rack 3.1.21 → 3.2.0

data/lib/rack/utils.rb

@@ -146,77 +146,17 @@ module Rack
       end
     end
 
-    ALLOWED_FORWARED_PARAMS = %w[by for host proto].to_h { |name| [name, name.to_sym] }.freeze
-    private_constant :ALLOWED_FORWARED_PARAMS
-
     def forwarded_values(forwarded_header)
-      return unless forwarded_header
-      header = forwarded_header.to_s.tr("\n", ";")
-      header.sub!(/\A[\s;,]+/, '')
-      num_params = num_escapes = 0
-      max_params = max_escapes = 1024
-      params = {}
-
-      # Parse parameter list
-      while i = header.index('=')
-        # Only parse up to max parameters, to avoid potential denial of service
-        num_params += 1
-        return if num_params > max_params
-
-        # Found end of parameter name, ensure forward progress in loop
-        param = header.slice!(0, i+1)
-
-        # Remove ending equals and preceding whitespace from parameter name
-        param.chomp!('=')
-        param.strip!
-        param.downcase!
-        return unless param = ALLOWED_FORWARED_PARAMS[param]
-
-        if header[0] == '"'
-          # Parameter value is quoted, parse it, handling backslash escapes
-          header.slice!(0, 1)
-          value = String.new
-
-          while i = header.index(/(["\\])/)
-            c = $1
-
-            # Append all content until ending quote or escape
-            value << header.slice!(0, i)
-
-            # Remove either backslash or ending quote,
-            # ensures forward progress in loop
-            header.slice!(0, 1)
-
-            # stop parsing parameter value if found ending quote
-            break if c == '"'
-
-            # Only allow up to max escapes, to avoid potential denial of service
-            num_escapes += 1
-            return if num_escapes > max_escapes
-            escaped_char = header.slice!(0, 1)
-            value << escaped_char
-          end
-        else
-          if i = header.index(/[;,]/)
-            # Parameter value unquoted (which may be invalid), value ends at comma or semicolon
-            value = header.slice!(0, i)
-            value.sub!(/[\s;,]+\z/, '')
-          else
-            # If no ending semicolon, assume remainder of line is value and stop parsing
-            header.strip!
-            value = header
-            header = ''
-          end
-          value.lstrip!
+      return nil unless forwarded_header
+      forwarded_header = forwarded_header.to_s.gsub("\n", ";")
+
+      forwarded_header.split(';').each_with_object({}) do |field, values|
+        field.split(',').each do |pair|
+          pair = pair.split('=').map(&:strip).join('=')
+          return nil unless pair =~ /\A(by|for|host|proto)="?([^"]+)"?\Z/i
+          (values[$1.downcase.to_sym] ||= []) << $2
         end
-
-        (params[param] ||= []) << value
-
-        # skip trailing semicolons/commas/whitespace, to proceed to next parameter
-        header.sub!(/\A[\s;,]+/, '') unless header.empty?
       end
-
-      params
     end
     module_function :forwarded_values
 
@@ -241,49 +181,29 @@ module Rack
     # doesn't get monkey-patched by rails
     if defined?(ERB::Escape) && ERB::Escape.instance_method(:html_escape)
       define_method(:escape_html, ERB::Escape.instance_method(:html_escape))
+    # :nocov:
+    # Ruby 3.2/ERB 4.0 added ERB::Escape#html_escape, so the else
+    # branch cannot be hit on the current Ruby version.
     else
       require 'cgi/escape'
       # Escape ampersands, brackets and quotes to their HTML/XML entities.
       def escape_html(string)
         CGI.escapeHTML(string.to_s)
       end
+    # :nocov:
     end
 
-    # Given an array of available encoding strings, and an array of
-    # acceptable encodings for a request, where each element of the
-    # acceptable encodings array is an array where the first element
-    # is an encoding name and the second element is the numeric
-    # priority for the encoding, return the available encoding with
-    # the highest priority.
-    #
-    # The accept_encoding argument is typically generated by calling
-    # Request#accept_encoding.
-    #
-    # Example:
-    #
-    #   select_best_encoding(%w(compress gzip identity),
-    #                        [["compress", 0.5], ["gzip", 1.0]])
-    #   # => "gzip"
-    #
-    # To reduce denial of service potential, only the first 16
-    # acceptable encodings are considered.
     def select_best_encoding(available_encodings, accept_encoding)
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
 
-      # Only process the first 16 encodings
-      accept_encoding = accept_encoding[0...16]
       expanded_accept_encoding = []
-      wildcard_seen = false
 
       accept_encoding.each do |m, q|
         preference = available_encodings.index(m) || available_encodings.size
 
         if m == "*"
-          unless wildcard_seen
-            (available_encodings - accept_encoding.map(&:first)).each do |m2|
-              expanded_accept_encoding << [m2, q, preference]
-            end
-            wildcard_seen = true
+          (available_encodings - accept_encoding.map(&:first)).each do |m2|
+            expanded_accept_encoding << [m2, q, preference]
           end
         else
           expanded_accept_encoding << [m, q, preference]
@@ -291,13 +211,7 @@ module Rack
       end
 
       encoding_candidates = expanded_accept_encoding
-        .sort do |(_, q1, p1), (_, q2, p2)|
-          if r = (q1 <=> q2).nonzero?
-            -r
-          else
-            (p1 <=> p2).nonzero? || 0
-          end
-        end
+        .sort_by { |_, q, p| [-q, p] }
         .map!(&:first)
 
       unless encoding_candidates.include?("identity")
@@ -344,26 +258,18 @@ module Rack
       parse_cookies_header env[HTTP_COOKIE]
     end
 
-    # A valid cookie key according to RFC2616.
+    # A valid cookie key according to RFC6265 and RFC2616.
     # A <cookie-name> can be any US-ASCII characters, except control characters, spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " / [ ] ? = { }.
     VALID_COOKIE_KEY = /\A[!#$%&'*+\-\.\^_`|~0-9a-zA-Z]+\z/.freeze
     private_constant :VALID_COOKIE_KEY
 
-    private def escape_cookie_key(key)
-      if key =~ VALID_COOKIE_KEY
-        key
-      else
-        warn "Cookie key #{key.inspect} is not valid according to RFC2616; it will be escaped. This behaviour is deprecated and will be removed in a future version of Rack.", uplevel: 2
-        escape(key)
-      end
-    end
-
     # :call-seq:
     #   set_cookie_header(key, value) -> encoded string
     #
     # Generate an encoded string using the provided +key+ and +value+ suitable
     # for the +set-cookie+ header according to RFC6265. The +value+ may be an
-    # instance of either +String+ or +Hash+.
+    # instance of either +String+ or +Hash+. If the cookie key is invalid (as
+    # defined by RFC6265), an +ArgumentError+ will be raised.
     #
     # If the cookie +value+ is an instance of +Hash+, it considers the following
     # cookie attribute keys: +domain+, +max_age+, +expires+ (must be instance
@@ -371,10 +277,6 @@ module Rack
     # details about the interpretation of these fields, consult
     # [RFC6265 Section 5.2](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2).
     #
-    # An extra cookie attribute +escape_key+ can be provided to control whether
-    # or not the cookie key is URL encoded. If explicitly set to +false+, the
-    # cookie key name will not be url encoded (escaped). The default is +true+.
-    #
     #   set_cookie_header("myname", "myvalue")
     #   # => "myname=myvalue"
     #
@@ -382,9 +284,12 @@ module Rack
     #   # => "myname=myvalue; max-age=10"
     #
     def set_cookie_header(key, value)
+      unless key =~ VALID_COOKIE_KEY
+        raise ArgumentError, "invalid cookie key: #{key.inspect}"
+      end
+
       case value
       when Hash
-        key = escape_cookie_key(key) unless value[:escape_key] == false
         domain  = "; domain=#{value[:domain]}"   if value[:domain]
         path    = "; path=#{value[:path]}"       if value[:path]
         max_age = "; max-age=#{value[:max_age]}" if value[:max_age]
@@ -406,8 +311,6 @@ module Rack
           end
         partitioned = "; partitioned" if value[:partitioned]
         value = value[:value]
-      else
-        key = escape_cookie_key(key)
       end
 
       value = [value] unless Array === value
@@ -496,19 +399,17 @@ module Rack
     # Parses the "Range:" header, if present, into an array of Range objects.
     # Returns nil if the header is missing or syntactically invalid.
     # Returns an empty array if none of the ranges are satisfiable.
-    def byte_ranges(env, size, max_ranges: 100)
-      get_byte_ranges env['HTTP_RANGE'], size, max_ranges: max_ranges
+    def byte_ranges(env, size)
+      get_byte_ranges env['HTTP_RANGE'], size
     end
 
-    def get_byte_ranges(http_range, size, max_ranges: 100)
+    def get_byte_ranges(http_range, size)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
       # Ignore Range when file size is 0 to avoid a 416 error.
       return nil if size.zero?
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
-      byte_range = $1
-      return nil if byte_range.count(',') >= max_ranges
       ranges = []
-      byte_range.split(/,[ \t]*/).each do |range_spec|
+      $1.split(/,[ \t]*/).each do |range_spec|
         return nil unless range_spec.include?('-')
         range = range_spec.split('-')
         r0, r1 = range[0], range[1]
@@ -684,11 +585,9 @@ module Rack
           fallback_code = OBSOLETE_SYMBOLS_TO_STATUS_CODES.fetch(status) { raise ArgumentError, "Unrecognized status code #{status.inspect}" }
           message = "Status code #{status.inspect} is deprecated and will be removed in a future version of Rack."
           if canonical_symbol = OBSOLETE_SYMBOL_MAPPINGS[status]
-            # message = "#{message} Please use #{canonical_symbol.inspect} instead."
-            # For now, let's not emit any warning when there is a mapping.
-          else
-            warn message, uplevel: 3
+            message = "#{message} Please use #{canonical_symbol.inspect} instead."
           end
+          warn message, uplevel: 3
           fallback_code
         end
       else

data/lib/rack/version.rb

@@ -5,17 +5,13 @@
 # Rack is freely distributable under the terms of an MIT-style license.
 # See MIT-LICENSE or https://opensource.org/licenses/MIT.
 
-# The Rack main module, serving as a namespace for all core Rack
-# modules and classes.
-#
-# All modules meant for use in your application are <tt>autoload</tt>ed here,
-# so it should be enough just to <tt>require 'rack'</tt> in your code.
-
 module Rack
-  RELEASE = "3.1.21"
+  VERSION = "3.2.0"
+
+  RELEASE = VERSION
 
   # Return the Rack release as a dotted string.
   def self.release
-    RELEASE
+    VERSION
   end
 end

data/lib/rack.rb

@@ -34,7 +34,6 @@ module Rack
   autoload :Headers, "rack/headers"
   autoload :Lint, "rack/lint"
   autoload :Lock, "rack/lock"
-  autoload :Logger, "rack/logger"
   autoload :MediaType, "rack/media_type"
   autoload :MethodOverride, "rack/method_override"
   autoload :Mime, "rack/mime"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.21
+  version: 3.2.0
 platform: ruby
 authors:
 - Leah Neukirchen
@@ -107,7 +107,6 @@ files:
 - lib/rack/headers.rb
 - lib/rack/lint.rb
 - lib/rack/lock.rb
-- lib/rack/logger.rb
 - lib/rack/media_type.rb
 - lib/rack/method_override.rb
 - lib/rack/mime.rb
@@ -142,6 +141,7 @@ metadata:
   changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rack/rack
   source_code_uri: https://github.com/rack/rack
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 3.6.7
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []

data/lib/rack/logger.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-require 'logger'
-require_relative 'constants'
-
-warn "Rack::Logger is deprecated and will be removed in Rack 3.2.", uplevel: 1
-
-module Rack
-  # Sets up rack.logger to write to rack.errors stream
-  class Logger
-    def initialize(app, level = ::Logger::INFO)
-      @app, @level = app, level
-    end
-
-    def call(env)
-      logger = ::Logger.new(env[RACK_ERRORS])
-      logger.level = @level
-
-      env[RACK_LOGGER] = logger
-      @app.call(env)
-    end
-  end
-end