RubyGems - rack - Versions diffs - 2.2.23 → 3.2.5 - Mend

rack 2.2.23 → 3.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +554 -83
data/CONTRIBUTING.md +63 -55
data/MIT-LICENSE +1 -1
data/README.md +384 -0
data/SPEC.rdoc +243 -277
data/lib/rack/auth/abstract/handler.rb +3 -1
data/lib/rack/auth/abstract/request.rb +5 -1
data/lib/rack/auth/basic.rb +1 -3
data/lib/rack/bad_request.rb +8 -0
data/lib/rack/body_proxy.rb +21 -3
data/lib/rack/builder.rb +108 -69
data/lib/rack/cascade.rb +2 -3
data/lib/rack/common_logger.rb +22 -17
data/lib/rack/conditional_get.rb +20 -16
data/lib/rack/constants.rb +68 -0
data/lib/rack/content_length.rb +12 -16
data/lib/rack/content_type.rb +8 -5
data/lib/rack/deflater.rb +40 -26
data/lib/rack/directory.rb +10 -4
data/lib/rack/etag.rb +17 -23
data/lib/rack/events.rb +25 -6
data/lib/rack/files.rb +16 -18
data/lib/rack/head.rb +8 -8
data/lib/rack/headers.rb +238 -0
data/lib/rack/lint.rb +817 -648
data/lib/rack/lock.rb +2 -5
data/lib/rack/media_type.rb +6 -7
data/lib/rack/method_override.rb +5 -1
data/lib/rack/mime.rb +14 -5
data/lib/rack/mock.rb +1 -300
data/lib/rack/mock_request.rb +161 -0
data/lib/rack/mock_response.rb +156 -0
data/lib/rack/multipart/generator.rb +7 -5
data/lib/rack/multipart/parser.rb +240 -123
data/lib/rack/multipart/uploaded_file.rb +45 -4
data/lib/rack/multipart.rb +53 -40
data/lib/rack/null_logger.rb +9 -0
data/lib/rack/query_parser.rb +116 -121
data/lib/rack/recursive.rb +2 -0
data/lib/rack/reloader.rb +0 -2
data/lib/rack/request.rb +272 -144
data/lib/rack/response.rb +151 -66
data/lib/rack/rewindable_input.rb +27 -5
data/lib/rack/runtime.rb +7 -6
data/lib/rack/sendfile.rb +37 -32
data/lib/rack/show_exceptions.rb +25 -6
data/lib/rack/show_status.rb +17 -9
data/lib/rack/static.rb +11 -15
data/lib/rack/tempfile_reaper.rb +15 -4
data/lib/rack/urlmap.rb +3 -1
data/lib/rack/utils.rb +234 -275
data/lib/rack/version.rb +3 -15
data/lib/rack.rb +13 -90
metadata +15 -41
data/README.rdoc +0 -355
data/Rakefile +0 -130
data/bin/rackup +0 -5
data/contrib/rack.png +0 -0
data/contrib/rack.svg +0 -150
data/contrib/rack_logo.svg +0 -164
data/contrib/rdoc.css +0 -412
data/example/lobster.ru +0 -6
data/example/protectedlobster.rb +0 -16
data/example/protectedlobster.ru +0 -10
data/lib/rack/auth/digest/md5.rb +0 -131
data/lib/rack/auth/digest/nonce.rb +0 -53
data/lib/rack/auth/digest/params.rb +0 -54
data/lib/rack/auth/digest/request.rb +0 -43
data/lib/rack/chunked.rb +0 -117
data/lib/rack/core_ext/regexp.rb +0 -14
data/lib/rack/file.rb +0 -7
data/lib/rack/handler/cgi.rb +0 -59
data/lib/rack/handler/fastcgi.rb +0 -100
data/lib/rack/handler/lsws.rb +0 -61
data/lib/rack/handler/scgi.rb +0 -71
data/lib/rack/handler/thin.rb +0 -34
data/lib/rack/handler/webrick.rb +0 -129
data/lib/rack/handler.rb +0 -104
data/lib/rack/lobster.rb +0 -70
data/lib/rack/logger.rb +0 -20
data/lib/rack/server.rb +0 -466
data/lib/rack/session/abstract/id.rb +0 -523
data/lib/rack/session/cookie.rb +0 -203
data/lib/rack/session/memcache.rb +0 -10
data/lib/rack/session/pool.rb +0 -90
data/rack.gemspec +0 -46

data/lib/rack/utils.rb CHANGED Viewed

@@ -6,32 +6,33 @@ require 'fileutils'
 require 'set'
 require 'tempfile'
 require 'time'
+require 'erb'
 require_relative 'query_parser'
+require_relative 'mime'
+require_relative 'headers'
+require_relative 'constants'
 module Rack
   # Rack::Utils contains a grab-bag of useful methods for writing web
   # applications adopted from all kinds of Ruby libraries.
   module Utils
-    (require_relative 'core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
     ParameterTypeError = QueryParser::ParameterTypeError
     InvalidParameterError = QueryParser::InvalidParameterError
+    ParamsTooDeepError = QueryParser::ParamsTooDeepError
     DEFAULT_SEP = QueryParser::DEFAULT_SEP
     COMMON_SEP = QueryParser::COMMON_SEP
     KeySpaceConstrainedParams = QueryParser::Params
-    RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
-    RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
-    RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
+    URI_PARSER = defined?(::URI::RFC2396_PARSER) ? ::URI::RFC2396_PARSER : ::URI::DEFAULT_PARSER
     class << self
       attr_accessor :default_query_parser
     end
-    # The default number of bytes to allow parameter keys to take up.
-    # This helps prevent a rogue client from flooding a Request.
-    self.default_query_parser = QueryParser.make_default(65536, 100)
+    # The default amount of nesting to allowed by hash parameters.
+    # This helps prevent a rogue client from triggering a possible stack overflow
+    # when parsing parameters.
+    self.default_query_parser = QueryParser.make_default(32)
     module_function
@@ -43,13 +44,13 @@ module Rack
     # Like URI escaping, but with %20 instead of +. Strictly speaking this is
     # true URI escaping.
     def escape_path(s)
-      RFC2396_PARSER.escape s
+      URI_PARSER.escape s
     end
     # Unescapes the **path** component of a URI.  See Rack::Utils.unescape for
     # unescaping query parameters or form components.
     def unescape_path(s)
-      RFC2396_PARSER.unescape s
+      URI_PARSER.unescape s
     end
     # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
@@ -86,14 +87,6 @@ module Rack
       self.default_query_parser = self.default_query_parser.new_depth_limit(v)
     end
-    def self.key_space_limit
-      default_query_parser.key_space_limit
-    end
-    def self.key_space_limit=(v)
-      self.default_query_parser = self.default_query_parser.new_space_limit(v)
-    end
     if defined?(Process::CLOCK_MONOTONIC)
       def clock_time
         Process.clock_gettime(Process::CLOCK_MONOTONIC)
@@ -132,13 +125,13 @@ module Rack
         }.join("&")
       when Hash
         value.map { |k, v|
-          build_nested_query(v, prefix ? "#{prefix}[#{escape(k)}]" : escape(k))
+          build_nested_query(v, prefix ? "#{prefix}[#{k}]" : k)
         }.delete_if(&:empty?).join('&')
       when nil
-        prefix
+        escape(prefix)
       else
         raise ArgumentError, "value must be a Hash" if prefix.nil?
-        "#{prefix}=#{escape(value)}"
+        "#{escape(prefix)}=#{escape(value)}"
       end
     end
@@ -153,6 +146,20 @@ module Rack
       end
     end
+    def forwarded_values(forwarded_header)
+      return nil unless forwarded_header
+      forwarded_header = forwarded_header.to_s.gsub("\n", ";")
+      forwarded_header.split(';').each_with_object({}) do |field, values|
+        field.split(',').each do |pair|
+          pair = pair.split('=').map(&:strip).join('=')
+          return nil unless pair =~ /\A(by|for|host|proto)="?([^"]+)"?\Z/i
+          (values[$1.downcase.to_sym] ||= []) << $2
+        end
+      end
+    end
+    module_function :forwarded_values
     # Return best accept value to use, based on the algorithm
     # in RFC 2616 Section 14.  If there are multiple best
     # matches (same specificity and quality), the value returned
@@ -167,60 +174,36 @@ module Rack
       end.compact.sort_by do |match, quality|
         (match.split('/', 2).count('*') * -10) + quality
       end.last
-      matches && matches.first
+      matches&.first
     end
-    ESCAPE_HTML = {
-      "&" => "&amp;",
-      "<" => "&lt;",
-      ">" => "&gt;",
-      "'" => "&#x27;",
-      '"' => "&quot;",
-      "/" => "&#x2F;"
-    }
-    ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
-    # Escape ampersands, brackets and quotes to their HTML/XML entities.
-    def escape_html(string)
-      string.to_s.gsub(ESCAPE_HTML_PATTERN){|c| ESCAPE_HTML[c] }
+    # Introduced in ERB 4.0. ERB::Escape is an alias for ERB::Utils which
+    # doesn't get monkey-patched by rails
+    if defined?(ERB::Escape) && ERB::Escape.instance_method(:html_escape)
+      define_method(:escape_html, ERB::Escape.instance_method(:html_escape))
+    # :nocov:
+    # Ruby 3.2/ERB 4.0 added ERB::Escape#html_escape, so the else
+    # branch cannot be hit on the current Ruby version.
+    else
+      require 'cgi/escape'
+      # Escape ampersands, brackets and quotes to their HTML/XML entities.
+      def escape_html(string)
+        CGI.escapeHTML(string.to_s)
+      end
+    # :nocov:
     end
-    # Given an array of available encoding strings, and an array of
-    # acceptable encodings for a request, where each element of the
-    # acceptable encodings array is an array where the first element
-    # is an encoding name and the second element is the numeric
-    # priority for the encoding, return the available encoding with
-    # the highest priority.
-    #
-    # The accept_encoding argument is typically generated by calling
-    # Request#accept_encoding.
-    #
-    # Example:
-    #
-    #   select_best_encoding(%w(compress gzip identity),
-    #                        [["compress", 0.5], ["gzip", 1.0]])
-    #   # => "gzip"
-    #
-    # To reduce denial of service potential, only the first 16
-    # acceptable encodings are considered.
     def select_best_encoding(available_encodings, accept_encoding)
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
-      # Only process the first 16 encodings
-      accept_encoding = accept_encoding[0...16]
       expanded_accept_encoding = []
-      wildcard_seen = false
       accept_encoding.each do |m, q|
         preference = available_encodings.index(m) || available_encodings.size
         if m == "*"
-          unless wildcard_seen
-            (available_encodings - accept_encoding.map(&:first)).each do |m2|
-              expanded_accept_encoding << [m2, q, preference]
-            end
-            wildcard_seen = true
+          (available_encodings - accept_encoding.map(&:first)).each do |m2|
+            expanded_accept_encoding << [m2, q, preference]
           end
         else
           expanded_accept_encoding << [m, q, preference]
@@ -228,13 +211,7 @@ module Rack
       end
       encoding_candidates = expanded_accept_encoding
-        .sort do |(_, q1, p1), (_, q2, p2)|
-          if r = (q1 <=> q2).nonzero?
-            -r
-          else
-            (p1 <=> p2).nonzero? || 0
-          end
-        end
+        .sort_by { |_, q, p| [-q, p] }
         .map!(&:first)
       unless encoding_candidates.include?("identity")
@@ -248,24 +225,69 @@ module Rack
       (encoding_candidates & available_encodings)[0]
     end
-    def parse_cookies(env)
-      parse_cookies_header env[HTTP_COOKIE]
-    end
+    # :call-seq:
+    #   parse_cookies_header(value) -> hash
+    #
+    # Parse cookies from the provided header +value+ according to RFC6265. The
+    # syntax for cookie headers only supports semicolons. Returns a map of
+    # cookie +key+ to cookie +value+.
+    #
+    #   parse_cookies_header('myname=myvalue; max-age=0')
+    #   # => {"myname"=>"myvalue", "max-age"=>"0"}
+    #
+    def parse_cookies_header(value)
+      return {} unless value
-    def parse_cookies_header(header)
-      # According to RFC 6265:
-      # The syntax for cookie headers only supports semicolons
-      # User Agent -> Server ==
-      # Cookie: SID=31d4d96e407aad42; lang=en-US
-      return {} unless header
-      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
+      value.split(/; */n).each_with_object({}) do |cookie, cookies|
         next if cookie.empty?
         key, value = cookie.split('=', 2)
         cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
       end
     end
-    def add_cookie_to_header(header, key, value)
+    # :call-seq:
+    #   parse_cookies(env) -> hash
+    #
+    # Parse cookies from the provided request environment using
+    # parse_cookies_header. Returns a map of cookie +key+ to cookie +value+.
+    #
+    #   parse_cookies({'HTTP_COOKIE' => 'myname=myvalue'})
+    #   # => {'myname' => 'myvalue'}
+    #
+    def parse_cookies(env)
+      parse_cookies_header env[HTTP_COOKIE]
+    end
+    # A valid cookie key according to RFC6265 and RFC2616.
+    # A <cookie-name> can be any US-ASCII characters, except control characters, spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " / [ ] ? = { }.
+    VALID_COOKIE_KEY = /\A[!#$%&'*+\-\.\^_`|~0-9a-zA-Z]+\z/.freeze
+    private_constant :VALID_COOKIE_KEY
+    # :call-seq:
+    #   set_cookie_header(key, value) -> encoded string
+    #
+    # Generate an encoded string using the provided +key+ and +value+ suitable
+    # for the +set-cookie+ header according to RFC6265. The +value+ may be an
+    # instance of either +String+ or +Hash+. If the cookie key is invalid (as
+    # defined by RFC6265), an +ArgumentError+ will be raised.
+    #
+    # If the cookie +value+ is an instance of +Hash+, it considers the following
+    # cookie attribute keys: +domain+, +max_age+, +expires+ (must be instance
+    # of +Time+), +secure+, +http_only+, +same_site+ and +value+. For more
+    # details about the interpretation of these fields, consult
+    # [RFC6265 Section 5.2](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2).
+    #
+    #   set_cookie_header("myname", "myvalue")
+    #   # => "myname=myvalue"
+    #
+    #   set_cookie_header("myname", {value: "myvalue", max_age: 10})
+    #   # => "myname=myvalue; max-age=10"
+    #
+    def set_cookie_header(key, value)
+      unless key =~ VALID_COOKIE_KEY
+        raise ArgumentError, "invalid cookie key: #{key.inspect}"
+      end
       case value
       when Hash
         domain  = "; domain=#{value[:domain]}"   if value[:domain]
@@ -273,124 +295,121 @@ module Rack
         max_age = "; max-age=#{value[:max_age]}" if value[:max_age]
         expires = "; expires=#{value[:expires].httpdate}" if value[:expires]
         secure = "; secure"  if value[:secure]
-        httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
+        httponly = "; httponly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
         same_site =
           case value[:same_site]
           when false, nil
             nil
           when :none, 'None', :None
-            '; SameSite=None'
+            '; samesite=none'
           when :lax, 'Lax', :Lax
-            '; SameSite=Lax'
+            '; samesite=lax'
           when true, :strict, 'Strict', :Strict
-            '; SameSite=Strict'
+            '; samesite=strict'
           else
-            raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}"
+            raise ArgumentError, "Invalid :same_site value: #{value[:same_site].inspect}"
           end
+        partitioned = "; partitioned" if value[:partitioned]
         value = value[:value]
       end
       value = [value] unless Array === value
-      cookie = "#{escape(key)}=#{value.map { |v| escape v }.join('&')}#{domain}" \
-        "#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
+      return "#{key}=#{value.map { |v| escape v }.join('&')}#{domain}" \
+        "#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}#{partitioned}"
+    end
-      case header
-      when nil, ''
-        cookie
-      when String
-        [header, cookie].join("\n")
-      when Array
-        (header + [cookie]).join("\n")
+    # :call-seq:
+    #   set_cookie_header!(headers, key, value) -> header value
+    #
+    # Append a cookie in the specified headers with the given cookie +key+ and
+    # +value+ using set_cookie_header.
+    #
+    # If the headers already contains a +set-cookie+ key, it will be converted
+    # to an +Array+ if not already, and appended to.
+    def set_cookie_header!(headers, key, value)
+      if header = headers[SET_COOKIE]
+        if header.is_a?(Array)
+          header << set_cookie_header(key, value)
+        else
+          headers[SET_COOKIE] = [header, set_cookie_header(key, value)]
+        end
       else
-        raise ArgumentError, "Unrecognized cookie header value. Expected String, Array, or nil, got #{header.inspect}"
+        headers[SET_COOKIE] = set_cookie_header(key, value)
       end
     end
-    def set_cookie_header!(header, key, value)
-      header[SET_COOKIE] = add_cookie_to_header(header[SET_COOKIE], key, value)
-      nil
+    # :call-seq:
+    #   delete_set_cookie_header(key, value = {}) -> encoded string
+    #
+    # Generate an encoded string based on the given +key+ and +value+ using
+    # set_cookie_header for the purpose of causing the specified cookie to be
+    # deleted. The +value+ may be an instance of +Hash+ and can include
+    # attributes as outlined by set_cookie_header. The encoded cookie will have
+    # a +max_age+ of 0 seconds, an +expires+ date in the past and an empty
+    # +value+. When used with the +set-cookie+ header, it will cause the client
+    # to *remove* any matching cookie.
+    #
+    #   delete_set_cookie_header("myname")
+    #   # => "myname=; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT"
+    #
+    def delete_set_cookie_header(key, value = {})
+      set_cookie_header(key, value.merge(max_age: '0', expires: Time.at(0), value: ''))
     end
-    def make_delete_cookie_header(header, key, value)
-      case header
-      when nil, ''
-        cookies = []
-      when String
-        cookies = header.split("\n")
-      when Array
-        cookies = header
-      end
-      key = escape(key)
-      domain = value[:domain]
-      path = value[:path]
-      regexp = if domain
-                 if path
-                   /\A#{key}=.*(?:domain=#{domain}(?:;|$).*path=#{path}(?:;|$)|path=#{path}(?:;|$).*domain=#{domain}(?:;|$))/
-                 else
-                   /\A#{key}=.*domain=#{domain}(?:;|$)/
-                 end
-               elsif path
-                 /\A#{key}=.*path=#{path}(?:;|$)/
-               else
-                 /\A#{key}=/
-               end
-      cookies.reject! { |cookie| regexp.match? cookie }
+    def delete_cookie_header!(headers, key, value = {})
+      headers[SET_COOKIE] = delete_set_cookie_header!(headers[SET_COOKIE], key, value)
-      cookies.join("\n")
+      return nil
     end
-    def delete_cookie_header!(header, key, value = {})
-      header[SET_COOKIE] = add_remove_cookie_to_header(header[SET_COOKIE], key, value)
-      nil
-    end
-    # Adds a cookie that will *remove* a cookie from the client.  Hence the
-    # strange method name.
-    def add_remove_cookie_to_header(header, key, value = {})
-      new_header = make_delete_cookie_header(header, key, value)
-      add_cookie_to_header(new_header, key,
-                 { value: '', path: nil, domain: nil,
-                   max_age: '0',
-                   expires: Time.at(0) }.merge(value))
+    # :call-seq:
+    #   delete_set_cookie_header!(header, key, value = {}) -> header value
+    #
+    # Set an expired cookie in the specified headers with the given cookie
+    # +key+ and +value+ using delete_set_cookie_header. This causes
+    # the client to immediately delete the specified cookie.
+    #
+    #   delete_set_cookie_header!(nil, "mycookie")
+    #   # => "mycookie=; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT"
+    #
+    # If the header is non-nil, it will be modified in place.
+    #
+    #   header = []
+    #   delete_set_cookie_header!(header, "mycookie")
+    #   # => ["mycookie=; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT"]
+    #   header
+    #   # => ["mycookie=; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT"]
+    #
+    def delete_set_cookie_header!(header, key, value = {})
+      if header
+        header = Array(header)
+        header << delete_set_cookie_header(key, value)
+      else
+        header = delete_set_cookie_header(key, value)
+      end
+      return header
     end
     def rfc2822(time)
       time.rfc2822
     end
-    # Modified version of stdlib time.rb Time#rfc2822 to use '%d-%b-%Y' instead
-    # of '% %b %Y'.
-    # It assumes that the time is in GMT to comply to the RFC 2109.
-    #
-    # NOTE: I'm not sure the RFC says it requires GMT, but is ambiguous enough
-    # that I'm certain someone implemented only that option.
-    # Do not use %a and %b from Time.strptime, it would use localized names for
-    # weekday and month.
-    #
-    def rfc2109(time)
-      wday = RFC2822_DAY_NAME[time.wday]
-      mon = RFC2822_MONTH_NAME[time.mon - 1]
-      time.strftime("#{wday}, %d-#{mon}-%Y %H:%M:%S GMT")
-    end
     # Parses the "Range:" header, if present, into an array of Range objects.
     # Returns nil if the header is missing or syntactically invalid.
     # Returns an empty array if none of the ranges are satisfiable.
-    def byte_ranges(env, size, max_ranges: 100)
-      get_byte_ranges env['HTTP_RANGE'], size, max_ranges: max_ranges
+    def byte_ranges(env, size)
+      get_byte_ranges env['HTTP_RANGE'], size
     end
-    def get_byte_ranges(http_range, size, max_ranges: 100)
+    def get_byte_ranges(http_range, size)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
+      # Ignore Range when file size is 0 to avoid a 416 error.
+      return nil if size.zero?
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
-      byte_range = $1
-      return nil if byte_range.count(',') >= max_ranges
       ranges = []
-      byte_range.split(/,[ \t]*/).each do |range_spec|
+      $1.split(/,[ \t]*/).each do |range_spec|
         return nil unless range_spec.include?('-')
         range = range_spec.split('-')
         r0, r1 = range[0], range[1]
@@ -413,25 +432,35 @@ module Rack
         ranges << (r0..r1)  if r0 <= r1
       end
-      return [] if ranges.map(&:size).inject(0, :+) > size
+      return [] if ranges.map(&:size).sum > size
       ranges
     end
-    # Constant time string comparison.
-    #
-    # NOTE: the values compared should be of fixed length, such as strings
-    # that have already been processed by HMAC. This should not be used
-    # on variable length plaintext strings because it could leak length info
-    # via timing attacks.
-    def secure_compare(a, b)
-      return false unless a.bytesize == b.bytesize
+    # :nocov:
+    if defined?(OpenSSL.fixed_length_secure_compare)
+      # Constant time string comparison.
+      #
+      # NOTE: the values compared should be of fixed length, such as strings
+      # that have already been processed by HMAC. This should not be used
+      # on variable length plaintext strings because it could leak length info
+      # via timing attacks.
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
-      l = a.unpack("C*")
+        OpenSSL.fixed_length_secure_compare(a, b)
+      end
+    # :nocov:
+    else
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
-      r, i = 0, -1
-      b.each_byte { |v| r |= v ^ l[i += 1] }
-      r == 0
+        l = a.unpack("C*")
+        r, i = 0, -1
+        b.each_byte { |v| r |= v ^ l[i += 1] }
+        r == 0
+      end
     end
     # Context allows the use of a compatible middleware at different points
@@ -460,101 +489,12 @@ module Rack
       end
     end
-    # A case-insensitive Hash that preserves the original case of a
-    # header when set.
-    #
-    # @api private
-    class HeaderHash < Hash # :nodoc:
-      def self.[](headers)
-        if headers.is_a?(HeaderHash) && !headers.frozen?
-          return headers
-        else
-          return self.new(headers)
-        end
-      end
-      def initialize(hash = {})
-        super()
-        @names = {}
-        hash.each { |k, v| self[k] = v }
-      end
-      # on dup/clone, we need to duplicate @names hash
-      def initialize_copy(other)
-        super
-        @names = other.names.dup
-      end
-      # on clear, we need to clear @names hash
-      def clear
-        super
-        @names.clear
-      end
-      def each
-        super do |k, v|
-          yield(k, v.respond_to?(:to_ary) ? v.to_ary.join("\n") : v)
-        end
-      end
-      def to_hash
-        hash = {}
-        each { |k, v| hash[k] = v }
-        hash
-      end
-      def [](k)
-        super(k) || super(@names[k.downcase])
-      end
-      def []=(k, v)
-        canonical = k.downcase.freeze
-        delete k if @names[canonical] && @names[canonical] != k # .delete is expensive, don't invoke it unless necessary
-        @names[canonical] = k
-        super k, v
-      end
-      def delete(k)
-        canonical = k.downcase
-        result = super @names.delete(canonical)
-        result
-      end
-      def include?(k)
-        super || @names.include?(k.downcase)
-      end
-      alias_method :has_key?, :include?
-      alias_method :member?, :include?
-      alias_method :key?, :include?
-      def merge!(other)
-        other.each { |k, v| self[k] = v }
-        self
-      end
-      def merge(other)
-        hash = dup
-        hash.merge! other
-      end
-      def replace(other)
-        clear
-        other.each { |k, v| self[k] = v }
-        self
-      end
-      protected
-        def names
-          @names
-        end
-    end
     # Every standard HTTP code mapped to the appropriate message.
     # Generated with:
-    #   curl -s https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv | \
-    #     ruby -ne 'm = /^(\d{3}),(?!Unassigned|\(Unused\))([^,]+)/.match($_) and \
-    #               puts "#{m[1]} => \x27#{m[2].strip}\x27,"'
+    #   curl -s https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv \
+    #     | ruby -rcsv -e "puts CSV.parse(STDIN, headers: true) \
+    #     .reject {|v| v['Description'] == 'Unassigned' or v['Description'].include? '(' } \
+    #     .map {|v| %Q/#{v['Value']} => '#{v['Description']}'/ }.join(','+?\n)"
     HTTP_STATUS_CODES = {
       100 => 'Continue',
       101 => 'Switching Protocols',
@@ -576,7 +516,6 @@ module Rack
       303 => 'See Other',
       304 => 'Not Modified',
       305 => 'Use Proxy',
-      306 => '(Unused)',
       307 => 'Temporary Redirect',
       308 => 'Permanent Redirect',
       400 => 'Bad Request',
@@ -592,13 +531,13 @@ module Rack
       410 => 'Gone',
       411 => 'Length Required',
       412 => 'Precondition Failed',
-      413 => 'Payload Too Large',
+      413 => 'Content Too Large',
       414 => 'URI Too Long',
       415 => 'Unsupported Media Type',
       416 => 'Range Not Satisfiable',
       417 => 'Expectation Failed',
       421 => 'Misdirected Request',
-      422 => 'Unprocessable Entity',
+      422 => 'Unprocessable Content',
       423 => 'Locked',
       424 => 'Failed Dependency',
       425 => 'Too Early',
@@ -606,7 +545,7 @@ module Rack
       428 => 'Precondition Required',
       429 => 'Too Many Requests',
       431 => 'Request Header Fields Too Large',
-      451 => 'Unavailable for Legal Reasons',
+      451 => 'Unavailable For Legal Reasons',
       500 => 'Internal Server Error',
       501 => 'Not Implemented',
       502 => 'Bad Gateway',
@@ -616,8 +555,6 @@ module Rack
       506 => 'Variant Also Negotiates',
       507 => 'Insufficient Storage',
       508 => 'Loop Detected',
-      509 => 'Bandwidth Limit Exceeded',
-      510 => 'Not Extended',
       511 => 'Network Authentication Required'
     }
@@ -625,12 +562,34 @@ module Rack
     STATUS_WITH_NO_ENTITY_BODY = Hash[((100..199).to_a << 204 << 304).product([true])]
     SYMBOL_TO_STATUS_CODE = Hash[*HTTP_STATUS_CODES.map { |code, message|
-      [message.downcase.gsub(/\s|-|'/, '_').to_sym, code]
+      [message.downcase.gsub(/\s|-/, '_').to_sym, code]
     }.flatten]
+    OBSOLETE_SYMBOLS_TO_STATUS_CODES = {
+      payload_too_large: 413,
+      unprocessable_entity: 422,
+      bandwidth_limit_exceeded: 509,
+      not_extended: 510
+    }.freeze
+    private_constant :OBSOLETE_SYMBOLS_TO_STATUS_CODES
+    OBSOLETE_SYMBOL_MAPPINGS = {
+      payload_too_large: :content_too_large,
+      unprocessable_entity: :unprocessable_content
+    }.freeze
+    private_constant :OBSOLETE_SYMBOL_MAPPINGS
     def status_code(status)
       if status.is_a?(Symbol)
-        SYMBOL_TO_STATUS_CODE.fetch(status) { raise ArgumentError, "Unrecognized status code #{status.inspect}" }
+        SYMBOL_TO_STATUS_CODE.fetch(status) do
+          fallback_code = OBSOLETE_SYMBOLS_TO_STATUS_CODES.fetch(status) { raise ArgumentError, "Unrecognized status code #{status.inspect}" }
+          message = "Status code #{status.inspect} is deprecated and will be removed in a future version of Rack."
+          if canonical_symbol = OBSOLETE_SYMBOL_MAPPINGS[status]
+            message = "#{message} Please use #{canonical_symbol.inspect} instead."
+          end
+          warn message, uplevel: 3
+          fallback_code
+        end
       else
         status.to_i
       end