rack 1.6.4 → 1.6.5
- checksums.yaml +4 -4
- data/HISTORY.md +20 -0
- data/lib/rack.rb +1 -1
- data/lib/rack/handler.rb +13 -1
- data/lib/rack/reloader.rb +2 -1
- data/lib/rack/utils.rb +12 -1
- data/rack.gemspec +1 -1
- data/test/spec_handler.rb +12 -3
- data/test/spec_response.rb +64 -0
- metadata +4 -4
- data/test/cgi/lighttpd.errors +0 -1
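--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 20cfbff780d181ef57fe493c5d9d52586cb65bae
+data.tar.gz: f57c4e0262ec3491683ea83e9823e9fe49973fbe
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2dc649b00ffb1811ad6c49a0aa9c48376b9f8dd3b5b15d1f19cd5005f60e31f0e7d00af3d17de5acd646bebd806ef16a61b111c0d3aa7303578c2b743c646509
+data.tar.gz: 74489fbf35da911d31a85f69737e9ac4aecb10d1cc05394041e0b5f24b323266d64e80481dcd4f8a3064b9d5e7c5ba10b2aa059b4d81eb5c13a459e1843ac3ab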
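--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,23 @@
+Sun Dec 4 18:48:03 2015 Jeremy Daer <jeremydaer@gmail.com>
+
+* First-party "SameSite" cookies. Browsers omit SameSite cookies
+from third-party requests, closing the door on many CSRF attacks.
+
+Pass `same_site: true` (or `:strict`) to enable:
+response.set_cookie 'foo', value: 'bar', same_site: true
+or `same_site: :lax` to use Lax enforcement:
+response.set_cookie 'foo', value: 'bar', same_site: :lax
+
+Based on version 7 of the Same-site Cookies internet draft:
+https://tools.ietf.org/html/draft-west-first-party-cookies-07
+
+Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
+updating to drafts 5 and 7.
+
+Wed Jun 24 12:13:37 2015 Aaron Patterson <tenderlove@ruby-lang.org>
+
+* Fix Ruby 1.8 backwards compatibility
+
 Fri Jun 19 07:14:50 2015 Matthew Draper <matthew@trebex.net>
 
 * Work around a Rails incompatibility in our private API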
data/lib/rack.rb
CHANGED
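--- a/data/lib/rack/handler.rb
+++ b/data/lib/rack/handler.rb
@@ -19,13 +19,25 @@ module Rack
 if klass = @handlers[server]
 klass.split("::").inject(Object) { |o, x| o.const_get(x) }
 else
-
+_const_get(server, false)
 end
 
 rescue NameError => name_error
 raise load_error || name_error
 end
 
+begin
+::Object.const_get("Object", false)
+def self._const_get(str, inherit = true)
+const_get(str, inherit)
+end
+rescue
+def self._const_get(str, inherit = true)
+const_get(str)
+end
+end
+
+
 # Select first available Rack handler given an `Array` of server names.
 # Raises `LoadError` if no handler was found.
 #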
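Review bot: The `rescue` fallback at new line 34 keeps the single-argument `const_get(str)`, which searches ancestors, so on a Ruby whose `Module#const_get` rejects a second argument `get` may still resolve a non-handler toplevel constant such as `Object` — exactly the lookup the `false` at new line 22 is meant to shut off. That is presumably an accepted trade-off for 1.8 support, but nothing in the file records it, and the bare `rescue` reads as accidental rather than as the arity probe it is. I'd add above the `begin` at new line 29: `# Probe whether const_get accepts the inherit flag. Where it does not (Ruby 1.8), the fallback searches ancestors, so a toplevel constant can still be returned by get; callers must not pass untrusted server names there.` The enclosing `get` method starts before this hunk.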
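--- a/data/lib/rack/reloader.rb
+++ b/data/lib/rack/reloader.rb
@@ -26,6 +26,7 @@ module Rack
 @last = (Time.now - cooldown)
 @cache = {}
 @mtimes = {}
+@reload_mutex = Mutex.new
 
 extend backend
 end
@@ -33,7 +34,7 @@ module Rack
 def call(env)
 if @cooldown and Time.now > @last + @cooldown
 if Thread.list.size > 1
-
+@reload_mutex.synchronize{ reload! }
 else
 reload!
 end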
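Review bot: The `Thread.list.size > 1` check at new line 36 runs outside the lock, so a thread started between that check and the unsynchronized `reload!` on the `else` branch races with the locked one; an uncontended `Mutex#synchronize` costs almost nothing, so the branch buys no speed and only adds a window. I'd replace the whole `if`/`else` with a single `@reload_mutex.synchronize { reload! }` (also restoring the space before `{`). The cooldown comparison at new line 35 is likewise unguarded, so several threads that pass it together will each take the mutex in turn and call `reload!` back-to-back unless `reload!` itself advances `@last`; `reload!` is not in this hunk so I cannot tell. `call` continues past the end of the hunk.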
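--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -311,12 +311,23 @@ module Rack
 rfc2822(value[:expires].clone.gmtime) if value[:expires]
 secure = "; secure" if value[:secure]
 httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
+same_site =
+case value[:same_site]
+when false, nil
+nil
+when :lax, 'Lax', :Lax
+'; SameSite=Lax'.freeze
+when true, :strict, 'Strict', :Strict
+'; SameSite=Strict'.freeze
+else
+raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}"
+end
 value = value[:value]
 end
 value = [value] unless Array === value
 cookie = escape(key) + "=" +
 value.map { |v| escape v }.join("&") +
-"#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}"
+"#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
 
 case header["Set-Cookie"]
 when nil, ''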
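Review bot: The `when` arms at new lines 318 and 320 accept both capitalisations of the symbol (`:lax`/`:Lax`, `:strict`/`:Strict`) but only the capitalised string (`'Lax'`, `'Strict'`), so a value read from a config file as `'lax'` falls through to the `ArgumentError` at new line 323 while the equivalent symbol is accepted; either the accepted spellings should be documented on the option or the strings should be matched the same way as the symbols. Nothing in the hunk says what the attribute does or does not protect against, and a cookie option that reads like a CSRF switch deserves that context; I'd put above `same_site =` at new line 314: `# SameSite is honoured only by browsers implementing the draft, so it complements rather than replaces token-based CSRF protection. Accepted values: true/:strict/:Strict/'Strict' (Strict), :lax/:Lax/'Lax' (Lax), nil/false (omit).` The enclosing method starts before this hunk.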
data/rack.gemspec
CHANGED
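--- a/data/test/spec_handler.rb
+++ b/data/test/spec_handler.rb
@@ -23,10 +23,19 @@ describe Rack::Handler do
 lambda {
 Rack::Handler.get('boom')
 }.should.raise(LoadError)
+end
 
-
-
-
+should "raise LoadError if handler isn't nested under Rack::Handler" do
+# Feature-detect whether Ruby can do non-inherited const lookups.
+# If it can't, then Rack::Handler may lookup non-handler toplevel
+# constants, so the best we can do is no-op here and not test it.
+begin
+Rack::Handler._const_get('Object', false)
+rescue NameError
+lambda {
+Rack::Handler.get('Object')
+}.should.raise(LoadError)
+end
 end
 
 should "get unregistered, but already required, handler by name" do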
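Review bot: The gate at new line 33 probes `Rack::Handler._const_get` itself, the helper this example indirectly tests, so if that helper ever regressed to the inherited fallback on a modern Ruby, `_const_get('Object', false)` would return `Object`, no `NameError` would be raised, and the example would pass without asserting anything — indistinguishable from the intended 1.8 no-op. Gating on the interpreter instead (the same `::Object.const_get("Object", false)` probe the handler uses) keeps the skip for old Rubies but makes a regression in the helper fail the assertion at new lines 35-37. The rewrite below replaces the body of the new example; the `describe` block continues outside the hunk.
```ruby
should "raise LoadError if handler isn't nested under Rack::Handler" do
  # Probe the interpreter, not the helper under test, so a regression in
  # Rack::Handler._const_get cannot silently turn this example into a no-op.
  begin
    ::Object.const_get('Object', false)
  rescue
    next # Ruby without non-inherited const lookup: nothing to test here
  end
  lambda {
    Rack::Handler.get('Object')
  }.should.raise(LoadError)
end
```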
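--- a/data/test/spec_response.rb
+++ b/data/test/spec_response.rb
@@ -97,6 +97,70 @@ describe Rack::Response do
 response["Set-Cookie"].should.equal "foo=bar"
 end
 
+it "can set SameSite cookies with symbol value :lax" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => :lax}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax"
+end
+
+it "can set SameSite cookies with symbol value :Lax" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => :lax}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax"
+end
+
+it "can set SameSite cookies with string value 'Lax'" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => "Lax"}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax"
+end
+
+it "can set SameSite cookies with boolean value true" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => true}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+end
+
+it "can set SameSite cookies with symbol value :strict" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => :strict}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+end
+
+it "can set SameSite cookies with symbol value :Strict" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => :Strict}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+end
+
+it "can set SameSite cookies with string value 'Strict'" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => "Strict"}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+end
+
+it "validates the SameSite option value" do
+response = Rack::Response.new
+lambda {
+response.set_cookie "foo", {:value => "bar", :same_site => "Foo"}
+}.should.raise(ArgumentError).
+message.should.match(/Invalid SameSite value: "Foo"/)
+end
+
+it "can set SameSite cookies with symbol value" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => :Strict}
+response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+end
+
+[ nil, false ].each do |non_truthy|
+it "omits SameSite attribute given a #{non_truthy.inspect} value" do
+response = Rack::Response.new
+response.set_cookie "foo", {:value => "bar", :same_site => non_truthy}
+response["Set-Cookie"].should.equal "foo=bar"
+end
+end
+
 it "can delete cookies" do
 response = Rack::Response.new
 response.set_cookie "foo", "bar"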
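Review bot: The example at new line 106 is titled for `:Lax` but passes `:lax` at new line 108, so the `:Lax` arm of the `case` in utils.rb is never exercised; new line 108 should read `response.set_cookie "foo", {:value => "bar", :same_site => :Lax}`. The example at new line 150, "can set SameSite cookies with symbol value", repeats the `:Strict` example at new line 130 verbatim and could be dropped or repurposed. Lowercase string spellings (`'lax'`, `'strict'`) are not covered either; if rejecting them is intended, a sibling of the `"Foo"` example at new line 142 would pin that behaviour down rather than leaving it implicit.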
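--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-version: 1.6.
+version: 1.6.5
 platform: ruby
 authors:
 - Christian Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2016-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bacon
@@ -148,7 +148,6 @@ files:
 - test/cgi/assets/javascripts/app.js
 - test/cgi/assets/stylesheets/app.css
 - test/cgi/lighttpd.conf
-- test/cgi/lighttpd.errors
 - test/cgi/rackup_stub.rb
 - test/cgi/sample_rackup.ru
 - test/cgi/test
@@ -256,7 +255,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project: rack
-rubygems_version: 2.
+rubygems_version: 2.5.1
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
@@ -310,3 +309,4 @@ test_files:
 - test/spec_utils.rb
 - test/spec_version.rb
 - test/spec_webrick.rb
+has_rdoc: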
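--- a/data/test/cgi/lighttpd.errors
+++ b/data/test/cgi/lighttpd.errors
@@ -1 +0,0 @@
-2015-06-16 14:11:43: (log.c.164) server started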