rack 1.4.1 → 1.4.5

data/lib/rack/etag.rb

@@ -28,8 +28,11 @@ module Rack
       end
 
       unless headers['Cache-Control']
-        headers['Cache-Control'] =
-          (digest ? @cache_control : @no_cache_control) || []
+        if digest
+          headers['Cache-Control'] = @cache_control if @cache_control
+        else
+          headers['Cache-Control'] = @no_cache_control if @no_cache_control
+        end
       end
 
       [status, headers, body]
@@ -46,7 +49,7 @@ module Rack
       end
 
       def skip_caching?(headers)
-        headers['Cache-Control'] == 'no-cache' ||
+        (headers['Cache-Control'] && headers['Cache-Control'].include?('no-cache')) ||
           headers.key?('ETag') || headers.key?('Last-Modified')
       end
 

data/lib/rack/file.rb

@@ -21,9 +21,16 @@ module Rack
 
     alias :to_path :path
 
-    def initialize(root, cache_control = nil)
+    def initialize(root, headers={})
       @root = root
-      @cache_control = cache_control
+      # Allow a cache_control string for backwards compatibility
+      if headers.instance_of? String
+        warn \
+          "Rack::File headers parameter replaces cache_control after Rack 1.5."
+        @headers = { 'Cache-Control' => headers }
+      else
+        @headers = headers
+      end
     end
 
     def call(env)
@@ -40,19 +47,14 @@ module Rack
       @path_info = Utils.unescape(env["PATH_INFO"])
       parts = @path_info.split SEPS
 
-      parts.inject(0) do |depth, part|
-        case part
-        when '', '.'
-          depth
-        when '..'
-          return fail(404, "Not Found") if depth - 1 < 0
-          depth - 1
-        else
-          depth + 1
-        end
+      clean = []
+
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
       end
 
-      @path = F.join(@root, *parts)
+      @path = F.join(@root, *clean)
 
       available = begin
         F.file?(@path) && F.readable?(@path)
@@ -78,7 +80,9 @@ module Rack
         },
         env["REQUEST_METHOD"] == "HEAD" ? [] : self
       ]
-      response[1].merge! 'Cache-Control' => @cache_control if @cache_control
+
+      # Set custom headers
+      @headers.each { |field, content| response[1][field] = content } if @headers
 
       # NOTE:
       #   We check via File::size? whether this file provides size info
@@ -101,7 +105,7 @@ module Rack
         # Partial content:
         @range = ranges[0]
         response[0] = 206
-        response[1]["Content-Range"]  = "bytes #{@range.begin}-#{@range.end}/#{size}"
+        response[1]["Content-Range"] = "bytes #{@range.begin}-#{@range.end}/#{size}"
         size = @range.end - @range.begin + 1
       end
 

data/lib/rack/head.rb

@@ -9,6 +9,7 @@ class Head
     status, headers, body = @app.call(env)
 
     if env["REQUEST_METHOD"] == "HEAD"
+      body.close if body.respond_to? :close
       [status, headers, []]
     else
       [status, headers, body]

data/lib/rack/lint.rb

@@ -528,7 +528,9 @@ module Rack
       ## The Body itself should not be an instance of String, as this will
       ## break in Ruby 1.9.
       ##
-      ## If the Body responds to +close+, it will be called after iteration.
+      ## If the Body responds to +close+, it will be called after iteration. If
+      ## the body is replaced by a middleware after action, the original body
+      ## must be closed first, if it repsonds to close.
       # XXX howto: assert("Body has not been closed") { @closed }
 
 

data/lib/rack/lock.rb

@@ -13,12 +13,11 @@ module Rack
       old, env[FLAG] = env[FLAG], false
       @mutex.lock
       response = @app.call(env)
-      response[2] = BodyProxy.new(response[2]) { @mutex.unlock }
+      body = BodyProxy.new(response[2]) { @mutex.unlock }
+      response[2] = body
       response
-    rescue Exception
-      @mutex.unlock
-      raise
     ensure
+      @mutex.unlock unless body
       env[FLAG] = old
     end
   end

data/lib/rack/mime.rb

@@ -598,7 +598,7 @@ module Rack
       ".wmv"       => "video/x-ms-wmv",
       ".wmx"       => "video/x-ms-wmx",
       ".wmz"       => "application/x-ms-wmz",
-      ".woff"      => "application/octet-stream",
+      ".woff"      => "application/font-woff",
       ".wpd"       => "application/vnd.wordperfect",
       ".wpl"       => "application/vnd.ms-wpl",
       ".wps"       => "application/vnd.ms-works",

data/lib/rack/mock.rb

@@ -9,12 +9,12 @@ module Rack
   # Rack::MockRequest helps testing your Rack application without
   # actually using HTTP.
   #
-  # After performing a request on a URL with get/post/put/delete, it
+  # After performing a request on a URL with get/post/put/patch/delete, it
   # returns a MockResponse with useful helper methods for effective
   # testing.
   #
   # You can pass a hash with additional configuration to the
-  # get/post/put/delete.
+  # get/post/put/patch/delete.
   # <tt>:input</tt>:: A String or IO-like to be used as rack.input.
   # <tt>:fatal</tt>:: Raise a FatalWarning if the app writes to rack.errors.
   # <tt>:lint</tt>:: If true, wrap the application in a Rack::Lint.
@@ -56,6 +56,7 @@ module Rack
     def get(uri, opts={})    request("GET", uri, opts)    end
     def post(uri, opts={})   request("POST", uri, opts)   end
     def put(uri, opts={})    request("PUT", uri, opts)    end
+    def patch(uri, opts={})  request("PATCH", uri, opts)    end
     def delete(uri, opts={}) request("DELETE", uri, opts) end
     def head(uri, opts={})   request("HEAD", uri, opts)   end
 

data/lib/rack/multipart/parser.rb

@@ -48,13 +48,15 @@ module Rack
         @buf = ""
         @params = Utils::KeySpaceConstrainedParams.new
 
-        @content_length = @env['CONTENT_LENGTH'].to_i
         @io = @env['rack.input']
         @io.rewind
 
         @boundary_size = Utils.bytesize(@boundary) + EOL.size
 
-        @content_length -= @boundary_size
+        if @content_length = @env['CONTENT_LENGTH']
+          @content_length = @content_length.to_i
+          @content_length -= @boundary_size
+        end
         true
       end
 
@@ -68,9 +70,16 @@ module Rack
 
       def fast_forward_to_first_boundary
         loop do
-          read_buffer = @io.gets
-          break if read_buffer == full_boundary
-          raise EOFError, "bad content body" if read_buffer.nil?
+          content = @io.read(BUFSIZE)
+          raise EOFError, "bad content body" unless content
+          @buf << content
+
+          while @buf.gsub!(/\A([^\n]*\n)/, '')
+            read_buffer = $1
+            return if read_buffer == full_boundary
+          end
+
+          raise EOFError, "bad content body" if Utils.bytesize(@buf) >= BUFSIZE
         end
       end
 
@@ -104,11 +113,11 @@ module Rack
             body << @buf.slice!(0, @buf.size - (@boundary_size+4))
           end
 
-          content = @io.read(BUFSIZE < @content_length ? BUFSIZE : @content_length)
+          content = @io.read(@content_length && BUFSIZE >= @content_length ? @content_length : BUFSIZE)
           raise EOFError, "bad content body"  if content.nil? || content.empty?
 
           @buf << content
-          @content_length -= content.size
+          @content_length -= content.size if @content_length
         end
 
         [head, filename, content_type, name, body]

data/lib/rack/multipart.rb

@@ -12,7 +12,7 @@ module Rack
     MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
-    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/
+    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/
     RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
     BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
     BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
@@ -31,4 +31,4 @@ module Rack
     end
 
   end
-end
+end

data/lib/rack/reloader.rb

@@ -101,7 +101,7 @@ module Rack
         return unless file
         stat = ::File.stat(file)
         return file, stat if stat.file?
-      rescue Errno::ENOENT, Errno::ENOTDIR
+      rescue Errno::ENOENT, Errno::ENOTDIR, Errno::ESRCH
         @cache.delete(file) and false
       end
     end

data/lib/rack/request.rb

@@ -260,12 +260,10 @@ module Rack
       #   the Cookie header such that those with more specific Path attributes
       #   precede those with less specific.  Ordering with respect to other
       #   attributes (e.g., Domain) is unspecified.
-      Utils.parse_query(string, ';,').each { |k,v| hash[k] = Array === v ? v.first : v }
+      cookies = Utils.parse_query(string, ';,') { |s| Rack::Utils.unescape(s) rescue s }
+      cookies.each { |k,v| hash[k] = Array === v ? v.first : v }
       @env["rack.request.cookie_string"] = string
       hash
-    rescue => error
-      error.message.replace "cannot parse Cookie header: #{error.message}"
-      raise
     end
 
     def xhr?

data/lib/rack/response.rb

@@ -74,9 +74,10 @@ module Rack
       if [204, 205, 304].include?(status.to_i)
         header.delete "Content-Type"
         header.delete "Content-Length"
+        close
         [status.to_i, header, []]
       else
-        [status.to_i, header, self]
+        [status.to_i, header, BodyProxy.new(self){}]
       end
     end
     alias to_a finish           # For *response

data/lib/rack/server.rb

@@ -26,7 +26,7 @@ module Rack
 
           opts.on("-I", "--include PATH",
                   "specify $LOAD_PATH (may be used more than once)") { |path|
-            options[:include] = path.split(":")
+            (options[:include] ||= []).concat(path.split(":"))
           }
 
           opts.on("-r", "--require LIBRARY",
@@ -247,11 +247,14 @@ module Rack
         pp app
       end
 
+      check_pid! if options[:pid]
+
       # Touch the wrapped app, so that the config.ru is loaded before
       # daemonization (i.e. before chdir, etc).
       wrapped_app
 
       daemonize_app if options[:daemonize]
+
       write_pid if options[:pid]
 
       trap(:INT) do
@@ -274,7 +277,7 @@ module Rack
         options = default_options
 
         # Don't evaluate CGI ISINDEX parameters.
-        # http://hoohoo.ncsa.uiuc.edu/cgi/cl.html
+        # http://www.meb.uni-bonn.de/docs/cgi/cl.html
         args.clear if ENV.include?("REQUEST_METHOD")
 
         options.merge! opt_parser.parse!(args)
@@ -319,5 +322,28 @@ module Rack
         ::File.open(options[:pid], 'w'){ |f| f.write("#{Process.pid}") }
         at_exit { ::File.delete(options[:pid]) if ::File.exist?(options[:pid]) }
       end
+
+      def check_pid!
+        case pidfile_process_status
+        when :running, :not_owned
+          $stderr.puts "A server is already running. Check #{options[:pid]}."
+          exit(1)
+        when :dead
+          ::File.delete(options[:pid])
+        end
+      end
+
+      def pidfile_process_status
+        return :exited unless ::File.exist?(options[:pid])
+
+        pid = ::File.read(options[:pid]).to_i
+        Process.kill(0, pid)
+        :running
+      rescue Errno::ESRCH
+        :dead
+      rescue Errno::EPERM
+        :not_owned
+      end
+
   end
 end

data/lib/rack/session/abstract/id.rb

@@ -116,6 +116,11 @@ module Rack
           super
         end
 
+        def merge!(hash)
+          load_for_write!
+          super
+        end
+
       private
 
         def load_for_read!

data/lib/rack/session/cookie.rb

@@ -82,6 +82,15 @@ module Rack
 
       def initialize(app, options={})
         @secrets = options.values_at(:secret, :old_secret).compact
+        warn <<-MSG unless @secrets.size >= 1
+        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+        This poses a security threat. It is strongly recommended that you
+        provide a secret to prevent exploits that may be possible from crafted
+        cookies. This will not be supported in future versions of Rack, and
+        future versions will even invalidate your existing user cookies.
+
+        Called from: #{caller[0]}.
+        MSG
         @coder  = options[:coder] ||= Base64::Marshal.new
         super(app, options.merge!(:cookie_only => true))
       end
@@ -108,7 +117,7 @@ module Rack
 
             if session_data && digest
               ok = @secrets.any? do |secret|
-                secret && digest == generate_hmac(session_data, secret)
+                secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
               end
             end
 

data/lib/rack/static.rb

@@ -26,13 +26,58 @@ module Rack
   # directory but uses index.html as default route for "/"
   #
   #     use Rack::Static, :urls => [""], :root => 'public', :index =>
-  #     'public/index.html'
+  #     'index.html'
   #
-  # Set a fixed Cache-Control header for all served files:
+  # Set custom HTTP Headers for based on rules:
   #
-  #     use Rack::Static, :root => 'public', :cache_control => 'public'
+  #     use Rack::Static, :root => 'public',
+  #         :header_rules => [
+  #           [rule, {header_field => content, header_field => content}],
+  #           [rule, {header_field => content}]
+  #         ]
+  #
+  #  Rules for selecting files:
+  #
+  #  1) All files
+  #     Provide the :all symbol
+  #     :all => Matches every file
+  #
+  #  2) Folders
+  #     Provide the folder path as a string
+  #     '/folder' or '/folder/subfolder' => Matches files in a certain folder
+  #
+  #  3) File Extensions
+  #     Provide the file extensions as an array
+  #     ['css', 'js'] or %w(css js) => Matches files ending in .css or .js
+  #
+  #  4) Regular Expressions / Regexp
+  #     Provide a regular expression
+  #     %r{\.(?:css|js)\z} => Matches files ending in .css or .js
+  #     /\.(?:eot|ttf|otf|woff|svg)\z/ => Matches files ending in
+  #       the most common web font formats (.eot, .ttf, .otf, .woff, .svg)
+  #       Note: This Regexp is available as a shortcut, using the :fonts rule
+  #
+  #  5) Font Shortcut
+  #     Provide the :fonts symbol
+  #     :fonts => Uses the Regexp rule stated right above to match all common web font endings
+  #
+  #  Rule Ordering:
+  #    Rules are applied in the order that they are provided.
+  #    List rather general rules above special ones.
+  #
+  #  Complete example use case including HTTP header rules:
+  #
+  #     use Rack::Static, :root => 'public',
+  #         :header_rules => [
+  #           # Cache all static files in public caches (e.g. Rack::Cache)
+  #           #  as well as in the browser
+  #           [:all, {'Cache-Control' => 'public, max-age=31536000'}],
+  #
+  #           # Provide web fonts with cross-origin access-control-headers
+  #           #  Firefox requires this when serving assets using a Content Delivery Network
+  #           [:fonts, {'Access-Control-Allow-Origin' => '*'}]
+  #         ]
   #
-
   class Static
 
     def initialize(app, options={})
@@ -40,12 +85,18 @@ module Rack
       @urls = options[:urls] || ["/favicon.ico"]
       @index = options[:index]
       root = options[:root] || Dir.pwd
-      cache_control = options[:cache_control]
-      @file_server = Rack::File.new(root, cache_control)
+
+      # HTTP Headers
+      @header_rules = options[:header_rules] || []
+      # Allow for legacy :cache_control option while prioritizing global header_rules setting
+      @header_rules.insert(0, [:all, {'Cache-Control' => options[:cache_control]}]) if options[:cache_control]
+      @headers = {}
+
+      @file_server = Rack::File.new(root, @headers)
     end
 
     def overwrite_file_path(path)
-      @urls.kind_of?(Hash) && @urls.key?(path) || @index && path == '/'
+      @urls.kind_of?(Hash) && @urls.key?(path) || @index && path =~ /\/$/
     end
 
     def route_file(path)
@@ -60,12 +111,43 @@ module Rack
       path = env["PATH_INFO"]
 
       if can_serve(path)
-        env["PATH_INFO"] = (path == '/' ? @index : @urls[path]) if overwrite_file_path(path)
+        env["PATH_INFO"] = (path =~ /\/$/ ? path + @index : @urls[path]) if overwrite_file_path(path)
+        @path = env["PATH_INFO"]
+        apply_header_rules
         @file_server.call(env)
       else
         @app.call(env)
       end
     end
 
+    # Convert HTTP header rules to HTTP headers
+    def apply_header_rules
+      @header_rules.each do |rule, headers|
+        apply_rule(rule, headers)
+      end
+    end
+
+    def apply_rule(rule, headers)
+      case rule
+      when :all    # All files
+        set_headers(headers)
+      when :fonts  # Fonts Shortcut
+        set_headers(headers) if @path.match(/\.(?:ttf|otf|eot|woff|svg)\z/)
+      when String  # Folder
+        path = ::Rack::Utils.unescape(@path)
+        set_headers(headers) if (path.start_with?(rule) || path.start_with?('/' + rule))
+      when Array   # Extension/Extensions
+        extensions = rule.join('|')
+        set_headers(headers) if @path.match(/\.(#{extensions})\z/)
+      when Regexp  # Flexible Regexp
+        set_headers(headers) if @path.match(rule)
+      else
+      end
+    end
+
+    def set_headers(headers)
+      headers.each { |field, content| @headers[field] = content }
+    end
+
   end
 end

data/lib/rack/utils.rb

@@ -8,8 +8,10 @@ major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
 
 if major == 1 && minor < 9
   require 'rack/backports/uri/common_18'
-elsif major == 1 && minor == 9 && patch < 3
+elsif major == 1 && minor == 9 && patch == 2 && RUBY_PATCHLEVEL <= 320 && RUBY_ENGINE != 'jruby'
   require 'rack/backports/uri/common_192'
+elsif major == 1 && minor == 9 && patch == 3 && RUBY_PATCHLEVEL < 125
+  require 'rack/backports/uri/common_193'
 else
   require 'uri/common'
 end
@@ -60,11 +62,15 @@ module Rack
     # and ';' characters.  You can also use this to parse
     # cookies by changing the characters used in the second
     # parameter (which defaults to '&;').
-    def parse_query(qs, d = nil)
+    def parse_query(qs, d = nil, &unescaper)
+      unescaper ||= method(:unescape)
+
       params = KeySpaceConstrainedParams.new
 
       (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
-        k, v = p.split('=', 2).map { |x| unescape(x) }
+        next if p.empty?
+        k, v = p.split('=', 2).map(&unescaper)
+        next unless k || v
 
         if cur = params[k]
           if cur.class == Array
@@ -309,16 +315,16 @@ module Rack
     def byte_ranges(env, size)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
       http_range = env['HTTP_RANGE']
-      return nil unless http_range
+      return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
-      http_range.split(/,\s*/).each do |range_spec|
-        matches = range_spec.match(/bytes=(\d*)-(\d*)/)
-        return nil  unless matches
-        r0,r1 = matches[1], matches[2]
+      $1.split(/,\s*/).each do |range_spec|
+        return nil  unless range_spec =~ /(\d*)-(\d*)/
+        r0,r1 = $1, $2
         if r0.empty?
           return nil  if r1.empty?
           # suffix-byte-range-spec, represents trailing suffix of file
-          r0 = [size - r1.to_i, 0].max
+          r0 = size - r1.to_i
+          r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
@@ -336,6 +342,18 @@ module Rack
     end
     module_function :byte_ranges
 
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which
@@ -442,7 +460,7 @@ module Rack
       end
 
       def []=(key, value)
-        @size += key.size unless @params.key?(key)
+        @size += key.size if key && !@params.key?(key)
         raise RangeError, 'exceeded available parameter key space' if @size > @limit
         @params[key] = value
       end

data/lib/rack.rb

@@ -73,6 +73,18 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
+
+    # Not all of the following schemes are "standards", but they are used often.
+    @schemes = %w[basic digest bearer mac token oauth oauth2]
+
+    def self.add_scheme scheme
+      @schemes << scheme
+      @schemes.uniq!
+    end
+
+    def self.schemes
+      @schemes.dup
+    end
   end
 
   module Session

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.4.1"
+  s.version         = "1.4.5"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 
@@ -11,7 +11,7 @@ the simplest way possible, it unifies and distills the API for web
 servers, web frameworks, and software in between (the so-called
 middleware) into a single method call.
 
-Also see http://rack.rubyforge.org.
+Also see http://rack.github.com/.
 EOF
 
   s.files           = Dir['{bin/*,contrib/*,example/*,lib/**/*,test/**/*}'] +
@@ -24,7 +24,7 @@ EOF
 
   s.author          = 'Christian Neukirchen'
   s.email           = 'chneukirchen@gmail.com'
-  s.homepage        = 'http://rack.rubyforge.org'
+  s.homepage        = 'http://rack.github.com/'
   s.rubyforge_project = 'rack'
 
   s.add_development_dependency 'bacon'

data/test/builder/line.ru

@@ -0,0 +1 @@
+run lambda{ |env| [200, {'Content-Type' => 'text/plain'}, [__LINE__.to_s]] }

data/test/cgi/assets/folder/test.js

@@ -0,0 +1 @@
+### TestFile ###

data/test/cgi/assets/fonts/font.eot

@@ -0,0 +1 @@
+### TestFile ###

data/test/cgi/assets/images/image.png

@@ -0,0 +1 @@
+### TestFile ###

data/test/cgi/assets/index.html

@@ -0,0 +1 @@
+### TestFile ###

data/test/cgi/assets/javascripts/app.js

@@ -0,0 +1 @@
+### TestFile ###

data/test/cgi/assets/stylesheets/app.css

@@ -0,0 +1 @@
+### TestFile ###