rack 3.0.15 → 3.2.6

data/lib/rack/sendfile.rb

@@ -16,21 +16,21 @@ module Rack
   # delivery code.
   #
   # In order to take advantage of this middleware, the response body must
-  # respond to +to_path+ and the request must include an x-sendfile-type
+  # respond to +to_path+ and the request must include an `x-sendfile-type`
   # header. Rack::Files and other components implement +to_path+ so there's
-  # rarely anything you need to do in your application. The x-sendfile-type
+  # rarely anything you need to do in your application. The `x-sendfile-type`
   # header is typically set in your web servers configuration. The following
   # sections attempt to document
   #
   # === Nginx
   #
-  # Nginx supports the x-accel-redirect header. This is similar to x-sendfile
+  # Nginx supports the `x-accel-redirect` header. This is similar to `x-sendfile`
   # but requires parts of the filesystem to be mapped into a private URL
   # hierarchy.
   #
   # The following example shows the Nginx configuration required to create
-  # a private "/files/" area, enable x-accel-redirect, and pass the special
-  # x-sendfile-type and x-accel-mapping headers to the backend:
+  # a private "/files/" area, enable `x-accel-redirect`, and pass the special
+  # `x-accel-mapping` header to the backend:
   #
   #   location ~ /files/(.*) {
   #     internal;
@@ -44,24 +44,29 @@ module Rack
   #     proxy_set_header   X-Real-IP           $remote_addr;
   #     proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
   #
-  #     proxy_set_header   x-sendfile-type     x-accel-redirect;
   #     proxy_set_header   x-accel-mapping     /var/www/=/files/;
   #
   #     proxy_pass         http://127.0.0.1:8080/;
   #   }
   #
-  # Note that the x-sendfile-type header must be set exactly as shown above.
-  # The x-accel-mapping header should specify the location on the file system,
+  # The `x-accel-mapping` header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
-  # that it maps to. The middleware performs a simple substitution on the
+  # that it maps to. The middleware performs a case-insensitive substitution on the
   # resulting path.
   #
+  # To enable `x-accel-redirect`, you must configure the middleware explicitly:
+  #
+  #   use Rack::Sendfile, "x-accel-redirect"
+  #
+  # For security reasons, the `x-sendfile-type` header from requests is ignored.
+  # The sendfile variation must be set via the middleware constructor.
+  #
   # See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
   #
   # === lighttpd
   #
-  # Lighttpd has supported some variation of the x-sendfile header for some
-  # time, although only recent version support x-sendfile in a reverse proxy
+  # Lighttpd has supported some variation of the `x-sendfile` header for some
+  # time, although only recent version support `x-sendfile` in a reverse proxy
   # configuration.
   #
   #   $HTTP["host"] == "example.com" {
@@ -83,7 +88,7 @@ module Rack
   #
   # === Apache
   #
-  # x-sendfile is supported under Apache 2.x using a separate module:
+  # `x-sendfile` is supported under Apache 2.x using a separate module:
   #
   # https://tn123.org/mod_xsendfile/
   #
@@ -97,16 +102,28 @@ module Rack
   # === Mapping parameter
   #
   # The third parameter allows for an overriding extension of the
-  # x-accel-mapping header. Mappings should be provided in tuples of internal to
+  # `x-accel-mapping` header. Mappings should be provided in tuples of internal to
   # external. The internal values may contain regular expression syntax, they
   # will be matched with case indifference.
+  #
+  # When `x-accel-redirect` is explicitly enabled via the variation parameter,
+  # and no application-level mappings are provided, the middleware will read
+  # the `x-accel-mapping` header from the proxy. This allows nginx to control
+  # the path mapping without requiring application-level configuration.
+  #
+  # === Security
+  #
+  # For security reasons, the `x-sendfile-type` header from HTTP requests is
+  # ignored. The sendfile variation must be explicitly configured via the
+  # middleware constructor to prevent information disclosure vulnerabilities
+  # where attackers could bypass proxy restrictions.
 
   class Sendfile
     def initialize(app, variation = nil, mappings = [])
       @app = app
       @variation = variation
       @mappings = mappings.map do |internal, external|
-        [/^#{internal}/i, external]
+        [/\A#{internal}/i, external]
       end
     end
 
@@ -145,22 +162,35 @@ module Rack
     end
 
     private
+
     def variation(env)
-      @variation ||
-        env['sendfile.type'] ||
-        env['HTTP_X_SENDFILE_TYPE']
+      # Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
+      # Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
+      @variation || env['sendfile.type']
+    end
+
+    def x_accel_mapping(env)
+      # Only allow header when:
+      # 1. `x-accel-redirect` is explicitly enabled via constructor.
+      # 2. No application-level mappings are configured.
+      return nil unless @variation =~ /x-accel-redirect/i
+      return nil if @mappings.any?
+      
+      env['HTTP_X_ACCEL_MAPPING']
     end
 
     def map_accel_path(env, path)
       if mapping = @mappings.find { |internal, _| internal =~ path }
-        path.sub(*mapping)
-      elsif mapping = env['HTTP_X_ACCEL_MAPPING']
+        return path.sub(*mapping)
+      elsif mapping = x_accel_mapping(env)
+        # Safe to use header: explicit config + no app mappings:
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/^#{internal}/i, external)
+          new_path = path.sub(/\A#{Regexp.escape(internal)}/i, external)
           return new_path unless path == new_path
         end
-        path
+
+        return path
       end
     end
   end

data/lib/rack/show_exceptions.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'ostruct'
 require 'erb'
 
 require_relative 'constants'
@@ -19,6 +18,11 @@ module Rack
   class ShowExceptions
     CONTEXT = 7
 
+    Frame = Struct.new(:filename, :lineno, :function,
+                       :pre_context_lineno, :pre_context,
+                       :context_line, :post_context_lineno,
+                       :post_context)
+
     def initialize(app)
       @app = app
     end
@@ -61,8 +65,12 @@ module Rack
     def dump_exception(exception)
       if exception.respond_to?(:detailed_message)
         message = exception.detailed_message(highlight: false)
+      # :nocov:
+      # Ruby 3.2 added Exception#detailed_message, so the else
+      # branch cannot be hit on the current Ruby version.
       else
         message = exception.message
+      # :nocov:
       end
       string = "#{exception.class}: #{message}\n".dup
       string << exception.backtrace.map { |l| "\t#{l}" }.join("\n")
@@ -79,7 +87,7 @@ module Rack
       # This double assignment is to prevent an "unused variable" warning.
       # Yes, it is dumb, but I don't like Ruby yelling at me.
       frames = frames = exception.backtrace.map { |line|
-        frame = OpenStruct.new
+        frame = Frame.new
         if line =~ /(.*?):(\d+)(:in `(.*)')?/
           frame.filename = $1
           frame.lineno = $2.to_i
@@ -397,7 +405,5 @@ module Rack
       </body>
       </html>
     HTML
-
-    # :startdoc:
   end
 end

data/lib/rack/show_status.rb

@@ -117,7 +117,5 @@ TEMPLATE = <<'HTML'
 </body>
 </html>
 HTML
-
-    # :startdoc:
   end
 end

data/lib/rack/static.rb

@@ -93,6 +93,9 @@ module Rack
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
+      if @urls.kind_of?(Array)
+        @urls = @urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/".freeze].freeze }.freeze
+      end
       @index = options[:index]
       @gzip = options[:gzip]
       @cascade = options[:cascade]
@@ -115,7 +118,7 @@ module Rack
     end
 
     def route_file(path)
-      @urls.kind_of?(Array) && @urls.any? { |url| path.index(url) == 0 }
+      @urls.kind_of?(Array) && @urls.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
     end
 
     def can_serve(path)
@@ -165,6 +168,8 @@ module Rack
 
     # Convert HTTP header rules to HTTP headers
     def applicable_rules(path)
+      path = ::Rack::Utils.unescape_path(path)
+
       @header_rules.find_all do |rule, new_headers|
         case rule
         when :all
@@ -172,10 +177,9 @@ module Rack
         when :fonts
           /\.(?:ttf|otf|eot|woff2|woff|svg)\z/.match?(path)
         when String
-          path = ::Rack::Utils.unescape(path)
           path.start_with?(rule) || path.start_with?('/' + rule)
         when Array
-          /\.(#{rule.join('|')})\z/.match?(path)
+          /\.#{Regexp.union(rule)}\z/.match?(path)
         when Regexp
           rule.match?(path)
         else