rack 3.1.16 → 3.2.3

data/lib/rack/sendfile.rb

@@ -16,21 +16,21 @@ module Rack
   # delivery code.
   #
   # In order to take advantage of this middleware, the response body must
-  # respond to +to_path+ and the request must include an x-sendfile-type
+  # respond to +to_path+ and the request must include an `x-sendfile-type`
   # header. Rack::Files and other components implement +to_path+ so there's
-  # rarely anything you need to do in your application. The x-sendfile-type
+  # rarely anything you need to do in your application. The `x-sendfile-type`
   # header is typically set in your web servers configuration. The following
   # sections attempt to document
   #
   # === Nginx
   #
-  # Nginx supports the x-accel-redirect header. This is similar to x-sendfile
+  # Nginx supports the `x-accel-redirect` header. This is similar to `x-sendfile`
   # but requires parts of the filesystem to be mapped into a private URL
   # hierarchy.
   #
   # The following example shows the Nginx configuration required to create
-  # a private "/files/" area, enable x-accel-redirect, and pass the special
-  # x-sendfile-type and x-accel-mapping headers to the backend:
+  # a private "/files/" area, enable `x-accel-redirect`, and pass the special
+  # `x-accel-mapping` header to the backend:
   #
   #   location ~ /files/(.*) {
   #     internal;
@@ -44,24 +44,29 @@ module Rack
   #     proxy_set_header   X-Real-IP           $remote_addr;
   #     proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
   #
-  #     proxy_set_header   x-sendfile-type     x-accel-redirect;
   #     proxy_set_header   x-accel-mapping     /var/www/=/files/;
   #
   #     proxy_pass         http://127.0.0.1:8080/;
   #   }
   #
-  # Note that the x-sendfile-type header must be set exactly as shown above.
-  # The x-accel-mapping header should specify the location on the file system,
+  # The `x-accel-mapping` header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
   # that it maps to. The middleware performs a simple substitution on the
   # resulting path.
   #
+  # To enable `x-accel-redirect`, you must configure the middleware explicitly:
+  #
+  #   use Rack::Sendfile, "x-accel-redirect"
+  #
+  # For security reasons, the `x-sendfile-type` header from requests is ignored.
+  # The sendfile variation must be set via the middleware constructor.
+  #
   # See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
   #
   # === lighttpd
   #
-  # Lighttpd has supported some variation of the x-sendfile header for some
-  # time, although only recent version support x-sendfile in a reverse proxy
+  # Lighttpd has supported some variation of the `x-sendfile` header for some
+  # time, although only recent version support `x-sendfile` in a reverse proxy
   # configuration.
   #
   #   $HTTP["host"] == "example.com" {
@@ -83,7 +88,7 @@ module Rack
   #
   # === Apache
   #
-  # x-sendfile is supported under Apache 2.x using a separate module:
+  # `x-sendfile` is supported under Apache 2.x using a separate module:
   #
   # https://tn123.org/mod_xsendfile/
   #
@@ -97,16 +102,28 @@ module Rack
   # === Mapping parameter
   #
   # The third parameter allows for an overriding extension of the
-  # x-accel-mapping header. Mappings should be provided in tuples of internal to
+  # `x-accel-mapping` header. Mappings should be provided in tuples of internal to
   # external. The internal values may contain regular expression syntax, they
   # will be matched with case indifference.
+  #
+  # When `x-accel-redirect` is explicitly enabled via the variation parameter,
+  # and no application-level mappings are provided, the middleware will read
+  # the `x-accel-mapping` header from the proxy. This allows nginx to control
+  # the path mapping without requiring application-level configuration.
+  #
+  # === Security
+  #
+  # For security reasons, the `x-sendfile-type` header from HTTP requests is
+  # ignored. The sendfile variation must be explicitly configured via the
+  # middleware constructor to prevent information disclosure vulnerabilities
+  # where attackers could bypass proxy restrictions.
 
   class Sendfile
     def initialize(app, variation = nil, mappings = [])
       @app = app
       @variation = variation
       @mappings = mappings.map do |internal, external|
-        [/^#{internal}/i, external]
+        [/\A#{internal}/i, external]
       end
     end
 
@@ -145,22 +162,35 @@ module Rack
     end
 
     private
+
     def variation(env)
-      @variation ||
-        env['sendfile.type'] ||
-        env['HTTP_X_SENDFILE_TYPE']
+      # Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
+      # Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
+      @variation || env['sendfile.type']
+    end
+
+    def x_accel_mapping(env)
+      # Only allow header when:
+      # 1. `x-accel-redirect` is explicitly enabled via constructor.
+      # 2. No application-level mappings are configured.
+      return nil unless @variation =~ /x-accel-redirect/i
+      return nil if @mappings.any?
+      
+      env['HTTP_X_ACCEL_MAPPING']
     end
 
     def map_accel_path(env, path)
       if mapping = @mappings.find { |internal, _| internal =~ path }
-        path.sub(*mapping)
-      elsif mapping = env['HTTP_X_ACCEL_MAPPING']
+        return path.sub(*mapping)
+      elsif mapping = x_accel_mapping(env)
+        # Safe to use header: explicit config + no app mappings:
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/^#{internal}/i, external)
+          new_path = path.sub(/\A#{internal}/i, external)
           return new_path unless path == new_path
         end
-        path
+
+        return path
       end
     end
   end

data/lib/rack/show_exceptions.rb

@@ -65,8 +65,12 @@ module Rack
     def dump_exception(exception)
       if exception.respond_to?(:detailed_message)
         message = exception.detailed_message(highlight: false)
+      # :nocov:
+      # Ruby 3.2 added Exception#detailed_message, so the else
+      # branch cannot be hit on the current Ruby version.
       else
         message = exception.message
+      # :nocov:
       end
       string = "#{exception.class}: #{message}\n".dup
       string << exception.backtrace.map { |l| "\t#{l}" }.join("\n")
@@ -401,7 +405,5 @@ module Rack
       </body>
       </html>
     HTML
-
-    # :startdoc:
   end
 end

data/lib/rack/show_status.rb

@@ -117,7 +117,5 @@ TEMPLATE = <<'HTML'
 </body>
 </html>
 HTML
-
-    # :startdoc:
   end
 end

data/lib/rack/utils.rb

@@ -181,12 +181,16 @@ module Rack
     # doesn't get monkey-patched by rails
     if defined?(ERB::Escape) && ERB::Escape.instance_method(:html_escape)
       define_method(:escape_html, ERB::Escape.instance_method(:html_escape))
+    # :nocov:
+    # Ruby 3.2/ERB 4.0 added ERB::Escape#html_escape, so the else
+    # branch cannot be hit on the current Ruby version.
     else
       require 'cgi/escape'
       # Escape ampersands, brackets and quotes to their HTML/XML entities.
       def escape_html(string)
         CGI.escapeHTML(string.to_s)
       end
+    # :nocov:
     end
 
     def select_best_encoding(available_encodings, accept_encoding)
@@ -254,26 +258,18 @@ module Rack
       parse_cookies_header env[HTTP_COOKIE]
     end
 
-    # A valid cookie key according to RFC2616.
+    # A valid cookie key according to RFC6265 and RFC2616.
     # A <cookie-name> can be any US-ASCII characters, except control characters, spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " / [ ] ? = { }.
     VALID_COOKIE_KEY = /\A[!#$%&'*+\-\.\^_`|~0-9a-zA-Z]+\z/.freeze
     private_constant :VALID_COOKIE_KEY
 
-    private def escape_cookie_key(key)
-      if key =~ VALID_COOKIE_KEY
-        key
-      else
-        warn "Cookie key #{key.inspect} is not valid according to RFC2616; it will be escaped. This behaviour is deprecated and will be removed in a future version of Rack.", uplevel: 2
-        escape(key)
-      end
-    end
-
     # :call-seq:
     #   set_cookie_header(key, value) -> encoded string
     #
     # Generate an encoded string using the provided +key+ and +value+ suitable
     # for the +set-cookie+ header according to RFC6265. The +value+ may be an
-    # instance of either +String+ or +Hash+.
+    # instance of either +String+ or +Hash+. If the cookie key is invalid (as
+    # defined by RFC6265), an +ArgumentError+ will be raised.
     #
     # If the cookie +value+ is an instance of +Hash+, it considers the following
     # cookie attribute keys: +domain+, +max_age+, +expires+ (must be instance
@@ -281,10 +277,6 @@ module Rack
     # details about the interpretation of these fields, consult
     # [RFC6265 Section 5.2](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2).
     #
-    # An extra cookie attribute +escape_key+ can be provided to control whether
-    # or not the cookie key is URL encoded. If explicitly set to +false+, the
-    # cookie key name will not be url encoded (escaped). The default is +true+.
-    #
     #   set_cookie_header("myname", "myvalue")
     #   # => "myname=myvalue"
     #
@@ -292,9 +284,12 @@ module Rack
     #   # => "myname=myvalue; max-age=10"
     #
     def set_cookie_header(key, value)
+      unless key =~ VALID_COOKIE_KEY
+        raise ArgumentError, "invalid cookie key: #{key.inspect}"
+      end
+
       case value
       when Hash
-        key = escape_cookie_key(key) unless value[:escape_key] == false
         domain  = "; domain=#{value[:domain]}"   if value[:domain]
         path    = "; path=#{value[:path]}"       if value[:path]
         max_age = "; max-age=#{value[:max_age]}" if value[:max_age]
@@ -316,8 +311,6 @@ module Rack
           end
         partitioned = "; partitioned" if value[:partitioned]
         value = value[:value]
-      else
-        key = escape_cookie_key(key)
       end
 
       value = [value] unless Array === value
@@ -416,7 +409,7 @@ module Rack
       return nil if size.zero?
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
-      $1.split(/,\s*/).each do |range_spec|
+      $1.split(/,[ \t]*/).each do |range_spec|
         return nil unless range_spec.include?('-')
         range = range_spec.split('-')
         r0, r1 = range[0], range[1]
@@ -592,11 +585,9 @@ module Rack
           fallback_code = OBSOLETE_SYMBOLS_TO_STATUS_CODES.fetch(status) { raise ArgumentError, "Unrecognized status code #{status.inspect}" }
           message = "Status code #{status.inspect} is deprecated and will be removed in a future version of Rack."
           if canonical_symbol = OBSOLETE_SYMBOL_MAPPINGS[status]
-            # message = "#{message} Please use #{canonical_symbol.inspect} instead."
-            # For now, let's not emit any warning when there is a mapping.
-          else
-            warn message, uplevel: 3
+            message = "#{message} Please use #{canonical_symbol.inspect} instead."
           end
+          warn message, uplevel: 3
           fallback_code
         end
       else

data/lib/rack/version.rb

@@ -5,17 +5,13 @@
 # Rack is freely distributable under the terms of an MIT-style license.
 # See MIT-LICENSE or https://opensource.org/licenses/MIT.
 
-# The Rack main module, serving as a namespace for all core Rack
-# modules and classes.
-#
-# All modules meant for use in your application are <tt>autoload</tt>ed here,
-# so it should be enough just to <tt>require 'rack'</tt> in your code.
-
 module Rack
-  RELEASE = "3.1.16"
+  VERSION = "3.2.3"
+
+  RELEASE = VERSION
 
   # Return the Rack release as a dotted string.
   def self.release
-    RELEASE
+    VERSION
   end
 end

data/lib/rack.rb

@@ -34,7 +34,6 @@ module Rack
   autoload :Headers, "rack/headers"
   autoload :Lint, "rack/lint"
   autoload :Lock, "rack/lock"
-  autoload :Logger, "rack/logger"
   autoload :MediaType, "rack/media_type"
   autoload :MethodOverride, "rack/method_override"
   autoload :Mime, "rack/mime"

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.16
+  version: 3.2.3
 platform: ruby
 authors:
 - Leah Neukirchen
 bindir: bin
 cert_chain: []
-date: 2025-06-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -75,9 +75,9 @@ email: leah@vuxu.org
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - CHANGELOG.md
 - CONTRIBUTING.md
+- README.md
 files:
 - CHANGELOG.md
 - CONTRIBUTING.md
@@ -107,7 +107,6 @@ files:
 - lib/rack/headers.rb
 - lib/rack/lint.rb
 - lib/rack/lock.rb
-- lib/rack/logger.rb
 - lib/rack/media_type.rb
 - lib/rack/method_override.rb
 - lib/rack/mime.rb
@@ -142,6 +141,7 @@ metadata:
   changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rack/rack
   source_code_uri: https://github.com/rack/rack
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []

data/lib/rack/logger.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-require 'logger'
-require_relative 'constants'
-
-warn "Rack::Logger is deprecated and will be removed in Rack 3.2.", uplevel: 1
-
-module Rack
-  # Sets up rack.logger to write to rack.errors stream
-  class Logger
-    def initialize(app, level = ::Logger::INFO)
-      @app, @level = app, level
-    end
-
-    def call(env)
-      logger = ::Logger.new(env[RACK_ERRORS])
-      logger.level = @level
-
-      env[RACK_LOGGER] = logger
-      @app.call(env)
-    end
-  end
-end