rack 2.2.15 → 3.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +429 -70
  3. data/CONTRIBUTING.md +63 -55
  4. data/MIT-LICENSE +1 -1
  5. data/README.md +355 -0
  6. data/SPEC.rdoc +204 -131
  7. data/lib/rack/auth/abstract/handler.rb +3 -1
  8. data/lib/rack/auth/abstract/request.rb +3 -1
  9. data/lib/rack/auth/basic.rb +1 -3
  10. data/lib/rack/bad_request.rb +8 -0
  11. data/lib/rack/body_proxy.rb +21 -3
  12. data/lib/rack/builder.rb +102 -69
  13. data/lib/rack/cascade.rb +2 -3
  14. data/lib/rack/common_logger.rb +22 -17
  15. data/lib/rack/conditional_get.rb +18 -15
  16. data/lib/rack/constants.rb +67 -0
  17. data/lib/rack/content_length.rb +12 -16
  18. data/lib/rack/content_type.rb +8 -5
  19. data/lib/rack/deflater.rb +40 -26
  20. data/lib/rack/directory.rb +9 -3
  21. data/lib/rack/etag.rb +17 -23
  22. data/lib/rack/events.rb +4 -0
  23. data/lib/rack/files.rb +15 -17
  24. data/lib/rack/head.rb +9 -8
  25. data/lib/rack/headers.rb +238 -0
  26. data/lib/rack/lint.rb +840 -644
  27. data/lib/rack/lock.rb +2 -5
  28. data/lib/rack/logger.rb +3 -0
  29. data/lib/rack/media_type.rb +8 -3
  30. data/lib/rack/method_override.rb +5 -1
  31. data/lib/rack/mime.rb +14 -5
  32. data/lib/rack/mock.rb +1 -300
  33. data/lib/rack/mock_request.rb +161 -0
  34. data/lib/rack/mock_response.rb +153 -0
  35. data/lib/rack/multipart/generator.rb +7 -5
  36. data/lib/rack/multipart/parser.rb +213 -95
  37. data/lib/rack/multipart/uploaded_file.rb +4 -0
  38. data/lib/rack/multipart.rb +53 -40
  39. data/lib/rack/null_logger.rb +9 -0
  40. data/lib/rack/query_parser.rb +79 -101
  41. data/lib/rack/recursive.rb +2 -0
  42. data/lib/rack/reloader.rb +0 -2
  43. data/lib/rack/request.rb +260 -123
  44. data/lib/rack/response.rb +151 -66
  45. data/lib/rack/rewindable_input.rb +24 -5
  46. data/lib/rack/runtime.rb +7 -6
  47. data/lib/rack/sendfile.rb +30 -25
  48. data/lib/rack/show_exceptions.rb +21 -4
  49. data/lib/rack/show_status.rb +17 -7
  50. data/lib/rack/static.rb +8 -8
  51. data/lib/rack/tempfile_reaper.rb +15 -4
  52. data/lib/rack/urlmap.rb +3 -1
  53. data/lib/rack/utils.rb +236 -237
  54. data/lib/rack/version.rb +1 -9
  55. data/lib/rack.rb +13 -89
  56. metadata +13 -39
  57. data/README.rdoc +0 -347
  58. data/Rakefile +0 -130
  59. data/bin/rackup +0 -5
  60. data/contrib/rack.png +0 -0
  61. data/contrib/rack.svg +0 -150
  62. data/contrib/rack_logo.svg +0 -164
  63. data/contrib/rdoc.css +0 -412
  64. data/example/lobster.ru +0 -6
  65. data/example/protectedlobster.rb +0 -16
  66. data/example/protectedlobster.ru +0 -10
  67. data/lib/rack/auth/digest/md5.rb +0 -131
  68. data/lib/rack/auth/digest/nonce.rb +0 -53
  69. data/lib/rack/auth/digest/params.rb +0 -54
  70. data/lib/rack/auth/digest/request.rb +0 -43
  71. data/lib/rack/chunked.rb +0 -117
  72. data/lib/rack/core_ext/regexp.rb +0 -14
  73. data/lib/rack/file.rb +0 -7
  74. data/lib/rack/handler/cgi.rb +0 -59
  75. data/lib/rack/handler/fastcgi.rb +0 -100
  76. data/lib/rack/handler/lsws.rb +0 -61
  77. data/lib/rack/handler/scgi.rb +0 -71
  78. data/lib/rack/handler/thin.rb +0 -36
  79. data/lib/rack/handler/webrick.rb +0 -129
  80. data/lib/rack/handler.rb +0 -104
  81. data/lib/rack/lobster.rb +0 -70
  82. data/lib/rack/server.rb +0 -466
  83. data/lib/rack/session/abstract/id.rb +0 -523
  84. data/lib/rack/session/cookie.rb +0 -203
  85. data/lib/rack/session/memcache.rb +0 -10
  86. data/lib/rack/session/pool.rb +0 -90
  87. data/rack.gemspec +0 -46
data/CHANGELOG.md CHANGED
@@ -2,6 +2,356 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [3.1.15] - 2025-05-18
6
+
7
+ - Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
8
+
9
+ ## [3.1.14] - 2025-05-06
10
+
11
+ ### Security
12
+
13
+ - [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
14
+
15
+ ## [3.1.13] - 2025-04-13
16
+
17
+ - Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
18
+
19
+ ## [3.1.12] - 2025-03-11
20
+
21
+ ### Security
22
+
23
+ - [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
24
+
25
+ ## [3.1.11] - 2025-03-04
26
+
27
+ ### Security
28
+
29
+ - [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
30
+
31
+ ## [3.1.10] - 2025-02-12
32
+
33
+ ### Security
34
+
35
+ - [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
36
+
37
+ ## [3.1.9] - 2025-01-31
38
+
39
+ ### Fixed
40
+
41
+ - `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
42
+
43
+ ## [3.1.8] - 2024-10-14
44
+
45
+ ### Fixed
46
+
47
+ - Resolve deprecation warnings about uri `DEFAULT_PARSER`. ([#2249](https://github.com/rack/rack/pull/2249), [@earlopain])
48
+
49
+ ## [3.1.7] - 2024-07-11
50
+
51
+ ### Fixed
52
+
53
+ - Do not remove escaped opening/closing quotes for content-disposition filenames. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
54
+ - Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. ([#2227](https://github.com/rack/rack/pull/2227), [@jeremyevans])
55
+ - `Rack::Response` should not generate invalid `content-length` header. ([#2219](https://github.com/rack/rack/pull/2219), [@ioquatix])
56
+ - Allow empty PATH_INFO. ([#2214](https://github.com/rack/rack/pull/2214), [@ioquatix])
57
+
58
+ ## [3.1.6] - 2024-07-03
59
+
60
+ ### Fixed
61
+
62
+ - Fix several edge cases in `Rack::Request#parse_http_accept_header`'s implementation. ([#2226](https://github.com/rack/rack/pull/2226), [@ioquatix])
63
+
64
+ ## [3.1.5] - 2024-07-02
65
+
66
+ ### Security
67
+
68
+ - Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
69
+
70
+ ## [3.1.4] - 2024-06-22
71
+
72
+ ### Fixed
73
+
74
+ - Fix `Rack::Lint` matching some paths incorrectly as authority form. ([#2220](https://github.com/rack/rack/pull/2220), [@ioquatix])
75
+
76
+ ## [3.1.3] - 2024-06-12
77
+
78
+ ### Fixed
79
+
80
+ - Fix passing non-strings to `Rack::Utils.escape_html`. ([#2202](https://github.com/rack/rack/pull/2202), [@earlopain])
81
+ - `Rack::MockResponse` gracefully handles empty cookies ([#2203](https://github.com/rack/rack/pull/2203) [@wynksaiddestroy])
82
+
83
+ ## [3.1.2] - 2024-06-11
84
+
85
+ - `Rack::Response` will take in to consideration chunked encoding responses ([#2204](https://github.com/rack/rack/pull/2204), [@tenderlove])
86
+
87
+ ## [3.1.1] - 2024-06-11
88
+
89
+ - Oops! I shouldn't have shipped that
90
+
91
+ ## [3.1.0] - 2024-06-11
92
+
93
+ :warning: **This release includes several breaking changes.** Refer to the **Removed** section below for the list of deprecated methods that have been removed in this release.
94
+
95
+ Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
96
+
97
+ ### SPEC Changes
98
+
99
+ - `rack.input` is now optional. ([#1997](https://github.com/rack/rack/pull/1997), [#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
100
+ - `PATH_INFO` is now validated according to the HTTP/1.1 specification. ([#2117](https://github.com/rack/rack/pull/2117), [#2181](https://github.com/rack/rack/pull/2181), [@ioquatix])
101
+ - `OPTIONS *` is now accepted. ([#2114](https://github.com/rack/rack/pull/2114), [@doriantaylor](https://github.com/doriantaylor))
102
+ - Introduce optional `rack.protocol` request and response header for handling connection upgrades. ([#1954](https://github.com/rack/rack/pull/1954), [@ioquatix])
103
+
104
+ ### Added
105
+
106
+ - Introduce `Rack::Multipart::MissingInputError` for improved handling of missing input in `#parse_multipart`. ([#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
107
+ - Introduce `module Rack::BadRequest` which is included in multipart and query parser errors. ([#2019](https://github.com/rack/rack/pull/2019), [@ioquatix])
108
+ - Add `.mjs` MIME type ([#2057](https://github.com/rack/rack/pull/2057), [@axilleas](https://github.com/axilleas))
109
+ - `set_cookie_header` utility now supports the `partitioned` cookie attribute. This is required by Chrome in some embedded contexts. ([#2131](https://github.com/rack/rack/pull/2131), [@flavio-b](https://github.com/flavio-b))
110
+ - Introduce `rack.early_hints` for sending `103 Early Hints` informational responses. ([#1831](https://github.com/rack/rack/pull/1831), [@casperisfine](https://github.com/casperisfine), [@jeremyevans])
111
+
112
+ ### Changed
113
+
114
+ - MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` ([`1bd0f15`](https://github.com/rack/rack/commit/1bd0f1597d8f4a90d47115f3e156a8ce7870c9c8), [@ioquatix])
115
+ - Update MIME types associated to `.ttf`, `.woff`, `.woff2` and `.otf` extensions to use mondern `font/*` types. ([#2065](https://github.com/rack/rack/pull/2065), [@davidstosik])
116
+ - `Rack::Utils.escape_html` is now delegated to `CGI.escapeHTML`. `'` is escaped to `#39;` instead of `#x27;`. (decimal vs hexadecimal) ([#2099](https://github.com/rack/rack/pull/2099), [@JunichiIto](https://github.com/JunichiIto))
117
+ - Clarify use of `@buffered` and only update `content-length` when `Rack::Response#finish` is invoked. ([#2149](https://github.com/rack/rack/pull/2149), [@ioquatix])
118
+
119
+ ### Deprecated
120
+
121
+ - Deprecate automatic cache invalidation in `Request#{GET,POST}` ([#2073](https://github.com/rack/rack/pull/2073), [@jeremyevans])
122
+ - Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. ([#2191](https://github.com/rack/rack/pull/2191), [@ioquatix])
123
+ - `Rack::Logger` is deprecated. ([#2197](https://github.com/rack/rack/pull/2197), [@ioquatix])
124
+ - Add fallback lookup and deprecation warning for obsolete status symbols. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
125
+ - Deprecate `Rack::Request#values_at`, use `request.params.values_at` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
126
+
127
+ ### Removed
128
+
129
+ - Remove deprecated `Rack::Auth::Digest` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
130
+ - Remove deprecated `Rack::Cascade::NotFound` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
131
+ - Remove deprecated `Rack::Chunked` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
132
+ - Remove deprecated `Rack::File`, use `Rack::Files` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
133
+ - Remove deprecated `Rack::QueryParser` `key_space_limit` parameter with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
134
+ - Remove deprecated `Rack::Response#header`, use `Rack::Response#headers` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
135
+ - Remove deprecated cookie methods from `Rack::Utils`: `add_cookie_to_header`, `make_delete_cookie_header`, `add_remove_cookie_to_header`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
136
+ - Remove deprecated `Rack::Utils::HeaderHash`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
137
+ - Remove deprecated `Rack::VERSION`, `Rack::VERSION_STRING`, `Rack.version`, use `Rack.release` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
138
+ - Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
139
+ - Remove any dependency on `transfer-encoding: chunked`. ([#2195](https://github.com/rack/rack/pull/2195), [@ioquatix])
140
+ - Remove deprecated `Rack::Request#[]`, use `request.params[key]` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
141
+
142
+ ### Fixed
143
+
144
+ - In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
145
+
146
+ ## [3.0.17] - 2025-05-18
147
+
148
+ - Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
149
+
150
+
151
+ ## [3.0.16] - 2025-05-06
152
+
153
+ ### Security
154
+
155
+ - [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
156
+
157
+ ## [3.0.15] - 2025-04-13
158
+
159
+ - Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
160
+
161
+ ## [3.0.14] - 2025-03-11
162
+
163
+ ### Security
164
+
165
+ - [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
166
+
167
+ ## [3.0.13] - 2025-03-04
168
+
169
+ ### Security
170
+
171
+ - [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
172
+
173
+ ## [3.0.12] - 2025-02-12
174
+
175
+ ### Security
176
+
177
+ - [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
178
+
179
+ ## [3.0.11] - 2024-05-10
180
+
181
+ - Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
182
+
183
+ ## [3.0.10] - 2024-03-21
184
+
185
+ - Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. ([#2164](https://github.com/rack/rack/pull/2164), [@JoeDupuis](https://github.com/JoeDupuis))
186
+
187
+ ## [3.0.9.1] - 2024-02-21
188
+
189
+ ### Security
190
+
191
+ * [CVE-2024-26146] Fixed ReDoS in Accept header parsing
192
+ * [CVE-2024-25126] Fixed ReDoS in Content Type header parsing
193
+ * [CVE-2024-26141] Reject Range headers which are too large
194
+
195
+ [CVE-2024-26146]: https://github.com/advisories/GHSA-54rr-7fvw-6x8f
196
+ [CVE-2024-25126]: https://github.com/advisories/GHSA-22f2-v57c-j9cx
197
+ [CVE-2024-26141]: https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
198
+
199
+ ## [3.0.9] - 2024-01-31
200
+
201
+ - Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson](https://github.com/mattbrictson))
202
+
203
+ ## [3.0.8] - 2023-06-14
204
+
205
+ - Fix some unused variable verbose warnings. ([#2084](https://github.com/rack/rack/pull/2084), [@jeremyevans], [@skipkayhil](https://github.com/skipkayhil))
206
+
207
+ ## [3.0.7] - 2023-03-16
208
+
209
+ - Make query parameters without `=` have `nil` values. ([#2059](https://github.com/rack/rack/pull/2059), [@jeremyevans])
210
+
211
+ ## [3.0.6.1] - 2023-03-13
212
+
213
+ ### Security
214
+
215
+ - [CVE-2023-27539] Avoid ReDoS in header parsing
216
+
217
+ ## [3.0.6] - 2023-03-13
218
+
219
+ - Add `QueryParser#missing_value` for handling missing values + tests. ([#2052](https://github.com/rack/rack/pull/2052), [@ioquatix])
220
+
221
+ ## [3.0.5] - 2023-03-13
222
+
223
+ - Split form/query parsing into two steps. ([#2038](https://github.com/rack/rack/pull/2038), [@matthewd](https://github.com/matthewd))
224
+
225
+ ## [3.0.4.2] - 2023-03-02
226
+
227
+ ### Security
228
+
229
+ - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
230
+
231
+ ## [3.0.4.1] - 2023-01-17
232
+
233
+ ### Security
234
+
235
+ - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
236
+ - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
237
+ - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
238
+
239
+ ## [3.0.4] - 2023-01-17
240
+
241
+ - `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. ([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
242
+ - Fix `Rack::Lint` error message for `HTTP_CONTENT_TYPE` and `HTTP_CONTENT_LENGTH`. ([#2007](https://github.com/rack/rack/pull/2007), [@byroot](https://github.com/byroot))
243
+ - Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2006](https://github.com/rack/rack/pull/2006), [@byroot](https://github.com/byroot))
244
+
245
+ ## [3.0.3] - 2022-12-27
246
+
247
+ ### Fixed
248
+
249
+ - `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
250
+
251
+ ## [3.0.2] - 2022-12-05
252
+
253
+ ### Fixed
254
+
255
+ - `Utils.build_nested_query` URL-encodes nested field names including the square brackets.
256
+ - Allow `Rack::Response` to pass through streaming bodies. ([#1993](https://github.com/rack/rack/pull/1993), [@ioquatix])
257
+
258
+ ## [3.0.1] - 2022-11-18
259
+
260
+ ### Fixed
261
+
262
+ - `MethodOverride` does not look for an override if a request does not include form/parseable data.
263
+ - `Rack::Lint::Wrapper` correctly handles `respond_to?` with `to_ary`, `each`, `call` and `to_path`, forwarding to the body. ([#1981](https://github.com/rack/rack/pull/1981), [@ioquatix])
264
+
265
+ ## [3.0.0] - 2022-09-06
266
+
267
+ - No changes
268
+
269
+ ## [3.0.0.rc1] - 2022-09-04
270
+
271
+ ### SPEC Changes
272
+
273
+ - Stream argument must implement `<<` https://github.com/rack/rack/pull/1959
274
+ - `close` may be called on `rack.input` https://github.com/rack/rack/pull/1956
275
+ - `rack.response_finished` may be used for executing code after the response has been finished https://github.com/rack/rack/pull/1952
276
+
277
+ ## [3.0.0.beta1] - 2022-08-08
278
+
279
+ ### Security
280
+
281
+ - Do not use semicolon as GET parameter separator. ([#1733](https://github.com/rack/rack/pull/1733), [@jeremyevans])
282
+
283
+ ### SPEC Changes
284
+
285
+ - Response array must now be non-frozen.
286
+ - Response `status` must now be an integer greater than or equal to 100.
287
+ - Response `headers` must now be an unfrozen hash.
288
+ - Response header keys can no longer include uppercase characters.
289
+ - Response header values can be an `Array` to handle multiple values (and no longer supports `\n` encoded headers).
290
+ - Response body can now respond to `#call` (streaming body) instead of `#each` (enumerable body), for the equivalent of response hijacking in previous versions.
291
+ - Middleware must no longer call `#each` on the body, but they can call `#to_ary` on the body if it responds to `#to_ary`.
292
+ - `rack.input` is no longer required to be rewindable.
293
+ - `rack.multithread`/`rack.multiprocess`/`rack.run_once`/`rack.version` are no longer required environment keys.
294
+ - `SERVER_PROTOCOL` is now a required environment key, matching the HTTP protocol used in the request.
295
+ - `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional.
296
+ - `rack.hijack_io` has been removed completely.
297
+ - `rack.response_finished` is an optional environment key which contains an array of callable objects that must accept `#call(env, status, headers, error)` and are invoked after the response is finished (either successfully or unsuccessfully).
298
+ - It is okay to call `#close` on `rack.input` to indicate that you no longer need or care about the input.
299
+ - The stream argument supplied to the streaming body and hijack must support `#<<` for writing output.
300
+
301
+ ### Removed
302
+
303
+ - Remove `rack.multithread`/`rack.multiprocess`/`rack.run_once`. These variables generally come too late to be useful. ([#1720](https://github.com/rack/rack/pull/1720), [@ioquatix], [@jeremyevans]))
304
+ - Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
305
+ - Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
306
+ - Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
307
+ - Extract `rackup` command, `Rack::Server`, `Rack::Handler`, `Rack::Lobster` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
308
+
309
+ ### Added
310
+
311
+ - `Rack::Headers` added to support lower-case header keys. ([@jeremyevans])
312
+ - `Rack::Utils#set_cookie_header` now supports `escape_key: false` to avoid key escaping. ([@jeremyevans])
313
+ - `Rack::RewindableInput` supports size. ([@ahorek](https://github.com/ahorek))
314
+ - `Rack::RewindableInput::Middleware` added for making `rack.input` rewindable. ([@jeremyevans])
315
+ - The RFC 7239 Forwarded header is now supported and considered by default when looking for information on forwarding, falling back to the X-Forwarded-* headers. `Rack::Request.forwarded_priority` accessor has been added for configuring the priority of which header to check. ([#1423](https://github.com/rack/rack/issues/1423), [@jeremyevans])
316
+ - Allow response headers to contain array of values. ([#1598](https://github.com/rack/rack/issues/1598), [@ioquatix])
317
+ - Support callable body for explicit streaming support and clarify streaming response body behaviour. ([#1745](https://github.com/rack/rack/pull/1745), [@ioquatix], [#1748](https://github.com/rack/rack/pull/1748), [@wjordan])
318
+ - Allow `Rack::Builder#run` to take a block instead of an argument. ([#1942](https://github.com/rack/rack/pull/1942), [@ioquatix])
319
+ - Add `rack.response_finished` to `Rack::Lint`. ([#1802](https://github.com/rack/rack/pull/1802), [@BlakeWilliams], [#1952](https://github.com/rack/rack/pull/1952), [@ioquatix])
320
+ - The stream argument must implement `#<<`. ([#1959](https://github.com/rack/rack/pull/1959), [@ioquatix])
321
+
322
+ ### Changed
323
+
324
+ - BREAKING CHANGE: Require `status` to be an Integer. ([#1662](https://github.com/rack/rack/pull/1662), [@olleolleolle](https://github.com/olleolleolle))
325
+ - BREAKING CHANGE: Query parsing now treats parameters without `=` as having the empty string value instead of nil value, to conform to the URL spec. ([#1696](https://github.com/rack/rack/issues/1696), [@jeremyevans])
326
+ - Relax validations around `Rack::Request#host` and `Rack::Request#hostname`. ([#1606](https://github.com/rack/rack/issues/1606), [@pvande](https://github.com/pvande))
327
+ - Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. ([#1658](https://github.com/rack/rack/pull/1658), [@ioquatix])
328
+ - Removed options from `Rack::Builder.parse_file` and `Rack::Builder.load_file`. ([#1663](https://github.com/rack/rack/pull/1663), [@ioquatix])
329
+ - `Rack::HTTP_VERSION` has been removed and the `HTTP_VERSION` env setting is no longer set in the CGI and Webrick handlers. ([#970](https://github.com/rack/rack/issues/970), [@jeremyevans])
330
+ - `Rack::Request#[]` and `#[]=` now warn even in non-verbose mode. ([#1277](https://github.com/rack/rack/issues/1277), [@jeremyevans])
331
+ - Decrease default allowed parameter recursion level from 100 to 32. ([#1640](https://github.com/rack/rack/issues/1640), [@jeremyevans])
332
+ - Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. ([#1603](https://github.com/rack/rack/issues/1603), [@jeremyevans])
333
+ - `Rack::Utils.secure_compare` uses OpenSSL's faster implementation if available. ([#1711](https://github.com/rack/rack/pull/1711), [@bdewater](https://github.com/bdewater))
334
+ - `Rack::Request#POST` now caches an empty hash if input content type is not parseable. ([#749](https://github.com/rack/rack/pull/749), [@jeremyevans])
335
+ - BREAKING CHANGE: Updated `trusted_proxy?` to match full 127.0.0.0/8 network. ([#1781](https://github.com/rack/rack/pull/1781), [@snbloch](https://github.com/snbloch))
336
+ - Explicitly deprecate `Rack::File` which was an alias for `Rack::Files`. ([#1811](https://github.com/rack/rack/pull/1720), [@ioquatix]).
337
+ - Moved `Rack::Session` into [separate gem](https://github.com/rack/rack-session). ([#1805](https://github.com/rack/rack/pull/1805), [@ioquatix])
338
+ - `rackup -D` option to daemonizes no longer changes the working directory to the root. ([#1813](https://github.com/rack/rack/pull/1813), [@jeremyevans])
339
+ - The `x-forwarded-proto` header is now considered before the `x-forwarded-scheme` header for determining the forwarded protocol. `Rack::Request.x_forwarded_proto_priority` accessor has been added for configuring the priority of which header to check. ([#1809](https://github.com/rack/rack/issues/1809), [@jeremyevans])
340
+ - `Rack::Request.forwarded_authority` (and methods that call it, such as `host`) now returns the last authority in the forwarded header, instead of the first, as earlier forwarded authorities can be forged by clients. This restores the Rack 2.1 behavior. ([#1829](https://github.com/rack/rack/issues/1809), [@jeremyevans])
341
+ - Use lower case cookie attributes when creating cookies, and fold cookie attributes to lower case when reading cookies (specifically impacting `secure` and `httponly` attributes). ([#1849](https://github.com/rack/rack/pull/1849), [@ioquatix])
342
+ - The response array must now be mutable (non-frozen) so middleware can modify it without allocating a new Array,therefore reducing object allocations. ([#1887](https://github.com/rack/rack/pull/1887), [#1927](https://github.com/rack/rack/pull/1927), [@amatsuda], [@ioquatix])
343
+ - `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional. `rack.hijack_io` is no longer required/specified. ([#1939](https://github.com/rack/rack/pull/1939), [@ioquatix])
344
+ - Allow calling close on `rack.input`. ([#1956](https://github.com/rack/rack/pull/1956), [@ioquatix])
345
+
346
+ ### Fixed
347
+
348
+ - Make Rack::MockResponse handle non-hash headers. ([#1629](https://github.com/rack/rack/issues/1629), [@jeremyevans])
349
+ - TempfileReaper now deletes temp files if application raises an exception. ([#1679](https://github.com/rack/rack/issues/1679), [@jeremyevans])
350
+ - Handle cookies with values that end in '=' ([#1645](https://github.com/rack/rack/pull/1645), [@lukaso](https://github.com/lukaso))
351
+ - Make `Rack::NullLogger` respond to `#fatal!` [@jeremyevans])
352
+ - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
353
+ - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
354
+
5
355
  ## [2.2.15] - 2025-05-18
6
356
 
7
357
  - Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
@@ -10,7 +360,6 @@ All notable changes to this project will be documented in this file. For info on
10
360
 
11
361
  ### Security
12
362
 
13
- - [CVE-2025-32441](https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g) Rack session can be restored after deletion.
14
363
  - [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
15
364
 
16
365
  ## [2.2.13] - 2025-03-11
@@ -89,18 +438,18 @@ All notable changes to this project will be documented in this file. For info on
89
438
  - [CVE-2022-30123] Fix shell escaping issue in Common Logger
90
439
  - [CVE-2022-30122] Restrict parsing of broken MIME attachments
91
440
 
92
- ## [2.2.3] - 2020-02-11
441
+ ## [2.2.3] - 2020-06-15
93
442
 
94
443
  ### Security
95
444
 
96
- - [CVE-2020-8184] Only decode cookie values
445
+ - [[CVE-2020-8184](https://nvd.nist.gov/vuln/detail/CVE-2020-8184)] Do not allow percent-encoded cookie name to override existing cookie names. BREAKING CHANGE: Accessing cookie names that require URL encoding with decoded name no longer works. ([@fletchto99](https://github.com/fletchto99))
97
446
 
98
447
  ## [2.2.2] - 2020-02-11
99
448
 
100
449
  ### Fixed
101
450
 
102
- - Fix incorrect `Rack::Request#host` value. ([#1591](https://github.com/rack/rack/pull/1591), [@ioquatix](https://github.com/ioquatix))
103
- - Revert `Rack::Handler::Thin` implementation. ([#1583](https://github.com/rack/rack/pull/1583), [@jeremyevans](https://github.com/jeremyevans))
451
+ - Fix incorrect `Rack::Request#host` value. ([#1591](https://github.com/rack/rack/pull/1591), [@ioquatix])
452
+ - Revert `Rack::Handler::Thin` implementation. ([#1583](https://github.com/rack/rack/pull/1583), [@jeremyevans])
104
453
  - Double assignment is still needed to prevent an "unused variable" warning. ([#1589](https://github.com/rack/rack/pull/1589), [@kamipo](https://github.com/kamipo))
105
454
  - Fix to handle same_site option for session pool. ([#1587](https://github.com/rack/rack/pull/1587), [@kamipo](https://github.com/kamipo))
106
455
 
@@ -108,105 +457,111 @@ All notable changes to this project will be documented in this file. For info on
108
457
 
109
458
  ### Fixed
110
459
 
111
- - Rework `Rack::Request#ip` to handle empty `forwarded_for`. ([#1577](https://github.com/rack/rack/pull/1577), [@ioquatix](https://github.com/ioquatix))
460
+ - Rework `Rack::Request#ip` to handle empty `forwarded_for`. ([#1577](https://github.com/rack/rack/pull/1577), [@ioquatix])
112
461
 
113
462
  ## [2.2.0] - 2020-02-08
114
463
 
115
464
  ### SPEC Changes
116
465
 
117
- - `rack.session` request environment entry must respond to `to_hash` and return unfrozen Hash. ([@jeremyevans](https://github.com/jeremyevans))
118
- - Request environment cannot be frozen. ([@jeremyevans](https://github.com/jeremyevans))
119
- - CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. ([@jeremyevans](https://github.com/jeremyevans))
120
- - Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix](https://github.com/ioquatix))
466
+ - `rack.session` request environment entry must respond to `to_hash` and return unfrozen Hash. ([@jeremyevans])
467
+ - Request environment cannot be frozen. ([@jeremyevans])
468
+ - CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. ([@jeremyevans])
469
+ - Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix])
121
470
 
122
471
  ### Added
123
472
 
124
- - `rackup` supports multiple `-r` options and will require all arguments. ([@jeremyevans](https://github.com/jeremyevans))
473
+ - `rackup` supports multiple `-r` options and will require all arguments. ([@jeremyevans])
125
474
  - `Server` supports an array of paths to require for the `:require` option. ([@khotta](https://github.com/khotta))
126
475
  - `Files` supports multipart range requests. ([@fatkodima](https://github.com/fatkodima))
127
- - `Multipart::UploadedFile` supports an IO-like object instead of using the filesystem, using `:filename` and `:io` options. ([@jeremyevans](https://github.com/jeremyevans))
128
- - `Multipart::UploadedFile` supports keyword arguments `:path`, `:content_type`, and `:binary` in addition to positional arguments. ([@jeremyevans](https://github.com/jeremyevans))
129
- - `Static` supports a `:cascade` option for calling the app if there is no matching file. ([@jeremyevans](https://github.com/jeremyevans))
130
- - `Session::Abstract::SessionHash#dig`. ([@jeremyevans](https://github.com/jeremyevans))
131
- - `Response.[]` and `MockResponse.[]` for creating instances using status, headers, and body. ([@ioquatix](https://github.com/ioquatix))
132
- - Convenient cache and content type methods for `Rack::Response`. ([#1555](https://github.com/rack/rack/pull/1555), [@ioquatix](https://github.com/ioquatix))
476
+ - `Multipart::UploadedFile` supports an IO-like object instead of using the filesystem, using `:filename` and `:io` options. ([@jeremyevans])
477
+ - `Multipart::UploadedFile` supports keyword arguments `:path`, `:content_type`, and `:binary` in addition to positional arguments. ([@jeremyevans])
478
+ - `Static` supports a `:cascade` option for calling the app if there is no matching file. ([@jeremyevans])
479
+ - `Session::Abstract::SessionHash#dig`. ([@jeremyevans])
480
+ - `Response.[]` and `MockResponse.[]` for creating instances using status, headers, and body. ([@ioquatix])
481
+ - Convenient cache and content type methods for `Rack::Response`. ([#1555](https://github.com/rack/rack/pull/1555), [@ioquatix])
133
482
 
134
483
  ### Changed
135
484
 
136
- - `Request#params` no longer rescues EOFError. ([@jeremyevans](https://github.com/jeremyevans))
137
- - `Directory` uses a streaming approach, significantly improving time to first byte for large directories. ([@jeremyevans](https://github.com/jeremyevans))
138
- - `Directory` no longer includes a Parent directory link in the root directory index. ([@jeremyevans](https://github.com/jeremyevans))
139
- - `QueryParser#parse_nested_query` uses original backtrace when reraising exception with new class. ([@jeremyevans](https://github.com/jeremyevans))
140
- - `ConditionalGet` follows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. ([@jeremyevans](https://github.com/jeremyevans))
485
+ - `Request#params` no longer rescues EOFError. ([@jeremyevans])
486
+ - `Directory` uses a streaming approach, significantly improving time to first byte for large directories. ([@jeremyevans])
487
+ - `Directory` no longer includes a Parent directory link in the root directory index. ([@jeremyevans])
488
+ - `QueryParser#parse_nested_query` uses original backtrace when reraising exception with new class. ([@jeremyevans])
489
+ - `ConditionalGet` follows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. ([@jeremyevans])
141
490
  - `.ru` files supports the `frozen-string-literal` magic comment. ([@eregon](https://github.com/eregon))
142
- - Rely on autoload to load constants instead of requiring internal files, make sure to require 'rack' and not just 'rack/...'. ([@jeremyevans](https://github.com/jeremyevans))
143
- - `Etag` will continue sending ETag even if the response should not be cached. ([@henm](https://github.com/henm))
491
+ - Rely on autoload to load constants instead of requiring internal files, make sure to require 'rack' and not just 'rack/...'. ([@jeremyevans])
492
+ - BREAKING CHANGE: `Etag` will continue sending ETag even if the response should not be cached. Streaming no longer works without a workaround, see [#1619](https://github.com/rack/rack/issues/1619#issuecomment-848460528). ([@henm](https://github.com/henm))
144
493
  - `Request#host_with_port` no longer includes a colon for a missing or empty port. ([@AlexWayfer](https://github.com/AlexWayfer))
145
- - All handlers uses keywords arguments instead of an options hash argument. ([@ioquatix](https://github.com/ioquatix))
146
- - `Files` handling of range requests no longer return a body that supports `to_path`, to ensure range requests are handled correctly. ([@jeremyevans](https://github.com/jeremyevans))
147
- - `Multipart::Generator` only includes `Content-Length` for files with paths, and `Content-Disposition` `filename` if the `UploadedFile` instance has one. ([@jeremyevans](https://github.com/jeremyevans))
148
- - `Request#ssl?` is true for the `wss` scheme (secure websockets). ([@jeremyevans](https://github.com/jeremyevans))
149
- - `Rack::HeaderHash` is memoized by default. ([#1549](https://github.com/rack/rack/pull/1549), [@ioquatix](https://github.com/ioquatix))
494
+ - All handlers uses keywords arguments instead of an options hash argument. ([@ioquatix])
495
+ - `Files` handling of range requests no longer return a body that supports `to_path`, to ensure range requests are handled correctly. ([@jeremyevans])
496
+ - `Multipart::Generator` only includes `Content-Length` for files with paths, and `Content-Disposition` `filename` if the `UploadedFile` instance has one. ([@jeremyevans])
497
+ - `Request#ssl?` is true for the `wss` scheme (secure websockets). ([@jeremyevans])
498
+ - `Rack::HeaderHash` is memoized by default. ([#1549](https://github.com/rack/rack/pull/1549), [@ioquatix])
150
499
  - `Rack::Directory` allow directory traversal inside root directory. ([#1417](https://github.com/rack/rack/pull/1417), [@ThomasSevestre](https://github.com/ThomasSevestre))
151
- - Sort encodings by server preference. ([#1184](https://github.com/rack/rack/pull/1184), [@ioquatix](https://github.com/ioquatix), [@wjordan](https://github.com/wjordan))
152
- - Rework host/hostname/authority implementation in `Rack::Request`. `#host` and `#host_with_port` have been changed to correctly return IPv6 addresses formatted with square brackets, as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.2.2). ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix](https://github.com/ioquatix))
153
- - `Rack::Builder` parsing options on first `#\` line is deprecated. ([#1574](https://github.com/rack/rack/pull/1574), [@ioquatix](https://github.com/ioquatix))
500
+ - Sort encodings by server preference. ([#1184](https://github.com/rack/rack/pull/1184), [@ioquatix], [@wjordan](https://github.com/wjordan))
501
+ - Rework host/hostname/authority implementation in `Rack::Request`. `#host` and `#host_with_port` have been changed to correctly return IPv6 addresses formatted with square brackets, as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.2.2). ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix])
502
+ - `Rack::Builder` parsing options on first `#\` line is deprecated. ([#1574](https://github.com/rack/rack/pull/1574), [@ioquatix])
154
503
 
155
504
  ### Removed
156
505
 
157
- - `Directory#path` as it was not used and always returned nil. ([@jeremyevans](https://github.com/jeremyevans))
158
- - `BodyProxy#each` as it was only needed to work around a bug in Ruby <1.9.3. ([@jeremyevans](https://github.com/jeremyevans))
506
+ - `Directory#path` as it was not used and always returned nil. ([@jeremyevans])
507
+ - `BodyProxy#each` as it was only needed to work around a bug in Ruby <1.9.3. ([@jeremyevans])
159
508
  - `URLMap::INFINITY` and `URLMap::NEGATIVE_INFINITY`, in favor of `Float::INFINITY`. ([@ch1c0t](https://github.com/ch1c0t))
160
509
  - Deprecation of `Rack::File`. It will be deprecated again in rack 2.2 or 3.0. ([@rafaelfranca](https://github.com/rafaelfranca))
161
- - Support for Ruby 2.2 as it is well past EOL. ([@ioquatix](https://github.com/ioquatix))
162
- - Remove `Rack::Files#response_body` as the implementation was broken. ([#1153](https://github.com/rack/rack/pull/1153), [@ioquatix](https://github.com/ioquatix))
163
- - Remove `SERVER_ADDR` which was never part of the original SPEC. ([#1573](https://github.com/rack/rack/pull/1573), [@ioquatix](https://github.com/ioquatix))
510
+ - Support for Ruby 2.2 as it is well past EOL. ([@ioquatix])
511
+ - Remove `Rack::Files#response_body` as the implementation was broken. ([#1153](https://github.com/rack/rack/pull/1153), [@ioquatix])
512
+ - Remove `SERVER_ADDR` which was never part of the original SPEC. ([#1573](https://github.com/rack/rack/pull/1573), [@ioquatix])
164
513
 
165
514
  ### Fixed
166
515
 
167
- - `Directory` correctly handles root paths containing glob metacharacters. ([@jeremyevans](https://github.com/jeremyevans))
168
- - `Cascade` uses a new response object for each call if initialized with no apps. ([@jeremyevans](https://github.com/jeremyevans))
169
- - `BodyProxy` correctly delegates keyword arguments to the body object on Ruby 2.7+. ([@jeremyevans](https://github.com/jeremyevans))
170
- - `BodyProxy#method` correctly handles methods delegated to the body object. ([@jeremyevans](https://github.com/jeremyevans))
516
+ - `Directory` correctly handles root paths containing glob metacharacters. ([@jeremyevans])
517
+ - `Cascade` uses a new response object for each call if initialized with no apps. ([@jeremyevans])
518
+ - `BodyProxy` correctly delegates keyword arguments to the body object on Ruby 2.7+. ([@jeremyevans])
519
+ - `BodyProxy#method` correctly handles methods delegated to the body object. ([@jeremyevans])
171
520
  - `Request#host` and `Request#host_with_port` handle IPv6 addresses correctly. ([@AlexWayfer](https://github.com/AlexWayfer))
172
- - `Lint` checks when response hijacking that `rack.hijack` is called with a valid object. ([@jeremyevans](https://github.com/jeremyevans))
173
- - `Response#write` correctly updates `Content-Length` if initialized with a body. ([@jeremyevans](https://github.com/jeremyevans))
521
+ - `Lint` checks when response hijacking that `rack.hijack` is called with a valid object. ([@jeremyevans])
522
+ - `Response#write` correctly updates `Content-Length` if initialized with a body. ([@jeremyevans])
174
523
  - `CommonLogger` includes `SCRIPT_NAME` when logging. ([@Erol](https://github.com/Erol))
175
- - `Utils.parse_nested_query` correctly handles empty queries, using an empty instance of the params class instead of a hash. ([@jeremyevans](https://github.com/jeremyevans))
524
+ - `Utils.parse_nested_query` correctly handles empty queries, using an empty instance of the params class instead of a hash. ([@jeremyevans])
176
525
  - `Directory` correctly escapes paths in links. ([@yous](https://github.com/yous))
177
- - `Request#delete_cookie` and related `Utils` methods handle `:domain` and `:path` options in same call. ([@jeremyevans](https://github.com/jeremyevans))
178
- - `Request#delete_cookie` and related `Utils` methods do an exact match on `:domain` and `:path` options. ([@jeremyevans](https://github.com/jeremyevans))
526
+ - `Request#delete_cookie` and related `Utils` methods handle `:domain` and `:path` options in same call. ([@jeremyevans])
527
+ - `Request#delete_cookie` and related `Utils` methods do an exact match on `:domain` and `:path` options. ([@jeremyevans])
179
528
  - `Static` no longer adds headers when a gzipped file request has a 304 response. ([@chooh](https://github.com/chooh))
180
- - `ContentLength` sets `Content-Length` response header even for bodies not responding to `to_ary`. ([@jeremyevans](https://github.com/jeremyevans))
181
- - Thin handler supports options passed directly to `Thin::Controllers::Controller`. ([@jeremyevans](https://github.com/jeremyevans))
182
- - WEBrick handler no longer ignores `:BindAddress` option. ([@jeremyevans](https://github.com/jeremyevans))
183
- - `ShowExceptions` handles invalid POST data. ([@jeremyevans](https://github.com/jeremyevans))
184
- - Basic authentication requires a password, even if the password is empty. ([@jeremyevans](https://github.com/jeremyevans))
185
- - `Lint` checks response is array with 3 elements, per SPEC. ([@jeremyevans](https://github.com/jeremyevans))
529
+ - `ContentLength` sets `Content-Length` response header even for bodies not responding to `to_ary`. ([@jeremyevans])
530
+ - Thin handler supports options passed directly to `Thin::Controllers::Controller`. ([@jeremyevans])
531
+ - WEBrick handler no longer ignores `:BindAddress` option. ([@jeremyevans])
532
+ - `ShowExceptions` handles invalid POST data. ([@jeremyevans])
533
+ - Basic authentication requires a password, even if the password is empty. ([@jeremyevans])
534
+ - `Lint` checks response is array with 3 elements, per SPEC. ([@jeremyevans])
186
535
  - Support for using `:SSLEnable` option when using WEBrick handler. (Gregor Melhorn)
187
- - Close response body after buffering it when buffering. ([@ioquatix](https://github.com/ioquatix))
536
+ - Close response body after buffering it when buffering. ([@ioquatix])
188
537
  - Only accept `;` as delimiter when parsing cookies. ([@mrageh](https://github.com/mrageh))
189
- - `Utils::HeaderHash#clear` clears the name mapping as well. ([@raxoft](https://github.com/raxoft))
190
- - Support for passing `nil` `Rack::Files.new`, which notably fixes Rails' current `ActiveStorage::FileServer` implementation. ([@ioquatix](https://github.com/ioquatix))
538
+ - `Utils::HeaderHash#clear` clears the name mapping as well. ([@raxoft](https://github.com/raxoft))
539
+ - Support for passing `nil` `Rack::Files.new`, which notably fixes Rails' current `ActiveStorage::FileServer` implementation. ([@ioquatix])
191
540
 
192
541
  ### Documentation
193
542
 
194
543
  - CHANGELOG updates. ([@aupajo](https://github.com/aupajo))
195
544
  - Added [CONTRIBUTING](CONTRIBUTING.md). ([@dblock](https://github.com/dblock))
196
545
 
546
+ ## [2.0.9] - 2020-02-08
547
+
548
+ - Handle case where session id key is requested but missing ([@jeremyevans])
549
+ - Restore support for code relying on `SessionId#to_s`. ([@jeremyevans])
550
+ - Add support for `SameSite=None` cookie value. ([@hennikul](https://github.com/hennikul))
551
+
197
552
  ## [2.1.2] - 2020-01-27
198
553
 
199
554
  - Fix multipart parser for some files to prevent denial of service ([@aiomaster](https://github.com/aiomaster))
200
555
  - Fix `Rack::Builder#use` with keyword arguments ([@kamipo](https://github.com/kamipo))
201
- - Skip deflating in Rack::Deflater if Content-Length is 0 ([@jeremyevans](https://github.com/jeremyevans))
556
+ - Skip deflating in Rack::Deflater if Content-Length is 0 ([@jeremyevans])
202
557
  - Remove `SessionHash#transform_keys`, no longer needed ([@pavel](https://github.com/pavel))
203
558
  - Add to_hash to wrap Hash and Session classes ([@oleh-demyanyuk](https://github.com/oleh-demyanyuk))
204
- - Handle case where session id key is requested but missing ([@jeremyevans](https://github.com/jeremyevans))
559
+ - Handle case where session id key is requested but missing ([@jeremyevans])
205
560
 
206
561
  ## [2.1.1] - 2020-01-12
207
562
 
208
- - Remove `Rack::Chunked` from `Rack::Server` default middleware. ([#1475](https://github.com/rack/rack/pull/1475), [@ioquatix](https://github.com/ioquatix))
209
- - Restore support for code relying on `SessionId#to_s`. ([@jeremyevans](https://github.com/jeremyevans))
563
+ - Remove `Rack::Chunked` from `Rack::Server` default middleware. ([#1475](https://github.com/rack/rack/pull/1475), [@ioquatix])
564
+ - Restore support for code relying on `SessionId#to_s`. ([@jeremyevans])
210
565
 
211
566
  ## [2.1.0] - 2020-01-10
212
567
 
@@ -223,13 +578,13 @@ All notable changes to this project will be documented in this file. For info on
223
578
  - Add boot-time profiling capabilities to `rackup`. ([@tenderlove](https://github.com/tenderlove))
224
579
  - Add multi mapping support for `X-Accel-Mappings` header. ([@yoshuki](https://github.com/yoshuki))
225
580
  - Add `sync: false` option to `Rack::Deflater`. (Eric Wong)
226
- - Add `Builder#freeze_app` to freeze application and all middleware instances. ([@jeremyevans](https://github.com/jeremyevans))
581
+ - Add `Builder#freeze_app` to freeze application and all middleware instances. ([@jeremyevans])
227
582
  - Add API to extract cookies from `Rack::MockResponse`. ([@petercline](https://github.com/petercline))
228
583
 
229
584
  ### Changed
230
585
 
231
- - Don't propagate nil values from middleware. ([@ioquatix](https://github.com/ioquatix))
232
- - Lazily initialize the response body and only buffer it if required. ([@ioquatix](https://github.com/ioquatix))
586
+ - Don't propagate nil values from middleware. ([@ioquatix])
587
+ - Lazily initialize the response body and only buffer it if required. ([@ioquatix])
233
588
  - Fix deflater zlib buffer errors on empty body part. ([@felixbuenemann](https://github.com/felixbuenemann))
234
589
  - Set `X-Accel-Redirect` to percent-encoded path. ([@diskkid](https://github.com/diskkid))
235
590
  - Remove unnecessary buffer growing when parsing multipart. ([@tainoe](https://github.com/tainoe))
@@ -242,15 +597,15 @@ All notable changes to this project will be documented in this file. For info on
242
597
  - Make `Utils.status_code` raise an error when the status symbol is invalid instead of `500`. ([@adambutler](https://github.com/adambutler))
243
598
  - Rename `Request::SCHEME_WHITELIST` to `Request::ALLOWED_SCHEMES`.
244
599
  - Make `Multipart::Parser.get_filename` accept files with `+` in their name. ([@lucaskanashiro](https://github.com/lucaskanashiro))
245
- - Add Falcon to the default handler fallbacks. ([@ioquatix](https://github.com/ioquatix))
600
+ - Add Falcon to the default handler fallbacks. ([@ioquatix])
246
601
  - Update codebase to avoid string mutations in preparation for `frozen_string_literals`. ([@pat](https://github.com/pat))
247
602
  - Change `MockRequest#env_for` to rely on the input optionally responding to `#size` instead of `#length`. ([@janko](https://github.com/janko))
248
- - Rename `Rack::File` -> `Rack::Files` and add deprecation notice. ([@postmodern](https://github.com/postmodern)).
249
- - Prefer Base64 “strict encoding” for Base64 cookies. ([@ioquatix](https://github.com/ioquatix))
603
+ - Rename `Rack::File` -> `Rack::Files` and add deprecation notice. ([@postmodern](https://github.com/postmodern))
604
+ - Prefer Base64 “strict encoding” for Base64 cookies. ([@ioquatix])
250
605
 
251
606
  ### Removed
252
607
 
253
- - Remove `to_ary` from Response ([@tenderlove](https://github.com/tenderlove))
608
+ - BREAKING CHANGE: Remove `to_ary` from Response ([@tenderlove](https://github.com/tenderlove))
254
609
  - Deprecate `Rack::Session::Memcache` in favor of `Rack::Session::Dalli` from dalli gem ([@fatkodima](https://github.com/fatkodima))
255
610
 
256
611
  ### Fixed
@@ -331,7 +686,7 @@ All notable changes to this project will be documented in this file. For info on
331
686
  ### Added
332
687
 
333
688
  - Allow `Session::Abstract::SessionHash#fetch` to accept a block with a default value. ([@yannvanhalewyn](https://github.com/yannvanhalewyn))
334
- - Add `Builder#freeze_app` to freeze application and all middleware. ([@jeremyevans](https://github.com/jeremyevans))
689
+ - Add `Builder#freeze_app` to freeze application and all middleware. ([@jeremyevans])
335
690
 
336
691
  ### Changed
337
692
 
@@ -343,9 +698,9 @@ All notable changes to this project will be documented in this file. For info on
343
698
  ### Fixed
344
699
 
345
700
  - Handle `NULL` bytes in multipart filenames. ([@casperisfine](https://github.com/casperisfine))
346
- - Remove warnings due to miscapitalized global. ([@ioquatix](https://github.com/ioquatix))
701
+ - Remove warnings due to miscapitalized global. ([@ioquatix])
347
702
  - Prevent exceptions caused by a race condition on multi-threaded servers. ([@sophiedeziel](https://github.com/sophiedeziel))
348
- - Add RDoc as an explicit depencency for `doc` group. ([@tonytonyjan](https://github.com/tonytonyjan))
703
+ - Add RDoc as an explicit dependency for `doc` group. ([@tonytonyjan](https://github.com/tonytonyjan))
349
704
  - Record errors originating from `Multipart::Parser` in the `MethodOverride` middleware instead of letting them bubble up. ([@carlzulauf](https://github.com/carlzulauf))
350
705
  - Remove remaining use of removed `Utils#bytesize` method from the `File` middleware. ([@brauliomartinezlm](https://github.com/brauliomartinezlm))
351
706
 
@@ -663,7 +1018,7 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
663
1018
  - Moved Auth::OpenID to rack-contrib.
664
1019
  - SPEC change that relaxes Lint slightly to allow subclasses of the
665
1020
  required types
666
- - SPEC change to document rack.input binary mode in greator detail
1021
+ - SPEC change to document rack.input binary mode in greater detail
667
1022
  - SPEC define optional rack.logger specification
668
1023
  - File servers support X-Cascade header
669
1024
  - Imported Config middleware
@@ -784,4 +1139,8 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
784
1139
 
785
1140
  [@ioquatix]: https://github.com/ioquatix "Samuel Williams"
786
1141
  [@jeremyevans]: https://github.com/jeremyevans "Jeremy Evans"
1142
+ [@amatsuda]: https://github.com/amatsuda "Akira Matsuda"
1143
+ [@wjordan]: https://github.com/wjordan "Will Jordan"
1144
+ [@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
1145
+ [@davidstosik]: https://github.com/davidstosik "David Stosik"
787
1146
  [@earlopain]: https://github.com/earlopain "Earlopain"