rack 1.2.8 → 1.3.0.beta

data/lib/rack/session/cookie.rb

@@ -1,14 +1,18 @@
 require 'openssl'
 require 'rack/request'
 require 'rack/response'
+require 'rack/session/abstract/id'
 
 module Rack
 
   module Session
 
     # Rack::Session::Cookie provides simple cookie based session management.
-    # The session is a Ruby Hash stored as base64 encoded marshalled data
-    # set to :key (default: rack.session).
+    # By default, the session is a Ruby Hash stored as base64 encoded marshalled
+    # data set to :key (default: rack.session).  The object that encodes the
+    # session data is configurable and must respond to +encode+ and +decode+.
+    # Both methods must take a string and return a string.
+    #
     # When the secret key is set, cookie data is checked for data integrity.
     #
     # Example:
@@ -20,74 +24,123 @@ module Rack
     #                                :secret => 'change_me'
     #
     #     All parameters are optional.
+    #
+    # Example of a cookie with no encoding:
+    #
+    #   Rack::Session::Cookie.new(application, {
+    #     :coder => Racke::Session::Cookie::Identity.new
+    #   })
+    #
+    # Example of a cookie with custom encoding:
+    #
+    #   Rack::Session::Cookie.new(application, {
+    #     :coder => Class.new {
+    #       def encode(str); str.reverse; end
+    #       def decode(str); str.reverse; end
+    #     }.new
+    #   })
+    #
+
+    class Cookie < Abstract::ID
+      # Encode session cookies as Base64
+      class Base64
+        def encode(str)
+          [str].pack('m')
+        end
+
+        def decode(str)
+          str.unpack('m').first
+        end
 
-    class Cookie
+        # Encode session cookies as Marshaled Base64 data
+        class Marshal < Base64
+          def encode(str)
+            super(::Marshal.dump(str))
+          end
 
-      def initialize(app, options={})
-        @app = app
-        @key = options[:key] || "rack.session"
-        @secret = options[:secret]
-        warn <<-MSG unless @secret
-        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
-        This poses a security threat. It is strongly recommended that you
-        provide a secret to prevent exploits that may be possible from crafted
-        cookies. This will not be supported in future versions of Rack, and
-        future versions will even invalidate your existing user cookies.
-
-        Called from: #{caller[0]}.
-        MSG
-        @default_options = {:domain => nil,
-          :path => "/",
-          :expire_after => nil}.merge(options)
+          def decode(str)
+            ::Marshal.load(super(str)) rescue nil
+          end
+        end
+      end
+
+      # Use no encoding for session cookies
+      class Identity
+        def encode(str); str; end
+        def decode(str); str; end
       end
 
-      def call(env)
-        load_session(env)
-        status, headers, body = @app.call(env)
-        commit_session(env, status, headers, body)
+      # Reverse string encoding. (trollface)
+      class Reverse
+        def encode(str); str.reverse; end
+        def decode(str); str.reverse; end
+      end
+
+      attr_reader :coder
+
+      def initialize(app, options={})
+        @secret = options.delete(:secret)
+        @coder  = options.delete(:coder) || Base64::Marshal.new
+        super(app, options.merge!(:cookie_only => true))
       end
 
       private
 
       def load_session(env)
-        request = Rack::Request.new(env)
-        session_data = request.cookies[@key]
+        data = unpacked_cookie_data(env)
+        data = persistent_session_id!(data)
+        [data["session_id"], data]
+      end
 
-        if @secret && session_data
-          session_data, digest = session_data.split("--")
-          session_data = nil  unless Utils.secure_compare(digest, generate_hmac(session_data))
-        end
+      def extract_session_id(env)
+        unpacked_cookie_data(env)["session_id"]
+      end
 
-        begin
-          session_data = session_data.unpack("m*").first
-          session_data = Marshal.load(session_data)
-          env["rack.session"] = session_data
-        rescue
-          env["rack.session"] = Hash.new
+      def unpacked_cookie_data(env)
+        env["rack.session.unpacked_cookie_data"] ||= begin
+          request = Rack::Request.new(env)
+          session_data = request.cookies[@key]
+
+          if @secret && session_data
+            session_data, digest = session_data.split("--")
+            session_data = nil  unless digest == generate_hmac(session_data)
+          end
+
+          coder.decode(session_data) || {}
         end
+      end
 
-        env["rack.session.options"] = @default_options.dup
+      def persistent_session_id!(data, sid=nil)
+        data ||= {}
+        data["session_id"] ||= sid || generate_sid
+        data
       end
 
-      def commit_session(env, status, headers, body)
-        session_data = Marshal.dump(env["rack.session"])
-        session_data = [session_data].pack("m*")
+      # Overwrite set cookie to bypass content equality and always stream the cookie.
+
+      def set_cookie(env, headers, cookie)
+        Utils.set_cookie_header!(headers, @key, cookie)
+      end
+
+      def set_session(env, session_id, session, options)
+        session = persistent_session_id!(session, session_id)
+        session_data = coder.encode(session)
 
         if @secret
           session_data = "#{session_data}--#{generate_hmac(session_data)}"
         end
 
         if session_data.size > (4096 - @key.size)
-          env["rack.errors"].puts("Warning! Rack::Session::Cookie data size exceeds 4K. Content dropped.")
+          env["rack.errors"].puts("Warning! Rack::Session::Cookie data size exceeds 4K.")
+          nil
         else
-          options = env["rack.session.options"]
-          cookie = Hash.new
-          cookie[:value] = session_data
-          cookie[:expires] = Time.now + options[:expire_after] unless options[:expire_after].nil?
-          Utils.set_cookie_header!(headers, @key, cookie.merge(options))
+          session_data
         end
+      end
 
-        [status, headers, body]
+      def destroy_session(env, session_id, options)
+        # Nothing to do here, data is in the client
+        generate_sid unless options[:drop]
       end
 
       def generate_hmac(data)

data/lib/rack/session/memcache.rb

@@ -21,6 +21,7 @@ module Rack
 
     class Memcache < Abstract::ID
       attr_reader :mutex, :pool
+
       DEFAULT_OPTIONS = Abstract::ID::DEFAULT_OPTIONS.merge \
         :namespace => 'rack:session',
         :memcache_server => 'localhost:11211'
@@ -30,9 +31,9 @@ module Rack
 
         @mutex = Mutex.new
         mserv = @default_options[:memcache_server]
-        mopts = @default_options.
-          reject{|k,v| !MemCache::DEFAULT_OPTIONS.include? k }
-        @pool = MemCache.new mserv, mopts
+        mopts = @default_options.reject{|k,v| !MemCache::DEFAULT_OPTIONS.include? k }
+
+        @pool = options[:cache] || MemCache.new(mserv, mopts)
         unless @pool.active? and @pool.servers.any?{|c| c.alive? }
           raise 'No memcache servers'
         end
@@ -45,75 +46,48 @@ module Rack
         end
       end
 
-      def get_session(env, session_id)
-        @mutex.lock if env['rack.multithread']
-        unless session_id and session = @pool.get(session_id)
-          session_id, session = generate_sid, {}
-          unless /^STORED/ =~ @pool.add(session_id, session)
-            raise "Session collision on '#{session_id.inspect}'"
+      def get_session(env, sid)
+        with_lock(env, [nil, {}]) do
+          unless sid and session = @pool.get(sid)
+            sid, session = generate_sid, {}
+            unless /^STORED/ =~ @pool.add(sid, session)
+              raise "Session collision on '#{sid.inspect}'"
+            end
           end
+          [sid, session]
         end
-        session.instance_variable_set '@old', @pool.get(session_id, true)
-        return [session_id, session]
-      rescue MemCache::MemCacheError, Errno::ECONNREFUSED
-        # MemCache server cannot be contacted
-        warn "#{self} is unable to find memcached server."
-        warn $!.inspect
-        return [ nil, {} ]
-      ensure
-        @mutex.unlock if @mutex.locked?
       end
 
       def set_session(env, session_id, new_session, options)
         expiry = options[:expire_after]
         expiry = expiry.nil? ? 0 : expiry + 1
 
-        @mutex.lock if env['rack.multithread']
-        if options[:renew] or options[:drop]
-          @pool.delete session_id
-          return false if options[:drop]
-          session_id = generate_sid
-          @pool.add session_id, {} # so we don't worry about cache miss on #set
+        with_lock(env, false) do
+          @pool.set session_id, new_session, expiry
+          session_id
         end
+      end
 
-        session = @pool.get(session_id) || {}
-        old_session = new_session.instance_variable_get '@old'
-        old_session = old_session ? Marshal.load(old_session) : {}
-
-        unless Hash === old_session and Hash === new_session
-          env['rack.errors'].
-            puts 'Bad old_session or new_session sessions provided.'
-        else # merge sessions
-          # alterations are either update or delete, making as few changes as
-          # possible to prevent possible issues.
-
-          # removed keys
-          delete = old_session.keys - new_session.keys
-          if $VERBOSE and not delete.empty?
-            env['rack.errors'].
-              puts "//@#{session_id}: delete #{delete*','}"
-          end
-          delete.each{|k| session.delete k }
-
-          # added or altered keys
-          update = new_session.keys.
-            select{|k| new_session[k] != old_session[k] }
-          if $VERBOSE and not update.empty?
-            env['rack.errors'].puts "//@#{session_id}: update #{update*','}"
-          end
-          update.each{|k| session[k] = new_session[k] }
+      def destroy_session(env, session_id, options)
+        with_lock(env) do
+          @pool.delete(session_id)
+          generate_sid unless options[:drop]
         end
+      end
 
-        @pool.set session_id, session, expiry
-        return session_id
+      def with_lock(env, default=nil)
+        @mutex.lock if env['rack.multithread']
+        yield
       rescue MemCache::MemCacheError, Errno::ECONNREFUSED
-        # MemCache server cannot be contacted
-        warn "#{self} is unable to find memcached server."
-        warn $!.inspect
-        return false
+        if $VERBOSE
+          warn "#{self} is unable to find memcached server."
+          warn $!.inspect
+        end
+        default
       ensure
         @mutex.unlock if @mutex.locked?
       end
+
     end
   end
 end

data/lib/rack/session/pool.rb

@@ -42,59 +42,38 @@ module Rack
       end
 
       def get_session(env, sid)
-        session = @pool[sid] if sid
-        @mutex.lock if env['rack.multithread']
-        unless sid and session
-          env['rack.errors'].puts("Session '#{sid.inspect}' not found, initializing...") if $VERBOSE and not sid.nil?
-          session = {}
-          sid = generate_sid
-          @pool.store sid, session
+        with_lock(env, [nil, {}]) do
+          unless sid and session = @pool[sid]
+            sid, session = generate_sid, {}
+            @pool.store sid, session
+          end
+          [sid, session]
         end
-        session.instance_variable_set('@old', {}.merge(session))
-        return [sid, session]
-      ensure
-        @mutex.unlock if env['rack.multithread']
       end
 
       def set_session(env, session_id, new_session, options)
-        @mutex.lock if env['rack.multithread']
-        session = @pool[session_id]
-        if options[:renew] or options[:drop]
-          @pool.delete session_id
-          return false if options[:drop]
-          session_id = generate_sid
-          @pool.store session_id, 0
+        with_lock(env, false) do
+          @pool.store session_id, new_session
+          session_id
         end
-        old_session = new_session.instance_variable_get('@old') || {}
-        session = merge_sessions session_id, old_session, new_session, session
-        @pool.store session_id, session
-        return session_id
-      rescue
-        warn "#{new_session.inspect} has been lost."
-        warn $!.inspect
-      ensure
-        @mutex.unlock if env['rack.multithread']
       end
 
-      private
-
-      def merge_sessions sid, old, new, cur=nil
-        cur ||= {}
-        unless Hash === old and Hash === new
-          warn 'Bad old or new sessions provided.'
-          return cur
+      def destroy_session(env, session_id, options)
+        with_lock(env) do
+          @pool.delete(session_id)
+          generate_sid unless options[:drop]
         end
+      end
 
-        delete = old.keys - new.keys
-        warn "//@#{sid}: dropping #{delete*','}" if $DEBUG and not delete.empty?
-        delete.each{|k| cur.delete k }
-
-        update = new.keys.select{|k| new[k] != old[k] }
-        warn "//@#{sid}: updating #{update*','}" if $DEBUG and not update.empty?
-        update.each{|k| cur[k] = new[k] }
-
-        cur
+      def with_lock(env, default=nil)
+        @mutex.lock if env['rack.multithread']
+        yield
+      rescue
+        default
+      ensure
+        @mutex.unlock if @mutex.locked?
       end
+
     end
   end
 end

data/lib/rack/showexceptions.rb

@@ -23,18 +23,45 @@ module Rack
     def call(env)
       @app.call(env)
     rescue StandardError, LoadError, SyntaxError => e
-      backtrace = pretty(env, e)
+      exception_string = dump_exception(e)
+
+      env["rack.errors"].puts(exception_string)
+      env["rack.errors"].flush
+
+      if prefers_plain_text?(env)
+        content_type = "text/plain"
+        body = [exception_string]
+      else
+        content_type = "text/html"
+        body = pretty(env, e)
+      end
+
       [500,
-       {"Content-Type" => "text/html",
-        "Content-Length" => backtrace.join.size.to_s},
-       backtrace]
+       {"Content-Type" => content_type,
+        "Content-Length" => Rack::Utils.bytesize(body.join).to_s},
+       body]
+    end
+
+    def prefers_plain_text?(env)
+      env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" && (!env["HTTP_ACCEPT"] || !env["HTTP_ACCEPT"].include?("text/html"))
+    end
+
+    def dump_exception(exception)
+      string = "#{exception.class}: #{exception.message}\n"
+      string << exception.backtrace.map { |l| "\t#{l}" }.join("\n")
+      string
     end
 
     def pretty(env, exception)
       req = Rack::Request.new(env)
-      path = (req.script_name + req.path_info).squeeze("/")
 
-      frames = exception.backtrace.map { |line|
+      # This double assignment is to prevent an "unused variable" warning on
+      # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+      path = path = (req.script_name + req.path_info).squeeze("/")
+
+      # This double assignment is to prevent an "unused variable" warning on
+      # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+      frames = frames = exception.backtrace.map { |line|
         frame = OpenStruct.new
         if line =~ /(.*?):(\d+)(:in `(.*)')?/
           frame.filename = $1
@@ -58,10 +85,6 @@ module Rack
         end
       }.compact
 
-      env["rack.errors"].puts "#{exception.class}: #{exception.message}"
-      env["rack.errors"].puts exception.backtrace.map { |l| "\t" + l }
-      env["rack.errors"].flush
-
       [@template.result(binding)]
     end
 
@@ -195,7 +218,13 @@ TEMPLATE = <<'HTML'
   <h2><%=h exception.message %></h2>
   <table><tr>
     <th>Ruby</th>
-    <td><code><%=h frames.first.filename %></code>: in <code><%=h frames.first.function %></code>, line <%=h frames.first.lineno %></td>
+    <td>
+<% if first = frames.first %>
+      <code><%=h first.filename %></code>: in <code><%=h first.function %></code>, line <%=h frames.first.lineno %>
+<% else %>
+      unknown location
+<% end %>
+    </td>
   </tr><tr>
     <th>Web</th>
     <td><code><%=h req.request_method %> <%=h(req.host + path)%></code></td>