rack 1.3.10 → 1.4.0

data/test/spec_cascade.rb

@@ -1,9 +1,14 @@
 require 'rack/cascade'
 require 'rack/file'
+require 'rack/lint'
 require 'rack/urlmap'
 require 'rack/mock'
 
 describe Rack::Cascade do
+  def cascade(*args)
+    Rack::Lint.new Rack::Cascade.new(*args)
+  end
+  
   docroot = File.expand_path(File.dirname(__FILE__))
   app1 = Rack::File.new(docroot)
 
@@ -13,20 +18,20 @@ describe Rack::Cascade do
                             [200, { "Content-Type" => "text/plain"}, [""]]})
 
   should "dispatch onward on 404 by default" do
-    cascade = Rack::Cascade.new([app1, app2, app3])
+    cascade = cascade([app1, app2, app3])
     Rack::MockRequest.new(cascade).get("/cgi/test").should.be.ok
     Rack::MockRequest.new(cascade).get("/foo").should.be.ok
     Rack::MockRequest.new(cascade).get("/toobad").should.be.not_found
-    Rack::MockRequest.new(cascade).get("/cgi/../bla").should.be.forbidden
+    Rack::MockRequest.new(cascade).get("/cgi/../..").should.be.forbidden
   end
 
   should "dispatch onward on whatever is passed" do
-    cascade = Rack::Cascade.new([app1, app2, app3], [404, 403])
+    cascade = cascade([app1, app2, app3], [404, 403])
     Rack::MockRequest.new(cascade).get("/cgi/../bla").should.be.not_found
   end
 
   should "return 404 if empty" do
-    Rack::MockRequest.new(Rack::Cascade.new([])).get('/').should.be.not_found
+    Rack::MockRequest.new(cascade([])).get('/').should.be.not_found
   end
 
   should "append new app" do
@@ -37,17 +42,9 @@ describe Rack::Cascade do
     Rack::MockRequest.new(cascade).get('/cgi/../bla').should.be.not_found
     cascade << app1
     Rack::MockRequest.new(cascade).get('/cgi/test').should.be.ok
-    Rack::MockRequest.new(cascade).get('/cgi/../bla').should.be.forbidden
+    Rack::MockRequest.new(cascade).get('/cgi/../..').should.be.forbidden
     Rack::MockRequest.new(cascade).get('/foo').should.be.not_found
     cascade << app3
     Rack::MockRequest.new(cascade).get('/foo').should.be.ok
   end
-
-  should "close the body on cascade" do
-    body = StringIO.new
-    closer = lambda { |env| [404, {}, body] }
-    cascade = Rack::Cascade.new([closer, app3], [404])
-    Rack::MockRequest.new(cascade).get("/foo").should.be.ok
-    body.should.be.closed
-  end
 end

data/test/spec_cgi.rb

@@ -5,7 +5,7 @@ require 'rack/handler/cgi'
 describe Rack::Handler::CGI do
   extend TestRequest::Helpers
 
-  @host = '0.0.0.0'
+  @host = '127.0.0.1'
   @port = 9203
 
   if `which lighttpd` && !$?.success?

data/test/spec_chunked.rb

@@ -1,31 +1,56 @@
 require 'rack/chunked'
+require 'rack/lint'
 require 'rack/mock'
 
 describe Rack::Chunked do
+  Enumerator = ::Enumerable::Enumerator unless defined?(Enumerator)
+
+  def chunked(app)
+    proc do |env|
+      app = Rack::Chunked.new(app)
+      Rack::Lint.new(app).call(env).tap do |response|
+        # we want to use body like an array, but it only has #each
+        response[2] = Enumerator.new(response[2]).to_a
+      end
+    end
+  end
+  
   before do
     @env = Rack::MockRequest.
       env_for('/', 'HTTP_VERSION' => '1.1', 'REQUEST_METHOD' => 'GET')
   end
 
   should 'chunk responses with no Content-Length' do
-    app = lambda { |env| [200, {}, ['Hello', ' ', 'World!']] }
-    response = Rack::MockResponse.new(*Rack::Chunked.new(app).call(@env))
+    app = lambda { |env| [200, {"Content-Type" => "text/plain"}, ['Hello', ' ', 'World!']] }
+    response = Rack::MockResponse.new(*chunked(app).call(@env))
     response.headers.should.not.include 'Content-Length'
     response.headers['Transfer-Encoding'].should.equal 'chunked'
     response.body.should.equal "5\r\nHello\r\n1\r\n \r\n6\r\nWorld!\r\n0\r\n\r\n"
   end
 
   should 'chunks empty bodies properly' do
-    app = lambda { |env| [200, {}, []] }
-    response = Rack::MockResponse.new(*Rack::Chunked.new(app).call(@env))
+    app = lambda { |env| [200, {"Content-Type" => "text/plain"}, []] }
+    response = Rack::MockResponse.new(*chunked(app).call(@env))
     response.headers.should.not.include 'Content-Length'
     response.headers['Transfer-Encoding'].should.equal 'chunked'
     response.body.should.equal "0\r\n\r\n"
   end
 
+  should 'chunks encoded bodies properly' do
+    body = ["\uFFFEHello", " ", "World"].map {|t| t.encode("UTF-16LE") }
+    app  = lambda { |env| [200, {"Content-Type" => "text/plain"}, body] }
+    response = Rack::MockResponse.new(*chunked(app).call(@env))
+    response.headers.should.not.include 'Content-Length'
+    response.headers['Transfer-Encoding'].should.equal 'chunked'
+    response.body.encoding.to_s.should == "ASCII-8BIT"
+    response.body.should.equal "c\r\n\xFE\xFFH\x00e\x00l\x00l\x00o\x00\r\n2\r\n \x00\r\na\r\nW\x00o\x00r\x00l\x00d\x00\r\n0\r\n\r\n"
+  end if RUBY_VERSION >= "1.9"
+
   should 'not modify response when Content-Length header present' do
-    app = lambda { |env| [200, {'Content-Length'=>'12'}, ['Hello', ' ', 'World!']] }
-    status, headers, body = Rack::Chunked.new(app).call(@env)
+    app = lambda { |env|
+      [200, {"Content-Type" => "text/plain", 'Content-Length'=>'12'}, ['Hello', ' ', 'World!']]
+    }
+    status, headers, body = chunked(app).call(@env)
     status.should.equal 200
     headers.should.not.include 'Transfer-Encoding'
     headers.should.include 'Content-Length'
@@ -33,26 +58,28 @@ describe Rack::Chunked do
   end
 
   should 'not modify response when client is HTTP/1.0' do
-    app = lambda { |env| [200, {}, ['Hello', ' ', 'World!']] }
+    app = lambda { |env| [200, {"Content-Type" => "text/plain"}, ['Hello', ' ', 'World!']] }
     @env['HTTP_VERSION'] = 'HTTP/1.0'
-    status, headers, body = Rack::Chunked.new(app).call(@env)
+    status, headers, body = chunked(app).call(@env)
     status.should.equal 200
     headers.should.not.include 'Transfer-Encoding'
     body.join.should.equal 'Hello World!'
   end
 
   should 'not modify response when Transfer-Encoding header already present' do
-    app = lambda { |env| [200, {'Transfer-Encoding' => 'identity'}, ['Hello', ' ', 'World!']] }
-    status, headers, body = Rack::Chunked.new(app).call(@env)
+    app = lambda { |env|
+      [200, {"Content-Type" => "text/plain", 'Transfer-Encoding' => 'identity'}, ['Hello', ' ', 'World!']]
+    }
+    status, headers, body = chunked(app).call(@env)
     status.should.equal 200
     headers['Transfer-Encoding'].should.equal 'identity'
     body.join.should.equal 'Hello World!'
   end
 
-  [100, 204, 304].each do |status_code|
+  [100, 204, 205, 304].each do |status_code|
     should "not modify response when status code is #{status_code}" do
       app = lambda { |env| [status_code, {}, []] }
-      status, headers, _ = Rack::Chunked.new(app).call(@env)
+      status, headers, _ = chunked(app).call(@env)
       status.should.equal status_code
       headers.should.not.include 'Transfer-Encoding'
     end

data/test/spec_commonlogger.rb

@@ -1,19 +1,20 @@
 require 'rack/commonlogger'
+require 'rack/lint'
 require 'rack/mock'
 
 describe Rack::CommonLogger do
   obj = 'foobar'
   length = obj.size
 
-  app = lambda { |env|
+  app = Rack::Lint.new lambda { |env|
     [200,
      {"Content-Type" => "text/html", "Content-Length" => length.to_s},
      [obj]]}
-  app_without_length = lambda { |env|
+  app_without_length = Rack::Lint.new lambda { |env|
     [200,
      {"Content-Type" => "text/html"},
      []]}
-  app_with_zero_length = lambda { |env|
+  app_with_zero_length = Rack::Lint.new lambda { |env|
     [200,
      {"Content-Type" => "text/html", "Content-Length" => "0"},
      []]}

data/test/spec_conditionalget.rb

@@ -3,9 +3,13 @@ require 'rack/conditionalget'
 require 'rack/mock'
 
 describe Rack::ConditionalGet do
+  def conditional_get(app)
+    Rack::Lint.new Rack::ConditionalGet.new(app)
+  end
+  
   should "set a 304 status and truncate body when If-Modified-Since hits" do
     timestamp = Time.now.httpdate
-    app = Rack::ConditionalGet.new(lambda { |env|
+    app = conditional_get(lambda { |env|
       [200, {'Last-Modified'=>timestamp}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
@@ -16,7 +20,7 @@ describe Rack::ConditionalGet do
   end
 
   should "set a 304 status and truncate body when If-Modified-Since hits and is higher than current time" do
-    app = Rack::ConditionalGet.new(lambda { |env|
+    app = conditional_get(lambda { |env|
       [200, {'Last-Modified'=>(Time.now - 3600).httpdate}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
@@ -27,7 +31,7 @@ describe Rack::ConditionalGet do
   end
 
   should "set a 304 status and truncate body when If-None-Match hits" do
-    app = Rack::ConditionalGet.new(lambda { |env|
+    app = conditional_get(lambda { |env|
       [200, {'Etag'=>'1234'}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
@@ -39,8 +43,8 @@ describe Rack::ConditionalGet do
 
   should "not set a 304 status if If-Modified-Since hits but Etag does not" do
     timestamp = Time.now.httpdate
-    app = Rack::ConditionalGet.new(lambda { |env|
-      [200, {'Last-Modified'=>timestamp, 'Etag'=>'1234'}, ['TEST']] })
+    app = conditional_get(lambda { |env|
+      [200, {'Last-Modified'=>timestamp, 'Etag'=>'1234', 'Content-Type' => 'text/plain'}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
       get("/", 'HTTP_IF_MODIFIED_SINCE' => timestamp, 'HTTP_IF_NONE_MATCH' => '4321')
@@ -51,7 +55,7 @@ describe Rack::ConditionalGet do
 
   should "set a 304 status and truncate body when both If-None-Match and If-Modified-Since hits" do
     timestamp = Time.now.httpdate
-    app = Rack::ConditionalGet.new(lambda { |env|
+    app = conditional_get(lambda { |env|
       [200, {'Last-Modified'=>timestamp, 'Etag'=>'1234'}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
@@ -62,8 +66,8 @@ describe Rack::ConditionalGet do
   end
 
   should "not affect non-GET/HEAD requests" do
-    app = Rack::ConditionalGet.new(lambda { |env|
-      [200, {'Etag'=>'1234'}, ['TEST']] })
+    app = conditional_get(lambda { |env|
+      [200, {'Etag'=>'1234', 'Content-Type' => 'text/plain'}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
       post("/", 'HTTP_IF_NONE_MATCH' => '1234')
@@ -73,8 +77,8 @@ describe Rack::ConditionalGet do
   end
 
   should "not affect non-200 requests" do
-    app = Rack::ConditionalGet.new(lambda { |env|
-      [302, {'Etag'=>'1234'}, ['TEST']] })
+    app = conditional_get(lambda { |env|
+      [302, {'Etag'=>'1234', 'Content-Type' => 'text/plain'}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
       get("/", 'HTTP_IF_NONE_MATCH' => '1234')
@@ -85,8 +89,8 @@ describe Rack::ConditionalGet do
 
   should "not affect requests with malformed HTTP_IF_NONE_MATCH" do
     bad_timestamp = Time.now.strftime('%Y-%m-%d %H:%M:%S %z')
-    app = Rack::ConditionalGet.new(lambda { |env|
-      [200,{'Last-Modified'=>(Time.now - 3600).httpdate}, ['TEST']] })
+    app = conditional_get(lambda { |env|
+      [200,{'Last-Modified'=>(Time.now - 3600).httpdate, 'Content-Type' => 'text/plain'}, ['TEST']] })
 
     response = Rack::MockRequest.new(app).
       get("/", 'HTTP_IF_MODIFIED_SINCE' => bad_timestamp)

data/test/spec_content_length.rb

@@ -52,7 +52,7 @@ describe Rack::ContentLength do
     end.new(%w[one two three])
 
     app = lambda { |env| [200, {}, body] }
-    response = Rack::ContentLength.new(app).call({})
+    Rack::ContentLength.new(app).call({})
     body.closed.should.equal true
   end
 

data/test/spec_content_type.rb

@@ -26,4 +26,10 @@ describe Rack::ContentType do
     headers.to_a.select { |k,v| k.downcase == "content-type" }.
       should.equal [["CONTENT-Type","foo/bar"]]
   end
+
+  should "not set Content-Type on 304 responses" do
+    app = lambda { |env| [304, {}, []] }
+    response = Rack::ContentType.new(app, "text/html").call({})
+    response[1]['Content-Type'].should.equal nil
+  end
 end

data/test/spec_deflater.rb

@@ -51,7 +51,7 @@ describe Rack::Deflater do
     response[2].each { |part| buf << inflater.inflate(part) }
     buf << inflater.finish
     buf.delete_if { |part| part.empty? }
-    buf.should.equal(%w(foo bar))
+    buf.join.should.equal("foobar")
   end
 
   # TODO: This is really just a special case of the above...
@@ -104,7 +104,7 @@ describe Rack::Deflater do
     response[2].each { |part| buf << inflater.inflate(part) }
     buf << inflater.finish
     buf.delete_if { |part| part.empty? }
-    buf.should.equal(%w(foo bar))
+    buf.join.should.equal("foobar")
   end
 
   should "be able to fallback to no deflation" do

data/test/spec_directory.rb

@@ -54,4 +54,16 @@ describe Rack::Directory do
 
     res.should.be.not_found
   end
+
+  should "uri escape path parts" do # #265, properly escape file names
+    mr = Rack::MockRequest.new(Rack::Lint.new(app))
+
+    res = mr.get("/cgi/test%2bdirectory")
+
+    res.should.be.ok
+    res.body.should =~ %r[/cgi/test%2Bdirectory/test%2Bfile]
+
+    res = mr.get("/cgi/test%2bdirectory/test%2bfile")
+    res.should.be.ok
+  end
 end

data/test/spec_fastcgi.rb

@@ -5,7 +5,7 @@ require 'rack/handler/fastcgi'
 describe Rack::Handler::FastCGI do
   extend TestRequest::Helpers
 
-  @host = '0.0.0.0'
+  @host = '127.0.0.1'
   @port = 9203
 
   if `which lighttpd` && !$?.success?

data/test/spec_file.rb

@@ -22,6 +22,23 @@ describe Rack::File do
     res["Last-Modified"].should.equal File.mtime(path).httpdate
   end
 
+  should "return 304 if file isn't modified since last serve" do
+    path = File.join(DOCROOT, "/cgi/test")
+    res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
+      get("/cgi/test", 'HTTP_IF_MODIFIED_SINCE' => File.mtime(path).httpdate)
+
+    res.status.should.equal 304
+    res.body.should.be.empty
+  end
+
+  should "return the file if it's modified since last serve" do
+    path = File.join(DOCROOT, "/cgi/test")
+    res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
+      get("/cgi/test", 'HTTP_IF_MODIFIED_SINCE' => (File.mtime(path) - 100).httpdate)
+
+    res.should.be.ok
+  end
+
   should "serve files with URL encoded filenames" do
     res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
       get("/cgi/%74%65%73%74") # "/cgi/test"
@@ -30,9 +47,23 @@ describe Rack::File do
     res.should =~ /ruby/
   end
 
-  should "not allow directory traversal" do
+  should "allow safe directory traversal" do
+    req = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT)))
+
+    res = req.get('/cgi/../cgi/test')
+    res.should.be.successful
+
+    res = req.get('.')
+    res.should.be.not_found
+
+    res = req.get("test/..")
+    res.should.be.not_found
+  end
+
+  should "not allow unsafe directory traversal" do
     req = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT)))
-    res = req.get("/cgi/../test")
+
+    res = req.get("/../README")
     res.should.be.forbidden
 
     res = req.get("../test")
@@ -40,9 +71,6 @@ describe Rack::File do
 
     res = req.get("..")
     res.should.be.forbidden
-
-    res = req.get("test/..")
-    res.should.be.forbidden
   end
 
   should "allow files with .. in their name" do
@@ -57,13 +85,20 @@ describe Rack::File do
     res.should.be.not_found
   end
 
-  should "not allow directory traversal with encoded periods" do
+  should "not allow unsafe directory traversal with encoded periods" do
     res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
       get("/%2E%2E/README")
 
     res.should.be.forbidden
   end
 
+  should "allow safe directory traversal with encoded periods" do
+    res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
+      get("/cgi/%2E%2E/cgi/test")
+
+    res.should.be.successful
+  end
+
   should "404 if it can't find the file" do
     res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
       get("/cgi/blubb")
@@ -113,10 +148,25 @@ describe Rack::File do
     env = Rack::MockRequest.env_for("/cgi/test")
     status, heads, _ = Rack::File.new(DOCROOT, 'public, max-age=38').call(env)
 
-    path = File.join(DOCROOT, "/cgi/test")
-
     status.should.equal 200
     heads['Cache-Control'].should.equal 'public, max-age=38'
   end
 
+  should "only support GET and HEAD requests" do
+    req = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT)))
+
+    forbidden = %w[post put delete]
+    forbidden.each do |method|
+
+      res = req.send(method, "/cgi/test")
+      res.should.be.forbidden
+    end
+
+    allowed = %w[get head]
+    allowed.each do |method|
+      res = req.send(method, "/cgi/test")
+      res.should.be.successful
+    end
+  end
+
 end