* Konstantin Haase (rkh)
 
 would like to thank:
 
@@ -557,7 +361,7 @@ would like to thank:
 * Marcus Rückert, for help with configuring and debugging lighttpd.
 * The WSGI team for the well-done and documented work they've done and
   Rack builds up on.
-* All bug reporters and patch contributors not mentioned above.
+* All bug reporters and patch contributers not mentioned above.
 
 == Copyright
 
@@ -582,11 +386,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.github.com/>
+Rack:: <http://rack.rubyforge.org/>
+Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
 Official Rack repositories:: <http://github.com/rack>
-Rack Bug Tracking:: <http://github.com/rack/rack/issues>
+Rack Lighthouse Bug Tracking:: <http://rack.lighthouseapp.com/>
 rack-devel mailing list:: <http://groups.google.com/group/rack-devel>
-Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
 
 Christian Neukirchen:: <http://chneukirchen.org/>
 

data/SPEC

@@ -11,9 +11,9 @@ The *status*,
 the *headers*,
 and the *body*.
 == The Environment
-The environment must be an true instance of Hash (no
-subclassing allowed) that includes CGI-like headers.
-The application is free to modify the environment.
+The environment must be an instance of Hash that includes
+CGI-like headers.  The application is free to modify the
+environment.
 The environment is required to include these variables
 (adopted from PEP333), except when they'd be empty, but see
 below.

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.1.6"
+    "1.2"
   end
 
   autoload :Builder, "rack/builder"
@@ -71,18 +71,6 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
-
-    # Not all of the following schemes are "standards", but they are used often.
-    @schemes = %w[basic digest bearer mac token oauth oauth2]
-
-    def self.add_scheme scheme
-      @schemes << scheme
-      @schemes.uniq!
-    end
-
-    def self.schemes
-      @schemes.dup
-    end
   end
 
   module Session
@@ -90,15 +78,4 @@ module Rack
     autoload :Pool, "rack/session/pool"
     autoload :Memcache, "rack/session/memcache"
   end
-
-  # *Adapters* connect Rack with third party web frameworks.
-  #
-  # Rack includes an adapter for Camping, see README for other
-  # frameworks supporting Rack in their code bases.
-  #
-  # Refer to the submodules for framework-specific calling details.
-
-  module Adapter
-    autoload :Camping, "rack/adapter/camping"
-  end
 end

data/lib/rack/auth/abstract/request.rb

@@ -15,11 +15,7 @@ module Rack
       end
 
       def scheme
-        @scheme ||=
-          begin
-            s = parts.first.downcase
-            Rack::Auth.schemes.include?(s) ? s.to_sym : s
-          end
+        @scheme ||= parts.first.downcase.to_sym
       end
 
       def params

data/lib/rack/auth/digest/md5.rb

@@ -91,8 +91,7 @@ module Rack
         end
 
         def valid_digest?(auth)
-          pw = @authenticator.call(auth.username)
-          pw && digest(auth, pw) == auth.response
+          digest(auth, @authenticator.call(auth.username)) == auth.response
         end
 
         def md5(data)

data/lib/rack/auth/digest/params.rb

@@ -35,7 +35,7 @@ module Rack
           super k.to_s, v.to_s
         end
 
-        UNQUOTED = ['qop', 'nc', 'stale']
+        UNQUOTED = ['nc', 'stale']
 
         def to_s
           inject([]) do |parts, (k, v)|

data/lib/rack/content_length.rb

@@ -13,7 +13,7 @@ module Rack
       status, headers, body = @app.call(env)
       headers = HeaderHash.new(headers)
 
-      if !STATUS_WITH_NO_ENTITY_BODY.include?(status) &&
+      if !STATUS_WITH_NO_ENTITY_BODY.include?(status.to_i) &&
          !headers['Content-Length'] &&
          !headers['Transfer-Encoding'] &&
          (body.respond_to?(:to_ary) || body.respond_to?(:to_str))

data/lib/rack/etag.rb

@@ -11,13 +11,22 @@ module Rack
       status, headers, body = @app.call(env)
 
       if !headers.has_key?('ETag')
-        parts = []
-        body.each { |part| parts << part.to_s }
-        headers['ETag'] = %("#{Digest::MD5.hexdigest(parts.join(""))}")
-        [status, headers, parts]
-      else
-        [status, headers, body]
+        digest, body = digest_body(body)
+        headers['ETag'] = %("#{digest}")
       end
+
+      [status, headers, body]
     end
+
+    private
+      def digest_body(body)
+        digest = Digest::MD5.new
+        parts = []
+        body.each do |part|
+          digest << part
+          parts << part
+        end
+        [digest.hexdigest, parts]
+      end
   end
 end

data/lib/rack/file.rb

@@ -3,8 +3,10 @@ require 'rack/utils'
 require 'rack/mime'
 
 module Rack
-  # Rack::File serves files below the +root+ given, according to the
+  # Rack::File serves files below the +root+ directory given, according to the
   # path info of the Rack request.
+  # e.g. when Rack::File.new("/etc") is used, you can access 'passwd' file
+  # as http://localhost:9292/passwd
   #
   # Handlers can detect if bodies are a Rack::File, and use mechanisms
   # like sendfile on the +path+.

data/lib/rack/handler/cgi.rb

@@ -4,6 +4,7 @@ module Rack
   module Handler
     class CGI
       def self.run(app, options=nil)
+        $stdin.binmode
         serve app
       end
 
@@ -15,7 +16,7 @@ module Rack
 
         env["SCRIPT_NAME"] = ""  if env["SCRIPT_NAME"] == "/"
 
-        env.update({"rack.version" => [1,1],
+        env.update({"rack.version" => Rack::VERSION,
                      "rack.input" => $stdin,
                      "rack.errors" => $stderr,
 
@@ -40,20 +41,20 @@ module Rack
       end
 
       def self.send_headers(status, headers)
-        STDOUT.print "Status: #{status}\r\n"
+        $stdout.print "Status: #{status}\r\n"
         headers.each { |k, vs|
           vs.split("\n").each { |v|
-            STDOUT.print "#{k}: #{v}\r\n"
+            $stdout.print "#{k}: #{v}\r\n"
           }
         }
-        STDOUT.print "\r\n"
-        STDOUT.flush
+        $stdout.print "\r\n"
+        $stdout.flush
       end
 
       def self.send_body(body)
         body.each { |part|
-          STDOUT.print part
-          STDOUT.flush
+          $stdout.print part
+          $stdout.flush
         }
       end
     end