rack 1.1.6 → 1.6.9

data/lib/rack/utils.rb

@@ -1,28 +1,59 @@
 # -*- encoding: binary -*-
-
+require 'fileutils'
 require 'set'
 require 'tempfile'
+require 'rack/multipart'
+require 'time'
+
+major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
+
+if major == 1 && minor < 9
+  require 'rack/backports/uri/common_18'
+elsif major == 1 && minor == 9 && patch == 2 && RUBY_PATCHLEVEL <= 328 && RUBY_ENGINE != 'jruby'
+  require 'rack/backports/uri/common_192'
+elsif major == 1 && minor == 9 && patch == 3 && RUBY_PATCHLEVEL < 125
+  require 'rack/backports/uri/common_193'
+else
+  require 'uri/common'
+end
 
 module Rack
   # Rack::Utils contains a grab-bag of useful methods for writing web
   # applications adopted from all kinds of Ruby libraries.
 
   module Utils
-    # Performs URI escaping so that you can construct proper
-    # query strings faster.  Use this rather than the cgi.rb
-    # version since it's faster.  (Stolen from Camping).
+    # ParameterTypeError is the error that is raised when incoming structural
+    # parameters (parsed by parse_nested_query) contain conflicting types.
+    class ParameterTypeError < TypeError; end
+
+    # InvalidParameterError is the error that is raised when incoming structural
+    # parameters (parsed by parse_nested_query) contain invalid format or byte
+    # sequence.
+    class InvalidParameterError < ArgumentError; end
+
+    # URI escapes. (CGI style space to +)
     def escape(s)
-      s.to_s.gsub(/([^ a-zA-Z0-9_.-]+)/n) {
-        '%'+$1.unpack('H2'*bytesize($1)).join('%').upcase
-      }.tr(' ', '+')
+      URI.encode_www_form_component(s)
     end
     module_function :escape
 
-    # Unescapes a URI escaped string. (Stolen from Camping).
-    def unescape(s)
-      s.tr('+', ' ').gsub(/((?:%[0-9a-fA-F]{2})+)/n){
-        [$1.delete('%')].pack('H*')
-      }
+    # Like URI escaping, but with %20 instead of +. Strictly speaking this is
+    # true URI escaping.
+    def escape_path(s)
+      escape(s).gsub('+', '%20')
+    end
+    module_function :escape_path
+
+    # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
+    # target encoding of the string returned, and it defaults to UTF-8
+    if defined?(::Encoding)
+      def unescape(s, encoding = Encoding::UTF_8)
+        URI.decode_www_form_component(s, encoding)
+      end
+    else
+      def unescape(s, encoding = nil)
+        URI.decode_www_form_component(s, encoding)
+      end
     end
     module_function :unescape
 
@@ -30,32 +61,37 @@ module Rack
 
     class << self
       attr_accessor :key_space_limit
+      attr_accessor :param_depth_limit
+      attr_accessor :multipart_part_limit
     end
 
     # The default number of bytes to allow parameter keys to take up.
     # This helps prevent a rogue client from flooding a Request.
     self.key_space_limit = 65536
 
+    # Default depth at which the parameter parser will raise an exception for
+    # being too deep.  This helps prevent SystemStackErrors
+    self.param_depth_limit = 100
+
+    # The maximum number of parts a request can contain. Accepting too many part
+    # can lead to the server running out of file handles.
+    # Set to `0` for no limit.
+    # FIXME: RACK_MULTIPART_LIMIT was introduced by mistake and it will be removed in 1.7.0
+    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_LIMIT'] || 128).to_i
+
     # Stolen from Mongrel, with some small modifications:
     # Parses a query string by breaking it up at the '&'
     # and ';' characters.  You can also use this to parse
     # cookies by changing the characters used in the second
     # parameter (which defaults to '&;').
-    def parse_query(qs, d = nil)
-      params = {}
+    def parse_query(qs, d = nil, &unescaper)
+      unescaper ||= method(:unescape)
 
-      max_key_space = Utils.key_space_limit
-      bytes = 0
+      params = KeySpaceConstrainedParams.new
 
       (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
-        k, v = p.split('=', 2).map { |x| unescape(x) }
-
-        if k
-          bytes += k.size
-          if bytes > max_key_space
-            raise RangeError, "exceeded available parameter key space"
-          end
-        end
+        next if p.empty?
+        k, v = p.split('=', 2).map(&unescaper)
 
         if cur = params[k]
           if cur.class == Array
@@ -68,34 +104,36 @@ module Rack
         end
       end
 
-      return params
+      return params.to_params_hash
     end
     module_function :parse_query
 
+    # parse_nested_query expands a query string into structural types. Supported
+    # types are Arrays, Hashes and basic value types. It is possible to supply
+    # query strings with parameters of conflicting types, in this case a
+    # ParameterTypeError is raised. Users are encouraged to return a 400 in this
+    # case.
     def parse_nested_query(qs, d = nil)
-      params = {}
-
-      max_key_space = Utils.key_space_limit
-      bytes = 0
+      params = KeySpaceConstrainedParams.new
 
       (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
-        k, v = unescape(p).split('=', 2)
-
-        if k
-          bytes += k.size
-          if bytes > max_key_space
-            raise RangeError, "exceeded available parameter key space"
-          end
-        end
+        k, v = p.split('=', 2).map { |s| unescape(s) }
 
         normalize_params(params, k, v)
       end
 
-      return params
+      return params.to_params_hash
+    rescue ArgumentError => e
+      raise InvalidParameterError, e.message
     end
     module_function :parse_nested_query
 
-    def normalize_params(params, name, v = nil)
+    # normalize_params recursively expands parameters into structural types. If
+    # the structural types represented by two different parameter names are in
+    # conflict, a ParameterTypeError is raised.
+    def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit)
+      raise RangeError if depth <= 0
+
       name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
       k = $1 || ''
       after = $' || ''
@@ -104,35 +142,42 @@ module Rack
 
       if after == ""
         params[k] = v
+      elsif after == "["
+        params[name] = v
       elsif after == "[]"
         params[k] ||= []
-        raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+        raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
         params[k] << v
       elsif after =~ %r(^\[\]\[([^\[\]]+)\]$) || after =~ %r(^\[\](.+)$)
         child_key = $1
         params[k] ||= []
-        raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
-        if params[k].last.is_a?(Hash) && !params[k].last.key?(child_key)
-          normalize_params(params[k].last, child_key, v)
+        raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+        if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
+          normalize_params(params[k].last, child_key, v, depth - 1)
         else
-          params[k] << normalize_params({}, child_key, v)
+          params[k] << normalize_params(params.class.new, child_key, v, depth - 1)
         end
       else
-        params[k] ||= {}
-        raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Hash)
-        params[k] = normalize_params(params[k], after, v)
+        params[k] ||= params.class.new
+        raise ParameterTypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
+        params[k] = normalize_params(params[k], after, v, depth - 1)
       end
 
       return params
     end
     module_function :normalize_params
 
+    def params_hash_type?(obj)
+      obj.kind_of?(KeySpaceConstrainedParams) || obj.kind_of?(Hash)
+    end
+    module_function :params_hash_type?
+
     def build_query(params)
       params.map { |k, v|
         if v.class == Array
           build_query(v.map { |x| [k, x] })
         else
-          "#{escape(k)}=#{escape(v)}"
+          v.nil? ? escape(k) : "#{escape(k)}=#{escape(v)}"
         end
       }.join("&")
     end
@@ -147,23 +192,61 @@ module Rack
       when Hash
         value.map { |k, v|
           build_nested_query(v, prefix ? "#{prefix}[#{escape(k)}]" : escape(k))
-        }.join("&")
-      when String
+        }.reject(&:empty?).join('&')
+      when nil
+        prefix
+      else
         raise ArgumentError, "value must be a Hash" if prefix.nil?
         "#{prefix}=#{escape(value)}"
-      else
-        prefix
       end
     end
     module_function :build_nested_query
 
+    def q_values(q_value_header)
+      q_value_header.to_s.split(/\s*,\s*/).map do |part|
+        value, parameters = part.split(/\s*;\s*/, 2)
+        quality = 1.0
+        if md = /\Aq=([\d.]+)/.match(parameters)
+          quality = md[1].to_f
+        end
+        [value, quality]
+      end
+    end
+    module_function :q_values
+
+    def best_q_match(q_value_header, available_mimes)
+      values = q_values(q_value_header)
+
+      matches = values.map do |req_mime, quality|
+        match = available_mimes.find { |am| Rack::Mime.match?(am, req_mime) }
+        next unless match
+        [match, quality]
+      end.compact.sort_by do |match, quality|
+        (match.split('/', 2).count('*') * -10) + quality
+      end.last
+      matches && matches.first
+    end
+    module_function :best_q_match
+
+    ESCAPE_HTML = {
+      "&" => "&amp;",
+      "<" => "&lt;",
+      ">" => "&gt;",
+      "'" => "&#x27;",
+      '"' => "&quot;",
+      "/" => "&#x2F;"
+    }
+    if //.respond_to?(:encoding)
+      ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
+    else
+      # On 1.8, there is a kcode = 'u' bug that allows for XSS otherwise
+      # TODO doesn't apply to jruby, so a better condition above might be preferable?
+      ESCAPE_HTML_PATTERN = /#{Regexp.union(*ESCAPE_HTML.keys)}/n
+    end
+
     # Escape ampersands, brackets and quotes to their HTML/XML entities.
     def escape_html(string)
-      string.to_s.gsub("&", "&amp;").
-        gsub("<", "&lt;").
-        gsub(">", "&gt;").
-        gsub("'", "&#39;").
-        gsub('"', "&quot;")
+      string.to_s.gsub(ESCAPE_HTML_PATTERN){|c| ESCAPE_HTML[c] }
     end
     module_function :escape_html
 
@@ -187,10 +270,8 @@ module Rack
         encoding_candidates.push("identity")
       end
 
-      expanded_accept_encoding.find_all { |m, q|
-        q == 0.0
-      }.each { |m, _|
-        encoding_candidates.delete(m)
+      expanded_accept_encoding.each { |m, q|
+        encoding_candidates.delete(m) if q == 0.0
       }
 
       return (encoding_candidates & available_encodings)[0]
@@ -200,20 +281,53 @@ module Rack
     def set_cookie_header!(header, key, value)
       case value
       when Hash
-        domain  = "; domain="  + value[:domain] if value[:domain]
-        path    = "; path="    + value[:path]   if value[:path]
-        # According to RFC 2109, we need dashes here.
-        # N.B.: cgi.rb uses spaces...
+        domain  = "; domain="  + value[:domain]       if value[:domain]
+        path    = "; path="    + value[:path]         if value[:path]
+        max_age = "; max-age=" + value[:max_age].to_s if value[:max_age]
+        # There is an RFC mess in the area of date formatting for Cookies. Not
+        # only are there contradicting RFCs and examples within RFC text, but
+        # there are also numerous conflicting names of fields and partially
+        # cross-applicable specifications.
+        #
+        # These are best described in RFC 2616 3.3.1. This RFC text also
+        # specifies that RFC 822 as updated by RFC 1123 is preferred. That is a
+        # fixed length format with space-date delimeted fields.
+        #
+        # See also RFC 1123 section 5.2.14.
+        #
+        # RFC 6265 also specifies "sane-cookie-date" as RFC 1123 date, defined
+        # in RFC 2616 3.3.1. RFC 6265 also gives examples that clearly denote
+        # the space delimited format. These formats are compliant with RFC 2822.
+        #
+        # For reference, all involved RFCs are:
+        # RFC 822
+        # RFC 1123
+        # RFC 2109
+        # RFC 2616
+        # RFC 2822
+        # RFC 2965
+        # RFC 6265
         expires = "; expires=" +
           rfc2822(value[:expires].clone.gmtime) if value[:expires]
         secure = "; secure"  if value[:secure]
-        httponly = "; HttpOnly" if value[:httponly]
+        httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
+        same_site =
+          case value[:same_site]
+          when false, nil
+            nil
+          when :lax, 'Lax', :Lax
+            '; SameSite=Lax'.freeze
+          when true, :strict, 'Strict', :Strict
+            '; SameSite=Strict'.freeze
+          else
+            raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}"
+          end
         value = value[:value]
       end
       value = [value] unless Array === value
       cookie = escape(key) + "=" +
         value.map { |v| escape v }.join("&") +
-        "#{domain}#{path}#{expires}#{secure}#{httponly}"
+        "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
 
       case header["Set-Cookie"]
       when nil, ''
@@ -241,6 +355,8 @@ module Rack
       cookies.reject! { |cookie|
         if value[:domain]
           cookie =~ /\A#{escape(key)}=.*domain=#{value[:domain]}/
+        elsif value[:path]
+          cookie =~ /\A#{escape(key)}=.*path=#{value[:path]}/
         else
           cookie =~ /\A#{escape(key)}=/
         end
@@ -250,42 +366,86 @@ module Rack
 
       set_cookie_header!(header, key,
                  {:value => '', :path => nil, :domain => nil,
+                   :max_age => '0',
                    :expires => Time.at(0) }.merge(value))
 
       nil
     end
     module_function :delete_cookie_header!
 
+    # Return the bytesize of String; uses String#size under Ruby 1.8 and
+    # String#bytesize under 1.9.
+    if ''.respond_to?(:bytesize)
+      def bytesize(string)
+        string.bytesize
+      end
+    else
+      def bytesize(string)
+        string.size
+      end
+    end
+    module_function :bytesize
+
+    def rfc2822(time)
+      time.rfc2822
+    end
+    module_function :rfc2822
+
     # Modified version of stdlib time.rb Time#rfc2822 to use '%d-%b-%Y' instead
     # of '% %b %Y'.
     # It assumes that the time is in GMT to comply to the RFC 2109.
     #
-    # NOTE: I'm not sure the RFC says it requires GMT, but is ambigous enough
+    # NOTE: I'm not sure the RFC says it requires GMT, but is ambiguous enough
     # that I'm certain someone implemented only that option.
     # Do not use %a and %b from Time.strptime, it would use localized names for
     # weekday and month.
     #
-    def rfc2822(time)
+    def rfc2109(time)
       wday = Time::RFC2822_DAY_NAME[time.wday]
       mon = Time::RFC2822_MONTH_NAME[time.mon - 1]
       time.strftime("#{wday}, %d-#{mon}-%Y %H:%M:%S GMT")
     end
-    module_function :rfc2822
-
-    # Return the bytesize of String; uses String#length under Ruby 1.8 and
-    # String#bytesize under 1.9.
-    if ''.respond_to?(:bytesize)
-      def bytesize(string)
-        string.bytesize
-      end
-    else
-      def bytesize(string)
-        string.size
+    module_function :rfc2109
+
+    # Parses the "Range:" header, if present, into an array of Range objects.
+    # Returns nil if the header is missing or syntactically invalid.
+    # Returns an empty array if none of the ranges are satisfiable.
+    def byte_ranges(env, size)
+      # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
+      http_range = env['HTTP_RANGE']
+      return nil unless http_range && http_range =~ /bytes=([^;]+)/
+      ranges = []
+      $1.split(/,\s*/).each do |range_spec|
+        return nil  unless range_spec =~ /(\d*)-(\d*)/
+        r0,r1 = $1, $2
+        if r0.empty?
+          return nil  if r1.empty?
+          # suffix-byte-range-spec, represents trailing suffix of file
+          r0 = size - r1.to_i
+          r0 = 0  if r0 < 0
+          r1 = size - 1
+        else
+          r0 = r0.to_i
+          if r1.empty?
+            r1 = size - 1
+          else
+            r1 = r1.to_i
+            return nil  if r1 < r0  # backwards range is syntactically invalid
+            r1 = size-1  if r1 >= size
+          end
+        end
+        ranges << (r0..r1)  if r0 <= r1
       end
+      ranges
     end
-    module_function :bytesize
+    module_function :byte_ranges
 
     # Constant time string comparison.
+    #
+    # NOTE: the values compared should be of fixed length, such as strings
+    # that have already been processed by HMAC. This should not be used
+    # on variable length plaintext strings because it could leak length info
+    # via timing attacks.
     def secure_compare(a, b)
       return false unless bytesize(a) == bytesize(b)
 
@@ -343,23 +503,19 @@ module Rack
       end
 
       def to_hash
-        inject({}) do |hash, (k,v)|
-          if v.respond_to? :to_ary
-            hash[k] = v.to_ary.join("\n")
-          else
-            hash[k] = v
-          end
-          hash
-        end
+        hash = {}
+        each { |k,v| hash[k] = v }
+        hash
       end
 
       def [](k)
-        super(@names[k] ||= @names[k.downcase])
+        super(k) || super(@names[k.downcase])
       end
 
       def []=(k, v)
-        delete k
-        @names[k] = @names[k.downcase] = k
+        canonical = k.downcase
+        delete k if @names[canonical] && @names[canonical] != k # .delete is expensive, don't invoke it unless necessary
+        @names[k] = @names[canonical] = k
         super k, v
       end
 
@@ -395,72 +551,116 @@ module Rack
       end
     end
 
+    class KeySpaceConstrainedParams
+      def initialize(limit = Utils.key_space_limit)
+        @limit  = limit
+        @size   = 0
+        @params = {}
+      end
+
+      def [](key)
+        @params[key]
+      end
+
+      def []=(key, value)
+        @size += key.size if key && !@params.key?(key)
+        raise RangeError, 'exceeded available parameter key space' if @size > @limit
+        @params[key] = value
+      end
+
+      def key?(key)
+        @params.key?(key)
+      end
+
+      def to_params_hash
+        hash = @params
+        hash.keys.each do |key|
+          value = hash[key]
+          if value.kind_of?(self.class)
+            if value.object_id == self.object_id
+              hash[key] = hash
+            else
+              hash[key] = value.to_params_hash
+            end
+          elsif value.kind_of?(Array)
+            value.map! {|x| x.kind_of?(self.class) ? x.to_params_hash : x}
+          end
+        end
+        hash
+      end
+    end
+
     # Every standard HTTP code mapped to the appropriate message.
     # Generated with:
-    #   curl -s http://www.iana.org/assignments/http-status-codes | \
-    #     ruby -ane 'm = /^(\d{3}) +(\S[^\[(]+)/.match($_) and
-    #                puts "      #{m[1]}  => \x27#{m[2].strip}x27,"'
+    # curl -s https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv | \
+    #   ruby -ne 'm = /^(\d{3}),(?!Unassigned|\(Unused\))([^,]+)/.match($_) and \
+    #             puts "#{m[1]} => \x27#{m[2].strip}\x27,"'
     HTTP_STATUS_CODES = {
-      100  => 'Continue',
-      101  => 'Switching Protocols',
-      102  => 'Processing',
-      200  => 'OK',
-      201  => 'Created',
-      202  => 'Accepted',
-      203  => 'Non-Authoritative Information',
-      204  => 'No Content',
-      205  => 'Reset Content',
-      206  => 'Partial Content',
-      207  => 'Multi-Status',
-      226  => 'IM Used',
-      300  => 'Multiple Choices',
-      301  => 'Moved Permanently',
-      302  => 'Found',
-      303  => 'See Other',
-      304  => 'Not Modified',
-      305  => 'Use Proxy',
-      306  => 'Reserved',
-      307  => 'Temporary Redirect',
-      400  => 'Bad Request',
-      401  => 'Unauthorized',
-      402  => 'Payment Required',
-      403  => 'Forbidden',
-      404  => 'Not Found',
-      405  => 'Method Not Allowed',
-      406  => 'Not Acceptable',
-      407  => 'Proxy Authentication Required',
-      408  => 'Request Timeout',
-      409  => 'Conflict',
-      410  => 'Gone',
-      411  => 'Length Required',
-      412  => 'Precondition Failed',
-      413  => 'Request Entity Too Large',
-      414  => 'Request-URI Too Long',
-      415  => 'Unsupported Media Type',
-      416  => 'Requested Range Not Satisfiable',
-      417  => 'Expectation Failed',
-      422  => 'Unprocessable Entity',
-      423  => 'Locked',
-      424  => 'Failed Dependency',
-      426  => 'Upgrade Required',
-      500  => 'Internal Server Error',
-      501  => 'Not Implemented',
-      502  => 'Bad Gateway',
-      503  => 'Service Unavailable',
-      504  => 'Gateway Timeout',
-      505  => 'HTTP Version Not Supported',
-      506  => 'Variant Also Negotiates',
-      507  => 'Insufficient Storage',
-      510  => 'Not Extended',
+      100 => 'Continue',
+      101 => 'Switching Protocols',
+      102 => 'Processing',
+      200 => 'OK',
+      201 => 'Created',
+      202 => 'Accepted',
+      203 => 'Non-Authoritative Information',
+      204 => 'No Content',
+      205 => 'Reset Content',
+      206 => 'Partial Content',
+      207 => 'Multi-Status',
+      208 => 'Already Reported',
+      226 => 'IM Used',
+      300 => 'Multiple Choices',
+      301 => 'Moved Permanently',
+      302 => 'Found',
+      303 => 'See Other',
+      304 => 'Not Modified',
+      305 => 'Use Proxy',
+      307 => 'Temporary Redirect',
+      308 => 'Permanent Redirect',
+      400 => 'Bad Request',
+      401 => 'Unauthorized',
+      402 => 'Payment Required',
+      403 => 'Forbidden',
+      404 => 'Not Found',
+      405 => 'Method Not Allowed',
+      406 => 'Not Acceptable',
+      407 => 'Proxy Authentication Required',
+      408 => 'Request Timeout',
+      409 => 'Conflict',
+      410 => 'Gone',
+      411 => 'Length Required',
+      412 => 'Precondition Failed',
+      413 => 'Payload Too Large',
+      414 => 'URI Too Long',
+      415 => 'Unsupported Media Type',
+      416 => 'Range Not Satisfiable',
+      417 => 'Expectation Failed',
+      422 => 'Unprocessable Entity',
+      423 => 'Locked',
+      424 => 'Failed Dependency',
+      426 => 'Upgrade Required',
+      428 => 'Precondition Required',
+      429 => 'Too Many Requests',
+      431 => 'Request Header Fields Too Large',
+      500 => 'Internal Server Error',
+      501 => 'Not Implemented',
+      502 => 'Bad Gateway',
+      503 => 'Service Unavailable',
+      504 => 'Gateway Timeout',
+      505 => 'HTTP Version Not Supported',
+      506 => 'Variant Also Negotiates',
+      507 => 'Insufficient Storage',
+      508 => 'Loop Detected',
+      510 => 'Not Extended',
+      511 => 'Network Authentication Required'
     }
 
     # Responses with HTTP status codes that should not have an entity body
-    STATUS_WITH_NO_ENTITY_BODY = Set.new((100..199).to_a << 204 << 304)
+    STATUS_WITH_NO_ENTITY_BODY = Set.new((100..199).to_a << 204 << 205 << 304)
 
-    SYMBOL_TO_STATUS_CODE = HTTP_STATUS_CODES.inject({}) { |hash, (code, message)|
-      hash[message.downcase.gsub(/\s|-/, '_').to_sym] = code
-      hash
-    }
+    SYMBOL_TO_STATUS_CODE = Hash[*HTTP_STATUS_CODES.map { |code, message|
+      [message.downcase.gsub(/\s|-|'/, '_').to_sym, code]
+    }.flatten]
 
     def status_code(status)
       if status.is_a?(Symbol)
@@ -471,223 +671,25 @@ module Rack
     end
     module_function :status_code
 
-    # A multipart form data parser, adapted from IOWA.
-    #
-    # Usually, Rack::Request#POST takes care of calling this.
-
-    module Multipart
-      class UploadedFile
-        # The filename, *not* including the path, of the "uploaded" file
-        attr_reader :original_filename
-
-        # The content type of the "uploaded" file
-        attr_accessor :content_type
-
-        def initialize(path, content_type = "text/plain", binary = false)
-          raise "#{path} file does not exist" unless ::File.exist?(path)
-          @content_type = content_type
-          @original_filename = ::File.basename(path)
-          @tempfile = Tempfile.new(@original_filename)
-          @tempfile.set_encoding(Encoding::BINARY) if @tempfile.respond_to?(:set_encoding)
-          @tempfile.binmode if binary
-          FileUtils.copy_file(path, @tempfile.path)
-        end
-
-        def path
-          @tempfile.path
-        end
-        alias_method :local_path, :path
-
-        def method_missing(method_name, *args, &block) #:nodoc:
-          @tempfile.__send__(method_name, *args, &block)
-        end
-      end
-
-      EOL = "\r\n"
-      MULTIPART_BOUNDARY = "AaB03x"
-
-      def self.parse_multipart(env)
-        unless env['CONTENT_TYPE'] =~
-            %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
-          nil
-        else
-          boundary = "--#{$1}"
-
-          params = {}
-          buf = ""
-          content_length = env['CONTENT_LENGTH'].to_i
-          input = env['rack.input']
-          input.rewind
-
-          boundary_size = Utils.bytesize(boundary) + EOL.size
-          bufsize = 16384
+    Multipart = Rack::Multipart
 
-          content_length -= boundary_size
+    PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
 
-          read_buffer = ''
+    def clean_path_info(path_info)
+      parts = path_info.split PATH_SEPS
 
-          status = input.read(boundary_size, read_buffer)
-          raise EOFError, "bad content body"  unless status == boundary + EOL
+      clean = []
 
-          rx = /(?:#{EOL})?#{Regexp.quote boundary}(#{EOL}|--)/n
-
-          max_key_space = Utils.key_space_limit
-          bytes = 0
-
-          loop {
-            head = nil
-            body = ''
-            filename = content_type = name = nil
-
-            until head && buf =~ rx
-              if !head && i = buf.index(EOL+EOL)
-                head = buf.slice!(0, i+2) # First \r\n
-                buf.slice!(0, 2)          # Second \r\n
-
-                filename = head[/Content-Disposition:.* filename=(?:"((?:\\.|[^\"])*)"|([^;\s]*))/ni, 1]
-                content_type = head[/Content-Type: (.*)#{EOL}/ni, 1]
-                name = head[/Content-Disposition:.*\s+name="?([^\";]*)"?/ni, 1] || head[/Content-ID:\s*([^#{EOL}]*)/ni, 1]
-
-                if name
-                  bytes += name.size
-                  if bytes > max_key_space
-                    raise RangeError, "exceeded available parameter key space"
-                  end
-                end
-
-                if content_type || filename
-                  body = Tempfile.new("RackMultipart")
-                  body.binmode  if body.respond_to?(:binmode)
-                end
-
-                next
-              end
-
-              # Save the read body part.
-              if head && (boundary_size+4 < buf.size)
-                body << buf.slice!(0, buf.size - (boundary_size+4))
-              end
-
-              c = input.read(bufsize < content_length ? bufsize : content_length, read_buffer)
-              raise EOFError, "bad content body"  if c.nil? || c.empty?
-              buf << c
-              content_length -= c.size
-            end
-
-            # Save the rest.
-            if i = buf.index(rx)
-              body << buf.slice!(0, i)
-              buf.slice!(0, boundary_size+2)
-
-              content_length = -1  if $1 == "--"
-            end
-
-            if filename == ""
-              # filename is blank which means no file has been selected
-              data = nil
-            elsif filename
-              body.rewind
-
-              # Take the basename of the upload's original filename.
-              # This handles the full Windows paths given by Internet Explorer
-              # (and perhaps other broken user agents) without affecting
-              # those which give the lone filename.
-              filename =~ /^(?:.*[:\\\/])?(.*)/m
-              filename = $1
-
-              data = {:filename => filename, :type => content_type,
-                      :name => name, :tempfile => body, :head => head}
-            elsif !filename && content_type
-              body.rewind
-
-              # Generic multipart cases, not coming from a form
-              data = {:type => content_type,
-                      :name => name, :tempfile => body, :head => head}
-            else
-              data = body
-            end
-
-            Utils.normalize_params(params, name, data) unless data.nil?
-
-            # break if we're at the end of a buffer, but not if it is the end of a field
-            break if (buf.empty? && $1 != EOL) || content_length == -1
-          }
-
-          input.rewind
-
-          params
-        end
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
       end
 
-      def self.build_multipart(params, first = true)
-        if first
-          unless params.is_a?(Hash)
-            raise ArgumentError, "value must be a Hash"
-          end
+      clean.unshift '/' if parts.empty? || parts.first.empty?
 
-          multipart = false
-          query = lambda { |value|
-            case value
-            when Array
-              value.each(&query)
-            when Hash
-              value.values.each(&query)
-            when UploadedFile
-              multipart = true
-            end
-          }
-          params.values.each(&query)
-          return nil unless multipart
-        end
-
-        flattened_params = Hash.new
-
-        params.each do |key, value|
-          k = first ? key.to_s : "[#{key}]"
-
-          case value
-          when Array
-            value.map { |v|
-              build_multipart(v, false).each { |subkey, subvalue|
-                flattened_params["#{k}[]#{subkey}"] = subvalue
-              }
-            }
-          when Hash
-            build_multipart(value, false).each { |subkey, subvalue|
-              flattened_params[k + subkey] = subvalue
-            }
-          else
-            flattened_params[k] = value
-          end
-        end
-
-        if first
-          flattened_params.map { |name, file|
-            if file.respond_to?(:original_filename)
-              ::File.open(file.path, "rb") do |f|
-                f.set_encoding(Encoding::BINARY) if f.respond_to?(:set_encoding)
-<<-EOF
---#{MULTIPART_BOUNDARY}\r
-Content-Disposition: form-data; name="#{name}"; filename="#{Utils.escape(file.original_filename)}"\r
-Content-Type: #{file.content_type}\r
-Content-Length: #{::File.stat(file.path).size}\r
-\r
-#{f.read}\r
-EOF
-              end
-            else
-<<-EOF
---#{MULTIPART_BOUNDARY}\r
-Content-Disposition: form-data; name="#{name}"\r
-\r
-#{file}\r
-EOF
-            end
-          }.join + "--#{MULTIPART_BOUNDARY}--\r"
-        else
-          flattened_params
-        end
-      end
+      ::File.join(*clean)
     end
+    module_function :clean_path_info
+
   end
 end