rack 2.1.4.4 → 2.2.0

data/lib/rack/multipart/generator.rb

@@ -17,9 +17,13 @@ module Rack
 
         flattened_params.map do |name, file|
           if file.respond_to?(:original_filename)
-            ::File.open(file.path, 'rb') do |f|
-              f.set_encoding(Encoding::BINARY)
-              content_for_tempfile(f, file, name)
+            if file.path
+              ::File.open(file.path, 'rb') do |f|
+                f.set_encoding(Encoding::BINARY)
+                content_for_tempfile(f, file, name)
+              end
+            else
+              content_for_tempfile(file, file, name)
             end
           else
             content_for_other(file, name)
@@ -69,12 +73,13 @@ module Rack
       end
 
       def content_for_tempfile(io, file, name)
+        length = ::File.stat(file.path).size if file.path
+        filename = "; filename=\"#{Utils.escape(file.original_filename)}\"" if file.original_filename
 <<-EOF
 --#{MULTIPART_BOUNDARY}\r
-Content-Disposition: form-data; name="#{name}"; filename="#{Utils.escape(file.original_filename)}"\r
+Content-Disposition: form-data; name="#{name}"#{filename}\r
 Content-Type: #{file.content_type}\r
-Content-Length: #{::File.stat(file.path).size}\r
-\r
+#{"Content-Length: #{length}\r\n" if length}\r
 #{io.read}\r
 EOF
       end

data/lib/rack/multipart/parser.rb

@@ -1,16 +1,13 @@
 # frozen_string_literal: true
 
-require 'rack/utils'
 require 'strscan'
-require 'rack/core_ext/regexp'
 
 module Rack
   module Multipart
     class MultipartPartLimitError < Errno::EMFILE; end
-    class MultipartTotalPartLimitError < StandardError; end
 
     class Parser
-      using ::Rack::RegexpExtensions
+      (require_relative '../core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
 
       BUFSIZE = 1_048_576
       TEXT_PLAIN = "text/plain"
@@ -102,12 +99,6 @@ module Rack
 
               data = { filename: fn, type: content_type,
                       name: name, tempfile: body, head: head }
-            elsif !filename && content_type && body.is_a?(IO)
-              body.rewind
-
-              # Generic multipart cases, not coming from a form
-              data = { type: content_type,
-                      name: name, tempfile: body, head: head }
             end
 
             yield data
@@ -126,7 +117,7 @@ module Rack
 
         include Enumerable
 
-        def initialize tempfile
+        def initialize(tempfile)
           @tempfile = tempfile
           @mime_parts = []
           @open_files = 0
@@ -136,7 +127,7 @@ module Rack
           @mime_parts.each { |part| yield part }
         end
 
-        def on_mime_head mime_index, head, filename, content_type, name
+        def on_mime_head(mime_index, head, filename, content_type, name)
           if filename
             body = @tempfile.call(filename, content_type)
             body.binmode if body.respond_to?(:binmode)
@@ -149,35 +140,25 @@ module Rack
 
           @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
 
-          check_part_limits
+          check_open_files
         end
 
-        def on_mime_body mime_index, content
+        def on_mime_body(mime_index, content)
           @mime_parts[mime_index].body << content
         end
 
-        def on_mime_finish mime_index
+        def on_mime_finish(mime_index)
         end
 
         private
 
-        def check_part_limits
-          file_limit = Utils.multipart_file_limit
-          part_limit = Utils.multipart_total_part_limit
-
-          if file_limit && file_limit > 0
-            if @open_files >= file_limit
+        def check_open_files
+          if Utils.multipart_part_limit > 0
+            if @open_files >= Utils.multipart_part_limit
               @mime_parts.each(&:close)
               raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
             end
           end
-
-          if part_limit && part_limit > 0
-            if @mime_parts.size >= part_limit
-              @mime_parts.each(&:close)
-              raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
-            end
-          end
         end
       end
 
@@ -201,7 +182,7 @@ module Rack
         @head_regex = /(.*?#{EOL})#{EOL}/m
       end
 
-      def on_read content
+      def on_read(content)
         handle_empty_content!(content)
         @sbuf.concat content
         run_parser
@@ -320,9 +301,8 @@ module Rack
           elsif filename = params['filename*']
             encoding, _, filename = filename.split("'", 3)
           end
-        when BROKEN
+        when BROKEN_QUOTED, BROKEN_UNQUOTED
           filename = $1
-          filename = $1 if filename =~ /^"(.*)"$/
         end
 
         return unless filename
@@ -359,7 +339,7 @@ module Rack
           type_subtype = list.first
           type_subtype.strip!
           if TEXT_PLAIN == type_subtype
-            rest         = list.drop 1
+            rest = list.drop 1
             rest.each do |param|
               k, v = param.split('=', 2)
               k.strip!

data/lib/rack/multipart/uploaded_file.rb

@@ -9,17 +9,23 @@ module Rack
       # The content type of the "uploaded" file
       attr_accessor :content_type
 
-      def initialize(path, content_type = "text/plain", binary = false)
-        raise "#{path} file does not exist" unless ::File.exist?(path)
+      def initialize(filepath = nil, ct = "text/plain", bin = false,
+                     path: filepath, content_type: ct, binary: bin, filename: nil, io: nil)
+        if io
+          @tempfile = io
+          @original_filename = filename
+        else
+          raise "#{path} file does not exist" unless ::File.exist?(path)
+          @original_filename = filename || ::File.basename(path)
+          @tempfile = Tempfile.new([@original_filename, ::File.extname(path)], encoding: Encoding::BINARY)
+          @tempfile.binmode if binary
+          FileUtils.copy_file(path, @tempfile.path)
+        end
         @content_type = content_type
-        @original_filename = ::File.basename(path)
-        @tempfile = Tempfile.new([@original_filename, ::File.extname(path)], encoding: Encoding::BINARY)
-        @tempfile.binmode if binary
-        FileUtils.copy_file(path, @tempfile.path)
       end
 
       def path
-        @tempfile.path
+        @tempfile.path if @tempfile.respond_to?(:path)
       end
       alias_method :local_path, :path
 

data/lib/rack/multipart.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'rack/multipart/parser'
+require_relative 'multipart/parser'
 
 module Rack
   # A multipart form data parser, adapted from IOWA.
@@ -16,12 +16,13 @@ module Rack
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
-    BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
+    BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
+    BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/

data/lib/rack/query_parser.rb

@@ -1,10 +1,8 @@
 # frozen_string_literal: true
 
-require_relative 'core_ext/regexp'
-
 module Rack
   class QueryParser
-    using ::Rack::RegexpExtensions
+    (require_relative 'core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
 
     DEFAULT_SEP = /[&;] */n
     COMMON_SEP = { ";" => /[;] */n, ";," => /[;,] */n, "&" => /[&] */n }
@@ -64,18 +62,19 @@ module Rack
     # ParameterTypeError is raised. Users are encouraged to return a 400 in this
     # case.
     def parse_nested_query(qs, d = nil)
-      return {} if qs.nil? || qs.empty?
       params = make_params
 
-      qs.split(d ? (COMMON_SEP[d] || /[#{d}] */n) : DEFAULT_SEP).each do |p|
-        k, v = p.split('=', 2).map! { |s| unescape(s) }
+      unless qs.nil? || qs.empty?
+        (qs || '').split(d ? (COMMON_SEP[d] || /[#{d}] */n) : DEFAULT_SEP).each do |p|
+          k, v = p.split('=', 2).map! { |s| unescape(s) }
 
-        normalize_params(params, k, v, param_depth_limit)
+          normalize_params(params, k, v, param_depth_limit)
+        end
       end
 
       return params.to_h
     rescue ArgumentError => e
-      raise InvalidParameterError, e.message
+      raise InvalidParameterError, e.message, e.backtrace
     end
 
     # normalize_params recursively expands parameters into structural types. If

data/lib/rack/recursive.rb

@@ -19,7 +19,7 @@ module Rack
       @env[PATH_INFO]       = @url.path
       @env[QUERY_STRING]    = @url.query  if @url.query
       @env[HTTP_HOST]       = @url.host   if @url.host
-      @env["HTTP_PORT"]     = @url.port   if @url.port
+      @env[HTTP_PORT]       = @url.port   if @url.port
       @env[RACK_URL_SCHEME] = @url.scheme if @url.scheme
 
       super "forwarding to #{url}"

data/lib/rack/reloader.rb

@@ -6,8 +6,6 @@
 
 require 'pathname'
 
-require_relative 'core_ext/regexp'
-
 module Rack
 
   # High performant source reloader
@@ -24,7 +22,7 @@ module Rack
   # It is performing a check/reload cycle at the start of every request, but
   # also respects a cool down time, during which nothing will be done.
   class Reloader
-    using ::Rack::RegexpExtensions
+    (require_relative 'core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
 
     def initialize(app, cooldown = 10, backend = Stat)
       @app = app

data/lib/rack/request.rb

@@ -1,10 +1,5 @@
 # frozen_string_literal: true
 
-require 'rack/utils'
-require 'rack/media_type'
-
-require_relative 'core_ext/regexp'
-
 module Rack
   # Rack::Request provides a convenient interface to a Rack
   # environment.  It is stateless, the environment +env+ passed to the
@@ -15,7 +10,7 @@ module Rack
   #   req.params["data"]
 
   class Request
-    using ::Rack::RegexpExtensions
+    (require_relative 'core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
 
     class << self
       attr_accessor :ip_filter
@@ -93,7 +88,7 @@ module Rack
       #   assert_equal 'image/png,*/*', request.get_header('Accept')
       #
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
-      def add_header key, v
+      def add_header(key, v)
         if v.nil?
           get_header key
         elsif has_header? key
@@ -134,11 +129,23 @@ module Rack
       # to include the port in a generated URI.
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
 
+      # The address of the client which connected to the proxy.
+      HTTP_X_FORWARDED_FOR = 'HTTP_X_FORWARDED_FOR'
+
+      # The contents of the host/:authority header sent to the proxy.
+      HTTP_X_FORWARDED_HOST = 'HTTP_X_FORWARDED_HOST'
+
+      # The value of the scheme sent to the proxy.
       HTTP_X_FORWARDED_SCHEME = 'HTTP_X_FORWARDED_SCHEME'
-      HTTP_X_FORWARDED_PROTO  = 'HTTP_X_FORWARDED_PROTO'
-      HTTP_X_FORWARDED_HOST   = 'HTTP_X_FORWARDED_HOST'
-      HTTP_X_FORWARDED_PORT   = 'HTTP_X_FORWARDED_PORT'
-      HTTP_X_FORWARDED_SSL    = 'HTTP_X_FORWARDED_SSL'
+
+      # The protocol used to connect to the proxy.
+      HTTP_X_FORWARDED_PROTO = 'HTTP_X_FORWARDED_PROTO'
+
+      # The port used to connect to the proxy.
+      HTTP_X_FORWARDED_PORT = 'HTTP_X_FORWARDED_PORT'
+
+      # Another way for specifing https scheme was used.
+      HTTP_X_FORWARDED_SSL = 'HTTP_X_FORWARDED_SSL'
 
       def body;            get_header(RACK_INPUT)                         end
       def script_name;     get_header(SCRIPT_NAME).to_s                   end
@@ -212,19 +219,52 @@ module Rack
         end
       end
 
+      # The authority of the incoming request as defined by RFC3976.
+      # https://tools.ietf.org/html/rfc3986#section-3.2
+      #
+      # In HTTP/1, this is the `host` header.
+      # In HTTP/2, this is the `:authority` pseudo-header.
       def authority
-        get_header(SERVER_NAME) + ':' + get_header(SERVER_PORT)
+        forwarded_authority || host_authority || server_authority
+      end
+
+      # The authority as defined by the `SERVER_NAME` and `SERVER_PORT`
+      # variables.
+      def server_authority
+        host = self.server_name
+        port = self.server_port
+
+        if host
+          if port
+            "#{host}:#{port}"
+          else
+            host
+          end
+        end
+      end
+
+      def server_name
+        get_header(SERVER_NAME)
+      end
+
+      def server_port
+        if port = get_header(SERVER_PORT)
+          Integer(port)
+        end
       end
 
       def cookies
-        hash = fetch_header(RACK_REQUEST_COOKIE_HASH) do |k|
-          set_header(k, {})
+        hash = fetch_header(RACK_REQUEST_COOKIE_HASH) do |key|
+          set_header(key, {})
+        end
+
+        string = get_header(HTTP_COOKIE)
+
+        unless string == get_header(RACK_REQUEST_COOKIE_STRING)
+          hash.replace Utils.parse_cookies_header(string)
+          set_header(RACK_REQUEST_COOKIE_STRING, string)
         end
-        string = get_header HTTP_COOKIE
 
-        return hash if string == get_header(RACK_REQUEST_COOKIE_STRING)
-        hash.replace Utils.parse_cookies_header string
-        set_header(RACK_REQUEST_COOKIE_STRING, string)
         hash
       end
 
@@ -237,52 +277,91 @@ module Rack
         get_header("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest"
       end
 
-      def host_with_port
-        if forwarded = get_header(HTTP_X_FORWARDED_HOST)
-          forwarded.split(/,\s?/).last
+      # The `HTTP_HOST` header.
+      def host_authority
+        get_header(HTTP_HOST)
+      end
+
+      def host_with_port(authority = self.authority)
+        host, _, port = split_authority(authority)
+
+        if port == DEFAULT_PORTS[self.scheme]
+          host
         else
-          get_header(HTTP_HOST) || "#{get_header(SERVER_NAME) || get_header(SERVER_ADDR)}:#{get_header(SERVER_PORT)}"
+          authority
         end
       end
 
+      # Returns a formatted host, suitable for being used in a URI.
       def host
-        # Remove port number.
-        h = host_with_port
-        if colon_index = h.index(":")
-          h[0, colon_index]
-        else
-          h
-        end
+        split_authority(self.authority)[0]
+      end
+
+      # Returns an address suitable for being to resolve to an address.
+      # In the case of a domain name or IPv4 address, the result is the same
+      # as +host+. In the case of IPv6 or future address formats, the square
+      # brackets are removed.
+      def hostname
+        split_authority(self.authority)[1]
       end
 
       def port
-        if port = extract_port(host_with_port)
-          port.to_i
-        elsif port = get_header(HTTP_X_FORWARDED_PORT)
-          port.to_i
-        elsif has_header?(HTTP_X_FORWARDED_HOST)
-          DEFAULT_PORTS[scheme]
-        elsif has_header?(HTTP_X_FORWARDED_PROTO)
-          DEFAULT_PORTS[extract_proto_header(get_header(HTTP_X_FORWARDED_PROTO))]
-        else
-          get_header(SERVER_PORT).to_i
+        if authority = self.authority
+          _, _, port = split_authority(self.authority)
+
+          if port
+            return port
+          end
+        end
+
+        if forwarded_port = self.forwarded_port
+          return forwarded_port.first
+        end
+
+        if scheme = self.scheme
+          if port = DEFAULT_PORTS[self.scheme]
+            return port
+          end
+        end
+
+        self.server_port
+      end
+
+      def forwarded_for
+        if value = get_header(HTTP_X_FORWARDED_FOR)
+          split_header(value).map do |authority|
+            split_authority(wrap_ipv6(authority))[1]
+          end
+        end
+      end
+
+      def forwarded_port
+        if value = get_header(HTTP_X_FORWARDED_PORT)
+          split_header(value).map(&:to_i)
+        end
+      end
+
+      def forwarded_authority
+        if value = get_header(HTTP_X_FORWARDED_HOST)
+          wrap_ipv6(split_header(value).first)
         end
       end
 
       def ssl?
-        scheme == 'https'
+        scheme == 'https' || scheme == 'wss'
       end
 
       def ip
-        remote_addrs = split_ip_addresses(get_header('REMOTE_ADDR'))
+        remote_addrs = split_header(get_header('REMOTE_ADDR'))
         remote_addrs = reject_trusted_ip_addresses(remote_addrs)
 
-        return remote_addrs.first if remote_addrs.any?
-
-        forwarded_ips = split_ip_addresses(get_header('HTTP_X_FORWARDED_FOR'))
-          .map { |ip| strip_port(ip) }
+        if remote_addrs.any?
+          remote_addrs.first
+        else
+          forwarded_ips = self.forwarded_for
 
-        return reject_trusted_ip_addresses(forwarded_ips).last || forwarded_ips.first || get_header("REMOTE_ADDR")
+          reject_trusted_ip_addresses(forwarded_ips).last || forwarded_ips.first || get_header("REMOTE_ADDR")
+        end
       end
 
       # The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -323,6 +402,7 @@ module Rack
       def form_data?
         type = media_type
         meth = get_header(RACK_METHODOVERRIDE_ORIGINAL_METHOD) || get_header(REQUEST_METHOD)
+
         (meth == POST && type.nil?) || FORM_DATA_MEDIA_TYPES.include?(type)
       end
 
@@ -377,8 +457,6 @@ module Rack
       # Note that modifications will not be persisted in the env. Use update_param or delete_param if you want to destructively modify params.
       def params
         self.GET.merge(self.POST)
-      rescue EOFError
-        self.GET.dup
       end
 
       # Destructively update a parameter, whether it's in GET and/or POST. Returns nil.
@@ -412,9 +490,7 @@ module Rack
       end
 
       def base_url
-        url = "#{scheme}://#{host}"
-        url = "#{url}:#{port}" if port != DEFAULT_PORTS[scheme]
-        url
+        "#{scheme}://#{host_with_port}"
       end
 
       # Tries to return a remake of the original request URL as a string.
@@ -471,6 +547,20 @@ module Rack
 
       def default_session; {}; end
 
+      # Assist with compatibility when processing `X-Forwarded-For`.
+      def wrap_ipv6(host)
+        # Even thought IPv6 addresses should be wrapped in square brackets,
+        # sometimes this is not done in various legacy/underspecified headers.
+        # So we try to fix this situation for compatibility reasons.
+
+        # Try to detect IPv6 addresses which aren't escaped yet:
+        if !host.start_with?('[') && host.count(':') > 1
+          "[#{host}]"
+        else
+          host
+        end
+      end
+
       def parse_http_accept_header(header)
         header.to_s.split(/\s*,\s*/).map do |part|
           attribute, parameters = part.split(/\s*;\s*/, 2)
@@ -494,27 +584,39 @@ module Rack
         Rack::Multipart.extract_multipart(self, query_parser)
       end
 
-      def split_ip_addresses(ip_addresses)
-        ip_addresses ? ip_addresses.strip.split(/[,\s]+/) : []
-      end
-
-      def strip_port(ip_address)
-        # IPv6 format with optional port: "[2001:db8:cafe::17]:47011"
-        # returns: "2001:db8:cafe::17"
-        sep_start = ip_address.index('[')
-        sep_end = ip_address.index(']')
-        if (sep_start && sep_end)
-          return ip_address[sep_start + 1, sep_end - 1]
-        end
-
-        # IPv4 format with optional port: "192.0.2.43:47011"
-        # returns: "192.0.2.43"
-        sep = ip_address.index(':')
-        if (sep && ip_address.count(':') == 1)
-          return ip_address[0, sep]
+      def split_header(value)
+        value ? value.strip.split(/[,\s]+/) : []
+      end
+
+      AUTHORITY = /
+        # The host:
+        (?<host>
+          # An IPv6 address:
+          (\[(?<ip6>.*)\])
+          |
+          # An IPv4 address:
+          (?<ip4>[\d\.]+)
+          |
+          # A hostname:
+          (?<name>[a-zA-Z0-9\.\-]+)
+        )
+        # The optional port:
+        (:(?<port>\d+))?
+      /x
+
+      private_constant :AUTHORITY
+
+      def split_authority(authority)
+        if match = AUTHORITY.match(authority)
+          if address = match[:ip6]
+            return match[:host], address, match[:port]&.to_i
+          else
+            return match[:host], match[:host], match[:port]&.to_i
+          end
         end
 
-        ip_address
+        # Give up!
+        return authority, authority, nil
       end
 
       def reject_trusted_ip_addresses(ip_addresses)
@@ -539,12 +641,6 @@ module Rack
           end
         end
       end
-
-      def extract_port(uri)
-        if (colon_index = uri.index(':'))
-          uri[colon_index + 1, uri.length]
-        end
-      end
     end
 
     include Env