rack 1.2.5 → 1.2.6

data/README

@@ -1,4 +1,4 @@
-= Rack, a modular Ruby webserver interface
+= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
 
 Rack provides a minimal, modular and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
@@ -27,8 +27,11 @@ These web servers include Rack handlers in their distributions:
 * Fuzed
 * Glassfish v3
 * Phusion Passenger (which is mod_rack for Apache and for nginx)
+* Puma
 * Rainbows!
 * Unicorn
+* unixrack
+* uWSGI
 * Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
@@ -313,7 +316,7 @@ run on port 11211) and memcache-client installed.
   * Rename spec/ to test/ to not conflict with SPEC on lesser
     operating systems
 
-* March 13th, 2011: Twelfth public release 1.2.2/1.1.1.
+* March 13th, 2011: Twelfth public release 1.2.2/1.1.2.
   * Security fix in Rack::Auth::Digest::MD5: when authenticator
     returned nil, permission was granted on empty password.
 
@@ -341,13 +344,131 @@ run on port 11211) and memcache-client installed.
   * Pulled in relevant bug fixes from 1.3
   * Fixed 1.8.6 support
 
+* July 13, 2011: Fifteenth public release 1.3.1
+  * Fix 1.9.1 support
+  * Fix JRuby support
+  * Properly handle $KCODE in Rack::Utils.escape
+  * Make method_missing/respond_to behavior consistent for Rack::Lock,
+    Rack::Auth::Digest::Request and Rack::Multipart::UploadedFile
+  * Reenable passing rack.session to session middleware
+  * Rack::CommonLogger handles streaming responses correctly
+  * Rack::MockResponse calls close on the body object
+  * Fix a DOS vector from MRI stdlib backport
+
+* July 16, 2011: Sixteenth public release 1.3.2
+  * Fix for Rails and rack-test, Rack::Utils#escape calls to_s
+
+* Not Yet Released: Seventeenth public release 1.3.3
+  * Fix bug with broken query parameters in Rack::ShowExceptions
+  * Rack::Request#cookies no longer swallows exceptions on broken input
+  * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
+  * Rack::ConditionalGet handles broken If-Modified-Since helpers
+
 * September 16, 2011: Eighteenth public release 1.2.4
   * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
 
-* December 28th, 2011: Twenty second public release: 1.2.5
+* October 1, 2011: Nineteenth public release 1.3.4
+  * Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
+  * Small documentation update
+  * Fix an issue where BodyProxy could cause an infinite recursion
+  * Add some supporting files for travis-ci
+
+* October 17, 2011: Twentieth public release 1.3.5
+  * Fix annoying warnings caused by the backport in 1.3.4
+
+* December 28th, 2011: Twenty first public release: 1.1.3.
   * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
     Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
 
+* December 28th, 2011: Twenty fourth public release 1.4.0
+  * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
+  * Raise sane error messages for broken config.ru
+  * Allow combining run and map in a config.ru
+  * Rack::ContentType will not set Content-Type for responses without a body
+  * Status code 205 does not send a response body
+  * Rack::Response::Helpers will not rely on instance variables
+  * Rack::Utils.build_query no longer outputs '=' for nil query values
+  * Various mime types added
+  * Rack::MockRequest now supports HEAD
+  * Rack::Directory now supports files that contain RFC3986 reserved chars
+  * Rack::File now only supports GET and HEAD requests
+  * Rack::Server#start now passes the block to Rack::Handler::<h>#run
+  * Rack::Static now supports an index option
+  * Added the Teapot status code
+  * rackup now defaults to Thin instead of Mongrel (if installed)
+  * Support added for HTTP_X_FORWARDED_SCHEME
+  * Numerous bug fixes, including many fixes for new and alternate rubies
+
+* January 22nd, 2012: Twenty fifth public release 1.4.1
+  * Alter the keyspace limit calculations to reduce issues with nested params
+  * Add a workaround for multipart parsing where files contain unescaped "%"
+  * Added Rack::Response::Helpers#method_not_allowed? (code 405)
+  * Rack::File now returns 404 for illegal directory traversals
+  * Rack::File now returns 405 for illegal methods (non HEAD/GET)
+  * Rack::Cascade now catches 405 by default, as well as 404
+  * Cookies missing '--' no longer cause an exception to be raised
+  * Various style changes and documentation spelling errors
+  * Rack::BodyProxy always ensures to execute its block
+  * Additional test coverage around cookies and secrets
+  * Rack::Session::Cookie can now be supplied either secret or old_secret
+  * Tests are no longer dependent on set order
+  * Rack::Static no longer defaults to serving index files
+  * Rack.release was fixed
+
+* January 6th, 2013: Twenty sixth public release 1.1.4
+  * Add warnings when users do not provide a session secret
+
+* January 6th, 2013: Twenty seventh public release 1.2.6
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+
+* January 6th, 2013: Twenty eighth public release 1.3.7
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+  * Updated URI backports
+  * Fix URI backport version matching, and silence constant warnings
+  * Correct parameter parsing with empty values
+  * Correct rackup '-I' flag, to allow multiple uses
+  * Correct rackup pidfile handling
+  * Report rackup line numbers correctly
+  * Fix request loops caused by non-stale nonces with time limits
+  * Fix reloader on Windows
+  * Prevent infinite recursions from Response#to_ary
+  * Various middleware better conforms to the body close specification
+  * Updated language for the body close specification
+  * Additional notes regarding ECMA escape compatibility issues
+  * Fix the parsing of multiple ranges in range headers
+
+* January 6th, 2013: Twenty ninth public release 1.4.2
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+  * Updated URI backports
+  * Fix URI backport version matching, and silence constant warnings
+  * Correct parameter parsing with empty values
+  * Correct rackup '-I' flag, to allow multiple uses
+  * Correct rackup pidfile handling
+  * Report rackup line numbers correctly
+  * Fix request loops caused by non-stale nonces with time limits
+  * Fix reloader on Windows
+  * Prevent infinite recursions from Response#to_ary
+  * Various middleware better conforms to the body close specification
+  * Updated language for the body close specification
+  * Additional notes regarding ECMA escape compatibility issues
+  * Fix the parsing of multiple ranges in range headers
+  * Prevent errors from empty parameter keys
+  * Added PATCH verb to Rack::Request
+  * Various documentation updates
+  * Fix session merge semantics (fixes rack-test)
+  * Rack::Static :index can now handle multiple directories
+  * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
+  * Rack::File cache_control parameter is now deprecated, and removed by 1.5
+  * Correct Rack::Directory script name escaping
+  * Rack::Static supports header rules for sophisticated configurations
+  * Multipart parsing now works without a Content-Length header
+  * New logos courtesy of Zachary Scott!
+  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
+  * Cookies that are not URI escaped no longer cause exceptions
+
 == Contact
 
 Please post bugs, suggestions and patches to
@@ -428,7 +549,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.rubyforge.org/>
+Rack:: <http://rack.github.com/>
 Official Rack repositories:: <http://github.com/rack>
 Rack Bug Tracking:: <http://github.com/rack/rack/issues>
 rack-devel mailing list:: <http://groups.google.com/group/rack-devel>

data/lib/rack/session/cookie.rb

@@ -27,6 +27,15 @@ module Rack
         @app = app
         @key = options[:key] || "rack.session"
         @secret = options[:secret]
+        warn <<-MSG unless @secret
+        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+        This poses a security threat. It is strongly recommended that you
+        provide a secret to prevent exploits that may be possible from crafted
+        cookies. This will not be supported in future versions of Rack, and
+        future versions will even invalidate your existing user cookies.
+
+        Called from: #{caller[0]}.
+        MSG
         @default_options = {:domain => nil,
           :path => "/",
           :expire_after => nil}.merge(options)

data/lib/rack/utils.rb

@@ -548,7 +548,7 @@ module Rack
 
                 token = /[^\s()<>,;:\\"\/\[\]?=]+/
                 condisp = /Content-Disposition:\s*#{token}\s*/i
-                dispparm = /;\s*(#{token})=("(?:\\"|[^"])*"|#{token})*/
+                dispparm = /;\s*(#{token})=("(?:\\"|[^"])*"|#{token})/
 
                 rfc2183 = /^#{condisp}(#{dispparm})+$/i
                 broken_quoted = /^#{condisp}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{token}=)/i

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.2.5"
+  s.version         = "1.2.6"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_session_cookie.rb

@@ -8,6 +8,25 @@ describe Rack::Session::Cookie do
     Rack::Response.new(env["rack.session"].inspect).to_a
   end
 
+  before do
+    @warnings = warnings = []
+    Rack::Session::Cookie.class_eval do
+      define_method(:warn) { |m| warnings << m }
+    end
+  end
+
+  after do
+    Rack::Session::Cookie.class_eval { remove_method :warn }
+  end
+
+  it "warns if no secret is given" do
+    cookie = Rack::Session::Cookie.new(incrementor)
+    @warnings.first.should =~ /no secret/i
+    @warnings.clear
+    cookie = Rack::Session::Cookie.new(incrementor, :secret => 'abc')
+    @warnings.should.be.empty?
+  end
+
   it "creates a new cookie" do
     res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).get("/")
     res["Set-Cookie"].should.include("rack.session=")

data/test/spec_utils.rb

@@ -603,6 +603,28 @@ describe Rack::Utils::Multipart do
     params["files"][:tempfile].read.should.equal "contents"
   end
 
+
+  it "should parse very long unquoted multipart file names" do
+    data = <<-EOF
+--AaB03x\r
+Content-Type: text/plain\r
+Content-Disposition: attachment; name=file; filename=#{'long' * 100}\r
+\r
+contents\r
+--AaB03x--\r
+    EOF
+
+    options = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+      "CONTENT_LENGTH" => data.length.to_s,
+      :input => StringIO.new(data)
+    }
+    env = Rack::MockRequest.env_for("/", options)
+    params = Rack::Utils::Multipart.parse_multipart(env)
+
+    params["file"][:filename].should.equal('long' * 100)
+  end
+
   it "rewinds input after parsing upload" do
     options = multipart_fixture(:text)
     input = options[:input]

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 21
+  hash: 19
   prerelease: 
   segments: 
   - 1
   - 2
-  - 5
-  version: 1.2.5
+  - 6
+  version: 1.2.6
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-12-28 00:00:00 Z
+date: 2013-01-07 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bacon
@@ -284,7 +284,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rack
-rubygems_version: 1.8.12
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: a modular Ruby webserver interface
@@ -331,3 +331,4 @@ test_files:
 - test/spec_urlmap.rb
 - test/spec_utils.rb
 - test/spec_webrick.rb
+has_rdoc: true