rack 1.4.0 → 1.4.5

data/lib/rack/deflater.rb

@@ -45,6 +45,7 @@ module Rack
       when "identity"
         [status, headers, body]
       when nil
+        body.close if body.respond_to?(:close)
         message = "An acceptable encoding for the requested resource #{request.fullpath} could not be found."
         [406, {"Content-Type" => "text/plain", "Content-Length" => message.length.to_s}, [message]]
       end
@@ -64,6 +65,7 @@ module Rack
           gzip.write(part)
           gzip.flush
         }
+      ensure
         @body.close if @body.respond_to?(:close)
         gzip.close
         @writer = nil
@@ -90,9 +92,11 @@ module Rack
       def each
         deflater = ::Zlib::Deflate.new(*DEFLATE_ARGS)
         @body.each { |part| yield deflater.deflate(part, Zlib::SYNC_FLUSH) }
-        @body.close if @body.respond_to?(:close)
         yield deflater.finish
         nil
+      ensure
+        @body.close if @body.respond_to?(:close)
+        deflater.close
       end
     end
   end

data/lib/rack/directory.rb

@@ -80,7 +80,7 @@ table { width:100%%; }
       @files = [['../','Parent Directory','','','']]
       glob = F.join(@path, '*')
 
-      url_head = ([@script_name] + @path_info.split('/')).map do |part|
+      url_head = (@script_name.split('/') + @path_info.split('/')).map do |part|
         Rack::Utils.escape part
       end
 

data/lib/rack/etag.rb

@@ -28,8 +28,11 @@ module Rack
       end
 
       unless headers['Cache-Control']
-        headers['Cache-Control'] =
-          (digest ? @cache_control : @no_cache_control) || []
+        if digest
+          headers['Cache-Control'] = @cache_control if @cache_control
+        else
+          headers['Cache-Control'] = @no_cache_control if @no_cache_control
+        end
       end
 
       [status, headers, body]
@@ -46,7 +49,7 @@ module Rack
       end
 
       def skip_caching?(headers)
-        headers['Cache-Control'] == 'no-cache' ||
+        (headers['Cache-Control'] && headers['Cache-Control'].include?('no-cache')) ||
           headers.key?('ETag') || headers.key?('Last-Modified')
       end
 

data/lib/rack/file.rb

@@ -21,9 +21,16 @@ module Rack
 
     alias :to_path :path
 
-    def initialize(root, cache_control = nil)
+    def initialize(root, headers={})
       @root = root
-      @cache_control = cache_control
+      # Allow a cache_control string for backwards compatibility
+      if headers.instance_of? String
+        warn \
+          "Rack::File headers parameter replaces cache_control after Rack 1.5."
+        @headers = { 'Cache-Control' => headers }
+      else
+        @headers = headers
+      end
     end
 
     def call(env)
@@ -34,25 +41,20 @@ module Rack
 
     def _call(env)
       unless ALLOWED_VERBS.include? env["REQUEST_METHOD"]
-        return fail(403, "Forbidden")
+        return fail(405, "Method Not Allowed")
       end
 
       @path_info = Utils.unescape(env["PATH_INFO"])
       parts = @path_info.split SEPS
 
-      parts.inject(0) do |depth, part|
-        case part
-        when '', '.'
-          depth
-        when '..'
-          return fail(403, "Forbidden") if depth - 1 < 0
-          depth - 1
-        else
-          depth + 1
-        end
+      clean = []
+
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
       end
 
-      @path = F.join(@root, *parts)
+      @path = F.join(@root, *clean)
 
       available = begin
         F.file?(@path) && F.readable?(@path)
@@ -78,7 +80,9 @@ module Rack
         },
         env["REQUEST_METHOD"] == "HEAD" ? [] : self
       ]
-      response[1].merge! 'Cache-Control' => @cache_control if @cache_control
+
+      # Set custom headers
+      @headers.each { |field, content| response[1][field] = content } if @headers
 
       # NOTE:
       #   We check via File::size? whether this file provides size info
@@ -101,7 +105,7 @@ module Rack
         # Partial content:
         @range = ranges[0]
         response[0] = 206
-        response[1]["Content-Range"]  = "bytes #{@range.begin}-#{@range.end}/#{size}"
+        response[1]["Content-Range"] = "bytes #{@range.begin}-#{@range.end}/#{size}"
         size = @range.end - @range.begin + 1
       end
 

data/lib/rack/head.rb

@@ -9,6 +9,7 @@ class Head
     status, headers, body = @app.call(env)
 
     if env["REQUEST_METHOD"] == "HEAD"
+      body.close if body.respond_to? :close
       [status, headers, []]
     else
       [status, headers, body]

data/lib/rack/lint.rb

@@ -528,7 +528,9 @@ module Rack
       ## The Body itself should not be an instance of String, as this will
       ## break in Ruby 1.9.
       ##
-      ## If the Body responds to +close+, it will be called after iteration.
+      ## If the Body responds to +close+, it will be called after iteration. If
+      ## the body is replaced by a middleware after action, the original body
+      ## must be closed first, if it repsonds to close.
       # XXX howto: assert("Body has not been closed") { @closed }
 
 

data/lib/rack/lock.rb

@@ -13,12 +13,11 @@ module Rack
       old, env[FLAG] = env[FLAG], false
       @mutex.lock
       response = @app.call(env)
-      response[2] = BodyProxy.new(response[2]) { @mutex.unlock }
+      body = BodyProxy.new(response[2]) { @mutex.unlock }
+      response[2] = body
       response
-    rescue Exception
-      @mutex.unlock
-      raise
     ensure
+      @mutex.unlock unless body
       env[FLAG] = old
     end
   end

data/lib/rack/mime.rb

@@ -598,7 +598,7 @@ module Rack
       ".wmv"       => "video/x-ms-wmv",
       ".wmx"       => "video/x-ms-wmx",
       ".wmz"       => "application/x-ms-wmz",
-      ".woff"      => "application/octet-stream",
+      ".woff"      => "application/font-woff",
       ".wpd"       => "application/vnd.wordperfect",
       ".wpl"       => "application/vnd.ms-wpl",
       ".wps"       => "application/vnd.ms-works",

data/lib/rack/mock.rb

@@ -9,12 +9,12 @@ module Rack
   # Rack::MockRequest helps testing your Rack application without
   # actually using HTTP.
   #
-  # After performing a request on a URL with get/post/put/delete, it
+  # After performing a request on a URL with get/post/put/patch/delete, it
   # returns a MockResponse with useful helper methods for effective
   # testing.
   #
   # You can pass a hash with additional configuration to the
-  # get/post/put/delete.
+  # get/post/put/patch/delete.
   # <tt>:input</tt>:: A String or IO-like to be used as rack.input.
   # <tt>:fatal</tt>:: Raise a FatalWarning if the app writes to rack.errors.
   # <tt>:lint</tt>:: If true, wrap the application in a Rack::Lint.
@@ -56,6 +56,7 @@ module Rack
     def get(uri, opts={})    request("GET", uri, opts)    end
     def post(uri, opts={})   request("POST", uri, opts)   end
     def put(uri, opts={})    request("PUT", uri, opts)    end
+    def patch(uri, opts={})  request("PATCH", uri, opts)    end
     def delete(uri, opts={}) request("DELETE", uri, opts) end
     def head(uri, opts={})   request("HEAD", uri, opts)   end
 

data/lib/rack/multipart/parser.rb

@@ -14,9 +14,6 @@ module Rack
 
         fast_forward_to_first_boundary
 
-        max_key_space = Utils.key_space_limit
-        bytes = 0
-
         loop do
           head, filename, content_type, name, body =
             get_current_head_and_filename_and_content_type_and_name_and_body
@@ -31,13 +28,6 @@ module Rack
 
           filename, data = get_data(filename, body, content_type, name, head)
 
-          if name
-            bytes += name.size
-            if bytes > max_key_space
-              raise RangeError, "exceeded available parameter key space"
-            end
-          end
-
           Utils.normalize_params(@params, name, data) unless data.nil?
 
           # break if we're at the end of a buffer, but not if it is the end of a field
@@ -46,7 +36,7 @@ module Rack
 
         @io.rewind
 
-        @params
+        @params.to_params_hash
       end
 
       private
@@ -56,15 +46,17 @@ module Rack
         @boundary = "--#{$1}"
 
         @buf = ""
-        @params = {}
+        @params = Utils::KeySpaceConstrainedParams.new
 
-        @content_length = @env['CONTENT_LENGTH'].to_i
         @io = @env['rack.input']
         @io.rewind
 
         @boundary_size = Utils.bytesize(@boundary) + EOL.size
 
-        @content_length -= @boundary_size
+        if @content_length = @env['CONTENT_LENGTH']
+          @content_length = @content_length.to_i
+          @content_length -= @boundary_size
+        end
         true
       end
 
@@ -78,9 +70,16 @@ module Rack
 
       def fast_forward_to_first_boundary
         loop do
-          read_buffer = @io.gets
-          break if read_buffer == full_boundary
-          raise EOFError, "bad content body" if read_buffer.nil?
+          content = @io.read(BUFSIZE)
+          raise EOFError, "bad content body" unless content
+          @buf << content
+
+          while @buf.gsub!(/\A([^\n]*\n)/, '')
+            read_buffer = $1
+            return if read_buffer == full_boundary
+          end
+
+          raise EOFError, "bad content body" if Utils.bytesize(@buf) >= BUFSIZE
         end
       end
 
@@ -114,11 +113,11 @@ module Rack
             body << @buf.slice!(0, @buf.size - (@boundary_size+4))
           end
 
-          content = @io.read(BUFSIZE < @content_length ? BUFSIZE : @content_length)
+          content = @io.read(@content_length && BUFSIZE >= @content_length ? @content_length : BUFSIZE)
           raise EOFError, "bad content body"  if content.nil? || content.empty?
 
           @buf << content
-          @content_length -= content.size
+          @content_length -= content.size if @content_length
         end
 
         [head, filename, content_type, name, body]
@@ -135,8 +134,11 @@ module Rack
           filename = $1
         end
 
+        if filename && filename.scan(/%.?.?/).all? { |s| s =~ /%[0-9a-fA-F]{2}/ }
+          filename = Utils.unescape(filename)
+        end
         if filename && filename !~ /\\[^\\"]/
-          filename = Utils.unescape(filename).gsub(/\\(.)/, '\1')
+          filename = filename.gsub(/\\(.)/, '\1')
         end
         filename
       end

data/lib/rack/multipart.rb

@@ -12,7 +12,7 @@ module Rack
     MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
-    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/
+    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/
     RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
     BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
     BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
@@ -31,4 +31,4 @@ module Rack
     end
 
   end
-end
+end

data/lib/rack/reloader.rb

@@ -101,7 +101,7 @@ module Rack
         return unless file
         stat = ::File.stat(file)
         return file, stat if stat.file?
-      rescue Errno::ENOENT, Errno::ENOTDIR
+      rescue Errno::ENOENT, Errno::ENOTDIR, Errno::ESRCH
         @cache.delete(file) and false
       end
     end

data/lib/rack/request.rb

@@ -177,7 +177,7 @@ module Rack
       PARSEABLE_DATA_MEDIA_TYPES.include?(media_type)
     end
 
-    # Returns the data recieved in the query string.
+    # Returns the data received in the query string.
     def GET
       if @env["rack.request.query_string"] == query_string
         @env["rack.request.query_hash"]
@@ -187,7 +187,7 @@ module Rack
       end
     end
 
-    # Returns the data recieved in the request body.
+    # Returns the data received in the request body.
     #
     # This method support both application/x-www-form-urlencoded and
     # multipart/form-data.
@@ -260,12 +260,10 @@ module Rack
       #   the Cookie header such that those with more specific Path attributes
       #   precede those with less specific.  Ordering with respect to other
       #   attributes (e.g., Domain) is unspecified.
-      Utils.parse_query(string, ';,').each { |k,v| hash[k] = Array === v ? v.first : v }
+      cookies = Utils.parse_query(string, ';,') { |s| Rack::Utils.unescape(s) rescue s }
+      cookies.each { |k,v| hash[k] = Array === v ? v.first : v }
       @env["rack.request.cookie_string"] = string
       hash
-    rescue => error
-      error.message.replace "cannot parse Cookie header: #{error.message}"
-      raise
     end
 
     def xhr?

data/lib/rack/response.rb

@@ -12,7 +12,7 @@ module Rack
   # You can use Response#write to iteratively generate your response,
   # but note that this is buffered by Rack::Response until you call
   # +finish+.  +finish+ however can take a block inside which calls to
-  # +write+ are syncronous with the Rack response.
+  # +write+ are synchronous with the Rack response.
   #
   # Your application's +call+ should end returning Response#finish.
 
@@ -74,9 +74,10 @@ module Rack
       if [204, 205, 304].include?(status.to_i)
         header.delete "Content-Type"
         header.delete "Content-Length"
+        close
         [status.to_i, header, []]
       else
-        [status.to_i, header, self]
+        [status.to_i, header, BodyProxy.new(self){}]
       end
     end
     alias to_a finish           # For *response
@@ -112,21 +113,22 @@ module Rack
     alias headers header
 
     module Helpers
-      def invalid?;       status < 100 || status >= 600;        end
-
-      def informational?; status >= 100 && status < 200;        end
-      def successful?;    status >= 200 && status < 300;        end
-      def redirection?;   status >= 300 && status < 400;        end
-      def client_error?;  status >= 400 && status < 500;        end
-      def server_error?;  status >= 500 && status < 600;        end
-
-      def ok?;            status == 200;                        end
-      def bad_request?;   status == 400;                        end
-      def forbidden?;     status == 403;                        end
-      def not_found?;     status == 404;                        end
-      def unprocessable?; status == 422;                        end
-
-      def redirect?;      [301, 302, 303, 307].include? status; end
+      def invalid?;            status < 100 || status >= 600;        end
+
+      def informational?;      status >= 100 && status < 200;        end
+      def successful?;         status >= 200 && status < 300;        end
+      def redirection?;        status >= 300 && status < 400;        end
+      def client_error?;       status >= 400 && status < 500;        end
+      def server_error?;       status >= 500 && status < 600;        end
+
+      def ok?;                 status == 200;                        end
+      def bad_request?;        status == 400;                        end
+      def forbidden?;          status == 403;                        end
+      def not_found?;          status == 404;                        end
+      def method_not_allowed?; status == 405;                        end
+      def unprocessable?;      status == 422;                        end
+
+      def redirect?;           [301, 302, 303, 307].include? status; end
 
       # Headers
       attr_reader :headers, :original_headers

data/lib/rack/server.rb

@@ -26,7 +26,7 @@ module Rack
 
           opts.on("-I", "--include PATH",
                   "specify $LOAD_PATH (may be used more than once)") { |path|
-            options[:include] = path.split(":")
+            (options[:include] ||= []).concat(path.split(":"))
           }
 
           opts.on("-r", "--require LIBRARY",
@@ -247,11 +247,14 @@ module Rack
         pp app
       end
 
+      check_pid! if options[:pid]
+
       # Touch the wrapped app, so that the config.ru is loaded before
       # daemonization (i.e. before chdir, etc).
       wrapped_app
 
       daemonize_app if options[:daemonize]
+
       write_pid if options[:pid]
 
       trap(:INT) do
@@ -274,7 +277,7 @@ module Rack
         options = default_options
 
         # Don't evaluate CGI ISINDEX parameters.
-        # http://hoohoo.ncsa.uiuc.edu/cgi/cl.html
+        # http://www.meb.uni-bonn.de/docs/cgi/cl.html
         args.clear if ENV.include?("REQUEST_METHOD")
 
         options.merge! opt_parser.parse!(args)
@@ -319,5 +322,28 @@ module Rack
         ::File.open(options[:pid], 'w'){ |f| f.write("#{Process.pid}") }
         at_exit { ::File.delete(options[:pid]) if ::File.exist?(options[:pid]) }
       end
+
+      def check_pid!
+        case pidfile_process_status
+        when :running, :not_owned
+          $stderr.puts "A server is already running. Check #{options[:pid]}."
+          exit(1)
+        when :dead
+          ::File.delete(options[:pid])
+        end
+      end
+
+      def pidfile_process_status
+        return :exited unless ::File.exist?(options[:pid])
+
+        pid = ::File.read(options[:pid]).to_i
+        Process.kill(0, pid)
+        :running
+      rescue Errno::ESRCH
+        :dead
+      rescue Errno::EPERM
+        :not_owned
+      end
+
   end
 end

data/lib/rack/session/abstract/id.rb

@@ -36,7 +36,7 @@ module Rack
       private
 
         def session_id_not_loaded?
-          !key?(:id) && !@session_id_loaded
+          !(@session_id_loaded || key?(:id))
         end
 
         def load_session_id!
@@ -116,6 +116,11 @@ module Rack
           super
         end
 
+        def merge!(hash)
+          load_for_write!
+          super
+        end
+
       private
 
         def load_for_read!
@@ -183,7 +188,7 @@ module Rack
           :renew =>         false,
           :sidbits =>       128,
           :cookie_only =>   true,
-          :secure_random => begin ::SecureRandom rescue false end
+          :secure_random => (::SecureRandom rescue false)
         }
 
         attr_reader :key, :default_options
@@ -191,7 +196,7 @@ module Rack
         def initialize(app, options={})
           @app = app
           @default_options = self.class::DEFAULT_OPTIONS.merge(options)
-          @key = options[:key] || "rack.session"
+          @key = @default_options.delete(:key)
           @cookie_only = @default_options.delete(:cookie_only)
           initialize_sid
         end

data/lib/rack/session/cookie.rb

@@ -81,8 +81,16 @@ module Rack
       attr_reader :coder
 
       def initialize(app, options={})
-        @secret = options[:secret]
-        @old_secret = options[:old_secret]
+        @secrets = options.values_at(:secret, :old_secret).compact
+        warn <<-MSG unless @secrets.size >= 1
+        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+        This poses a security threat. It is strongly recommended that you
+        provide a secret to prevent exploits that may be possible from crafted
+        cookies. This will not be supported in future versions of Rack, and
+        future versions will even invalidate your existing user cookies.
+
+        Called from: #{caller[0]}.
+        MSG
         @coder  = options[:coder] ||= Base64::Marshal.new
         super(app, options.merge!(:cookie_only => true))
       end
@@ -104,11 +112,16 @@ module Rack
           request = Rack::Request.new(env)
           session_data = request.cookies[@key]
 
-          if (@secret || @old_secret) && session_data
+          if @secrets.size > 0 && session_data
             session_data, digest = session_data.split("--")
-            if (digest != generate_hmac(session_data, @secret)) && (digest != generate_hmac(session_data, @old_secret))
-              session_data = nil
+
+            if session_data && digest
+              ok = @secrets.any? do |secret|
+                secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
+              end
             end
+
+            session_data = nil unless ok
           end
 
           coder.decode(session_data) || {}
@@ -131,8 +144,8 @@ module Rack
         session = session.merge("session_id" => session_id)
         session_data = coder.encode(session)
 
-        if @secret
-          session_data = "#{session_data}--#{generate_hmac(session_data, @secret)}"
+        if @secrets.first
+          session_data = "#{session_data}--#{generate_hmac(session_data, @secrets.first)}"
         end
 
         if session_data.size > (4096 - @key.size)

data/lib/rack/showstatus.rb

@@ -3,8 +3,8 @@ require 'rack/request'
 require 'rack/utils'
 
 module Rack
-  # Rack::ShowStatus catches all empty responses the app it wraps and
-  # replaces them with a site explaining the error.
+  # Rack::ShowStatus catches all empty responses and replaces them 
+  # with a site explaining the error.
   #
   # Additional details can be put into <tt>rack.showstatus.detail</tt>
   # and will be shown as HTML.  If such details exist, the error page