rack 2.1.0 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e12f073e1e04051923534a08cf31f175959a4217f1a793f43283e1bb902a7225
-  data.tar.gz: e96008a1e0f77466d55c3834da7df2a4c640ec213306bab87e19bad5a9042c2c
+  metadata.gz: 67bdec7711476ad2de84fac3e118909b94332330645a6d347e09e350c5bf3dd6
+  data.tar.gz: 301f4cd141d1601d82f3e68cb967566be6422f8020f9a3ec7da1b665c9f2f61c
 SHA512:
-  metadata.gz: f73e64b61cd21153bb90d23811b28026caa652f8eb4c682ebc02d8d5967b537f07c08d3d1b6d70cc14482d687637a2e539b384b119eb5b9be0d40c994577a2e7
-  data.tar.gz: 512be9498bf6b40a18a7c4d3bcce2e2bc1818185e30e522def5c9461cfaa8ad68282b09f6457f40a38779e7711b732cc9dc0b126f96b35f3b451b8709cc45f9b
+  metadata.gz: 3c3cca256c84546a8af5faa34d99249d34273f25b7d6b0fc04e9b9212b637872af7c782625674ca07cf33aadee4421c2e82579072613d06349324b7a89733e69
+  data.tar.gz: 1dd24e07c20fd0b8aca78f93b083549c6c04bcec8e73a8e8aadea1037b359d0ec39b247027ef08bcc7150ee61b22c92cfadf2c3698be30e5101d750bb353ddfa

data/CHANGELOG.md

@@ -2,9 +2,120 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [2.2.2] - 2020-02-11
 
-_Note: There are many unreleased changes in Rack (`master` is around 300 commits ahead of `2-0-stable`), and below is not an exhaustive list. If you would like to help out and document some of the unreleased changes, PRs are welcome._ 
+### Fixed
+
+- Fix incorrect `Rack::Request#host` value. ([#1591](https://github.com/rack/rack/pull/1591), [@ioquatix](https://github.com/ioquatix))
+- Revert `Rack::Handler::Thin` implementation. ([#1583](https://github.com/rack/rack/pull/1583), [@jeremyevans](https://github.com/jeremyevans))
+- Double assignment is still needed to prevent an "unused variable" warning. ([#1589](https://github.com/rack/rack/pull/1589), [@kamipo](https://github.com/kamipo))
+- Fix to handle same_site option for session pool. ([#1587](https://github.com/rack/rack/pull/1587), [@kamipo](https://github.com/kamipo))
+
+## [2.2.1] - 2020-02-09
+
+### Fixed
+
+- Rework `Rack::Request#ip` to handle empty `forwarded_for`. ([#1577](https://github.com/rack/rack/pull/1577), [@ioquatix](https://github.com/ioquatix))
+
+## [2.2.0] - 2020-02-08
+
+### SPEC Changes
+
+- `rack.session` request environment entry must respond to `to_hash` and return unfrozen Hash. ([@jeremyevans](https://github.com/jeremyevans))
+- Request environment cannot be frozen. ([@jeremyevans](https://github.com/jeremyevans))
+- CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. ([@jeremyevans](https://github.com/jeremyevans))
+- Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix](https://github.com/ioquatix))
+
+### Added
+
+- `rackup` supports multiple `-r` options and will require all arguments. ([@jeremyevans](https://github.com/jeremyevans))
+- `Server` supports an array of paths to require for the `:require` option. ([@khotta](https://github.com/khotta))
+- `Files` supports multipart range requests. ([@fatkodima](https://github.com/fatkodima))
+- `Multipart::UploadedFile` supports an IO-like object instead of using the filesystem, using `:filename` and `:io` options. ([@jeremyevans](https://github.com/jeremyevans))
+- `Multipart::UploadedFile` supports keyword arguments `:path`, `:content_type`, and `:binary` in addition to positional arguments. ([@jeremyevans](https://github.com/jeremyevans))
+- `Static` supports a `:cascade` option for calling the app if there is no matching file. ([@jeremyevans](https://github.com/jeremyevans))
+- `Session::Abstract::SessionHash#dig`. ([@jeremyevans](https://github.com/jeremyevans))
+- `Response.[]` and `MockResponse.[]` for creating instances using status, headers, and body. ([@ioquatix](https://github.com/ioquatix))
+- Convenient cache and content type methods for `Rack::Response`. ([#1555](https://github.com/rack/rack/pull/1555), [@ioquatix](https://github.com/ioquatix))
+
+### Changed
+
+- `Request#params` no longer rescues EOFError. ([@jeremyevans](https://github.com/jeremyevans))
+- `Directory` uses a streaming approach, significantly improving time to first byte for large directories. ([@jeremyevans](https://github.com/jeremyevans))
+- `Directory` no longer includes a Parent directory link in the root directory index. ([@jeremyevans](https://github.com/jeremyevans))
+- `QueryParser#parse_nested_query` uses original backtrace when reraising exception with new class. ([@jeremyevans](https://github.com/jeremyevans))
+- `ConditionalGet` follows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. ([@jeremyevans](https://github.com/jeremyevans))
+- `.ru` files supports the `frozen-string-literal` magic comment. ([@eregon](https://github.com/eregon))
+- Rely on autoload to load constants instead of requiring internal files, make sure to require 'rack' and not just 'rack/...'. ([@jeremyevans](https://github.com/jeremyevans))
+- `Etag` will continue sending ETag even if the response should not be cached. ([@henm](https://github.com/henm))
+- `Request#host_with_port` no longer includes a colon for a missing or empty port. ([@AlexWayfer](https://github.com/AlexWayfer))
+- All handlers uses keywords arguments instead of an options hash argument. ([@ioquatix](https://github.com/ioquatix))
+- `Files` handling of range requests no longer return a body that supports `to_path`, to ensure range requests are handled correctly. ([@jeremyevans](https://github.com/jeremyevans))
+- `Multipart::Generator` only includes `Content-Length` for files with paths, and `Content-Disposition` `filename` if the `UploadedFile` instance has one. ([@jeremyevans](https://github.com/jeremyevans))
+- `Request#ssl?` is true for the `wss` scheme (secure websockets). ([@jeremyevans](https://github.com/jeremyevans))
+- `Rack::HeaderHash` is memoized by default. ([#1549](https://github.com/rack/rack/pull/1549), [@ioquatix](https://github.com/ioquatix))
+- `Rack::Directory` allow directory traversal inside root directory. ([#1417](https://github.com/rack/rack/pull/1417), [@ThomasSevestre](https://github.com/ThomasSevestre))
+- Sort encodings by server preference. ([#1184](https://github.com/rack/rack/pull/1184), [@ioquatix](https://github.com/ioquatix), [@wjordan](https://github.com/wjordan))
+- Rework host/hostname/authority implementation in `Rack::Request`. `#host` and `#host_with_port` have been changed to correctly return IPv6 addresses formatted with square brackets, as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.2.2). ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix](https://github.com/ioquatix))
+- `Rack::Builder` parsing options on first `#\` line is deprecated. ([#1574](https://github.com/rack/rack/pull/1574), [@ioquatix](https://github.com/ioquatix))
+
+### Removed
+
+- `Directory#path` as it was not used and always returned nil. ([@jeremyevans](https://github.com/jeremyevans))
+- `BodyProxy#each` as it was only needed to work around a bug in Ruby <1.9.3. ([@jeremyevans](https://github.com/jeremyevans))
+- `URLMap::INFINITY` and `URLMap::NEGATIVE_INFINITY`, in favor of `Float::INFINITY`. ([@ch1c0t](https://github.com/ch1c0t))
+- Deprecation of `Rack::File`. It will be deprecated again in rack 2.2 or 3.0. ([@rafaelfranca](https://github.com/rafaelfranca))
+- Support for Ruby 2.2 as it is well past EOL. ([@ioquatix](https://github.com/ioquatix))
+- Remove `Rack::Files#response_body` as the implementation was broken. ([#1153](https://github.com/rack/rack/pull/1153), [@ioquatix](https://github.com/ioquatix))
+- Remove `SERVER_ADDR` which was never part of the original SPEC. ([#1573](https://github.com/rack/rack/pull/1573), [@ioquatix](https://github.com/ioquatix))
+
+### Fixed
+
+- `Directory` correctly handles root paths containing glob metacharacters. ([@jeremyevans](https://github.com/jeremyevans))
+- `Cascade` uses a new response object for each call if initialized with no apps. ([@jeremyevans](https://github.com/jeremyevans))
+- `BodyProxy` correctly delegates keyword arguments to the body object on Ruby 2.7+. ([@jeremyevans](https://github.com/jeremyevans))
+- `BodyProxy#method` correctly handles methods delegated to the body object. ([@jeremyevans](https://github.com/jeremyevans))
+- `Request#host` and `Request#host_with_port` handle IPv6 addresses correctly. ([@AlexWayfer](https://github.com/AlexWayfer))
+- `Lint` checks when response hijacking that `rack.hijack` is called with a valid object. ([@jeremyevans](https://github.com/jeremyevans))
+- `Response#write` correctly updates `Content-Length` if initialized with a body. ([@jeremyevans](https://github.com/jeremyevans))
+- `CommonLogger` includes `SCRIPT_NAME` when logging. ([@Erol](https://github.com/Erol))
+- `Utils.parse_nested_query` correctly handles empty queries, using an empty instance of the params class instead of a hash. ([@jeremyevans](https://github.com/jeremyevans))
+- `Directory` correctly escapes paths in links. ([@yous](https://github.com/yous))
+- `Request#delete_cookie` and related `Utils` methods handle `:domain` and `:path` options in same call. ([@jeremyevans](https://github.com/jeremyevans))
+- `Request#delete_cookie` and related `Utils` methods do an exact match on `:domain` and `:path` options. ([@jeremyevans](https://github.com/jeremyevans))
+- `Static` no longer adds headers when a gzipped file request has a 304 response. ([@chooh](https://github.com/chooh))
+- `ContentLength` sets `Content-Length` response header even for bodies not responding to `to_ary`. ([@jeremyevans](https://github.com/jeremyevans))
+- Thin handler supports options passed directly to `Thin::Controllers::Controller`. ([@jeremyevans](https://github.com/jeremyevans))
+- WEBrick handler no longer ignores `:BindAddress` option. ([@jeremyevans](https://github.com/jeremyevans))
+- `ShowExceptions` handles invalid POST data. ([@jeremyevans](https://github.com/jeremyevans))
+- Basic authentication requires a password, even if the password is empty. ([@jeremyevans](https://github.com/jeremyevans))
+- `Lint` checks response is array with 3 elements, per SPEC. ([@jeremyevans](https://github.com/jeremyevans))
+- Support for using `:SSLEnable` option when using WEBrick handler. (Gregor Melhorn)
+- Close response body after buffering it when buffering. ([@ioquatix](https://github.com/ioquatix))
+- Only accept `;` as delimiter when parsing cookies. ([@mrageh](https://github.com/mrageh))
+- `Utils::HeaderHash#clear` clears the name mapping as well. ([@raxoft](https://github.com/raxoft)) 
+- Support for passing `nil` `Rack::Files.new`, which notably fixes Rails' current `ActiveStorage::FileServer` implementation. ([@ioquatix](https://github.com/ioquatix))
+
+### Documentation
+
+- CHANGELOG updates. ([@aupajo](https://github.com/aupajo))
+- Added [CONTRIBUTING](CONTRIBUTING.md). ([@dblock](https://github.com/dblock))
+
+## [2.1.2] - 2020-01-27
+
+- Fix multipart parser for some files to prevent denial of service ([@aiomaster](https://github.com/aiomaster))
+- Fix `Rack::Builder#use` with keyword arguments ([@kamipo](https://github.com/kamipo))
+- Skip deflating in Rack::Deflater if Content-Length is 0 ([@jeremyevans](https://github.com/jeremyevans))
+- Remove `SessionHash#transform_keys`, no longer needed ([@pavel](https://github.com/pavel))
+- Add to_hash to wrap Hash and Session classes ([@oleh-demyanyuk](https://github.com/oleh-demyanyuk))
+- Handle case where session id key is requested but missing ([@jeremyevans](https://github.com/jeremyevans))
+
+## [2.1.1] - 2020-01-12
+
+- Remove `Rack::Chunked` from `Rack::Server` default middleware. ([#1475](https://github.com/rack/rack/pull/1475), [@ioquatix](https://github.com/ioquatix))
+- Restore support for code relying on `SessionId#to_s`. ([@jeremyevans](https://github.com/jeremyevans))
+
+## [2.1.0] - 2020-01-10
 
 ### Added
 
@@ -42,26 +153,35 @@ _Note: There are many unreleased changes in Rack (`master` is around 300 commits
 - Update codebase to avoid string mutations in preparation for `frozen_string_literals`. ([@pat](https://github.com/pat))
 - Change `MockRequest#env_for` to rely on the input optionally responding to `#size` instead of `#length`. ([@janko](https://github.com/janko))
 - Rename `Rack::File` -> `Rack::Files` and add deprecation notice. ([@postmodern](https://github.com/postmodern)).
+- Prefer Base64 “strict encoding” for Base64 cookies. ([@ioquatix](https://github.com/ioquatix))
 
 ### Removed
 
 - Remove `to_ary` from Response ([@tenderlove](https://github.com/tenderlove))
 - Deprecate `Rack::Session::Memcache` in favor of `Rack::Session::Dalli` from dalli gem ([@fatkodima](https://github.com/fatkodima))
 
+### Fixed
+
+- Eliminate warnings for Ruby 2.7. ([@osamtimizer](https://github.com/osamtimizer]))
+
 ### Documentation
 
 - Update broken example in `Session::Abstract::ID` documentation. ([tonytonyjan](https://github.com/tonytonyjan))
-- Add Padrino to the list of frameworks implmenting Rack. ([@wikimatze](https://github.com/wikimatze))
+- Add Padrino to the list of frameworks implementing Rack. ([@wikimatze](https://github.com/wikimatze))
 - Remove Mongrel from the suggested server options in the help output. ([@tricknotes](https://github.com/tricknotes))
 - Replace `HISTORY.md` and `NEWS.md` with `CHANGELOG.md`. ([@twitnithegirl](https://github.com/twitnithegirl))
-- Backfill `CHANGELOG.md` from 2.0.1 to 2.0.7 releases. ([@drenmi](https://github.com/Drenmi))
+- CHANGELOG updates. ([@drenmi](https://github.com/Drenmi), [@p8](https://github.com/p8))
 
 ## [2.0.8] - 2019-12-08
 
+### Security
+
 - [[CVE-2019-16782](https://nvd.nist.gov/vuln/detail/CVE-2019-16782)] Prevent timing attacks targeted at session ID lookup. BREAKING CHANGE: Session ID is now a SessionId instance instead of a String. ([@tenderlove](https://github.com/tenderlove), [@rafaelfranca](https://github.com/rafaelfranca))
 
 ## [1.6.12] - 2019-12-08
 
+### Security
+
 - [[CVE-2019-16782](https://nvd.nist.gov/vuln/detail/CVE-2019-16782)] Prevent timing attacks targeted at session ID lookup. BREAKING CHANGE: Session ID is now a SessionId instance instead of a String. ([@tenderlove](https://github.com/tenderlove), [@rafaelfranca](https://github.com/rafaelfranca))
 
 ## [2.0.7] - 2019-04-02
@@ -227,7 +347,7 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
   - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
   - Fix CVE-2013-0262, symlink path traversal in Rack::File
   - Add various methods to Session for enhanced Rails compatibility
-  - Request#trusted_proxy? now only matches whole stirngs
+  - Request#trusted_proxy? now only matches whole strings
   - Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
   - URLMap host matching in environments that don't set the Host header fixed
   - Fix a race condition that could result in overwritten pidfiles
@@ -465,7 +585,7 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
   - Add status code lookup utility
   - Response should call #to_i on the status
   - Add Request#user_agent
-  - Request#host knows about forwared host
+  - Request#host knows about forwarded host
   - Return an empty string for Request#host if HTTP_HOST and
     SERVER_NAME are both missing
   - Allow MockRequest to accept hash params

data/CONTRIBUTING.md

@@ -0,0 +1,136 @@
+Contributing to Rack
+=====================
+
+Rack is work of [hundreds of contributors](https://github.com/rack/rack/graphs/contributors). You're encouraged to submit [pull requests](https://github.com/rack/rack/pulls), [propose features and discuss issues](https://github.com/rack/rack/issues). When in doubt, post to the [rack-devel](http://groups.google.com/group/rack-devel) mailing list.
+
+#### Fork the Project
+
+Fork the [project on Github](https://github.com/rack/rack) and check out your copy.
+
+```
+git clone https://github.com/contributor/rack.git
+cd rack
+git remote add upstream https://github.com/rack/rack.git
+```
+
+#### Create a Topic Branch
+
+Make sure your fork is up-to-date and create a topic branch for your feature or bug fix.
+
+```
+git checkout master
+git pull upstream master
+git checkout -b my-feature-branch
+```
+
+#### Bundle Install and Quick Test
+
+Ensure that you can build the project and run quick tests.
+
+```
+bundle install --without extra
+bundle exec rake test
+```
+
+#### Running All Tests
+
+Install all dependencies.
+
+```
+bundle install
+```
+
+Run all tests.
+
+```
+rake test
+```
+
+The test suite has no dependencies outside of the core Ruby installation and bacon.
+
+Some tests will be skipped if a dependency is not found.
+
+To run the test suite completely, you need:
+
+  * fcgi
+  * dalli
+  * thin
+
+To test Memcache sessions, you need memcached (will be run on port 11211) and dalli installed.
+
+#### Write Tests
+
+Try to write a test that reproduces the problem you're trying to fix or describes a feature that you want to build.
+
+We definitely appreciate pull requests that highlight or reproduce a problem, even without a fix.
+
+#### Write Code
+
+Implement your feature or bug fix.
+
+Make sure that `bundle exec rake fulltest` completes without errors.
+
+#### Write Documentation
+
+Document any external behavior in the [README](README.rdoc).
+
+#### Update Changelog
+
+Add a line to [CHANGELOG](CHANGELOG.md).
+
+#### Commit Changes
+
+Make sure git knows your name and email address:
+
+```
+git config --global user.name "Your Name"
+git config --global user.email "contributor@example.com"
+```
+
+Writing good commit logs is important. A commit log should describe what changed and why.
+
+```
+git add ...
+git commit
+```
+
+#### Push
+
+```
+git push origin my-feature-branch
+```
+
+#### Make a Pull Request
+
+Go to https://github.com/contributor/rack and select your feature branch. Click the 'Pull Request' button and fill out the form. Pull requests are usually reviewed within a few days.
+
+#### Rebase
+
+If you've been working on a change for a while, rebase with upstream/master.
+
+```
+git fetch upstream
+git rebase upstream/master
+git push origin my-feature-branch -f
+```
+
+#### Make Required Changes
+
+Amend your previous commit and force push the changes.
+
+```
+git commit --amend
+git push origin my-feature-branch -f
+```
+
+#### Check on Your Pull Request
+
+Go back to your pull request after a few minutes and see whether it passed muster with Travis-CI. Everything should look green, otherwise fix issues and amend your commit as described above.
+
+#### Be Patient
+
+It's likely that your change will not be merged and that the nitpicky maintainers will ask you to do more, or fix seemingly benign problems. Hang on there!
+
+#### Thank You
+
+Please do know that we really appreciate and value your time and work. We love you, really.

data/README.rdoc

@@ -5,6 +5,7 @@
 {<img src="https://circleci.com/gh/rack/rack.svg?style=svg" alt="CircleCI" />}[https://circleci.com/gh/rack/rack]
 {<img src="https://badge.fury.io/rb/rack.svg" alt="Gem Version" />}[http://badge.fury.io/rb/rack]
 {<img src="https://api.dependabot.com/badges/compatibility_score?dependency-name=rack&package-manager=bundler&version-scheme=semver" alt="SemVer Stability" />}[https://dependabot.com/compatibility-score.html?dependency-name=rack&package-manager=bundler&version-scheme=semver]
+{<img src="http://inch-ci.org/github/rack/rack.svg?branch=master" alt="Inline docs" />}[http://inch-ci.org/github/rack/rack]
 
 \Rack provides a minimal, modular, and adaptable interface for developing
 web applications in Ruby. By wrapping HTTP requests and responses in
@@ -30,10 +31,11 @@ These web servers include \Rack handlers in their distributions:
 
 * Agoo[https://github.com/ohler55/agoo]
 * Falcon[https://github.com/socketry/falcon]
+* Iodine[https://github.com/boazsegev/iodine]
 * {NGINX Unit}[https://unit.nginx.org/]
 * {Phusion Passenger}[https://www.phusionpassenger.com/] (which is mod_rack for Apache and for nginx)
 * Puma[https://puma.io/]
-* Unicorn[https://bogomips.org/unicorn/]
+* Unicorn[https://yhbt.net/unicorn/]
 * uWSGI[https://uwsgi-docs.readthedocs.io/en/latest/]
 
 Any valid \Rack app will run the same on all these handlers, without
@@ -41,13 +43,12 @@ changing anything.
 
 == Supported web frameworks
 
-These frameworks include \Rack adapters in their distributions:
+These frameworks and many others support the \Rack API:
 
 * Camping[http://www.ruby-camping.com/]
 * Coset[http://leahneukirchen.org/repos/coset/]
 * Hanami[https://hanamirb.org/]
 * Padrino[http://padrinorb.com/]
-* Racktools::SimpleApplication
 * Ramaze[http://ramaze.net/]
 * Roda[https://github.com/jeremyevans/roda]
 * {Ruby on Rails}[https://rubyonrails.org/]
@@ -55,19 +56,45 @@ These frameworks include \Rack adapters in their distributions:
 * Sinatra[http://sinatrarb.com/]
 * Utopia[https://github.com/socketry/utopia]
 * WABuR[https://github.com/ohler55/wabur]
-* ... and many others.
 
-== Available middleware
+== Available middleware shipped with \Rack
 
 Between the server and the framework, \Rack can be customized to your
-applications needs using middleware, for example:
+applications needs using middleware. \Rack itself ships with the following
+middleware:
 
-* Rack::URLMap, to route to multiple applications inside the same process.
+* Rack::Chunked, for streaming responses using chunked encoding.
 * Rack::CommonLogger, for creating Apache-style logfiles.
+* Rack::ConditionalGet, for returning not modified responses when the response
+  has not changed.
+* Rack::Config, for modifying the environment before processing the request.
+* Rack::ContentLength, for setting Content-Length header based on body size.
+* Rack::ContentType, for setting default Content-Type header for responses.
+* Rack::Deflater, for compressing responses with gzip.
+* Rack::ETag, for setting ETag header on string bodies.
+* Rack::Events, for providing easy hooks when a request is received
+  and when the response is sent.
+* Rack::Files, for serving static files.
+* Rack::Head, for returning an empty body for HEAD requests.
+* Rack::Lint, for checking conformance to the \Rack API.
+* Rack::Lock, for serializing requests using a mutex.
+* Rack::Logger, for setting a logger to handle logging errors.
+* Rack::MethodOverride, for modifying the request method based on a submitted
+  parameter.
+* Rack::Recursive, for including data from other paths in the application,
+  and for performing internal redirects.
+* Rack::Reloader, for reloading files if they have been modified.
+* Rack::Runtime, for including a response header with the time taken to
+  process the request.
+* Rack::Sendfile, for working with web servers that can use optimized
+  file serving for file system paths.
 * Rack::ShowException, for catching unhandled exceptions and
   presenting them in a nice and helpful way with clickable backtrace.
-* Rack::Files, for serving static files.
-* ...many others!
+* Rack::ShowStatus, for using nice error pages for empty client error
+  responses.
+* Rack::Static, for more configurable serving of static files.
+* Rack::TempfileReaper, for removing temporary files creating during a
+  request.
 
 All these components use the same interface, which is described in
 detail in the \Rack specification.  These optional components can be
@@ -86,6 +113,15 @@ over:
   cookie handling.
 * Rack::MockRequest and Rack::MockResponse for efficient and quick
   testing of \Rack application without real HTTP round-trips.
+* Rack::Cascade, for trying additional \Rack applications if an
+  application returns a not found or method not supported response.
+* Rack::Directory, for serving files under a given directory, with
+  directory indexes.
+* Rack::MediaType, for parsing Content-Type headers.
+* Rack::Mime, for determining Content-Type based on file extension.
+* Rack::RewindableInput, for making any IO object rewindable, using
+  a temporary file buffer.
+* Rack::URLMap, to route to multiple applications inside the same process.
 
 == rack-contrib
 
@@ -125,46 +161,46 @@ A Gem of \Rack is available at {rubygems.org}[https://rubygems.org/gems/rack]. Y
 
     gem install rack
 
-== Running the tests
+== Usage
 
-Testing \Rack requires the bacon testing framework:
+You should require the library:
 
-    bundle install --without extra # to be able to run the fast tests
+    require 'rack'
 
-Or:
+\Rack uses autoload to automatically load other files \Rack ships with on demand,
+so you should not need require paths under +rack+.  If you require paths under
++rack+ without requiring +rack+ itself, things may not work correctly.
 
-    bundle install # this assumes that you have installed native extensions!
+== Configuration
 
-There is a rake-based test task:
+Several parameters can be modified on Rack::Utils to configure \Rack behaviour.
 
-    rake test # tests all the tests
+e.g:
 
-The testsuite has no dependencies outside of the core Ruby
-installation and bacon.
+    Rack::Utils.key_space_limit = 128
 
-To run the test suite completely, you need:
+=== key_space_limit
 
-  * fcgi
-  * dalli
-  * thin
+The default number of bytes to allow all parameters keys in a given parameter hash to take up.
+Does not affect nested parameter hashes, so doesn't actually prevent an attacker from using
+more than this many bytes for parameter keys.
 
-To test Memcache sessions, you need memcached (will be
-run on port 11211) and dalli installed.
+Defaults to 65536 characters.
 
-== Configuration
+=== param_depth_limit
 
-Several parameters can be modified on Rack::Utils to configure \Rack behaviour.
+The maximum amount of nesting allowed in parameters.
+For example, if set to 3, this query string would be allowed:
 
-e.g:
+    ?a[b][c]=d
 
-    Rack::Utils.key_space_limit = 128
+but this query string would not be allowed:
 
-=== key_space_limit
+    ?a[b][c][d]=e
 
-The default number of bytes to allow a single parameter key to take up.
-This helps prevent a rogue client from flooding a Request.
+Limiting the depth prevents a possible stack overflow when parsing parameters.
 
-Default to 65536 characters (4 kiB in worst case).
+Defaults to 100.
 
 === multipart_part_limit
 
@@ -181,6 +217,10 @@ Can also be set via the +RACK_MULTIPART_PART_LIMIT+ environment variable.
 
 See {CHANGELOG.md}[https://github.com/rack/rack/blob/master/CHANGELOG.md].
 
+== Contributing
+
+See {CONTRIBUTING.md}[https://github.com/rack/rack/blob/master/CONTRIBUTING.md].
+
 == Contact
 
 Please post bugs, suggestions and patches to
@@ -198,7 +238,6 @@ Mailing list archives are available at
 Git repository (send Git patches to the mailing list):
 
 * https://github.com/rack/rack
-* http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack-github.git
 
 You are also welcome to join the #rack channel on irc.freenode.net.
 
@@ -206,20 +245,25 @@ You are also welcome to join the #rack channel on irc.freenode.net.
 
 The \Rack Core Team, consisting of
 
+* Aaron Patterson (tenderlove[https://github.com/tenderlove])
+* Samuel Williams (ioquatix[https://github.com/ioquatix])
+* Jeremy Evans (jeremyevans[https://github.com/jeremyevans])
+* Eileen Uchitelle (eileencodes[https://github.com/eileencodes])
+* Matthew Draper (matthewd[https://github.com/matthewd])
+* Rafael França (rafaelfranca[https://github.com/rafaelfranca])
+
+and the \Rack Alumni
+
+* Ryan Tomayko (rtomayko[https://github.com/rtomayko])
+* Scytrin dai Kinthra (scytrin[https://github.com/scytrin])
 * Leah Neukirchen (leahneukirchen[https://github.com/leahneukirchen])
 * James Tucker (raggi[https://github.com/raggi])
 * Josh Peek (josh[https://github.com/josh])
 * José Valim (josevalim[https://github.com/josevalim])
 * Michael Fellinger (manveru[https://github.com/manveru])
-* Aaron Patterson (tenderlove[https://github.com/tenderlove])
 * Santiago Pastorino (spastorino[https://github.com/spastorino])
 * Konstantin Haase (rkh[https://github.com/rkh])
 
-and the \Rack Alumnis
-
-* Ryan Tomayko (rtomayko[https://github.com/rtomayko])
-* Scytrin dai Kinthra (scytrin[https://github.com/scytrin])
-
 would like to thank:
 
 * Adrian Madrid, for the LiteSpeed handler.