rack 3.0.11 → 3.1.8

data/lib/rack/headers.rb

@@ -1,9 +1,93 @@
+# frozen_string_literal: true
+
 module Rack
   # Rack::Headers is a Hash subclass that downcases all keys.  It's designed
   # to be used by rack applications that don't implement the Rack 3 SPEC
   # (by using non-lowercase response header keys), automatically handling
   # the downcasing of keys.
   class Headers < Hash
+    KNOWN_HEADERS = {}
+    %w(
+      Accept-CH
+      Accept-Patch
+      Accept-Ranges
+      Access-Control-Allow-Credentials
+      Access-Control-Allow-Headers
+      Access-Control-Allow-Methods
+      Access-Control-Allow-Origin
+      Access-Control-Expose-Headers
+      Access-Control-Max-Age
+      Age
+      Allow
+      Alt-Svc
+      Cache-Control
+      Connection
+      Content-Disposition
+      Content-Encoding
+      Content-Language
+      Content-Length
+      Content-Location
+      Content-MD5
+      Content-Range
+      Content-Security-Policy
+      Content-Security-Policy-Report-Only
+      Content-Type
+      Date
+      Delta-Base
+      ETag
+      Expect-CT
+      Expires
+      Feature-Policy
+      IM
+      Last-Modified
+      Link
+      Location
+      NEL
+      P3P
+      Permissions-Policy
+      Pragma
+      Preference-Applied
+      Proxy-Authenticate
+      Public-Key-Pins
+      Referrer-Policy
+      Refresh
+      Report-To
+      Retry-After
+      Server
+      Set-Cookie
+      Status
+      Strict-Transport-Security
+      Timing-Allow-Origin
+      Tk
+      Trailer
+      Transfer-Encoding
+      Upgrade
+      Vary
+      Via
+      WWW-Authenticate
+      Warning
+      X-Cascade
+      X-Content-Duration
+      X-Content-Security-Policy
+      X-Content-Type-Options
+      X-Correlation-ID
+      X-Correlation-Id
+      X-Download-Options
+      X-Frame-Options
+      X-Permitted-Cross-Domain-Policies
+      X-Powered-By
+      X-Redirect-By
+      X-Request-ID
+      X-Request-Id
+      X-Runtime
+      X-UA-Compatible
+      X-WebKit-CS
+      X-XSS-Protection
+    ).each do |str|
+      downcased = str.downcase.freeze
+      KNOWN_HEADERS[str] = KNOWN_HEADERS[downcased] = downcased
+    end
+
     def self.[](*items)
       if items.length % 2 != 0
         if items.length == 1 && items.first.is_a?(Hash)
@@ -28,7 +112,7 @@ module Rack
     end
 
     def []=(key, value)
-      super(key.downcase.freeze, value)
+      super(KNOWN_HEADERS[key] || key.downcase.freeze, value)
     end
     alias store []=
 
@@ -148,7 +232,7 @@ module Rack
     private
 
     def downcase_key(key)
-      key.is_a?(String) ? key.downcase : key
+      key.is_a?(String) ? KNOWN_HEADERS[key] || key.downcase : key
     end
   end
 end

data/lib/rack/lint.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'forwardable'
+require 'uri'
 
 require_relative 'constants'
 require_relative 'utils'
@@ -10,6 +11,11 @@ module Rack
   # responses according to the Rack spec.
 
   class Lint
+    REQUEST_PATH_ORIGIN_FORM = /\A\/[^#]*\z/
+    REQUEST_PATH_ABSOLUTE_FORM = /\A#{Utils::URI_PARSER.make_regexp}\z/
+    REQUEST_PATH_AUTHORITY_FORM = /\A[^\/:]+:\d+\z/
+    REQUEST_PATH_ASTERISK_FORM = '*'
+
     def initialize(app)
       @app = app
     end
@@ -56,9 +62,6 @@ module Rack
         raise LintError, "No env given" unless @env
         check_environment(@env)
 
-        @env[RACK_INPUT] = InputWrapper.new(@env[RACK_INPUT])
-        @env[RACK_ERRORS] = ErrorWrapper.new(@env[RACK_ERRORS])
-
         ## and returns a non-frozen Array of exactly three values:
         @response = @app.call(@env)
         raise LintError, "response is not an Array, but #{@response.class}" unless @response.kind_of? Array
@@ -78,8 +81,9 @@ module Rack
         end
 
         ## and the *body*.
-        check_content_type(@status, @headers)
-        check_content_length(@status, @headers)
+        check_content_type_header(@status, @headers)
+        check_content_length_header(@status, @headers)
+        check_rack_protocol_header(@status, @headers)
         @head_request = @env[REQUEST_METHOD] == HEAD
 
         @lint = (@env['rack.lint'] ||= []) << self
@@ -179,6 +183,16 @@ module Rack
         ##                        to +call+ that is used to perform a full
         ##                        hijack.
 
+        ## <tt>rack.protocol</tt>:: An optional +Array+ of +String+, containing
+        ##                          the protocols advertised by the client in
+        ##                          the +upgrade+ header (HTTP/1) or the
+        ##                          +:protocol+ pseudo-header (HTTP/2).
+        if protocols = @env['rack.protocol']
+          unless protocols.is_a?(Array) && protocols.all?{|protocol| protocol.is_a?(String)}
+            raise LintError, "rack.protocol must be an Array of Strings"
+          end
+        end
+
         ## Additional environment specifications have approved to
         ## standardized middleware APIs. None of these are required to
         ## be implemented by the server.
@@ -265,11 +279,9 @@ module Rack
         ## is reserved for use with the Rack core distribution and other
         ## accepted specifications and must not be used otherwise.
         ##
-
-        %w[REQUEST_METHOD SERVER_NAME QUERY_STRING SERVER_PROTOCOL
-           rack.input rack.errors].each { |header|
+        %w[REQUEST_METHOD SERVER_NAME QUERY_STRING SERVER_PROTOCOL rack.errors].each do |header|
           raise LintError, "env missing required key #{header}" unless env.include? header
-        }
+        end
 
         ## The <tt>SERVER_PORT</tt> must be an Integer if set.
         server_port = env["SERVER_PORT"]
@@ -293,11 +305,6 @@ module Rack
           raise LintError, "env[SERVER_PROTOCOL] does not match HTTP/\\d(\\.\\d)?"
         end
 
-        ## If the <tt>HTTP_VERSION</tt> is present, it must equal the <tt>SERVER_PROTOCOL</tt>.
-        if env['HTTP_VERSION'] && env['HTTP_VERSION'] != server_protocol
-          raise LintError, "env[HTTP_VERSION] does not equal env[SERVER_PROTOCOL]"
-        end
-
         ## The environment must not contain the keys
         ## <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
         ## (use the versions without <tt>HTTP_</tt>).
@@ -328,12 +335,21 @@ module Rack
           raise LintError, "rack.url_scheme unknown: #{env[RACK_URL_SCHEME].inspect}"
         end
 
-        ## * There must be a valid input stream in <tt>rack.input</tt>.
-        check_input env[RACK_INPUT]
+        ## * There may be a valid input stream in <tt>rack.input</tt>.
+        if rack_input = env[RACK_INPUT]
+          check_input_stream(rack_input)
+          @env[RACK_INPUT] = InputWrapper.new(rack_input)
+        end
+
         ## * There must be a valid error stream in <tt>rack.errors</tt>.
-        check_error env[RACK_ERRORS]
+        rack_errors = env[RACK_ERRORS]
+        check_error_stream(rack_errors)
+        @env[RACK_ERRORS] = ErrorWrapper.new(rack_errors)
+
         ## * There may be a valid hijack callback in <tt>rack.hijack</tt>
         check_hijack env
+        ## * There may be a valid early hints callback in <tt>rack.early_hints</tt>
+        check_early_hints env
 
         ## * The <tt>REQUEST_METHOD</tt> must be a valid token.
         unless env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
@@ -344,10 +360,34 @@ module Rack
         if env.include?(SCRIPT_NAME) && env[SCRIPT_NAME] != "" && env[SCRIPT_NAME] !~ /\A\//
           raise LintError, "SCRIPT_NAME must start with /"
         end
-        ## * The <tt>PATH_INFO</tt>, if non-empty, must start with <tt>/</tt>
-        if env.include?(PATH_INFO) && env[PATH_INFO] != "" && env[PATH_INFO] !~ /\A\//
-          raise LintError, "PATH_INFO must start with /"
+
+        ## * The <tt>PATH_INFO</tt>, if provided, must be a valid request target or an empty string.
+        if env.include?(PATH_INFO)
+          case env[PATH_INFO]
+          when REQUEST_PATH_ASTERISK_FORM
+            ##   * Only <tt>OPTIONS</tt> requests may have <tt>PATH_INFO</tt> set to <tt>*</tt> (asterisk-form).
+            unless env[REQUEST_METHOD] == OPTIONS
+              raise LintError, "Only OPTIONS requests may have PATH_INFO set to '*' (asterisk-form)"
+            end
+          when REQUEST_PATH_AUTHORITY_FORM
+            ##   * Only <tt>CONNECT</tt> requests may have <tt>PATH_INFO</tt> set to an authority (authority-form). Note that in HTTP/2+, the authority-form is not a valid request target.
+            unless env[REQUEST_METHOD] == CONNECT
+              raise LintError, "Only CONNECT requests may have PATH_INFO set to an authority (authority-form)"
+            end
+          when REQUEST_PATH_ABSOLUTE_FORM
+            ##   * <tt>CONNECT</tt> and <tt>OPTIONS</tt> requests must not have <tt>PATH_INFO</tt> set to a URI (absolute-form).
+            if env[REQUEST_METHOD] == CONNECT || env[REQUEST_METHOD] == OPTIONS
+              raise LintError, "CONNECT and OPTIONS requests must not have PATH_INFO set to a URI (absolute-form)"
+            end
+          when REQUEST_PATH_ORIGIN_FORM
+            ##   * Otherwise, <tt>PATH_INFO</tt> must start with a <tt>/</tt> and must not include a fragment part starting with '#' (origin-form).
+          when ""
+            # Empty string is okay.
+          else
+            raise LintError, "PATH_INFO must start with a '/' and must not include a fragment part starting with '#' (origin-form)"
+          end
         end
+
         ## * The <tt>CONTENT_LENGTH</tt>, if given, must consist of digits only.
         if env.include?("CONTENT_LENGTH") && env["CONTENT_LENGTH"] !~ /\A\d+\z/
           raise LintError, "Invalid CONTENT_LENGTH: #{env["CONTENT_LENGTH"]}"
@@ -384,9 +424,9 @@ module Rack
       ##
       ## The input stream is an IO-like object which contains the raw HTTP
       ## POST data.
-      def check_input(input)
+      def check_input_stream(input)
         ## When applicable, its external encoding must be "ASCII-8BIT" and it
-        ## must be opened in binary mode, for Ruby 1.9 compatibility.
+        ## must be opened in binary mode.
         if input.respond_to?(:external_encoding) && input.external_encoding != Encoding::ASCII_8BIT
           raise LintError, "rack.input #{input} does not have ASCII-8BIT as its external encoding"
         end
@@ -418,7 +458,7 @@ module Rack
           v
         end
 
-        ## * +read+ behaves like IO#read.
+        ## * +read+ behaves like <tt>IO#read</tt>.
         ##   Its signature is <tt>read([length, [buffer]])</tt>.
         ##
         ##   If given, +length+ must be a non-negative Integer (>= 0) or +nil+,
@@ -478,8 +518,8 @@ module Rack
           }
         end
 
-        ## * +close+ can be called on the input stream to indicate that the
-        ## any remaining input is not needed.
+        ## * +close+ can be called on the input stream to indicate that
+        ##   any remaining input is not needed.
         def close(*args)
           @input.close(*args)
         end
@@ -488,7 +528,7 @@ module Rack
       ##
       ## === The Error Stream
       ##
-      def check_error(error)
+      def check_error_stream(error)
         ## The error stream must respond to +puts+, +write+ and +flush+.
         [:puts, :write, :flush].each { |method|
           unless error.respond_to? method
@@ -609,6 +649,30 @@ module Rack
         nil
       end
 
+      ##
+      ## === Early Hints
+      ##
+      ## The application or any middleware may call the <tt>rack.early_hints</tt>
+      ## with an object which would be valid as the headers of a Rack response.
+      def check_early_hints(env)
+        if env[RACK_EARLY_HINTS]
+          ##
+          ## If <tt>rack.early_hints</tt> is present, it must respond to #call.
+          unless env[RACK_EARLY_HINTS].respond_to?(:call)
+            raise LintError, "rack.early_hints must respond to call"
+          end
+
+          original_callback = env[RACK_EARLY_HINTS]
+          env[RACK_EARLY_HINTS] = lambda do |headers|
+            ## If <tt>rack.early_hints</tt> is called, it must be called with
+            ## valid Rack response headers.
+            check_headers(headers)
+            original_callback.call(headers)
+          end
+        end
+      end
+
+      ##
       ## == The Response
       ##
       ## === The Status
@@ -672,9 +736,9 @@ module Rack
       end
 
       ##
-      ## === The content-type
+      ## ==== The +content-type+ Header
       ##
-      def check_content_type(status, headers)
+      def check_content_type_header(status, headers)
         headers.each { |key, value|
           ## There must not be a <tt>content-type</tt> header key when the +Status+ is 1xx,
           ## 204, or 304.
@@ -688,9 +752,9 @@ module Rack
       end
 
       ##
-      ## === The content-length
+      ## ==== The +content-length+ Header
       ##
-      def check_content_length(status, headers)
+      def check_content_length_header(status, headers)
         headers.each { |key, value|
           if key == 'content-length'
             ## There must not be a <tt>content-length</tt> header key when the
@@ -715,6 +779,29 @@ module Rack
         end
       end
 
+      ## 
+      ## ==== The +rack.protocol+ Header
+      ##
+      def check_rack_protocol_header(status, headers)
+        ## If the +rack.protocol+ header is present, it must be a +String+, and
+        ## must be one of the values from the +rack.protocol+ array from the
+        ## environment.
+        protocol = headers['rack.protocol']
+
+        if protocol
+          request_protocols = @env['rack.protocol']
+
+          if request_protocols.nil?
+            raise LintError, "rack.protocol header is #{protocol.inspect}, but rack.protocol was not set in request!"
+          elsif !request_protocols.include?(protocol)
+            raise LintError, "rack.protocol header is #{protocol.inspect}, but should be one of #{request_protocols.inspect} from the request!"
+          end
+        end
+      end
+      ##
+      ## Setting this value informs the server that it should perform a
+      ## connection upgrade. In HTTP/1, this is done using the +upgrade+
+      ## header. In HTTP/2, this is done by accepting the request.
       ##
       ## === The Body
       ##
@@ -782,7 +869,7 @@ module Rack
         ## It must only be called once.
         raise LintError, "Response body must only be invoked once (#{@invoked})" unless @invoked.nil?
 
-        ## It must not be called after being closed.
+        ## It must not be called after being closed,
         raise LintError, "Response body is already closed" if @closed
 
         @invoked = :each
@@ -793,9 +880,6 @@ module Rack
             raise LintError, "Body yielded non-string value #{chunk.inspect}"
           end
 
-          ##
-          ## The Body itself should not be an instance of String, as this will
-          ## break in Ruby 1.9.
           ##
           ## Middleware must not call +each+ directly on the Body.
           ## Instead, middleware can return a new Body that calls +each+ on the

data/lib/rack/logger.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
 require 'logger'
-
 require_relative 'constants'
 
+warn "Rack::Logger is deprecated and will be removed in Rack 3.2.", uplevel: 1
+
 module Rack
   # Sets up rack.logger to write to rack.errors stream
   class Logger

data/lib/rack/mime.rb

@@ -290,7 +290,7 @@ module Rack
       ".jpg"       => "image/jpeg",
       ".jpgv"      => "video/jpeg",
       ".jpm"       => "video/jpm",
-      ".js"        => "application/javascript",
+      ".js"        => "text/javascript",
       ".json"      => "application/json",
       ".karbon"    => "application/vnd.kde.karbon",
       ".kfo"       => "application/vnd.kde.kformula",
@@ -338,6 +338,7 @@ module Rack
       ".mif"       => "application/vnd.mif",
       ".mime"      => "message/rfc822",
       ".mj2"       => "video/mj2",
+      ".mjs"       => "text/javascript",
       ".mlp"       => "application/vnd.dolby.mlp",
       ".mmd"       => "application/vnd.chipnuts.karaoke-mmd",
       ".mmf"       => "application/vnd.smaf",
@@ -409,7 +410,7 @@ module Rack
       ".ogx"       => "application/ogg",
       ".org"       => "application/vnd.lotus-organizer",
       ".otc"       => "application/vnd.oasis.opendocument.chart-template",
-      ".otf"       => "application/vnd.oasis.opendocument.formula-template",
+      ".otf"       => "font/otf",
       ".otg"       => "application/vnd.oasis.opendocument.graphics-template",
       ".oth"       => "application/vnd.oasis.opendocument.text-web",
       ".oti"       => "application/vnd.oasis.opendocument.image-template",
@@ -590,7 +591,7 @@ module Rack
       ".trm"       => "application/x-msterminal",
       ".ts"        => "video/mp2t",
       ".tsv"       => "text/tab-separated-values",
-      ".ttf"       => "application/octet-stream",
+      ".ttf"       => "font/ttf",
       ".twd"       => "application/vnd.simtech-mindmapper",
       ".txd"       => "application/vnd.genomatix.tuxedo",
       ".txf"       => "application/vnd.mobius.txf",
@@ -636,8 +637,8 @@ module Rack
       ".wmv"       => "video/x-ms-wmv",
       ".wmx"       => "video/x-ms-wmx",
       ".wmz"       => "application/x-ms-wmz",
-      ".woff"      => "application/font-woff",
-      ".woff2"     => "application/font-woff2",
+      ".woff"      => "font/woff",
+      ".woff2"     => "font/woff2",
       ".wpd"       => "application/vnd.wordperfect",
       ".wpl"       => "application/vnd.ms-wpl",
       ".wps"       => "application/vnd.ms-works",

data/lib/rack/mock_request.rb

@@ -41,11 +41,6 @@ module Rack
       end
     end
 
-    DEFAULT_ENV = {
-      RACK_INPUT        => StringIO.new,
-      RACK_ERRORS       => StringIO.new,
-    }.freeze
-
     def initialize(app)
       @app = app
     end
@@ -104,7 +99,7 @@ module Rack
       uri = parse_uri_rfc2396(uri)
       uri.path = "/#{uri.path}" unless uri.path[0] == ?/
 
-      env = DEFAULT_ENV.dup
+      env = {}
 
       env[REQUEST_METHOD]  = (opts[:method] ? opts[:method].to_s.upcase : GET).b
       env[SERVER_NAME]     = (uri.host || "example.org").b
@@ -144,20 +139,20 @@ module Rack
         end
       end
 
-      opts[:input] ||= String.new
-      if String === opts[:input]
-        rack_input = StringIO.new(opts[:input])
-      else
-        rack_input = opts[:input]
+      rack_input = opts[:input]
+      if String === rack_input
+        rack_input = StringIO.new(rack_input)
       end
 
-      rack_input.set_encoding(Encoding::BINARY)
-      env[RACK_INPUT] = rack_input
+      if rack_input
+        rack_input.set_encoding(Encoding::BINARY) if rack_input.respond_to?(:set_encoding)
+        env[RACK_INPUT] = rack_input
 
-      env["CONTENT_LENGTH"] ||= env[RACK_INPUT].size.to_s if env[RACK_INPUT].respond_to?(:size)
+        env["CONTENT_LENGTH"] ||= env[RACK_INPUT].size.to_s if env[RACK_INPUT].respond_to?(:size)
+      end
 
       opts.each { |field, value|
-        env[field] = value  if String === field
+        env[field] = value if String === field
       }
 
       env

data/lib/rack/mock_response.rb

@@ -78,22 +78,20 @@ module Rack
 
     def parse_cookies_from_header
       cookies = Hash.new
-      if headers.has_key? 'set-cookie'
-        set_cookie_header = headers.fetch('set-cookie')
-        Array(set_cookie_header).each do |header_value|
-          header_value.split("\n").each do |cookie|
-            cookie_name, cookie_filling = cookie.split('=', 2)
-            cookie_attributes = identify_cookie_attributes cookie_filling
-            parsed_cookie = CGI::Cookie.new(
-              'name' => cookie_name.strip,
-              'value' => cookie_attributes.fetch('value'),
-              'path' => cookie_attributes.fetch('path', nil),
-              'domain' => cookie_attributes.fetch('domain', nil),
-              'expires' => cookie_attributes.fetch('expires', nil),
-              'secure' => cookie_attributes.fetch('secure', false)
-            )
-            cookies.store(cookie_name, parsed_cookie)
-          end
+      set_cookie_header = headers['set-cookie']
+      if set_cookie_header && !set_cookie_header.empty?
+        Array(set_cookie_header).each do |cookie|
+          cookie_name, cookie_filling = cookie.split('=', 2)
+          cookie_attributes = identify_cookie_attributes cookie_filling
+          parsed_cookie = CGI::Cookie.new(
+            'name' => cookie_name.strip,
+            'value' => cookie_attributes.fetch('value'),
+            'path' => cookie_attributes.fetch('path', nil),
+            'domain' => cookie_attributes.fetch('domain', nil),
+            'expires' => cookie_attributes.fetch('expires', nil),
+            'secure' => cookie_attributes.fetch('secure', false)
+          )
+          cookies.store(cookie_name, parsed_cookie)
         end
       end
       cookies