rack 1.5.5 → 1.6.0.beta

data/lib/rack/session/memcache.rb

@@ -47,7 +47,7 @@ module Rack
       end
 
       def get_session(env, sid)
-        with_lock(env, [nil, {}]) do
+        with_lock(env) do
           unless sid and session = @pool.get(sid)
             sid, session = generate_sid, {}
             unless /^STORED/ =~ @pool.add(sid, session)
@@ -62,7 +62,7 @@ module Rack
         expiry = options[:expire_after]
         expiry = expiry.nil? ? 0 : expiry + 1
 
-        with_lock(env, false) do
+        with_lock(env) do
           @pool.set session_id, new_session, expiry
           session_id
         end
@@ -75,7 +75,7 @@ module Rack
         end
       end
 
-      def with_lock(env, default=nil)
+      def with_lock(env)
         @mutex.lock if env['rack.multithread']
         yield
       rescue MemCache::MemCacheError, Errno::ECONNREFUSED
@@ -83,7 +83,7 @@ module Rack
           warn "#{self} is unable to find memcached server."
           warn $!.inspect
         end
-        default
+        raise
       ensure
         @mutex.unlock if @mutex.locked?
       end

data/lib/rack/session/pool.rb

@@ -42,7 +42,7 @@ module Rack
       end
 
       def get_session(env, sid)
-        with_lock(env, [nil, {}]) do
+        with_lock(env) do
           unless sid and session = @pool[sid]
             sid, session = generate_sid, {}
             @pool.store sid, session
@@ -52,7 +52,7 @@ module Rack
       end
 
       def set_session(env, session_id, new_session, options)
-        with_lock(env, false) do
+        with_lock(env) do
           @pool.store session_id, new_session
           session_id
         end
@@ -65,15 +65,12 @@ module Rack
         end
       end
 
-      def with_lock(env, default=nil)
+      def with_lock(env)
         @mutex.lock if env['rack.multithread']
         yield
-      rescue
-        default
       ensure
         @mutex.unlock if @mutex.locked?
       end
-
     end
   end
 end

data/lib/rack/showexceptions.rb

@@ -28,23 +28,32 @@ module Rack
       env["rack.errors"].puts(exception_string)
       env["rack.errors"].flush
 
-      if prefers_plain_text?(env)
-        content_type = "text/plain"
-        body = [exception_string]
-      else
+      if accepts_html?(env)
         content_type = "text/html"
         body = pretty(env, e)
+      else
+        content_type = "text/plain"
+        body = exception_string
       end
 
-      [500,
-       {"Content-Type" => content_type,
-        "Content-Length" => Rack::Utils.bytesize(body.join).to_s},
-       body]
+      [
+        500,
+        {
+          "Content-Type" => content_type,
+          "Content-Length" => Rack::Utils.bytesize(body).to_s,
+        },
+        [body],
+      ]
+    end
+
+    def prefers_plaintext?(env)
+      !accepts_html(env)
     end
 
-    def prefers_plain_text?(env)
-      env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" && (!env["HTTP_ACCEPT"] || !env["HTTP_ACCEPT"].include?("text/html"))
+    def accepts_html?(env)
+      Rack::Utils.best_q_match(env["HTTP_ACCEPT"], %w[text/html])
     end
+    private :accepts_html?
 
     def dump_exception(exception)
       string = "#{exception.class}: #{exception.message}\n"
@@ -85,7 +94,7 @@ module Rack
         end
       }.compact
 
-      [@template.result(binding)]
+      @template.result(binding)
     end
 
     def h(obj)                  # :nodoc:

data/lib/rack/showstatus.rb

@@ -96,7 +96,7 @@ TEMPLATE = <<'HTML'
     </table>
   </div>
   <div id="info">
-    <p><%= detail %></p>
+    <p><%=h detail %></p>
   </div>
 
   <div id="explanation">

data/lib/rack/static.rb

@@ -90,9 +90,8 @@ module Rack
       @header_rules = options[:header_rules] || []
       # Allow for legacy :cache_control option while prioritizing global header_rules setting
       @header_rules.insert(0, [:all, {'Cache-Control' => options[:cache_control]}]) if options[:cache_control]
-      @headers = {}
 
-      @file_server = Rack::File.new(root, @headers)
+      @file_server = Rack::File.new(root)
     end
 
     def overwrite_file_path(path)
@@ -112,42 +111,40 @@ module Rack
 
       if can_serve(path)
         env["PATH_INFO"] = (path =~ /\/$/ ? path + @index : @urls[path]) if overwrite_file_path(path)
-        @path = env["PATH_INFO"]
-        apply_header_rules
-        @file_server.call(env)
+        path = env["PATH_INFO"]
+        response = @file_server.call(env)
+
+        headers = response[1]
+        applicable_rules(path).each do |rule, new_headers|
+          new_headers.each { |field, content| headers[field] = content }
+        end
+
+        response
       else
         @app.call(env)
       end
     end
 
     # Convert HTTP header rules to HTTP headers
-    def apply_header_rules
-      @header_rules.each do |rule, headers|
-        apply_rule(rule, headers)
-      end
-    end
-
-    def apply_rule(rule, headers)
-      case rule
-      when :all    # All files
-        set_headers(headers)
-      when :fonts  # Fonts Shortcut
-        set_headers(headers) if @path.match(/\.(?:ttf|otf|eot|woff|svg)\z/)
-      when String  # Folder
-        path = ::Rack::Utils.unescape(@path)
-        set_headers(headers) if (path.start_with?(rule) || path.start_with?('/' + rule))
-      when Array   # Extension/Extensions
-        extensions = rule.join('|')
-        set_headers(headers) if @path.match(/\.(#{extensions})\z/)
-      when Regexp  # Flexible Regexp
-        set_headers(headers) if @path.match(rule)
-      else
+    def applicable_rules(path)
+      @header_rules.find_all do |rule, new_headers|
+        case rule
+        when :all
+          true
+        when :fonts
+          path =~ /\.(?:ttf|otf|eot|woff|svg)\z/
+        when String
+          path = ::Rack::Utils.unescape(path)
+          path.start_with?(rule) || path.start_with?('/' + rule)
+        when Array
+          path =~ /\.(#{rule.join('|')})\z/
+        when Regexp
+          path =~ rule
+        else
+          false
+        end
       end
     end
 
-    def set_headers(headers)
-      headers.each { |field, content| @headers[field] = content }
-    end
-
   end
 end

data/lib/rack/tempfile_reaper.rb

@@ -0,0 +1,22 @@
+require 'rack/body_proxy'
+
+module Rack
+
+  # Middleware tracks and cleans Tempfiles created throughout a request (i.e. Rack::Multipart)
+  # Ideas/strategy based on posts by Eric Wong and Charles Oliver Nutter
+  # https://groups.google.com/forum/#!searchin/rack-devel/temp/rack-devel/brK8eh-MByw/sw61oJJCGRMJ
+  class TempfileReaper
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      env['rack.tempfiles'] ||= []
+      status, headers, body = @app.call(env)
+      body_proxy = BodyProxy.new(body) do
+        env['rack.tempfiles'].each { |f| f.close! } unless env['rack.tempfiles'].nil?
+      end
+      [status, headers, body_proxy]
+    end
+  end
+end

data/lib/rack/urlmap.rb

@@ -48,9 +48,10 @@ module Rack
       sPort = env['SERVER_PORT']
 
       @mapping.each do |host, location, match, app|
-        unless hHost == host \
-            || sName == host \
-            || (!host && (hHost == sName || hHost == sName+':'+sPort))
+        unless casecmp?(hHost, host) \
+            || casecmp?(sName, host) \
+            || (!host && (casecmp?(hHost, sName) ||
+                          casecmp?(hHost, sName+':'+sPort)))
           next
         end
 
@@ -71,6 +72,19 @@ module Rack
       env['PATH_INFO'] = path
       env['SCRIPT_NAME'] = script_name
     end
+
+    private
+    def casecmp?(v1, v2)
+      # if both nil, or they're the same string
+      return true if v1 == v2
+
+      # if either are nil... (but they're not the same)
+      return false if v1.nil?
+      return false if v2.nil?
+
+      # otherwise check they're not case-insensitive the same
+      v1.casecmp(v2).zero?
+    end
   end
 end
 

data/lib/rack/utils.rb

@@ -9,7 +9,7 @@ major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
 
 if major == 1 && minor < 9
   require 'rack/backports/uri/common_18'
-elsif major == 1 && minor == 9 && patch == 2 && RUBY_PATCHLEVEL <= 320 && RUBY_ENGINE != 'jruby'
+elsif major == 1 && minor == 9 && patch == 2 && RUBY_PATCHLEVEL <= 328 && RUBY_ENGINE != 'jruby'
   require 'rack/backports/uri/common_192'
 elsif major == 1 && minor == 9 && patch == 3 && RUBY_PATCHLEVEL < 125
   require 'rack/backports/uri/common_193'
@@ -22,6 +22,15 @@ module Rack
   # applications adopted from all kinds of Ruby libraries.
 
   module Utils
+    # ParameterTypeError is the error that is raised when incoming structural
+    # parameters (parsed by parse_nested_query) contain conflicting types.
+    class ParameterTypeError < TypeError; end
+
+    # InvalidParameterError is the error that is raised when incoming structural
+    # parameters (parsed by parse_nested_query) contain invalid format or byte
+    # sequence.
+    class InvalidParameterError < ArgumentError; end
+
     # URI escapes. (CGI style space to +)
     def escape(s)
       URI.encode_www_form_component(s)
@@ -52,23 +61,12 @@ module Rack
 
     class << self
       attr_accessor :key_space_limit
-      attr_accessor :param_depth_limit
-      attr_accessor :multipart_part_limit
     end
 
     # The default number of bytes to allow parameter keys to take up.
     # This helps prevent a rogue client from flooding a Request.
     self.key_space_limit = 65536
 
-    # Default depth at which the parameter parser will raise an exception for
-    # being too deep.  This helps prevent SystemStackErrors
-    self.param_depth_limit = 100
-    #
-    # The maximum number of parts a request can contain. Accepting to many part
-    # can lead to the server running out of file handles.
-    # Set to `0` for no limit.
-    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
-
     # Stolen from Mongrel, with some small modifications:
     # Parses a query string by breaking it up at the '&'
     # and ';' characters.  You can also use this to parse
@@ -98,6 +96,11 @@ module Rack
     end
     module_function :parse_query
 
+    # parse_nested_query expands a query string into structural types. Supported
+    # types are Arrays, Hashes and basic value types. It is possible to supply
+    # query strings with parameters of conflicting types, in this case a
+    # ParameterTypeError is raised. Users are encouraged to return a 400 in this
+    # case.
     def parse_nested_query(qs, d = nil)
       params = KeySpaceConstrainedParams.new
 
@@ -108,12 +111,15 @@ module Rack
       end
 
       return params.to_params_hash
+    rescue ArgumentError => e
+      raise InvalidParameterError, e.message
     end
     module_function :parse_nested_query
 
-    def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit)
-      raise RangeError if depth <= 0
-
+    # normalize_params recursively expands parameters into structural types. If
+    # the structural types represented by two different parameter names are in
+    # conflict, a ParameterTypeError is raised.
+    def normalize_params(params, name, v = nil)
       name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
       k = $1 || ''
       after = $' || ''
@@ -122,23 +128,25 @@ module Rack
 
       if after == ""
         params[k] = v
+      elsif after == "["
+        params[name] = v
       elsif after == "[]"
         params[k] ||= []
-        raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+        raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
         params[k] << v
       elsif after =~ %r(^\[\]\[([^\[\]]+)\]$) || after =~ %r(^\[\](.+)$)
         child_key = $1
         params[k] ||= []
-        raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+        raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
         if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
-          normalize_params(params[k].last, child_key, v, depth - 1)
+          normalize_params(params[k].last, child_key, v)
         else
-          params[k] << normalize_params(params.class.new, child_key, v, depth - 1)
+          params[k] << normalize_params(params.class.new, child_key, v)
         end
       else
         params[k] ||= params.class.new
-        raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
-        params[k] = normalize_params(params[k], after, v, depth - 1)
+        raise ParameterTypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
+        params[k] = normalize_params(params[k], after, v)
       end
 
       return params
@@ -170,12 +178,12 @@ module Rack
       when Hash
         value.map { |k, v|
           build_nested_query(v, prefix ? "#{prefix}[#{escape(k)}]" : escape(k))
-        }.join("&")
-      when String
+        }.reject(&:empty?).join('&')
+      when nil
+        prefix
+      else
         raise ArgumentError, "value must be a Hash" if prefix.nil?
         "#{prefix}=#{escape(value)}"
-      else
-        prefix
       end
     end
     module_function :build_nested_query
@@ -195,13 +203,14 @@ module Rack
     def best_q_match(q_value_header, available_mimes)
       values = q_values(q_value_header)
 
-      values.map do |req_mime, quality|
-        match = available_mimes.first { |am| Rack::Mime.match?(am, req_mime) }
+      matches = values.map do |req_mime, quality|
+        match = available_mimes.find { |am| Rack::Mime.match?(am, req_mime) }
         next unless match
         [match, quality]
       end.compact.sort_by do |match, quality|
         (match.split('/', 2).count('*') * -10) + quality
-      end.last.first
+      end.last
+      matches && matches.first
     end
     module_function :best_q_match
 
@@ -216,7 +225,7 @@ module Rack
     if //.respond_to?(:encoding)
       ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
     else
-      # On 1.8, there is a kcode = 'u' bug that allows for XSS otherwhise
+      # On 1.8, there is a kcode = 'u' bug that allows for XSS otherwise
       # TODO doesn't apply to jruby, so a better condition above might be preferable?
       ESCAPE_HTML_PATTERN = /#{Regexp.union(*ESCAPE_HTML.keys)}/n
     end
@@ -247,10 +256,8 @@ module Rack
         encoding_candidates.push("identity")
       end
 
-      expanded_accept_encoding.find_all { |m, q|
-        q == 0.0
-      }.each { |m, _|
-        encoding_candidates.delete(m)
+      expanded_accept_encoding.each { |m, q|
+        encoding_candidates.delete(m) if q == 0.0
       }
 
       return (encoding_candidates & available_encodings)[0]
@@ -260,9 +267,9 @@ module Rack
     def set_cookie_header!(header, key, value)
       case value
       when Hash
-        domain  = "; domain="  + value[:domain] if value[:domain]
-        path    = "; path="    + value[:path]   if value[:path]
-        max_age = "; max-age=" + value[:max_age] if value[:max_age]
+        domain  = "; domain="  + value[:domain]       if value[:domain]
+        path    = "; path="    + value[:path]         if value[:path]
+        max_age = "; max-age=" + value[:max_age].to_s if value[:max_age]
         # There is an RFC mess in the area of date formatting for Cookies. Not
         # only are there contradicting RFCs and examples within RFC text, but
         # there are also numerous conflicting names of fields and partially
@@ -289,7 +296,7 @@ module Rack
         expires = "; expires=" +
           rfc2822(value[:expires].clone.gmtime) if value[:expires]
         secure = "; secure"  if value[:secure]
-        httponly = "; HttpOnly" if value[:httponly]
+        httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
         value = value[:value]
       end
       value = [value] unless Array === value
@@ -363,7 +370,7 @@ module Rack
     # of '% %b %Y'.
     # It assumes that the time is in GMT to comply to the RFC 2109.
     #
-    # NOTE: I'm not sure the RFC says it requires GMT, but is ambigous enough
+    # NOTE: I'm not sure the RFC says it requires GMT, but is ambiguous enough
     # that I'm certain someone implemented only that option.
     # Do not use %a and %b from Time.strptime, it would use localized names for
     # weekday and month.
@@ -409,6 +416,11 @@ module Rack
     module_function :byte_ranges
 
     # Constant time string comparison.
+    #
+    # NOTE: the values compared should be of fixed length, such as strings
+    # that have aready been processed by HMAC.  This should not be used
+    # on variable length plaintext strings because it could leak length info
+    # via timing attacks.
     def secure_compare(a, b)
       return false unless bytesize(a) == bytesize(b)
 
@@ -540,7 +552,11 @@ module Rack
         hash.keys.each do |key|
           value = hash[key]
           if value.kind_of?(self.class)
-            hash[key] = value.to_params_hash
+            if value.object_id == self.object_id
+              hash[key] = hash
+            else
+              hash[key] = value.to_params_hash
+            end
           elsif value.kind_of?(Array)
             value.map! {|x| x.kind_of?(self.class) ? x.to_params_hash : x}
           end
@@ -551,9 +567,9 @@ module Rack
 
     # Every standard HTTP code mapped to the appropriate message.
     # Generated with:
-    # irb -ropen-uri -rnokogiri
-    # > Nokogiri::XML(open("http://www.iana.org/assignments/http-status-codes/http-status-codes.xml")).css("record").each{|r|
-    #         puts "#{r.css('value').text} => '#{r.css('description').text}'"}
+    # ruby -ropen-uri -rnokogiri -e "Nokogiri::XML(open(
+    #   'http://www.iana.org/assignments/http-status-codes/http-status-codes.xml')).css('record').each{|r|
+    #   name = r.css('description').text; puts %Q[#{r.css('value').text} => '#{name}',] unless name == 'Unassigned' }"
     HTTP_STATUS_CODES = {
       100 => 'Continue',
       101 => 'Switching Protocols',
@@ -595,15 +611,13 @@ module Rack
       415 => 'Unsupported Media Type',
       416 => 'Requested Range Not Satisfiable',
       417 => 'Expectation Failed',
+      418 => 'I\'m a teapot',
       422 => 'Unprocessable Entity',
       423 => 'Locked',
       424 => 'Failed Dependency',
-      425 => 'Reserved for WebDAV advanced collections expired proposal',
       426 => 'Upgrade Required',
-      427 => 'Unassigned',
       428 => 'Precondition Required',
       429 => 'Too Many Requests',
-      430 => 'Unassigned',
       431 => 'Request Header Fields Too Large',
       500 => 'Internal Server Error',
       501 => 'Not Implemented',
@@ -614,7 +628,6 @@ module Rack
       506 => 'Variant Also Negotiates (Experimental)',
       507 => 'Insufficient Storage',
       508 => 'Loop Detected',
-      509 => 'Unassigned',
       510 => 'Not Extended',
       511 => 'Network Authentication Required'
     }
@@ -623,7 +636,7 @@ module Rack
     STATUS_WITH_NO_ENTITY_BODY = Set.new((100..199).to_a << 204 << 205 << 304)
 
     SYMBOL_TO_STATUS_CODE = Hash[*HTTP_STATUS_CODES.map { |code, message|
-      [message.downcase.gsub(/\s|-/, '_').to_sym, code]
+      [message.downcase.gsub(/\s|-|'/, '_').to_sym, code]
     }.flatten]
 
     def status_code(status)
@@ -637,5 +650,23 @@ module Rack
 
     Multipart = Rack::Multipart
 
+    PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
+
+    def clean_path_info(path_info)
+      parts = path_info.split PATH_SEPS
+
+      clean = []
+
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
+      end
+
+      clean.unshift '/' if parts.empty? || parts.first.empty?
+
+      ::File.join(*clean)
+    end
+    module_function :clean_path_info
+
   end
 end