rack 2.2.18 → 3.2.3

data/lib/rack/response.rb

@@ -2,6 +2,11 @@
 
 require 'time'
 
+require_relative 'constants'
+require_relative 'utils'
+require_relative 'media_type'
+require_relative 'headers'
+
 module Rack
   # Rack::Response provides a convenient interface to create a Rack
   # response.
@@ -26,22 +31,38 @@ module Rack
     attr_accessor :length, :status, :body
     attr_reader :headers
 
-    # @deprecated Use {#headers} instead.
-    alias header headers
-
-    # Initialize the response object with the specified body, status
-    # and headers.
+    # Initialize the response object with the specified +body+, +status+
+    # and +headers+.
+    #
+    # If the +body+ is +nil+, construct an empty response object with internal
+    # buffering.
+    #
+    # If the +body+ responds to +to_str+, assume it's a string-like object and
+    # construct a buffered response object containing using that string as the
+    # initial contents of the buffer.
+    #
+    # Otherwise it is expected +body+ conforms to the normal requirements of a
+    # Rack response body, typically implementing one of +each+ (enumerable
+    # body) or +call+ (streaming body).
     #
-    # @param body [nil, #each, #to_str] the response body.
-    # @param status [Integer] the integer status as defined by the
-    # HTTP protocol RFCs.
-    # @param headers [#each] a list of key-value header pairs which
-    # conform to the HTTP protocol RFCs.
+    # The +status+ defaults to +200+ which is the "OK" HTTP status code. You
+    # can provide any other valid status code.
     #
-    # Providing a body which responds to #to_str is legacy behaviour.
+    # The +headers+ must be a +Hash+ of key-value header pairs which conform to
+    # the Rack specification for response headers. The key must be a +String+
+    # instance and the value can be either a +String+ or +Array+ instance.
     def initialize(body = nil, status = 200, headers = {})
       @status = status.to_i
-      @headers = Utils::HeaderHash[headers]
+
+      unless headers.is_a?(Hash)
+        raise ArgumentError, "Headers must be a Hash!"
+      end
+
+      @headers = Headers.new
+      # Convert headers input to a plain hash with lowercase keys.
+      headers.each do |k, v|
+        @headers[k] = v
+      end
 
       @writer = self.method(:append)
 
@@ -51,15 +72,16 @@ module Rack
       if body.nil?
         @body = []
         @buffered = true
-        @length = 0
+        # Body is unspecified - it may be a buffered response, or it may be a HEAD response.
+        @length = nil
       elsif body.respond_to?(:to_str)
         @body = [body]
         @buffered = true
         @length = body.to_str.bytesize
       else
         @body = body
-        @buffered = false
-        @length = 0
+        @buffered = nil # undetermined as of yet.
+        @length = nil
       end
 
       yield self if block_given?
@@ -74,20 +96,30 @@ module Rack
       CHUNKED == get_header(TRANSFER_ENCODING)
     end
 
+    def no_entity_body?
+      # The response body is an enumerable body and it is not allowed to have an entity body.
+      @body.respond_to?(:each) && STATUS_WITH_NO_ENTITY_BODY[@status]
+    end
+
     # Generate a response array consistent with the requirements of the SPEC.
     # @return [Array] a 3-tuple suitable of `[status, headers, body]`
     # which is suitable to be returned from the middleware `#call(env)` method.
     def finish(&block)
-      if STATUS_WITH_NO_ENTITY_BODY[status.to_i]
+      if no_entity_body?
         delete_header CONTENT_TYPE
         delete_header CONTENT_LENGTH
         close
         return [@status, @headers, []]
       else
         if block_given?
+          # We don't add the content-length here as the user has provided a block that can #write additional chunks to the body.
           @block = block
           return [@status, @headers, self]
         else
+          # If we know the length of the body, set the content-length header... except if we are chunked? which is a legacy special case where the body might already be encoded and thus the actual encoded body length and the content-length are likely to be different.
+          if @length && !chunked?
+            @headers[CONTENT_LENGTH] = @length.to_s
+          end
           return [@status, @headers, @body]
         end
       end
@@ -105,7 +137,9 @@ module Rack
       end
     end
 
-    # Append to body and update Content-Length.
+    # Append a chunk to the response body.
+    #
+    # Converts the response into a buffered response if it wasn't already.
     #
     # NOTE: Do not mix #write and direct #body access!
     #
@@ -123,10 +157,22 @@ module Rack
       @block == nil && @body.empty?
     end
 
-    def has_header?(key);   headers.key? key;   end
-    def get_header(key);    headers[key];       end
-    def set_header(key, v); headers[key] = v;   end
-    def delete_header(key); headers.delete key; end
+    def has_header?(key)
+      raise ArgumentError unless key.is_a?(String)
+      @headers.key?(key)
+    end
+    def get_header(key)
+      raise ArgumentError unless key.is_a?(String)
+      @headers[key]
+    end
+    def set_header(key, value)
+      raise ArgumentError unless key.is_a?(String)
+      @headers[key] = value
+    end
+    def delete_header(key)
+      raise ArgumentError unless key.is_a?(String)
+      @headers.delete key
+    end
 
     alias :[] :get_header
     alias :[]= :set_header
@@ -150,31 +196,43 @@ module Rack
       def forbidden?;           status == 403;                        end
       def not_found?;           status == 404;                        end
       def method_not_allowed?;  status == 405;                        end
+      def not_acceptable?;      status == 406;                        end
+      def request_timeout?;     status == 408;                        end
       def precondition_failed?; status == 412;                        end
       def unprocessable?;       status == 422;                        end
 
       def redirect?;            [301, 302, 303, 307, 308].include? status; end
 
       def include?(header)
-        has_header? header
+        has_header?(header)
       end
 
       # Add a header that may have multiple values.
       #
       # Example:
-      #   response.add_header 'Vary', 'Accept-Encoding'
-      #   response.add_header 'Vary', 'Cookie'
+      #   response.add_header 'vary', 'accept-encoding'
+      #   response.add_header 'vary', 'cookie'
       #
-      #   assert_equal 'Accept-Encoding,Cookie', response.get_header('Vary')
+      #   assert_equal 'accept-encoding,cookie', response.get_header('vary')
       #
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
-      def add_header(key, v)
-        if v.nil?
-          get_header key
-        elsif has_header? key
-          set_header key, "#{get_header key},#{v}"
+      def add_header(key, value)
+        raise ArgumentError unless key.is_a?(String)
+
+        if value.nil?
+          return get_header(key)
+        end
+
+        value = value.to_s
+
+        if header = get_header(key)
+          if header.is_a?(Array)
+            header << value
+          else
+            set_header(key, [header, value])
+          end
         else
-          set_header key, v
+          set_header(key, value)
         end
       end
 
@@ -202,36 +260,39 @@ module Rack
       end
 
       def location
-        get_header "Location"
+        get_header "location"
       end
 
       def location=(location)
-        set_header "Location", location
+        set_header "location", location
       end
 
       def set_cookie(key, value)
-        cookie_header = get_header SET_COOKIE
-        set_header SET_COOKIE, ::Rack::Utils.add_cookie_to_header(cookie_header, key, value)
+        add_header SET_COOKIE, Utils.set_cookie_header(key, value)
       end
 
       def delete_cookie(key, value = {})
-        set_header SET_COOKIE, ::Rack::Utils.add_remove_cookie_to_header(get_header(SET_COOKIE), key, value)
+        set_header(SET_COOKIE,
+          Utils.delete_set_cookie_header!(
+            get_header(SET_COOKIE), key, value
+          )
+        )
       end
 
       def set_cookie_header
         get_header SET_COOKIE
       end
 
-      def set_cookie_header=(v)
-        set_header SET_COOKIE, v
+      def set_cookie_header=(value)
+        set_header SET_COOKIE, value
       end
 
       def cache_control
         get_header CACHE_CONTROL
       end
 
-      def cache_control=(v)
-        set_header CACHE_CONTROL, v
+      def cache_control=(value)
+        set_header CACHE_CONTROL, value
       end
 
       # Specifies that the content shouldn't be cached. Overrides `cache!` if already called.
@@ -254,42 +315,55 @@ module Rack
         get_header ETAG
       end
 
-      def etag=(v)
-        set_header ETAG, v
+      def etag=(value)
+        set_header ETAG, value
       end
 
     protected
 
+      # Convert the body of this response into an internally buffered Array if possible.
+      #
+      # `@buffered` is a ternary value which indicates whether the body is buffered. It can be:
+      # * `nil` - The body has not been buffered yet.
+      # * `true` - The body is buffered as an Array instance.
+      # * `false` - The body is not buffered and cannot be buffered.
+      #
+      # @return [Boolean] whether the body is buffered as an Array instance.
       def buffered_body!
-        return if @buffered
-
-        if @body.is_a?(Array)
-          # The user supplied body was an array:
-          @body = @body.compact
-          @body.each do |part|
-            @length += part.to_s.bytesize
-          end
-        else
-          # Turn the user supplied body into a buffered array:
-          body = @body
-          @body = Array.new
-
-          body.each do |part|
-            @writer.call(part.to_s)
+        if @buffered.nil?
+          if @body.is_a?(Array)
+            # The user supplied body was an array:
+            @body = @body.compact
+            @length = @body.sum{|part| part.bytesize}
+            @buffered = true
+          elsif @body.respond_to?(:each)
+            # Turn the user supplied body into a buffered array:
+            body = @body
+            @body = Array.new
+            @buffered = true
+
+            body.each do |part|
+              @writer.call(part.to_s)
+            end
+
+            body.close if body.respond_to?(:close)
+          else
+            # We don't know how to buffer the user-supplied body:
+            @buffered = false
           end
-
-          body.close if body.respond_to?(:close)
         end
 
-        @buffered = true
+        return @buffered
       end
 
       def append(chunk)
+        chunk = chunk.dup unless chunk.frozen?
         @body << chunk
 
-        unless chunked?
+        if @length
           @length += chunk.bytesize
-          set_header(CONTENT_LENGTH, @length.to_s)
+        elsif @buffered
+          @length = chunk.bytesize
         end
 
         return chunk
@@ -309,10 +383,21 @@ module Rack
         @headers = headers
       end
 
-      def has_header?(key);   headers.key? key;   end
-      def get_header(key);    headers[key];       end
-      def set_header(key, v); headers[key] = v;   end
-      def delete_header(key); headers.delete key; end
+      def has_header?(key)
+        headers.key?(key)
+      end
+
+      def get_header(key)
+        headers[key]
+      end
+
+      def set_header(key, value)
+        headers[key] = value
+      end
+
+      def delete_header(key)
+        headers.delete(key)
+      end
     end
   end
 end

data/lib/rack/rewindable_input.rb

@@ -3,17 +3,32 @@
 
 require 'tempfile'
 
+require_relative 'constants'
+
 module Rack
   # Class which can make any IO object rewindable, including non-rewindable ones. It does
   # this by buffering the data into a tempfile, which is rewindable.
   #
-  # rack.input is required to be rewindable, so if your input stream IO is non-rewindable
-  # by nature (e.g. a pipe or a socket) then you can wrap it in an object of this class
-  # to easily make it rewindable.
-  #
   # Don't forget to call #close when you're done. This frees up temporary resources that
   # RewindableInput uses, though it does *not* close the original IO object.
   class RewindableInput
+    # Makes rack.input rewindable, for compatibility with applications and middleware
+    # designed for earlier versions of Rack (where rack.input was required to be
+    # rewindable).
+    class Middleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        if (input = env[RACK_INPUT])
+          env[RACK_INPUT] = RewindableInput.new(input)
+        end
+
+        @app.call(env)
+      end
+    end
+
     def initialize(io)
       @io = io
       @rewindable_io = nil
@@ -40,6 +55,11 @@ module Rack
       @rewindable_io.rewind
     end
 
+    def size
+      make_rewindable unless @rewindable_io
+      @rewindable_io.size
+    end
+
     # Closes this RewindableInput object without closing the originally
     # wrapped IO object. Cleans up any temporary resources that this RewindableInput
     # has created.
@@ -66,12 +86,14 @@ module Rack
       # access it because we have the file handle open.
       @rewindable_io = Tempfile.new('RackRewindableInput')
       @rewindable_io.chmod(0000)
-      @rewindable_io.set_encoding(Encoding::BINARY) if @rewindable_io.respond_to?(:set_encoding)
+      @rewindable_io.set_encoding(Encoding::BINARY)
       @rewindable_io.binmode
+      # :nocov:
       if filesystem_has_posix_semantics?
         raise 'Unlink failed. IO closed.' if @rewindable_io.closed?
         @unlinked = true
       end
+      # :nocov:
 
       buffer = "".dup
       while @io.read(1024 * 4, buffer)

data/lib/rack/runtime.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
+require_relative 'utils'
+
 module Rack
-  # Sets an "X-Runtime" response header, indicating the response
+  # Sets an "x-runtime" response header, indicating the response
   # time of the request, in seconds
   #
   # You can put it right before the application to see the processing
@@ -9,18 +11,17 @@ module Rack
   # too.
   class Runtime
     FORMAT_STRING = "%0.6f" # :nodoc:
-    HEADER_NAME = "X-Runtime" # :nodoc:
+    HEADER_NAME = "x-runtime" # :nodoc:
 
     def initialize(app, name = nil)
       @app = app
       @header_name = HEADER_NAME
-      @header_name += "-#{name}" if name
+      @header_name += "-#{name.to_s.downcase}" if name
     end
 
     def call(env)
       start_time = Utils.clock_time
-      status, headers, body = @app.call(env)
-      headers = Utils::HeaderHash[headers]
+      _, headers, _ = response = @app.call(env)
 
       request_time = Utils.clock_time - start_time
 
@@ -28,7 +29,7 @@ module Rack
         headers[@header_name] = FORMAT_STRING % request_time
       end
 
-      [status, headers, body]
+      response
     end
   end
 end

data/lib/rack/sendfile.rb

@@ -1,32 +1,36 @@
 # frozen_string_literal: true
 
+require_relative 'constants'
+require_relative 'utils'
+require_relative 'body_proxy'
+
 module Rack
 
   # = Sendfile
   #
   # The Sendfile middleware intercepts responses whose body is being
-  # served from a file and replaces it with a server specific X-Sendfile
+  # served from a file and replaces it with a server specific x-sendfile
   # header. The web server is then responsible for writing the file contents
   # to the client. This can dramatically reduce the amount of work required
   # by the Ruby backend and takes advantage of the web server's optimized file
   # delivery code.
   #
   # In order to take advantage of this middleware, the response body must
-  # respond to +to_path+ and the request must include an X-Sendfile-Type
+  # respond to +to_path+ and the request must include an `x-sendfile-type`
   # header. Rack::Files and other components implement +to_path+ so there's
-  # rarely anything you need to do in your application. The X-Sendfile-Type
+  # rarely anything you need to do in your application. The `x-sendfile-type`
   # header is typically set in your web servers configuration. The following
   # sections attempt to document
   #
   # === Nginx
   #
-  # Nginx supports the X-Accel-Redirect header. This is similar to X-Sendfile
+  # Nginx supports the `x-accel-redirect` header. This is similar to `x-sendfile`
   # but requires parts of the filesystem to be mapped into a private URL
   # hierarchy.
   #
   # The following example shows the Nginx configuration required to create
-  # a private "/files/" area, enable X-Accel-Redirect, and pass the special
-  # X-Sendfile-Type and X-Accel-Mapping headers to the backend:
+  # a private "/files/" area, enable `x-accel-redirect`, and pass the special
+  # `x-accel-mapping` header to the backend:
   #
   #   location ~ /files/(.*) {
   #     internal;
@@ -40,24 +44,29 @@ module Rack
   #     proxy_set_header   X-Real-IP           $remote_addr;
   #     proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
   #
-  #     proxy_set_header   X-Sendfile-Type     X-Accel-Redirect;
-  #     proxy_set_header   X-Accel-Mapping     /var/www/=/files/;
+  #     proxy_set_header   x-accel-mapping     /var/www/=/files/;
   #
   #     proxy_pass         http://127.0.0.1:8080/;
   #   }
   #
-  # Note that the X-Sendfile-Type header must be set exactly as shown above.
-  # The X-Accel-Mapping header should specify the location on the file system,
+  # The `x-accel-mapping` header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
   # that it maps to. The middleware performs a simple substitution on the
   # resulting path.
   #
+  # To enable `x-accel-redirect`, you must configure the middleware explicitly:
+  #
+  #   use Rack::Sendfile, "x-accel-redirect"
+  #
+  # For security reasons, the `x-sendfile-type` header from requests is ignored.
+  # The sendfile variation must be set via the middleware constructor.
+  #
   # See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
   #
   # === lighttpd
   #
-  # Lighttpd has supported some variation of the X-Sendfile header for some
-  # time, although only recent version support X-Sendfile in a reverse proxy
+  # Lighttpd has supported some variation of the `x-sendfile` header for some
+  # time, although only recent version support `x-sendfile` in a reverse proxy
   # configuration.
   #
   #   $HTTP["host"] == "example.com" {
@@ -71,7 +80,7 @@ module Rack
   #
   #      proxy-core.allow-x-sendfile = "enable"
   #      proxy-core.rewrite-request = (
-  #        "X-Sendfile-Type" => (".*" => "X-Sendfile")
+  #        "x-sendfile-type" => (".*" => "x-sendfile")
   #      )
   #    }
   #
@@ -79,56 +88,69 @@ module Rack
   #
   # === Apache
   #
-  # X-Sendfile is supported under Apache 2.x using a separate module:
+  # `x-sendfile` is supported under Apache 2.x using a separate module:
   #
   # https://tn123.org/mod_xsendfile/
   #
   # Once the module is compiled and installed, you can enable it using
   # XSendFile config directive:
   #
-  #   RequestHeader Set X-Sendfile-Type X-Sendfile
+  #   RequestHeader Set x-sendfile-type x-sendfile
   #   ProxyPassReverse / http://localhost:8001/
   #   XSendFile on
   #
   # === Mapping parameter
   #
   # The third parameter allows for an overriding extension of the
-  # X-Accel-Mapping header. Mappings should be provided in tuples of internal to
+  # `x-accel-mapping` header. Mappings should be provided in tuples of internal to
   # external. The internal values may contain regular expression syntax, they
   # will be matched with case indifference.
+  #
+  # When `x-accel-redirect` is explicitly enabled via the variation parameter,
+  # and no application-level mappings are provided, the middleware will read
+  # the `x-accel-mapping` header from the proxy. This allows nginx to control
+  # the path mapping without requiring application-level configuration.
+  #
+  # === Security
+  #
+  # For security reasons, the `x-sendfile-type` header from HTTP requests is
+  # ignored. The sendfile variation must be explicitly configured via the
+  # middleware constructor to prevent information disclosure vulnerabilities
+  # where attackers could bypass proxy restrictions.
 
   class Sendfile
     def initialize(app, variation = nil, mappings = [])
       @app = app
       @variation = variation
       @mappings = mappings.map do |internal, external|
-        [/^#{internal}/i, external]
+        [/\A#{internal}/i, external]
       end
     end
 
     def call(env)
-      status, headers, body = @app.call(env)
+      _, headers, body = response = @app.call(env)
+
       if body.respond_to?(:to_path)
         case type = variation(env)
-        when 'X-Accel-Redirect'
+        when /x-accel-redirect/i
           path = ::File.expand_path(body.to_path)
           if url = map_accel_path(env, path)
             headers[CONTENT_LENGTH] = '0'
             # '?' must be percent-encoded because it is not query string but a part of path
-            headers[type] = ::Rack::Utils.escape_path(url).gsub('?', '%3F')
+            headers[type.downcase] = ::Rack::Utils.escape_path(url).gsub('?', '%3F')
             obody = body
-            body = Rack::BodyProxy.new([]) do
+            response[2] = Rack::BodyProxy.new([]) do
               obody.close if obody.respond_to?(:close)
             end
           else
-            env[RACK_ERRORS].puts "X-Accel-Mapping header missing"
+            env[RACK_ERRORS].puts "x-accel-mapping header missing"
           end
-        when 'X-Sendfile', 'X-Lighttpd-Send-File'
+        when /x-sendfile|x-lighttpd-send-file/i
           path = ::File.expand_path(body.to_path)
           headers[CONTENT_LENGTH] = '0'
-          headers[type] = path
+          headers[type.downcase] = path
           obody = body
-          body = Rack::BodyProxy.new([]) do
+          response[2] = Rack::BodyProxy.new([]) do
             obody.close if obody.respond_to?(:close)
           end
         when '', nil
@@ -136,26 +158,39 @@ module Rack
           env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
         end
       end
-      [status, headers, body]
+      response
     end
 
     private
+
     def variation(env)
-      @variation ||
-        env['sendfile.type'] ||
-        env['HTTP_X_SENDFILE_TYPE']
+      # Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
+      # Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
+      @variation || env['sendfile.type']
+    end
+
+    def x_accel_mapping(env)
+      # Only allow header when:
+      # 1. `x-accel-redirect` is explicitly enabled via constructor.
+      # 2. No application-level mappings are configured.
+      return nil unless @variation =~ /x-accel-redirect/i
+      return nil if @mappings.any?
+      
+      env['HTTP_X_ACCEL_MAPPING']
     end
 
     def map_accel_path(env, path)
       if mapping = @mappings.find { |internal, _| internal =~ path }
-        path.sub(*mapping)
-      elsif mapping = env['HTTP_X_ACCEL_MAPPING']
+        return path.sub(*mapping)
+      elsif mapping = x_accel_mapping(env)
+        # Safe to use header: explicit config + no app mappings:
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/^#{internal}/i, external)
+          new_path = path.sub(/\A#{internal}/i, external)
           return new_path unless path == new_path
         end
-        path
+
+        return path
       end
     end
   end