rack 3.1.3 → 3.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1cb578b6c5608012f69e9e89637fe2b53f31d5aa15f9d546e1c756384119c762
-  data.tar.gz: 4201b8eb5e202b3832cf1e576bfa13106866da483d9e0395a58bb482a04da30a
+  metadata.gz: 0d973a8acf0ebcdea8f2cb7930d3f0417cdc32a1aeddb31c5f140357b7f968e3
+  data.tar.gz: a480d18cd351082f259cca12af557d9245717436135d87769584f53467d08912
 SHA512:
-  metadata.gz: 71f559cc4ffb927a6297ad5d1e9794d740270c670148f100feb40b0a465303e20aeea7d82c953cf3e2af9b9651facb9dbd814bb152f83c6e4042e4a89ac67b7b
-  data.tar.gz: 7ae4c87c4b74f111f0bae47d6ba80aacbbd3d5d6424f0231922676e3e0898ad895a3816098622b83cb73e2668cf4bd991ae5d8d4669b177557dab155b0fb80df
+  metadata.gz: 35d4ed80330dc0ac3484cbe7ba1208a27b5fc6e214873072bac0d9302bb84b06ffb93ff52abfa007298e2b305f7ffa19dde4e97afd9e58ac4ccefd8b33e62dbc
+  data.tar.gz: e278e7a0174d95775c006a51ef391d9bc968f7fb52bc9b4fdcb5d30859a06578946cf1a255f29349d00e0df87543d317d7590afe98fd07875d10f343603938ca

data/CHANGELOG.md

@@ -2,52 +2,98 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.1.7] - 2024-07-11
+
+### Fixed
+
+- Do not remove escaped opening/closing quotes for content-disposition filenames. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+- Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. ([#2227](https://github.com/rack/rack/pull/2227), [@jeremyevans])
+- `Rack::Response` should not generate invalid `content-length` header. ([#2219](https://github.com/rack/rack/pull/2219), [@ioquatix])
+- Allow empty PATH_INFO. ([#2214](https://github.com/rack/rack/pull/2214), [@ioquatix])
+
+## [3.1.6] - 2024-07-03
+
+### Fixed
+
+- Fix several edge cases in `Rack::Request#parse_http_accept_header`'s implementation. ([#2226](https://github.com/rack/rack/pull/2226), [@ioquatix])
+
+## [3.1.5] - 2024-07-02
+
+### Security
+
+- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
+
+## [3.1.4] - 2024-06-22
+
+### Fixed
+
+- Fix `Rack::Lint` matching some paths incorrectly as authority form. ([#2220](https://github.com/rack/rack/pull/2220), [@ioquatix])
+
 ## [3.1.3] - 2024-06-12
 
 ### Fixed
 
 - Fix passing non-strings to `Rack::Utils.escape_html`. ([#2202](https://github.com/rack/rack/pull/2202), [@earlopain])
-- `Rack::MockResponse` gracefully handles empty cookies ([#2203](https://github.com/rack/rack/pull/2203) [@wynksaiddestroy](https://github.com/wynksaiddestroy))
+- `Rack::MockResponse` gracefully handles empty cookies ([#2203](https://github.com/rack/rack/pull/2203) [@wynksaiddestroy])
 
 ## [3.1.2] - 2024-06-11
 
-## Changed
-
 - `Rack::Response` will take in to consideration chunked encoding responses ([#2204](https://github.com/rack/rack/pull/2204), [@tenderlove])
 
 ## [3.1.1] - 2024-06-11
 
-- Oops, I shouldn't have shipped this
+- Oops! I shouldn't have shipped that
 
 ## [3.1.0] - 2024-06-11
 
+:warning: **This release includes several breaking changes.** Refer to the **Removed** section below for the list of deprecated methods that have been removed in this release.
+
+Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
+
 ### SPEC Changes
 
-- `rack.input` is now optional. ([#1997](https://github.com/rack/rack/pull/1997), [@ioquatix])
-- `PATH_INFO` is now validated according to the HTTP/1.1 specification. ([#2117](https://github.com/rack/rack/pull/2117), [@ioquatix])
-- `rack.protocol` is an optional environment key and response header for handling connection upgrades.
+- `rack.input` is now optional. ([#1997](https://github.com/rack/rack/pull/1997), [#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
+- `PATH_INFO` is now validated according to the HTTP/1.1 specification. ([#2117](https://github.com/rack/rack/pull/2117), [#2181](https://github.com/rack/rack/pull/2181), [@ioquatix])
+  - `OPTIONS *` is now accepted. ([#2114](https://github.com/rack/rack/pull/2114), [@doriantaylor](https://github.com/doriantaylor))
+- Introduce optional `rack.protocol` request and response header for handling connection upgrades. ([#1954](https://github.com/rack/rack/pull/1954), [@ioquatix])
 
 ### Added
 
+- Introduce `Rack::Multipart::MissingInputError` for improved handling of missing input in `#parse_multipart`. ([#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
 - Introduce `module Rack::BadRequest` which is included in multipart and query parser errors. ([#2019](https://github.com/rack/rack/pull/2019), [@ioquatix])
-- Add `.mjs` MIME type ([#2057](https://github.com/rack/rack/pull/2057), [@axilleas])
-- `set_cookie_header` utility now supports the `partitioned` cookie attribute. This is required by Chrome in some embedded contexts. ([#2131](https://github.com/rack/rack/pull/2131), [@flavio-b])
-- `rack.early_hints` is now officially supported as an optional feature (already implemented by Unicorn, Puma, and Falcon). ([#1831](https://github.com/rack/rack/pull/1831), [@casperisfine, @jeremyevans])
+- Add `.mjs` MIME type ([#2057](https://github.com/rack/rack/pull/2057), [@axilleas](https://github.com/axilleas))
+- `set_cookie_header` utility now supports the `partitioned` cookie attribute. This is required by Chrome in some embedded contexts. ([#2131](https://github.com/rack/rack/pull/2131), [@flavio-b](https://github.com/flavio-b))
+- Introduce `rack.early_hints` for sending `103 Early Hints` informational responses. ([#1831](https://github.com/rack/rack/pull/1831), [@casperisfine](https://github.com/casperisfine), [@jeremyevans])
 
 ### Changed
 
-- `rack.input` is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. ([#2018](https://github.com/rack/rack/pull/2018), [@ioquatix])
-- MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` ([`1bd0f15`](https://github.com/rack/rack/commit/1bd0f1597d8f4a90d47115f3e156a8ce7870c9c8))
+- MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` ([`1bd0f15`](https://github.com/rack/rack/commit/1bd0f1597d8f4a90d47115f3e156a8ce7870c9c8), [@ioquatix])
 - Update MIME types associated to `.ttf`, `.woff`, `.woff2` and `.otf` extensions to use mondern `font/*` types. ([#2065](https://github.com/rack/rack/pull/2065), [@davidstosik])
 - `Rack::Utils.escape_html` is now delegated to `CGI.escapeHTML`. `'` is escaped to `#39;` instead of `#x27;`. (decimal vs hexadecimal) ([#2099](https://github.com/rack/rack/pull/2099), [@JunichiIto](https://github.com/JunichiIto))
+- Clarify use of `@buffered` and only update `content-length` when `Rack::Response#finish` is invoked. ([#2149](https://github.com/rack/rack/pull/2149), [@ioquatix])
+
+### Deprecated
+
+- Deprecate automatic cache invalidation in `Request#{GET,POST}` ([#2073](https://github.com/rack/rack/pull/2073), [@jeremyevans])
 - Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. ([#2191](https://github.com/rack/rack/pull/2191), [@ioquatix])
+- `Rack::Logger` is deprecated. ([#2197](https://github.com/rack/rack/pull/2197), [@ioquatix])
+- Add fallback lookup and deprecation warning for obsolete status symbols. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
+- Deprecate `Rack::Request#values_at`, use `request.params.values_at` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
 
 ### Removed
 
-- Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn])
-- Add fallback lookup and deprecation warning for obsolete status symbols. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn])
-- Deprecate automatic cache invalidation in `Request#{GET,POST}` ([#2073](https://github.com/rack/rack/pull/2073) ([@jeremyevans])
-- `Rack::Logger` is deprecated. ([#2197](https://github.com/rack/rack/pull/2197), [@ioquatix])
+- Remove deprecated `Rack::Auth::Digest` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Cascade::NotFound` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Chunked` with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::File`, use `Rack::Files` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::QueryParser` `key_space_limit` parameter with no replacement. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Response#header`, use `Rack::Response#headers` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated cookie methods from `Rack::Utils`: `add_cookie_to_header`, `make_delete_cookie_header`, `add_remove_cookie_to_header`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::Utils::HeaderHash`. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove deprecated `Rack::VERSION`, `Rack::VERSION_STRING`, `Rack.version`, use `Rack.release` instead. ([#1966](https://github.com/rack/rack/pull/1966), [@ioquatix])
+- Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. ([#2137](https://github.com/rack/rack/pull/2137), [@wtn](https://github.com/wtn))
+- Remove any dependency on `transfer-encoding: chunked`. ([#2195](https://github.com/rack/rack/pull/2195), [@ioquatix])
+- Remove deprecated `Rack::Request#[]`, use `request.params[key]` instead ([#2183](https://github.com/rack/rack/pull/2183), [@ioquatix])
 
 ### Fixed
 
@@ -125,7 +171,7 @@ All notable changes to this project will be documented in this file. For info on
 
 - `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
 
-## [3.0.2] -2022-12-05
+## [3.0.2] - 2022-12-05
 
 ### Fixed
 

data/SPEC.rdoc

@@ -130,7 +130,7 @@ There are the following restrictions:
 * There may be a valid early hints callback in <tt>rack.early_hints</tt>
 * The <tt>REQUEST_METHOD</tt> must be a valid token.
 * The <tt>SCRIPT_NAME</tt>, if non-empty, must start with <tt>/</tt>
-* The <tt>PATH_INFO</tt>, if provided, must be a valid request target.
+* The <tt>PATH_INFO</tt>, if provided, must be a valid request target or an empty string.
   * Only <tt>OPTIONS</tt> requests may have <tt>PATH_INFO</tt> set to <tt>*</tt> (asterisk-form).
   * Only <tt>CONNECT</tt> requests may have <tt>PATH_INFO</tt> set to an authority (authority-form). Note that in HTTP/2+, the authority-form is not a valid request target.
   * <tt>CONNECT</tt> and <tt>OPTIONS</tt> requests must not have <tt>PATH_INFO</tt> set to a URI (absolute-form).

data/lib/rack/lint.rb

@@ -13,7 +13,7 @@ module Rack
   class Lint
     REQUEST_PATH_ORIGIN_FORM = /\A\/[^#]*\z/
     REQUEST_PATH_ABSOLUTE_FORM = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
-    REQUEST_PATH_AUTHORITY_FORM = /\A(.*?)(:\d*)\z/
+    REQUEST_PATH_AUTHORITY_FORM = /\A[^\/:]+:\d+\z/
     REQUEST_PATH_ASTERISK_FORM = '*'
 
     def initialize(app)
@@ -361,7 +361,7 @@ module Rack
           raise LintError, "SCRIPT_NAME must start with /"
         end
 
-        ## * The <tt>PATH_INFO</tt>, if provided, must be a valid request target.
+        ## * The <tt>PATH_INFO</tt>, if provided, must be a valid request target or an empty string.
         if env.include?(PATH_INFO)
           case env[PATH_INFO]
           when REQUEST_PATH_ASTERISK_FORM
@@ -381,6 +381,8 @@ module Rack
             end
           when REQUEST_PATH_ORIGIN_FORM
             ##   * Otherwise, <tt>PATH_INFO</tt> must start with a <tt>/</tt> and must not include a fragment part starting with '#' (origin-form).
+          when ""
+            # Empty string is okay.
           else
             raise LintError, "PATH_INFO must start with a '/' and must not include a fragment part starting with '#' (origin-form)"
           end

data/lib/rack/mock_request.rb

@@ -139,23 +139,13 @@ module Rack
         end
       end
 
-      input = opts[:input]
-      if String === input
-        rack_input = StringIO.new(input)
-        rack_input.set_encoding(Encoding::BINARY)
-      else
-        if input.respond_to?(:encoding) && input.encoding != Encoding::BINARY
-          warn "input encoding not binary", uplevel: 1
-          if input.respond_to?(:set_encoding)
-            input.set_encoding(Encoding::BINARY)
-          else
-            raise ArgumentError, "could not coerce input to binary encoding"
-          end
-        end
-        rack_input = input
+      rack_input = opts[:input]
+      if String === rack_input
+        rack_input = StringIO.new(rack_input)
       end
 
       if rack_input
+        rack_input.set_encoding(Encoding::BINARY) if rack_input.respond_to?(:set_encoding)
         env[RACK_INPUT] = rack_input
 
         env["CONTENT_LENGTH"] ||= env[RACK_INPUT].size.to_s if env[RACK_INPUT].respond_to?(:size)

data/lib/rack/multipart/parser.rb

@@ -394,7 +394,6 @@ module Rack
             filename = normalize_filename(filename || '')
             filename.force_encoding(find_encoding(encoding))
           elsif filename
-            filename = $1 if filename =~ /^"(.*)"$/
             filename = normalize_filename(filename)
           end
 

data/lib/rack/request.rb

@@ -642,14 +642,26 @@ module Rack
       end
 
       def parse_http_accept_header(header)
-        header.to_s.split(/\s*,\s*/).map do |part|
-          attribute, parameters = part.split(/\s*;\s*/, 2)
+        # It would be nice to use filter_map here, but it's Ruby 2.7+
+        parts = header.to_s.split(',')
+
+        parts.map! do |part|
+          part.strip!
+          next if part.empty?
+
+          attribute, parameters = part.split(';', 2)
+          attribute.strip!
+          parameters&.strip!
           quality = 1.0
           if parameters and /\Aq=([\d.]+)/ =~ parameters
             quality = $1.to_f
           end
           [attribute, quality]
         end
+
+        parts.compact!
+
+        parts
       end
 
       # Get an array of values set in the RFC 7239 `Forwarded` request header.

data/lib/rack/response.rb

@@ -72,7 +72,8 @@ module Rack
       if body.nil?
         @body = []
         @buffered = true
-        @length = 0
+        # Body is unspecified - it may be a buffered response, or it may be a HEAD response.
+        @length = nil
       elsif body.respond_to?(:to_str)
         @body = [body]
         @buffered = true
@@ -80,7 +81,7 @@ module Rack
       else
         @body = body
         @buffered = nil # undetermined as of yet.
-        @length = 0
+        @length = nil
       end
 
       yield self if block_given?
@@ -110,14 +111,15 @@ module Rack
         close
         return [@status, @headers, []]
       else
-        if @length && @length > 0 && !chunked?
-          set_header CONTENT_LENGTH, @length.to_s
-        end
-
         if block_given?
+          # We don't add the content-length here as the user has provided a block that can #write additional chunks to the body.
           @block = block
           return [@status, @headers, self]
         else
+          # If we know the length of the body, set the content-length header... except if we are chunked? which is a legacy special case where the body might already be encoded and thus the actual encoded body length and the content-length are likely to be different.
+          if @length && !chunked?
+            @headers[CONTENT_LENGTH] = @length.to_s
+          end
           return [@status, @headers, @body]
         end
       end
@@ -135,7 +137,9 @@ module Rack
       end
     end
 
-    # Append to body and update content-length.
+    # Append a chunk to the response body.
+    #
+    # Converts the response into a buffered response if it wasn't already.
     #
     # NOTE: Do not mix #write and direct #body access!
     #
@@ -336,16 +340,13 @@ module Rack
             # Turn the user supplied body into a buffered array:
             body = @body
             @body = Array.new
-            @length = 0
+            @buffered = true
 
             body.each do |part|
               @writer.call(part.to_s)
             end
 
             body.close if body.respond_to?(:close)
-
-            # We have converted the body into an Array:
-            @buffered = true
           else
             # We don't know how to buffer the user-supplied body:
             @buffered = false
@@ -359,7 +360,11 @@ module Rack
         chunk = chunk.dup unless chunk.frozen?
         @body << chunk
 
-        @length += chunk.bytesize
+        if @length
+          @length += chunk.bytesize
+        elsif @buffered
+          @length = chunk.bytesize
+        end
 
         return chunk
       end

data/lib/rack/version.rb

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 
 module Rack
-  RELEASE = "3.1.3"
+  RELEASE = "3.1.7"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.3
+  version: 3.1.7
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-12 00:00:00.000000000 Z
+date: 2024-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest