rack 3.0.10 → 3.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '02708966a52d0c3f5837969a1be34245fe608b2b195e05a5f6d01a192c54a104'
-  data.tar.gz: ce9f131cb863d4c4fd215cfc612cad5f90368187d20eaabd70db6f5cc8fd14ea
+  metadata.gz: eaf18cf63641b74f599535734eddaf9886c6ffa7f7b00d9aca768715b25498f9
+  data.tar.gz: 375ef784b899a1f936505dfffef3d6da3ee0f546e0f90d475a9a4db3264281cc
 SHA512:
-  metadata.gz: 5d7a4f539b7abd7e28908da9c34d29ef6df3a1bb80e52ec656dc9324bdf5573b2213e82bb01175327f701c9275f404a790ddb3ee42ceeba7dac0d579f68f6cd6
-  data.tar.gz: 125fb761b1d4e979936a4587146c41623d03c26561c8e36501efb25735cb8ff122bcf2fe77382850ea3c28559ef2aa3f5dba64dba86530c02359a6be6ac0a3bf
+  metadata.gz: 41667c1b8b3e3fe9ac3dd9c22f456a8eb5b756c310c28af98dd7b9ce998eed1a224c39c680019dabb3dedd32cff762d1274a63770f2372a12874f92d026713a6
+  data.tar.gz: ca3837da3ae9a4bf02cf540661c00755e9db416d6c2b268e92df759f77a882646da3b3cb229668ccc409d0764fccb70fcba34134cbece934927adda5a14e5564

data/CHANGELOG.md

@@ -2,12 +2,93 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [3.1.6] - 2024-07-03
+
+- Fix several edge cases in `Rack::Request#parse_http_accept_header`'s implementation. ([#2226](https://github.com/rack/rack/pull/2226), [@ioquatix])
+
+## [3.1.5] - 2024-07-02
+
+### Security
+
+- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
+
+## [3.1.4] - 2024-06-22
+
+### Fixed
+
+- Fix `Rack::Lint` matching some paths incorrectly as authority form. ([#2220](https://github.com/rack/rack/pull/2220), [@ioquatix])
+
+## [3.1.3] - 2024-06-12
+
+### Fixed
+
+- Fix passing non-strings to `Rack::Utils.escape_html`. ([#2202](https://github.com/rack/rack/pull/2202), [@earlopain])
+- `Rack::MockResponse` gracefully handles empty cookies ([#2203](https://github.com/rack/rack/pull/2203) [@wynksaiddestroy](https://github.com/wynksaiddestroy))
+
+## [3.1.2] - 2024-06-11
+
+## Changed
+
+- `Rack::Response` will take in to consideration chunked encoding responses ([#2204](https://github.com/rack/rack/pull/2204), [@tenderlove])
+
+## [3.1.1] - 2024-06-11
+
+- Oops, I shouldn't have shipped this
+
+## [3.1.0] - 2024-06-11
+
+### SPEC Changes
+
+- `rack.input` is now optional. ([#1997](https://github.com/rack/rack/pull/1997), [@ioquatix])
+- `PATH_INFO` is now validated according to the HTTP/1.1 specification. ([#2117](https://github.com/rack/rack/pull/2117), [@ioquatix])
+- `rack.protocol` is an optional environment key and response header for handling connection upgrades.
+
+### Added
+
+- Introduce `module Rack::BadRequest` which is included in multipart and query parser errors. ([#2019](https://github.com/rack/rack/pull/2019), [@ioquatix])
+- Add `.mjs` MIME type ([#2057](https://github.com/rack/rack/pull/2057), [@axilleas])
+- `set_cookie_header` utility now supports the `partitioned` cookie attribute. This is required by Chrome in some embedded contexts. ([#2131](https://github.com/rack/rack/pull/2131), [@flavio-b])
+- `rack.early_hints` is now officially supported as an optional feature (already implemented by Unicorn, Puma, and Falcon). ([#1831](https://github.com/rack/rack/pull/1831), [@casperisfine, @jeremyevans])
+
+### Changed
+
+- `rack.input` is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. ([#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
+- MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` ([`1bd0f15`](https://github.com/rack/rack/commit/1bd0f1597d8f4a90d47115f3e156a8ce7870c9c8))
+- Update MIME types associated to `.ttf`, `.woff`, `.woff2` and `.otf` extensions to use mondern `font/*` types. ([#2065](https://github.com/rack/rack/pull/2065), [@davidstosik])
+- `Rack::Utils.escape_html` is now delegated to `CGI.escapeHTML`. `'` is escaped to `#39;` instead of `#x27;`. (decimal vs hexadecimal) ([#2099](https://github.com/rack/rack/pull/2099), [@JunichiIto](https://github.com/JunichiIto))
+- Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. ([#2191](https://github.com/rack/rack/pull/2191), [@ioquatix])
+
+### Removed
+
+- Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn])
+- Add fallback lookup and deprecation warning for obsolete status symbols. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn])
+- Deprecate automatic cache invalidation in `Request#{GET,POST}` ([#2073](https://github.com/rack/rack/pull/2073) ([@jeremyevans])
+- `Rack::Logger` is deprecated. ([#2197](https://github.com/rack/rack/pull/2197), [@ioquatix])
+
+### Fixed
+
+- In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
+
+## [3.0.11] - 2024-05-10
+
+- Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
 
 ## [3.0.10] - 2024-03-21
 
 - Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. ([#2164](https://github.com/rack/rack/pull/2164), [@JoeDupuis](https://github.com/JoeDupuis))
 
+## [3.0.9.1] - 2024-02-21
+
+### Security
+
+* [CVE-2024-26146] Fixed ReDoS in Accept header parsing
+* [CVE-2024-25126] Fixed ReDoS in Content Type header parsing
+* [CVE-2024-26141] Reject Range headers which are too large
+
+[CVE-2024-26146]: https://github.com/advisories/GHSA-54rr-7fvw-6x8f
+[CVE-2024-25126]: https://github.com/advisories/GHSA-22f2-v57c-j9cx
+[CVE-2024-26141]: https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
+
 ## [3.0.9] - 2024-01-31
 
 - Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson](https://github.com/mattbrictson))
@@ -22,6 +103,8 @@ All notable changes to this project will be documented in this file. For info on
 
 ## [3.0.6.1] - 2023-03-13
 
+### Security
+
 - [CVE-2023-27539] Avoid ReDoS in header parsing
 
 ## [3.0.6] - 2023-03-13
@@ -32,12 +115,16 @@ All notable changes to this project will be documented in this file. For info on
 
 - Split form/query parsing into two steps. ([#2038](https://github.com/rack/rack/pull/2038), [@matthewd](https://github.com/matthewd))
 
-## [3.0.4.1] - 2023-03-02
+## [3.0.4.2] - 2023-03-02
+
+### Security
 
 - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
 
 ## [3.0.4.1] - 2023-01-17
 
+### Security
+
 - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
 - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
 - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
@@ -110,7 +197,7 @@ All notable changes to this project will be documented in this file. For info on
 - Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
 - Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
 - Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
-- Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
+- Extract `rackup` command, `Rack::Server`, `Rack::Handler`, `Rack::Lobster` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
 
 ### Added
 
@@ -165,6 +252,8 @@ All notable changes to this project will be documented in this file. For info on
 
 ## [2.2.3.1] - 2022-05-27
 
+### Security
+
 - [CVE-2022-30123] Fix shell escaping issue in Common Logger
 - [CVE-2022-30122] Restrict parsing of broken MIME attachments
 
@@ -872,3 +961,4 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
 [@amatsuda]: https://github.com/amatsuda "Akira Matsuda"
 [@wjordan]: https://github.com/wjordan "Will Jordan"
 [@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
+[@davidstosik]: https://github.com/davidstosik "David Stosik"

data/CONTRIBUTING.md

@@ -5,6 +5,15 @@ contributors](https://github.com/rack/rack/graphs/contributors). You're
 encouraged to submit [pull requests](https://github.com/rack/rack/pulls) and
 [propose features and discuss issues](https://github.com/rack/rack/issues).
 
+## Backports
+
+Only security patches are ideal for backporting to non-main release versions. If
+you're not sure if your bug fix is backportable, you should open a discussion to
+discuss it first.
+
+The [Security Policy] documents which release versions will receive security
+backports.
+
 ## Fork the Project
 
 Fork the [project on GitHub](https://github.com/rack/rack) and check out your
@@ -27,15 +36,6 @@ git pull upstream main
 git checkout -b my-feature-branch
 ```
 
-## Bundle Install and Quick Test
-
-Ensure that you can build the project and run quick tests.
-
-```
-bundle install --without extra
-bundle exec rake test
-```
-
 ## Running All Tests
 
 Install all dependencies.
@@ -140,3 +140,5 @@ there!
 
 Please do know that we really appreciate and value your time and work. We love
 you, really.
+
+[Security Policy]: SECURITY.md

data/README.md

@@ -1,10 +1,5 @@
 # ![Rack](contrib/logo.webp)
 
-> **_NOTE:_** Rack v3.0.0 was recently released. Please check the [Upgrade
-> Guide](UPGRADE-GUIDE.md) for more details about migrating your existing
-> servers, middlewares and applications. For detailed information on specific
-> changes, check the [Change Log](CHANGELOG.md).
-
 Rack provides a minimal, modular, and adaptable interface for developing web
 applications in Ruby. By wrapping HTTP requests and responses in the simplest
 way possible, it unifies and distills the bridge between web servers, web
@@ -13,6 +8,32 @@ frameworks, and web application into a single method call.
 The exact details of this are described in the [Rack Specification], which all
 Rack applications should conform to.
 
+## Version support
+
+| Version  | Support                            |
+|----------|------------------------------------|
+|    3.0.x | Bug fixes and security patches.    |
+|    2.2.x | Security patches only.             |
+| <= 2.1.x | End of support.                    |
+
+Please see the [Security Policy] for more information.
+
+## Rack 3.0
+
+This is the latest version of Rack. It contains API improvements but also some
+breaking changes. Please check the [Upgrade Guide](UPGRADE-GUIDE.md) for more
+details about migrating servers, middlewares and applications designed for Rack 2
+to Rack 3. For detailed information on specific changes, check the [Change Log](CHANGELOG.md).
+
+## Rack 2.2
+
+This version of Rack is receiving security patches only, and effort should be
+made to move to Rack 3.
+
+Starting in Ruby 3.4 the `base64` dependency will no longer be a default gem,
+and may cause a warning or error about `base64` being missing. To correct this,
+add `base64` as a dependency to your project.
+
 ## Installation
 
 Add the rack gem to your application bundle, or follow the instructions provided
@@ -20,10 +41,10 @@ by a [supported web framework](#supported-web-frameworks):
 
 ```bash
 # Install it generally:
-$ gem install rack --pre
+$ gem install rack
 
 # or, add it to your current application gemfile:
-$ bundle add rack --version 3.0.0
+$ bundle add rack
 ```
 
 If you need features from `Rack::Session` or `bin/rackup` please add those gems separately.
@@ -57,7 +78,7 @@ Hello World
 Rack is supported by a wide range of servers, including:
 
 * [Agoo](https://github.com/ohler55/agoo)
-* [Falcon](https://github.com/socketry/falcon) **(Rack 3 Compatible)**
+* [Falcon](https://github.com/socketry/falcon)
 * [Iodine](https://github.com/boazsegev/iodine)
 * [NGINX Unit](https://unit.nginx.org/)
 * [Phusion Passenger](https://www.phusionpassenger.com/) (which is mod_rack for
@@ -84,18 +105,15 @@ These frameworks and many others support the [Rack Specification]:
 
 * [Camping](https://github.com/camping/camping)
 * [Hanami](https://hanamirb.org/)
+* [Ramaze](https://github.com/ramaze/ramaze)
 * [Padrino](https://padrinorb.com/)
-* [Roda](https://github.com/jeremyevans/roda) **(Rack 3 Compatible)**
+* [Roda](https://github.com/jeremyevans/roda)
 * [Ruby on Rails](https://rubyonrails.org/)
+* [Rum](https://github.com/leahneukirchen/rum)
 * [Sinatra](https://sinatrarb.com/)
-* [Utopia](https://github.com/socketry/utopia) **(Rack 3 Compatible)**
+* [Utopia](https://github.com/socketry/utopia)
 * [WABuR](https://github.com/ohler55/wabur)
 
-### Older (possibly unsupported) web frameworks
-
-* [Ramaze](http://ramaze.net/)
-* [Rum](https://github.com/leahneukirchen/rum)
-
 ## Available middleware shipped with Rack
 
 Between the server and the framework, Rack can be customized to your
@@ -307,3 +325,4 @@ would like to thank:
 Rack is released under the [MIT License](MIT-LICENSE).
 
 [Rack Specification]: SPEC.rdoc
+[Security Policy]: SECURITY.md

data/SPEC.rdoc

@@ -82,6 +82,10 @@ Rack-specific variables:
 <tt>rack.hijack</tt>:: See below, if present, an object responding
                        to +call+ that is used to perform a full
                        hijack.
+<tt>rack.protocol</tt>:: An optional +Array+ of +String+, containing
+                         the protocols advertised by the client in
+                         the +upgrade+ header (HTTP/1) or the
+                         +:protocol+ pseudo-header (HTTP/2).
 Additional environment specifications have approved to
 standardized middleware APIs. None of these are required to
 be implemented by the server.
@@ -112,7 +116,6 @@ The <tt>SERVER_PORT</tt> must be an Integer if set.
 The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
 The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
 The <tt>SERVER_PROTOCOL</tt> must match the regexp <tt>HTTP/\d(\.\d)?</tt>.
-If the <tt>HTTP_VERSION</tt> is present, it must equal the <tt>SERVER_PROTOCOL</tt>.
 The environment must not contain the keys
 <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
 (use the versions without <tt>HTTP_</tt>).
@@ -121,12 +124,17 @@ If the string values for CGI keys contain non-ASCII characters,
 they should use ASCII-8BIT encoding.
 There are the following restrictions:
 * <tt>rack.url_scheme</tt> must either be +http+ or +https+.
-* There must be a valid input stream in <tt>rack.input</tt>.
+* There may be a valid input stream in <tt>rack.input</tt>.
 * There must be a valid error stream in <tt>rack.errors</tt>.
 * There may be a valid hijack callback in <tt>rack.hijack</tt>
+* There may be a valid early hints callback in <tt>rack.early_hints</tt>
 * The <tt>REQUEST_METHOD</tt> must be a valid token.
 * The <tt>SCRIPT_NAME</tt>, if non-empty, must start with <tt>/</tt>
-* The <tt>PATH_INFO</tt>, if non-empty, must start with <tt>/</tt>
+* The <tt>PATH_INFO</tt>, if provided, must be a valid request target.
+  * Only <tt>OPTIONS</tt> requests may have <tt>PATH_INFO</tt> set to <tt>*</tt> (asterisk-form).
+  * Only <tt>CONNECT</tt> requests may have <tt>PATH_INFO</tt> set to an authority (authority-form). Note that in HTTP/2+, the authority-form is not a valid request target.
+  * <tt>CONNECT</tt> and <tt>OPTIONS</tt> requests must not have <tt>PATH_INFO</tt> set to a URI (absolute-form).
+  * Otherwise, <tt>PATH_INFO</tt> must start with a <tt>/</tt> and must not include a fragment part starting with '#' (origin-form).
 * The <tt>CONTENT_LENGTH</tt>, if given, must consist of digits only.
 * One of <tt>SCRIPT_NAME</tt> or <tt>PATH_INFO</tt> must be
   set. <tt>PATH_INFO</tt> should be <tt>/</tt> if
@@ -144,11 +152,11 @@ exceptions. They should be invoked in reverse order of registration.
 The input stream is an IO-like object which contains the raw HTTP
 POST data.
 When applicable, its external encoding must be "ASCII-8BIT" and it
-must be opened in binary mode, for Ruby 1.9 compatibility.
+must be opened in binary mode.
 The input stream must respond to +gets+, +each+, and +read+.
 * +gets+ must be called without arguments and return a string,
   or +nil+ on EOF.
-* +read+ behaves like IO#read.
+* +read+ behaves like <tt>IO#read</tt>.
   Its signature is <tt>read([length, [buffer]])</tt>.
 
   If given, +length+ must be a non-negative Integer (>= 0) or +nil+,
@@ -166,8 +174,8 @@ The input stream must respond to +gets+, +each+, and +read+.
   If +buffer+ is given, then the read data will be placed
   into +buffer+ instead of a newly created String object.
 * +each+ must be called without arguments and only yield Strings.
-* +close+ can be called on the input stream to indicate that the
-any remaining input is not needed.
+* +close+ can be called on the input stream to indicate that
+  any remaining input is not needed.
 
 === The Error Stream
 
@@ -228,6 +236,16 @@ instance is recommended.
 
 The special response header +rack.hijack+ must only be set
 if the request +env+ has a truthy +rack.hijack?+.
+
+=== Early Hints
+
+The application or any middleware may call the <tt>rack.early_hints</tt>
+with an object which would be valid as the headers of a Rack response.
+
+If <tt>rack.early_hints</tt> is present, it must respond to #call.
+If <tt>rack.early_hints</tt> is called, it must be called with
+valid Rack response headers.
+
 == The Response
 
 === The Status
@@ -249,16 +267,26 @@ Header values must be either a String instance,
 or an Array of String instances,
 such that each String instance must not contain characters below 037.
 
-=== The content-type
+==== The +content-type+ Header
 
 There must not be a <tt>content-type</tt> header key when the +Status+ is 1xx,
 204, or 304.
 
-=== The content-length
+==== The +content-length+ Header
 
 There must not be a <tt>content-length</tt> header key when the
 +Status+ is 1xx, 204, or 304.
 
+==== The +rack.protocol+ Header
+
+If the +rack.protocol+ header is present, it must be a +String+, and
+must be one of the values from the +rack.protocol+ array from the
+environment.
+
+Setting this value informs the server that it should perform a
+connection upgrade. In HTTP/1, this is done using the +upgrade+
+header. In HTTP/2, this is done by accepting the request.
+
 === The Body
 
 The Body is typically an +Array+ of +String+ instances, an enumerable
@@ -301,12 +329,9 @@ the body.
 
 The Enumerable Body must respond to +each+.
 It must only be called once.
-It must not be called after being closed.
+It must not be called after being closed,
 and must only yield String values.
 
-The Body itself should not be an instance of String, as this will
-break in Ruby 1.9.
-
 Middleware must not call +each+ directly on the Body.
 Instead, middleware can return a new Body that calls +each+ on the
 original Body, yielding at least once per iteration.

data/lib/rack/auth/basic.rb

@@ -2,7 +2,6 @@
 
 require_relative 'abstract/handler'
 require_relative 'abstract/request'
-require 'base64'
 
 module Rack
   module Auth
@@ -46,7 +45,7 @@ module Rack
         end
 
         def credentials
-          @credentials ||= Base64.decode64(params).split(':', 2)
+          @credentials ||= params.unpack1('m').split(':', 2)
         end
 
         def username

data/lib/rack/bad_request.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Rack
+  # Represents a 400 Bad Request error when input data fails to meet the
+  # requirements.
+  module BadRequest
+  end
+end

data/lib/rack/body_proxy.rb

@@ -15,7 +15,12 @@ module Rack
 
     # Return whether the wrapped body responds to the method.
     def respond_to_missing?(method_name, include_all = false)
-      super or @body.respond_to?(method_name, include_all)
+      case method_name
+      when :to_str
+        false
+      else
+        super or @body.respond_to?(method_name, include_all)
+      end
     end
 
     # If not already closed, close the wrapped body and
@@ -38,7 +43,18 @@ module Rack
 
     # Delegate missing methods to the wrapped body.
     def method_missing(method_name, *args, &block)
-      @body.__send__(method_name, *args, &block)
+      case method_name
+      when :to_str
+        super
+      when :to_ary
+        begin
+          @body.__send__(method_name, *args, &block)
+        ensure
+          close
+        end
+      else
+        @body.__send__(method_name, *args, &block)
+      end
     end
     # :nocov:
     ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)

data/lib/rack/builder.rb

@@ -2,6 +2,9 @@
 
 require_relative 'urlmap'
 
+module Rack; end
+Rack::BUILDER_TOPLEVEL_BINDING = ->(builder){builder.instance_eval{binding}}
+
 module Rack
   # Rack::Builder provides a domain-specific language (DSL) to construct Rack
   # applications. It is primarily used to parse +config.ru+ files which
@@ -53,15 +56,15 @@ module Rack
     #   Rack::Builder.parse_file('app.rb')
     #   # requires app.rb, which can be anywhere in Ruby's
     #   # load path. After requiring, assumes App constant
-    #   # contains Rack application
+    #   # is a Rack application
     #
     #   Rack::Builder.parse_file('./my_app.rb')
     #   # requires ./my_app.rb, which should be in the
     #   # process's current directory.  After requiring,
-    #   # assumes MyApp constant contains Rack application
-    def self.parse_file(path)
+    #   # assumes MyApp constant is a Rack application
+    def self.parse_file(path, **options)
       if path.end_with?('.ru')
-        return self.load_file(path)
+        return self.load_file(path, **options)
       else
         require path
         return Object.const_get(::File.basename(path, '.rb').split('_').map(&:capitalize).join(''))
@@ -81,7 +84,7 @@ module Rack
     #   use Rack::ContentLength
     #   require './app.rb'
     #   run App
-    def self.load_file(path)
+    def self.load_file(path, **options)
       config = ::File.read(path)
       config.slice!(/\A#{UTF_8_BOM}/) if config.encoding == Encoding::UTF_8
 
@@ -91,16 +94,18 @@ module Rack
 
       config.sub!(/^__END__\n.*\Z/m, '')
 
-      return new_from_string(config, path)
+      return new_from_string(config, path, **options)
     end
 
     # Evaluate the given +builder_script+ string in the context of
     # a Rack::Builder block, returning a Rack application.
-    def self.new_from_string(builder_script, file = "(rackup)")
+    def self.new_from_string(builder_script, path = "(rackup)", **options)
+      builder = self.new(**options)
+
       # We want to build a variant of TOPLEVEL_BINDING with self as a Rack::Builder instance.
       # We cannot use instance_eval(String) as that would resolve constants differently.
-      binding, builder = TOPLEVEL_BINDING.eval('Rack::Builder.new.instance_eval { [binding, self] }')
-      eval builder_script, binding, file
+      binding = BUILDER_TOPLEVEL_BINDING.call(builder)
+      eval(builder_script, binding, path)
 
       return builder.to_app
     end
@@ -108,16 +113,24 @@ module Rack
     # Initialize a new Rack::Builder instance.  +default_app+ specifies the
     # default application if +run+ is not called later.  If a block
     # is given, it is evaluated in the context of the instance.
-    def initialize(default_app = nil, &block)
+    def initialize(default_app = nil, **options, &block)
       @use = []
       @map = nil
       @run = default_app
       @warmup = nil
       @freeze_app = false
+      @options = options
 
       instance_eval(&block) if block_given?
     end
 
+    # Any options provided to the Rack::Builder instance at initialization.
+    # These options can be server-specific. Some general options are:
+    #
+    # * +:isolation+: One of +process+, +thread+ or +fiber+. The execution
+    #   isolation model to use.
+    attr :options
+
     # Create a new Rack::Builder instance and return the Rack application
     # generated from it.
     def self.app(default_app = nil, &block)

data/lib/rack/cascade.rb

@@ -9,9 +9,6 @@ module Rack
   # status codes, return the last response.
 
   class Cascade
-    # deprecated, no longer used
-    NotFound = [404, { CONTENT_TYPE => "text/plain" }, []]
-
     # An array of applications to try in order.
     attr_reader :apps
 

data/lib/rack/constants.rb

@@ -32,6 +32,7 @@ module Rack
   DELETE  = 'DELETE'
   HEAD    = 'HEAD'
   OPTIONS = 'OPTIONS'
+  CONNECT = 'CONNECT'
   LINK    = 'LINK'
   UNLINK  = 'UNLINK'
   TRACE   = 'TRACE'
@@ -39,6 +40,7 @@ module Rack
   # Rack environment variables
   RACK_VERSION                        = 'rack.version'
   RACK_TEMPFILES                      = 'rack.tempfiles'
+  RACK_EARLY_HINTS                    = 'rack.early_hints'
   RACK_ERRORS                         = 'rack.errors'
   RACK_LOGGER                         = 'rack.logger'
   RACK_INPUT                          = 'rack.input'
@@ -54,6 +56,7 @@ module Rack
   RACK_RESPONSE_FINISHED              = 'rack.response_finished'
   RACK_REQUEST_FORM_INPUT             = 'rack.request.form_input'
   RACK_REQUEST_FORM_HASH              = 'rack.request.form_hash'
+  RACK_REQUEST_FORM_PAIRS             = 'rack.request.form_pairs'
   RACK_REQUEST_FORM_VARS              = 'rack.request.form_vars'
   RACK_REQUEST_FORM_ERROR             = 'rack.request.form_error'
   RACK_REQUEST_COOKIE_HASH            = 'rack.request.cookie_hash'