rack 3.0.18 → 3.1.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c109b92a92a0fcc346c4fabc30223e1a29fec8d062f91c45791d4b2a4b411a2f
-  data.tar.gz: 161c23b7fcfecad716e387db0946f07ceab0c5ff8616cc5c022ec8fafd097382
+  metadata.gz: 627b4fe8d3af482f544229eaa2a32868adf887decbc3616669646c0ecdb514e5
+  data.tar.gz: f5c0b0b49232d4dd4630e4ccf71f30a322bf7cf91f8e38711e9a203b2e2c03c7
 SHA512:
-  metadata.gz: 5eb41a9d006fba6cdb3c272c74527896a6a3b5c9dc0b855a5ca06928ec50d182edfb23c6cf777ce77995d0d2f41a74440e59a48a301e12e1f99f5ca98cfda694
-  data.tar.gz: 865ae1620806ea268231ce88b4b228d6bef477e37cd465dd8525d81c42fdd5eab0a75f3de21770a6209d25ed9e2a49be4cacbf5335e356af73cd831bbb64dd37
+  metadata.gz: 5f61477c3fc2f135ee874290de05f1c18c015fe9285348e5d673a41d86782bd00f61f83d8fea2a81af15158e3d87acea8c2edcf5600c7e292df79c2e40480f98
+  data.tar.gz: 6e22900f3d703d4db6d14e4a7960a52f835df19df2796cf1669e1c4415b4243a5e9097cf87ab1b37102090a98109408524ca6c2762a77f69eeda9755ed47aef1

data/CHANGELOG.md

@@ -2,6 +2,168 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.1.18] - 2025-10-10
+
+### Security
+
+- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
+- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+
+## [3.1.17] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [3.1.16] - 2025-06-04
+
+### Security
+
+- [CVE-2025-49007](https://github.com/advisories/GHSA-47m2-26rw-j2jw) Fix ReDoS in multipart request.
+
+## [3.1.15] - 2025-05-18
+
+- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+
+## [3.1.14] - 2025-05-06
+
+### Security
+
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+
+## [3.1.13] - 2025-04-13
+
+- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
+
+## [3.1.12] - 2025-03-11
+
+### Security
+
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+
+## [3.1.11] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [3.1.10] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [3.1.9] - 2025-01-31
+
+### Fixed
+
+- `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
+
+## [3.1.8] - 2024-10-14
+
+### Fixed
+
+- Resolve deprecation warnings about uri `DEFAULT_PARSER`. ([#2249](https://github.com/rack/rack/pull/2249), [@earlopain])
+
+## [3.1.7] - 2024-07-11
+
+### Fixed
+
+- Do not remove escaped opening/closing quotes for content-disposition filenames. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+- Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. ([#2227](https://github.com/rack/rack/pull/2227), [@jeremyevans])
+- `Rack::Response` should not generate invalid `content-length` header. ([#2219](https://github.com/rack/rack/pull/2219), [@ioquatix])
+- Allow empty PATH_INFO. ([#2214](https://github.com/rack/rack/pull/2214), [@ioquatix])
+
+## [3.1.6] - 2024-07-03
+
+### Fixed
+
+- Fix several edge cases in `Rack::Request#parse_http_accept_header`'s implementation. ([#2226](https://github.com/rack/rack/pull/2226), [@ioquatix])
+
+## [3.1.5] - 2024-07-02
+
+### Security
+
+- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
+
+## [3.1.4] - 2024-06-22
+
+### Fixed
+
+- Fix `Rack::Lint` matching some paths incorrectly as authority form. ([#2220](https://github.com/rack/rack/pull/2220), [@ioquatix])
+
+## [3.1.3] - 2024-06-12
+
+### Fixed
+
+- Fix passing non-strings to `Rack::Utils.escape_html`. ([#2202](https://github.com/rack/rack/pull/2202), [@earlopain])
+- `Rack::MockResponse` gracefully handles empty cookies ([#2203](https://github.com/rack/rack/pull/2203) [@wynksaiddestroy])
+
+## [3.1.2] - 2024-06-11
+
+- `Rack::Response` will take in to consideration chunked encoding responses ([#2204](https://github.com/rack/rack/pull/2204), [@tenderlove])
+
+## [3.1.1] - 2024-06-11
+
+- Oops! I shouldn't have shipped that
+
+## [3.1.0] - 2024-06-11
+
+:warning: **This release includes several breaking changes.** Refer to the **Removed** section below for the list of deprecated methods that have been removed in this release.
+
+Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
+
+### SPEC Changes
+
+- `rack.input` is now optional. ([#1997](https://github.com/rack/rack/pull/1997), [#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
+- `PATH_INFO` is now validated according to the HTTP/1.1 specification. ([#2117](https://github.com/rack/rack/pull/2117), [#2181](https://github.com/rack/rack/pull/2181), [@ioquatix])
+  - `OPTIONS *` is now accepted. ([#2114](https://github.com/rack/rack/pull/2114), [@doriantaylor](https://github.com/doriantaylor))
+- Introduce optional `rack.protocol` request and response header for handling connection upgrades. ([#1954](https://github.com/rack/rack/pull/1954), [@ioquatix])
+
+### Added
+
+- Introduce `Rack::Multipart::MissingInputError` for improved handling of missing input in `#parse_multipart`. ([#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
+- Introduce `module Rack::BadRequest` which is included in multipart and query parser errors. ([#2019](https://github.com/rack/rack/pull/2019), [@ioquatix])
+- Add `.mjs` MIME type ([#2057](https://github.com/rack/rack/pull/2057), [@axilleas](https://github.com/axilleas))
+- `set_cookie_header` utility now supports the `partitioned` cookie attribute. This is required by Chrome in some embedded contexts. ([#2131](https://github.com/rack/rack/pull/2131), [@flavio-b](https://github.com/flavio-b))
+- Introduce `rack.early_hints` for sending `103 Early Hints` informational responses. ([#1831](https://github.com/rack/rack/pull/1831), [@casperisfine](https://github.com/casperisfine), [@jeremyevans])
+
+### Changed
+
+- MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` ([`1bd0f15`](https://github.com/rack/rack/commit/1bd0f1597d8f4a90d47115f3e156a8ce7870c9c8), [@ioquatix])
+- Update MIME types associated to `.ttf`, `.woff`, `.woff2` and `.otf` extensions to use mondern `font/*` types. ([#2065](https://github.com/rack/rack/pull/2065), [@davidstosik])
+- `Rack::Utils.escape_html` is now delegated to `CGI.escapeHTML`. `'` is escaped to `#39;` instead of `#x27;`. (decimal vs hexadecimal) ([#2099](https://github.com/rack/rack/pull/2099), [@JunichiIto](https://github.com/JunichiIto))
+- Clarify use of `@buffered` and only update `content-length` when `Rack::Response#finish` is invoked. ([#2149](https://github.com/rack/rack/pull/2149), [@ioquatix])
+
+### Deprecated
+
+- Deprecate automatic cache invalidation in `Request#{GET,POST}` ([#2073](https://github.com/rack/rack/pull/2073), [@jeremyevans])
+- Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. ([#2191](https://github.com/rack/rack/pull/2191), [@ioquatix])
+- `Rack::Logger` is deprecated. ([#2197](https://github.com/rack/rack/pull/2197), [@ioquatix])
+- Add fallback lookup and deprecation warning for obsolete status symbols. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
+- Deprecate `Rack::Request#values_at`, use `request.params.values_at` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
+
+### Removed
+
+- Remove deprecated `Rack::Auth::Digest` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Cascade::NotFound` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Chunked` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::File`, use `Rack::Files` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::QueryParser` `key_space_limit` parameter with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Response#header`, use `Rack::Response#headers` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated cookie methods from `Rack::Utils`: `add_cookie_to_header`, `make_delete_cookie_header`, `add_remove_cookie_to_header`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Utils::HeaderHash`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::VERSION`, `Rack::VERSION_STRING`, `Rack.version`, use `Rack.release` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
+- Remove any dependency on `transfer-encoding: chunked`. ([#2195](https://github.com/rack/rack/pull/2195), [@ioquatix])
+- Remove deprecated `Rack::Request#[]`, use `request.params[key]` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
+
+### Fixed
+
+- In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
+
 ## [3.0.18] - 2025-05-22
 
 - Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
@@ -14,7 +176,7 @@ All notable changes to this project will be documented in this file. For info on
 
 ### Security
 
-- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 
 ## [3.0.15] - 2025-04-13
 
@@ -24,13 +186,13 @@ All notable changes to this project will be documented in this file. For info on
 
 ### Security
 
-- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
 
 ## [3.0.13] - 2025-03-04
 
 ### Security
 
-- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
 
 ### Fixed
 
@@ -40,7 +202,7 @@ All notable changes to this project will be documented in this file. For info on
 
 ### Security
 
-- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 
 ## [3.0.11] - 2024-05-10
 
@@ -218,6 +380,31 @@ All notable changes to this project will be documented in this file. For info on
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.20] - 2025-10-10
+
+### Security
+
+- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
+- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+
+## [2.2.19] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [2.2.18] - 2025-09-25
+
+### Security
+
+- [CVE-2025-59830](https://github.com/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+
+## [2.2.17] - 2025-06-03
+
+- Backport `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
+
 ## [2.2.16] - 2025-05-22
 
 - Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
@@ -230,25 +417,25 @@ All notable changes to this project will be documented in this file. For info on
 
 ### Security
 
-- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 
 ## [2.2.13] - 2025-03-11
 
 ### Security
 
-- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
 
 ## [2.2.12] - 2025-03-04
 
 ### Security
 
-- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
 
 ## [2.2.11] - 2025-02-12
 
 ### Security
 
-- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 
 ## [2.2.10] - 2024-10-14
 
@@ -303,6 +490,8 @@ All notable changes to this project will be documented in this file. For info on
 
 ## [2.2.3.1] - 2022-05-27
 
+### Security
+
 - [CVE-2022-30123] Fix shell escaping issue in Common Logger
 - [CVE-2022-30122] Restrict parsing of broken MIME attachments
 
@@ -1010,4 +1199,5 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
 [@amatsuda]: https://github.com/amatsuda "Akira Matsuda"
 [@wjordan]: https://github.com/wjordan "Will Jordan"
 [@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
+[@davidstosik]: https://github.com/davidstosik "David Stosik"
 [@earlopain]: https://github.com/earlopain "Earlopain"

data/CONTRIBUTING.md

@@ -5,6 +5,15 @@ contributors](https://github.com/rack/rack/graphs/contributors). You're
 encouraged to submit [pull requests](https://github.com/rack/rack/pulls) and
 [propose features and discuss issues](https://github.com/rack/rack/issues).
 
+## Backports
+
+Only security patches are ideal for backporting to non-main release versions. If
+you're not sure if your bug fix is backportable, you should open a discussion to
+discuss it first.
+
+The [Security Policy] documents which release versions will receive security
+backports.
+
 ## Fork the Project
 
 Fork the [project on GitHub](https://github.com/rack/rack) and check out your
@@ -27,15 +36,6 @@ git pull upstream main
 git checkout -b my-feature-branch
 ```
 
-## Bundle Install and Quick Test
-
-Ensure that you can build the project and run quick tests.
-
-```
-bundle install --without extra
-bundle exec rake test
-```
-
 ## Running All Tests
 
 Install all dependencies.
@@ -140,3 +140,5 @@ there!
 
 Please do know that we really appreciate and value your time and work. We love
 you, really.
+
+[Security Policy]: SECURITY.md

data/README.md

@@ -1,10 +1,5 @@
 # ![Rack](contrib/logo.webp)
 
-> **_NOTE:_** Rack v3.0.0 was recently released. Please check the [Upgrade
-> Guide](UPGRADE-GUIDE.md) for more details about migrating your existing
-> servers, middlewares and applications. For detailed information on specific
-> changes, check the [Change Log](CHANGELOG.md).
-
 Rack provides a minimal, modular, and adaptable interface for developing web
 applications in Ruby. By wrapping HTTP requests and responses in the simplest
 way possible, it unifies and distills the bridge between web servers, web
@@ -13,6 +8,32 @@ frameworks, and web application into a single method call.
 The exact details of this are described in the [Rack Specification], which all
 Rack applications should conform to.
 
+## Version support
+
+| Version  | Support                            |
+|----------|------------------------------------|
+|    3.0.x | Bug fixes and security patches.    |
+|    2.2.x | Security patches only.             |
+| <= 2.1.x | End of support.                    |
+
+Please see the [Security Policy] for more information.
+
+## Rack 3.0
+
+This is the latest version of Rack. It contains API improvements but also some
+breaking changes. Please check the [Upgrade Guide](UPGRADE-GUIDE.md) for more
+details about migrating servers, middlewares and applications designed for Rack 2
+to Rack 3. For detailed information on specific changes, check the [Change Log](CHANGELOG.md).
+
+## Rack 2.2
+
+This version of Rack is receiving security patches only, and effort should be
+made to move to Rack 3.
+
+Starting in Ruby 3.4 the `base64` dependency will no longer be a default gem,
+and may cause a warning or error about `base64` being missing. To correct this,
+add `base64` as a dependency to your project.
+
 ## Installation
 
 Add the rack gem to your application bundle, or follow the instructions provided
@@ -20,10 +41,10 @@ by a [supported web framework](#supported-web-frameworks):
 
 ```bash
 # Install it generally:
-$ gem install rack --pre
+$ gem install rack
 
 # or, add it to your current application gemfile:
-$ bundle add rack --version 3.0.0
+$ bundle add rack
 ```
 
 If you need features from `Rack::Session` or `bin/rackup` please add those gems separately.
@@ -57,7 +78,7 @@ Hello World
 Rack is supported by a wide range of servers, including:
 
 * [Agoo](https://github.com/ohler55/agoo)
-* [Falcon](https://github.com/socketry/falcon) **(Rack 3 Compatible)**
+* [Falcon](https://github.com/socketry/falcon)
 * [Iodine](https://github.com/boazsegev/iodine)
 * [NGINX Unit](https://unit.nginx.org/)
 * [Phusion Passenger](https://www.phusionpassenger.com/) (which is mod_rack for
@@ -84,18 +105,15 @@ These frameworks and many others support the [Rack Specification]:
 
 * [Camping](https://github.com/camping/camping)
 * [Hanami](https://hanamirb.org/)
+* [Ramaze](https://github.com/ramaze/ramaze)
 * [Padrino](https://padrinorb.com/)
-* [Roda](https://github.com/jeremyevans/roda) **(Rack 3 Compatible)**
+* [Roda](https://github.com/jeremyevans/roda)
 * [Ruby on Rails](https://rubyonrails.org/)
+* [Rum](https://github.com/leahneukirchen/rum)
 * [Sinatra](https://sinatrarb.com/)
-* [Utopia](https://github.com/socketry/utopia) **(Rack 3 Compatible)**
+* [Utopia](https://github.com/socketry/utopia)
 * [WABuR](https://github.com/ohler55/wabur)
 
-### Older (possibly unsupported) web frameworks
-
-* [Ramaze](http://ramaze.net/)
-* [Rum](https://github.com/leahneukirchen/rum)
-
 ## Available middleware shipped with Rack
 
 Between the server and the framework, Rack can be customized to your
@@ -192,6 +210,14 @@ query string, before attempting parsing, so if the same parameter key is
 used multiple times in the query, each counts as a separate parameter for
 this check.
 
+### `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
+
+This environment variable sets the maximum amount of memory Rack will use
+to buffer multipart parameters when parsing a request body. This considers
+the size of the multipart mime headers and the body part for multipart
+parameters that are buffered in memory and do not use tempfiles. This
+defaults to 16MB if not provided.
+
 ### `param_depth_limit`
 
 ```ruby
@@ -334,3 +360,4 @@ would like to thank:
 Rack is released under the [MIT License](MIT-LICENSE).
 
 [Rack Specification]: SPEC.rdoc
+[Security Policy]: SECURITY.md

data/SPEC.rdoc

@@ -82,6 +82,10 @@ Rack-specific variables:
 <tt>rack.hijack</tt>:: See below, if present, an object responding
                        to +call+ that is used to perform a full
                        hijack.
+<tt>rack.protocol</tt>:: An optional +Array+ of +String+, containing
+                         the protocols advertised by the client in
+                         the +upgrade+ header (HTTP/1) or the
+                         +:protocol+ pseudo-header (HTTP/2).
 Additional environment specifications have approved to
 standardized middleware APIs. None of these are required to
 be implemented by the server.
@@ -112,7 +116,6 @@ The <tt>SERVER_PORT</tt> must be an Integer if set.
 The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
 The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
 The <tt>SERVER_PROTOCOL</tt> must match the regexp <tt>HTTP/\d(\.\d)?</tt>.
-If the <tt>HTTP_VERSION</tt> is present, it must equal the <tt>SERVER_PROTOCOL</tt>.
 The environment must not contain the keys
 <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
 (use the versions without <tt>HTTP_</tt>).
@@ -121,12 +124,17 @@ If the string values for CGI keys contain non-ASCII characters,
 they should use ASCII-8BIT encoding.
 There are the following restrictions:
 * <tt>rack.url_scheme</tt> must either be +http+ or +https+.
-* There must be a valid input stream in <tt>rack.input</tt>.
+* There may be a valid input stream in <tt>rack.input</tt>.
 * There must be a valid error stream in <tt>rack.errors</tt>.
 * There may be a valid hijack callback in <tt>rack.hijack</tt>
+* There may be a valid early hints callback in <tt>rack.early_hints</tt>
 * The <tt>REQUEST_METHOD</tt> must be a valid token.
 * The <tt>SCRIPT_NAME</tt>, if non-empty, must start with <tt>/</tt>
-* The <tt>PATH_INFO</tt>, if non-empty, must start with <tt>/</tt>
+* The <tt>PATH_INFO</tt>, if provided, must be a valid request target or an empty string.
+  * Only <tt>OPTIONS</tt> requests may have <tt>PATH_INFO</tt> set to <tt>*</tt> (asterisk-form).
+  * Only <tt>CONNECT</tt> requests may have <tt>PATH_INFO</tt> set to an authority (authority-form). Note that in HTTP/2+, the authority-form is not a valid request target.
+  * <tt>CONNECT</tt> and <tt>OPTIONS</tt> requests must not have <tt>PATH_INFO</tt> set to a URI (absolute-form).
+  * Otherwise, <tt>PATH_INFO</tt> must start with a <tt>/</tt> and must not include a fragment part starting with '#' (origin-form).
 * The <tt>CONTENT_LENGTH</tt>, if given, must consist of digits only.
 * One of <tt>SCRIPT_NAME</tt> or <tt>PATH_INFO</tt> must be
   set. <tt>PATH_INFO</tt> should be <tt>/</tt> if
@@ -144,11 +152,11 @@ exceptions. They should be invoked in reverse order of registration.
 The input stream is an IO-like object which contains the raw HTTP
 POST data.
 When applicable, its external encoding must be "ASCII-8BIT" and it
-must be opened in binary mode, for Ruby 1.9 compatibility.
+must be opened in binary mode.
 The input stream must respond to +gets+, +each+, and +read+.
 * +gets+ must be called without arguments and return a string,
   or +nil+ on EOF.
-* +read+ behaves like IO#read.
+* +read+ behaves like <tt>IO#read</tt>.
   Its signature is <tt>read([length, [buffer]])</tt>.
 
   If given, +length+ must be a non-negative Integer (>= 0) or +nil+,
@@ -166,8 +174,8 @@ The input stream must respond to +gets+, +each+, and +read+.
   If +buffer+ is given, then the read data will be placed
   into +buffer+ instead of a newly created String object.
 * +each+ must be called without arguments and only yield Strings.
-* +close+ can be called on the input stream to indicate that the
-any remaining input is not needed.
+* +close+ can be called on the input stream to indicate that
+  any remaining input is not needed.
 
 === The Error Stream
 
@@ -228,6 +236,16 @@ instance is recommended.
 
 The special response header +rack.hijack+ must only be set
 if the request +env+ has a truthy +rack.hijack?+.
+
+=== Early Hints
+
+The application or any middleware may call the <tt>rack.early_hints</tt>
+with an object which would be valid as the headers of a Rack response.
+
+If <tt>rack.early_hints</tt> is present, it must respond to #call.
+If <tt>rack.early_hints</tt> is called, it must be called with
+valid Rack response headers.
+
 == The Response
 
 === The Status
@@ -249,16 +267,26 @@ Header values must be either a String instance,
 or an Array of String instances,
 such that each String instance must not contain characters below 037.
 
-=== The content-type
+==== The +content-type+ Header
 
 There must not be a <tt>content-type</tt> header key when the +Status+ is 1xx,
 204, or 304.
 
-=== The content-length
+==== The +content-length+ Header
 
 There must not be a <tt>content-length</tt> header key when the
 +Status+ is 1xx, 204, or 304.
 
+==== The +rack.protocol+ Header
+
+If the +rack.protocol+ header is present, it must be a +String+, and
+must be one of the values from the +rack.protocol+ array from the
+environment.
+
+Setting this value informs the server that it should perform a
+connection upgrade. In HTTP/1, this is done using the +upgrade+
+header. In HTTP/2, this is done by accepting the request.
+
 === The Body
 
 The Body is typically an +Array+ of +String+ instances, an enumerable
@@ -301,12 +329,9 @@ the body.
 
 The Enumerable Body must respond to +each+.
 It must only be called once.
-It must not be called after being closed.
+It must not be called after being closed,
 and must only yield String values.
 
-The Body itself should not be an instance of String, as this will
-break in Ruby 1.9.
-
 Middleware must not call +each+ directly on the Body.
 Instead, middleware can return a new Body that calls +each+ on the
 original Body, yielding at least once per iteration.

data/lib/rack/auth/basic.rb

@@ -2,7 +2,6 @@
 
 require_relative 'abstract/handler'
 require_relative 'abstract/request'
-require 'base64'
 
 module Rack
   module Auth
@@ -46,7 +45,7 @@ module Rack
         end
 
         def credentials
-          @credentials ||= Base64.decode64(params).split(':', 2)
+          @credentials ||= params.unpack1('m').split(':', 2)
         end
 
         def username

data/lib/rack/bad_request.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Rack
+  # Represents a 400 Bad Request error when input data fails to meet the
+  # requirements.
+  module BadRequest
+  end
+end