rack 3.0.18 → 3.1.18

data/lib/rack/utils.rb

@@ -6,6 +6,7 @@ require 'fileutils'
 require 'set'
 require 'tempfile'
 require 'time'
+require 'erb'
 
 require_relative 'query_parser'
 require_relative 'mime'
@@ -23,6 +24,7 @@ module Rack
     DEFAULT_SEP = QueryParser::DEFAULT_SEP
     COMMON_SEP = QueryParser::COMMON_SEP
     KeySpaceConstrainedParams = QueryParser::Params
+    URI_PARSER = defined?(::URI::RFC2396_PARSER) ? ::URI::RFC2396_PARSER : ::URI::DEFAULT_PARSER
 
     class << self
       attr_accessor :default_query_parser
@@ -42,13 +44,13 @@ module Rack
     # Like URI escaping, but with %20 instead of +. Strictly speaking this is
     # true URI escaping.
     def escape_path(s)
-      ::URI::DEFAULT_PARSER.escape s
+      URI_PARSER.escape s
     end
 
     # Unescapes the **path** component of a URI.  See Rack::Utils.unescape for
     # unescaping query parameters or form components.
     def unescape_path(s)
-      ::URI::DEFAULT_PARSER.unescape s
+      URI_PARSER.unescape s
     end
 
     # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
@@ -85,15 +87,6 @@ module Rack
       self.default_query_parser = self.default_query_parser.new_depth_limit(v)
     end
 
-    def self.key_space_limit
-      warn("`Rack::Utils.key_space_limit` is deprecated as this value no longer has an effect. It will be removed in Rack 3.1", uplevel: 1)
-      65536
-    end
-
-    def self.key_space_limit=(v)
-      warn("`Rack::Utils.key_space_limit=` is deprecated and no longer has an effect. It will be removed in Rack 3.1", uplevel: 1)
-    end
-
     if defined?(Process::CLOCK_MONOTONIC)
       def clock_time
         Process.clock_gettime(Process::CLOCK_MONOTONIC)
@@ -184,20 +177,16 @@ module Rack
       matches&.first
     end
 
-    ESCAPE_HTML = {
-      "&" => "&amp;",
-      "<" => "&lt;",
-      ">" => "&gt;",
-      "'" => "&#x27;",
-      '"' => "&quot;",
-      "/" => "&#x2F;"
-    }
-
-    ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
-
-    # Escape ampersands, brackets and quotes to their HTML/XML entities.
-    def escape_html(string)
-      string.to_s.gsub(ESCAPE_HTML_PATTERN){|c| ESCAPE_HTML[c] }
+    # Introduced in ERB 4.0. ERB::Escape is an alias for ERB::Utils which
+    # doesn't get monkey-patched by rails
+    if defined?(ERB::Escape) && ERB::Escape.instance_method(:html_escape)
+      define_method(:escape_html, ERB::Escape.instance_method(:html_escape))
+    else
+      require 'cgi/escape'
+      # Escape ampersands, brackets and quotes to their HTML/XML entities.
+      def escape_html(string)
+        CGI.escapeHTML(string.to_s)
+      end
     end
 
     def select_best_encoding(available_encodings, accept_encoding)
@@ -252,21 +241,6 @@ module Rack
       end
     end
 
-    def add_cookie_to_header(header, key, value)
-      warn("add_cookie_to_header is deprecated and will be removed in Rack 3.1", uplevel: 1)
-
-      case header
-      when nil, ''
-        return set_cookie_header(key, value)
-      when String
-        [header, set_cookie_header(key, value)]
-      when Array
-        header + [set_cookie_header(key, value)]
-      else
-        raise ArgumentError, "Unrecognized cookie header value. Expected String, Array, or nil, got #{header.inspect}"
-      end
-    end
-
     # :call-seq:
     #   parse_cookies(env) -> hash
     #
@@ -280,6 +254,20 @@ module Rack
       parse_cookies_header env[HTTP_COOKIE]
     end
 
+    # A valid cookie key according to RFC2616.
+    # A <cookie-name> can be any US-ASCII characters, except control characters, spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " / [ ] ? = { }.
+    VALID_COOKIE_KEY = /\A[!#$%&'*+\-\.\^_`|~0-9a-zA-Z]+\z/.freeze
+    private_constant :VALID_COOKIE_KEY
+
+    private def escape_cookie_key(key)
+      if key =~ VALID_COOKIE_KEY
+        key
+      else
+        warn "Cookie key #{key.inspect} is not valid according to RFC2616; it will be escaped. This behaviour is deprecated and will be removed in a future version of Rack.", uplevel: 2
+        escape(key)
+      end
+    end
+
     # :call-seq:
     #   set_cookie_header(key, value) -> encoded string
     #
@@ -306,7 +294,7 @@ module Rack
     def set_cookie_header(key, value)
       case value
       when Hash
-        key = escape(key) unless value[:escape_key] == false
+        key = escape_cookie_key(key) unless value[:escape_key] == false
         domain  = "; domain=#{value[:domain]}"   if value[:domain]
         path    = "; path=#{value[:path]}"       if value[:path]
         max_age = "; max-age=#{value[:max_age]}" if value[:max_age]
@@ -318,23 +306,24 @@ module Rack
           when false, nil
             nil
           when :none, 'None', :None
-            '; SameSite=None'
+            '; samesite=none'
           when :lax, 'Lax', :Lax
-            '; SameSite=Lax'
+            '; samesite=lax'
           when true, :strict, 'Strict', :Strict
-            '; SameSite=Strict'
+            '; samesite=strict'
           else
-            raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}"
+            raise ArgumentError, "Invalid :same_site value: #{value[:same_site].inspect}"
           end
+        partitioned = "; partitioned" if value[:partitioned]
         value = value[:value]
       else
-        key = escape(key)
+        key = escape_cookie_key(key)
       end
 
       value = [value] unless Array === value
 
       return "#{key}=#{value.map { |v| escape v }.join('&')}#{domain}" \
-        "#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
+        "#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}#{partitioned}"
     end
 
     # :call-seq:
@@ -375,24 +364,12 @@ module Rack
       set_cookie_header(key, value.merge(max_age: '0', expires: Time.at(0), value: ''))
     end
 
-    def make_delete_cookie_header(header, key, value)
-      warn("make_delete_cookie_header is deprecated and will be removed in Rack 3.1, use delete_set_cookie_header! instead", uplevel: 1)
-
-      delete_set_cookie_header!(header, key, value)
-    end
-
     def delete_cookie_header!(headers, key, value = {})
       headers[SET_COOKIE] = delete_set_cookie_header!(headers[SET_COOKIE], key, value)
 
       return nil
     end
 
-    def add_remove_cookie_to_header(header, key, value = {})
-      warn("add_remove_cookie_to_header is deprecated and will be removed in Rack 3.1, use delete_set_cookie_header! instead", uplevel: 1)
-
-      delete_set_cookie_header!(header, key, value)
-    end
-
     # :call-seq:
     #   delete_set_cookie_header!(header, key, value = {}) -> header value
     #
@@ -435,6 +412,8 @@ module Rack
 
     def get_byte_ranges(http_range, size)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
+      # Ignore Range when file size is 0 to avoid a 416 error.
+      return nil if size.zero?
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
@@ -517,39 +496,12 @@ module Rack
       end
     end
 
-    # A wrapper around Headers
-    # header when set.
-    #
-    # @api private
-    class HeaderHash < Hash # :nodoc:
-      def self.[](headers)
-        warn "Rack::Utils::HeaderHash is deprecated and will be removed in Rack 3.1, switch to Rack::Headers", uplevel: 1
-        if headers.is_a?(Headers) && !headers.frozen?
-          return headers
-        end
-
-        new_headers = Headers.new
-        headers.each{|k,v| new_headers[k] = v}
-        new_headers
-      end
-
-      def self.new(hash = {})
-        warn "Rack::Utils::HeaderHash is deprecated and will be removed in Rack 3.1, switch to Rack::Headers", uplevel: 1
-        headers = Headers.new
-        hash.each{|k,v| headers[k] = v}
-        headers
-      end
-
-      def self.allocate
-        raise TypeError, "cannot allocate HeaderHash"
-      end
-    end
-
     # Every standard HTTP code mapped to the appropriate message.
     # Generated with:
-    #   curl -s https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv | \
-    #     ruby -ne 'm = /^(\d{3}),(?!Unassigned|\(Unused\))([^,]+)/.match($_) and \
-    #               puts "#{m[1]} => \x27#{m[2].strip}\x27,"'
+    #   curl -s https://www.iana.org/assignments/http-status-codes/http-status-codes-1.csv \
+    #     | ruby -rcsv -e "puts CSV.parse(STDIN, headers: true) \
+    #     .reject {|v| v['Description'] == 'Unassigned' or v['Description'].include? '(' } \
+    #     .map {|v| %Q/#{v['Value']} => '#{v['Description']}'/ }.join(','+?\n)"
     HTTP_STATUS_CODES = {
       100 => 'Continue',
       101 => 'Switching Protocols',
@@ -571,7 +523,6 @@ module Rack
       303 => 'See Other',
       304 => 'Not Modified',
       305 => 'Use Proxy',
-      306 => '(Unused)',
       307 => 'Temporary Redirect',
       308 => 'Permanent Redirect',
       400 => 'Bad Request',
@@ -587,13 +538,13 @@ module Rack
       410 => 'Gone',
       411 => 'Length Required',
       412 => 'Precondition Failed',
-      413 => 'Payload Too Large',
+      413 => 'Content Too Large',
       414 => 'URI Too Long',
       415 => 'Unsupported Media Type',
       416 => 'Range Not Satisfiable',
       417 => 'Expectation Failed',
       421 => 'Misdirected Request',
-      422 => 'Unprocessable Entity',
+      422 => 'Unprocessable Content',
       423 => 'Locked',
       424 => 'Failed Dependency',
       425 => 'Too Early',
@@ -601,7 +552,7 @@ module Rack
       428 => 'Precondition Required',
       429 => 'Too Many Requests',
       431 => 'Request Header Fields Too Large',
-      451 => 'Unavailable for Legal Reasons',
+      451 => 'Unavailable For Legal Reasons',
       500 => 'Internal Server Error',
       501 => 'Not Implemented',
       502 => 'Bad Gateway',
@@ -611,8 +562,6 @@ module Rack
       506 => 'Variant Also Negotiates',
       507 => 'Insufficient Storage',
       508 => 'Loop Detected',
-      509 => 'Bandwidth Limit Exceeded',
-      510 => 'Not Extended',
       511 => 'Network Authentication Required'
     }
 
@@ -620,12 +569,36 @@ module Rack
     STATUS_WITH_NO_ENTITY_BODY = Hash[((100..199).to_a << 204 << 304).product([true])]
 
     SYMBOL_TO_STATUS_CODE = Hash[*HTTP_STATUS_CODES.map { |code, message|
-      [message.downcase.gsub(/\s|-|'/, '_').to_sym, code]
+      [message.downcase.gsub(/\s|-/, '_').to_sym, code]
     }.flatten]
 
+    OBSOLETE_SYMBOLS_TO_STATUS_CODES = {
+      payload_too_large: 413,
+      unprocessable_entity: 422,
+      bandwidth_limit_exceeded: 509,
+      not_extended: 510
+    }.freeze
+    private_constant :OBSOLETE_SYMBOLS_TO_STATUS_CODES
+
+    OBSOLETE_SYMBOL_MAPPINGS = {
+      payload_too_large: :content_too_large,
+      unprocessable_entity: :unprocessable_content
+    }.freeze
+    private_constant :OBSOLETE_SYMBOL_MAPPINGS
+
     def status_code(status)
       if status.is_a?(Symbol)
-        SYMBOL_TO_STATUS_CODE.fetch(status) { raise ArgumentError, "Unrecognized status code #{status.inspect}" }
+        SYMBOL_TO_STATUS_CODE.fetch(status) do
+          fallback_code = OBSOLETE_SYMBOLS_TO_STATUS_CODES.fetch(status) { raise ArgumentError, "Unrecognized status code #{status.inspect}" }
+          message = "Status code #{status.inspect} is deprecated and will be removed in a future version of Rack."
+          if canonical_symbol = OBSOLETE_SYMBOL_MAPPINGS[status]
+            # message = "#{message} Please use #{canonical_symbol.inspect} instead."
+            # For now, let's not emit any warning when there is a mapping.
+          else
+            warn message, uplevel: 3
+          end
+          fallback_code
+        end
       else
         status.to_i
       end

data/lib/rack/version.rb

@@ -12,20 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 
 module Rack
-  # The Rack protocol version number implemented.
-  VERSION = [1, 3].freeze
-  deprecate_constant :VERSION
-
-  VERSION_STRING = "1.3".freeze
-  deprecate_constant :VERSION_STRING
-
-  # The Rack protocol version number implemented.
-  def self.version
-    warn "Rack.version is deprecated and will be removed in Rack 3.1!", uplevel: 1
-    VERSION
-  end
-
-  RELEASE = "3.0.18"
+  RELEASE = "3.1.18"
 
   # Return the Rack release as a dotted string.
   def self.release

data/lib/rack.rb

@@ -15,10 +15,10 @@ require_relative 'rack/version'
 require_relative 'rack/constants'
 
 module Rack
+  autoload :BadRequest, "rack/bad_request"
   autoload :BodyProxy, "rack/body_proxy"
   autoload :Builder, "rack/builder"
   autoload :Cascade, "rack/cascade"
-  autoload :Chunked, "rack/chunked"
   autoload :CommonLogger, "rack/common_logger"
   autoload :ConditionalGet, "rack/conditional_get"
   autoload :Config, "rack/config"
@@ -28,7 +28,6 @@ module Rack
   autoload :Directory, "rack/directory"
   autoload :ETag, "rack/etag"
   autoload :Events, "rack/events"
-  autoload :File, "rack/file"
   autoload :Files, "rack/files"
   autoload :ForwardRequest, "rack/recursive"
   autoload :Head, "rack/head"
@@ -60,7 +59,6 @@ module Rack
 
   module Auth
     autoload :Basic, "rack/auth/basic"
-    autoload :Digest, "rack/auth/digest"
     autoload :AbstractHandler, "rack/auth/abstract/handler"
     autoload :AbstractRequest, "rack/auth/abstract/request"
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.18
+  version: 3.1.18
 platform: ruby
 authors:
 - Leah Neukirchen
 bindir: bin
 cert_chain: []
-date: 2025-05-22 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -75,9 +75,9 @@ email: leah@vuxu.org
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - CHANGELOG.md
 - CONTRIBUTING.md
+- README.md
 files:
 - CHANGELOG.md
 - CONTRIBUTING.md
@@ -88,15 +88,10 @@ files:
 - lib/rack/auth/abstract/handler.rb
 - lib/rack/auth/abstract/request.rb
 - lib/rack/auth/basic.rb
-- lib/rack/auth/digest.rb
-- lib/rack/auth/digest/md5.rb
-- lib/rack/auth/digest/nonce.rb
-- lib/rack/auth/digest/params.rb
-- lib/rack/auth/digest/request.rb
+- lib/rack/bad_request.rb
 - lib/rack/body_proxy.rb
 - lib/rack/builder.rb
 - lib/rack/cascade.rb
-- lib/rack/chunked.rb
 - lib/rack/common_logger.rb
 - lib/rack/conditional_get.rb
 - lib/rack/config.rb
@@ -107,7 +102,6 @@ files:
 - lib/rack/directory.rb
 - lib/rack/etag.rb
 - lib/rack/events.rb
-- lib/rack/file.rb
 - lib/rack/files.rb
 - lib/rack/head.rb
 - lib/rack/headers.rb
@@ -162,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []

data/lib/rack/auth/digest/md5.rb

@@ -1 +0,0 @@
-require_relative '../digest'

data/lib/rack/auth/digest/nonce.rb

@@ -1 +0,0 @@
-require_relative '../digest'

data/lib/rack/auth/digest/params.rb

@@ -1 +0,0 @@
-require_relative '../digest'

data/lib/rack/auth/digest/request.rb

@@ -1 +0,0 @@
-require_relative '../digest'

data/lib/rack/auth/digest.rb

@@ -1,256 +0,0 @@
-# frozen_string_literal: true
-
-require_relative 'abstract/handler'
-require_relative 'abstract/request'
-require 'digest/md5'
-require 'base64'
-
-module Rack
-  warn "Rack::Auth::Digest is deprecated and will be removed in Rack 3.1", uplevel: 1
-
-  module Auth
-    module Digest
-      # Rack::Auth::Digest::Nonce is the default nonce generator for the
-      # Rack::Auth::Digest::MD5 authentication handler.
-      #
-      # +private_key+ needs to set to a constant string.
-      #
-      # +time_limit+ can be optionally set to an integer (number of seconds),
-      # to limit the validity of the generated nonces.
-
-      class Nonce
-
-        class << self
-          attr_accessor :private_key, :time_limit
-        end
-
-        def self.parse(string)
-          new(*Base64.decode64(string).split(' ', 2))
-        end
-
-        def initialize(timestamp = Time.now, given_digest = nil)
-          @timestamp, @given_digest = timestamp.to_i, given_digest
-        end
-
-        def to_s
-          Base64.encode64("#{@timestamp} #{digest}").strip
-        end
-
-        def digest
-          ::Digest::MD5.hexdigest("#{@timestamp}:#{self.class.private_key}")
-        end
-
-        def valid?
-          digest == @given_digest
-        end
-
-        def stale?
-          !self.class.time_limit.nil? && (Time.now.to_i - @timestamp) > self.class.time_limit
-        end
-
-        def fresh?
-          !stale?
-        end
-
-      end
-
-      class Params < Hash
-
-        def self.parse(str)
-          Params[*split_header_value(str).map do |param|
-            k, v = param.split('=', 2)
-            [k, dequote(v)]
-          end.flatten]
-        end
-
-        def self.dequote(str) # From WEBrick::HTTPUtils
-          ret = (/\A"(.*)"\Z/ =~ str) ? $1 : str.dup
-          ret.gsub!(/\\(.)/, "\\1")
-          ret
-        end
-
-        def self.split_header_value(str)
-          str.scan(/\w+\=(?:"[^\"]+"|[^,]+)/n)
-        end
-
-        def initialize
-          super()
-
-          yield self if block_given?
-        end
-
-        def [](k)
-          super k.to_s
-        end
-
-        def []=(k, v)
-          super k.to_s, v.to_s
-        end
-
-        UNQUOTED = ['nc', 'stale']
-
-        def to_s
-          map do |k, v|
-            "#{k}=#{(UNQUOTED.include?(k) ? v.to_s : quote(v))}"
-          end.join(', ')
-        end
-
-        def quote(str) # From WEBrick::HTTPUtils
-          '"' + str.gsub(/[\\\"]/o, "\\\1") + '"'
-        end
-
-      end
-
-      class Request < Auth::AbstractRequest
-        def method
-          @env[RACK_METHODOVERRIDE_ORIGINAL_METHOD] || @env[REQUEST_METHOD]
-        end
-
-        def digest?
-          "digest" == scheme
-        end
-
-        def correct_uri?
-          request.fullpath == uri
-        end
-
-        def nonce
-          @nonce ||= Nonce.parse(params['nonce'])
-        end
-
-        def params
-          @params ||= Params.parse(parts.last)
-        end
-
-        def respond_to?(sym, *)
-          super or params.has_key? sym.to_s
-        end
-
-        def method_missing(sym, *args)
-          return super unless params.has_key?(key = sym.to_s)
-          return params[key] if args.size == 0
-          raise ArgumentError, "wrong number of arguments (#{args.size} for 0)"
-        end
-      end
-
-      # Rack::Auth::Digest::MD5 implements the MD5 algorithm version of
-      # HTTP Digest Authentication, as per RFC 2617.
-      #
-      # Initialize with the [Rack] application that you want protecting,
-      # and a block that looks up a plaintext password for a given username.
-      #
-      # +opaque+ needs to be set to a constant base64/hexadecimal string.
-      #
-      class MD5 < AbstractHandler
-
-        attr_accessor :opaque
-
-        attr_writer :passwords_hashed
-
-        def initialize(app, realm = nil, opaque = nil, &authenticator)
-          @passwords_hashed = nil
-          if opaque.nil? and realm.respond_to? :values_at
-            realm, opaque, @passwords_hashed = realm.values_at :realm, :opaque, :passwords_hashed
-          end
-          super(app, realm, &authenticator)
-          @opaque = opaque
-        end
-
-        def passwords_hashed?
-          !!@passwords_hashed
-        end
-
-        def call(env)
-          auth = Request.new(env)
-
-          unless auth.provided?
-            return unauthorized
-          end
-
-          if !auth.digest? || !auth.correct_uri? || !valid_qop?(auth)
-            return bad_request
-          end
-
-          if valid?(auth)
-            if auth.nonce.stale?
-              return unauthorized(challenge(stale: true))
-            else
-              env['REMOTE_USER'] = auth.username
-
-              return @app.call(env)
-            end
-          end
-
-          unauthorized
-        end
-
-
-        private
-
-        QOP = 'auth'
-
-        def params(hash = {})
-          Params.new do |params|
-            params['realm'] = realm
-            params['nonce'] = Nonce.new.to_s
-            params['opaque'] = H(opaque)
-            params['qop'] = QOP
-
-            hash.each { |k, v| params[k] = v }
-          end
-        end
-
-        def challenge(hash = {})
-          "Digest #{params(hash)}"
-        end
-
-        def valid?(auth)
-          valid_opaque?(auth) && valid_nonce?(auth) && valid_digest?(auth)
-        end
-
-        def valid_qop?(auth)
-          QOP == auth.qop
-        end
-
-        def valid_opaque?(auth)
-          H(opaque) == auth.opaque
-        end
-
-        def valid_nonce?(auth)
-          auth.nonce.valid?
-        end
-
-        def valid_digest?(auth)
-          pw = @authenticator.call(auth.username)
-          pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
-        end
-
-        def md5(data)
-          ::Digest::MD5.hexdigest(data)
-        end
-
-        alias :H :md5
-
-        def KD(secret, data)
-          H "#{secret}:#{data}"
-        end
-
-        def A1(auth, password)
-          "#{auth.username}:#{auth.realm}:#{password}"
-        end
-
-        def A2(auth)
-          "#{auth.method}:#{auth.uri}"
-        end
-
-        def digest(auth, password)
-          password_hash = passwords_hashed? ? password : H(A1(auth, password))
-
-          KD password_hash, "#{auth.nonce}:#{auth.nc}:#{auth.cnonce}:#{QOP}:#{H A2(auth)}"
-        end
-
-      end
-    end
-  end
-end
-