rack 2.0.3 → 2.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 17cc155727caff77770fb98d752892acbb5c3a77
-  data.tar.gz: 60a9aec0727551bc33323e06b30e930027f2d5c1
+SHA256:
+  metadata.gz: e9142cfb8ba777286d8118d2b094a23c1fe4698b302c99966cb80670041c67f5
+  data.tar.gz: 341991ef42232bfecf702d98a17e671ffbbf6a95a8ff70bcca40f7c9aa9f5e85
 SHA512:
-  metadata.gz: 84cc54271f0d00b51ef4be8c1f3e35a90ada7d88918653ed35276db93c2cac66f004fa4c6c092ac92a0fced6da86ebc65b11e83a0aa6be6143bdcc82d938b27b
-  data.tar.gz: c6cabd254ed040468806288a9765002a5d029ab35239280cfd2877f773b543b6d32489945cc78e8a0b09f6b494790da2963b73d5d1f61be5c8a4f2b3563ed2c0
+  metadata.gz: 012e3ac8b25a2fa3c75e7cfbed5f5f4875010ecf96ee887aa9d4ed844badc614fa7decf04bfb889983004d0c310780763e8f9328c4dfb5243388a086f05ef059
+  data.tar.gz: 312252b7e153667c49c11fea9bdceaf679813d6e3176c6e8599fbe4741c326abc43510c3c0a48136a36d2027393e8286f11771a5c353c68269088a6f606b8372

data/README.rdoc

@@ -228,7 +228,7 @@ You are also welcome to join the #rack channel on irc.freenode.net.
 
 The Rack Core Team, consisting of
 
-* Christian Neukirchen (chneukirchen[https://github.com/chneukirchen])
+* Leah Neukirchen (chneukirchen[https://github.com/chneukirchen])
 * James Tucker (raggi[https://github.com/raggi])
 * Josh Peek (josh[https://github.com/josh])
 * José Valim (josevalim[https://github.com/josevalim])
@@ -295,10 +295,8 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.github.io/>
+Rack:: <https://rack.github.io/>
 Official Rack repositories:: <https://github.com/rack>
 Rack Bug Tracking:: <https://github.com/rack/rack/issues>
 rack-devel mailing list:: <https://groups.google.com/group/rack-devel>
 Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
-
-Christian Neukirchen:: <http://chneukirchen.org/>

data/SPEC

@@ -60,8 +60,8 @@ below.
                            the presence or absence of the
                            appropriate HTTP header in the
                            request. See
-                           {https://tools.ietf.org/html/rfc3875#section-4.1.18
-                           RFC3875 section 4.1.18} for
+                           <a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
+                           RFC3875 section 4.1.18</a> for
                            specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
@@ -98,12 +98,13 @@ Rack-specific variables:
 Additional environment specifications have approved to
 standardized middleware APIs.  None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing request session data.
+<tt>rack.session</tt>:: A hash like interface for storing
+                        request session data.
                         The store must implement:
-                         store(key, value)         (aliased as []=);
-                         fetch(key, default = nil) (aliased as []);
-                         delete(key);
-                         clear;
+                        store(key, value)         (aliased as []=);
+                        fetch(key, default = nil) (aliased as []);
+                        delete(key);
+                        clear;
 <tt>rack.logger</tt>:: A common object interface for logging messages.
                        The object must implement:
                         info(message, &block)

data/lib/rack.rb

@@ -18,7 +18,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.0.3"
+  RELEASE = "2.0.8"
 
   # Return the Rack release as a dotted string.
   def self.release

data/lib/rack/chunked.rb

@@ -24,7 +24,7 @@ module Rack
           size = chunk.bytesize
           next if size == 0
 
-          chunk = chunk.dup.force_encoding(Encoding::BINARY)
+          chunk = chunk.b
           yield [size.to_s(16), term, chunk, term].join
         end
         yield TAIL

data/lib/rack/etag.rb

@@ -1,5 +1,5 @@
 require 'rack'
-require 'digest/md5'
+require 'digest/sha2'
 
 module Rack
   # Automatically sets the ETag header on all String bodies.

data/lib/rack/lock.rb

@@ -11,12 +11,21 @@ module Rack
 
     def call(env)
       @mutex.lock
+      @env = env
+      @old_rack_multithread = env[RACK_MULTITHREAD]
       begin
-        response = @app.call(env.merge(RACK_MULTITHREAD => false))
-        returned = response << BodyProxy.new(response.pop) { @mutex.unlock }
+        response = @app.call(env.merge!(RACK_MULTITHREAD => false))
+        returned = response << BodyProxy.new(response.pop) { unlock }
       ensure
-        @mutex.unlock unless returned
+        unlock unless returned
       end
     end
+
+    private
+
+    def unlock
+      @mutex.unlock
+      @env[RACK_MULTITHREAD] = @old_rack_multithread
+    end
   end
 end

data/lib/rack/method_override.rb

@@ -26,7 +26,11 @@ module Rack
       req = Request.new(env)
       method = method_override_param(req) ||
         env[HTTP_METHOD_OVERRIDE_HEADER]
-      method.to_s.upcase
+      begin
+        method.to_s.upcase
+      rescue ArgumentError
+        env[RACK_ERRORS].puts "Invalid string for method"
+      end
     end
 
     private

data/lib/rack/mock.rb

@@ -128,7 +128,7 @@ module Rack
         end
       end
 
-      empty_str = String.new.force_encoding(Encoding::ASCII_8BIT)
+      empty_str = String.new
       opts[:input] ||= empty_str
       if String === opts[:input]
         rack_input = StringIO.new(opts[:input])

data/lib/rack/multipart/parser.rb

@@ -39,8 +39,6 @@ module Rack
           str
         end
 
-        def eof?; @content_length == @cursor; end
-
         def rewind
           @io.rewind
         end
@@ -65,11 +63,11 @@ module Rack
         io = BoundedIO.new(io, content_length) if content_length
 
         parser = new(boundary, tmpfile, bufsize, qp)
-        parser.on_read io.read(bufsize), io.eof?
+        parser.on_read io.read(bufsize)
 
         loop do
           break if parser.state == :DONE
-          parser.on_read io.read(bufsize), io.eof?
+          parser.on_read io.read(bufsize)
         end
 
         io.rewind
@@ -135,7 +133,7 @@ module Rack
             klass = TempfilePart
             @open_files += 1
           else
-            body = ''.force_encoding(Encoding::ASCII_8BIT)
+            body = String.new
             klass = BufferPart
           end
 
@@ -165,15 +163,15 @@ module Rack
       attr_reader :state
 
       def initialize(boundary, tempfile, bufsize, query_parser)
-        @buf            = "".force_encoding(Encoding::ASCII_8BIT)
+        @buf            = String.new
 
         @query_parser   = query_parser
         @params         = query_parser.make_params
         @boundary       = "--#{boundary}"
-        @boundary_size  = @boundary.bytesize + EOL.size
         @bufsize        = bufsize
 
         @rx = /(?:#{EOL})?#{Regexp.quote(@boundary)}(#{EOL}|--)/n
+        @rx_max_size = EOL.size + @boundary.bytesize + [EOL.size, '--'.size].max
         @full_boundary = @boundary
         @end_boundary = @boundary + '--'
         @state = :FAST_FORWARD
@@ -181,8 +179,8 @@ module Rack
         @collector = Collector.new tempfile
       end
 
-      def on_read content, eof
-        handle_empty_content!(content, eof)
+      def on_read content
+        handle_empty_content!(content)
         @buf << content
         run_parser
       end
@@ -263,15 +261,17 @@ module Rack
       end
 
       def handle_mime_body
-        if @buf =~ rx
+        if i = @buf.index(rx)
           # Save the rest.
-          if i = @buf.index(rx)
-            @collector.on_mime_body @mime_index, @buf.slice!(0, i)
-            @buf.slice!(0, 2) # Remove \r\n after the content
-          end
+          @collector.on_mime_body @mime_index, @buf.slice!(0, i)
+          @buf.slice!(0, 2) # Remove \r\n after the content
           @state = :CONSUME_TOKEN
           @mime_index += 1
         else
+          # Save the read body part.
+          if @rx_max_size < @buf.size
+            @collector.on_mime_body @mime_index, @buf.slice!(0, @buf.size - @rx_max_size)
+          end
           :want_read
         end
       end
@@ -356,10 +356,9 @@ module Rack
       end
 
 
-      def handle_empty_content!(content, eof)
+      def handle_empty_content!(content)
         if content.nil? || content.empty?
-          raise EOFError if eof
-          return true
+          raise EOFError
         end
       end
     end

data/lib/rack/request.rb

@@ -11,6 +11,8 @@ module Rack
   #   req.params["data"]
 
   class Request
+    SCHEME_WHITELIST = %w(https http).freeze
+
     def initialize(env)
       @params = nil
       super(env)
@@ -188,10 +190,8 @@ module Rack
           'https'
         elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
           'https'
-        elsif get_header(HTTP_X_FORWARDED_SCHEME)
-          get_header(HTTP_X_FORWARDED_SCHEME)
-        elsif get_header(HTTP_X_FORWARDED_PROTO)
-          get_header(HTTP_X_FORWARDED_PROTO).split(',')[0]
+        elsif forwarded_scheme
+          forwarded_scheme
         else
           get_header(RACK_URL_SCHEME)
         end
@@ -261,7 +261,7 @@ module Rack
 
         forwarded_ips = split_ip_addresses(get_header('HTTP_X_FORWARDED_FOR'))
 
-        return reject_trusted_ip_addresses(forwarded_ips).last || get_header("REMOTE_ADDR")
+        return reject_trusted_ip_addresses(forwarded_ips).last || forwarded_ips.first || get_header("REMOTE_ADDR")
       end
 
       # The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -479,6 +479,19 @@ module Rack
       def reject_trusted_ip_addresses(ip_addresses)
         ip_addresses.reject { |ip| trusted_proxy?(ip) }
       end
+
+      def forwarded_scheme
+        scheme_headers = [
+          get_header(HTTP_X_FORWARDED_SCHEME),
+          get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
+        ]
+
+        scheme_headers.each do |header|
+          return header if SCHEME_WHITELIST.include?(header)
+        end
+
+        nil
+      end
     end
 
     include Env

data/lib/rack/session/abstract/id.rb

@@ -6,11 +6,38 @@ require 'time'
 require 'rack/request'
 require 'rack/response'
 require 'securerandom'
+require 'digest/sha2'
 
 module Rack
 
   module Session
 
+    class SessionId
+      ID_VERSION = 2
+
+      attr_reader :public_id
+
+      def initialize(public_id)
+        @public_id = public_id
+      end
+
+      def private_id
+        "#{ID_VERSION}::#{hash_sid(public_id)}"
+      end
+
+      alias :cookie_value :public_id
+
+      def empty?; false; end
+      def to_s; raise; end
+      def inspect; public_id.inspect; end
+
+      private
+
+      def hash_sid(sid)
+        Digest::SHA256.hexdigest(sid)
+      end
+    end
+
     module Abstract
       # SessionHash is responsible to lazily load the session from store.
 
@@ -357,7 +384,7 @@ module Rack
             req.get_header(RACK_ERRORS).puts("Deferring cookie for #{session_id}") if $VERBOSE
           else
             cookie = Hash.new
-            cookie[:value] = data
+            cookie[:value] = cookie_value(data)
             cookie[:expires] = Time.now + options[:expire_after] if options[:expire_after]
             cookie[:expires] = Time.now + options[:max_age] if options[:max_age]
             set_cookie(req, res, cookie.merge!(options))
@@ -365,6 +392,10 @@ module Rack
         end
         public :commit_session
 
+        def cookie_value(data)
+          data
+        end
+
         # Sets the cookie back to the client with session id. We skip the cookie
         # setting if the value didn't change (sid is the same) or expires was given.
 
@@ -406,6 +437,40 @@ module Rack
         end
       end
 
+      class PersistedSecure < Persisted
+        class SecureSessionHash < SessionHash
+          def [](key)
+            if key == "session_id"
+              load_for_read!
+              id.public_id
+            else
+              super
+            end
+          end
+        end
+
+        def generate_sid(*)
+          public_id = super
+
+          SessionId.new(public_id)
+        end
+
+        def extract_session_id(*)
+          public_id = super
+          public_id && SessionId.new(public_id)
+        end
+
+        private
+
+        def session_class
+          SecureSessionHash
+        end
+
+        def cookie_value(data)
+          data.cookie_value
+        end
+      end
+
       class ID < Persisted
         def self.inherited(klass)
           k = klass.ancestors.find { |kl| kl.respond_to?(:superclass) && kl.superclass == ID }

data/lib/rack/session/cookie.rb

@@ -45,7 +45,7 @@ module Rack
     #   })
     #
 
-    class Cookie < Abstract::Persisted
+    class Cookie < Abstract::PersistedSecure
       # Encode session cookies as Base64
       class Base64
         def encode(str)
@@ -153,6 +153,15 @@ module Rack
         data
       end
 
+      class SessionId < DelegateClass(Session::SessionId)
+        attr_reader :cookie_value
+
+        def initialize(session_id, cookie_value)
+          super(session_id)
+          @cookie_value = cookie_value
+        end
+      end
+
       def write_session(req, session_id, session, options)
         session = session.merge("session_id" => session_id)
         session_data = coder.encode(session)
@@ -165,7 +174,7 @@ module Rack
           req.get_header(RACK_ERRORS).puts("Warning! Rack::Session::Cookie data size exceeds 4K.")
           nil
         else
-          session_data
+          SessionId.new(session_id, session_data)
         end
       end
 

data/lib/rack/session/memcache.rb

@@ -19,7 +19,7 @@ module Rack
     # Note that memcache does drop data before it may be listed to expire. For
     # a full description of behaviour, please see memcache's documentation.
 
-    class Memcache < Abstract::ID
+    class Memcache < Abstract::PersistedSecure
       attr_reader :mutex, :pool
 
       DEFAULT_OPTIONS = Abstract::ID::DEFAULT_OPTIONS.merge \
@@ -42,15 +42,15 @@ module Rack
       def generate_sid
         loop do
           sid = super
-          break sid unless @pool.get(sid, true)
+          break sid unless @pool.get(sid.private_id, true)
         end
       end
 
-      def get_session(env, sid)
-        with_lock(env) do
-          unless sid and session = @pool.get(sid)
+      def find_session(req, sid)
+        with_lock(req) do
+          unless sid and session = get_session_with_fallback(sid)
             sid, session = generate_sid, {}
-            unless /^STORED/ =~ @pool.add(sid, session)
+            unless /^STORED/ =~ @pool.add(sid.private_id, session)
               raise "Session collision on '#{sid.inspect}'"
             end
           end
@@ -58,25 +58,26 @@ module Rack
         end
       end
 
-      def set_session(env, session_id, new_session, options)
+      def write_session(req, session_id, new_session, options)
         expiry = options[:expire_after]
         expiry = expiry.nil? ? 0 : expiry + 1
 
-        with_lock(env) do
-          @pool.set session_id, new_session, expiry
+        with_lock(req) do
+          @pool.set session_id.private_id, new_session, expiry
           session_id
         end
       end
 
-      def destroy_session(env, session_id, options)
-        with_lock(env) do
-          @pool.delete(session_id)
+      def delete_session(req, session_id, options)
+        with_lock(req) do
+          @pool.delete(session_id.public_id)
+          @pool.delete(session_id.private_id)
           generate_sid unless options[:drop]
         end
       end
 
-      def with_lock(env)
-        @mutex.lock if env[RACK_MULTITHREAD]
+      def with_lock(req)
+        @mutex.lock if req.multithread?
         yield
       rescue MemCache::MemCacheError, Errno::ECONNREFUSED
         if $VERBOSE
@@ -88,6 +89,11 @@ module Rack
         @mutex.unlock if @mutex.locked?
       end
 
+      private
+
+      def get_session_with_fallback(sid)
+        @pool.get(sid.private_id) || @pool.get(sid.public_id)
+      end
     end
   end
 end

data/lib/rack/session/pool.rb

@@ -24,7 +24,7 @@ module Rack
     #   )
     #   Rack::Handler::WEBrick.run sessioned
 
-    class Pool < Abstract::Persisted
+    class Pool < Abstract::PersistedSecure
       attr_reader :mutex, :pool
       DEFAULT_OPTIONS = Abstract::ID::DEFAULT_OPTIONS.merge :drop => false
 
@@ -37,15 +37,15 @@ module Rack
       def generate_sid
         loop do
           sid = super
-          break sid unless @pool.key? sid
+          break sid unless @pool.key? sid.private_id
         end
       end
 
       def find_session(req, sid)
         with_lock(req) do
-          unless sid and session = @pool[sid]
+          unless sid and session = get_session_with_fallback(sid)
             sid, session = generate_sid, {}
-            @pool.store sid, session
+            @pool.store sid.private_id, session
           end
           [sid, session]
         end
@@ -53,14 +53,15 @@ module Rack
 
       def write_session(req, session_id, new_session, options)
         with_lock(req) do
-          @pool.store session_id, new_session
+          @pool.store session_id.private_id, new_session
           session_id
         end
       end
 
       def delete_session(req, session_id, options)
         with_lock(req) do
-          @pool.delete(session_id)
+          @pool.delete(session_id.public_id)
+          @pool.delete(session_id.private_id)
           generate_sid unless options[:drop]
         end
       end
@@ -71,6 +72,12 @@ module Rack
       ensure
         @mutex.unlock if @mutex.locked?
       end
+
+      private
+
+      def get_session_with_fallback(sid)
+        @pool[sid.private_id] || @pool[sid.public_id]
+      end
     end
   end
 end

data/lib/rack/show_exceptions.rb

@@ -46,7 +46,7 @@ module Rack
     end
 
     def prefers_plaintext?(env)
-      !accepts_html(env)
+      !accepts_html?(env)
     end
 
     def accepts_html?(env)

data/rack.gemspec

@@ -12,7 +12,7 @@ the simplest way possible, it unifies and distills the API for web
 servers, web frameworks, and software in between (the so-called
 middleware) into a single method call.
 
-Also see http://rack.github.io/.
+Also see https://rack.github.io/.
 EOF
 
   s.files           = Dir['{bin/*,contrib/*,example/*,lib/**/*,test/**/*}'] +
@@ -23,13 +23,12 @@ EOF
   s.extra_rdoc_files = ['README.rdoc', 'HISTORY.md']
   s.test_files      = Dir['test/spec_*.rb']
 
-  s.author          = 'Christian Neukirchen'
-  s.email           = 'chneukirchen@gmail.com'
-  s.homepage        = 'http://rack.github.io/'
+  s.author          = 'Leah Neukirchen'
+  s.email           = 'leah@vuxu.org'
+  s.homepage        = 'https://rack.github.io/'
   s.required_ruby_version = '>= 2.2.2'
 
   s.add_development_dependency 'minitest', "~> 5.0"
   s.add_development_dependency 'minitest-sprint'
-  s.add_development_dependency 'concurrent-ruby'
   s.add_development_dependency 'rake'
 end

data/test/spec_lock.rb

@@ -147,7 +147,8 @@ describe Rack::Lock do
     }, false)
     env = Rack::MockRequest.env_for("/")
     env['rack.multithread'].must_equal true
-    app.call(env)
+    _, _, body = app.call(env)
+    body.close
     env['rack.multithread'].must_equal true
   end
 
@@ -191,4 +192,13 @@ describe Rack::Lock do
     lambda { app.call(env) }.must_raise Exception
     lock.synchronized.must_equal false
   end
+
+  it "not replace the environment" do
+    env  = Rack::MockRequest.env_for("/")
+    app  = lock_app(lambda { |inner_env| [200, {"Content-Type" => "text/plain"}, [inner_env.object_id.to_s]] })
+
+    _, _, body = app.call(env)
+
+    body.to_enum.to_a.must_equal [env.object_id.to_s]
+  end
 end

data/test/spec_method_override.rb

@@ -17,6 +17,20 @@ describe Rack::MethodOverride do
     env["REQUEST_METHOD"].must_equal "GET"
   end
 
+  it "sets rack.errors for invalid UTF8 _method values" do
+    errors = StringIO.new
+    env = Rack::MockRequest.env_for("/",
+      :method => "POST",
+      :input => "_method=\xBF".b,
+      Rack::RACK_ERRORS => errors)
+
+    app.call env
+
+    errors.rewind
+    errors.read.must_equal "Invalid string for method\n"
+    env["REQUEST_METHOD"].must_equal "POST"
+  end
+
   it "modify REQUEST_METHOD for POST requests when _method parameter is set" do
     env = Rack::MockRequest.env_for("/", :method => "POST", :input => "_method=put")
     app.call env

data/test/spec_request.rb

@@ -572,6 +572,11 @@ class RackRequestTest < Minitest::Spec
     request.must_be :ssl?
   end
 
+  it "prevents scheme abuse" do
+    request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
+    request.scheme.must_equal 'http'
+  end
+
   it "parse cookies" do
     req = make_request \
       Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")
@@ -1281,7 +1286,16 @@ EOF
     res.body.must_equal '2.2.2.3'
   end
 
-  it "regard local addresses as proxies" do
+  it "preserves ip for trusted proxy chain" do
+    mock = Rack::MockRequest.new(Rack::Lint.new(ip_app))
+    res = mock.get '/',
+      'HTTP_X_FORWARDED_FOR' => '192.168.0.11, 192.168.0.7',
+      'HTTP_CLIENT_IP' => '127.0.0.1'
+    res.body.must_equal '192.168.0.11'
+
+  end
+
+  it "regards local addresses as proxies" do
     req = make_request(Rack::MockRequest.env_for("/"))
     req.trusted_proxy?('127.0.0.1').must_equal 0
     req.trusted_proxy?('10.0.0.1').must_equal 0

data/test/spec_session_memcache.rb

@@ -226,15 +226,52 @@ begin
       req = Rack::MockRequest.new(pool)
 
       res0 = req.get("/")
-      session_id = (cookie = res0["Set-Cookie"])[session_match, 1]
-      ses0 = pool.pool.get(session_id, true)
+      session_id = Rack::Session::SessionId.new (cookie = res0["Set-Cookie"])[session_match, 1]
+      ses0 = pool.pool.get(session_id.private_id, true)
 
       req.get("/", "HTTP_COOKIE" => cookie)
-      ses1 = pool.pool.get(session_id, true)
+      ses1 = pool.pool.get(session_id.private_id, true)
 
       ses1.wont_equal ses0
     end
 
+    it "can read the session with the legacy id" do
+      pool = Rack::Session::Memcache.new(incrementor)
+      req = Rack::MockRequest.new(pool)
+
+      res0 = req.get("/")
+      cookie = res0["Set-Cookie"]
+      session_id = Rack::Session::SessionId.new cookie[session_match, 1]
+      ses0 = pool.pool.get(session_id.private_id, true)
+      pool.pool.set(session_id.public_id, ses0, 0, true)
+      pool.pool.delete(session_id.private_id)
+
+      res1 = req.get("/", "HTTP_COOKIE" => cookie)
+      res1["Set-Cookie"].must_be_nil
+      res1.body.must_equal '{"counter"=>2}'
+      pool.pool.get(session_id.private_id, true).wont_be_nil
+    end
+
+    it "drops the session in the legacy id as well" do
+      pool = Rack::Session::Memcache.new(incrementor)
+      req = Rack::MockRequest.new(pool)
+      drop = Rack::Utils::Context.new(pool, drop_session)
+      dreq = Rack::MockRequest.new(drop)
+
+      res0 = req.get("/")
+      cookie = res0["Set-Cookie"]
+      session_id = Rack::Session::SessionId.new cookie[session_match, 1]
+      ses0 = pool.pool.get(session_id.private_id, true)
+      pool.pool.set(session_id.public_id, ses0, 0, true)
+      pool.pool.delete(session_id.private_id)
+
+      res2 = dreq.get("/", "HTTP_COOKIE" => cookie)
+      res2["Set-Cookie"].must_be_nil
+      res2.body.must_equal '{"counter"=>2}'
+      pool.pool.get(session_id.private_id, true).must_be_nil
+      pool.pool.get(session_id.public_id, true).must_be_nil
+    end
+
     # anyone know how to do this better?
     it "cleanly merges sessions when multithreaded" do
       skip unless $DEBUG

data/test/spec_session_pool.rb

@@ -6,7 +6,7 @@ require 'rack/session/pool'
 
 describe Rack::Session::Pool do
   session_key = Rack::Session::Pool::DEFAULT_OPTIONS[:key]
-  session_match = /#{session_key}=[0-9a-fA-F]+;/
+  session_match = /#{session_key}=([0-9a-fA-F]+);/
 
   incrementor = lambda do |env|
     env["rack.session"]["counter"] ||= 0
@@ -14,7 +14,7 @@ describe Rack::Session::Pool do
     Rack::Response.new(env["rack.session"].inspect).to_a
   end
 
-  session_id = Rack::Lint.new(lambda do |env|
+  get_session_id = Rack::Lint.new(lambda do |env|
     Rack::Response.new(env["rack.session"].inspect).to_a
   end)
 
@@ -143,6 +143,43 @@ describe Rack::Session::Pool do
     pool.pool.size.must_equal 1
   end
 
+  it "can read the session with the legacy id" do
+    pool = Rack::Session::Pool.new(incrementor)
+    req = Rack::MockRequest.new(pool)
+
+    res0 = req.get("/")
+    cookie = res0["Set-Cookie"]
+    session_id = Rack::Session::SessionId.new cookie[session_match, 1]
+    ses0 = pool.pool[session_id.private_id]
+    pool.pool[session_id.public_id] = ses0
+    pool.pool.delete(session_id.private_id)
+
+    res1 = req.get("/", "HTTP_COOKIE" => cookie)
+    res1["Set-Cookie"].must_be_nil
+    res1.body.must_equal '{"counter"=>2}'
+    pool.pool[session_id.private_id].wont_be_nil
+  end
+
+  it "drops the session in the legacy id as well" do
+    pool = Rack::Session::Pool.new(incrementor)
+    req = Rack::MockRequest.new(pool)
+    drop = Rack::Utils::Context.new(pool, drop_session)
+    dreq = Rack::MockRequest.new(drop)
+
+    res0 = req.get("/")
+    cookie = res0["Set-Cookie"]
+    session_id = Rack::Session::SessionId.new cookie[session_match, 1]
+    ses0 = pool.pool[session_id.private_id]
+    pool.pool[session_id.public_id] = ses0
+    pool.pool.delete(session_id.private_id)
+
+    res2 = dreq.get("/", "HTTP_COOKIE" => cookie)
+    res2["Set-Cookie"].must_be_nil
+    res2.body.must_equal '{"counter"=>2}'
+    pool.pool[session_id.private_id].must_be_nil
+    pool.pool[session_id.public_id].must_be_nil
+  end
+
   # anyone know how to do this better?
   it "should merge sessions when multithreaded" do
     unless $DEBUG
@@ -191,7 +228,7 @@ describe Rack::Session::Pool do
   end
 
   it "does not return a cookie if cookie was not written (only read)" do
-    app = Rack::Session::Pool.new(session_id)
+    app = Rack::Session::Pool.new(get_session_id)
     res = Rack::MockRequest.new(app).get("/")
     res["Set-Cookie"].must_be_nil
   end

data/test/spec_show_exceptions.rb

@@ -77,4 +77,17 @@ describe Rack::ShowExceptions do
     assert_match(res, /ShowExceptions/)
     assert_match(res, /unknown location/)
   end
+
+  it "knows to prefer plaintext for non-html" do
+    # We don't need an app for this
+    exc = Rack::ShowExceptions.new(nil)
+
+    [
+      [{ "HTTP_ACCEPT" => "text/plain" }, true],
+      [{ "HTTP_ACCEPT" => "text/foo" }, true],
+      [{ "HTTP_ACCEPT" => "text/html" }, false]
+    ].each do |env, expected|
+      assert_equal(expected, exc.prefers_plaintext?(env))
+    end
+  end
 end

data/test/spec_webrick.rb

@@ -1,7 +1,6 @@
 require 'minitest/autorun'
 require 'rack/mock'
-require 'concurrent/utility/native_integer'
-require 'concurrent/atomic/count_down_latch'
+require 'thread'
 require File.expand_path('../testrequest', __FILE__)
 
 Thread.abort_on_exception = true
@@ -120,8 +119,7 @@ describe Rack::Handler::WEBrick do
   end
 
   it "provide a .run" do
-    block_ran = false
-    latch = Concurrent::CountDownLatch.new 1
+    queue = Queue.new
 
     t = Thread.new do
       Rack::Handler::WEBrick.run(lambda {},
@@ -132,13 +130,12 @@ describe Rack::Handler::WEBrick do
                                    :AccessLog => []}) { |server|
         block_ran = true
         assert_kind_of WEBrick::HTTPServer, server
-        @s = server
-        latch.count_down
+        queue.push(server)
       }
     end
 
-    latch.wait
-    @s.shutdown
+    server = queue.pop
+    server.shutdown
     t.join
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.0.8
 platform: ruby
 authors:
-- Christian Neukirchen
+- Leah Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-15 00:00:00.000000000 Z
+date: 2019-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -38,20 +38,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: concurrent-ruby
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -73,8 +59,8 @@ description: |
   servers, web frameworks, and software in between (the so-called
   middleware) into a single method call.
 
-  Also see http://rack.github.io/.
-email: chneukirchen@gmail.com
+  Also see https://rack.github.io/.
+email: leah@vuxu.org
 executables:
 - rackup
 extensions: []
@@ -269,7 +255,7 @@ files:
 - test/testrequest.rb
 - test/unregistered_handler/rack/handler/unregistered.rb
 - test/unregistered_handler/rack/handler/unregistered_long_one.rb
-homepage: http://rack.github.io/
+homepage: https://rack.github.io/
 licenses:
 - MIT
 metadata: {}
@@ -288,60 +274,59 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_auth_basic.rb
-- test/spec_auth_digest.rb
-- test/spec_body_proxy.rb
-- test/spec_builder.rb
-- test/spec_cascade.rb
-- test/spec_cgi.rb
-- test/spec_chunked.rb
-- test/spec_common_logger.rb
-- test/spec_conditional_get.rb
-- test/spec_config.rb
-- test/spec_content_length.rb
-- test/spec_content_type.rb
+- test/spec_multipart.rb
 - test/spec_deflater.rb
-- test/spec_directory.rb
+- test/spec_static.rb
+- test/spec_session_cookie.rb
+- test/spec_session_pool.rb
 - test/spec_etag.rb
-- test/spec_events.rb
-- test/spec_fastcgi.rb
-- test/spec_file.rb
+- test/spec_version.rb
 - test/spec_handler.rb
-- test/spec_head.rb
-- test/spec_lint.rb
-- test/spec_lobster.rb
-- test/spec_lock.rb
-- test/spec_logger.rb
-- test/spec_media_type.rb
-- test/spec_method_override.rb
+- test/spec_thin.rb
+- test/spec_session_abstract_id.rb
 - test/spec_mime.rb
-- test/spec_mock.rb
-- test/spec_multipart.rb
-- test/spec_null_logger.rb
 - test/spec_recursive.rb
+- test/spec_null_logger.rb
+- test/spec_media_type.rb
+- test/spec_cgi.rb
+- test/spec_method_override.rb
+- test/spec_content_type.rb
+- test/spec_session_abstract_session_hash.rb
 - test/spec_request.rb
-- test/spec_response.rb
-- test/spec_rewindable_input.rb
+- test/spec_chunked.rb
+- test/spec_show_exceptions.rb
 - test/spec_runtime.rb
+- test/spec_fastcgi.rb
+- test/spec_common_logger.rb
+- test/spec_builder.rb
+- test/spec_config.rb
+- test/spec_utils.rb
 - test/spec_sendfile.rb
+- test/spec_lobster.rb
+- test/spec_lint.rb
+- test/spec_conditional_get.rb
+- test/spec_tempfile_reaper.rb
+- test/spec_mock.rb
 - test/spec_server.rb
-- test/spec_session_abstract_id.rb
-- test/spec_session_abstract_session_hash.rb
-- test/spec_session_cookie.rb
-- test/spec_session_memcache.rb
-- test/spec_session_pool.rb
-- test/spec_show_exceptions.rb
+- test/spec_directory.rb
+- test/spec_webrick.rb
+- test/spec_response.rb
+- test/spec_file.rb
 - test/spec_show_status.rb
-- test/spec_static.rb
-- test/spec_tempfile_reaper.rb
-- test/spec_thin.rb
+- test/spec_body_proxy.rb
+- test/spec_logger.rb
+- test/spec_auth_digest.rb
 - test/spec_urlmap.rb
-- test/spec_utils.rb
-- test/spec_version.rb
-- test/spec_webrick.rb
+- test/spec_events.rb
+- test/spec_cascade.rb
+- test/spec_auth_basic.rb
+- test/spec_head.rb
+- test/spec_lock.rb
+- test/spec_rewindable_input.rb
+- test/spec_session_memcache.rb
+- test/spec_content_length.rb