rack 3.1.21 → 3.2.0

data/lib/rack/request.rb

@@ -61,9 +61,14 @@ module Rack
 
     def initialize(env)
       @env = env
+      @ip = nil
       @params = nil
     end
 
+    def ip
+      @ip ||= super
+    end
+
     def params
       @params ||= super
     end
@@ -398,8 +403,8 @@ module Rack
               return forwarded.last
             end
           when :x_forwarded
-            if value = get_header(HTTP_X_FORWARDED_HOST)
-              return wrap_ipv6(split_header(value).last)
+            if (value = get_header(HTTP_X_FORWARDED_HOST)) && (x_forwarded_host = split_header(value).last)
+              return wrap_ipv6(x_forwarded_host)
             end
           end
         end
@@ -413,10 +418,9 @@ module Rack
 
       def ip
         remote_addresses = split_header(get_header('REMOTE_ADDR'))
-        external_addresses = reject_trusted_ip_addresses(remote_addresses)
 
-        unless external_addresses.empty?
-          return external_addresses.last
+        remote_addresses.reverse_each do |ip|
+          return ip unless trusted_proxy?(ip)
         end
 
         if (forwarded_for = self.forwarded_for) && !forwarded_for.empty?
@@ -424,7 +428,10 @@ module Rack
           # So we reject all the trusted addresses (proxy*) and return the
           # last client. Or if we trust everyone, we just return the first
           # address.
-          return reject_trusted_ip_addresses(forwarded_for).last || forwarded_for.first
+          forwarded_for.reverse_each do |ip|
+            return ip unless trusted_proxy?(ip)
+          end
+          return forwarded_for.first
         end
 
         # If all the addresses are trusted, and we aren't forwarded, just return
@@ -482,70 +489,42 @@ module Rack
 
       # Returns the data received in the query string.
       def GET
-        rr_query_string = get_header(RACK_REQUEST_QUERY_STRING)
-        query_string = self.query_string
-        if rr_query_string == query_string
-          get_header(RACK_REQUEST_QUERY_HASH)
-        else
-          if rr_query_string
-            warn "query string used for GET parsing different from current query string. Starting in Rack 3.2, Rack will used the cached GET value instead of parsing the current query string.", uplevel: 1
-          end
-          query_hash = parse_query(query_string, '&')
-          set_header(RACK_REQUEST_QUERY_STRING, query_string)
-          set_header(RACK_REQUEST_QUERY_HASH, query_hash)
-        end
+        get_header(RACK_REQUEST_QUERY_HASH) || set_header(RACK_REQUEST_QUERY_HASH, parse_query(query_string, '&'))
       end
 
-      # Returns the data received in the request body.
+      # Returns the form data pairs received in the request body.
       #
       # This method support both application/x-www-form-urlencoded and
       # multipart/form-data.
-      def POST
-        if error = get_header(RACK_REQUEST_FORM_ERROR)
+      def form_pairs
+        if pairs = get_header(RACK_REQUEST_FORM_PAIRS)
+          return pairs
+        elsif error = get_header(RACK_REQUEST_FORM_ERROR)
           raise error.class, error.message, cause: error.cause
         end
 
         begin
           rack_input = get_header(RACK_INPUT)
 
-          # If the form hash was already memoized:
-          if form_hash = get_header(RACK_REQUEST_FORM_HASH)
-            form_input = get_header(RACK_REQUEST_FORM_INPUT)
-            # And it was memoized from the same input:
-            if form_input.equal?(rack_input)
-              return form_hash
-            elsif form_input
-              warn "input stream used for POST parsing different from current input stream. Starting in Rack 3.2, Rack will used the cached POST value instead of parsing the current input stream.", uplevel: 1
-            end
-          end
-
           # Otherwise, figure out how to parse the input:
           if rack_input.nil?
-            set_header RACK_REQUEST_FORM_INPUT, nil
-            set_header(RACK_REQUEST_FORM_HASH, {})
+            set_header(RACK_REQUEST_FORM_PAIRS, [])
           elsif form_data? || parseable_data?
             if pairs = Rack::Multipart.parse_multipart(env, Rack::Multipart::ParamList)
               set_header RACK_REQUEST_FORM_PAIRS, pairs
-              set_header RACK_REQUEST_FORM_HASH, expand_param_pairs(pairs)
             else
-              # Add 2 bytes. One to check whether it is over the limit, and a second
-              # in case the slice! call below removes the last byte
-              # If read returns nil, use the empty string
-              form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
+              form_vars = get_header(RACK_INPUT).read
 
               # Fix for Safari Ajax postings that always append \0
               # form_vars.sub!(/\0\z/, '') # performance replacement:
               form_vars.slice!(-1) if form_vars.end_with?("\0")
 
               set_header RACK_REQUEST_FORM_VARS, form_vars
-              set_header RACK_REQUEST_FORM_HASH, parse_query(form_vars, '&')
+              pairs = query_parser.parse_query_pairs(form_vars, '&')
+              set_header(RACK_REQUEST_FORM_PAIRS, pairs)
             end
-
-            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-            get_header RACK_REQUEST_FORM_HASH
           else
-            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-            set_header(RACK_REQUEST_FORM_HASH, {})
+            set_header(RACK_REQUEST_FORM_PAIRS, [])
           end
         rescue => error
           set_header(RACK_REQUEST_FORM_ERROR, error)
@@ -553,6 +532,21 @@ module Rack
         end
       end
 
+      # Returns the data received in the request body.
+      #
+      # This method support both application/x-www-form-urlencoded and
+      # multipart/form-data.
+      def POST
+        if form_hash = get_header(RACK_REQUEST_FORM_HASH)
+          return form_hash
+        elsif error = get_header(RACK_REQUEST_FORM_ERROR)
+          raise error.class, error.message, cause: error.cause
+        end
+
+        pairs = form_pairs
+        set_header RACK_REQUEST_FORM_HASH, expand_param_pairs(pairs)
+      end
+
       # The union of GET and POST data.
       #
       # Note that modifications will not be persisted in the env. Use update_param or delete_param if you want to destructively modify params.
@@ -560,6 +554,10 @@ module Rack
         self.GET.merge(self.POST)
       end
 
+      # Allow overriding the query parser that the receiver will use.
+      # By default Rack::Utils.default_query_parser is used.
+      attr_writer :query_parser
+
       # Destructively update a parameter, whether it's in GET and/or POST. Returns nil.
       #
       # The parameter is updated wherever it was previous defined, so GET, POST, or both. If it wasn't previously defined, it's inserted into GET.
@@ -619,13 +617,6 @@ module Rack
         Rack::Request.ip_filter.call(ip)
       end
 
-      # like Hash#values_at
-      def values_at(*keys)
-        warn("Request#values_at is deprecated and will be removed in a future version of Rack. Please use request.params.values_at instead", uplevel: 1)
-        
-        keys.map { |key| params[key] }
-      end
-
       private
 
       def default_session; {}; end
@@ -673,7 +664,7 @@ module Rack
       end
 
       def query_parser
-        Utils.default_query_parser
+        @query_parser || Utils.default_query_parser
       end
 
       def parse_query(qs, d = '&')
@@ -681,6 +672,7 @@ module Rack
       end
 
       def parse_multipart
+        warn "Rack::Request#parse_multipart is deprecated and will be removed in a future version of Rack.", uplevel: 1
         Rack::Multipart.extract_multipart(self, query_parser)
       end
 
@@ -695,7 +687,7 @@ module Rack
       end
 
       def split_header(value)
-        value ? value.strip.split(/[,\s]+/) : []
+        value ? value.strip.split(/[, \t]+/) : []
       end
 
       # ipv6 extracted from resolv stdlib, simplified
@@ -728,8 +720,8 @@ module Rack
           # Match IPv6 as a string of hex digits and colons in square brackets
           \[(?<address>#{ipv6})\]
           |
-          # Match characters allowed by RFC 3986 Section 3.2.2
-          (?<address>[-a-zA-Z0-9._~%!$&'()*+,;=]*?)
+          # Match any other printable string (except square brackets) as a hostname
+          (?<address>[[[:graph:]&&[^\[\]]]]*?)
         )
         (:(?<port>\d+))?
         \z
@@ -743,10 +735,6 @@ module Rack
         return match[:host], match[:address], match[:port]&.to_i
       end
 
-      def reject_trusted_ip_addresses(ip_addresses)
-        ip_addresses.reject { |ip| trusted_proxy?(ip) }
-      end
-
       FORWARDED_SCHEME_HEADERS = {
         proto: HTTP_X_FORWARDED_PROTO,
         scheme: HTTP_X_FORWARDED_SCHEME

data/lib/rack/rewindable_input.rb

@@ -21,7 +21,10 @@ module Rack
       end
 
       def call(env)
-        env[RACK_INPUT] = RewindableInput.new(env[RACK_INPUT])
+        if (input = env[RACK_INPUT])
+          env[RACK_INPUT] = RewindableInput.new(input)
+        end
+
         @app.call(env)
       end
     end

data/lib/rack/sendfile.rb

@@ -16,21 +16,21 @@ module Rack
   # delivery code.
   #
   # In order to take advantage of this middleware, the response body must
-  # respond to +to_path+ and the request must include an `x-sendfile-type`
+  # respond to +to_path+ and the request must include an x-sendfile-type
   # header. Rack::Files and other components implement +to_path+ so there's
-  # rarely anything you need to do in your application. The `x-sendfile-type`
+  # rarely anything you need to do in your application. The x-sendfile-type
   # header is typically set in your web servers configuration. The following
   # sections attempt to document
   #
   # === Nginx
   #
-  # Nginx supports the `x-accel-redirect` header. This is similar to `x-sendfile`
+  # Nginx supports the x-accel-redirect header. This is similar to x-sendfile
   # but requires parts of the filesystem to be mapped into a private URL
   # hierarchy.
   #
   # The following example shows the Nginx configuration required to create
-  # a private "/files/" area, enable `x-accel-redirect`, and pass the special
-  # `x-accel-mapping` header to the backend:
+  # a private "/files/" area, enable x-accel-redirect, and pass the special
+  # x-sendfile-type and x-accel-mapping headers to the backend:
   #
   #   location ~ /files/(.*) {
   #     internal;
@@ -44,29 +44,24 @@ module Rack
   #     proxy_set_header   X-Real-IP           $remote_addr;
   #     proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
   #
+  #     proxy_set_header   x-sendfile-type     x-accel-redirect;
   #     proxy_set_header   x-accel-mapping     /var/www/=/files/;
   #
   #     proxy_pass         http://127.0.0.1:8080/;
   #   }
   #
-  # The `x-accel-mapping` header should specify the location on the file system,
+  # Note that the x-sendfile-type header must be set exactly as shown above.
+  # The x-accel-mapping header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
-  # that it maps to. The middleware performs a case-insensitive substitution on the
+  # that it maps to. The middleware performs a simple substitution on the
   # resulting path.
   #
-  # To enable `x-accel-redirect`, you must configure the middleware explicitly:
-  #
-  #   use Rack::Sendfile, "x-accel-redirect"
-  #
-  # For security reasons, the `x-sendfile-type` header from requests is ignored.
-  # The sendfile variation must be set via the middleware constructor.
-  #
   # See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
   #
   # === lighttpd
   #
-  # Lighttpd has supported some variation of the `x-sendfile` header for some
-  # time, although only recent version support `x-sendfile` in a reverse proxy
+  # Lighttpd has supported some variation of the x-sendfile header for some
+  # time, although only recent version support x-sendfile in a reverse proxy
   # configuration.
   #
   #   $HTTP["host"] == "example.com" {
@@ -88,7 +83,7 @@ module Rack
   #
   # === Apache
   #
-  # `x-sendfile` is supported under Apache 2.x using a separate module:
+  # x-sendfile is supported under Apache 2.x using a separate module:
   #
   # https://tn123.org/mod_xsendfile/
   #
@@ -102,28 +97,16 @@ module Rack
   # === Mapping parameter
   #
   # The third parameter allows for an overriding extension of the
-  # `x-accel-mapping` header. Mappings should be provided in tuples of internal to
+  # x-accel-mapping header. Mappings should be provided in tuples of internal to
   # external. The internal values may contain regular expression syntax, they
   # will be matched with case indifference.
-  #
-  # When `x-accel-redirect` is explicitly enabled via the variation parameter,
-  # and no application-level mappings are provided, the middleware will read
-  # the `x-accel-mapping` header from the proxy. This allows nginx to control
-  # the path mapping without requiring application-level configuration.
-  #
-  # === Security
-  #
-  # For security reasons, the `x-sendfile-type` header from HTTP requests is
-  # ignored. The sendfile variation must be explicitly configured via the
-  # middleware constructor to prevent information disclosure vulnerabilities
-  # where attackers could bypass proxy restrictions.
 
   class Sendfile
     def initialize(app, variation = nil, mappings = [])
       @app = app
       @variation = variation
       @mappings = mappings.map do |internal, external|
-        [/\A#{internal}/i, external]
+        [/^#{internal}/i, external]
       end
     end
 
@@ -162,35 +145,22 @@ module Rack
     end
 
     private
-
     def variation(env)
-      # Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
-      # Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
-      @variation || env['sendfile.type']
-    end
-
-    def x_accel_mapping(env)
-      # Only allow header when:
-      # 1. `x-accel-redirect` is explicitly enabled via constructor.
-      # 2. No application-level mappings are configured.
-      return nil unless @variation =~ /x-accel-redirect/i
-      return nil if @mappings.any?
-      
-      env['HTTP_X_ACCEL_MAPPING']
+      @variation ||
+        env['sendfile.type'] ||
+        env['HTTP_X_SENDFILE_TYPE']
     end
 
     def map_accel_path(env, path)
       if mapping = @mappings.find { |internal, _| internal =~ path }
-        return path.sub(*mapping)
-      elsif mapping = x_accel_mapping(env)
-        # Safe to use header: explicit config + no app mappings:
+        path.sub(*mapping)
+      elsif mapping = env['HTTP_X_ACCEL_MAPPING']
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/\A#{Regexp.escape(internal)}/i, external)
+          new_path = path.sub(/^#{internal}/i, external)
           return new_path unless path == new_path
         end
-
-        return path
+        path
       end
     end
   end

data/lib/rack/show_exceptions.rb

@@ -65,8 +65,12 @@ module Rack
     def dump_exception(exception)
       if exception.respond_to?(:detailed_message)
         message = exception.detailed_message(highlight: false)
+      # :nocov:
+      # Ruby 3.2 added Exception#detailed_message, so the else
+      # branch cannot be hit on the current Ruby version.
       else
         message = exception.message
+      # :nocov:
       end
       string = "#{exception.class}: #{message}\n".dup
       string << exception.backtrace.map { |l| "\t#{l}" }.join("\n")
@@ -401,7 +405,5 @@ module Rack
       </body>
       </html>
     HTML
-
-    # :startdoc:
   end
 end

data/lib/rack/show_status.rb

@@ -117,7 +117,5 @@ TEMPLATE = <<'HTML'
 </body>
 </html>
 HTML
-
-    # :startdoc:
   end
 end

data/lib/rack/static.rb

@@ -93,9 +93,6 @@ module Rack
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
-      if @urls.kind_of?(Array)
-        @urls = @urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/".freeze].freeze }.freeze
-      end
       @index = options[:index]
       @gzip = options[:gzip]
       @cascade = options[:cascade]
@@ -118,7 +115,7 @@ module Rack
     end
 
     def route_file(path)
-      @urls.kind_of?(Array) && @urls.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
+      @urls.kind_of?(Array) && @urls.any? { |url| path.index(url) == 0 }
     end
 
     def can_serve(path)
@@ -168,8 +165,6 @@ module Rack
 
     # Convert HTTP header rules to HTTP headers
     def applicable_rules(path)
-      path = ::Rack::Utils.unescape_path(path)
-
       @header_rules.find_all do |rule, new_headers|
         case rule
         when :all
@@ -177,9 +172,10 @@ module Rack
         when :fonts
           /\.(?:ttf|otf|eot|woff2|woff|svg)\z/.match?(path)
         when String
+          path = ::Rack::Utils.unescape(path)
           path.start_with?(rule) || path.start_with?('/' + rule)
         when Array
-          /\.#{Regexp.union(rule)}\z/.match?(path)
+          /\.(#{rule.join('|')})\z/.match?(path)
         when Regexp
           rule.match?(path)
         else