rack 3.0.9.1 → 3.1.8

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ebeaad43b1e4e691aa7123f2f0b0abb55bd4e8ccb062a048d3bc636c12780a1c
4
- data.tar.gz: 4db213c69e487539b15f2648019de339b3876bd9d9ab39a7e4948c6114a18546
3
+ metadata.gz: cd9b9438930771f3687ff42be3f3506df2faeea5d947d8ed4fa9e5eec1b5970c
4
+ data.tar.gz: 170b7d3e30e472e5a5403f9bb889f37b60e4e9eced41e94f97a88d848e5c2fb4
5
5
  SHA512:
6
- metadata.gz: 6c3afb608d9170593f0bc58120d60dcec9d4d3163e72a9805b8a48b2ebd8952a359dd56d2c2f48dc8673d2361647409a628b22073b4e07a6c070f60283265bb9
7
- data.tar.gz: fb304999e3568174cdcc7a2b0b43b3ba064448db1882142524b50332cd7d037a2ff44c7042f94a2b18da862ca4db6e43b6eb9ca71b6b73986e1359e4b294eb7c
6
+ metadata.gz: 0a5c0c56cda8181c7ec4e87a348b54a22938d4c450a9647fbbf07aaec37282ff89230d3964ba0dfd9f5bc7f7e60d99eaf704636de143704c5e9156120bd04624
7
+ data.tar.gz: eeef987e1c6dc77ff1fc40e5cc0e37bde704d354c62217a834e6a4d36828900a71dac09e591a9743273fc5ea678bf603d36c3e165f9c7dbfa1759301c42f957f
data/CHANGELOG.md CHANGED
@@ -2,11 +2,130 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
- ## Unreleased
5
+ ## [3.1.8] - 2024-10-14
6
+
7
+ - Resolve deprecation warnings about uri `DEFAULT_PARSER`. ([#2249](https://github.com/rack/rack/pull/2249), [@earlopain])
8
+
9
+ ## [3.1.7] - 2024-07-11
10
+
11
+ ### Fixed
12
+
13
+ - Do not remove escaped opening/closing quotes for content-disposition filenames. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
14
+ - Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. ([#2227](https://github.com/rack/rack/pull/2227), [@jeremyevans])
15
+ - `Rack::Response` should not generate invalid `content-length` header. ([#2219](https://github.com/rack/rack/pull/2219), [@ioquatix])
16
+ - Allow empty PATH_INFO. ([#2214](https://github.com/rack/rack/pull/2214), [@ioquatix])
17
+
18
+ ## [3.1.6] - 2024-07-03
19
+
20
+ ### Fixed
21
+
22
+ - Fix several edge cases in `Rack::Request#parse_http_accept_header`'s implementation. ([#2226](https://github.com/rack/rack/pull/2226), [@ioquatix])
23
+
24
+ ## [3.1.5] - 2024-07-02
25
+
26
+ ### Security
27
+
28
+ - Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
29
+
30
+ ## [3.1.4] - 2024-06-22
31
+
32
+ ### Fixed
33
+
34
+ - Fix `Rack::Lint` matching some paths incorrectly as authority form. ([#2220](https://github.com/rack/rack/pull/2220), [@ioquatix])
35
+
36
+ ## [3.1.3] - 2024-06-12
37
+
38
+ ### Fixed
39
+
40
+ - Fix passing non-strings to `Rack::Utils.escape_html`. ([#2202](https://github.com/rack/rack/pull/2202), [@earlopain])
41
+ - `Rack::MockResponse` gracefully handles empty cookies ([#2203](https://github.com/rack/rack/pull/2203) [@wynksaiddestroy])
42
+
43
+ ## [3.1.2] - 2024-06-11
44
+
45
+ - `Rack::Response` will take in to consideration chunked encoding responses ([#2204](https://github.com/rack/rack/pull/2204), [@tenderlove])
46
+
47
+ ## [3.1.1] - 2024-06-11
48
+
49
+ - Oops! I shouldn't have shipped that
50
+
51
+ ## [3.1.0] - 2024-06-11
52
+
53
+ :warning: **This release includes several breaking changes.** Refer to the **Removed** section below for the list of deprecated methods that have been removed in this release.
54
+
55
+ Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
56
+
57
+ ### SPEC Changes
58
+
59
+ - `rack.input` is now optional. ([#1997](https://github.com/rack/rack/pull/1997), [#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
60
+ - `PATH_INFO` is now validated according to the HTTP/1.1 specification. ([#2117](https://github.com/rack/rack/pull/2117), [#2181](https://github.com/rack/rack/pull/2181), [@ioquatix])
61
+ - `OPTIONS *` is now accepted. ([#2114](https://github.com/rack/rack/pull/2114), [@doriantaylor](https://github.com/doriantaylor))
62
+ - Introduce optional `rack.protocol` request and response header for handling connection upgrades. ([#1954](https://github.com/rack/rack/pull/1954), [@ioquatix])
63
+
64
+ ### Added
65
+
66
+ - Introduce `Rack::Multipart::MissingInputError` for improved handling of missing input in `#parse_multipart`. ([#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
67
+ - Introduce `module Rack::BadRequest` which is included in multipart and query parser errors. ([#2019](https://github.com/rack/rack/pull/2019), [@ioquatix])
68
+ - Add `.mjs` MIME type ([#2057](https://github.com/rack/rack/pull/2057), [@axilleas](https://github.com/axilleas))
69
+ - `set_cookie_header` utility now supports the `partitioned` cookie attribute. This is required by Chrome in some embedded contexts. ([#2131](https://github.com/rack/rack/pull/2131), [@flavio-b](https://github.com/flavio-b))
70
+ - Introduce `rack.early_hints` for sending `103 Early Hints` informational responses. ([#1831](https://github.com/rack/rack/pull/1831), [@casperisfine](https://github.com/casperisfine), [@jeremyevans])
71
+
72
+ ### Changed
73
+
74
+ - MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` ([`1bd0f15`](https://github.com/rack/rack/commit/1bd0f1597d8f4a90d47115f3e156a8ce7870c9c8), [@ioquatix])
75
+ - Update MIME types associated to `.ttf`, `.woff`, `.woff2` and `.otf` extensions to use mondern `font/*` types. ([#2065](https://github.com/rack/rack/pull/2065), [@davidstosik])
76
+ - `Rack::Utils.escape_html` is now delegated to `CGI.escapeHTML`. `'` is escaped to `#39;` instead of `#x27;`. (decimal vs hexadecimal) ([#2099](https://github.com/rack/rack/pull/2099), [@JunichiIto](https://github.com/JunichiIto))
77
+ - Clarify use of `@buffered` and only update `content-length` when `Rack::Response#finish` is invoked. ([#2149](https://github.com/rack/rack/pull/2149), [@ioquatix])
78
+
79
+ ### Deprecated
80
+
81
+ - Deprecate automatic cache invalidation in `Request#{GET,POST}` ([#2073](https://github.com/rack/rack/pull/2073), [@jeremyevans])
82
+ - Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. ([#2191](https://github.com/rack/rack/pull/2191), [@ioquatix])
83
+ - `Rack::Logger` is deprecated. ([#2197](https://github.com/rack/rack/pull/2197), [@ioquatix])
84
+ - Add fallback lookup and deprecation warning for obsolete status symbols. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
85
+ - Deprecate `Rack::Request#values_at`, use `request.params.values_at` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
86
+
87
+ ### Removed
88
+
89
+ - Remove deprecated `Rack::Auth::Digest` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
90
+ - Remove deprecated `Rack::Cascade::NotFound` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
91
+ - Remove deprecated `Rack::Chunked` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
92
+ - Remove deprecated `Rack::File`, use `Rack::Files` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
93
+ - Remove deprecated `Rack::QueryParser` `key_space_limit` parameter with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
94
+ - Remove deprecated `Rack::Response#header`, use `Rack::Response#headers` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
95
+ - Remove deprecated cookie methods from `Rack::Utils`: `add_cookie_to_header`, `make_delete_cookie_header`, `add_remove_cookie_to_header`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
96
+ - Remove deprecated `Rack::Utils::HeaderHash`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
97
+ - Remove deprecated `Rack::VERSION`, `Rack::VERSION_STRING`, `Rack.version`, use `Rack.release` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
98
+ - Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
99
+ - Remove any dependency on `transfer-encoding: chunked`. ([#2195](https://github.com/rack/rack/pull/2195), [@ioquatix])
100
+ - Remove deprecated `Rack::Request#[]`, use `request.params[key]` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
101
+
102
+ ### Fixed
103
+
104
+ - In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
105
+
106
+ ## [3.0.11] - 2024-05-10
107
+
108
+ - Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
109
+
110
+ ## [3.0.10] - 2024-03-21
111
+
112
+ - Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. ([#2164](https://github.com/rack/rack/pull/2164), [@JoeDupuis](https://github.com/JoeDupuis))
113
+
114
+ ## [3.0.9.1] - 2024-02-21
115
+
116
+ ### Security
117
+
118
+ * [CVE-2024-26146] Fixed ReDoS in Accept header parsing
119
+ * [CVE-2024-25126] Fixed ReDoS in Content Type header parsing
120
+ * [CVE-2024-26141] Reject Range headers which are too large
121
+
122
+ [CVE-2024-26146]: https://github.com/advisories/GHSA-54rr-7fvw-6x8f
123
+ [CVE-2024-25126]: https://github.com/advisories/GHSA-22f2-v57c-j9cx
124
+ [CVE-2024-26141]: https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
6
125
 
7
126
  ## [3.0.9] - 2024-01-31
8
127
 
9
- - Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson])
128
+ - Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson](https://github.com/mattbrictson))
10
129
 
11
130
  ## [3.0.8] - 2023-06-14
12
131
 
@@ -18,6 +137,8 @@ All notable changes to this project will be documented in this file. For info on
18
137
 
19
138
  ## [3.0.6.1] - 2023-03-13
20
139
 
140
+ ### Security
141
+
21
142
  - [CVE-2023-27539] Avoid ReDoS in header parsing
22
143
 
23
144
  ## [3.0.6] - 2023-03-13
@@ -28,12 +149,16 @@ All notable changes to this project will be documented in this file. For info on
28
149
 
29
150
  - Split form/query parsing into two steps. ([#2038](https://github.com/rack/rack/pull/2038), [@matthewd](https://github.com/matthewd))
30
151
 
31
- ## [3.0.4.1] - 2023-03-02
152
+ ## [3.0.4.2] - 2023-03-02
153
+
154
+ ### Security
32
155
 
33
156
  - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
34
157
 
35
158
  ## [3.0.4.1] - 2023-01-17
36
159
 
160
+ ### Security
161
+
37
162
  - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
38
163
  - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
39
164
  - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
@@ -106,7 +231,7 @@ All notable changes to this project will be documented in this file. For info on
106
231
  - Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
107
232
  - Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
108
233
  - Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
109
- - Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
234
+ - Extract `rackup` command, `Rack::Server`, `Rack::Handler`, `Rack::Lobster` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
110
235
 
111
236
  ### Added
112
237
 
@@ -161,6 +286,8 @@ All notable changes to this project will be documented in this file. For info on
161
286
 
162
287
  ## [2.2.3.1] - 2022-05-27
163
288
 
289
+ ### Security
290
+
164
291
  - [CVE-2022-30123] Fix shell escaping issue in Common Logger
165
292
  - [CVE-2022-30122] Restrict parsing of broken MIME attachments
166
293
 
@@ -868,3 +995,4 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
868
995
  [@amatsuda]: https://github.com/amatsuda "Akira Matsuda"
869
996
  [@wjordan]: https://github.com/wjordan "Will Jordan"
870
997
  [@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
998
+ [@davidstosik]: https://github.com/davidstosik "David Stosik"
data/CONTRIBUTING.md CHANGED
@@ -5,6 +5,15 @@ contributors](https://github.com/rack/rack/graphs/contributors). You're
5
5
  encouraged to submit [pull requests](https://github.com/rack/rack/pulls) and
6
6
  [propose features and discuss issues](https://github.com/rack/rack/issues).
7
7
 
8
+ ## Backports
9
+
10
+ Only security patches are ideal for backporting to non-main release versions. If
11
+ you're not sure if your bug fix is backportable, you should open a discussion to
12
+ discuss it first.
13
+
14
+ The [Security Policy] documents which release versions will receive security
15
+ backports.
16
+
8
17
  ## Fork the Project
9
18
 
10
19
  Fork the [project on GitHub](https://github.com/rack/rack) and check out your
@@ -27,15 +36,6 @@ git pull upstream main
27
36
  git checkout -b my-feature-branch
28
37
  ```
29
38
 
30
- ## Bundle Install and Quick Test
31
-
32
- Ensure that you can build the project and run quick tests.
33
-
34
- ```
35
- bundle install --without extra
36
- bundle exec rake test
37
- ```
38
-
39
39
  ## Running All Tests
40
40
 
41
41
  Install all dependencies.
@@ -140,3 +140,5 @@ there!
140
140
 
141
141
  Please do know that we really appreciate and value your time and work. We love
142
142
  you, really.
143
+
144
+ [Security Policy]: SECURITY.md
data/README.md CHANGED
@@ -1,10 +1,5 @@
1
1
  # ![Rack](contrib/logo.webp)
2
2
 
3
- > **_NOTE:_** Rack v3.0.0 was recently released. Please check the [Upgrade
4
- > Guide](UPGRADE-GUIDE.md) for more details about migrating your existing
5
- > servers, middlewares and applications. For detailed information on specific
6
- > changes, check the [Change Log](CHANGELOG.md).
7
-
8
3
  Rack provides a minimal, modular, and adaptable interface for developing web
9
4
  applications in Ruby. By wrapping HTTP requests and responses in the simplest
10
5
  way possible, it unifies and distills the bridge between web servers, web
@@ -13,6 +8,32 @@ frameworks, and web application into a single method call.
13
8
  The exact details of this are described in the [Rack Specification], which all
14
9
  Rack applications should conform to.
15
10
 
11
+ ## Version support
12
+
13
+ | Version | Support |
14
+ |----------|------------------------------------|
15
+ | 3.0.x | Bug fixes and security patches. |
16
+ | 2.2.x | Security patches only. |
17
+ | <= 2.1.x | End of support. |
18
+
19
+ Please see the [Security Policy] for more information.
20
+
21
+ ## Rack 3.0
22
+
23
+ This is the latest version of Rack. It contains API improvements but also some
24
+ breaking changes. Please check the [Upgrade Guide](UPGRADE-GUIDE.md) for more
25
+ details about migrating servers, middlewares and applications designed for Rack 2
26
+ to Rack 3. For detailed information on specific changes, check the [Change Log](CHANGELOG.md).
27
+
28
+ ## Rack 2.2
29
+
30
+ This version of Rack is receiving security patches only, and effort should be
31
+ made to move to Rack 3.
32
+
33
+ Starting in Ruby 3.4 the `base64` dependency will no longer be a default gem,
34
+ and may cause a warning or error about `base64` being missing. To correct this,
35
+ add `base64` as a dependency to your project.
36
+
16
37
  ## Installation
17
38
 
18
39
  Add the rack gem to your application bundle, or follow the instructions provided
@@ -20,10 +41,10 @@ by a [supported web framework](#supported-web-frameworks):
20
41
 
21
42
  ```bash
22
43
  # Install it generally:
23
- $ gem install rack --pre
44
+ $ gem install rack
24
45
 
25
46
  # or, add it to your current application gemfile:
26
- $ bundle add rack --version 3.0.0
47
+ $ bundle add rack
27
48
  ```
28
49
 
29
50
  If you need features from `Rack::Session` or `bin/rackup` please add those gems separately.
@@ -57,7 +78,7 @@ Hello World
57
78
  Rack is supported by a wide range of servers, including:
58
79
 
59
80
  * [Agoo](https://github.com/ohler55/agoo)
60
- * [Falcon](https://github.com/socketry/falcon) **(Rack 3 Compatible)**
81
+ * [Falcon](https://github.com/socketry/falcon)
61
82
  * [Iodine](https://github.com/boazsegev/iodine)
62
83
  * [NGINX Unit](https://unit.nginx.org/)
63
84
  * [Phusion Passenger](https://www.phusionpassenger.com/) (which is mod_rack for
@@ -84,18 +105,15 @@ These frameworks and many others support the [Rack Specification]:
84
105
 
85
106
  * [Camping](https://github.com/camping/camping)
86
107
  * [Hanami](https://hanamirb.org/)
108
+ * [Ramaze](https://github.com/ramaze/ramaze)
87
109
  * [Padrino](https://padrinorb.com/)
88
- * [Roda](https://github.com/jeremyevans/roda) **(Rack 3 Compatible)**
110
+ * [Roda](https://github.com/jeremyevans/roda)
89
111
  * [Ruby on Rails](https://rubyonrails.org/)
112
+ * [Rum](https://github.com/leahneukirchen/rum)
90
113
  * [Sinatra](https://sinatrarb.com/)
91
- * [Utopia](https://github.com/socketry/utopia) **(Rack 3 Compatible)**
114
+ * [Utopia](https://github.com/socketry/utopia)
92
115
  * [WABuR](https://github.com/ohler55/wabur)
93
116
 
94
- ### Older (possibly unsupported) web frameworks
95
-
96
- * [Ramaze](http://ramaze.net/)
97
- * [Rum](https://github.com/leahneukirchen/rum)
98
-
99
117
  ## Available middleware shipped with Rack
100
118
 
101
119
  Between the server and the framework, Rack can be customized to your
@@ -307,3 +325,4 @@ would like to thank:
307
325
  Rack is released under the [MIT License](MIT-LICENSE).
308
326
 
309
327
  [Rack Specification]: SPEC.rdoc
328
+ [Security Policy]: SECURITY.md
data/SPEC.rdoc CHANGED
@@ -82,6 +82,10 @@ Rack-specific variables:
82
82
  <tt>rack.hijack</tt>:: See below, if present, an object responding
83
83
  to +call+ that is used to perform a full
84
84
  hijack.
85
+ <tt>rack.protocol</tt>:: An optional +Array+ of +String+, containing
86
+ the protocols advertised by the client in
87
+ the +upgrade+ header (HTTP/1) or the
88
+ +:protocol+ pseudo-header (HTTP/2).
85
89
  Additional environment specifications have approved to
86
90
  standardized middleware APIs. None of these are required to
87
91
  be implemented by the server.
@@ -112,7 +116,6 @@ The <tt>SERVER_PORT</tt> must be an Integer if set.
112
116
  The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
113
117
  The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
114
118
  The <tt>SERVER_PROTOCOL</tt> must match the regexp <tt>HTTP/\d(\.\d)?</tt>.
115
- If the <tt>HTTP_VERSION</tt> is present, it must equal the <tt>SERVER_PROTOCOL</tt>.
116
119
  The environment must not contain the keys
117
120
  <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
118
121
  (use the versions without <tt>HTTP_</tt>).
@@ -121,12 +124,17 @@ If the string values for CGI keys contain non-ASCII characters,
121
124
  they should use ASCII-8BIT encoding.
122
125
  There are the following restrictions:
123
126
  * <tt>rack.url_scheme</tt> must either be +http+ or +https+.
124
- * There must be a valid input stream in <tt>rack.input</tt>.
127
+ * There may be a valid input stream in <tt>rack.input</tt>.
125
128
  * There must be a valid error stream in <tt>rack.errors</tt>.
126
129
  * There may be a valid hijack callback in <tt>rack.hijack</tt>
130
+ * There may be a valid early hints callback in <tt>rack.early_hints</tt>
127
131
  * The <tt>REQUEST_METHOD</tt> must be a valid token.
128
132
  * The <tt>SCRIPT_NAME</tt>, if non-empty, must start with <tt>/</tt>
129
- * The <tt>PATH_INFO</tt>, if non-empty, must start with <tt>/</tt>
133
+ * The <tt>PATH_INFO</tt>, if provided, must be a valid request target or an empty string.
134
+ * Only <tt>OPTIONS</tt> requests may have <tt>PATH_INFO</tt> set to <tt>*</tt> (asterisk-form).
135
+ * Only <tt>CONNECT</tt> requests may have <tt>PATH_INFO</tt> set to an authority (authority-form). Note that in HTTP/2+, the authority-form is not a valid request target.
136
+ * <tt>CONNECT</tt> and <tt>OPTIONS</tt> requests must not have <tt>PATH_INFO</tt> set to a URI (absolute-form).
137
+ * Otherwise, <tt>PATH_INFO</tt> must start with a <tt>/</tt> and must not include a fragment part starting with '#' (origin-form).
130
138
  * The <tt>CONTENT_LENGTH</tt>, if given, must consist of digits only.
131
139
  * One of <tt>SCRIPT_NAME</tt> or <tt>PATH_INFO</tt> must be
132
140
  set. <tt>PATH_INFO</tt> should be <tt>/</tt> if
@@ -144,11 +152,11 @@ exceptions. They should be invoked in reverse order of registration.
144
152
  The input stream is an IO-like object which contains the raw HTTP
145
153
  POST data.
146
154
  When applicable, its external encoding must be "ASCII-8BIT" and it
147
- must be opened in binary mode, for Ruby 1.9 compatibility.
155
+ must be opened in binary mode.
148
156
  The input stream must respond to +gets+, +each+, and +read+.
149
157
  * +gets+ must be called without arguments and return a string,
150
158
  or +nil+ on EOF.
151
- * +read+ behaves like IO#read.
159
+ * +read+ behaves like <tt>IO#read</tt>.
152
160
  Its signature is <tt>read([length, [buffer]])</tt>.
153
161
 
154
162
  If given, +length+ must be a non-negative Integer (>= 0) or +nil+,
@@ -166,8 +174,8 @@ The input stream must respond to +gets+, +each+, and +read+.
166
174
  If +buffer+ is given, then the read data will be placed
167
175
  into +buffer+ instead of a newly created String object.
168
176
  * +each+ must be called without arguments and only yield Strings.
169
- * +close+ can be called on the input stream to indicate that the
170
- any remaining input is not needed.
177
+ * +close+ can be called on the input stream to indicate that
178
+ any remaining input is not needed.
171
179
 
172
180
  === The Error Stream
173
181
 
@@ -228,6 +236,16 @@ instance is recommended.
228
236
 
229
237
  The special response header +rack.hijack+ must only be set
230
238
  if the request +env+ has a truthy +rack.hijack?+.
239
+
240
+ === Early Hints
241
+
242
+ The application or any middleware may call the <tt>rack.early_hints</tt>
243
+ with an object which would be valid as the headers of a Rack response.
244
+
245
+ If <tt>rack.early_hints</tt> is present, it must respond to #call.
246
+ If <tt>rack.early_hints</tt> is called, it must be called with
247
+ valid Rack response headers.
248
+
231
249
  == The Response
232
250
 
233
251
  === The Status
@@ -249,16 +267,26 @@ Header values must be either a String instance,
249
267
  or an Array of String instances,
250
268
  such that each String instance must not contain characters below 037.
251
269
 
252
- === The content-type
270
+ ==== The +content-type+ Header
253
271
 
254
272
  There must not be a <tt>content-type</tt> header key when the +Status+ is 1xx,
255
273
  204, or 304.
256
274
 
257
- === The content-length
275
+ ==== The +content-length+ Header
258
276
 
259
277
  There must not be a <tt>content-length</tt> header key when the
260
278
  +Status+ is 1xx, 204, or 304.
261
279
 
280
+ ==== The +rack.protocol+ Header
281
+
282
+ If the +rack.protocol+ header is present, it must be a +String+, and
283
+ must be one of the values from the +rack.protocol+ array from the
284
+ environment.
285
+
286
+ Setting this value informs the server that it should perform a
287
+ connection upgrade. In HTTP/1, this is done using the +upgrade+
288
+ header. In HTTP/2, this is done by accepting the request.
289
+
262
290
  === The Body
263
291
 
264
292
  The Body is typically an +Array+ of +String+ instances, an enumerable
@@ -301,12 +329,9 @@ the body.
301
329
 
302
330
  The Enumerable Body must respond to +each+.
303
331
  It must only be called once.
304
- It must not be called after being closed.
332
+ It must not be called after being closed,
305
333
  and must only yield String values.
306
334
 
307
- The Body itself should not be an instance of String, as this will
308
- break in Ruby 1.9.
309
-
310
335
  Middleware must not call +each+ directly on the Body.
311
336
  Instead, middleware can return a new Body that calls +each+ on the
312
337
  original Body, yielding at least once per iteration.
@@ -2,7 +2,6 @@
2
2
 
3
3
  require_relative 'abstract/handler'
4
4
  require_relative 'abstract/request'
5
- require 'base64'
6
5
 
7
6
  module Rack
8
7
  module Auth
@@ -46,7 +45,7 @@ module Rack
46
45
  end
47
46
 
48
47
  def credentials
49
- @credentials ||= Base64.decode64(params).split(':', 2)
48
+ @credentials ||= params.unpack1('m').split(':', 2)
50
49
  end
51
50
 
52
51
  def username
@@ -0,0 +1,8 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Rack
4
+ # Represents a 400 Bad Request error when input data fails to meet the
5
+ # requirements.
6
+ module BadRequest
7
+ end
8
+ end
@@ -15,7 +15,12 @@ module Rack
15
15
 
16
16
  # Return whether the wrapped body responds to the method.
17
17
  def respond_to_missing?(method_name, include_all = false)
18
- super or @body.respond_to?(method_name, include_all)
18
+ case method_name
19
+ when :to_str
20
+ false
21
+ else
22
+ super or @body.respond_to?(method_name, include_all)
23
+ end
19
24
  end
20
25
 
21
26
  # If not already closed, close the wrapped body and
@@ -38,7 +43,18 @@ module Rack
38
43
 
39
44
  # Delegate missing methods to the wrapped body.
40
45
  def method_missing(method_name, *args, &block)
41
- @body.__send__(method_name, *args, &block)
46
+ case method_name
47
+ when :to_str
48
+ super
49
+ when :to_ary
50
+ begin
51
+ @body.__send__(method_name, *args, &block)
52
+ ensure
53
+ close
54
+ end
55
+ else
56
+ @body.__send__(method_name, *args, &block)
57
+ end
42
58
  end
43
59
  # :nocov:
44
60
  ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
data/lib/rack/builder.rb CHANGED
@@ -2,6 +2,9 @@
2
2
 
3
3
  require_relative 'urlmap'
4
4
 
5
+ module Rack; end
6
+ Rack::BUILDER_TOPLEVEL_BINDING = ->(builder){builder.instance_eval{binding}}
7
+
5
8
  module Rack
6
9
  # Rack::Builder provides a domain-specific language (DSL) to construct Rack
7
10
  # applications. It is primarily used to parse +config.ru+ files which
@@ -53,15 +56,15 @@ module Rack
53
56
  # Rack::Builder.parse_file('app.rb')
54
57
  # # requires app.rb, which can be anywhere in Ruby's
55
58
  # # load path. After requiring, assumes App constant
56
- # # contains Rack application
59
+ # # is a Rack application
57
60
  #
58
61
  # Rack::Builder.parse_file('./my_app.rb')
59
62
  # # requires ./my_app.rb, which should be in the
60
63
  # # process's current directory. After requiring,
61
- # # assumes MyApp constant contains Rack application
62
- def self.parse_file(path)
64
+ # # assumes MyApp constant is a Rack application
65
+ def self.parse_file(path, **options)
63
66
  if path.end_with?('.ru')
64
- return self.load_file(path)
67
+ return self.load_file(path, **options)
65
68
  else
66
69
  require path
67
70
  return Object.const_get(::File.basename(path, '.rb').split('_').map(&:capitalize).join(''))
@@ -81,7 +84,7 @@ module Rack
81
84
  # use Rack::ContentLength
82
85
  # require './app.rb'
83
86
  # run App
84
- def self.load_file(path)
87
+ def self.load_file(path, **options)
85
88
  config = ::File.read(path)
86
89
  config.slice!(/\A#{UTF_8_BOM}/) if config.encoding == Encoding::UTF_8
87
90
 
@@ -91,16 +94,18 @@ module Rack
91
94
 
92
95
  config.sub!(/^__END__\n.*\Z/m, '')
93
96
 
94
- return new_from_string(config, path)
97
+ return new_from_string(config, path, **options)
95
98
  end
96
99
 
97
100
  # Evaluate the given +builder_script+ string in the context of
98
101
  # a Rack::Builder block, returning a Rack application.
99
- def self.new_from_string(builder_script, file = "(rackup)")
102
+ def self.new_from_string(builder_script, path = "(rackup)", **options)
103
+ builder = self.new(**options)
104
+
100
105
  # We want to build a variant of TOPLEVEL_BINDING with self as a Rack::Builder instance.
101
106
  # We cannot use instance_eval(String) as that would resolve constants differently.
102
- binding, builder = TOPLEVEL_BINDING.eval('Rack::Builder.new.instance_eval { [binding, self] }')
103
- eval builder_script, binding, file
107
+ binding = BUILDER_TOPLEVEL_BINDING.call(builder)
108
+ eval(builder_script, binding, path)
104
109
 
105
110
  return builder.to_app
106
111
  end
@@ -108,16 +113,24 @@ module Rack
108
113
  # Initialize a new Rack::Builder instance. +default_app+ specifies the
109
114
  # default application if +run+ is not called later. If a block
110
115
  # is given, it is evaluated in the context of the instance.
111
- def initialize(default_app = nil, &block)
116
+ def initialize(default_app = nil, **options, &block)
112
117
  @use = []
113
118
  @map = nil
114
119
  @run = default_app
115
120
  @warmup = nil
116
121
  @freeze_app = false
122
+ @options = options
117
123
 
118
124
  instance_eval(&block) if block_given?
119
125
  end
120
126
 
127
+ # Any options provided to the Rack::Builder instance at initialization.
128
+ # These options can be server-specific. Some general options are:
129
+ #
130
+ # * +:isolation+: One of +process+, +thread+ or +fiber+. The execution
131
+ # isolation model to use.
132
+ attr :options
133
+
121
134
  # Create a new Rack::Builder instance and return the Rack application
122
135
  # generated from it.
123
136
  def self.app(default_app = nil, &block)
data/lib/rack/cascade.rb CHANGED
@@ -9,9 +9,6 @@ module Rack
9
9
  # status codes, return the last response.
10
10
 
11
11
  class Cascade
12
- # deprecated, no longer used
13
- NotFound = [404, { CONTENT_TYPE => "text/plain" }, []]
14
-
15
12
  # An array of applications to try in order.
16
13
  attr_reader :apps
17
14
 
@@ -32,6 +32,7 @@ module Rack
32
32
  DELETE = 'DELETE'
33
33
  HEAD = 'HEAD'
34
34
  OPTIONS = 'OPTIONS'
35
+ CONNECT = 'CONNECT'
35
36
  LINK = 'LINK'
36
37
  UNLINK = 'UNLINK'
37
38
  TRACE = 'TRACE'
@@ -39,6 +40,7 @@ module Rack
39
40
  # Rack environment variables
40
41
  RACK_VERSION = 'rack.version'
41
42
  RACK_TEMPFILES = 'rack.tempfiles'
43
+ RACK_EARLY_HINTS = 'rack.early_hints'
42
44
  RACK_ERRORS = 'rack.errors'
43
45
  RACK_LOGGER = 'rack.logger'
44
46
  RACK_INPUT = 'rack.input'
@@ -54,6 +56,7 @@ module Rack
54
56
  RACK_RESPONSE_FINISHED = 'rack.response_finished'
55
57
  RACK_REQUEST_FORM_INPUT = 'rack.request.form_input'
56
58
  RACK_REQUEST_FORM_HASH = 'rack.request.form_hash'
59
+ RACK_REQUEST_FORM_PAIRS = 'rack.request.form_pairs'
57
60
  RACK_REQUEST_FORM_VARS = 'rack.request.form_vars'
58
61
  RACK_REQUEST_FORM_ERROR = 'rack.request.form_error'
59
62
  RACK_REQUEST_COOKIE_HASH = 'rack.request.cookie_hash'