rack 2.0.9.4 → 2.1.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of rack might be problematic. Click here for more details.

Files changed (188) hide show
  1. checksums.yaml +4 -4
  2. data/{HISTORY.md → CHANGELOG.md} +214 -164
  3. data/{COPYING → MIT-LICENSE} +4 -2
  4. data/README.rdoc +79 -133
  5. data/Rakefile +25 -18
  6. data/SPEC +9 -9
  7. data/bin/rackup +1 -0
  8. data/example/lobster.ru +2 -0
  9. data/example/protectedlobster.rb +3 -1
  10. data/example/protectedlobster.ru +2 -0
  11. data/lib/rack/auth/abstract/handler.rb +3 -1
  12. data/lib/rack/auth/abstract/request.rb +2 -0
  13. data/lib/rack/auth/basic.rb +4 -1
  14. data/lib/rack/auth/digest/md5.rb +9 -7
  15. data/lib/rack/auth/digest/nonce.rb +6 -3
  16. data/lib/rack/auth/digest/params.rb +4 -2
  17. data/lib/rack/auth/digest/request.rb +2 -0
  18. data/lib/rack/body_proxy.rb +3 -6
  19. data/lib/rack/builder.rb +38 -15
  20. data/lib/rack/cascade.rb +6 -5
  21. data/lib/rack/chunked.rb +29 -6
  22. data/lib/rack/common_logger.rb +9 -11
  23. data/lib/rack/conditional_get.rb +3 -1
  24. data/lib/rack/config.rb +2 -0
  25. data/lib/rack/content_length.rb +3 -1
  26. data/lib/rack/content_type.rb +3 -1
  27. data/lib/rack/core_ext/regexp.rb +14 -0
  28. data/lib/rack/deflater.rb +28 -17
  29. data/lib/rack/directory.rb +17 -14
  30. data/lib/rack/etag.rb +3 -1
  31. data/lib/rack/events.rb +5 -3
  32. data/lib/rack/file.rb +5 -173
  33. data/lib/rack/files.rb +178 -0
  34. data/lib/rack/handler/cgi.rb +3 -1
  35. data/lib/rack/handler/fastcgi.rb +4 -2
  36. data/lib/rack/handler/lsws.rb +3 -1
  37. data/lib/rack/handler/scgi.rb +9 -6
  38. data/lib/rack/handler/thin.rb +3 -1
  39. data/lib/rack/handler/webrick.rb +4 -2
  40. data/lib/rack/handler.rb +7 -2
  41. data/lib/rack/head.rb +2 -0
  42. data/lib/rack/lint.rb +15 -12
  43. data/lib/rack/lobster.rb +7 -5
  44. data/lib/rack/lock.rb +2 -0
  45. data/lib/rack/logger.rb +2 -0
  46. data/lib/rack/media_type.rb +10 -5
  47. data/lib/rack/method_override.rb +4 -2
  48. data/lib/rack/mime.rb +9 -1
  49. data/lib/rack/mock.rb +74 -15
  50. data/lib/rack/multipart/generator.rb +6 -7
  51. data/lib/rack/multipart/parser.rb +55 -62
  52. data/lib/rack/multipart/uploaded_file.rb +2 -0
  53. data/lib/rack/multipart.rb +6 -3
  54. data/lib/rack/null_logger.rb +2 -0
  55. data/lib/rack/query_parser.rb +51 -25
  56. data/lib/rack/recursive.rb +7 -5
  57. data/lib/rack/reloader.rb +10 -4
  58. data/lib/rack/request.rb +79 -26
  59. data/lib/rack/response.rb +71 -31
  60. data/lib/rack/rewindable_input.rb +4 -2
  61. data/lib/rack/runtime.rb +4 -2
  62. data/lib/rack/sendfile.rb +15 -8
  63. data/lib/rack/server.rb +88 -16
  64. data/lib/rack/session/abstract/id.rb +40 -22
  65. data/lib/rack/session/cookie.rb +10 -9
  66. data/lib/rack/session/memcache.rb +4 -93
  67. data/lib/rack/session/pool.rb +4 -2
  68. data/lib/rack/show_exceptions.rb +15 -9
  69. data/lib/rack/show_status.rb +4 -2
  70. data/lib/rack/static.rb +15 -10
  71. data/lib/rack/tempfile_reaper.rb +2 -0
  72. data/lib/rack/urlmap.rb +11 -2
  73. data/lib/rack/utils.rb +64 -93
  74. data/lib/rack.rb +63 -60
  75. data/rack.gemspec +17 -7
  76. metadata +33 -175
  77. data/test/builder/an_underscore_app.rb +0 -5
  78. data/test/builder/anything.rb +0 -5
  79. data/test/builder/comment.ru +0 -4
  80. data/test/builder/end.ru +0 -5
  81. data/test/builder/line.ru +0 -1
  82. data/test/builder/options.ru +0 -2
  83. data/test/cgi/assets/folder/test.js +0 -1
  84. data/test/cgi/assets/fonts/font.eot +0 -1
  85. data/test/cgi/assets/images/image.png +0 -1
  86. data/test/cgi/assets/index.html +0 -1
  87. data/test/cgi/assets/javascripts/app.js +0 -1
  88. data/test/cgi/assets/stylesheets/app.css +0 -1
  89. data/test/cgi/lighttpd.conf +0 -26
  90. data/test/cgi/rackup_stub.rb +0 -6
  91. data/test/cgi/sample_rackup.ru +0 -5
  92. data/test/cgi/test +0 -9
  93. data/test/cgi/test+directory/test+file +0 -1
  94. data/test/cgi/test.fcgi +0 -9
  95. data/test/cgi/test.gz +0 -0
  96. data/test/cgi/test.ru +0 -5
  97. data/test/gemloader.rb +0 -10
  98. data/test/helper.rb +0 -34
  99. data/test/multipart/bad_robots +0 -259
  100. data/test/multipart/binary +0 -0
  101. data/test/multipart/content_type_and_no_filename +0 -6
  102. data/test/multipart/empty +0 -10
  103. data/test/multipart/fail_16384_nofile +0 -814
  104. data/test/multipart/file1.txt +0 -1
  105. data/test/multipart/filename_and_modification_param +0 -7
  106. data/test/multipart/filename_and_no_name +0 -6
  107. data/test/multipart/filename_with_encoded_words +0 -7
  108. data/test/multipart/filename_with_escaped_quotes +0 -6
  109. data/test/multipart/filename_with_escaped_quotes_and_modification_param +0 -7
  110. data/test/multipart/filename_with_null_byte +0 -7
  111. data/test/multipart/filename_with_percent_escaped_quotes +0 -6
  112. data/test/multipart/filename_with_single_quote +0 -7
  113. data/test/multipart/filename_with_unescaped_percentages +0 -6
  114. data/test/multipart/filename_with_unescaped_percentages2 +0 -6
  115. data/test/multipart/filename_with_unescaped_percentages3 +0 -6
  116. data/test/multipart/filename_with_unescaped_quotes +0 -6
  117. data/test/multipart/ie +0 -6
  118. data/test/multipart/invalid_character +0 -6
  119. data/test/multipart/mixed_files +0 -21
  120. data/test/multipart/nested +0 -10
  121. data/test/multipart/none +0 -9
  122. data/test/multipart/quoted +0 -15
  123. data/test/multipart/rack-logo.png +0 -0
  124. data/test/multipart/semicolon +0 -6
  125. data/test/multipart/text +0 -15
  126. data/test/multipart/three_files_three_fields +0 -31
  127. data/test/multipart/unity3d_wwwform +0 -11
  128. data/test/multipart/webkit +0 -32
  129. data/test/rackup/config.ru +0 -31
  130. data/test/registering_handler/rack/handler/registering_myself.rb +0 -8
  131. data/test/spec_auth_basic.rb +0 -89
  132. data/test/spec_auth_digest.rb +0 -260
  133. data/test/spec_body_proxy.rb +0 -85
  134. data/test/spec_builder.rb +0 -233
  135. data/test/spec_cascade.rb +0 -63
  136. data/test/spec_cgi.rb +0 -84
  137. data/test/spec_chunked.rb +0 -103
  138. data/test/spec_common_logger.rb +0 -107
  139. data/test/spec_conditional_get.rb +0 -103
  140. data/test/spec_config.rb +0 -23
  141. data/test/spec_content_length.rb +0 -86
  142. data/test/spec_content_type.rb +0 -46
  143. data/test/spec_deflater.rb +0 -375
  144. data/test/spec_directory.rb +0 -148
  145. data/test/spec_etag.rb +0 -108
  146. data/test/spec_events.rb +0 -133
  147. data/test/spec_fastcgi.rb +0 -85
  148. data/test/spec_file.rb +0 -264
  149. data/test/spec_handler.rb +0 -57
  150. data/test/spec_head.rb +0 -46
  151. data/test/spec_lint.rb +0 -520
  152. data/test/spec_lobster.rb +0 -59
  153. data/test/spec_lock.rb +0 -204
  154. data/test/spec_logger.rb +0 -24
  155. data/test/spec_media_type.rb +0 -42
  156. data/test/spec_method_override.rb +0 -110
  157. data/test/spec_mime.rb +0 -51
  158. data/test/spec_mock.rb +0 -359
  159. data/test/spec_multipart.rb +0 -721
  160. data/test/spec_null_logger.rb +0 -21
  161. data/test/spec_recursive.rb +0 -75
  162. data/test/spec_request.rb +0 -1423
  163. data/test/spec_response.rb +0 -528
  164. data/test/spec_rewindable_input.rb +0 -128
  165. data/test/spec_runtime.rb +0 -50
  166. data/test/spec_sendfile.rb +0 -125
  167. data/test/spec_server.rb +0 -193
  168. data/test/spec_session_abstract_id.rb +0 -31
  169. data/test/spec_session_abstract_session_hash.rb +0 -45
  170. data/test/spec_session_cookie.rb +0 -442
  171. data/test/spec_session_memcache.rb +0 -357
  172. data/test/spec_session_persisted_secure_secure_session_hash.rb +0 -73
  173. data/test/spec_session_pool.rb +0 -247
  174. data/test/spec_show_exceptions.rb +0 -93
  175. data/test/spec_show_status.rb +0 -104
  176. data/test/spec_static.rb +0 -184
  177. data/test/spec_tempfile_reaper.rb +0 -64
  178. data/test/spec_thin.rb +0 -96
  179. data/test/spec_urlmap.rb +0 -237
  180. data/test/spec_utils.rb +0 -742
  181. data/test/spec_version.rb +0 -11
  182. data/test/spec_webrick.rb +0 -206
  183. data/test/static/another/index.html +0 -1
  184. data/test/static/foo.html +0 -1
  185. data/test/static/index.html +0 -1
  186. data/test/testrequest.rb +0 -78
  187. data/test/unregistered_handler/rack/handler/unregistered.rb +0 -7
  188. data/test/unregistered_handler/rack/handler/unregistered_long_one.rb +0 -7
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3418ae80f8de1427728a2e17364b9c8d124f2efb3e2ce6ebd2fbf6ba08c76efa
4
- data.tar.gz: 2ba9cd20d9b168c583813b6c1e0d39cb6b8f33d110605b2c28c97dac60718cfc
3
+ metadata.gz: e12f073e1e04051923534a08cf31f175959a4217f1a793f43283e1bb902a7225
4
+ data.tar.gz: e96008a1e0f77466d55c3834da7df2a4c640ec213306bab87e19bad5a9042c2c
5
5
  SHA512:
6
- metadata.gz: ff2af28dd5b0b338c61d95eb793ac577098803374db893f739402ebd41ee75a1ebab4eba32474e2e68014475f0f5e71ad8fff3b4270fe3c9f281eaf3024c4b32
7
- data.tar.gz: 6ebf297cb644ab382bcf02d3c0a7b4376223222ccaca426e093ecba02a4a9302324199ecd43788aa5f248b060f3c37a16fe820ebb9b46570dc2831627ef486d0
6
+ metadata.gz: f73e64b61cd21153bb90d23811b28026caa652f8eb4c682ebc02d8d5967b537f07c08d3d1b6d70cc14482d687637a2e539b384b119eb5b9be0d40c994577a2e7
7
+ data.tar.gz: 512be9498bf6b40a18a7c4d3bcce2e2bc1818185e30e522def5c9461cfaa8ad68282b09f6457f40a38779e7711b732cc9dc0b126f96b35f3b451b8709cc45f9b
@@ -1,177 +1,229 @@
1
- Thu Mar 2 14:50:46 2023 Aaron Patterson <tenderlove@ruby-lang.org>
1
+ # Changelog
2
2
 
3
- * [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
3
+ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
- Tue Jan 17 12:27:04 2023 Aaron Patterson <tenderlove@ruby-lang.org>
5
+ ## Unreleased
6
6
 
7
- * [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
8
- * [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
9
- * [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
7
+ _Note: There are many unreleased changes in Rack (`master` is around 300 commits ahead of `2-0-stable`), and below is not an exhaustive list. If you would like to help out and document some of the unreleased changes, PRs are welcome._
10
8
 
11
- Fri May 27 08:27:04 2022 Aaron Patterson <tenderlove@ruby-lang.org>
9
+ ### Added
12
10
 
13
- * [CVE-2022-30123] Fix shell escaping issue in Common Logger
14
- * [CVE-2022-30122] Restrict parsing of broken MIME attachments
11
+ - Add support for `SameSite=None` cookie value. ([@hennikul](https://github.com/hennikul))
12
+ - Add trailer headers. ([@eileencodes](https://github.com/eileencodes))
13
+ - Add MIME Types for video streaming. ([@styd](https://github.com/styd))
14
+ - Add MIME Type for WASM. ([@buildrtech](https://github.com/buildrtech))
15
+ - Add `Early Hints(103)` to status codes. ([@egtra](https://github.com/egtra))
16
+ - Add `Too Early(425)` to status codes. ([@y-yagi]((https://github.com/y-yagi)))
17
+ - Add `Bandwidth Limit Exceeded(509)` to status codes. ([@CJKinni](https://github.com/CJKinni))
18
+ - Add method for custom `ip_filter`. ([@svcastaneda](https://github.com/svcastaneda))
19
+ - Add boot-time profiling capabilities to `rackup`. ([@tenderlove](https://github.com/tenderlove))
20
+ - Add multi mapping support for `X-Accel-Mappings` header. ([@yoshuki](https://github.com/yoshuki))
21
+ - Add `sync: false` option to `Rack::Deflater`. (Eric Wong)
22
+ - Add `Builder#freeze_app` to freeze application and all middleware instances. ([@jeremyevans](https://github.com/jeremyevans))
23
+ - Add API to extract cookies from `Rack::MockResponse`. ([@petercline](https://github.com/petercline))
15
24
 
16
- Sun Dec 4 18:48:03 2015 Jeremy Daer <jeremydaer@gmail.com>
25
+ ### Changed
17
26
 
18
- * First-party "SameSite" cookies. Browsers omit SameSite cookies
19
- from third-party requests, closing the door on many CSRF attacks.
27
+ - Don't propagate nil values from middleware. ([@ioquatix](https://github.com/ioquatix))
28
+ - Lazily initialize the response body and only buffer it if required. ([@ioquatix](https://github.com/ioquatix))
29
+ - Fix deflater zlib buffer errors on empty body part. ([@felixbuenemann](https://github.com/felixbuenemann))
30
+ - Set `X-Accel-Redirect` to percent-encoded path. ([@diskkid](https://github.com/diskkid))
31
+ - Remove unnecessary buffer growing when parsing multipart. ([@tainoe](https://github.com/tainoe))
32
+ - Expand the root path in `Rack::Static` upon initialization. ([@rosenfeld](https://github.com/rosenfeld))
33
+ - Make `ShowExceptions` work with binary data. ([@axyjo](https://github.com/axyjo))
34
+ - Use buffer string when parsing multipart requests. ([@janko-m](https://github.com/janko-m))
35
+ - Support optional UTF-8 Byte Order Mark (BOM) in config.ru. ([@mikegee](https://github.com/mikegee))
36
+ - Handle `X-Forwarded-For` with optional port. ([@dpritchett](https://github.com/dpritchett))
37
+ - Use `Time#httpdate` format for Expires, as proposed by RFC 7231. ([@nanaya](https://github.com/nanaya))
38
+ - Make `Utils.status_code` raise an error when the status symbol is invalid instead of `500`. ([@adambutler](https://github.com/adambutler))
39
+ - Rename `Request::SCHEME_WHITELIST` to `Request::ALLOWED_SCHEMES`.
40
+ - Make `Multipart::Parser.get_filename` accept files with `+` in their name. ([@lucaskanashiro](https://github.com/lucaskanashiro))
41
+ - Add Falcon to the default handler fallbacks. ([@ioquatix](https://github.com/ioquatix))
42
+ - Update codebase to avoid string mutations in preparation for `frozen_string_literals`. ([@pat](https://github.com/pat))
43
+ - Change `MockRequest#env_for` to rely on the input optionally responding to `#size` instead of `#length`. ([@janko](https://github.com/janko))
44
+ - Rename `Rack::File` -> `Rack::Files` and add deprecation notice. ([@postmodern](https://github.com/postmodern)).
20
45
 
21
- Pass `same_site: true` (or `:strict`) to enable:
22
- response.set_cookie 'foo', value: 'bar', same_site: true
23
- or `same_site: :lax` to use Lax enforcement:
24
- response.set_cookie 'foo', value: 'bar', same_site: :lax
46
+ ### Removed
25
47
 
26
- Based on version 7 of the Same-site Cookies internet draft:
27
- https://tools.ietf.org/html/draft-west-first-party-cookies-07
48
+ - Remove `to_ary` from Response ([@tenderlove](https://github.com/tenderlove))
49
+ - Deprecate `Rack::Session::Memcache` in favor of `Rack::Session::Dalli` from dalli gem ([@fatkodima](https://github.com/fatkodima))
28
50
 
29
- Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
30
- updating to drafts 5 and 7.
51
+ ### Documentation
31
52
 
32
- Tue Nov 3 16:17:26 2015 Aaron Patterson <tenderlove@ruby-lang.org>
53
+ - Update broken example in `Session::Abstract::ID` documentation. ([tonytonyjan](https://github.com/tonytonyjan))
54
+ - Add Padrino to the list of frameworks implmenting Rack. ([@wikimatze](https://github.com/wikimatze))
55
+ - Remove Mongrel from the suggested server options in the help output. ([@tricknotes](https://github.com/tricknotes))
56
+ - Replace `HISTORY.md` and `NEWS.md` with `CHANGELOG.md`. ([@twitnithegirl](https://github.com/twitnithegirl))
57
+ - Backfill `CHANGELOG.md` from 2.0.1 to 2.0.7 releases. ([@drenmi](https://github.com/Drenmi))
33
58
 
34
- * Add `Rack::Events` middleware for adding event based middleware:
35
- middleware that does not care about the response body, but only cares
36
- about doing work at particular points in the request / response
37
- lifecycle.
59
+ ## [2.0.8] - 2019-12-08
38
60
 
39
- Thu Oct 8 14:58:46 2015 Aaron Patterson <tenderlove@ruby-lang.org>
61
+ - [[CVE-2019-16782](https://nvd.nist.gov/vuln/detail/CVE-2019-16782)] Prevent timing attacks targeted at session ID lookup. BREAKING CHANGE: Session ID is now a SessionId instance instead of a String. ([@tenderlove](https://github.com/tenderlove), [@rafaelfranca](https://github.com/rafaelfranca))
40
62
 
41
- * Add `Rack::Request#authority` to calculate the authority under which
42
- the response is being made (this will be handy for h2 pushes).
63
+ ## [1.6.12] - 2019-12-08
43
64
 
44
- Tue Oct 6 13:19:04 2015 Aaron Patterson <tenderlove@ruby-lang.org>
65
+ - [[CVE-2019-16782](https://nvd.nist.gov/vuln/detail/CVE-2019-16782)] Prevent timing attacks targeted at session ID lookup. BREAKING CHANGE: Session ID is now a SessionId instance instead of a String. ([@tenderlove](https://github.com/tenderlove), [@rafaelfranca](https://github.com/rafaelfranca))
45
66
 
46
- * Add `Rack::Response::Helpers#cache_control` and `cache_control=`.
47
- Use this for setting cache control headers on your response objects.
67
+ ## [2.0.7] - 2019-04-02
48
68
 
49
- Tue Oct 6 13:12:21 2015 Aaron Patterson <tenderlove@ruby-lang.org>
69
+ ### Fixed
50
70
 
51
- * Add `Rack::Response::Helpers#etag` and `etag=`. Use this for
52
- setting etag values on the response.
71
+ - Remove calls to `#eof?` on Rack input in `Multipart::Parser`, as this breaks the specification. ([@matthewd](https://github.com/matthewd))
72
+ - Preserve forwarded IP addresses for trusted proxy chains. ([@SamSaffron](https://github.com/SamSaffron))
53
73
 
54
- Sun Oct 3 18:25:03 2015 Jeremy Daer <jeremydaer@gmail.com>
74
+ ## [2.0.6] - 2018-11-05
55
75
 
56
- * Introduce `Rack::Response::Helpers#add_header` to add a value to a
57
- multi-valued response header. Implemented in terms of other
58
- `Response#*_header` methods, so it's available to any response-like
59
- class that includes the `Helpers` module.
76
+ ### Fixed
60
77
 
61
- * Add `Rack::Request#add_header` to match.
78
+ - [[CVE-2018-16470](https://nvd.nist.gov/vuln/detail/CVE-2018-16470)] Reduce buffer size of `Multipart::Parser` to avoid pathological parsing. ([@tenderlove](https://github.com/tenderlove))
79
+ - Fix a call to a non-existing method `#accepts_html` in the `ShowExceptions` middleware. ([@tomelm](https://github.com/tomelm))
80
+ - [[CVE-2018-16471](https://nvd.nist.gov/vuln/detail/CVE-2018-16471)] Whitelist HTTP and HTTPS schemes in `Request#scheme` to prevent a possible XSS attack. ([@PatrickTulskie](https://github.com/PatrickTulskie))
62
81
 
63
- Fri Sep 4 18:34:53 2015 Aaron Patterson <tenderlove@ruby-lang.org>
82
+ ## [2.0.5] - 2018-04-23
64
83
 
65
- * `Rack::Session::Abstract::ID` IS DEPRECATED. Please switch to
66
- `Rack::Session::Abstract::Persisted`.
67
- `Rack::Session::Abstract::Persisted` uses a request object rather than
68
- the `env` hash.
84
+ ### Fixed
69
85
 
70
- Fri Sep 4 17:32:12 2015 Aaron Patterson <tenderlove@ruby-lang.org>
86
+ - Record errors originating from invalid UTF8 in `MethodOverride` middleware instead of breaking. ([@mclark](https://github.com/mclark))
71
87
 
72
- * Pull `ENV` access inside the request object in to a module. This
73
- will help with legacy Request objects that are ENV based but don't
74
- want to inherit from Rack::Request
88
+ ## [2.0.4] - 2018-01-31
75
89
 
76
- Fri Sep 4 16:09:11 2015 Aaron Patterson <tenderlove@ruby-lang.org>
90
+ ### Changed
77
91
 
78
- * Move most methods on the `Rack::Request` to a module
79
- `Rack::Request::Helpers` and use public API to get values from the
80
- request object. This enables users to mix `Rack::Request::Helpers` in
81
- to their own objects so they can implement
82
- `(get|set|fetch|each)_header` as they see fit (for example a proxy
83
- object).
92
+ - Ensure the `Lock` middleware passes the original `env` object. ([@lugray](https://github.com/lugray))
93
+ - Improve performance of `Multipart::Parser` when uploading large files. ([@tompng](https://github.com/tompng))
94
+ - Increase buffer size in `Multipart::Parser` for better performance. ([@jkowens](https://github.com/jkowens))
95
+ - Reduce memory usage of `Multipart::Parser` when uploading large files. ([@tompng](https://github.com/tompng))
96
+ - Replace ConcurrentRuby dependency with native `Queue`. ([@devmchakan](https://github.com/devmchakan))
84
97
 
85
- Fri Sep 4 14:15:32 2015 Aaron Patterson <tenderlove@ruby-lang.org>
98
+ ### Fixed
86
99
 
87
- * Files and directories with + in the name are served correctly.
88
- Rather than unescaping paths like a form, we unescape with a URI
89
- parser using `Rack::Utils.unescape_path`. Fixes #265
100
+ - Require the correct digest algorithm in the `ETag` middleware. ([@matthewd](https://github.com/matthewd))
90
101
 
91
- Thu Aug 27 15:43:48 2015 Aaron Patterson <tenderlove@ruby-lang.org>
102
+ ### Documentation
92
103
 
93
- * Tempfiles are automatically closed in the case that there were too
94
- many posted.
104
+ - Update homepage links to use SSL. ([@hugoabonizio](https://github.com/hugoabonizio))
95
105
 
96
- Thu Aug 27 11:00:03 2015 Aaron Patterson <tenderlove@ruby-lang.org>
106
+ ## [2.0.3] - 2017-05-15
97
107
 
98
- * Added methods for manipulating response headers that don't assume
99
- they're stored as a Hash. Response-like classes may include the
100
- Rack::Response::Helpers module if they define these methods:
108
+ ### Changed
101
109
 
102
- * Rack::Response#has_header?
103
- * Rack::Response#get_header
104
- * Rack::Response#set_header
105
- * Rack::Response#delete_header
110
+ - Ensure `env` values are ASCII 8-bit encoded. ([@eileencodes](https://github.com/eileencodes))
106
111
 
107
- Mon Aug 24 18:05:23 2015 Aaron Patterson <tenderlove@ruby-lang.org>
112
+ ### Fixed
108
113
 
109
- * Introduce Util.get_byte_ranges that will parse the value of the
110
- HTTP_RANGE string passed to it without depending on the `env` hash.
111
- `byte_ranges` is deprecated in favor of this method.
114
+ - Prevent exceptions when a class with mixins inherits from `Session::Abstract::ID`. ([@jnraine](https://github.com/jnraine))
112
115
 
113
- Sat Aug 22 17:49:49 2015 Aaron Patterson <tenderlove@ruby-lang.org>
116
+ ## [2.0.2] - 2017-05-08
114
117
 
115
- * Change Session internals to use Request objects for looking up
116
- session information. This allows us to only allocate one request
117
- object when dealing with session objects (rather than doing it every
118
- time we need to manipulate cookies, etc).
118
+ ### Added
119
119
 
120
- Fri Aug 21 16:30:51 2015 Aaron Patterson <tenderlove@ruby-lang.org>
120
+ - Allow `Session::Abstract::SessionHash#fetch` to accept a block with a default value. ([@yannvanhalewyn](https://github.com/yannvanhalewyn))
121
+ - Add `Builder#freeze_app` to freeze application and all middleware. ([@jeremyevans](https://github.com/jeremyevans))
121
122
 
122
- * Add `Rack::Request#initialize_copy` so that the env is duped when
123
- the request gets duped.
123
+ ### Changed
124
124
 
125
- Thu Aug 20 16:20:58 2015 Aaron Patterson <tenderlove@ruby-lang.org>
125
+ - Freeze default session options to avoid accidental mutation. ([@kirs](https://github.com/kirs))
126
+ - Detect partial hijack without hash headers. ([@devmchakan](https://github.com/devmchakan))
127
+ - Update tests to use MiniTest 6 matchers. ([@tonytonyjan](https://github.com/tonytonyjan))
128
+ - Allow 205 Reset Content responses to set a Content-Length, as RFC 7231 proposes setting this to 0. ([@devmchakan](https://github.com/devmchakan))
126
129
 
127
- * Added methods for manipulating request specific data. This includes
128
- data set as CGI parameters, and just any arbitrary data the user wants
129
- to associate with a particular request. New methods:
130
+ ### Fixed
131
+
132
+ - Handle `NULL` bytes in multipart filenames. ([@casperisfine](https://github.com/casperisfine))
133
+ - Remove warnings due to miscapitalized global. ([@ioquatix](https://github.com/ioquatix))
134
+ - Prevent exceptions caused by a race condition on multi-threaded servers. ([@sophiedeziel](https://github.com/sophiedeziel))
135
+ - Add RDoc as an explicit depencency for `doc` group. ([@tonytonyjan](https://github.com/tonytonyjan))
136
+ - Record errors originating from `Multipart::Parser` in the `MethodOverride` middleware instead of letting them bubble up. ([@carlzulauf](https://github.com/carlzulauf))
137
+ - Remove remaining use of removed `Utils#bytesize` method from the `File` middleware. ([@brauliomartinezlm](https://github.com/brauliomartinezlm))
138
+
139
+ ### Removed
140
+
141
+ - Remove `deflate` encoding support to reduce caching overhead. ([@devmchakan](https://github.com/devmchakan))
142
+
143
+ ### Documentation
144
+
145
+ - Update broken example in `Deflater` documentation. ([@mwpastore](https://github.com/mwpastore))
146
+
147
+ ## [2.0.1] - 2016-06-30
130
148
 
131
- * Rack::Request#has_header?
132
- * Rack::Request#get_header
133
- * Rack::Request#fetch_header
134
- * Rack::Request#each_header
135
- * Rack::Request#set_header
136
- * Rack::Request#delete_header
149
+ ### Changed
137
150
 
138
- Thu Jun 18 16:00:05 2015 Aaron Patterson <tenderlove@ruby-lang.org>
151
+ - Remove JSON as an explicit dependency. ([@mperham](https://github.com/mperham))
139
152
 
140
- * lib/rack/utils.rb: add a method for constructing "delete" cookie
153
+
154
+ # History/News Archive
155
+ Items below this line are from the previously maintained HISTORY.md and NEWS.md files.
156
+
157
+ ## [2.0.0.rc1] 2016-05-06
158
+ - Rack::Session::Abstract::ID is deprecated. Please change to use Rack::Session::Abstract::Persisted
159
+
160
+ ## [2.0.0.alpha] 2015-12-04
161
+ - First-party "SameSite" cookies. Browsers omit SameSite cookies from third-party requests, closing the door on many CSRF attacks.
162
+ - Pass `same_site: true` (or `:strict`) to enable: response.set_cookie 'foo', value: 'bar', same_site: true or `same_site: :lax` to use Lax enforcement: response.set_cookie 'foo', value: 'bar', same_site: :lax
163
+ - Based on version 7 of the Same-site Cookies internet draft:
164
+ https://tools.ietf.org/html/draft-west-first-party-cookies-07
165
+ - Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for updating to drafts 5 and 7.
166
+ - Add `Rack::Events` middleware for adding event based middleware: middleware that does not care about the response body, but only cares about doing work at particular points in the request / response lifecycle.
167
+ - Add `Rack::Request#authority` to calculate the authority under which the response is being made (this will be handy for h2 pushes).
168
+ - Add `Rack::Response::Helpers#cache_control` and `cache_control=`. Use this for setting cache control headers on your response objects.
169
+ - Add `Rack::Response::Helpers#etag` and `etag=`. Use this for setting etag values on the response.
170
+ - Introduce `Rack::Response::Helpers#add_header` to add a value to a multi-valued response header. Implemented in terms of other `Response#*_header` methods, so it's available to any response-like class that includes the `Helpers` module.
171
+ - Add `Rack::Request#add_header` to match.
172
+ - `Rack::Session::Abstract::ID` IS DEPRECATED. Please switch to `Rack::Session::Abstract::Persisted`. `Rack::Session::Abstract::Persisted` uses a request object rather than the `env` hash.
173
+ - Pull `ENV` access inside the request object in to a module. This will help with legacy Request objects that are ENV based but don't want to inherit from Rack::Request
174
+ - Move most methods on the `Rack::Request` to a module `Rack::Request::Helpers` and use public API to get values from the request object. This enables users to mix `Rack::Request::Helpers` in to their own objects so they can implement `(get|set|fetch|each)_header` as they see fit (for example a proxy object).
175
+ - Files and directories with + in the name are served correctly. Rather than unescaping paths like a form, we unescape with a URI parser using `Rack::Utils.unescape_path`. Fixes #265
176
+ - Tempfiles are automatically closed in the case that there were too
177
+ many posted.
178
+ - Added methods for manipulating response headers that don't assume
179
+ they're stored as a Hash. Response-like classes may include the
180
+ Rack::Response::Helpers module if they define these methods:
181
+ - Rack::Response#has_header?
182
+ - Rack::Response#get_header
183
+ - Rack::Response#set_header
184
+ - Rack::Response#delete_header
185
+ - Introduce Util.get_byte_ranges that will parse the value of the HTTP_RANGE string passed to it without depending on the `env` hash. `byte_ranges` is deprecated in favor of this method.
186
+ - Change Session internals to use Request objects for looking up session information. This allows us to only allocate one request object when dealing with session objects (rather than doing it every time we need to manipulate cookies, etc).
187
+ - Add `Rack::Request#initialize_copy` so that the env is duped when the request gets duped.
188
+ - Added methods for manipulating request specific data. This includes
189
+ data set as CGI parameters, and just any arbitrary data the user wants
190
+ to associate with a particular request. New methods:
191
+ - Rack::Request#has_header?
192
+ - Rack::Request#get_header
193
+ - Rack::Request#fetch_header
194
+ - Rack::Request#each_header
195
+ - Rack::Request#set_header
196
+ - Rack::Request#delete_header
197
+ - lib/rack/utils.rb: add a method for constructing "delete" cookie
141
198
  headers. This allows us to construct cookie headers without depending
142
199
  on the side effects of mutating a hash.
143
-
144
- Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
145
-
146
- * Prevent extremely deep parameters from being parsed. CVE-2015-3225
147
-
148
- ### May 6th, 2015, Thirty seventh public release 1.6.1
149
- - Fix CVE-2014-9490, denial of service attack in OkJson ([8cd610](https://github.com/rack/rack/commit/8cd61062954f70e0a03e2855704e95ff4bdd4f6e))
150
- - Use a monotonic time for Rack::Runtime, if available ([d170b2](https://github.com/rack/rack/commit/d170b2363c949dce60871f9d5a6bfc83da2bedb5))
151
- - RACK_MULTIPART_LIMIT changed to RACK_MULTIPART_PART_LIMIT (RACK_MULTIPART_LIMIT is deprecated and will be removed in 1.7.0) ([c096c5](https://github.com/rack/rack/commit/c096c50c00230d8eee13ad5f79ad027d9a3f3ca9))
152
- - See the full [git history](https://github.com/rack/rack/compare/1.6.0...1.6.1) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.6%22)
153
-
154
- ### May 6th, 2015, Thirty seventh public release 1.5.3
155
- - Fix CVE-2014-9490, denial of service attack in OkJson ([99f725](https://github.com/rack/rack/commit/99f725b583b357376ffbb7b3b042c5daa3106ad6))
156
- - Backport bug fixes to 1.5 series ([#585](https://github.com/rack/rack/pull/585), [#711](https://github.com/rack/rack/pull/711), [#756](https://github.com/rack/rack/pull/756))
157
- - See the full [git history](https://github.com/rack/rack/compare/1.5.2...1.5.3) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.5.3%22)
158
-
159
- ### December 18th, 2014, Thirty sixth public release 1.6.0
160
- - Response#unauthorized? helper ([#580](https://github.com/rack/rack/pull/580))
161
- - Deflater now accepts an options hash to control compression on a per-request level ([#457](https://github.com/rack/rack/pull/457))
162
- - Builder#warmup method for app preloading ([#617](https://github.com/rack/rack/pull/617))
163
- - Request#accept_language method to extract HTTP_ACCEPT_LANGUAGE ([#623](https://github.com/rack/rack/pull/623))
164
- - Add quiet mode of rack server, rackup --quiet ([#674](https://github.com/rack/rack/pull/674))
165
- - Update HTTP Status Codes to RFC 7231 ([#754](https://github.com/rack/rack/pull/754))
166
- - Less strict header name validation according to [RFC 2616](https://tools.ietf.org/html/rfc2616) ([#399](https://github.com/rack/rack/pull/399))
167
- - SPEC updated to specify headers conform to RFC7230 specification ([6839fc](https://github.com/rack/rack/commit/6839fc203339f021cb3267fb09cba89410f086e9))
168
- - Etag correctly marks etags as weak ([#681](https://github.com/rack/rack/issues/681))
169
- - Request#port supports multiple x-http-forwarded-proto values ([#669](https://github.com/rack/rack/pull/669))
170
- - Utils#multipart_part_limit configures the maximum number of parts a request can contain ([#684](https://github.com/rack/rack/pull/684))
171
- - Default host to localhost when in development mode ([#514](https://github.com/rack/rack/pull/514))
172
- - Various bugfixes and performance improvements (See the full [git history](https://github.com/rack/rack/compare/1.5.2...1.6.0) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.6%22))
173
-
174
- ### February 7th, 2013, Thirty fifth public release 1.5.2
200
+ - Prevent extremely deep parameters from being parsed. CVE-2015-3225
201
+
202
+ ## [1.6.1] 2015-05-06
203
+ - Fix CVE-2014-9490, denial of service attack in OkJson
204
+ - Use a monotonic time for Rack::Runtime, if available
205
+ - RACK_MULTIPART_LIMIT changed to RACK_MULTIPART_PART_LIMIT (RACK_MULTIPART_LIMIT is deprecated and will be removed in 1.7.0)
206
+
207
+ ## [1.5.3] 2015-05-06
208
+ - Fix CVE-2014-9490, denial of service attack in OkJson
209
+ - Backport bug fixes to 1.5 series
210
+
211
+ ## [1.6.0] 2014-01-18
212
+ - Response#unauthorized? helper
213
+ - Deflater now accepts an options hash to control compression on a per-request level
214
+ - Builder#warmup method for app preloading
215
+ - Request#accept_language method to extract HTTP_ACCEPT_LANGUAGE
216
+ - Add quiet mode of rack server, rackup --quiet
217
+ - Update HTTP Status Codes to RFC 7231
218
+ - Less strict header name validation according to RFC 2616
219
+ - SPEC updated to specify headers conform to RFC7230 specification
220
+ - Etag correctly marks etags as weak
221
+ - Request#port supports multiple x-http-forwarded-proto values
222
+ - Utils#multipart_part_limit configures the maximum number of parts a request can contain
223
+ - Default host to localhost when in development mode
224
+ - Various bugfixes and performance improvements
225
+
226
+ ## [1.5.2] 2013-02-07
175
227
  - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
176
228
  - Fix CVE-2013-0262, symlink path traversal in Rack::File
177
229
  - Add various methods to Session for enhanced Rails compatibility
@@ -181,26 +233,26 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
181
233
  - Fix a race condition that could result in overwritten pidfiles
182
234
  - Various documentation additions
183
235
 
184
- ### February 7th, 2013, Thirty fifth public release 1.4.5
236
+ ## [1.4.5] 2013-02-07
185
237
  - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
186
238
  - Fix CVE-2013-0262, symlink path traversal in Rack::File
187
239
 
188
- ### February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
240
+ ## [1.1.6, 1.2.8, 1.3.10] 2013-02-07
189
241
  - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
190
242
 
191
- ### January 28th, 2013: Thirty fourth public release 1.5.1
243
+ ## [1.5.1] 2013-01-28
192
244
  - Rack::Lint check_hijack now conforms to other parts of SPEC
193
245
  - Added hash-like methods to Abstract::ID::SessionHash for compatibility
194
246
  - Various documentation corrections
195
247
 
196
- ### January 21st, 2013: Thirty third public release 1.5.0
248
+ ## [1.5.0] 2013-01-21
197
249
  - Introduced hijack SPEC, for before-response and after-response hijacking
198
250
  - SessionHash is no longer a Hash subclass
199
251
  - Rack::File cache_control parameter is removed, in place of headers options
200
252
  - Rack::Auth::AbstractRequest#scheme now yields strings, not symbols
201
253
  - Rack::Utils cookie functions now format expires in RFC 2822 format
202
254
  - Rack::File now has a default mime type
203
- - rackup -b 'run Rack::File.new(".")', option provides command line configs
255
+ - rackup -b 'run Rack::Files.new(".")', option provides command line configs
204
256
  - Rack::Deflater will no longer double encode bodies
205
257
  - Rack::Mime#match? provides convenience for Accept header matching
206
258
  - Rack::Utils#q_values provides splitting for Accept headers
@@ -217,17 +269,17 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
217
269
  - Updated HTTP status codes
218
270
  - Ruby 1.8.6 likely no longer passes tests, and is no longer fully supported
219
271
 
220
- ### January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
272
+ ## [1.4.4, 1.3.9, 1.2.7, 1.1.5] 2013-01-13
221
273
  - [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
222
274
  - Fixed erroneous test case in the 1.3.x series
223
275
 
224
- ### January 7th, 2013: Thirty first public release 1.4.3
276
+ ## [1.4.3] 2013-01-07
225
277
  - Security: Prevent unbounded reads in large multipart boundaries
226
278
 
227
- ### January 7th, 2013: Thirtieth public release 1.3.8
279
+ ## [1.3.8] 2013-01-07
228
280
  - Security: Prevent unbounded reads in large multipart boundaries
229
281
 
230
- ### January 6th, 2013: Twenty ninth public release 1.4.2
282
+ ## [1.4.2] 2013-01-06
231
283
  - Add warnings when users do not provide a session secret
232
284
  - Fix parsing performance for unquoted filenames
233
285
  - Updated URI backports
@@ -257,7 +309,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
257
309
  - Rack::BodyProxy now explicitly defines #each, useful for C extensions
258
310
  - Cookies that are not URI escaped no longer cause exceptions
259
311
 
260
- ### January 6th, 2013: Twenty eighth public release 1.3.7
312
+ ## [1.3.7] 2013-01-06
261
313
  - Add warnings when users do not provide a session secret
262
314
  - Fix parsing performance for unquoted filenames
263
315
  - Updated URI backports
@@ -274,14 +326,14 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
274
326
  - Additional notes regarding ECMA escape compatibility issues
275
327
  - Fix the parsing of multiple ranges in range headers
276
328
 
277
- ### January 6th, 2013: Twenty seventh public release 1.2.6
329
+ ## [1.2.6] 2013-01-06
278
330
  - Add warnings when users do not provide a session secret
279
331
  - Fix parsing performance for unquoted filenames
280
332
 
281
- ### January 6th, 2013: Twenty sixth public release 1.1.4
333
+ ## [1.1.4] 2013-01-06
282
334
  - Add warnings when users do not provide a session secret
283
335
 
284
- ### January 22nd, 2012: Twenty fifth public release 1.4.1
336
+ ## [1.4.1] 2012-01-22
285
337
  - Alter the keyspace limit calculations to reduce issues with nested params
286
338
  - Add a workaround for multipart parsing where files contain unescaped "%"
287
339
  - Added Rack::Response::Helpers#method_not_allowed? (code 405)
@@ -297,7 +349,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
297
349
  - Rack::Static no longer defaults to serving index files
298
350
  - Rack.release was fixed
299
351
 
300
- ### December 28th, 2011: Twenty fourth public release 1.4.0
352
+ ## [1.4.0] 2011-12-28
301
353
  - Ruby 1.8.6 support has officially been dropped. Not all tests pass.
302
354
  - Raise sane error messages for broken config.ru
303
355
  - Allow combining run and map in a config.ru
@@ -316,32 +368,32 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
316
368
  - Support added for HTTP_X_FORWARDED_SCHEME
317
369
  - Numerous bug fixes, including many fixes for new and alternate rubies
318
370
 
319
- ### December 28th, 2011: Twenty first public release: 1.1.3.
371
+ ## [1.1.3] 2011-12-28
320
372
  - Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
321
373
  Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
322
374
 
323
- ### October 17, 2011: Twentieth public release 1.3.5
375
+ ## [1.3.5] 2011-10-17
324
376
  - Fix annoying warnings caused by the backport in 1.3.4
325
377
 
326
- ### October 1, 2011: Nineteenth public release 1.3.4
378
+ ## [1.3.4] 2011-10-01
327
379
  - Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
328
380
  - Small documentation update
329
381
  - Fix an issue where BodyProxy could cause an infinite recursion
330
382
  - Add some supporting files for travis-ci
331
383
 
332
- ### September 16, 2011: Eighteenth public release 1.2.4
384
+ ## [1.2.4] 2011-09-16
333
385
  - Fix a bug with MRI regex engine to prevent XSS by malformed unicode
334
386
 
335
- ### September 16, 2011: Seventeenth public release 1.3.3
387
+ ## [1.3.3] 2011-09-16
336
388
  - Fix bug with broken query parameters in Rack::ShowExceptions
337
389
  - Rack::Request#cookies no longer swallows exceptions on broken input
338
390
  - Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
339
391
  - Rack::ConditionalGet handles broken If-Modified-Since helpers
340
392
 
341
- ### July 16, 2011: Sixteenth public release 1.3.2
393
+ ## [1.3.2] 2011-07-16
342
394
  - Fix for Rails and rack-test, Rack::Utils#escape calls to_s
343
395
 
344
- ### July 13, 2011: Fifteenth public release 1.3.1
396
+ ## [1.3.1] 2011-07-13
345
397
  - Fix 1.9.1 support
346
398
  - Fix JRuby support
347
399
  - Properly handle $KCODE in Rack::Utils.escape
@@ -352,11 +404,11 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
352
404
  - Rack::MockResponse calls close on the body object
353
405
  - Fix a DOS vector from MRI stdlib backport
354
406
 
355
- ### May 22nd, 2011: Fourteenth public release 1.2.3
407
+ ## [1.2.3] 2011-05-22
356
408
  - Pulled in relevant bug fixes from 1.3
357
409
  - Fixed 1.8.6 support
358
410
 
359
- ### May 22nd, 2011: Thirteenth public release 1.3.0
411
+ ## [1.3.0] 2011-05-22
360
412
  - Various performance optimizations
361
413
  - Various multipart fixes
362
414
  - Various multipart refactors
@@ -376,16 +428,16 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
376
428
  - Cookies respect renew
377
429
  - Session middleware uses SecureRandom.hex
378
430
 
379
- ### March 13th, 2011: Twelfth public release 1.2.2/1.1.2.
431
+ ## [1.2.2, 1.1.2] 2011-03-13
380
432
  - Security fix in Rack::Auth::Digest::MD5: when authenticator
381
433
  returned nil, permission was granted on empty password.
382
434
 
383
- ### June 15th, 2010: Eleventh public release 1.2.1.
435
+ ## [1.2.1] 2010-06-15
384
436
  - Make CGI handler rewindable
385
437
  - Rename spec/ to test/ to not conflict with SPEC on lesser
386
438
  operating systems
387
439
 
388
- ### June 13th, 2010: Tenth public release 1.2.0.
440
+ ## [1.2.0] 2010-06-13
389
441
  - Removed Camping adapter: Camping 2.0 supports Rack as-is
390
442
  - Removed parsing of quoted values
391
443
  - Add Request.trace? and Request.options?
@@ -394,7 +446,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
394
446
  - Various multipart fixes
395
447
  - Switch test suite to bacon
396
448
 
397
- ### January 3rd, 2010: Ninth public release 1.1.0.
449
+ ## [1.1.0] 2010-01-03
398
450
  - Moved Auth::OpenID to rack-contrib.
399
451
  - SPEC change that relaxes Lint slightly to allow subclasses of the
400
452
  required types
@@ -429,7 +481,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
429
481
  - Enforce binary encoding in RewindableInput
430
482
  - Set correct external_encoding for handlers that don't use RewindableInput
431
483
 
432
- ### October 18th, 2009: Eighth public release 1.0.1.
484
+ ## [1.0.1] 2009-10-18
433
485
  - Bump remainder of rack.versions.
434
486
  - Support the pure Ruby FCGI implementation.
435
487
  - Fix for form names containing "=": split first then unescape components
@@ -440,7 +492,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
440
492
  - Make sure WEBrick respects the :Host option
441
493
  - Many Ruby 1.9 fixes.
442
494
 
443
- ### April 25th, 2009: Seventh public release 1.0.0.
495
+ ## [1.0.0] 2009-04-25
444
496
  - SPEC change: Rack::VERSION has been pushed to [1,0].
445
497
  - SPEC change: header values must be Strings now, split on "\n".
446
498
  - SPEC change: Content-Length can be missing, in this case chunked transfer
@@ -462,10 +514,10 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
462
514
  - The Rakefile has been rewritten.
463
515
  - Many bugfixes and small improvements.
464
516
 
465
- ### January 9th, 2009: Sixth public release 0.9.1.
517
+ ## [0.9.1] 2009-01-09
466
518
  - Fix directory traversal exploits in Rack::File and Rack::Directory.
467
519
 
468
- ### January 6th, 2009: Fifth public release 0.9.
520
+ ## [0.9] 2009-01-06
469
521
  - Rack is now managed by the Rack Core Team.
470
522
  - Rack::Lint is stricter and follows the HTTP RFCs more closely.
471
523
  - Added ConditionalGet middleware.
@@ -481,7 +533,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
481
533
  - Made HeaderHash case-preserving.
482
534
  - Many bugfixes and small improvements.
483
535
 
484
- ### August 21st, 2008: Fourth public release 0.4.
536
+ ## [0.4] 2008-08-21
485
537
  - New middleware, Rack::Deflater, by Christoffer Sawicki.
486
538
  - OpenID authentication now needs ruby-openid 2.
487
539
  - New Memcache sessions, by blink.
@@ -493,7 +545,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
493
545
  - Improved tests.
494
546
  - Rack moved to Git.
495
547
 
496
- ### February 26th, 2008: Third public release 0.3.
548
+ ## [0.3] 2008-02-26
497
549
  - LiteSpeed handler, by Adrian Madrid.
498
550
  - SCGI handler, by Jeremy Evans.
499
551
  - Pool sessions, by blink.
@@ -505,7 +557,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
505
557
  - HTTP status 201 can contain a Content-Type and a body now.
506
558
  - Many bugfixes, especially related to Cookie handling.
507
559
 
508
- ### May 16th, 2007: Second public release 0.2.
560
+ ## [0.2] 2007-05-16
509
561
  - HTTP Basic authentication.
510
562
  - Cookie Sessions.
511
563
  - Static file handler.
@@ -515,6 +567,4 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
515
567
  - Bug fixes in the Camping adapter.
516
568
  - Removed Rails adapter, was too alpha.
517
569
 
518
- ### March 3rd, 2007: First public release 0.1.
519
-
520
- /* vim: set filetype=changelog */
570
+ ## [0.1] 2007-03-03
@@ -1,4 +1,6 @@
1
- Copyright (c) 2007-2016 Christian Neukirchen <purl.org/net/chneukirchen>
1
+ The MIT License (MIT)
2
+
3
+ Copyright (C) 2007-2019 Leah Neukirchen <http://leahneukirchen.org/infopage.html>
2
4
 
3
5
  Permission is hereby granted, free of charge, to any person obtaining a copy
4
6
  of this software and associated documentation files (the "Software"), to
@@ -13,6 +15,6 @@ all copies or substantial portions of the Software.
13
15
  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14
16
  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15
17
  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
16
- THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
17
19
  IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
18
20
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.