rack 1.5.5 → 1.6.0.beta

data/test/spec_response.rb

@@ -85,6 +85,18 @@ describe Rack::Response do
     response["Set-Cookie"].should.equal "foo=bar; HttpOnly"
   end
 
+  it "can set http only cookies with :http_only" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :http_only => true}
+    response["Set-Cookie"].should.equal "foo=bar; HttpOnly"
+  end
+
+  it "can set prefers :httponly for http only cookie setting when :httponly and :http_only provided" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :httponly => false, :http_only => true}
+    response["Set-Cookie"].should.equal "foo=bar"
+  end
+
   it "can delete cookies" do
     response = Rack::Response.new
     response.set_cookie "foo", "bar"
@@ -211,11 +223,24 @@ describe Rack::Response do
     res.should.be.successful
     res.should.be.ok
 
+    res.status = 201
+    res.should.be.successful
+    res.should.be.created
+
+    res.status = 202
+    res.should.be.successful
+    res.should.be.accepted
+
     res.status = 400
     res.should.not.be.successful
     res.should.be.client_error
     res.should.be.bad_request
 
+    res.status = 401
+    res.should.not.be.successful
+    res.should.be.client_error
+    res.should.be.unauthorized
+
     res.status = 404
     res.should.not.be.successful
     res.should.be.client_error
@@ -226,6 +251,11 @@ describe Rack::Response do
     res.should.be.client_error
     res.should.be.method_not_allowed
 
+    res.status = 418
+    res.should.not.be.successful
+    res.should.be.client_error
+    res.should.be.i_m_a_teapot
+
     res.status = 422
     res.should.not.be.successful
     res.should.be.client_error

data/test/spec_server.rb

@@ -30,14 +30,24 @@ describe Rack::Server do
 
   should "not include Rack::Lint in deployment or none environments" do
     server = Rack::Server.new(:app => 'foo')
-    server.middleware['deployment'].flatten.should.not.include(Rack::Lint)
-    server.middleware['none'].flatten.should.not.include(Rack::Lint)
+    server.default_middleware_by_environment['deployment'].flatten.should.not.include(Rack::Lint)
+    server.default_middleware_by_environment['none'].flatten.should.not.include(Rack::Lint)
   end
 
   should "not include Rack::ShowExceptions in deployment or none environments" do
     server = Rack::Server.new(:app => 'foo')
-    server.middleware['deployment'].flatten.should.not.include(Rack::ShowExceptions)
-    server.middleware['none'].flatten.should.not.include(Rack::ShowExceptions)
+    server.default_middleware_by_environment['deployment'].flatten.should.not.include(Rack::ShowExceptions)
+    server.default_middleware_by_environment['none'].flatten.should.not.include(Rack::ShowExceptions)
+  end
+
+  should "always return an empty array for unknown environments" do
+    server = Rack::Server.new(:app => 'foo')
+    server.default_middleware_by_environment['production'].should.equal []
+  end
+
+  should "include Rack::TempfileReaper in deployment environment" do
+    server = Rack::Server.new(:app => 'foo')
+    server.middleware['deployment'].flatten.should.include(Rack::TempfileReaper)
   end
 
   should "support CGI" do
@@ -51,9 +61,14 @@ describe Rack::Server do
     end
   end
 
+  should "be quiet if said so" do
+    server = Rack::Server.new(:app => "FOO", :quiet => true)
+    Rack::Server.logging_middleware.call(server).should.eql(nil)
+  end
+
   should "not force any middleware under the none configuration" do
     server = Rack::Server.new(:app => 'foo')
-    server.middleware['none'].should.be.empty
+    server.default_middleware_by_environment['none'].should.be.empty
   end
 
   should "use a full path to the pidfile" do

data/test/spec_session_cookie.rb

@@ -119,13 +119,35 @@ describe Rack::Session::Cookie do
         coder.decode('lulz').should.equal nil
       end
     end
+
+    describe 'ZipJSON' do
+      it 'jsons, deflates, and base64 encodes' do
+        coder = Rack::Session::Cookie::Base64::ZipJSON.new
+        obj   = %w[fuuuuu]
+        json = Rack::Utils::OkJson.encode(obj)
+        coder.encode(obj).should.equal [Zlib::Deflate.deflate(json)].pack('m')
+      end
+
+      it 'base64 decodes, inflates, and decodes json' do
+        coder = Rack::Session::Cookie::Base64::ZipJSON.new
+        obj   = %w[fuuuuu]
+        json  = Rack::Utils::OkJson.encode(obj)
+        b64   = [Zlib::Deflate.deflate(json)].pack('m')
+        coder.decode(b64).should.equal obj
+      end
+
+      it 'rescues failures on decode' do
+        coder = Rack::Session::Cookie::Base64::ZipJSON.new
+        coder.decode('lulz').should.equal nil
+      end
+    end
   end
 
   it "warns if no secret is given" do
-    cookie = Rack::Session::Cookie.new(incrementor)
+    Rack::Session::Cookie.new(incrementor)
     @warnings.first.should =~ /no secret/i
     @warnings.clear
-    cookie = Rack::Session::Cookie.new(incrementor, :secret => 'abc')
+    Rack::Session::Cookie.new(incrementor, :secret => 'abc')
     @warnings.should.be.empty?
   end
 
@@ -364,4 +386,25 @@ describe Rack::Session::Cookie do
     response.body.should.match(/counter/)
     response.body.should.match(/foo/)
   end
+
+  it "allows more than one '--' in the cookie when calculating digests" do
+    @counter = 0
+    app = lambda do |env|
+      env["rack.session"]["message"] ||= ""
+      env["rack.session"]["message"] << "#{(@counter += 1).to_s}--"
+      hash = env["rack.session"].dup
+      hash.delete("session_id")
+      Rack::Response.new(hash["message"]).to_a
+    end
+    # another example of an unsafe coder is Base64.urlsafe_encode64
+    unsafe_coder = Class.new {
+      def encode(hash); hash.inspect end
+      def decode(str); eval(str) if str; end
+    }.new
+    _app = [ app, { :secret => "test", :coder => unsafe_coder } ]
+    response = response_for(:app => _app)
+    response.body.should.equal "1--"
+    response = response_for(:app => _app, :cookie => response)
+    response.body.should.equal "1--2--"
+  end
 end

data/test/spec_session_memcache.rb

@@ -274,7 +274,7 @@ begin
       session['counter'].should.equal 2 # meeeh
 
       tnum = rand(7).to_i+5
-      r = Array.new(tnum) do |i|
+      r = Array.new(tnum) do
         app = Rack::Utils::Context.new pool, time_delta
         req = Rack::MockRequest.new app
         Thread.new(req) do |run|

data/test/spec_showexceptions.rb

@@ -16,7 +16,7 @@ describe Rack::ShowExceptions do
     ))
 
     lambda{
-      res = req.get("/")
+      res = req.get("/", "HTTP_ACCEPT" => "text/html")
     }.should.not.raise
 
     res.should.be.a.server_error
@@ -26,7 +26,7 @@ describe Rack::ShowExceptions do
     res.should =~ /ShowExceptions/
   end
 
-  it "responds with plain text on AJAX requests accepting anything but HTML" do
+  it "responds with HTML only to requests accepting HTML" do
     res = nil
 
     req = Rack::MockRequest.new(
@@ -34,39 +34,32 @@ describe Rack::ShowExceptions do
         lambda{|env| raise RuntimeError, "It was never supposed to work" }
     ))
 
-    lambda{
-      res = req.get("/", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest")
-    }.should.not.raise
-
-    res.should.be.a.server_error
-    res.status.should.equal 500
-
-    res.content_type.should.equal "text/plain"
-
-    res.body.should.include "RuntimeError: It was never supposed to work\n"
-    res.body.should.include __FILE__
-  end
-
-  it "responds with HTML on AJAX requests accepting HTML" do
-    res = nil
-
-    req = Rack::MockRequest.new(
-      show_exceptions(
-        lambda{|env| raise RuntimeError, "It was never supposed to work" }
-    ))
-
-    lambda{
-      res = req.get("/", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest", "HTTP_ACCEPT" => "text/html")
-    }.should.not.raise
-
-    res.should.be.a.server_error
-    res.status.should.equal 500
-
-    res.content_type.should.equal "text/html"
-
-    res.body.should.include "RuntimeError"
-    res.body.should.include "It was never supposed to work"
-    res.body.should.include Rack::Utils.escape_html(__FILE__)
+    [
+      # Serve text/html when the client accepts text/html
+      ["text/html", ["/", {"HTTP_ACCEPT" => "text/html"}]],
+      ["text/html", ["/", {"HTTP_ACCEPT" => "*/*"}]],
+      # Serve text/plain when the client does not accept text/html
+      ["text/plain", ["/"]],
+      ["text/plain", ["/", {"HTTP_ACCEPT" => "application/json"}]]
+    ].each do |exmime, rargs|
+      lambda{
+        res = req.get(*rargs)
+      }.should.not.raise
+
+      res.should.be.a.server_error
+      res.status.should.equal 500
+
+      res.content_type.should.equal exmime
+
+      res.body.should.include "RuntimeError"
+      res.body.should.include "It was never supposed to work"
+
+      if exmime == "text/html"
+        res.body.should.include '</html>'
+      else
+        res.body.should.not.include '</html>'
+      end
+    end
   end
 
   it "handles exceptions without a backtrace" do
@@ -79,7 +72,7 @@ describe Rack::ShowExceptions do
     )
 
     lambda{
-      res = req.get("/")
+      res = req.get("/", "HTTP_ACCEPT" => "text/html")
     }.should.not.raise
 
     res.should.be.a.server_error

data/test/spec_showstatus.rb

@@ -1,6 +1,7 @@
 require 'rack/showstatus'
 require 'rack/lint'
 require 'rack/mock'
+require 'rack/utils'
 
 describe Rack::ShowStatus do
   def show_status(app)
@@ -40,6 +41,24 @@ describe Rack::ShowStatus do
     res.should =~ /too meta/
   end
 
+  should "escape error" do
+    detail = "<script>alert('hi \"')</script>"
+    req = Rack::MockRequest.new(
+      show_status(
+        lambda{|env|
+          env["rack.showstatus.detail"] = detail
+          [500, {"Content-Type" => "text/plain", "Content-Length" => "0"}, []]
+    }))
+
+    res = req.get("/", :lint => true)
+    res.should.be.not.empty
+
+    res["Content-Type"].should.equal("text/html")
+    res.should =~ /500/
+    res.should.not.include detail
+    res.body.should.include Rack::Utils.escape_html(detail)
+  end
+
   should "not replace existing messages" do
     req = Rack::MockRequest.new(
       show_status(

data/test/spec_tempfile_reaper.rb

@@ -0,0 +1,63 @@
+require 'rack/tempfile_reaper'
+require 'rack/lint'
+require 'rack/mock'
+
+describe Rack::TempfileReaper do
+  class MockTempfile
+    attr_reader :closed
+
+    def initialize
+      @closed = false
+    end
+
+    def close!
+      @closed = true
+    end
+  end
+
+  before do
+    @env = Rack::MockRequest.env_for
+  end
+
+  def call(app)
+    Rack::Lint.new(Rack::TempfileReaper.new(app)).call(@env)
+  end
+
+  should 'do nothing (i.e. not bomb out) without env[rack.tempfiles]' do
+    app = lambda { |_| [200, {}, ['Hello, World!']] }
+    response = call(app)
+    response[2].close
+    response[0].should.equal(200)
+  end
+
+  should 'close env[rack.tempfiles] when body is closed' do
+    tempfile1, tempfile2 = MockTempfile.new, MockTempfile.new
+    @env['rack.tempfiles'] = [ tempfile1, tempfile2 ]
+    app = lambda { |_| [200, {}, ['Hello, World!']] }
+    call(app)[2].close
+    tempfile1.closed.should.equal true
+    tempfile2.closed.should.equal true
+  end
+
+  should 'initialize env[rack.tempfiles] when not already present' do
+    tempfile = MockTempfile.new
+    app = lambda do |env|
+      env['rack.tempfiles'] << tempfile
+      [200, {}, ['Hello, World!']]
+    end
+    call(app)[2].close
+    tempfile.closed.should.equal true
+  end
+
+  should 'append env[rack.tempfiles] when already present' do
+    tempfile1, tempfile2 = MockTempfile.new, MockTempfile.new
+    @env['rack.tempfiles'] = [ tempfile1 ]
+    app = lambda do |env|
+      env['rack.tempfiles'] << tempfile2
+      [200, {}, ['Hello, World!']]
+    end
+    call(app)[2].close
+    tempfile1.closed.should.equal true
+    tempfile2.closed.should.equal true
+  end
+end

data/test/spec_urlmap.rb

@@ -210,4 +210,27 @@ describe Rack::URLMap do
     res["X-PathInfo"].should.equal "/http://example.org/bar"
     res["X-ScriptName"].should.equal ""
   end
+
+  should "not be case sensitive with hosts" do
+    map = Rack::Lint.new(Rack::URLMap.new("http://example.org/" => lambda { |env|
+                             [200,
+                              { "Content-Type" => "text/plain",
+                                "X-Position" => "root",
+                                "X-PathInfo" => env["PATH_INFO"],
+                                "X-ScriptName" => env["SCRIPT_NAME"]
+                              }, [""]]}
+                           ))
+
+    res = Rack::MockRequest.new(map).get("http://example.org/")
+    res.should.be.ok
+    res["X-Position"].should.equal "root"
+    res["X-PathInfo"].should.equal "/"
+    res["X-ScriptName"].should.equal ""
+
+    res = Rack::MockRequest.new(map).get("http://EXAMPLE.ORG/")
+    res.should.be.ok
+    res["X-Position"].should.equal "root"
+    res["X-PathInfo"].should.equal "/"
+    res["X-ScriptName"].should.equal ""
+  end
 end

data/test/spec_utils.rb

@@ -123,15 +123,14 @@ describe Rack::Utils do
     Rack::Utils.parse_query(",foo=bar;,", ";,").should.equal "foo" => "bar"
   end
 
-  should "raise an exception if the params are too deep" do
-    len = Rack::Utils.param_depth_limit
+  should "not create infinite loops with cycle structures" do
+    ex = { "foo" => nil }
+    ex["foo"] = ex
 
+    params = Rack::Utils::KeySpaceConstrainedParams.new
+    params['foo'] = params
     lambda {
-      Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar")
-    }.should.raise(RangeError)
-
-    lambda {
-      Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar")
+      params.to_params_hash.to_s.should.equal ex.to_s
     }.should.not.raise
   end
 
@@ -169,6 +168,16 @@ describe Rack::Utils do
       should.equal "foo" => [""]
     Rack::Utils.parse_nested_query("foo[]=bar").
       should.equal "foo" => ["bar"]
+    Rack::Utils.parse_nested_query("foo[]=bar&foo").
+      should.equal "foo" => nil
+    Rack::Utils.parse_nested_query("foo[]=bar&foo[").
+      should.equal "foo" => ["bar"], "foo[" => nil
+    Rack::Utils.parse_nested_query("foo[]=bar&foo[=baz").
+      should.equal "foo" => ["bar"], "foo[" => "baz"
+    Rack::Utils.parse_nested_query("foo[]=bar&foo[]").
+      should.equal "foo" => ["bar", nil]
+    Rack::Utils.parse_nested_query("foo[]=bar&foo[]=").
+      should.equal "foo" => ["bar", ""]
 
     Rack::Utils.parse_nested_query("foo[]=1&foo[]=2").
       should.equal "foo" => ["1", "2"]
@@ -204,16 +213,22 @@ describe Rack::Utils do
       should.equal "x" => {"y" => [{"z" => "1", "w" => "a"}, {"z" => "2", "w" => "3"}]}
 
     lambda { Rack::Utils.parse_nested_query("x[y]=1&x[y]z=2") }.
-      should.raise(TypeError).
+      should.raise(Rack::Utils::ParameterTypeError).
       message.should.equal "expected Hash (got String) for param `y'"
 
     lambda { Rack::Utils.parse_nested_query("x[y]=1&x[]=1") }.
-      should.raise(TypeError).
+      should.raise(Rack::Utils::ParameterTypeError).
       message.should.match(/expected Array \(got [^)]*\) for param `x'/)
 
     lambda { Rack::Utils.parse_nested_query("x[y]=1&x[y][][w]=2") }.
-      should.raise(TypeError).
+      should.raise(Rack::Utils::ParameterTypeError).
       message.should.equal "expected Array (got String) for param `y'"
+
+    if RUBY_VERSION.to_f > 1.9
+      lambda { Rack::Utils.parse_nested_query("foo%81E=1") }.
+        should.raise(Rack::Utils::InvalidParameterError).
+        message.should.equal "invalid byte sequence in UTF-8"
+    end
   end
 
   should "build query strings correctly" do
@@ -233,6 +248,8 @@ describe Rack::Utils do
 
     Rack::Utils.build_nested_query("foo" => "1", "bar" => "2").
       should.be equal_query_to("foo=1&bar=2")
+    Rack::Utils.build_nested_query("foo" => 1, "bar" => 2).
+      should.be equal_query_to("foo=1&bar=2")
     Rack::Utils.build_nested_query("my weird field" => "q1!2\"'w$5&7/z8)?").
       should.be equal_query_to("my+weird+field=q1%212%22%27w%245%267%2Fz8%29%3F")
 
@@ -242,6 +259,14 @@ describe Rack::Utils do
       should.equal "foo[]="
     Rack::Utils.build_nested_query("foo" => ["bar"]).
       should.equal "foo[]=bar"
+    Rack::Utils.build_nested_query('foo' => []).
+      should.equal ''
+    Rack::Utils.build_nested_query('foo' => {}).
+      should.equal ''
+    Rack::Utils.build_nested_query('foo' => 'bar', 'baz' => []).
+      should.equal 'foo=bar'
+    Rack::Utils.build_nested_query('foo' => 'bar', 'baz' => {}).
+      should.equal 'foo=bar'
 
     # The ordering of the output query string is unpredictable with 1.8's
     # unordered hash. Test that build_nested_query performs the inverse
@@ -302,9 +327,15 @@ describe Rack::Utils do
     # Higher quality matches are preferred
     Rack::Utils.best_q_match("text/*;q=0.5,text/plain;q=1.0", %w[text/plain text/html]).should.equal "text/plain"
 
+    # Respect requested content type
+    Rack::Utils.best_q_match("application/json", %w[application/vnd.lotus-1-2-3 application/json]).should.equal "application/json"
+
     # All else equal, the available mimes are preferred in order
     Rack::Utils.best_q_match("text/*", %w[text/html text/plain]).should.equal "text/html"
     Rack::Utils.best_q_match("text/plain,text/html", %w[text/html text/plain]).should.equal "text/html"
+
+    # When there are no matches, return nil:
+    Rack::Utils.best_q_match("application/json", %w[text/html text/plain]).should.equal nil
   end
 
   should "escape html entities [&><'\"/]" do
@@ -390,6 +421,25 @@ describe Rack::Utils do
   should "return rfc2109 format from rfc2109 helper" do
     Rack::Utils.rfc2109(Time.at(0).gmtime).should == "Thu, 01-Jan-1970 00:00:00 GMT"
   end
+
+  should "clean directory traversal" do
+    Rack::Utils.clean_path_info("/cgi/../cgi/test").should.equal "/cgi/test"
+    Rack::Utils.clean_path_info(".").should.empty
+    Rack::Utils.clean_path_info("test/..").should.empty
+  end
+
+  should "clean unsafe directory traversal to safe path" do
+    Rack::Utils.clean_path_info("/../README.rdoc").should.equal "/README.rdoc"
+    Rack::Utils.clean_path_info("../test/spec_utils.rb").should.equal "test/spec_utils.rb"
+  end
+
+  should "not clean directory traversal with encoded periods" do
+    Rack::Utils.clean_path_info("/%2E%2E/README").should.equal "/%2E%2E/README"
+  end
+
+  should "clean slash only paths" do
+    Rack::Utils.clean_path_info("/").should.equal "/"
+  end
 end
 
 describe Rack::Utils, "byte_range" do