rack 2.1.0 → 3.1.0

data/lib/rack/request.rb

@@ -1,9 +1,8 @@
 # frozen_string_literal: true
 
-require 'rack/utils'
-require 'rack/media_type'
-
-require_relative 'core_ext/regexp'
+require_relative 'constants'
+require_relative 'utils'
+require_relative 'media_type'
 
 module Rack
   # Rack::Request provides a convenient interface to a Rack
@@ -15,22 +14,54 @@ module Rack
   #   req.params["data"]
 
   class Request
-    using ::Rack::RegexpExtensions
-
     class << self
       attr_accessor :ip_filter
-    end
 
-    self.ip_filter = lambda { |ip| /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i.match?(ip) }
-    ALLOWED_SCHEMES = %w(https http).freeze
-    SCHEME_WHITELIST = ALLOWED_SCHEMES
-    if Object.respond_to?(:deprecate_constant)
-      deprecate_constant :SCHEME_WHITELIST
+      # The priority when checking forwarded headers. The default
+      # is <tt>[:forwarded, :x_forwarded]</tt>, which means, check the
+      # +Forwarded+ header first, followed by the appropriate
+      # <tt>X-Forwarded-*</tt> header.  You can revert the priority by
+      # reversing the priority, or remove checking of either
+      # or both headers by removing elements from the array.
+      #
+      # This should be set as appropriate in your environment
+      # based on what reverse proxies are in use.  If you are not
+      # using reverse proxies, you should probably use an empty
+      # array.
+      attr_accessor :forwarded_priority
+
+      # The priority when checking either the <tt>X-Forwarded-Proto</tt>
+      # or <tt>X-Forwarded-Scheme</tt> header for the forwarded protocol.
+      # The default is <tt>[:proto, :scheme]</tt>, to try the
+      # <tt>X-Forwarded-Proto</tt> header before the
+      # <tt>X-Forwarded-Scheme</tt> header.  Rack 2 had behavior
+      # similar to <tt>[:scheme, :proto]</tt>.  You can remove either or
+      # both of the entries in array to ignore that respective header.
+      attr_accessor :x_forwarded_proto_priority
     end
 
+    @forwarded_priority = [:forwarded, :x_forwarded]
+    @x_forwarded_proto_priority = [:proto, :scheme]
+
+    valid_ipv4_octet = /\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])/
+
+    trusted_proxies = Regexp.union(
+      /\A127#{valid_ipv4_octet}{3}\z/,                          # localhost IPv4 range 127.x.x.x, per RFC-3330
+      /\A::1\z/,                                                # localhost IPv6 ::1
+      /\Af[cd][0-9a-f]{2}(?::[0-9a-f]{0,4}){0,7}\z/i,           # private IPv6 range fc00 .. fdff
+      /\A10#{valid_ipv4_octet}{3}\z/,                           # private IPv4 range 10.x.x.x
+      /\A172\.(1[6-9]|2[0-9]|3[01])#{valid_ipv4_octet}{2}\z/,   # private IPv4 range 172.16.0.0 .. 172.31.255.255
+      /\A192\.168#{valid_ipv4_octet}{2}\z/,                     # private IPv4 range 192.168.x.x
+      /\Alocalhost\z|\Aunix(\z|:)/i,                            # localhost hostname, and unix domain sockets
+    )
+
+    self.ip_filter = lambda { |ip| trusted_proxies.match?(ip) }
+
+    ALLOWED_SCHEMES = %w(https http wss ws).freeze
+
     def initialize(env)
+      @env = env
       @params = nil
-      super(env)
     end
 
     def params
@@ -54,6 +85,8 @@ module Rack
 
       def initialize(env)
         @env = env
+        # This module is included at least in `ActionDispatch::Request`
+        # The call to `super()` allows additional mixed-in initializers are called
         super()
       end
 
@@ -93,7 +126,7 @@ module Rack
       #   assert_equal 'image/png,*/*', request.get_header('Accept')
       #
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
-      def add_header key, v
+      def add_header(key, v)
         if v.nil?
           get_header key
         elsif has_header? key
@@ -134,11 +167,25 @@ module Rack
       # to include the port in a generated URI.
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
 
+      # The address of the client which connected to the proxy.
+      HTTP_X_FORWARDED_FOR = 'HTTP_X_FORWARDED_FOR'
+
+      # The contents of the host/:authority header sent to the proxy.
+      HTTP_X_FORWARDED_HOST = 'HTTP_X_FORWARDED_HOST'
+
+      HTTP_FORWARDED          = 'HTTP_FORWARDED'
+
+      # The value of the scheme sent to the proxy.
       HTTP_X_FORWARDED_SCHEME = 'HTTP_X_FORWARDED_SCHEME'
-      HTTP_X_FORWARDED_PROTO  = 'HTTP_X_FORWARDED_PROTO'
-      HTTP_X_FORWARDED_HOST   = 'HTTP_X_FORWARDED_HOST'
-      HTTP_X_FORWARDED_PORT   = 'HTTP_X_FORWARDED_PORT'
-      HTTP_X_FORWARDED_SSL    = 'HTTP_X_FORWARDED_SSL'
+
+      # The protocol used to connect to the proxy.
+      HTTP_X_FORWARDED_PROTO = 'HTTP_X_FORWARDED_PROTO'
+
+      # The port used to connect to the proxy.
+      HTTP_X_FORWARDED_PORT = 'HTTP_X_FORWARDED_PORT'
+
+      # Another way for specifying https scheme was used.
+      HTTP_X_FORWARDED_SSL = 'HTTP_X_FORWARDED_SSL'
 
       def body;            get_header(RACK_INPUT)                         end
       def script_name;     get_header(SCRIPT_NAME).to_s                   end
@@ -152,7 +199,6 @@ module Rack
       def content_length;  get_header('CONTENT_LENGTH')                   end
       def logger;          get_header(RACK_LOGGER)                        end
       def user_agent;      get_header('HTTP_USER_AGENT')                  end
-      def multithread?;    get_header(RACK_MULTITHREAD)                   end
 
       # the referer of the client
       def referer;         get_header('HTTP_REFERER')                     end
@@ -212,19 +258,50 @@ module Rack
         end
       end
 
+      # The authority of the incoming request as defined by RFC3976.
+      # https://tools.ietf.org/html/rfc3986#section-3.2
+      #
+      # In HTTP/1, this is the `host` header.
+      # In HTTP/2, this is the `:authority` pseudo-header.
       def authority
-        get_header(SERVER_NAME) + ':' + get_header(SERVER_PORT)
+        forwarded_authority || host_authority || server_authority
+      end
+
+      # The authority as defined by the `SERVER_NAME` and `SERVER_PORT`
+      # variables.
+      def server_authority
+        host = self.server_name
+        port = self.server_port
+
+        if host
+          if port
+            "#{host}:#{port}"
+          else
+            host
+          end
+        end
+      end
+
+      def server_name
+        get_header(SERVER_NAME)
+      end
+
+      def server_port
+        get_header(SERVER_PORT)
       end
 
       def cookies
-        hash = fetch_header(RACK_REQUEST_COOKIE_HASH) do |k|
-          set_header(k, {})
+        hash = fetch_header(RACK_REQUEST_COOKIE_HASH) do |key|
+          set_header(key, {})
+        end
+
+        string = get_header(HTTP_COOKIE)
+
+        unless string == get_header(RACK_REQUEST_COOKIE_STRING)
+          hash.replace Utils.parse_cookies_header(string)
+          set_header(RACK_REQUEST_COOKIE_STRING, string)
         end
-        string = get_header HTTP_COOKIE
 
-        return hash if string == get_header(RACK_REQUEST_COOKIE_STRING)
-        hash.replace Utils.parse_cookies_header string
-        set_header(RACK_REQUEST_COOKIE_STRING, string)
         hash
       end
 
@@ -237,52 +314,122 @@ module Rack
         get_header("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest"
       end
 
-      def host_with_port
-        if forwarded = get_header(HTTP_X_FORWARDED_HOST)
-          forwarded.split(/,\s?/).last
+      # The `HTTP_HOST` header.
+      def host_authority
+        get_header(HTTP_HOST)
+      end
+
+      def host_with_port(authority = self.authority)
+        host, _, port = split_authority(authority)
+
+        if port == DEFAULT_PORTS[self.scheme]
+          host
         else
-          get_header(HTTP_HOST) || "#{get_header(SERVER_NAME) || get_header(SERVER_ADDR)}:#{get_header(SERVER_PORT)}"
+          authority
         end
       end
 
+      # Returns a formatted host, suitable for being used in a URI.
       def host
-        # Remove port number.
-        h = host_with_port
-        if colon_index = h.index(":")
-          h[0, colon_index]
-        else
-          h
-        end
+        split_authority(self.authority)[0]
+      end
+
+      # Returns an address suitable for being to resolve to an address.
+      # In the case of a domain name or IPv4 address, the result is the same
+      # as +host+. In the case of IPv6 or future address formats, the square
+      # brackets are removed.
+      def hostname
+        split_authority(self.authority)[1]
       end
 
       def port
-        if port = extract_port(host_with_port)
-          port.to_i
-        elsif port = get_header(HTTP_X_FORWARDED_PORT)
-          port.to_i
-        elsif has_header?(HTTP_X_FORWARDED_HOST)
-          DEFAULT_PORTS[scheme]
-        elsif has_header?(HTTP_X_FORWARDED_PROTO)
-          DEFAULT_PORTS[extract_proto_header(get_header(HTTP_X_FORWARDED_PROTO))]
-        else
-          get_header(SERVER_PORT).to_i
+        if authority = self.authority
+          _, _, port = split_authority(authority)
         end
+
+        port || forwarded_port&.last || DEFAULT_PORTS[scheme] || server_port
+      end
+
+      def forwarded_for
+        forwarded_priority.each do |type|
+          case type
+          when :forwarded
+            if forwarded_for = get_http_forwarded(:for)
+              return(forwarded_for.map! do |authority|
+                split_authority(authority)[1]
+              end)
+            end
+          when :x_forwarded
+            if value = get_header(HTTP_X_FORWARDED_FOR)
+              return(split_header(value).map do |authority|
+                split_authority(wrap_ipv6(authority))[1]
+              end)
+            end
+          end
+        end
+
+        nil
+      end
+
+      def forwarded_port
+        forwarded_priority.each do |type|
+          case type
+          when :forwarded
+            if forwarded = get_http_forwarded(:for)
+              return(forwarded.map do |authority|
+                split_authority(authority)[2]
+              end.compact)
+            end
+          when :x_forwarded
+            if value = get_header(HTTP_X_FORWARDED_PORT)
+              return split_header(value).map(&:to_i)
+            end
+          end
+        end
+
+        nil
+      end
+
+      def forwarded_authority
+        forwarded_priority.each do |type|
+          case type
+          when :forwarded
+            if forwarded = get_http_forwarded(:host)
+              return forwarded.last
+            end
+          when :x_forwarded
+            if value = get_header(HTTP_X_FORWARDED_HOST)
+              return wrap_ipv6(split_header(value).last)
+            end
+          end
+        end
+
+        nil
       end
 
       def ssl?
-        scheme == 'https'
+        scheme == 'https' || scheme == 'wss'
       end
 
       def ip
-        remote_addrs = split_ip_addresses(get_header('REMOTE_ADDR'))
-        remote_addrs = reject_trusted_ip_addresses(remote_addrs)
+        remote_addresses = split_header(get_header('REMOTE_ADDR'))
+        external_addresses = reject_trusted_ip_addresses(remote_addresses)
 
-        return remote_addrs.first if remote_addrs.any?
+        unless external_addresses.empty?
+          return external_addresses.last
+        end
 
-        forwarded_ips = split_ip_addresses(get_header('HTTP_X_FORWARDED_FOR'))
-          .map { |ip| strip_port(ip) }
+        if (forwarded_for = self.forwarded_for) && !forwarded_for.empty?
+          # The forwarded for addresses are ordered: client, proxy1, proxy2.
+          # So we reject all the trusted addresses (proxy*) and return the
+          # last client. Or if we trust everyone, we just return the first
+          # address.
+          return reject_trusted_ip_addresses(forwarded_for).last || forwarded_for.first
+        end
 
-        return reject_trusted_ip_addresses(forwarded_ips).last || forwarded_ips.first || get_header("REMOTE_ADDR")
+        # If all the addresses are trusted, and we aren't forwarded, just return
+        # the first remote address, which represents the source of the request.
+        remote_addresses.first
       end
 
       # The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -313,16 +460,17 @@ module Rack
       end
 
       # Determine whether the request body contains form-data by checking
-      # the request Content-Type for one of the media-types:
+      # the request content-type for one of the media-types:
       # "application/x-www-form-urlencoded" or "multipart/form-data". The
       # list of form-data media types can be modified through the
       # +FORM_DATA_MEDIA_TYPES+ array.
       #
       # A request body is also assumed to contain form-data when no
-      # Content-Type header is provided and the request_method is POST.
+      # content-type header is provided and the request_method is POST.
       def form_data?
         type = media_type
         meth = get_header(RACK_METHODOVERRIDE_ORIGINAL_METHOD) || get_header(REQUEST_METHOD)
+
         (meth == POST && type.nil?) || FORM_DATA_MEDIA_TYPES.include?(type)
       end
 
@@ -334,10 +482,15 @@ module Rack
 
       # Returns the data received in the query string.
       def GET
-        if get_header(RACK_REQUEST_QUERY_STRING) == query_string
+        rr_query_string = get_header(RACK_REQUEST_QUERY_STRING)
+        query_string = self.query_string
+        if rr_query_string == query_string
           get_header(RACK_REQUEST_QUERY_HASH)
         else
-          query_hash = parse_query(query_string, '&;')
+          if rr_query_string
+            warn "query string used for GET parsing different from current query string. Starting in Rack 3.2, Rack will used the cached GET value instead of parsing the current query string.", uplevel: 1
+          end
+          query_hash = parse_query(query_string, '&')
           set_header(RACK_REQUEST_QUERY_STRING, query_string)
           set_header(RACK_REQUEST_QUERY_HASH, query_hash)
         end
@@ -348,27 +501,52 @@ module Rack
       # This method support both application/x-www-form-urlencoded and
       # multipart/form-data.
       def POST
-        if get_header(RACK_INPUT).nil?
-          raise "Missing rack.input"
-        elsif get_header(RACK_REQUEST_FORM_INPUT) == get_header(RACK_INPUT)
-          get_header(RACK_REQUEST_FORM_HASH)
-        elsif form_data? || parseable_data?
-          unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
-            form_vars = get_header(RACK_INPUT).read
-
-            # Fix for Safari Ajax postings that always append \0
-            # form_vars.sub!(/\0\z/, '') # performance replacement:
-            form_vars.slice!(-1) if form_vars.end_with?("\0")
-
-            set_header RACK_REQUEST_FORM_VARS, form_vars
-            set_header RACK_REQUEST_FORM_HASH, parse_query(form_vars, '&')
-
-            get_header(RACK_INPUT).rewind
+        if error = get_header(RACK_REQUEST_FORM_ERROR)
+          raise error.class, error.message, cause: error.cause
+        end
+
+        begin
+          rack_input = get_header(RACK_INPUT)
+
+          # If the form hash was already memoized:
+          if form_hash = get_header(RACK_REQUEST_FORM_HASH)
+            form_input = get_header(RACK_REQUEST_FORM_INPUT)
+            # And it was memoized from the same input:
+            if form_input.equal?(rack_input)
+              return form_hash
+            elsif form_input
+              warn "input stream used for POST parsing different from current input stream. Starting in Rack 3.2, Rack will used the cached POST value instead of parsing the current input stream.", uplevel: 1
+            end
           end
-          set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-          get_header RACK_REQUEST_FORM_HASH
-        else
-          {}
+
+          # Otherwise, figure out how to parse the input:
+          if rack_input.nil?
+            set_header RACK_REQUEST_FORM_INPUT, nil
+            set_header(RACK_REQUEST_FORM_HASH, {})
+          elsif form_data? || parseable_data?
+            if pairs = Rack::Multipart.parse_multipart(env, Rack::Multipart::ParamList)
+              set_header RACK_REQUEST_FORM_PAIRS, pairs
+              set_header RACK_REQUEST_FORM_HASH, expand_param_pairs(pairs)
+            else
+              form_vars = get_header(RACK_INPUT).read
+
+              # Fix for Safari Ajax postings that always append \0
+              # form_vars.sub!(/\0\z/, '') # performance replacement:
+              form_vars.slice!(-1) if form_vars.end_with?("\0")
+
+              set_header RACK_REQUEST_FORM_VARS, form_vars
+              set_header RACK_REQUEST_FORM_HASH, parse_query(form_vars, '&')
+            end
+
+            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
+            get_header RACK_REQUEST_FORM_HASH
+          else
+            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
+            set_header(RACK_REQUEST_FORM_HASH, {})
+          end
+        rescue => error
+          set_header(RACK_REQUEST_FORM_ERROR, error)
+          raise
         end
       end
 
@@ -377,8 +555,6 @@ module Rack
       # Note that modifications will not be persisted in the env. Use update_param or delete_param if you want to destructively modify params.
       def params
         self.GET.merge(self.POST)
-      rescue EOFError
-        self.GET.dup
       end
 
       # Destructively update a parameter, whether it's in GET and/or POST. Returns nil.
@@ -412,9 +588,7 @@ module Rack
       end
 
       def base_url
-        url = "#{scheme}://#{host}"
-        url = "#{url}:#{port}" if port != DEFAULT_PORTS[scheme]
-        url
+        "#{scheme}://#{host_with_port}"
       end
 
       # Tries to return a remake of the original request URL as a string.
@@ -442,28 +616,10 @@ module Rack
         Rack::Request.ip_filter.call(ip)
       end
 
-      # shortcut for <tt>request.params[key]</tt>
-      def [](key)
-        if $VERBOSE
-          warn("Request#[] is deprecated and will be removed in a future version of Rack. Please use request.params[] instead")
-        end
-
-        params[key.to_s]
-      end
-
-      # shortcut for <tt>request.params[key] = value</tt>
-      #
-      # Note that modifications will not be persisted in the env. Use update_param or delete_param if you want to destructively modify params.
-      def []=(key, value)
-        if $VERBOSE
-          warn("Request#[]= is deprecated and will be removed in a future version of Rack. Please use request.params[]= instead")
-        end
-
-        params[key.to_s] = value
-      end
-
       # like Hash#values_at
       def values_at(*keys)
+        warn("Request#values_at is deprecated and will be removed in a future version of Rack. Please use request.params.values_at instead", uplevel: 1)
+        
         keys.map { |key| params[key] }
       end
 
@@ -471,6 +627,20 @@ module Rack
 
       def default_session; {}; end
 
+      # Assist with compatibility when processing `X-Forwarded-For`.
+      def wrap_ipv6(host)
+        # Even thought IPv6 addresses should be wrapped in square brackets,
+        # sometimes this is not done in various legacy/underspecified headers.
+        # So we try to fix this situation for compatibility reasons.
+
+        # Try to detect IPv6 addresses which aren't escaped yet:
+        if !host.start_with?('[') && host.count(':') > 1
+          "[#{host}]"
+        else
+          host
+        end
+      end
+
       def parse_http_accept_header(header)
         header.to_s.split(/\s*,\s*/).map do |part|
           attribute, parameters = part.split(/\s*;\s*/, 2)
@@ -482,6 +652,11 @@ module Rack
         end
       end
 
+      # Get an array of values set in the RFC 7239 `Forwarded` request header.
+      def get_http_forwarded(token)
+        Utils.forwarded_values(get_header(HTTP_FORWARDED))&.[](token)
+      end
+
       def query_parser
         Utils.default_query_parser
       end
@@ -494,56 +669,108 @@ module Rack
         Rack::Multipart.extract_multipart(self, query_parser)
       end
 
-      def split_ip_addresses(ip_addresses)
-        ip_addresses ? ip_addresses.strip.split(/[,\s]+/) : []
-      end
+      def expand_param_pairs(pairs, query_parser = query_parser())
+        params = query_parser.make_params
 
-      def strip_port(ip_address)
-        # IPv6 format with optional port: "[2001:db8:cafe::17]:47011"
-        # returns: "2001:db8:cafe::17"
-        sep_start = ip_address.index('[')
-        sep_end = ip_address.index(']')
-        if (sep_start && sep_end)
-          return ip_address[sep_start + 1, sep_end - 1]
+        pairs.each do |k, v|
+          query_parser.normalize_params(params, k, v)
         end
 
-        # IPv4 format with optional port: "192.0.2.43:47011"
-        # returns: "192.0.2.43"
-        sep = ip_address.index(':')
-        if (sep && ip_address.count(':') == 1)
-          return ip_address[0, sep]
-        end
-
-        ip_address
+        params.to_params_hash
+      end
+
+      def split_header(value)
+        value ? value.strip.split(/[,\s]+/) : []
+      end
+
+      # ipv6 extracted from resolv stdlib, simplified
+      # to remove numbered match group creation.
+      ipv6 = Regexp.union(
+        /(?:[0-9A-Fa-f]{1,4}:){7}
+         [0-9A-Fa-f]{1,4}/x,
+        /(?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)? ::
+         (?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?/x,
+        /(?:[0-9A-Fa-f]{1,4}:){6,6}
+         \d+\.\d+\.\d+\.\d+/x,
+        /(?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)? ::
+         (?:[0-9A-Fa-f]{1,4}:)*
+         \d+\.\d+\.\d+\.\d+/x,
+        /[Ff][Ee]80
+         (?::[0-9A-Fa-f]{1,4}){7}
+         %[-0-9A-Za-z._~]+/x,
+        /[Ff][Ee]80:
+         (?:
+           (?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)? ::
+           (?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?
+           |
+           :(?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?
+         )?
+         :[0-9A-Fa-f]{1,4}%[-0-9A-Za-z._~]+/x)
+
+      AUTHORITY = /
+        \A
+        (?<host>
+          # Match IPv6 as a string of hex digits and colons in square brackets
+          \[(?<address>#{ipv6})\]
+          |
+          # Match any other printable string (except square brackets) as a hostname
+          (?<address>[[[:graph:]&&[^\[\]]]]*?)
+        )
+        (:(?<port>\d+))?
+        \z
+      /x
+
+      private_constant :AUTHORITY
+
+      def split_authority(authority)
+        return [] if authority.nil?
+        return [] unless match = AUTHORITY.match(authority)
+        return match[:host], match[:address], match[:port]&.to_i
       end
 
       def reject_trusted_ip_addresses(ip_addresses)
         ip_addresses.reject { |ip| trusted_proxy?(ip) }
       end
 
+      FORWARDED_SCHEME_HEADERS = {
+        proto: HTTP_X_FORWARDED_PROTO,
+        scheme: HTTP_X_FORWARDED_SCHEME
+      }.freeze
+      private_constant :FORWARDED_SCHEME_HEADERS
       def forwarded_scheme
-        allowed_scheme(get_header(HTTP_X_FORWARDED_SCHEME)) ||
-        allowed_scheme(extract_proto_header(get_header(HTTP_X_FORWARDED_PROTO)))
+        forwarded_priority.each do |type|
+          case type
+          when :forwarded
+            if (forwarded_proto = get_http_forwarded(:proto)) &&
+               (scheme = allowed_scheme(forwarded_proto.last))
+              return scheme
+            end
+          when :x_forwarded
+            x_forwarded_proto_priority.each do |x_type|
+              if header = FORWARDED_SCHEME_HEADERS[x_type]
+                split_header(get_header(header)).reverse_each do |scheme|
+                  if allowed_scheme(scheme)
+                    return scheme
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        nil
       end
 
       def allowed_scheme(header)
         header if ALLOWED_SCHEMES.include?(header)
       end
 
-      def extract_proto_header(header)
-        if header
-          if (comma_index = header.index(','))
-            header[0, comma_index]
-          else
-            header
-          end
-        end
+      def forwarded_priority
+        Request.forwarded_priority
       end
 
-      def extract_port(uri)
-        if (colon_index = uri.index(':'))
-          uri[colon_index + 1, uri.length]
-        end
+      def x_forwarded_proto_priority
+        Request.x_forwarded_proto_priority
       end
     end
 
@@ -551,3 +778,7 @@ module Rack
     include Helpers
   end
 end
+
+# :nocov:
+require_relative 'multipart' unless defined?(Rack::Multipart)
+# :nocov: