rack 2.1.4.4 → 2.2.17

data/lib/rack/session/abstract/id.rb

@@ -3,10 +3,8 @@
 # AUTHOR: blink <blinketje@gmail.com>; blink#ruby-lang@irc.freenode.net
 # bugrep: Andreas Zehnder
 
-require 'rack'
+require_relative '../../../rack'
 require 'time'
-require 'rack/request'
-require 'rack/response'
 require 'securerandom'
 require 'digest/sha2'
 
@@ -44,18 +42,6 @@ module Rack
       # SessionHash is responsible to lazily load the session from store.
 
       class SessionHash
-        using Module.new {
-          refine Hash do
-            def transform_keys(&block)
-              hash = {}
-              each do |key, value|
-                hash[block.call(key)] = value
-              end
-              hash
-            end
-          end
-        } unless {}.respond_to?(:transform_keys)
-
         include Enumerable
         attr_writer :id
 
@@ -98,6 +84,11 @@ module Rack
           @data[key.to_s]
         end
 
+        def dig(key, *keys)
+          load_for_read!
+          @data.dig(key.to_s, *keys)
+        end
+
         def fetch(key, default = Unspecified, &block)
           load_for_read!
           if default == Unspecified
@@ -201,14 +192,19 @@ module Rack
         end
 
         def stringify_keys(other)
-          other.to_hash.transform_keys(&:to_s)
+          # Use transform_keys after dropping Ruby 2.4 support
+          hash = {}
+          other.to_hash.each do |key, value|
+            hash[key.to_s] = value
+          end
+          hash
         end
       end
 
       # ID sets up a basic framework for implementing an id based sessioning
       # service. Cookies sent to the client for maintaining sessions will only
-      # contain an id reference. Only #find_session and #write_session are
-      # required to be overwritten.
+      # contain an id reference. Only #find_session, #write_session and
+      # #delete_session are required to be overwritten.
       #
       # All parameters are optional.
       # * :key determines the name of the cookie, by default it is
@@ -256,6 +252,7 @@ module Rack
           @default_options = self.class::DEFAULT_OPTIONS.merge(options)
           @key = @default_options.delete(:key)
           @cookie_only = @default_options.delete(:cookie_only)
+          @same_site = @default_options.delete(:same_site)
           initialize_sid
         end
 
@@ -397,6 +394,12 @@ module Rack
             cookie[:value] = cookie_value(data)
             cookie[:expires] = Time.now + options[:expire_after] if options[:expire_after]
             cookie[:expires] = Time.now + options[:max_age] if options[:max_age]
+
+            if @same_site.respond_to? :call
+              cookie[:same_site] = @same_site.call(req, res)
+            else
+              cookie[:same_site] = @same_site
+            end
             set_cookie(req, res, cookie.merge!(options))
           end
         end

data/lib/rack/session/cookie.rb

@@ -2,11 +2,9 @@
 
 require 'openssl'
 require 'zlib'
-require 'rack/request'
-require 'rack/response'
-require 'rack/session/abstract/id'
+require_relative 'abstract/id'
 require 'json'
-require 'base64'
+require 'delegate'
 
 module Rack
 
@@ -52,11 +50,11 @@ module Rack
       # Encode session cookies as Base64
       class Base64
         def encode(str)
-          ::Base64.strict_encode64(str)
+          [str].pack("m0")
         end
 
         def decode(str)
-          ::Base64.decode64(str)
+          str.unpack("m").first
         end
 
         # Encode session cookies as Marshaled Base64 data

data/lib/rack/session/pool.rb

@@ -5,7 +5,7 @@
 #   apeiros, for session id generation, expiry setup, and threadiness
 #   sergio, threadiness and bugreps
 
-require 'rack/session/abstract/id'
+require_relative 'abstract/id'
 require 'thread'
 
 module Rack
@@ -55,6 +55,7 @@ module Rack
 
       def write_session(req, session_id, new_session, options)
         with_lock(req) do
+          return false unless get_session_with_fallback(session_id)
           @pool.store session_id.private_id, new_session
           session_id
         end
@@ -64,7 +65,11 @@ module Rack
         with_lock(req) do
           @pool.delete(session_id.public_id)
           @pool.delete(session_id.private_id)
-          generate_sid unless options[:drop]
+          unless options[:drop]
+            sid = generate_sid
+            @pool.store(sid.private_id, {})
+            sid
+          end
         end
       end
 

data/lib/rack/show_exceptions.rb

@@ -2,8 +2,6 @@
 
 require 'ostruct'
 require 'erb'
-require 'rack/request'
-require 'rack/utils'
 
 module Rack
   # Rack::ShowExceptions catches all exceptions raised from the app it
@@ -65,12 +63,12 @@ module Rack
     def pretty(env, exception)
       req = Rack::Request.new(env)
 
-      # This double assignment is to prevent an "unused variable" warning on
-      # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+      # This double assignment is to prevent an "unused variable" warning.
+      # Yes, it is dumb, but I don't like Ruby yelling at me.
       path = path = (req.script_name + req.path_info).squeeze("/")
 
-      # This double assignment is to prevent an "unused variable" warning on
-      # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+      # This double assignment is to prevent an "unused variable" warning.
+      # Yes, it is dumb, but I don't like Ruby yelling at me.
       frames = frames = exception.backtrace.map { |line|
         frame = OpenStruct.new
         if line =~ /(.*?):(\d+)(:in `(.*)')?/
@@ -313,7 +311,7 @@ module Rack
         <% end %>
 
         <h3 id="post-info">POST</h3>
-        <% if req.POST and not req.POST.empty? %>
+        <% if ((req.POST and not req.POST.empty?) rescue (no_post_data = "Invalid POST data"; nil)) %>
           <table class="req">
             <thead>
               <tr>
@@ -331,7 +329,7 @@ module Rack
             </tbody>
           </table>
         <% else %>
-          <p>No POST data.</p>
+          <p><%= no_post_data || "No POST data" %>.</p>
         <% end %>
 
 

data/lib/rack/show_status.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 require 'erb'
-require 'rack/request'
-require 'rack/utils'
 
 module Rack
   # Rack::ShowStatus catches all empty responses and replaces them
@@ -20,19 +18,19 @@ module Rack
 
     def call(env)
       status, headers, body = @app.call(env)
-      headers = Utils::HeaderHash.new(headers)
+      headers = Utils::HeaderHash[headers]
       empty = headers[CONTENT_LENGTH].to_i <= 0
 
       # client or server error, or explicit message
       if (status.to_i >= 400 && empty) || env[RACK_SHOWSTATUS_DETAIL]
-        # This double assignment is to prevent an "unused variable" warning on
-        # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+        # This double assignment is to prevent an "unused variable" warning.
+        # Yes, it is dumb, but I don't like Ruby yelling at me.
         req = req = Rack::Request.new(env)
 
         message = Rack::Utils::HTTP_STATUS_CODES[status.to_i] || status.to_s
 
-        # This double assignment is to prevent an "unused variable" warning on
-        # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+        # This double assignment is to prevent an "unused variable" warning.
+        # Yes, it is dumb, but I don't like Ruby yelling at me.
         detail = detail = env[RACK_SHOWSTATUS_DETAIL] || message
 
         body = @template.result(binding)

data/lib/rack/static.rb

@@ -1,10 +1,5 @@
 # frozen_string_literal: true
 
-require "rack/files"
-require "rack/utils"
-
-require_relative 'core_ext/regexp'
-
 module Rack
 
   # The Rack::Static middleware intercepts requests for static files
@@ -19,6 +14,11 @@ module Rack
   #
   #     use Rack::Static, :urls => ["/media"]
   #
+  # Same as previous, but instead of returning 404 for missing files under
+  # /media, call the next middleware:
+  #
+  #     use Rack::Static, :urls => ["/media"], :cascade => true
+  #
   # Serve all requests beginning with /css or /images from the folder "public"
   # in the current directory (ie public/css/* and public/images/*):
   #
@@ -86,13 +86,14 @@ module Rack
   #         ]
   #
   class Static
-    using ::Rack::RegexpExtensions
+    (require_relative 'core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
 
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
       @index = options[:index]
       @gzip = options[:gzip]
+      @cascade = options[:cascade]
       root = options[:root] || Dir.pwd
 
       # HTTP Headers
@@ -121,8 +122,9 @@ module Rack
 
     def call(env)
       path = env[PATH_INFO]
+      actual_path = Utils.clean_path_info(Utils.unescape_path(path))
 
-      if can_serve(path)
+      if can_serve(actual_path)
         if overwrite_file_path(path)
           env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
         elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
@@ -133,6 +135,8 @@ module Rack
 
           if response[0] == 404
             response = nil
+          elsif response[0] == 304
+            # Do nothing, leave headers as is
           else
             if mime_type = Mime.mime_type(::File.extname(path), 'text/plain')
               response[1][CONTENT_TYPE] = mime_type
@@ -144,6 +148,10 @@ module Rack
         path = env[PATH_INFO]
         response ||= @file_server.call(env)
 
+        if @cascade && response[0] == 404
+          return @app.call(env)
+        end
+
         headers = response[1]
         applicable_rules(path).each do |rule, new_headers|
           new_headers.each { |field, content| headers[field] = content }

data/lib/rack/tempfile_reaper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'rack/body_proxy'
-
 module Rack
 
   # Middleware tracks and cleans Tempfiles created throughout a request (i.e. Rack::Multipart)

data/lib/rack/urlmap.rb

@@ -16,9 +16,6 @@ module Rack
   # first, since they are most specific.
 
   class URLMap
-    NEGATIVE_INFINITY = -1.0 / 0.0
-    INFINITY = 1.0 / 0.0
-
     def initialize(map = {})
       remap(map)
     end
@@ -38,11 +35,11 @@ module Rack
         end
 
         location = location.chomp('/')
-        match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)", nil, 'n')
+        match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)", Regexp::NOENCODING)
 
         [host, location, match, app]
       }.sort_by do |(host, location, _, _)|
-        [host ? -host.size : INFINITY, -location.size]
+        [host ? -host.size : Float::INFINITY, -location.size]
       end
     end
 

data/lib/rack/utils.rb

@@ -5,17 +5,16 @@ require 'uri'
 require 'fileutils'
 require 'set'
 require 'tempfile'
-require 'rack/query_parser'
 require 'time'
 
-require_relative 'core_ext/regexp'
+require_relative 'query_parser'
 
 module Rack
   # Rack::Utils contains a grab-bag of useful methods for writing web
   # applications adopted from all kinds of Ruby libraries.
 
   module Utils
-    using ::Rack::RegexpExtensions
+    (require_relative 'core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
 
     ParameterTypeError = QueryParser::ParameterTypeError
     InvalidParameterError = QueryParser::InvalidParameterError
@@ -23,6 +22,10 @@ module Rack
     COMMON_SEP = QueryParser::COMMON_SEP
     KeySpaceConstrainedParams = QueryParser::Params
 
+    RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
+    RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
+    RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
+
     class << self
       attr_accessor :default_query_parser
     end
@@ -30,33 +33,30 @@ module Rack
     # This helps prevent a rogue client from flooding a Request.
     self.default_query_parser = QueryParser.make_default(65536, 100)
 
+    module_function
+
     # URI escapes. (CGI style space to +)
     def escape(s)
       URI.encode_www_form_component(s)
     end
-    module_function :escape
 
     # Like URI escaping, but with %20 instead of +. Strictly speaking this is
     # true URI escaping.
     def escape_path(s)
-      ::URI::DEFAULT_PARSER.escape s
+      RFC2396_PARSER.escape s
     end
-    module_function :escape_path
 
     # Unescapes the **path** component of a URI.  See Rack::Utils.unescape for
     # unescaping query parameters or form components.
     def unescape_path(s)
-      ::URI::DEFAULT_PARSER.unescape s
+      RFC2396_PARSER.unescape s
     end
-    module_function :unescape_path
-
 
     # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
     # target encoding of the string returned, and it defaults to UTF-8
     def unescape(s, encoding = Encoding::UTF_8)
       URI.decode_www_form_component(s, encoding)
     end
-    module_function :unescape
 
     class << self
       attr_accessor :multipart_total_part_limit
@@ -99,21 +99,20 @@ module Rack
         Process.clock_gettime(Process::CLOCK_MONOTONIC)
       end
     else
+      # :nocov:
       def clock_time
         Time.now.to_f
       end
+      # :nocov:
     end
-    module_function :clock_time
 
     def parse_query(qs, d = nil, &unescaper)
       Rack::Utils.default_query_parser.parse_query(qs, d, &unescaper)
     end
-    module_function :parse_query
 
     def parse_nested_query(qs, d = nil)
       Rack::Utils.default_query_parser.parse_nested_query(qs, d)
     end
-    module_function :parse_nested_query
 
     def build_query(params)
       params.map { |k, v|
@@ -124,7 +123,6 @@ module Rack
         end
       }.join("&")
     end
-    module_function :build_query
 
     def build_nested_query(value, prefix = nil)
       case value
@@ -143,7 +141,6 @@ module Rack
         "#{prefix}=#{escape(value)}"
       end
     end
-    module_function :build_nested_query
 
     def q_values(q_value_header)
       q_value_header.to_s.split(',').map do |part|
@@ -155,8 +152,11 @@ module Rack
         [value, quality]
       end
     end
-    module_function :q_values
 
+    # Return best accept value to use, based on the algorithm
+    # in RFC 2616 Section 14.  If there are multiple best
+    # matches (same specificity and quality), the value returned
+    # is arbitrary.
     def best_q_match(q_value_header, available_mimes)
       values = q_values(q_value_header)
 
@@ -169,7 +169,6 @@ module Rack
       end.last
       matches && matches.first
     end
-    module_function :best_q_match
 
     ESCAPE_HTML = {
       "&" => "&amp;",
@@ -186,22 +185,27 @@ module Rack
     def escape_html(string)
       string.to_s.gsub(ESCAPE_HTML_PATTERN){|c| ESCAPE_HTML[c] }
     end
-    module_function :escape_html
 
     def select_best_encoding(available_encodings, accept_encoding)
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
 
-      expanded_accept_encoding =
-        accept_encoding.each_with_object([]) do |(m, q), list|
-          if m == "*"
-            (available_encodings - accept_encoding.map(&:first))
-              .each { |m2| list << [m2, q] }
-          else
-            list << [m, q]
+      expanded_accept_encoding = []
+
+      accept_encoding.each do |m, q|
+        preference = available_encodings.index(m) || available_encodings.size
+
+        if m == "*"
+          (available_encodings - accept_encoding.map(&:first)).each do |m2|
+            expanded_accept_encoding << [m2, q, preference]
           end
+        else
+          expanded_accept_encoding << [m, q, preference]
         end
+      end
 
-      encoding_candidates = expanded_accept_encoding.sort_by { |_, q| -q }.map!(&:first)
+      encoding_candidates = expanded_accept_encoding
+        .sort_by { |_, q, p| [-q, p] }
+        .map!(&:first)
 
       unless encoding_candidates.include?("identity")
         encoding_candidates.push("identity")
@@ -213,27 +217,23 @@ module Rack
 
       (encoding_candidates & available_encodings)[0]
     end
-    module_function :select_best_encoding
 
     def parse_cookies(env)
       parse_cookies_header env[HTTP_COOKIE]
     end
-    module_function :parse_cookies
 
     def parse_cookies_header(header)
-      # According to RFC 2109:
-      #   If multiple cookies satisfy the criteria above, they are ordered in
-      #   the Cookie header such that those with more specific Path attributes
-      #   precede those with less specific.  Ordering with respect to other
-      #   attributes (e.g., Domain) is unspecified.
+      # According to RFC 6265:
+      # The syntax for cookie headers only supports semicolons
+      # User Agent -> Server ==
+      # Cookie: SID=31d4d96e407aad42; lang=en-US
       return {} unless header
-      header.split(/[;,] */n).each_with_object({}) do |cookie, cookies|
+      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
         next if cookie.empty?
         key, value = cookie.split('=', 2)
         cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
       end
     end
-    module_function :parse_cookies_header
 
     def add_cookie_to_header(header, key, value)
       case value
@@ -275,13 +275,11 @@ module Rack
         raise ArgumentError, "Unrecognized cookie header value. Expected String, Array, or nil, got #{header.inspect}"
       end
     end
-    module_function :add_cookie_to_header
 
     def set_cookie_header!(header, key, value)
       header[SET_COOKIE] = add_cookie_to_header(header[SET_COOKIE], key, value)
       nil
     end
-    module_function :set_cookie_header!
 
     def make_delete_cookie_header(header, key, value)
       case header
@@ -293,25 +291,30 @@ module Rack
         cookies = header
       end
 
-      regexp = if value[:domain]
-                 /\A#{escape(key)}=.*domain=#{value[:domain]}/
-               elsif value[:path]
-                 /\A#{escape(key)}=.*path=#{value[:path]}/
+      key = escape(key)
+      domain = value[:domain]
+      path = value[:path]
+      regexp = if domain
+                 if path
+                   /\A#{key}=.*(?:domain=#{domain}(?:;|$).*path=#{path}(?:;|$)|path=#{path}(?:;|$).*domain=#{domain}(?:;|$))/
+                 else
+                   /\A#{key}=.*domain=#{domain}(?:;|$)/
+                 end
+               elsif path
+                 /\A#{key}=.*path=#{path}(?:;|$)/
                else
-                 /\A#{escape(key)}=/
+                 /\A#{key}=/
                end
 
       cookies.reject! { |cookie| regexp.match? cookie }
 
       cookies.join("\n")
     end
-    module_function :make_delete_cookie_header
 
     def delete_cookie_header!(header, key, value = {})
       header[SET_COOKIE] = add_remove_cookie_to_header(header[SET_COOKIE], key, value)
       nil
     end
-    module_function :delete_cookie_header!
 
     # Adds a cookie that will *remove* a cookie from the client.  Hence the
     # strange method name.
@@ -324,12 +327,10 @@ module Rack
                    expires: Time.at(0) }.merge(value))
 
     end
-    module_function :add_remove_cookie_to_header
 
     def rfc2822(time)
       time.rfc2822
     end
-    module_function :rfc2822
 
     # Modified version of stdlib time.rb Time#rfc2822 to use '%d-%b-%Y' instead
     # of '% %b %Y'.
@@ -341,11 +342,10 @@ module Rack
     # weekday and month.
     #
     def rfc2109(time)
-      wday = Time::RFC2822_DAY_NAME[time.wday]
-      mon = Time::RFC2822_MONTH_NAME[time.mon - 1]
+      wday = RFC2822_DAY_NAME[time.wday]
+      mon = RFC2822_MONTH_NAME[time.mon - 1]
       time.strftime("#{wday}, %d-#{mon}-%Y %H:%M:%S GMT")
     end
-    module_function :rfc2109
 
     # Parses the "Range:" header, if present, into an array of Range objects.
     # Returns nil if the header is missing or syntactically invalid.
@@ -354,7 +354,6 @@ module Rack
       warn "`byte_ranges` is deprecated, please use `get_byte_ranges`" if $VERBOSE
       get_byte_ranges env['HTTP_RANGE'], size
     end
-    module_function :byte_ranges
 
     def get_byte_ranges(http_range, size)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
@@ -382,9 +381,11 @@ module Rack
         end
         ranges << (r0..r1)  if r0 <= r1
       end
+
+      return [] if ranges.map(&:size).inject(0, :+) > size
+
       ranges
     end
-    module_function :get_byte_ranges
 
     # Constant time string comparison.
     #
@@ -401,7 +402,6 @@ module Rack
       b.each_byte { |v| r |= v ^ l[i += 1] }
       r == 0
     end
-    module_function :secure_compare
 
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
@@ -434,6 +434,14 @@ module Rack
     #
     # @api private
     class HeaderHash < Hash # :nodoc:
+      def self.[](headers)
+        if headers.is_a?(HeaderHash) && !headers.frozen?
+          return headers
+        else
+          return self.new(headers)
+        end
+      end
+
       def initialize(hash = {})
         super()
         @names = {}
@@ -446,6 +454,12 @@ module Rack
         @names = other.names.dup
       end
 
+      # on clear, we need to clear @names hash
+      def clear
+        super
+        @names.clear
+      end
+
       def each
         super do |k, v|
           yield(k, v.respond_to?(:to_ary) ? v.to_ary.join("\n") : v)
@@ -590,7 +604,6 @@ module Rack
         status.to_i
       end
     end
-    module_function :status_code
 
     PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
 
@@ -604,18 +617,16 @@ module Rack
         part == '..' ? clean.pop : clean << part
       end
 
-      clean.unshift '/' if parts.empty? || parts.first.empty?
-
-      ::File.join clean
+      clean_path = clean.join(::File::SEPARATOR)
+      clean_path.prepend("/") if parts.empty? || parts.first.empty?
+      clean_path
     end
-    module_function :clean_path_info
 
     NULL_BYTE = "\0"
 
     def valid_path?(path)
       path.valid_encoding? && !path.include?(NULL_BYTE)
     end
-    module_function :valid_path?
 
   end
 end