rack 1.6.11 → 2.2.3



Files changed (190)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +694 -0
  3. data/CONTRIBUTING.md +136 -0
  4. data/{COPYING → MIT-LICENSE} +4 -2
  5. data/README.rdoc +157 -163
  6. data/Rakefile +38 -32
  7. data/{SPEC → SPEC.rdoc} +41 -13
  8. data/bin/rackup +1 -0
  9. data/contrib/rack_logo.svg +164 -111
  10. data/example/lobster.ru +2 -0
  11. data/example/protectedlobster.rb +4 -2
  12. data/example/protectedlobster.ru +3 -1
  13. data/lib/rack/auth/abstract/handler.rb +3 -1
  14. data/lib/rack/auth/abstract/request.rb +6 -2
  15. data/lib/rack/auth/basic.rb +7 -4
  16. data/lib/rack/auth/digest/md5.rb +13 -11
  17. data/lib/rack/auth/digest/nonce.rb +6 -3
  18. data/lib/rack/auth/digest/params.rb +5 -4
  19. data/lib/rack/auth/digest/request.rb +6 -4
  20. data/lib/rack/body_proxy.rb +21 -15
  21. data/lib/rack/builder.rb +119 -26
  22. data/lib/rack/cascade.rb +28 -12
  23. data/lib/rack/chunked.rb +70 -22
  24. data/lib/rack/common_logger.rb +80 -0
  25. data/lib/rack/{conditionalget.rb → conditional_get.rb} +20 -16
  26. data/lib/rack/config.rb +2 -0
  27. data/lib/rack/content_length.rb +9 -8
  28. data/lib/rack/content_type.rb +5 -4
  29. data/lib/rack/core_ext/regexp.rb +14 -0
  30. data/lib/rack/deflater.rb +60 -70
  31. data/lib/rack/directory.rb +117 -85
  32. data/lib/rack/etag.rb +9 -7
  33. data/lib/rack/events.rb +153 -0
  34. data/lib/rack/file.rb +4 -149
  35. data/lib/rack/files.rb +218 -0
  36. data/lib/rack/handler/cgi.rb +17 -19
  37. data/lib/rack/handler/fastcgi.rb +17 -18
  38. data/lib/rack/handler/lsws.rb +14 -14
  39. data/lib/rack/handler/scgi.rb +22 -21
  40. data/lib/rack/handler/thin.rb +6 -3
  41. data/lib/rack/handler/webrick.rb +39 -32
  42. data/lib/rack/handler.rb +9 -26
  43. data/lib/rack/head.rb +16 -18
  44. data/lib/rack/lint.rb +110 -64
  45. data/lib/rack/lobster.rb +10 -10
  46. data/lib/rack/lock.rb +17 -11
  47. data/lib/rack/logger.rb +4 -2
  48. data/lib/rack/media_type.rb +43 -0
  49. data/lib/rack/{methodoverride.rb → method_override.rb} +10 -8
  50. data/lib/rack/mime.rb +27 -6
  51. data/lib/rack/mock.rb +124 -65
  52. data/lib/rack/multipart/generator.rb +20 -16
  53. data/lib/rack/multipart/parser.rb +273 -162
  54. data/lib/rack/multipart/uploaded_file.rb +15 -8
  55. data/lib/rack/multipart.rb +39 -8
  56. data/lib/rack/{nulllogger.rb → null_logger.rb} +3 -1
  57. data/lib/rack/query_parser.rb +217 -0
  58. data/lib/rack/recursive.rb +11 -9
  59. data/lib/rack/reloader.rb +8 -4
  60. data/lib/rack/request.rb +553 -305
  61. data/lib/rack/response.rb +244 -88
  62. data/lib/rack/rewindable_input.rb +5 -15
  63. data/lib/rack/runtime.rb +12 -18
  64. data/lib/rack/sendfile.rb +17 -15
  65. data/lib/rack/server.rb +125 -47
  66. data/lib/rack/session/abstract/id.rb +217 -93
  67. data/lib/rack/session/cookie.rb +46 -31
  68. data/lib/rack/session/memcache.rb +4 -87
  69. data/lib/rack/session/pool.rb +26 -17
  70. data/lib/rack/show_exceptions.rb +390 -0
  71. data/lib/rack/{showstatus.rb → show_status.rb} +12 -12
  72. data/lib/rack/static.rb +48 -11
  73. data/lib/rack/tempfile_reaper.rb +3 -3
  74. data/lib/rack/urlmap.rb +26 -19
  75. data/lib/rack/utils.rb +212 -294
  76. data/lib/rack/version.rb +29 -0
  77. data/lib/rack.rb +76 -33
  78. data/rack.gemspec +43 -30
  79. metadata +65 -186
  80. data/HISTORY.md +0 -375
  81. data/KNOWN-ISSUES +0 -44
  82. data/lib/rack/backports/uri/common_18.rb +0 -56
  83. data/lib/rack/backports/uri/common_192.rb +0 -52
  84. data/lib/rack/backports/uri/common_193.rb +0 -29
  85. data/lib/rack/commonlogger.rb +0 -72
  86. data/lib/rack/handler/evented_mongrel.rb +0 -8
  87. data/lib/rack/handler/mongrel.rb +0 -106
  88. data/lib/rack/handler/swiftiplied_mongrel.rb +0 -8
  89. data/lib/rack/showexceptions.rb +0 -387
  90. data/lib/rack/utils/okjson.rb +0 -600
  91. data/test/builder/anything.rb +0 -5
  92. data/test/builder/comment.ru +0 -4
  93. data/test/builder/end.ru +0 -5
  94. data/test/builder/line.ru +0 -1
  95. data/test/builder/options.ru +0 -2
  96. data/test/cgi/assets/folder/test.js +0 -1
  97. data/test/cgi/assets/fonts/font.eot +0 -1
  98. data/test/cgi/assets/images/image.png +0 -1
  99. data/test/cgi/assets/index.html +0 -1
  100. data/test/cgi/assets/javascripts/app.js +0 -1
  101. data/test/cgi/assets/stylesheets/app.css +0 -1
  102. data/test/cgi/lighttpd.conf +0 -26
  103. data/test/cgi/rackup_stub.rb +0 -6
  104. data/test/cgi/sample_rackup.ru +0 -5
  105. data/test/cgi/test +0 -9
  106. data/test/cgi/test+directory/test+file +0 -1
  107. data/test/cgi/test.fcgi +0 -8
  108. data/test/cgi/test.ru +0 -5
  109. data/test/gemloader.rb +0 -10
  110. data/test/multipart/bad_robots +0 -259
  111. data/test/multipart/binary +0 -0
  112. data/test/multipart/content_type_and_no_filename +0 -6
  113. data/test/multipart/empty +0 -10
  114. data/test/multipart/fail_16384_nofile +0 -814
  115. data/test/multipart/file1.txt +0 -1
  116. data/test/multipart/filename_and_modification_param +0 -7
  117. data/test/multipart/filename_and_no_name +0 -6
  118. data/test/multipart/filename_with_escaped_quotes +0 -6
  119. data/test/multipart/filename_with_escaped_quotes_and_modification_param +0 -7
  120. data/test/multipart/filename_with_null_byte +0 -7
  121. data/test/multipart/filename_with_percent_escaped_quotes +0 -6
  122. data/test/multipart/filename_with_unescaped_percentages +0 -6
  123. data/test/multipart/filename_with_unescaped_percentages2 +0 -6
  124. data/test/multipart/filename_with_unescaped_percentages3 +0 -6
  125. data/test/multipart/filename_with_unescaped_quotes +0 -6
  126. data/test/multipart/ie +0 -6
  127. data/test/multipart/invalid_character +0 -6
  128. data/test/multipart/mixed_files +0 -21
  129. data/test/multipart/nested +0 -10
  130. data/test/multipart/none +0 -9
  131. data/test/multipart/semicolon +0 -6
  132. data/test/multipart/text +0 -15
  133. data/test/multipart/three_files_three_fields +0 -31
  134. data/test/multipart/webkit +0 -32
  135. data/test/rackup/config.ru +0 -31
  136. data/test/registering_handler/rack/handler/registering_myself.rb +0 -8
  137. data/test/spec_auth_basic.rb +0 -81
  138. data/test/spec_auth_digest.rb +0 -259
  139. data/test/spec_body_proxy.rb +0 -85
  140. data/test/spec_builder.rb +0 -223
  141. data/test/spec_cascade.rb +0 -61
  142. data/test/spec_cgi.rb +0 -102
  143. data/test/spec_chunked.rb +0 -101
  144. data/test/spec_commonlogger.rb +0 -93
  145. data/test/spec_conditionalget.rb +0 -102
  146. data/test/spec_config.rb +0 -22
  147. data/test/spec_content_length.rb +0 -85
  148. data/test/spec_content_type.rb +0 -45
  149. data/test/spec_deflater.rb +0 -339
  150. data/test/spec_directory.rb +0 -88
  151. data/test/spec_etag.rb +0 -107
  152. data/test/spec_fastcgi.rb +0 -107
  153. data/test/spec_file.rb +0 -221
  154. data/test/spec_handler.rb +0 -72
  155. data/test/spec_head.rb +0 -45
  156. data/test/spec_lint.rb +0 -550
  157. data/test/spec_lobster.rb +0 -58
  158. data/test/spec_lock.rb +0 -164
  159. data/test/spec_logger.rb +0 -23
  160. data/test/spec_methodoverride.rb +0 -111
  161. data/test/spec_mime.rb +0 -51
  162. data/test/spec_mock.rb +0 -297
  163. data/test/spec_mongrel.rb +0 -182
  164. data/test/spec_multipart.rb +0 -600
  165. data/test/spec_nulllogger.rb +0 -20
  166. data/test/spec_recursive.rb +0 -72
  167. data/test/spec_request.rb +0 -1232
  168. data/test/spec_response.rb +0 -407
  169. data/test/spec_rewindable_input.rb +0 -118
  170. data/test/spec_runtime.rb +0 -49
  171. data/test/spec_sendfile.rb +0 -130
  172. data/test/spec_server.rb +0 -167
  173. data/test/spec_session_abstract_id.rb +0 -53
  174. data/test/spec_session_cookie.rb +0 -410
  175. data/test/spec_session_memcache.rb +0 -321
  176. data/test/spec_session_pool.rb +0 -209
  177. data/test/spec_showexceptions.rb +0 -98
  178. data/test/spec_showstatus.rb +0 -103
  179. data/test/spec_static.rb +0 -145
  180. data/test/spec_tempfile_reaper.rb +0 -63
  181. data/test/spec_thin.rb +0 -91
  182. data/test/spec_urlmap.rb +0 -236
  183. data/test/spec_utils.rb +0 -647
  184. data/test/spec_version.rb +0 -17
  185. data/test/spec_webrick.rb +0 -184
  186. data/test/static/another/index.html +0 -1
  187. data/test/static/index.html +0 -1
  188. data/test/testrequest.rb +0 -78
  189. data/test/unregistered_handler/rack/handler/unregistered.rb +0 -7
  190. data/test/unregistered_handler/rack/handler/unregistered_long_one.rb +0 -7
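--- a/data/HISTORY.md
+++ /dev/null
@@ -1,375 +0,0 @@
-Sun Dec 4 18:48:03 2015 Jeremy Daer <jeremydaer@gmail.com>
-
-* First-party "SameSite" cookies. Browsers omit SameSite cookies
-from third-party requests, closing the door on many CSRF attacks.
-
-Pass `same_site: true` (or `:strict`) to enable:
-response.set_cookie 'foo', value: 'bar', same_site: true
-or `same_site: :lax` to use Lax enforcement:
-response.set_cookie 'foo', value: 'bar', same_site: :lax
-
-Based on version 7 of the Same-site Cookies internet draft:
-https://tools.ietf.org/html/draft-west-first-party-cookies-07
-
-Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
-updating to drafts 5 and 7.
-
-Wed Jun 24 12:13:37 2015 Aaron Patterson <tenderlove@ruby-lang.org>
-
-* Fix Ruby 1.8 backwards compatibility
-
-Fri Jun 19 07:14:50 2015 Matthew Draper <matthew@trebex.net>
-
-* Work around a Rails incompatibility in our private API
-
-Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
-
-* Prevent extremely deep parameters from being parsed. CVE-2015-3225
-
-### December 18th, Thirty sixth public release 1.6.0
-
-### February 7th, Thirty fifth public release 1.5.2
-- Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-- Fix CVE-2013-0262, symlink path traversal in Rack::File
-- Add various methods to Session for enhanced Rails compatibility
-- Request#trusted_proxy? now only matches whole stirngs
-- Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
-- URLMap host matching in environments that don't set the Host header fixed
-- Fix a race condition that could result in overwritten pidfiles
-- Various documentation additions
-
-### February 7th, Thirty fifth public release 1.4.5
-- Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-- Fix CVE-2013-0262, symlink path traversal in Rack::File
-
-### February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
-- Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-
-### January 28th, 2013: Thirty fourth public release 1.5.1
-- Rack::Lint check_hijack now conforms to other parts of SPEC
-- Added hash-like methods to Abstract::ID::SessionHash for compatibility
-- Various documentation corrections
-
-### January 21st, 2013: Thirty third public release 1.5.0
-- Introduced hijack SPEC, for before-response and after-response hijacking
-- SessionHash is no longer a Hash subclass
-- Rack::File cache_control parameter is removed, in place of headers options
-- Rack::Auth::AbstractRequest#scheme now yields strings, not symbols
-- Rack::Utils cookie functions now format expires in RFC 2822 format
-- Rack::File now has a default mime type
-- rackup -b 'run Rack::File.new(".")', option provides command line configs
-- Rack::Deflater will no longer double encode bodies
-- Rack::Mime#match? provides convenience for Accept header matching
-- Rack::Utils#q_values provides splitting for Accept headers
-- Rack::Utils#best_q_match provides a helper for Accept headers
-- Rack::Handler.pick provides convenience for finding available servers
-- Puma added to the list of default servers (preferred over Webrick)
-- Various middleware now correctly close body when replacing it
-- Rack::Request#params is no longer persistent with only GET params
-- Rack::Request#update_param and #delete_param provide persistent operations
-- Rack::Request#trusted_proxy? now returns true for local unix sockets
-- Rack::Response no longer forces Content-Types
-- Rack::Sendfile provides local mapping configuration options
-- Rack::Utils#rfc2109 provides old netscape style time output
-- Updated HTTP status codes
-- Ruby 1.8.6 likely no longer passes tests, and is no longer fully supported
-
-### January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
-- [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
-- Fixed erroneous test case in the 1.3.x series
-
-### January 7th, 2013: Thirty first public release 1.4.3
-- Security: Prevent unbounded reads in large multipart boundaries
-
-### January 7th, 2013: Thirtieth public release 1.3.8
-- Security: Prevent unbounded reads in large multipart boundaries
-
-### January 6th, 2013: Twenty ninth public release 1.4.2
-- Add warnings when users do not provide a session secret
-- Fix parsing performance for unquoted filenames
-- Updated URI backports
-- Fix URI backport version matching, and silence constant warnings
-- Correct parameter parsing with empty values
-- Correct rackup '-I' flag, to allow multiple uses
-- Correct rackup pidfile handling
-- Report rackup line numbers correctly
-- Fix request loops caused by non-stale nonces with time limits
-- Fix reloader on Windows
-- Prevent infinite recursions from Response#to_ary
-- Various middleware better conforms to the body close specification
-- Updated language for the body close specification
-- Additional notes regarding ECMA escape compatibility issues
-- Fix the parsing of multiple ranges in range headers
-- Prevent errors from empty parameter keys
-- Added PATCH verb to Rack::Request
-- Various documentation updates
-- Fix session merge semantics (fixes rack-test)
-- Rack::Static :index can now handle multiple directories
-- All tests now utilize Rack::Lint (special thanks to Lars Gierth)
-- Rack::File cache_control parameter is now deprecated, and removed by 1.5
-- Correct Rack::Directory script name escaping
-- Rack::Static supports header rules for sophisticated configurations
-- Multipart parsing now works without a Content-Length header
-- New logos courtesy of Zachary Scott!
-- Rack::BodyProxy now explicitly defines #each, useful for C extensions
-- Cookies that are not URI escaped no longer cause exceptions
-
-### January 6th, 2013: Twenty eighth public release 1.3.7
-- Add warnings when users do not provide a session secret
-- Fix parsing performance for unquoted filenames
-- Updated URI backports
-- Fix URI backport version matching, and silence constant warnings
-- Correct parameter parsing with empty values
-- Correct rackup '-I' flag, to allow multiple uses
-- Correct rackup pidfile handling
-- Report rackup line numbers correctly
-- Fix request loops caused by non-stale nonces with time limits
-- Fix reloader on Windows
-- Prevent infinite recursions from Response#to_ary
-- Various middleware better conforms to the body close specification
-- Updated language for the body close specification
-- Additional notes regarding ECMA escape compatibility issues
-- Fix the parsing of multiple ranges in range headers
-
-### January 6th, 2013: Twenty seventh public release 1.2.6
-- Add warnings when users do not provide a session secret
-- Fix parsing performance for unquoted filenames
-
-### January 6th, 2013: Twenty sixth public release 1.1.4
-- Add warnings when users do not provide a session secret
-
-### January 22nd, 2012: Twenty fifth public release 1.4.1
-- Alter the keyspace limit calculations to reduce issues with nested params
-- Add a workaround for multipart parsing where files contain unescaped "%"
-- Added Rack::Response::Helpers#method_not_allowed? (code 405)
-- Rack::File now returns 404 for illegal directory traversals
-- Rack::File now returns 405 for illegal methods (non HEAD/GET)
-- Rack::Cascade now catches 405 by default, as well as 404
-- Cookies missing '--' no longer cause an exception to be raised
-- Various style changes and documentation spelling errors
-- Rack::BodyProxy always ensures to execute its block
-- Additional test coverage around cookies and secrets
-- Rack::Session::Cookie can now be supplied either secret or old_secret
-- Tests are no longer dependent on set order
-- Rack::Static no longer defaults to serving index files
-- Rack.release was fixed
-
-### December 28th, 2011: Twenty fourth public release 1.4.0
-- Ruby 1.8.6 support has officially been dropped. Not all tests pass.
-- Raise sane error messages for broken config.ru
-- Allow combining run and map in a config.ru
-- Rack::ContentType will not set Content-Type for responses without a body
-- Status code 205 does not send a response body
-- Rack::Response::Helpers will not rely on instance variables
-- Rack::Utils.build_query no longer outputs '=' for nil query values
-- Various mime types added
-- Rack::MockRequest now supports HEAD
-- Rack::Directory now supports files that contain RFC3986 reserved chars
-- Rack::File now only supports GET and HEAD requests
-- Rack::Server#start now passes the block to Rack::Handler::<h>#run
-- Rack::Static now supports an index option
-- Added the Teapot status code
-- rackup now defaults to Thin instead of Mongrel (if installed)
-- Support added for HTTP_X_FORWARDED_SCHEME
-- Numerous bug fixes, including many fixes for new and alternate rubies
-
-### December 28th, 2011: Twenty first public release: 1.1.3.
-- Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
-Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
-
-### October 17, 2011: Twentieth public release 1.3.5
-- Fix annoying warnings caused by the backport in 1.3.4
-
-### October 1, 2011: Nineteenth public release 1.3.4
-- Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
-- Small documentation update
-- Fix an issue where BodyProxy could cause an infinite recursion
-- Add some supporting files for travis-ci
-
-### September 16, 2011: Eighteenth public release 1.2.4
-- Fix a bug with MRI regex engine to prevent XSS by malformed unicode
-
-### September 16, 2011: Seventeenth public release 1.3.3
-- Fix bug with broken query parameters in Rack::ShowExceptions
-- Rack::Request#cookies no longer swallows exceptions on broken input
-- Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
-- Rack::ConditionalGet handles broken If-Modified-Since helpers
-
-### July 16, 2011: Sixteenth public release 1.3.2
-- Fix for Rails and rack-test, Rack::Utils#escape calls to_s
-
-### July 13, 2011: Fifteenth public release 1.3.1
-- Fix 1.9.1 support
-- Fix JRuby support
-- Properly handle $KCODE in Rack::Utils.escape
-- Make method_missing/respond_to behavior consistent for Rack::Lock,
-Rack::Auth::Digest::Request and Rack::Multipart::UploadedFile
-- Reenable passing rack.session to session middleware
-- Rack::CommonLogger handles streaming responses correctly
-- Rack::MockResponse calls close on the body object
-- Fix a DOS vector from MRI stdlib backport
-
-### May 22nd, 2011: Fourteenth public release 1.2.3
-- Pulled in relevant bug fixes from 1.3
-- Fixed 1.8.6 support
-
-### May 22nd, 2011: Thirteenth public release 1.3.0
-- Various performance optimizations
-- Various multipart fixes
-- Various multipart refactors
-- Infinite loop fix for multipart
-- Test coverage for Rack::Server returns
-- Allow files with '..', but not path components that are '..'
-- rackup accepts handler-specific options on the command line
-- Request#params no longer merges POST into GET (but returns the same)
-- Use URI.encode_www_form_component instead. Use core methods for escaping.
-- Allow multi-line comments in the config file
-- Bug L#94 reported by Nikolai Lugovoi, query parameter unescaping.
-- Rack::Response now deletes Content-Length when appropriate
-- Rack::Deflater now supports streaming
-- Improved Rack::Handler loading and searching
-- Support for the PATCH verb
-- env['rack.session.options'] now contains session options
-- Cookies respect renew
-- Session middleware uses SecureRandom.hex
-
-### March 13th, 2011: Twelfth public release 1.2.2/1.1.2.
-- Security fix in Rack::Auth::Digest::MD5: when authenticator
-returned nil, permission was granted on empty password.
-
-### June 15th, 2010: Eleventh public release 1.2.1.
-- Make CGI handler rewindable
-- Rename spec/ to test/ to not conflict with SPEC on lesser
-operating systems
-
-### June 13th, 2010: Tenth public release 1.2.0.
-- Removed Camping adapter: Camping 2.0 supports Rack as-is
-- Removed parsing of quoted values
-- Add Request.trace? and Request.options?
-- Add mime-type for .webm and .htc
-- Fix HTTP_X_FORWARDED_FOR
-- Various multipart fixes
-- Switch test suite to bacon
-
-### January 3rd, 2010: Ninth public release 1.1.0.
-- Moved Auth::OpenID to rack-contrib.
-- SPEC change that relaxes Lint slightly to allow subclasses of the
-required types
-- SPEC change to document rack.input binary mode in greator detail
-- SPEC define optional rack.logger specification
-- File servers support X-Cascade header
-- Imported Config middleware
-- Imported ETag middleware
-- Imported Runtime middleware
-- Imported Sendfile middleware
-- New Logger and NullLogger middlewares
-- Added mime type for .ogv and .manifest.
-- Don't squeeze PATH_INFO slashes
-- Use Content-Type to determine POST params parsing
-- Update Rack::Utils::HTTP_STATUS_CODES hash
-- Add status code lookup utility
-- Response should call #to_i on the status
-- Add Request#user_agent
-- Request#host knows about forwared host
-- Return an empty string for Request#host if HTTP_HOST and
-SERVER_NAME are both missing
-- Allow MockRequest to accept hash params
-- Optimizations to HeaderHash
-- Refactored rackup into Rack::Server
-- Added Utils.build_nested_query to complement Utils.parse_nested_query
-- Added Utils::Multipart.build_multipart to complement
-Utils::Multipart.parse_multipart
-- Extracted set and delete cookie helpers into Utils so they can be
-used outside Response
-- Extract parse_query and parse_multipart in Request so subclasses
-can change their behavior
-- Enforce binary encoding in RewindableInput
-- Set correct external_encoding for handlers that don't use RewindableInput
-
-### October 18th, 2009: Eighth public release 1.0.1.
-- Bump remainder of rack.versions.
-- Support the pure Ruby FCGI implementation.
-- Fix for form names containing "=": split first then unescape components
-- Fixes the handling of the filename parameter with semicolons in names.
-- Add anchor to nested params parsing regexp to prevent stack overflows
-- Use more compatible gzip write api instead of "<<".
-- Make sure that Reloader doesn't break when executed via ruby -e
-- Make sure WEBrick respects the :Host option
-- Many Ruby 1.9 fixes.
-
-### April 25th, 2009: Seventh public release 1.0.0.
-- SPEC change: Rack::VERSION has been pushed to [1,0].
-- SPEC change: header values must be Strings now, split on "\n".
-- SPEC change: Content-Length can be missing, in this case chunked transfer
-encoding is used.
-- SPEC change: rack.input must be rewindable and support reading into
-a buffer, wrap with Rack::RewindableInput if it isn't.
-- SPEC change: rack.session is now specified.
-- SPEC change: Bodies can now additionally respond to #to_path with
-a filename to be served.
-- NOTE: String bodies break in 1.9, use an Array consisting of a
-single String instead.
-- New middleware Rack::Lock.
-- New middleware Rack::ContentType.
-- Rack::Reloader has been rewritten.
-- Major update to Rack::Auth::OpenID.
-- Support for nested parameter parsing in Rack::Response.
-- Support for redirects in Rack::Response.
-- HttpOnly cookie support in Rack::Response.
-- The Rakefile has been rewritten.
-- Many bugfixes and small improvements.
-
-### January 9th, 2009: Sixth public release 0.9.1.
-- Fix directory traversal exploits in Rack::File and Rack::Directory.
-
-### January 6th, 2009: Fifth public release 0.9.
-- Rack is now managed by the Rack Core Team.
-- Rack::Lint is stricter and follows the HTTP RFCs more closely.
-- Added ConditionalGet middleware.
-- Added ContentLength middleware.
-- Added Deflater middleware.
-- Added Head middleware.
-- Added MethodOverride middleware.
-- Rack::Mime now provides popular MIME-types and their extension.
-- Mongrel Header now streams.
-- Added Thin handler.
-- Official support for swiftiplied Mongrel.
-- Secure cookies.
-- Made HeaderHash case-preserving.
-- Many bugfixes and small improvements.
-
-### August 21st, 2008: Fourth public release 0.4.
-- New middleware, Rack::Deflater, by Christoffer Sawicki.
-- OpenID authentication now needs ruby-openid 2.
-- New Memcache sessions, by blink.
-- Explicit EventedMongrel handler, by Joshua Peek <josh@joshpeek.com>
-- Rack::Reloader is not loaded in rackup development mode.
-- rackup can daemonize with -D.
-- Many bugfixes, especially for pool sessions, URLMap, thread safety
-and tempfile handling.
-- Improved tests.
-- Rack moved to Git.
-
-### February 26th, 2008: Third public release 0.3.
-- LiteSpeed handler, by Adrian Madrid.
-- SCGI handler, by Jeremy Evans.
-- Pool sessions, by blink.
-- OpenID authentication, by blink.
-- :Port and :File options for opening FastCGI sockets, by blink.
-- Last-Modified HTTP header for Rack::File, by blink.
-- Rack::Builder#use now accepts blocks, by Corey Jewett.
-(See example/protectedlobster.ru)
-- HTTP status 201 can contain a Content-Type and a body now.
-- Many bugfixes, especially related to Cookie handling.
-
-### May 16th, 2007: Second public release 0.2.
-- HTTP Basic authentication.
-- Cookie Sessions.
-- Static file handler.
-- Improved Rack::Request.
-- Improved Rack::Response.
-- Added Rack::ShowStatus, for better default error messages.
-- Bug fixes in the Camping adapter.
-- Removed Rails adapter, was too alpha.
-
-### March 3rd, 2007: First public release 0.1.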
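--- a/data/KNOWN-ISSUES
+++ /dev/null
@@ -1,44 +0,0 @@
-= Known issues with Rack and ECMA-262
-
-* Many users expect the escape() function defined in ECMA-262 to be compatible
-with URI. Confusion is especially strong because the documentation for the
-escape function includes a reference to the URI specifications. ECMA-262
-escape is not however a URI escape function, it is a javascript escape
-function, and is not fully compatible. Most notably, for characters outside of
-the BMP. Users should use the more correct encodeURI functions.
-
-= Known issues with Rack and Web servers
-
-* Lighttpd sets wrong SCRIPT_NAME and PATH_INFO if you mount your
-FastCGI app at "/". This can be fixed by using this middleware:
-
-class LighttpdScriptNameFix
-def initialize(app)
-@app = app
-end
-
-def call(env)
-env["PATH_INFO"] = env["SCRIPT_NAME"].to_s + env["PATH_INFO"].to_s
-env["SCRIPT_NAME"] = ""
-@app.call(env)
-end
-end
-
-Of course, use this only when your app runs at "/".
-
-Since lighttpd 1.4.23, you also can use the "fix-root-scriptname" flag
-in fastcgi.server.
-
-= Known conflicts regarding parameter parsing
-
-* Many users have differing opinions about parameter parsing. The current
-parameter parsers in Rack are based on a combination of the HTTP and CGI
-specs, and are intended to round-trip encoding and decoding. There are some
-choices that may be viewed as deficiencies, specifically:
-- Rack does not create implicit arrays for multiple instances of a parameter
-- Rack returns nil when a value is not given
-- Rack does not support multi-type keys in parameters
-These issues or choices, will not be fixed before 2.0, if at all. They are
-very major breaking changes. Users are free to write alternative parameter
-parsers, and their own Request and Response wrappers. Moreover, users are
-encouraged to do so.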
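--- a/data/lib/rack/backports/uri/common_18.rb
+++ /dev/null
@@ -1,56 +0,0 @@
-# :stopdoc:
-
-# Stolen from ruby core's uri/common.rb, with modifications to support 1.8.x
-#
-# https://github.com/ruby/ruby/blob/trunk/lib/uri/common.rb
-#
-#
-
-module URI
-TBLENCWWWCOMP_ = {} # :nodoc:
-256.times do |i|
-TBLENCWWWCOMP_[i.chr] = '%%%02X' % i
-end
-TBLENCWWWCOMP_[' '] = '+'
-TBLENCWWWCOMP_.freeze
-TBLDECWWWCOMP_ = {} # :nodoc:
-256.times do |i|
-h, l = i>>4, i&15
-TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
-TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
-TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
-TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
-end
-TBLDECWWWCOMP_['+'] = ' '
-TBLDECWWWCOMP_.freeze
-
-# Encode given +s+ to URL-encoded form data.
-#
-# This method doesn't convert *, -, ., 0-9, A-Z, _, a-z, but does convert SP
-# (ASCII space) to + and converts others to %XX.
-#
-# This is an implementation of
-# http://www.w3.org/TR/html5/forms.html#url-encoded-form-data
-#
-# See URI.decode_www_form_component, URI.encode_www_form
-def self.encode_www_form_component(s)
-str = s.to_s
-if RUBY_VERSION < "1.9" && $KCODE =~ /u/i
-str.gsub(/([^ a-zA-Z0-9_.-]+)/) do
-'%' + $1.unpack('H2' * Rack::Utils.bytesize($1)).join('%').upcase
-end.tr(' ', '+')
-else
-str.gsub(/[^*\-.0-9A-Z_a-z]/) {|m| TBLENCWWWCOMP_[m]}
-end
-end
-
-# Decode given +str+ of URL-encoded form data.
-#
-# This decodes + to SP.
-#
-# See URI.encode_www_form_component, URI.decode_www_form
-def self.decode_www_form_component(str, enc=nil)
-raise ArgumentError, "invalid %-encoding (#{str})" unless /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/ =~ str
-str.gsub(/\+|%[0-9a-fA-F]{2}/) {|m| TBLDECWWWCOMP_[m]}
-end
-end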
@@ -1,52 +0,0 @@
1
- # :stopdoc:
2
-
3
- # Stolen from ruby core's uri/common.rb @32618ba to fix DoS issues in 1.9.2
4
- #
5
- # https://github.com/ruby/ruby/blob/32618ba7438a2247042bba9b5d85b5d49070f5e5/lib/uri/common.rb
6
- #
7
- # Issue:
8
- # http://redmine.ruby-lang.org/issues/5149
9
- #
10
- # Relevant Fixes:
11
- # https://github.com/ruby/ruby/commit/b5f91deee04aa6ccbe07c23c8222b937c22a799b
12
- # https://github.com/ruby/ruby/commit/93177c1e5c3906abf14472ae0b905d8b5c72ce1b
13
- #
14
- # This should probably be removed once there is a Ruby 1.9.2 patch level that
15
- # includes this fix.
16
-
17
- require 'uri/common'
18
-
19
- module URI
20
- TBLDECWWWCOMP_ = {} unless const_defined?(:TBLDECWWWCOMP_) #:nodoc:
21
- if TBLDECWWWCOMP_.empty?
22
- 256.times do |i|
23
- h, l = i>>4, i&15
24
- TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
25
- TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
26
- TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
27
- TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
28
- end
29
- TBLDECWWWCOMP_['+'] = ' '
30
- TBLDECWWWCOMP_.freeze
31
- end
32
-
33
- def self.decode_www_form(str, enc=Encoding::UTF_8)
34
- return [] if str.empty?
35
- unless /\A#{WFKV_}=#{WFKV_}(?:[;&]#{WFKV_}=#{WFKV_})*\z/o =~ str
36
- raise ArgumentError, "invalid data of application/x-www-form-urlencoded (#{str})"
37
- end
38
- ary = []
39
- $&.scan(/([^=;&]+)=([^;&]*)/) do
40
- ary << [decode_www_form_component($1, enc), decode_www_form_component($2, enc)]
41
- end
42
- ary
43
- end
44
-
45
- def self.decode_www_form_component(str, enc=Encoding::UTF_8)
46
- raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str
47
- str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc)
48
- end
49
-
50
- remove_const :WFKV_ if const_defined?(:WFKV_)
51
- WFKV_ = '(?:[^%#=;&]*(?:%\h\h[^%#=;&]*)*)' # :nodoc:
52
- end
@@ -1,29 +0,0 @@
1
- # :stopdoc:
2
-
3
- require 'uri/common'
4
-
5
- # Issue:
6
- # http://bugs.ruby-lang.org/issues/5925
7
- #
8
- # Relevant commit:
9
- # https://github.com/ruby/ruby/commit/edb7cdf1eabaff78dfa5ffedfbc2e91b29fa9ca1
10
-
11
- module URI
12
- 256.times do |i|
13
- TBLENCWWWCOMP_[i.chr] = '%%%02X' % i
14
- end
15
- TBLENCWWWCOMP_[' '] = '+'
16
- TBLENCWWWCOMP_.freeze
17
-
18
- 256.times do |i|
19
- h, l = i>>4, i&15
20
- TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
21
- TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
22
- TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
23
- TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
24
- end
25
- TBLDECWWWCOMP_['+'] = ' '
26
- TBLDECWWWCOMP_.freeze
27
- end
28
-
29
- # :startdoc:
@@ -1,72 +0,0 @@
1
- require 'rack/body_proxy'
2
-
3
- module Rack
4
- # Rack::CommonLogger forwards every request to the given +app+, and
5
- # logs a line in the
6
- # {Apache common log format}[http://httpd.apache.org/docs/1.3/logs.html#common]
7
- # to the +logger+.
8
- #
9
- # If +logger+ is nil, CommonLogger will fall back +rack.errors+, which is
10
- # an instance of Rack::NullLogger.
11
- #
12
- # +logger+ can be any class, including the standard library Logger, and is
13
- # expected to have either +write+ or +<<+ method, which accepts the CommonLogger::FORMAT.
14
- # According to the SPEC, the error stream must also respond to +puts+
15
- # (which takes a single argument that responds to +to_s+), and +flush+
16
- # (which is called without arguments in order to make the error appear for
17
- # sure)
18
- class CommonLogger
19
- # Common Log Format: http://httpd.apache.org/docs/1.3/logs.html#common
20
- #
21
- # lilith.local - - [07/Aug/2006 23:58:02 -0400] "GET / HTTP/1.1" 500 -
22
- #
23
- # %{%s - %s [%s] "%s %s%s %s" %d %s\n} %
24
- FORMAT = %{%s - %s [%s] "%s %s%s %s" %d %s %0.4f\n}
25
-
26
- def initialize(app, logger=nil)
27
- @app = app
28
- @logger = logger
29
- end
30
-
31
- def call(env)
32
- began_at = Time.now
33
- status, header, body = @app.call(env)
34
- header = Utils::HeaderHash.new(header)
35
- body = BodyProxy.new(body) { log(env, status, header, began_at) }
36
- [status, header, body]
37
- end
38
-
39
- private
40
-
41
- def log(env, status, header, began_at)
42
- now = Time.now
43
- length = extract_content_length(header)
44
-
45
- msg = FORMAT % [
46
- env['HTTP_X_FORWARDED_FOR'] || env["REMOTE_ADDR"] || "-",
47
- env["REMOTE_USER"] || "-",
48
- now.strftime("%d/%b/%Y:%H:%M:%S %z"),
49
- env[REQUEST_METHOD],
50
- env[PATH_INFO],
51
- env[QUERY_STRING].empty? ? "" : "?"+env[QUERY_STRING],
52
- env["HTTP_VERSION"],
53
- status.to_s[0..3],
54
- length,
55
- now - began_at ]
56
-
57
- logger = @logger || env['rack.errors']
58
- # Standard library logger doesn't support write but it supports << which actually
59
- # calls to write on the log device without formatting
60
- if logger.respond_to?(:write)
61
- logger.write(msg)
62
- else
63
- logger << msg
64
- end
65
- end
66
-
67
- def extract_content_length(headers)
68
- value = headers[CONTENT_LENGTH] or return '-'
69
- value.to_s == '0' ? '-' : value
70
- end
71
- end
72
- end
@@ -1,8 +0,0 @@
1
- require 'swiftcore/evented_mongrel'
2
-
3
- module Rack
4
- module Handler
5
- class EventedMongrel < Handler::Mongrel
6
- end
7
- end
8
- end