rack 1.6.13 → 2.0.9.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1284c246863ad0e0c1472c12dc028993a5c84223a53deb943183f396c21f05ec
-  data.tar.gz: 6aba4634a7f953dff80b391f999eae11404516f22158d6b2931f8fc7d65aa02b
+  metadata.gz: 60eb430d14b80b4cc729d7a97bdf1a56196fa854ff5bd0a23f4fd21ecabd92ec
+  data.tar.gz: 373f537c5b38c9cf1f307dcc8876ff52e4dc67235bfcd554a0f6e35c854ee4c0
 SHA512:
-  metadata.gz: 81f24112cf528aa9f672dede1598fe9527a7d3aa5578e11fe6d6064a96d3091f0afae7f9d4bf453f1eff8c9a3d2ce4bb57991e5a45d41abfdc1948a62c8f65e2
-  data.tar.gz: bfde816a21a1293b1b8be7e7f3fd583887e854c57c96afc2d9b823cf16eb40938ef563294bb323389ab241322cfd3add5503e69e3e0ce8678739988d4990e43d
+  metadata.gz: d8d221546080d35fe8e9e4eb0810b02d0996b912874c408a7a5d270d6e26453430f0f05108ba41d8de40088b882db1de9f1efcac4e6b7e63a01431b6e4bd5f09
+  data.tar.gz: f4ba080150f27b7d2ffb4babc9707c0e539a7464bb4377df192122d8484158d188be57474ba9b5af3f72eaebb7257977f2ad43ba7effe3068decccba84caa0ea

data/COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2007-2015 Christian Neukirchen <purl.org/net/chneukirchen>
+Copyright (c) 2007-2016 Christian Neukirchen <purl.org/net/chneukirchen>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/HISTORY.md

@@ -1,3 +1,18 @@
+Thu Mar  2 14:50:46 2023  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
+Tue Jan 17 12:27:04 2023  Aaron Patterson <tenderlove@ruby-lang.org>
+
+        * [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+        * [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+        * [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+Fri May 27 08:27:04 2022  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* [CVE-2022-30123] Fix shell escaping issue in Common Logger
+	* [CVE-2022-30122] Restrict parsing of broken MIME attachments
+
 Sun Dec 4 18:48:03 2015  Jeremy Daer <jeremydaer@gmail.com>
 
 	* First-party "SameSite" cookies. Browsers omit SameSite cookies
@@ -14,21 +29,149 @@ Sun Dec 4 18:48:03 2015  Jeremy Daer <jeremydaer@gmail.com>
 	Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
 	updating to drafts 5 and 7.
 
-Wed Jun 24 12:13:37 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+Tue Nov  3 16:17:26 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Add `Rack::Events` middleware for adding event based middleware:
+	middleware that does not care about the response body, but only cares
+	about doing work at particular points in the request / response
+	lifecycle.
+
+Thu Oct  8 14:58:46 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Add `Rack::Request#authority` to calculate the authority under which
+	the response is being made (this will be handy for h2 pushes).
+
+Tue Oct  6 13:19:04 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Add `Rack::Response::Helpers#cache_control` and `cache_control=`.
+	Use this for setting cache control headers on your response objects.
+
+Tue Oct  6 13:12:21 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Add `Rack::Response::Helpers#etag` and `etag=`.  Use this for
+	setting etag values on the response.
+
+Sun Oct 3 18:25:03 2015  Jeremy Daer <jeremydaer@gmail.com>
+
+	* Introduce `Rack::Response::Helpers#add_header` to add a value to a
+	multi-valued response header. Implemented in terms of other
+	`Response#*_header` methods, so it's available to any response-like
+	class that includes the `Helpers` module.
+
+	* Add `Rack::Request#add_header` to match.
+
+Fri Sep  4 18:34:53 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* `Rack::Session::Abstract::ID` IS DEPRECATED.  Please switch to
+	`Rack::Session::Abstract::Persisted`.
+	`Rack::Session::Abstract::Persisted` uses a request object rather than
+	the `env` hash.
+
+Fri Sep  4 17:32:12 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Pull `ENV` access inside the request object in to a module.  This
+	will help with legacy Request objects that are ENV based but don't
+	want to inherit from Rack::Request
 
-	* Fix Ruby 1.8 backwards compatibility
+Fri Sep  4 16:09:11 2015  Aaron Patterson <tenderlove@ruby-lang.org>
 
-Fri Jun 19 07:14:50 2015  Matthew Draper <matthew@trebex.net>
+	* Move most methods on the `Rack::Request` to a module
+	`Rack::Request::Helpers` and use public API to get values from the
+	request object.  This enables users to mix `Rack::Request::Helpers` in
+	to their own objects so they can implement
+	`(get|set|fetch|each)_header` as they see fit (for example a proxy
+	object).
 
-	* Work around a Rails incompatibility in our private API
+Fri Sep  4 14:15:32 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Files and directories with + in the name are served correctly.
+	Rather than unescaping paths like a form, we unescape with a URI
+	parser using `Rack::Utils.unescape_path`. Fixes #265
+
+Thu Aug 27 15:43:48 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Tempfiles are automatically closed in the case that there were too
+	many posted.
+
+Thu Aug 27 11:00:03 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Added methods for manipulating response headers that don't assume
+	they're stored as a Hash. Response-like classes may include the
+	Rack::Response::Helpers module if they define these methods:
+
+	  * Rack::Response#has_header?
+	  * Rack::Response#get_header
+	  * Rack::Response#set_header
+	  * Rack::Response#delete_header
+
+Mon Aug 24 18:05:23 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Introduce Util.get_byte_ranges that will parse the value of the
+	HTTP_RANGE string passed to it without depending on the `env` hash.
+	`byte_ranges` is deprecated in favor of this method.
+
+Sat Aug 22 17:49:49 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Change Session internals to use Request objects for looking up
+	session information. This allows us to only allocate one request
+	object when dealing with session objects (rather than doing it every
+	time we need to manipulate cookies, etc).
+
+Fri Aug 21 16:30:51 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Add `Rack::Request#initialize_copy` so that the env is duped when
+	the request gets duped.
+
+Thu Aug 20 16:20:58 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Added methods for manipulating request specific data.  This includes
+	data set as CGI parameters, and just any arbitrary data the user wants
+	to associate with a particular request.  New methods:
+
+	  * Rack::Request#has_header?
+	  * Rack::Request#get_header
+	  * Rack::Request#fetch_header
+	  * Rack::Request#each_header
+	  * Rack::Request#set_header
+	  * Rack::Request#delete_header
+
+Thu Jun 18 16:00:05 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	*  lib/rack/utils.rb: add a method for constructing "delete" cookie
+	headers.  This allows us to construct cookie headers without depending
+	on the side effects of mutating a hash.
 
 Fri Jun 12 11:37:41 2015  Aaron Patterson <tenderlove@ruby-lang.org>
 
 	* Prevent extremely deep parameters from being parsed. CVE-2015-3225
 
-### December 18th, Thirty sixth public release 1.6.0
-
-### February 7th, Thirty fifth public release 1.5.2
+### May 6th, 2015, Thirty seventh public release 1.6.1
+  - Fix CVE-2014-9490, denial of service attack in OkJson ([8cd610](https://github.com/rack/rack/commit/8cd61062954f70e0a03e2855704e95ff4bdd4f6e))
+  - Use a monotonic time for Rack::Runtime, if available ([d170b2](https://github.com/rack/rack/commit/d170b2363c949dce60871f9d5a6bfc83da2bedb5))
+  - RACK_MULTIPART_LIMIT changed to RACK_MULTIPART_PART_LIMIT (RACK_MULTIPART_LIMIT is deprecated and will be removed in 1.7.0) ([c096c5](https://github.com/rack/rack/commit/c096c50c00230d8eee13ad5f79ad027d9a3f3ca9))
+  - See the full [git history](https://github.com/rack/rack/compare/1.6.0...1.6.1) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.6%22)
+
+### May 6th, 2015, Thirty seventh public release 1.5.3
+  - Fix CVE-2014-9490, denial of service attack in OkJson ([99f725](https://github.com/rack/rack/commit/99f725b583b357376ffbb7b3b042c5daa3106ad6))
+  - Backport bug fixes to 1.5 series ([#585](https://github.com/rack/rack/pull/585), [#711](https://github.com/rack/rack/pull/711), [#756](https://github.com/rack/rack/pull/756))
+  - See the full [git history](https://github.com/rack/rack/compare/1.5.2...1.5.3) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.5.3%22)
+
+### December 18th, 2014, Thirty sixth public release 1.6.0
+  - Response#unauthorized? helper ([#580](https://github.com/rack/rack/pull/580))
+  - Deflater now accepts an options hash to control compression on a per-request level ([#457](https://github.com/rack/rack/pull/457))
+  - Builder#warmup method for app preloading ([#617](https://github.com/rack/rack/pull/617))
+  - Request#accept_language method to extract HTTP_ACCEPT_LANGUAGE ([#623](https://github.com/rack/rack/pull/623))
+  - Add quiet mode of rack server, rackup --quiet ([#674](https://github.com/rack/rack/pull/674))
+  - Update HTTP Status Codes to RFC 7231 ([#754](https://github.com/rack/rack/pull/754))
+  - Less strict header name validation according to [RFC 2616](https://tools.ietf.org/html/rfc2616) ([#399](https://github.com/rack/rack/pull/399))
+    - SPEC updated to specify headers conform to RFC7230 specification ([6839fc](https://github.com/rack/rack/commit/6839fc203339f021cb3267fb09cba89410f086e9))
+  - Etag correctly marks etags as weak ([#681](https://github.com/rack/rack/issues/681))
+  - Request#port supports multiple x-http-forwarded-proto values ([#669](https://github.com/rack/rack/pull/669))
+  - Utils#multipart_part_limit configures the maximum number of parts a request can contain ([#684](https://github.com/rack/rack/pull/684))
+  - Default host to localhost when in development mode ([#514](https://github.com/rack/rack/pull/514))
+  - Various bugfixes and performance improvements (See the full [git history](https://github.com/rack/rack/compare/1.5.2...1.6.0) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.6%22))
+
+### February 7th, 2013, Thirty fifth public release 1.5.2
   - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
   - Fix CVE-2013-0262, symlink path traversal in Rack::File
   - Add various methods to Session for enhanced Rails compatibility
@@ -38,7 +181,7 @@ Fri Jun 12 11:37:41 2015  Aaron Patterson <tenderlove@ruby-lang.org>
   - Fix a race condition that could result in overwritten pidfiles
   - Various documentation additions
 
-### February 7th, Thirty fifth public release 1.4.5
+### February 7th, 2013, Thirty fifth public release 1.4.5
   - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
   - Fix CVE-2013-0262, symlink path traversal in Rack::File
 
@@ -373,3 +516,5 @@ Fri Jun 12 11:37:41 2015  Aaron Patterson <tenderlove@ruby-lang.org>
   - Removed Rails adapter, was too alpha.
 
 ### March 3rd, 2007: First public release 0.1.
+
+/* vim: set filetype=changelog */

data/README.rdoc

@@ -1,6 +1,6 @@
 = Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.svg" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.svg" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
 
-Rack provides a minimal, modular and adaptable interface for developing
+Rack provides a minimal, modular, and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
 the simplest way possible, it unifies and distills the API for web
 servers, web frameworks, and software in between (the so-called
@@ -12,9 +12,6 @@ which all Rack applications should conform to.
 == Supported web servers
 
 The included *handlers* connect all kinds of web servers to Rack:
-* Mongrel
-* EventedMongrel
-* SwiftipliedMongrel
 * WEBrick
 * FCGI
 * CGI
@@ -28,13 +25,11 @@ These web servers include Rack handlers in their distributions:
 * Glassfish v3
 * Phusion Passenger (which is mod_rack for Apache and for nginx)
 * Puma
-* Rainbows!
 * Reel
 * Unicorn
 * unixrack
 * uWSGI
 * yahns
-* Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
 changing anything.
@@ -103,8 +98,8 @@ Rack::Builder DSL to configure middleware and build up applications
 easily.
 
 rackup automatically figures out the environment it is run in, and
-runs your application as FastCGI, CGI, or standalone with Mongrel or
-WEBrick---all from the same configuration.
+runs your application as FastCGI, CGI, or WEBrick---all from the
+same configuration.
 
 == Quick start
 
@@ -141,19 +136,17 @@ Or:
 
     bundle install # this assumes that you have installed native extensions!
 
-There are two rake-based test tasks:
+There is a rake-based test task:
 
-    rake test       tests all the fast tests (no Handlers or Adapters)
-    rake fulltest   runs all the tests
+    rake test       tests all the tests
 
-The fast testsuite has no dependencies outside of the core Ruby
+The testsuite has no dependencies outside of the core Ruby
 installation and bacon.
 
 To run the test suite completely, you need:
 
   * fcgi
   * memcache-client
-  * mongrel
   * thin
 
 The full set of tests test FCGI access with lighttpd (on port
@@ -196,20 +189,34 @@ This helps prevent a rogue client from flooding a Request.
 
 Default to 65536 characters (4 kiB in worst case).
 
-=== multipart_part_limit
+=== multipart_file_limit
 
-The maximum number of parts a request can contain.
+The maximum number of parts with a filename a request can contain.
 Accepting too many part can lead to the server running out of file handles.
 
 The default is 128, which means that a single request can't upload more than 128 files at once.
 
 Set to 0 for no limit.
 
-Can also be set via the RACK_MULTIPART_PART_LIMIT environment variable.
+Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
+
+(This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility)
+
+=== multipart_total_part_limit
+
+The maximum total number of parts a request can contain of any type, including
+both file and non-file form fields.
+
+The default is 4096, which means that a single request can't contain more than
+4096 parts.
+
+Set to 0 for no limit.
+
+Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
 
 == History
 
-See <https://github.com/rack/HISTORY.md>.
+See <https://github.com/rack/rack/blob/master/HISTORY.md>.
 
 == Contact
 
@@ -235,19 +242,19 @@ You are also welcome to join the #rack channel on irc.freenode.net.
 
 The Rack Core Team, consisting of
 
-* Christian Neukirchen (chneukirchen)
-* James Tucker (raggi)
-* Josh Peek (josh)
-* José Valim (josevalim)
-* Michael Fellinger (manveru)
-* Aaron Patterson (tenderlove)
-* Santiago Pastorino (spastorino)
-* Konstantin Haase (rkh)
+* Leah Neukirchen (chneukirchen[https://github.com/chneukirchen])
+* James Tucker (raggi[https://github.com/raggi])
+* Josh Peek (josh[https://github.com/josh])
+* José Valim (josevalim[https://github.com/josevalim])
+* Michael Fellinger (manveru[https://github.com/manveru])
+* Aaron Patterson (tenderlove[https://github.com/tenderlove])
+* Santiago Pastorino (spastorino[https://github.com/spastorino])
+* Konstantin Haase (rkh[https://github.com/rkh])
 
 and the Rack Alumnis
 
-* Ryan Tomayko (rtomayko)
-* Scytrin dai Kinthra (scytrin)
+* Ryan Tomayko (rtomayko[https://github.com/rtomayko])
+* Scytrin dai Kinthra (scytrin[https://github.com/scytrin])
 
 would like to thank:
 
@@ -302,11 +309,8 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.github.io/>
+Rack:: <https://rack.github.io/>
 Official Rack repositories:: <https://github.com/rack>
 Rack Bug Tracking:: <https://github.com/rack/rack/issues>
 rack-devel mailing list:: <https://groups.google.com/group/rack-devel>
 Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
-
-Christian Neukirchen:: <http://chneukirchen.org/>
-

data/Rakefile

@@ -36,7 +36,7 @@ task :officialrelease_really => %w[SPEC dist gem] do
 end
 
 def release
-  "rack-#{File.read("rack.gemspec")[/s.version *= *"(.*?)"/, 1]}"
+  "rack-" + File.read('lib/rack.rb')[/RELEASE += +([\"\'])([\d][\w\.]+)\1/, 2]
 end
 
 desc "Make binaries executable"
@@ -52,7 +52,7 @@ file '.git/index'
 file "ChangeLog" => '.git/index' do
   File.open("ChangeLog", "w") { |out|
     log = `git log -z`
-    log.force_encoding(Encoding::BINARY) if log.respond_to?(:force_encoding)
+    log.force_encoding(Encoding::BINARY)
     log.split("\0").map { |chunk|
       author = chunk[/Author: (.*)/, 1].strip
       date = chunk[/Date: (.*)/, 1].strip
@@ -82,22 +82,14 @@ end
 
 desc "Run all the fast + platform agnostic tests"
 task :test => 'SPEC' do
-  opts     = ENV['TEST'] || '-a'
-  specopts = ENV['TESTOPTS'] ||
-    "-q -t '^(?!Rack::Adapter|Rack::Session::Memcache|Rack::Server|Rack::Handler)'"
+  opts     = ENV['TEST'] || ''
+  specopts = ENV['TESTOPTS']
 
-  sh "bacon -w -I./lib:./test #{opts} #{specopts}"
+  sh "ruby -I./lib:./test -S minitest #{opts} #{specopts} test/gemloader.rb test/spec*.rb"
 end
 
 desc "Run all the tests we run on CI"
-task :ci => :fulltest
-
-desc "Run all the tests"
-task :fulltest => %w[SPEC chmod] do
-  opts     = ENV['TEST'] || '-a'
-  specopts = ENV['TESTOPTS'] || '-q'
-  sh "bacon -r./test/gemloader -I./lib:./test -w #{opts} #{specopts}"
-end
+task :ci => :test
 
 task :gem => ["SPEC"] do
   sh "gem build rack.gemspec"

data/SPEC

@@ -35,7 +35,7 @@ below.
                      empty string, if the request URL targets
                      the application root and does not have a
                      trailing slash. This value may be
-                     percent-encoded when I originating from
+                     percent-encoded when originating from
                      a URL.
 <tt>QUERY_STRING</tt>:: The portion of the request URL that
                         follows the <tt>?</tt>, if any. May be
@@ -60,8 +60,8 @@ below.
                            the presence or absence of the
                            appropriate HTTP header in the
                            request. See
-                           <a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
-                           RFC3875 section 4.1.18</a> for
+                           {https://tools.ietf.org/html/rfc3875#section-4.1.18
+                           RFC3875 section 4.1.18} for
                            specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
@@ -98,13 +98,12 @@ Rack-specific variables:
 Additional environment specifications have approved to
 standardized middleware APIs.  None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing
-                        request session data.
+<tt>rack.session</tt>:: A hash like interface for storing request session data.
                         The store must implement:
-                        store(key, value)         (aliased as []=);
-                        fetch(key, default = nil) (aliased as []);
-                        delete(key);
-                        clear;
+                         store(key, value)         (aliased as []=);
+                         fetch(key, default = nil) (aliased as []);
+                         delete(key);
+                         clear;
 <tt>rack.logger</tt>:: A common object interface for logging messages.
                        The object must implement:
                         info(message, &block)
@@ -238,10 +237,10 @@ consisting of lines (for multiple header values, e.g. multiple
 The lines must not contain characters below 037.
 === The Content-Type
 There must not be a <tt>Content-Type</tt>, when the +Status+ is 1xx,
-204, 205 or 304.
+204 or 304.
 === The Content-Length
 There must not be a <tt>Content-Length</tt> header when the
-+Status+ is 1xx, 204, 205 or 304.
++Status+ is 1xx, 204 or 304.
 === The Body
 The Body must respond to +each+
 and must only yield String values.