rack 1.2.8 → 1.3.0.beta

data/README

@@ -1,4 +1,4 @@
-= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
+= Rack, a modular Ruby webserver interface
 
 Rack provides a minimal, modular and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
@@ -27,11 +27,8 @@ These web servers include Rack handlers in their distributions:
 * Fuzed
 * Glassfish v3
 * Phusion Passenger (which is mod_rack for Apache and for nginx)
-* Puma
 * Rainbows!
 * Unicorn
-* unixrack
-* uWSGI
 * Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
@@ -122,7 +119,7 @@ By default, the lobster is found at http://localhost:9292.
 
 == Installing with RubyGems
 
-A Gem of Rack is available at rubygems.org.  You can install it with:
+A Gem of Rack is available at gemcutter.org.  You can install it with:
 
     gem install rack
 
@@ -320,7 +317,7 @@ run on port 11211) and memcache-client installed.
   * Security fix in Rack::Auth::Digest::MD5: when authenticator
     returned nil, permission was granted on empty password.
 
-* May 22nd, 2011: Thirteenth public release 1.3.0
+* unknown: Thirteenth? public release 1.3.0.beta
   * Various performance optimizations
   * Various multipart fixes
   * Various multipart refactors
@@ -336,177 +333,14 @@ run on port 11211) and memcache-client installed.
   * Rack::Deflater now supports streaming
   * Improved Rack::Handler loading and searching
   * Support for the PATCH verb
-  * env['rack.session.options'] now contains session options
-  * Cookies respect renew
-  * Session middleware uses SecureRandom.hex
-
-* May 22nd, 2011: Fourteenth public release 1.2.3
-  * Pulled in relevant bug fixes from 1.3
-  * Fixed 1.8.6 support
-
-* July 13, 2011: Fifteenth public release 1.3.1
-  * Fix 1.9.1 support
-  * Fix JRuby support
-  * Properly handle $KCODE in Rack::Utils.escape
-  * Make method_missing/respond_to behavior consistent for Rack::Lock,
-    Rack::Auth::Digest::Request and Rack::Multipart::UploadedFile
-  * Reenable passing rack.session to session middleware
-  * Rack::CommonLogger handles streaming responses correctly
-  * Rack::MockResponse calls close on the body object
-  * Fix a DOS vector from MRI stdlib backport
-
-* July 16, 2011: Sixteenth public release 1.3.2
-  * Fix for Rails and rack-test, Rack::Utils#escape calls to_s
-
-* Not Yet Released: Seventeenth public release 1.3.3
-  * Fix bug with broken query parameters in Rack::ShowExceptions
-  * Rack::Request#cookies no longer swallows exceptions on broken input
-  * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
-  * Rack::ConditionalGet handles broken If-Modified-Since helpers
-
-* September 16, 2011: Eighteenth public release 1.2.4
-  * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
-
-* October 1, 2011: Nineteenth public release 1.3.4
-  * Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
-  * Small documentation update
-  * Fix an issue where BodyProxy could cause an infinite recursion
-  * Add some supporting files for travis-ci
-
-* October 17, 2011: Twentieth public release 1.3.5
-  * Fix annoying warnings caused by the backport in 1.3.4
-
-* December 28th, 2011: Twenty first public release: 1.1.3.
-  * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
-    Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
-
-* December 28th, 2011: Twenty fourth public release 1.4.0
-  * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
-  * Raise sane error messages for broken config.ru
-  * Allow combining run and map in a config.ru
-  * Rack::ContentType will not set Content-Type for responses without a body
-  * Status code 205 does not send a response body
-  * Rack::Response::Helpers will not rely on instance variables
-  * Rack::Utils.build_query no longer outputs '=' for nil query values
-  * Various mime types added
-  * Rack::MockRequest now supports HEAD
-  * Rack::Directory now supports files that contain RFC3986 reserved chars
-  * Rack::File now only supports GET and HEAD requests
-  * Rack::Server#start now passes the block to Rack::Handler::<h>#run
-  * Rack::Static now supports an index option
-  * Added the Teapot status code
-  * rackup now defaults to Thin instead of Mongrel (if installed)
-  * Support added for HTTP_X_FORWARDED_SCHEME
-  * Numerous bug fixes, including many fixes for new and alternate rubies
-
-* January 22nd, 2012: Twenty fifth public release 1.4.1
-  * Alter the keyspace limit calculations to reduce issues with nested params
-  * Add a workaround for multipart parsing where files contain unescaped "%"
-  * Added Rack::Response::Helpers#method_not_allowed? (code 405)
-  * Rack::File now returns 404 for illegal directory traversals
-  * Rack::File now returns 405 for illegal methods (non HEAD/GET)
-  * Rack::Cascade now catches 405 by default, as well as 404
-  * Cookies missing '--' no longer cause an exception to be raised
-  * Various style changes and documentation spelling errors
-  * Rack::BodyProxy always ensures to execute its block
-  * Additional test coverage around cookies and secrets
-  * Rack::Session::Cookie can now be supplied either secret or old_secret
-  * Tests are no longer dependent on set order
-  * Rack::Static no longer defaults to serving index files
-  * Rack.release was fixed
-
-* January 6th, 2013: Twenty sixth public release 1.1.4
-  * Add warnings when users do not provide a session secret
-
-* January 6th, 2013: Twenty seventh public release 1.2.6
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-
-* January 6th, 2013: Twenty eighth public release 1.3.7
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-  * Updated URI backports
-  * Fix URI backport version matching, and silence constant warnings
-  * Correct parameter parsing with empty values
-  * Correct rackup '-I' flag, to allow multiple uses
-  * Correct rackup pidfile handling
-  * Report rackup line numbers correctly
-  * Fix request loops caused by non-stale nonces with time limits
-  * Fix reloader on Windows
-  * Prevent infinite recursions from Response#to_ary
-  * Various middleware better conforms to the body close specification
-  * Updated language for the body close specification
-  * Additional notes regarding ECMA escape compatibility issues
-  * Fix the parsing of multiple ranges in range headers
-
-* January 6th, 2013: Twenty ninth public release 1.4.2
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-  * Updated URI backports
-  * Fix URI backport version matching, and silence constant warnings
-  * Correct parameter parsing with empty values
-  * Correct rackup '-I' flag, to allow multiple uses
-  * Correct rackup pidfile handling
-  * Report rackup line numbers correctly
-  * Fix request loops caused by non-stale nonces with time limits
-  * Fix reloader on Windows
-  * Prevent infinite recursions from Response#to_ary
-  * Various middleware better conforms to the body close specification
-  * Updated language for the body close specification
-  * Additional notes regarding ECMA escape compatibility issues
-  * Fix the parsing of multiple ranges in range headers
-  * Prevent errors from empty parameter keys
-  * Added PATCH verb to Rack::Request
-  * Various documentation updates
-  * Fix session merge semantics (fixes rack-test)
-  * Rack::Static :index can now handle multiple directories
-  * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
-  * Rack::File cache_control parameter is now deprecated, and removed by 1.5
-  * Correct Rack::Directory script name escaping
-  * Rack::Static supports header rules for sophisticated configurations
-  * Multipart parsing now works without a Content-Length header
-  * New logos courtesy of Zachary Scott!
-  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
-  * Cookies that are not URI escaped no longer cause exceptions
-
-* January 7th, 2013: Thirtieth public release 1.3.8
-  * Security: Prevent unbounded reads in large multipart boundaries
-
-* January 7th, 2013: Thirty first public release 1.4.3
-  * Security: Prevent unbounded reads in large multipart boundaries
-
-* January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
-  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
-  * Fixed erroneous test case in the 1.3.x series
-
-* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-
-* February 7th, Thirty fifth public release 1.4.5
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-  * Fix CVE-2013-0262, symlink path traversal in Rack::File
-
-* February 7th, Thirty fifth public release 1.5.2
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-  * Fix CVE-2013-0262, symlink path traversal in Rack::File
-  * Add various methods to Session for enhanced Rails compatibility
-  * Request#trusted_proxy? now only matches whole stirngs
-  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
-  * URLMap host matching in environments that don't set the Host header fixed
-  * Fix a race condition that could result in overwritten pidfiles
-  * Various documentation additions
+
+
 
 == Contact
 
 Please post bugs, suggestions and patches to
 the bug tracker at <http://github.com/rack/rack/issues>.
 
-Please post security related bugs and suggestions to the core team at
-<https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
-to wide usage of the library, it is strongly preferred that we manage timing in
-order to provide viable patches at the time of disclosure. Your assistance in
-this matter is greatly appreciated.
-
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.
 
@@ -526,8 +360,6 @@ The Rack Core Team, consisting of
 * Michael Fellinger (manveru)
 * Ryan Tomayko (rtomayko)
 * Scytrin dai Kinthra (scytrin)
-* Aaron Patterson (tenderlove)
-* Konstantin Haase (rkh)
 
 would like to thank:
 
@@ -557,7 +389,7 @@ would like to thank:
 * Marcus Rückert, for help with configuring and debugging lighttpd.
 * The WSGI team for the well-done and documented work they've done and
   Rack builds up on.
-* All bug reporters and patch contributors not mentioned above.
+* All bug reporters and patch contributers not mentioned above.
 
 == Copyright
 
@@ -582,11 +414,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.github.com/>
+Rack:: <http://rack.rubyforge.org/>
+Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
 Official Rack repositories:: <http://github.com/rack>
-Rack Bug Tracking:: <http://github.com/rack/rack/issues>
+Rack Lighthouse Bug Tracking:: <http://rack.lighthouseapp.com/>
 rack-devel mailing list:: <http://groups.google.com/group/rack-devel>
-Rack's Rubyforge project:: <http://rubyforge.org/projects/rack>
 
 Christian Neukirchen:: <http://chneukirchen.org/>
 

data/Rakefile

@@ -1,4 +1,5 @@
 # Rakefile for Rack.  -*-ruby-*-
+require 'rake/rdoctask'
 
 desc "Run all the tests"
 task :default => [:test]
@@ -68,7 +69,7 @@ desc "Run all the fast tests"
 task :test => 'SPEC' do
   opts     = ENV['TEST'] || '-a'
   specopts = ENV['TESTOPTS'] ||
-    "-q -t '^(?!Rack::Handler|Rack::Adapter|Rack::Session::Memcache|rackup)'"
+    "-q -t '^(?!Rack::Adapter|Rack::Session::Memcache|Rack::Server)'"
 
   sh "bacon -I./lib:./test -w #{opts} #{specopts}"
 end

data/SPEC

@@ -3,7 +3,7 @@ can (and should) use Rack::Lint to enforce it.
 When you develop middleware, be sure to add a Lint before and
 after to catch all mistakes.
 = Rack applications
-A Rack application is a Ruby object (not a class) that
+A Rack application is an Ruby object (not a class) that
 responds to +call+.
 It takes exactly one argument, the *environment*
 and returns an Array of exactly three values:
@@ -106,7 +106,7 @@ The input stream must respond to +gets+, +each+, +read+ and +rewind+.
 * +gets+ must be called without arguments and return a string,
   or +nil+ on EOF.
 * +read+ behaves like IO#read. Its signature is <tt>read([length, [buffer]])</tt>.
-  If given, +length+ must be a non-negative Integer (>= 0) or +nil+, and +buffer+ must
+  If given, +length+ must be an non-negative Integer (>= 0) or +nil+, and +buffer+ must
   be a String and may not be nil. If +length+ is given and not nil, then this method
   reads at most +length+ bytes from the input stream. If +length+ is not given or nil,
   then this method reads all data until EOF.

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.2"
+    "1.3"
   end
 
   autoload :Builder, "rack/builder"
@@ -54,6 +54,7 @@ module Rack
   autoload :Static, "rack/static"
   autoload :URLMap, "rack/urlmap"
   autoload :Utils, "rack/utils"
+  autoload :Multipart, "rack/multipart"
 
   autoload :MockRequest, "rack/mock"
   autoload :MockResponse, "rack/mock"
@@ -71,18 +72,6 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
-
-    # Not all of the following schemes are "standards", but they are used often.
-    @schemes = %w[basic digest bearer mac token oauth oauth2]
-
-    def self.add_scheme scheme
-      @schemes << scheme
-      @schemes.uniq!
-    end
-
-    def self.schemes
-      @schemes.dup
-    end
   end
 
   module Session

data/lib/rack/auth/abstract/request.rb

@@ -1,3 +1,5 @@
+require 'rack/request'
+
 module Rack
   module Auth
     class AbstractRequest
@@ -6,6 +8,10 @@ module Rack
         @env = env
       end
 
+      def request
+        @request ||= Request.new(@env)
+      end
+
       def provided?
         !authorization_key.nil?
       end
@@ -15,11 +21,7 @@ module Rack
       end
 
       def scheme
-        @scheme ||=
-          begin
-            s = parts.first.downcase
-            Rack::Auth.schemes.include?(s) ? s.to_sym : s
-          end
+        @scheme ||= parts.first.downcase.to_sym
       end
 
       def params

data/lib/rack/auth/digest/md5.rb

@@ -21,9 +21,13 @@ module Rack
 
         attr_writer :passwords_hashed
 
-        def initialize(*args)
-          super
+        def initialize(app, realm=nil, opaque=nil, &authenticator)
           @passwords_hashed = nil
+          if opaque.nil? and realm.respond_to? :values_at
+            realm, opaque, @passwords_hashed = realm.values_at :realm, :opaque, :passwords_hashed 
+          end
+          super(app, realm, &authenticator)
+          @opaque = opaque
         end
 
         def passwords_hashed?

data/lib/rack/auth/digest/params.rb

@@ -4,11 +4,10 @@ module Rack
       class Params < Hash
 
         def self.parse(str)
-          split_header_value(str).inject(new) do |header, param|
+          Params[*split_header_value(str).map do |param|
             k, v = param.split('=', 2)
-            header[k] = dequote(v)
-            header
-          end
+            [k, dequote(v)]
+          end.flatten]
         end
 
         def self.dequote(str) # From WEBrick::HTTPUtils
@@ -38,9 +37,8 @@ module Rack
         UNQUOTED = ['nc', 'stale']
 
         def to_s
-          inject([]) do |parts, (k, v)|
-            parts << "#{k}=" + (UNQUOTED.include?(k) ? v.to_s : quote(v))
-            parts
+          map do |k, v|
+            "#{k}=" + (UNQUOTED.include?(k) ? v.to_s : quote(v))
           end.join(', ')
         end
 

data/lib/rack/auth/digest/request.rb

@@ -16,7 +16,7 @@ module Rack
         end
 
         def correct_uri?
-          (@env['SCRIPT_NAME'].to_s + @env['PATH_INFO'].to_s) == uri
+          request.fullpath == uri
         end
 
         def nonce

data/lib/rack/backports/uri/common.rb

@@ -0,0 +1,64 @@
+# :stopdoc:
+
+# Stolen from ruby core's uri/common.rb, with modifications to support 1.8.x
+#
+# https://github.com/ruby/ruby/blob/trunk/lib/uri/common.rb
+#
+#
+
+module URI
+  TBLENCWWWCOMP_ = {} # :nodoc:
+  TBLDECWWWCOMP_ = {} # :nodoc:
+
+  # Encode given +str+ to URL-encoded form data.
+  #
+  # This method doesn't convert *, -, ., 0-9, A-Z, _, a-z, but does convert SP
+  # (ASCII space) to + and converts others to %XX.
+  #
+  # This is an implementation of
+  # http://www.w3.org/TR/html5/forms.html#url-encoded-form-data
+  #
+  # See URI.decode_www_form_component, URI.encode_www_form
+  def self.encode_www_form_component(str)
+    if TBLENCWWWCOMP_.empty?
+      tbl = {}
+      256.times do |i|
+        tbl[i.chr] = '%%%02X' % i
+      end
+      tbl[' '] = '+'
+      begin
+        TBLENCWWWCOMP_.replace(tbl)
+        TBLENCWWWCOMP_.freeze
+      rescue
+      end
+    end
+    str = str.to_s
+    str.gsub(/[^*\-.0-9A-Z_a-z]/) {|m| TBLENCWWWCOMP_[m]}
+  end
+
+  # Decode given +str+ of URL-encoded form data.
+  #
+  # This decods + to SP.
+  #
+  # See URI.encode_www_form_component, URI.decode_www_form
+  def self.decode_www_form_component(str, enc=nil)
+    if TBLDECWWWCOMP_.empty?
+      tbl = {}
+      256.times do |i|
+        h, l = i>>4, i&15
+        tbl['%%%X%X' % [h, l]] = i.chr
+        tbl['%%%x%X' % [h, l]] = i.chr
+        tbl['%%%X%x' % [h, l]] = i.chr
+        tbl['%%%x%x' % [h, l]] = i.chr
+      end
+      tbl['+'] = ' '
+      begin
+        TBLDECWWWCOMP_.replace(tbl)
+        TBLDECWWWCOMP_.freeze
+      rescue
+      end
+    end
+    raise ArgumentError, "invalid %-encoding (#{str})" unless /\A(?:%[0-9a-fA-F]{2}|[^%]+)*\z/ =~ str
+    str.gsub(/\+|%[0-9a-fA-F]{2}/) {|m| TBLDECWWWCOMP_[m]}
+  end
+end