rack 2.1.3 → 2.2.1

data/CONTRIBUTING.md

@@ -0,0 +1,136 @@
+Contributing to Rack
+=====================
+
+Rack is work of [hundreds of contributors](https://github.com/rack/rack/graphs/contributors). You're encouraged to submit [pull requests](https://github.com/rack/rack/pulls), [propose features and discuss issues](https://github.com/rack/rack/issues). When in doubt, post to the [rack-devel](http://groups.google.com/group/rack-devel) mailing list.
+
+#### Fork the Project
+
+Fork the [project on Github](https://github.com/rack/rack) and check out your copy.
+
+```
+git clone https://github.com/contributor/rack.git
+cd rack
+git remote add upstream https://github.com/rack/rack.git
+```
+
+#### Create a Topic Branch
+
+Make sure your fork is up-to-date and create a topic branch for your feature or bug fix.
+
+```
+git checkout master
+git pull upstream master
+git checkout -b my-feature-branch
+```
+
+#### Bundle Install and Quick Test
+
+Ensure that you can build the project and run quick tests.
+
+```
+bundle install --without extra
+bundle exec rake test
+```
+
+#### Running All Tests
+
+Install all dependencies.
+
+```
+bundle install
+```
+
+Run all tests.
+
+```
+rake test
+```
+
+The test suite has no dependencies outside of the core Ruby installation and bacon.
+
+Some tests will be skipped if a dependency is not found.
+
+To run the test suite completely, you need:
+
+  * fcgi
+  * dalli
+  * thin
+
+To test Memcache sessions, you need memcached (will be run on port 11211) and dalli installed.
+
+#### Write Tests
+
+Try to write a test that reproduces the problem you're trying to fix or describes a feature that you want to build.
+
+We definitely appreciate pull requests that highlight or reproduce a problem, even without a fix.
+
+#### Write Code
+
+Implement your feature or bug fix.
+
+Make sure that `bundle exec rake fulltest` completes without errors.
+
+#### Write Documentation
+
+Document any external behavior in the [README](README.rdoc).
+
+#### Update Changelog
+
+Add a line to [CHANGELOG](CHANGELOG.md).
+
+#### Commit Changes
+
+Make sure git knows your name and email address:
+
+```
+git config --global user.name "Your Name"
+git config --global user.email "contributor@example.com"
+```
+
+Writing good commit logs is important. A commit log should describe what changed and why.
+
+```
+git add ...
+git commit
+```
+
+#### Push
+
+```
+git push origin my-feature-branch
+```
+
+#### Make a Pull Request
+
+Go to https://github.com/contributor/rack and select your feature branch. Click the 'Pull Request' button and fill out the form. Pull requests are usually reviewed within a few days.
+
+#### Rebase
+
+If you've been working on a change for a while, rebase with upstream/master.
+
+```
+git fetch upstream
+git rebase upstream/master
+git push origin my-feature-branch -f
+```
+
+#### Make Required Changes
+
+Amend your previous commit and force push the changes.
+
+```
+git commit --amend
+git push origin my-feature-branch -f
+```
+
+#### Check on Your Pull Request
+
+Go back to your pull request after a few minutes and see whether it passed muster with Travis-CI. Everything should look green, otherwise fix issues and amend your commit as described above.
+
+#### Be Patient
+
+It's likely that your change will not be merged and that the nitpicky maintainers will ask you to do more, or fix seemingly benign problems. Hang on there!
+
+#### Thank You
+
+Please do know that we really appreciate and value your time and work. We love you, really.

data/README.rdoc

@@ -5,6 +5,7 @@
 {<img src="https://circleci.com/gh/rack/rack.svg?style=svg" alt="CircleCI" />}[https://circleci.com/gh/rack/rack]
 {<img src="https://badge.fury.io/rb/rack.svg" alt="Gem Version" />}[http://badge.fury.io/rb/rack]
 {<img src="https://api.dependabot.com/badges/compatibility_score?dependency-name=rack&package-manager=bundler&version-scheme=semver" alt="SemVer Stability" />}[https://dependabot.com/compatibility-score.html?dependency-name=rack&package-manager=bundler&version-scheme=semver]
+{<img src="http://inch-ci.org/github/rack/rack.svg?branch=master" alt="Inline docs" />}[http://inch-ci.org/github/rack/rack]
 
 \Rack provides a minimal, modular, and adaptable interface for developing
 web applications in Ruby. By wrapping HTTP requests and responses in
@@ -30,10 +31,11 @@ These web servers include \Rack handlers in their distributions:
 
 * Agoo[https://github.com/ohler55/agoo]
 * Falcon[https://github.com/socketry/falcon]
+* Iodine[https://github.com/boazsegev/iodine]
 * {NGINX Unit}[https://unit.nginx.org/]
 * {Phusion Passenger}[https://www.phusionpassenger.com/] (which is mod_rack for Apache and for nginx)
 * Puma[https://puma.io/]
-* Unicorn[https://bogomips.org/unicorn/]
+* Unicorn[https://yhbt.net/unicorn/]
 * uWSGI[https://uwsgi-docs.readthedocs.io/en/latest/]
 
 Any valid \Rack app will run the same on all these handlers, without
@@ -41,13 +43,12 @@ changing anything.
 
 == Supported web frameworks
 
-These frameworks include \Rack adapters in their distributions:
+These frameworks and many others support the \Rack API:
 
 * Camping[http://www.ruby-camping.com/]
 * Coset[http://leahneukirchen.org/repos/coset/]
 * Hanami[https://hanamirb.org/]
 * Padrino[http://padrinorb.com/]
-* Racktools::SimpleApplication
 * Ramaze[http://ramaze.net/]
 * Roda[https://github.com/jeremyevans/roda]
 * {Ruby on Rails}[https://rubyonrails.org/]
@@ -55,19 +56,45 @@ These frameworks include \Rack adapters in their distributions:
 * Sinatra[http://sinatrarb.com/]
 * Utopia[https://github.com/socketry/utopia]
 * WABuR[https://github.com/ohler55/wabur]
-* ... and many others.
 
-== Available middleware
+== Available middleware shipped with \Rack
 
 Between the server and the framework, \Rack can be customized to your
-applications needs using middleware, for example:
+applications needs using middleware. \Rack itself ships with the following
+middleware:
 
-* Rack::URLMap, to route to multiple applications inside the same process.
+* Rack::Chunked, for streaming responses using chunked encoding.
 * Rack::CommonLogger, for creating Apache-style logfiles.
+* Rack::ConditionalGet, for returning not modified responses when the response
+  has not changed.
+* Rack::Config, for modifying the environment before processing the request.
+* Rack::ContentLength, for setting Content-Length header based on body size.
+* Rack::ContentType, for setting default Content-Type header for responses.
+* Rack::Deflater, for compressing responses with gzip.
+* Rack::ETag, for setting ETag header on string bodies.
+* Rack::Events, for providing easy hooks when a request is received
+  and when the response is sent.
+* Rack::Files, for serving static files.
+* Rack::Head, for returning an empty body for HEAD requests.
+* Rack::Lint, for checking conformance to the \Rack API.
+* Rack::Lock, for serializing requests using a mutex.
+* Rack::Logger, for setting a logger to handle logging errors.
+* Rack::MethodOverride, for modifying the request method based on a submitted
+  parameter.
+* Rack::Recursive, for including data from other paths in the application,
+  and for performing internal redirects.
+* Rack::Reloader, for reloading files if they have been modified.
+* Rack::Runtime, for including a response header with the time taken to
+  process the request.
+* Rack::Sendfile, for working with web servers that can use optimized
+  file serving for file system paths.
 * Rack::ShowException, for catching unhandled exceptions and
   presenting them in a nice and helpful way with clickable backtrace.
-* Rack::Files, for serving static files.
-* ...many others!
+* Rack::ShowStatus, for using nice error pages for empty client error
+  responses.
+* Rack::Static, for more configurable serving of static files.
+* Rack::TempfileReaper, for removing temporary files creating during a
+  request.
 
 All these components use the same interface, which is described in
 detail in the \Rack specification.  These optional components can be
@@ -86,6 +113,15 @@ over:
   cookie handling.
 * Rack::MockRequest and Rack::MockResponse for efficient and quick
   testing of \Rack application without real HTTP round-trips.
+* Rack::Cascade, for trying additional \Rack applications if an
+  application returns a not found or method not supported response.
+* Rack::Directory, for serving files under a given directory, with
+  directory indexes.
+* Rack::MediaType, for parsing Content-Type headers.
+* Rack::Mime, for determining Content-Type based on file extension.
+* Rack::RewindableInput, for making any IO object rewindable, using
+  a temporary file buffer.
+* Rack::URLMap, to route to multiple applications inside the same process.
 
 == rack-contrib
 
@@ -125,46 +161,46 @@ A Gem of \Rack is available at {rubygems.org}[https://rubygems.org/gems/rack]. Y
 
     gem install rack
 
-== Running the tests
+== Usage
 
-Testing \Rack requires the bacon testing framework:
+You should require the library:
 
-    bundle install --without extra # to be able to run the fast tests
+    require 'rack'
 
-Or:
+\Rack uses autoload to automatically load other files \Rack ships with on demand,
+so you should not need require paths under +rack+.  If you require paths under
++rack+ without requiring +rack+ itself, things may not work correctly.
 
-    bundle install # this assumes that you have installed native extensions!
+== Configuration
 
-There is a rake-based test task:
+Several parameters can be modified on Rack::Utils to configure \Rack behaviour.
 
-    rake test # tests all the tests
+e.g:
 
-The testsuite has no dependencies outside of the core Ruby
-installation and bacon.
+    Rack::Utils.key_space_limit = 128
 
-To run the test suite completely, you need:
+=== key_space_limit
 
-  * fcgi
-  * dalli
-  * thin
+The default number of bytes to allow all parameters keys in a given parameter hash to take up.
+Does not affect nested parameter hashes, so doesn't actually prevent an attacker from using
+more than this many bytes for parameter keys.
 
-To test Memcache sessions, you need memcached (will be
-run on port 11211) and dalli installed.
+Defaults to 65536 characters.
 
-== Configuration
+=== param_depth_limit
 
-Several parameters can be modified on Rack::Utils to configure \Rack behaviour.
+The maximum amount of nesting allowed in parameters.
+For example, if set to 3, this query string would be allowed:
 
-e.g:
+    ?a[b][c]=d
 
-    Rack::Utils.key_space_limit = 128
+but this query string would not be allowed:
 
-=== key_space_limit
+    ?a[b][c][d]=e
 
-The default number of bytes to allow a single parameter key to take up.
-This helps prevent a rogue client from flooding a Request.
+Limiting the depth prevents a possible stack overflow when parsing parameters.
 
-Default to 65536 characters (4 kiB in worst case).
+Defaults to 100.
 
 === multipart_part_limit
 
@@ -181,6 +217,10 @@ Can also be set via the +RACK_MULTIPART_PART_LIMIT+ environment variable.
 
 See {CHANGELOG.md}[https://github.com/rack/rack/blob/master/CHANGELOG.md].
 
+== Contributing
+
+See {CONTRIBUTING.md}[https://github.com/rack/rack/blob/master/CONTRIBUTING.md].
+
 == Contact
 
 Please post bugs, suggestions and patches to
@@ -198,7 +238,6 @@ Mailing list archives are available at
 Git repository (send Git patches to the mailing list):
 
 * https://github.com/rack/rack
-* http://git.vuxu.org/cgi-bin/gitweb.cgi?p=rack-github.git
 
 You are also welcome to join the #rack channel on irc.freenode.net.
 
@@ -206,20 +245,25 @@ You are also welcome to join the #rack channel on irc.freenode.net.
 
 The \Rack Core Team, consisting of
 
+* Aaron Patterson (tenderlove[https://github.com/tenderlove])
+* Samuel Williams (ioquatix[https://github.com/ioquatix])
+* Jeremy Evans (jeremyevans[https://github.com/jeremyevans])
+* Eileen Uchitelle (eileencodes[https://github.com/eileencodes])
+* Matthew Draper (matthewd[https://github.com/matthewd])
+* Rafael França (rafaelfranca[https://github.com/rafaelfranca])
+
+and the \Rack Alumni
+
+* Ryan Tomayko (rtomayko[https://github.com/rtomayko])
+* Scytrin dai Kinthra (scytrin[https://github.com/scytrin])
 * Leah Neukirchen (leahneukirchen[https://github.com/leahneukirchen])
 * James Tucker (raggi[https://github.com/raggi])
 * Josh Peek (josh[https://github.com/josh])
 * José Valim (josevalim[https://github.com/josevalim])
 * Michael Fellinger (manveru[https://github.com/manveru])
-* Aaron Patterson (tenderlove[https://github.com/tenderlove])
 * Santiago Pastorino (spastorino[https://github.com/spastorino])
 * Konstantin Haase (rkh[https://github.com/rkh])
 
-and the \Rack Alumnis
-
-* Ryan Tomayko (rtomayko[https://github.com/rtomayko])
-* Scytrin dai Kinthra (scytrin[https://github.com/scytrin])
-
 would like to thank:
 
 * Adrian Madrid, for the LiteSpeed handler.

data/Rakefile

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "bundler/gem_tasks"
 require "rake/testtask"
 
 desc "Run all the tests"
@@ -20,7 +21,7 @@ end
 desc "Make an archive as .tar.gz"
 task dist: %w[chmod changelog spec rdoc] do
   sh "git archive --format=tar --prefix=#{release}/ HEAD^{tree} >#{release}.tar"
-  sh "pax -waf #{release}.tar -s ':^:#{release}/:' SPEC ChangeLog doc rack.gemspec"
+  sh "pax -waf #{release}.tar -s ':^:#{release}/:' SPEC.rdoc ChangeLog doc rack.gemspec"
   sh "gzip -f -9 #{release}.tar"
 end
 
@@ -38,7 +39,7 @@ task officialrelease_really: %w[spec dist gem] do
 end
 
 def release
-  "rack-" + File.read('lib/rack.rb')[/RELEASE += +([\"\'])([\d][\w\.]+)\1/, 2]
+  "rack-" + File.read('lib/rack/version.rb')[/RELEASE += +([\"\'])([\d][\w\.]+)\1/, 2]
 end
 
 desc "Make binaries executable"
@@ -71,13 +72,13 @@ file "ChangeLog" => '.git/index' do
 end
 
 desc "Generate Rack Specification"
-task spec: "SPEC"
+task spec: "SPEC.rdoc"
 
 file 'lib/rack/lint.rb'
-file "SPEC" => 'lib/rack/lint.rb' do
-  File.open("SPEC", "wb") { |file|
+file "SPEC.rdoc" => 'lib/rack/lint.rb' do
+  File.open("SPEC.rdoc", "wb") { |file|
     IO.foreach("lib/rack/lint.rb") { |line|
-      if line =~ /## (.*)/
+      if line =~ /^\s*## ?(.*)/
         file.puts $1
       end
     }
@@ -91,6 +92,12 @@ Rake::TestTask.new("test:regular") do |t|
   t.verbose = true
 end
 
+desc "Run tests with coverage"
+task "test_cov" do
+  ENV['COVERAGE'] = '1'
+  Rake::Task['test:regular'].invoke
+end
+
 desc "Run all the fast + platform agnostic tests"
 task test: %w[spec test:regular]
 
@@ -107,7 +114,7 @@ desc "Generate RDoc documentation"
 task rdoc: %w[changelog spec] do
   sh(*%w{rdoc --line-numbers --main README.rdoc
               --title 'Rack\ Documentation' --charset utf-8 -U -o doc} +
-              %w{README.rdoc KNOWN-ISSUES SPEC ChangeLog} +
+              %w{README.rdoc KNOWN-ISSUES SPEC.rdoc ChangeLog} +
               `git ls-files lib/\*\*/\*.rb`.strip.split)
   cp "contrib/rdoc.css", "doc/rdoc.css"
 end

data/{SPEC → SPEC.rdoc}

@@ -1,5 +1,6 @@
 This specification aims to formalize the Rack protocol.  You
 can (and should) use Rack::Lint to enforce it.
+
 When you develop middleware, be sure to add a Lint before and
 after to catch all mistakes.
 = Rack applications
@@ -11,9 +12,10 @@ The *status*,
 the *headers*,
 and the *body*.
 == The Environment
-The environment must be an instance of Hash that includes
+The environment must be an unfrozen instance of Hash that includes
 CGI-like headers.  The application is free to modify the
 environment.
+
 The environment is required to include these variables
 (adopted from PEP333), except when they'd be empty, but see
 below.
@@ -104,6 +106,7 @@ be implemented by the server.
                         fetch(key, default = nil) (aliased as []);
                         delete(key);
                         clear;
+                        to_hash (returning unfrozen Hash instance);
 <tt>rack.logger</tt>:: A common object interface for logging messages.
                        The object must implement:
                         info(message, &block)
@@ -118,10 +121,13 @@ environment, too.  The keys must contain at least one dot,
 and should be prefixed uniquely.  The prefix <tt>rack.</tt>
 is reserved for use with the Rack core distribution and other
 accepted specifications and must not be used otherwise.
+
 The environment must not contain the keys
 <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
 (use the versions without <tt>HTTP_</tt>).
 The CGI keys (named without a period) must have String values.
+If the string values for CGI keys contain non-ASCII characters,
+they should use ASCII-8BIT encoding.
 There are the following restrictions:
 * <tt>rack.version</tt> must be an array of Integers.
 * <tt>rack.url_scheme</tt> must either be +http+ or +https+.
@@ -137,6 +143,7 @@ There are the following restrictions:
   <tt>SCRIPT_NAME</tt> is empty.
   <tt>SCRIPT_NAME</tt> never should be <tt>/</tt>, but instead be empty.
 === The Input Stream
+
 The input stream is an IO-like object which contains the raw HTTP
 POST data.
 When applicable, its external encoding must be "ASCII-8BIT" and it
@@ -146,14 +153,19 @@ The input stream must respond to +gets+, +each+, +read+ and +rewind+.
   or +nil+ on EOF.
 * +read+ behaves like IO#read.
   Its signature is <tt>read([length, [buffer]])</tt>.
+
   If given, +length+ must be a non-negative Integer (>= 0) or +nil+,
   and +buffer+ must be a String and may not be nil.
+
   If +length+ is given and not nil, then this method reads at most
   +length+ bytes from the input stream.
+
   If +length+ is not given or nil, then this method reads
   all data until EOF.
+
   When EOF is reached, this method returns nil if +length+ is given
   and not nil, or "" if +length+ is not given or is nil.
+
   If +buffer+ is given, then the read data will be placed
   into +buffer+ instead of a newly created String object.
 * +each+ must be called without arguments and only yield Strings.
@@ -175,16 +187,20 @@ The error stream must respond to +puts+, +write+ and +flush+.
 If rack.hijack? is true then rack.hijack must respond to #call.
 rack.hijack must return the io that will also be assigned (or is
 already present, in rack.hijack_io.
+
 rack.hijack_io must respond to:
 <tt>read, write, read_nonblock, write_nonblock, flush, close,
 close_read, close_write, closed?</tt>
+
 The semantics of these IO methods must be a best effort match to
 those of a normal ruby IO or Socket object, using standard
 arguments and raising standard exceptions. Servers are encouraged
 to simply pass on real IO objects, although it is recognized that
 this approach is not directly compatible with SPDY and HTTP 2.0.
+
 IO provided in rack.hijack_io should preference the
 IO::WaitReadable and IO::WaitWritable APIs wherever supported.
+
 There is a deliberate lack of full specification around
 rack.hijack_io, as semantics will change from server to server.
 Users are encouraged to utilize this API with a knowledge of their
@@ -192,7 +208,9 @@ server choice, and servers may extend the functionality of
 hijack_io to provide additional features to users. The purpose of
 rack.hijack is for Rack to "get out of the way", as such, Rack only
 provides the minimum of specification and support.
+
 If rack.hijack? is false, then rack.hijack should not be set.
+
 If rack.hijack? is false, then rack.hijack_io should not be set.
 ==== Response (after headers)
 It is also possible to hijack a response after the status and headers
@@ -201,6 +219,7 @@ In order to do this, an application may set the special header
 <tt>rack.hijack</tt> to an object that responds to <tt>call</tt>
 accepting an argument that conforms to the <tt>rack.hijack_io</tt>
 protocol.
+
 After the headers have been sent, and this hijack callback has been
 called, the application is now responsible for the remaining lifecycle
 of the IO. The application is also responsible for maintaining HTTP
@@ -209,8 +228,10 @@ applications will have wanted to specify the header Connection:close in
 HTTP/1.1, and not Connection:keep-alive, as there is no protocol for
 returning hijacked sockets to the web server. For that purpose, use the
 body streaming API instead (progressively yielding strings via each).
+
 Servers must ignore the <tt>body</tt> part of the response tuple when
 the <tt>rack.hijack</tt> response API is in use.
+
 The special response header <tt>rack.hijack</tt> must only be set
 if the request env has <tt>rack.hijack?</tt> <tt>true</tt>.
 ==== Conventions
@@ -244,16 +265,20 @@ There must not be a Content-Length header when the
 === The Body
 The Body must respond to +each+
 and must only yield String values.
+
 The Body itself should not be an instance of String, as this will
 break in Ruby 1.9.
+
 If the Body responds to +close+, it will be called after iteration. If
 the body is replaced by a middleware after action, the original body
 must be closed first, if it responds to close.
+
 If the Body responds to +to_path+, it must return a String
 identifying the location of a file whose contents are identical
 to that produced by calling +each+; this may be used by the
 server as an alternative, possibly more efficient way to
 transport the response.
+
 The Body commonly is an Array of Strings, the application
 instance itself, or a File-like object.
 == Thanks